I am attempting to take alert output from a workflow (posts description of a vulnerability either as a ticket or into a Teams chat) and run a scan with IVM so that we can create a ticket based on the individual CVE and not a huge batch of tickets per asset that happen to be affected by the CVE.
Currently:
Alert > Scrape CVE > Severity threshold > Post CVE to Teams (OR send to SNOW for a ticket per CVE per asset alerted) > Vuln lookup enrichment in IVM > Post enrichment to Teams.
Hopeful Endstate:
Alert > Scrape CVE > Severity Threshold > Lookup CVE with IVM (Or Recorded Future/VT/NIST/etc.) Scan organization assets for CVE > Post assets with Vuln to Teams > Create a SNOW ticket with the CVE as subject and list of assets affected in description.
So far, I am able to get the CVE title sent to Teams and have the trigger (!lookup-vuln) set in the post so it automatically looks up the Vuln within Teams via another workflow.
Which is good, but the biggest issue is that our Patching/Vuln policy for tickets requires them to be listed by CVE as well as include as much info as possible on the CVE. Ideally they include a solution link because the Service Desk will not go searching for the patch.
Any help would be appreciated!
I am experimenting with the plugin:
Lookup Vulnerable Hosts from Teams
Could help me with my end state. Will keep all updated!
Output is now:
Severity: Severe
CVSS: V2:4.6 | V3:7.8
Risk Score: 109.08
Assets Impacted: 111
The big thing here is Assets Impacted: 111
I am able to get a number of assets affected by the CVE. Now I just need a list of those assets (so they can be listed in the ticket) and hopefully links to patches found via search of NIST’s DB
Added a step prior to posting to Teams as I am attempting to scrape the CVE number via python script.
import re
# the workflow substitutes the title into the script before it runs, so the template must sit inside a string literal
text = "{{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}"
# captures everything between "CVE" and the next colon
m = re.search('CVE(.+?):', text)
if m:
    found = m.group(1)
    # found: CVE-#
The output of {{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}
will look something like:
APPLICATION NAME Vulnerability: CVE-2021-XXXX LONG DESCRIPTION
So my scraper is trying to just pull “-2021-XXXX”
The problem is that the syntax of output describing the CVE varies.
Microsoft looks like
Microsoft CVE-2021-XXX: Windows LONG DESCRIPTION
While Google looks like:
Google Chrome Vulnerability: CVE-2021-XXXX LONG DESCRIPTION
As you can see, MS outputs the CVE followed by a colon while Google’s output is a colon followed by a space and then the CVE and LONG DESCRIPTION separated only by a space.
Drawing a blank on how to get this working.
No progress yet.
Really not understanding why I am not getting good output.
Changed things up and now I get:
KeyError: 're\n\ntext'
New code is simple:
import re
text ="{{["Get Vulnerability Content from Rapid7 Vuln DB"].[content_result].[title]}}"
CVE = re.search(r'CVE-\d{4}-\d{4,7}', text)
I tried using > print(CVE) as well. Nada.
The only output is a comma in Teams.
Hi Robert! For your Python script that you shared, is that the full script? You will need a return
if you want to send the output of your script back to the workflow.
Alternatively, have you tried using the built-in Pattern Match step? Its purpose is to provide regex capabilities without needing the Python script.
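As an added example, not code from this thread or from Rapid7: a self-contained version of the CVE-scraping step that handles both title layouts Robert describes (the Microsoft "CVE-...:" form and the Google "Vulnerability: CVE-..." form) and returns its result to the workflow, which is the missing piece the reply points out. The `run(params={})` entry point, the `params["title"]` input, and the sample titles are assumptions constructed for the example.

```python
import re

# Constructed sample titles shaped like the Microsoft and Google titles
# described in the thread, plus one with no identifier; in the workflow the
# real value would come from the {{[...].[content_result].[title]}} template.
SAMPLE_TITLES = [
    "Microsoft CVE-2021-1234: Windows LONG DESCRIPTION",
    "Google Chrome Vulnerability: CVE-2021-56789 LONG DESCRIPTION",
    "Vendor advisory with no identifier at all",
]

# One CVE identifier: the literal "CVE-", a four-digit year, then four or
# more digits. Case-insensitive so a lower-cased title still matches.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def extract_cves(title):
    """Return every CVE ID in the title, upper-cased and de-duplicated, in order.

    The pattern ignores whatever surrounds the ID, so a colon before or after
    it makes no difference and no per-vendor special casing is needed.
    """
    seen = []
    for match in CVE_RE.findall(title):
        cve = match.upper()
        if cve not in seen:
            seen.append(cve)
    return seen

def run(params={}):
    """Step entry point in the style of an InsightConnect Python action.

    Assumption (not from the thread): the step receives the title under
    params["title"] and must return a dict so later steps can use the output.
    A script that only assigns a variable or prints hands nothing back.
    """
    cves = extract_cves(params.get("title", ""))
    return {
        "cve": cves[0] if cves else "",   # first ID, or "" when none found
        "cves": cves,                     # all IDs, for multi-CVE titles
        "found": bool(cves),
    }

if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print(run({"title": title}))
```

When `found` is false the ticket step can be skipped or routed to manual review instead of filing a ticket with an empty subject.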