
# CyCognito

This Integration is part of the CyCognito Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

The CyCognito integration fetches issues discovered by the CyCognito platform, thereby providing users with a view of their organization's internet-exposed attack surface. These issues include identification, prioritization, and recommendations for remediation of the risks faced by the organization. The integration contains commands to query assets and issues detected by the CyCognito platform, and includes a rich dashboard and layout with issue management capability. This integration was integrated and tested with CyCognito V1 API.

## Configure CyCognito in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API Key | The API Key required to authenticate to the service. | True |
| Incident type | Incident type to map if no classifier is provided. | False |
| Incident Mirroring Direction | The mirroring direction in which to mirror the incident. You can mirror only in (from CyCognito to XSOAR), out (from XSOAR to CyCognito), or in both directions. | False |
| Fetch incidents | Indicates whether to fetch incidents from the instance. | False |
| First Fetch Time | The date or relative timestamp from which to begin fetching incidents. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z | False |
| Max Fetch | The maximum number of incidents to fetch every time. The maximum value is '1000'. | False |
| Issue Type | The type of issue to fetch. By default, all types of issues will be fetched. Multiple selection is supported. | False |
| Locations | Filters incidents according to the geographic locations in which the issue is found. Multiple selection is supported. | False |
| Severity | The severity levels of the issues to fetch from CyCognito. By default, all severity levels will be fetched. Multiple selection is supported. | False |
| Investigation Status | The investigation status of the issues to fetch from CyCognito. By default, it fetches uninvestigated issues. | False |
| Advanced Filter | Applies a filter to the list of issues based on a JSON-specific query. Format: `[{"field": "issue-type", "op": "in", "values": ["Unsafe Authentication", "Vulnerable Software"]}, {"op": "not-in", "field": "severity-score", "values": [10, 9]}]`. Note: When using several filtering options (e.g., 'Issue Type' and 'Advanced Filter'), the Advanced Filter parameters take precedence over the other parameters. For a complete reference to the CyCognito fields and operations, refer to the CyCognito API V0 documentation at https://docs.cycognito.com/reference/query-issues | False |
| Trust any certificate (not secure) | Indicates whether to allow connections without verifying the SSL certificate's validity. | False |
| Use system proxy settings | Indicates whether to use XSOAR's system proxy settings to connect to the API. | False |
| Incidents Fetch Interval | Time interval for fetching incidents. | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cycognito-issue-get

Retrieves information about an issue associated with a particular instance based on the provided issue instance ID.

#### Base Command

`cycognito-issue-get`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_instance_id | Unique issue ID of the instance. Example: 0.0.0.0-cyc-auth-default-credentials, example.com-cyc-sql-injection, 0.0.0.0-cyc-exposed-bucket-with-data. Note: Users can retrieve the list of issue instance IDs by executing the "cycognito-issues-list" command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Issue.id | String | Unique ID of the issue. |
| CyCognito.Issue.references | Unknown | Issue reference. |
| CyCognito.Issue.potential_threat | String | The threat that the issue might cause. |
| CyCognito.Issue.tags | Unknown | Tags of the issue. |
| CyCognito.Issue.organizations | Unknown | Organizations of the instance. |
| CyCognito.Issue.issue_id | String | Unique ID of the issue. |
| CyCognito.Issue.summary | String | A brief description that summarizes the issue. |
| CyCognito.Issue.resolved_at | String | Date/time when the issue was resolved. |
| CyCognito.Issue.investigation_status | String | Investigation status of the issue. |
| CyCognito.Issue.locations | Unknown | The geographic location of the instance. |
| CyCognito.Issue.detection_complexity | String | Measures the difficulty at which a vulnerable asset can be detected by a potential attacker. |
| CyCognito.Issue.title | String | Title of the issue. |
| CyCognito.Issue.exploitation_score | Number | Exploitation score of the issue. |
| CyCognito.Issue.issue_type | String | Type of the issue. |
| CyCognito.Issue.comment | String | Comment associated with the issue. |
| CyCognito.Issue.severity | String | Severity of the issue. |
| CyCognito.Issue.remediation_steps | Unknown | A list of actions that describe how to resolve the issue. |
| CyCognito.Issue.potential_impact | Unknown | A list of categories that describe what might happen if the issue is exploited. |
| CyCognito.Issue.exploitation_method | String | Exploitation method of the issue. |
| CyCognito.Issue.affected_asset | String | The unique ID of the asset with which the issue is associated. |
| CyCognito.Issue.severity_score | Number | The numeric severity of the issue, in the range of 0 (not severe) through 10 (severe). |
| CyCognito.Issue.last_detected | Date | The time at which the issue was last detected. |
| CyCognito.Issue.first_detected | Date | The time at which the issue was first detected. |
| CyCognito.Issue.issue_status | String | Status of the issue found. |
| CyCognito.Issue.evidence | Unknown | Provides a reason or proof of why the issue was indeed detected by CyCognito. |

#### Command example

```
!cycognito-issue-get issue_instance_id=127.0.0.1-cve-2019-00000
```

#### Context Example

{
"CyCognito": {
"Issue": {
"affected_asset": "ip/127.0.0.1",
"detection_complexity": "Service Detection",
"exploitation_method": "Metasploit",
"exploitation_score": 3,
"first_detected": "2022-03-31T03:39:22.568Z",
"id": "127.0.0.1-cve-2019-00000",
"investigation_status": "investigating",
"issue_id": "CVE-2019-00000",
"issue_status": "new",
"issue_type": "Vulnerable Software",
"last_detected": "2022-03-31T03:39:22.568Z",
"locations": [
"IND"
],
"organizations": [
"Acme Interior Design",
"Acme Corporation"
],
"potential_impact": [
"Loss of integrity",
"Loss of confidentiality",
"Data compromise"
],
"references": [],
"remediation_steps": [
"Patch the Pulse Secure VPN to the latest version."
],
"severity": "critical",
"severity_score": 10,
"summary": "| The Pulse Secure VPN has been confirmed to be vulnerable to an arbitrary file reading vulnerability. | Unauthenticated remote attackers can send the asset a specially crafted URI and thereby access arbitrary sensitive files. | Attackers can leverage the harvested information to perform further attacks.",
"tags": [
"Vulnerable Software",
"Pulse Secure",
"network vulnerabilities"
],
"potential_threat": "Information Disclosure",
"title": "Pulse Secure Arbitrary File Reading"
}
}
}

#### Human Readable Output

##### Issue detail:

###### ID: 127.0.0.1-test

| Title | Affected Asset | Detection Complexity | Investigation Status | Exploitation Score | First Detected | Last Detected | Organizations | Locations | Potential Threat | Severity | Issue Type | Issue Status | Remediation Steps | Potential Impact | Tags | Summary | Link to Platform |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Pulse Secure Arbitrary File Reading | ip/127.0.0.1 | Service Detection | investigating | 3 | 31 Mar 2022, 03:39 AM | 31 Mar 2022, 03:39 AM | Acme Interior Design, Acme Corporation | India | Information Disclosure | critical | Vulnerable Software | new | Patch the Pulse Secure VPN to the latest version. | Loss of integrity, Loss of confidentiality, Data compromise | Vulnerable Software, Pulse Secure, network vulnerabilities | The Pulse Secure VPN has been confirmed to be vulnerable to an arbitrary file reading vulnerability. Unauthenticated remote attackers can send the asset a specially crafted URI and thereby access arbitrary sensitive files. Attackers can leverage the harvested information to perform further attacks. | Click Here |

### cycognito-asset-get

Retrieves information about a specific asset according to the specified asset type and asset ID.

#### Base Command

`cycognito-asset-get`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_type | The type of asset. Supported values: 'ip', 'domain', 'cert', 'webapp', 'iprange' | Required |
| asset_id | The unique asset identifier. Note: The asset ID value can be found by executing the "cycognito-assets-list" command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Asset.alive | Boolean | Whether the port is alive or not. |
| CyCognito.Asset.comment | String | Comment associated with the asset. |
| CyCognito.Asset.id | String | Unique identifier of the asset. Note: The asset ID is derived from the asset_id input field. |
| CyCognito.Asset.type | String | The type of asset. |
| CyCognito.Asset.business_units | Unknown | The business units of the asset. |
| CyCognito.Asset.signature | String | The identifier of the certificate. |
| CyCognito.Asset.closed_ports.status | String | Status of the closed ports object associated with the asset. |
| CyCognito.Asset.closed_ports.port | Number | Port of the closed ports object associated with the asset. |
| CyCognito.Asset.closed_ports.protocol | String | Protocol associated with the asset. |
| CyCognito.Asset.created | Date | Creation time of the asset. |
| CyCognito.Asset.domain | String | Domain of the asset. |
| CyCognito.Asset.domains | Unknown | List of domains associated with the asset. |
| CyCognito.Asset.domain_names | Unknown | List of domain names associated with the asset. |
| CyCognito.Asset.expiration | Date | The date and time at which the asset expires. |
| CyCognito.Asset.first_seen | Date | The time and date at which the asset was first discovered. |
| CyCognito.Asset.hosting_type | String | Hosting type of the asset. |
| CyCognito.Asset.ip | String | IP address of the asset. |
| CyCognito.Asset.ip_addresses | Unknown | IP name of the asset. |
| CyCognito.Asset.issuer_alt_names | Unknown | List of alternative names of the issuers. |
| CyCognito.Asset.issuer_common_name | String | Common name of the Issuer. |
| CyCognito.Asset.issuer_country | String | Country of the issuer. |
| CyCognito.Asset.issuer_locality | String | Locality of the issuer. |
| CyCognito.Asset.issuer_organization | String | The issuer's organization. |
| CyCognito.Asset.issuer_organization_unit | String | The issuer's organization unit. |
| CyCognito.Asset.issuer_state | String | The state of the issuer. |
| CyCognito.Asset.issues_count | Number | Count of the issues. |
| CyCognito.Asset.last_seen | Date | The time and date at which the asset was last seen. |
| CyCognito.Asset.locations | Unknown | Location of the asset. |
| CyCognito.Asset.open_ports.status | String | Status of the open ports object associated with the asset. |
| CyCognito.Asset.open_ports.port | Number | Port of the open ports object associated with the asset. |
| CyCognito.Asset.open_ports.protocol | String | Protocol associated with the asset. |
| CyCognito.Asset.organizations | Unknown | Organizations of the asset. |
| CyCognito.Asset.status | String | Status of the asset. |
| CyCognito.Asset.security_grade | String | Security rating of the asset. |
| CyCognito.Asset.severe_issues | Number | The number of severe issues associated with the asset. |
| CyCognito.Asset.signature_algorithm | String | Signature algorithm of the asset. |
| CyCognito.Asset.sub_domains | Unknown | Subdomains of the asset. |
| CyCognito.Asset.subject_alt_names | Unknown | List of alternate subject names. |
| CyCognito.Asset.subject_common_name | String | Common name of the subject. |
| CyCognito.Asset.subject_country | String | Subject's country. |
| CyCognito.Asset.subject_locality | String | Locality of the subject. |
| CyCognito.Asset.subject_organization | String | Subject's Organization. |
| CyCognito.Asset.subject_organization_unit | String | The organization unit of the subject. |
| CyCognito.Asset.subject_state | String | State of the subject. |
| CyCognito.Asset.tags | Unknown | Tags of the asset. |
| CyCognito.Asset.dynamically_resolved | String | Whether the asset has a rotating IP address. |
| CyCognito.Asset.investigation_status | String | Investigation status of the asset. |
| CyCognito.Asset.discoverability | String | Quantifies an asset's level of exposure. |

#### Command example

```
!cycognito-asset-get asset_type=ip asset_id=127.0.0.1
```

#### Context Example

{
"CyCognito": {
"Asset": {
"alive": true,
"closed_ports": [
{
"port": 8080,
"protocol": "tcp",
"status": "closed"
},
{
"port": 102,
"protocol": "tcp",
"status": "closed"
},
{
"port": 445,
"protocol": "tcp",
"status": "closed"
},
{
"port": 161,
"protocol": "tcp",
"status": "closed"
},
{
"port": 4040,
"protocol": "tcp",
"status": "closed"
},
{
"port": 7070,
"protocol": "tcp",
"status": "closed"
},
{
"port": 1723,
"protocol": "tcp",
"status": "closed"
}
],
"comment": {
"content": "A grade",
"last_update": "2022-05-06T05:19:05.931Z"
},
"dynamically_resolved": "no",
"first_seen": "2022-01-20T03:58:36.696Z",
"hosting_type": "owned",
"id": "127.0.0.1",
"investigation_status": "investigated",
"ip": "127.0.0.1",
"issues_count": 1,
"last_seen": "2022-03-31T03:39:22.568Z",
"locations": [
"IND"
],
"open_ports": [
{
"port": 9999,
"protocol": "tcp",
"status": "open"
},
{
"port": 2000,
"protocol": "tcp",
"status": "open"
}
],
"organizations": [
"Acme Interior Design",
"Acme Corporation"
],
"security_grade": "B",
"severe_issues": 0,
"status": "new",
"tags": [
"Gateways",
"ACME"
],
"type": "ip"
}
}
}

#### Human Readable Output

##### Asset Details:

| Asset ID | Asset Type | Hosting Type | Alive | Locations | First Seen | Last Seen | Status | Security Grade | Tags | Organizations | Severe Issues | Investigation Status | Open Ports |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 127.0.0.1 | ip | owned | true | India | 20 Jan 2022, 03:58 AM | 31 Mar 2022, 03:39 AM | new | B | Gateways, ACME | Acme Interior Design, Acme Corporation | 0 | investigated | TCP - 9999, TCP - 2000 |

### cycognito-asset-investigation-status-change

Modifies the investigation status of the specified asset.

#### Base Command

`cycognito-asset-investigation-status-change`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_type | The type of asset. Supported values: 'ip', 'domain', 'cert', 'webapp', 'iprange' | Required |
| asset_id | The unique asset identifier. Note: The asset ID value can be found by executing the "cycognito-assets-list" command. | Required |
| investigation_status | The investigation status of the asset. Supported values: 'uninvestigated', 'investigating', 'investigated'. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Asset.type | String | The type of the asset. |
| CyCognito.Asset.id | String | Unique identifier of the asset. Note: The asset ID is derived from the asset_id input field. |
| CyCognito.Asset.investigation_status | String | Investigation status of the asset. |
| CyCognito.Asset.action_status | String | Whether the status update is successful or failed. |

#### Command example

```
!cycognito-asset-investigation-status-change asset_type=ip asset_id=127.0.0.1 investigation_status=investigated
```

#### Context Example

{
"CyCognito": {
"Asset": {
"action_status": "Success",
"asset_type": "ip",
"id": "127.0.0.1",
"investigation_status": "investigated"
}
}
}

#### Human Readable Output

##### Investigation Status has been successfully updated for 127.0.0.1

| Asset Type | Asset ID | Investigation Status | Action Status |
| --- | --- | --- | --- |
| ip | 127.0.0.1 | investigated | Success |

### cycognito-issue-investigation-status-change

Modifies the investigation status of the specified issue.

#### Base Command

`cycognito-issue-investigation-status-change`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_instance_id | The unique issue ID of the instance whose investigation status is to be changed. Example: 0.0.0.0-cyc-auth-default-credentials, example.com-cyc-sql-injection, 0.0.0.0-cyc-exposed-bucket-with-data. Note: Users can retrieve the list of issue instance IDs by executing the "cycognito-issues-list" command. | Required |
| investigation_status | The investigation status of the issue. Supported values: 'uninvestigated', 'investigating', 'investigated' | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Issue.id | String | Unique ID of the issue. |
| CyCognito.Issue.investigation_status | String | Investigation status of the issue. |
| CyCognito.Issue.action_status | String | Whether the update is successful or failed. |

#### Command example

```
!cycognito-issue-investigation-status-change issue_instance_id=127.0.0.1-cve-2019-00000 investigation_status=investigated
```

#### Context Example

{
"CyCognito": {
"Issue": {
"action_status": "Success",
"id": "127.0.0.1-cve-2019-00000",
"investigation_status": "investigated"
}
}
}

#### Human Readable Output

##### Investigation Status has been successfully updated for 127.0.0.1-cve-2019-00000

| Issue ID | Investigation Status | Action Status |
| --- | --- | --- |
| 127.0.0.1-cve-2019-00000 | investigated | Success |

### cycognito-issues-list

Retrieves the list of the issues that meet the specified filter criteria.

#### Base Command

`cycognito-issues-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| count | The number of results to retrieve. Maximum value is '1000'. Default is 50. | Optional |
| offset | Sets the starting index for the returned results. By specifying offset, you retrieve a subset of records starting with the offset value. Note: If a negative value is provided, the default value of 0 is used. Default is 0. | Optional |
| search | An Advanced Search parameter to query the response. Note: Retrieves all the occurrences that are included in the string. | Optional |
| first_detected | The date and time at which CyCognito first discovered and attributed the asset to the organization. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z | Optional |
| last_detected | The date and time at which CyCognito most recently attributed the asset to the organization. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z | Optional |
| organizations | Filters the issues according to the provided organizations. Supports comma-separated values. | Optional |
| locations | The geographical locations in which the issue is found. Supported values are the three-letter ISO country codes of the respective countries, e.g., IND, USA. | Optional |
| issue_type | Filters the records according to the issue type. Supports comma-separated values. Supported values: "Abandoned Asset", "Certificate Validity", "Cryptographic Vulnerability", "E-mail Security", "Exposed Asset", "Exposed Data", "Exposed Dev Environment", "Information Gathering", "Phishing Threat", "Potential Imposter Asset", "Security Hygiene", "Unmaintained Asset", "Unsafe Authentication", "Vulnerable Software", "Weak Encryption", "XSS" | Optional |
| sort_by | The name of the field by which to sort the results. The response fields available for sorting the data are found in the following documentation: https://docs.cycognito.com/reference/reference-getting-started. | Optional |
| sort_order | Specifies whether to sort the results in either ascending or descending order. Supported values: 'asc', 'desc' | Optional |
| advanced_filter | Applies a filter to the list of issues based on a JSON-specific query. Format: `[{"field": "issue-type", "op": "in", "values": ["Unsafe Authentication", "Vulnerable Software"]}, {"op": "not-in", "field": "severity-score", "values": [10, 9]}]`. Note: When using several filtering options (e.g., 'issue_type' and 'advanced_filter'), the advanced_filter parameters take precedence over the other parameters. For a complete reference to the CyCognito fields and operations, refer to the CyCognito API V0 documentation at https://docs.cycognito.com/reference/query-issues. | Optional |
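As an added example (not part of the integration's own code), the following Python builds a query description from cycognito-issues-list arguments by applying the rules the table states: the count limit and default, the negative-offset fallback, the relative and absolute time formats, the comma-separated list arguments, and the precedence of advanced_filter over the simpler arguments; the same rules govern the Advanced Filter instance parameter in the configuration table. The filter field names 'locations' and 'organizations', the 30-day month and 365-day year used for relative times, and the sample arguments are assumptions of this example, and the date bounds are returned as normalized yyyy-mm-ddTHH:MM:SSZ strings rather than mapped to a CyCognito operator.

```python
import json
import re
from datetime import datetime, timedelta, timezone

MAX_COUNT = 1000      # documented maximum for 'count'
DEFAULT_COUNT = 50    # documented default for 'count'

# Comma-separated arguments and the CyCognito field each one filters on.
# 'issue-type' is taken from the page's advanced_filter example; 'locations'
# and 'organizations' as field names are assumptions of this example.
SIMPLE_FILTER_FIELDS = {
    "issue_type": "issue-type",
    "locations": "locations",
    "organizations": "organizations",
}

_RELATIVE = re.compile(r"^\s*(\d+)\s*(minute|hour|day|week|month|year)s?\s*$", re.I)
_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 7 * 86400,
            "month": 30 * 86400, "year": 365 * 86400}   # month/year approximated
_ABSOLUTE = ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ", "%d %b %Y", "%d %b %Y %H:%M:%S")


def parse_time(value, now=None):
    """Convert a documented time expression ('2 days', '2022-04-17T14:05:44Z',
    '01 Feb 2021 04:45:33', ...) into an aware UTC datetime.

    Relative forms are subtracted from `now` (default: the current UTC time).
    """
    now = now or datetime.now(timezone.utc)
    m = _RELATIVE.match(value)
    if m:
        return now - timedelta(seconds=int(m.group(1)) * _SECONDS[m.group(2).lower()])
    for fmt in _ABSOLUTE:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {value!r}")


def to_api_time(dt):
    """Render a datetime in the yyyy-mm-ddTHH:MM:SSZ form used on the page."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _validate_advanced(entries):
    """Check that the advanced_filter JSON has the [{field, op, values}, ...] shape."""
    if not isinstance(entries, list):
        raise ValueError("advanced_filter must be a JSON list of filter objects")
    for entry in entries:
        if not isinstance(entry, dict) or any(k not in entry for k in ("field", "op", "values")):
            raise ValueError(f"filter object needs field, op and values: {entry!r}")
        if not isinstance(entry["values"], list):
            raise ValueError(f"'values' must be a list in {entry!r}")
    return entries


def build_issue_query(args, now=None):
    """Turn cycognito-issues-list arguments into a normalized query description.

    Returns {'count', 'offset', 'filters', 'first_detected', 'last_detected'}.
    'filters' is a list of {field, op, values} objects in the advanced_filter
    format; an advanced_filter entry replaces any simple filter on the same
    field, which is the precedence rule the page states. Date bounds are
    returned as API-format strings (mapping them to an operator is left out).
    """
    count = int(args.get("count", DEFAULT_COUNT))
    if not 1 <= count <= MAX_COUNT:
        raise ValueError(f"count must be between 1 and {MAX_COUNT}")
    offset = max(int(args.get("offset", 0)), 0)   # negative offset falls back to 0

    filters = [{"field": field, "op": "in", "values": _csv(args[arg])}
               for arg, field in SIMPLE_FILTER_FIELDS.items() if args.get(arg)]

    if args.get("advanced_filter"):
        advanced = _validate_advanced(json.loads(args["advanced_filter"]))
        overridden = {entry["field"] for entry in advanced}
        filters = [f for f in filters if f["field"] not in overridden] + advanced

    query = {"count": count, "offset": offset, "filters": filters}
    for arg in ("first_detected", "last_detected"):
        query[arg] = to_api_time(parse_time(args[arg], now)) if args.get(arg) else None
    return query
```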

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Issue.id | String | Unique ID of the issue. |
| CyCognito.Issue.references | Unknown | Reference of the issue. |
| CyCognito.Issue.potential_threat | String | The threat that the issue might cause. |
| CyCognito.Issue.tags | Unknown | Tags of the issue. |
| CyCognito.Issue.organizations | Unknown | Organizations of the instance. |
| CyCognito.Issue.issue_id | String | Unique ID of the issue. |
| CyCognito.Issue.summary | String | A brief description that summarizes the issue. |
| CyCognito.Issue.resolved_at | String | Date/time when the issue was resolved. |
| CyCognito.Issue.investigation_status | String | Investigation status of the issue. |
| CyCognito.Issue.locations | Unknown | The geographic location of the instance. |
| CyCognito.Issue.detection_complexity | String | Measures the difficulty at which a vulnerable asset can be detected by a potential attacker. |
| CyCognito.Issue.title | String | Title of the issue. |
| CyCognito.Issue.exploitation_score | Number | Exploitation score of the issue. |
| CyCognito.Issue.issue_type | String | Type of the issue. |
| CyCognito.Issue.comment | String | Comment associated with the issue. |
| CyCognito.Issue.severity | String | Severity of the issue. |
| CyCognito.Issue.remediation_steps | Unknown | A list of actions that describe how to resolve the issue. |
| CyCognito.Issue.potential_impact | Unknown | A list of categories that describe what might happen if the issue is exploited. |
| CyCognito.Issue.exploitation_method | String | Exploitation method of the issue. |
| CyCognito.Issue.affected_asset | String | The unique ID of the asset with which the issue is associated. |
| CyCognito.Issue.severity_score | Number | The numeric severity of the issue, in the range of 0 (not severe) through 10 (severe). |
| CyCognito.Issue.last_detected | Date | The time at which the issue was last detected. |
| CyCognito.Issue.first_detected | Date | The time at which the issue was first detected. |
| CyCognito.Issue.issue_status | String | Status of the issue found. |
| CyCognito.Issue.evidence | Unknown | Provides a reason or proof of why the issue was indeed detected by CyCognito. |

#### Command example

```
!cycognito-issues-list count=2
```

#### Context Example

{
"CyCognito": {
"Issue": [
{
"affected_asset": "ip/127.0.0.1",
"detection_complexity": "Service Detection",
"exploitation_method": "Metasploit",
"exploitation_score": 3,
"first_detected": "2022-03-31T03:39:22.568Z",
"id": "issue/127.0.0.1-cve-2019-00000",
"investigation_status": "investigating",
"issue_id": "CVE-2019-00000",
"issue_status": "new",
"issue_type": "Vulnerable Software",
"last_detected": "2022-03-31T03:39:22.568Z",
"locations": [
"USA"
],
"organizations": [
"ACME Ticketing",
"ACME Cleantech Solutions",
"Acme Holdings"
],
"potential_impact": [
"Loss of integrity",
"Loss of confidentiality",
"Loss of availability",
"Data compromise",
"Network breach"
],
"references": [],
"remediation_steps": [
"Patch the NetScaler to the latest version.",
"If a patch is not feasible, perform \"work-around\" mitigations per Citrix's instructions."
],
"severity": "critical",
"severity_score": 10,
"summary": "| The NetScaler has been confirmed to be vulnerable to CVE-2019-00000 (first made public in December 2019). | Due to improper handling of the path names, CVE-2019-00000 enables attackers to perform directory traversal and unauthenticated, remote arbitrary code execution via specially crafted HTTP requests. | As NetScalers serve as entry-points to organization networks, attackers can exploit this vulnerability to breach organization networks and leverage the NetScaler for further attacks. | This vulnerability has been exploited \"in the wild\" by unknown attackers.",
"tags": [
"Pulse Secure"
],
"potential_threat": "Remote Code Execution",
"title": "CVE-2019-00000 (Unauthenticated Remote Directory Traversal & Code Execution)"
},
{
"affected_asset": "ip/127.0.0.2",
"comment": {
"content": "hello",
"last_update": "2022-06-14T06:42:20.952Z"
},
"detection_complexity": "Handshake",
"exploitation_method": "Man-in-the-Middle",
"exploitation_score": 4,
"first_detected": "2022-03-20T18:48:33.528Z",
"id": "issue/127.0.0.2-cyc-tls-hsts-dummy",
"investigation_status": "investigating",
"issue_id": "CYC-TLS-HSTS-DUMMY",
"issue_status": "new",
"issue_type": "Cryptographic Vulnerability",
"last_detected": "2022-03-20T18:48:33.528Z",
"locations": [
"USA"
],
"organizations": [
"Acme Homes"
],
"potential_impact": [
"Loss of integrity",
"Loss of confidentiality"
],
"remediation_steps": [
"Enable an HSTS policy of at least 180 days."
],
"severity": "critical",
"severity_score": 10,
"summary": "The server's HSTS policy is either too short or non-existent. | HTTP Strict Transport Security is an optional HTTP header that instructs browsers to only communicate with the server using HTTPS (and not HTTP) for a certain period of time, thus helping prevent \"SSL-stripping\" attacks.",
"potential_threat": "Trust",
"title": "Insecure HSTS"
}
]
}
}

#### Human Readable Output

##### Issues:

| ID | Title | Severity Score | Severity | Issue Type | Issue Status | Organizations | Investigation Status | First Detected | Last Detected | Locations |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 127.0.0.1-cve-2019-00000 | Pulse Secure Arbitrary File Reading | 10.0 | critical | Vulnerable Software | new | Acme Interior Design, Acme Corporation | investigating | 31 Mar 2022, 03:39 AM | 31 Mar 2022, 03:39 AM | India |
| 127.0.0.2-cve-2019-00000 | CVE-2019-00000 (Unauthenticated Remote Directory Traversal & Code Execution) | 10.0 | critical | Vulnerable Software | new | ACME Ticketing, ACME Cleantech Solutions, Acme Holdings | uninvestigated | 31 Mar 2022, 03:39 AM | 31 Mar 2022, 03:39 AM | United States |

### cycognito-assets-list

Retrieves the list of assets that meet the specified filter criteria.

#### Base Command

`cycognito-assets-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_type | The type of asset. Supported values: 'ip', 'domain', 'cert', 'webapp', 'iprange' | Required |
| count | The number of results to be retrieved in a response. Maximum value is '1000'. Default is 50. | Optional |
| offset | Sets the starting index for the returned results. By specifying offset, you retrieve a subset of records starting with the offset value. Note: If a negative value is provided, the default value of 0 is used. Default is 0. | Optional |
| search | An Advanced Search parameter to query the response. Note: Retrieves all the occurrences that are included in the string. | Optional |
| status | Filters the assets according to the selected status. Supports comma-separated values. Supported values: 'changed', 'new', 'normal' | Optional |
| organizations | Filters the assets according to the provided organizations. Supports comma-separated values. | Optional |
| security_grade | Filters the assets according to the provided security ratings. Supports comma-separated values. Supported values: 'A', 'B', 'C', 'D', 'F', where A = Very strong, B = Strong, C = Less vulnerable, D = Vulnerable, F = Highly vulnerable. | Optional |
| locations | The geographical locations in which the asset is found. Supported values are the three-letter ISO country codes of the respective countries, e.g., IND, USA. Locations are available only for IP, Domain, and Certificate asset types. | Optional |
| first_seen | The date and time at which CyCognito first discovered and attributed the asset to the organization. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z | Optional |
| last_seen | The date and time at which CyCognito most recently attributed the asset to the organization. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z | Optional |
| sort_by | Specifies the field by which to sort. Note: The response fields available for sorting the data are found in the following documentation: https://docs.cycognito.com/reference/query-assets. | Optional |
| sort_order | Specifies whether to sort the results in either ascending or descending order. Supported values: 'asc', 'desc'. Default is desc. | Optional |
| advanced_filter | Applies a filter to the list of assets based on a JSON-specific query. Format: `[{"field": "status", "op": "in", "values": ["new", "changed"]}, {"op": "not-in", "field": "security-rating", "values": ["A"]}]`. Note: For a complete reference to the CyCognito fields and operations, refer to the CyCognito API V0 documentation at https://docs.cycognito.com/reference/query-assets. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyCognito.Asset.alive | Boolean | Whether the port is alive or not. |
| CyCognito.Asset.comment | String | Comments related to the asset. |
| CyCognito.Asset.id | String | Unique identifier of the asset. Note: The asset ID is derived from the asset_id input field. |
| CyCognito.Asset.type | String | Type of the asset. |
| CyCognito.Asset.business_units | Unknown | Business units of the asset. |
| CyCognito.Asset.signature | String | The identifier of the certificate. |
| CyCognito.Asset.closed_ports.status | String | Status of the closed ports object associated with the asset. |
| CyCognito.Asset.closed_ports.port | Number | Port of the closed ports object associated with the asset. |
| CyCognito.Asset.closed_ports.protocol | String | Protocol associated with the asset. |
| CyCognito.Asset.created | Date | Date and time at which the asset was created. |
| CyCognito.Asset.domain | String | Domain name of the asset. |
| CyCognito.Asset.domains | Unknown | Domain of the asset. |
| CyCognito.Asset.domain_names | Unknown | List of domain names associated with the asset. |
| CyCognito.Asset.expiration | Date | Date and time at which the asset expires. |
| CyCognito.Asset.first_seen | Date | Time at which an asset was first discovered and attributed to the organization. |
| CyCognito.Asset.hosting_type | String | Hosting type of the asset. |
| CyCognito.Asset.investigation_status | String | Investigation status of the asset. |
| CyCognito.Asset.ip | String | IP of the asset. |
| CyCognito.Asset.ip_addresses | Unknown | List of IPs associated with the asset. |
| CyCognito.Asset.issuer_alt_names | Unknown | List of alternate issuer names. |
| CyCognito.Asset.issuer_common_name | String | Common name of the Issuer. |
| CyCognito.Asset.issuer_country | String | Country of the issuer. |
| CyCognito.Asset.issuer_locality | String | Locality of the issuer. |
| CyCognito.Asset.issuer_organization | String | Organization of the issuer. |
| CyCognito.Asset.issuer_organization_unit | String | The organization unit of the issuer. |
| CyCognito.Asset.issuer_state | String | State of the issuer. |
| CyCognito.Asset.issues_count | Number | Count of issues associated with the asset. |
| CyCognito.Asset.last_seen | Date | Time at which an asset was discovered and attributed to the organization. |
| CyCognito.Asset.locations | Unknown | List of geographic locations with which an asset might be associated. |
| CyCognito.Asset.open_ports.status | String | Status of the open ports object associated with the asset. |
| CyCognito.Asset.open_ports.port | Number | Port of the open ports object associated with the asset. |
| CyCognito.Asset.open_ports.protocol | String | Protocol associated with the asset. |
| CyCognito.Asset.organizations | Unknown | List of organizations associated with the asset. |
| CyCognito.Asset.status | String | Last status of the asset. |
| CyCognito.Asset.security_grade | String | Security rating of the asset based on the number and severity of the associated issues. |
| CyCognito.Asset.severe_issues | Number | The number of severe issues associated with the asset. |
| CyCognito.Asset.signature_algorithm | String | Signature algorithm associated with the asset. |
| CyCognito.Asset.sub_domains | Unknown | List of subdomains associated with the asset. |
| CyCognito.Asset.subject_alt_names | Unknown | List of alternate subject names. |
| CyCognito.Asset.subject_common_name | String | Common name of the subject. |
| CyCognito.Asset.subject_country | String | Subject's country. |
| CyCognito.Asset.subject_locality | String | Locality of the subject. |
| CyCognito.Asset.subject_organization | String | Subject's organization. |
| CyCognito.Asset.subject_organization_unit | String | The organization unit of the subject. |
| CyCognito.Asset.subject_state | String | State of the subject. |
| CyCognito.Asset.tags | Unknown | List of tags associated with the asset. |
| CyCognito.Asset.dynamically_resolved | String | Whether the asset has a rotating IP address. |
| CyCognito.Asset.discoverability | String | Quantifies an asset's level of exposure. |

#### Command example

```
!cycognito-assets-list asset_type=ip count=2
```

#### Context Example

{
"CyCognito": {
"Asset": [
{
"alive": true,
"closed_ports": [
{
"port": 6001,
"protocol": "tcp",
"status": "closed"
},
{
"port": 47808,
"protocol": "tcp",
"status": "closed"
},
{
"port": 5900,
"protocol": "tcp",
"status": "closed"
},
{
"port": 111,
"protocol": "tcp",
"status": "closed"
},
{
"port": 9200,
"protocol": "tcp",
"status": "closed"
},
{
"port": 11211,
"protocol": "tcp",
"status": "closed"
},
{
"port": 1723,
"protocol": "tcp",
"status": "closed"
}
],
"dynamically_resolved": "no",
"first_seen": "2022-03-23T12:36:17.808Z",
"hosting_type": "owned",
"id": "ip/127.0.0.1",
"investigation_status": "investigated",
"ip": "127.0.0.1",
"issues_count": 1,
"last_seen": "2022-03-31T03:39:22.568Z",
"locations": [
"MYS"
],
"open_ports": [
{
"port": 465,
"protocol": "tcp",
"status": "open"
},
{
"port": 993,
"protocol": "tcp",
"status": "open"
},
{
"port": 80,
"protocol": "tcp",
"status": "open"
},
{
"port": 53,
"protocol": "udp",
"status": "open"
}
],
"organizations": [
"Acme Corporation"
],
"security_grade": "F",
"severe_issues": 1,
"status": "new",
"tags": [
"Vulnerable Software",
"Red Hat"
],
"type": "ip"
},
{
"alive": true,
"closed_ports": [
{
"port": 3389,
"protocol": "tcp",
"status": "closed"
},
{
"port": 8888,
"protocol": "tcp",
"status": "closed"
},
{
"port": 110,
"protocol": "tcp",
"status": "closed"
},
{
"port": 548,
"protocol": "tcp",
"status": "closed"
},
{
"port": 23,
"protocol": "tcp",
"status": "closed"
},
{
"port": 11211,
"protocol": "tcp",
"status": "closed"
},
{
"port": 1723,
"protocol": "tcp",
"status": "closed"
}
],
"dynamically_resolved": "no",
"first_seen": "2022-03-23T12:27:04.354Z",
"hosting_type": "owned",
"id": "ip/127.0.0.2",
"investigation_status": "investigated",
"ip": "127.0.0.2",
"issues_count": 2,
"last_seen": "2022-03-31T03:39:22.568Z",
"locations": [
"MYS"
],
"open_ports": [
{
"port": 587,
"protocol": "tcp",
"status": "open"
},
{
"port": 21,
"protocol": "tcp",
"status": "open"
},
{
"port": 22,
"protocol": "tcp",
"status": "open"
},
{
"port": 465,
"protocol": "tcp",
"status": "open"
}
],
"organizations": [
"Acme Corporation"
],
"security_grade": "F",
"severe_issues": 1,
"status": "new",
"tags": [
"Block Cipher"
],
"type": "ip"
}
]
}
}

#### Human Readable Output

##### Asset List:

###### Assets Type: IP

| Asset ID | Security Grade | Status | Organizations | Investigation Status | Severe Issues | First Seen | Last Seen | Hosting Type | Locations |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 127.0.0.1 | F | new | Acme Corporation | investigated | 1 | 23 Mar 2022, 12:27 PM | 31 Mar 2022, 03:39 AM | owned | Malaysia |
| 127.0.0.2 | F | new | Acme Corporation | investigated | 1 | 23 Mar 2022, 12:27 PM | 31 Mar 2022, 03:39 AM | owned | Malaysia |
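The context examples above show two spellings for the same identifier: cycognito-issues-list returns "issue/127.0.0.1-cve-2019-00000" while cycognito-issue-get expects and returns "127.0.0.1-cve-2019-00000", and cycognito-assets-list and the issue's affected_asset use "ip/127.0.0.1" while cycognito-asset-get uses the bare "127.0.0.1" with a separate asset_type. The following Python, an added example that is not part of the integration, normalizes those references and derives the arguments for pivoting from a fetched issue to cycognito-asset-get and cycognito-issue-investigation-status-change; the CIDR spelling for iprange ids, the escalation threshold and the sample records are assumptions of this example.

```python
SUPPORTED_ASSET_TYPES = ("ip", "domain", "cert", "webapp", "iprange")   # from the page
INVESTIGATION_STATUSES = ("uninvestigated", "investigating", "investigated")
ESCALATION_SCORE = 9   # assumption of this example: severity_score at or above this is escalated


def split_asset_ref(value, asset_type=None):
    """Return (asset_type, asset_id) for a CyCognito asset reference.

    Accepts the prefixed form used by affected_asset and cycognito-assets-list
    ('ip/127.0.0.1') and the bare id returned by cycognito-asset-get
    ('127.0.0.1'), which then needs an explicit asset_type. The prefix is only
    honoured when it is a supported type, so an id that itself contains a slash
    (an iprange written as CIDR, an assumption here) is not split apart.
    """
    prefix, sep, rest = value.partition("/")
    if sep and prefix in SUPPORTED_ASSET_TYPES:
        if asset_type and asset_type != prefix:
            raise ValueError(f"asset_type {asset_type!r} contradicts the prefix in {value!r}")
        return prefix, rest
    if asset_type not in SUPPORTED_ASSET_TYPES:
        raise ValueError(f"unsupported or missing asset_type for {value!r}")
    return asset_type, value


def issue_instance_id(value):
    """Strip the 'issue/' prefix that cycognito-issues-list adds and cycognito-issue-get lacks."""
    return value[len("issue/"):] if value.startswith("issue/") else value


def asset_get_args(issue):
    """Arguments for cycognito-asset-get that pivot from an issue to its affected asset."""
    asset_type, asset_id = split_asset_ref(issue["affected_asset"])
    return {"asset_type": asset_type, "asset_id": asset_id}


def issue_status_change_args(issue, new_status):
    """Arguments for cycognito-issue-investigation-status-change, with the status validated."""
    if new_status not in INVESTIGATION_STATUSES:
        raise ValueError(f"unsupported investigation_status {new_status!r}")
    return {"issue_instance_id": issue_instance_id(issue["id"]),
            "investigation_status": new_status}


def triage(issues):
    """Select uninvestigated issues at or above ESCALATION_SCORE, most severe first,
    and return for each the follow-up command arguments (asset pivot and status change)."""
    ordered = sorted(issues, key=lambda i: (-i["severity_score"], -i.get("exploitation_score", 0)))
    actions = []
    for issue in ordered:
        if issue["investigation_status"] != "uninvestigated" or issue["severity_score"] < ESCALATION_SCORE:
            continue
        actions.append({"issue": issue_instance_id(issue["id"]),
                        "asset_get": asset_get_args(issue),
                        "status_change": issue_status_change_args(issue, "investigating")})
    return actions


# Constructed sample records modelled on the page's context examples (not real findings).
SAMPLE_ISSUES = [
    {"id": "issue/127.0.0.1-cve-2019-00000", "affected_asset": "ip/127.0.0.1",
     "severity_score": 10, "exploitation_score": 3, "investigation_status": "uninvestigated"},
    {"id": "issue/127.0.0.2-cyc-tls-hsts-dummy", "affected_asset": "ip/127.0.0.2",
     "severity_score": 10, "exploitation_score": 4, "investigation_status": "investigating"},
    {"id": "issue/example.com-cyc-sql-injection", "affected_asset": "domain/example.com",
     "severity_score": 7, "exploitation_score": 5, "investigation_status": "uninvestigated"},
]
```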