Exporting data from Cisco Vulnerability Management

You can export data from Cisco Vulnerability Management using either the API or the UI. 

Export Data from the API

Exporting data from the API is asynchronous. You can use the Data Exports section in the API to:

• Request a data export
• Check the status of a running export
• Kill an export request
• Retrieve the final export

You must specify the format of the data, including the model type (asset, fix, finding, or vulnerability), and data format (json, jsonl, xml). When you export vulnerabilities, you can include details about the vulnerabilities, and solutions for the vulnerabilities. Also, you can request all your data or a subset of your data by adding search parameters, and you can pick which fields are returned in asset and vulnerability exports. For more information about retrieving data, see the API documentation. For an example, see the Python code here.

Incremental exports via the API

If you have an environment with many assets, it might be burdensome to continuously export and download large data files. Thankfully, Cisco Vulnerability Management provides the capability to export only the delta of records that have changed recently. For more information, see the blog post or our training playlist. The API parameters are available in our API documentation.

API Export Limitations

If you expect that your export has a large amount of data, use the API export because it has no hard limit. The number of entries returned is dependent on the entry size, the number of entries in the request, and how busy the analytics engine is. We approximate the limit to be around 100M entries.

Export Data from the UI

Using the UI, it's easy to export data to a CSV file.

To Export Assets

1. Click VM > Explore.
2. Click the Assets tab.
3. On the right-hand side of the page, click Export Assets.
   
4. In the Export Assets list, choose the fields that you want to include in the export.
   Note: If you do not select any fields, the export returns only the ID.
   
5. Click Continue.
6. Select a file type, and a compression type.
   
   Note: If you select None as the compression type, you can only export up to 100,000 entries. The None option is available only when the Async Asset Export Setting is not enabled. If you select None and your export exceeds 100,000 entries, an error message displays that asks you to reduce the number of selections before you can continue with the export.
   Tip: Instead, chose the Zip or Gzip compression types and you can then export up to 4,000,000 entries.
   
7. Click Export Assets. A success message banner will display at the top of the window.
   
8. To download the exported file, click VM > Activity. Find the relevant Export ID, and then in the Action column, click the blue icon to download the export.
   

To Export Fixes

1. Click VM > Explore.
2. Click the Fixes tab.
3. On the right-hand side of the page, click Export Fixes.
   
4. In the Export Fixes list, choose the fields that you want to include in the export.
   Note: If you do not select any fields, the export returns only the Fix ID and Asset ID.
   
5. Click Continue.
6. Select a file type, and a compression type.
   
7. Click Export Fixes. A success message banner will display at the top of the window.
   
8. To download the exported file, click VM > Activity. Find the relevant Export ID, and then in the Action column, click the blue icon to download the export.
   

To Export Vulnerabilities

1. Click VM > Explore.
2. Click the Vulnerabilities tab.
3. On the right-hand side of the page, click Export Vulnerabilities.
   
   
4. In the Export Vulnerabilities list, select the fields that you want to be included in the export.
   Note: If you do not select any fields, the export returns only the ID.
   
5. Click Continue.
   Note: When you select the Details field, you can export up to 500,000 vulnerabilities. If the number of rows in your export exceeds that number, an error message displays that asks you to reduce the number of selections before you can continue with the export.
   
6. Select a file type, and a compression type.
   
7. Click Export Vulnerabilities. A success message banner will display at the top of the window.
   
8. To download the exported file, click VM > Activity. Find the relevant Export ID, and then in the Action column, click the blue icon to download the export.
   

To export Top Fixes

1. Click VM > Dashboard.
2. In the risk meter that you want to export the top fixes for, click Top Fixes. 
3. At the top of the screen, select the Top Fix Group that you want to export the top fixes for.
4. Click Export CSV, and choose to export the chosen Group, or All Top Fix Groups.
5. Do one of the following:
   * In the banner that displays at the top of the screen, click View My Exports, and then click the download icon in the Action column of the Exports table.
   * Wait until you receive an email from Cisco, and click the Download CSV Export link.

To export Findings data

1. Click AppSec > Explore.
2. Do one of the following:
   * Use the filter options to reduce the amount of data to export and then scroll down to the bottom of the Search panel on the right-hand side of the page.
   * To export all items on the page, scroll down to the bottom of the Search panel on the right-hand side of the page.
3. Click Export this view.
4. Click CSV.
5. To download the exported file, click VM> Activity. Find the relevant export ID and click on the blue download action button to download the export

Viewing Export Status

To view a list of all export jobs and their status, go to VM > Activity.

This will open up a page listing all exports and the following information:

• Status
• Export ID
• Type Asset/Vulnerability/Fix
• Source UI/API
• Time requested in GMT
• Time completed in GMT
• Record Count 

To download the export files, click on the file icon in the “Action” column.

UI Export Limitations

CSV exports from the UI can be synchronous and downloaded immediately or asynchronous and an email link will be sent that allows you to extract a CSV gzipped file. Smaller asset exports are synchronous and downloaded as a CSV file with a limitation of 100 K entries. Any export of fixes, and any large vulnerability exports, will be asynchronous and downloaded in the gzip format with a limitation of 500 K entries. Any export of assets is limited to 100 K entries when downloaded from the UI and is downloaded immediately in the browser as a CSV file. To increase the UI Asset Export limit to 4 M entries, contact your CX representative. The increase impacts the download behavior, the export request is processed in the background and will be a CSV gzipped file. The increase does not impact how fixes and vulnerabilities are exported from the UI.

Extracting CSV Data from a Gzip or .gz File

Depending on the size of the export, data exported from the UI may come in a gzip file. Data exported from the API will be in the .gz format. The .gz format is used because it works most efficiently to stream data from connector runs to an exportable download. You will need a program to unzip .gz files to view the results of the download. Windows does not come preinstalled with a program to do this, so if you are a Windows user, you will need to find a program that suits your company and environment. Some popular programs include winzip, winrar, and 7-zip.

When exporting data from the API, we recommend that you use the following curl command when obtaining gzip data.

curl --request GET \
     --url https://api.kennasecurity.com/data_exports \
     --header 'Accept: application/gzip' \
     --header 'X-Risk-Token: abcdefgh8ijklmnopqrstuvwxyz26'
     --output downloads/kenna_data.gzip

After the data is downloaded into the specified file, it will need to be unzipped to be readable.

You can see a Python example in the Acquiring Vulnerabilities per Asset blog, Exporting Asset Data section.