Connecting Vulnerabilities with Assets Through the InsightVM API?

I’m working on integrating a PHP script with the InsightVM API with the goal of pulling down a list of all vulnerabilities and the assets associated with them. I’ve been able to pull the list of assets (InsightVM Cloud Integrations API), no problem, and can see some high level vulnerability information like the total number of vulnerabilities across the different categories, but am not seeing any data on specific vulnerabilities the asset has in the results.

When I query the API for vulnerabilities (InsightVM Cloud Integrations API), it appears to be a list of all vulnerabilities in the system. It looks like I can put a filter in the body, but best I can tell this is only good for searching for vulnerability fields and I don’t see any examples of searching for an asset ID.

So, my question is how do I get a list of either all vulnerabilities associated with an asset or all assets associated with a vulnerability, through the API?

Thanks!

I think the best way would be to generate a CSV report with the asset and vulnerability information and then read this data. You could use the APIs to generate the CSV and download it, and then open the file to read all the rows and populate on your end accordingly. I wrote some code in Python to do something similar, maybe you can use this as a reference? Let me know if you need it.


Thanks for the response Arshiya! Really appreciate it. I was told that the API functionality in InsightVM was comparable to that of Nexpose or querying the On-Premise InsightVM API. Clearly that’s not the case if we need to download a CSV and manually parse the data. Kinda against the whole point of using an API. In any case, hopefully Rapid7 is working on updating that as it’s kind of a big gap in what their API can do.


Hi Jsokol,

If you want to use the API for querying and you already have the vulnerability IDs that exist in your network, maybe you can use the Vulnerability Affected Assets API: InsightVM API (v3)

This will give you a list of asset IDs of all the assets that are affected by this vulnerability. If you have a list of vulnerability IDs, then maybe this would be the best approach for you. I hope this helps?

Thanks again for your response Arshiya. I believe there are two different InsightVM APIs. One is for Rapid7’s “InsightVM Cloud Integrations API”. The other is for Rapid7’s “InsightVM API”. Super confusing…I know. The former is what you referenced in your last message. This works great if you have the ability to connect to the on-premise version of Nexpose/InsightVM that is running, but as best I can tell, this API query that you provided is not accessible through the “Cloud Integrations API”. Hence, why I am struggling to figure this one out. If the same API functionality existed in both places, I’d have had this done long ago.

I’m not 100% sure that retrieving the vulnerabilities across all assets is doable with the InsightVM Cloud Integrations API linked here, given the limited endpoints. That said, would you be willing to get the data with a non-API route? I ask because the data warehouse might be a good option in this case.

The data warehouse allows you to export all your console data to an external warehouse so you can have a richer dataset and do more bulk operations, like what you’re trying to do here. From there you can write some SQL queries that enable you to see which vulnerabilities exist across which assets and include or exclude as much additional data as you want.

Here’s some more info about what it takes to set up the data warehouse, along with the schema for it.

https://docs.rapid7.com/insightvm/configuring-data-warehousing-settings/
https://help.rapid7.com/nexpose/en-us/warehouse/warehouse-schema.html

Thanks for your thoughts on this Holly. Really appreciate it. Unfortunately, this isn’t my data or even my InsightVM Cloud instance. I’m trying to use data from a customer to give them some additional insights. Trying to set up a data warehouse isn’t really an option here, but I appreciate the suggestion. It appears that we’re stuck with just getting assets through the InsightVM Cloud API at the moment.

I see, so the struggle is the fact that you’re limited to this particular InsightVM API for retrieving this info.

I checked with some team members and got the suggestion to try this endpoint:

https://{region}.api.insight.com/vm/v4/integration/assets?page=0&size=1000&includeSame=True

You would fill in your region at the beginning, and update the page + size params to be whatever you want. The includeSame param tells it whether to return a list of vulnerabilities that already exist on the asset, and since you’re looking to tie assets to vulns, that could get you what you’re looking for.

If you’re unable to get it working with that endpoint, I would try the Search Assets endpoint and also include the includeSame=true param.

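The join this thread is after (vulnerabilities per asset, and assets per vulnerability), as an added example that is not part of any post above and is not Rapid7's code: it walks the paged asset results and inverts the per-asset findings into both lookups. The response field names (`data`, `metadata`, `totalPages`, `same`, `vulnerability_id`, `host_name`) and the `fetch_sample_page` stand-in for the HTTP call are assumptions; the sample pages are constructed.

```python
from collections import defaultdict

# Constructed sample pages. The field names used here are assumptions about
# the response shape, not taken from the thread; adjust to what is returned.
SAMPLE_PAGES = [
    {"data": [
        {"id": "asset-1", "host_name": "web01", "same": [
            {"vulnerability_id": "vuln-a"}, {"vulnerability_id": "vuln-b"}]},
        {"id": "asset-2", "host_name": "db01", "same": []},
    ], "metadata": {"totalPages": 2}},
    {"data": [
        {"id": "asset-3", "host_name": "web02", "same": [
            {"vulnerability_id": "vuln-a"}]},
        {"id": "asset-4", "host_name": "old01"},  # no "same" key at all
    ], "metadata": {"totalPages": 2}},
]

def fetch_sample_page(page, size):
    """Hypothetical stand-in for the HTTP request with page, size and includeSame."""
    return SAMPLE_PAGES[page]

def iter_assets(fetch_page, size=1000, max_pages=10000):
    """Yield every asset, stopping at totalPages or at the first empty page."""
    for page in range(max_pages):
        body = fetch_page(page, size)
        assets = body.get("data") or []
        if not assets:
            return
        yield from assets
        total = (body.get("metadata") or {}).get("totalPages")
        if total is not None and page + 1 >= total:
            return

def build_indexes(assets):
    """Return (asset id -> vuln ids, vuln id -> asset ids)."""
    by_asset, by_vuln = {}, defaultdict(set)
    for asset in assets:
        # Assets with no findings still get an (empty) entry in by_asset.
        vuln_ids = {f["vulnerability_id"] for f in asset.get("same") or []
                    if f.get("vulnerability_id")}
        by_asset[asset["id"]] = vuln_ids
        for vid in vuln_ids:
            by_vuln[vid].add(asset["id"])
    return by_asset, dict(by_vuln)

by_asset, by_vuln = build_indexes(iter_assets(fetch_sample_page))
```

Swap `fetch_sample_page` for a function that performs the real request and returns the decoded JSON body; the paging and indexing logic stays the same.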

Thanks Holly! This query looks promising. I’ll let you know how it goes!
