I’m automating a monthly excel report and I wanted to know the best way to return the results from a query built through InsightVM’s Query Builder. As an example, I have attached a query that I use to determine the amount of assets that have critical exploitable vulnerabilities once the vulnerability finding is older than 30 days (giving them time to patch it before affecting their stats). I’ve thought about doing this a couple of ways, but the only way that seems possible is by using Selenium or BeautifulSoup to scrape the page for the Assets field value. I looked into the API, but the GET query for site assets doesn’t seem to include all of the information I need to do a scan and I don’t believe I can use searchCriteria for a GET. Does anyone have any recommendations for getting this data?
Right now, there’s not a product supported way to access the QB results through API. However, I just recreated your Query from the screenshot you presented and walked through creating a monthly CSV report using our Query Builder report generator. You can set this up for daily or weekly creation if you wanted to - so while not exactly what you asked for there is an in-product way of achieving this CSV creation in an automated fashion based on the query you presented
Thank you so much for giving me the helpful guide and for letting me know that it isn’t possible for the time being. My overall goal for this project was to run this same query for every severity + exploitable (Critical Exploitable, Severe Exploitable, Moderate Exploitable) asset count as well as every severity + non-exploitable asset count for seven different sites (42 different asset counts) and throw that into a single file with some additional data. I think I’m going to try to use Selenium to open the query and manipulate the filters to grab the asset numbers as long as that’s allowed. However, if that doesn’t work or it’s not allowed then I will try the monthly CSV export or pull the data manually.
Thanks for the info Sylvain, I will have to take a look at that. Luckily I was able to use Selenium for now and create a function that parsed the Assets field and change the filters via xpaths and css-selectors. If anyone in the future needs something similar, this is a snippet of how my code looks:
# Wait until the Assets field is not empty
WebDriverWait(driver, 60).until(lambda driver: driver.find_element_by_xpath('//header/ul[1]/li[1]/a[1]').text != 'Assets ()')
# Save the data to a string for manipulation
crit_exp_assets_string = driver.find_element_by_xpath('//header/ul[1]/li[1]/a[1]').text
# Assign the internal exploitable dictionary to a region based on the region and filters selected
int_exp_asset_count[region_name + '_assets'][region_name + '_crit_exp_assets'] = int(re.sub('[^0-9,.]', '', crit_exp_assets_string))
# Uncheck/Check the Exploit.size filter.
driver.find_element_by_xpath('//body[1]/div[6]/div[1]/div[1]/div[2]/div[1]/div[1]/div[4]/div[1]/div[2]/span[' + str(exp_filter) + ']/span[1]').click()
# Change the Severity filter from Critical to Severe
driver.find_element_by_xpath('//body/div[6]/div[1]/div[1]/div[2]/div[1]/div[1]/div[4]/form[1]/div[2]/div[1]/section[2]/div[1]/div[1]/div[1]/div[1]').click()
time.sleep(3)
try:
# The Severity dropdown menu changes the react-select id since it's built dynamically so it needs to be incremented.
driver.find_element_by_css_selector('#react-select-' + str(react_select) + '-option-1').click()
except NoSuchElementException:
# If the React Select dropdown isn't correct, print out the incremented value that failed.
print('React select not found for ' + region_name.upper() + '. React Select = ' + str(react_select))
react_select += 1
time.sleep(3)
# Apply your changes
driver.find_element_by_xpath("//button[contains(text(),'Apply')]").click()
time.sleep(3)
Hi Drew,
one side note on the “30 days” thing: I have the same objective as you have, i.e. I want to flag vulns which have not been remediated / patched more than 30 days after the solution was published.
What you are doing in your query is based on date the vuln was published on, not the date the solution was published on. And I believe there are quite some vulns for which there is some delay between the vuln and the solution publication dates.
But I cannot find in IVM any date related to when the solution was published.
Did you face the same issue as I did, and so did you decide to accept that approximation ? What are your thoughts about that ?
Yes, that’s the exact reason we went with the vuln published date. If you do end up finding a way to grab that solution date then please let me know about it on this post.
