Get Vulnerability Instances
Table of Contents
Get Vulnerability Instances
Use the IoT Security API to get a list of vulnerability
instances.
Synopsis
| URI | /pub/v4.0/vulnerability/list |
| HTTP Method | GET |
| FQDN | <customer-name>.iot.paloaltonetworks.com |
Description
Get a list of device vulnerability
instances.
Request Fields
The URL of this request
contains the following parameters:
| Field | Description |
|---|---|
| customerid | (Required) The customer ID specifies
the API call for a specific tenant. The following value is
a string. |
| stime | Optional field setting the start of a time range
for retrieving vulnerability instances. For example, to get all
instances since November 3, 2020 starting at 00:00 AM in the Pacific
Time Zone (UTC-8), the start time would be stime=2020-11-3T08:00Z. If
you prefer to specify the time in your local time rather than adjusting
it to UTC time, you can also format the start time as 2020-11-03T:00:00-08:00.
Especially when starting at a later hour in the day, this format
involves less calculating. For example, if you want to get vulnerability
instances starting from 6:00 PM on November 3, 2020, entering 2020-11-03T18:00-08:00 is
much simpler than entering 2020-11-04T02:00Z. |
| pagelength | Optional but recommended field specifying
the number of items for each page. The default page length for vulnerabilities
is 1000 and the maximum is 1000. Setting a shorter length improves
response times. The following value is an integer. The pagelength parameter
is only valid when grouping vulnerability instances by device, not
when grouping them by vulnerability. |
| offset | In addition to the pagelength parameter,
use offset to get items on subsequent pages.
For example, if your first request is pagelength = 100,
you will get the first 100 vulnerabilities (indexed from 0 to 99).
To get the next 100, add offset = 100 to
your second request. This skips the first 100 vulnerabilities and
gets the next 100 starting from index number 100. The offset parameter
is only valid when grouping vulnerability instances by device, not
when grouping them by vulnerability. |
| name | Optional field defining a specific vulnerability.
If omitted, instances for all vulnerabilities are returned. The
following value is a string. |
| status | Optional field that retrieves only confirmed
or potential vulnerability instances. The following field is either
the string Confirmed or Potential.
If no value is passed, both types of vulnerabilities are returned. |
| groupby | (Required) This specifies how to
group device vulnerability instances in query results. Each groupby option
results in a different JSON object structure in the response. groupby=vulnerability (the
default) organizes results into groups by vulnerability. Each vulnerability and
the device IDs impacted are an item in the items list. groupby=device organizes
results into groups by device ID. Each device ID and a single vulnerability
are an item in the items list. To request all vulnerability
instances for a specific device, the value is the string vulnerability followed
by &deviceid=<device_id>, where the
device ID is either a MAC address or, for static IP devices, an
IP address. (Entering an IP address for a device whose device identifier
is a MAC address doesn’t work. Similarly, entering a MAC address for
a device whose device identifier is an IP address also doesn’t work.) |
You can also use queries from the IoT Security
portal to customize which vulnerability instances are retrieved.
Request All Vulnerability Instances Grouped
by Device Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=device' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'
Request
All Vulnerability Instances for a Specific Device Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=device&deviceid=64:16:7f:0a:f6:38' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'
Request
All Vulnerability Instances Grouped by Vulnerability Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=vulnerability' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'
Success Response
Upon success,
the HTTP response code is 200. In addition, this API returns a JSON
object containing an array of JSON objects, representing devices
and their attributes.
The fields returned differ depending
on whether you group results by device or by vulnerability. Both
sets of fields are shown below.
When the request includes groupby=device,
the response includes the following fields:
| Field | Description |
|---|---|
| items | Introduces items in the list of vulnerability instances |
| name | The hostname of the device associated with a vulnerability instance (string) |
| ip | The IP address of the device associated with a vulnerability instance (string) |
| deviceid | The MAC address or IP address of the device (string) |
| profile | The profile to which the device belongs (string) |
| profile_vertical | The vertical to which the device profile belongs (string) |
| display_profile_category | The category to which the device profile belongs (string) |
| vendor | The device vendor (string) |
| model | The device model (string) |
| os | The device OS (sting) |
| osCombined | The OS and OS version combined (string) |
| siteid | The ID of the site where the device is deployed (string) |
| asset_tag | The asset tag of the device; if none, then “null” is returned (string) |
| sn | The device serial number (string) |
| date | The date of the latest activity of the device (string) |
| risk_score | The risk score of the vulnerability instance (integer) |
| risk_level | The risk level of the vulnerability instance: Low, Medium, High, or Critical (string) |
| ticketState | The state of the zb_ticket for a vulnerability instance—investigation, remediation, resolved, or new if the vulnerability was detected but nobody has yet taken action to address it (string) |
| zb_ticketid | The unique ticket ID for a vulnerability instance (integer) |
| ticketAssignees | The email address of one or more people assigned to remediate a vulnerability instance; if there aren’t any, null is returned (string) |
| reason_history | An array that holds the history of all actions taken on a vulnerability instance, including status changes, user notes, if it was sent to asset management, and if it was resolved; if no actions were taken, null is returned (string) |
| remediate_workorder | The work order number returned from an integrated third-party asset management system such as AIMS, Connectiv, Nuvolo, or ServiceNow to which a vulnerability instance was sent (string) |
| remediate_checkbox | Index values indicating the type of information sent to asset management; 0 = vulnerability summary, 1 = vulnerability impact, 2 = device information |
| remediate_instruction | Additional instructions included with the work order (string) |
| detected_date | The date when a vulnerability instance was originally detected (string) |
| vulnerability_name | The name of the vulnerability (string) |
| tagIdList | A list of IDs for user- and system-defined tags assigned to a device |
| allTags | An array of user-defined tags assigned to the device. Each item in the array consists of three attributes: tagType, tagValue, and tagId. |
| tagType | The key for a user-defined tag |
| tagValue | The value of the key for a user-defined tag |
| tagId | The ID of a user-defined tag |
| total | The total overall number of vulnerability instances on the devices in your network |
When the request includes groupby=vulnerability,
the response includes the following fields:
| Field | Description |
|---|---|
| items | Introduces items in the list of vulnerability instances |
| data | The device profiles, IoT devices, and number of addressed instances for confirmed and potential instances in a vulnerability group |
| Potential | The following data is for potential vulnerability instances |
| Confirmed | The following data is for confirmed vulnerability instances |
| profile | The device profiles that the vulnerability affects or potentially affects |
| device | List of device IDs of all IoT devices that are vulnerable or potentially vulnerable |
| addressedInstance | The number of instances that have been addressed |
| name | Name of the vulnerability; for example, CVE-2015-3959 or Windows SMBv1 Usage |
| cvssVersion | v2 or v3 Score ranges are different for the two Common Vulnerability Scoring System versions. Version 2 has three score ranges: Low 0.0 - 3.9, Medium 4.0 - 6.9, High 7.0 - 10.0. Version 3 has five ranges: None - 0.0, Low 0.1 - 3.9, Medium 4.0 - 6.9, High, 7.0 - 8.9, Critical 9.0 - 10.0.) |
| severity | Low, Medium, High, Critical Only vulnerabilities with a CVSSv3 rating can have a Critical severity level. |
| date | The most recent date that an instance of this vulnerability was detected on an IoT device |
| CVSS | The CVSS score for the vulnerability; for example, 10.0 |
| description | A description of what the vulnerability is and how it can be exploited |
| deviceid | The MAC address or IP address of a device that either has or potentially has a vulnerability |
| source | The source of the vulnerability detection: IoT Security when IoT Security learns it through its own detection and analysis; or, if learned through integration with a third-party vulnerability scanner, the name of the scanner–Qualys, Rapid7, Tenable |
| vulnerability_types | The type of attack to which a vulnerability makes a device susceptible; for example, Code Execution, Overflow, Info Leak, Denial of Service |
| deviceTags | A list of device IDs of all vulnerable and potentially vulnerable IoT devices and any tags they might have |
| allTags | An array of user-defined tags assigned to the device. Each item in the array consists of three attributes: tagType, tagValue, and tagId. |
| tagType | The key for a user-defined tag |
| tagValue | The value of the key for a user-defined tag |
| tagId | The ID of a user-defined tag |
| source | The source of the vulnerability detection: IoT Security when IoT Security learns it through its own detection and analysis; or, if learned through integration with a third-party vulnerability scanner, the name of the scanner–Qualys, Rapid7, Tenable |
| total | The total number of vulnerabilities affecting devices in your network |
Success Response for All Vulnerability Instances
(groupby=device) Example
{ "ver": "v4.0", "api": "/vulnerability/list", "items": [ { "deviceid": "64:16:7f:37:2d:45", "detected_date": [ "2021-04-19T23:59:59" ], "name": "Polycom_64167f372d45", "ip": "10.1.1.84", "profile": "Polycom IP Phone", "profile_vertical": "Office", "display_profile_category": "IP Phone", "vendor": "Polycom", "model": "VVX601", "os": "Embedded", "osCombined": "Embedded", "siteid": "0", "asset_tag": null, "sn": null, "date": "2021-03-12T01:28:26.986Z", "risk_score": 20, "risk_level": "Low", "tagIdList": [ "6030135777a1d6fb488e26ad", "60301332ff1679e9481b62a6" ], "ticketState": "new", "zb_ticketid": "vuln-52f40a58", "ticketAssignees": [ "analyst1@acmecorp.com" ], "reason_history": [ { "action": "sent to asset management: aims", "reason": "Check system", "reason_type": null, "user_email": "admin@acmecorp.com", "timestamp": "2019-10-18T22:00:20.255Z", "aims_workorder_number": 152027 "remediate_workorder": "152027", "remediate_checkbox": "0,1,2", "remediate_instruction": null, "detected_date": "2019-10-15T20:18:42.135Z", "vulnerability_name": "CVE-2019-12948" }, ], "allTags": [ { "tagType": "Owner", "tagValue": "Joe", "tagId": "6030135777a1d6fb488e26ad" }, { "tagType": "com-devices", "tagValue": "phones", "tagId": "60301332ff1679e9481b62a6" }, ] } ... ] "total": 34, }
Success Response for All Vulnerability Instances
(groupby=vulnerability) Example
{ "ver": "v4.0", "api": "/vulnerability/list", "items": { "items": [ { "data": { "Potential": { "profile": [ "Arista Networks Device", "Cisco Systems Device" ], "device": [ "00:1c:73:20:c4:b5", "00:1c:73:16:a6:33", "00:57:d2:27:d2:d1" ], "addressedInstance": 0 } "Confirmed": { "profile": [ "Roles-Network-Router", "Cisco Networking Switch" ], "device": [ "e4:d3:f1:40:e8:c0", "08:17:35:77:d0:c1" ], "addressedInstance": 0 } }, "name": "CVE-2019-1737", "tenantid": "", "cvssVersion": "v3", "serviceLevel": null, "severity": "High", "date": "2022-07-18T23:59:59.000Z", "CVSS": 8.6, "description": "A vulnerability in the processing of IP Service Level Agreement (SLA) packets by Cisco IOS Software and Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to improper socket resources handling in the IP SLA responder application code. An attacker could exploit this vulnerability by sending crafted IP SLA packets to an affected device. An exploit could allow the attacker to cause an interface to become wedged, resulting in an eventual denial of service (DoS) condition on the affected device.", "source": "IoT Security", "vulnerability_types": [ "Denial Of Service" ] }, ... ] "deviceTags": { "08:17:35:77:d0:c1": { "deviceid": "08:17:35:77:d0:c1", "allTags": [ { "tagType": "lab", "tagValue": "l3", "tagId": "62acbf20a5fb040006174076" }, { "tagType": "location", "tagValue": "office14", "tagId": "62acbf74a5fb040006174078" }, { "tagType": "Forescout", "tagValue": "In Scope", "tagId": "6144c5700a5895bbb5384b88" }, ] }, "00:0f:11:00:e9:f2": { "deviceid": "00:0f:11:00:e9:f2" }, "00:a0:aa:00:01:96": { "deviceid": "00:a0:aa:00:01:96" }, ... } } "total": 61 }
Error Response
Upon error,
the reply includes an HTTP response code, an error message, and
additional information describing the error. The HTTP response code
is one of the following:
| Field | Description |
|---|---|
| 400 | Bad Request. This occurs when an HTTP request contains an invalid query string. |
| 403 | Forbidden access. Either the provided API Key is invalid or it does not have the required RBAC permissions to run this API. |
| 429 | Too many requests. The number of requests for a list of vulnerability instances exceeded the rate limit of 180 queries per minute per tenant. |
| 500 | Internal server error. A unified status for API communication type errors. |
Error Response Format
{code: STATUS_CODE, msg: GENERAL_MESSAGE}
