# Cyberwatch

This Integration is part of the Cyberwatch Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Find, prioritize, and fix vulnerabilities on your IT & OT assets. This integration was integrated and tested with version 13.11 of Cyberwatch.

## Configure Cyberwatch on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cyberwatch.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Master scanner URL (e.g. https://192.168.0.1) | The Cyberwatch master scanner URL. | True |
API Access key | See the Cyberwatch documentation for instructions to generate the API access and secret keys. | True |
API Secret key | See the Cyberwatch documentation for instructions to generate the API access and secret keys. | True |
Trust any certificate (not secure) | Skip TLS certificate verification for the master scanner. Leave this unchecked unless the scanner's certificate cannot be validated by the XSOAR host: with it enabled, XSOAR cannot tell the real master scanner from an impostor answering at the same URL. | False |
Use system proxy settings | Route requests through the proxy configured on the XSOAR host. | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cyberwatch-list-cves

Get a list of CVEs from Cyberwatch.

#### Base Command

`cyberwatch-list-cves`

#### Input

Argument Name | Description | Required |
---|---|---|
exploit_code_maturity[] | Filter CVE announcements by exploit code maturity. Possible values are: undefined, unproven, proof_of_concept, functional, high. Multiple values can be provided with a comma, e.g. exploit_code_maturity[]=functional,high. | Optional |
access_vector[] | Filter CVE announcements by access vector. Possible values are: access_vector_physical, access_vector_local, access_vector_adjacent, access_vector_network. Multiple values can be provided with a comma, e.g. access_vector[]=access_vector_physical,access_vector_network. | Optional |
active | Filter CVE announcements that are active or not (true or false). Possible values are: true, false. | Optional |
level | Filter CVE announcements based on their level. Possible values are: level_unknown, level_none, level_low, level_medium, level_high, level_critical. | Optional |
ignored | Filter CVE announcements that are ignored or not (true or false). Possible values are: true, false. | Optional |
prioritized | Filter CVE announcements that are prioritized or not (true or false). Possible values are: true, false. | Optional |
technology_product | Filter CVE announcements with technology_product (CPE product field). | Optional |
technology_vendor | Filter CVE announcements with technology_vendor (CPE vendor field). | Optional |
groups[] | Filter CVE announcements with a list of groups. Multiple groups can be provided with comma, e.g. groups[]=GroupA,GroupB. | Optional |
page | Get a specific CVE announcements page. If not specified, get all CVEs. | Optional |
per_page | Specify the number of CVE per page. Default value 500. | Optional |
hard_limit | Specify the maximum number of results. This is useful to avoid memory issues on Cortex. Default value is 2000. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Cyberwatch.CVE.cve_code | string | CVE reference |
Cyberwatch.CVE.score | number | CVE score |
Cyberwatch.CVE.exploitable | boolean | CVE exploitability |
Cyberwatch.CVE.epss | number | CVE EPSS |
Cyberwatch.CVE.published | date | CVE publication date |
Cyberwatch.CVE.last_modified | date | CVE last modification date |
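The following Python is an added example, not code from the Cyberwatch integration or from Cyberwatch itself. It shows how the `page`, `per_page` and `hard_limit` arguments above interact when an automation walks the full CVE list, and how the `Cyberwatch.CVE` context fields (`score`, `epss`, `exploitable`) can drive a remediation ranking. `fake_fetch_page` is a hypothetical stand-in for one `cyberwatch-list-cves page=N per_page=M` call; the sample records reuse CVE codes, scores and EPSS values from the examples on this page, while the `exploitable` flags are assumed for illustration.

```python
from typing import Callable, Iterable

# Constructed sample records shaped like the Cyberwatch.CVE context output.
# Scores and EPSS values are those shown in the examples on this page; the
# `exploitable` flags are assumed and do not come from Cyberwatch.
SAMPLE_CVES = [
    {"cve_code": "CVE-2014-7552", "score": 5.4, "epss": 0.00049, "exploitable": False},
    {"cve_code": "CVE-2013-5021", "score": 9.3, "epss": 0.89796, "exploitable": False},
    {"cve_code": "CVE-2020-15683", "score": 9.8, "epss": 0.01033, "exploitable": False},
    {"cve_code": "CVE-2020-26950", "score": 8.8, "epss": 0.92391, "exploitable": True},
    {"cve_code": "CVE-2018-13382", "score": 9.1, "epss": 0.89131, "exploitable": True},
    {"cve_code": "CVE-2008-3259", "score": 1.2, "epss": 0.00042, "exploitable": False},
    {"cve_code": "CVE-2024-21762", "score": 9.8, "epss": 0.01842, "exploitable": True},
]


def fake_fetch_page(page: int, per_page: int) -> list[dict]:
    """Hypothetical stand-in for one `cyberwatch-list-cves page=N per_page=M` call."""
    start = (page - 1) * per_page
    return SAMPLE_CVES[start:start + per_page]


def collect_cves(fetch_page: Callable[[int, int], list[dict]],
                 per_page: int = 500, hard_limit: int = 2000) -> list[dict]:
    """Walk pages until a short (or empty) page signals the end of the list,
    but never keep more than `hard_limit` records in memory. The defaults
    mirror the documented per_page (500) and hard_limit (2000) values."""
    if per_page < 1 or hard_limit < 1:
        raise ValueError("per_page and hard_limit must be positive")
    collected: list[dict] = []
    page = 1
    while len(collected) < hard_limit:
        batch = fetch_page(page, per_page)
        if not batch:
            break
        # Truncate the batch so the cap is respected mid-page as well.
        collected.extend(batch[:hard_limit - len(collected)])
        if len(batch) < per_page:  # short page: nothing left on the server
            break
        page += 1
    return collected


def triage(cves: Iterable[dict], epss_threshold: float = 0.1) -> list[str]:
    """Rank CVE codes for remediation: exploitable ones first, then by EPSS,
    then by CVSS score. Anything neither exploitable nor above the EPSS
    threshold is dropped, so a high CVSS score alone does not make the cut."""
    kept = [c for c in cves
            if c.get("exploitable") or float(c.get("epss") or 0) >= epss_threshold]
    kept.sort(key=lambda c: (bool(c.get("exploitable")),
                             float(c.get("epss") or 0),
                             float(c.get("score") or 0)),
              reverse=True)
    return [c["cve_code"] for c in kept]


if __name__ == "__main__":
    cves = collect_cves(fake_fetch_page, per_page=3, hard_limit=5)
    print(len(cves), "CVEs collected (capped by hard_limit)")
    print("remediation order:", triage(cves))
```

Note that `hard_limit` caps what the automation keeps, not what Cyberwatch reports: when the cap is hit, records beyond it are simply never fetched, so a ranking built on a capped result set is only as good as the filters passed to the command.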

#### Command example

```!cyberwatch-list-cves page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2014-7552 | The Zombie Diary (aka com.ezjoy.feelingtouch.zombiediary)... | 2014-10-20T08:55:10 | 2014-11-14T13:13:46 | level_medium | 5.4 | 0.00049 | |
CVE-2014-5669 | The 9GAG - Funny pics and videos (aka com.ninegag.android.app)... | 2014-09-08T23:55:36 | 2014-09-10T23:33:44 | level_medium | 5.4 | 0.00049 | |
CVE-2013-5021 | Multiple absolute path traversal vulnerabilities in National Instruments... | 2013-08-06T18:55:05 | 2023-11-07T01:16:25 | level_critical | 9.3 | 0.89796 | |
CVE-2014-7387 | The ACC Advocacy Action (aka com.acc.app.android.ui) application 2.0... | 2014-10-19T08:55:15 | 2014-11-14T13:10:30 | level_medium | 5.4 | 0.00049 | |
CVE-2013-4319 | pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager)... | 2013-10-11T20:55:40 | 2013-10-15T14:05:34 | level_critical | 9.0 | 0.0026 | |

#### Command example

```!cyberwatch-list-cves prioritized=true page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2020-15683 | Mozilla developers and community members... | 2020-10-22T19:15:13 | 2022-04-28T16:24:03 | level_critical | 9.8 | 0.01033 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2020-15254 | Crossbeam is a set of tools for concurrent programming. In crossbeam... | 2020-10-16T15:15:12 | 2022-08-05T17:30:49 | level_critical | 9.8 | 0.00603 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2020-15969 | Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2020-11-03T02:15:12 | 2023-11-07T02:17:58 | level_high | 8.8 | 0.00833 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_required<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2020-26950 | In certain circumstances, the MCallGetProperty opcode can be emitted... | 2020-12-09T00:15:12 | 2022-04-08T09:28:19 | level_high | 8.8 | 0.92391 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_required<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2021-30547 | Out of bounds write in ANGLE in Google Chrome prior... | 2021-06-15T20:15:08 | 2023-11-07T02:33:06 | level_high | 8.8 | 0.00829 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_required<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |

#### Command example

```!cyberwatch-list-cves exploit_code_maturity[]=functional,high access_vector[]=access_vector_physical,access_vector_network active=true level=level_critical ignored=false page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2018-13382 | An Improper Authorization vulnerability... | 2019-06-04T19:29:00 | 2021-06-03T09:15:08 | level_critical | 9.1 | 0.89131 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_none |
CVE-2020-15254 | Crossbeam is a set of tools for concurrent programming... | 2020-10-16T15:15:12 | 2022-08-05T17:30:49 | level_critical | 9.8 | 0.00603 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2022-26486 | An unexpected message in the WebGPU IPC framework could... | 2022-12-22T19:15:22 | 2022-12-30T19:55:00 | level_critical | 9.6 | 0.0032 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_required<br>scope: scope_changed<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2023-32412 | A use-after-free issue was addressed with improved... | 2023-06-23T16:15:13 | 2023-07-27T02:15:34 | level_critical | 9.8 | 0.02044 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2024-21762 | A out-of-bounds write in Fortinet FortiOS versions 7.4.0... | 2024-02-09T08:15:08 | 2024-02-13T17:21:14 | level_critical | 9.8 | 0.01842 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |

#### Command example

```!cyberwatch-list-cves page=1 per_page=5 groups[]=ENV_PRODUCTION,Cloud active=true ignored=false prioritized=true```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2021-26411 | Internet Explorer Memory Corruption Vulnerability | 2021-03-11T15:15:13 | 2023-12-29T16:15:59 | level_high | 8.8 | 0.04096 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_required<br>scope: scope_changed<br>confidentiality_impact: confidentiality_impact_low<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_low |
CVE-2021-26877 | Windows DNS Server Remote Code Execution Vulnerability | 2021-03-11T15:15:15 | 2023-12-29T19:15:53 | level_critical | 9.8 | 0.04652 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2021-26893 | Windows DNS Server Remote Code Execution Vulnerability | 2021-03-11T15:15:16 | 2023-12-29T19:15:56 | level_critical | 9.8 | 0.04652 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2021-26894 | Windows DNS Server Remote Code Execution Vulnerability | 2021-03-11T15:15:16 | 2023-12-29T19:15:56 | level_critical | 9.8 | 0.04652 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |
CVE-2021-26895 | Windows DNS Server Remote Code Execution Vulnerability | 2021-03-11T15:15:16 | 2023-12-29T19:15:56 | level_critical | 9.8 | 0.04652 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high |

#### Command example

```!cyberwatch-list-cves exploit_code_maturity[]=high,functional technology_vendor=openbsd technology_product=openssh page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2012-0814 | The auth_parse_options function in auth-options... | 2012-01-27T18:55:01 | 2023-11-07T01:10:02 | level_low | 3.5 | 0.00285 | |
CVE-2011-5000 | The ssh_gssapi_parse_ename function in gss-serv.c... | 2012-04-05T12:55:03 | 2012-07-22T01:33:00 | level_low | 3.5 | 0.00353 | |
CVE-2010-4755 | The (1) remote_glob function in sftp-glob.c and the... | 2011-03-02T19:00:00 | 2014-08-08T19:01:22 | level_medium | 4.0 | 0.01098 | |
CVE-2008-3259 | OpenSSH before 5.1 sets the SO_REUSEADDR socket... | 2008-07-22T14:41:00 | 2017-08-07T23:31:43 | level_low | 1.2 | 0.00042 | |
CVE-2007-2243 | OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled... | 2007-04-25T14:19:00 | 2017-07-28T23:31:19 | level_medium | 5.0 | 0.00721 | |

#### Command example

```!cyberwatch-list-cves exploit_code_maturity[]=high,functional technology_vendor=openbsd technology_product=openssh page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch CVEs

cve_code | content | published | last_modified | level | score | epss | cvss_v3 |
---|---|---|---|---|---|---|---|
CVE-2014-7552 | The Zombie Diary... | 2014-10-20T08:55:10 | 2014-11-14T13:13:46 | level_medium | 5.4 | 0.00049 | |

### cyberwatch-fetch-cve

Get all details for a CVE from Cyberwatch.

#### Base Command

`cyberwatch-fetch-cve`

#### Input

Argument Name | Description | Required |
---|---|---|
cve_code | The CVE number to fetch. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Cyberwatch.CVE.cve_code | string | CVE reference |
Cyberwatch.CVE.score | number | CVE score |
Cyberwatch.CVE.exploitable | boolean | CVE exploitability |
Cyberwatch.CVE.epss | number | CVE EPSS |
Cyberwatch.CVE.published | date | CVE publication date |
Cyberwatch.CVE.last_modified | date | CVE last modification date |

#### Command example

```!cyberwatch-fetch-cve cve_code=CVE-2024-21413```

#### Context Example

#### Human Readable Output

Cyberwatch CVE

cve_code | content | published | last_modified | level | score | epss | cvss_v3 | servers_count | security_announcements_count |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | 2024-02-13T17:16:00 | 2024-05-28T22:15:34 | level_critical | 9.8 | 0.00586 | access_vector: access_vector_network<br>access_complexity: access_complexity_low<br>privileges_required: privileges_required_none<br>user_interaction: user_interaction_none<br>scope: scope_unchanged<br>confidentiality_impact: confidentiality_impact_high<br>integrity_impact: integrity_impact_high<br>availability_impact: availability_impact_high | 2 | 2 |

### cyberwatch-list-assets

Get a list of assets scanned by Cyberwatch.

#### Base Command

`cyberwatch-list-assets`

#### Input

Argument Name | Description | Required |
---|---|---|
environment_id | Filter assets by environment (criticality) ID. | Optional |
reboot_required | Filter assets that require a reboot (true or false). Possible values are: true, false. | Optional |
os | Filter assets by OS (must use keys as mentioned on <URL_SCANNER>/cbw_assets/os). | Optional |
group_id | Filter assets by group ID. | Optional |
hostname | Filter assets by hostname. | Optional |
address | Filter assets by IP address. | Optional |
category | Filter assets by category. Possible values are: no_category, server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, cloud, mobile. | Optional |
communication_failed | Filter assets with communication failed (true or false). Possible values are: true, false. | Optional |
page | Get a specific asset page. If not specified, get all assets. | Optional |
per_page | Specify the number of assets per page. Default value 500. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
Cyberwatch.Asset.id | number | Asset ID |
Cyberwatch.Asset.hostname | string | Asset hostname |
Cyberwatch.Asset.description | string | Asset description |
Cyberwatch.Asset.created_at | date | Asset creation date |
Cyberwatch.Asset.last_communication | date | Asset last communication date |
Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
Cyberwatch.Asset.updates_count | number | Number of recommended security updates on the asset |
Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |
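As an added example (not code from the Cyberwatch integration or from Cyberwatch), the Python below shows one check an automation can run over the `Cyberwatch.Asset` context fields listed above: assets whose `last_communication` is older than a window are blind spots whose CVE counts can no longer be trusted, and assets that are fresh but have `reboot_required` set together with a non-zero `prioritized_cve_announcements_count` have patches installed that are not yet effective. The sample assets reuse ids, hostnames, dates and counts from the examples on this page; `NOW_FOR_EXAMPLE` is a constructed reference time, and treating the zone-less timestamps as UTC is an assumption made here so that they can be compared.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time for the example (Cyberwatch does not supply one).
NOW_FOR_EXAMPLE = datetime(2024, 7, 10, tzinfo=timezone.utc)

# Constructed sample shaped like the Cyberwatch.Asset context output; values
# are taken from the asset examples on this page. Note that reboot_required
# can be None (unknown), as the first example row shows.
SAMPLE_ASSETS = [
    {"id": 912, "hostname": "ip-192-168-0-214", "last_communication": "2020-11-10T15:36:29",
     "cve_announcements_count": 0, "prioritized_cve_announcements_count": 0, "reboot_required": None},
    {"id": 1187, "hostname": "ip-192-168-0-39", "last_communication": "2019-02-11T09:15:01",
     "cve_announcements_count": 1167, "prioritized_cve_announcements_count": 9, "reboot_required": True},
    {"id": 1393, "hostname": "ip-192-168-0-128", "last_communication": "2024-07-03T07:53:49",
     "cve_announcements_count": 1167, "prioritized_cve_announcements_count": 88, "reboot_required": True},
    {"id": 1555, "hostname": "EC2AMAZ-SNIAI0J", "last_communication": "2022-11-04T09:05:52",
     "cve_announcements_count": 1355, "prioritized_cve_announcements_count": 256, "reboot_required": True},
    {"id": 1226, "hostname": "WIN-97RELK05NHD", "last_communication": "2021-03-11T11:05:45",
     "cve_announcements_count": 259, "prioritized_cve_announcements_count": 8, "reboot_required": False},
]


def parse_cw_timestamp(value):
    """Parse a Cyberwatch timestamp such as 2024-07-03T07:53:49. The values on
    this page carry no zone suffix; they are assumed to be UTC here so they can
    be compared with an aware datetime. Missing values return None."""
    if not value:
        return None
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def classify_assets(assets, now, stale_after_days=30):
    """Return {'stale': [ids], 'needs_reboot': [ids]}.

    stale        : no communication within the window (or never). Their CVE
                   counts are as old as last_communication, so they are
                   reported separately instead of being scored.
    needs_reboot : fresh assets where reboot_required is True (not None) and
                   prioritized CVEs remain, i.e. updates are installed but
                   not yet in effect.
    """
    cutoff = now - timedelta(days=stale_after_days)
    stale, needs_reboot = [], []
    for asset in assets:
        seen = parse_cw_timestamp(asset.get("last_communication"))
        if seen is None or seen < cutoff:
            stale.append(asset["id"])
            continue
        prioritized = asset.get("prioritized_cve_announcements_count") or 0
        if asset.get("reboot_required") is True and prioritized > 0:
            needs_reboot.append(asset["id"])
    return {"stale": stale, "needs_reboot": needs_reboot}


if __name__ == "__main__":
    result = classify_assets(SAMPLE_ASSETS, NOW_FOR_EXAMPLE)
    print("stale assets (no contact in 30 days):", result["stale"])
    print("patched but awaiting reboot:", result["needs_reboot"])
```

The `communication_failed=false` and `reboot_required=true` filters of the command can narrow the server-side result before this logic runs; the check above is still useful because `communication_failed` reflects the scanner's last attempt, while the age of `last_communication` tells you how far behind the asset's vulnerability data actually is.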

#### Command example

```!cyberwatch-list-assets page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
912 | ip-192-168-0-214 | None | server | 2020-11-10T15:36:29 | Ubuntu 14.04 LTS | High | values: ENV_PRODUCTION, Sentinelo, auditeur, APP_Apache, LINUX | 0 | 0 | 0 | values: |
1183 | EC2AMAZ-C9SIS5H | False | server | 2019-01-19T07:28:13 | Windows Server 2016 | Low | values: Cloud, ZONE_EU_FR | 2858 | 110 | 3 | values: |
1186 | ip-192-168-0-56 | False | server | 2019-02-11T09:14:01 | Ubuntu 18.04 LTS | Low | values: Cloud, LINUX | 1210 | 9 | 225 | values: |
1187 | ip-192-168-0-39 | True | server | 2019-02-11T09:15:01 | Ubuntu 18.04 LTS | Low | values: ENV_PRODUCTION, LINUX | 1167 | 9 | 217 | values: |
1188 | MacBook-Pro.local | False | desktop | 2019-05-16T14:29:20 | Mac OS X | Low | values: Direction_Comm | 3966 | 86 | 19 | values: |

#### Command example

```!cyberwatch-list-assets environment_id=27 page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
1548 | Siemens Rapidlab 1200 | None | industrial_device | 2022-10-19T09:50:02 | Siemens | Actif isolé critique | values: Sante | 2 | 0 | 1 | values: |
1577 | WIN-09PACDLD | False | desktop | 2022-12-08T14:26:31 | Windows 10 1809 | Actif isolé critique | values: | 1038 | 44 | 2 | values: |

#### Command example

```!cyberwatch-list-assets reboot_required=true communication_failed=false page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
1187 | ip-192-168-0-39 | True | server | 2019-02-11T09:15:01 | Ubuntu 18.04 LTS | Low | values: ENV_PRODUCTION, LINUX | 1167 | 9 | 217 | values: |
1189 | fic2019 | True | server | 2019-02-11T09:14:01 | Ubuntu 18.04 LTS | Low | values: Cloud, ZONE_EU_ES, LINUX | 1203 | 9 | 221 | values: |
1208 | melchior | True | server | 2021-04-12T07:48:36 | Windows Server 2012 R2 | Medium | values: | 1060 | 230 | 5 | values: |
1393 | ip-192-168-0-128 | True | server | 2024-07-03T07:53:49 | Ubuntu 20.04 LTS | Medium | values: LINUX | 1167 | 88 | 207 | values: |
1555 | EC2AMAZ-SNIAI0J | True | server | 2022-11-04T09:05:52 | Windows Server 2022 | Medium | values: | 1355 | 256 | 3 | values: |

#### Command example

```!cyberwatch-list-assets hostname=WIN-GNVEC8UIKUD page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
1197 | WIN-GNVEC8UIKUD | False | server | 2019-09-13T09:14:34 | Windows Server 2012 R2 | High | values: APP_Apache, APP_BaseDeDonnees, AmazonWebServices | 1699 | 645 | 9 | values: |
1198 | WIN-GNVEC8UIKUD | False | server | 2019-09-21T12:57:20 | Windows Server 2012 R2 | High | values: APP_BaseDeDonnees | 1699 | 644 | 9 | values: |

#### Command example

```!cyberwatch-list-assets address=127.0.0.1 page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
1188 | MacBook-Pro.local | False | desktop | 2019-05-16T14:29:20 | Mac OS X | Low | values: Direction_Comm | 3966 | 86 | 19 | values: |
1226 | WIN-97RELK05NHD | False | server | 2021-03-11T11:05:45 | Windows Server 2012 R2 | Low | values: 0_Compliance | 259 | 8 | 23 | values: Mon_Catalogue |
1270 | midas | False | server | 2021-07-19T14:36:09 | Windows Server 2019 | Medium | values: 0_Compliance | 1617 | 368 | 3 | values: Security_Best_Practices |
1208 | melchior | True | server | 2021-04-12T07:48:36 | Windows Server 2012 R2 | Medium | values: | 1060 | 230 | 5 | values: |
1186 | ip-192-168-0-56 | False | server | 2019-02-11T09:14:01 | Ubuntu 18.04 LTS | Low | values: Cloud, LINUX | 1210 | 9 | 225 | values: |

#### Command example

```!cyberwatch-list-assets os=windows_2008_r2 category=server group_id=768 page=1 per_page=5```

#### Context Example

#### Human Readable Output

Cyberwatch Assets

id | hostname | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|
1200 | WIN-IUVBSL1UF49 | False | server | 2019-09-21T12:56:28 | Windows Server 2008 R2 | Low | values: AmazonWebServices | 1800 | 66 | 12 | values: |

### cyberwatch-fetch-asset

Get security details for an asset scanned by Cyberwatch.

#### Base Command

`cyberwatch-fetch-asset`

#### Input

Argument Name | Description | Required |
---|---|---|
id | The asset ID to fetch. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Cyberwatch.Asset.id | number | Asset ID |
Cyberwatch.Asset.hostname | string | Asset hostname |
Cyberwatch.Asset.description | string | Asset description |
Cyberwatch.Asset.created_at | date | Asset creation date |
Cyberwatch.Asset.last_communication | date | Asset last communication date |
Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |

#### Command example

```!cyberwatch-fetch-asset id=1206```

#### Context Example

#### Human Readable Output

Cyberwatch Asset

id | hostname | description | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories |
---|---|---|---|---|---|---|---|---|---|---|---|---|
1206 | vps418658 | None | False | server | 2020-11-03T10:25:01 | Debian 10 (Buster) | Privacy | values: 0_Compliance, demonstration, LINUX | 898 | 117 | 127 | values: Security_Best_Practices |

### cyberwatch-fetch-asset-fulldetails

Get all details for an asset scanned by Cyberwatch, including packages, ports, services, metadata.

#### Base Command

`cyberwatch-fetch-asset-fulldetails`

#### Input

Argument Name | Description | Required |
---|---|---|
id | The asset ID to fetch with all details. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
Cyberwatch.Asset.id | number | Asset ID |
Cyberwatch.Asset.hostname | string | Asset hostname |
Cyberwatch.Asset.description | string | Asset description |
Cyberwatch.Asset.created_at | date | Asset creation date |
Cyberwatch.Asset.last_communication | date | Asset last communication date |
Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |

#### Command example

```!cyberwatch-fetch-asset-fulldetails id=1206```