Workflow: Lookup Vulnerability from Slack

The Lookup Vulnerability from Slack workflow is one of several low-to-no configuration workflows now available for InsightConnect. These workflows are intended to serve two purposes:

  1. Provide a quick way to get started using automation
  2. Allow users to build off of an existing workflow

Let’s take a quick glance at what this new workflow does. First, the requirements are pretty minimal: you need Slack, and the ChatOps connection into Slack is the only thing that will need to be customized for this to work in your environment.

The immediate value of this workflow is quick-hitting information on vulnerabilities that InsightVM knows about. Have a vulnerability you’re reading about in a security disclosure, on the news, or in an email from an exec? Ping the bot with the name or CVE and get some quick and concise responses.

It’s easy to also take apart this workflow and enhance it. Novice workflow builders can learn a great deal from tearing one of these apart and understanding the components, and it’s fairly straightforward to substitute steps to change the functionality as desired. Sydney walks us through how she did something similar with a built-in InsightIDR automation template, and Spencer took us through his learnings with Slack and InsightConnect. Look carefully at that second post and you’ll see that he actually applied those learnings to the workflow at the center of this post!

This workflow also serves as a basis for something currently being developed - cloud workflows. Today this workflow goes through the orchestrator, but no components of it actually require an orchestrator to function. Stay tuned for cloud plugins and workflows, which will both enhance workflows like this with a speed boost as well as unlock new use cases.

4 Likes

Hello, I just installed the latest version of this workflow and am getting the following error at the “search results to String” step. Can you please check?
(‘action input JSON was invalid’, <ValidationError: “[{‘identifier’: ‘msft-cve-2020-0767’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0767’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0767: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0713’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0713’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0713: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0712’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0712’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0712: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0711’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0711’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0711: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0710’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0710’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0710: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0673’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0673’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0673: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0674’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0674’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0674: Scripting Engine Memory Corruption Vulnerability’}] is not of type ‘object’”>)
Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.0.2-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 393, in start_step
step.input.validate(params)
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.0.2-py3.8.egg/insightconnect_plugin_runtime/variables.py”, line 22, in validate
validate(parameters, self.schema)
File “/usr/local/lib/python3.8/site-packages/jsonschema-3.2.0-py3.8.egg/jsonschema/validators.py”, line 934, in validate
raise error
jsonschema.exceptions.ValidationError: [{‘identifier’: ‘msft-cve-2020-0767’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0767’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0767: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0713’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0713’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0713: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0712’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0712’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0712: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0711’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0711’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0711: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0710’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0710’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0710: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0673’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0673’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0673: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0674’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0674’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0674: Scripting Engine Memory Corruption Vulnerability’}] is not of type ‘object’

Failed validating ‘type’ in schema[‘properties’][‘input’]:
{‘description’: ‘Input variable’,
‘order’: 1,
‘title’: ‘Input’,
‘type’: ‘object’}

On instance[‘input’]:
[{‘identifier’: ‘msft-cve-2020-0767’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0767’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0767: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0713’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0713’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0713: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0712’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0712’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0712: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0711’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0711’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0711: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0710’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0710’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0710: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0673’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0673’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0673: Scripting Engine Memory ’
‘Corruption Vulnerability’},
{‘identifier’: ‘msft-cve-2020-0674’,
‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0674’,
‘published_at’: ‘2020-02-11T00:00:00.000Z’,
‘title’: 'Microsoft CVE-2020-0674: Scripting Engine Memory ’
‘Corruption Vulnerability’}]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.0.2-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 307, in handle_step
output = self.start_step(
File “/usr/local/lib/python3.8/site-packages/insightconnect_plugin_runtime-4.0.2-py3.8.egg/insightconnect_plugin_runtime/plugin.py”, line 400, in start_step
raise ClientException("{} input JSON was invalid".format(step_key), e)
insightconnect_plugin_runtime.exceptions.ClientException: (‘action input JSON was invalid’, <ValidationError: “[{‘identifier’: ‘msft-cve-2020-0767’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0767’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0767: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0713’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0713’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0713: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0712’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0712’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0712: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0711’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0711’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0711: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0710’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0710’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0710: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0673’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0673’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0673: Scripting Engine Memory Corruption Vulnerability’}, {‘identifier’: ‘msft-cve-2020-0674’, ‘link’: ‘https://vdb-kasf1i23nr1kl2j4.rapid7.com/v1/content/msft-cve-2020-0674’, ‘published_at’: ‘2020-02-11T00:00:00.000Z’, ‘title’: ‘Microsoft CVE-2020-0674: Scripting Engine Memory Corruption Vulnerability’}] is not of type ‘object’”>)

1 Like
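
The traceback above reduces to one mismatch: the step's input schema declares 'type': 'object', while the value handed to it was a list of search results. This added example (not part of the original posts and not Rapid7's code) models only that type check with the Python standard library instead of jsonschema and shows one possible remedy; SAMPLE_RESULTS, check_input, and wrap_results with its "results" key are assumptions, and the thread does not say how the error was actually resolved.

```python
# Stdlib-only model of the JSON Schema "type" check that failed in the traceback.
# STEP_INPUT_SCHEMA is copied from the error output; SAMPLE_RESULTS is constructed.

JSON_TYPES = {
    "object": dict,
    "array": list,
    "string": str,
    "number": (int, float),
    "boolean": bool,
    "null": type(None),
}

STEP_INPUT_SCHEMA = {
    "description": "Input variable",
    "order": 1,
    "title": "Input",
    "type": "object",
}

SAMPLE_RESULTS = [  # constructed stand-ins for the search results
    {"identifier": "example-vuln-0001", "title": "Constructed result one"},
    {"identifier": "example-vuln-0002", "title": "Constructed result two"},
]


def json_type_name(value):
    """Return the JSON type name of a Python value."""
    if isinstance(value, bool):  # bool is a subclass of int, so test it first
        return "boolean"
    for name, py_type in JSON_TYPES.items():
        if isinstance(value, py_type):
            return name
    raise TypeError(f"{type(value).__name__} is not a JSON value")


def check_input(value, schema):
    """Return None if value satisfies schema['type'], else an error string."""
    actual = json_type_name(value)
    if actual != schema["type"]:
        return f"input is of type '{actual}', not '{schema['type']}'"
    return None


def wrap_results(results, key="results"):
    """Hypothetical remedy: nest the list under one key so the step gets an object."""
    return results if isinstance(results, dict) else {key: results}
```

Running check_input on each step's output before it is passed on turns this kind of mismatch into a short message instead of a multi-page traceback.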

We’re currently looking into this error in the workflow, so thanks for reporting. I’ll let you know what we find and if it’s something that requires pushing a fix.

1 Like

Hi Holly, is there any update on this?

Hey @mauro_papa, this is something the team’s still looking into. Sorry for the delay! We’ll post updates here as we have them and reach out if there’s anything we want to double check with you in terms of things like configuration.

@mauro_papa we recently released an update to the Lookup Vulnerability from Slack (1.1.4) workflow and we believe this has since been resolved. I haven’t been able to reproduce the error that you previously experienced with several different vulnerability lookup combinations.

Any chance you could import the most recent version of the workflow and let us know if you still are running into issues? I would recommend making sure the previously imported workflow version is either inactive or deleted. If you do run into a problem again, would you please take a screenshot of the input to Slack so we can make sure we replicate with the exact same lookup?

Another benefit to this new version of the workflow is that it no longer has a reliance on the orchestrator to be run. You can select to run the Rapid7 VulnDB plugin from the Cloud!

1 Like