Im trying to automate some reports via the api, is it possible to get asset.agentkey is null value somewhere?

Screen Shot 2022-10-06 at 1.48.57 PM

i got this far with the assets search…

but im still 85ish assets off


import requests, json
import requests


headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json;charset=UTF-8',
        'Authorization': 'Basic =='
        }

hostname = "https://url:3780"
url1 = hostname + "/api/3/assets/search?size=100"

payload = {
    "match" : "all",
    "filters" : [{
        "field": "owner-tag",
        "operator": "contains",
        "value":"desktop_support"},
        {
        "field": "vulnerability-category",
        "operator": "contains",
        "value":"microsoft_patch"},
        {
        "field": "operating-system",
        "operator": "contains",
        "value":"microsoft"}]
    }

print(type(payload))
response = requests.post(url1, headers=headers, json=payload, verify=False)

print(response.text)

So you’re using the Query Builder as your example here which has a different syntax than what the console uses. You’re using the console API which is probably where the confusion lies.

What you have built into your API call is pulled directly from the Filtered Asset Search on the console so the field you’re most likely looking for is
Screen Shot 2022-10-07 at 10.15.39 AM

If you save that search then do a GET request for that asset group you can get the exact specifics on the JSON you need to put into your request. For example mine looks like this:

"filters": [
        {
            "field": "owner-tag",
            "operator": "contains",
            "value": "desktop_support"
        },
        {
            "field": "vulnerability-category",
            "operator": "contains",
            "value": "microsoft_patch"
        },
        {
            "field": "operating-system",
            "operator": "contains",
            "value": "microsoft"
        },
        {
            "field": "site-id",
            "operator": "in",
            "values": [
                "14"
              ]
         }
]

So that would get you what you want if you want to continue grabbing the info through the Console API. Alternatively you could just switch to the InsightVM Cloud Integrations API and more or less copy and paste your current search from Query builder.

1 Like

thanks, yeah i was able to figure it out for the most part, we also have a tag for rapid7 so i was able to use that!

Also, is it possible to do NOT IN (in the operator)?, is, is not the samee as not in?

if i were to use the insight vm cloud api, how would i get the data i would need? Id prefer to do it this way actually if possible,

https://exposure-analytics.insight.rapid7.com/#/dashboard/4d6468fb-da36-4238-b104-dc42edde332a?qb=bb0a49f9-d0ed-4159-b5b7-e3727eed0432

this is my url, so what would i use for my ID?

Good Morning ss153152

When it comes to the Searches in the v3 API, there is a section called “Search Criteria” in the Reponses part of the documentation which will show you exactly what fields you can search on, and what operators can be used on them.

https://help.rapid7.com/insightvm/en-us/api/index.html#section/Overview/Responses

If you use the v4 cloud API, then you just need to use an API key for authorization. Then, use the POST action Search Assets. There, you would use the queries for the query builder in the search criteria.

https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets

1 Like

Screen Shot 2022-10-17 at 3.10.22 PM
can i search other items from the searchintegration assets?

i just created a key and it says unauthorized

do i have to wait a couple hrs beefore its replicated to the cloud? i mean its already generated from the cloud but im getting unauthorized
i just created a new key 10 minutes ago and i cant authorize

headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json;charset=UTF-8',
        'Authorization': 'd15c6d39-mykey-413f-887d-d561b044ff55'
        }

url = f'https://us.api.insight.rapid7.com/vm/v4/admin/health'
response = requests.get(url=url, headers=headers,   verify=False)
json2 = response.json()
print(json2)

i still cant authorize :frowning:

Good Evening ss153152

The field name for the API key in the header is ‘X-Api-Key’, not ‘Authorization’

Thank you for the response, now im getting a 401 :frowning:

headers = {
        "X-Api-Key": 'insert api key'
        }
payload = {
"tags": "IN ['desktop_support]",
"vulnerability": "severity IN ['Critical', 'Severe']"}
#d15c6d39-274c-413f-887d-d561b044ff55
url = f'https://us.api.insight.rapid7.com/vm/v4/integration/assets'
response = requests.post(url=url, headers=headers, data=payload , verify=False)
#json2 = response
print(response)1

Screen Shot 2022-10-17 at 9.44.58 PM

i tried base64 encoding the api key as well no dice

You don’t need to base64 encode the api key, if you’re getting a 401 then it could be the user account that created the API key did not have the proper permissions if the account was not an admin.

1 Like

Thanks… i’ll have to have my r7 guy take a look, does this look ok as far as filtering goes?

payload = {
"tags": "IN ['DESKTOP_SUPPORT']",
 "os.vendor": "contains ['microosoft']",
 "asset.agentKey": "IS NOT ['Null']",
 "vulnerability_category": "NOT IN ['microsoft patch']"}

There’s a typo in “microsoft” there

That should be vulnerability.categories

1 Like

thank you! what about tags? does that need to be different?

nah, that looks right

1 Like

So i got connected to the insight vm, however, my filter isnt working quite right. I am getting 49,642 assets back, when i should be getting back 24878

Here is my code

    payload = {
    'tags': "IN ['desktop_support']",
    'asset.agentKey' : "IS NOT ['NULL']",
    'os.vendor' : "CONTAINS ['Microsoft']",
    'vulnerability.categories' : "NOT IN ['microsoft patch']"}
    url = f'https://us.api.insight.rapid7.com/vm/v4/integration/assets'
    #url = f'https://sv03tmcr7.dot.ca.gov:3780/api/3/asset_groups/{group}'

    response = requests.post(url, headers=headers, json=payload, verify=False)
    #response = requests.get(url=url, headers=headers, verify=False)

Screen Shot 2022-10-19 at 10.08.03 AM

Any chance you can see what im doing wrong?

Screen Shot 2022-10-19 at 10.21.53 AM

i get the full amount of assets back that i believe are in the inventory no filters being applied :frowning:

Looking at that snippet of code there i dont see you converting that payload to json with json.dumps(payload) or anything.

Typically i would have expected an error but maybe since its not being treated as JSON thats why its not actually applying the filter?

i think thats what json does…

response = requests.post(url, headers=headers, payload=json.dumps(payload), verify=False)
#response = requests.get(url, headers=headers, data=json.dumps(payload), verify=False)
print(url)

same results…
it brings back 49648 assets :frowning:

ss153152,

Your request body in the variable ‘payload’ is not correct.

The request body Schema according to the documentation is an ‘asset’ part and a ‘vulnerability’ part. The 3 asset search filters you have go in the ‘asset’ part as one string, and the final filter for vuln.category NOT IN [‘microsoft patch’] goes in the ‘vulnerability’ part

https://help.rapid7.com/insightvm/en-us/api/integrations.html#operation/searchIntegrationAssets

1 Like