QualysVM-GetAssets-ByCVEID
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Get CVE IDs from incident. 2. Create a Dynamic Search List with CVE IDs as filter criteria. 3. Generate the Vulnerability Report based on Dynamic Search List. 4. Download the report and store it to a blob storage. This report has details about assets which are vulnerable to CVE. 5. Add the link of report as a comment to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | QualysVM |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureblob |
Managed | 1 | 2 |
azuresentinel |
Managed | 1 | 1 |
QualysCustomConnector |
Custom | 1 | 8 |
Action parameters (URLs, paths, function IDs)
azureblob (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_SAS_URI_by_path_(V2) | post | /v2/datasets/@{encodeURIComponent('AccountNameFromSettings')}/CreateSharedLinkByPath |
— |
| Create_blob_(V2) | post | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
QualysCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_Dynamic_Search_List_of_CVEs | post | /api/2.0/fo/qid/search_list/dynamic/ |
— |
| Create_Scan_Report_Template | post | /api/2.0/fo/report/template/scan/ |
— |
| Delete_Dynamic_Search_List | post | /api/2.0/fo/qid/search_list/dynamic/ |
— |
| Delete_Scan_Report_Template | post | /api/2.0/fo/report/template/scan/ |
— |
| Download_Report | post | /api/2.0/fo/report/ |
— |
| Get_Report_Status | post | /api/2.0/fo/report/ |
— |
| Launch_Scan_Report | post | /api/2.0/fo/report/ |
— |
| Get_Report_Status_Again | post | /api/2.0/fo/report/ |
— |
Additional Documentation
📄 Source: QualysVMPlaybooks/QualysVM-GetAssets-ByCVEID/readme.md
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Get CVE IDs from incident.
- Create a Dynamic Search List with CVE IDs as filter criteria.
- Generate the Vulnerability Report based on Dynamic Search List.
- Download the report and store it to a blob storage. This report has details about assets which are vulnerable to CVE.
- Add the link of report as a comment to the incident.
Prerequisites
- Prior to the deployment of this playbook, Qualys Logic App Custom Connector needs to be deployed under the same subscription.
- Refer to Qualys Logic App Custom Connector documentation for deployment instructions.
- New or Existing Storage Account deployed under the same subscription.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Custom Connector Name
- Storage Account Name
Post-Deployment instructions
a. Authorize Connections
Once deployment is complete, authorize each connection if required.
- Select the Microsoft Sentinel connection resource
- Click Edit API connection blade
- Click Authorize/Provide credentianls if required
- Click Save
- Repeat these steps for other Connections
- For Qualys connection, provide Qualys Username and Password
b. Configurations in Sentinel
In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains CVE ID. Since there is no entity for CVE for now, CVEID need to be passed as key value pair in Custom details section. [Important] In the Custom details section of the analytics rule creation workflow, Assign CVEID as key and choose appropriate column as value.
Check the documentation to know more about custom details in alerts.
Check the documentation to learn more about mapping entities.
Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.
c. Create Container report-blob in Storage Account
- Choose Containers blade in Data storage section
- Click on +Container
- Give name report-blob
- Let the Public access level be deafault Private (no anonymous access)
- Click Create
d. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose Systen assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊