AdvocateRick
Cisco Employee

Recently, a customer used the Data Exports APIs to count the number of vulnerabilities closed in the last seven days.  Depending on the number of vulnerabilities, this can take some time and consume Cisco Vulnerability Management server resources.  Is there an alternative?  Yes, the "Search Vulnerabilities" API.

A new code sample, get_closed_vuln_count.py, was created to demonstrate this.  Since it started from previous code, it is a little heavy for the task; for instance, it performs logging.

Let's look at the search set-up:

 32 # Performs a vulnerabilities search with the status of closed for the last seven days.
 33 def search_closed_vulns(base_url, headers):
 34     search_vulns_url = f"{base_url}/vulnerabilities/search"
 35 
 36     # See https://help.kennasecurity.com/hc/en-us/articles/206280593-Kenna-Search-Terms for q search terms.
 37     query_params = "?status[]=closed&q=closed_at:>now-7d&fields=id,created_at,last_seen_time,cve_id,description"
 38     search_vulns_url += query_params
 39 
 40     response = requests.get(search_vulns_url, headers=headers)
 41     if response.status_code != 200:
 42         process_http_error(f"Vulnerability Search API Error", response, search_vulns_url)
 43         sys.exit(1)
 44 
 45     return response.json()

On line 37, query_params filters on status[] set to "closed", sets q to the last seven days (closed_at:>now-7d), and uses fields to select which response fields are returned.  With the Search Vulnerabilities URL and query_params combined, the "Search Vulnerabilities" API is invoked (line 40).

The response contains the vulnerabilities and the meta attribute (line 71).

 69     closed_vulns_resp = search_closed_vulns(base_url, headers)
 70 
 71     meta = closed_vulns_resp['meta']
 72     total_count = meta['total_count']

The total_count is a field in meta (line 72).

Feel free to play with the search filters. So there you have it, download the code and start using it.
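
The sketch below is an added example, not part of get_closed_vuln_count.py: it builds the same search query with percent-encoding, generalizes the seven-day window to a validated `days` value, and reads meta.total_count defensively. The base URL is a placeholder, the response body is constructed, and it is an assumption that the `now-Nd` term accepts windows other than the page's `now-7d`.

```python
from urllib.parse import urlencode

# Response fields requested in the original sample's query string.
FIELDS = ("id", "created_at", "last_seen_time", "cve_id", "description")


def build_closed_vulns_url(base_url, days=7, fields=FIELDS):
    """Return the search URL for vulnerabilities closed in the last `days` days."""
    # Accept only a positive integer so a caller-supplied value can never
    # carry extra search terms into the q parameter.
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        raise ValueError("days must be a positive integer")
    params = [
        ("status[]", "closed"),
        ("q", f"closed_at:>now-{days}d"),  # assumption: now-Nd works for any N
        ("fields", ",".join(fields)),
    ]
    # urlencode percent-encodes '[', ']', ':', '>' and ',' for the query string.
    return f"{base_url.rstrip('/')}/vulnerabilities/search?{urlencode(params)}"


def closed_vuln_count(search_response):
    """Return meta.total_count, failing loudly on an unexpected body."""
    meta = search_response.get("meta")
    if not isinstance(meta, dict) or not isinstance(meta.get("total_count"), int):
        raise ValueError("response has no integer meta.total_count")
    return meta["total_count"]


# Constructed sample body: only the keys the article mentions, with made-up values.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"id": 1001, "description": "constructed entry A"},
        {"id": 1002, "description": "constructed entry B"},
    ],
    "meta": {"total_count": 2},
}

if __name__ == "__main__":
    # Placeholder host; substitute the API base URL for your deployment.
    print(build_closed_vulns_url("https://api.example.invalid", days=7))
    print(closed_vuln_count(SAMPLE_RESPONSE))
```

The returned URL can be passed to requests.get(url, headers=headers) exactly as search_vulns_url is on line 40.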

Comments
jaredkalmus
Cisco Employee

This is great, thank you Rick. This reminds me of the flexibility of Kenna's API. While there may not be a specific endpoint to get this data, it's easy to collect with a little bit of creativity with Kenna's filtering ability. Always nice to have a single tactical request to deliver the exact data needed without having to perform any major post-response processing or data manipulation.

 
