AGAC v1 release, Veracode and Jira expansion, plus more personalization and better team management in Nucleus
Welcome to the Nucleus Product Update 3.6. It’s already the halfway point for 2023, and we’re not slowing down anytime soon. Our team continues to work at high speed to introduce new features and product capabilities that continually improve your Nucleus platform experience and vulnerability management outcomes.
Key highlights from this update include:
- Better access control and asset grouping with AGAC v1 release
- Improved team management with new bulk API endpoint
- More personalized vulnerability intel with new CVSS version picker
- Veracode connector expansion adding the ability to ingest sandbox scans
- Greater remediation automation via Jira with dynamic ticketing assignment
Get the details for all updates below.
Have questions or want to know more about anything you see here? Our team is happy to help. Just reach out to our crew at support@nucleussec.com for further assistance. Happy reading!
Better access control and asset grouping with AGAC v1 release
On June 28, Asset Group Access Control (AGAC) was automatically enabled for all Nucleus customers. Org admins now have more control over what their users can access in a project. AGAC ensures only the people who need to see specific vulnerability data within a project can access it, while others can’t, by allowing admins to restrict user access by specified asset groups.
Additionally, automatic asset grouping is now the default behavior within Nucleus to ensure that asset groups stay updated dynamically. As mentioned last month, these product changes combined fulfill a critical need for our customers to safeguard access to their sensitive data and streamline their mitigation teams’ experience. You can learn more in the Asset Group Access Control support article and this blog. For further questions or help, please email support@nucleussec.com or contact your Nucleus Account Manager.
Greater remediation automation via Jira with dynamic ticketing assignment
Released July 5, this new feature allows Nucleus to route Jira tickets by the assignee in Nucleus. This means that Nucleus customers who previously would have required multiple rules (sometimes hundreds!) to cover the number of assignees they had on vulnerability instances of a unique vulnerability can now condense that work down to one rule covering all assignees. This new dynamic field allows our customers to reduce many rules to a few and avoid manual rule updates when orgs add and remove team members. Please note: This feature is currently in Beta and opt-in only. For more information or to opt-in, please email support@nucleussec.com or contact your Nucleus Account Manager.
Improved team management with new bulk API endpoint
On June 28, we released a new bulk API endpoint for team management, enabling our customers to programmatically manage teams via API in bulk. Our customers can now manage teams and related tasks more quickly and efficiently, including updating team names and adding or removing users for multiple teams. In conjunction with our previously existing SSO team mapping functionality, this is a powerful feature enabling effective management of even the largest and most complex organizations. You can learn more in our Project Teams API documentation (login required).
More personalized vulnerability intel with new CVSS version picker
Released June 14, a new org-level setting allows Nucleus customers to select the CVSS version used within the product. Our default of using the highest of the two scores will remain the same, though customers will now have the option to pick CVSS v3 or CVSS v2 when there is more than one score available. In cases where a selected score isn’t available, we will automatically use the alternative available score so that customers always have a score to reference within Nucleus. Read more about this feature here.
Veracode connector expansion adding the ability to ingest sandbox scans
Nucleus customers can now ingest sandbox scans via the Veracode connector in addition to application scans. Released June 28, this new functionality enables our customers to bring pre-production vulns onto Nucleus to better integrate into CI/CD and DevOps workflows. Sandbox scans are treated as branches of the applications from an asset perspective, which means customers are easily able to see the difference between application and sandbox vulnerabilities. Furthermore, assets that are sandboxes won’t count against customer asset counts for licensing purposes. Sandbox scan ingestion is currently a beta product, available to all customers — visit this help article to learn more.
Hear about our latest product updates
This week, our very own Director of Product, Rob Gibson, and Director of Product Marketing, Sonia Blanks, discussed some of our new and upcoming features and improvements during the Q2 2023: What’s New from Nucleus product webinar. Check out the on-demand recording now to ensure you and the team are fully up to date on all things Nucleus.
Click here to expand our full Release Notes
You can access the Nucleus change log to view the complete, unedited version of release updates posted each week. Select the subscribe to the RSS feed option on this page if you would like to receive weekly change log updates. This new Nucleus Product Update is intended to fully summarize and outline those weekly changes for you, with more details, each month. The product updates include all the following features and improvements:
New Features
- Version 1 of Asset Group Access Control (AGAC) is now generally available. Learn more by reviewing the highlighted section above or the Nucleus Support Center AGAC-focused help articles.
Product Improvements (Performance, Experience, & Functionality)
- Added an Org level configuration to set the CVSS version used throughout Nucleus if multiple CVSS versions are available. This release does not change the default behavior, which is to use the highest of the two scores.
- Updated the Asset Processing API endpoints to include asset group dynamic fields. Swagger API docs have been updated.
- Added a new bulk /teams API endpoint to more efficiently add and remove users, update team names, etc.
- Added a configuration for displaying the age of finding instances on the Top Risks page. Please contact Nucleus Support if you are interested in having this enabled for your org.
- Added the ability to ingest sandbox scans when importing by all in the Veracode Connector. This is a beta release, available to all customers in the product UI.
Integration Improvements
All:
- Improved asset matching accuracy in scan parsers when relying on fuzzy matching, and increased ingestion speed for large scans.
Axonius:
- Improved asset matching in the Axonius connector to prevent edge cases where assets were over-matched or under-matched.
Defender:
- Added Defender machine tag metadata which was not showing up as available criteria within Asset Processing automation.
Jira:
- Added support for Jira on-prem, version 9.0 and higher. Contact Nucleus Support for this to be enabled in your Nucleus environment.
Prisma Cloud:
- Improved the Prisma Cloud connector by speeding up ingestion by all CI image scans.
- Updated the Prisma Cloud connector by removing the legacy scans import option.
- Updated the Prisma Cloud Connector to map tags with the proper status within Nucleus.
Qualys:
- Improved the speed of Qualys CSV scan ingestion in cases where there are a large number of potential findings.
ServiceNow:
- Improved the ServiceNow Basic connector so that asset syncs now complete much faster than before.
Snyk:
- Improved scan ingestion in the Snyk connector by falling back to the V1 org endpoint in cases where the v3 endpoint is unreliable and returns no organizations even when they exist.
- Updated the Snyk connector so that importing unique container images with multiple Snyk projects will result in a merged asset with all findings instead of just a single project.
Sonatype:
- Increased the speed of Sonatype scan ingests, especially when ingesting a large number of scans in bulk.
Tenable:
- Improved the tenable.io connector so that there is a match step for VM instances from GCP.
Bug Fixes
- Fixed an issue with Security Hub where EC2 scans were not mitigated as expected where subsequent scans had mitigated findings.
- Fixed an issue in Asset Processing automation where reordering rules was not working as expected, especially in cases with a large number of asset processing rules.
- Fixed an issue where the discovered dates in the instances view changed upon scroll.
- Fixed an issue where forward slashes in asset group names were not matched as expected in Finding Processing automation.
- Fixed an issue where filtering by assignee in the Active Vulns page was incorrectly returning results, since the assignee only had resolved instances assigned.
- Fixed an issue where the Compliance grid did not match the number of compliance instances.
- Fixed an issue where the trends page data was not accurately represented in the trends report pdf.
- Fixed an issue where the number of instances on the Tickets page was not lining up to the instance count attached in the ticket CSV.
- Fixed an issue where the UI and API showed different results when filtering by certain finding statuses.
- Fixed an issue where a single Qualys WAS scan report could be scheduled repeatedly.
- Fixed an issue when editing Global Reports, where the asset groups list was not populating.
- Fixed an issue where the Nucleus footer was showing in reports that were emailed from Nucleus, even though the org had a custom footer configured.
- Fixed an issue where the compliance tab was missing from the Vulnerability Details XLSX report.
- Fixed an issue where the Discovered Date on the Active Vulnerabilities page was displaying an incorrect date with certain filters were applied.
- Fixed an issue in Ticketing and Issue Tracking automation, where the UI said we would not set default values in automation in situations where we should set that information.
- Fixed an issue in Qualys where previously mitigated findings were incorrectly marked as “potential.”