Bishop Fox Cosmos
Bishop Fox Cosmos is an External Attack Surface Management (EASM) platform that discovers and monitors your organization's external attack surface. You can bring domain, network, DNS record, subdomain, IP address, port, service, and pentest finding data from Bishop Fox Cosmos into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Bishop Fox Cosmos and how to obtain that information from Bishop Fox. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Bishop Fox Cosmos from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Bishop Fox Cosmos with Brinqa:
-
Server URL: The Cosmos API base URL. The default URL is
https://api.cosmos.bishopfox.com. -
Login URL: The OAuth token endpoint. The default URL is
https://bishopfox.auth0.com/oauth/token. -
Audience: The OAuth audience. The default value is
cosmos_public. -
API key: The API key (client ID) associated with the Bishop Fox Cosmos account.
-
API secret: The API secret (client secret) associated with the Bishop Fox Cosmos account.
-
Organization ID: The Bishop Fox organization UUID.
The connector authenticates using the OAuth 2.0 Client Credentials grant. It exchanges the API key and API secret for a bearer token at the Bishop Fox Auth0 token endpoint, then includes the token in the Authorization header on every Cosmos API request. The token is valid for 10 hours and is automatically refreshed when it expires.
Additional settings
The Bishop Fox Cosmos connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100.
-
Parallel requests: The maximum number of concurrent page-number page fetches per sync. Cursor-paginated endpoints stay sequential. The default setting is 4.
Types of data to retrieve
The Bishop Fox Cosmos connector can retrieve the following types of data from the Bishop Fox Cosmos API:
Table 1: Data retrieved from Bishop Fox Cosmos
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| DnsRecord | No | — |
| Domain | No | Site |
| Finding | No | Pentest Finding |
| Finding Definition | No | Pentest Finding Definition |
| Hostname Service | No | API Endpoint |
| IP Address | No | Host |
| IP Service | No | API Endpoint |
| Network | No | IP Range |
| Port | No | — |
| Subdomain | No | Host |
The Bishop Fox Cosmos connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Bishop Fox Cosmos in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
DnsRecord
Table 2: DnsRecord attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| cdn_category | CDN_CATEGORY |
| cdn_vendor | CDN_VENDOR |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| designation | DESIGNATION |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| hostname | HOSTNAME |
| hostname | NAME |
| id | UID |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| record_type | RECORD_TYPE |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| asset_type | TYPE |
| tags | TAGS |
| ttl | TTL |
| updated_at | SOURCE_LAST_MODIFIED |
| value | RECORD_VALUE |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Domain
Table 3: Domain attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| client_id | CLIENT_ID |
| cloud | CLOUD |
| confidence_level | CONFIDENCE_LEVEL |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| domain | DOMAIN_NAME |
| domain | NAME |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| expiry | EXPIRY |
| id | UID |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| registrant_organization | REGISTRANT_ORGANIZATION |
| registrar | REGISTRAR |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Finding
Table 4: Finding attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| finding_id | TYPE |
| subject.asset_id | ASSET_ID |
| subject.asset_id | TARGETS |
| subject.asset_type | ASSET_TYPE |
| subject.client_id | CLIENT_ID |
| subject.client_note | CLIENT_NOTE |
| subject.created_at | SOURCE_CREATED_DATE |
| subject.remediated_at | LAST_FIXED |
| subject.remediation_description | RECOMMENDATION |
| subject.retest_count | RETEST_COUNT |
| subject.status | PROVIDER_STATUS |
| subject.status | SOURCE_STATUS |
| subject.updated_at | SOURCE_LAST_MODIFIED |
| Generated (MD5 of finding_id and subject_id) | UID |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Finding Definition
Table 5: Finding Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| additional_resources | REFERENCES |
| bfid | BFID |
| bfid | NAME |
| category, sub_category | CATEGORIES |
| client_note | CLIENT_NOTE |
| definition | DESCRIPTION |
| delivery_date | PUBLISHED_DATE |
| details | DETAILS |
| emerging_threat_id | EMERGING_THREAT_ID |
| engagement_id | ENGAGEMENT_ID |
| finding_id | UID |
| finding_type | FINDING_TYPE |
| organization_id | ORGANIZATION_ID |
| recommendations | RECOMMENDATION |
| reported_at | SOURCE_CREATED_DATE |
| severity | SEVERITY |
| severity | SEVERITY_SCORE |
| severity | SOURCE_SEVERITY |
| source | SOURCE |
| sub_category | SUB_CATEGORY |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Hostname Service
Table 6: Hostname Service attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| application_protocol | PROTOCOL |
| cdn_name | CDN_NAME |
| cdn_type | CDN_TYPE |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| cpe_list[].cpes[] | CPE_RECORDS |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| hostname | HOST |
| ip_list | IP_ADDRESSES |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | HOSTS |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| path | PATH |
| port | PORT |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| id | UID |
| Generated (sync capture timestamp) | LAST_CAPTURED |
IP Address
Table 7: IP Address attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| aged_out | AGED_OUT |
| aged_out_source | AGED_OUT_SOURCE |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| correlation_id | CORRELATION_ID |
| created_at | SOURCE_CREATED_DATE |
| created_by | CREATED_BY |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| deleted | DELETED |
| deleted_at | DELETED_AT |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| id | UID |
| ip_address | IP_ADDRESSES |
| ip_address | NAME |
| ip_address (when classified as public) | PUBLIC_IP_ADDRESSES |
| location | LOCATION |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| refreshed_at | REFRESHED_AT |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| scan_level_override | SCAN_LEVEL_OVERRIDE |
| sources[*].system | SOURCES |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| updated_by | UPDATED_BY |
| Generated (sync capture timestamp) | LAST_CAPTURED |
IP Service
Table 8: IP Service attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| application_protocol | PROTOCOL |
| cdn_name | CDN_NAME |
| cdn_type | CDN_TYPE |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| cpe_list[].cpes[] | CPE_RECORDS |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| id | UID |
| ip_address | IP_ADDRESSES |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| port | PORT |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| Generated (resolved via Port → IpAddress) | HOSTS |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Network
Table 9: Network attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| address | ADDRESS |
| address/prefix | IPV4_RANGES |
| address/prefix | IPV6_RANGES |
| address/prefix | NAME |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| confidence_level | CONFIDENCE_LEVEL |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| id | UID |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| prefix | PREFIX |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Port
Table 10: Port attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| aged_out | AGED_OUT |
| aged_out_source | AGED_OUT_SOURCE |
| client_id | CLIENT_ID |
| cloud | CLOUD |
| correlation_id | CORRELATION_ID |
| created_at | SOURCE_CREATED_DATE |
| created_by | CREATED_BY |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| deleted | DELETED |
| deleted_at | DELETED_AT |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| first_reachable_at | FIRST_REACHABLE_AT |
| first_verified_at | FIRST_VERIFIED_AT |
| id | UID |
| ip_address | IP_ADDRESSES |
| ip_address/port | NAME |
| last_probed_at | LAST_PROBED_AT |
| last_reachable_at | LAST_REACHABLE_AT |
| last_verified_at | LAST_VERIFIED_AT |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| ownership | OWNERSHIP |
| parent_asset_id (when parent_asset_type=ip-address) | HOSTS |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| port | PORT |
| reachable | REACHABLE |
| refreshed_at | REFRESHED_AT |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| scan_level_override | SCAN_LEVEL_OVERRIDE |
| sources[*].system | SOURCES |
| suggested_protocols | SUGGESTED_PROTOCOLS |
| suggested_protocols (first) | PROTOCOL |
| asset_type | TYPE |
| tags | TAGS |
| transport_protocol | TRANSPORT_PROTOCOL |
| updated_at | SOURCE_LAST_MODIFIED |
| updated_by | UPDATED_BY |
| verified | VERIFIED |
| Generated (sync capture timestamp) | LAST_CAPTURED |
Subdomain
Table 11: Subdomain attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| client_id | CLIENT_ID |
| cloud | CLOUD |
| confidence_level | CONFIDENCE_LEVEL |
| created_at | SOURCE_CREATED_DATE |
| customer_id | CUSTOMER_ID |
| data_updated_at | LAST_SCANNED |
| designation | DESIGNATION |
| enabled | ENABLED |
| engagements | ENGAGEMENTS |
| hostname | HOST |
| hostname | HOSTNAMES |
| hostname | NAME |
| id | UID |
| is_apex | IS_APEX |
| organization_id | ORGANIZATION_ID |
| origination | ORIGINATION |
| orphaned_cname | ORPHANED_CNAME |
| ownership | OWNERSHIP |
| parent_asset_id | PARENT_ASSET_ID |
| parent_asset_type | PARENT_ASSET_TYPE |
| reserved_engagements | RESERVED_ENGAGEMENTS |
| rfc1918 | RFC1918 |
| serviceable | SERVICEABLE |
| asset_type | TYPE |
| tags | TAGS |
| updated_at | SOURCE_LAST_MODIFIED |
| viable | VIABLE |
| wildcard | WILDCARD |
| wildcard_scan_override | WILDCARD_SCAN_OVERRIDE |
| Generated (sync capture timestamp) | LAST_CAPTURED |
APIs
The Bishop Fox Cosmos connector uses the Bishop Fox Cosmos v5 API. Specifically, it uses the following endpoints:
Table 12: Bishop Fox Cosmos API endpoints
| Connector Object | API Endpoint |
|---|---|
| DnsRecord | GET /v5/asset-view/dns-records |
| Domain | GET /v5/asset-view/domains |
| Finding | GET /v5/findings |
| Finding Definition | GET /v5/findings |
| Hostname Service | GET /v5/asset-view/hostname-services |
| IP Address | GET /v5/asset-view/ip-addresses |
| IP Service | GET /v5/asset-view/ip-services |
| Network | GET /v5/asset-view/networks |
| Port | GET /v5/asset-view/ports |
| Subdomain | GET /v5/asset-view/subdomains |
The /v5/asset-view/ports and /v5/asset-view/ip-addresses endpoints are functional but absent from the public Bishop Fox API documentation. The IP Service sync also performs an auxiliary fetch of GET /v5/asset-view/ports (cached once per sync) to resolve the HOSTS attribute by following the Port → IpAddress parent chain.
Changelog
The Bishop Fox Cosmos connector has undergone the following changes:
Table 13: Bishop Fox Cosmos connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.1 | Bug Fixes - Projection-restricted asset types no longer fail the sync. Some asset types (notably ports and IP addresses) are not exposed under the 'cosmos_public' audience and the Bishop Fox API rejects them with a '400 public projection not supported for this asset type'. The connector now detects this response and skips the affected asset type, logging a warning, instead of failing the run. IP service syncs still complete in this case, just without the port-derived host back-link. To ingest ports and IP addresses, configure an audience whose token is entitled to the private projection. - Findings pagination. The connector now retrieves every page of '/v5/findings', not just the first. Previously a token-based pagination loop terminated after page 1 because the Bishop Fox v5 API is page-number-based and never returns the expected token field, so customers with more than one page (100 records) of findings or finding definitions were missing the rest of their data. Improvements - Parallel page-number pagination. Endpoints that advertise 'total' + 'limit' (currently '/v5/findings' and '/v5/asset-view/networks', with others auto-detected at runtime) now fetch their pages concurrently, bounded by the 'Parallel requests' configuration property (default: 4). For large tenants this dramatically shortens sync time. Cursor-paginated endpoints stay sequential because each page's continuation token is only known after the previous response. - Attribute consolidation precedence. All custom Bishop Fox attributes now participate in the platform's data-consolidation pipeline at the standard connector priority (50) instead of being last-in. When the same record receives values from multiple sources, the values reported by this connector now win ties against non-connector channels (manual UI edits, bulk imports, etc.), matching how every other Brinqa connector already behaves. No Migration | June 3rd, 2026 |
| 3.0.0 | Initial Integration+ release. The BishopFox connector integrates with Bishop Fox Cosmos (External Attack Surface Management) to synchronize asset surface data: registered domains, network ranges, DNS records, subdomains, IP addresses, open ports, and discovered services, together with pentest findings and their definitions. Migration Required - Schema rebuild required. All ten model schemas changed: standard 'connectors-model' 'AttributeInfos' (UID, HOST, IP_ADDRESSES, PORT, PROTOCOL, etc.) replace the previous String-keyed attributes; 'OBJECT_TYPE' constants stabilized; 'LAST_CAPTURED' added everywhere. Action: re-sync all data after upgrade. - Hierarchy expanded. Three asset classes that were previously implicit are now first-class models: 'IpAddress', 'Port', and 'DnsRecord'. Action: enable them in your sync schedule if you want the full asset graph. - UDM targets assigned. Subdomain and IpAddress map to 'Host'; HostnameService and IpService map to 'ApiEndpoint'; Domain to 'Site'; Network to 'IpRange'; Finding/FindingDefinition to 'PentestFinding'/'PentestFindingDefinition'. Action: review downstream feeds that key on these UDMs. - Asset → Host references are now explicit via the HOSTS attribute on HostnameService (links to Subdomain) and IpService (links to IpAddress, resolved via Port lookup). The platform-reserved TARGETS is no longer used on assets, only on Findings. - Findings API behavior fixed. The legacy connector sent 'since', 'severity', and CSV-formatted 'status' to '/v5/findings', all of which the v5 API rejects with '400 validation failed'. The new connector sends only documented parameters; 'status' and 'category' are emitted as repeated keys per the v5 spec. | June 3rd, 2026 |