@MSAdministrator
Created September 14, 2015 22:21
Get-QualysNotificationData
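function Get-NotificationData {
    <#
    .SYNOPSIS
    Builds one notification record for every vulnerable host / asset group / Unit Manager match.
    .DESCRIPTION
    Loads the cached business-unit and asset-group exports from disk, asks Get-VulnerableHost
    for the hosts in asset group "All" that are affected by the given QID, fetches the
    knowledge-base entry through Get-KnowledgebaseInfo, and joins the four data sets:
    a record is produced when a host's asset group title equals an asset-group record's
    title, that record has the role "Unit Manager", and its userlogin equals a
    business-unit record's userlogin.
    .PARAMETER QID
    One to twenty Qualys IDs; passed unchanged to Get-VulnerableHost and Get-KnowledgebaseInfo.
    .PARAMETER credential
    Credential passed unchanged to Get-VulnerableHost and Get-KnowledgebaseInfo.
    .OUTPUTS
    PSObject with the properties businessunitinfo and assetgroupinfo (hashtables),
    vulnerablehost (the host object) and QualysKBInfo (the knowledge-base result).
    .NOTES
    NOTE(review): both parameters accept pipeline input but there is no process block,
    so only the last piped object is bound when the body runs - confirm that is intended.
    #>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a credential obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    $vulnhostobject = @()

    # Each of these XML files is regenerated every night (or on some other schedule).
    # Import-Clixml rebuilds objects from whatever the files contain, and their content
    # decides which manager is matched to which vulnerable hosts, so the directory should
    # be writable only by the job that produces the exports.
    $businessunitinfo = Import-Clixml -Path C:\randompath\QualysData\businessunitinfo.xml
    $assetgroupinfo = Import-Clixml -Path C:\randompath\QualysData\assetgroupinfo.xml

    $vulnerableHostInfo = Get-VulnerableHost -assetgroup "All" -QID $QID -credential $credential
    $knowledgeBaseInfo = Get-KnowledgebaseInfo -QID $QID -credential $credential

    foreach ($vulnhost in $vulnerableHostInfo) {
        # A host that belongs to exactly one asset group carries a plain string here.
        # Indexing that string yields single characters, so it could never equal a
        # title; @() makes the one-group and many-group cases behave the same.
        $hostGroups = @($vulnhost.assetgroup)

        foreach ($assetgroup in $assetgroupinfo) {
            if ($assetgroup.userrole -ne "Unit Manager") { continue }

            foreach ($groupTitle in $hostGroups) {
                if (-not $groupTitle) { continue }
                if ($groupTitle -ne $assetgroup.assetgrouptitle) { continue }

                # Iterating the records directly replaces the former "-le count" index
                # loop, which ran one step past the last business-unit record.
                foreach ($unit in $businessunitinfo) {
                    if ($assetgroup.userlogin -ne $unit.userlogin) { continue }

                    $props = @{
                        businessunitinfo = @{
                            businessunit = $unit.businessunit
                            userlogin    = $unit.userlogin
                            firstname    = $unit.firstname
                            lastname     = $unit.lastname
                            title        = $unit.title
                            email        = $unit.email
                            userrole     = $unit.userrole
                        }
                        assetgroupinfo = @{
                            userlogin       = $assetgroup.userlogin
                            userrole        = $assetgroup.userrole
                            assetgrouptitle = $assetgroup.assetgrouptitle
                            ip              = $assetgroup.ip
                        }
                        # Get-VulnerableHost emits one object per HOST node with a single
                        # IP, so the host is attached once per match.
                        vulnerablehost = $vulnhost
                        QualysKBInfo   = $knowledgeBaseInfo
                    }
                    $vulnhostobject += New-Object PSObject -Property $props
                }
            }
        }
    }

    return $vulnhostobject
}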
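function Get-VulnerableHost
{
    <#
    .SYNOPSIS
    Queries QualysGuard asset_search.php for a host or hosts with a specific vulnerability
    .DESCRIPTION
    Queries the API to find details about a specific host.
    Takes input as IP(s) or Asset Group title(s), plus a specific QID (vulnerability).
    Every value is URL-encoded and multiple values are joined with commas before the
    request URL is built, so titles containing spaces, "&" or "=" cannot alter the query.
    .PARAMETER ip
    Specifies a single IP address or a list of IP addresses to search
    .PARAMETER assetgroup
    Specifies a single Asset Group or a list of Asset Groups to search.
    Default value is "All"
    .PARAMETER QID
    Specifies one to twenty Qualys IDs to search for
    .PARAMETER Credential
    Specifies a set of credentials used to query the QualysGuard API
    .INPUTS
    You can pipe PSCustomObjects that have an IP, QID, assetgroup property(ies) to Get-VulnerableHost
    .OUTPUTS
    One PSObject per HOST node with the properties ipaddress, dnsname, netbios, ostype,
    QID, QIDResult, lastscandate and assetgroup.
    .EXAMPLE
    C:\PS> Get-VulnerableHost -ip "ipaddresses" -QID "105489" -credential $cred
    .EXAMPLE
    C:\PS> Get-VulnerableHost -assetgroup "assetgrouptitle" -QID "105489" -credential $cred
    .EXAMPLE
    C:\PS> $custompsobject | Get-VulnerableHost -credential $cred
    $custompsobject has two properties - IP and QID
    .NOTES
    NOTE(review): there is no process block, so when several objects are piped in only
    the last one is bound when the body runs - confirm that is intended.
    NOTE(review): the /msp/ endpoints appear to be the older Qualys API generation;
    confirm they are still served for your subscription.
    #>
    # set2 is the default so that a call with neither -ip nor -assetgroup resolves to the
    # documented default of "All" instead of failing parameter-set resolution.
    [cmdletbinding(DefaultParameterSetName="set2")]
    param (
        [parameter(ParameterSetName="set1",
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a single IP or a range of IPs")]
        [ValidateNotNullOrEmpty()]
        [string[]]$ip,

        [parameter(ParameterSetName="set2",
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter an Asset Group or comma seperated list of Asset Groups. Default is All")]
        [ValidateNotNullOrEmpty()]
        [string[]]$assetgroup = "All",

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a crednetial obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    $vulnhostobject = @()

    # -ip and -assetgroup sit in different parameter sets, so exactly one target applies.
    if ($PSCmdlet.ParameterSetName -eq "set1") {
        $targetName = "target_ips"
        $targetValues = $ip
    }
    else {
        $targetName = "target_asset_groups"
        $targetValues = $assetgroup
    }

    # Interpolating an array into a string joins it with spaces and leaves reserved
    # characters untouched; encode each value and join with commas instead.
    $encodedTarget = (@($targetValues) | ForEach-Object { [System.Uri]::EscapeDataString([string]$_) }) -join ","
    # NOTE(review): whether vuln_qid accepts more than one id is not visible here - confirm.
    $encodedQid = (@($QID) | ForEach-Object { [System.Uri]::EscapeDataString([string]$_) }) -join ","

    $hosturl = 'https://qualysapi.qualys.com/msp/asset_search.php?{0}={1}&vuln_qid={2}' -f $targetName, $encodedTarget, $encodedQid

    [xml]$assetinfo = Invoke-RestMethod -Uri $hosturl -Credential $credential

    foreach ($item in $assetinfo.SelectNodes("/ASSET_SEARCH_REPORT/HOST_LIST/HOST")) {
        # One output object per HOST node.
        # NOTE(review): QIDResult looks up a child of QID_LIST named after the QID value;
        # verify that against the real response layout.
        $objectproperties = @{
            ipaddress    = $($item.IP)
            dnsname      = $($item.DNS.InnerText)
            netbios      = $($item.NETBIOS.InnerText)
            ostype       = $($item.OPERATING_SYSTEM.InnerText)
            QID          = $($QID)
            QIDResult    = $($item.QID_LIST.$($QID).RESULT.InnerText)
            lastscandate = $($item.LAST_SCAN_DATE)
            assetgroup   = $($item.ASSET_GROUPS.ASSET_GROUP_TITLE.InnerText)
        }
        $vulnhostobject += New-Object PSObject -Property $objectproperties
    }#foreach loop

    return $vulnhostobject
}#Get-VulnerableHost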
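function Get-KnowledgebaseInfo
{
    <#
    .SYNOPSIS
    Downloads the QualysGuard knowledge-base entries for one or more QIDs
    .DESCRIPTION
    Calls knowledgebase_download.php with the given QID(s) and turns every /VULNS/VULN
    node of the response into a PSObject. QIDs are URL-encoded and joined with commas
    before they are placed in the request URL.
    .PARAMETER QID
    Specifies one to twenty Qualys IDs to look up
    .PARAMETER credential
    Specifies a set of credentials used to query the QualysGuard API
    .OUTPUTS
    One PSObject per VULN node; the property names mirror the XML element names
    (QID, TITLE, SEVERITY_LEVEL, CVE, the CVSS_* fields, PCI_FLAG, ...).
    .NOTES
    NOTE(review): there is no process block, so when several objects are piped in only
    the last one is bound when the body runs - confirm that is intended.
    NOTE(review): the /msp/ endpoints appear to be the older Qualys API generation;
    confirm they are still served for your subscription.
    #>
    [cmdletbinding()]
    param (
        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please enter a QID (Qualys ID) to search for")]
        [ValidateCount(1,20)]
        [ValidateNotNullOrEmpty()]
        [string[]]$QID,

        [parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   HelpMessage="Please provide a crednetial obejct")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.CredentialAttribute()]$credential
    )

    # The accumulator must start as an array: without it the first "+=" stores a single
    # object and the second "+=" fails, so only one VULN entry was ever returned.
    $vulninfoobject = @()

    # Interpolating the QID array into the URL would join the ids with spaces; encode
    # each id and join with commas instead.
    # NOTE(review): confirm vuln_id accepts a comma-separated list.
    $encodedQid = (@($QID) | ForEach-Object { [System.Uri]::EscapeDataString([string]$_) }) -join ","
    $kburl = 'https://qualysapi.qualys.com/msp/knowledgebase_download.php?vuln_id={0}' -f $encodedQid

    [xml]$vulninfo = Invoke-RestMethod -Uri $kburl -Credential $credential

    foreach ($item in $vulninfo.SelectNodes("/VULNS/VULN")) {
        # One output object per VULN node; values are copied as the response provides them.
        $objectproperties = @{
            QID                         = $($item.QID)
            VULN_TYPE                   = $($item.VULN_TYPE.InnerText)
            SEVERITY_LEVEL              = $($item.SEVERITY_LEVEL)
            TITLE                       = $($item.TITLE.InnerText)
            CATEGORY                    = $($item.CATEGORY.InnerText)
            BUGTRAQ                     = $($item.BUGTRAQ_ID_LIST.BUGTRAQ_ID)
            PATCHABLE                   = $($item.PATCHABLE)
            VENDOR_REFERENCE            = $($item.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE.InnerText)
            CVE                         = $($item.CVE_ID_LIST)
            DIAGNOSIS                   = $($item.DIAGNOSIS.InnerText)
            CONSEQUENCE                 = $($item.CONSEQUENCE.InnerText)
            SOLUTION                    = $($item.SOLUTION.InnerText)
            COMPLIANCE_TYPE             = $($item.COMPLIANCE.COMPLIANCE_INFO.COMPLIANCE_TYPE.InnerText)
            COMPLIANCE_DESCRIPTION      = $($item.COMPLIANCE.COMPLIANCE_INFO.COMPLIANCE_DESCRIPTION.InnerText)
            EXPLOITABILITY              = $($item.CORRELATION.EXPLOITABILITY)
            MALWARE                     = $($item.CORRELATION.MALWARE)
            CVSS_BASE                   = $($item.CVSS_BASE)
            CVSS_TEMPORAL               = $($item.CVSS_TEMPORAL)
            CVSS_ACCESS_VECTOR          = $($item.CVSS_ACCESS_VECTOR)
            CVSS_ACCESS_COMPLEXITY      = $($item.CVSS_ACCESS_COMPLEXITY)
            CVSS_AUTHENTICATION         = $($item.CVSS_AUTHENTICATION)
            CVSS_CONFIDENTIALITY_IMPACT = $($item.CVSS_CONFIDENTIALITY_IMPACT)
            CVSS_INTEGRITY_IMPACT       = $($item.CVSS_INTEGRITY_IMPACT)
            CVSS_AVAILABILITY_IMPACT    = $($item.CVSS_AVAILABILITY_IMPACT)
            CVSS_EXPLOITABILITY         = $($item.CVSS_EXPLOITABILITY)
            CVSS_REMEDIATION_LEVEL      = $($item.CVSS_REMEDIATION_LEVEL)
            CVSS_REPORT_CONFIDENCE      = $($item.CVSS_REPORT_CONFIDENCE)
            PCI_FLAG                    = $($item.PCI_FLAG)
        }
        $vulninfoobject += New-Object PSObject -Property $objectproperties
    }#foreach loop

    return $vulninfoobject
}#Get-KnowledgebaseInfo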
________________________________
assetgroupinfo.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Object[]</T>
<T>System.Array</T>
<T>System.Object</T>
</TN>
<LST>
<Obj RefId="1">
<TN RefId="1">
<T>System.Management.Automation.PSCustomObject</T>
<T>System.Object</T>
</TN>
<MS>
<S N="assetgrouptitle">West DC Assets (DC)</S>
<S N="userrole">Unit Manager</S>
<Obj N="ip" RefId="2">
<TNRef RefId="0" />
<LST>
<S>192.168.0.1</S>
<S>192.168.0.2</S>
<S>192.168.0.3</S>
</LST>
</Obj>
<S N="userlogin">login1</S>
</MS>
</Obj>
<Obj RefId="3">
<TNRef RefId="1" />
<MS>
<S N="assetgrouptitle">North DC Assets (DC)</S>
<S N="userrole">Unit Manager</S>
<Obj N="ip" RefId="4">
<TNRef RefId="0" />
<LST>
<S>192.168.0.4</S>
<S>192.168.0.15</S>
<S>192.168.0.17</S>
</LST>
</Obj>
<S N="userlogin">login2</S>
</MS>
</Obj>
<Obj RefId="5">
<TNRef RefId="1" />
<MS>
<S N="assetgrouptitle">South DC Assets (DC)</S>
<S N="userrole">Unit Manager</S>
<Obj N="ip" RefId="6">
<TNRef RefId="0" />
<LST>
<S>192.168.0.1</S>
<S>192.168.0.15</S>
</LST>
</Obj>
<S N="userlogin">login3</S>
</MS>
</Obj>
<Obj RefId="7">
<TNRef RefId="1" />
<MS>
<S N="assetgrouptitle">East DC Assets (DC)</S>
<S N="userrole">Unit Manager</S>
<Obj N="ip" RefId="8">
<TNRef RefId="0" />
<LST>
<S>192.168.0.4</S>
<S>192.168.0.15</S>
<S>192.168.0.17</S>
</LST>
</Obj>
<S N="userlogin">login2</S>
</MS>
</Obj>
</LST>
</Obj>
</Objs>
__________________________________________
businessunitinfo.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Object[]</T>
<T>System.Array</T>
<T>System.Object</T>
</TN>
<LST>
<Obj RefId="1">
<TN RefId="1">
<T>System.Management.Automation.PSCustomObject</T>
<T>System.Object</T>
</TN>
<MS>
<S N="userlogin">login1</S>
<S N="businessunit">North DC Assets (DC)</S>
<S N="lastname">McDonald</S>
<S N="userrole">Unit Manager</S>
<S N="email">something@something.com</S>
<S N="firstname">Old</S>
<S N="title">System Security Analyst</S>
</MS>
</Obj>
<Obj RefId="2">
<TNRef RefId="1" />
<MS>
<S N="userlogin">login2</S>
<S N="businessunit">EAST DC Assets (DC)</S>
<S N="lastname">McDonald</S>
<S N="userrole">Unit Manager</S>
<S N="email">something@something.com</S>
<S N="firstname">Old</S>
<S N="title">System Security Analyst</S>
</MS>
</Obj>
<Obj RefId="3">
<TNRef RefId="1" />
<MS>
<S N="userlogin">login3</S>
<S N="businessunit">WEST DC Assets (DC)</S>
<S N="lastname">McDonald</S>
<S N="userrole">Unit Manager</S>
<S N="email">something@something.com</S>
<S N="firstname">Old</S>
<S N="title">System Security Analyst</S>
</MS>
</Obj>
</LST>
</Obj>
</Objs>