For a fully working platform you need to set up the connection to Elasticsearch:
--db.driver = elastic #always use elastic; the file driver is only for testing
--db.elastic.url = http://localhost:9200
--db.elastic.user = <<user>>
--db.elastic.password = <<pass>>
--db.elastic.prefix = <<prefix>>
--db.elastic.ssl_check = ignore #disables TLS certificate verification; acceptable only for test setups, not for production
Generate an intersect to see the data correlation between sources.
In this example we use AzureAD and Qualys as our sources. Data from each source must already be indexed. Make sure the right elastic prefix (db.elastic.prefix) is set.
--qualys.apihost = <<fqdn>> #example - qualysapi.qualys.eu
--qualys.apiuser = <<user>>
--qualys.apipassword = <<pass>>
fcpc qualys download-and-import-all
Guide for setting up new AzureAD source - https://gitlab.foresightcyber.com/fc/fcp/-/blob/develop/doc/dd/7624-AzureAD-module.md.
--azuread.client_id = <<id>>
--azuread.client_secret = <<secret>>
--azuread.tenant = <<tenant>>
fcpc azuread download-and-import-all
Now we have data from each source, so we can run intersect.
--intersect.query = "azureaddevice"
--intersect.query = "qualyshost"
--intersect.attribute = "name"
--intersect.tag_prefix = "linkage/"
fcpc views execute intersect
After generating the intersect, go to Kibana. Create a new index pattern with your specific Elasticsearch prefix (example: prefix=fcpc_ds -> create an index pattern named fcpc_ds_views_intersect). Go to Discover and select this newly created index pattern to see the intersect. Choose the attributes you want, then save your search and download it as CSV.
You need data in Elasticsearch and a Qualys API user with full permissions. Run each deletion query with --qualys.dry = 1 first and review what it matches before running it for real.
--qualys.apihost = <<fqdn>> #example - qualysapi.qualys.eu
--qualys.apiuser = <<user>>
--qualys.apipassword = <<pass>>
--qualys.dry = 1 #1 for testing only; nothing will be deleted
Delete Qualys Cisco assets which have not been scanned for 30+ days.
fcpc qualys del-assets-by-query '/{tag: "platform:cisco" AND qlastvulnscan: [* TO now-30d]}/'
Delete Qualys Windows server assets with Cloud Agent which have not checked in for 7+ days.
fcpc qualys del-assets-by-query '/{tag: "os:windowsserver" AND tag: "qualys:agent" AND qlastcheckin: [* TO now-7d]}/'
Delete Qualys Windows server assets without Cloud Agent which have not been scanned for 30+ days.
fcpc qualys del-assets-by-query '/{tag: "os:windowsserver" AND -tag: "qualys:agent" AND qlastvulnscan: [* TO now-30d]}/'
Delete duplicated Qualys assets which have been inactive for more than 7 days (the default). The threshold can be changed with the parameter
--qualys.inactive.asset = 30
fcpc qualys del-assets-by-query '/{tag: "qualys:duplicated" AND tag: "module:duplicated:name" AND tag:"qualys:asset:inactive"}/'
To report firewall changes with compliance you need fresh data in these elastic indexes: model_access_rules-* and csv_change_tracking_*. Run the corresponding tasks before reporting!
--skybox.elastic.url = <<elasticsearch_url>>
--skybox.elastic.user = <<elasticsearch_user>>
--skybox.elastic.password = <<elasticsearch_pass>>
--skybox.url = <<skybox_url>>
--skybox.user = <<skybox_user>>
--skybox.password = <<skybox_pass>>
--skybox.tls.ignore = 1 #disables TLS certificate verification for the Skybox connection; acceptable only for test setups
fcpc skybox report-firewall-changes ["changesolr" ["rulesolr"]] #optional query on changes, then optional query on rules
To find only modified and new rules, report only the rules violating rule policy checks and save the result to CSV:
fcpc --output.format=csv --skybox.ignore_errors=1 skybox report-firewall-changes 'ChangeType: ( "Modified" "New")' 'violationsCountRulePolicy: [ 1 TO * ]' >changes.csv