Skip to content

Суberwatch Detection

Overview

Cyberwatch is a vulnerability detection and monitoring solution.

This integration encompasses the detection logs from Cyberwatch Vulnerability Manager.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Third-party application logs Cyberwatch generate vulnerabilities reports

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category vulnerability
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "active='true',computer_category='desktop',computer_criticality='criticality_medium',\ncomputer_id='0',computer_name='test_syslog',computer_os='',computer_os_arch='',computer_os_name='',\ncreated_at='2022-10-03 14:02:32 +0200',cve_code='CVE-XXXX-XXXX',cve_level='high',cve_published_at='2022-10-03 14:02:32 +0200'\n,cve_score='10.0',cve_status='ignored',cvss_AC='access_complexity_low',cvss_AV='access_vector_network',cvss_Au='authentication_none',\ncvss_A='availability_impact_complete',cvss_C='confidentiality_impact_complete',cvss_I='integrity_impact_complete',fixed_at='',\ngroups='berlin,development',ignored='true',ip='127.0.0.1',source_node='cyberwatch',updated_at='2022-10-03 14:02:32 +0200'",
    "event": {
        "category": [
            "vulnerability"
        ],
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-10-03T12:02:32Z",
    "cyberwatch": {
        "vas": {
            "active": true,
            "computer": {
                "criticality": "criticality_medium"
            },
            "cve": {
                "published_at": "2022-10-03T12:02:32.000000Z",
                "status": "ignored"
            },
            "cvss": {
                "attack_authentication": "authentication_none",
                "attack_complexity": "access_complexity_low",
                "attack_vector": "access_vector_network",
                "availability": "availability_impact_complete",
                "confidentiality": "confidentiality_impact_complete",
                "integrity": "integrity_impact_complete"
            },
            "groups": [
                "berlin",
                "development"
            ],
            "ignored": "true"
        }
    },
    "device": {
        "id": "0"
    },
    "host": {
        "id": "0",
        "ip": "127.0.0.1",
        "name": "test_syslog",
        "type": "desktop"
    },
    "observer": {
        "name": "cyberwatch",
        "product": "cyberwatch"
    },
    "related": {
        "ip": [
            "127.0.0.1"
        ]
    },
    "vulnerability": {
        "id": "CVE-XXXX-XXXX",
        "score": {
            "base": 10.0
        },
        "severity": "high"
    }
}
{
    "message": "node='master',active='true',computer_category='desktop',computer_criticality='criticality_medium',computer_id='0',computer_name='test_syslog',computer_os='',computer_os_arch='',computer_os_name='',created_at='2024-03-07 11:36:11 +0100',cve_code='CVE-XXXX-XXXX',cve_level='high',cve_published_at='2024-03-07 11:36:11 +0100',cve_score='10.0',cve_status='ignored',cvss_AC='access_complexity_low',cvss_AV='access_vector_network',cvss_Au='authentication_none',cvss_A='availability_impact_complete',cvss_C='confidentiality_impact_complete',cvss_I='integrity_impact_complete',epss='0.90484',fixed_at='',groups='berlin,development',ignored='true',ip='127.0.0.1',source_node='cyberwatch',updated_at='2024-03-07 11:36:11 +0100'",
    "event": {
        "category": [
            "vulnerability"
        ],
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-03-07T10:36:11Z",
    "cyberwatch": {
        "vas": {
            "active": true,
            "computer": {
                "criticality": "criticality_medium"
            },
            "cve": {
                "published_at": "2024-03-07T10:36:11.000000Z",
                "status": "ignored"
            },
            "cvss": {
                "attack_authentication": "authentication_none",
                "attack_complexity": "access_complexity_low",
                "attack_vector": "access_vector_network",
                "availability": "availability_impact_complete",
                "confidentiality": "confidentiality_impact_complete",
                "integrity": "integrity_impact_complete"
            },
            "epss": {
                "score": "0.90484"
            },
            "groups": [
                "berlin",
                "development"
            ],
            "ignored": "true"
        }
    },
    "device": {
        "id": "0"
    },
    "host": {
        "id": "0",
        "ip": "127.0.0.1",
        "name": "test_syslog",
        "type": "desktop"
    },
    "observer": {
        "name": "cyberwatch",
        "product": "cyberwatch"
    },
    "related": {
        "ip": [
            "127.0.0.1"
        ]
    },
    "vulnerability": {
        "id": "CVE-XXXX-XXXX",
        "score": {
            "base": 10.0
        },
        "severity": "high"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
cyberwatch.vas.active boolean Indicates the current presence of the vulnerability on the asset
cyberwatch.vas.computer.criticality keyword Criticality of the asset as defined in Cyberwatch
cyberwatch.vas.cve.published_at keyword CVE Publication Date
cyberwatch.vas.cve.status keyword Vulnerability status on the affected asset
cyberwatch.vas.cvss.attack_authentication keyword Vulnerability exploitability metric: authentication
cyberwatch.vas.cvss.attack_complexity keyword Vulnerability exploitability metric: access complexity
cyberwatch.vas.cvss.attack_vector keyword Vulnerability exploitability metric: access vector
cyberwatch.vas.cvss.availability keyword Vulnerability impact metric: availability
cyberwatch.vas.cvss.confidentiality keyword Vulnerability impact metric: confidentiality
cyberwatch.vas.cvss.integrity keyword Vulnerability impact metric: integrity
cyberwatch.vas.epss.score keyword Exploit Prediction Scoring System
cyberwatch.vas.fixed_at datetime Vulnerability corrected on the asset on
cyberwatch.vas.groups array Lists of groups
cyberwatch.vas.ignored keyword Indicates whether the vulnerability has been ignored on the asset or not
event.category keyword Event category. The second categorization field in the hierarchy.
event.provider keyword Source of the event.
event.type keyword Event type. The third categorization field in the hierarchy.
host.architecture keyword Operating system architecture.
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.name keyword Name of the host.
host.os.full keyword Operating system name, including the version or code name.
host.os.name keyword Operating system name, without the version.
host.type keyword Type of host.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
vulnerability.id keyword ID of the vulnerability.
vulnerability.score.base float Vulnerability Base score.
vulnerability.severity keyword Severity of the vulnerability.

Configure

This setup guide will show you how to forward your Cyberwatch logs to Sekoia.io by means of a syslog transport channel.

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to set up a syslog concentrator.

Enable Syslog forwarding for Cyberwatch

Once configured, Cyberwatch will send hourly the latest CVEs detected to the remote Syslog server

  1. Click Administration
  2. Click External tools
  3. Click Remote Syslog server

In the Remote Syslog server configuration, provide the address, the port and the transport to the syslog concentrator

Create the intake

Go to the intake page and create a new intake from the format Cyberwatch Detection.

Further readings