Hello,
I am trying to search my insightvm console via the API for all assets pertaining to a specific CVE. The documentation isn’t too specific on which GET method to use for this. Does anyone have any recommendations on how I can accomplish this?
Thanks in advance,
Jake
{console_url}/api/3/vulnerabilities/{vulnerability_id}/assets
Hey @jacob_horning, as Brandon mentioned if you already know the vulnerability ID then you can use the endpoint he provided.
If you don’t know the exact vulnerability ID in question, then there are two other ways to pull information on assets pertaining to a CVE reference.
First, you could leverage a SQL query and use the dim_vulnerability_reference table:
select da.asset_id, da.ip_address, da.host_name, da.last_assessed_for_vulnerabilities, dvf.source, dvf.reference, favf.vulnerability_instances, favf.vulnerability_id
FROM fact_asset_vulnerability_finding favf
JOIN dim_vulnerability_reference dvf ON dvf.vulnerability_id = favf.vulnerability_id
JOIN dim_asset da ON da.asset_id = favf.asset_id
WHERE dvf.reference = 'CVE-2017-8682'
This will result in output similar to:
| asset_id | ip_address | host_name | last_assessed_for_vulnerabilities | source | reference | vulnerability_instances | vulnerability_id |
|---|---|---|---|---|---|---|---|
| 18 | 10.0.0.1 | hostname-1 | 2020-03-26 10:04:24.218 | CVE | CVE-2017-8682 | 1 | 77345 |
If a report is more the form you are hoping to get this in for easy consumption and large numbers of devices, then this would be a good way to go and you can always use the API to bulk pull this data: Extracting Bulk Data with the InsightVM Console API.
The second option would be to use the Asset Search endpoint with a filter similar to:
{
"filters": [
{
"field": "cve",
"operator": "is",
"value": "CVE-2017-8682"
}
],
"match": "all"
}
A bit more information on how to use this endpoint can be found here: InsightVM Asset Search Automation.
Hope these two options help! Definitely let us know if one of these was more suitable for your needs.