Integrations

It is possible to send Cyberwatch data to a third party system using Integrations.

Creation of Integration

  1. Click on Administration
  2. Click on Integrations
  3. Click on Add
  4. Complete the fields of the integration creation form:

    • Integration template:
      • Microsoft Teams - Assets Information is a configuration template that sends information about the vulnerabilities present on your assets to your Teams channel.
      • Microsoft Teams - Vulnerabilities Information is a configuration template that sends information about CVEs.
      • Microsoft Teams - Patch Management is a configuration template that sends information about the patches to be deployed on your assets.
    • Integration protocol: Protocol of the integration, available protocols are:
      • HTTP hook to send HTTP rest requests
      • SMTP hook to send emails using SMTP configured in Administration > SMTP
    • Name of the integration: Integration name that will be displayed in the integration choice lists
    • Location of the integration hook: Location where it will be possible to find the integration. The available locations are:
      • Inventory: corresponds to the Inventory.
      • Server details - Detection: corresponds to a server page on the “Vulnerabilities” tab.
      • Server details - Patching: corresponds to a server page on the “Patch management” tab.
      • Vulnerability details: corresponds to a specific vulnerability page in the Vulnerability Encyclopedia.
  5. For HTTP hook integrations:

    • URL of the request: URL to which the data will be sent.
    • Headers of the request: Headers of the request in the form of a dictionary, example:

          {
              "Accept-Charset": "utf-8",
              "Accept-Encoding": "gzip",
              "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
              "Content-Type": "application/json",
              "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
          }
      
    • Body of the request: Body of the request containing the data to send. Supports Templating.
    • HTTP method of the request: Choice of the HTTP method with which the request will be sent.
    • Use a self-signed certificate for this request: Used to connect to a server that presents a self-signed certificate. Warning: connecting to a server with a self-signed certificate carries the risk that a third party intercepts the traffic to the server by presenting such a certificate, since it is not validated by a trusted certificate authority.
    • Use the proxy configuration for this request: Allows to use the proxy configured in Cyberwatch.
  6. For SMTP hook integrations:

    • Recipient’s email address.
    • Subject of the email. Supports Templating.
    • Content of the email: The message containing the data to send. Supports Templating.
  7. Save

If the fields have been correctly filled in, the integration will appear in the list of integrations.

Configuring integrations with Microsoft Teams is described on a dedicated page.

Templating

Cyberwatch uses the Liquid templating engine for formatting the body of HTTP requests and emails. Its documentation is available at https://shopify.dev/docs/api/liquid.

The following Cyberwatch data variables are available:

  • asset
    Relevant asset, for contexts where there is only one. Attributes:
      - name: name of the asset.
      - description: description of the asset.
      - cve_announcements_count: number of vulnerabilities of the asset.
      - critical_cve_announcements_count: number of high-priority vulnerabilities of the asset.
      - compliance_rules_count: number of compliance rules of the asset.
      - compliance_rules_failed_count: number of failed compliance rules of the asset.
      - compliance_rules_succeed_count: number of successful compliance rules of the asset.
      - compliance_rules_anomalies_count: number of compliance rules in anomaly for the asset.
      - security_issues_count: number of security issues of the asset.
    Example: {{ asset.name }} renders as MY-PC.DOMAIN
  • assets
    List of the relevant assets. Attributes are the same as asset.
    Example: {{ assets | map: 'name' | join: ', ' }} renders as example-1.local, example-2.local
  • cve
    Relevant CVE, for contexts where there is only one. Attributes:
      - code: reference of the CVE announcement.
      - description: description of the CVE.
      - score: CVSS score of the CVE.
      - epss: EPSS score of the CVE.
    Example: {{ cve.code }} renders as CVE-2023-1234
  • cves
    List of the relevant CVEs. Attributes are the same as cve.
    Example: {{ cves | map: 'code' | join: ', ' }} renders as CVE-2023-0001, CVE-2023-0002
  • technology
    Relevant technology, for contexts where there is only one. Attributes:
      - product: product name of the technology.
      - target_title: title of the technology.
      - target_version_string: target version of the technology.
      - cve_announcements_count: number of vulnerabilities of the technology.
      - critical_cve_announcements_count: number of high-priority vulnerabilities of the technology.
    Example: {{ technology.product }} renders as Google Chrome
  • technologies
    List of the relevant technologies. Attributes are the same as technology.
    Example: {{ technologies | map: 'product' | join: ', ' }} renders as linux, linux-firmware
  • compliance_rule
    Relevant compliance rule, for contexts where there is only one. Attributes:
      - name: name of the compliance rule.
      - description: description of the compliance rule.
      - code: reference of the compliance rule.
      - rationale: rationale of the compliance rule.
      - audit: audit of the compliance rule.
      - remediation: remediation of the compliance rule.
      - require_sudo: whether the compliance rule requires admin rights.
      - reference: reference of the compliance rule in the benchmark.
    Example: {{ compliance_rule.name }} renders as Ensure rsyslog service is enabled
  • compliance_rules
    List of the relevant compliance rules. Attributes are the same as compliance_rule.
    Example: {{ compliance_rules | map: 'code' | join: ', ' }} renders as CIS-AWS-1.4, CIS-AWS-1.20
  • security_issue
    Relevant security issue, for contexts where there is only one. Attributes:
      - sid: reference of the security issue.
      - title: name of the security issue.
      - description: description of the security issue.
    Example: {{ security_issue.title }} renders as TAA - TSX Asynchronous Abort
  • security_issues
    List of the relevant security issues. Attributes are the same as security_issue.
    Example: {{ security_issues | map: 'sid' | join: ', ' }} renders as WSTG-INPV-17, WSTG-ATHN-10
  • host
    Relevant discovered asset, for contexts where there is only one. Attributes:
      - hostname: host name of the discovered asset.
    Example: {{ host.hostname }} renders as bar.example.com
  • hosts
    List of the relevant discovered assets. Attributes are the same as host.
    Example: {{ hosts | map: 'hostname' | join: ', ' }} renders as bar.example.com, foo.example.com

On top of the built-in Liquid filters, the json filter formats data as JSON. You can use it, for instance, to send a list of CVEs to an API with the body { "cves": {{ cves | json }} }. The list of CVEs is then generated as a JSON array, giving { "cves": [{ "code": "CVE-2023-0001" }, { "code": "CVE-2023-0002" }] }.
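The receiving side of such an HTTP hook, as an added example that is not part of the Cyberwatch documentation: a handler that checks the Basic credential and Content-Type from the header example above, then parses and validates the body produced by { "cves": {{ cves | json }} }. The expected credential and the sample request are assumptions constructed for the example.

```python
import base64
import hmac
import json
import re

# Constructed sample headers, taken from the page's header example; the Authorization
# value is the RFC 7617 example credential (Aladdin:open sesame), not a real secret.
SAMPLE_HEADERS = {
    "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "Content-Type": "application/json",
}
# Constructed sample body: what the template { "cves": {{ cves | json }} } renders to.
SAMPLE_BODY = '{ "cves": [{ "code": "CVE-2023-0001" }, { "code": "CVE-2023-0002" }] }'
EXPECTED_USER = "Aladdin"          # assumed: the credential the hook was configured with
EXPECTED_PASSWORD = "open sesame"  # assumed
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def _authorized(headers):
    # Parse the Basic credential the hook was configured to send.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison of both parts so timing does not reveal which one is wrong.
    ok_user = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return ok_user and ok_pass

def handle_hook(headers, body):
    """Validate one incoming hook request; return (HTTP status, list of CVE codes)."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not _authorized(headers):
        return 401, []
    if headers.get("content-type", "").split(";")[0].strip() != "application/json":
        return 415, []
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, []
    cves = payload.get("cves") if isinstance(payload, dict) else None
    if not isinstance(cves, list):
        return 400, []
    codes = [c.get("code") if isinstance(c, dict) else None for c in cves]
    if not all(isinstance(c, str) and CVE_RE.match(c) for c in codes):
        return 400, []  # anything that is not a CVE reference is rejected
    return 200, codes
```

Anything Cyberwatch sends that does not match the configured credential, media type or body shape is refused before it reaches the consuming system.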

The following Cyberwatch alert variables are available:

  • alert_name: name of the alert that triggered the integration
  • manage_link: link to the alert edit page
  • node_name: name of the instance on which the alert was triggered
  • node_url: link to the instance on which the alert was triggered

Edit an Integration

  1. Click on Administration
  2. Click on Integrations
  3. Click on the edit button (pencil icon) corresponding to the integration to edit
  4. Modify the desired fields in the form. The fields are completed with the values of the edited integration
  5. Save

Delete an Integration

  1. Click on Administration
  2. Click on Integrations
  3. Click on the delete button (trash icon) corresponding to the integration to delete
  4. Confirm

Test an Integration

  1. Click on Administration
  2. Click on Integrations
  3. Click on the test button (arrow icon) corresponding to the integration to test
  4. Check that a modal containing the state of the response appears, attesting to the connection with the server.

Use an Integration

The integrations can be used at different locations depending on the choice made in the creation/edition form:

Inventory

  1. Click on Inventory
  2. Select the assets to send
  3. Click on the button Bulk actions
  4. Click on the name of the integration in the drop-down menu
  5. Check the status of the response in the modal at the top right

Server details - Detection

  1. Click on Inventory
  2. Click on the name of the asset from which to send the data
  3. Click on the Vulnerabilities tab
  4. Select the vulnerabilities to send
  5. Click on the arrow to the right of the Ignore and comment button
  6. Click on the name of the integration in the drop-down menu
  7. Check the status of the response in the modal at the top right

Server details - Patching

  1. Click on Inventory
  2. Click on the name of the asset from which to send the data
  3. Click on the Patch management tab
  4. Select the packages/applications/vulnerabilities to send
  5. Click on the arrow to the right of the Schedule selected fixes button (or the Send the selection button in case of an asset on “scan only” mode)
  6. Click on the name of the integration in the drop-down menu
  7. Check the status of the response in the modal at the top right

Vulnerability details

  1. Click on Vulnerability Encyclopedia
  2. Click on a CVE reference to access the details of this CVE
  3. Select the assets to send
  4. Click on the arrow to the right of the Ignore and comment button
  5. Click on the name of the integration in the drop-down menu
  6. Check the status of the response in the modal at the top right

Details of a compliance rule

  1. Click on Compliance rules
  2. Click on a compliance rule reference to access the details of this compliance rule
  3. Select the assets to send
  4. Click on the arrow to the right of the Check the assets button
  5. Click on the name of the integration in the drop-down menu
  6. Check the status of the response in the modal at the top right

Security issue details

  1. Click on Security issues
  2. Click on a security issue reference to access the details of this security issue.
  3. Select assets to send
  4. Click on the arrow to the right of the Ignore button
  5. Click on the name of the integration in the drop-down menu
  6. Check the status of the response in the modal at the top right
