implementing-vulnerability-sla-breach-alerting
为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。
Best use case
implementing-vulnerability-sla-breach-alerting is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。
Teams using implementing-vulnerability-sla-breach-alerting should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-vulnerability-sla-breach-alerting/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-vulnerability-sla-breach-alerting Compares
| Feature / Agent | implementing-vulnerability-sla-breach-alerting | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 实施漏洞 SLA 违规告警
## 概述
漏洞修复 SLA 根据严重程度定义了处理安全发现结果的最大时限。本技能涵盖构建自动化告警系统,用于跟踪修复时间线、检测 SLA 违规、发送升级通知并生成合规报告。行业标准 SLA 目标为:关键(24-48 小时)、高(15-30 天)、中(60 天)、低(90 天)。
## 前置条件
- Python 3.9+,安装 `requests`、`pandas`、`jinja2`、`smtplib` 库
- 带 API 访问的漏洞管理平台(DefectDojo、Qualys、Tenable)
- SMTP 服务器或 Webhook 端点(Slack、Microsoft Teams、PagerDuty)
- 用于 SLA 跟踪的数据库(PostgreSQL 或 SQLite)
## SLA 策略定义
### 标准 SLA 分层
| 严重程度 | 修复 SLA | 宽限期 | 升级级别 |
|----------|----------------|--------------|-----------------|
| 关键(CVSS 9.0-10.0) | 48 小时 | 12 小时 | VP 工程 + CISO |
| 高(CVSS 7.0-8.9) | 15 天 | 5 天 | 工程总监 |
| 中(CVSS 4.0-6.9) | 60 天 | 14 天 | 团队负责人 |
| 低(CVSS 0.1-3.9) | 90 天 | 30 天 | 资产负责人 |
### SLA 配置文件
```yaml
# sla_policy.yaml
sla_tiers:
critical:
cvss_min: 9.0
cvss_max: 10.0
remediation_days: 2
grace_period_days: 0.5
escalation_contacts:
- ciso@company.com
- vp-engineering@company.com
pagerduty_severity: critical
high:
cvss_min: 7.0
cvss_max: 8.9
remediation_days: 15
grace_period_days: 5
escalation_contacts:
- security-director@company.com
pagerduty_severity: high
medium:
cvss_min: 4.0
cvss_max: 6.9
remediation_days: 60
grace_period_days: 14
escalation_contacts:
- team-lead@company.com
pagerduty_severity: warning
low:
cvss_min: 0.1
cvss_max: 3.9
remediation_days: 90
grace_period_days: 30
escalation_contacts:
- asset-owner@company.com
pagerduty_severity: info
notification_channels:
slack:
webhook_url: "${SLACK_WEBHOOK_URL}"
channel: "#vulnerability-alerts"
email:
smtp_host: smtp.company.com
smtp_port: 587
from_address: vuln-alerts@company.com
pagerduty:
api_key: "${PAGERDUTY_API_KEY}"
service_id: "${PAGERDUTY_SERVICE_ID}"
alert_schedules:
approaching_breach:
percentage_elapsed: 80
frequency_hours: 24
at_breach:
notification: immediate
escalation: true
post_breach:
frequency_hours: 12
escalation_increase: true
```
## 实施步骤
### 步骤 1:SLA 跟踪数据库模式
```sql
CREATE TABLE vulnerability_sla (
id SERIAL PRIMARY KEY,
cve_id VARCHAR(20) NOT NULL,
finding_id VARCHAR(100) NOT NULL,
asset_hostname VARCHAR(255),
severity VARCHAR(20) NOT NULL,
cvss_score DECIMAL(3,1),
discovered_at TIMESTAMP NOT NULL,
sla_deadline TIMESTAMP NOT NULL,
remediated_at TIMESTAMP,
status VARCHAR(20) DEFAULT 'open',
owner_email VARCHAR(255),
escalation_level INTEGER DEFAULT 0,
last_alert_sent TIMESTAMP,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX idx_sla_status ON vulnerability_sla(status);
CREATE INDEX idx_sla_deadline ON vulnerability_sla(sla_deadline);
CREATE INDEX idx_sla_severity ON vulnerability_sla(severity);
```
### 步骤 2:SLA 违规检测逻辑
```python
from datetime import datetime, timedelta, timezone
import yaml
def load_sla_policy(policy_path="sla_policy.yaml"):
with open(policy_path, "r") as f:
return yaml.safe_load(f)
def get_sla_tier(cvss_score, policy):
for tier_name, tier in policy["sla_tiers"].items():
if tier["cvss_min"] <= cvss_score <= tier["cvss_max"]:
return tier_name, tier
return "low", policy["sla_tiers"]["low"]
def calculate_sla_deadline(discovered_at, cvss_score, policy):
tier_name, tier = get_sla_tier(cvss_score, policy)
deadline = discovered_at + timedelta(days=tier["remediation_days"])
return deadline, tier_name
def check_sla_status(discovered_at, sla_deadline, remediated_at=None):
now = datetime.now(timezone.utc)
if remediated_at:
if remediated_at <= sla_deadline:
return "remediated_within_sla"
return "remediated_breach"
if now > sla_deadline:
overdue_days = (now - sla_deadline).days
return f"breached_{overdue_days}d_overdue"
remaining = sla_deadline - now
total_sla = sla_deadline - discovered_at
pct_elapsed = ((total_sla - remaining) / total_sla) * 100
if pct_elapsed >= 80:
return "approaching_breach"
return "within_sla"
```
### 步骤 3:通知分发
```python
import requests
import json
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
def send_slack_alert(webhook_url, vuln_data, sla_status):
color = {"breached": "#FF0000", "approaching_breach": "#FFA500", "within_sla": "#36A64F"}
status_color = color.get("breached" if "breached" in sla_status else sla_status, "#808080")
payload = {
"attachments": [{
"color": status_color,
"title": f"漏洞 SLA 告警:{vuln_data['cve_id']}",
"fields": [
{"title": "严重程度", "value": vuln_data["severity"], "short": True},
{"title": "CVSS", "value": str(vuln_data["cvss_score"]), "short": True},
{"title": "资产", "value": vuln_data["asset_hostname"], "short": True},
{"title": "SLA 状态", "value": sla_status, "short": True},
{"title": "截止时间", "value": vuln_data["sla_deadline"].strftime("%Y-%m-%d %H:%M UTC"), "short": True},
{"title": "负责人", "value": vuln_data.get("owner_email", "未分配"), "short": True},
],
}]
}
requests.post(webhook_url, json=payload, timeout=10)
```
### 步骤 4:计划 SLA 检查运行程序
```bash
# 通过 cron 每小时运行 SLA 违规检查
echo "0 * * * * cd /opt/vuln-sla && python3 scripts/process.py --check-sla" | crontab -
# 手动检查
python3 scripts/process.py --check-sla --policy sla_policy.yaml
# 生成 SLA 合规报告
python3 scripts/process.py --report --period monthly --output sla_report.html
```
## 参考资料
- 漏洞管理 SLA 指南:https://hostedscan.com/blog/vulnerability-management-slas-guide
- NIST SP 800-40 Rev 4 - 补丁管理:https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
- PagerDuty Events API v2:https://developer.pagerduty.com/api-reference/a7d81b0e9200f-send-an-event-to-pager-duty
- Slack Incoming Webhooks:https://api.slack.com/messaging/webhooksRelated Skills
testing-api-for-mass-assignment-vulnerability
测试 API 是否存在批量赋值(mass assignment,自动绑定)漏洞——攻击者可在 API 请求中附加额外参数,从而修改本不应被访问的对象属性。测试人员识别可写端点,向请求体注入未公开字段(role、isAdmin、price、balance),验证服务器是否在未过滤的情况下将这些字段绑定到数据模型。属于 OWASP API3:2023 Broken Object Property Level Authorization 范畴。适用于批量赋值测试、参数绑定滥用、自动绑定漏洞或 API 过度发布(over-posting)相关请求。
performing-web-application-vulnerability-triage
使用 OWASP 风险评级方法论对 DAST/SAST 扫描器的 Web 应用程序漏洞发现进行分类,区分真阳性和假阳性,并确定修复优先级。
performing-vulnerability-scanning-with-nessus
使用 Tenable Nessus 执行认证和未认证漏洞扫描,识别网络基础设施、服务器和应用程序中的已知漏洞、 错误配置、默认凭据和缺失补丁。扫描器将发现与 CVE 数据库和 CVSS 评分关联,生成优先级修复指导。 适用于漏洞扫描、Nessus 评估、补丁合规检查或自动化漏洞检测等请求场景。
performing-ssrf-vulnerability-exploitation
通过探测云元数据端点、内网服务和协议处理器,检测用户可控 URL 参数中的 服务端请求伪造(SSRF)漏洞。测试 AWS/GCP/Azure 元数据 API(169.254.169.254)、 通过 HTTP 进行内网端口扫描、URL 协议绕过技术以及 DNS 重绑定检测。
performing-ot-vulnerability-scanning-safely
使用被动监控、原生协议查询和经过精心控制的Tenable OT Security主动扫描,在OT/ICS环境中安全执行漏洞扫描,在不破坏工业过程或导致旧版控制器崩溃的情况下识别漏洞。
performing-ot-vulnerability-assessment-with-claroty
本技能涵盖使用Claroty xDome平台在OT环境中执行漏洞评估,实现全面资产发现、风险评分、漏洞关联和修复优先级排序。内容涉及通过流量分析进行被动漏洞识别、OT设备安全主动查询、与CVE数据库和ICS-CERT公告集成,以及考虑运营影响和补偿控制措施的基于风险的优先级排序。
performing-endpoint-vulnerability-remediation
通过基于风险评分对 CVE 进行优先级排序、部署补丁、应用配置变更和验证修复 来执行端点漏洞修复。适用于修复漏洞扫描发现的问题、响应严重 CVE 公告 或维护端点合规性与补丁管理 SLA 的场景。适用于涉及漏洞修复、CVE 补丁、 端点漏洞管理或安全修复部署的请求。
performing-authenticated-vulnerability-scan
认证(凭据)漏洞扫描使用有效的系统凭据登录目标主机,对已安装软件、补丁、配置和安全设置进行深度检查,相比未认证扫描可发现 45-60% 更多漏洞。
performing-agentless-vulnerability-scanning
配置并执行无代理漏洞扫描(agentless vulnerability scanning),利用网络协议、云快照分析和基于 API 的发现方式评估系统安全,无需在端点安装 Agent。
performing-active-directory-vulnerability-assessment
使用 PingCastle、BloodHound 和 Purple Knight 评估 Active Directory 安全态势,识别错误配置、权限提升路径和攻击向量。
implementing-zero-trust-with-hashicorp-boundary
使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。
implementing-zero-trust-with-beyondcorp
使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。