fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Show last_updated date for CVEs #21432

Open ddribeiro opened 4 weeks ago

ddribeiro commented 4 weeks ago

Problem

The List Vulnerabilities endpoint in the Fleet API contains a cve_published property that contains a timestamp for when the CVE was initially published.

Sometimes, CVEs are updated as new information is learned about them. This would result in the metadata associated with the CVE being updated in Fleet (like cvss_score, epss_probability, and cisa_known_exploit). When these properties are updated, we assume cve_published date does not change.

If data associated with a CVE has been updated since it was published, there is no way to determine that using the Fleet API.

For customers that ingest vulnerabilities into a 3rd party dashboard, it means they have to import all vulnerabilities each time they run their workflow rather than just the ones that have changed.

What have you tried?

I used the GET /api/v1/fleet/vulnerabilities endpoint of the Fleet API to view a list of vulnerabilities in my environment. I am able to see when a particular CVE was published (cve_published) and when the entry was added to my Fleet server (created_at). I am not able to determine if a vulnerability has been updated since it was published or imported into a 3rd party dashboard.

Potential solutions

When Fleet pulls vulnerabilities from its 3rd party vulnerability sources, it could detect if any previously known vulnerabilities have updated or changed properties. If they do, Fleet could log a timestamp of when the updated properties were detected. A Fleet admin could use the API to filter vulnerabilities that have new or updated properties after a specific date.

What is the expected workflow as a result of your proposal?

As a result of this workflow, a Fleet admin that uses the API to import vulnerabilities into a 3rd party dashboard would only get results for vulnerabilities that have been updated after a specified date. This would streamline the existing workflow as it would not update data that has not changed since the last time the workflow was run.
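
The change detection the proposal describes, done client-side over the List Vulnerabilities response, as an added example that is not Fleet's code: each record's mutable metadata (cvss_score, epss_probability, cisa_known_exploit) is fingerprinted, compared with the snapshot from the previous poll, and only new or revised records are emitted with a last_updated stamp. It assumes each record carries a "cve" identifier key; the sample records and CVE ids are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not Fleet code. Fields Fleet may revise after a CVE is first
# published; the "cve" identifier key is an assumption about the response shape.
MUTABLE_FIELDS = ("cvss_score", "epss_probability", "cisa_known_exploit")

def fingerprint(vuln: dict) -> str:
    """Stable SHA-256 over the mutable metadata of one vulnerability record."""
    subset = {k: vuln.get(k) for k in MUTABLE_FIELDS}
    encoded = json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def detect_changes(previous: dict, current: list, now: datetime) -> tuple:
    """Return (delta, snapshot): records that are new or changed since the
    last run, each stamped with last_updated, and the {cve: fingerprint}
    map to persist for the next run."""
    delta, snapshot = [], {}
    for vuln in current:
        cve, fp = vuln["cve"], fingerprint(vuln)
        snapshot[cve] = fp
        if previous.get(cve) != fp:      # unseen CVE or revised metadata
            delta.append({**vuln, "last_updated": now.isoformat()})
    return delta, snapshot

# Constructed sample records (placeholder CVE ids) in the shape of the
# List Vulnerabilities response discussed above.
RUN_1 = [
    {"cve": "CVE-0000-0001", "cve_published": "2024-01-02T00:00:00Z",
     "created_at": "2024-01-03T00:00:00Z", "cvss_score": 5.0,
     "epss_probability": 0.01, "cisa_known_exploit": False},
    {"cve": "CVE-0000-0002", "cve_published": "2024-01-02T00:00:00Z",
     "created_at": "2024-01-03T00:00:00Z", "cvss_score": 7.5,
     "epss_probability": 0.10, "cisa_known_exploit": False},
]
# Second poll: the second CVE was added to CISA KEV; the first is unchanged.
RUN_2 = [dict(RUN_1[0]), {**RUN_1[1], "cisa_known_exploit": True}]

def demo() -> tuple:
    """Two polls; the second delta holds only the revised record."""
    t1 = datetime(2024, 1, 3, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    first, snap = detect_changes({}, RUN_1, t1)
    second, _ = detect_changes(snap, RUN_2, t2)
    return [v["cve"] for v in first], [v["cve"] for v in second]

if __name__ == "__main__":
    print(demo())
```

Persisting the snapshot between runs (a file or a small table) is what lets the dashboard import only the delta; a server-side last_updated field would make the snapshot unnecessary.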

JoStableford commented 4 weeks ago

Related to a Slack conversation