Greetings,
Sorry for the convoluted questions. I am not well versed with APIs or SQL so this may be a really backwards way to do things. Basically, I am trying to create a report that gives me the same (or similar) data that I get from the vulnerabilities section in the InsightVM portal.
So pretty basic Title, CVS, Risk, Date, Severity, and Instances.
What I have so far is a custom SQL query report with the following query:
SELECT Title, malware_kits as Malware, exploits as Exploits, round(cvss_score::numeric, 2) AS CVSS, round(cvss_v3_score::numeric, 2) AS CVSSv3, date_published as PublishedOn, date_modified as Modified, severity, affected_assets as Instances, nexpose_id\n FROM dim_vulnerability \n JOIN fact_vulnerability fv USING (vulnerability_id)\n WHERE fv.vulnerability_instances > 0\n ORDER BY modified DESC
Now this does most of the job here, but this is where I get lost in the weeds a bit.
- When running the report via an API call it dumps all of the data in a block and it is hard to manipulate it from that point. It looks like one large block as a CSV.
I am using GET /api/3/reports/{id}/history/{instance}/output. I have also tried GET /api/3/reports but that did not seem to give me anything aside from the report formats.
Is there a better way to query this specific data for use in an API?
- When I compaire the data that is in this report, it differes slightly from what I can see in the Vulnerabilities section in the console. There are just a handful of items that do not match up and it’s kinda weird. Like there may be 1 or 2 items that are on MY report that are not in the vulns section.
Any advice/critiques is appreciated.
Thanks,
Aaron