InsightVM POST Exception API

jacob_horning · August 18, 2020, 3:38pm

I was wondering if you could clear up some information on the insightvm API documentation. For vulnerability exception POST. There are four links that are associated with the post request. Which ones are optional to use and the ending of the link with the … are those supposed to be nexpose_ids, vulnerability_ids or asset_ids? And for the vulnerability section in scope is it looking of the nexpose_id or vulnerability_id?

Thank you so much!

holly_wilsey · August 18, 2020, 6:42pm

Here’s an example payload for the API call:

{
  "expires": "2020-09-18T012:00:00.000Z",
  "scope": {
    "id": 18,
    "type": "asset",
    "vulnerability": "msft-cve-2018-0904"
  },
  "state": "Under Review",
  "submit": {
    "reason": "Acceptable Risk"
  }
}

You don’t actually need to fill in any of the info under links - those are fields that are populated when you do a GET of this endpoint and allows you to see more exception info.

The date format you see with expires is the one you want to use, and you can update the date/time as you see fit.

Under scope, the ID is the asset ID since we’re doing a type of asset, and the vulnerability is just the name.

The state is going to be “Under Review” since the others are all approval/expiration related options.

The only field you need under submit is reason, and if you look at the documentation for this endpoint, you can see the valid options for reason listed there.

In general if you’re trying to figure out what a payload requires in the future, one thing that can help is to do a GET of the endpoint and see what the payload looks like. In this case I did a GET for api/3/vulnerability_exceptions in Postman and it allowed me to see what the above values should look like for an exception.

Also if you try to POST to this endpoint and you’re missing a field or have some other issue, the API may give you a helpful error message telling you what the issue is. When I was testing the payload above, I get a Bad Request and the error message told me that “State is a required field.” So sometimes you just have to play around with it until you get it right.

LPO · June 20, 2023, 2:52pm

What are the possible values for “type” ?
Let’s imagine a vulnerability detected on several ports… there are several detections for the same asset, but only 1 of them must be considered an exception…

john_hartman · June 22, 2023, 12:56pm

There are four different scopes: global (all instances all assets), asset (all instances on this asset), instance (just this instance on this asset), and group (all instances on these assets in this asset group).

I may be off on the actual value that is returned through the API for those but they would fit in those categories.