Builds automated alerts for vulnerability remediation SLA breaches with severity-based timelines, escalation workflows, and compliance reporting dashboards using Python and databases.
漏洞修复 SLA 根据严重程度定义了处理安全发现结果的最大时限。本技能涵盖构建自动化告警系统,用于跟踪修复时间线、检测 SLA 违规、发送升级通知并生成合规报告。行业标准 SLA 目标为:关键(24-48 小时)、高(15-30 天)、中(60 天)、低(90 天)。
Builds automated alerting for vulnerability remediation SLA breaches using severity-based timelines, escalation workflows, and compliance reporting dashboards in Python with database tracking.
Builds automated alerting for vulnerability SLA breaches with severity timelines, escalation notifications to email/Slack/PagerDuty, and compliance dashboards using Python and databases.
Builds vulnerability aging dashboards and SLA tracking to measure remediation performance by severity timelines, track KPIs, and enforce accountability in vulnerability management.
漏洞修复 SLA 根据严重程度定义了处理安全发现结果的最大时限。本技能涵盖构建自动化告警系统,用于跟踪修复时间线、检测 SLA 违规、发送升级通知并生成合规报告。行业标准 SLA 目标为:关键(24-48 小时)、高(15-30 天)、中(60 天)、低(90 天)。
requests、pandas、jinja2、smtplib 库

| 严重程度 | 修复 SLA | 宽限期 | 升级级别 |
|---|---|---|---|
| 关键(CVSS 9.0-10.0) | 48 小时 | 12 小时 | VP 工程 + CISO |
| 高(CVSS 7.0-8.9) | 15 天 | 5 天 | 工程总监 |
| 中(CVSS 4.0-6.9) | 60 天 | 14 天 | 团队负责人 |
| 低(CVSS 0.1-3.9) | 90 天 | 30 天 | 资产负责人 |
# sla_policy.yaml
# Remediation SLA policy consumed by load_sla_policy() / get_sla_tier().
# Each tier is selected by an inclusive CVSS range and carries the
# remediation window, grace period and escalation targets.
sla_tiers:
  critical:
    cvss_min: 9.0
    cvss_max: 10.0
    remediation_days: 2            # 48 hours
    grace_period_days: 0.5         # 12 hours
    escalation_contacts:
      - ciso@company.com
      - vp-engineering@company.com
    pagerduty_severity: critical
  high:
    cvss_min: 7.0
    cvss_max: 8.9
    remediation_days: 15
    grace_period_days: 5
    escalation_contacts:
      - security-director@company.com
    pagerduty_severity: high
  medium:
    cvss_min: 4.0
    cvss_max: 6.9
    remediation_days: 60
    grace_period_days: 14
    escalation_contacts:
      - team-lead@company.com
    pagerduty_severity: warning
  low:
    # A score outside every range (e.g. 0.0) also lands here: get_sla_tier()
    # falls back to "low" instead of raising.
    cvss_min: 0.1
    cvss_max: 3.9
    remediation_days: 90
    grace_period_days: 30
    escalation_contacts:
      - asset-owner@company.com
    pagerduty_severity: info
notification_channels:
  slack:
    # Secrets are kept out of this file as ${ENV_VAR} placeholders.
    # NOTE(review): yaml.safe_load does not expand them — substitute from the
    # environment before handing the URL/key to a notifier.
    webhook_url: "${SLACK_WEBHOOK_URL}"
    channel: "#vulnerability-alerts"
  email:
    smtp_host: smtp.company.com
    smtp_port: 587                 # mail submission port; TLS policy is decided by the mailer, not here
    from_address: vuln-alerts@company.com
  pagerduty:
    api_key: "${PAGERDUTY_API_KEY}"
    service_id: "${PAGERDUTY_SERVICE_ID}"
alert_schedules:
  approaching_breach:
    percentage_elapsed: 80         # same threshold check_sla_status() uses for "approaching_breach"
    frequency_hours: 24
  at_breach:
    notification: immediate
    escalation: true
  post_breach:
    frequency_hours: 12
    escalation_increase: true
-- One SLA clock per finding. Deadlines come from calculate_sla_deadline();
-- the hourly --check-sla run reads open rows and compares them with now.
CREATE TABLE vulnerability_sla (
    id SERIAL PRIMARY KEY,
    cve_id VARCHAR(20) NOT NULL,
    finding_id VARCHAR(100) NOT NULL,          -- scanner-side identifier; uniqueness is not enforced here
    asset_hostname VARCHAR(255),
    severity VARCHAR(20) NOT NULL,             -- tier name from sla_policy.yaml; not constrained by the schema
    cvss_score DECIMAL(3,1),
    -- TIMESTAMP without time zone: store UTC consistently, because the Python
    -- check compares these values against datetime.now(timezone.utc).
    discovered_at TIMESTAMP NOT NULL,
    sla_deadline TIMESTAMP NOT NULL,
    remediated_at TIMESTAMP,
    status VARCHAR(20) DEFAULT 'open',         -- free text; allowed values are not enforced by the schema
    owner_email VARCHAR(255),
    escalation_level INTEGER DEFAULT 0,        -- presumably raised by the escalation workflow (not shown here)
    last_alert_sent TIMESTAMP,                 -- presumably used to honour alert_schedules.frequency_hours — confirm
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- NOTE(review): the breach check filters on status and sla_deadline together;
-- a composite index on (status, sla_deadline) may serve it better than two
-- single-column indexes.
CREATE INDEX idx_sla_status ON vulnerability_sla(status);
CREATE INDEX idx_sla_deadline ON vulnerability_sla(sla_deadline);
CREATE INDEX idx_sla_severity ON vulnerability_sla(severity);
from datetime import datetime, timedelta, timezone
import yaml
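def load_sla_policy(policy_path="sla_policy.yaml"):
    """Load the SLA policy YAML and return it as a plain dict.

    Args:
        policy_path: Path to the policy file (defaults to ``sla_policy.yaml``
            in the working directory).

    Returns:
        The parsed document (``sla_tiers``, ``notification_channels``,
        ``alert_schedules``) as produced by ``yaml.safe_load``.

    Raises:
        OSError: if the file cannot be read.
        yaml.YAMLError: if the document is malformed.

    Notes:
        The policy keeps webhook URLs and API keys out of the file as
        ``${VAR}`` placeholders. They are substituted from the environment
        before parsing so callers receive usable values; a placeholder whose
        variable is unset is left verbatim.
    """
    import os

    with open(policy_path, "r", encoding="utf-8") as f:
        raw = f.read()
    # safe_load (never yaml.load): a tampered policy file must not be able
    # to construct arbitrary Python objects.
    return yaml.safe_load(os.path.expandvars(raw))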
def get_sla_tier(cvss_score, policy):
    """Return ``(tier_name, tier)`` for the first tier whose inclusive
    ``cvss_min``..``cvss_max`` range contains ``cvss_score``.

    Tiers are scanned in the order they appear in ``policy["sla_tiers"]``.
    A score that matches no tier (e.g. 0.0, or a value falling between two
    ranges) is mapped to the ``low`` tier rather than raising.
    """
    tiers = policy["sla_tiers"]
    matched = next(
        (
            (name, spec)
            for name, spec in tiers.items()
            if spec["cvss_min"] <= cvss_score <= spec["cvss_max"]
        ),
        None,
    )
    if matched is not None:
        return matched
    return "low", tiers["low"]
def calculate_sla_deadline(discovered_at, cvss_score, policy):
    """Derive the remediation deadline for a finding.

    Resolves the SLA tier for ``cvss_score`` through get_sla_tier() and adds
    that tier's ``remediation_days`` to ``discovered_at``.

    Returns:
        ``(deadline, tier_name)`` — note the tuple order is the reverse of
        what get_sla_tier() returns.
    """
    tier_name, tier_spec = get_sla_tier(cvss_score, policy)
    window = timedelta(days=tier_spec["remediation_days"])
    return discovered_at + window, tier_name
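def _as_utc(value):
    """Return ``value`` as a timezone-aware UTC datetime.

    Naive values (what a TIMESTAMP column without time zone yields) are
    assumed to already be UTC; aware values are converted to UTC.
    """
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def check_sla_status(discovered_at, sla_deadline, remediated_at=None, *, now=None, approaching_pct=80):
    """Classify a finding's position on its SLA clock.

    Args:
        discovered_at: When the finding was opened.
        sla_deadline: Remediation deadline from calculate_sla_deadline().
        remediated_at: Fix timestamp, or ``None`` while the finding is open.
        now: Reference time for open findings; defaults to the current UTC
            time. Injectable for deterministic tests and replays.
        approaching_pct: Percentage of the SLA window after which an open
            finding is reported as ``approaching_breach`` (mirrors
            ``alert_schedules.approaching_breach.percentage_elapsed``).

    Returns:
        One of ``remediated_within_sla``, ``remediated_breach``,
        ``breached_<N>d_overdue`` (N = whole days past the deadline, so the
        first partial day reads ``0d``), ``approaching_breach`` or
        ``within_sla``.

    Notes:
        Naive datetimes are treated as UTC before comparison, so rows read
        back from the TIMESTAMP columns no longer raise ``TypeError`` when
        compared with the aware ``now``.
    """
    discovered_at = _as_utc(discovered_at)
    sla_deadline = _as_utc(sla_deadline)

    if remediated_at is not None:
        remediated_at = _as_utc(remediated_at)
        if remediated_at <= sla_deadline:
            return "remediated_within_sla"
        return "remediated_breach"

    now = datetime.now(timezone.utc) if now is None else _as_utc(now)

    if now > sla_deadline:
        overdue_days = (now - sla_deadline).days
        return f"breached_{overdue_days}d_overdue"

    total_sla = sla_deadline - discovered_at
    # A zero- or negative-length window would divide by zero; treat it as
    # fully elapsed so the finding is flagged rather than silently "within_sla".
    if total_sla <= timedelta(0):
        return "approaching_breach"
    pct_elapsed = ((now - discovered_at) / total_sla) * 100
    if pct_elapsed >= approaching_pct:
        return "approaching_breach"
    return "within_sla"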
import requests
import json
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
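def send_slack_alert(webhook_url, vuln_data, sla_status):
    """Post an SLA alert for one finding to a Slack incoming webhook.

    Args:
        webhook_url: Incoming-webhook URL. It is a credential — keep it out
            of logs and error messages.
        vuln_data: Row-like mapping with ``cve_id``, ``severity``,
            ``cvss_score``, ``asset_hostname``, ``sla_deadline`` (a datetime)
            and optionally ``owner_email``.
        sla_status: Value returned by check_sla_status().

    Returns:
        The ``requests.Response`` of the webhook call.

    Raises:
        KeyError: if a required ``vuln_data`` key is missing.
        requests.HTTPError: if Slack rejects the payload.
        requests.RequestException: on connection or timeout errors.
    """
    colors = {"breached": "#FF0000", "approaching_breach": "#FFA500", "within_sla": "#36A64F"}
    # "breached_<N>d_overdue" carries the overdue count, so match on the prefix.
    color_key = "breached" if "breached" in sla_status else sla_status
    status_color = colors.get(color_key, "#808080")
    payload = {
        "attachments": [{
            "color": status_color,
            "title": f"漏洞 SLA 告警:{vuln_data['cve_id']}",
            "fields": [
                {"title": "严重程度", "value": vuln_data["severity"], "short": True},
                {"title": "CVSS", "value": str(vuln_data["cvss_score"]), "short": True},
                {"title": "资产", "value": vuln_data["asset_hostname"], "short": True},
                {"title": "SLA 状态", "value": sla_status, "short": True},
                {"title": "截止时间", "value": vuln_data["sla_deadline"].strftime("%Y-%m-%d %H:%M UTC"), "short": True},
                {"title": "负责人", "value": vuln_data.get("owner_email", "未分配"), "short": True},
            ],
        }]
    }
    response = requests.post(webhook_url, json=payload, timeout=10)
    # An alerting path must not fail silently: the original discarded the
    # response, so a rejected webhook call left the breach unreported.
    response.raise_for_status()
    return response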
# Run the SLA breach check hourly via cron.
# NOTE: `crontab -` replaces the invoking user's entire crontab with stdin;
# on a host that already has entries, merge with `crontab -l` first so they
# are not silently dropped.
echo "0 * * * * cd /opt/vuln-sla && python3 scripts/process.py --check-sla" | crontab -
# Manual check with an explicit policy file
python3 scripts/process.py --check-sla --policy sla_policy.yaml
# Generate the SLA compliance report
python3 scripts/process.py --report --period monthly --output sla_report.html