Get vulnerability tests

Cortex XSIAM Platform APIs

post /public_api/v1/assets/get_vulnerability_tests

Get a complete or filtered list of vulnerability tests. Results include details about each test, including the number of services confirmed vulnerable.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise Plus. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the ASM add-on.

Request headers
Authorization String required

{api_key} — the API key issued for the tenant. It is a bearer secret: supply it from an environment variable or secret manager, keep it out of source control and client-side (browser/mobile) code, and rotate it if it is exposed.

Example: authorization_example
x-xdr-auth-id String required

{api_key_id} — the ID of the API key sent in the Authorization header. Both headers are required on every request; the key alone is not accepted.

Example: xXdrAuthId_example
CLIENT REQUEST
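# Fill the two placeholders from environment variables or a secret manager.
# Do not paste the key inline: the command line ends up in shell history.
# --fail-with-body (curl >= 7.76) makes a 401/403 or validation error exit
# non-zero while still printing the JSON error body; use --fail on older curl.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "Authorization: ${XSIAM_API_KEY}" \
  -H "x-xdr-auth-id: ${XSIAM_API_KEY_ID}" \
  --fail-with-body \
  'https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests' \
  -d '{"request_data":{"filters":[{"field":"name","operator":"contains","value":"apache"}]}}'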
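import http.client
import json
import os

# Host of your tenant's API endpoint.
API_HOST = "api-yourfqdn"

# The API key and its key ID are secrets: read them from the environment (or a
# secret manager) rather than embedding them in source control.
API_KEY = os.environ["XSIAM_API_KEY"]
API_KEY_ID = os.environ["XSIAM_API_KEY_ID"]

# Filter on the vulnerability-test name; "contains" is one of the operators
# documented for the "name" field. The generated sample sent the literal
# placeholder "string" as the operator, which is not an allowed value.
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "name", "operator": "contains", "value": "apache"}
        ]
    }
})

headers = {
    "Authorization": API_KEY,
    "x-xdr-auth-id": API_KEY_ID,
    "Content-Type": "application/json",
    "Accept": "application/json",
}

# HTTPSConnection verifies the server certificate against the system trust
# store by default; do not pass an unverified SSL context here.
conn = http.client.HTTPSConnection(API_HOST)
try:
    conn.request("POST", "/public_api/v1/assets/get_vulnerability_tests", payload, headers)
    res = conn.getresponse()
    body = res.read().decode("utf-8")
finally:
    conn.close()

# A 401/403 or a validation error also returns a JSON body; check the status
# instead of printing whatever came back as if it were a result.
if res.status != 200:
    raise SystemExit(f"request failed: HTTP {res.status} {res.reason}: {body}")

print(body)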
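require 'uri'
require 'net/http'
require 'openssl'
require 'json'

url = URI("https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The generated sample set VERIFY_NONE, which
# lets any on-path host present a bogus certificate and capture the API key.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Secrets come from the environment (or a secret manager), never from source.
request["Authorization"] = ENV.fetch("XSIAM_API_KEY")
request["x-xdr-auth-id"] = ENV.fetch("XSIAM_API_KEY_ID")
request["Content-Type"] = "application/json"
request["Accept"] = "application/json"
# "contains" is a documented operator for "name"; the generated sample sent the
# placeholder "string", which is not an allowed operator.
request.body = JSON.generate(
  "request_data" => {
    "filters" => [
      { "field" => "name", "operator" => "contains", "value" => "apache" }
    ]
  }
)

response = http.request(request)
# Authentication and validation failures return a non-2xx status with a JSON
# error body; surface them instead of printing the body as a result.
unless response.is_a?(Net::HTTPSuccess)
  abort "request failed: HTTP #{response.code} #{response.message}: #{response.body}"
end
puts response.body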
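// The Authorization header carries the API key. Do not ship this key in
// browser-delivered code; call the API from a backend where the secret can be
// kept out of the client. The placeholders below are meant to be filled from
// that backend's secret store.
const apiKey = "SOME_STRING_VALUE";
const apiKeyId = "SOME_STRING_VALUE";

// "contains" is a documented operator for "name"; the generated sample sent the
// placeholder "string", which is not an allowed operator.
const data = JSON.stringify({
  request_data: {
    filters: [
      { field: "name", operator: "contains", value: "apache" }
    ]
  }
});

const xhr = new XMLHttpRequest();
// No `withCredentials`: authentication is by header, and sending the browser's
// cookies to the API host is neither needed nor wanted.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) {
    return;
  }
  // 401/403 and validation errors also return a JSON body; check the status
  // rather than treating every response as a result.
  if (this.status !== 200) {
    console.error(`request failed: HTTP ${this.status}`, this.responseText);
    return;
  }
  console.log(this.responseText);
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests");
xhr.setRequestHeader("Authorization", apiKey);
xhr.setRequestHeader("x-xdr-auth-id", apiKeyId);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("Accept", "application/json");
xhr.send(data);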
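// Secrets come from the environment (or a secret manager), not from source.
String apiKey = System.getenv("XSIAM_API_KEY");
String apiKeyId = System.getenv("XSIAM_API_KEY_ID");

// "contains" is a documented operator for "name"; the generated sample sent the
// placeholder "string", which is not an allowed operator.
String body = "{\"request_data\":{\"filters\":[{\"field\":\"name\",\"operator\":\"contains\",\"value\":\"apache\"}]}}";

HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests")
    .header("Authorization", apiKey)
    .header("x-xdr-auth-id", apiKeyId)
    .header("Content-Type", "application/json")
    .header("Accept", "application/json")
    .body(body)
    .asString();

// Authentication and validation failures return a non-200 status with a JSON
// error body; fail loudly instead of treating that body as a result.
if (response.getStatus() != 200) {
    throw new IllegalStateException(
        "request failed: HTTP " + response.getStatus() + ": " + response.getBody());
}
System.out.println(response.getBody());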
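import Foundation

// Secrets come from the environment (or a secret manager), not from source.
let env = ProcessInfo.processInfo.environment
guard let apiKey = env["XSIAM_API_KEY"], let apiKeyId = env["XSIAM_API_KEY_ID"] else {
    fatalError("set XSIAM_API_KEY and XSIAM_API_KEY_ID")
}

let headers = [
    "Authorization": apiKey,
    "x-xdr-auth-id": apiKeyId,
    "Content-Type": "application/json",
    "Accept": "application/json",
]

// "contains" is a documented operator for "name"; the generated sample sent the
// placeholder "string", which is not an allowed operator.
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            ["field": "name", "operator": "contains", "value": "apache"]
        ]
    ]
]

// JSONSerialization.data(withJSONObject:) throws; the generated sample omitted
// `try` and did not compile.
guard let postData = try? JSONSerialization.data(withJSONObject: parameters, options: []) else {
    fatalError("could not encode request body")
}

var request = URLRequest(
    url: URL(string: "https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests")!,
    cachePolicy: .useProtocolCachePolicy,
    timeoutInterval: 10.0
)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession verifies the server certificate by default; do not add a session
// delegate that accepts arbitrary server trust.
// NOTE: in a command-line script the process must be kept alive (e.g. with a
// DispatchSemaphore or RunLoop) until this completion handler has run.
let task = URLSession.shared.dataTask(with: request) { data, response, error in
    if let error = error {
        print("request failed: \(error)")
        return
    }
    // Authentication and validation failures return a non-200 status with a
    // JSON error body; the generated sample printed only the response metadata
    // and discarded the body entirely.
    guard let http = response as? HTTPURLResponse else {
        print("request failed: no HTTP response")
        return
    }
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    if http.statusCode != 200 {
        print("request failed: HTTP \(http.statusCode): \(body)")
        return
    }
    print(body)
}
task.resume()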
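<?php
// Secrets come from the environment (or a secret manager), not from source.
$apiKey = getenv("XSIAM_API_KEY");
$apiKeyId = getenv("XSIAM_API_KEY_ID");
if ($apiKey === false || $apiKeyId === false) {
    fwrite(STDERR, "set XSIAM_API_KEY and XSIAM_API_KEY_ID\n");
    exit(1);
}

// "contains" is a documented operator for "name"; the generated sample sent the
// placeholder "string", which is not an allowed operator.
$body = json_encode([
    "request_data" => [
        "filters" => [
            ["field" => "name", "operator" => "contains", "value" => "apache"],
        ],
    ],
]);

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    // Peer and host certificate verification are libcurl defaults; leave
    // CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST unset.
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        "Authorization: " . $apiKey,
        "x-xdr-auth-id: " . $apiKeyId,
        "Content-Type: application/json",
        "Accept: application/json",
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
// Read the status before closing the handle: 401/403 and validation errors
// also come back with a JSON body and must not be mistaken for results.
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
curl_close($curl);

if ($err) {
    fwrite(STDERR, "cURL Error #:" . $err . "\n");
    exit(1);
}
if ($status !== 200) {
    fwrite(STDERR, "request failed: HTTP " . $status . ": " . $response . "\n");
    exit(1);
}
echo $response;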
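/* Fragment: assumes <curl/curl.h>, <stdio.h> and <stdlib.h> are included and
 * curl_global_init() has already run. */

/* Secrets come from the environment (or a secret manager), not from source. */
const char *api_key = getenv("XSIAM_API_KEY");
const char *api_key_id = getenv("XSIAM_API_KEY_ID");
char auth_hdr[512];
char auth_id_hdr[512];

if (api_key == NULL || api_key_id == NULL) {
    fprintf(stderr, "set XSIAM_API_KEY and XSIAM_API_KEY_ID\n");
} else if (snprintf(auth_hdr, sizeof auth_hdr, "Authorization: %s", api_key) >= (int)sizeof auth_hdr
           || snprintf(auth_id_hdr, sizeof auth_id_hdr, "x-xdr-auth-id: %s", api_key_id) >= (int)sizeof auth_id_hdr) {
    fprintf(stderr, "credential too long for header buffer\n");
} else {
    CURL *hnd = curl_easy_init();
    if (hnd == NULL) {
        fprintf(stderr, "curl_easy_init failed\n");
    } else {
        struct curl_slist *headers = NULL;
        headers = curl_slist_append(headers, auth_hdr);
        headers = curl_slist_append(headers, auth_id_hdr);
        headers = curl_slist_append(headers, "Content-Type: application/json");
        headers = curl_slist_append(headers, "Accept: application/json");

        curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests");
        curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
        /* CURLOPT_POSTFIELDS already makes this a POST; CURLOPT_CUSTOMREQUEST is
         * unnecessary. "contains" is a documented operator for "name"; the
         * generated sample sent the placeholder "string", which is not allowed. */
        curl_easy_setopt(hnd, CURLOPT_POSTFIELDS,
                         "{\"request_data\":{\"filters\":[{\"field\":\"name\",\"operator\":\"contains\",\"value\":\"apache\"}]}}");
        /* Peer and host certificate verification are on by default; do not set
         * CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST to 0. */

        /* Without CURLOPT_WRITEFUNCTION the response body goes to stdout, as in
         * the generated sample. */
        CURLcode ret = curl_easy_perform(hnd);
        if (ret != CURLE_OK) {
            fprintf(stderr, "curl_easy_perform failed: %s\n", curl_easy_strerror(ret));
        } else {
            /* 401/403 and validation errors also return a JSON body; report
             * the status so they are not mistaken for results. */
            long status = 0;
            curl_easy_getinfo(hnd, CURLINFO_RESPONSE_CODE, &status);
            if (status != 200) {
                fprintf(stderr, "request failed: HTTP %ld\n", status);
            }
        }
        /* The generated sample released neither the header list nor the handle. */
        curl_slist_free_all(headers);
        curl_easy_cleanup(hnd);
    }
}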
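// Secrets come from the environment (or a secret manager), not from source.
var apiKey = Environment.GetEnvironmentVariable("XSIAM_API_KEY");
var apiKeyId = Environment.GetEnvironmentVariable("XSIAM_API_KEY_ID");
if (string.IsNullOrEmpty(apiKey) || string.IsNullOrEmpty(apiKeyId))
{
    throw new InvalidOperationException("set XSIAM_API_KEY and XSIAM_API_KEY_ID");
}

var client = new RestClient("https://api-yourfqdn/public_api/v1/assets/get_vulnerability_tests");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", apiKey);
request.AddHeader("x-xdr-auth-id", apiKeyId);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Accept", "application/json");
// "contains" is a documented operator for "name"; the generated sample sent the
// placeholder "string", which is not an allowed operator.
request.AddParameter(
    "application/json",
    "{\"request_data\":{\"filters\":[{\"field\":\"name\",\"operator\":\"contains\",\"value\":\"apache\"}]}}",
    ParameterType.RequestBody);

IRestResponse response = client.Execute(request);

// Transport errors surface in ErrorException; authentication and validation
// failures return a non-200 status with a JSON error body. Fail loudly instead
// of treating either as a result.
if (response.ErrorException != null)
{
    throw new InvalidOperationException("request failed: " + response.ErrorMessage, response.ErrorException);
}
if ((int)response.StatusCode != 200)
{
    throw new InvalidOperationException("request failed: HTTP " + (int)response.StatusCode + ": " + response.Content);
}
Console.WriteLine(response.Content);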
Body parameters
application/json
request_dataobjectrequired
filtersarray

An array of filter fields.

[
fieldstring (Enum)

Identifies the field the filter will match on.

Allowed values: "name", "status", "vulnerability_ids", "description", "affected_software", "cwe_ids", "vendor_names", "severity_score", "epss_score", "count_vulnerable_services"
operatorstring

Identifies the comparison operator to use for this filter. The following list shows which operator can be used for each filter field:

  • name: contains, eq, neq
  • status: eq
  • vulnerability_ids: contains, not_contains
  • description: contains
  • affected_software: contains, not_contains
  • cwe_ids: contains, not_contains
  • vendor_names: contains, not_contains
  • severity_score: eq, neq, gte, lte
  • epss_score: eq, neq, gte, lte
  • count_vulnerable_services: eq, neq, gte, lte
valuestring

Value depends on the filter field used.

  • name: string e.g. apache
  • status: Enabled, Disabled (note that the response reports this field in upper case, for example DISABLED)
  • vulnerability_ids: strings in the form of CVE IDs, such as CVE-2019-0193
  • description: string e.g. apache
  • affected_software: strings
  • cwe_ids: strings in the form of CWE IDs such as CWE-20
  • vendor_names: strings such as Cisco, Siemens
  • severity_score: numbers, such as 2, 3.5
  • epss_score: decimal numbers in the range 0–1 (the EPSS exploitation probability), such as 0.5, 0.9605
  • count_vulnerable_services: integers, such as 1,2,5
]
REQUEST
{ "request_data": { "filters": [ { "field": "name", "operator": "contains", "value": "apache" } ] } }
Responses

OK

Body
application/json
replyobject
total_countinteger
result_countinteger
vulnerability_testsarray
[
idstring
namestring
vulnerability_idsarray[string]
descriptionstring
statusstring
vendor_namesarray[string]
affected_softwarearray
[
NAMEstring
VERSION_START_INCLUDINGobject
VERSION_START_EXCLUDINGobject
VERSION_END_INCLUDINGobject
VERSION_END_EXCLUDINGstring
VENDORstring
PRODUCTstring
VERSIONstring
]
severity_scorenumber
cwe_idsarray[string]
epss_scorenumber
referencesarray[string]
remediation_guidancestring
first_publishedinteger
createdinteger
count_vulnerable_servicesobject
]
RESPONSE
{ "reply": { "total_count": 1, "result_count": 1, "vulnerability_tests": [ { "id": "69527826-e1c5-42d8-b8d8-2c2005b75cbe", "name": "Apache Solr DataImportHandler Code Injection Vulnerability", "vulnerability_ids": [ "CVE-2019-0193" ], "description": "Apache Solr, a popular open-source search platform built on Apache Lucene, is affected by a remote code execution vulnerability. Solr's DataImportHandler (DIH), an optional module widely used to import data from databases and other sources, allows the entire DIH configuration to come from a request's \"dataConfig\" parameter. The debug mode of the DIH admin screen uses this feature for convenient debugging and development of a DIH configuration. However, since a DIH configuration can contain scripts, this parameter poses a security risk. The affected products can potentially be exposed to the public internet, making them vulnerable to exploitation.\n", "status": "DISABLED", "vendor_names": [ "apache" ], "affected_software": [ { "NAME": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "VERSION_START_INCLUDING": null, "VERSION_START_EXCLUDING": null, "VERSION_END_INCLUDING": null, "VERSION_END_EXCLUDING": "8.2.0", "VENDOR": "apache", "PRODUCT": "solr", "VERSION": "*" } ], "severity_score": 7.2, "cwe_ids": [ "CWE-94" ], "epss_score": 0.9605, "references": [ "https://issues.apache.org/jira/browse/SOLR-13669" ], "remediation_guidance": "Exploiting this vulnerability may lead to remote code execution, which could compromise the security and integrity of the affected system. To address this issue, follow these steps:\n\n1. Upgrade to Apache Solr 8.2.0 or later, which is secure by default.\n2. Alternatively, edit the solrconfig.xml to configure all DataImportHandler usages with an \"invariants\" section listing the \"dataConfig\" parameter set to an empty string.\n3. Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. 
This is a best practice for all Solr installations.\n\nBy implementing these fixes and mitigations, you can protect your Apache Solr installation from the remote code execution vulnerability described in CVE-2019-0193.\n", "first_published": 1699326060000, "created": 1711058940000, "count_vulnerable_services": null } ] } }