{ "name": "Tenable IO Scan", "vendor_identifier": "Tenable IO", "comment": "Tenable IO scan of assets triggered by a security event", "version": "4.0", "type": "REST_EVENT", "event_type": [ "RPZ", "TUNNEL", "ADP" ], "content_type": "application/json", "steps": [ { "name": "assign_Time_Variable", "comment": "Getting the time variable to check later whether the asset was already scanned within a certain time, so that the template can stop", "operation": "NOP", "body_list": [ "${XC:COPY:{L:ScanDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:ScanDate}:{10t}}" ] }, { "name": "check_EA_on_IP", "comment": "Checking whether a scan is wanted on the IP EA; if it is not set there, the Network EA is checked next", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${E:A:ip.extattrs{TNBL_IO_Scan}}", "op": "==", "right": "true" }, { "left": "${E:A:ip.extattrs{TNBL_IO_Scan_Template}}", "op": "!=", "right": "" } ], "eval": "${XC:COPY:{L:TNBL_IO_Scan_Template}:{E:ip.extattrs{TNBL_IO_Scan_Template}}}", "next": "check_EA_For_Last_Scan" } }, { "name": "check_EA_on_Net", "comment": "Checking whether a scan is wanted on the Network EA; if not, stop, as the IP EA was already checked", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:network.extattrs{TNBL_IO_Scan}}", "op": "!=", "right": "true" }, { "left": "${E:A:network.extattrs{TNBL_IO_Scan_Template}}", "op": "==", "right": "" } ], "stop": true, "else_eval": "${XC:COPY:{L:TNBL_IO_Scan_Template}:{E:network.extattrs{TNBL_IO_Scan_Template}}}" } }, { "name": "check_EA_For_Last_Scan", "comment": "Checking whether the IP was ever scanned; if it was, we assign that time from TNBL_IO_Last_Scan to a local variable to compare with the variable ScanDate later", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${E:A:ip.extattrs{TNBL_IO_Last_Scan}}", "op": "==", "right": "" } ], "next": "Get_IP", "else_eval": 
"${XC:COPY:{L:LastScan}:{E:ip.extattrs{TNBL_IO_Last_Scan}}}${XC:FORMAT:TRUNCATE:{L:LastScan}:{10t}}" } }, { "name": "Check_if_allready_Scanned", "comment": "Check whether the last scan date matches ScanDate (i.e. the asset was already scanned) and if so stop the template", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:A:LastScan}", "op": "==", "right": "${L:A:ScanDate}" } ], "stop": true, "else_next": "Get_IP" } }, { "name": "Get_IP", "comment": "Assigning different values to variables depending on whether the address is IPv4 or IPv6", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${E:A:source_ip}", "op": "=~", "right": ":" } ], "eval": "${XC:ASSIGN:{L:IPv}:{S:IPv6}}${XC:ASSIGN:{L:IPReq}:{S:ipv6address}}", "else_eval": "${XC:ASSIGN:{L:IPv}:{S:IPv4}}${XC:ASSIGN:{L:IPReq}:{S:ipv4address}}" } }, { "name": "Get_Scan_List", "comment": "Grab all the scans available", "operation": "GET", "parse": "JSON", "override_headers": true, "headers": { "X-apikeys": "accessKey=${S:A:accessKey};secretKey=${S:A:secretKey}", "Content-Type": "application/json" }, "transport": { "path": "scans" } }, { "name": "copy_over_scans_to_L_variable", "comment": "Copy the scans over to the L namespace so that they can be used", "operation": "NOP", "body": "${XC:COPY:{L:Scans}:{P:scans}" }, { "name": "Check_if_Scan_list_is_empty", "comment": "Check whether the scan list is empty, including after popping from the stack", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:L:Scans}", "op": "==", "right": "0" } ], "stop": true } }, { "name": "Pop_asset_from_the_list", "comment": "Pop the top of the scan list into a variable for use", "operation": "VARIABLEOP", "variable_ops": [ { "operation": "POP", "type": "DICTIONARY", "destination": "L:One_Scans", "source": "L:Scans" } ] }, { "name": "Check_If_Correct_Scan", "comment": "Check whether the scan that was popped off the list is the correct scan to run", "operation": "CONDITION", "condition": { 
"condition_type": "AND", "statements": [ { "left": "${L:A:TNBL_IO_Scan_Template}", "op": "!=", "right": "${L:A:One_Scans{name}}" } ], "next": "Check_if_Scan_list_is_empty", "else_eval": "${XC:COPY:{L:Scan_ID}:{L:One_Scans{id}}", "else_next": "Copy_Scan" } }, { "name": "Copy_Scan", "comment": "Copy_Scan", "operation": "POST", "parse": "JSON", "override_headers": true, "headers": { "X-apikeys": "accessKey=${S:A:accessKey};secretKey=${S:A:secretKey}", "Content-Type": "application/json" }, "transport": { "path": "scans/${L:A:Scan_ID}/copy" } }, { "name": "Configure_Copied_Scan", "comment": "Configure_Copied_Scan", "operation": "PUT", "parse": "JSON", "override_headers": true, "headers": { "X-apikeys": "accessKey=${S:A:accessKey};secretKey=${S:A:secretKey}", "Content-Type": "application/json" }, "transport": { "path": "scans/${P:A:id}/" }, "body_list": [ "{", "\"scan_id\":\"${P:A:id}\",", "\"settings\":{", "\"name\":\"Infoblox Scan for ${E:A:source_ip} on ${UT:A:TIME}\",", "\"description\": \"Scan occured because of a ${E:A:event_type} event\",", "\"enabled\":\"false\",", "\"text_targets\":\"${E:A:source_ip}\"", "}", "}" ] }, { "name": "Start_Copied_Scan", "comment": "Start_Scan", "operation": "POST", "parse": "JSON", "override_headers": true, "headers": { "X-apikeys": "accessKey=${S:A:accessKey};secretKey=${S:A:secretKey}", "Content-Type": "application/json" }, "transport": { "path": "scans/${P:A:id}/launch" } }, { "name": "Get_ref", "comment": "Get_ref", "operation": "GET", "transport": { "path": "${L:U:IPReq}?ip_address=${E:U:source_ip}&network_view=${E:U:network.network_view}" }, "wapi": "v2.7" }, { "name": "Check_if_IP_is_unmanaged", "comment": "Check_if_IP_is_unmanaged", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{types}[0]}", "op": "!=", "right": "UNMANAGED" }, { "left": "${P:A:PARSE[0]{objects}}", "op": "!=", "right": "" } ], "eval": "${XC:COPY:{L:Obj_refs}:{P:PARSE[0]{objects}}}" } }, { "name": 
"Check_if_an_object_list_is_empty", "comment": "Check_if_an_object_list_is_empty", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:A:Obj_refs[0]}", "op": "!=", "right": "" } ], "else_stop": true } }, { "name": "Pop_object_from_the_list", "comment": "Pop_object_from_the_list", "operation": "VARIABLEOP", "variable_ops": [ { "operation": "POP", "type": "SINGLE", "destination": "L:Ref", "source": "L:Obj_refs" } ] }, { "name": "check_an_obj_type", "comment": "check_an_obj_type", "operation": "CONDITION", "condition": { "statements": [ { "left": "${L:A:Ref}", "op": "=~", "right": "record:host.*" }, { "left": "${L:A:Ref}", "op": "=~", "right": "fixedaddress.*" }, { "left": "${L:A:Ref}", "op": "=~", "right": "ipv6fixedaddress.*" } ], "condition_type": "OR", "else_next": "Check_if_an_object_list_is_empty", "eval": "${XC:COPY:{L:Obj_ref}:{L:Ref}}" } }, { "name": "Update_extattrs_last_scan", "comment": "Update_extattrs_last_scan", "operation": "PUT", "transport": { "path": "${L:A:Obj_ref}" }, "wapi": "v2.7", "wapi_quoting": "JSON", "body_list": [ "{\"extattrs+\":{\"TNBL_IO_Last_Scan\": { \"value\": \"${E:A:timestamp}\"}}}" ] }, { "name": "FinExit", "comment": "Stop execution of the template.", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "1", "op": "==", "right": "1" } ], "stop": true } } ] }