I have discussed risk meter creation in a past blog; but what do you do with risk meters once they are created? In the Kenna Security GUI, the risk meters have a score and are shown with a nice graphic. This score is created by looking at all the vulnerabilities of the assets associated with the risk meter. You could drill down to find the risk meter vulnerabilities in the GUI, or you could write a program to dump the risk meter vulnerabilities into a CSV file.
Let’s review a couple of definitions:
- An Asset is a “thing” (a server, a router, a laptop, etc) that vulnerabilities are tied to.
- A Risk Meter (also known as an Asset Group) is a group of assets selected by search or filter criteria. Each Risk Meter has its own Vulnerability Risk Score, a measure of the security risk that group of assets poses to the organization.
As a security officer in your organization, you might want to customize a report for your management. This blog will discuss obtaining risk meter vulnerabilities via a program and start you on a path of customizing reports from risk meters.
The program, risk_meter_vulns.py, takes two input parameters:
- risk meter name (required)
- risk score fence (optional). If not specified, it defaults to zero (0).
At the beginning
Let’s start with main. After the command line parameters are parsed, and the KENNA_API_KEY is obtained, the risk meter name is verified and a dictionary with the risk meter name as the key and the query string as its value is returned. We will see why the query string is useful later on.
Next, the CSV file is opened and a writer() is created for it.
Finally, the code loops through all the risk meters in the risk meter dictionary. In this version of the code, there is only one risk meter in the dictionary; however, with the for loop, a collection of risk meters could be utilized.
Inside the for loop, a title is printed, then get_assets_in_risk_meter() obtains the assets associated with the risk meter along with the vulnerabilities for each asset.
Finding the risk meter
Since the Kenna Security API does not have a “Search Risk Meter” API, the code invokes the “List Risk Meters” API and searches for the risk meter name. This is done to verify that the risk meter exists with the specified risk meter name; and to obtain the query string.
In line 13, the “List Risk Meters” API is invoked. In line 19, the asset_groups (the risk meters) are extracted from the JSON response. Lines 22 to 24 search for a risk meter by name. If found, a dictionary with a single entry is returned: the key is the risk meter name and the value is its querystring.
Why return a dictionary instead of a tuple, you might ask? Because this function could later be replaced with one that returns all risk meters, and the calling code would not have to change beyond calling the different function. This was mentioned in the “At the beginning” section.
Get the assets associated with the risk meter
In get_assets_in_risk_meter(), the assets are obtained in page mode; see “Acquiring Vulnerabilities per Asset” for more information on page mode. With a page size of 5,000 and at most 20 pages, we can obtain up to 100,000 assets. Hopefully you don’t have more than 100,000 assets associated with a risk meter; if you do, this code will not obtain all of the vulnerabilities.
If you read over the Kenna Security API documentation, you’ll notice that when listing an asset group, you don’t get the assets associated with the asset group. Here is where the query string is important. My colleague, Stephan George, gave me this clue. To obtain the assets in an asset group or risk meter, you invoke the “Search Assets” API with the query string provided in the “List Asset Groups” API response.
Look at line 79 where the query_string is used along with the 5000 entries per page specification.
Now that we have the assets associated with the risk meter, we obtain the vulnerabilities for each asset.
Obtaining Vulnerabilities per Asset with Filtering
Notice in line 104 that the asset locator is written to the file. In line 107, get_vuln_info() is called to obtain the vulnerability information; the URL it uses to invoke the “Show Asset Vulnerabilities” API is built in line 106.
This code is similar to the code in page_asset_vulns.py, except that the vulnerabilities are filtered on an open status and on a risk score equal to or higher than the risk score fence.
If the vulnerability matches the criteria, it is placed in an array (line 52) for processing later.
For each vulnerability that matches the criteria of open status and a risk score at or above the fence, the code writes some vulnerability information into the CSV file.
The reason there are temporary variables is that the vulns_writer.writerow() statement in line 70 would otherwise become a very long line. I also left a debug print() statement in for your convenience. As you can see, the code writes the CVE ID along with the priority, threat, severity, risk score, and CVE description.
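The find, page, filter and write steps described in the three sections above, as an added example that is not the post's risk_meter_vulns.py. The HTTP call is injected as a parameter so the logic can be exercised offline; the endpoint paths, the X-Risk-Token header and the JSON field names (querystring, assets, status, risk_meter_score, cve_id, ...) are assumptions about the Kenna API, not taken from the post.

```python
"""Added example, not the post's risk_meter_vulns.py: find -> page -> filter -> CSV.
Endpoint paths, header name and JSON field names are assumptions about the Kenna API."""
import csv, json, os, sys
import urllib.parse, urllib.request

BASE = "https://api.kennasecurity.com"  # assumed base URL
PAGE_SIZE, MAX_PAGES = 5000, 20         # 5,000 per page x 20 pages = the post's 100,000-asset ceiling
FIELDS = ["cve_id", "priority", "threat", "severity", "risk_meter_score", "cve_description"]

def kenna_get(path):
    """Real transport: GET BASE+path, authenticating with the KENNA_API_KEY env var (never hardcode it)."""
    req = urllib.request.Request(BASE + path, headers={
        "X-Risk-Token": os.environ["KENNA_API_KEY"], "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def find_risk_meter(name, get=kenna_get):
    """List Risk Meters and match on name; returns {name: querystring} (empty if not found)."""
    for rm in get("/asset_groups")["asset_groups"]:
        if rm["name"] == name:
            return {name: rm["querystring"]}
    return {}

def assets_in_risk_meter(querystring, get=kenna_get):
    """Search Assets with the risk meter's query string, 5,000 per page, at most 20 pages."""
    assets = []
    for page in range(1, MAX_PAGES + 1):
        q = urllib.parse.urlencode({"q": querystring, "per_page": PAGE_SIZE, "page": page})
        batch = get(f"/assets/search?{q}")["assets"]
        assets.extend(batch)
        if len(batch) < PAGE_SIZE:        # short page: nothing left to fetch
            return assets
    print(f"warning: page cap reached; risk meter may exceed {PAGE_SIZE * MAX_PAGES} assets", file=sys.stderr)
    return assets

def open_vulns_at_or_above(asset_id, fence, get=kenna_get):
    """Show Asset Vulnerabilities, keeping only open vulns whose risk score is >= fence."""
    vulns = get(f"/assets/{asset_id}/vulnerabilities")["vulnerabilities"]
    return [v for v in vulns if v["status"] == "open" and v["risk_meter_score"] >= fence]

def write_report(name, out, fence=0, get=kenna_get):
    """Write one CSV row per matching vuln, prefixed with the asset locator; returns the row count."""
    writer, rows = csv.writer(out), 0
    writer.writerow(["locator"] + FIELDS)
    for _, qs in find_risk_meter(name, get).items():   # dict, so a multi-meter finder drops in unchanged
        for asset in assets_in_risk_meter(qs, get):
            for v in open_vulns_at_or_above(asset["id"], fence, get):
                writer.writerow([asset["locator"]] + [v[f] for f in FIELDS])
                rows += 1
    return rows
```

Against a live tenant, `write_report("Windows", open("Windows_vulns.csv", "w", newline=""), 70)` reproduces the post's command; the fence default of 0 matches the post's optional second parameter.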
Here is the output from the command: python risk_meter_vulns.py Windows 70__assets
The filtering can be changed; for example, priority could be used instead. The information written to the CSV file could also be modified for your customized reports. So go have some fun customizing.
The code samples are in the Kenna Security blog_samples repo.