Integrations
Integrations let you send Cyberwatch data to a third-party system.
Creation of Integration
- Click on Administration
- Click on Integrations
- Click on Add
Complete the fields of the integration creation form:
- Integration template:
  - Microsoft Teams - Assets Information is a configuration template that allows you to send information about the vulnerabilities present on your assets to your Teams channel.
  - Microsoft Teams - Vulnerabilities Information is a configuration template that allows you to send information about CVEs.
  - Microsoft Teams - Patch Management* is a configuration template that allows you to send information about patches to be deployed on your assets.
- Integration protocol: protocol of the integration. The available protocols are:
  - HTTP hook to send HTTP REST requests
  - SMTP hook to send emails using the SMTP server configured in Administration > SMTP
- Name of the integration: integration name that will be displayed in the integration choice lists
- Location of the integration hook: location where the integration will be available. The available locations are:
  - Inventory
  - Asset details - Vulnerabilities tab
  - Asset details - Patch management tab
  - Asset details - Compliance tab
  - Asset details - Security issues tab
  - Vulnerability encyclopedia
  - Vulnerability details
  - Compliance rules encyclopedia
  - Compliance rule details
  - Security issues encyclopedia
  - Security issue details
  - Corrective actions
  - Corrective action details
  - None: concerns integrations available only for alerts.
- Integration template:
  For HTTP hook integrations:
  - URL of the request: URL to which the data will be sent.
  - Headers of the request: headers of the request in the form of a dictionary, for example:
    { "Accept-Charset": "utf-8", "Accept-Encoding": "gzip", "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0" }
  - Body of the request: body of the request containing the data to send. Supports Templating.
  - HTTP method of the request: choice of the HTTP method with which the request will be sent.
  - Use a self-signed certificate for this request: used to connect to a server that presents a self-signed certificate. Warning: Connecting to a self-signed server poses a risk that a third party can intercept traffic to the server via this certificate.
  - Use the proxy configuration for this request: uses the proxy configured in Cyberwatch.
  For SMTP hook integrations:
  - Recipient's email address.
  - Subject of the email. Supports Templating.
  - Content of the email: the message containing the data to send. Supports Templating.
- Save
If the fields have been correctly filled in, the integration will appear in the list of integrations.
To configure integrations using Teams, click here.
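As an added example that is not part of Cyberwatch's documentation, here is the receiving side of an HTTP hook configured with the headers shown above: the endpoint checks the Basic credentials in constant time, requires a JSON content type, and extracts the CVE codes from a body of the form { "cves": [{ "code": ... }] } (the shape produced by the json filter described under Templating). The expected credentials (the "Aladdin" / "open sesame" pair encoded in the sample header), the body shape and the function names are assumptions made for this example.

```python
import base64
import hmac
import json

# Constructed credential for this example: the sample header on this page,
# "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", is the base64 of "Aladdin:open sesame".
EXPECTED_USER = "Aladdin"
EXPECTED_PASSWORD = "open sesame"

def basic_auth_ok(authorization):
    """True only when the Authorization header carries the expected Basic credentials."""
    scheme, _, encoded = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    # Compare both parts in constant time, and do not short-circuit on the user name.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    password_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok and password_ok

def receive_hook(headers, body):
    """Validate one hook request (headers dict, raw body str); return (status, cve_codes)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if not basic_auth_ok(lower.get("authorization")):
        return 401, []
    content_type = lower.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return 415, []
    try:
        payload = json.loads(body)
        codes = [entry["code"] for entry in payload["cves"]]
    except (ValueError, KeyError, TypeError):
        return 400, []
    # Accept only well-formed CVE identifiers; anything else is rejected, not stored.
    if not all(isinstance(c, str) and c.startswith("CVE-") for c in codes):
        return 400, []
    return 200, codes
```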
Templating
Cyberwatch uses the Liquid templating engine for formatting the body of HTTP requests and emails. Its documentation is available at https://shopify.dev/docs/api/liquid.
The following Cyberwatch data variables are available:
Variable | Description | Example |
---|---|---|
asset | Relevant asset, for contexts where there is only one. Attributes: name (name of the asset), description (asset's description), cve_announcements_count (number of vulnerabilities of the asset), critical_cve_announcements_count (number of high-priority vulnerabilities of the asset), compliance_rules_count (number of compliance rules of the asset), compliance_rules_failed_count (number of failed compliance rules for the asset), compliance_rules_succeed_count (number of successful compliance rules for the asset), compliance_rules_anomalies_count (number of anomaly compliance rules of the asset), security_issues_count (number of security issues of the asset). | {{ asset.name }} ⇒ MY-PC.DOMAIN |
assets | List of the relevant assets. Attributes are the same as asset. | {{ assets | map: 'name' | join: ', ' }} ⇒ example-1.local, example-2.local |
cve | Relevant CVE, for contexts where there is only one. Attributes: code (reference of the CVE announcement), description (CVE description), score (CVSS score of the CVE), epss (EPSS score of the CVE). | {{ cve.code }} ⇒ CVE-2023-1234 |
cves | List of the relevant CVEs. Attributes are the same as cve. | {{ cves | map: 'code' | join: ', ' }} ⇒ CVE-2023-0001, CVE-2023-0002 |
technology | Relevant technology, for contexts where there is only one. Attributes: product (product name of the technology), target_title (title of the technology), target_version_string (target version of the technology), cve_announcements_count (number of vulnerabilities in the technology), critical_cve_announcements_count (number of high-priority vulnerabilities in the technology). | {{ technology.product }} ⇒ Google Chrome |
technologies | List of the relevant technologies. Attributes are the same as technology. | {{ technologies | map: 'product' | join: ', ' }} ⇒ linux, linux-firmware |
compliance_rule | Relevant compliance rule, for contexts where there is only one. Attributes: name (name of the compliance rule), description (description of the compliance rule), code (reference of the compliance rule), rationale (rationale of the compliance rule), audit (audit of the compliance rule), remediation (remediation of the compliance rule), require_sudo (whether the compliance rule requires admin rights), reference (reference of the compliance rule in the benchmark). | {{ compliance_rule.name }} ⇒ Ensure rsyslog service is enabled |
compliance_rules | List of the relevant compliance rules. Attributes are the same as compliance_rule. | {{ compliance_rules | map: 'code' | join: ', ' }} ⇒ CIS-AWS-1.4, CIS-AWS-1.20 |
security_issue | Relevant security issue, for contexts where there is only one. Attributes: sid (reference of the security issue), title (name of the security issue), description (description of the security issue). | {{ security_issue.title }} ⇒ TAA - TSX Asynchronous Abort |
security_issues | List of the relevant security issues. Attributes are the same as security_issue. | {{ security_issues | map: 'sid' | join: ', ' }} ⇒ WSTG-INPV-17, WSTG-ATHN-10 |
host | Relevant discovered asset, for contexts where there is only one. Attributes: hostname (host name of the discovered asset). | {{ host.hostname }} ⇒ bar.example.com |
hosts | List of the relevant discovered assets. Attributes are the same as host. | {{ hosts | map: 'hostname' | join: ', ' }} ⇒ bar.example.com, foo.example.com |
On top of the built-in Liquid filters, the json filter lets you format data as JSON. You can use it, for instance, to send a list of CVEs to an API with the body { "cves": {{ cves | json }} }. The list of CVEs will be rendered as a JSON array, for example { "cves": [{ "code": "CVE-2023-0001" }, { "code": "CVE-2023-0002" }] }.
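As an added illustration (not Cyberwatch's code), the following Python snippet renders the subset of Liquid syntax shown in the table above (dotted lookups, map, join and json) over a constructed sample context, and shows why string values placed inside a JSON body should pass through the json filter: a description containing a double quote otherwise breaks, or rewrites, the JSON structure the receiving API parses. The sample data and helper names are assumptions; the real Liquid engine supports far more than this subset.

```python
import json
import re

# Constructed sample context mirroring the variables in the table above (not real
# Cyberwatch output); the first description deliberately contains double quotes.
SAMPLE = {
    "asset": {"name": "MY-PC.DOMAIN", "critical_cve_announcements_count": 1},
    "cves": [
        {"code": "CVE-2023-0001", "description": 'Flaw in "libfoo" parser'},
        {"code": "CVE-2023-0002", "description": "Privilege escalation"},
    ],
}
TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")

def _apply(value, filt):
    """Apply one of the filters this page uses: map, join or json."""
    name, _, arg = filt.partition(":")
    name, arg = name.strip(), arg.strip().strip("'\"")
    if name == "map":
        return [item[arg] for item in value]
    if name == "join":
        return arg.join(str(v) for v in value)
    if name == "json":
        return json.dumps(value)
    raise ValueError(f"unsupported filter: {name}")

def render(template, ctx=SAMPLE):
    """Substitute every {{ path | filter | ... }} tag; other text is copied verbatim."""
    def substitute(match):
        path, *filters = (p.strip() for p in match.group(1).split("|"))
        value = ctx
        for part in path.split("."):  # dotted lookup, e.g. asset.name
            value = value[part]
        for filt in filters:
            value = _apply(value, filt)
        return str(value)
    return TAG.sub(substitute, template)

def renders_to_valid_json(template, ctx=SAMPLE):
    """True when the rendered request body is well-formed JSON."""
    try:
        json.loads(render(template, ctx))
        return True
    except json.JSONDecodeError:
        return False
```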
The following Cyberwatch alert variables are available:
Variable | Description |
---|---|
alert_name | Name of the alert that triggered the integration |
manage_link | Link to the alert edit page |
node_name | Name of the instance on which the alert was triggered |
node_url | Link to the instance on which the alert was triggered |
Edit an Integration
- Click on Administration
- Click on Integrations
- Click on the edit button (pencil icon) corresponding to the integration to edit
- Modify the desired fields in the form. The fields are completed with the values of the edited integration
- Save
Delete an Integration
- Click on Administration
- Click on Integrations
- Click on the delete button (trash icon) corresponding to the integration to delete
- Confirm
Test an Integration
- Click on Administration
- Click on Integrations
- Click on the test button (arrow icon) corresponding to the integration to test
- Check that a notification containing the state of the response appears, attesting to the connection with the server.
Use an Integration
The integrations can be used at different locations depending on the choice made in the creation/edition form:
Inventory
- Click on Inventory
- Select the assets to send
- Click on the Bulk actions button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Asset details - Vulnerabilities tab
- Click on Inventory
- Click on the name of the asset from which to send the data
- Click on the Vulnerabilities tab
- Select the vulnerabilities to send
- Click on the arrow to the right of the Ignore button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Asset details - Patch management tab
- Click on Inventory
- Click on the name of the asset from which to send the data
- Click on the Patch management tab
- Select the patches to send
- Click on the arrow to the right of the Schedule selected fixes button (or the Send the selection button in the case of an asset in "scan only" mode)
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Asset details - Compliance tab
- Click on Inventory
- Click on the name of the asset from which to send the data
- Click on the Compliance tab
- Select the patches to send
- Click on the Send the selection button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Asset details - Security issues tab
- Click on Inventory
- Click on the name of the asset from which to send the data
- Click on the Security issues tab
- Select the security issues to send
- Click on the arrow to the right of the Ignore button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Vulnerability encyclopedia
- Click on Vulnerabilities
- Select the vulnerabilities to send
- Click on the Bulk actions button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Vulnerability details
- Click on Vulnerabilities
- Click on a CVE reference to access the details of this CVE
- Select the assets to send
- Click on the arrow to the right of the Ignore button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Compliance rules encyclopedia
- Click on Compliance rules
- Select the compliance rules to send
- Click on the Bulk actions button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Details of a compliance rule
- Click on Compliance rules
- Click on a compliance rule reference to access the details of this compliance rule
- Select the assets to send
- Click on the arrow to the right of the Check the assets button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Security issues encyclopedia
- Click on Security issues
- Select the security issues to send
- Click on the Bulk actions button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Security issue details
- Click on Security issues
- Click on a security issue reference to access the details of this security issue
- Select the assets to send
- Click on the arrow to the right of the Ignore button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Corrective actions
- Click on Corrective actions
- Select the corrective actions to send
- Click on the Bulk actions button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right
Corrective action details
- Click on Corrective actions
- Click on a corrective action reference to access the details of this corrective action
- Select the assets to send
- Click on the arrow to the right of the Deploy button
- Click on the name of the integration in the drop-down menu
- Check the status of the response in the notification at the top right