--- name: building-vulnerability-scanning-workflow description: 'Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover, prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking dashboards. ' domain: cybersecurity subdomain: soc-operations tags: - soc - vulnerability-scanning - nessus - qualys - openvas - cvss - remediation - patch-management version: '1.0' author: mahipal license: Apache-2.0 nist_csf: - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 --- # Building Vulnerability Scanning Workflow ## When to Use Use this skill when: - SOC teams need to establish or improve recurring vulnerability scanning programs - Scan results require prioritization beyond raw CVSS scores using asset context and threat intelligence - Vulnerability data must be integrated into SIEM for correlation with exploitation attempts - Remediation tracking needs formalization with SLA-based dashboards and reporting **Do not use** for penetration testing or active exploitation — vulnerability scanning identifies weaknesses, penetration testing validates exploitability. ## Prerequisites - Vulnerability scanner (Tenable Nessus Professional, Qualys VMDR, or OpenVAS/Greenbone) - Asset inventory with criticality classifications (business-critical, standard, development) - Network access from scanner to all target segments (agent-based or network scan) - SIEM integration for scan result ingestion and correlation - Patch management system (WSUS, SCCM, Intune) for remediation tracking ## Workflow ### Step 1: Define Scan Scope and Scheduling Create scan policies covering all asset types: **Nessus Scan Configuration (API):** ```python import requests nessus_url = "https://nessus.company.com:8834" headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"} # Create scan policy policy = { "uuid": "advanced", "settings": { "name": "SOC Weekly Infrastructure Scan", "description": "Weekly credentialed scan of all server and workstation segments", "scanner_id": 1, "policy_id": 0, "text_targets": "10.0.0.0/16, 172.16.0.0/12", "launch": "WEEKLY", "starttime": "20240315T020000", "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA", "enabled": True }, "credentials": { "add": { "Host": { "Windows": [{ "domain": "company.local", "username": "nessus_svc", "password": "SCAN_SERVICE_PASSWORD", "auth_method": "Password" }], "SSH": [{ "username": "nessus_svc", "private_key": "/path/to/nessus_key", "auth_method": "public key" }] } } } } response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy, verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true") # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments scan_id = response.json()["scan"]["id"] print(f"Scan created: ID {scan_id}") ``` **Qualys VMDR Scan via API:** ```python import qualysapi conn = qualysapi.connect( hostname="qualysapi.qualys.com", username="api_user", password="API_PASSWORD" ) # Launch vulnerability scan params = { "action": "launch", "scan_title": "Weekly_Infrastructure_Scan", "ip": "10.0.0.0/16", "option_id": "123456", # Scan profile ID "iscanner_name": "Internal_Scanner_01", "priority": "0" } response = conn.request("/api/2.0/fo/scan/", params) print(f"Scan launched: {response}") ``` ### Step 2: Process and Prioritize Scan Results Download results and apply risk-based prioritization: ```python import requests import csv # Export Nessus results response = requests.get( f"{nessus_url}/scans/{scan_id}/export", headers=headers, params={"format": "csv"}, verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments ) # Parse and prioritize vulns = [] reader = csv.DictReader(response.text.splitlines()) for row in reader: cvss = float(row.get("CVSS v3.0 Base Score", 0)) asset_criticality = get_asset_criticality(row["Host"]) # From asset inventory # Risk-based priority calculation risk_score = cvss * asset_criticality_multiplier(asset_criticality) # Boost score if actively exploited (check CISA KEV) if row.get("CVE") in cisa_kev_list: risk_score *= 1.5 vulns.append({ "host": row["Host"], "plugin_name": row["Name"], "severity": row["Risk"], "cvss": cvss, "cve": row.get("CVE", "N/A"), "risk_score": round(risk_score, 1), "asset_criticality": asset_criticality, "kev": row.get("CVE") in cisa_kev_list }) # Sort by risk score vulns.sort(key=lambda x: x["risk_score"], reverse=True) ``` **CISA KEV (Known Exploited Vulnerabilities) Check:** ```python import requests kev_response = requests.get( "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" ) kev_data = kev_response.json() cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]} # Check if vulnerability is actively exploited def is_actively_exploited(cve_id): return cve_id in cisa_kev_list ``` ### Step 3: Define Remediation SLAs Apply SLA-based remediation timelines: | Priority | CVSS Range | Asset Type | SLA | Examples | |----------|-----------|------------|-----|---------| | **P1 Critical** | 9.0-10.0 + KEV | All assets | 24 hours | Log4Shell, EternalBlue on prod servers | | **P2 High** | 7.0-8.9 or 9.0+ non-KEV | Business-critical | 7 days | RCE without known exploit | | **P3 Medium** | 4.0-6.9 | Business-critical | 30 days | Authenticated privilege escalation | | **P4 Low** | 0.1-3.9 | Standard | 90 days | Information disclosure, low-impact DoS | | **P5 Informational** | 0.0 | Development | Next cycle | Best practice findings, config hardening | ### Step 4: Integrate with SIEM for Exploitation Detection Correlate vulnerability scan data with SIEM alerts to detect active exploitation: ```spl index=vulnerability sourcetype="nessus:scan" | eval vuln_key = Host.":".CVE | join vuln_key type=left [ search index=ids_ips sourcetype="snort" OR sourcetype="suricata" | eval vuln_key = dest_ip.":".cve_id | stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt by vuln_key ] | where isnotnull(exploit_attempts) | eval risk = "CRITICAL — Vulnerability being actively exploited" | sort - exploit_attempts | table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk ``` **Alert when KEV vulnerabilities are detected on critical assets:** ```spl index=vulnerability sourcetype="nessus:scan" severity="Critical" | lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date | where kev_status="active" | lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality | where criticality IN ("business-critical", "mission-critical") | table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality ``` ### Step 5: Build Remediation Tracking Dashboard **Splunk Dashboard for Vulnerability Metrics:** ```spl -- Open vulnerabilities by severity index=vulnerability sourcetype="nessus:scan" status="open" | stats count by severity | eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3, severity="Low", 4, 1=1, 5) | sort order -- SLA compliance tracking index=vulnerability sourcetype="nessus:scan" status="open" | eval sla_days = case( severity="Critical", 1, severity="High", 7, severity="Medium", 30, severity="Low", 90 ) | eval days_open = round((now() - first_detected) / 86400) | eval sla_status = if(days_open > sla_days, "OVERDUE", "Within SLA") | stats count by severity, sla_status -- Remediation trend over 90 days index=vulnerability sourcetype="nessus:scan" | eval is_open = if(status="open", 1, 0) | eval is_closed = if(status="fixed", 1, 0) | timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated ``` ### Step 6: Automate Remediation Ticketing Create tickets automatically for high-priority findings: ```python import requests servicenow_url = "https://company.service-now.com/api/now/table/incident" headers = { "Content-Type": "application/json", "Authorization": f"Bearer {snow_token}" } for vuln in vulns: if vuln["risk_score"] >= 8.0: ticket = { "short_description": f"[VULN] {vuln['cve']} — {vuln['plugin_name']} on {vuln['host']}", "description": ( f"Vulnerability: {vuln['plugin_name']}\n" f"CVE: {vuln['cve']}\n" f"CVSS: {vuln['cvss']}\n" f"Host: {vuln['host']}\n" f"Asset Criticality: {vuln['asset_criticality']}\n" f"CISA KEV: {'YES' if vuln['kev'] else 'NO'}\n" f"Risk Score: {vuln['risk_score']}\n" f"Remediation SLA: {'24 hours' if vuln['kev'] else '7 days'}" ), "urgency": "1" if vuln["kev"] else "2", "impact": "1" if vuln["asset_criticality"] == "business-critical" else "2", "assignment_group": "IT Infrastructure", "category": "Vulnerability" } response = requests.post(servicenow_url, headers=headers, json=ticket) print(f"Ticket created: {response.json()['result']['number']}") ``` ## Key Concepts | Term | Definition | |------|-----------| | **CVSS** | Common Vulnerability Scoring System — standardized severity rating (0-10) for vulnerabilities | | **CISA KEV** | Known Exploited Vulnerabilities catalog — CISA-maintained list of vulnerabilities with confirmed active exploitation | | **Credentialed Scan** | Vulnerability scan using authenticated access for deeper detection than network-only scanning | | **Asset Criticality** | Business impact classification determining remediation priority (mission-critical, business-critical, standard) | | **Remediation SLA** | Service Level Agreement defining maximum time allowed to patch vulnerabilities by severity | | **EPSS** | Exploit Prediction Scoring System — ML-based probability score predicting likelihood of exploitation | ## Tools & Systems - **Tenable Nessus / Tenable.io**: Enterprise vulnerability scanner with 200,000+ plugin checks and compliance auditing - **Qualys VMDR**: Cloud-based vulnerability management with asset discovery, prioritization, and patching integration - **OpenVAS (Greenbone)**: Open-source vulnerability scanner with community-maintained vulnerability feed - **CISA KEV Catalog**: US government maintained list of actively exploited vulnerabilities requiring mandatory remediation - **Rapid7 InsightVM**: Vulnerability management platform with live dashboards and remediation project tracking ## Common Scenarios - **Zero-Day Response**: New CVE published — run targeted scan for affected software, cross-reference with KEV and exploit databases - **Compliance Audit Prep**: Generate PCI DSS or HIPAA vulnerability report showing scan coverage and remediation status - **Post-Patch Verification**: Rescan patched systems to confirm vulnerability closure and update tracking dashboard - **Network Expansion**: New subnet added to infrastructure — onboard to scan scope with appropriate policy - **Third-Party Risk**: Scan externally-facing assets to validate vendor patch compliance before integration ## Output Format ``` VULNERABILITY SCAN REPORT — Weekly Summary ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Scan Date: 2024-03-16 02:00 UTC Scan Scope: 10.0.0.0/16 (1,247 hosts scanned) Duration: 4h 23m Coverage: 98.7% (16 hosts unreachable) Findings: Severity Count New CISA KEV Critical 23 5 3 High 187 34 12 Medium 892 78 0 Low 1,456 112 0 Info 3,891 201 0 Top Priority (P1 — 24hr SLA): CVE-2024-21762 FortiOS RCE 3 hosts KEV: YES CVE-2024-1709 ConnectWise RCE 1 host KEV: YES CVE-2024-3400 Palo Alto PAN-OS RCE 2 hosts KEV: YES SLA Compliance: Critical: 82% within SLA (4 overdue) High: 91% within SLA (17 overdue) Medium: 88% within SLA (107 overdue) Tickets Created: 39 (ServiceNow) ```