implementing-vulnerability-sla-breach-alerting

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。

9 stars

Best use case

implementing-vulnerability-sla-breach-alerting is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。

Teams using implementing-vulnerability-sla-breach-alerting should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-vulnerability-sla-breach-alerting Compares

Feature / Agentimplementing-vulnerability-sla-breach-alertingStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 实施漏洞 SLA 违规告警

## 概述

漏洞修复 SLA 根据严重程度定义了处理安全发现结果的最大时限。本技能涵盖构建自动化告警系统,用于跟踪修复时间线、检测 SLA 违规、发送升级通知并生成合规报告。行业标准 SLA 目标为:关键(24-48 小时)、高(15-30 天)、中(60 天)、低(90 天)。

## 前置条件

- Python 3.9+,安装 `requests`、`pandas`、`jinja2`、`smtplib` 库
- 带 API 访问的漏洞管理平台(DefectDojo、Qualys、Tenable)
- SMTP 服务器或 Webhook 端点(Slack、Microsoft Teams、PagerDuty)
- 用于 SLA 跟踪的数据库(PostgreSQL 或 SQLite)

## SLA 策略定义

### 标准 SLA 分层

| 严重程度 | 修复 SLA | 宽限期 | 升级级别 |
|----------|----------------|--------------|-----------------|
| 关键(CVSS 9.0-10.0) | 48 小时 | 12 小时 | VP 工程 + CISO |
| 高(CVSS 7.0-8.9) | 15 天 | 5 天 | 工程总监 |
| 中(CVSS 4.0-6.9) | 60 天 | 14 天 | 团队负责人 |
| 低(CVSS 0.1-3.9) | 90 天 | 30 天 | 资产负责人 |

### SLA 配置文件

```yaml
# sla_policy.yaml
sla_tiers:
  critical:
    cvss_min: 9.0
    cvss_max: 10.0
    remediation_days: 2
    grace_period_days: 0.5
    escalation_contacts:
      - ciso@company.com
      - vp-engineering@company.com
    pagerduty_severity: critical
  high:
    cvss_min: 7.0
    cvss_max: 8.9
    remediation_days: 15
    grace_period_days: 5
    escalation_contacts:
      - security-director@company.com
    pagerduty_severity: high
  medium:
    cvss_min: 4.0
    cvss_max: 6.9
    remediation_days: 60
    grace_period_days: 14
    escalation_contacts:
      - team-lead@company.com
    pagerduty_severity: warning
  low:
    cvss_min: 0.1
    cvss_max: 3.9
    remediation_days: 90
    grace_period_days: 30
    escalation_contacts:
      - asset-owner@company.com
    pagerduty_severity: info

notification_channels:
  slack:
    webhook_url: "${SLACK_WEBHOOK_URL}"
    channel: "#vulnerability-alerts"
  email:
    smtp_host: smtp.company.com
    smtp_port: 587
    from_address: vuln-alerts@company.com
  pagerduty:
    api_key: "${PAGERDUTY_API_KEY}"
    service_id: "${PAGERDUTY_SERVICE_ID}"

alert_schedules:
  approaching_breach:
    percentage_elapsed: 80
    frequency_hours: 24
  at_breach:
    notification: immediate
    escalation: true
  post_breach:
    frequency_hours: 12
    escalation_increase: true
```

## 实施步骤

### 步骤 1:SLA 跟踪数据库模式

```sql
CREATE TABLE vulnerability_sla (
    id SERIAL PRIMARY KEY,
    cve_id VARCHAR(20) NOT NULL,
    finding_id VARCHAR(100) NOT NULL,
    asset_hostname VARCHAR(255),
    severity VARCHAR(20) NOT NULL,
    cvss_score DECIMAL(3,1),
    discovered_at TIMESTAMP NOT NULL,
    sla_deadline TIMESTAMP NOT NULL,
    remediated_at TIMESTAMP,
    status VARCHAR(20) DEFAULT 'open',
    owner_email VARCHAR(255),
    escalation_level INTEGER DEFAULT 0,
    last_alert_sent TIMESTAMP,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

CREATE INDEX idx_sla_status ON vulnerability_sla(status);
CREATE INDEX idx_sla_deadline ON vulnerability_sla(sla_deadline);
CREATE INDEX idx_sla_severity ON vulnerability_sla(severity);
```

### 步骤 2:SLA 违规检测逻辑

```python
from datetime import datetime, timedelta, timezone
import yaml

def load_sla_policy(policy_path="sla_policy.yaml"):
    with open(policy_path, "r") as f:
        return yaml.safe_load(f)

def get_sla_tier(cvss_score, policy):
    for tier_name, tier in policy["sla_tiers"].items():
        if tier["cvss_min"] <= cvss_score <= tier["cvss_max"]:
            return tier_name, tier
    return "low", policy["sla_tiers"]["low"]

def calculate_sla_deadline(discovered_at, cvss_score, policy):
    tier_name, tier = get_sla_tier(cvss_score, policy)
    deadline = discovered_at + timedelta(days=tier["remediation_days"])
    return deadline, tier_name

def check_sla_status(discovered_at, sla_deadline, remediated_at=None):
    now = datetime.now(timezone.utc)
    if remediated_at:
        if remediated_at <= sla_deadline:
            return "remediated_within_sla"
        return "remediated_breach"
    if now > sla_deadline:
        overdue_days = (now - sla_deadline).days
        return f"breached_{overdue_days}d_overdue"
    remaining = sla_deadline - now
    total_sla = sla_deadline - discovered_at
    pct_elapsed = ((total_sla - remaining) / total_sla) * 100
    if pct_elapsed >= 80:
        return "approaching_breach"
    return "within_sla"
```

### 步骤 3:通知分发

```python
import requests
import json
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart

def send_slack_alert(webhook_url, vuln_data, sla_status):
    color = {"breached": "#FF0000", "approaching_breach": "#FFA500", "within_sla": "#36A64F"}
    status_color = color.get("breached" if "breached" in sla_status else sla_status, "#808080")
    payload = {
        "attachments": [{
            "color": status_color,
            "title": f"漏洞 SLA 告警:{vuln_data['cve_id']}",
            "fields": [
                {"title": "严重程度", "value": vuln_data["severity"], "short": True},
                {"title": "CVSS", "value": str(vuln_data["cvss_score"]), "short": True},
                {"title": "资产", "value": vuln_data["asset_hostname"], "short": True},
                {"title": "SLA 状态", "value": sla_status, "short": True},
                {"title": "截止时间", "value": vuln_data["sla_deadline"].strftime("%Y-%m-%d %H:%M UTC"), "short": True},
                {"title": "负责人", "value": vuln_data.get("owner_email", "未分配"), "short": True},
            ],
        }]
    }
    requests.post(webhook_url, json=payload, timeout=10)
```

### 步骤 4:计划 SLA 检查运行程序

```bash
# 通过 cron 每小时运行 SLA 违规检查
echo "0 * * * * cd /opt/vuln-sla && python3 scripts/process.py --check-sla" | crontab -

# 手动检查
python3 scripts/process.py --check-sla --policy sla_policy.yaml

# 生成 SLA 合规报告
python3 scripts/process.py --report --period monthly --output sla_report.html
```

## 参考资料

- 漏洞管理 SLA 指南:https://hostedscan.com/blog/vulnerability-management-slas-guide
- NIST SP 800-40 Rev 4 - 补丁管理:https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
- PagerDuty Events API v2:https://developer.pagerduty.com/api-reference/a7d81b0e9200f-send-an-event-to-pager-duty
- Slack Incoming Webhooks:https://api.slack.com/messaging/webhooks

Related Skills

testing-api-for-mass-assignment-vulnerability

9
from killvxk/cybersecurity-skills-zh

测试 API 是否存在批量赋值(mass assignment,自动绑定)漏洞——攻击者可在 API 请求中附加额外参数,从而修改本不应被访问的对象属性。测试人员识别可写端点,向请求体注入未公开字段(role、isAdmin、price、balance),验证服务器是否在未过滤的情况下将这些字段绑定到数据模型。属于 OWASP API3:2023 Broken Object Property Level Authorization 范畴。适用于批量赋值测试、参数绑定滥用、自动绑定漏洞或 API 过度发布(over-posting)相关请求。

performing-web-application-vulnerability-triage

9
from killvxk/cybersecurity-skills-zh

使用 OWASP 风险评级方法论对 DAST/SAST 扫描器的 Web 应用程序漏洞发现进行分类,区分真阳性和假阳性,并确定修复优先级。

performing-vulnerability-scanning-with-nessus

9
from killvxk/cybersecurity-skills-zh

使用 Tenable Nessus 执行认证和未认证漏洞扫描,识别网络基础设施、服务器和应用程序中的已知漏洞、 错误配置、默认凭据和缺失补丁。扫描器将发现与 CVE 数据库和 CVSS 评分关联,生成优先级修复指导。 适用于漏洞扫描、Nessus 评估、补丁合规检查或自动化漏洞检测等请求场景。

performing-ssrf-vulnerability-exploitation

9
from killvxk/cybersecurity-skills-zh

通过探测云元数据端点、内网服务和协议处理器,检测用户可控 URL 参数中的 服务端请求伪造(SSRF)漏洞。测试 AWS/GCP/Azure 元数据 API(169.254.169.254)、 通过 HTTP 进行内网端口扫描、URL 协议绕过技术以及 DNS 重绑定检测。

performing-ot-vulnerability-scanning-safely

9
from killvxk/cybersecurity-skills-zh

使用被动监控、原生协议查询和经过精心控制的Tenable OT Security主动扫描,在OT/ICS环境中安全执行漏洞扫描,在不破坏工业过程或导致旧版控制器崩溃的情况下识别漏洞。

performing-ot-vulnerability-assessment-with-claroty

9
from killvxk/cybersecurity-skills-zh

本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。

performing-endpoint-vulnerability-remediation

9
from killvxk/cybersecurity-skills-zh

通过基于风险评分对 CVE 进行优先级排序、部署补丁、应用配置变更和验证修复 来执行端点漏洞修复。适用于修复漏洞扫描发现的问题、响应严重 CVE 公告 或维护端点合规性与补丁管理 SLA 的场景。适用于涉及漏洞修复、CVE 补丁、 端点漏洞管理或安全修复部署的请求。

performing-authenticated-vulnerability-scan

9
from killvxk/cybersecurity-skills-zh

认证(凭据)漏洞扫描使用有效的系统凭据登录目标主机,对已安装软件、补丁、配置和安全设置进行深度检查,相比未认证扫描可发现 45-60% 更多漏洞。

performing-agentless-vulnerability-scanning

9
from killvxk/cybersecurity-skills-zh

配置并执行无代理漏洞扫描(agentless vulnerability scanning),利用网络协议、云快照分析和基于 API 的发现方式评估系统安全,无需在端点安装 Agent。

performing-active-directory-vulnerability-assessment

9
from killvxk/cybersecurity-skills-zh

使用 PingCastle、BloodHound 和 Purple Knight 评估 Active Directory 安全态势,识别错误配置、权限提升路径和攻击向量。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。