NexposeEmailParser
Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server.
javascript · Rapid7 InsightVM
Source
var entries = executeCommand('getEntries', {}); var report = 0; if (!args.entryID) { for (var i = 0; i < entries.length; i++) { if (entries[i].File) { var entryIDFromInv = entries[i].ID; report = getFileByEntryID(entryIDFromInv); if (/$<NexposeReport/.exec(report)) { break; } } } } else { report = getFileByEntryID(args.entryID); } var contents = []; var nodes = report.split(/<\/node>/); for (var i=0; i < nodes.length; i++) { var nodeRegexp = /<node address="(.*)" status="(.*)" device-id="(.*)" site-name="(.*)" site-importance="(.*)" scan-template=".*" risk-score="(.*)">/g; var match = nodeRegexp.exec(nodes[i]); if (nodes[i] && match) { var testRegexp = /<test id=.*>/g ; var vulnCount = nodes[i].match(testRegexp) ? nodes[i].match(testRegexp).length : '0'; var data = { Address: match[1], Name: match[4], Risk: match[6], Status: match[2], Importance: match[5], Vulnerabilities: vulnCount }; if ((args.minRiskScore && args.minRiskScore <= data.Risk) || !args.minRiskScore) { if ((args.minVulnCount && args.minVulnCount <= data.Vulnerabilities) || !args.minVulnCount) { contents.push(data); var sev = "low"; if (data.Risk > 3000) { sev = "critical"; } else if (data.Risk > 2500) { sev = "high"; } else if (data.Risk > 2000) { sev = "medium"; } createNewIncident({ type: 'Nexpose alert', details: nodes[i], severity: sev, name: data.Address + ' vulnerability count ' + data.Vulnerabilities + ' risk score ' + data.Risk, systems: data.Address }); } } } } return [{Contents: contents, ContentsFormat: formats.table, Type: entryTypes.note}, closeInvestigation({Reason: 'Spawned ' + contents.length + ' child incidents'})];
README
Parses the Nexpose report into a clear table that contains risk scores and vulnerability counts for each server, and creates a new incident for each server.
Script Data
| Name | Description |
|---|---|
| Script Type | javascript |
| Tags | nexpose, ingestion |
Dependencies
This script uses the following commands and scripts.
- nexpose
Inputs
| Argument Name | Description |
|---|---|
| entryID | The ID of the entry containing the Nexpose report. If none is provided, the script will iterate and find a relevant entry. |
| minRiskScore | The Minimal Risk Score an item in the report needs to reach in order to trigger an incident. Leave this field empty to trigger for any risk score. |
| minVulnCount | The Minimal Vulnerability Count an item in the report needs to reach in order to trigger an incident. Leave this field empty to trigger for any count. |
| defaultNexposeSeverity | The severity to be set on the triggered incidents. |
Outputs
There are no outputs for this script.