Today, let’s see a practical application of the Tenable.sc API analysis endpoint. We’ll take the list of known exploited vulnerabilities published by CISA and compare its CVEs against the results of our scans. This gives us a list of the unpatched CVEs in our network that should be prioritized, because they are being used in real-world attacks.
Known Exploited Vulnerabilities (KEV)
CISA kindly provides a CSV file with all the vulnerabilities in its catalog of known exploited vulnerabilities; we can download it here. The catalog is updated frequently, so download a fresh copy before each run rather than reusing an old file.
Tenable.sc Analysis API Endpoint
As we saw in previous posts, we can interact with the Analysis endpoint through the API; we just need to generate the access and secret keys as seen here and build the authentication header like this:
# API keys for a Tenable.sc user; keep them out of version control
# (read them from a secret store or environment variable in real use)
$accessKey = 'ACCESS_KEY_HERE'
$secretKey = 'SECRET_KEY_HERE'
$headers = @{}
$headers.Add("x-apikey", "accessKey=$accessKey;secretKey=$secretKey")
Filters
I’ll use just two filters for this request, lastSeen and severity:
# Filters applied:
# Last observed: within the last 7 days
# Severity: Medium, High, Critical
$filters = @(
@{"filterName"="lastSeen"; "operator"="="; "value"="0:7"},
@{"filterName"="severity"; "operator"="="; "value"="2,3,4"}
)
This will give us back all Medium, High and Critical vulnerabilities observed within the last 7 days (Tenable.sc severity IDs are 0 Info, 1 Low, 2 Medium, 3 High and 4 Critical, so the value 2,3,4 deliberately drops Info and Low).
Query
Now we build the query with the filters just defined, using the tool vulndetails:
$query = @{"tool"="vulndetails";
"createdTime"=0;
"modifiedTime"=0;
"name"="";
"description"="";
"type"="vuln";
"sortDir"="desc";
"context"="";
"startOffset"=0;
"endOffset"=99999;
"sortField"="severity";
"filters"=$filters
}
Request
We build the body:
$body = @{"sourceType"="cumulative";"type"="vuln";"query"=$query} | ConvertTo-Json -Compress -Depth 5
Then we make the request to the analysis endpoint:
# Tenable.sc URL (lab address; use your own console here)
$scURL = 'https://192.168.12.11'
# Get results from query
$result = Invoke-RestMethod -Uri "$scURL/rest/analysis" -Method Post -Headers $headers -Body $body -UseBasicParsing
$queryResult = $result.response
This gives us all vulnerability data for the last 7 days in the $queryResult variable; the individual records are in $queryResult.results. The response also carries totalRecords and returnedRecords, so it is worth checking that they are equal: if totalRecords is larger than our endOffset, the results were truncated and we need to page through the rest before matching.
Report unpatched KEV
Let’s make a CSV report with all the unpatched known exploited vulnerabilities detected in our scans. We extract just a few fields from the data and format them so they can be compared with the CSV list we downloaded from CISA.
# We get all vulnerabilities IP, CVEs, Name and pluginID.
# [PSCustomObject] keeps the property order, so no Select-Object is needed,
# and collecting the loop output avoids rebuilding the array on every +=
$resultFormatted = foreach ($record in $queryResult.results) {
    [PSCustomObject]@{
        'IP'       = $record.ip
        'CVE'      = $record.cve
        'pluginID' = $record.pluginID
        'Name'     = $record.pluginName
    }
}
Now we get the list of CVEs that appear both in the KEV file and in our DB:
# Get contents of KEV from CISA file
$kev = Import-Csv 'C:\KEV\known_exploited_vulnerabilities.csv'
# Get list of CVEs matching in our DB
$kevMatch = @()
foreach ( $vuln in $resultFormatted ) {
    # Some records have multiple CVEs in a single vulnerability;
    # trim each one in case the separator is followed by a space
    $individualCVE = $vuln.CVE -split "," | ForEach-Object { $_.Trim() }
    foreach ($i in $individualCVE) {
        if ( $i -in $kev.cveID ) {
            $kevMatch += $vuln
            # one row per host/plugin, even if several of its CVEs are in KEV
            break
        }
    }
}
That gives us the list of hosts with unpatched KEV CVEs in our scan data.
Lastly, we generate a CSV report with our findings; the output includes the IP, CVE, Name and plugin ID to help us with remediation:
#Prepare outputfile
$outputFile = 'C:\KEV\active_kev.csv'
#export to CSV all hosts with active CVEs from the KEV list
$kevMatch | Export-Csv -path $outputFile -NoTypeInformation
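Putting the steps above together, here is a complete version of the same workflow as an added example (not the original post's script). It goes a bit further than the post: it pages through the analysis endpoint instead of relying on a single large endOffset, checks the Tenable.sc error envelope, looks CVEs up in a hashtable built from the KEV file, and emits one row per matched KEV CVE together with the KEV vendor, product and remediation due date so the report can be sorted by deadline. The environment variable names, the local paths and the $PageSize parameter are assumptions for the example; the Tenable.sc fields used (ip, dnsName, port, pluginID, pluginName, cve, totalRecords, error_code) and the KEV columns (cveID, vendorProject, product, dueDate, dateAdded) are the ones the two sources publish, but verify them against your own CSV and console version.

```powershell
# Added example, not part of the original post.
# Assumed: API keys in TENABLE_SC_ACCESS_KEY / TENABLE_SC_SECRET_KEY,
# the Tenable.sc URL and the local KEV / output paths below.
$scURL      = 'https://192.168.12.11'
$kevPath    = 'C:\KEV\known_exploited_vulnerabilities.csv'
$outputFile = 'C:\KEV\active_kev.csv'

# Keys come from the environment instead of being hard-coded in the script
$headers = @{ 'x-apikey' = "accessKey=$($env:TENABLE_SC_ACCESS_KEY);secretKey=$($env:TENABLE_SC_SECRET_KEY)" }

# Hashtable keyed by upper-cased CVE ID: O(1) lookups and access to the KEV row
$kevById = @{}
foreach ($row in Import-Csv $kevPath) { $kevById[$row.cveID.Trim().ToUpper()] = $row }

function Get-ScVulnDetails {
    # Streams every vulndetails record matching the filters, one page at a time.
    # $PageSize is an illustrative name; Tenable.sc pages on startOffset/endOffset.
    param([int]$PageSize = 5000)

    $filters = @(
        @{ filterName = 'lastSeen'; operator = '='; value = '0:7' },   # seen in last 7 days
        @{ filterName = 'severity'; operator = '='; value = '2,3,4' }  # Medium, High, Critical
    )
    $offset = 0
    do {
        $query = @{
            tool = 'vulndetails'; type = 'vuln'; sortField = 'severity'; sortDir = 'desc'
            startOffset = $offset; endOffset = $offset + $PageSize; filters = $filters
            createdTime = 0; modifiedTime = 0; name = ''; description = ''; context = ''
        }
        $body = @{ sourceType = 'cumulative'; type = 'vuln'; query = $query } |
            ConvertTo-Json -Compress -Depth 5
        $resp = Invoke-RestMethod -Uri "$scURL/rest/analysis" -Method Post -Headers $headers `
            -Body $body -ContentType 'application/json'
        # Tenable.sc can answer HTTP 200 with an application-level error; fail loudly on it
        if ($resp.error_code -ne 0) { throw "Tenable.sc error $($resp.error_code): $($resp.error_msg)" }
        $page = $resp.response
        $page.results                 # emit this page's records to the caller
        $offset += $PageSize
    } while ($offset -lt [int]$page.totalRecords)   # stop once we have paged past the total
}

$rows = foreach ($record in Get-ScVulnDetails) {
    # A plugin can list several CVEs; emit one row per CVE that is in the KEV catalog
    foreach ($cve in ($record.cve -split ',')) {
        $id = $cve.Trim().ToUpper()
        if ($id -and $kevById.ContainsKey($id)) {
            $k = $kevById[$id]
            [PSCustomObject]@{
                IP            = $record.ip
                dnsName       = $record.dnsName
                port          = $record.port
                pluginID      = $record.pluginID
                Name          = $record.pluginName
                kevCVE        = $id
                vendorProject = $k.vendorProject
                product       = $k.product
                dateAdded     = $k.dateAdded
                dueDate       = $k.dueDate
            }
        }
    }
}

# Earliest CISA due date first, so the most overdue items lead the report
$rows | Sort-Object dueDate, IP | Export-Csv -Path $outputFile -NoTypeInformation
"$($rows.Count) KEV findings written to $outputFile"
```

Two practical notes: a console on a private address like the one above usually presents a self-signed certificate, so on PowerShell 7 add -SkipCertificateCheck to Invoke-RestMethod (or, better, install a trusted certificate on the console); and because the join is on individual CVE IDs, a host with one plugin covering ten CVEs of which two are in KEV produces exactly two rows, each naming the exploited CVE, which is what the remediation team needs rather than the full CVE string.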
Conclusion
All entries in the generated report should be marked as priority for remediation, as they are being actively exploited.
This is just a quick example of how to use the API to our advantage and add value to our reports. I hope you liked it and that it gave you ideas for your own uses of the Tenable.sc API!