: Get Vulnerability Instances
Focus
Focus

Get Vulnerability Instances

Table of Contents

Get Vulnerability Instances

Use the IoT Security API to get a list of vulnerability instances.

Synopsis

URI/pub/v4.0/vulnerability/list
HTTP MethodGET
FQDN<customer-name>.iot.paloaltonetworks.com

Description

Get a list of device vulnerability instances.

Request Fields

The URL of this request contains the following parameters:
FieldDescription
customerid
(Required) The customer ID specifies the API call for a specific tenant.
The following value is a string.
stime
Optional field setting the start of a time range for retrieving vulnerability instances. For example, to get all instances since November 3, 2020 starting at 00:00 AM in the Pacific Time Zone (UTC-8), the start time would be stime=2020-11-3T08:00Z.
If you prefer to specify the time in your local time rather than adjusting it to UTC time, you can also format the start time as 2020-11-03T:00:00-08:00. Especially when starting at a later hour in the day, this format involves less calculating. For example, if you want to get vulnerability instances starting from 6:00 PM on November 3, 2020, entering 2020-11-03T18:00-08:00 is much simpler than entering 2020-11-04T02:00Z.
pagelength
Optional but recommended field specifying the number of items for each page. The default page length for vulnerabilities is 1000 and the maximum is 1000. Setting a shorter length improves response times. The following value is an integer.
The pagelength parameter is only valid when grouping vulnerability instances by device, not when grouping them by vulnerability.
offset
In addition to the pagelength parameter, use offset to get items on subsequent pages. For example, if your first request is pagelength = 100, you will get the first 100 vulnerabilities (indexed from 0 to 99). To get the next 100, add offset = 100 to your second request. This skips the first 100 vulnerabilities and gets the next 100 starting from index number 100.
The offset parameter is only valid when grouping vulnerability instances by device, not when grouping them by vulnerability.
name
Optional field defining a specific vulnerability. If omitted, instances for all vulnerabilities are returned. The following value is a string.
status
Optional field that retrieves only confirmed or potential vulnerability instances. The following field is either the string Confirmed or Potential. If no value is passed, both types of vulnerabilities are returned.
groupby
(Required) This specifies how to group device vulnerability instances in query results. Each groupby option results in a different JSON object structure in the response.
groupby=vulnerability (the default) organizes results into groups by vulnerability. Each vulnerability and the device IDs impacted are an item in the items list.
groupby=device organizes results into groups by device ID. Each device ID and a single vulnerability are an item in the items list.
To request all vulnerability instances for a specific device, the value is the string vulnerability followed by &deviceid=<device_id>, where the device ID is either a MAC address or, for static IP devices, an IP address. (Entering an IP address for a device whose device identifier is a MAC address doesn’t work. Similarly, entering a MAC address for a device whose device identifier is an IP address also doesn’t work.)
You can also use queries from the IoT Security portal to customize which vulnerability instances are retrieved.
Request All Vulnerability Instances Grouped by Device Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=device' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'
Request All Vulnerability Instances for a Specific Device Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=device&deviceid=64:16:7f:0a:f6:38' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'
Request All Vulnerability Instances Grouped by Vulnerability Example
curl --location -X GET 'https://acmecorp.iot.paloaltonetworks.com/pub/v4.0/vulnerability/list?customerid=acmecorp&groupby=vulnerability' \ -H 'X-Key-Id: KEY_ID' \ -H 'X-Access-Key: ACCESS_KEY'

Success Response

Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing an array of JSON objects, representing devices and their attributes.
The fields returned differ depending on whether you group results by device or by vulnerability. Both sets of fields are shown below.
When the request includes groupby=device, the response includes the following fields:
FieldDescription
itemsIntroduces items in the list of vulnerability instances
nameThe hostname of the device associated with a vulnerability instance (string)
ipThe IP address of the device associated with a vulnerability instance (string)
deviceidThe MAC address or IP address of the device (string)
profileThe profile to which the device belongs (string)
profile_verticalThe vertical to which the device profile belongs (string)
display_profile_categoryThe category to which the device profile belongs (string)
vendorThe device vendor (string)
modelThe device model (string)
osThe device OS (sting)
osCombinedThe OS and OS version combined (string)
siteidThe ID of the site where the device is deployed (string)
asset_tagThe asset tag of the device; if none, then “null” is returned (string)
snThe device serial number (string)
dateThe date of the latest activity of the device (string)
risk_scoreThe risk score of the vulnerability instance (integer)
risk_levelThe risk level of the vulnerability instance: Low, Medium, High, or Critical (string)
ticketStateThe state of the zb_ticket for a vulnerability instance—investigation, remediation, resolved, or new if the vulnerability was detected but nobody has yet taken action to address it (string)
zb_ticketidThe unique ticket ID for a vulnerability instance (integer)
ticketAssigneesThe email address of one or more people assigned to remediate a vulnerability instance; if there aren’t any, null is returned (string)
reason_historyAn array that holds the history of all actions taken on a vulnerability instance, including status changes, user notes, if it was sent to asset management, and if it was resolved; if no actions were taken, null is returned (string)
remediate_workorderThe work order number returned from an integrated third-party asset management system such as AIMS, Connectiv, Nuvolo, or ServiceNow to which a vulnerability instance was sent (string)
remediate_checkboxIndex values indicating the type of information sent to asset management; 0 = vulnerability summary, 1 = vulnerability impact, 2 = device information
remediate_instructionAdditional instructions included with the work order (string)
detected_dateThe date when a vulnerability instance was originally detected (string)
vulnerability_nameThe name of the vulnerability (string)
tagIdListA list of IDs for user- and system-defined tags assigned to a device
allTagsAn array of user-defined tags assigned to the device. Each item in the array consists of three attributes: tagType, tagValue, and tagId.
tagTypeThe key for a user-defined tag
tagValueThe value of the key for a user-defined tag
tagIdThe ID of a user-defined tag
totalThe total overall number of vulnerability instances on the devices in your network
When the request includes groupby=vulnerability, the response includes the following fields:
FieldDescription
itemsIntroduces items in the list of vulnerability instances
dataThe device profiles, IoT devices, and number of addressed instances for confirmed and potential instances in a vulnerability group
PotentialThe following data is for potential vulnerability instances
ConfirmedThe following data is for confirmed vulnerability instances
profileThe device profiles that the vulnerability affects or potentially affects
deviceList of device IDs of all IoT devices that are vulnerable or potentially vulnerable
addressedInstanceThe number of instances that have been addressed
nameName of the vulnerability; for example, CVE-2015-3959 or Windows SMBv1 Usage
cvssVersionv2 or v3 Score ranges are different for the two Common Vulnerability Scoring System versions. Version 2 has three score ranges: Low 0.0 - 3.9, Medium 4.0 - 6.9, High 7.0 - 10.0. Version 3 has five ranges: None - 0.0, Low 0.1 - 3.9, Medium 4.0 - 6.9, High, 7.0 - 8.9, Critical 9.0 - 10.0.)
severityLow, Medium, High, Critical Only vulnerabilities with a CVSSv3 rating can have a Critical severity level.
dateThe most recent date that an instance of this vulnerability was detected on an IoT device
CVSSThe CVSS score for the vulnerability; for example, 10.0
descriptionA description of what the vulnerability is and how it can be exploited
deviceidThe MAC address or IP address of a device that either has or potentially has a vulnerability
sourceThe source of the vulnerability detection: IoT Security when IoT Security learns it through its own detection and analysis; or, if learned through integration with a third-party vulnerability scanner, the name of the scanner–Qualys, Rapid7, Tenable
vulnerability_typesThe type of attack to which a vulnerability makes a device susceptible; for example, Code Execution, Overflow, Info Leak, Denial of Service
deviceTagsA list of device IDs of all vulnerable and potentially vulnerable IoT devices and any tags they might have
allTagsAn array of user-defined tags assigned to the device. Each item in the array consists of three attributes: tagType, tagValue, and tagId.
tagTypeThe key for a user-defined tag
tagValueThe value of the key for a user-defined tag
tagIdThe ID of a user-defined tag
sourceThe source of the vulnerability detection: IoT Security when IoT Security learns it through its own detection and analysis; or, if learned through integration with a third-party vulnerability scanner, the name of the scanner–Qualys, Rapid7, Tenable
totalThe total number of vulnerabilities affecting devices in your network
Success Response for All Vulnerability Instances (groupby=device) Example
{ "ver": "v4.0", "api": "/vulnerability/list", "items": [ { "deviceid": "64:16:7f:37:2d:45", "detected_date": [ "2021-04-19T23:59:59" ], "name": "Polycom_64167f372d45", "ip": "10.1.1.84", "profile": "Polycom IP Phone", "profile_vertical": "Office", "display_profile_category": "IP Phone", "vendor": "Polycom", "model": "VVX601", "os": "Embedded", "osCombined": "Embedded", "siteid": "0", "asset_tag": null, "sn": null, "date": "2021-03-12T01:28:26.986Z", "risk_score": 20, "risk_level": "Low", "tagIdList": [ "6030135777a1d6fb488e26ad", "60301332ff1679e9481b62a6" ], "ticketState": "new", "zb_ticketid": "vuln-52f40a58", "ticketAssignees": [ "analyst1@acmecorp.com" ], "reason_history": [ { "action": "sent to asset management: aims", "reason": "Check system", "reason_type": null, "user_email": "admin@acmecorp.com", "timestamp": "2019-10-18T22:00:20.255Z", "aims_workorder_number": 152027 "remediate_workorder": "152027", "remediate_checkbox": "0,1,2", "remediate_instruction": null, "detected_date": "2019-10-15T20:18:42.135Z", "vulnerability_name": "CVE-2019-12948" }, ], "allTags": [ { "tagType": "Owner", "tagValue": "Joe", "tagId": "6030135777a1d6fb488e26ad" }, { "tagType": "com-devices", "tagValue": "phones", "tagId": "60301332ff1679e9481b62a6" }, ] } ... ] "total": 34, }
Success Response for All Vulnerability Instances (groupby=vulnerability) Example
{ "ver": "v4.0", "api": "/vulnerability/list", "items": { "items": [ { "data": { "Potential": { "profile": [ "Arista Networks Device", "Cisco Systems Device" ], "device": [ "00:1c:73:20:c4:b5", "00:1c:73:16:a6:33", "00:57:d2:27:d2:d1" ], "addressedInstance": 0 } "Confirmed": { "profile": [ "Roles-Network-Router", "Cisco Networking Switch" ], "device": [ "e4:d3:f1:40:e8:c0", "08:17:35:77:d0:c1" ], "addressedInstance": 0 } }, "name": "CVE-2019-1737", "tenantid": "", "cvssVersion": "v3", "serviceLevel": null, "severity": "High", "date": "2022-07-18T23:59:59.000Z", "CVSS": 8.6, "description": "A vulnerability in the processing of IP Service Level Agreement (SLA) packets by Cisco IOS Software and Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an interface wedge and an eventual denial of service (DoS) condition on the affected device. The vulnerability is due to improper socket resources handling in the IP SLA responder application code. An attacker could exploit this vulnerability by sending crafted IP SLA packets to an affected device. An exploit could allow the attacker to cause an interface to become wedged, resulting in an eventual denial of service (DoS) condition on the affected device.", "source": "IoT Security", "vulnerability_types": [ "Denial Of Service" ] }, ... ] "deviceTags": { "08:17:35:77:d0:c1": { "deviceid": "08:17:35:77:d0:c1", "allTags": [ { "tagType": "lab", "tagValue": "l3", "tagId": "62acbf20a5fb040006174076" }, { "tagType": "location", "tagValue": "office14", "tagId": "62acbf74a5fb040006174078" }, { "tagType": "Forescout", "tagValue": "In Scope", "tagId": "6144c5700a5895bbb5384b88" }, ] }, "00:0f:11:00:e9:f2": { "deviceid": "00:0f:11:00:e9:f2" }, "00:a0:aa:00:01:96": { "deviceid": "00:a0:aa:00:01:96" }, ... } } "total": 61 }

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
FieldDescription
400Bad Request. This occurs when an HTTP request contains an invalid query string.
403Forbidden access. Either the provided API Key is invalid or it does not have the required RBAC permissions to run this API.
429Too many requests. The number of requests for a list of vulnerability instances exceeded the rate limit of 180 queries per minute per tenant.
500Internal server error. A unified status for API communication type errors.
Error Response Format
{code: STATUS_CODE, msg: GENERAL_MESSAGE}