Building Vulnerability Scanning Workflow
When to Use
Use this skill when:
- SOC teams need to establish or improve recurring vulnerability scanning programs
- Scan results require prioritization beyond raw CVSS scores using asset context and threat intelligence
- Vulnerability data must be integrated into SIEM for correlation with exploitation attempts
- Remediation tracking needs formalization with SLA-based dashboards and reporting
Do not use for penetration testing or active exploitation — vulnerability scanning identifies weaknesses, penetration testing validates exploitability.
Prerequisites
- Vulnerability scanner (Tenable Nessus Professional, Qualys VMDR, or OpenVAS/Greenbone)
- Asset inventory with criticality classifications (business-critical, standard, development)
- Network access from scanner to all target segments (agent-based or network scan)
- SIEM integration for scan result ingestion and correlation
- Patch management system (WSUS, SCCM, Intune) for remediation tracking
Workflow
Step 1: Define Scan Scope and Scheduling
Create scan policies covering all asset types:
**Nessus Scan Configuration (API):**
```python
import os

import requests

nessus_url = "https://nessus.company.com:8834"
# API keys are generated per user in the Nessus UI; read them from the environment
# instead of hard-coding them in the script
access_key = os.environ["NESSUS_ACCESS_KEY"]
secret_key = os.environ["NESSUS_SECRET_KEY"]
headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"}
# Set SKIP_TLS_VERIFY=true only for self-signed certs in lab environments
tls_verify = os.environ.get("SKIP_TLS_VERIFY", "").lower() != "true"

# Create scan policy
policy = {
    "uuid": "advanced",  # scan template; list template UUIDs with GET /editor/scan/templates
    "settings": {
        "name": "SOC Weekly Infrastructure Scan",
        "description": "Weekly credentialed scan of all server and workstation segments",
        "scanner_id": 1,
        "policy_id": 0,
        "text_targets": "10.0.0.0/16, 172.16.0.0/12",
        "launch": "WEEKLY",
        "starttime": "20240315T020000",
        "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA",
        "enabled": True
    },
    "credentials": {
        "add": {
            "Host": {
                "Windows": [{
                    "domain": "company.local",
                    "username": "nessus_svc",
                    "password": os.environ["NESSUS_SCAN_PASSWORD"],  # scan service account secret
                    "auth_method": "Password"
                }],
                "SSH": [{
                    "username": "nessus_svc",
                    "private_key": "/path/to/nessus_key",
                    "auth_method": "public key"
                }]
            }
        }
    }
}
response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy, verify=tls_verify)
response.raise_for_status()
scan_id = response.json()["scan"]["id"]
print(f"Scan created: ID {scan_id}")
```
**Qualys VMDR Scan via API:**
```python
import os

import qualysapi

# The API hostname depends on the Qualys platform (region) your subscription lives on
conn = qualysapi.connect(
    hostname="qualysapi.qualys.com",
    username="api_user",
    password=os.environ["QUALYS_API_PASSWORD"],
)

# Launch vulnerability scan
params = {
    "action": "launch",
    "scan_title": "Weekly_Infrastructure_Scan",
    "ip": "10.0.0.0/16",
    "option_id": "123456",  # Scan profile ID
    "iscanner_name": "Internal_Scanner_01",
    "priority": "0",
}
response = conn.request("/api/2.0/fo/scan/", params)
print(f"Scan launched: {response}")
```
Step 2: Process and Prioritize Scan Results
Download results and apply risk-based prioritization:
```python
import csv
import os
import time

import requests

# nessus_url, headers and scan_id come from Step 1
# Set SKIP_TLS_VERIFY=true only for self-signed certs in lab environments
tls_verify = os.environ.get("SKIP_TLS_VERIFY", "").lower() != "true"

# Export Nessus results. The export API is asynchronous: request the export,
# poll until the file is ready, then download it.
export = requests.post(f"{nessus_url}/scans/{scan_id}/export", headers=headers,
                       json={"format": "csv"}, verify=tls_verify)
export.raise_for_status()
file_id = export.json()["file"]
while requests.get(f"{nessus_url}/scans/{scan_id}/export/{file_id}/status",
                   headers=headers, verify=tls_verify).json().get("status") != "ready":
    time.sleep(5)
response = requests.get(f"{nessus_url}/scans/{scan_id}/export/{file_id}/download",
                        headers=headers, verify=tls_verify)
response.raise_for_status()

# Asset criticality comes from the asset inventory (see Prerequisites); the
# multipliers are example weights, tune them to your own risk model
asset_inventory = {}  # {ip: criticality}, populated from the asset inventory
CRITICALITY_MULTIPLIER = {"mission-critical": 2.0, "business-critical": 1.5,
                          "standard": 1.0, "development": 0.7}

def get_asset_criticality(host):
    return asset_inventory.get(host, "standard")

def asset_criticality_multiplier(criticality):
    return CRITICALITY_MULTIPLIER.get(criticality, 1.0)

# Parse and prioritize (cisa_kev_list is built in the CISA KEV block below)
vulns = []
reader = csv.DictReader(response.text.splitlines())
for row in reader:
    cvss = float(row.get("CVSS v3.0 Base Score") or 0)  # informational plugins have no score
    cve = row.get("CVE") or "N/A"
    asset_criticality = get_asset_criticality(row["Host"])  # From asset inventory
    # Risk-based priority calculation
    risk_score = cvss * asset_criticality_multiplier(asset_criticality)
    # Boost score if actively exploited (check CISA KEV)
    in_kev = cve in cisa_kev_list
    if in_kev:
        risk_score *= 1.5
    vulns.append({
        "host": row["Host"],
        "plugin_name": row["Name"],
        "severity": row["Risk"],
        "cvss": cvss,
        "cve": cve,
        "risk_score": round(risk_score, 1),
        "asset_criticality": asset_criticality,
        "kev": in_kev
    })

# Sort by risk score
vulns.sort(key=lambda x: x["risk_score"], reverse=True)
```
**CISA KEV (Known Exploited Vulnerabilities) Check:**
```python
import requests

kev_response = requests.get(
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    timeout=30,
)
kev_response.raise_for_status()
kev_data = kev_response.json()
cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]}

# Check if vulnerability is actively exploited
def is_actively_exploited(cve_id):
    return cve_id in cisa_kev_list
```
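The prioritization logic of this step, run end to end on constructed input, as an added example that is not code from the original page. It parses a small Nessus-style CSV export (column names follow the Nessus CSV layout, the rows are made up), looks up asset criticality, applies the KEV boost and sorts by risk score. The criticality multipliers, the asset inventory and the KEV subset are assumptions; the example also handles two edge cases the page's snippet does not: an empty CVSS cell on informational plugins, and a CVE cell listing several IDs.

```python
import csv
import io

# Criticality multipliers are assumed example weights, not values from the page.
CRITICALITY_MULTIPLIER = {
    "mission-critical": 2.0,
    "business-critical": 1.5,
    "standard": 1.0,
    "development": 0.7,
}
KEV_BOOST = 1.5  # the boost the page applies to CISA KEV entries

# Constructed Nessus-style CSV export; column names follow the Nessus CSV layout.
SAMPLE_EXPORT = """Plugin ID,CVE,CVSS v3.0 Base Score,Risk,Host,Name
10001,CVE-2021-44228,10.0,Critical,10.0.1.10,Apache Log4j Remote Code Execution
10002,CVE-2023-0001,8.8,High,10.0.1.10,Example RCE without known exploit
10003,,,Info,10.0.2.20,SSH Server Banner
10004,CVE-2020-9999,5.3,Medium,10.0.3.30,Example information disclosure
"""

# Constructed asset inventory ({ip: criticality}) and KEV catalogue subset.
ASSET_INVENTORY = {"10.0.1.10": "business-critical", "10.0.2.20": "development"}
CISA_KEV = {"CVE-2021-44228"}


def parse_cvss(value):
    """Informational plugins leave the score blank; treat blank or junk as 0.0."""
    try:
        return float(value) if value and value.strip() else 0.0
    except ValueError:
        return 0.0


def split_cves(value):
    """A CVE cell may hold several comma-separated IDs; return them as a list."""
    return [c.strip() for c in (value or "").split(",") if c.strip()]


def risk_score(cvss, criticality, cves, kev):
    """CVSS weighted by asset criticality, boosted when any listed CVE is in KEV."""
    score = cvss * CRITICALITY_MULTIPLIER.get(criticality, 1.0)
    if any(c in kev for c in cves):
        score *= KEV_BOOST
    return round(score, 1)


def prioritize(csv_text, inventory, kev):
    """Parse a Nessus CSV export and return findings sorted by descending risk score."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cvss = parse_cvss(row.get("CVSS v3.0 Base Score"))
        cves = split_cves(row.get("CVE"))
        criticality = inventory.get(row["Host"], "standard")  # unknown hosts default to standard
        findings.append({
            "host": row["Host"],
            "plugin_name": row["Name"],
            "severity": row["Risk"],
            "cvss": cvss,
            "cve": ", ".join(cves) if cves else "N/A",
            "asset_criticality": criticality,
            "kev": any(c in kev for c in cves),
            "risk_score": risk_score(cvss, criticality, cves, kev),
        })
    # Sort by risk score, then CVSS, so equal-risk findings keep a deterministic order
    findings.sort(key=lambda f: (f["risk_score"], f["cvss"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_EXPORT, ASSET_INVENTORY, CISA_KEV):
        print(f"{f['risk_score']:>5}  {f['host']:<12} {f['cve']:<16} KEV={f['kev']}  {f['plugin_name']}")
```

Note how the ordering changes versus raw CVSS: the 8.8 finding on the business-critical host outranks the 5.3 finding on a standard host by a wider margin than CVSS alone suggests, and the KEV entry moves to the top regardless of asset class.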
Step 3: Define Remediation SLAs
Apply SLA-based remediation timelines:
| Priority | CVSS Range | Asset Type | SLA | Examples |
|---|---|---|---|---|
| P1 Critical | 9.0-10.0 + KEV | All assets | 24 hours | Log4Shell, EternalBlue on prod servers |
| P2 High | 7.0-8.9 or 9.0+ non-KEV | Business-critical | 7 days | RCE without known exploit |
| P3 Medium | 4.0-6.9 | Business-critical | 30 days | Authenticated privilege escalation |
| P4 Low | 0.1-3.9 | Standard | 90 days | Information disclosure, low-impact DoS |
| P5 Informational | 0.0 | Development | Next cycle | Best practice findings, config hardening |
Step 4: Integrate with SIEM for Exploitation Detection
Correlate vulnerability scan data with SIEM alerts to detect active exploitation:
```spl
index=vulnerability sourcetype="nessus:scan"
| eval vuln_key = Host.":".CVE
| join vuln_key type=left [
    search index=ids_ips sourcetype="snort" OR sourcetype="suricata"
    | eval vuln_key = dest_ip.":".cve_id
    | stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt by vuln_key
]
| where isnotnull(exploit_attempts)
| eval risk = "CRITICAL — Vulnerability being actively exploited"
| sort - exploit_attempts
| table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk
```
Alert when KEV vulnerabilities are detected on critical assets:
```spl
index=vulnerability sourcetype="nessus:scan" severity="Critical"
| lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date
| where kev_status="active"
| lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality
| where criticality IN ("business-critical", "mission-critical")
| table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality
```
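The same two correlations as plain Python over sample data, as an added example that is not part of the original page, for teams that want to test the join logic outside Splunk or run it in a SOAR playbook. The findings list has the shape Step 2 produces; the IDS alerts are constructed EVE-style JSON lines, and the `alert.metadata.cve` field they carry is an assumption (map it to wherever your ruleset records CVE IDs). The first function reproduces the `stats count, latest(_time) by vuln_key` aggregation, the second the host:CVE join that keeps only findings seen under attack, and the third the KEV-on-critical-assets filter.

```python
import json
from datetime import datetime

# Constructed vulnerability findings, the shape the Step 2 code produces.
VULNS = [
    {"host": "10.0.1.10", "cve": "CVE-2021-44228", "plugin_name": "Apache Log4j RCE", "cvss": 10.0},
    {"host": "10.0.1.10", "cve": "CVE-2023-0001", "plugin_name": "Example RCE", "cvss": 8.8},
    {"host": "10.0.3.30", "cve": "CVE-2020-9999", "plugin_name": "Example info disclosure", "cvss": 5.3},
]

# Constructed IDS alerts in an EVE-style JSON-lines layout. The alert.metadata.cve
# list is an assumed field. The 10.0.9.9 alert has no matching finding, one alert
# carries no CVE, and the last line is not an alert at all.
IDS_LOG = """\
{"timestamp":"2024-03-15T10:00:00+0000","event_type":"alert","dest_ip":"10.0.1.10","alert":{"signature":"EXPLOIT Log4j JNDI attempt","metadata":{"cve":["CVE-2021-44228"]}}}
{"timestamp":"2024-03-15T11:30:00+0000","event_type":"alert","dest_ip":"10.0.1.10","alert":{"signature":"EXPLOIT Log4j JNDI attempt","metadata":{"cve":["CVE-2021-44228"]}}}
{"timestamp":"2024-03-15T09:15:00+0000","event_type":"alert","dest_ip":"10.0.9.9","alert":{"signature":"EXPLOIT Log4j JNDI attempt","metadata":{"cve":["CVE-2021-44228"]}}}
{"timestamp":"2024-03-15T12:00:00+0000","event_type":"alert","dest_ip":"10.0.3.30","alert":{"signature":"Example info disclosure probe","metadata":{"cve":["CVE-2020-9999"]}}}
{"timestamp":"2024-03-15T12:05:00+0000","event_type":"alert","dest_ip":"10.0.3.30","alert":{"signature":"Generic scanner user-agent","metadata":{}}}
{"timestamp":"2024-03-15T12:06:00+0000","event_type":"flow","dest_ip":"10.0.3.30"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def exploit_attempts(ids_log):
    """Aggregate alerts into {(dest_ip, cve): (count, latest_time)}, like the SPL stats clause."""
    attempts = {}
    for line in ids_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        ts = parse_ts(event["timestamp"])
        for cve in event.get("alert", {}).get("metadata", {}).get("cve", []):
            key = (event["dest_ip"], cve)
            count, latest = attempts.get(key, (0, None))
            attempts[key] = (count + 1, ts if latest is None or ts > latest else latest)
    return attempts


def correlate(vulns, ids_log):
    """Join findings with attempts on host:CVE and keep only those seen under attack."""
    attempts = exploit_attempts(ids_log)
    hits = []
    for v in vulns:
        key = (v["host"], v["cve"])
        if key not in attempts:
            continue
        count, latest = attempts[key]
        hits.append({**v, "exploit_attempts": count, "last_exploit_attempt": latest.isoformat(),
                     "risk": "CRITICAL - Vulnerability being actively exploited"})
    hits.sort(key=lambda h: h["exploit_attempts"], reverse=True)
    return hits


def kev_on_critical_assets(vulns, kev, inventory):
    """Second query: KEV entries present on business- or mission-critical assets."""
    return [v for v in vulns
            if v["cve"] in kev and inventory.get(v["host"]) in ("business-critical", "mission-critical")]


if __name__ == "__main__":
    for h in correlate(VULNS, IDS_LOG):
        print(f"{h['host']} {h['cve']} attempts={h['exploit_attempts']} last={h['last_exploit_attempt']}")
```

The alert against 10.0.9.9 is dropped because no finding exists for that host, which is the behaviour of the SPL above (the search starts from the vulnerability index); if you also want attempts against hosts the scanner never saw, start from the IDS side instead.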
Step 5: Build Remediation Tracking Dashboard
Splunk Dashboard for Vulnerability Metrics:
Open vulnerabilities by severity:
```spl
index=vulnerability sourcetype="nessus:scan" status="open"
| stats count by severity
| eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3,
    severity="Low", 4, 1=1, 5)
| sort order
```
SLA compliance tracking:
```spl
index=vulnerability sourcetype="nessus:scan" status="open"
| eval sla_days = case(
    severity="Critical", 1,
    severity="High", 7,
    severity="Medium", 30,
    severity="Low", 90
)
| eval days_open = round((now() - first_detected) / 86400)
| eval sla_status = if(days_open > sla_days, "OVERDUE", "Within SLA")
| stats count by severity, sla_status
```
Remediation trend over 90 days:
```spl
index=vulnerability sourcetype="nessus:scan"
| eval is_open = if(status="open", 1, 0)
| eval is_closed = if(status="fixed", 1, 0)
| timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated
```
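The Step 3 SLA table and the Step 5 SLA-compliance search implemented together in Python, as an added example that is not code from the original page. `assign_priority` transcribes the table's tiers from CVSS range and KEV status; `sla_status` applies the dashboard's `days_open > sla_days` test; `compliance_summary` produces the per-tier "% within SLA (n overdue)" figures the report format shows. The findings and the reference time are constructed. One assumption: the table's asset-type column is not enforced here, the tier is derived from CVSS and KEV alone.

```python
from collections import defaultdict
from datetime import datetime, timezone

# SLA in days per tier, from the Step 3 table (None = next cycle, no deadline).
TIERS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90, "P5": None}


def assign_priority(cvss, kev):
    """Return (tier, sla_days) for a finding, following the Step 3 table."""
    if cvss >= 9.0 and kev:
        tier = "P1"
    elif cvss >= 7.0:           # 7.0-8.9, or 9.0+ without a KEV entry
        tier = "P2"
    elif cvss >= 4.0:
        tier = "P3"
    elif cvss > 0.0:
        tier = "P4"
    else:
        tier = "P5"
    return tier, TIERS[tier]


def sla_status(first_detected, now, sla_days):
    """Mirror the dashboard's days_open > sla_days test; P5 has no deadline."""
    if sla_days is None:
        return "Next cycle"
    days_open = (now - first_detected).days
    return "OVERDUE" if days_open > sla_days else "Within SLA"


def compliance_summary(findings, now):
    """Per-tier counts and percentage within SLA, as in the report's SLA Compliance section."""
    counts = defaultdict(lambda: {"within_sla": 0, "overdue": 0})
    for f in findings:
        tier, sla_days = assign_priority(f["cvss"], f["kev"])
        status = sla_status(f["first_detected"], now, sla_days)
        if status == "Within SLA":
            counts[tier]["within_sla"] += 1
        elif status == "OVERDUE":
            counts[tier]["overdue"] += 1
    summary = {}
    for tier, c in counts.items():
        total = c["within_sla"] + c["overdue"]
        summary[tier] = {**c, "pct_within_sla": round(100 * c["within_sla"] / total)}
    return summary


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed open findings; timestamps are first-detection times in UTC.
FINDINGS = [
    {"cvss": 9.8, "kev": True,  "first_detected": utc("2024-03-14T00:00:00")},  # P1, 2 days open
    {"cvss": 9.8, "kev": False, "first_detected": utc("2024-03-12T00:00:00")},  # P2, 4 days open
    {"cvss": 7.5, "kev": False, "first_detected": utc("2024-03-01T00:00:00")},  # P2, 15 days open
    {"cvss": 5.0, "kev": False, "first_detected": utc("2024-02-20T00:00:00")},  # P3, 25 days open
    {"cvss": 2.0, "kev": False, "first_detected": utc("2023-12-01T00:00:00")},  # P4, 106 days open
    {"cvss": 0.0, "kev": False, "first_detected": utc("2024-03-10T00:00:00")},  # P5, no SLA
]
NOW = utc("2024-03-16T02:00:00")  # the report's scan time

if __name__ == "__main__":
    for tier, c in sorted(compliance_summary(FINDINGS, NOW).items()):
        print(f"{tier}: {c['pct_within_sla']}% within SLA ({c['overdue']} overdue)")
```

Keep the tier thresholds in one place: the SPL `case()` in the dashboard, the ticket SLA text in Step 6 and this function must agree, or the dashboard will report compliance against a different clock than the one the ticket promised.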
Step 6: Automate Remediation Ticketing
Create tickets automatically for high-priority findings:
```python
import os

import requests

servicenow_url = "https://company.service-now.com/api/now/table/incident"
snow_token = os.environ["SNOW_TOKEN"]  # OAuth bearer token for the ServiceNow integration user
headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {snow_token}"
}

# vulns is the prioritized list built in Step 2
for vuln in vulns:
    if vuln["risk_score"] >= 8.0:
        ticket = {
            "short_description": f"[VULN] {vuln['cve']} — {vuln['plugin_name']} on {vuln['host']}",
            "description": (
                f"Vulnerability: {vuln['plugin_name']}\n"
                f"CVE: {vuln['cve']}\n"
                f"CVSS: {vuln['cvss']}\n"
                f"Host: {vuln['host']}\n"
                f"Asset Criticality: {vuln['asset_criticality']}\n"
                f"CISA KEV: {'YES' if vuln['kev'] else 'NO'}\n"
                f"Risk Score: {vuln['risk_score']}\n"
                f"Remediation SLA: {'24 hours' if vuln['kev'] else '7 days'}"
            ),
            "urgency": "1" if vuln["kev"] else "2",
            "impact": "1" if vuln["asset_criticality"] == "business-critical" else "2",
            "assignment_group": "IT Infrastructure",
            "category": "Vulnerability"
        }
        response = requests.post(servicenow_url, headers=headers, json=ticket, timeout=30)
        response.raise_for_status()
        print(f"Ticket created: {response.json()['result']['number']}")
```
Key Concepts
| Term | Definition |
|---|---|
| CVSS | Common Vulnerability Scoring System — standardized severity rating (0-10) for vulnerabilities |
| CISA KEV | Known Exploited Vulnerabilities catalog — CISA-maintained list of vulnerabilities with confirmed active exploitation |
| Credentialed Scan | Vulnerability scan using authenticated access for deeper detection than network-only scanning |
| Asset Criticality | Business impact classification determining remediation priority (mission-critical, business-critical, standard) |
| Remediation SLA | Service Level Agreement defining maximum time allowed to patch vulnerabilities by severity |
| EPSS | Exploit Prediction Scoring System — ML-based probability score predicting likelihood of exploitation |
Tools & Systems
- Tenable Nessus / Tenable.io: Enterprise vulnerability scanner with 200,000+ plugin checks and compliance auditing
- Qualys VMDR: Cloud-based vulnerability management with asset discovery, prioritization, and patching integration
- OpenVAS (Greenbone): Open-source vulnerability scanner with community-maintained vulnerability feed
- CISA KEV Catalog: US government maintained list of actively exploited vulnerabilities requiring mandatory remediation
- Rapid7 InsightVM: Vulnerability management platform with live dashboards and remediation project tracking
Common Scenarios
- Zero-Day Response: New CVE published — run targeted scan for affected software, cross-reference with KEV and exploit databases
- Compliance Audit Prep: Generate PCI DSS or HIPAA vulnerability report showing scan coverage and remediation status
- Post-Patch Verification: Rescan patched systems to confirm vulnerability closure and update tracking dashboard
- Network Expansion: New subnet added to infrastructure — onboard to scan scope with appropriate policy
- Third-Party Risk: Scan externally-facing assets to validate vendor patch compliance before integration
Output Format
```text
VULNERABILITY SCAN REPORT — Weekly Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scan Date: 2024-03-16 02:00 UTC
Scan Scope: 10.0.0.0/16 (1,247 hosts scanned)
Duration: 4h 23m
Coverage: 98.7% (16 hosts unreachable)

Findings:
  Severity   Count    New   CISA KEV
  Critical      23      5          3
  High         187     34         12
  Medium       892     78          0
  Low        1,456    112          0
  Info       3,891    201          0

Top Priority (P1 — 24hr SLA):
  CVE-2024-21762  FortiOS RCE             3 hosts   KEV: YES
  CVE-2024-1709   ConnectWise RCE         1 host    KEV: YES
  CVE-2024-3400   Palo Alto PAN-OS RCE    2 hosts   KEV: YES

SLA Compliance:
  Critical: 82% within SLA (4 overdue)
  High: 91% within SLA (17 overdue)
  Medium: 88% within SLA (107 overdue)

Tickets Created: 39 (ServiceNow)
```