Kenna Data Importer (JSON Connector)

Kenna Data Importer (KDI) is a standard format for bringing vulnerability data into the platform. A KDI file is a collection of assets and their vulns, together with the vulnerability definitions for those vulns.

Setting up a KDI Connector via the UI

You'll need to have the Kenna Data Importer feature enabled and create a JSON file before you can use KDI. See the section below on how to generate a KDI formatted file. Once that's done, here's the process to upload via the UI:

1) Log into the instance as an administrator
2) Create a new KDI connector by browsing to "Connectors" -> "Kenna Data Importer"
3) Use the "Upload and Run" button to select the JSON file and upload it
4) Wait a minute or two while the file is uploaded. If you get a failure message, it will be stored on the connector's page.
5) When the upload completes, you'll see the assets and vulnerabilities begin to populate!


KDI JSON FORMAT 

Field Definitions

+ at least one required
* required field

{
  "skip_autoclose": boolean,
  "assets":[  *
    {
      "file": string,  + (At least one of the fields with a + is required for each asset.)
      "ip_address": string, + (See help center or support for locator order set for your instance)
      "mac_address": string, +
      "hostname": string, +
      "ec2": string, +
      "netbios": string, +
      "external_ip_address": string, +
      "url": string, +
      "fqdn": string, +
      "external_id": string, +
      "database": string, +
      "application": string, (This field should be used as a meta data field with url or file)
      "tags": [
        string (Multiple tags should be listed and separated by commas)
      ],
      "owner": string,
      "os": string, (although not required, it is strongly recommended to populate this field when available)
      "os_version": string,
      "priority": integer, (defaults to 10, between 0 and 10 but default is recommended unless you have a documented risk appetite for assets)
      "vulns":[ * (If an asset contains no open vulns, this can be an empty array, but to avoid vulnerabilities from being closed, use the skip-autoclose flag)
        {
          "scanner_identifier": string, * (each unique scanner identifier will need a corresponding entry in the vuln-defs section below, this typically should be the external identifier used by your scanner)
          "scanner_type": string, * (required)
          "scanner_score": integer (between 0 and 10),
          "override_score": integer (between 0 and 100),
          "created_at": string, (iso8601 timestamp - defaults to current date if not provided)
          "last_seen_at": string, * (iso8601 timestamp)
          "last_fixed_on": string, (iso8601 timestamp)
          "closed_at": string, ** (required with closed status - This field used with status may be provided on remediated vulns to indicate they're closed, or vulns that are already present in Kenna but absent from this data load, for any specific asset, will be closed via our autoclose logic)
          "status": string, * (required - valid values open, closed, false_positive, risk_accepted)
          "port": integer,
        }
      ]
    }
  ],
  "vuln_defs":[ (This section is required for mapping findings from various scanners into canonical CVE or CWE vulnerabilities in Kenna.)
    {
      "scanner_identifier": string, * (entry for each scanner identifier that appears in the vulns section, this typically should be the external identifier used by your scanner)
      "scanner_type": string, * (matches entry in vulns section)
      "cve_identifiers": string, (note that this can be a comma-delimited list format CVE-000-0000)
      "wasc_identifiers": string, (note that this can be a comma-delimited list - format WASC-00)
      "cwe_identifiers": string, (note that this can be a comma-delimited list - format CWE-000)
      "name": string, (title or short name of the vuln, will be auto-generated if not set)
      "description": string, (full description of the vuln)
      "solution": string, (steps or links for remediation teams)
    }
  ]
}

KDI JSON Field Descriptions

Field Documentation Key:

  1. * These fields are required
  2. + One or more of this group of fields is required
Top-Level Configuration
  • skip_autoclose * - This boolean determines whether the payload should trigger closing of existing vulnerabilities that are absent from this payload.
    • As an example, set this to true if you upload a file containing only "assets" with no vulns, to avoid all existing vulns being closed.
Asset Section  ( "assets" section ) 

Asset Locator Fields - These fields are used as locators, and at least one of these is required. 

  • file + - path to affected file
  • ip_address + - IP of internal facing asset
  • mac_address + - MAC address asset
  • hostname + - host name/domain name of affected asset
  • ec2 + - Amazon EC2 instance id or name
  • netbios + - netbios name
  • external_ip_address + - IP of external facing asset
  • url + - URL pointing to asset
  • fqdn + - FQDN of asset
  • external_id + - External ID of asset - This is often used as an internal organizational tracking name for the asset
  • database + - Name of database
  • application + - identifier/name of application - Note that you'll want to set another locator such as url or file when using this asset locator in order to identify the specific component of the application

Asset Metadata Fields 

  • tags - list of strings that correspond to tags on an asset
  • owner - Some string that identifies an owner of an asset
  • os - Operating system of asset
  • os_version - Version of asset's operating system
  • priority - Priority (or value) of asset (integer 0 to 10). This field is used to adjust asset score. Default is 10.
Vulnerability Section ( "vulns" section underneath an individual "asset" )
  • scanner_type * - Some string that identifies the type of scanner data is coming from
  • scanner_identifier * - Some string that is used to identify the unique data coming in from the scanner named in scanner_type
  • details - Details about how to reproduce vuln
  • created_at - DateTime string indicating when vulnerability was first found by scanner
  • scanner_score - score between 1 and 10 given by scanner
  • override_score - score between 1 and 100 that can be used to override scanner score. Only applied if the associated vuln_defs entry has no associated CVE, CWE, or WASC identifiers.
  • last_fixed_on - DateTime string indicating when vuln was last fixed
  • last_seen_at - DateTime string indicating when vuln was last observed
  • status * - status of vuln remediation ("open" or "closed"). When skip_autoclose is set to false, open vulns that already exist in Kenna will be closed if this field changes their status to closed.
  • closed_at - DateTime string indicating when vuln was closed
  • port - Port that vuln is referring to
Vulnerability Definition Section ( "vuln_defs" section of the JSON )
  • scanner_type * - Some string that identifies the type of scanner data is coming from
  • scanner_identifier * - some string that is used to identify the unique data coming in from the scanner named in scanner_type
  • cve_identifiers - Comma separated string of CVE Identifiers
  • wasc_identifiers - string of WASC identifier(s), comma separated if there is more than one
  • cwe_identifiers - string of CWE identifier(s), comma separated if there is more than one
  • name - Name of a vulnerability identified by scanner
  • description - short description of vulnerability identified by scanner
  • solution - solution for vulnerability identified by scanner
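The field rules above are easy to get wrong when a file is generated by hand or by a script, and a rejected upload only tells you so after the connector has run. The following validator is an added example, not Kenna's own code: it checks a payload offline against the documented rules (at least one locator per asset, required vuln fields, valid status values, closed_at on closed vulns, score and priority ranges, identifier formats, and a vuln_defs entry for every scanner_type/scanner_identifier pair). The two sample payloads at the bottom are constructed for this example; "ExampleScanner" and the "scanner-finding-*" identifiers are assumed names.

```python
# Added example (not Kenna's own code): a pre-upload validator for KDI JSON payloads.
import json
import re
from datetime import datetime

LOCATOR_FIELDS = ("file", "ip_address", "mac_address", "hostname", "ec2", "netbios",
                  "external_ip_address", "url", "fqdn", "external_id", "database",
                  "application")
VALID_STATUSES = ("open", "closed", "false_positive", "risk_accepted")
TIMESTAMP_FIELDS = ("created_at", "last_seen_at", "last_fixed_on", "closed_at")
# Identifier formats from the field definitions (CVE-000-0000, WASC-00, CWE-000).
ID_PATTERNS = {
    "cve_identifiers": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "wasc_identifiers": re.compile(r"^WASC-\d+$"),
    "cwe_identifiers": re.compile(r"^CWE-\d+$"),
}


def is_iso8601(value):
    """True if value parses as an ISO 8601 timestamp (a trailing Z is accepted)."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_kdi(doc):
    """Return a list of problems found; an empty list means the payload passes."""
    errors = []
    if not isinstance(doc.get("assets"), list):
        return ["top-level 'assets' must be an array"]
    if "skip_autoclose" in doc and not isinstance(doc["skip_autoclose"], bool):
        errors.append("'skip_autoclose' must be a boolean")

    # Index vuln_defs by (scanner_type, scanner_identifier); every finding must map to one.
    defs = set()
    for i, d in enumerate(doc.get("vuln_defs", [])):
        key = (d.get("scanner_type"), d.get("scanner_identifier"))
        if not all(key):
            errors.append(f"vuln_defs[{i}]: scanner_type and scanner_identifier are required")
            continue
        defs.add(key)
        for field, pattern in ID_PATTERNS.items():
            for ident in str(d.get(field, "")).split(","):
                ident = ident.strip()
                if ident and not pattern.match(ident):
                    errors.append(f"vuln_defs[{i}]: malformed {field} entry {ident!r}")

    for ai, asset in enumerate(doc["assets"]):
        if not any(asset.get(f) for f in LOCATOR_FIELDS):
            errors.append(f"assets[{ai}]: at least one locator field is required")
        if asset.get("application") and not (asset.get("url") or asset.get("file")):
            errors.append(f"assets[{ai}]: 'application' should be paired with 'url' or 'file'")
        priority = asset.get("priority", 10)
        if not isinstance(priority, int) or not 0 <= priority <= 10:
            errors.append(f"assets[{ai}]: priority must be an integer from 0 to 10")
        if not isinstance(asset.get("vulns"), list):
            errors.append(f"assets[{ai}]: 'vulns' must be an array (it may be empty)")
            continue
        for vi, v in enumerate(asset["vulns"]):
            where = f"assets[{ai}].vulns[{vi}]"
            for req in ("scanner_identifier", "scanner_type", "last_seen_at", "status"):
                if not v.get(req):
                    errors.append(f"{where}: '{req}' is required")
            if v.get("status") not in VALID_STATUSES:
                errors.append(f"{where}: status {v.get('status')!r} is not one of {VALID_STATUSES}")
            if v.get("status") == "closed" and not v.get("closed_at"):
                errors.append(f"{where}: 'closed_at' is required when status is closed")
            for ts in TIMESTAMP_FIELDS:
                if ts in v and not is_iso8601(v[ts]):
                    errors.append(f"{where}: '{ts}' is not an ISO 8601 timestamp")
            score = v.get("scanner_score")
            if score is not None and not (isinstance(score, int) and 0 <= score <= 10):
                errors.append(f"{where}: scanner_score must be an integer between 0 and 10")
            override = v.get("override_score")
            if override is not None and not (isinstance(override, int) and 0 <= override <= 100):
                errors.append(f"{where}: override_score must be an integer between 0 and 100")
            key = (v.get("scanner_type"), v.get("scanner_identifier"))
            if key not in defs:
                errors.append(f"{where}: no vuln_defs entry for scanner_type/scanner_identifier {key}")
    return errors


def validate_kdi_text(text):
    """Validate a KDI document given as JSON text (e.g. the file about to be uploaded)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    return validate_kdi(doc)


# Constructed sample payloads: one that passes and one with typical mistakes.
SAMPLE_GOOD = {
    "skip_autoclose": False,
    "assets": [{"hostname": "web-01.example.internal", "os": "Ubuntu", "priority": 8,
                "vulns": [{"scanner_identifier": "scanner-finding-100", "scanner_type": "ExampleScanner",
                           "last_seen_at": "2024-01-15T10:00:00Z", "status": "open", "scanner_score": 7}]}],
    "vuln_defs": [{"scanner_identifier": "scanner-finding-100", "scanner_type": "ExampleScanner",
                   "cve_identifiers": "CVE-2018-17456", "name": "Example finding 100"}],
}
SAMPLE_BAD = {
    "skip_autoclose": False,
    "assets": [{"os": "Windows",  # no locator field at all
                "vulns": [{"scanner_identifier": "scanner-finding-200",  # no matching vuln_defs entry
                           "scanner_type": "ExampleScanner",
                           "last_seen_at": "last week",  # not ISO 8601
                           "status": "closed"}]}],  # closed without closed_at
    "vuln_defs": [],
}

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, validate_kdi(doc) or "OK")
```

Run it against the file you are about to upload with validate_kdi_text(open(path).read()); the messages name the exact asset and vuln index, which is quicker than reading the failure message stored on the connector page. The scanner_score check uses the 0 to 10 range from the format section, and the scanner_type/scanner_identifier pairing is the one the vuln_defs section says must match.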

Examples:

Here is an example of a minimal generated KDI file that is ready for import into the Kenna platform. 

{
  "skip_autoclose": true,
  "assets": [
    {
      "ip_address": "172.31.42.121",
      "ec2": "i-02aadcccfda719968",
      "tags": ["AWS"],
      "priority": 0,
      "vulns": [
        {
          "scanner_identifier": "aws-vuln-id-1",
          "scanner_type": "AWS Inspector",
          "created_at": "2018-11-10-18:08:57",
          "last_seen_at": "2018-11-10-18:08:57",
          "status": "open"
        },
        {
          "scanner_identifier": "aws-vuln-id-2",
          "scanner_type": "AWS Inspector",
          "created_at": "2018-11-10-18:08:57",
          "last_seen_at": "2018-11-10-18:08:57",
          "status": "open"
        },
        {
          "scanner_identifier": "aws-vuln-id-3",
          "details": "some details about how CVE-2018-10853 and CVE-2018-18074 are impacting asset",
          "scanner_type": "AWS Inspector",
          "created_at": "2018-11-10-18:08:57",
          "last_seen_at": "2018-11-10-18:08:57",
          "status": "open"
        }
      ]
    }
  ],
  "vuln_defs": [
    {
      "scanner_identifier": "aws-vuln-id-1",
      "scanner_type": "AWS Inspector",
      "cve_identifiers": "CVE-2018-17456",
      "name": "Name of vulnerability involving CVE-2018-17456",
      "description": "Description of vuln involving CVE-2018-17456",
      "solution": "Do something good to fix CVE-2018-17456"
    },
    {
      "scanner_identifier": "aws-vuln-id-2",
      "scanner_type": "AWS Inspector",
      "cve_identifiers": "CVE-2018-6555",
      "name": "Name of vulnerability involving CVE-2018-6555",
      "description": "Description of vuln involving CVE-2018-6555",
      "solution": "Do something good to fix CVE-2018-6555"
    },
    {
      "scanner_identifier": "aws-vuln-id-3",
      "scanner_type": "AWS Inspector",
      "name": "Name of vulnerability involving CVE-2018-10853, CVE-2018-18074",
      "description": "Description of vuln involving CVE-2018-10853, CVE-2018-18074",
      "cve_identifiers": "CVE-2018-10853, CVE-2018-18074"
    }
  ]
}
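The file above is what a generator has to produce from whatever a scanner exports. The script below is an added example, not Kenna's own code, showing how to build such a document: findings are grouped per host into assets, each scanner identifier gets exactly one vuln_defs entry with the CVEs from all of its rows merged, and a finding the scanner reports as fixed becomes a closed vuln with the closed_at the status requires. The FINDINGS rows are constructed for this example and their column names (host, plugin_id, title, cvss, cves, port, first_seen, last_seen, fixed_on) and the "ExampleScanner" scanner_type are assumptions about a scanner's output, not a real scanner's format.

```python
# Added example (not Kenna's own code): turning a scanner export into a KDI document.
import json

SCANNER_TYPE = "ExampleScanner"  # assumed value for the scanner_type field

# Constructed scanner rows; the column names are assumptions for this example.
FINDINGS = [
    {"host": "web-01.example.internal", "plugin_id": "plugin-1001", "title": "Example finding 1001",
     "cvss": 8.8, "cves": ["CVE-2018-17456"], "port": 22,
     "first_seen": "2024-01-10T09:00:00Z", "last_seen": "2024-01-15T09:00:00Z"},
    {"host": "web-01.example.internal", "plugin_id": "plugin-1002", "title": "Example finding 1002",
     "cvss": 5.3, "cves": ["CVE-2018-10853"], "port": 443,
     "first_seen": "2024-01-10T09:00:00Z", "last_seen": "2024-01-15T09:00:00Z"},
    {"host": "db-01.example.internal", "plugin_id": "plugin-1002", "title": "Example finding 1002",
     "cvss": 5.3, "cves": ["CVE-2018-18074"], "port": 5432,
     "first_seen": "2024-01-02T09:00:00Z", "last_seen": "2024-01-14T09:00:00Z",
     "fixed_on": "2024-01-14T09:00:00Z"},
]


def build_kdi(findings, scanner_type=SCANNER_TYPE, skip_autoclose=False):
    """Group findings per host into KDI assets and emit one vuln_def per scanner_identifier."""
    assets = {}  # hostname -> asset dict (dict insertion order keeps the export order)
    defs = {}    # scanner_identifier -> vuln_def dict, with CVEs merged across rows
    for f in findings:
        asset = assets.setdefault(
            f["host"], {"hostname": f["host"], "tags": [scanner_type], "vulns": []})
        closed = "fixed_on" in f
        vuln = {
            "scanner_identifier": f["plugin_id"],
            "scanner_type": scanner_type,
            "scanner_score": int(round(f["cvss"])),  # CVSS 0-10 float -> integer scanner_score
            "created_at": f["first_seen"],
            "last_seen_at": f["last_seen"],
            "status": "closed" if closed else "open",
        }
        if "port" in f:
            vuln["port"] = f["port"]
        if closed:
            # A closed status requires closed_at; last_fixed_on records the same event.
            vuln["closed_at"] = f["fixed_on"]
            vuln["last_fixed_on"] = f["fixed_on"]
        asset["vulns"].append(vuln)

        d = defs.setdefault(f["plugin_id"], {
            "scanner_identifier": f["plugin_id"],
            "scanner_type": scanner_type,
            "name": f["title"],
            "cves": set(),
        })
        d["cves"].update(f["cves"])

    vuln_defs = []
    for d in defs.values():
        entry = {k: v for k, v in d.items() if k != "cves"}
        if d["cves"]:
            # cve_identifiers is a comma-delimited string in the KDI format
            entry["cve_identifiers"] = ", ".join(sorted(d["cves"]))
        vuln_defs.append(entry)
    return {"skip_autoclose": skip_autoclose,
            "assets": list(assets.values()),
            "vuln_defs": vuln_defs}


def kdi_json(findings, **kwargs):
    """Serialize the KDI document as the JSON text the connector upload expects."""
    return json.dumps(build_kdi(findings, **kwargs), indent=2)


if __name__ == "__main__":
    print(kdi_json(FINDINGS))
```

Pass skip_autoclose=True when the export is only part of what the scanner knows about an asset, for example a single scan policy; otherwise vulns already in Kenna for that asset but absent from the file will be closed by the autoclose logic described above. Keying vuln_defs by scanner_identifier is what guarantees the matching entry the vulns section requires.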