Use the CloudGuard Dome9 REST API to send findings to Dome9 from an external system
Solution

Pre-requisites

Dome9 account & API Key/Secret

Send a list of findings

The request below sends a single finding from an external system (Qualys) to Dome9, using the POST method:

POST api/v2/ExternalFindings
  [
    {
      "ResourceId": "tests3bucket1",
      "ResourceType": "S3Bucket",
      "externalCloudAccountId": "1*********30",
      "vendor": "aws",
      "FindingSource": "Qualys",
      "findingSourceUrl": "http://myqualys.qualys.com",
      "findingSeverity": "Low",
      "originalFindingSeverity": "Low",
      "findingId": "10000",
      "scanId": "a",
      "findingCreatedAt": "2019-07-31T12:03:24",
      "findingTitle": "No Encryption",
      "findingDescription": "Server side encryption not enabled for S3 bucket",
      "findingStatus": "open",
      "findingCategory": "s3",
      "findingRecommendation": "enable encryption",
      "relatedFindingsRef": ["abcd"],
      "findingRulesPackage": { "id": "", "name": "", "provider": "", "version": "" },
      "additionalFields": [
        {
          "name": "",
          "value": "",
          "comment": ""
        }
      ]
    }
  ]
 

Parameters

ResourceId must refer to the id or name of a resource in the cloud account.

ResourceType is from the list of resource types for the different cloud providers.

externalCloudAccountId is the account id in the cloud provider, and vendor is the cloud provider.

findingSeverity must be one of Low, Medium, or High, while originalFindingSeverity can be any value.

The findingId field must be unique for the external source (findingSource).

This adds a finding for an S3 bucket.

Example with validation errors

This block has errors in the request:

{
    "ResourceId": "tests3bucket1",
    "ResourceType": "S3",
    "externalCloudAccountId": "1**********0",
    "vendor": "aws",
    "FindingSource": "Qualys",
    "findingSourceUrl": "http://myqualys.qualys.com",
    "findingSeverity": "Low",
    "originalFindingSeverity": "Low",
    "findingId": "10000",
    ...
}

The response identifies the problem field, in this case resourceType (should be S3Bucket, not S3):

{
    "failedRecords": [
        {
            "request": {
                "resourceId": "tests3bucket1",
                "resourceName": null,
                "resourceType": null,
                "externalCloudAccountId": "1**********0",
                "vendor": "aws",
                "findingSource": "Qualys",
                "findingSourceDescription": null,
                "findingSourceUrl": "http://myqualys.qualys.com",
                "findingSeverity": "Low",
                "originalFindingSeverity": "Low",
                "findingId": "10000",
                ...
            },
            "reason": "Empty or Invalid ResourceType"
        }
    ],
    "totalFailedRecords": 1,
    "totalSuccessfulRecords": 0
}
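
The sketch below is an added example, not Check Point code: it pre-checks a batch against the rules in the Parameters section before sending, and pulls the rejected records and reasons out of a response shaped like the one above. The function names, the choice of required fields, the case-insensitive key handling and the sample data are assumptions made for the example.

```python
import json

ALLOWED_SEVERITIES = {"Low", "Medium", "High"}  # per the Parameters notes
# Assumption: fields named in the Parameters notes are treated as required here.
REQUIRED = ("ResourceId", "ResourceType", "externalCloudAccountId",
            "vendor", "FindingSource", "findingId", "findingSeverity")

def _norm(finding):
    # The page mixes key casing (ResourceId / resourceId), so compare lower-cased.
    return {k.lower(): v for k, v in finding.items()}

def precheck(findings):
    """Return (index, problem) pairs for findings that break the documented rules."""
    problems, seen = [], set()
    for i, n in enumerate(map(_norm, findings)):
        for field in REQUIRED:
            if not n.get(field.lower()):
                problems.append((i, f"missing {field}"))
        sev = n.get("findingseverity")
        if sev and sev not in ALLOWED_SEVERITIES:
            problems.append((i, f"findingSeverity {sev!r} is not Low/Medium/High"))
        key = (n.get("findingsource"), n.get("findingid"))
        if all(key):
            if key in seen:  # findingId must be unique per findingSource
                problems.append((i, f"findingId {key[1]!r} repeated for {key[0]}"))
            seen.add(key)
    return problems

def failed_records(response_body):
    """Return (succeeded, [(findingSource, findingId, reason), ...]) from a response."""
    data = json.loads(response_body)
    failed = [(r["request"].get("findingSource"), r["request"].get("findingId"),
               r.get("reason")) for r in data.get("failedRecords", [])]
    return data.get("totalSuccessfulRecords", 0), failed

# Constructed sample batch (the account id is a placeholder, not a real account).
BASE = {"ResourceId": "tests3bucket1", "ResourceType": "S3Bucket",
        "externalCloudAccountId": "000000000000", "vendor": "aws",
        "FindingSource": "Qualys", "findingSeverity": "Low", "findingId": "10000"}
BATCH = [BASE, {**BASE, "findingSeverity": "Critical", "findingId": "10001"},
         {**BASE}]  # third entry reuses findingId 10000
# Constructed response, shaped like the validation-error response above.
RESPONSE = json.dumps({"failedRecords": [{"request": {"findingSource": "Qualys",
    "findingId": "10000"}, "reason": "Empty or Invalid ResourceType"}],
    "totalFailedRecords": 1, "totalSuccessfulRecords": 0})

if __name__ == "__main__":
    print(precheck(BATCH))
    print(failed_records(RESPONSE))
```

An invalid ResourceType cannot be caught by this local check, because the list of valid resource types is not reproduced here; that case still surfaces through the reason field of failedRecords.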

Archive findings

Archive findings using the ExternalFindings/Archive method. The findingSource and findingId fields identify the record to be archived:


{
    "ResourceId": "tests3bucket1",
    "externalCloudAccountId": "1**********0",
    "FindingSource": "Qualys",
    "findingId": "10000"
}

The response is 204 (No Content).

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
