
Can we fetch vulnerability details with Cisco AMP using Orbital?

Can we fetch vulnerability details with Cisco AMP using the Orbital feature? If so, can someone please let me know whether there is an inbuilt query, or whether we have to create customized queries to fetch this information for all applicable endpoints.

If there are any customized queries, can someone please share them with us.

4 Replies

Matthew Franks
Cisco Employee

When you say fetch vulnerabilities, what exactly are you referring to? If you're talking about software vulnerabilities reported by AMP, you can use the AMP API to pull this information. If you're talking about Microsoft-reported vulnerabilities, you can use the "Windows HotFixes Monitoring" Orbital query to pull up a list of KBs installed on the system and determine which vulnerabilities exist based on that. There are also a few specific CVE queries listed that you can find by searching "CVE" in the Orbital queries.

Thanks,

Matt

Thanks Matt. I just need to fetch the complete list of vulnerabilities.

I have a couple of questions.

a) How do we use the AMP API to get the list of all software vulnerabilities? Can you please provide some supporting documentation on running these queries? Also, can we run these queries for a particular group instead of a single machine?

b) With respect to Microsoft vulnerabilities, I ran the "Windows HotFixes Monitoring" query and it gives me a set of KBs. Are these KBs open to vulnerability, or just the list of KBs that are installed on the machine?

a) The link I sent previously is the API documentation link for the vulnerabilities call. Here it is again:
https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fvulnerabilities&api_host=api.amp.cisco.com&api_resource=Vulnerabilities&api_version=v1

b) The query returns a list of installed KBs. If you're looking for a specific vulnerability that is fixed by a KB, you can reference this list to see whether it is fixed or not.

I believe you're looking for the information from a). You can see examples of various forms of this query by selecting the appropriate tab.

(screenshot: screenshot.png)

Thanks,

Matt
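The following is an added example, not code from this thread or from Cisco, showing how a script would consume the GET /v1/vulnerabilities call Matt links above: it builds the request, pages through the results, and flattens them into rows you can sort by CVSS. Assumed from the public API documentation rather than from the thread: HTTP Basic authentication with the API client ID as username and the API key as password, `limit`/`offset` paging with a `metadata.links.next` URL in each page, and a `group_guid[]` query parameter to scope the list to one group (which answers the poster's group question only if that parameter is indeed supported). The sample response and CVE IDs are constructed so the script runs offline.

```python
"""List software vulnerabilities reported by AMP for Endpoints via the API.

Added example (not from the thread or from Cisco). Assumptions, taken from the
public API docs and not confirmed by the thread: Basic auth (client ID : API
key), limit/offset paging with metadata.links.next, and a group_guid[] filter.
"""
import base64
import io
import json
import os
import urllib.parse
import urllib.request

API_HOST = "https://api.amp.cisco.com"  # Americas cloud; other regions use a different host


def build_request(client_id, api_key, group_guid=None, limit=100, offset=0):
    """Return (url, headers) for one page of GET /v1/vulnerabilities."""
    params = {"limit": limit, "offset": offset}
    if group_guid:
        params["group_guid[]"] = group_guid  # assumed filter parameter, see docstring
    url = f"{API_HOST}/v1/vulnerabilities?{urllib.parse.urlencode(params)}"
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    return url, headers


def fetch_all(client_id, api_key, group_guid=None, opener=urllib.request.urlopen):
    """Follow metadata.links.next until the API returns no further page."""
    url, headers = build_request(client_id, api_key, group_guid)
    items = []
    while url:
        req = urllib.request.Request(url, headers=headers)
        with opener(req) as resp:
            page = json.load(resp)
        items.extend(page.get("data", []))
        url = page.get("metadata", {}).get("links", {}).get("next")
    return items


def summarize(items, min_cvss=0.0):
    """Flatten to (application, version, cve, cvss, hosts) rows at or above a CVSS floor,
    highest score first."""
    rows = []
    for item in items:
        for cve in item.get("cves", []):
            score = float(cve.get("cvss", 0))
            if score >= min_cvss:
                rows.append((item["application"], item["version"], cve["id"],
                             score, item.get("computers_total_count", 0)))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


# Constructed sample page in the documented response shape; the CVE IDs are placeholders.
SAMPLE_PAGE = {
    "metadata": {"links": {"self": API_HOST + "/v1/vulnerabilities"}, "results": {"total": 2}},
    "data": [
        {"application": "Example Reader", "version": "1.2.3", "computers_total_count": 4,
         "cves": [{"id": "CVE-0000-0001", "cvss": 9.8}, {"id": "CVE-0000-0002", "cvss": 5.0}]},
        {"application": "Example Player", "version": "9.0", "computers_total_count": 1,
         "cves": [{"id": "CVE-0000-0003", "cvss": 7.5}]},
    ],
}


def offline_opener(_request):
    """Stand-in for urlopen that serves the constructed page, so the script runs offline."""
    return io.BytesIO(json.dumps(SAMPLE_PAGE).encode())


if __name__ == "__main__":
    cid, key = os.environ.get("AMP_CLIENT_ID"), os.environ.get("AMP_API_KEY")
    if cid and key:
        data = fetch_all(cid, key, group_guid=os.environ.get("AMP_GROUP_GUID"))
    else:
        data = fetch_all("demo", "demo", opener=offline_opener)
    for row in summarize(data, min_cvss=7.0):
        print("%-20s %-10s %-16s %4.1f  %d hosts" % row)
```

Set `AMP_CLIENT_ID` and `AMP_API_KEY` (and optionally `AMP_GROUP_GUID`) to run it against the live API; without them it prints the constructed sample. The CVSS floor is the practical filter here: the endpoint returns every vulnerable application seen across the organization, so sorting by score and host count is what turns the raw list into a remediation queue.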

Troja007
Cisco Employee

Hello @pavankumar.kakarla,

Just a short question: how about a full NIST integration into AMP for Endpoints? Would this be a possible solution for you?

Greetings,

Thorsten