Skill

building-vulnerability-scanning-workflow

Builds structured vulnerability scanning workflows with Nessus, Qualys, OpenVAS to discover, prioritize via CVSS, and track remediation of infrastructure vulnerabilities for SOC teams integrating with SIEM.

Python

security

infrastructure

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

以下情况使用本技能：

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

building-vulnerability-scanning-workflow

5.9k

Builds vulnerability scanning workflow using Nessus, Qualys, OpenVAS to discover, prioritize, track remediation. For SOC teams with recurring scans, SIEM integration, dashboards.

3 files

cybersecurity-skills

building-vulnerability-scanning-workflow

Builds structured vulnerability scanning workflows using Nessus, Qualys, OpenVAS for SOC teams to discover, prioritize, integrate with SIEM, and track remediation of infrastructure vulnerabilities.

asi

performing-vulnerability-scanning-with-nessus

Executes authenticated and unauthenticated vulnerability scans with Tenable Nessus to identify CVEs, misconfigurations, default credentials, and missing patches in networks, servers, and applications. Useful for compliance audits, patch checks, and pentest reconnaissance.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

构建漏洞扫描工作流

适用场景

以下情况使用本技能：

SOC 团队需要建立或改进定期漏洞扫描计划
扫描结果需要结合资产背景和威胁情报，超越原始 CVSS 分数进行优先级排序
漏洞数据必须集成到 SIEM 中，与利用尝试进行关联
修复跟踪需要通过基于 SLA 的仪表盘和报告正式化

不适用于渗透测试或主动利用——漏洞扫描识别弱点，渗透测试验证可利用性。

前置条件

漏洞扫描器（Tenable Nessus Professional、Qualys VMDR 或 OpenVAS/Greenbone）
具有关键性分类的资产清单（业务关键、标准、开发）
从扫描器到所有目标网段的网络访问（基于代理或网络扫描）
用于扫描结果接入和关联的 SIEM 集成
用于修复跟踪的补丁管理系统（WSUS、SCCM、Intune）

工作流程

步骤 1：定义扫描范围和计划

创建覆盖所有资产类型的扫描策略：

Nessus 扫描配置（API）：

import requests

nessus_url = "https://nessus.company.com:8834"
headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"}

# 创建扫描策略
policy = {
    "uuid": "advanced",
    "settings": {
        "name": "SOC Weekly Infrastructure Scan",
        "description": "Weekly credentialed scan of all server and workstation segments",
        "scanner_id": 1,
        "policy_id": 0,
        "text_targets": "10.0.0.0/16, 172.16.0.0/12",
        "launch": "WEEKLY",
        "starttime": "20240315T020000",
        "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA",
        "enabled": True
    },
    "credentials": {
        "add": {
            "Host": {
                "Windows": [{
                    "domain": "company.local",
                    "username": "nessus_svc",
                    "password": "SCAN_SERVICE_PASSWORD",
                    "auth_method": "Password"
                }],
                "SSH": [{
                    "username": "nessus_svc",
                    "private_key": "/path/to/nessus_key",
                    "auth_method": "public key"
                }]
            }
        }
    }
}

response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy, verify=False)
scan_id = response.json()["scan"]["id"]
print(f"扫描已创建：ID {scan_id}")

Qualys VMDR 扫描（API）：

import qualysapi

conn = qualysapi.connect(
    hostname="qualysapi.qualys.com",
    username="api_user",
    password="API_PASSWORD"
)

# 启动漏洞扫描
params = {
    "action": "launch",
    "scan_title": "Weekly_Infrastructure_Scan",
    "ip": "10.0.0.0/16",
    "option_id": "123456",  # 扫描配置文件 ID
    "iscanner_name": "Internal_Scanner_01",
    "priority": "0"
}

response = conn.request("/api/2.0/fo/scan/", params)
print(f"扫描已启动：{response}")

步骤 2：处理和优先级排序扫描结果

下载结果并应用基于风险的优先级排序：

import requests
import csv

# 导出 Nessus 结果
response = requests.get(
    f"{nessus_url}/scans/{scan_id}/export",
    headers=headers,
    params={"format": "csv"},
    verify=False
)

# 解析并优先级排序
vulns = []
reader = csv.DictReader(response.text.splitlines())
for row in reader:
    cvss = float(row.get("CVSS v3.0 Base Score", 0))
    asset_criticality = get_asset_criticality(row["Host"])  # 来自资产清单

    # 基于风险的优先级计算
    risk_score = cvss * asset_criticality_multiplier(asset_criticality)

    # 如果被主动利用则提高评分（检查 CISA KEV）
    if row.get("CVE") in cisa_kev_list:
        risk_score *= 1.5

    vulns.append({
        "host": row["Host"],
        "plugin_name": row["Name"],
        "severity": row["Risk"],
        "cvss": cvss,
        "cve": row.get("CVE", "N/A"),
        "risk_score": round(risk_score, 1),
        "asset_criticality": asset_criticality,
        "kev": row.get("CVE") in cisa_kev_list
    })

# 按风险评分排序
vulns.sort(key=lambda x: x["risk_score"], reverse=True)

CISA KEV（已知被利用漏洞）检查：

import requests

kev_response = requests.get(
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
)
kev_data = kev_response.json()
cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]}

# 检查漏洞是否被主动利用
def is_actively_exploited(cve_id):
    return cve_id in cisa_kev_list

步骤 3：定义修复 SLA

应用基于 SLA 的修复时间线：

优先级	CVSS 范围	资产类型	SLA	示例
P1 关键	9.0-10.0 + KEV	所有资产	24 小时	生产服务器上的 Log4Shell、EternalBlue
P2 高	7.0-8.9 或 9.0+ 非 KEV	业务关键	7 天	无已知利用的 RCE
P3 中	4.0-6.9	业务关键	30 天	认证型权限提升
P4 低	0.1-3.9	标准	90 天	信息泄露、低影响 DoS
P5 信息	0.0	开发	下个周期	最佳实践发现、配置加固

步骤 4：与 SIEM 集成进行利用检测

将漏洞扫描数据与 SIEM 告警关联，检测主动利用：

index=vulnerability sourcetype="nessus:scan"
| eval vuln_key = Host.":".CVE
| join vuln_key type=left [
    search index=ids_ips sourcetype="snort" OR sourcetype="suricata"
    | eval vuln_key = dest_ip.":".cve_id
    | stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt by vuln_key
  ]
| where isnotnull(exploit_attempts)
| eval risk = "关键 — 漏洞正在被主动利用"
| sort - exploit_attempts
| table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk

当关键资产上检测到 KEV 漏洞时告警：

index=vulnerability sourcetype="nessus:scan" severity="Critical"
| lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date
| where kev_status="active"
| lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality
| where criticality IN ("business-critical", "mission-critical")
| table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality

步骤 5：构建修复跟踪仪表盘

Splunk 漏洞指标仪表盘：

-- 按严重性统计未修复漏洞
index=vulnerability sourcetype="nessus:scan" status="open"
| stats count by severity
| eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3,
                    severity="Low", 4, 1=1, 5)
| sort order

-- SLA 合规跟踪
index=vulnerability sourcetype="nessus:scan" status="open"
| eval sla_days = case(
    severity="Critical", 1,
    severity="High", 7,
    severity="Medium", 30,
    severity="Low", 90
  )
| eval days_open = round((now() - first_detected) / 86400)
| eval sla_status = if(days_open > sla_days, "已超期", "在 SLA 内")
| stats count by severity, sla_status

-- 90 天修复趋势
index=vulnerability sourcetype="nessus:scan"
| eval is_open = if(status="open", 1, 0)
| eval is_closed = if(status="fixed", 1, 0)
| timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated

步骤 6：自动化修复工单

为高优先级发现自动创建工单：

import requests

servicenow_url = "https://company.service-now.com/api/now/table/incident"
headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {snow_token}"
}

for vuln in vulns:
    if vuln["risk_score"] >= 8.0:
        ticket = {
            "short_description": f"[VULN] {vuln['cve']} — {vuln['plugin_name']} on {vuln['host']}",
            "description": (
                f"漏洞：{vuln['plugin_name']}\n"
                f"CVE：{vuln['cve']}\n"
                f"CVSS：{vuln['cvss']}\n"
                f"主机：{vuln['host']}\n"
                f"资产关键性：{vuln['asset_criticality']}\n"
                f"CISA KEV：{'是' if vuln['kev'] else '否'}\n"
                f"风险评分：{vuln['risk_score']}\n"
                f"修复 SLA：{'24 小时' if vuln['kev'] else '7 天'}"
            ),
            "urgency": "1" if vuln["kev"] else "2",
            "impact": "1" if vuln["asset_criticality"] == "business-critical" else "2",
            "assignment_group": "IT Infrastructure",
            "category": "Vulnerability"
        }
        response = requests.post(servicenow_url, headers=headers, json=ticket)
        print(f"工单已创建：{response.json()['result']['number']}")

核心概念

术语	定义
CVSS	通用漏洞评分系统——漏洞的标准化严重性评级（0-10）
CISA KEV	已知被利用漏洞目录——CISA 维护的具有确认主动利用的漏洞列表
凭据扫描（Credentialed Scan）	使用认证访问的漏洞扫描，比纯网络扫描检测更深入
资产关键性（Asset Criticality）	确定修复优先级的业务影响分类（关键任务、业务关键、标准）
修复 SLA（Remediation SLA）	定义按严重性修补漏洞最长允许时间的服务级别协议
EPSS	利用预测评分系统——基于机器学习预测被利用可能性的概率评分

工具与系统

Tenable Nessus / Tenable.io：具有 200,000+ 插件检查和合规审计的企业级漏洞扫描器
Qualys VMDR：具有资产发现、优先级排序和补丁集成的云端漏洞管理平台
OpenVAS（Greenbone）：具有社区维护漏洞库的开源漏洞扫描器
CISA KEV 目录：美国政府维护的需要强制修复的主动被利用漏洞列表
Rapid7 InsightVM：具有实时仪表盘和修复项目跟踪的漏洞管理平台

常见场景

零日响应：新 CVE 发布——针对受影响软件运行定向扫描，与 KEV 和利用数据库交叉对比
合规审计准备：生成显示扫描覆盖范围和修复状态的 PCI DSS 或 HIPAA 漏洞报告
补丁后验证：对已打补丁系统重新扫描，确认漏洞已关闭并更新跟踪仪表盘
网络扩展：基础设施新增子网——将其加入扫描范围并配置适当策略
第三方风险：扫描对外暴露的资产，在集成前验证供应商补丁合规性

输出格式

漏洞扫描报告 — 每周摘要
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
扫描日期：    2024-03-16 02:00 UTC
扫描范围：    10.0.0.0/16（已扫描 1,247 台主机）
持续时间：    4 小时 23 分钟
覆盖率：      98.7%（16 台主机不可达）

发现结果：
  严重性     数量     新增    CISA KEV
  关键       23       5       3
  高         187      34      12
  中         892      78      0
  低         1,456    112     0
  信息       3,891    201     0

最高优先级（P1 — 24 小时 SLA）：
  CVE-2024-21762  FortiOS RCE           3 台主机   KEV：是
  CVE-2024-1709   ConnectWise RCE       1 台主机   KEV：是
  CVE-2024-3400   Palo Alto PAN-OS RCE  2 台主机   KEV：是

SLA 合规率：
  关键：82% 在 SLA 内（4 项已超期）
  高：  91% 在 SLA 内（17 项已超期）
  中：  88% 在 SLA 内（107 项已超期）

已创建工单：39 张（ServiceNow）