Tenable Security Center API: Query

/query

Methods
GET

Gets the list of Queries.

Fields Parameter

NOTE: Currently, all fields are returned on GET all; the ** marks the fields which will be listed in a future release.

The fields parameter should be specified in the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields type "vuln", sourceType "cumulative" | null

* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups

Legend

* = always comes back
** = comes back if fields list not specified on GET all

Request Parameters


Parameters must be passed in as a query string (as opposed to JSON), in the format: /query?type=lce

{
    "type" : <string> "alert" | "all" | "lce" | "mobile" | "ticket" | "user" | "vuln" DEFAULT "all"}
Filter Parameters

usable - The response will be an object containing an array of usable Queries. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Queries. By default, both usable and manageable objects are returned. 

Example Response
{
    "type" : "regular",
    "response" : {
        "usable" : [
            {
                "id" : "1",
                "name" : "Name",
                "description" : "Test for posting an alert query"           },
            {
                "id" : "2",
                "name" : "Post Copy Response Example",
                "description" : ""          },
            {
                "id" : "3",
                "name" : "Post Copy Response Example2",
                "description" : ""          },
            {
                "id" : "1391",
                "name" : "TEST",
                "description" : ""          },
            {
                "id" : "1467",
                "name" : "Test 1",
                "description" : ""          },
            {
                "id" : "1468",
                "name" : "Test 2",
                "description" : ""          },
            {
                "id" : "1469",
                "name" : "Test 3",
                "description" : ""          },
            {
                "id" : "1470",
                "name" : "Test 4",
                "description" : ""          },
            {
                "id" : "1471",
                "name" : "Test 5",
                "description" : ""          }
        ],
        "manageable" : [
            {
                "id" : "1",
                "name" : "Name",
                "description" : "Test for posting an alert query"           },
            {
                "id" : "2",
                "name" : "Post Copy Response Example",
                "description" : ""          },
            {
                "id" : "3",
                "name" : "Post Copy Response Example2",
                "description" : ""          },
            {
                "id" : "1391",
                "name" : "TEST",
                "description" : ""          },
            {
                "id" : "1434",
                "name" : "query1",
                "description" : "Created with 'group1's shared asset: 'Test Asset 1'.\n\nThis asset will be unshared"           },
            {
                "id" : "1435",
                "name" : "query2",
                "description" : "Created with 'group1's shared asset: 'Test Asset 2'.\n\nThis asset will be deleted"            },
            {
                "id" : "1436",
                "name" : "group1Query",
                "description" : ""          },
            {
                "id" : "1467",
                "name" : "Test 1",
                "description" : ""          },
            {
                "id" : "1468",
                "name" : "Test 2",
                "description" : ""          },
            {
                "id" : "1469",
                "name" : "Test 3",
                "description" : ""          },
            {
                "id" : "1470",
                "name" : "Test 4",
                "description" : ""          },
            {
                "id" : "1471",
                "name" : "Test 5",
                "description" : ""          }
        ]
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1427750981
}
POST

Adds a Query

Request Parameters
{
    "name" : <string>,
    "description" : <string> DEFAULT "",
    "ownerID" : <string> DEFAULT <Session User ID)
    "tags" : <string> DEFAULT "",
    "type" : <string> "alert" | "lce" | "mobile" | "ticket" | "user" | "vuln",
    "context" : <string> DEFAULT "",
    "browseColumns" : <string> DEFAULT "",
    "browseSortColumn" : <string> DEFAULT "",
    "browseSortDirection" : <string> "ASC" | "DESC" DEFAULT "ASC",
    ...
}


Type: "alert" (Expand)
Alert Type
...
    "sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash),
    "sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive),
    "startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
    "endOffset" : <number> OPTIONAL (integer),
    "tool" : <string> "listalerts",
    "filters" : [
        {
            "filterName" : <string> "alertName" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "description" | "didTriggerLastEvaluation" | "lastEvaluatedEndTime" | "lastEvaluatedStartTime" | "lastEvaluatedTimeFrame" | "lastTriggeredEndTime" | "lastTriggeredStartTime" | "lastTriggeredTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame",
            "operator" : <string> "",
            "value" : <string> | <number>       }...
    ] DEFAULT []
...
Type: "lce" (Expand)
LCE Type

NOTE #1: Filter operators are not validated, but the filters provided below are the ones that will function properly.

NOTE #2: Filter "outputAssets" only applies to tool "sumasset".

...
    "sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash. Must accompany sortDir),
    "sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
    "startOffset" : <number> OPTIONAL (integer; lower bound to returned record set. default 0 if not specified),
    "endOffset" : <number> OPTIONAL (integer; upper bound to returned record set. default 100 if not specified),
    "tool" : <string> "listdata" | "sumasset" | "sumclassa" | "sumclassb" | "sumclassc" | "sumdate" | "sumevent" | "sumevent2" | "sumip" | "sumport" | "sumprotocol" | "sumsensor" | "sumtime" | "sumtype" | "sumuser" | "syslog" | "timedist",
    "filters" : [
        {
            "filterName" : <string> "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "dport" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "port" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "sport" | "starttime" | "text" | "timeframe" | "type" | "user",
  
            filterName "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "starttime" | "text" | "timeframe" | "type" | "user"            -------------------------------------------
            "operator" : <string> "=" | "!=",
            "value" : (Format depends on filter's "filterName" parameter)
  
            filterName "dport" | "port" | "sport"           -------------------------------------------
            "operator" :  <string> "=" | "!=" | "<=" | ">=",
            "value" : (Format depends on filter's "filterName" parameter)
 
        }...
    ] DEFAULT []
...
sourceType "archive"

Note: sourceType will never be "archive." This is included for informational purposes only. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)

...
    "view" : <string>,
    "lce" : {
        "id" : <number>   }
...
Type: "mobile" (Expand)
Mobile Type

NOTE: Filter operators are not validated, but the filters provided below are the ones that will function properly.

...
    "sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
    "sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
    "startOffset" : <number> OPTIONAL (integer; lower bound to returned record set.  Must be explicitly supplied for tool "vulndetails"),
    "endOffset" : <number> OPTIONAL (integer; upper bound to returned record set.  Must be explicitly supplied for tool "vulndetails"),
    "tool" : <string> "listvuln" | "sumdeviceid" | "summdmuser" | "summodel" | "sumoscpe" | "sumpluginid" | "vulndetails",
    "filters" : [
        {
            "filterName" : <string> "baseCVSSScore" | "cvssV3BaseScore" | "deviceID" | "deviceModel" | "deviceUser" | "deviceVersion" | "exploitAvailable" | "family" | "familyID" | "lastMitigated" | "lastSeen" | "mdmType" | "osCPE" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginOutput" | "pluginPublished" | "port" | "protocol" | "repository" | "repositoryIDs" | "serialNumber" | "severity" | "vulnPublished",
                         
            filterName "osCPE" | "baseCVSSScore" | "cvssV3BaseScore" |"pluginOutput" | "repository" | "repositoryIDs" | "deviceID" | "deviceModel" | "deviceUser" | "pluginID"          ------------------------------------------------------------
            "operator" : "=" | "!=",
            "value" : (Format depends on filter's "filterName" parameter)
  
            filterName "mdmType" | "pluginName" | "lastMitigated" | "lastSeen" | "vulnPublished" | "pluginModified" | "patchPublished" | "pluginPublished" | "acceptedRisk" | "daysMitigated" | "dnsName" | "exploitAvailable" | "family" | "familyID" | "ip" | "lastMitigated" | "mitigatedStatus" | "pluginText" | "port" | "protocol" | "recastRisk" | "responsibleUser" | "severity" | "xref"           ---------------------------------------------------------------------------------------------------------------------------------
            "operator" : <string> "=" | "<=" | ">=" | "!=" | "between" | "outside" | "contains" | "excludes" | "in" | "!in",
            "value" : (Format depends on filter's "filterName" parameter)
             
        }...
    ] DEFAULT []
...
Type: "ticket" (Expand)
Ticket Type
...
    "sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir),
    "sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
    "startOffset" : <number> OPTIONAL (integer; default "0" if not specified and endOffset is specified),
    "endOffset" : <number> OPTIONAL (integer),
    "tool" : <string> "listtickets" | "sumassignee" | "sumclassification" | "sumcreator" | "sumstatus",
    "filters" : [
        {
            "filterName" : <string> "assignedEndTime" | "assignedStartTime" | "assignedTimeFrame" | "assignee" | "assigneeID" | "classification" | "closedEndTime" | "closedStartTime" | "closedTimeFrame" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame" | "owner" | "ownerID" | "resolvedEndTime" | "resolvedStartTime" | "resolvedTimeFrame" | "status",
            "value" : (Format depends on filter's "filterName" parameter)
        }...
    ] DEFAULT []
...
Type: "user" (Expand)
User Type
...
    "sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir.  username, roleID, and groupID will attempt to perform case-insensitive sort on the text field in relation to the ID),
    "sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
    "startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
    "endOffset" : <number> OPTIONAL (integer),
    "tool" : <string> "listusers" | "sumgroup" | "sumrole",
    "filters" : [
        {
            "filterName" : <string> "address" | "authType" | "country" | "email" | "fax" | "firstname" | "group" | "groupID" | "lastLoginEndTime" | "lastLoginStartTime" | "lastLoginTimeFrame" | "lastname" | "locked" | "phone" | "role" | "roleID" | "state" | "title" | "username",
            "operator" : <string>,
            "value" : (Format depends on filter's "filterName" parameter)
        }...
    ]
...
Type: "vuln" (Expand)
Vuln Type

NOTE #1: Filter operators are not validated, but the filters provided below are the ones that will function properly.

NOTE #2: Filter "outputAssets" only applies to tool "sumasset".

NOTE #3: Filter "solutionID" only applies to tools "sumremediation" and "remediationdetail". Moreover, tool "remediationdetail" must specify a "solutionID" filter.

...
    "sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool.  [Some restrictions apply.]  Must accompany sortDir),
    "sortDir" : <string> "ASC" | "DESC" DEFAULT "ASC" (default "ASC" if not specified and sortField is specified),
    "startOffset" : <number> OPTIONAL (integer; lower bound to returned record set.  Must be explicitly supplied for tools "vulndetails" and "listvuln"),
    "endOffset" : <number> OPTIONAL (integer; upper bound to returned record set.  Must be explicitly supplied for tools "vulndetails" and "listvuln"),
    "tool" : <string> "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "remediationdetail" | "sumasset" | "sumcce" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
    "filters" : [
        {
            "filterName" : <string> "acceptRiskStatus" | "asset" | "assetCriticalityRating" | "assetID" | "auditFile" | "auditFileID" | "baseCVSSScore" | "benchmarkName" | "cceID" | "cpe" | "cveID" | "cvssV3BaseScore" | "cvssV3Vector" | "cvssVector" | "dataFormat" | "daysMitigated" | "daysToMitigated" | "dnsName" | "exploitAvailable" | "exploitFrameworks" | "family" | "familyID" | "firstSeen" | "iavmID" | "ip" | "lastMitigated" | "lastSeen" | "mitigatedStatus" | "msbulletinID" | "outputAssets" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginPublished" | "pluginText" | "pluginType" | "policy" | "policyID" | "port" | "protocol" | "recastRiskStatus" | "repository" | "repositoryIDs" | "responsibleUser" | "responsibleUserIDs" | "severity" | "solutionID" | "stigSeverity" | "tcpport" | "udpport" | "uuid" | "vprScore" | "vulnPublished" | "xref",
  
            filterName "acceptRiskStatus"           -----------------------------
            "operator" : <string> "=",
            "value" : <string> "all" | "accepted" | "notAccepted"
            NOTE: During evaluation on the Analysis page, or for various objects, presenting
                  no "acceptRiskStatus" filter defaults to the "notAccepted" behavior.
   
            filterName "asset"          ------------------
            "operator": <string> "=" | "~" (combination expression),
  
            filterName "asset", operator "="            --------------------------------
            "value" : [
                {
                    "id" : <number> (integer)
                }...
            ]
  
            filterName "asset", operator "~"            --------------------------------
            "value" : <comboRecord> {
                "operator": <string> "complement" | "intersection" | "difference" | "union",
                "operand1": <comboRecord> | <number> (integer) | {
                    "id" : <number> (integer)
                }
  
                operator not "complement"               -------------------------
                "operand2": <comboRecord> | <number> (integer) | {
                    "id" : <number> (integer)
                }
            }
 
            filterName "assetCriticalityRating"         --------------------------
            "operator" : <string> "=",
            "value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
 
            filterName "auditFile" | "policy" | "repository" | "responsibleUser"            --------------------------------------------------------------------
            "operator": <string> "=",
            "value" : {
                "id" : <number> (integer)
            }
             
            filterName "baseCVSSScore"          --------------------------
            "operator" : <string> "=",
            "value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
 
            filterName "benchmarkName"          --------------------------
            "operator" : <string> "=" (fuzzy-left, right-anchored match),
            "value" : <string>
 
            filterName "cceID" | "iavmID"           -----------------------------
            "operator" : <string> "=" (fuzzy match),
            "value" : <string> (comma-separated list)
 
            filterName "cpe"            ----------------
            "operator": <string> "=" (i.e. explicit per entry) |
                                 "~=" (i.e. fuzzy match across entire entries string) |
                                 "pcre" (i.e. Perl-compatible, regular expression, across entire entries string),
  
            filterName "cpe", operator "=" | "~="           -------------------------------------
            "value" : <string> (comma-separated or newline-separated list)
 
            filterName "cpe", operator "pcre"           ---------------------------------
            "value" : <string> (Perl-compatible, regular expression)
 
            filterName "cveID" | "msbulletinID"         -----------------------------------
            "operator" : <string> "=" (fuzzy match),
            "value" : <string> (comma-separated or newline-separated list)
 
            filterName "cvssVector"         -----------------------
            "operator" : <string> "=",
            "value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
  
                                Simple CVSS Vector = <string> "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:M" | "AC:L" | "Au:N" | "Au:S" | "Au:M" | "C:N" | "C:P" | "C:C" | "I:N" | "I:P" | "I:C" | "A:N" | "A:P" | "A:C" | "E:ND" | "E:U" | "E:P" | "E:POC" | "E:F" | "E:H" | "RL:ND" | "RL:O" | "RL:OF" | "RL:T" | "RL:TF" | "RL:W" | "RL:U" | "RC:ND" | "RC:UC" | "RC:UR" | "RC:C"
                                Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)
 
            filterName "cvssV3BaseScore"            --------------------------
            "operator" : <string> "=",
            "value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
             
            filterName "cvssV3Vector"           -----------------------
            "operator" : <string> "=",
            "value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
  
                                Simple CVSS Vector = <string> "AV:P" | "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:L" | "PR:H" | "PR:L" | "PR:N" | "PR:U" | "UI:R" | "UI:N" | "S:C" | "S:U" | "C:N" | "C:L" | "C:H" | "I:N" | "I:L" | "I:H" | "A:N" | "A:L" | "A:H" | "E:H" | "E:F" | "E:P" | "E:U" | "E:X" | "RL:U" | "RL:W" | "RL:OF" | "RL:T" | "RL:O" | "RL:X" | "RC:C" | "RC:R" | "RC:U" | "RC:X"
                                Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)
 
            filterName "daysMitigated" | "firstSeen" | "lastMitigated" | "lastSeen" | "pluginModified" | "pluginPublished" | "vulnPublished"            ---------------------------------------------------------------------------------------------------------------------------------------------------
            "operator": <string> "=" (relative with custom format),
            "value" : <string> "<minDaysBack>:<maxDaysBack>" (Both minDaysBack and maxDaysBack are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago].) | "<minDaysBack>:all" (A value "all" indicates to return all results before minDaysBack) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter"          filterName "dnsName"            --------------------
            "operator" : <string> "=",
            "value" : <string> (comma-separated or newline-separated list of valid DNS names)
  
            filterName "exploitAvailable"           -----------------------------
            "operator" : <string> "=",
            "value" : <string> "true" | "false"           filterName "exploitFrameworks"          ------------------------------
            "operator": <string> "=" (i.e. explicit for entire entries string) |
                                 "~=" (i.e. fuzzy match across entire entries string),
            "value" : <string>            filterName "family"         -------------------
            "operator": <string> "=" | "!=",
            "value" : [
                {
                    "id" : <number> (integer)
                }...
            ]
 
            filterName "ip"         ---------------
            "operator" : <string> "=" | "!=",
            "value" : <string> (comma-separated or newline-separated list of valid IPs and/or DNS names)
 
            filterName "mitigatedStatus"            ----------------------------
            "operator": <string> "=",
            "value" : <string> "previously" | "never"
            filterName "outputAssets"           -------------------------
            "operator": <string> "=",
            "value" : <string> (comma-separated list of Integers) | [
                {
                    "id" : <number> (integer)
                }...
            ]
            filterName "patchPublished"         ---------------------------
            "operator": <string> "=",
            "value" : <string> "<endDay>:<startDay>" | "<endDay>:all" (Both endDay and startDay are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago]. A value of "all" for startDay is interpreted as "0" [i.e. from "now", back endDay days ago]) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter" | "none" (i.e vulnerabilities that cannot be resolved through a patch)
             
            filterName "pluginID"           ---------------------
            "operator" : <string> "=" | "!=" | "<=" | ">=",
 
            filterName "pluginID", operator "=" | "!="          ------------------------------------------
            "value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 8388607)
 
            filterName "pluginID", operator "<=" | ">="           -------------------------------------------
            "value" : <number> (integer, between 0 and 8388607)
 
            filterName "pluginName"         -----------------------
            "operator": <string> "=" (i.e. fuzzy match) | "pcre" (i.e. Perl-compatible, regular expression),
            "value" : <string>            filterName "pluginText"         -----------------------
            "operator": <string> "=" (i.e. fuzzy match, stripped text [forced]) |
                                 "pcre" (i.e. Perl-compatible, regular expression, stripped text [forced]),
            "value" : <string>            filterName "pluginType"         -----------------------
            "operator": <string> "=",
            "value" : <string> "passive" | "lce" | "active" | "compliance" (comma-separated)
  
            filterName "port" | "tcpport" | "udpport"           -----------------------------------------
            "operator" : <string> "=" | "!=" | "<=" | ">=",
  
            filterName "port" | "tcpport" | "udpport", operator "=" | "!="          --------------------------------------------------------------
            "value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 65535)
 
            filterName "port" | "tcpport" | "udpport", operator "<=" | ">="           ---------------------------------------------------------------
            "value" : <number> (integer, between 0 and 65535)
  
            filterName "protocol"           ---------------------
            "operator": <string> "=" | "!=",
            "value" : <string> (comma-separated or newline-separated list of integers)
 
            filterName "recastRiskStatus"           -----------------------------
            "operator" : <string> "=",
            "value" : <string> "recast" | "notRecast"         filterName "severity"           ---------------------
            "operator": <string> "=" | "!=",
            "value" : <string> (comma-separated or newline-separated list of integers) | [
                {
                    "id" : <number> (integer)
                }...
            ]
             
            filterName "solutionID"         ---------------------
            "operator" : <string> "="         "value" : <string> "SC-" + <number> (comma-separated or newline-separated list of integers; number is an integer representing the Plugin ID of a solution)
 
            filterName "stigSeverity"           -------------------------
            "operator": <string> "=" | "!=",
            "value" : <string> (comma-separated or newline-separated list of Roman Numerals) | [
                {
                    "id" : <string> (valid Roman Numeral)
                }...
            ]
  
            filterName "vprScore"           --------------------------
            "operator" : <string> "=",
            "value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
             
            filterName "xref"           -----------------
            "operator" : <string> "=" | "!=",
            "value" : <string> (comma-separated list of XREF Expressions)
                XREF Expression = <string> "<type>|<wildCard>" (XREF Type and ID Wildcard, pipe-delimited)
                    XREF Type = <string>
                    ID Wildcard = <string> (where "?" matches a single occurrence of any character and "*" matches any character, any number of times)
        }...
    ] DEFAULT []
...
sourceType "cumulative" | null

Note: sourceType will always be null. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)

...
    "tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary"...
sourceType "individual"

Note: sourceType will never be "individual." This is included for informational purposes only. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)

...
    "tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
    "scanID" : <number>...
Example Response
{
    "type" : "regular",
    "response" : {
        "id" : "12"     "name" : "Test Combo Filter 2",
        "description" : "",
        "tool" : "sumid",
        "type" : "vuln",
        "tags" : "",
        "context" : "",
        "browseColumns" : "",
        "browseSortColumn" : "",
        "browseSortDirection" : "ASC",
        "createdTime" : "1403620113",
        "modifiedTime" : "1403620113",
        "status" : "0",
        "ownerGID" : "0",
        "targetGID" : "-1",
        "filters" : [
            {
                "filterName" : "ip",
                "operator" : "=",
                "value" : "192.168.1.100"           }
        ],
        "canManage" : "true",
        "canUse" : "true",
        "creator" : {
            "id" : "1"          "username" : "JohnD",
            "firstname" : "John",
            "lastname" : "Doe",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "owner" : {
            "id" : "1",
            "username" : "JohnD",
            "firstname" : "John",
            "lastname" : "Doe",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "ownerGroup" : {
            "id" : "0",
            "name" : "Full Access",
            "description" : "Full Access group"     },
        "targetGroup" : {
            "id" : -1,
            "name" : "",
            "description" : ""      }
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1404224762
}

/query/{id}

Methods
GET

Gets the Query associated with {id}.

Fields Parameter

The fields parameter should be specified in the query string, and it takes the syntax

    ?fields=<field>,...

Allowed Fields

* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups

Legend

* = always comes back
** = comes back if fields list not specified on GET all


NOTE: Currently, all fields come back on GET all; the ** marks the fields that will be listed in a future release.

Example Response
{
    "type" : "regular",
    "response" : {
        "id" : "12",
        "name" : "Test Combo Filter 2",
        "description" : "",
        "tool" : "sumid",
        "type" : "vuln",
        "tags" : "",
        "context" : "",
        "browseColumns" : "",
        "browseSortColumn" : "",
        "browseSortDirection" : "ASC",
        "createdTime" : "1403620113",
        "modifiedTime" : "1403620113",
        "status" : "0",
        "ownerGID" : "0",
        "targetGID" : "-1",
        "filters" : [
            {
                "filterName" : "ip",
                "operator" : "=",
                "value" : "192.168.1.100"           }
        ],
        "canManage" : "true",
        "canUse" : "true",
        "creator" : {
            "id" : "1",
            "username" : "JohnD",
            "firstname" : "John",
            "lastname" : "Doe",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "owner" : {
            "id" : "1",
            "username" : "JohnD",
            "firstname" : "John",
            "lastname" : "Doe",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "ownerGroup" : {
            "id" : "0",
            "name" : "Full Access",
            "description" : "Full Access group"     },
        "targetGroup" : {
            "id" : -1,
            "name" : "",
            "description" : ""      }
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1404224762
}
PATCH

Edits the Query associated with {id}, changing only the passed-in fields.

Request Parameters

(All fields are optional)

See /query::POST for parameters.

Example Response
See /query/{id}::GET
DELETE

Deletes the Query associated with {id}, depending on access and permissions.

Example Response
{
    "type" : "regular",
    "response" : "",
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1403100582
}

/query/{id}/share

Methods
POST

Shares the Query associated with {id}, depending on access and permissions.

Request Parameters
{
    "groups" : [
        {
            "id" : <number>       }...
    ]
}
Example Response
{
    "type" : "regular",
    "response" : {
        "id" : "3",
        "name" : "Post Copy Response Example2",
        "description" : "",
        "tool" : "sumid",
        "type" : "vuln",
        "tags" : "",
        "context" : "",
        "browseColumns" : "",
        "browseSortColumn" : "",
        "browseSortDirection" : "ASC",
        "createdTime" : "1408380088",
        "modifiedTime" : "1408380088",
        "status" : "0",
        "ownerGID" : "0",
        "targetGID" : "-1",
        "filters" : [
            {
                "filterName" : "ip",
                "operator" : "=",
                "value" : "192.168.1.100"           }
        ],
        "creator" : {
            "id" : "1",
            "username" : "head",
            "firstname" : "Security Manager",
            "lastname" : "",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "owner" : {
            "id" : "1",
            "username" : "head",
            "firstname" : "Security Manager",
            "lastname" : "",
            "uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46"     },
        "ownerGroup" : {
            "id" : "0",
            "name" : "Full Access",
            "description" : "Full Access group"     },
        "targetGroup" : {
            "id" : -1,
            "name" : "",
            "description" : ""      }
    },
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1409087882
}

/query/tag

Methods
GET

Gets the full list of unique Query tags

Example Response
{
    "type" : "regular",
    "response" : [
        "Tag1",
        "Tag2",
        "Tag3"  ],
    "error_code" : 0,
    "error_msg" : "",
    "warnings" : [],
    "timestamp" : 1461093219
}