Get Vulnerabilities by Risk Score

Hi all,
what’s the best way to get all found InsightVM vulnerabilities on my assets with a specific riskscore (active risk strategy)? My goal is to create a ticket in Jira for each CVE with a score of 1000.

Thanks for your help!
Joe

With some python magic and insightVM API: InsightVM API (v3)

Or InsightConnect if you have that.

thanks for your reply! I have InsightConnect and my goal is to automate the whole process.
Does the InsightVM API v3 vulnerabilities endpoint return only found vulnerabilities? The description sounds like it will return the whole database of vulnerabilities, even if they are not present on my machines - I was not able to find an API endpoint which would allow me to query all vulnerabilities that were found on endpoints and specify a filter for the risk score.
I also looked at the available InsightConnect Extensions and Actions but wasn’t able to find one for my use case. Is there anything specific on your mind when you refer to InsightConnect?

Hi Joe, I started work on something similar in insightConnect but it’s not exactly efficient, and would have likely ‘denial of serviced’ our own ticketing systems with the criteria I was using so put it on hold!

The way I did it was as follows:

Create a workflow that starts with an Asset Search step. Then add a loop around each asset. Then clear a Global Artifact (which is used to store the vulns per asset in, rather than creating per vuln tickets). Then run a Get Asset Vulns step. But that only contains the basics so then add another loop around the vulns discovered. Then check the Vuln risk score in a decision step and, if above the required criteria, perform a ‘Get Vuln Details’ step to retrieve the data into an array. Then run a Get Solution step to return the solution. Then write it all into the Global Artifact. Once the loop around the asset is complete, create a ticket and email as required, clear the GA and move on to the next asset.

Whenever I ran it on a limited number of assets it took an amount of time to run that meant it was probably not feasible to apply to our whole list of assets so I parked it. That said I ran it all using v6.1.0 of the plugin so there may be improvements in the latest version to make this easier.

UPDATE: I’ve coincidentally just seen this post which says that loops take exponentially longer on each iteration so I wouldn’t recommend the above (which loops inside a loop inside a loop) until that’s resolved!

Hi @talford
thanks for your reply and your detailed explanation.
I’m just wondering why it seems that there is no “easy” approach as this use case should be pretty standard in my opinion.
Maybe using the InsightVM Cloud extension it is possible to at least get a list of assets that have vulnerabilities exceeding a defined risk score by using the vuln_criteria option with the asset search action?
I also tried using the “Insight VM Vulnerability Found” trigger but the data does not include details about CVEs or the active risk scores… Another approach I tried was the prebuilt Alert on New High-Risk Vulnerability in InsightVM with Slack workflow, but this one is based on the vulnerability severity. I need to check if it is possible to be rewritten to consider the active risk score.

Thanks and best,
Joe

You will have to use a combination of API calls if you don’t want to use the SQL query action to generate a custom csv report. First I would use the Asset Search action to do just as you said: filter assets based on risk-score.

Example filter:

{
    "filters": [
      {
        "field": "risk-score",
        "operator": "is-greater-than",
        "value": 200
      }
    ],
    "match": "all"
}

Then you can loop over each asset and use the Get Asset Vulnerabilities action to pull each asset’s vulns. This may produce a lot of data, but given this process it should give you what you want.
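Putting the two approaches in this thread together (asset search filtered on risk-score, then the per-asset vulnerability list, then vulnerability details for the risk score and CVEs), here is an added Python example that is not from the original thread or from Rapid7. It assumes the InsightVM API v3 paths /api/3/assets/search, /api/3/assets/{id}/vulnerabilities and /api/3/vulnerabilities/{id} with InsightVM's page/resources pagination, and a Jira REST v2 create-issue payload; the host, credentials, project key and the sample API responses are constructed placeholders. It goes a little beyond the thread by grouping findings per CVE and caching vulnerability details, so you end up with one ticket per CVE instead of one per asset-vulnerability pair (the volume problem talford hit).

```python
"""Added example: one Jira ticket per CVE at or above an InsightVM risk score.

Flow, following the thread:
  1. POST /api/3/assets/search with the risk-score filter -> candidate assets
  2. GET  /api/3/assets/{id}/vulnerabilities               -> vuln ids per asset
  3. GET  /api/3/vulnerabilities/{vulnId}                   -> riskScore + cves
  4. group by CVE and build one Jira issue per CVE

Endpoint paths and field names are assumptions based on the InsightVM API v3
reference; check them against your console's /api/3/ documentation.
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, Iterable, Optional

Fetch = Callable[[str, Optional[dict]], dict]  # (path, json body or None) -> parsed JSON

# Same filter shape as the asset-search example above.
ASSET_FILTER = {
    "filters": [{"field": "risk-score", "operator": "is-greater-than", "value": 200}],
    "match": "all",
}


def make_fetch(base_url: str, user: str, password: str) -> Fetch:
    """Build a minimal urllib client: GET when body is None, else POST JSON, basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data,
                                     method="POST" if data is not None else "GET")
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def paged(fetch: Fetch, path: str, body: Optional[dict] = None) -> Iterable[dict]:
    """Walk InsightVM's paginated responses ({"resources": [...], "page": {"totalPages": n}})."""
    page = 0
    while True:
        sep = "&" if "?" in path else "?"
        data = fetch(f"{path}{sep}page={page}&size=500", body)
        yield from data.get("resources", [])
        page += 1
        if page >= data.get("page", {}).get("totalPages", 1):
            return


def collect_cves(fetch: Fetch, min_risk: float, asset_filter: dict = ASSET_FILTER) -> Dict[str, dict]:
    """Return {cve: {"riskScore", "title", "assets": set(asset ids)}} for vulns scoring >= min_risk."""
    found: Dict[str, dict] = {}
    vuln_cache: Dict[str, dict] = {}  # one detail call per vuln id, not per asset
    for asset in paged(fetch, "/api/3/assets/search", asset_filter):
        for finding in paged(fetch, f"/api/3/assets/{asset['id']}/vulnerabilities"):
            vid = finding["id"]
            if vid not in vuln_cache:
                vuln_cache[vid] = fetch(f"/api/3/vulnerabilities/{vid}", None)
            v = vuln_cache[vid]
            if v.get("riskScore", 0) < min_risk:
                continue
            for cve in v.get("cves", []):
                entry = found.setdefault(cve, {"riskScore": v["riskScore"],
                                               "title": v.get("title", vid), "assets": set()})
                entry["assets"].add(asset["id"])
    return found


def jira_issue(cve: str, entry: dict, project_key: str) -> dict:
    """Jira REST v2 create-issue payload (POST /rest/api/2/issue) for one CVE."""
    assets = ", ".join(str(a) for a in sorted(entry["assets"]))
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"[InsightVM] {cve} risk {entry['riskScore']:.0f}: {entry['title']}",
        "description": f"Affected InsightVM asset ids: {assets}",
        "issuetype": {"name": "Task"},
    }}


def build_tickets(fetch: Fetch, min_risk: float, project_key: str) -> list:
    """End-to-end: collect CVEs at/above min_risk and return one Jira payload per CVE."""
    return [jira_issue(cve, e, project_key) for cve, e in sorted(collect_cves(fetch, min_risk).items())]


# Constructed sample responses so the pipeline can be exercised offline.
SAMPLE_API = {
    "/api/3/assets/search": {"resources": [{"id": 1}, {"id": 2}], "page": {"totalPages": 1}},
    "/api/3/assets/1/vulnerabilities": {"resources": [{"id": "vuln-a"}, {"id": "vuln-b"}], "page": {"totalPages": 1}},
    "/api/3/assets/2/vulnerabilities": {"resources": [{"id": "vuln-a"}], "page": {"totalPages": 1}},
    "/api/3/vulnerabilities/vuln-a": {"riskScore": 1000.0, "title": "Constructed critical vuln", "cves": ["CVE-0000-0001"]},
    "/api/3/vulnerabilities/vuln-b": {"riskScore": 312.5, "title": "Constructed medium vuln", "cves": ["CVE-0000-0002"]},
}


def sample_fetch(path: str, body: Optional[dict] = None) -> dict:
    """Offline stand-in for make_fetch(); ignores the query string and body."""
    return SAMPLE_API[path.split("?")[0]]


if __name__ == "__main__":
    # Against a real console: fetch = make_fetch("https://console.example:3780", "user", "pass")
    print(json.dumps(build_tickets(sample_fetch, 1000, "SEC"), indent=2))
```

With the constructed data, the 1000-point threshold yields a single ticket for CVE-0000-0001 listing both assets, and the medium finding is dropped; lowering the threshold to 300 adds a second ticket. In InsightConnect the same shape maps onto an Asset Search step, a loop with Get Asset Vulnerabilities, and a Get Vulnerability Details step, with the grouping done in a Python action before the Jira step.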