Is it possible to get the “first found date” for a vulnerability on an asset using the API? I have tried, but all in vain. All I can get is the “published date” and the “added date”. Has anyone else come across this issue?
Your assistance will be appreciated.
Try using the cloud integrations API. If you pass either includeSame = true or the comparisonTime and currentTime variables, you should get a list of the vulnerabilities per that asset, which includes a field for first_found. https://help.rapid7.com/insightvm/en-us/api/integrations.html
You can always check this as well if you go to query builder and go into expert mode. The syntax used for expert mode is generally the same syntax for the API.
data = {
    "asset": "asset.groups IN ['os_windows workstations all']",
    "vulnerability": "exploits.size > 0 && severity IN ['Critical']",
    "finding": "finding.firstFound <= /NOW – P90D/"
}
This one runs, brings back exploitable and critical vulnerabilities but doesn’t apply the date filter (i.e. it brings back vulnerabilities newer than 90 days old). I wonder whether the finding parameter is accessible via the API…
No, I do not think the finding filter is accepted through the API actually. At least it’s not listed as an expected field through the documentation and I also get no change when applying a finding filter in my lab.
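One way to apply the 90-day cutoff client-side when the API ignores the finding filter, as discussed above. This is an added example, not code from the thread or from Rapid7; the record layout and every field name except first_found are constructed assumptions, and timestamps are assumed to be ISO 8601.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; only the "first_found" field name comes from the thread.
SAMPLE = [
    {"asset_id": 1, "vulnerability_id": "vuln-a", "first_found": "2024-01-10T08:00:00Z"},
    {"asset_id": 1, "vulnerability_id": "vuln-b", "first_found": "2024-05-20T12:30:00Z"},
    {"asset_id": 2, "vulnerability_id": "vuln-c", "first_found": None},
    {"asset_id": 2, "vulnerability_id": "vuln-d", "first_found": "2024-03-03T00:00:00+00:00"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the result is reproducible


def parse_ts(value):
    """Parse an ISO 8601 timestamp; return None if missing or malformed."""
    if not isinstance(value, str) or not value:
        return None
    try:
        # fromisoformat() rejects a trailing "Z" before Python 3.11
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # Treat naive timestamps as UTC so comparisons never mix naive and aware values
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def older_than(findings, days=90, now=None):
    """Split findings into (first found on or before the cutoff, no usable date).

    Mirrors the intent of finding.firstFound <= NOW - P90D, applied after the
    API call. Undated records are returned separately rather than silently
    dropped, so gaps in the data stay visible.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    kept, undated = [], []
    for finding in findings:
        ts = parse_ts(finding.get("first_found"))
        if ts is None:
            undated.append(finding)
        elif ts <= cutoff:
            kept.append(finding)
    return kept, undated


if __name__ == "__main__":
    kept, undated = older_than(SAMPLE, days=90, now=NOW)
    print("older than 90 days:", [f["vulnerability_id"] for f in kept])
    print("no first_found:", [f["vulnerability_id"] for f in undated])
```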