CyCognito
CyCognito is an attack surface management tool that scans your external-facing assets. You can bring certificate, domain, IP address, IP range, security findings, and web application data from CyCogntio into Brinqa to prioritize risks across your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with CyCognito and how to obtain that information from CyCognito. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select CyCognito from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate CyCognito with Brinqa:
-
API URL: The CyCognito API Server URL. The default URL is
https://api.platform.cycognito.com. -
API token: The API token associated with the CyCognito account, which must have permissions to log in to the API server and return data.
Generate a new CyCognito API token
For the CyCognito connector to use the CyCognito API, you must provide an API token. Only administrators can generate new API tokens. To generate a new API token, follow these steps:
-
Log in to your organization's CyCognito server as an administrator.
-
On the left-hand side of the page, click Workflows & Integrations, and then click API Key Management.
-
Click Add API key. A new window displays. Provide the following information:
-
Key Name: Give your API token a name.
-
Key Access: The CyCognito connector requires read access only, so select Read Only.
-
Set Expiration: Determine whether the token expires or not. If you select On, indicate a time limit for how long the new token is valid.
-
-
Click Create.
Your new API token displays. You cannot view the token again. Copy the token and save it in a secure location.
If you do not have permissions to create a CyCognito API token, contact your CyCognito administrator. For additional information, see CyCognito documentation.
Additional settings
The CyCognito connector contains an additional option for specific configuration:
- Set page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
Types of data to retrieve
The CyCognito connector can retrieve the following types of data from the CyCognito API:
Table 1: Data retrieved from CyCognito
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Certificate | Yes | Certification |
| Domain | Yes | Site |
| IP Address | Yes | Host |
| IP Range | Yes | IP Range |
| Issue | Yes | Vulnerability |
| Issue Definition | Yes | Vulnerability Definition |
| Web Application | Yes | Site |
For detailed steps on how to view the data retrieved from CyCognito in the Brinqa Platform, see How to view your data.
Attribute mappings
Click the tabs below to view the mappings between the source and the Brinqa data model attributes.
- Certificate
- Domain
- IP Address
- IP Range
- Issue
- Issue Definition
- Web Application
Table 2: Certificate attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| Alternative names | Local variable |
| At risk | Local variable |
| Cert | Local variable |
| Comment | Local variable |
| Continent | Local variable |
| Creation date | dateCreated |
| Discoverability | Local variable |
| Domains | domainNames |
| Expiration | Local variable |
| First deteceted | firstSeen |
| First seen | firstSeen |
| Hosting type | Local variable |
| Investigation status | Local variable |
| IP names | ipAddresses |
| Is active | Local variable |
| Issuer common name | Local variable |
| Issuer country | Local variable |
| Issuer org | Local variable |
| Issuer org unit | Local variable |
| Issuer state | Local variable |
| Last detected | lastSeen |
| Last seen | lastSeen |
| Locations | Local variable |
| Owned by | Local variable |
| Owners | owners |
| Organizations | Local variable |
| Regions | Local variable |
| Security grade | Local variable |
| Signature algo | Signature algorithm |
| Status | status |
| Subject common name | Local variable |
| Subject country | Local variable |
| Subject locality | Local variable |
| Subject org | Local variable |
| Subject state | Local variable |
| Sys ID | uid |
| Tags | tags |
| Type | type |
Table 3: Domain attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| At risk | Local variable |
| Comment | Local variable |
| Continent | Local variable |
| Discoverability | Local variable |
| DNS response code | Local variable |
| Domain | Local variable |
| First detected | firstSeen |
| First seen | firstSeen |
| Hosting type | Local variable |
| IP names | ipAddresses |
| Investigation status | Local variable |
| Last detected | lastSeen |
| Last seen | lastSeen |
| Locations | Local variable |
| Owned by | Local variable |
| Owners | owners |
| Organizations | Local variable |
| Regions | Local variable |
| Security grade | Local variable |
| Status | status |
| Sub domains | subdomains |
| Sys ID | uid |
| Tags | tags |
| Type | type |
Table 4: IP Address attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| Alive | Local variable |
| At risk | Local variable |
| Closed ports | Local variable |
| Comment | Local variable |
| Continent | Local variable |
| Discoverability | Local variable |
| Domain names | Local variable |
| Dynamically resolved | Local variable |
| Filtered ports | Local variable |
| First detected | firstSeen |
| First seen | firstSeen |
| Hosting type | Local variable |
| IP | ipAddresses |
| Investigation status | Local variable |
| Last detected | lastSeen |
| Last seen | lastSeen |
| Locations | Local variable |
| Open ports | Local variable |
| Owned by | Local variable |
| Owners | owners |
| Organizations | Local variable |
| Regions | Local variable |
| Security grade | Local variable |
| Status | status |
| Sys ID | uid |
| Tags | tags |
| Type | type |
Table 5: IP Range attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| As list | Local variable |
| At risk | Local variable |
| CIDR | Local variable |
| Comment | Local variable |
| Continent | Local variable |
| Country | Local variable |
| Description | name + ip_range |
| Discoverability | Local variable |
| First detected | firstSeen |
| First seen | firstSeen |
| Hosting type | Local variable |
| IP range | Local variable |
| Investigation status | Local variable |
| Last detected | lastSeen |
| Last seen | lastSeen |
| Locations | Local variable |
| Name | name |
| Owned by | Local variable |
| Organizations | Local variable |
| Owners | owners |
| Regions | Local variable |
| Security grade | Local variable |
| Source | Local variable |
| Status | status |
| Sys id | uid |
| Tags | tags |
| Type | type |
Table 6: Issue attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| Asset ID | targets |
| Comment | Local variable |
| Definition ID | type |
| Evidence | Local variable |
| First detected | firstFound |
| Investigation status | Local variable |
| Last detected | lastFound |
| Locations | Local variable |
| Organizations | Local variable |
| Resolved at | Local variable |
| Status | status, statusCategory |
| Sys ID | uid |
| Tags | tags |
Table 7: Issue Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CVE | cveRecords, cveIds |
| Detection complexity | Local variable |
| Exploirtation score | Local variable |
| Exploitation method | Local variable |
| Potential impact | Local variable |
| References | references |
| Remediation steps | Local variable |
| Severity | severity, severityScore |
| Severity score | Local variable |
| Summary | summary |
| Sys ID | uid |
| Threat | Local variable |
| Title | Local variable |
| Type | type |
Table 8: Web Application attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| At risk | Local variable |
| Comment | Local variable |
| Continent | Local variable |
| Description | description |
| Discoverability | Local variable |
| First detected | firstSeen |
| First seen | firstSeen |
| Form | Local variable |
| Has login | Local variable |
| Home page display label | Local variable |
| Hosting type | Local variable |
| Investigation status | Local variable |
| Is encrypted | Local variable |
| Last detected | lastSeen |
| Last seen | lastSeen |
| Locations | Local variable |
| Organizations | Local variable |
| Owned by | Local variable |
| Owners | owners |
| Regions | Local variable |
| Security grade | Local variable |
| Status | status |
| Supported protocols | Local variable |
| Sys ID | name, uid |
| Tags | tags |
| Title | Local variable |
| Type | categories |
| Webapp address | Local variable |
| Web resource URLs | Local variable |
| Web servers | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The CyCognito connector supports the following operation options. See connector operation options for information about how to apply them.
Table 9: CyCognito connector operation options
| Connector Object | Option | All Possible values | Description | Example |
|---|---|---|---|---|
| Certificate | alive | true, false | Retrieve certificates that match the specified status. true corresponds to certificates that are active or alive, while false corresponds to certificates that are inactive or not alive. | Key: alive Value: true. This key and value combination only retrieves active, or alive, certificates. |
| Domain | alive | true, false | Retrieve domains that match the specified status. true corresponds to domains that are active or alive, while false corresponds to domains that are inactive or not alive. | Key: alive Value: false. This key and value combination only retrieves inactive, or not alive, domains. |
| security_grade | A, B, C, D, F | Retrieve domains based on the specified security grade, ranging from A (Secure or minimal risk) to F (Highly vulnerable). | Key: security_grade Value: F. This key and value combination only retrieves domains with a security grade of F, or highly vulnerable domains. | |
| IP Address | alive | true, false | Retrieve IP addresses that match the specified status. true corresponds to IPs that are active or alive, while false corresponds to IPs that are inactive or not alive. | Key: alive Value: true. This key and value combination only retrieves active, or alive, IP addresses. |
| security_grade | A, B, C, D, F | Retrieve IP addresses based on the specified security grade, ranging from A (Secure or minimal risk) to F (Highly vulnerable). | Key: security_grade Value: D. This key and value combination only retrieves IP Addresses with a security grade of D, or vulnerable IPs. | |
| IP Range | alive | true, false | Retrieve IP ranges that match the specified status. true corresponds to IPs that are active or alive, while false corresponds to IPs that are inactive or not alive. | Key: alive Value: true. This key and value combination only retrieves active, or alive, IP ranges. |
| Web Application | alive | true, false | Retrieve web applications that match the specified status. true corresponds to web applications that are active or alive, while false corresponds to web applications that are inactive or not alive. | Key: alive Value: true. This key and value combination only retrieves active, or alive, web applications. |
| security_grade | A, B, C, D, F | Retrieve web applications based on the specified security grade, ranging from A (Secure or minimal risk) to F (Highly vulnerable). | Key: security_grade Value: F. This key and value combination only retrieves web applications with a security grade of F, or highly vulnerable web applications. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The CyCognito connector uses the CyCognito REST API v1. Specifically, it uses the following endpoints:
Table 10: CyCognito API endpoints used by the connector
| Connector Object | API Endpoints |
|---|---|
| Certificate | GET https://api.platform.cycognito.com/v1/assets/cert/{asset_id} |
| Domain | GET https://api.platform.cycognito.com/v1/assets/domain/{asset_id} |
| IP Address | GET https://api.platform.cycognito.com/v1/assets/ip/{asset_id} |
| IP Range | GET https://api.platform.cycognito.com/v1/assets/iprange/{asset_id} |
| Issue | GET https://api.platform.cycognito.com/v1/issues/issue/{issue_instance_id} |
| Web Application | GET https://api.platform.cycognito.com/v1/assets/webapp/{asset_id} |
Changelog
The CyCognito connector has undergone the following changes:
3.0.6:
- Fixed an issue with the deserialization of IP addresses.
3.0.5:
- Removed the DOMAINS attribute from the Certificate object.
3.0.4
-
Added the following attributes to the Certificate, Domain, IP Address, IP Range, and Web Application objects:
- ATTRIBUTION_CERTAINTY
- DISCOVERY_PATH
- DOMAINS
- ENVIRONMENTS
- IP_RANGES
- PLATFORMS
- RELATED_ASSET_IDs
- SERVICES
-
Added the PORT attribute field to the Issue object.
3.0.3
- Fixed inconsistencies between CVEs (Common Vulnerabilities and Exposures) in the Brinqa Platform and CyCognito.
3.0.2
-
Enhanced to include 'resolved' issues in the sync process of the Issue object.
-
Added exceptions to prevent retry attempts in cases where the CyCognito API responds with a 500 Internal Server Error.
3.0.1
- Removed a duplicated NAME attribute.
3.0.0
- Initial Integration+ release.