Configuration Compliance Test Group/Policy Mark Deprecated

Lacey L · ‎10-24-2023

What does the "Mark Deprecated" UI Action do on the Test Group (formerly Policy) form? The UI Action is present on both "Active" and "Inactive" Test Groups. Does this UI Action just deactivate the Test Group or is this another action?

andy_ojha · ‎10-24-2023

Hey there - good call out.

Unfortunately - this component is not well documented in the current Docs pages for SecOps CC today.

Think of this as a means to limit / filter the downstream data within SecOps CC.

For example, let's say we import 30 Policy records from Qualys
- And for day 1, we only have appetite to bring in the Results from 5 of these Policy's into SecOps CC
- Perhaps we are still baking the other Policies / tuning them - we're just not ready to load the Results for them yet
- You can go to the "Test Group" (formerly, Policy) and set the "Is Deprecated" to True (via that button)
- Then when we make the API requests for downstream data (e.g. Results from Qualys), we only explicitly fetch Results for the Policies that have <Is Deprecated> set to False

We previously did not have a good way to control or filter the Results for certain Policies - but today, this feature helps control / filter / limit what downstream data (e.g. Results) we want to fetch from a source like Qualys

Now - there is a wrinkle to this - currently, you can only toggle it one-way, i.e. setting the Policy to Deprecated. Not exactly sure why it is designed this way (and blocks us from later setting the Policy to be value (Deprecated = False) - but this can be adjusted with something like a fix script / bknd script potentially as needed.

View solution in original post

andy_ojha · ‎10-24-2023

Hey there - good call out.

Unfortunately - this component is not well documented in the current Docs pages for SecOps CC today.

Think of this as a means to limit / filter the downstream data within SecOps CC.

For example, let's say we import 30 Policy records from Qualys
- And for day 1, we only have appetite to bring in the Results from 5 of these Policy's into SecOps CC
- Perhaps we are still baking the other Policies / tuning them - we're just not ready to load the Results for them yet
- You can go to the "Test Group" (formerly, Policy) and set the "Is Deprecated" to True (via that button)
- Then when we make the API requests for downstream data (e.g. Results from Qualys), we only explicitly fetch Results for the Policies that have <Is Deprecated> set to False

We previously did not have a good way to control or filter the Results for certain Policies - but today, this feature helps control / filter / limit what downstream data (e.g. Results) we want to fetch from a source like Qualys

Now - there is a wrinkle to this - currently, you can only toggle it one-way, i.e. setting the Policy to Deprecated. Not exactly sure why it is designed this way (and blocks us from later setting the Policy to be value (Deprecated = False) - but this can be adjusted with something like a fix script / bknd script potentially as needed.

Joe Kline · ‎10-24-2023

I'm glad I saw this one. This has been one of my complaints and support cases back to SN since we started with the CC module. Found out the hard way what happens when my team mate that manages the Qualys PC environment arbitrarily (and without communicating) deleted a Policy on the Qualys platform, and all my Qualys PC XXX Integrations failed miserably since it had no way to mark a policy (as this now offers) and NOT try to go after the IDs over in Qualys.

Good to hear something is there to help out, sad to hear it was implemented rather hard-handed as a one way "stop using it" as Andy describes here. While a bknd Fix script can adjust the values back if I wanted, I really prefer the proper UI Actions tied to the proper roles to make that kind of adjustments...