Hexiosec ASM User Guides
Using the Public API
Link Changes Endpoint
11 min
the link changes endpoint returns the same underlying data you see on the changes page in the hexiosec asm app you can us e it t o export or automate change detection between scan iterations (new and removed risks, domains, and services) relationship to the app the endpoint uses the same comparison logic and data source as the changes page in the app, so the added / removed results will match what you see there for the same iteration window and filters api reference full request/response details, query parameters, and schemas are available in the api reference https //asm hexiosec com/api/ui#get /v1/scan data/ scan id /link changes understanding what this endpoint shows the link changes api reports when relationships between assets change in the data model, assets are represented as nodes and the connections (or relationships) between them as links for example a new risk was detected on a service a domain started pointing to a new ip address a component appeared on a website this makes it excellent for tracking risk changes , but it is not a direct feed of “new assets vs removed assets ” getting risk changes if you want counts such as “4850 new risks, 257 risks removed” query the endpoint filtered to risks ( link type=risk ) count new risks = entries with change type added removed risks = entries with change type removed this mirrors the “risk” rows in the app changes page getting asset changes (domains, ips, websites) if you want the numbers of new and removed assets for each scan iteration, you don’t need to calculate these yourself the /v1/scans/{id}/iterations endpoint already provides stats nodes and stats nodesbylabel , which include counts of added and removed items grouped by label (e g domain, ipv4, service) example snippet from an iteration response "stats" { "nodes" { "added" 0, "removed" 4 }, "nodesbylabel" \[ { "label" "domain", "added" 0, "inscope" 13, "removed" 0 }, { "label" "ipv4", "added" 0, "removed" 0 }, { "label" "service", "added" 0, "removed" 1 } ] } this matches the “overview” counts you see in the app — for example new domains → nodesbylabel\[label="domain"] added removed ipv4s → nodesbylabel\[label="ipv4"] removed if you want the detailed records of what changed (not just counts), use the link changes endpoint mapping app terms to api filters when you see “change type domain” or “change type ipv4” in the app, that maps to node types in the api to type=domain → changes involving domains to type=ipv4 or ipv6 → changes involving ips link type=risk → changes involving risks remember these filters still return relationship changes, not a pure list of new assets summary use link changes for – new/removed risks – relationship changes (dns mappings, components appearing) use scan iteration endpoint for – new vs removed assets (domains, ips, websites) together, these give you the full picture of what changed in your attack surface between two scans or over time