/query
Methods
Gets the list of Queries.
Fields Parameter
NOTE: Currently, all fields come back on GET all, but the ** indicates fields which will be listed in a future release.
The fields parameter should be specified along the query string, and it takes the syntax:
?fields=<field>,...
Allowed Fields
* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups
Legend
* = always comes back
** = comes back if fields list not specified on GET all
Request Parameters
Parameters must be passed in as a query string (as opposed to JSON) in the format of: /query?type=lce
{
"type" : <string> "alert" | "all" | "lce" | "mobile" | "ticket" | "user" | "vuln" DEFAULT "all"
}
Filter Parameters
usable - The response will be an object containing an array of usable Queries. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Queries. By default, both usable and manageable objects are returned.
Example Response
{
"type" : "regular",
"response" : {
"usable" : [
{
"id" : "1",
"name" : "Name",
"description" : "Test for posting an alert query" },
{
"id" : "2",
"name" : "Post Copy Response Example",
"description" : "" },
{
"id" : "3",
"name" : "Post Copy Response Example2",
"description" : "" },
{
"id" : "1391",
"name" : "TEST",
"description" : "" },
{
"id" : "1467",
"name" : "Test 1",
"description" : "" },
{
"id" : "1468",
"name" : "Test 2",
"description" : "" },
{
"id" : "1469",
"name" : "Test 3",
"description" : "" },
{
"id" : "1470",
"name" : "Test 4",
"description" : "" },
{
"id" : "1471",
"name" : "Test 5",
"description" : "" }
],
"manageable" : [
{
"id" : "1",
"name" : "Name",
"description" : "Test for posting an alert query" },
{
"id" : "2",
"name" : "Post Copy Response Example",
"description" : "" },
{
"id" : "3",
"name" : "Post Copy Response Example2",
"description" : "" },
{
"id" : "1391",
"name" : "TEST",
"description" : "" },
{
"id" : "1434",
"name" : "query1",
"description" : "Created with 'group1's shared asset: 'Test Asset 1'.\n\nThis asset will be unshared" },
{
"id" : "1435",
"name" : "query2",
"description" : "Created with 'group1's shared asset: 'Test Asset 2'.\n\nThis asset will be deleted" },
{
"id" : "1436",
"name" : "group1Query",
"description" : "" },
{
"id" : "1467",
"name" : "Test 1",
"description" : "" },
{
"id" : "1468",
"name" : "Test 2",
"description" : "" },
{
"id" : "1469",
"name" : "Test 3",
"description" : "" },
{
"id" : "1470",
"name" : "Test 4",
"description" : "" },
{
"id" : "1471",
"name" : "Test 5",
"description" : "" }
]
},
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1427750981
}
Adds a Query
Request Parameters
{
"name" : <string>,
"description" : <string> DEFAULT "",
"ownerID" : <string> DEFAULT <Session User ID>,
"tags" : <string> DEFAULT "",
"type" : <string> "alert" | "lce" | "mobile" | "ticket" | "user" | "vuln",
"context" : <string> DEFAULT "",
"browseColumns" : <string> DEFAULT "",
"browseSortColumn" : <string> DEFAULT "",
"browseSortDirection" : <string> "ASC" | "DESC" DEFAULT "ASC",
...
}
Alert Type
...
"sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash),
"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive),
"startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
"endOffset" : <number> OPTIONAL (integer),
"tool" : <string> "listalerts",
"filters" : [
{
"filterName" : <string> "alertName" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "description" | "didTriggerLastEvaluation" | "lastEvaluatedEndTime" | "lastEvaluatedStartTime" | "lastEvaluatedTimeFrame" | "lastTriggeredEndTime" | "lastTriggeredStartTime" | "lastTriggeredTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame",
"operator" : <string> "",
"value" : <string> | <number> }...
] DEFAULT []
...
LCE Type
NOTE #1: Filter operators are not validated, but the provided filters are the ones that will properly function.
NOTE #2: Filter "outputAssets" only applies to tool "sumasset".
...
"sortField" : <string> OPTIONAL (alphanumeric word(s) separated by a space/dash. Must accompany sortDir),
"sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set. default 0 if not specified),
"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set. default 100 if not specified),
"tool" : <string> "listdata" | "sumasset" | "sumclassa" | "sumclassb" | "sumclassc" | "sumdate" | "sumevent" | "sumevent2" | "sumip" | "sumport" | "sumprotocol" | "sumsensor" | "sumtime" | "sumtype" | "sumuser" | "syslog" | "timedist",
"filters" : [
{
"filterName" : <string> "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "dport" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "port" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "sport" | "starttime" | "text" | "timeframe" | "type" | "user",
filterName "asset" | "assetID" | "connectionDirection" | "correlated" | "date" | "destAsset" | "destAssetID" | "destip" | "detailedEventName" | "endtime" | "eventName" | "ip" | "lce" | "lceIDs" | "numEvents" | "outputAssets" | "protocol" | "repository" | "repositoryIDs" | "sensor" | "silo" | "sourceAsset" | "sourceAssetID" | "sourceip" | "starttime" | "text" | "timeframe" | "type" | "user" -------------------------------------------
"operator" : <string> "=" | "!=",
"value" : (Format depends on filter's "filterName" parameter)
filterName "dport" | "port" | "sport" -------------------------------------------
"operator" : <string> "=" | "!=" | "<=" | ">=",
"value" : (Format depends on filter's "filterName" parameter)
}...
] DEFAULT []
...
sourceType "archive"
Note: sourceType will never be "archive." This is included for informational purposes only. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)
...
"view" : <string>,
"lce" : {
"id" : <number> }
...
Mobile Type
NOTE: Filter operators are not validated, but the provided filters are the ones that will properly function.
...
"sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sortDir" : <string> "ASC" | "DESC" OPTIONAL (default "ASC" if not specified and sortField is specified),
"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set. Must be explicitly supplied for tool "vulndetails"),
"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set. Must be explicitly supplied for tool "vulndetails"),
"tool" : <string> "listvuln" | "sumdeviceid" | "summdmuser" | "summodel" | "sumoscpe" | "sumpluginid" | "vulndetails",
"filters" : [
{
"filterName" : <string> "baseCVSSScore" | "cvssV3BaseScore" | "deviceID" | "deviceModel" | "deviceUser" | "deviceVersion" | "exploitAvailable" | "family" | "familyID" | "lastMitigated" | "lastSeen" | "mdmType" | "osCPE" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginOutput" | "pluginPublished" | "port" | "protocol" | "repository" | "repositoryIDs" | "serialNumber" | "severity" | "vulnPublished",
filterName "osCPE" | "baseCVSSScore" | "cvssV3BaseScore" | "pluginOutput" | "repository" | "repositoryIDs" | "deviceID" | "deviceModel" | "deviceUser" | "pluginID" ------------------------------------------------------------
"operator" : "=" | "!=",
"value" : (Format depends on filter's "filterName" parameter)
filterName "mdmType" | "pluginName" | "lastMitigated" | "lastSeen" | "vulnPublished" | "pluginModified" | "patchPublished" | "pluginPublished" | "acceptedRisk" | "daysMitigated" | "dnsName" | "exploitAvailable" | "family" | "familyID" | "ip" | "lastMitigated" | "mitigatedStatus" | "pluginText" | "port" | "protocol" | "recastRisk" | "responsibleUser" | "severity" | "xref" ---------------------------------------------------------------------------------------------------------------------------------
"operator" : <string> "=" | "<=" | ">=" | "!=" | "between" | "outside" | "contains" | "excludes" | "in" | "!in",
"value" : (Format depends on filter's "filterName" parameter)
}...
] DEFAULT []
...
Ticket Type
...
"sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir),
"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
"startOffset" : <number> OPTIONAL (integer; default "0" if not specified and endOffset is specified),
"endOffset" : <number> OPTIONAL (integer),
"tool" : <string> "listtickets" | "sumassignee" | "sumclassification" | "sumcreator" | "sumstatus",
"filters" : [
{
"filterName" : <string> "assignedEndTime" | "assignedStartTime" | "assignedTimeFrame" | "assignee" | "assigneeID" | "classification" | "closedEndTime" | "closedStartTime" | "closedTimeFrame" | "createdEndTime" | "createdStartTime" | "createdTimeFrame" | "modifiedEndTime" | "modifiedStartTime" | "modifiedTimeFrame" | "owner" | "ownerID" | "resolvedEndTime" | "resolvedStartTime" | "resolvedTimeFrame" | "status",
"value" : (Format depends on filter's "filterName" parameter)
}...
] DEFAULT []
...
User Type
...
"sortField" : <string> OPTIONAL (alphanumeric; must accompany sortDir. username, roleID, and groupID will attempt to perform case-insensitive sort on the text field in relation to the ID),
"sortDir" : <string> "ASC" | "DESC" OPTIONAL (sort is case insensitive; must accompany sortField),
"startOffset" : <number> OPTIONAL (integer; default "1" if not specified and endOffset is specified),
"endOffset" : <number> OPTIONAL (integer),
"tool" : <string> "listusers" | "sumgroup" | "sumrole",
"filters" : [
{
"filterName" : <string> "address" | "authType" | "country" | "email" | "fax" | "firstname" | "group" | "groupID" | "lastLoginEndTime" | "lastLoginStartTime" | "lastLoginTimeFrame" | "lastname" | "locked" | "phone" | "role" | "roleID" | "state" | "title" | "username",
"operator" : <string>,
"value" : (Format depends on filter's "filterName" parameter)
}...
]
...
Vuln Type
NOTE #1: Filter operators are not validated, but the provided filters are the ones that will properly function.
NOTE #2: Filter "outputAssets" only applies to tool "sumasset".
NOTE #3: Filter "solutionID" only applies to tools "sumremediation" and "remediationdetail". Moreover, tool "remediationdetail" must specify a "solutionID" filter.
...
"sortField" : <string> OPTIONAL (alphanumeric; any valid field returned in the results entry for the corresponding tool. [Some restrictions apply.] Must accompany sortDir),
"sortDir" : <string> "ASC" | "DESC" DEFAULT "ASC" (default "ASC" if not specified and sortField is specified),
"startOffset" : <number> OPTIONAL (integer; lower bound to returned record set. Must be explicitly supplied for tools "vulndetails" and "listvuln"),
"endOffset" : <number> OPTIONAL (integer; upper bound to returned record set. Must be explicitly supplied for tools "vulndetails" and "listvuln"),
"tool" : <string> "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "remediationdetail" | "sumasset" | "sumcce" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
"filters" : [
{
"filterName" : <string> "acceptRiskStatus" | "asset" | "assetCriticalityRating" | "assetID" | "auditFile" | "auditFileID" | "baseCVSSScore" | "benchmarkName" | "cceID" | "cpe" | "cveID" | "cvssV3BaseScore" | "cvssV3Vector" | "cvssVector" | "dataFormat" | "daysMitigated" | "daysToMitigated" | "dnsName" | "exploitAvailable" | "exploitFrameworks" | "family" | "familyID" | "firstSeen" | "iavmID" | "ip" | "lastMitigated" | "lastSeen" | "mitigatedStatus" | "msbulletinID" | "outputAssets" | "patchPublished" | "pluginID" | "pluginModified" | "pluginName" | "pluginPublished" | "pluginText" | "pluginType" | "policy" | "policyID" | "port" | "protocol" | "recastRiskStatus" | "repository" | "repositoryIDs" | "responsibleUser" | "responsibleUserIDs" | "severity" | "solutionID" | "stigSeverity" | "tcpport" | "udpport" | "uuid" | "vprScore" | "vulnPublished" | "xref",
filterName "acceptRiskStatus" -----------------------------
"operator" : <string> "=",
"value" : <string> "all" | "accepted" | "notAccepted"
NOTE: During evaluation on the Analysis page, or for various objects, presenting
no "acceptRiskStatus" filter defaults to the "notAccepted" behavior.
filterName "asset" ------------------
"operator": <string> "=" | "~" (combination expression),
filterName "asset", operator "=" --------------------------------
"value" : [
{
"id" : <number> (integer)
}...
]
filterName "asset", operator "~" --------------------------------
"value" : <comboRecord> {
"operator": <string> "complement" | "intersection" | "difference" | "union",
"operand1": <comboRecord> | <number> (integer) | {
"id" : <number> (integer)
}
operator not "complement" -------------------------
"operand2": <comboRecord> | <number> (integer) | {
"id" : <number> (integer)
}
}
filterName "assetCriticalityRating" --------------------------
"operator" : <string> "=",
"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
filterName "auditFile" | "policy" | "repository" | "responsibleUser" --------------------------------------------------------------------
"operator": <string> "=",
"value" : {
"id" : <number> (integer)
}
filterName "baseCVSSScore" --------------------------
"operator" : <string> "=",
"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
filterName "benchmarkName" --------------------------
"operator" : <string> "=" (fuzzy-left, right-anchored match),
"value" : <string>
filterName "cceID" | "iavmID" -----------------------------
"operator" : <string> "=" (fuzzy match),
"value" : <string> (comma-separated list)
filterName "cpe" ----------------
"operator": <string> "=" (i.e. explicit per entry) |
"~=" (i.e. fuzzy match across entire entries string) |
"pcre" (i.e. Perl-compatible, regular expression, across entire entries string),
filterName "cpe", operator "=" | "~=" -------------------------------------
"value" : <string> (comma-separated or newline-separated list)
filterName "cpe", operator "pcre" ---------------------------------
"value" : <string> (Perl-compatible, regular expression)
filterName "cveID" | "msbulletinID" -----------------------------------
"operator" : <string> "=" (fuzzy match),
"value" : <string> (comma-separated or newline-separated list)
filterName "cvssVector" -----------------------
"operator" : <string> "=",
"value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
Simple CVSS Vector = <string> "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:M" | "AC:L" | "Au:N" | "Au:S" | "Au:M" | "C:N" | "C:P" | "C:C" | "I:N" | "I:P" | "I:C" | "A:N" | "A:P" | "A:C" | "E:ND" | "E:U" | "E:P" | "E:POC" | "E:F" | "E:H" | "RL:ND" | "RL:O" | "RL:OF" | "RL:T" | "RL:TF" | "RL:W" | "RL:U" | "RC:ND" | "RC:UC" | "RC:UR" | "RC:C"
Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)
filterName "cvssV3BaseScore" --------------------------
"operator" : <string> "=",
"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
filterName "cvssV3Vector" -----------------------
"operator" : <string> "=",
"value" : <string> (comma-separated list of Simple or Complex CVSS vectors)
Simple CVSS Vector = <string> "AV:P" | "AV:L" | "AV:A" | "AV:N" | "AC:H" | "AC:L" | "PR:H" | "PR:L" | "PR:N" | "PR:U" | "UI:R" | "UI:N" | "S:C" | "S:U" | "C:N" | "C:L" | "C:H" | "I:N" | "I:L" | "I:H" | "A:N" | "A:L" | "A:H" | "E:H" | "E:F" | "E:P" | "E:U" | "E:X" | "RL:U" | "RL:W" | "RL:OF" | "RL:T" | "RL:O" | "RL:X" | "RC:C" | "RC:R" | "RC:U" | "RC:X"
Complex CVSS Vector = <string> (slash-separated list of Simple CVSS Vectors where all entries must match)
filterName "daysMitigated" | "firstSeen" | "lastMitigated" | "lastSeen" | "pluginModified" | "pluginPublished" | "vulnPublished" ---------------------------------------------------------------------------------------------------------------------------------------------------
"operator": <string> "=" (relative with custom format),
"value" : <string> "<minDaysBack>:<maxDaysBack>" (Both minDaysBack and maxDaysBack are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago].) | "<minDaysBack>:all" (A value "all" indicates to return all results before minDaysBack) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter"
filterName "dnsName" --------------------
"operator" : <string> "=",
"value" : <string> (comma-separated or newline-separated list of valid DNS names)
filterName "exploitAvailable" -----------------------------
"operator" : <string> "=",
"value" : <string> "true" | "false"
filterName "exploitFrameworks" ------------------------------
"operator": <string> "=" (i.e. explicit for entire entries string) |
"~=" (i.e. fuzzy match across entire entries string),
"value" : <string>
filterName "family" -------------------
"operator": <string> "=" | "!=",
"value" : [
{
"id" : <number> (integer)
}...
]
filterName "ip" ---------------
"operator" : <string> "=" | "!=",
"value" : <string> (comma-separated or newline-separated list of valid IPs and/or DNS names)
filterName "mitigatedStatus" ----------------------------
"operator": <string> "=",
"value" : <string> "previously" | "never"
filterName "outputAssets" -------------------------
"operator": <string> "=",
"value" : <string> (comma-separated list of Integers) | [
{
"id" : <number> (integer)
}...
]
filterName "patchPublished" ---------------------------
"operator": <string> "=",
"value" : <string> "<endDay>:<startDay>" | "<endDay>:all" (Both endDay and startDay are provided in the number of days ago. [e.g. "0:90" is between now and 90 days ago]. A value of "all" for startDay is interpreted as "0" [i.e. from "now", back endDay days ago]) | "currentMonth" | "lastMonth" | "currentQuarter" (i.e. the current fiscal quarter) | "lastQuarter" | "none" (i.e. vulnerabilities that cannot be resolved through a patch)
filterName "pluginID" ---------------------
"operator" : <string> "=" | "!=" | "<=" | ">=",
filterName "pluginID", operator "=" | "!=" ------------------------------------------
"value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 8388607)
filterName "pluginID", operator "<=" | ">=" -------------------------------------------
"value" : <number> (integer, between 0 and 8388607)
filterName "pluginName" -----------------------
"operator": <string> "=" (i.e. fuzzy match) | "pcre" (i.e. Perl-compatible, regular expression),
"value" : <string>
filterName "pluginText" -----------------------
"operator": <string> "=" (i.e. fuzzy match, stripped text [forced]) |
"pcre" (i.e. Perl-compatible, regular expression, stripped text [forced]),
"value" : <string>
filterName "pluginType" -----------------------
"operator": <string> "=",
"value" : <string> "passive" | "lce" | "active" | "compliance" (comma-separated)
filterName "port" | "tcpport" | "udpport" -----------------------------------------
"operator" : <string> "=" | "!=" | "<=" | ">=",
filterName "port" | "tcpport" | "udpport", operator "=" | "!=" --------------------------------------------------------------
"value" : <number> (comma-separated or newline-separated list of integers or inclusive integer ranges, using a dash ["-"] delimiter, with each value between 0 and 65535)
filterName "port" | "tcpport" | "udpport", operator "<=" | ">=" ---------------------------------------------------------------
"value" : <number> (integer, between 0 and 65535)
filterName "protocol" ---------------------
"operator": <string> "=" | "!=",
"value" : <string> (comma-separated or newline-separated list of integers)
filterName "recastRiskStatus" -----------------------------
"operator" : <string> "=",
"value" : <string> "recast" | "notRecast"
filterName "severity" ---------------------
"operator": <string> "=" | "!=",
"value" : <string> (comma-separated or newline-separated list of integers) | [
{
"id" : <number> (integer)
}...
]
filterName "solutionID" ---------------------
"operator" : <string> "=",
"value" : <string> "SC-" + <number> (comma-separated or newline-separated list of integers; number is an integer representing the Plugin ID of a solution)
filterName "stigSeverity" -------------------------
"operator": <string> "=" | "!=",
"value" : <string> (comma-separated or newline-separated list of Roman Numerals) | [
{
"id" : <string> (valid Roman Numeral)
}...
]
filterName "vprScore" --------------------------
"operator" : <string> "=",
"value" : <string> (inclusive, nonnegative, decimal range, using a dash ["-"] delimiter)
filterName "xref" -----------------
"operator" : <string> "=" | "!=",
"value" : <string> (comma-separated list of XREF Expressions)
XREF Expression = <string> "<type>|<wildCard>" (XREF Type and ID Wildcard, pipe-delimited)
XREF Type = <string>
ID Wildcard = <string> (where "?" matches a single occurrence of any character and "*" matches any character, any number of times)
}...
] DEFAULT []
...
sourceType "cumulative" | null
Note: sourceType will always be null. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)
...
"tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary"
...
sourceType "individual"
Note: sourceType will never be "individual." This is included for informational purposes only. Current functionality doesn't accept a "sourceType" parameter, and will always set it to default QUERY_NOT_TREND (null)
...
"tool" : <string> "cceipdetail" | "cveipdetail" | "iavmipdetail" | "ipcount" | "iplist" | "listmailclients" | "listos" | "listservices" | "listsoftware" | "listsshservers" | "listvuln" | "listwebclients" | "listwebservers" | "popcount" | "sumasset" | "sumcce" | "sumcceasr" | "sumclassa" | "sumclassb" | "sumclassc" | "sumcpe" | "sumcve" | "sumdnsname" | "sumfamily" | "sumiavm" | "sumid" | "sumip" | "summsbulletin" | "sumport" | "sumprotocol" | "sumremediation" | "sumseverity" | "sumuserresponsibility" | "trend" | "vulndetails" | "vulnipdetail" | "vulnipsummary",
"scanID" : <number>
...
Example Response
{
"type" : "regular",
"response" : {
"id" : "12",
"name" : "Test Combo Filter 2",
"description" : "",
"tool" : "sumid",
"type" : "vuln",
"tags" : "",
"context" : "",
"browseColumns" : "",
"browseSortColumn" : "",
"browseSortDirection" : "ASC",
"createdTime" : "1403620113",
"modifiedTime" : "1403620113",
"status" : "0",
"ownerGID" : "0",
"targetGID" : "-1",
"filters" : [
{
"filterName" : "ip",
"operator" : "=",
"value" : "192.168.1.100" }
],
"canManage" : "true",
"canUse" : "true",
"creator" : {
"id" : "1",
"username" : "JohnD",
"firstname" : "John",
"lastname" : "Doe",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"owner" : {
"id" : "1",
"username" : "JohnD",
"firstname" : "John",
"lastname" : "Doe",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"ownerGroup" : {
"id" : "0",
"name" : "Full Access",
"description" : "Full Access group" },
"targetGroup" : {
"id" : -1,
"name" : "",
"description" : "" }
},
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1404224762
}
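Because the Vuln Type notes above say filter operators are not validated, a caller can check a request body against the documented rules before sending it. The sketch below is an added example, not part of the API or its documentation: the function names and the two sample bodies are constructed, and it covers only the tool notes (NOTE #2, NOTE #3, explicit offsets) and the integer-list, days-back and score-range filters.

```python
import re

# Rules transcribed from the "Vuln Type" section of this page.
TOOL_ONLY_FILTERS = {
    "outputAssets": {"sumasset"},                           # NOTE #2
    "solutionID": {"sumremediation", "remediationdetail"},  # NOTE #3
}
EXPLICIT_OFFSET_TOOLS = {"vulndetails", "listvuln"}
INT_LIST_MAX = {"pluginID": 8388607, "port": 65535, "tcpport": 65535, "udpport": 65535}
DAYS_FILTERS = {"daysMitigated", "firstSeen", "lastMitigated", "lastSeen",
                "pluginModified", "pluginPublished", "vulnPublished"}
DAYS_KEYWORDS = {"currentMonth", "lastMonth", "currentQuarter", "lastQuarter"}
SCORE_FILTERS = {"assetCriticalityRating", "baseCVSSScore", "cvssV3BaseScore", "vprScore"}
INT_OR_RANGE = re.compile(r"([0-9]+)(?:-([0-9]+))?")
DAYS_RANGE = re.compile(r"[0-9]+:(?:[0-9]+|all)")
SCORE_RANGE = re.compile(r"[0-9]+(?:\.[0-9]+)?-[0-9]+(?:\.[0-9]+)?")


def check_filter(f):
    """Return a list of problems for one entry of the "filters" array."""
    name, op, value = f.get("filterName"), f.get("operator"), f.get("value")
    text = str(value)
    if name in INT_LIST_MAX:
        if op not in ("=", "!=", "<=", ">="):
            return [f"{name}: operator {op!r} is not documented"]
        # "<=" and ">=" take one integer; "=" and "!=" take a list of ints/ranges.
        items = [text] if op in ("<=", ">=") else re.split(r"[,\n]", text)
        problems = []
        for item in items:
            m = INT_OR_RANGE.fullmatch(item.strip())
            if not m or (m.group(2) and op in ("<=", ">=")):
                problems.append(f"{name}: malformed value {item!r}")
            elif any(int(n) > INT_LIST_MAX[name] for n in m.groups() if n):
                problems.append(f"{name}: {item!r} exceeds {INT_LIST_MAX[name]}")
        return problems
    if name in DAYS_FILTERS or name in SCORE_FILTERS:
        if op != "=":
            return [f"{name}: operator {op!r} is not documented"]
        if name in SCORE_FILTERS:
            ok = SCORE_RANGE.fullmatch(text)
        else:
            ok = text in DAYS_KEYWORDS or DAYS_RANGE.fullmatch(text)
        return [] if ok else [f"{name}: malformed value {value!r}"]
    return []  # filters not modelled here pass through unchecked


def validate_vuln_query(body):
    """Return every problem found in a type "vuln" request body (empty = OK)."""
    problems = []
    tool = body.get("tool")
    filters = body.get("filters", [])
    names = {f.get("filterName") for f in filters}
    if tool in EXPLICIT_OFFSET_TOOLS:
        for key in ("startOffset", "endOffset"):
            if key not in body:
                problems.append(f"{tool}: {key} must be supplied explicitly")
    if tool == "remediationdetail" and "solutionID" not in names:
        problems.append("remediationdetail: a solutionID filter is required")
    for name, tools in TOOL_ONLY_FILTERS.items():
        if name in names and tool not in tools:
            problems.append(f"{name}: only applies to tools {sorted(tools)}")
    for f in filters:
        problems.extend(check_filter(f))
    return problems


# Constructed sample bodies (not taken from the page).
GOOD = {"name": "Recent criticals", "type": "vuln", "tool": "listvuln",
        "startOffset": 0, "endOffset": 50,
        "filters": [
            {"filterName": "pluginID", "operator": "=", "value": "10180,19506-19510"},
            {"filterName": "lastSeen", "operator": "=", "value": "0:30"},
            {"filterName": "baseCVSSScore", "operator": "=", "value": "7.0-10.0"}]}
BAD = {"name": "Broken", "type": "vuln", "tool": "remediationdetail",
       "filters": [
           {"filterName": "port", "operator": ">=", "value": "1-70000"},
           {"filterName": "outputAssets", "operator": "=", "value": "3"},
           {"filterName": "vulnPublished", "operator": "<=", "value": "30"}]}

if __name__ == "__main__":
    for body in (GOOD, BAD):
        print(body["name"], validate_vuln_query(body) or "OK")
```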
/query/{id}
Methods
Gets the Query associated with {id}.
Fields Parameter
The fields parameter should be specified along the query string, and it takes the syntax:
?fields=<field>,...
Allowed Fields
* id
** name
** description
creator
owner
ownerGroup
targetGroup
tool
type
tags
context
browseColumns
browseSortColumn
browseSortDirection
createdTime
modifiedTime
status
filters
canManage
canUse
groups
Legend
* = always comes back
** = comes back if fields list not specified on GET all
NOTE: Currently, all fields come back on GET all, but the ** indicates fields which will be listed in a future release.
Example Response
{
"type" : "regular",
"response" : {
"id" : "12",
"name" : "Test Combo Filter 2",
"description" : "",
"tool" : "sumid",
"type" : "vuln",
"tags" : "",
"context" : "",
"browseColumns" : "",
"browseSortColumn" : "",
"browseSortDirection" : "ASC",
"createdTime" : "1403620113",
"modifiedTime" : "1403620113",
"status" : "0",
"ownerGID" : "0",
"targetGID" : "-1",
"filters" : [
{
"filterName" : "ip",
"operator" : "=",
"value" : "192.168.1.100" }
],
"canManage" : "true",
"canUse" : "true",
"creator" : {
"id" : "1",
"username" : "JohnD",
"firstname" : "John",
"lastname" : "Doe",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"owner" : {
"id" : "1",
"username" : "JohnD",
"firstname" : "John",
"lastname" : "Doe",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"ownerGroup" : {
"id" : "0",
"name" : "Full Access",
"description" : "Full Access group" },
"targetGroup" : {
"id" : -1,
"name" : "",
"description" : "" }
},
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1404224762
}
Edits the Query associated with {id}, changing only the passed-in fields.
Request Parameters
(All fields are optional)
See /query::POST for parameters.
Example Response
See /query/{id}::GET
Deletes the Query associated with {id}, depending on access and permissions.
Example Response
{
"type" : "regular",
"response" : "",
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1403100582
}
/query/{id}/share
Methods
Shares the Query associated with {id}, depending on access and permissions.
Request Parameters
{
"groups" : [
{
"id" : <number> }...
]
}
Example Response
{
"type" : "regular",
"response" : {
"id" : "3",
"name" : "Post Copy Response Example2",
"description" : "",
"tool" : "sumid",
"type" : "vuln",
"tags" : "",
"context" : "",
"browseColumns" : "",
"browseSortColumn" : "",
"browseSortDirection" : "ASC",
"createdTime" : "1408380088",
"modifiedTime" : "1408380088",
"status" : "0",
"ownerGID" : "0",
"targetGID" : "-1",
"filters" : [
{
"filterName" : "ip",
"operator" : "=",
"value" : "192.168.1.100" }
],
"creator" : {
"id" : "1",
"username" : "head",
"firstname" : "Security Manager",
"lastname" : "",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"owner" : {
"id" : "1",
"username" : "head",
"firstname" : "Security Manager",
"lastname" : "",
"uuid" : "48F26F3B-6A79-4153-96DB-4C63D1BF3D46" },
"ownerGroup" : {
"id" : "0",
"name" : "Full Access",
"description" : "Full Access group" },
"targetGroup" : {
"id" : -1,
"name" : "",
"description" : "" }
},
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1409087882
}
/query/tag
Methods
Gets the full list of unique Query tags.
Example Response
{
"type" : "regular",
"response" : [
"Tag1",
"Tag2",
"Tag3" ],
"error_code" : 0,
"error_msg" : "",
"warnings" : [],
"timestamp" : 1461093219
}