VMware Aria Automation for Secure Clouds provides public Findings APIs, documented through a user-friendly Swagger interface, that customers can use to query for violations and gather insights about connected threats. Users can build automation that ingests findings and rule details and combines them with their internal or external tools.
To perform the API calls described in this article, you need to have the following:
You can use the Findings APIs to view violations, events, and anomalies detected in your cloud accounts. The APIs allow for powerful aggregations, filters, sorts, and searches that can be used for cloud resource inventorying, snapshotting, and reporting.
Users can easily view all the findings in their cloud accounts. This enables users to proactively resolve any violations in their cloud configuration and create detailed reports for internal tracking.
curl -X POST \
https://api.securestate.vmware.com/v2/findings/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'
Response body
{
"totalCount": 10414,
"pageCount": 1000,
"results": [
{
"id": "5c64...",
"type": "violation",
"ruleId": "5c6...",
"cloudAccountId": "5c...",
"cloudProvider": "AWS",
"objectId": "arn:aws:cloudtrail:...",
"objectXid": "161866044093_us-east-2_...",
"service": "user",
"region": "us-east-2",
"level": "Medium",
"creationTime": "2019-05-22T18:01:35Z",
"lastUpdateTime": "2019-06-04T07:06:17Z",
"riskScore": 40,
"cloudTags": {},
"status": "Open"
},
...
],
"continuationToken": "{continuation_token}"
}
To access the next page of results, you must pass the value of the continuationToken field from the previous response into the next query.
curl -X POST \
https://api.securestate.vmware.com/v2/findings/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"paginationInfo":{
"continuationToken": "{continuation_token}",
"pageSize": 1000
}
}'
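The pagination loop described above, written as an added example (not VMware's code) for anyone building automation that ingests findings. It assumes the request and response shapes shown on this page; the `post` callable abstracts the HTTP transport, so the same paging logic is exercised offline against constructed sample pages.

```python
# Added example (not VMware's code): page through the Findings query API by
# following continuationToken. Assumes the response shape shown on this page;
# `post` abstracts the HTTP transport so the paging logic also runs offline.
import json
import urllib.request

QUERY_URL = "https://api.securestate.vmware.com/v2/findings/query"

def http_post(token):
    """Live transport: POST a JSON body with the bearer token from the page."""
    def post(body):
        req = urllib.request.Request(
            QUERY_URL, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post

def iter_findings(post, filters=None, page_size=1000):
    """Yield every finding, re-posting the query with each continuationToken."""
    body = {"paginationInfo": {"pageSize": page_size}}
    if filters:
        body["filters"] = filters
    seen = set()
    while True:
        page = post(body)
        yield from page.get("results", [])
        token = page.get("continuationToken")
        if not token:
            return  # last page: token absent or null
        if token in seen:  # a repeated token would loop forever; stop instead
            raise RuntimeError("continuationToken repeated")
        seen.add(token)
        body["paginationInfo"]["continuationToken"] = token

# Constructed pages standing in for the live service: two pages, last token null.
_PAGES = {
    None: {"results": [{"id": "f1", "level": "High"}, {"id": "f2", "level": "Low"}],
           "continuationToken": "tok-1"},
    "tok-1": {"results": [{"id": "f3", "level": "High"}], "continuationToken": None},
}

def fake_post(body):
    """Offline transport: serve _PAGES by the token carried in paginationInfo."""
    return _PAGES[body["paginationInfo"].get("continuationToken")]

if __name__ == "__main__":
    # With a real token: iter_findings(http_post("<access_token>"), {...})
    print([f["id"] for f in iter_findings(fake_post, {"services": ["cloudtrail"]})])
```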
Users can filter, search, and aggregate on the findings in their cloud accounts. The API allows users to drill deeper into the findings to take appropriate action. Examples of these queries are provided below.
You can define filters on various properties including services, levels, cloud account IDs, cloud tags, and so on.
curl -X POST \
https://api.securestate.vmware.com/v2/findings/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"services": ["service_name"],
"levels": ["High"]
}
}'
Substring search on finding attributes is supported, enabling users to quickly scope to a certain subset of findings.
curl -X POST \
https://api.securestate.vmware.com/v2/findings/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"queryString": "search_string"
}
}'
Powerful aggregations of findings can be created to understand a categorical breakdown of findings over certain findings attributes, such as level, service, and so on.
curl -X POST \
https://api.securestate.vmware.com/v2/findings/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"aggregations": {
"rules": {
"aggregationType": "Terms",
"fieldName": "Level"
}
}
}'
You can also view all the details of a finding in order to make appropriate improvements to your configuration. The details include the violating object, the associated rule, severity, cloud provider, status, and more.
curl -X GET \
https://api.securestate.vmware.com/v2/findings/{findingId} \
-H 'Authorization: Bearer {access_token}'
Response body
{
"id": "...",
"type": "violation",
"ruleId": "5c6...",
"cloudAccountId": "5c5...",
"cloudProvider": "AWS",
"objectId": "arn:aws:cloudtrail:...",
"objectXid": "16186...",
"service": "cloudtrail",
"region": "sa-east-1",
"level": "Low",
"creationTime": "2019-05-22T18:01:24Z",
"lastUpdateTime": "2019-06-04T07:05:18Z",
"riskScore": 10,
"cloudTags": null,
"completeBlob": "{...}",
"status": "Open"
}
Refer to the Entity Data Service API Swagger documentation for interactive examples of these API calls.