
Cyware Orchestrate

SnapAttack

App Vendor: SnapAttack

App Category: Analytics & SIEM

Connector Version: 1.0.0

API Version: 3.1.0, 24.08.04

About App

The SnapAttack API provides access to threat intelligence, attack simulations, and detection rules, enabling automation of threat detection, validation, and response across cybersecurity systems and workflows.

The SnapAttack app is configured with Orchestrate to perform the following actions:

Export Analytics: This action retrieves the list of analytics.

Export Analytics Status: This action retrieves the status of a specific analytics operation.

Export Analytics Status Result: This action retrieves the result of a specific analytics operation.

Get Detection Recommendation: This action retrieves the detection recommendations for a collection by type.

Search Collection: This action searches in collections for threat actors, vulnerabilities, and more.

Generic Action: This is a generic action used to make requests to any SnapAttack endpoint.

Configuration Parameters

The following configuration parameters are required for the SnapAttack app to communicate with the SnapAttack enterprise application. The parameters can be configured by creating instances in the app.

Each parameter is listed with its field type and whether it is required or optional, followed by its description and comments.

Base URL (Text, Optional)
    Enter the base URL to access SnapAttack.
    Example: https://app.snapattack.com
    Default value: https://app.snapattack.com

API Key (Text, Required)
    Enter the API key to authenticate with SnapAttack.

Timeout (Integer, Optional)
    Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with SnapAttack.
    Allowed range: 15-120
    Default value: 15

Verify (Boolean, Optional)
    Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Passing no disables certificate verification, so the connection may be established without confirming the identity of the SnapAttack endpoint.
    By default, verification is enabled.

Action: Export Analytics

This action retrieves the list of analytics.

Action Input Parameters

Filter Payload (Key Value, Required)
    Enter the filters query to narrow down the response. The items member of the filter is a list of filter objects.
    Example: {"filter":{"op":"and","items":[{"field":"visibility","op":"in","value":["published"]}]}}

Steps

To use this action, follow these steps:

  1. Perform the steps mentioned in the Search Collection action. For more information, see Action: Search Collection.

  2. Paste the list of IDs that you copied from the Search Collection action into the value field in key-value format. The key must be one of the following: vulnerabilities, software, attack_ancestors, or actors, and the value must be the corresponding IDs. Perform this action using the following example payload:

    {
        "filter": {
            "op": "and",
            "items": [
                {
                    "op": "in",
                    "field": "<id_name>",
                    "value": [
                        "<id_1>",
                        "<id_2>"
                    ],
                    "case_sensitive": false,
                    "highlight": false
                }
            ]
        },
        "analytic_compilation_target_id": 1,
        "format": [
            "json"
        ]
    }

    Replace <id_name> with the key chosen from the Search Collection response (vulnerabilities, software, attack_ancestors, or actors) and replace the value list with the IDs you copied for that key. For example, if you are using IDs related to vulnerabilities, set <id_name> to vulnerabilities and the value to the corresponding list of vulnerability IDs.

  3. After performing these steps, you will receive a task_id for the analytics. Use this task_id in the Export Analytics Status and Export Analytics Status Result actions to check the status and the result of the analytics operation respectively.

Action: Export Analytics Status

This action retrieves the status of a specific analytics operation.

Action Input Parameters

Task ID (Text, Required)
    Enter the task ID to retrieve its analytic status.
    Example: 43e52bfe-38af-4cd2-acd2-209c107a1219
    You can retrieve this using the action Export Analytics.

Example Request

[
  {
    "task_id": "8c10cdae-bb5c-4ea8-9b22-471e02dfc2c3"
  }
]

Action: Export Analytics Status Result

This action retrieves the result of a specific analytics operation.

Action Input Parameters

Task ID (Text, Required)
    Enter the task ID to retrieve the result of the specified analytics operation.
    Example: 43e52bfe-38af-4cd2-acd2-209c107a1219
    You can retrieve this using the action Export Analytics.

Example Request

[
  {
    "task_id": "b5444d20-810d-49cd-a1db-9a0ad6d7d4bf"
  }
]

Action: Get Detection Recommendation

This action retrieves the detection recommendations for a collection by type.

Action Input Parameters

Content Type (Text, Required)
    Enter the content type.
    Example: actor
    Allowed values: collection, session, mitre_id, actor, software, vulnerability, attack

Collection IDs (List, Required)
    Enter the collection IDs.
    Example: $LIST[apt29]

Example Request

[
  {
    "threat_type": "actor",
    "collection_ids": [
      "APT29"
    ]
  }
]

Action: Search Collection

This action searches in collections for threat actors, vulnerabilities, and more.

Action Input Parameters

Operation (Text, Optional)
    Enter the operation to be performed.
    Example: and, contains

Items (Any, Optional)
    Enter the list of items to be searched.
    Example: $JSON[{"field": "text","op": "contains","value": "{{searchterm}}","case_sensitive": false,"highlight": true}]

Page (Integer, Optional)
    Enter the page number to retrieve results from.
    Example: 3
    Default value:

Size (Integer, Optional)
    Enter the number of results to retrieve in each page.
    Example: 30
    Default value: 50

Steps

To use this action, follow these steps:

  1. Run this action without entering any values for the Operation and Items parameters. This will return the threat indicator types and their available values in key-value format. The possible threat indicator type keys are vulnerability_names, software_names, attack_names, and actor_names. For example, the response may include:

    "vulnerability_names": [
        "CVE-2017-11882",
        "CVE-2018-0798",
        "CVE-2018-0802",
        "CVE-2012-0158",
        "CVE-2017-0199"
    ]

  2. From the response, copy a value from one of the threat indicator types to use in the value field for items. Perform this action again using the following example payload:

    {
        "op": "and",
        "items": [
            {
                "field": "visibility",
                "op": "in",
                "value": [
                    "Published"
                ]
            },
            {
                "field": "text",
                "op": "contains",
                "value": "<example_names>",
                "case_sensitive": false,
                "highlight": true
            }
        ]
    }

    Replace <example_names> with the value you copied. For example, if you copied CVE-2017-11882, replace <example_names> with CVE-2017-11882.

  3. You will receive IDs for the following keys: vulnerabilities, software, attack_ancestors, and actors.

  4. Copy all the IDs from one of the keys and use them in the Export Analytics action to retrieve the list of analytics. For more information, see Action: Export Analytics.
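The hand-off from these Search Collection steps to the Export Analytics steps above, as an added Python example that is not part of the Cyware or SnapAttack documentation: it fills the page's two example payloads from a search term and a list of copied IDs, rejects keys outside the four the page names, and drops duplicate IDs. The layout of SAMPLE_SEARCH_RESPONSE (a mapping from ID key to a list of IDs) and the IDs in it are constructed assumptions, since the page names the keys but does not show the response nesting.

```python
import json

# ID keys returned by Search Collection step 3 and accepted by the Export Analytics filter.
ID_KEYS = ("vulnerabilities", "software", "attack_ancestors", "actors")

# Constructed sample of a Search Collection response; the nesting (ID key -> list of IDs)
# and the IDs themselves are assumptions of this example, not captured SnapAttack output.
SAMPLE_SEARCH_RESPONSE = {
    "vulnerabilities": ["vuln-id-1", "vuln-id-2", "vuln-id-1"],
    "software": [],
    "attack_ancestors": ["attack-id-7"],
    "actors": ["actor-id-3"],
}

def build_search_payload(search_term):
    """Search Collection step 2: the page's payload with the copied value filled in."""
    return {
        "op": "and",
        "items": [
            {"field": "visibility", "op": "in", "value": ["Published"]},
            {"field": "text", "op": "contains", "value": search_term,
             "case_sensitive": False, "highlight": True},
        ],
    }

def extract_ids(search_response, id_key):
    """Search Collection step 4: copy every ID stored under one key, without duplicates."""
    if id_key not in ID_KEYS:
        raise ValueError(f"unknown ID key {id_key!r}; expected one of {ID_KEYS}")
    return list(dict.fromkeys(search_response.get(id_key, [])))  # order-preserving dedupe

def build_export_filter(id_key, ids, target_id=1):
    """Export Analytics step 2: the page's template with id_name and the ID list filled in."""
    if id_key not in ID_KEYS:
        raise ValueError(f"unknown ID key {id_key!r}; expected one of {ID_KEYS}")
    if not ids:
        raise ValueError("no IDs to export; run Search Collection first")
    return {
        "filter": {"op": "and", "items": [{
            "op": "in", "field": id_key, "value": list(ids),
            "case_sensitive": False, "highlight": False}]},
        "analytic_compilation_target_id": target_id,
        "format": ["json"],
    }

if __name__ == "__main__":
    # The two JSON strings are what goes into the Items and Filter Payload fields.
    print(json.dumps(build_search_payload("CVE-2017-11882"), indent=2))
    ids = extract_ids(SAMPLE_SEARCH_RESPONSE, "vulnerabilities")
    print(json.dumps(build_export_filter("vulnerabilities", ids), indent=2))
```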

Action: Generic Action

This is a generic action used to make requests to any SnapAttack endpoint.

Action Input Parameters

Method (Text, Required)
    Enter the HTTP method to make the request.
    Allowed values: GET, PUT, POST, DELETE

Endpoint (Text, Required)
    Enter the endpoint to make the request to.
    Example: /signatures/export/

Query Params (Key Value, Optional)
    Enter the query parameters to pass to the API.

Payload (Any, Optional)
    Enter the payload to pass to the API.

Extra Fields (Key Value, Optional)
    Enter the extra fields to pass to the API.
    Allowed keys: payload_json, custom_output, download, retry_wait, retry_count, and response_type

Example Request

[
  {
    "method": "POST",
    "endpoint": "search/collections/query/cached/v2/",
    "extra_fields": {},
    "query_params": {
      "page": "0",
      "size": "100"
    }
  }
]