jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add comprehensive end-user guide for security engineers

Browse Source 
Create docs/user-guide.md covering all dashboard features from the
perspective of a security engineer. Includes getting started, all
page workflows (Home, Triage, Compliance, CCP Metrics, Knowledge Base,
Exports, Jira, Archer Templates), user settings, admin features
(View As, scope toggle), and tips/best practices for daily triage.

No code references, deployment steps, or technical implementation
details — purely operational guidance for end users.
This commit is contained in:
Jordan Ramos
2026-06-24 17:45:37 -06:00
parent b078289c1c
commit fea2127893
1 changed files with 544 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

544
docs/user-guide.md Normal file
View File

@@ -0,0 +1,544 @@
# AEGIS Security Dashboard — User Guide
This guide covers everything you need to operate the AEGIS Security Dashboard as a security engineer. It walks through daily workflows — from CVE triage and compliance monitoring to Jira ticket management and exception handling — organized by the pages you interact with.
---
## Table of Contents
- [Getting Started](#getting-started)
- [Logging In](#logging-in)
- [Navigation](#navigation)
- [Understanding Your Role and Team](#understanding-your-role-and-team)
- [Home Page](#home-page)
- [CVE Lookup and Search](#cve-lookup-and-search)
- [Recent Activity](#recent-activity)
- [Calendar Widget](#calendar-widget)
- [Tickets and Archer Panel](#tickets-and-archer-panel)
- [Ivanti Counts Panel](#ivanti-counts-panel)
- [Vuln Triage — Reporting Page](#vuln-triage--reporting-page)
- [Findings Table](#findings-table)
- [Filtering and Search](#filtering-and-search)
- [Inline Editing and Overrides](#inline-editing-and-overrides)
- [Notes](#notes)
- [Bulk Actions and Queue Staging](#bulk-actions-and-queue-staging)
- [FP Workflow Submission](#fp-workflow-submission)
- [CARD Ownership Lookup](#card-ownership-lookup)
- [Atlas Badges](#atlas-badges)
- [Export](#export)
- [Compliance Page](#compliance-page)
- [Team Selector](#team-selector)
- [Metric Health Cards](#metric-health-cards)
- [Device List](#device-list)
- [Detail Panel and Notes](#detail-panel-and-notes)
- [Remediation Planning](#remediation-planning)
- [Upload Process](#upload-process)
- [CCP Metrics](#ccp-metrics)
- [Multi-Vertical Overview](#multi-vertical-overview)
- [VCL Stats and Trend Charts](#vcl-stats-and-trend-charts)
- [Drill-Down and Forecasting](#drill-down-and-forecasting)
- [Knowledge Base](#knowledge-base)
- [Exports](#exports)
- [Jira Tickets](#jira-tickets)
- [Archer Templates](#archer-templates)
- [User Settings](#user-settings)
- [Admin Features](#admin-features)
- [User Management](#user-management)
- [Audit Log](#audit-log)
- [View As — Impersonation](#view-as--impersonation)
- [Scope Toggle](#scope-toggle)
- [Tips and Best Practices](#tips-and-best-practices)
---
## Getting Started
### Logging In
Open the dashboard in your browser. You will see the login screen with the AEGIS branding. Enter the username and password provided by your administrator.
- Sessions last 24 hours. After that, you will be prompted to log in again.
- If you enter incorrect credentials too many times in a short window, the account is temporarily locked. Wait 15 minutes or contact your admin.
After a successful login, the dashboard loads directly to the **Home** page.
### Navigation
The left-side navigation drawer lists every page available to you. Pages you cannot access based on your group assignment do not appear in the drawer — you will only see what is relevant to your role.
The navigation drawer includes:
- **Home** — CVE management and quick lookup
- **Vuln Triage** — Ivanti host finding reporting and triage
- **Compliance** — AEO compliance posture monitoring
- **CCP Metrics** — cross-vertical VCL reporting (Leadership and Admin only)
- **Knowledge Base** — internal documentation library
- **Exports** — pre-built data export cards
- **Jira Tickets** — ticket management (Standard_User and Admin only)
- **Archer Templates** — risk acceptance form templates (Standard_User and Admin only)
- **Admin** — user management, audit log, system tools (Admin only)
The top-right corner shows a notification bell (unread count badge) and your user menu with access to profile settings and logout.
### Understanding Your Role and Team
Your experience in the dashboard depends on two things: your **group** and your **team assignment**.
**Groups** determine which pages you can see:
| Group | Access Level |
|---|---|
| Admin | All pages, all data, user management, audit log |
| Standard_User | Home, Vuln Triage, Compliance, Knowledge Base, Exports, Jira, Archer Templates |
| Leadership | Home, Vuln Triage, Compliance, CCP Metrics, Knowledge Base, Exports |
| Read_Only | Home, Knowledge Base |
**Team assignment** determines which data you see. You only see findings, compliance items, and asset data belonging to your assigned business unit(s). If you expect to see data that is not appearing, contact your administrator to verify your team assignment.
Note: Admin users bypass team scoping and can view all data across all teams.
---
## Home Page
The Home page is your starting point. It provides quick CVE lookup, recent activity, calendar tracking, and summary panels for open tickets.
### CVE Lookup and Search
The center panel contains the **Quick CVE Lookup** field. Type a CVE identifier (e.g., CVE-2024-12345) and the dashboard queries the National Vulnerability Database to auto-populate severity, description, and publication date.
Below the lookup is the **CVE list** — a searchable, filterable table of all tracked CVEs. You can:
- **Search** by CVE ID, vendor name, or free text
- **Filter** by vendor, severity, or status
- **Expand** a CVE entry to view full details, linked vendor entries, and uploaded documents
- **Create** a new CVE record (Standard_User and above)
- **Upload documents** (advisories, patch notes, screenshots) linked to a specific CVE/vendor pair
Each CVE entry shows its severity badge, vendor count, and document count at a glance. Expanding it reveals the full description, linked Archer tickets, and associated Jira tickets.
Note: Read_Only users can view and search CVEs but cannot create, edit, or upload.
### Recent Activity
The **Recent Activity** feed on the Home page shows a chronological list of recent actions — new CVE entries, document uploads, compliance uploads, and other events. This gives you situational awareness of what your teammates are working on.
Note: Administrative system events (sync completions, scheduled jobs) are hidden from non-Admin users to reduce noise.
### Calendar Widget
The right-side panel includes a **Calendar Widget** that highlights dates with SLA deadlines or scheduled actions. Current day is visually highlighted. Dates with activity show indicator dots.
### Tickets and Archer Panel
The right panel also shows a compact list of **Open Tickets** — Jira tickets and Archer exceptions currently tracked in the dashboard. Each entry shows the ticket key, status badge, and summary. This gives you a quick count of outstanding items without navigating to the dedicated Jira or Archer pages.
### Ivanti Counts Panel
A summary card displays current open and closed finding counts from the most recent Ivanti sync. This provides an at-a-glance view of your team's vulnerability posture without needing to open the full Reporting page.
---
## Vuln Triage — Reporting Page
The Reporting page is where you spend most of your triage time. It displays all synced Ivanti host findings for your assigned team(s), with tools for filtering, annotating, and routing findings to the appropriate workflow.
Note: Available to Admin, Standard_User, and Leadership groups.
### Findings Table
The main table shows one row per host finding. Each row displays:
- **Hostname** and **IP address** (with IPv6 fallback badges where applicable)
- **Severity** — numeric VRR score with color-coded badge (Critical, High, Medium, Low)
- **VRR Group** — severity classification
- **Status** — Open, Closed, or archived state
- **SLA Status** — whether the finding is within or overdue on its remediation SLA
- **BU** — the business unit the finding belongs to
- **FQDN** — fully qualified domain name
- **Atlas badge** — indicates whether an Atlas action plan exists for this host
- **Notes** — any annotations you or your team have added
**Group by Host** — toggle this option to collapse findings that share the same hostname and IP into expandable groups. This reduces visual clutter when a single host has many findings.
**IPv6 badges** — some findings lack an IPv4 address. These show an amber "Q" badge (Qualys IPv6) or an indigo "v6" badge (primary IPv6) depending on which fallback address was captured.
### Filtering and Search
The toolbar above the table provides multiple filtering options:
- **Free-text search** — filters across hostname, IP, FQDN, CVE titles, and notes
- **Column filters** — click a column header to filter by specific values within that column
- **Severity sort** — sort ascending or descending by VRR score
- **BU picker** — multi-select to scope the view to one or more business units (within your team assignment)
- **Status filter** — show only Open, only Closed, or all findings
Filters are composable — apply multiple at once to narrow down your working set.
### Inline Editing and Overrides
For any finding you have write access to:
- **Override hostname** — if the synced hostname is incorrect or needs clarification, click the hostname field to edit it inline. Your override persists across syncs.
- **Override DNS** — similarly, the DNS/FQDN field can be overridden locally without affecting the upstream Ivanti record.
Overrides are visual cues for your team's context — they do not modify the source system.
### Notes
Click the notes cell on any finding row to add or edit a note. Notes are free-text annotations visible to anyone on your team who views the same finding. Use them to record triage decisions, remediation context, or handoff information.
### Bulk Actions and Queue Staging
Select one or more findings using the row checkboxes. The **bulk action toolbar** appears at the top of the table with options to:
- **Add to Queue** — stage selected findings in your personal Ivanti Queue for batch workflow processing
- **Export Selected** — export only the selected rows to CSV or XLSX
When adding to the queue, you choose the workflow type: **FP** (False Positive), **Archer** (Risk Acceptance), **CARD** (Ownership), **GRANITE** (Loader Sheet), **DECOM** (Decommission), or **Remediate**.
The toolbar remains visible as you scroll through the findings list.
### FP Workflow Submission
After staging findings in the queue with the **FP** workflow type, navigate to the **Ivanti Queue** page (accessible from the nav drawer under Vuln Triage). From there:
1. Select one or more FP queue items
2. Click **Submit FP Workflow**
3. Attach supporting documentation (10 MB per file limit)
4. Set the expiration date, scope override, and reason
5. Submit — the workflow is sent directly to Ivanti
**Lifecycle tracking** — submitted workflows move through states: Submitted, Approved, Rejected, Rework, Resubmitted. You can view your submission history in a collapsible panel. If a workflow is rejected, you can edit the justification and resubmit, or re-queue the finding for a different approach.
Approved submissions auto-clear. Rejected submissions can be dismissed or acted upon.
### CARD Ownership Lookup
Hover over an IP address in the findings table to see a **CARD ownership tooltip**. The tooltip shows the confirmed owner team, unconfirmed candidates, and candidate scores from the CARD asset management system.
For deeper investigation, click the IP to open the **CARD Detail Modal** where you can:
- View the full asset record (NCIM, Qualys, Netops Granite data)
- **Confirm** ownership (assigns the asset to your team)
- **Decline** ownership (removes your team from the confirmed slot)
- **Redirect** ownership to another team
Note: CARD actions require Standard_User or Admin group.
### Atlas Badges
Findings with an associated Atlas action plan display a small badge on their row. Click the badge to open the **Atlas Slide-Out Panel** showing the plan type (remediation, risk acceptance, or compensating control), associated vulnerabilities, and plan metadata.
You can create new action plans or update existing ones from this panel if you have write access.
### Export
The **Export** button in the toolbar exports the current filtered view to CSV or XLSX format. The exported file reflects exactly what you see on screen — all active filters, sorting, and column selections are preserved in the output.
---
## Compliance Page
The Compliance page tracks your team's AEO compliance posture — non-compliant devices, metric health, and remediation progress over time.
Note: Available to Admin, Standard_User, and Leadership groups.
### Team Selector
At the top of the page, the **Team** selector lets you switch between teams you have access to (STEAM, ACCESS-ENG). The page reloads to show compliance data for the selected team.
Note: Admin users can view all teams. Non-admin users only see teams matching their assignment.
### Metric Health Cards
Below the team selector, a row of **metric health cards** summarizes each compliance metric's current status. Each card shows:
- Metric name
- Pass/fail indicator (green check or red warning)
- Count of non-compliant devices
- Trend direction (improving, stable, or degrading)
- Estimated resolution date (if set)
Cards with failing metrics are visually highlighted to draw your attention to areas that need remediation effort.
### Device List
Clicking a metric health card opens the **device list** — a table of all devices that are non-compliant for that specific metric. Each row shows the hostname, violation details, how long it has been non-compliant (recurrence tracking), and any associated notes.
### Detail Panel and Notes
Selecting a device from the list opens the **Detail Panel** on the right side. This panel shows:
- Full violation history for that hostname/metric pair
- Notes — add per-device context, remediation steps, or ownership information
- Compliance history across uploads (when the item first appeared, if it was ever resolved, and if it recurred)
Notes support a group ID for batch operations — you can tag multiple notes with the same identifier for bulk reference.
### Remediation Planning
From the Compliance page you can generate **Granite Loader Sheets** directly for non-compliant devices. Select devices and click **Generate Granite Loader** to create a sheet enriched with CARD asset data, ready for remediation tracking.
The page also displays compliance trend charts showing improvement or degradation over time for each metric.
### Upload Process
Note: Compliance uploads require Standard_User or Admin group.
To upload new weekly compliance data:
1. Click the **Upload** button at the top of the Compliance page
2. Select your team's weekly compliance xlsx file (up to 100 MB)
3. The system parses the spreadsheet and presents a **diff preview** — showing new non-compliant items, resolved items, and recurring items
4. Review the diff and confirm the upload
5. Metric health cards and the device list update immediately
The upload is additive — it does not delete previous history. Each upload is tracked with a timestamp so you can see progression over time.
---
## CCP Metrics
The CCP Metrics page provides executive-level visibility into VCL (Vulnerability Compliance Level) posture across multiple verticals and teams.
Note: Available to Admin and Leadership groups only.
### Multi-Vertical Overview
The overview page shows all tracked verticals with aggregated compliance statistics. Each vertical card displays:
- Vertical name and team assignment
- Compliant vs. total device counts
- Non-compliant count (clickable for metric breakdown)
- Data freshness badges — **LIVE** (current report) or **LAST REPORT** (historical)
### VCL Stats and Trend Charts
For each vertical, trend charts show:
- Compliance percentage over time
- Per-metric breakdown of non-compliant items
- Aggregated burndown forecast — projected date when all items reach compliance based on current velocity
### Drill-Down and Forecasting
Click a vertical to drill down into:
- **Sub-team breakdowns** — intermediate view showing per-team compliance within the vertical
- **Per-metric forecast burndown chart** — visual projection of remediation timelines per metric
- **Metric summary cards** — compliant/total counts with remediation plan indicators
- **Device metadata** — asset-level context for non-compliant items
The **Exec Report** page provides an exportable summary suitable for leadership reporting.
Note: Data management (delete vertical, rollback upload, reset all) is Admin-only.
---
## Knowledge Base
The Knowledge Base is an internal document library for policies, guides, reference material, and operational documentation.
Available to all authenticated users.
**Capabilities:**
- **Browse** articles organized by category
- **Search** by title, content, or category
- **View** documents inline — PDFs render in the browser, Markdown articles display formatted content
- **Download** documents in their original format (PDF, Word, Excel)
- **Upload** new articles or documents (Standard_User and above)
Categories help organize content by topic — use them to find security policies, triage playbooks, operational guides, or vendor advisories.
---
## Exports
The **Exports** page provides pre-built export cards for common data pulls. Each card represents a specific dataset you can export with one click.
Available exports include:
- **Jira Tickets** — all tracked tickets in CSV or XLSX format
- **CCP Metrics** — VCL compliance data for reporting
- **Remediation Status** — current remediation state across teams
- **Findings** — filtered Ivanti findings data
- **Granite Loader Sheets** — formatted spreadsheets with CARD enrichment for asset remediation workflows
Select a card, choose your format (CSV or XLSX), and the download starts immediately. Export content reflects the current state of the data at the time you generate it.
Note: Available to Admin, Standard_User, and Leadership groups.
---
## Jira Tickets
The dedicated **Jira Tickets** page lets you create, view, and sync tickets linked to your vulnerability management workflows.
Note: Available to Admin and Standard_User groups only.
**Viewing tickets:**
- The page shows all locally tracked Jira tickets with their key, summary, status, and linked CVE/vendor pair (if applicable)
- Status values display as received from Jira — no mapping or translation
**Creating tickets:**
- Click **Create Ticket** to open the creation form
- Fill in the summary, description, and optionally link to a CVE/vendor pair
- Select the project and issue type (vendor-specific projects and issue types are available)
- The ticket is created in Jira and tracked locally in the dashboard
**Multi-item tickets:**
- From the Ivanti Queue, you can select multiple queue items and create a consolidated Jira ticket covering all of them
- The **Consolidation Modal** lets you review and adjust the combined ticket before submission
**Lookup and sync:**
- Use **JQL Lookup** to search for existing Jira tickets that match criteria
- Results can be saved to the dashboard using **Save to Dashboard** for ongoing tracking
---
## Archer Templates
The **Archer Templates** page manages reusable template content for Archer Risk Acceptance forms.
Note: Available to Admin and Standard_User groups only.
Templates are organized by **Vendor**, **Platform**, and **Model** in a hierarchy. Each template contains static sections:
- Environment Overview
- Segmentation
- Mitigating Controls
**Using templates:**
- Browse or search templates by vendor, platform, or model name
- Click a template to open the **inline view panel** with per-section content
- Use **Copy to Clipboard** buttons on each section to grab content for your Archer submission
- Templates are also accessible from the Ivanti Queue when processing Archer-type workflow items — use the **Template Selector** to pull relevant content directly into your workflow
**Managing templates (Standard_User and Admin):**
- Create new templates with the full section structure
- Clone existing templates as a starting point for variations
- Edit and update template content as environments change
---
## User Settings
Access your profile settings from the **user menu** in the top-right corner.
**Profile view:**
- Your username, display name, group assignment, and team assignment(s)
- Your Ivanti identity (first/last name used for FP workflow filtering)
**Password change:**
- Click **Change Password** in the profile panel
- Enter your current password and the new password
- Passwords must meet minimum length requirements
Note: You cannot change your own group or team assignment. Contact your administrator for role or team changes.
---
## Admin Features
Note: All features in this section require the Admin group.
### User Management
The **Admin** page includes a **User Management** panel where you can:
- View all user accounts with their role, group, team assignment, and Ivanti identity
- **Create** new users with username, password, group, and team assignment
- **Edit** existing users — change their group, role, team assignments, or Ivanti identity
- **Delete** user accounts
- **Reset passwords** for other users
When creating a new user, assign them to the appropriate group and one or more teams. They will only see data for their assigned teams.
### Audit Log
The **Audit Log** panel shows a chronological record of all state-changing operations performed in the dashboard. Each entry includes:
- Timestamp
- Username of the actor
- Action performed (create, update, delete, login, export, etc.)
- Entity type and ID affected
- Details of the change
Use the audit log for compliance investigations, change tracking, or security reviews.
### View As — Impersonation
The **View As** feature lets you temporarily view the dashboard as another user to verify their permissions and data scope.
1. In User Management, find the user you want to impersonate
2. Click the **eye icon** next to their name
3. The dashboard reloads showing exactly what that user sees — their pages, their data, their permissions
4. An **amber banner** appears at the top of the screen indicating you are viewing as another user
5. Click **Exit** on the banner to return to your own view
All access checks use the impersonated user's identity — you see their team data, their page access, their restrictions. However, the audit log still records your real admin identity for traceability.
Use View As to verify a new user's setup before sharing credentials, or to troubleshoot access issues reported by team members.
### Scope Toggle
The **Admin Scope Toggle** allows administrators to temporarily restrict their own view to a single team's data, simulating the experience of a team-scoped user. This helps when reviewing team-specific findings or compliance data without the noise of cross-team visibility.
---
## Tips and Best Practices
**Triage workflow:**
1. Start on the **Reporting** page with the **Group by Host** toggle enabled to reduce noise
2. Sort by severity (descending) to prioritize critical findings first
3. Use the BU picker to focus on one team at a time
4. For each finding, check the CARD tooltip to verify asset ownership
5. Add findings to the queue by workflow type — FP for false positives, Archer for risk acceptance, Remediate for legitimate vulnerabilities needing action
6. Process your queue in batches — submit FP workflows together, generate Granite sheets together
**Compliance monitoring:**
- Check the Compliance page at least weekly after your team's upload
- Focus on metrics where the health card shows degradation (red trend arrow)
- Use the Detail Panel notes to document remediation ownership and ETA per device
- Generate Granite Loader Sheets for any devices that need to be routed through the remediation workflow
**Staying organized:**
- Use the **Recent Activity** feed on the Home page to catch up on team actions
- Check your **notification bell** for sync completions, workflow status changes, and system alerts
- Mark notifications as read to keep your unread count meaningful
- Use the Knowledge Base for referencing team policies and triage playbooks before making decisions
**Export habits:**
- Export findings before and after a triage session to document your progress
- Export compliance data weekly for offline reporting or email distribution to stakeholders
- The Exports page generates point-in-time snapshots — export regularly if you need historical baselines
**Jira integration:**
- Create Jira tickets from the queue consolidation modal when multiple findings on the same host need a single remediation ticket
- Use JQL Lookup to check for existing tickets before creating duplicates
- Save relevant tickets to the dashboard for tracking without switching tools
**Working with CARD:**
- Always verify CARD ownership before routing a finding to a team for remediation
- If a CARD tooltip shows no confirmed owner, use the Detail Modal to search by Host ID for more complete data
- Confirm or redirect ownership through the dashboard to keep CARD records current
---
*For questions about your access level, team assignment, or account setup, contact your dashboard administrator.*