InsightVM Cloud Integrations API - search by asset tag?

aolexo · January 9, 2025, 7:27pm

How can I search by asset tag in the v4 asset search API? As a reference, this is part of my list of assets (with lots of field removed for brevity):

$ curl -X POST -H "X-Api-Key: XXX" -H "Content-Type: application/json" https://us2.api.insight.rapid7.com/vm/v4/integration/assets

{
  "data" : [ {
    "assessed_for_policies" : false,
    "tags" : [ {
      "name" : "other vms",
      "type" : "SITE"
    } ],
    "total_vulnerabilities" : 230,
    "new" : [ ],
    "remediated" : [ ]
  } ]
}

I’ve confirmed that searching based on various fields (e.g., ip, os_family, etc.) works, but I can’t search on tags:

$ curl -X POST -H "X-Api-Key: XXX" -H "Content-Type: application/json" -d "{\"asset\": \"tags IN ['other vms']\"}" https://us2.api.insight.rapid7.com/vm/v4/integration/assets
{
  "data" : [ ],
  "metadata" : {
    "number" : 0,
    "size" : 10,
    "totalResources" : 0,
    "totalPages" : 0,
    "cursor" : null
  },
  "links" : [ {
    "href" : "https://us2.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=10&sort=id,asc",
    "rel" : "self"
  } ]
}

OK, this doesn’t work, but surely the inverse will, right?

$ curl -X POST -H "X-Api-Key: XXX" -H "Content-Type: application/json" -d "{\"asset\": \"tags NOT IN ['other vms']\"}" https://us2.api.insight.rapid7.com/vm/v4/integration/assets
{
  "data" : [ ],
  "metadata" : {
    "number" : 0,
    "size" : 10,
    "totalResources" : 0,
    "totalPages" : 0,
    "cursor" : null
  },
  "links" : [ {
    "href" : "https://us2.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=10&sort=id,asc",
    "rel" : "self"
  } ]
}

What about CONTAINS?

$ curl -X POST -H "X-Api-Key: XXX" -H "Content-Type: application/json" -d "{\"asset\": \"tags CONTAINS 'other vms'\"}" https://us2.api.insight.rapid7.com/vm/v4/integration/assets
{
  "data" : [ ],
  "metadata" : {
    "number" : 0,
    "size" : 10,
    "totalResources" : 0,
    "totalPages" : 0,
    "cursor" : null
  },
  "links" : [ {
    "href" : "https://us2.api.insight.rapid7.com:443/vm/v4/integration/assets?page=0&size=10&sort=id,asc",
    "rel" : "self"
  } ]
}

Maybe =?

$ curl -X POST -H "X-Api-Key: XXX" -H "Content-Type: application/json" -d "{\"asset\": \"tags = 'other vms'\"}" https://us2.api.insight.rapid7.com/vm/v4/integration/assets
{
  "_type" : "com.rapid7.spring.rest.error.resource.ErrorResource",
  "status" : 400,
  "localized_message" : null,
  "message" : "Your query string format is not valid. It has 1 error: The operator '=' cannot be used with the data type 'STRINGS'",
  "throwable" : null
}

So I know for sure that tags is a) indexed and b) is string array, which is interesting since it’s an object to begin with. Is there a special syntax for the string value that I’m not aware of or some other insight someone can give me on how to search against this field? Thanks.

brandon_mcclure · January 9, 2025, 9:03pm

what about getting all the assets of a tag, them looping through those calling the assets?

/api/3/tags/{id}/assets

aolexo · January 9, 2025, 9:36pm

That’s the on-prem InsightVM API, isn’t it? We can only use the cloud-based one.