First found date using API

Hello

Is it possible to get the “first found date” for a vulnerability on an asset using the API? I have tried, but all in vain. All I can get is the “published date” and the “added date”. Has anyone else come across this issue?
Your assistance will be appreciated.

Try using the cloud integrations API. If you pass either includeSame=true or the comparisonTime and currentTime variables, you should get a list of the vulnerabilities per that asset, which includes a field for first_found.
https://help.rapid7.com/insightvm/en-us/api/integrations.html

{{baseUrl}}/vm/v4/integration/assets?includeSame=true

Thanks John

I was able to get the information that I needed.

Thanks John

What’s the syntax for doing AND queries in the API?

should be &&

You can always check this as well if you go to query builder and go into expert mode. The syntax used for expert mode is generally the same syntax as for the API.

Thanks John

Looks like there is an issue with First found when building the query. I keep getting an unexpected error. Is anyone else having a similar issue?

Can you show what your query looks like?

data = {
    "asset": "asset.groups IN ['os_windows workstations all']",
    "vulnerability": "exploits.size > 0 && severity IN ['Critical']",
    "finding": "finding.firstFound <= /NOW - P90D/"
}

This one runs, brings back exploitable and critical vulnerabilities but doesn’t apply the date filter (i.e. it brings back vulnerabilities newer than 90 days old). I wonder whether the finding parameter is accessible via the API…

No, I do not think the finding filter is accepted through the API actually. At least it’s not listed as an expected field in the documentation, and I also get no change when applying a finding filter in my lab.

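Added example, not part of the thread and not Rapid7's code: since the last replies report that the finding filter has no effect through the API, the equivalent of firstFound <= NOW - P90D can be applied client-side to the first_found field returned with includeSame=true. The response shape used here (a "data" list of assets with "id" and a "same" list of findings carrying "vulnerability_id") is an assumption, and the sample response is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an integration/assets response requested with
# includeSame=true. Field names other than first_found are assumptions.
SAMPLE_RESPONSE = {
    "data": [
        {
            "id": "asset-0001",
            "same": [
                {"vulnerability_id": "example-vuln-a", "first_found": "2023-01-10T08:15:00Z"},
                {"vulnerability_id": "example-vuln-b", "first_found": "2023-05-20T12:00:00.123Z"},
                {"vulnerability_id": "example-vuln-c"},  # no first_found reported
            ],
        },
        {"id": "asset-0002", "same": None},  # asset with no findings
    ]
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp ('Z' or numeric offset) into an aware UTC datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive values as UTC
    return ts.astimezone(timezone.utc)


def older_than(response, days, now=None):
    """Return (asset_id, vulnerability_id, first_found) tuples for findings first
    seen at least `days` days before `now`, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    hits = []
    for asset in response.get("data") or []:
        for finding in asset.get("same") or []:
            raw = finding.get("first_found")
            if not raw:
                continue  # a finding without a timestamp cannot be aged
            first_found = parse_ts(raw)
            if first_found <= cutoff:
                hits.append((asset["id"], finding["vulnerability_id"], first_found))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    fixed_now = datetime(2023, 6, 30, tzinfo=timezone.utc)  # fixed for a repeatable run
    for asset_id, vuln_id, seen in older_than(SAMPLE_RESPONSE, 90, fixed_now):
        print(asset_id, vuln_id, seen.isoformat())
```
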