Vulnerability management API reference for OT monitoring sensors

Article
12/01/2022

This article lists the vulnerability management REST APIs supported for Microsoft Defender for IoT OT monitoring sensors.

The data included in the API responses includes the same information as if you generated a vulnerability report from the on-premises management console.

devices (Retrieve device vulnerability information)

Use this API to request vulnerability assessment results for each device.

URI: /api/v1/reports/vulnerabilities/devices

GET

This API is called without any request parameters.

Type: JSON

Array of JSON objects that represent assessed devices and their reported vulnerabilities.

Devices that are found to have no vulnerabilities are not included in the result response.

Device fields

Name	Type	Nullable / Not nullable	List of values
name	String	Not nullable	-
ipAddresses	JSON array	Not nullable	-
securityScore	Numeric	Not nullable	-
vendor	String	Nullable
firmwareVersion	String	Nullable	-
model	String	Nullable	-
isWirelessAccessPoint	Boolean	Not nullable	`True` or `False`
operatingSystem	Operating system object	Nullable	-
vulnerabilities	Vulnerabilities object	Not nullable	-

Operating system fields

Name	Type	Nullable / Not nullable	List of values
name	String	Not nullable	-
type	String	Not nullable	-
version	String	Nullable	-
latestVersion	String	Nullable	-

Vulnerabilities fields

Name	Type	Nullable / Not nullable	List of values
antiViruses	JSON array of strings	Nullable	Antivirus names
plainTextPasswords	JSON array	Nullable	Password objects
remoteAccess	JSON array	Nullable	Remote access objects
isBackupServer	Boolean	Not nullable	`True` or `False`
openedPorts	JSON array	Nullable	Opened port objects
isEngineeringStation	Boolean	Not nullable	`True` or `False`
isKnownScanner	Boolean	Not nullable	`True` or `False`
cves	JSON array	Nullable	CVE objects
isUnauthorized	Boolean	Not nullable	`True` or `False`
malwareIndicationsDetected	Boolean	Not nullable	`True` or `False`
weakAuthentication	JSON array of strings	Nullable	Detected applications that are using weak authentication

Password fields

Name	Type	Nullable / Not nullable	List of values
password	String	Not nullable	-
protocol	String	Not nullable	-
strength	String	Not nullable	`Very weak`, `Weak`, `Medium`, `Strong`

Remote access fields

Name	Type	Nullable	List of values
port	Numeric	Not nullable	-
transport	String	Not nullable	`TCP`, `UDP`
client	String	Not nullable	IP address
clientSoftware	String	Not nullable	Name of the remote protocol, like `SSH`, `VNC`, `Remote desktop`, or `Team viewer`

Open port fields

Name	Type	Nullable / Not nullable	List of values
port	Numeric	Not nullable	-
transport	String	Not nullable	`TCP` or `UDP`
protocol	String	Nullable	-
isConflictingWithFirewall	Boolean	Not nullable	`True` or `False`

CVE fields

Name	Type	Nullable / Not nullable	List of values
id	String	Not nullable	-
score	Numeric, decimal value	Not nullable	-
description	String	Not nullable	-

Response example

[
    {
        "name": "IED \#10",
        "ipAddresses": ["10.2.1.10"],
        "securityScore": 100,
        "vendor": "ABB Switzerland Ltd, Power Systems",
        "firmwareVersion": null,
        "model": null,
        "operatingSystem": {
            "name": "ABB Switzerland Ltd, Power Systems",
            "type": "abb",
            "version": null,
            "latestVersion": null
        },
        "vulnerabilities": {
        "antiViruses": [
        "McAfee"
        ],
        "plainTextPasswords": [
            {
                "password": "123456",
                "protocol": "HTTP",
                "strength": "Very Weak"
            }
        ],
        "remoteAccess": [
            {
                "port": 5900,
                "transport": "TCP",
                "clientSoftware": "VNC",
                "client": "10.2.1.20"
            }
        ],
        "isBackupServer": true,
        "openedPorts": [
            {
                "port": 445,
                "transport": "TCP",
                "protocol": "SMP Over IP",
                "isConflictingWithFirewall": false
            },
            {
                "port": 80,
                "transport": "TCP",
                "protocol": "HTTP",
                "isConflictingWithFirewall": false
            }
        ],
        "isEngineeringStation": false,
        "isKnownScanner": false,
        "cves": [
            {
                "id": "CVE-2015-6490",
                "score": 10,
                "description": "Frosty URL - Stack-based buffer overflow on Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices through B FRN 15.003 allows remote attackers to execute arbitrary code via unspecified vectors"
            },
            {
                "id": "CVE-2012-6437",
                "score": 10,
                "description": "MicroLogix 1100 and 1400 do not properly perform authentication for Ethernet firmware updates, which allows remote attackers to execute arbitrary code via a Trojan horse update image"
            },
            {
                "id": "CVE-2012-6440",
                "score": 9.3,
                "description": "MicroLogix 1100 and 1400 allows man-in-the-middle attackers to conduct replay attacks via HTTP traffic."
            }
        ],
        "isUnauthorized": false,
        "malwareIndicationsDetected": true
        }
    }
]

Type: GET

API:

curl -k -H "Authorization: <AUTH_TOKEN>" https://<IP_ADDRESS>/api/v1/reports/vulnerabilities/devices

Example:

curl -k -H "Authorization: 1234b734a9244d54ab8d40aedddcabcd" https://127.0.0.1/api/v1/reports/vulnerabilities/devices

security (Retrieve security vulnerabilities)

Use this API to request results of a general vulnerability assessment report. This assessment provides insight into your system's security level.

This assessment is based on general network and system information and not on a specific device evaluation.

URI: /api/v1/reports/vulnerabilities/security

GET

This API is called without any request parameters.

Type: JSON representation of one or more data tables, each with specific and potentially different structures.

The response is displayed in a map view, which maps table titles to table rows. Rows are represented as a list of objects with the same structures.

unauthorizedDevices fields

Name	Type	Nullable / Not nullable	List of values
address	String	Nullable	IP or MAC address of the unauthorized device
name	String	Nullable	Name of the unauthorized device
firstDetectionTime	Numeric	Nullable	Timestamp the device was first detected, in milliseconds from Epoch time and in UTC timezone
lastSeen	Numeric	Nullable	Timestamp that traffic was last detected as sent to or from the device, in milliseconds from Epoch time and in UTC timezone

illegalTrafficByFirewallRules fields

Name	Type	Nullable / Not nullable	List of values
server	String	Nullable	Server IP address
client	String	Nullable	Client IP address
port	Numeric	Nullable	The server port
transport	String	Nullable	`TCP`, `UDP`, or `ICMP`

weakFirewallRules fields

Name	Type	Nullable / Not nullable	List of values
sources	JSON array of sources	Nullable	JSON array of sources in any of the following formats: - `Any` - `ip address (host)` - `from ip-to ip (RANGE)` - `ip address, subnet mask (NETWORK)`
destinations	JSON array of destinations	Nullable	JSON array of destination objects, in any of the following formats: - `Any` - `ip address (host)` - `from ip-to ip (RANGE)` - `ip address, subnet mask (NETWORK)`
ports	JSON array of ports	Nullable	JSON array of port objects, in any of the following formats: - `Any` - `port (protocol, if detected)` - `from port-to port (protocol, if detected)`

accessPoints fields

Name	Type	Nullable / Not nullable	List of values
macAddress	String	Nullable	The access point's MAC address
vendor	String	Nullable	The access point's vendor name
ipAddress	String	Nullable	The access point's IP address, or N/A
name	String	Nullable	The access point's device name, or N/A
wireless	String	Nullable	Whether the access point is connected to a wireless network: `No`, `Suspected`, or `Yes`

connectionsBetweenSubnets fields

Name	Type	Nullable / Not nullable	List of values
server	String	Nullable	The server's IP address
client	String	Nullable	The client's IP address

industrialMalwareIndicators fields

Name	Type	Nullable / Not nullable	List of values
detectionTime	Numeric	Nullable	Timestamp the malware was first detected, in milliseconds from Epoch time and in UTC timezone
alertMessage	String	Nullable	The alert message sent
description	String	Nullable	The alert message description
devices	JSON array	Not nullable	A JSON array of strings representing device names

internetConnections fields

Name	Type	Nullable / Not nullable	List of values
internalAddress	String	Nullable	The connection's internal IP address
authorized	Boolean	Nullable	`Yes` or `No`
externalAddresses	JSON array	Not nullable	A JSON array of the connection's external IP addresses

Response example

{
    "unauthorizedDevices": [
        {
            "address": "10.2.1.14",
            "name": "PLC \#14",
            "firstDetectionTime": 1462645483000,
            "lastSeen": 1462645495000,
        }
    ],
    "redundantFirewallRules": [
        {
            "sources": "170.39.3.0/255.255.255.0",
            "destinations": "Any",
            "ports": "102"
        }
    ],
    "connectionsBetweenSubnets": [
        {
            "server": "10.2.1.22",
            "client": "170.39.2.0"
        }
    ],
    "industrialMalwareIndications": [
        {
            "detectionTime": 1462645483000,
            "alertMessage": "Suspicion of Malicious Activity (Regin)",
            "description": "Suspicious network activity was detected. Such behavior might be attributed to the Regin malware.",
            "addresses": [
                "10.2.1.4",
                "10.2.1.5"
            ]
        }
    ],
    "illegalTrafficByFirewallRules": [
        {
            "server": "10.2.1.7",
            "port": "20000",
            "client": "10.2.1.4",
            "transport": "TCP"
        },
        {
            "server": "10.2.1.8",
            "port": "20000",
            "client": "10.2.1.4",
            "transport": "TCP"
        },
        {
            "server": "10.2.1.9",
            "port": "20000",
            "client": "10.2.1.4",
            "transport": "TCP"
        }
    ],
    "internetConnections": [
        {
            "internalAddress": "10.2.1.1",
            "authorized": "Yes",
            "externalAddresses": ["10.2.1.2",”10.2.1.3”]
        }
    ],
    "accessPoints": [
        {
            "macAddress": "ec:08:6b:0f:1e:22",
            "vendor": "TP-LINK TECHNOLOGIES",
            "ipAddress": "173.194.112.22",
            "name": "Enterprise AP",
            "wireless": "Yes"
        }
    ],
    "weakFirewallRules": [
        {
            "sources": "170.39.3.0/255.255.255.0",
            "destinations": "Any",
            "ports": "102"
        }
    ]
}

Type: GET

APIs:

curl -k -H "Authorization: <AUTH_TOKEN>" https://<IP_ADDRESS>/api/v1/reports/vulnerabilities/security

Example:

curl -k -H "Authorization: 1234b734a9244d54ab8d40aedddcabcd" https://127.0.0.1/api/v1/reports/vulnerabilities/security

operational (Retrieve operational vulnerabilities)

Use this API to request results of a general vulnerability assessment. This assessment provides insight into the operational status of your network. It's based on general network and system information and not on a specific device evaluation.

URI: /api/v1/reports/vulnerabilities/operational

GET

This API is called without any request parameters.

Type: JSON representation of one or more data tables, each with specific and potentially different structures.

The response is displayed in a map view, which maps table titles to table rows. Rows are represented as a list of objects with the same structures.

backupServer result fields

Name	Type	Nullable / Not nullable	List of values
source	String	Nullable	The source IP address
destination	String	Nullable	The destination IP address
port	Numeric	Nullable	The backup server port
transport	String	Nullable	The backup server transport protocol `TCP` or `UDP`
backupMaximalInterval	String	Nullable	The maximum interval time between backups
lastSeenBackup	Numeric	Nullable	Timestamp that a backup was last seen, in milliseconds from Epoch time and in UTC timezone

ipNetworks result fields

Name	Type	Nullable / Not nullable	List of values
addresses	Numeric	Not nullable	The number of IP addresses discovered in the subnet range.
network	String	Not nullable	The subnet base IP address.
mask	String	Not nullable	The subnet mask.

protocolProblems result fields

Name	Type	Nullable / Not nullable	List of values
protocol	String	Not nullable	A protocol for which a protocol violation alert was triggered
addresses	JSON array of IP addresses	Not nullable	JSON array of IP addresses where the violation originated
alert	String	Not nullable	The title of the alert triggered
reportTime	Numeric	Not nullable	Timestamp that a report was last generated, in milliseconds from Epoch time and in UTC timezone

protocolDataVolumes result fields

Name	Type	Nullable / Not nullable	List of values
protocol	String	Nullable	A protocol that was detected on the network by the OT network sensor
volume	String	Nullable	The volume of protocol packets captured by the OT network sensor, in MB

disconnections result fields

Name	Type	Nullable / Not nullable	List of values
assetAddress	String	Nullable	The IP address of the disconnected asset
assetName	String	Nullable	The name of the disconnected asset
lastDetectionTime	Numeric	Nullable	Timestamp that the disconnect was last detected, in milliseconds from Epoch time and in UTC timezone
backToNormalTime	Numeric	Nullable	Timestamp that the connection returned, in milliseconds from Epoch time and in UTC timezone

Response example

{
    "backupServer": [
        {
            "backupMaximalInterval": "1 Hour, 29 Minutes",
            "source": "10.2.1.22",
            "destination": "170.39.2.14",
            "port": 10000,
            "transport": "TCP",
            "lastSeenBackup": 1462645483000
        }
    ],
    "ipNetworks": [
        {
            "addresses": "21",
            "network": "10.2.1.0",
            "mask": "255.255.255.0"
        },
        {
            "addresses": "3",
            "network": "170.39.2.0",
            "mask": "255.255.255.0"
        }
    ],
    "protocolProblems": [
        {
            "protocol": "DNP3",
            "addresses": [
                "10.2.1.7",
                "10.2.1.8"
            ],
            "alert": "Illegal DNP3 Operation",
            "reportTime": 1462645483000
        },
        {
            "protocol": "DNP3",
            "addresses": [
                "10.2.1.15"
            ],
            "alert": "Master Requested an Application Layer Confirmation",
            "reportTime": 1462645483000
        }
    ],
    "protocolDataVolumes": [
        {
            "protocol": "MODBUS (502)",
            "volume": "21.07 MB"
        },
        {
            "protocol": "SSH (22)",
            "volume": "0.001 MB"
        }
    ],
    "disconnections": [
        {
            "assetAddress": "10.2.1.3",
            "assetName": "PLC \#3",
            "lastDetectionTime": 1462645483000,
            "backToNormalTime": 1462645484000
        }
    ]
}

Type: GET

APIs:

curl -k -H "Authorization: <AUTH_TOKEN>" https://<IP_ADDRESS>/api/v1/reports/vulnerabilities/operational

Example:

curl -k -H "Authorization: 1234b734a9244d54ab8d40aedddcabcd" https://127.0.0.1/api/v1/reports/vulnerabilities/operational

mitigation (Retrieve mitigation steps)

Use this API to request a mitigation assessment. This assessment provides recommended steps for mitigating detected vulnerabilities. It's based on general network and system information and not on a specific device evaluation.

URI: /api/v1/reports/vulnerabilities/mitigation

GET

This API is called without any request parameters.

Type: JSON

JSON object that represents recommended mitigation steps.

Response fields

Field name	Type	Nullable	List of values
notifications	JSON array of strings	Not nullable	Recommended mitigation steps for detected vulnerabilities
mitigation	JSON array	Not nullable	mitigation objects

mitigation fields

Field name	Type	Nullable	List of values
content	String	Not nullable	Recommended mitigation steps for detected vulnerabilities
scoreImprovement	Integer	Nullable	Expected percentage of security improvement after mitigation steps are taken.
details	Table	Nullable	A table listing mitigation recommendations, such as would be generated in the Risk assessment report. Each recommendation includes details about possible security impact if the action is performed and more. For more information, see Risk mitigation.

Note

You might have multiple mitigation steps, with some returned in the notifications field, and others returned in the mitigation field. Items with scoreImprovement and details data is returned only in the mitigation field. Items without scoreImprovement and details data is returned only in the notifications field.

Response example

{
    "notifications": ["Firewall policy import", "Marking \"important devices\"", "Further device information import"],
    "mitigation": [{
        "content": "Install an Antivirus solution to increase protection of the workstations",
        "details": null,
        "scoreImprovement": 10
    }, {
        "content": "Investigate all malware indicators (Contact your incident response team or support.microsoft.com). When assured the problem is solved, acknowledge the alert",
        "details": {
            "name": "",
            "description": {
                "name": "",
                "important": false,
                "warning": false
            },
            "headers": ["Detection Time", "Alert Message", "Description", "Devices"],
            "rows": [
                ["03/10/2022 07:10:24", "Address Scan Detected", "Address scan detected.\nScanning address: 10.10.10.22\nScanned subnet: 10.11.0.0/16\nScanned addresses: 10.11.1.1, 10.11.20.1, 10.11.20.10, 10.11.20.100, 10.11.20.2, 10.11.20.3, 10.11.20.4, 10.11.20.5, 10.11.20.6, 10.11.20.7...\nIt is recommended to notify the security officer of the incident.", ""],
            ]
        },
        "scoreImprovement": 8
    }, {
        "content": "Install a backup server in the network",
        "details": null,
        "scoreImprovement": 5
    }, {
        "content": "Install latest security updates (Devices: 2)",
        "details": {
            "name": "",
            "description": {
                "name": "",
                "important": false,
                "warning": false
            },
            "headers": ["Name", "Address"],
            "rows": [
                ["10.13.10.5", "10.13.10.5"],
                ["192.168.1.127", "192.168.1.127"]
            ]
        },
        "scoreImprovement": 2
    }, {
        "content": "Increase password complexity for authentication (Devices: 53)",
        "details": {
            "name": "",
            "description": {
                "name": "",
                "important": false,
                "warning": false
            },
            "headers": ["Name", "Address"],
            "rows": [
                ["10.10.10.13", "10.10.10.13"],
                ["10.10.10.14", "10.10.10.14"],
                ["10.10.10.15", "10.10.10.15"],
                ["10.13.10.3", "10.13.10.3"],
                ["10.13.10.40", "10.13.10.40"],
                ["10.13.10.5", "10.13.10.5"],
                ["10.13.11.2", "10.13.11.2"],
                ["10.13.11.3", "10.13.11.3"],
                ["192.168.1.100", "192.168.1.100"],
                ["192.168.1.242", "192.168.1.242"]
            ]
        },
        "scoreImprovement": 2
    }, {
        "content": "Investigate and acknowledge all unacknowledge alerts",
        "details": {
            "name": "",
            "description": {
                "name": "",
                "important": false,
                "warning": false
            },
            "headers": ["Detection Time", "Alert Message", "Description"],
            "rows": [
                ["03/10/2022 07:10:24", "Address Scan Detected", "Address scan detected.\nScanning address: 10.10.10.22\nScanned subnet: 10.11.0.0/16\nScanned addresses: 10.11.1.1, 10.11.20.1, 10.11.20.10, 10.11.20.100, 10.11.20.2, 10.11.20.3, 10.11.20.4, 10.11.20.5, 10.11.20.6, 10.11.20.7...\nIt is recommended to notify the security officer of the incident."],
                ["03/10/2022 07:44:52", "No Traffic Detected on Sensor Interface", "The sensor stopped detecting network traffic on local_listener."]
            ]
        },
        "scoreImprovement": 1
    }]
}

curl -k -H "Authorization: 1234b734a9244d54ab8d40aedddcabcd" "https://<IP address>/api/v1/reports/vulnerabilities/mitigation"

Next steps

For more information, see the Defender for IoT API reference overview.

Vulnerability management API reference for OT monitoring sensors

devices (Retrieve device vulnerability information)

GET

Device fields

Operating system fields

Vulnerabilities fields

Password fields

Remote access fields

Open port fields

CVE fields

Response example

security (Retrieve security vulnerabilities)

GET

unauthorizedDevices fields

illegalTrafficByFirewallRules fields

weakFirewallRules fields

accessPoints fields

connectionsBetweenSubnets fields

industrialMalwareIndicators fields

internetConnections fields

Response example

operational (Retrieve operational vulnerabilities)

GET

backupServer result fields

ipNetworks result fields

protocolProblems result fields

protocolDataVolumes result fields

disconnections result fields

Response example

mitigation (Retrieve mitigation steps)

GET

Response fields

mitigation fields

Response example

Next steps

Feedback

Additional resources