3 Replies. Latest reply: Mar 21, 2017 6:12 AM by CodyDumont

How to recast a risk using Security Center API

aguida Novice

Hello,
Trying to obtain the correct risk valuation for our assets, we need to assign a different Severity to the same vulnerability plugin depending on the IP address of the asset and its corresponding repository. For example, a vulnerability considered Critical for an asset that is exposed to the Internet is not the same as for another asset that has the same vulnerability but is on the internal network with restricted access.
To do this, we created two repositories, "Internet Faced" and "Internal Network", and now we want to use the Security Center API to recast all the vulnerabilities detected on "Internal Network" assets, lowering them one level (for example, if the default severity for a plugin is Critical, we want to change it to High for "Internal Network" assets).
Is this possible using the Security Center API?
We reviewed the URL with the Web Inspector of Mozilla Firefox while doing a recast risk from the GUI, and obtained something similar to this:

First we obtain the token:

curl -s -k -X POST -d '{"username":"username","password":"password"}' -c sc_cookie.txt https://scserver/rest/token

{"type":"regular","response":{"lastLogin":"1490035370","lastLoginIP":"XXX.XXX.XXX.XXX","failedLogins":"1","failedLoginIP":"XXX.XXX.XXX.XXX","lastFailedLogin":"1490037677","token":Token,"unassociatedCert":"false"},"error_code":0,"error_msg":"","warnings":[],"timestamp":1490037694}
After that, we used the obtained URL with parameters (in this example, trying to change the Severity of "Windows Terminal Services Enabled", plugin 72387, from Info to Low):

curl -s -k -X POST -H "X-SecurityCenter: Token" -H 'Content-Type: application/json' -b sc_cookie.txt https://scserver/rest/recastRiskRule?{"name":"Windows Terminal Services Enabled","hostType":"all","plugin":{"id":"72387"},"protocol":"any","port":"any","newSeverity":{"id":1},"comments":"TestAPI","repositories":[{"id":3,"name":"Internal Network","description":"Internal Network","context":"","status":null,"createdTime":null,"modifiedTime":1489764096,"ipRange":"XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX","organizations":[],"correlation":[]}],"expires":-1}

But we obtain this response:

{"type":"regular","response":"","error_code":146,"error_msg":"The attribute 'repositories' is missing but should be a non-empty array.\n","warnings":[],"timestamp":1490036722}
We don't understand that response, because we are passing the "repositories" parameter with its corresponding values, all extracted and written identically to the URL obtained from "Recast Risk" in the web GUI.
Does anybody know how to do a recast from the API?
Thanks in advance,

Alejandro

  • Re: How to recast a risk using Security Center API
    CodyDumont Master

    While this is possible in the API, you don't need to. You should be able to just create a recast rule in the SecurityCenter GUI to take care of this issue.

    • Re: How to recast a risk using Security Center API
      aguida Novice

      Hi Cody,
      You are saying that it is possible to make a Recast Rule that recasts, for example, all "Critical" detected vulnerabilities on assets in the mentioned repository, "Internal Network", and changes them to "High"? Can you tell me in a few words how to do that?
      Furthermore, can you tell me how I can do a recast with the method mentioned before (an HTTP POST) in the right way? That is, why is the mentioned HTTP POST failing, saying that the attribute 'repositories' is missing, when I'm using that attribute in my HTTP POST?
      Thanks for your help.
      Regards,

      Alejandro

      • Re: How to recast a risk using Security Center API
        CodyDumont Master

        I don't think curl is the best thing for this, as recasting is on a per-PluginID basis. So if you want to recast all the Critical Severity plugins, you are going to have to get a list of said plugins each time the script is executed.
        So the script would first have to query all the critical plugins, then apply a recast similar to the one I have below.
        Tenable has a Professional Services team that can assist with API scripts.
        Here is the JSON to update one of my systems.
        {
          "name":"CentOS 6 : kernel (CESA-2017:0307)",
          "hostType":"asset",
          "hostValue":{"id":159},
          "plugin":{"id":"97389"},
          "protocol":"any",
          "port":"any",
          "newSeverity":{"id":3},
          "comments":"test",
          "repositories":[
            {
              "id":2,
              "name":"xxxx xxx",
              "description":"xxxx x xxxx xxxxxx",
              "context":"",
              "status":null,
              "createdTime":null,
              "modifiedTime":1464027284,
              "dataFormat":"IPv4",
              "type":"Local",
              "trendingDays":"360",
              "trendWithRaw":"true",
              "ipRange":"xx.xx.15.0/24,xx.xx.112.0-xx.xx.114.255",
              "organizations":[],
              "correlation":[]
            }
          ],
          "expires":-1
        }
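A worked version of the flow Cody describes and the original post attempts (get a token, list the plugins at a given severity in one repository, then post one recastRiskRule per plugin one level lower), as an added example that is not code from the thread or from Tenable. It sends the rule as the JSON request body rather than appended to the URL with "?", which is why the server can read "repositories" from it, and it assumes a /rest/analysis endpoint with the "sumid" tool whose results carry pluginID, name and severity.id (an assumption; that endpoint is not shown above). Server name, credentials and the repository id 3 are placeholders taken from the original post.

```python
import json
import urllib.request

def analysis_query(repository_id, severity_id, limit=500):
    """POST /rest/analysis body (assumed endpoint): distinct plugins ('sumid') of one severity in one repository."""
    filters = [{"filterName": "severity", "operator": "=", "value": str(severity_id)},
               {"filterName": "repository", "operator": "=", "value": [{"id": repository_id}]}]
    return {"type": "vuln", "sourceType": "cumulative",
            "query": {"type": "vuln", "tool": "sumid", "startOffset": 0,
                      "endOffset": limit, "filters": filters}}

def recast_rule(plugin_id, name, repository_id, new_severity_id, comment="API recast"):
    """POST /rest/recastRiskRule body in the shape the thread shows; the repository needs only its id."""
    return {"name": name, "hostType": "all", "plugin": {"id": str(plugin_id)},
            "protocol": "any", "port": "any", "newSeverity": {"id": new_severity_id},
            "comments": comment, "repositories": [{"id": repository_id}], "expires": -1}

def plan_recasts(analysis_response, repository_id):
    """One rule per plugin in the results, one level below its reported severity (0 Info stays Info)."""
    return [recast_rule(row["pluginID"], row["name"], repository_id,
                        max(0, int(row["severity"]["id"]) - 1))
            for row in analysis_response["response"]["results"]]

class SCClient:
    def __init__(self, base_url):
        self.base_url, self.token = base_url.rstrip("/"), None
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())  # keeps the session cookie

    def post(self, path, body):
        # JSON goes in the request body, not the URL; the token rides in X-SecurityCenter as in the thread
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        if self.token:
            req.add_header("X-SecurityCenter", str(self.token))
        with self.opener.open(req) as resp:  # the SC certificate must be trusted by this host
            reply = json.load(resp)
        if reply.get("error_code"):  # SC reports failures with a non-zero error_code, as in the thread
            raise RuntimeError(reply.get("error_msg"))
        return reply

    def login(self, username, password):
        self.token = self.post("/rest/token", {"username": username, "password": password})["response"]["token"]

def recast_repository(sc, repository_id, severity_id=4):  # severity ids: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
    """Query the repository's plugins at one severity and post a lowering rule for each; returns the rules."""
    rules = plan_recasts(sc.post("/rest/analysis", analysis_query(repository_id, severity_id)), repository_id)
    for rule in rules:
        sc.post("/rest/recastRiskRule", rule)
    return rules
```

Usage: sc = SCClient("https://scserver"); sc.login("username", "password"); recast_repository(sc, 3), run on a schedule so newly seen Critical plugins get a rule too.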