Cyberwatch
This Integration is part of the Cyberwatch Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
Find, prioritize, and fix vulnerabilities on your IT & OT assets. This integration was integrated and tested with version 13.11 of Cyberwatch.
Configure Cyberwatch in Cortex#
| Parameter | Description | Required |
|---|---|---|
| Master scanner URL (e.g. https://192.168.0.1) | The Cyberwatch master scanner URL. | True |
| API Access key | See the Cyberwatch documentation for instructions to generate the API access and secret keys. | True |
| API Secret key | See the Cyberwatch documentation for instructions to generate the API access and secret keys. | True |
| Trust any certificate (not secure) | False | |
| Use system proxy settings | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cyberwatch-list-cves#
Get a list of CVEs from Cyberwatch.
Base Command#
cyberwatch-list-cves
Input#
| Argument Name | Description | Required |
|---|---|---|
| exploit_code_maturity[] | Filter CVE announcements with exploit_code_maturity. Available values: undefined, unproven, proof_of_concept, functional, high. Possible values are: undefined, unproven, proof_of_concept, functional, high. | Optional |
| access_vector[] | Filter CVE announcements with access_vector. Available values: access_vector_physical, access_vector_local, access_vector_adjacent, access_vector_network. Possible values are: access_vector_physical, access_vector_local, access_vector_adjacent, access_vector_network. | Optional |
| active | Filter CVE announcements that are active or not (true or false). Possible values are: true, false. | Optional |
| level | Filter CVE announcements based on their level. Available values: level_unknown, level_none, level_low, level_medium, level_high, level_critical. Possible values are: level_unknown, level_none, level_low, level_medium, level_high, level_critical. | Optional |
| ignored | Filter CVE announcements that are ignored or not (true or false). Possible values are: true, false. | Optional |
| prioritized | Filter CVE announcements that are prioritized or not (true or false). Possible values are: true, false. | Optional |
| technology_product | Filter CVE announcements with technology_product (CPE product field). | Optional |
| technology_vendor | Filter CVE announcements with technology_vendor (CPE vendor field). | Optional |
| groups[] | Filter CVE announcements with a list of groups. Multiple groups can be provided with comma, e.g. groups[]=GroupA,GroupB. | Optional |
| page | Get a specific CVE announcements page. If not specified, get all CVEs. | Optional |
| per_page | Specify the number of CVE per page. Default value 500. | Optional |
| hard_limit | Specify the maximum number of results. This is useful to avoid memory issues on Cortex. Default value is 2000. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.CVE.cve_code | string | CVE reference |
| Cyberwatch.CVE.score | number | CVE score |
| Cyberwatch.CVE.exploitable | boolean | CVE exploitability |
| Cyberwatch.CVE.epss | number | CVE EPSS |
| Cyberwatch.CVE.published | date | CVE publication date |
| Cyberwatch.CVE.last_modified | date | CVE last modification date |
Command example#
!cyberwatch-list-cves page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2014-7552 The Zombie Diary (aka com.ezjoy.feelingtouch.zombiediary)... 2014-10-20T08:55:10 2014-11-14T13:13:46 level_medium 5.4 0.00049 CVE-2014-5669 The 9GAG - Funny pics and videos (aka com.ninegag.android.app)... 2014-09-08T23:55:36 2014-09-10T23:33:44 level_medium 5.4 0.00049 CVE-2013-5021 Multiple absolute path traversal vulnerabilities in National Instruments... 2013-08-06T18:55:05 2023-11-07T01:16:25 level_critical 9.3 0.89796 CVE-2014-7387 The ACC Advocacy Action (aka com.acc.app.android.ui) application 2.0... 2014-10-19T08:55:15 2014-11-14T13:10:30 level_medium 5.4 0.00049 CVE-2013-4319 pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager)... 2013-10-11T20:55:40 2013-10-15T14:05:34 level_critical 9.0 0.0026
Command example#
!cyberwatch-list-cves prioritized=true page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2020-15683 Mozilla developers and community members... 2020-10-22T19:15:13 2022-04-28T16:24:03 level_critical 9.8 0.01033 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2020-15254 Crossbeam is a set of tools for concurrent programming. In crossbeam... 2020-10-16T15:15:12 2022-08-05T17:30:49 level_critical 9.8 0.00603 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2020-15969 Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 2020-11-03T02:15:12 2023-11-07T02:17:58 level_high 8.8 0.00833 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_required
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2020-26950 In certain circumstances, the MCallGetProperty opcode can be emitted... 2020-12-09T00:15:12 2022-04-08T09:28:19 level_high 8.8 0.92391 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_required
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2021-30547 Out of bounds write in ANGLE in Google Chrome prior... 2021-06-15T20:15:08 2023-11-07T02:33:06 level_high 8.8 0.00829 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_required
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_high
Command example#
!cyberwatch-list-cves exploit_code_maturity[]=functional,high access_vector[]=access_vector_physical,access_vector_network active=true level=level_critical ignored=false page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2018-13382 An Improper Authorization vulnerability... 2019-06-04T19:29:00 2021-06-03T09:15:08 level_critical 9.1 0.89131 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_noneCVE-2020-15254 Crossbeam is a set of tools for concurrent programming... 2020-10-16T15:15:12 2022-08-05T17:30:49 level_critical 9.8 0.00603 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2022-26486 An unexpected message in the WebGPU IPC framework could... 2022-12-22T19:15:22 2022-12-30T19:55:00 level_critical 9.6 0.0032 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_required
scope: scope_changed
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2023-32412 A use-after-free issue was addressed with improved... 2023-06-23T16:15:13 2023-07-27T02:15:34 level_critical 9.8 0.02044 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2024-21762 A out-of-bounds write in Fortinet FortiOS versions 7.4.0... 2024-02-09T08:15:08 2024-02-13T17:21:14 level_critical 9.8 0.01842 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_high
Command example#
!cyberwatch-list-cves page=1 per_page=5 groups[]=ENV_PRODUCTION,Cloud active=true ignored=false prioritized=true
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability 2021-03-11T15:15:13 2023-12-29T16:15:59 level_high 8.8 0.04096 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_required
scope: scope_changed
confidentiality_impact: confidentiality_impact_low
integrity_impact: integrity_impact_high
availability_impact: availability_impact_lowCVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability 2021-03-11T15:15:15 2023-12-29T19:15:53 level_critical 9.8 0.04652 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability 2021-03-11T15:15:16 2023-12-29T19:15:56 level_critical 9.8 0.04652 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability 2021-03-11T15:15:16 2023-12-29T19:15:56 level_critical 9.8 0.04652 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_highCVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability 2021-03-11T15:15:16 2023-12-29T19:15:56 level_critical 9.8 0.04652 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_high
Command example#
!cyberwatch-list-cves exploit_code_maturity[]=high,functional technology_vendor=openbsd technology_product=openssh page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2012-0814 The auth_parse_options function in auth-options... 2012-01-27T18:55:01 2023-11-07T01:10:02 level_low 3.5 0.00285 CVE-2011-5000 The ssh_gssapi_parse_ename function in gss-serv.c... 2012-04-05T12:55:03 2012-07-22T01:33:00 level_low 3.5 0.00353 CVE-2010-4755 The (1) remote_glob function in sftp-glob.c and the... 2011-03-02T19:00:00 2014-08-08T19:01:22 level_medium 4.0 0.01098 CVE-2008-3259 OpenSSH before 5.1 sets the SO_REUSEADDR socket... 2008-07-22T14:41:00 2017-08-07T23:31:43 level_low 1.2 0.00042 CVE-2007-2243 OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled... 2007-04-25T14:19:00 2017-07-28T23:31:19 level_medium 5.0 0.00721
Command example#
!cyberwatch-list-cves exploit_code_maturity[]=high,functional technology_vendor=openbsd technology_product=openssh page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch CVEs#
cve_code content published last_modified level score epss cvss_v3 CVE-2014-7552 The Zombie Diary... 2014-10-20T08:55:10 2014-11-14T13:13:46 level_medium 5.4 0.00049
cyberwatch-fetch-cve#
Get all details for a CVE from Cyberwatch.
Base Command#
cyberwatch-fetch-cve
Input#
| Argument Name | Description | Required |
|---|---|---|
| cve_code | The CVE number to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.CVE.cve_code | string | CVE reference |
| Cyberwatch.CVE.score | number | CVE score |
| Cyberwatch.CVE.exploitable | boolean | CVE exploitability |
| Cyberwatch.CVE.epss | number | CVE EPSS |
| Cyberwatch.CVE.published | date | CVE publication date |
| Cyberwatch.CVE.last_modified | date | CVE last modification date |
Command example#
!cyberwatch-fetch-cve cve_code=CVE-2024-21413
Context Example#
Human Readable Output#
Cyberwatch CVE#
cve_code content published last_modified level score epss cvss_v3 servers_count security_announcements_count CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability 2024-02-13T17:16:00 2024-05-28T22:15:34 level_critical 9.8 0.00586 access_vector: access_vector_network
access_complexity: access_complexity_low
privileges_required: privileges_required_none
user_interaction: user_interaction_none
scope: scope_unchanged
confidentiality_impact: confidentiality_impact_high
integrity_impact: integrity_impact_high
availability_impact: availability_impact_high2 2
cyberwatch-list-assets#
Get a list of assets scanned by Cyberwatch.
Base Command#
cyberwatch-list-assets
Input#
| Argument Name | Description | Required |
|---|---|---|
| environment_id | Filter assets by environment (criticality) ID. | Optional |
| reboot_required | Filter assets that require a reboot (true or false). Possible values are: true, false. | Optional |
| os | Filter assets by OS (must use keys as mentioned on <URL_SCANNER>/cbw_assets/os). | Optional |
| group_id | Filter assets by group ID. | Optional |
| hostname | Filter assets by hostname. | Optional |
| address | Filter assets by IP address. | Optional |
| category | Filter assets by category. Available values : no_category, server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, cloud, mobile. Possible values are: no_category, server, desktop, hypervisor, network_device, network_target_or_website, docker_image, industrial_device, cloud, mobile. | Optional |
| communication_failed | Filter assets with communication failed (true or false). Possible values are: true, false. | Optional |
| page | Get a specific asset page. If not specified, get all assets. | Optional |
| per_page | Specify the number of assets per page. Default value 500. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.Asset.id | number | Asset ID |
| Cyberwatch.Asset.hostname | string | Asset hostname |
| Cyberwatch.Asset.description | string | Asset description |
| Cyberwatch.Asset.created_at | date | Asset creation date |
| Cyberwatch.Asset.last_communication | date | Asset last communication date |
| Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
| Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
| Cyberwatch.Asset.updates_count | number | Number of recommended security updates on the asset |
| Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
| Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |
Command example#
!cyberwatch-list-assets page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 912 ip-192-168-0-214 None server 2020-11-10T15:36:29 Ubuntu 14.04 LTS High values: ENV_PRODUCTION, Sentinelo, auditeur, APP_Apache, LINUX 0 0 0 values: 1183 EC2AMAZ-C9SIS5H False server 2019-01-19T07:28:13 Windows Server 2016 Low values: Cloud, ZONE_EU_FR 2858 110 3 values: 1186 ip-192-168-0-56 False server 2019-02-11T09:14:01 Ubuntu 18.04 LTS Low values: Cloud, LINUX 1210 9 225 values: 1187 ip-192-168-0-39 True server 2019-02-11T09:15:01 Ubuntu 18.04 LTS Low values: ENV_PRODUCTION, LINUX 1167 9 217 values: 1188 MacBook-Pro.local False desktop 2019-05-16T14:29:20 Mac OS X Low values: Direction_Comm 3966 86 19 values:
Command example#
!cyberwatch-list-assets environment_id=27 page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1548 Siemens Rapidlab 1200 None industrial_device 2022-10-19T09:50:02 Siemens Actif isolé critique values: Sante 2 0 1 values: 1577 WIN-09PACDLD False desktop 2022-12-08T14:26:31 Windows 10 1809 Actif isolé critique values: 1038 44 2 values:
Command example#
!cyberwatch-list-assets reboot_required=true communication_failed=false page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1187 ip-192-168-0-39 True server 2019-02-11T09:15:01 Ubuntu 18.04 LTS Low values: ENV_PRODUCTION, LINUX 1167 9 217 values: 1189 fic2019 True server 2019-02-11T09:14:01 Ubuntu 18.04 LTS Low values: Cloud, ZONE_EU_ES, LINUX 1203 9 221 values: 1208 melchior True server 2021-04-12T07:48:36 Windows Server 2012 R2 Medium values: 1060 230 5 values: 1393 ip-192-168-0-128 True server 2024-07-03T07:53:49 Ubuntu 20.04 LTS Medium values: LINUX 1167 88 207 values: 1555 EC2AMAZ-SNIAI0J True server 2022-11-04T09:05:52 Windows Server 2022 Medium values: 1355 256 3 values:
Command example#
!cyberwatch-list-assets hostname=WIN-GNVEC8UIKUD page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1197 WIN-GNVEC8UIKUD False server 2019-09-13T09:14:34 Windows Server 2012 R2 High values: APP_Apache, APP_BaseDeDonnees, AmazonWebServices 1699 645 9 values: 1198 WIN-GNVEC8UIKUD False server 2019-09-21T12:57:20 Windows Server 2012 R2 High values: APP_BaseDeDonnees 1699 644 9 values:
Command example#
!cyberwatch-list-assets address=127.0.0.1 page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1188 MacBook-Pro.local False desktop 2019-05-16T14:29:20 Mac OS X Low values: Direction_Comm 3966 86 19 values: 1226 WIN-97RELK05NHD False server 2021-03-11T11:05:45 Windows Server 2012 R2 Low values: 0_Compliance 259 8 23 values: Mon_Catalogue 1270 midas False server 2021-07-19T14:36:09 Windows Server 2019 Medium values: 0_Compliance 1617 368 3 values: Security_Best_Practices 1208 melchior True server 2021-04-12T07:48:36 Windows Server 2012 R2 Medium values: 1060 230 5 values: 1186 ip-192-168-0-56 False server 2019-02-11T09:14:01 Ubuntu 18.04 LTS Low values: Cloud, LINUX 1210 9 225 values:
Command example#
!cyberwatch-list-assets os=windows_2008_r2 category=server group_id=768 page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Assets#
id hostname reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1200 WIN-IUVBSL1UF49 False server 2019-09-21T12:56:28 Windows Server 2008 R2 Low values: AmazonWebServices 1800 66 12 values:
cyberwatch-fetch-asset#
Get security details for an asset scanned by Cyberwatch.
Base Command#
cyberwatch-fetch-asset
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The asset ID to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.Asset.id | number | Asset ID |
| Cyberwatch.Asset.hostname | string | Asset hostname |
| Cyberwatch.Asset.description | string | Asset description |
| Cyberwatch.Asset.created_at | date | Asset creation date |
| Cyberwatch.Asset.last_communication | date | Asset last communication date |
| Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
| Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
| Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
| Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |
Command example#
!cyberwatch-fetch-asset id=1206
Context Example#
Human Readable Output#
Cyberwatch Asset#
id hostname description reboot_required category last_communication os environment groups cve_announcements_count prioritized_cve_announcements_count updates_count compliance_repositories 1206 vps418658 None False server 2020-11-03T10:25:01 Debian 10 (Buster) Privacy values: 0_Compliance, demonstration, LINUX 898 117 127 values: Security_Best_Practices
cyberwatch-fetch-asset-fulldetails#
Get all details for an asset scanned by Cyberwatch, including packages, ports, services, metadata.
Base Command#
cyberwatch-fetch-asset-fulldetails
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The asset ID to fetch with all details. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.Asset.id | number | Asset ID |
| Cyberwatch.Asset.hostname | string | Asset hostname |
| Cyberwatch.Asset.description | string | Asset description |
| Cyberwatch.Asset.created_at | date | Asset creation date |
| Cyberwatch.Asset.last_communication | date | Asset last communication date |
| Cyberwatch.Asset.analyzed_at | date | Asset last analysis date |
| Cyberwatch.Asset.cve_announcements_count | number | Number of active CVEs on the asset |
| Cyberwatch.Asset.prioritized_cve_announcements_count | number | Number of prioritized CVEs on the asset |
| Cyberwatch.Asset.reboot_required | boolean | Asset reboot requirement |
Command example#
!cyberwatch-fetch-asset-fulldetails id=1206
Context Example#
Human Readable Output#
Cyberwatch Asset#
| id | hostname | description | reboot_required | category | last_communication | os | environment | groups | cve_announcements_count | prioritized_cve_announcements_count | updates_count | compliance_repositories | packages_count | metadata_count | services_count | ports_count | connector_type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1206 | vps418658 | None | False | server | 2020-11-03T10:25:01 | Debian 10 (Buster) | Privacy | values: 0_Compliance, demonstration, LINUX | 898 | 117 | 127 | values: Security_Best_Practices | 312 | 0 | 0 | 0 | Agent |
cyberwatch-list-securityissues#
Get a list of Security issues from Cyberwatch.
Base Command#
cyberwatch-list-securityissues
Input#
| Argument Name | Description | Required |
|---|---|---|
| level | Filter Security Issues based on their level. Available values: level_info, level_low, level_medium, level_high, level_critical. Possible values are: level_info, level_low, level_medium, level_high, level_critical. | Optional |
| sid | Filter Security Issues by Security Issue reference / sid. | Optional |
| page | Get a specific Security Issues page. If not specified, get all Security Issues. | Optional |
| per_page | Specify the number of Security Issues per page. Default value 500. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.SecurityIssue.id | number | Security Issue ID |
| Cyberwatch.SecurityIssue.title | string | Security Issue title |
| Cyberwatch.SecurityIssue.description | string | Security Issue description |
| Cyberwatch.SecurityIssue.level | string | Security Issue level |
| Cyberwatch.SecurityIssue.sid | string | Security Issue SID |
| Cyberwatch.SecurityIssue.editable | boolean | Security Issue editability |
Command example#
!cyberwatch-list-securityissues page=1 per_page=5 level=level_critical
Context Example#
Human Readable Output#
Cyberwatch Security Issues#
id sid level title description 42 Pentest-2020-01 level_critical Capacité à faire une injection SQL 44 PENTEST-2021-REF-1 level_critical Résultat d'un test d'intrusion Description technique du résultat de test d'intrusion 47 WSTG-INPV-05 level_critical SQL Injection An SQL injection attack ... 48 WSTG-INPV-06 level_critical LDAP Injection LDAP injection is a server ... 50 WSTG-INPV-08 level_critical SSI Injection The Server-Side Includes attack ...
Command example#
!cyberwatch-list-securityissues sid=WSTG-INPV-05 page=1 per_page=5
Context Example#
Human Readable Output#
Cyberwatch Security Issues#
id sid level title description 47 WSTG-INPV-05 level_critical SQL Injection An SQL injection attack ...
cyberwatch-fetch-securityissue#
Get all details for a Security issue from Cyberwatch.
Base Command#
cyberwatch-fetch-securityissue
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The Security Issue ID to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.SecurityIssue.id | number | Security Issue ID |
| Cyberwatch.SecurityIssue.title | string | Security Issue title |
| Cyberwatch.SecurityIssue.description | string | Security Issue description |
| Cyberwatch.SecurityIssue.level | string | Security Issue level |
| Cyberwatch.SecurityIssue.sid | string | Security Issue SID |
| Cyberwatch.SecurityIssue.editable | boolean | Security Issue editability |
Command example#
!cyberwatch-fetch-securityissue id=47
Context Example#
Human Readable Output#
Cyberwatch Security Issue#
id sid title description servers_count cve_announcements_count 47 WSTG-INPV-05 SQL Injection An SQL injection attack...
cyberwatch-list-sysadmin-assets#
Get a list of assets from Cyberwatch Sysadmin (/assets/servers) view.
Base Command#
cyberwatch-list-sysadmin-assets
Input#
| Argument Name | Description | Required |
|---|---|---|
| page | Get a specific Sysadmin asset page. If not specified, gets all assets. | Optional |
| per_page | Number of Sysadmin assets per page. Default is 500. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.SysadminAsset.id | number | Sysadmin Asset ID |
| Cyberwatch.SysadminAsset.hostname | string | Sysadmin Asset hostname |
| Cyberwatch.SysadminAsset.last_communication | date | Sysadmin Asset last communication date |
| Cyberwatch.SysadminAsset.category | string | Sysadmin Asset category |
Command example#
!cyberwatch-list-sysadmin-assets per_page=2
Context Example#
Human Readable Output#
Cyberwatch Sysadmin Assets#
id hostname last_communication category 10 srv-sysadmin-1 2025-06-01T10:00:00 server 11 srv-sysadmin-2 2025-06-02T11:00:00 server
cyberwatch-fetch-sysadmin-asset#
Get details for a Sysadmin Asset from Cyberwatch (/assets/servers/<ID>).
Base Command#
cyberwatch-fetch-sysadmin-asset
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The Sysadmin Asset ID to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.SysadminAsset.id | number | Sysadmin Asset ID |
| Cyberwatch.SysadminAsset.hostname | string | Sysadmin Asset hostname |
| Cyberwatch.SysadminAsset.description | string | Sysadmin Asset description |
| Cyberwatch.SysadminAsset.last_communication | date | Sysadmin Asset last communication date |
| Cyberwatch.SysadminAsset.category | string | Sysadmin Asset category |
| Cyberwatch.SysadminAsset.deploying_period_id | number | Deploying period ID |
| Cyberwatch.SysadminAsset.rebooting_period_id | number | Rebooting period ID |
| Cyberwatch.SysadminAsset.policy_id | number | Policy ID |
| Cyberwatch.SysadminAsset.ignoring_policy_id | number | Ignoring policy ID |
Command example#
!cyberwatch-fetch-sysadmin-asset id=10
Context Example#
Human Readable Output#
Cyberwatch Sysadmin Asset#
id hostname description last_communication category deploying_period_id rebooting_period_id policy_id ignoring_policy_id 10 srv-sysadmin-1 first sysadmin asset 2025-06-01T10:00:00 server 0 0 0 0
cyberwatch-list-compliance-assets#
Get a list of assets from Cyberwatch Compliance (/compliance/assets) view.
Base Command#
cyberwatch-list-compliance-assets
Input#
| Argument Name | Description | Required |
|---|---|---|
| page | Get a specific Compliance asset page. If not specified, gets all assets. | Optional |
| per_page | Number of Compliance assets per page. Default is 500. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.ComplianceAsset.id | number | Compliance Asset ID |
| Cyberwatch.ComplianceAsset.hostname | string | Compliance Asset hostname |
| Cyberwatch.ComplianceAsset.status | string | Compliance status summary for the asset |
| Cyberwatch.ComplianceAsset.compliance_rules_failed_count | number | Number of failed compliance rules |
| Cyberwatch.ComplianceAsset.compliance_rules_succeed_count | number | Number of succeeded compliance rules |
Command example#
!cyberwatch-list-compliance-assets per_page=2
Context Example#
Human Readable Output#
Cyberwatch Compliance Assets#
id hostname status compliance_rules_failed_count compliance_rules_succeed_count 77 comp-asset-1 ok 1 9 78 comp-asset-2 warning 3 7
cyberwatch-fetch-compliance-asset#
Get details for a Compliance Asset from Cyberwatch (/compliance/assets/<ID>).
Base Command#
cyberwatch-fetch-compliance-asset
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | The Compliance Asset ID to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.ComplianceAsset.id | number | Compliance Asset ID |
| Cyberwatch.ComplianceAsset.hostname | string | Compliance Asset hostname |
| Cyberwatch.ComplianceAsset.status | string | Compliance status summary for the asset |
| Cyberwatch.ComplianceAsset.compliance_rules_count | number | Total number of compliance rules evaluated |
| Cyberwatch.ComplianceAsset.compliance_rules_failed_count | number | Number of failed compliance rules |
| Cyberwatch.ComplianceAsset.compliance_rules_succeed_count | number | Number of succeeded compliance rules |
| Cyberwatch.ComplianceAsset.compliance_repositories | unknown | List of compliance repositories attached to the asset |
Command example#
!cyberwatch-fetch-compliance-asset id=77
Context Example#
Human Readable Output#
Cyberwatch Compliance Asset#
id hostname status compliance_rules_count compliance_rules_failed_count compliance_rules_succeed_count compliance_repositories 77 comp-asset-1 ok 10 1 9 values: Security_Best_Practices
cyberwatch-send-declarative-data-asset#
Upload Declarative Data (airgap) built from hostname + JSON to Cyberwatch (via /api/v2/cbw_scans/scripts).
The command first checks that the hostname already exists to avoid creating a new server.
Base Command#
cyberwatch-send-declarative-data-asset
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Asset hostname to associate with the Declarative Data. | Required |
| data | JSON string of key/value pairs to include (e.g. {"meta": "test"}). | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.DeclarativeDataUpload.server_id | number | Server ID returned by API (created/updated) |
| Cyberwatch.DeclarativeDataUpload.matched_server_id | number | Existing server ID matched by hostname |
| Cyberwatch.DeclarativeDataUpload.status | string | Upload status |
| Cyberwatch.DeclarativeDataUpload.message | string | Upload message or error |
Command example#
!cyberwatch-send-declarative-data-asset hostname="Hostname" data={"meta":"test|Cortex"}
Context Example#
Human Readable Output#
Cyberwatch Declarative Data Upload#
hostname server_id matched_server_id status message Hostname 191 191 submitted
cyberwatch-get-declarative-data-asset#
Retrieve Declarative Data for a Cyberwatch server (GET /api/v3/servers/{id}/info).
Returns the raw text blob.
Base Command#
cyberwatch-get-declarative-data-asset
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | Server ID to read. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Cyberwatch.DeclarativeData.id | number | Server ID |
| Cyberwatch.DeclarativeData.raw | string | Raw Declarative Data text |
Command example#
!cyberwatch-get-declarative-data-asset id=191
Context Example#
Human Readable Output#
Cyberwatch Declarative Data (server 191)#
Fetch Incidents#
Fetches new CVE incidents from Cyberwatch and creates Cortex XSOAR incidents. This is not an interactive command – it runs automatically on the integration’s Fetch incidents interval once the integration is configured as an Incident Fetcher.
What is fetched? For every asset returned by Asset filters, the integration inspects its active CVE announcements. Each CVE that passes the CVE filters (see below) is turned into a separate Cortex XSOAR incident.
Fetch Parameters (configured in the integration instance)#
| Parameter | Description | Required / Default |
|---|---|---|
| First fetch | The date/time to start fetching from. Accepts absolute dates (e.g. 2024-01-01 00:00:00) or relative durations (3 days, 12 hours). | Optional / 3 days |
| Max fetch | Maximum number of incidents to fetch on one run. | Optional / 200 |
| Asset filters | JSON object that will be passed verbatim to Cyberwatch’s List assets API (same fields as the cyberwatch-list-assets command). | Optional / {} (no filtering) |
| CVE filters | JSON object with the same fields accepted by cyberwatch-list-cves (e.g. ignored, prioritized, min_cvss, min_epss, active). Example: {"ignored": false, "prioritized": true, "min_cvss": 7} | Optional / {"active": true, "ignored": false, "prioritized": true} (ignore CVEs marked “ignored” in Cyberwatch, only pushes prioritized and active ones) |
Incident JSON structure#
| Field | Type | Description |
|---|---|---|
| name | string | CVE_CODE on Hostname |
| occurred | date | Time the CVE was detected on the asset ( detected_at ). |
| rawJSON.cve | object | The CVE announcement as returned by Cyberwatch (cve_code, score, epss, …). |
Example incident (abridged)#
Notes & Best Practices#
- Deduplication – each incident ID is
"<CVE_CODE>-<ASSET_ID>", so the same CVE detected on two servers produces two separate incidents, while re-fetching the same CVE/asset pair will not create duplicates. - Last run tracking – the integration stores the UNIX timestamp of the most recent CVE it created. At every cycle it only considers announcements whose
detected_atvalue is newer than that timestamp. - Tuning the volume – if you receive too many incidents, tighten CVE filters (for example
{"prioritized": true, "min_cvss": 9})
Once the parameters are saved and Fetch incidents is enabled, new Cyberwatch vulnerabilities will start appearing as Cortex XSOAR incidents automatically.