{ "version": "2.0", "name": "Rapid7 Nexpose Scan assets by security event", "comment": "", "type": "REST_EVENT", "event_type": [ "RPZ", "TUNNEL" ], "action_type": "Rapid7 Nexpose Scan assets by security event", "content_type": "text/xml", "vendor_identifier": "Rapid7", "quoting": "XMLA", "steps": [ { "name": "checkIPEAs", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ {"left": "${E::ip.extattrs{R7_ScanOnEvent}}", "op": "==", "right": ""} ], "next": "checkNetEAs" } }, { "name": "checkIPScanOnEvent", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::ip.extattrs{R7_Site}}", "op": "==", "right": ""}, {"left": "${E::ip.extattrs{R7_ScanOnEvent}}", "op": "==", "right": "false"} ], "stop": true } }, { "name": "setLIPVars", "operation": "NOP", "body_list": [ "${XC:COPY:{L:source_ip}:{E:source_ip}}", "${XC:ASSIGN:{L:EASource}:{S:IP}}", "${XC:COPY:{L:Hostname}:{E:ip.names[0]}}", "${XC:ASSIGN:{L:SaveEA}:{S:false}}", "${XC:COPY:{L:Site}:{E:ip.extattrs{R7_Site}}}" ] }, { "name": "setIPSiteID", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::ip.extattrs{R7_SiteID}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:SiteID}:{I:0}}${XC:ASSIGN:{L:LastScan}:{S:}}", "else_eval": "${XC:COPY:{L:SiteID}:{E:ip.extattrs{R7_SiteID}}}" } }, { "name": "setIPLastScan", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::ip.extattrs{R7_LastScan}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:LastScan}:{S:}}", "else_eval": "${XC:COPY:{L:LastScan}:{E:ip.extattrs{R7_LastScan}}}" } }, { "name": "setIPScanTemplate", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::ip.extattrs{R7_ScanTemplate}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:ScanTemplate}:{S:default}}", "else_eval": "${XC:COPY:{L:ScanTemplate}:{E:ip.extattrs{R7_ScanTemplate}}}" } }, { "name": "setIPAddByHostname", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::ip.extattrs{R7_AddByHostname}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:AddByHostname}:{S:false}}", "else_eval": "${XC:COPY:{L:AddByHostname}:{E:ip.extattrs{R7_AddByHostname}}}" } }, { "name": "checkNetView", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::network.network_view}", "op": "==", "right": ""} ], "next": "assignScanVars", "else_eval": "${XC:COPY:{L:network_view}:{E:network.network_view}}" } }, { "name": "Get IPv4Fixed _ref", "operation": "GET", "transport": {"path": "fixedaddress?ipv4addr=${L:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Fix_ref", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Get HostIPv4 _ref", "operation": "GET", "transport": {"path": "record:host?ipv4addr=${L:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Host_ref", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Get IPv6Fixed _ref", "operation": "GET", "transport": {"path": "ipv6fixedaddress?ipv4addr=${L:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv6Fix_ref", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Get HostIPv6 _ref", "operation": "GET", "transport": {"path": "record:host?ipv6addr=${L:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv6Host_ref", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Get_Objref", "operation": "CONDITION", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "eval": "${XC:COPY:{L:Obj_ref}:{P:PARSE[0]{_ref}}}${XC:ASSIGN:{L:SaveEA}:{S:true}}" } }, { "name": "CheckIfHost", "operation": "CONDITION", "condition": { "statements": [ {"left": "${L::Obj_ref}", "op": "=~", "right": "record:host"} ], "condition_type": "AND", "eval": "${XC:ASSIGN:{L:EASource}:{S:HOST}}" } }, { "name": "goToSiteIDcheck", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "", "op": "==", "right": ""} ], "next": "assignScanVars" } }, { "name": "checkNetEAs", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::network.extattrs{R7_ScanOnEvent}}", "op": "==", "right": ""}, {"left": "${E::network.extattrs{R7_ScanOnEvent}}", "op": "==", "right": "false"} ], "stop": true } }, { "name": "setLNetVars", "operation": "NOP", "body_list": [ "${XC:COPY:{L:source_ip}:{E:source_ip}}", "${XC:COPY:{L:Site}:{E:network.extattrs{R7_Site}}}", "${XC:ASSIGN:{L:LastScan}:{S:}}", "${XC:ASSIGN:{L:EASource}:{S:Net}}", "${XC:ASSIGN:{L:SaveEA}:{S:false}}", "${XC:ASSIGN:{L:Hostname}:{S:}}", "${XC:ASSIGN:{L:AddByHostname}:{S:false}}" ] }, { "name": "setNetSiteID", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::network.extattrs{R7_SiteID}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:SiteID}:{I:0}}${XC:ASSIGN:{L:LastScan}:{S:}}", "else_eval": "${XC:COPY:{L:SiteID}:{E:network.extattrs{R7_SiteID}}}" } }, { "name": "setNetScanTemplate", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::network.extattrs{R7_ScanTemplate}}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:ScanTemplate}:{S:default}}", "else_eval": "${XC:COPY:{L:ScanTemplate}:{E:network.extattrs{R7_ScanTemplate}}}" } }, { "name": "assignScanVars", "operation": "NOP", "body_list": [ "${XC:COPY:{L:ScanDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:ScanDate}:{10t}}", "${XC:COPY:{L:R7ScanSchTime}:{UT:EPOCH}}${XC:FORMAT:DATE_STRFTIME:{L:R7ScanSchTime}:{%Y%m%dT%H%M59000Z}}" ] }, { "name": "checkIFScannedToday", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${L::LastScan}", "op": "==", "right": "${L::ScanDate}"} ], "stop": true } }, { "name": "Check SiteID", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ {"left": "${L:A:SiteID}", "op": "!=", "right": "0"} ], "next": "Create a schedule" } }, { "name": "Request R7 sites", "parse": "XMLA", "operation": "POST", "body_list": [ "", "" ] }, { "name": "Check sites request on errors", "operation": "CONDITION", "condition": { "statements": [ {"left": "${P:A:PARSE[[name]]}", "op": "!=", "right": "SiteListingResponse"}, {"left": "${P:A:PARSE{{success}}}", "op": "!=", "right": "1"} ], "condition_type": "AND", "else_eval": "${XC:COPY:{L:site_list}:{P:PARSE}", "error": true } }, { "name": "Check if sites list is empty", "operation": "CONDITION", "condition": { "statements": [ {"left": "${L:L:site_list}", "op": "==", "right": "0"} ], "condition_type": "AND", "stop": true } }, { "name": "Pop site from the list", "operation": "VARIABLEOP", "variable_ops": [ { "operation": "POP", "type": "COMPOSITE", "destination": "L:a_site", "source": "L:site_list" } ] }, { "name": "check_a_site", "operation": "CONDITION", "condition": { "statements": [ {"left": "${L:A:Site}", "op": "!=", "right": "${L:A:a_site{{name}}}"} ], "condition_type": "AND", "next": "Check if sites list is empty", "else_eval": "${XC:COPY:{L:SiteID}:{L:a_site{{id}}}}" } }, { "name": "checkSaveSiteID", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ {"left": "${L::SaveEA}", "op": "!=", "right": "true"} ], "next": "Create a schedule" } }, { "name": "Update SiteID", "operation": "PUT", "transport": {"path": "${L:A:Obj_ref}"}, "wapi": "v2.6", "wapi_quoting": "JSON", "body_list": [ "{", "\"extattrs+\":{\"R7_SiteID\": { \"value\": \"${L:A:SiteID}\"}}", "}" ] }, { "name": "Create a schedule", "operation": "SERIALIZE", "serializations": [ {"destination": "L:R7ScanSch","content": " "}, {"destination": "L:R7ScanByHost","content": "${L:A:Hostname}"}, {"destination": "L:R7ScanByIP","content": ""} ] }, { "name": "scanByHostname", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ {"left": "${L::AddByHostname}", "op": "==", "right": "true"}, {"left": "${L::Hostname}", "op": "!=", "right": ""}, {"left": "${L::EASource}", "op": "==", "right": "HOST"} ], "eval": "${XC:COPY:{L:R7ScanHostsRanges}:{L:R7ScanByHost}}", "else_eval": "${XC:COPY:{L:R7ScanHostsRanges}:{L:R7ScanByIP}}" } }, { "name": "skipSchedule", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${L::ScanTemplate}", "op": "==", "right": "default"}, {"left": "${L::ScanTemplate}", "op": "==", "right": ""} ], "eval": "${XC:ASSIGN:{L:R7ScanSch}:{S:}}" } }, { "name": "RequestAssetScan", "parse": "XMLA", "operation": "POST", "body_list": [ "", "", "${L:A:R7ScanHostsRanges}", "${L:A:R7ScanSch}", "" ] }, { "name": "scan_site(errorcheck)", "operation": "CONDITION", "condition": { "statements": [ {"left": "SiteDevicesScanResponse", "op": "!=", "right": "${P:A:PARSE[[name]]}"}, {"left": "${P:A:PARSE{{success}}}", "op": "!=", "right": "1"} ], "condition_type": "OR", "error": true } }, { "name": "checkSaveLastScan", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${L::SaveEA}", "op": "!=", "right": "true"}, {"left": "${L::EASource}", "op": "==", "right": "Net"} ], "next": "Fin" } }, { "name": "Update R7_LastScan", "operation": "PUT", "transport": {"path": "${L:A:Obj_ref}"}, "wapi": "v2.6", "wapi_quoting": "JSON", "body_list": [ "{", "\"extattrs+\":{\"R7_LastScan\": { \"value\": \"${L:U:ScanDate}\"}}", "}" ] }, { "name": "Fin", "operation": "NOP", "body": "${XC:DEBUG:{L:}}${XC:DEBUG:{E:}}${XC:DEBUG:{P:}}" } ] }