Tenable Security Center API: Analysis

 

/analysis

Methods

POST

Processes a query for analysis

Request Parameters

Note

If the parameter query['id'] is not specified, the query parameter must contain a valid query, unless the type is "scLog" (deprecated in 5.19.0). The format for the full query definition can be found in the Query section of the API.

Note

The results are inclusive of the startOffset parameter value and exclusive of the endOffset parameter value.

Type: vuln
Vuln Type
{
	"type" : "vuln",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sourceType" : <string> "individual" | "cumulative" | "patched",
	"wasVuln" : <string> "onlyWas" | "excludeWas" | "includeWas" OPTIONAL (This field is used to query only WAS vulns, exclude WAS vulns, or include WAS vulns with regular VM data respectively.  The default behavior is to include WAS vulns with regular VM data.),
	"startOffset" : <number>,
	"endOffset" : <number>
}


When the sourceType is "individual", a scanID must be provided in the root of the request object:

{
	"type" : "vuln",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sourceType" : "individual",
	"startOffset" : <number>,
	"endOffset" : <number>,
	"scanID" : <number>,
	"view" : "all" | "new" | "patched"
}
Type: event
Event Type
{
	"type" : "event",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sourceType" : <string> "lce" | "archive"
}


When the sourceType is "archive", lceID and view must be provided in the root of the request object:

{
	"type" : "event",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"sourceType" : "archive",
	"lceID" : <number>,
	"view" : <string> (silo id)
}
Type: user
User Type
{
	"type" : "user",
	"query" : {
		"id" : <number> | (valid query)
	}
}
Type: scLog
SCLog Type (deprecated in 5.19.0)

scLog has a unique query object with its own special filters.

{
	"type" : "scLog",
	"date" : scLog basename (eg. "201412") | "all",
	"query": {
		"startOffset" : <number>,
		"endOffset" : <number>,
		"filters" : [
			{
				"filterName" : "keywords",
				"operator" : "=",
				"value" : <string>
			},
			{
				"filterName" : "severity",
				"value" : {
					"id" : <number> [0-2],
					"operator" : "=",
					"name":"INFO|WARNING|CRITICAL"
				}
			},
			{
				"filterName" : "initiator",
				"operator" : "=",
				"value" : {
					"id" : <number>,
					"username" : <string>
				}
			},
			{
				"filterName" : "module",
				"operator" : "=",
				"value" : <string> (eg. "auth")
			},
			{
				"filterName" : "organization",
				"value" : {
					"id" : <number>
				}
			}
		]
	}
}

scLog basenames can be retrieved from the system::GET call, but only for a logged-in user.

Type: mobile
Mobile Type
{
	"type" : "mobile",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"startOffset" : <number>,
	"endOffset" : <number>
}
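
The request rules above (required root fields that depend on sourceType, sortField paired with sortDir, inclusive startOffset and exclusive endOffset) can be checked client-side before a body is sent. This is an added example, not Tenable's code; the function names, the query id 42 and the stricter both-or-neither handling of sortField/sortDir are assumptions.

```python
# Added example: validate /analysis request bodies offline (no network calls).
# Function names are assumptions; field names and rules come from the schemas above.
SOURCES = {"vuln": {"individual", "cumulative", "patched"}, "event": {"lce", "archive"}}
# Root-level fields that become mandatory for a given (type, sourceType) pair.
REQUIRED = {("vuln", "individual"): ("scanID",), ("event", "archive"): ("lceID", "view")}


def build_analysis_body(type_, query, source_type=None, start=None, end=None,
                        sort_field=None, sort_dir=None, **extra):
    """Return a request body; raise ValueError when a documented rule is broken."""
    if type_ not in ("vuln", "event", "user", "mobile"):
        raise ValueError(f"unsupported type: {type_!r}")
    if not isinstance(query, dict) or not query:
        raise ValueError("query needs an 'id' or a full query definition")
    body = {"type": type_, "query": query, **extra}
    if type_ in SOURCES:
        if source_type not in SOURCES[type_]:
            raise ValueError(f"{type_} sourceType must be one of {sorted(SOURCES[type_])}")
        body["sourceType"] = source_type
        missing = [f for f in REQUIRED.get((type_, source_type), ()) if f not in extra]
        if missing:
            raise ValueError(f"sourceType {source_type!r} requires {missing} in the request root")
    if sort_field is not None or sort_dir is not None:
        # Assumption: this helper requires both together, which is stricter than the page.
        if not (isinstance(sort_field, str) and sort_field.isalnum()) or sort_dir not in ("ASC", "DESC"):
            raise ValueError("sortField must be alphanumeric and paired with sortDir ASC|DESC")
        body.update(sortField=sort_field, sortDir=sort_dir)
    if start is not None or end is not None:
        if not (isinstance(start, int) and isinstance(end, int) and 0 <= start < end):
            raise ValueError("need integer offsets with 0 <= startOffset < endOffset")
        body.update(startOffset=start, endOffset=end)
    return body


def page_windows(total_records, page_size):
    """Yield (startOffset, endOffset) pairs: start is inclusive, end is exclusive,
    so each window starts exactly where the previous one ended."""
    for start in range(0, total_records, page_size):
        yield start, start + page_size


if __name__ == "__main__":
    for s, e in page_windows(120, 50):  # constructed total and page size
        print(build_analysis_body("vuln", {"id": 42}, "cumulative", s, e))
```
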
Example Response
{
	"type" : "regular",
	"response" : {
		"totalRecords" : "1",
 		"returnedRecords" : 1,
		"startOffset" : "0",
		"endOffset" : "50",
		"matchingDataElementCount" : "-1",
		"results":[
			{
				"pluginID" : "119500",
				"severity" : {
					"id" : "4",
					"name" : "Critical",
					"description" : "Critical Severity"
				},
				"vprScore" : "6.7",
				"vprContext" : "[
					{
						"id" : "age_of_vuln",
						"name" : "Vulnerability Age",
						"value" : "60 - 180 days",
						"type" : "string"
					},
					{
						"id" : "cvssV3_impactScore",
						"name" : "CvssV3 Impact Score",
						"value" : 5.9,
						"type" : "number"
					},
					{
						"id" : "exploit_code_maturity",
						"name" : "Exploit Code Maturity",
						"value" : "Unproven",
						"type" : "string"
					},
					{
						"id" : "predicted_impactScore",
						"name" : "Predicted Impact Score",
						"value" : false,
						"type" : "boolean"
					},
					{	
						"id" : "product_coverage",
						"name" : "Product Coverage",
						"value" : "Low",
						"type" : "string"
					},
					{
						"id" : "threat_intensity_last_28",
						"name" : "Threat Intensity",
						"value" : "Low",
						"type" : "string"
					},
					{
						"id" : "threat_recency",
						"name" : "Threat Recency",
						"value" : "7 to 30 days",
						"type" : "string"
					},
					{
						"id" : "threat_sources_last_28",
						"name" : "Threat Sources",
						"value" : "Security Research",
						"type" : "string"
					}
				]",
				"ip" : "172.26.48.75",
				"uuid" : "",
				"port" : "8080",
				"protocol" : "TCP",
				"name" : "Jenkins < 2.138.4 LTS \/ 2.150.1 LTS \/ 2.154 Multiple Vulnerabilities",
				"dnsName" : "",
				"macAddress" : "00:50:56:be:27:da",
				"netbiosName" : "TARGET\\WINDOW7X64",
				"uniqueness" : "repositoryID,ip,dnsName",
				"hostUniqueness" : "repositoryID,ip,dnsName",
				"family" : {
					"id" : "6",
					"name" : "CGI abuses",
					"type" : "active"
				},
				"repository" : {
					"id" : "516",
					"name" : "repo1",
					"description" : "",
					"dataFormat" : "IPv4"
				},
				"pluginInfo" : "119500 (8080\/6) Jenkins < 2.138.4 LTS \/ 2.150.1 LTS \/ 2.154 Multiple Vulnerabilities"
			}
		]
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1553525692
}
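
An added example (not part of the original documentation) that normalizes a response like the one above: string-encoded numbers are converted, the embedded vprContext string is decoded, and the next startOffset is derived from the exclusive endOffset. The function names, the trimmed sample and the treatment of a non-zero error_code as failure are assumptions.

```python
import json

# Constructed sample trimmed from the example response above. Assumption: vprContext
# arrives as a string holding a JSON array, as the quoting in that example suggests.
SAMPLE = json.dumps({
    "response": {
        "totalRecords": "1", "startOffset": "0", "endOffset": "50",
        "results": [{
            "pluginID": "119500", "severity": {"id": "4", "name": "Critical"},
            "vprScore": "6.7", "ip": "172.26.48.75", "port": "8080",
            "vprContext": json.dumps([
                {"id": "age_of_vuln", "value": "60 - 180 days", "type": "string"},
                {"id": "exploit_code_maturity", "value": "Unproven", "type": "string"}]),
        }]},
    "error_code": 0, "error_msg": ""})


def to_number(value):
    """Turn string-encoded numbers ("4", "6.7") into int/float; pass anything else through."""
    if isinstance(value, str):
        for cast in (int, float):
            try:
                return cast(value)
            except ValueError:
                continue
    return value


def parse_analysis_response(raw):
    """Return (meta, findings); raise RuntimeError when error_code is not 0 (assumed failure)."""
    doc = json.loads(raw)
    if doc.get("error_code") != 0:
        raise RuntimeError(f"API error {doc.get('error_code')}: {doc.get('error_msg')}")
    resp = doc["response"]
    meta = {k: to_number(resp[k]) for k in ("totalRecords", "startOffset", "endOffset")}
    # endOffset is exclusive, so it is also the next page's startOffset while records remain.
    meta["nextStart"] = meta["endOffset"] if meta["endOffset"] < meta["totalRecords"] else None
    findings = []
    for row in resp.get("results", []):
        try:
            context = json.loads(row.get("vprContext") or "[]")
        except (TypeError, ValueError):
            context = []  # keep the finding even when the embedded context is malformed
        if not isinstance(context, list):
            context = []
        findings.append({
            "pluginID": to_number(row["pluginID"]), "severity": to_number(row["severity"]["id"]),
            "vprScore": to_number(row.get("vprScore")), "port": to_number(row.get("port")), "ip": row.get("ip"),
            "vpr": {c["id"]: c.get("value") for c in context if isinstance(c, dict) and "id" in c}})
    return meta, findings
```
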

/analysis/download

Methods

POST

Downloads an analysis of a Query

Request Parameters

Note

The "user" type of Analysis is not supported in download.

Note

The results are inclusive of the startOffset parameter value and exclusive of the endOffset parameter value.

Type: vuln
Vuln Type
{
	"type" : "vuln",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sourceType" : <string> "individual" | "cumulative" | "patched",
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"startOffset" : <number>,
	"endOffset" : <number>,
	"columns" : [
		{
			"name" : <string>
		}
	]
}


When the sourceType is "individual", scanID and view must be provided in the root of the request object:

{
	"type" : "vuln",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sourceType" : <string> "individual",
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"startOffset" : <number>,
	"endOffset" : <number>,
	"columns" : [
		{
			"name" : <string>
		}
	],
	"scanID" : <number>,
	"view" : <string>
}
Type: event
Event Type
{
	"type" : "event",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sourceType" : <string> "lce" | "archive",
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir)
}



When the sourceType is "archive", lceID and view must be provided in the root of the request object:

{
	"type" : "event",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sourceType" : <string> "lce" | "archive",
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"lceID" : <number>,
	"view" : <string> (silo id)
}
Type: scLog
SCLog Type (deprecated in 5.19.0)


{
	"type" : "scLog",
	"offset" : <number>,
	"length" : <number>,
	"severity" : "INFO" | "WARN" | "CRITICAL",
	"keywords" : <string> keywords separated by " ", "\t", "\n", or "\r" (eg. "Authentication User"),
	"date" : scLog basename (eg. "201412") | "all",
	"username" : <string> (Optional),
	"module" : <string> (eg. "auth") (Optional),
	"orgID" : <number> (Admins only; Optional)
}
Type: mobile
Mobile Type
{
	"type" : "mobile",
	"query" : {
		"id" : <number> | (valid query)
	},
	"sortDir" : <string> "ASC" | "DESC" OPTIONAL,
	"sortField" : <string> (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
	"startOffset" : <number>,
	"endOffset" : <number>,
	"columns" : [
		{
			"name" : <string>
		}
	]
}
Example Response

None given. The response will be in CSV format.