Report Export Filters

The POST /reports/export endpoint accepts a set of filters to apply to the reports you want to generate. Filters can be used to narrow the vulnerabilities or assets included in the report.

You can use the GET /filters/reports/export endpoint to retrieve the list of valid filters, their supported comparison operators, data types, and allowed values. Alternatively, you can refer to the following tables and examples:

Supported Filters

Filters that can be used in the property field of the report export endpoint are listed in the following table along with their data type and supported comparison operators:

Filters	Operators	Data Type
asset_id	eq, neq	array of strings
asset_name	eq, neq, wc	array of strings
asset_tags	eq, neq	array of objects
cidr_range	eq, neq	array of strings
first_found	gte	int64
indexed_at	gte	int64
last_fixed	gte	int64
last_found	gte	int64
plugin_id	eq, neq	array of integers
severity	eq, neq	array of strings
severity_modification_type	eq, neq	array of strings
source	eq, neq	array of strings
state	eq, neq	array of strings
vpr_score	eq, neq, gt, gte, lt, lte	float—When used with the gt, gte, lt, or lte comparison operators. array of floats—When used with the eq or neq comparison operators.

Filter Values

Some filers require a specific set of supported values. These filters and their supported values are listed in the following table:

Filters	Supported Values
asset_tags	Asset tags are defined as an object with `key` and `value` properties where `key` corresponds to the tag category and `value` corresponds to the tag value. See the example.
first_found	Dates must be specified in Unix 13-digit time format (milliseconds).
indexed_at	Dates must be specified in Unix 13-digit time format (milliseconds).
last_fixed	Dates must be specified in Unix 13-digit time format (milliseconds).
last_found	Dates must be specified in Unix 13-digit time format (milliseconds).
severity	INFO—The vulnerability has a CVSS score of 0. LOW—The vulnerability has a CVSS score between 0.1 and 3.9. MEDIUM—The vulnerability has a CVSS score between 4.0 and 6.9. HIGH—The vulnerability has a CVSS score between 7.0 and 9.9. CRITICAL—The vulnerability has a CVSS score of 10.0.
severity_modification_type	NONE—No modification has been made. RECASTED—A user has recast the risk associated with the vulnerability. ACCEPTED—A user has accepted the risk associated with the vulnerability.
source	AWS—The vulnerability data was obtained from an Amazon Web Services connector. NESSUS_AGENT—The vulnerability data was obtained from a Tenable Nessus Agent scan. NNM—The vulnerability data was obtained from a Tenable Nessus Network Monitor (NNM) scan. NESSUS_SCAN—The vulnerability data was obtained from a Tenable Nessus scan. WAS—You obtained the asset data from a Web App Scanning scan. AZURE—The vulnerability data was obtained from a Microsoft Azure connector. GCP—The vulnerability data was obtained from a Google Cloud Platform connector. ASM—The vulnerability data was obtained from Tenable Attack Surface Management. CLOUD_DISCOVERY_CONNECTOR—The vulnerability data was obtained from a cloud discovery connector. SERVICENOW—The vulnerability data was obtained from ServiceNow.
state	NEW—The vulnerability is newly found on a host. ACTIVE—The vulnerability is currently present on a host. RESURFACED—The vulnerability was previously marked as fixed on a host but has returned. FIXED—The vulnerability was present on a host but is no longer detected.

Examples

Refer to the following examples for various use cases of the report export filters.

Host Findings Executive Summary Report with Filters

To generate a host findings executive summary report containing critical and high severity vulnerabilities found after December 6, 2023, you could use the following cURL request:

curl --request POST \
     --url https://cloud.tenable.com/reports/export \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "name": "My Summary Report",
  "template_name": "host_vulns_summary",
  "filters": [
    {
      "property": "first_found",
      "operator": "gte",
      "value": 1701824400000
    },
    {
      "property": "severity",
      "operator": "eq",
      "value": [
        "CRITICAL",
        "HIGH"
      ]
    }
  ]
}
'

Host Findings Vulnerability Details by Plugin Report with Filters

To generate a host findings vulnerability details by plugin report for specific plugin IDs and where the source was a Nessus scan, you could use the following cURL request:

curl --request POST \
     --url https://cloud.tenable.com/reports/export \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "name": "My Plugin Report",
  "template_name": "host_vulns_by_plugins",
  "filters": [
    {
      "property": "plugin_id",
      "operator": "eq",
      "value": [
        73491,
        73412,
        113075
      ]
    },
    {
      "property": "source",
      "operator": "eq",
      "value": [
        "NESSUS_SCAN"
      ]
    }
  ]
}
'

Host Findings Vulnerability Details by Asset Report with Filters

To generate a host findings vulnerability details by asset report for assets with specific asset tags, you could use the following cURL request:

curl --request POST \
     --url https://cloud.tenable.com/reports/export \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "name": "My Asset Report",
  "template_name": "host_vulns_by_assets",
  "filters": [
    {
      "property": "asset_tags",
      "operator": "eq",
      "value": [
        {
          "key": "OfficeLocation",
          "value": [
            "Dallas"
          ]
        },
        {
          "key": "DeviceType",
          "value": [
            "Laptop"
          ]
        }
      ]
    }
  ]
}
'