Run scan for CVE in IVM and output as a ticket in SNOW

I am attempting to take alert output from a workflow (posts a description of a vulnerability either as a ticket or into a Teams chat) and run a scan with IVM so that we can create a ticket based on the individual CVE and not a huge batch of tickets per asset that happens to be affected by the CVE.

Currently:

Alert > Scrape CVE > Severity threshold > Post CVE to Teams (OR send to SNOW for a ticket per CVE per asset alerted) > Vuln lookup enrichment in IVM > Post enrichment to Teams.

Hopeful Endstate:

Alert > Scrape CVE > Severity Threshold > Lookup CVE with IVM (or Recorded Future/VT/NIST/etc.) > Scan organization assets for CVE > Post assets with Vuln to Teams > Create a SNOW ticket with the CVE as subject and list of assets affected in description.

So far, I am able to get the CVE title sent to Teams and have the trigger (!lookup-vuln) set in the post so it automatically looks up the Vuln within Teams via another workflow.
Which is good, but the biggest issue is that our Patching/Vuln policy for tickets requires them to be listed by CVE and to include as much info as possible on the CVE. Ideally they include a solution link, because the Service Desk will not go searching for the patch.

Any help would be appreciated!

I am experimenting with the plugin:
Lookup Vulnerable Hosts from Teams
It could help me with my end state. Will keep all updated!

Output is now:
Severity: Severe
CVSS: V2:4.6 | V3:7.8
Risk Score: 109.08
Assets Impacted: 111

The big thing here is Assets Impacted: 111
I am able to get the number of assets affected by the CVE. Now I just need a list of those assets (so they can be listed in the ticket) and hopefully links to patches found via a search of NIST's DB.

Added a step prior to posting to Teams, as I am attempting to scrape the CVE number via a Python script.

import re

# The {{ }} template is expanded by the workflow before the script runs,
# so it has to sit inside quotes to become a Python string literal.
text = "{{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}"

# Capture whatever sits between "CVE" and the first colon after it.
m = re.search('CVE(.+?):', text)
if m:
    found = m.group(1)

# found: the text between "CVE" and the first colon, e.g. "-2021-XXXX"

The output of {{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}
will look something like:

APPLICATION NAME Vulnerability: CVE-2021-XXXX LONG DESCRIPTION

So my scraper is trying to just pull "-2021-XXXX".
The problem is that the syntax of output describing the CVE varies.

Microsoft looks like
Microsoft CVE-2021-XXX: Windows LONG DESCRIPTION

While Google looks like:
Google Chrome Vulnerability: CVE-2021-XXXX LONG DESCRIPTION

As you can see, MS outputs the CVE followed by a colon while Google’s output is a colon followed by a space and then the CVE and LONG DESCRIPTION separated only by a space.

Drawing a blank on how to get this working.

No progress yet.
Really not understanding why I am not getting good output.

Changed things up and now I get:

KeyError: 're\n\ntext'

New code is simple:

import re

text ="{{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}"

CVE = re.search(r'CVE-\d{4}-\d{4,7}', text)

I tried using print(CVE) as well. Nada.

The only output is a comma in Teams.

Hi Robert! For your Python script that you shared, is that the full script? You will need a return if you want to send the output of your script back to the workflow.

Alternatively, have you tried using the built-in Pattern Match step? Its purpose is to provide regex capabilities without needing the Python script.
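As an added example (not code from this thread, and not part of Rapid7's plugins), here is a self-contained Python version of the scraper that handles both title shapes described earlier (the Microsoft form with the colon after the ID and the Google form with the colon before it) by matching the CVE identifier itself instead of the punctuation around it, returns its result the way the reply above says a script step must, and assembles the ticket fields the first post asks for (CVE as subject, enrichment and asset list in the body). The step shape (a run() function that receives a params dict and returns a dict), the hostnames, the solution URL and the sample titles are assumptions made for the example, not taken from the page.

```python
import re
from typing import Dict, List, Optional

# A CVE identifier is "CVE-" + a four-digit year + a sequence of 4 to 7 digits.
# Matching the ID directly makes the scraper independent of vendor title layout.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def extract_cve(title: str) -> Optional[str]:
    """Return the first CVE ID found in a vulnerability title, or None."""
    m = CVE_RE.search(title)
    return m.group(0).upper() if m else None


def extract_all_cves(text: str) -> List[str]:
    """Return every distinct CVE ID in the text, in order of first appearance."""
    seen: List[str] = []
    for match in CVE_RE.findall(text):
        cve = match.upper()
        if cve not in seen:
            seen.append(cve)
    return seen


def build_ticket(cve: str, severity: str, cvss: str, risk_score: float,
                 assets: List[str], solution_url: Optional[str] = None) -> Dict[str, str]:
    """Build ticket fields: the CVE as the subject, enrichment and the asset list in the body.

    The field names are assumptions for the example; map them to whatever your
    ServiceNow step expects.
    """
    lines = [
        f"Severity: {severity}",
        f"CVSS: {cvss}",
        f"Risk Score: {risk_score}",
        f"Assets Impacted: {len(assets)}",
    ]
    if solution_url:
        lines.append(f"Solution: {solution_url}")
    lines.append("")
    lines.append("Affected assets:")
    lines.extend(f"  - {asset}" for asset in sorted(assets))
    return {"short_description": cve, "description": "\n".join(lines)}


def run(params: Optional[dict] = None) -> dict:
    """Assumed shape of a workflow script step: take a params dict, return a dict.

    The return is what hands the value back to the workflow; a script that only
    assigns a variable or prints produces no output for later steps.
    """
    params = params or {}
    cve = extract_cve(params.get("title", ""))
    return {"cve": cve or "", "found": cve is not None}


# Constructed sample titles in the two vendor shapes from the thread (not real advisories).
SAMPLE_TITLES = [
    "Microsoft CVE-2021-1234: Windows Kernel Elevation of Privilege Vulnerability",
    "Google Chrome Vulnerability: CVE-2021-5678 Use after free in V8",
    "Some Vendor Advisory with no identifier in the title",
]

# Constructed asset names standing in for the hosts IVM reports as impacted.
SAMPLE_ASSETS = ["ws-0042.corp.example", "srv-db-01.corp.example", "ws-0007.corp.example"]


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print(run({"title": title}), "<-", title)
    ticket = build_ticket("CVE-2021-1234", "Severe", "V2:4.6 | V3:7.8", 109.08,
                          SAMPLE_ASSETS, "https://example.invalid/patch-for-cve-2021-1234")
    print(ticket["short_description"])
    print(ticket["description"])
```

The regex deliberately matches the identifier rather than the surrounding colon, so the same step works for both the "CVE-...:" and ": CVE-..." layouts, and the `\b` anchors stop it from accepting an over-long digit run; if a title names more than one CVE, extract_all_cves returns them all so you can open one ticket per CVE rather than per asset.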