Get Vulnerabilities
GET/pub/v4.0/vulnerability/list
Get a list of vulnerability instances.
Rate limiting: 60 times per minute
Request
Query Parameters
The customer ID to which the API call is directed
Optional field setting the start of a time range for retrieving vulnerability instances. For example, to get all instances since November 3, 2020, starting at 00:00 AM in the Pacific Time Zone(UTC-8), the start time would be stime=2020-11-3T08:00Z.
If you prefer to specify the time in your local time rather than adjusting it to UTC time, you can also format the start time as 2020-11-03T:00:00-08:00. Especially when starting at a later hour in the day, this format involves less calculating. For example, if you want to get vulnerability instances starting from 6:00 PM on November 3, 2020, entering 2020-11-03T18:00-08:00 is much simpler than entering 2020-11-04T02:00Z.
Optional field that sets the start of a time range for retrieving vulnerabilities created in the database or that have been updated. When this field is used, the stime field is ignored.
The number of items in one response; that is, in one page. The default page length for vulnerabilities is 1000 and the maximum is 1000. Setting a shorter length improves response times. Note: The pagelength parameter is only valid when grouping vulnerability instances by device, not when grouping them by vulnerability.
In addition to the pagelength parameter, offset gets items on subsequent pages. For example, if the page length of your first request is 100, you get the first 100 vulnerabilities. To get the next 100, add offset=100 to your second request. This skips the first 100 vulnerabilities and gets the next 100 starting from 101. Note: The offset parameter is only valid when grouping vulnerability instances by device, not when grouping them by vulnerability.
The name of a specific vulnerability. If omitted, all vulnerabilities are returned.
The status of vulnerabilities to be retrieved: confirmed or potential vulnerabilities. The following field is either the string “Confirmed” or “Potential”. If no value is passed, both types of vulnerabilities are returned.
The grouping of device vulnerability instances in query results. Each groupby option results in a different JSON object structure in the response. groupby=vulnerability (the default) organizes results into groups by vulnerability. Each vulnerability and the device IDs impacted are an item in the items list. groupby=device organizes results into groups by device ID. Each device ID and a single vulnerability are an item in the items list.
To request all vulnerability instances for a specific device, the value is the string vulnerability followed by &deviceid='<'device_id'>', where the device ID is either a MAC address or, for static IP devices, an IP address. (Entering an IP address for a device whose device identifier is a MAC address doesn’t work. Similarly, entering a MAC address for a device whose device identifier is an IP address also doesn’t work.)
Responses
- 200
- 4XX
- 5XX
Successful Response (We only show some important fields here.)
- application/json
- Schema
- Example (from schema)
- vulnerabilityList
- vulnerabilityInstanceList
Schema
- VulnerabilyInstanceListSchema
- VulnerabilyListSchema
- Array [
- Array [
- ]
- ]
- Array [
- ]
The number of vulnerablity instances matching the request
items object[]
An array containing vulnerablity instances
The hostname of the device associated with a vulnerability instance
The IP address of a device associated with a vulnerability instance
The MAC address or IP address of the device
The profile to which the device belongs
The vertical to which the device profile belongs
The category to which the device profile belongs
The device vendor
The device model
The device OS
The OS and OS version combined
The ID of the site where the device is deployed
The asset tag of the device; if none, then “null” is returned
The device serial number
The date of the latest activity of the device
The risk score of the vulnerability instance
The risk level of the vulnerability instance: Low, Medium, High, or Critical
The state of the zb_ticket for a vulnerability instance —investigation, remediation, resolved, or new if the vulnerability was detected but nobody has yet taken action to address it
The unique ticket ID for a vulnerability instance
The email address of one or more people assigned to remediate a vulnerability instance; if there aren’t any, null is returned
An array that holds the history of all actions taken on a vulnerability instance, including status changes, user notes, if it was sent to asset management, and if it was resolved; if no actions were taken, null is returned
The work order number returned from an integrated third-party asset management system such as AIMS, Connectiv, Nuvolo, or ServiceNow to which a vulnerability instance was sent
Index values indicating the type of information sent to asset management; 0 = vulnerability summary, 1 = vulnerability impact, 2 = device information
Additional instructions included with the work order
The date when a vulnerability instance was originally detected
The name of the vulnerability
allTags object[]
An array of user-defined tags assigned to the device. Each item in the array consists of three attributes: tagType, tagValue, and tagId.
The key for a user-defined tag
The value of the tag key for a user-defined tag
The ID of a user-defined tag
The number of vulnerablities matching the request
items object
items object[]
An array containing vulnerablities
data object
Potential Object
The device profiles that the vulnerability affects or potentially affects
List of device IDs of all IoT devices that are vulnerable or potentially vulnerable
Confirmed Object
The device profiles that the vulnerability affects or potentially affects
Name of the vulnerability
v2 or v3 Score ranges are different for the two Common Vulnerability Scoring System versions. Version 2 has three score ranges: Low 0.0 - 3.9, Medium 4.0 - 6.9, High 7.0 - 10.0. Version 3 has five ranges: None - 0.0, Low 0.1 - 3.9, Medium 4.0 - 6.9, High, 7.0 - 8.9, Critical 9.0 - 10.0.)
Possible values: [Low, Medium, High, Critical]
Only vulnerabilities with a CVSSv3 rating can have a Critical severity level.
The most recent date that an instance of this vulnerability was detected on an IoT device
The CVSS score for the vulnerability.
A description of what the vulnerability is and how it can be exploited
The source of the vulnerability detection: IoT Security when IoT Security learns it through its own detection and analysis; or, if learned through integration with a third-party vulnerability scanner, the name of the scanner–Qualys, Rapid7, Tenable
The type of attack to which a vulnerability makes a device susceptible; for example, Code Execution, Overflow, Info Leak, Denial of Service
{}
{
"ver": "v4.0",
"api": "/vulnerability/list",
"items": {
"items": [
{
"data": {
"Potential": {
"profile": [
"F5 Networks Device",
"NetApp Device"
],
"device": 133,
"addressedInstance": 0
},
"Confirmed": {
"profile": [
"Palo Alto Networks Device",
"Siemens Building Technology Device"
],
"device": 13,
"addressedInstance": 0
}
},
"name": "CVE-2021-46143",
"tenantid": "",
"cvssVersion": "v3",
"serviceLevel": null,
"severity": "High",
"date": "2022-10-02T23:59:59.000Z",
"CVSS": 7.8,
"description": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.",
"source": "IoT Security"
}
]
}
}
{
"ver": "v4.0",
"api": "/vulnerability/list",
"items": [
{
"name": "Polycom_64167f372d45",
"ip": "10.1.1.84",
"deviceid": "64:16:7f:37:2d:45",
"profile": "Polycom IP Phone",
"profile_vertical": "Office",
"display_profile_category": "IP Phone",
"vendor": "Polycom",
"model": "VVX601",
"os": "Embedded",
"osCombined": "Embedded",
"siteid": "0",
"asset_tag": null,
"sn": null,
"date": "2020-05-12T01:28:26.986Z",
"risk_score": 20,
"risk_level": "Low",
"ticketState": "new",
"zb_ticketid": "vuln-52f40a58",
"ticketAssignees": [
"analyst1@acmecorp.com"
],
"reason_history": [
{
"action": "sent to asset management: aims",
"reason": "Check system",
"reason_type": null,
"user_email": "admin@acmecorp.com",
"timestamp": "2019-10-18T22:00:20.255Z",
"aims_workorder_number": 152027
}
],
"remediate_workorder": "152027",
"remediate_checkbox": "0,1,2",
"remediate_instruction": null,
"detected_date": "2019-10-15T20:18:42.135Z",
"vulnerability_name": "CVE-2019-12948",
"allTags": [
{
"tagType": "TestFilter",
"tagValue": "withTagInLocalFilter5",
"tagId": "6030135777a1d6fb488e26ad"
},
{
"tagType": "TestFilter",
"tagValue": "withTagInLocalFilter4",
"tagId": "60301332ff1679e9481b62a6"
}
]
}
]
}
Client Error Response
- application/json
- Schema
- Example (from schema)
- Bad Request
- Forbidden access
- Too many requests
Schema
STATUS_CODE
GENERAL_MESSAGE
{
"code": "string",
"msg": "string"
}
{
"code": 400,
"msg": "Bad Request. This occurs when an HTTP request contains an invalid query string."
}
{
"code": 403,
"msg": "Forbidden access. Either the provided API key is invalid or it does not have the required RBAC permissions to run this API."
}
{
"code": 429,
"msg": "Too many requests. The number of requests for device details for a single device exceeded the rate limit of 180 queries per minute per tenant."
}
Server Error Response
- application/json
- Schema
- Example (from schema)
- vulnerabilityInstanceList
Schema
STATUS_CODE
GENERAL_MESSAGE
{
"code": "string",
"msg": "string"
}
{
"code": 500,
"msg": "Internal server error. A unified status for API communication type errors."
}