jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b1a21e87714b687bf4a4441c89d8291091ad2922
cve-dashboard/docs/MOP-workflow-color-codes.md
jramos b1a21e8771 docs: Add MOP for Workflow column color codes 
Method of Procedure explaining FP# badge states, color meanings,
required actions, decision flowchart, and quick reference card.
Intended for training NTS-AEO team members on the Reporting page.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-11 15:45:48 -06:00

4.8 KiB
Raw Blame History

MOP: Ivanti Finding Workflow Status — STEAM Security Dashboard

Document Type: Method of Procedure Applies To: STEAM Security Dashboard — Reporting Page Audience: NTS-AEO-ACCESS-ENG / NTS-AEO-STEAM team members

1. Purpose

This document explains how to interpret the Workflow column on the Reporting page and what action to take for each status. The goal is to ensure every open finding is actively managed and no False Positive (FP) exception lapses unnoticed.

2. Background

What the Reporting Page Shows

The Reporting page displays open findings only (severity 8.5+, generic_state = Open). A finding disappears from this list when it is closed — which happens when a valid, approved FP exception is on file or when the vulnerability is remediated.

What the Workflow Column Shows

The Workflow column tracks FP# tickets only — False Positive requests that a team member has manually submitted in Ivanti. These represent cases where the team has asserted a finding is not exploitable or applicable in our environment.

SYS# workflows are not shown. SYS# are auto-generated system tracking records and do not require team action.

Key Rule

If a finding appears in the Reporting page, it requires action — regardless of whether it has an FP# badge or not.

3. Workflow Column Color Codes

🔴 Red — Act Immediately

State What It Means Required Action
Expired An FP# ticket existed but the exception window has lapsed. The finding re-opened. Log into Ivanti and submit a new FP request for this finding. Reference the previous ticket if relevant.
Rejected The security team reviewed the FP request and denied it. The finding is considered a real, exploitable vulnerability. Remediate the vulnerability. Apply the relevant patch, configuration change, or compensating control. Do not resubmit an FP without new evidence.

🟡 Amber — Action Required Soon

State What It Means Required Action
Reworked The FP request was challenged by the reviewer and sent back for revision. Review the reviewer's comments in Ivanti. Update the FP justification and resubmit the ticket.
Actionable The FP ticket has been flagged as needing team action. Open the ticket in Ivanti to review what is needed and respond accordingly.

🔵 Blue — In Flight, Monitor

State What It Means Required Action
Requested An FP# ticket has been submitted and is awaiting security team approval. No immediate action. Monitor for approval or rejection. If no response within your SLA window, follow up with the approver.

— (No Badge) — Untriaged

State What It Means Required Action
No workflow badge No FP ticket has ever been submitted for this finding. Triage the finding. Determine whether to: (1) remediate it, or (2) submit a new FP request if you have justification that it is a false positive.

4. Decision Flowchart

Finding appears in Reporting page
│
├── Does it have a Workflow badge?
│   │
│   ├── NO (—)
│   │   └── Triage → Remediate OR submit new FP request
│   │
│   └── YES → Check the color:
│       │
│       ├── 🔵 BLUE (Requested)
│       │   └── Wait for approval. Follow up if SLA window is approaching.
│       │
│       ├── 🟡 AMBER (Reworked / Actionable)
│       │   └── Open Ivanti ticket → Review feedback → Update → Resubmit
│       │
│       └── 🔴 RED
│           │
│           ├── Expired → Submit NEW FP request in Ivanti
│           │
│           └── Rejected → Remediate the vulnerability

5. How to Submit or Renew an FP Request in Ivanti

  1. Log into Ivanti / RiskSense
  2. Navigate to Host Findings
  3. Search for the Finding ID shown in the dashboard (Finding ID column)
  4. Select the finding → ActionsRequest False Positive
  5. Complete the justification form:
    • Describe why the finding is not exploitable in this environment
    • Reference any compensating controls, network segmentation, or vendor guidance
    • Attach supporting evidence if available
  6. Submit — ticket will appear as Requested (blue) in the dashboard once processed

6. Quick Reference Card

Badge Color State One-Line Action
🔴 Red Expired Renew FP request in Ivanti
🔴 Red Rejected Remediate the vulnerability
🟡 Amber Reworked Update and resubmit FP ticket
🟡 Amber Actionable Review ticket in Ivanti
🔵 Blue Requested Monitor — no action yet
No badge Triage: remediate or submit FP

Last updated: 2026-03-11

Reference in New Issue View Git Blame Copy Permalink