Custom Integration: Vulnerability Ticketing Workflow

Overview

This custom integration fetches high-risk vulnerabilities from runZero, opens a case for each new CVE-asset pair by sending a POST to an external system (such as a ticketing or workflow platform), and tags the asset in runZero to record that a ticket was created.

The workflow ensures each CVE on an asset is only ticketed once, using a tag like CVE-2024-1234=OPENED.

Prerequisites

  • runZero:

    • Superuser access to Custom Integrations.
    • API token (access_secret) to access vulnerability exports and update asset tags.
  • External Ticketing System:

    • An HTTP endpoint to receive ticket payloads (e.g., a Sumo Logic HTTP collector or custom webhook server).

Configuration

Script Variables

Variable              Description
WORKFLOW_ENDPOINT     URL where the POST request should send new CVE-asset tickets (e.g., Sumo Logic HTTP source URL).
VULNERABILITY_SEARCH  runZero search string for vulnerabilities to act on (e.g., risk:critical).

Update the WORKFLOW_ENDPOINT value inside the script before deploying.

How the Script Works

  1. Fetch Vulnerabilities
    Queries the runZero API for vulnerabilities matching the VULNERABILITY_SEARCH filter.

  2. Aggregate Vulnerabilities
    Deduplicates by asset_id:cve to ensure only one ticket per asset per CVE.

  3. Post Ticket Payload
    Sends a JSON payload describing the asset and vulnerability to the configured WORKFLOW_ENDPOINT.

  4. Tag Asset
    Updates the asset in runZero by tagging it with the CVE ID (e.g., CVE-2024-1234=OPENED).

  5. Skip if Already Ticketed
    Assets already tagged with the CVE are skipped to avoid duplicate tickets.
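
The five steps above, as an added Python example that is not the project's script: it deduplicates findings by asset_id:cve, skips pairs already carrying the CVE=OPENED tag, builds the JSON body described under Payload Example, and tags the asset after the POST. The runZero API and the WORKFLOW_ENDPOINT POST are stood in for by two assumed callables (post_ticket, update_tags) so it runs offline on constructed records.

```python
import json
TICKET_STATE = "OPENED"  # tag value from the README: CVE-2024-1234=OPENED

def build_payload(vuln, asset):
    # Field names follow the README's Payload Example.
    return {
        "asset_id": asset["id"],
        "cve": vuln["cve"],
        "tags": dict(asset.get("tags", {})),
        "vulnerability_name": vuln.get("name", ""),
        "vulnerability_exploitable": bool(vuln.get("exploitable", False)),
        "os_vendor": asset.get("os_vendor", ""),
        "os_product": asset.get("os_product", ""),
        "addresses": list(asset.get("addresses", [])),
        "names": list(asset.get("names", [])),
        "macs": list(asset.get("macs", [])),
    }

def process(vulns, assets, post_ticket, update_tags):
    # post_ticket(json_str) / update_tags(asset_id, tags) are assumed stand-ins
    # for the WORKFLOW_ENDPOINT POST and the runZero asset tag update.
    seen, ticketed = set(), []
    for v in vulns:
        key = "%s:%s" % (v["asset_id"], v["cve"])   # step 2: one ticket per asset_id:cve
        if key in seen:
            continue
        seen.add(key)
        asset = assets[v["asset_id"]]
        tags = asset.setdefault("tags", {})
        if tags.get(v["cve"]) == TICKET_STATE:       # step 5: ticketed on an earlier run
            continue
        post_ticket(json.dumps(build_payload(v, asset)))    # step 3
        update_tags(asset["id"], {v["cve"]: TICKET_STATE})  # step 4
        tags[v["cve"]] = TICKET_STATE                       # mirror the new tag locally
        ticketed.append(key)
    return ticketed

SAMPLE_ASSETS = {  # constructed sample data, not real runZero output
    "a1": {"id": "a1", "tags": {"env": "prod"}, "os_vendor": "Canonical", "os_product": "Ubuntu",
           "addresses": ["192.168.1.10"], "names": ["web01.local"], "macs": ["00:11:22:33:44:55"]},
    "a2": {"id": "a2", "tags": {"CVE-2024-1234": "OPENED"}, "addresses": ["192.168.1.11"]},
}
SAMPLE_VULNS = [  # second row is a duplicate finding; last row is already ticketed
    {"asset_id": "a1", "cve": "CVE-2024-1234", "name": "Example flaw", "exploitable": True},
    {"asset_id": "a1", "cve": "CVE-2024-1234", "name": "Example flaw", "exploitable": True},
    {"asset_id": "a1", "cve": "CVE-2024-9999", "name": "Second flaw", "exploitable": False},
    {"asset_id": "a2", "cve": "CVE-2024-1234", "name": "Example flaw", "exploitable": True},
]

def demo():
    sent, tagged = [], []
    assets = json.loads(json.dumps(SAMPLE_ASSETS))  # fresh copy so repeated runs start clean
    keys = process(SAMPLE_VULNS, assets, sent.append, lambda aid, t: tagged.append((aid, t)))
    return keys, [json.loads(s) for s in sent], tagged
```

Running demo() tickets only the two new pairs on asset a1; the second payload already carries the CVE-2024-1234=OPENED tag set by the first, which is the state the next scheduled run will see.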

Payload Example

When a new CVE-asset match is detected, the integration sends a POST with the following JSON payload:

{
  "asset_id": "UUID of asset",
  "cve": "CVE-2024-1234",
  "tags": {"existing_tag": "value"},
  "vulnerability_name": "Description of the CVE",
  "vulnerability_exploitable": true,
  "os_vendor": "Vendor Name",
  "os_product": "OS Product Name",
  "addresses": ["192.168.1.10"],
  "names": ["hostname.local"],
  "macs": ["00:11:22:33:44:55"]
}

Deployment Steps

  1. Create a Credential in runZero:

    • Go to Credentials.
    • Create a Custom Integration Script Secrets credential.
    • Store your runZero API token in the access_secret field.
  2. Create the Custom Integration:

    • Go to Custom Integrations.
    • Name the integration (e.g., vuln-ticketing-workflow).
    • Paste this script.
    • Click Validate and Save.
  3. Schedule the Integration:

    • Go to Ingest.
    • Create a new task linked to this custom integration.
    • Select the credential you created.
    • Set a schedule (e.g., run hourly or daily).

Notes

  • Ensure your external workflow system can ingest JSON POST requests.
  • This script expects that runZero asset tags are used consistently and that no other system overwrites them.
  • If you want to handle closing/removing tickets when vulnerabilities are remediated, you will need additional logic.