CyCognito
CyCognito is an attack surface management tool that scans your external-facing assets. You can bring certificate, domain, IP address, IP range, security findings, and web application data from CyCognito into Brinqa to prioritize risks across your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with CyCognito and how to obtain that information from CyCognito. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select CyCognito from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate CyCognito with Brinqa:
- API URL: The CyCognito API Server URL. The default URL is https://api.platform.cycognito.com.
- API token: The API token associated with the CyCognito account, which must have permissions to log in to the API server and return data.
Generate a new CyCognito API token
For the CyCognito connector to use the CyCognito API, you must provide an API token. Only administrators can generate new API tokens. To generate a new API token, follow these steps:
- Log in to your organization's CyCognito server as an administrator.
- On the left-hand side of the page, click Workflows & Integrations, and then click API Key Management.
- Click Add API key. A new window displays. Provide the following information:
  - Key Name: Give your API token a name.
  - Key Access: The CyCognito connector requires read access only, so select Read Only.
  - Set Expiration: Determine whether the token expires or not. If you select On, indicate a time limit for how long the new token is valid.
- Click Create. Your new API token displays. You cannot view the token again after this. Copy and save it to a secure location.
If you do not have permissions to create an API token, contact your CyCognito administrator. For additional information, see CyCognito documentation.
Additional settings
The CyCognito connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
Types of data to retrieve
The CyCognito connector can retrieve the following types of data from the CyCognito API:
Table 1: Data retrieved from CyCognito
Connector Object | Required | Maps to Data Model |
---|---|---|
Certificate | Yes | Certification |
Domain | Yes | Site |
IP Address | Yes | Host |
IP Range | Yes | IP Range |
Issue | Yes | Vulnerability |
Issue Definition | Yes | Vulnerability Definition |
Web Application | Yes | Site |
For detailed steps on how to view the data retrieved from CyCognito in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Certificate
Table 2: Certificate attribute mappings
Source Field Name | Maps to Attribute |
---|---|
Alternative names | Local variable |
At risk | Local variable |
Cert | Local variable |
Comment | Local variable |
Continent | Local variable |
Creation date | dateCreated |
Discoverability | Local variable |
Expiration | Local variable |
First detected | firstSeen |
First seen | firstSeen |
Hosting type | Local variable |
Investigation status | Local variable |
IP names | ipAddresses |
Is active | Local variable |
Issuer common name | Local variable |
Issuer country | Local variable |
Issuer org | Local variable |
Issuer org unit | Local variable |
Issuer state | Local variable |
Last detected | lastSeen |
Last seen | lastSeen |
Locations | Local variable |
Owned by | Local variable |
Owners | owners |
Organizations | Local variable |
Regions | Local variable |
Security grade | Local variable |
Signature algo | Signature algorithm |
Status | status |
Subject common name | Local variable |
Subject country | Local variable |
Subject locality | Local variable |
Subject org | Local variable |
Subject state | Local variable |
Sys ID | uid |
Tags | tags |
Type | type |
Domain
Table 3: Domain attribute mappings
Source Field Name | Maps to Attribute |
---|---|
At risk | Local variable |
Comment | Local variable |
Continent | Local variable |
Discoverability | Local variable |
DNS response code | Local variable |
Domain | Local variable |
First detected | firstSeen |
First seen | firstSeen |
Hosting type | Local variable |
IP names | ipAddresses |
Investigation status | Local variable |
Last detected | lastSeen |
Last seen | lastSeen |
Locations | Local variable |
Owned by | Local variable |
Owners | owners |
Organizations | Local variable |
Regions | Local variable |
Security grade | Local variable |
Status | status |
Sub domains | subdomains |
Sys ID | uid |
Tags | tags |
Type | type |
IP Address
Table 4: IP Address attribute mappings
Source Field Name | Maps to Attribute |
---|---|
Alive | Local variable |
At risk | Local variable |
Closed ports | Local variable |
Comment | Local variable |
Continent | Local variable |
Discoverability | Local variable |
Domain names | Local variable |
Dynamically resolved | Local variable |
Filtered ports | Local variable |
First detected | firstSeen |
First seen | firstSeen |
Hosting type | Local variable |
IP | ipAddresses |
Investigation status | Local variable |
Last detected | lastSeen |
Last seen | lastSeen |
Locations | Local variable |
Open ports | Local variable |
Owned by | Local variable |
Owners | owners |
Organizations | Local variable |
Regions | Local variable |
Security grade | Local variable |
Status | status |
Sys ID | uid |
Tags | tags |
Type | type |
IP Range
Table 5: IP Range attribute mappings
Source Field Name | Maps to Attribute |
---|---|
As list | Local variable |
At risk | Local variable |
CIDR | Local variable |
Comment | Local variable |
Continent | Local variable |
Country Code | Local variable |
Description | name, ipRange |
Discoverability | Local variable |
First detected | firstSeen |
First seen | firstSeen |
Hosting type | Local variable |
IP range | Local variable |
Investigation status | Local variable |
Last detected | lastSeen |
Last seen | lastSeen |
Locations | Local variable |
Name | name |
Owned by | Local variable |
Organizations | Local variable |
Owners | owners |
Regions | Local variable |
Security grade | Local variable |
Source | Local variable |
Status | status |
Sys id | uid |
Tags | tags |
Type | type |
Issue
Table 6: Issue attribute mappings
Source Field Name | Maps to Attribute |
---|---|
Asset ID | targets |
Comment | Local variable |
Definition ID | type |
Evidence | Local variable |
First detected | firstFound |
Investigation status | Local variable |
Last detected | lastFound |
Locations | Local variable |
Organizations | Local variable |
Resolved at | Local variable |
Status | status, statusCategory |
Sys ID | uid |
Tags | tags |
Issue Definition
Table 7: Issue Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CVE | cveRecords, cveIds |
Detection complexity | Local variable |
Exploitation score | Local variable |
Exploitation method | Local variable |
Potential impact | Local variable |
References | references |
Remediation steps | Local variable |
Severity | severity, severityScore |
Severity score | Local variable |
Summary | summary |
Sys ID | uid |
Threat | Local variable |
Title | Local variable |
Type | type |
Web Application
Table 8: Web Application attribute mappings
Source Field Name | Maps to Attribute |
---|---|
At risk | Local variable |
Comment | Local variable |
Continent | Local variable |
Description | description |
Discoverability | Local variable |
First detected | firstSeen |
First seen | firstSeen |
Form | Local variable |
Has login | Local variable |
Home page display label | Local variable |
Hosting type | Local variable |
Investigation status | Local variable |
Is encrypted | Local variable |
Last detected | lastSeen |
Last seen | lastSeen |
Locations | Local variable |
Organizations | Local variable |
Owned by | Local variable |
Owners | owners |
Regions | Local variable |
Security grade | Local variable |
Status | status |
Supported protocols | Local variable |
Sys ID | name, uid |
Tags | tags |
Title | Local variable |
Type | categories |
Webapp address | Local variable |
Web resource URLs | Local variable |
Web servers | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The CyCognito connector supports the following operation options. See connector operation options for information about how to apply them.
Table 9: CyCognito connector operation options
Connector Object | Option | All Possible values | Description | Example |
---|---|---|---|---|
Certificate | active | true, false | Retrieve certificates that match the specified status. true corresponds to certificates that are active while false corresponds to certificates that are inactive. | Key: active, Value: true. This key and value combination only retrieves active certificates. |
Certificate | scan_status | changed, normal, new, removed | Retrieve certificates by the specified scan status. | Key: scan_status, Value: normal. This key and value combination only retrieves certificates with a scan status of normal. |
Domain | active | true, false | Retrieve domains that match the specified status. true corresponds to domains that are active while false corresponds to domains that are inactive. | Key: active, Value: false. This key and value combination only retrieves inactive domains. |
Domain | scan_status | changed, normal, new, removed | Retrieve domains by the specified scan status. | Key: scan_status, Value: new. This key and value combination only retrieves domains with a scan status of new. |
Domain | security_grade | A, B, C, D, F | Retrieve domains based on the specified security grade, ranging from A (secure or minimal risk) to F (highly vulnerable). | Key: security_grade, Value: F. This key and value combination only retrieves domains with a security grade of F, or highly vulnerable domains. |
IP Address | active | true, false | Retrieve IP addresses that match the specified status. true corresponds to IP addresses that are active while false corresponds to IP addresses that are inactive. | Key: active, Value: true. This key and value combination only retrieves active IP addresses. |
IP Address | scan_status | changed, normal, new, removed | Retrieve IP addresses by the specified scan status. | Key: scan_status, Value: changed. This key and value combination only retrieves IP addresses with a scan status of changed. |
IP Address | security_grade | A, B, C, D, F | Retrieve IP addresses based on the specified security grade, ranging from A (secure or minimal risk) to F (highly vulnerable). | Key: security_grade, Value: D. This key and value combination only retrieves IP addresses with a security grade of D, or vulnerable IPs. |
IP Range | active | true, false | Retrieve IP ranges that match the specified status. true corresponds to IP ranges that are active while false corresponds to IP ranges that are inactive. | Key: active, Value: true. This key and value combination only retrieves active IP ranges. |
IP Range | scan_status | changed, normal, new, removed | Retrieve IP ranges by the specified scan status. | Key: scan_status, Value: removed. This key and value combination only retrieves IP ranges with a scan status of removed. |
Web Application | active | true, false | Retrieve web applications that match the specified status. true corresponds to web applications that are active while false corresponds to web applications that are inactive. | Key: active, Value: true. This key and value combination only retrieves active web applications. |
Web Application | scan_status | changed, normal, new, removed | Retrieve web applications by the specified scan status. | Key: scan_status, Value: normal. This key and value combination only retrieves web applications with a scan status of normal. |
Web Application | security_grade | A, B, C, D, F | Retrieve web applications based on the specified security grade, ranging from A (secure or minimal risk) to F (highly vulnerable). | Key: security_grade, Value: F. This key and value combination only retrieves web applications with a security grade of F, or highly vulnerable web applications. |
The option keys and values are case-sensitive as they are shown in this documentation.
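The following is an added example, not Brinqa's or CyCognito's own code, that checks an integration's operation options against Table 9 before a sync: it enforces the case-sensitive keys and values, rejects options a connector object does not support, and renames the retired alive option to active as the 3.0.10 changelog entry asks. The connector object names and option tables are taken from this page; the function name and return shape are this example's own.

```python
"""Validate and migrate CyCognito connector operation options (Table 9)."""
from typing import Dict, List, Tuple

# Allowed values per option, copied from Table 9 (case-sensitive).
_ACTIVE = ("true", "false")
_SCAN_STATUS = ("changed", "normal", "new", "removed")
_SECURITY_GRADE = ("A", "B", "C", "D", "F")

# Options each connector object supports, as documented on this page.
OPERATION_OPTIONS: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "Certificate": {"active": _ACTIVE, "scan_status": _SCAN_STATUS},
    "Domain": {"active": _ACTIVE, "scan_status": _SCAN_STATUS,
               "security_grade": _SECURITY_GRADE},
    "IP Address": {"active": _ACTIVE, "scan_status": _SCAN_STATUS,
                   "security_grade": _SECURITY_GRADE},
    "IP Range": {"active": _ACTIVE, "scan_status": _SCAN_STATUS},
    "Web Application": {"active": _ACTIVE, "scan_status": _SCAN_STATUS,
                        "security_grade": _SECURITY_GRADE},
}

# Options retired by the connector and their replacements (changelog 3.0.10).
RENAMED_OPTIONS = {"alive": "active"}


def migrate_options(connector_object: str,
                    options: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (accepted options, notes).

    Accepted options are safe to apply as-is; notes explain every rename
    and every rejected key or value so the operator can fix the config.
    """
    allowed = OPERATION_OPTIONS.get(connector_object)
    if allowed is None:
        return {}, [f"unknown connector object: {connector_object!r}"]
    accepted: Dict[str, str] = {}
    notes: List[str] = []
    for key, value in options.items():
        new_key = RENAMED_OPTIONS.get(key, key)
        if new_key != key:
            notes.append(f"option {key!r} is retired; use {new_key!r} instead")
        # Exact, case-sensitive match only: "Active" or "SCAN_STATUS" is rejected.
        if new_key not in allowed:
            notes.append(f"option {new_key!r} is not supported for {connector_object}")
            continue
        if value not in allowed[new_key]:
            notes.append(f"value {value!r} is not valid for {new_key!r}; "
                         f"expected one of {allowed[new_key]}")
            continue
        accepted[new_key] = value
    return accepted, notes
```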
APIs
The CyCognito connector uses the CyCognito REST API v1. Specifically, it uses the following endpoints:
Table 10: CyCognito API endpoints used by the connector
Connector Object | API Endpoints |
---|---|
Certificate | GET /v1/assets/cert/{asset_id} |
Domain | GET /v1/assets/domain/{asset_id} |
IP Address | GET /v1/assets/ip/{asset_id} |
IP Range | GET /v1/assets/iprange/{asset_id} |
Issue | GET /v1/issues/issue/{issue_instance_id} |
Web Application | GET /v1/assets/webapp/{asset_id} |
Changelog
The CyCognito connector has undergone the following changes:
3.0.12
- Removed prefixes (e.g., ip/, domain/) from related asset attributes to standardize values. For example, ip/1.1.1.1 is now displayed as 1.1.1.1.
3.0.11
- Fixed an issue where the Issue Definition object sync was failing.
3.0.10
- Fixed an issue where the connector wasn't retrieving inactive and removed assets from CyCognito.
- Updated the default behavior to retrieve assets with SCAN_STATUS values of normal, new, change, and removed. You can override this by using the new operation option: scan_status.
- Replaced the alive operation option with active. Note: If you are currently using the alive operation option, please update your integration configuration to use active to avoid potential errors during syncs.
- Added support for parallel processing for faster syncs.
- Increased the default page size to 1000.
- Added the SOURCE_STATUS attribute to the Certificate, Domain, IP Address, IP Range, and Web Application objects.
3.0.9
- Fixed an issue where assets with a status of "Inactive" or "Removed" in CyCognito were incorrectly displayed as "Active" in Brinqa.
3.0.8
- Changed the COUNTRY attribute on the IP Range object to COUNTRY_CODE.
3.0.7
- Changed the attribute type of CLOSED_PORTS, FILTERED_PORTS, and OPEN_PORTS on the IP Address object from string to integer.
3.0.6
- Fixed an issue with the deserialization of IP addresses.
3.0.5
- Removed the DOMAINS attribute from the Certificate object.
3.0.4
- Added the following attributes to the Certificate, Domain, IP Address, IP Range, and Web Application objects:
  - ATTRIBUTION_CERTAINTY
  - DISCOVERY_PATH
  - DOMAINS
  - ENVIRONMENTS
  - IP_RANGES
  - PLATFORMS
  - RELATED_ASSET_IDs
  - SERVICES
- Added the PORT attribute field to the Issue object.
3.0.3
- Fixed inconsistencies between CVEs (Common Vulnerabilities and Exposures) in the Brinqa Platform and CyCognito.
3.0.2
- Enhanced to include 'resolved' issues in the sync process of the Issue object.
- Added exceptions to prevent retry attempts in cases where the CyCognito API responds with a 500 Internal Server Error.
3.0.1
- Removed a duplicated NAME attribute.
3.0.0
- Initial Integration+ release.