Created
September 14, 2015 22:21
Get-QualysNotificationData
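function Get-NotificationData {
    <#
    .SYNOPSIS
    Builds one notification record per vulnerable host and responsible Unit Manager.
    .DESCRIPTION
    Loads the cached business-unit and asset-group exports, asks Get-VulnerableHost
    for every host affected by the given QID(s) and Get-KnowledgebaseInfo for the
    matching knowledge-base entries, then joins them:
    host asset-group title -> asset-group record -> business-unit user with the
    same userlogin. Only asset-group records whose userrole is "Unit Manager"
    produce output.
    .PARAMETER QID
    One to twenty Qualys IDs to search for.
    .PARAMETER credential
    Credential handed on to Get-VulnerableHost and Get-KnowledgebaseInfo.
    .OUTPUTS
    PSObject with the properties businessunitinfo, assetgroupinfo, vulnerablehost
    and QualysKBInfo (the first two are hashtables).
    #>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a credential obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    # Each of these XML files is regenerated every night (or on a set schedule).
    # NOTE(review): these two files decide which user login and e-mail address is
    # attached to each vulnerable host, and Import-Clixml rebuilds whatever objects
    # the file describes. Keep the directory writable only by the job that
    # generates the exports.
    $businessunitinfo = @(Import-Clixml -Path C:\randompath\QualysData\businessunitinfo.xml)
    $assetgroupinfo = @(Import-Clixml -Path C:\randompath\QualysData\assetgroupinfo.xml)

    $vulnerableHostInfo = Get-VulnerableHost -assetgroup "All" -QID $QID -credential $credential
    $knowledgeBaseInfo = Get-KnowledgebaseInfo -QID $QID -credential $credential

    # Collect through the foreach expression instead of "+=" so the result array is
    # not re-allocated for every record.
    $vulnhostobject = foreach ($vulnhost in $vulnerableHostInfo) {

        # The original inner loop ran once per ipaddress value, so a host without
        # an IP address produced nothing; keep that.
        if (-not $vulnhost.ipaddress) { continue }

        # A host in exactly one asset group carries a plain string here. Indexing
        # that string would compare single characters with the group title and
        # never match, so always treat the value as a list.
        $hostGroupTitles = @($vulnhost.assetgroup)

        foreach ($assetgroup in $assetgroupinfo) {

            if ($assetgroup.userrole -ne "Unit Manager") { continue }

            foreach ($title in $hostGroupTitles) {

                if ($title -ne $assetgroup.assetgrouptitle) { continue }

                # Enumerate the business units directly. The original index loop
                # used -le and read one element past the end of the list.
                foreach ($unit in $businessunitinfo) {

                    if ($assetgroup.userlogin -ne $unit.userlogin) { continue }

                    $props = @{
                        businessunitinfo = @{
                            businessunit = $unit.businessunit
                            userlogin    = $unit.userlogin
                            firstname    = $unit.firstname
                            lastname     = $unit.lastname
                            title        = $unit.title
                            email        = $unit.email
                            userrole     = $unit.userrole
                        }
                        assetgroupinfo = @{
                            userlogin       = $assetgroup.userlogin
                            userrole        = $assetgroup.userrole
                            assetgrouptitle = $assetgroup.assetgrouptitle
                            ip              = $assetgroup.ip
                        }
                        vulnerablehost = $vulnhost
                        QualysKBInfo   = $knowledgeBaseInfo
                    }

                    New-Object PSObject -Property $props
                }
            }
        }
    }

    return $vulnhostobject
}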
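function Get-VulnerableHost ()
{
    <#
    .SYNOPSIS
    Queries QualysGuard asset_search.php for a host or hosts with a specific vulnerability
    .DESCRIPTION
    Queries the API to find details about a specific host
    Takes input as an IP(s), Asset Group title (string), and specific QID (Vulnerability)
    .PARAMETER ip
    Specify a single or a comma separated list of IP addresses you are wanting to search
    .PARAMETER assetgroup
    Specifies a single or a comma separated list of Asset Groups you are wanting to search
    Default value is "All"
    NOTE(review): the code assigns no default; -ip or -assetgroup has to be supplied
    for a parameter set to be selected.
    .PARAMETER QID
    One to twenty Qualys IDs (vulnerability identifiers) to search for
    .PARAMETER Credential
    Specifies a set of credentials used to query the QualysGuard API
    .INPUTS
    You can pipe PSCustomObjects that have an IP, QID, assetgroup property(ies) to Get-VulnerableHost
    .EXAMPLE
    C:\PS> Get-VulnerableHost -ip "ipaddresses" -QID "105489" -credential $cred
    .EXAMPLE
    C:\PS> Get-VulnerableHost -assetgroup "assetgrouptitle" -QID "105489" -credential $cred
    .EXAMPLE
    C:\PS> $custompsobject | Get-VulnerableHost -credential $cred
    $custompsobject has two properties - IP and QID
    #>
    [cmdletbinding()]
    param (
        [parameter(ParameterSetName="set1",
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a single IP or a range of IPs")]
        [ValidateNotNullOrEmpty()]
        [string[]]$ip,

        [parameter(ParameterSetName="set2",
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter an Asset Group or comma seperated list of Asset Groups. Default is All")]
        [ValidateNotNullOrEmpty()]
        [string[]]$assetgroup,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a crednetial obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    # NOTE(review): the parameters accept pipeline input but the function has no
    # process block, so with several piped objects only the last one is bound when
    # this body runs.

    # Interpolating a string[] into a string joins the elements with spaces, which
    # produced a malformed query as soon as more than one value was passed.
    # Percent-encode every value (asset group titles contain spaces and
    # punctuation, and an unescaped "&" would start a new query parameter), then
    # join with the comma the help text describes.
    $qidList = ($QID | ForEach-Object { [uri]::EscapeDataString($_) }) -join ','

    $hosturl = @()

    if ($ip){
        $ipList = ($ip | ForEach-Object { [uri]::EscapeDataString($_) }) -join ','
        $hosturl = "https://qualysapi.qualys.com/msp/asset_search.php?target_ips=$ipList&vuln_qid=$qidList"
    }

    if ($assetgroup){
        $groupList = ($assetgroup | ForEach-Object { [uri]::EscapeDataString($_) }) -join ','
        $hosturl = "https://qualysapi.qualys.com/msp/asset_search.php?target_asset_groups=$groupList&vuln_qid=$qidList"
    }

    [xml]$assetinfo = Invoke-RestMethod -Uri $hosturl -Credential $credential

    # One output object per HOST element. Emitting from the foreach expression
    # avoids re-allocating the result array on every "+=".
    $vulnhostobject = foreach ($item in $assetinfo.SelectNodes("/ASSET_SEARCH_REPORT/HOST_LIST/HOST")){

        $objectproperties = @{
            ipaddress    = $($item.IP)
            dnsname      = $($item.DNS.InnerText)
            netbios      = $($item.NETBIOS.InnerText)
            ostype       = $($item.OPERATING_SYSTEM.InnerText)
            QID          = $($QID)
            # NOTE(review): this looks up a child of QID_LIST named after the QID
            # value, and $QID may hold several values - verify against the actual
            # response schema.
            QIDResult    = $($item.QID_LIST.$($QID).RESULT.InnerText)
            lastscandate = $($item.LAST_SCAN_DATE)
            # A string when the host is in one asset group, an array when it is in several.
            assetgroup   = $($item.ASSET_GROUPS.ASSET_GROUP_TITLE.InnerText)
        }

        New-Object PSObject -Property $objectproperties
    }#foreach loop

    return $vulnhostobject
}#Get-VulnerableHost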
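function Get-KnowledgebaseInfo ()
{
    <#
    .SYNOPSIS
    Downloads the QualysGuard knowledge-base entries for one or more QIDs
    .DESCRIPTION
    Calls knowledgebase_download.php with the given QID(s) and returns one object
    per VULN element of the response, carrying the title, severity, references,
    diagnosis/consequence/solution texts, compliance data and CVSS fields.
    .PARAMETER QID
    One to twenty Qualys IDs (vulnerability identifiers) to look up
    .PARAMETER credential
    Specifies a set of credentials used to query the QualysGuard API
    #>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a crednetial obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    # Interpolating a string[] joins its elements with spaces; build an explicit,
    # percent-encoded, comma separated list so several QIDs form a valid query and
    # no value can add query parameters of its own.
    $qidList = ($QID | ForEach-Object { [uri]::EscapeDataString($_) }) -join ','

    [xml]$vulninfo = Invoke-RestMethod -Uri "https://qualysapi.qualys.com/msp/knowledgebase_download.php?vuln_id=$qidList" -Credential $credential

    # The original appended to $vulninfoobject without ever initialising it (it
    # initialised $vulnhostobject instead), so the second "+=" tried to add two
    # PSObjects and failed. Collecting from the foreach expression returns every
    # VULN element.
    $vulninfoobject = foreach ($item in $vulninfo.SelectNodes("/VULNS/VULN")){

        $objectproperties = @{
            QID                         = $($item.QID)
            VULN_TYPE                   = $($item.VULN_TYPE.InnerText)
            SEVERITY_LEVEL              = $($item.SEVERITY_LEVEL)
            TITLE                       = $($item.TITLE.InnerText)
            CATEGORY                    = $($item.CATEGORY.InnerText)
            BUGTRAQ                     = $($item.BUGTRAQ_ID_LIST.BUGTRAQ_ID)
            PATCHABLE                   = $($item.PATCHABLE)
            VENDOR_REFERENCE            = $($item.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE.InnerText)
            CVE                         = $($item.CVE_ID_LIST)
            DIAGNOSIS                   = $($item.DIAGNOSIS.InnerText)
            CONSEQUENCE                 = $($item.CONSEQUENCE.InnerText)
            SOLUTION                    = $($item.SOLUTION.InnerText)
            COMPLIANCE_TYPE             = $($item.COMPLIANCE.COMPLIANCE_INFO.COMPLIANCE_TYPE.InnerText)
            COMPLIANCE_DESCRIPTION      = $($item.COMPLIANCE.COMPLIANCE_INFO.COMPLIANCE_DESCRIPTION.InnerText)
            EXPLOITABILITY              = $($item.CORRELATION.EXPLOITABILITY)
            MALWARE                     = $($item.CORRELATION.MALWARE)
            CVSS_BASE                   = $($item.CVSS_BASE)
            CVSS_TEMPORAL               = $($item.CVSS_TEMPORAL)
            CVSS_ACCESS_VECTOR          = $($item.CVSS_ACCESS_VECTOR)
            CVSS_ACCESS_COMPLEXITY      = $($item.CVSS_ACCESS_COMPLEXITY)
            CVSS_AUTHENTICATION         = $($item.CVSS_AUTHENTICATION)
            CVSS_CONFIDENTIALITY_IMPACT = $($item.CVSS_CONFIDENTIALITY_IMPACT)
            CVSS_INTEGRITY_IMPACT       = $($item.CVSS_INTEGRITY_IMPACT)
            CVSS_AVAILABILITY_IMPACT    = $($item.CVSS_AVAILABILITY_IMPACT)
            CVSS_EXPLOITABILITY         = $($item.CVSS_EXPLOITABILITY)
            CVSS_REMEDIATION_LEVEL      = $($item.CVSS_REMEDIATION_LEVEL)
            CVSS_REPORT_CONFIDENCE      = $($item.CVSS_REPORT_CONFIDENCE)
            PCI_FLAG                    = $($item.PCI_FLAG)
        }

        New-Object PSObject -Property $objectproperties
    }#foreach loop

    return $vulninfoobject
}#Get-KnowledgebaseInfo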
________________________________ | |
assetgroupinfo.xml | |
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> | |
<Obj RefId="0"> | |
<TN RefId="0"> | |
<T>System.Object[]</T> | |
<T>System.Array</T> | |
<T>System.Object</T> | |
</TN> | |
<LST> | |
<Obj RefId="1"> | |
<TN RefId="1"> | |
<T>System.Management.Automation.PSCustomObject</T> | |
<T>System.Object</T> | |
</TN> | |
<MS> | |
<S N="assetgrouptitle">West DC Assets (DC)</S> | |
<S N="userrole">Unit Manager</S> | |
<Obj N="ip" RefId="2"> | |
<TNRef RefId="0" /> | |
<LST> | |
<S>192.168.0.1</S> | |
<S>192.168.0.2</S> | |
<S>192.168.0.3</S> | |
</LST> | |
</Obj> | |
<S N="userlogin">login1</S> | |
</MS> | |
</Obj> | |
<Obj RefId="3"> | |
<TNRef RefId="1" /> | |
<MS> | |
<S N="assetgrouptitle">North DC Assets (DC)</S> | |
<S N="userrole">Unit Manager</S> | |
<Obj N="ip" RefId="4"> | |
<TNRef RefId="0" /> | |
<LST> | |
<S>192.168.0.4</S> | |
<S>192.168.0.15</S> | |
<S>192.168.0.17</S> | |
</LST> | |
</Obj> | |
<S N="userlogin">login2</S> | |
</MS> | |
</Obj> | |
<Obj RefId="5"> | |
<TNRef RefId="1" /> | |
<MS> | |
<S N="assetgrouptitle">South DC Assets (DC)</S> | |
<S N="userrole">Unit Manager</S> | |
<Obj N="ip" RefId="6"> | |
<TNRef RefId="0" /> | |
<LST> | |
<S>192.168.0.1</S> | |
<S>192.168.0.15</S> | |
</LST> | |
</Obj> | |
<S N="userlogin">login3</S> | |
</MS> | |
</Obj> | |
<Obj RefId="7"> | |
<TNRef RefId="1" /> | |
<MS> | |
<S N="assetgrouptitle">East DC Assets (DC)</S> | |
<S N="userrole">Unit Manager</S> | |
<Obj N="ip" RefId="8"> | |
<TNRef RefId="0" /> | |
<LST> | |
<S>192.168.0.4</S> | |
<S>192.168.0.15</S> | |
<S>192.168.0.17</S> | |
</LST> | |
</Obj> | |
<S N="userlogin">login2</S> | |
</MS> | |
</Obj> | |
</LST> | |
</Obj> | |
</Objs> | |
__________________________________________ | |
businessunitinfo.xml | |
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> | |
<Obj RefId="0"> | |
<TN RefId="0"> | |
<T>System.Object[]</T> | |
<T>System.Array</T> | |
<T>System.Object</T> | |
</TN> | |
<LST> | |
<Obj RefId="1"> | |
<TN RefId="1"> | |
<T>System.Management.Automation.PSCustomObject</T> | |
<T>System.Object</T> | |
</TN> | |
<MS> | |
<S N="userlogin">login1</S> | |
<S N="businessunit">North DC Assets (DC)</S> | |
<S N="lastname">McDonald</S> | |
<S N="userrole">Unit Manager</S> | |
<S N="email">something@something.com</S> | |
<S N="firstname">Old</S> | |
<S N="title">System Security Analyst</S> | |
</MS> | |
</Obj> | |
<Obj RefId="2"> | |
<TNRef RefId="1" /> | |
<MS> | |
<S N="userlogin">login2</S> | |
<S N="businessunit">EAST DC Assets (DC)</S> | |
<S N="lastname">McDonald</S> | |
<S N="userrole">Unit Manager</S> | |
<S N="email">something@something.com</S> | |
<S N="firstname">Old</S> | |
<S N="title">System Security Analyst</S> | |
</MS> | |
</Obj> | |
<Obj RefId="3"> | |
<TNRef RefId="1" /> | |
<MS> | |
<S N="userlogin">login3</S> | |
<S N="businessunit">WEST DC Assets (DC)</S> | |
<S N="lastname">McDonald</S> | |
<S N="userrole">Unit Manager</S> | |
<S N="email">something@something.com</S> | |
<S N="firstname">Old</S> | |
<S N="title">System Security Analyst</S> | |
</MS> | |
</Obj> | |
</LST> | |
</Obj> | |
</Objs> | |