Exporting Vulnerability Scanner Reports

In order to use the vulnerability sync feature, you will need to generate a report using your third-party vulnerability scanner. The following vendor reports are currently supported:

Requirements for the CSV import:

  • The very first line in each CSV must contain the required data, depending on your CSV provider.
    For example: hostname, cve id. Follow the format requirements as noted in the console (Add New Task dialog window).

  • Hostnames are not case-sensitive.

    • Hostnames should not be wrapped in any quotes, parentheses, brackets, or single ticks.

  • The CVE field should not contain any special characters other than dashes, for example CVE-2021-1234, or commas for a list of CVEs.

  • Severity is an optional field.

    • Severities must use one of the following keywords, unless otherwise indicated: Critical, High, Medium, Low

  • The CSV report must be less than 1 GB.

  • The CSV row maximum is 1 million rows.

Example CSV file:

Hostname, CVE ID, Severity
finance-laptop,cve-2021-1234,high
finance-laptop,cve-2021-6789
finance-laptop,cve-2021-5522,critical
sales_laptop,cve-2021-9944,medium

Note

Using Notepad++ to open and save vulnerability scanner exports introduces hidden characters and can cause the manual import to fail. Automox recommends using a different source code editor.
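
A pre-upload check for the generic format described above, as an added example (not Automox code and not the console's own validation): it applies the listed requirements to a CSV's bytes and returns the problems it finds. The header matching, the strict CVE pattern, the binary 1 GB threshold, and treating a byte order mark or non-printable characters as the "hidden characters" from the note are assumptions.

```python
import csv
import re

MAX_BYTES = 1024 ** 3   # "less than 1 GB"; binary gigabyte is an assumption
MAX_ROWS = 1_000_000    # counted as data rows here (assumption)
SEVERITIES = {"critical", "high", "medium", "low"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)  # stricter than the page's rule
WRAPPERS = "\"'`()[]{}"  # quotes, ticks, parentheses, brackets

def validate_report(raw: bytes) -> list[str]:
    """Return the problems found; an empty list means the file passed."""
    problems = []
    if len(raw) >= MAX_BYTES:
        problems.append("file is not under 1 GB")
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("line 1: byte order mark before the header")
        raw = raw[3:]
    lines = raw.decode("utf-8", errors="replace").splitlines() or [""]
    header = [h.strip().lower() for h in next(csv.reader(lines[:1]))]
    missing = sorted({"hostname", "cve id"} - set(header))
    if missing:
        return problems + [f"line 1: missing header(s): {', '.join(missing)}"]
    host_i, cve_i = header.index("hostname"), header.index("cve id")
    sev_i = header.index("severity") if "severity" in header else None
    if len(lines) - 1 > MAX_ROWS:
        problems.append("more than 1 million rows")
    for n, line in enumerate(lines[1:], start=2):
        if any(not ch.isprintable() or ch == "\ufffd" for ch in line):
            problems.append(f"line {n}: hidden or non-printable character")
        row = [f.strip() for f in next(csv.reader([line]))]
        if len(row) <= max(host_i, cve_i):
            problems.append(f"line {n}: hostname or CVE column missing")
            continue
        host = row[host_i]
        # csv removes double quotes, so also look for them in the raw line
        if not host or host[0] in WRAPPERS or host[-1] in WRAPPERS or f'"{host}"' in line:
            problems.append(f"line {n}: hostname empty or wrapped: {host!r}")
        for cve in row[cve_i].split(","):
            if not CVE_RE.fullmatch(cve.strip()):
                problems.append(f"line {n}: bad CVE value {cve.strip()!r}")
        sev = row[sev_i] if sev_i is not None and len(row) > sev_i else ""
        if sev and sev.lower() not in SEVERITIES:
            problems.append(f"line {n}: unknown severity {sev!r}")
    return problems

# Constructed sample: two rows from the page's example, then two bad rows.
SAMPLE = (b"Hostname, CVE ID, Severity\nfinance-laptop,cve-2021-1234,high\n"
          b"finance-laptop,cve-2021-6789\n'sales_laptop',cve-2021-9944,medium\n"
          b"hr-laptop,cve_2021_5522,urgent\n")
```

Calling `validate_report(open(path, "rb").read())` on an export before upload reports the line number of each offending row; provider-specific formats that use other headers or severity keywords need the header names and keyword set adjusted.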

CrowdStrike Falcon Spotlight - Vulnerability Report

Follow these instructions to download a vulnerability report from the CrowdStrike Falcon Spotlight platform.

  • From the CrowdStrike dashboard, ensure that the report identifies hostnames and CVE IDs.

  • Be sure to include relevant filters as there is a file size limit for the ingest of 1 GB.

  • Additionally, be aware that more CVE IDs will mean more tasks to be created by Automox.

Example of CrowdStrike’s Spotlight Vulnerability Dashboard. Note: It is possible to filter on relevant vulnerabilities for the export.

  • Select the file format CSV and export the report.

Rapid7 - Vulnerability Report Export

Follow these instructions to manually create and export a vulnerability report from Rapid7 InsightVM/Nexpose.

Note: If you are using Rapid7 InsightConnect, you do not need to manually export a vulnerability report from Rapid7 InsightVM/Nexpose. The vulnerability sync workflow removes the need to manually export the report and upload it to Automox.

When the synced imported report is ready, you can continue with the vulnerability process from the point of observing the mapping process until it is complete and take actions as required. Follow the description in our Vulnerability Sync documentation: Using Automox Vulnerability Sync → Syncing the Imported Report.

See also Automox Plugin for Rapid7 InsightConnect.

Requirements: You must use the on-premise console to generate the report.

Creating a Rapid7 vulnerability report

In order to easily export vulnerability findings from Rapid7 InsightVM/Nexpose in a format that is quickly imported into Automox, we recommend creating a Custom SQL Report. This can be done within the InsightVM console by following these steps:

  1. Navigate to Reports.

  2. On the Create a Report page, select Export.

  3. Select SQL Query Export from the list of templates.

  4. Add the query for the custom report and validate.

  5. Save and run the report.

As new scans are performed, your Vulnerability Management team can regenerate reports and scope them to the groups, sites, and categories they are hoping to target. If the SQL query is modified for your environment needs, ensure the hostname and cve id fields are headers within the report export.

Query for custom SQL report

In the InsightVM/Nexpose Console, create a custom SQL Report using the following query:

SELECT favf.asset_id, favf.vulnerability_id, da.host_name AS hostname, dvf.reference AS "cve id"
FROM fact_asset_vulnerability_finding favf
JOIN dim_vulnerability_reference dvf ON dvf.vulnerability_id = favf.vulnerability_id
JOIN dim_asset da ON da.asset_id = favf.asset_id
WHERE dvf.source = 'CVE'

That query yields a result similar to the following:

asset_id, vulnerability_id, hostname, cve id
18, 200, hostname-1, CVE-2017-8682

Make sure the report is saved in CSV format, then upload that file to the console. Feel free to apply other filters to the SQL report. See also the following example queries for Rapid7 vulnerability reports:

Query for vulnerabilities with severity of Critical

This query is used to create a report for CVEs with a severity level of "critical".

SELECT favf.asset_id, favf.vulnerability_id, da.host_name AS hostname, dvf.reference AS "cve id"
FROM fact_asset_vulnerability_finding favf
JOIN dim_vulnerability_reference dvf ON dvf.vulnerability_id = favf.vulnerability_id
JOIN dim_vulnerability dv ON favf.vulnerability_id = dv.vulnerability_id
JOIN dim_asset da ON da.asset_id = favf.asset_id
WHERE dvf.source = 'CVE' AND dv.severity = 'Critical'

Query for vulnerabilities by specific CVEs

This query is used to create a report for a specific CVE.

SELECT favf.asset_id, favf.vulnerability_id, da.host_name AS hostname, dvf.reference AS "cve id"
FROM fact_asset_vulnerability_finding favf
JOIN dim_vulnerability_reference dvf ON dvf.vulnerability_id = favf.vulnerability_id
JOIN dim_asset da ON da.asset_id = favf.asset_id
WHERE dvf.reference = 'CVE-1234'

If you need additional assistance or want to modify the query, use the Rapid7 documentation located here:

Creating reports based on SQL queries

Tenable.io - CSV Vulnerability Export

To download a vulnerability report from Tenable.io, follow the documentation as described here: Tenable Documentation: Export Vulnerability Data

When exporting vulnerability data, you must include the following fields in the report:

  • Host

  • CVE

  • Risk

After exporting the data, you generally do not need to modify the report in order to upload it to Automox as long as you select Tenable Vulnerability Management for the CSV Provider. Note: It is recommended that you always verify that the headers are in the expected format.


Qualys - Scan Report

By exporting a Qualys New Scan Report, it is possible to upload vulnerability details from Qualys scans to remediate devices. 

To generate a scan report, navigate to Reports → Templates → New Scan Template.

When creating the report template, select Vulnerability Details to ensure that CVE information is included in the report. The Qualys report includes IP addresses and a list of CVE IDs for correlating with Automox. No modifications to the report are necessary in order to upload to Automox as long as you select Qualys for the CSV Provider.
