Integrations

It is possible to send Cyberwatch data to a third party system using Integrations.

Creation of Integration

1. Click on Administration
2. Click on Integrations
3. Click on Add

4. Complete the fields of the integration creation form:

   • Integration template:
     • Microsoft Teams - Assets Information is a configuration template that allows you to send on your Teams channel, information relating to vulnerabilities present on your assets
     • Microsoft Teams - Vulnerabilities Information is a configuration template that allows you to send information about CVEs
     • Microsoft Teams - Patch Management* is a configuration template that allows you to send information about patches to be deployed on your assets
   • Integration protocol: Protocol of the integration, available protocols are:
     • HTTP hook to send HTTP rest requests
     • SMTP hook to send emails using SMTP configured in Administration > SMTP
   • Name of the integration: Integration name that will be displayed in the integration choice lists
   • Location of the integration hook: Location where it will be possible to find the integration. The available locations are:
     • Inventory
     • Asset details - Vulnerabilities tab
     • Asset details - Patch management tab
     • Asset details - Compliance tab
     • Asset details - Security issues tab
     • Vulnerabilities encyclopedia
     • Compliance rules encyclopedia
     • Security issues encyclopedia
     • Corrective actions
     • Vulnerability details
     • Compliance rule details
     • Security issue details
     • Corrective action details
     • None: concerns integrations available only for alerts

5. For HTTP hook integrations:

   • URL of the request: URL to which the data will be sent

   • Headers of the request: Headers of the request in the form of a dictionary, example:

         {
             "Accept-Charset": "utf-8",
             "Accept-Encoding": "gzip",
             "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
             "Content-Type": "application/json",
             "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
         }
     

   • Body of the request: Body of the request containing the data to send. Supports Templating.
   • HTTP method of the request: Choice of the HTTP method with which the request will be sent.
   • Use a self-signed certificate for this request: Used to connect to a self-signed server. Warning: Connecting to a self-signed server poses a risk that a third party can intercept traffic to the server via this certificate.
   • Use the proxy configuration for this request: Allows to use the proxy configured in Cyberwatch

6. For SMTP hook integrations:

   • Recipient’s email address
   • Subject of the email. Supports Templating
   • Content of the email: The message containing the data to send. Supports Templating
7. Save

If the fields have been correctly filled in, the integration will appear in the list of integrations.

To configure integrations using Teams, click here.

Templating

Cyberwatch uses the Liquid templating engine for formatting the body of HTTP requests and emails. Its documentation is available at https://shopify.dev/docs/api/liquid.

The following Cyberwatch data variables are available:

Variable	Description	Example
asset	Relevant asset, for contexts where there is only one. Attributes: - name: name of the asset. - description : asset’s description. - cve_announcements_count : number of asset vulnerabilities. - critical_cve_announcements_count :number of high-priority vulnerabilities of the asset. - compliance_rules_count : number of asset compliance rules. - compliance_rules_failed_count : number of failed compliance rules for the asset. - compliance_rules_succeed_count : number of successful compliance rules for the asset. - compliance_rules_anomalies_count : number of anomaly compliance rules of the asset. - security_issues_count : number of security issues of the asset.	{{ asset.name }} ⇒ MY-PC.DOMAIN
assets	List of the relevant assets. Attributes are the same as asset.	{{ assets | map: 'name' | join: ', ' }} ⇒ example-1.local, example-2.local
cve	Relevant CVE, for contexts where there is only one. Attributes: - code: reference of the CVE announcement. - content : CVE description. - summary : CVE short description. - score : CVSS score of the CVE. - epss : EPSS score of the CVE. - cisa_exploit_add_at : date of addition to CISA KEV. - certfr_exploit_add_at : date of addition to CERT-FR ALE.	{{ cve.code }} ⇒ CVE-2023-1234
cves	List of the relevant CVEs. Attributes are the same as cve.	{{ cves | map: 'code' | join: ', ' }} ⇒ CVE-2023-0001, CVE-2023-0002
technology	Relevant technology, for contexts where there is only one. Attributes: - product: product name of the technology. - target_title : title of the technology. - target_version_string : target version of the technology. - cve_announcements_count : number of vulnerabilities in the technology. - critical_cve_announcements_count : number of high-priority vulnerabilities in the technology.	{{ technology.product }} ⇒ Google Chrome
technologies	List of the relevant technologies. Attributes are the same as technology.	{{ technologies | map: 'product' | join: ', ' }} ⇒ linux, linux-firmware
compliance_rule	Relevant compliance rule, for contexts where there is only one. Attributes: - name: name of the compliance rule. - description: description of the compliance rule. -code: reference of the compliance rule. -rationale: rationale of the compliance rule. -audit: audit of the compliance rule. -remediation: remediation of the compliance rule. -require_sudo: admin rights requirement of the compliance rule. -reference: reference in the benchmark of the compliance rule.	{{ compliance_rule.name }} ⇒ Ensure rsyslog service is enabled
compliance_rules	List of the relevant compliance rules. Attributes are the same as compliance_rule.	{{ compliance_rules | map: 'code' | join: ', ' }} ⇒ CIS-AWS-1.4, CIS-AWS-1.20
security_issue	Relevant security issue, for contexts where there is only one. Attributes: - sid : reference of the security issue. - title : name of the security issue. - description : description of the security issue.	{{ security_issue.title }} ⇒ TAA - TSX Asynchronous Abort
security_issues	List of the relevant security issues. Attributes are the same as security_issue.	{{ security_issues | map: 'sid' | join: ', ' }} ⇒ WSTG-INPV-17, WSTG-ATHN-10
host	Relevant discovered asset, for contexts where there is only one. Attributes: - hostname : host name of the discovered asset.	{{ host.hostname }} ⇒ bar.example.com
hosts	List of relevant discovered assets. Attributes are the same as host.	{{ hosts | map: 'hostname' | join: ', ' }} ⇒ bar.example.com, foo.example.com

On top the built-in Liquid filters, the json filter lets you format data in JSON. You can use it for instance to send a list of CVEs to an API with the body { "cves": {{ cves | json }} }. The list of CVEs will be generated as a JSON array like { "cves": [{ "code": "CVE-2023-0001" }, { "code": "CVE-2023-0002" }] }.

The following Cyberwatch alert variables are available:

Variable	Description
alert_name	Name of the alert that triggered the integration
manage_link	Link to the alert edit page
node_name	Name of the instance on which the alert was triggered
node_url	Link to the instance on which the alert was triggered
host	from a discovery, domain name of the asset found
hosts	from a discovery, list of domain names of assets found

Available variables per location of the integration hook

Asset’s details

Location of the integration hook	Available variables
Vulnerabilities tab	asset, assets, cve, cves
Patch management tab	asset, assets, cve, cves, technology, technologies
Compliance tab	asset, assets, technology, technologies
Security issue tab	asset, assets, security_issue, security_issues

Encyclopedias

Location of the integration hook	Available variables
Vulnerabilities	asset, assets, cve, cves
Compliance rules	asset, assets, compliance_rule, compliance_rules
Security issues	asset, assets, security_issue, security_issues
Corrective actions	asset, assets, technology, technologies
Inventory	asset, assets

Details

Location of the integration hook	Available variables
Vulnerability details	asset, assets, cve, cves
Compliance rule details	asset, assets, compliance_rule, compliance_rules
Security issue details	asset, assets, security_issue, security_issues
Corrective action details	asset, assets, cve, cves, technology, technologies

Edit an Integration

1. Click on Administration
2. Click on Integrations
3. Click on the edit button (pencil icon) corresponding to the integration to edit
4. Modify the desired fields in the form The fields are completed with the values of the edited integration
5. Save

Delete an Integration

1. Click on Administration
2. Click on Integrations
3. Click on the delete button (trash icon) corresponding to the integration to delete
4. Confirm

Test an Integration

1. Click on Administration
2. Click on Integrations
3. Click on the test button (arrow icon) corresponding to the integration to test
4. Check that a notification containing the state of the response appears, attesting to the connection with the server

Use an Integration

The integrations can be used at different locations depending on the choice made in the creation/edition form:

Inventory

1. Click on Inventory
2. Select the assets to send
3. Click on the button Bulk actions
4. Click on the name of the integration in the drop-down menu
5. Check the status of the response in the notification at the top right

Asset details - Vulnerabilities tab

1. Click on Inventory
2. Click on the name of the asset from which send the data
3. Click on the Vulnerabilities tab
4. Select the vulnerabilities to send
5. Click on the arrow to the right of the Ignore button
6. Click on the name of the integration in the drop-down menu
7. Check the status of the response in the notification at the top right

Asset details - Patch management tab

1. Click on Inventory
2. Click on the name of the asset from which send the data
3. Click on the Patch management tab
4. Select the patches to send
5. Click on the arrow to the right of the Schedule selected fixes button (or the Send the selection button in case of an asset on “scan only” mode)
6. Click on the name of the integration in the drop-down menu
7. Check the status of the response in the notification at the top right

Asset details - Compliance tab

1. Click on Inventory
2. Click on the name of the asset from which send the data
3. Click on the Compliance tab
4. Select the patches to send
5. Click on the Send the selection button
6. Click on the name of the integration in the drop-down menu
7. Check the status of the response in the notification at the top right

Asset details - Security issues tab

1. Click on Inventory
2. Click on the name of the asset from which send the data
3. Click on the Security issues tab
4. Select the security issues to send
5. Click on the arrow to the right of the Ignore button
6. Click on the name of the integration in the drop-down menu
7. Check the status of the response in the notification at the top right

Vulnerability encyclopedia

1. Click on Vulnerabilities
2. Select the vulnerabilities to send
3. Click on the button Bulk actions
4. Click on the name of the integration in the drop-down menu
5. Check the status of the response in the notification at the top right

Vulnerability details

1. Click on Vulnerabilities
2. Click on a CVE reference to access the details of this CVE
3. Select the assets to send
4. Click on the arrow to the right of the Ignore button
5. Click on the name of the integration in the drop-down menu
6. Check the status of the response in the notification at the top right

Compliance rules encyclopedia

1. Click on Compliance rules
2. Select the compliance rules to send
3. Click on the button Bulk actions
4. Click on the name of the integration in the drop-down menu
5. Check the status of the response in the notification at the top right

Details of a compliance rule

1. Click on Compliance rules
2. Click on a compliance rule reference to access the details of this compliance rule
3. Select the assets to send
4. Click on the arrow to the right of the Check the assets button
5. Click on the name of the integration in the drop-down menu
6. Check the status of the response in the notification at the top right

Security issues encyclopedia

1. Click on Security issues
2. Select the security issues to send
3. Click on the button Bulk actions
4. Click on the name of the integration in the drop-down menu
5. Check the status of the response in the notification at the top right

Security issue details

1. Click on Security issues
2. Click on a security issue reference to access the details of this security issue
3. Select assets to send
4. Click on the arrow to the right of the Ignore button
5. Click on the name of the integration in the drop-down menu
6. Check the status of the response in the notification at the top right

Corrective actions

1. Click on Corrective actions
2. Select the corrective actions to send
3. Click on the button Bulk actions
4. Click on the name of the integration in the drop-down menu
5. Check the status of the response in the notification at the top right

Corrective action details

1. Click on Corrective actions
2. Click on a corrective action reference to access the details of this corrective action
3. Select assets to send
4. Click on the arrow to the right of the Deploy button
5. Click on the name of the integration in the drop-down menu
6. Check the status of the response in the notification at the top right