
Cyware Orchestrate

Cyware Situational Awareness Platform (CSAP) 1.0.0

App Vendor: Cyware Labs

App Category: Cyware Product, IT Services, Messaging

Connector Version: 1.3.1

API Version: CSAP V3

About App

CSAP is an automated threat alert aggregation and information sharing platform that equips key security personnel with information to improve situational awareness and resilience. You can now aggregate custom threat intelligence feeds (including Cyware’s solutions) with vulnerability and malware early advisories to provide actionable alerts to employees, vendors, customers, peers, and more.

CSAP also allows you to adopt a threat-intel-driven approach to manage security alerts to ensure Members are aware of the latest cyber threats facing your organization. You can now enrich, anonymize, and share precise and relevant threat intelligence including Indicators of Compromise (IOCs), Threat Intelligence, and Incident Responses.

The CSAP app is configured with the Orchestrate application to perform the following actions:

| Action Name | Description |
| --- | --- |
| Create Crisis Alert | This action creates a crisis alert in the CSAP application. |
| Create Situational Awareness Alert | This action creates a situational awareness alert to a CSAP user/member. |
| Notify User of a Triggered Action | This action notifies a user of a triggered action in the CSAP application. |
| Notify User of an Alert | This action sends an alert notification to a CSAP user. |
| Get a List of User Groups | This action retrieves a list of user groups from the CSAP application. |
| Update Situational Awareness Alert | This action updates the situational awareness alert details available in the CSAP application using the alert ID. |
| Get a List of Alert Categories | This action retrieves a list of alert categories from the CSAP application. |
| Get a List of Related Alerts | This action retrieves a list of related alert details using indicators from the CSAP application. |
| Get a List of Severity Categories | This action retrieves a list of severity categories from the CSAP application. |
| Get a List of Threat Methods | This action retrieves a list of threat methods from the CSAP application. |
| Get a List of Incident Types | This action retrieves a list of incident types from the CSAP application. |
| Get Incident Details | This action retrieves the details of an incident from the CSAP application. |
| Get a List of Reported Incidents | This action retrieves the list of reported incidents from the CSAP application. |
| Get a List of Information Sources | This action retrieves the list of information sources from the CSAP application. |
| Get a List of Alerts | This action retrieves the list of alerts from the CSAP application. |
| Get Alert Details | This action retrieves the details of an alert from the CSAP application. |
| Report a Cyber Incident | This action creates a cyber incident in the CSAP application. |
| Get a List of Users | This action retrieves the list of users from the CSAP application. |
| Get User Details | This action retrieves the details of a user from the CSAP application. |
| Get Category Details | This action retrieves the details of a category from the CSAP application. |
| Get a List of Reported Intel | This action retrieves the list of reported intel from the CSAP application. |
| Report Cyber Intel | This action is used to report cyber intel to the CSAP application. |
| Get additional Details of an Organization | This action retrieves additional details of an organization from the CSAP application. |
| Get Alerts through a Tracking ID | This action retrieves alerts of an organization using tracking ID from the CSAP application. |
| List All Fields | This action retrieves the list of all the fields available in the CSAP application. |
| Get specific Field Details | This action retrieves details of a specific field from the CSAP application. |
| Get Messages from a Topic | This action retrieves messages from a topic from the CSAP application. |
| Get a List of Topics of an Alert | This action retrieves the list of topics for an alert from the CSAP application. |
| Get Attachments | This action retrieves attachments from the CSAP application. |
| Create a Tag | This action creates a new tag in a CSAP application. |
| Get Tags | This action retrieves the tags present in a CSAP application. |
| Get Intel Details | This action retrieves the details of intel. |
| Update Published Alert | This action updates an alert without overriding the alert ID. |
| Generic Action | This is a generic action to perform any additional use case on CSAP. |

Configuration Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Base URL | Enter the base URL for accessing the CSAP application via REST API. Example: https://tenant.domain.tld/api/ | Text | Required | |
| Access ID | Enter the Access ID for the OpenAPI credential provisioned on the CSAP application. Example: "xxxxxxe0-c981-4xx8-bxxx-f3xxxx8b8" | Text | Required | |
| Secret key | Enter the Secret Key for the OpenAPI credential provisioned on the CSAP application. Example: "xxxxxxe0-c981" | Password | Required | |

Action: Create Situational Awareness (SA) Alert

This action creates a situational awareness alert in Collaborate.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Title 

Enter the alert title.

Example:

"Spearphishing Threat"

Text

Required

Description 

Enter the alert description.

Example:

"Spearphishing threat compromised devices"

Text

Required

Category name 

Enter the category name.

Example:

"Advisory"

Text

Optional

Status 

Enter the alert status.

Example:

"published"

Text

Optional

Allowed values:

  • published

  • draft

Traffic Light Protocol 

Enter the alert traffic light protocol.

Example:

"green"

Text

Optional

Allowed values:

  • green

  • red

  • white

  • amber

Additional fields 

Enter additional fields in the form of key-value pairs.

Example:

"card_category": "Vulnerabilities"

Key Value

Optional

Allowed Keys:

  • card_category

  • card_image

  • card_group

  • card_info

Example Request 

[
   {
      "tlp":"WHITE",
      "title":"Spearphishing Threat",
      "description":"Spearphishing threat compromised devices",
      "extra_fields":{
         "card_category":"Vulnerabilities"
      },
      "category_name":"Advisory"
   }
]

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.response | Object | The response object contains specific details of the alert. |
| app_instance.response.content | String | The content of the alert. Example: "Multiple failed login attempts detected from the following IP addresses" |
| app_instance.response.optional_fields | Object | An object for any optional fields related to the alert. |
| app_instance.response.short_id | String | A unique identifier for the alert. Example: "8272068c" |
| app_instance.response.status | String | The status of the alert. Example: "PUBLISHED" |
| app_instance.response.title | String | The title of the alert. Example: "Suspicious Login Activity Detected" |
| app_instance.response.tlp | String | The Traffic Light Protocol (TLP) associated with the alert. Example: "CLEAR" |
| app_instance.status | Integer | The HTTP status code of the response. Example: 200 |

Action: Create crisis alert

This action creates a crisis alert in Collaborate.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Title

Enter the alert title.

Example:

"Spearphishing Threat"

Text

Required

Description

Enter the alert description.

Example:

"Spearphishing threat compromised devices"

Text

Required

Status

Enter the alert status.

Example:

"PUBLISHED"

Text

Optional

Allowed values:

  • PUBLISHED

  • DRAFT

TLP

Enter the alert traffic light protocol.

Example:

"green"

Text

Optional

Allowed values:

  • white

  • green

  • red

  • amber

Default value:

  • white

Additional fields

Enter additional fields in the form of key-value pairs.

Example:

"card_category": "Vulnerabilities"

Key Value

Optional

Allowed Keys:

  • card_category

  • card_image

  • card_group

  • card_info

Note

To create a crisis alert, ensure the card category is Crisis Notification.

Example Request

[
   {
      "tlp":"WHITE",
      "title":"Spearphishing Threat",
      "description":"Spearphishing threat compromised devices",
      "extra_fields":{
         "card_category":"Crisis Notification"
      },
      "category_name":"New Category"
   }
]

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.response | Object | An object containing the response details. |
| app_instance.response.content | String | The content of the alert. |
| app_instance.response.optional_fields | Object | An object for additional optional fields. |
| app_instance.response.short_id | String | The short identifier of the alert. Example: "8b12962e" |
| app_instance.response.status | String | The status of the alert. Example: "DRAFT" |
| app_instance.response.title | String | The title of the alert. |
| app_instance.response.tlp | String | The Traffic Light Protocol (TLP) classification. Example: "GREEN" |
| app_instance.status | Number | The HTTP status code of the response. Example: 200 |
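
The allowed values listed for the Create Situational Awareness Alert and Create crisis alert actions can be checked before a playbook submits the request. The following Python code is an added example, not Cyware's or the connector's own code; the function and class names are hypothetical, and the casing of emitted values follows the parameter tables and Example Request blocks above.

```python
"""Added example: pre-flight checks for Create SA Alert / Create crisis alert inputs.

Allowed values are copied from the parameter tables on this page. The function
and class names are hypothetical; this is not the connector's own code.
"""

ALLOWED_TLP = {"white", "green", "amber", "red"}
ALLOWED_STATUS = {"published", "draft"}
ALLOWED_EXTRA_KEYS = {"card_category", "card_image", "card_group", "card_info"}
CRISIS_CATEGORY = "Crisis Notification"  # card category the page requires for crisis alerts


class AlertInputError(ValueError):
    """Carries every problem found so a playbook fails once with the full list."""

    def __init__(self, problems):
        super().__init__("; ".join(problems))
        self.problems = list(problems)


def _choice(name, value, allowed, problems):
    """Case-insensitive membership check; returns the lower-cased value or None."""
    if value is None:
        return None
    norm = str(value).strip().lower()
    if norm not in allowed:
        problems.append(f"{name} {value!r} not in {sorted(allowed)}")
        return None
    return norm


def build_alert_input(title, description, *, tlp=None, status=None,
                      category_name=None, extra_fields=None, crisis=False):
    """Return the one-element request list shown in the Example Request blocks."""
    problems = []
    for name, value in (("title", title), ("description", description)):
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name} is required and must be non-empty text")

    tlp_norm = _choice("tlp", tlp, ALLOWED_TLP, problems)
    status_norm = _choice("status", status, ALLOWED_STATUS, problems)

    extra = dict(extra_fields or {})
    unknown = sorted(set(extra) - ALLOWED_EXTRA_KEYS)
    if unknown:
        problems.append(f"extra_fields keys not allowed: {unknown}")

    if crisis:
        # Page note: a crisis alert needs the card category "Crisis Notification".
        category = extra.setdefault("card_category", CRISIS_CATEGORY)
        if category != CRISIS_CATEGORY:
            problems.append(f"crisis alert needs card_category {CRISIS_CATEGORY!r}")
        if tlp is None:
            tlp_norm = "white"  # documented default for the crisis alert action

    if problems:
        raise AlertInputError(problems)

    payload = {"title": title.strip(), "description": description.strip()}
    if tlp_norm:
        payload["tlp"] = tlp_norm.upper()  # Example Request blocks send upper case
    if status_norm:
        # The SA table lists lower-case status values, the crisis table upper-case.
        payload["status"] = status_norm.upper() if crisis else status_norm
    if extra:
        payload["extra_fields"] = extra
    if category_name:
        payload["category_name"] = category_name
    return [payload]
```
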

Action: Get Organization Additional Details

This action retrieves additional details of an organization from the Collaborate application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Organization Name

Enter the organization name to get details.

Example:

"Organization 1"

Text

Required

Example Request

[
    {
        "organization_name": "Example Organization"
    }
]
Action: Get alert details

This action retrieves the details of an alert from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the unique ID assigned to each topic.

Example:

"0cc6a7ba"

Text

Required

You can get the alert ID using the Get a list of alerts action.

Example Request

[
    {
        "alert_id": "0cc6a7ba"
    }
]
Action: Get alerts through a tracking ID

This action retrieves alerts of an organization using tracking ID from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Tracking ID

Enter the tracking ID.

Example:

"123aabc21"

Text

Required

Count

Enter the count.

Example:

"4"

Text

Optional

Default value:

  • 1

Extra params

Enter payload data in the form of key-value pairs.

Key Value

Optional

Allowed values:

  • Status (Published, Draft)

  • published_time

Example Request

[
    {
        "tracking_ID": "123aabc21",
        "count": "4"
    }
]
Action: Get a list of alert categories

This action retrieves a list of alert categories from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "2"

Key Value

Optional

Allowed keys:

  • page

  • pagesize

Example Request

[
   {
      "pagesize":"10",
      "page":"2"
   }
]
Action: Get a list of alerts

This action retrieves the list of alerts from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"status": "draft"

Key Value

Optional

Allowed values:

  • page

  • status

  • pagesize

Example Request

[
    {
        "status": "draft",
        "page": "2",
        "pagesize": "10"
    }
]
Action: Get a list of incident types

This action retrieves a list of incident types from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
   {
      "pagesize":"10",
      "page":"2"
   }
]
Action: Get a list of information sources

This action retrieves the list of information sources from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
    {
        "page": "3",
        "pagesize": "10"
    }
]
Action: Get a list of reported incidents

This action retrieves the list of reported incidents from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
    {
        "page": "3",
        "pagesize": "10"
    }
]
Action: Get a list of reported intel

This action retrieves the list of reported intel from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter the additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
    {
        "page": "3",
        "pagesize": "10"
    }
]
Action: Get a list of severity categories

This action retrieves a list of severity categories from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
   {
      "pagesize":"10",
      "page":"3"
   }
]
Action: Get a list of threat methods

This action retrieves a list of threat methods from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
   {
      "pagesize":"10",
      "page":"3"
   }
]
Action: Get a list of topics of an alert

This action retrieves the list of topics for an alert from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the ID assigned to an alert.

Example:

"341123e1"

Text

Required

You can get the alert ID using the Get a list of alerts action.

Example Request

[
    {
        "alert_id": "341123e1"
    }
]
Action: Get a list of user groups

This action retrieves a list of user groups from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "2"

Key Value

Optional

Allowed keys:

  • page

  • pagesize

Example Request

[
   {
      "pagesize":"10",
      "page":"2"
   }
]
Action: Get a list of users

This action retrieves the list of users from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional parameters

Enter additional parameters in the form of key-value pairs.

Example:

"page": "3"

Key Value

Optional

Allowed values:

  • page

  • pagesize

Example Request

[
    {
        "page": "3",
        "pagesize": "10"
    }
]
Action: Get category details

This action retrieves the details of a category from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Category ID

Enter the category ID.

Example:

"249ab570"

Text

Required

Example Request

[
    {
        "category_id": "2491b570"
    }
]
Action: Get incident details

This action retrieves the details of an incident from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID

Enter the incident ID.

Example:

"cy-c1f5d0b1"

Text

Required

You can get the incident ID using the Get a list of reported incidents action.

Example Request

[
    {
        "incident_id": "cy-c1f5d0b1"
    }
]
Action: Get Intel Details

This action retrieves the details of intel.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident ID

Enter the incident ID.

Example:

"AB-ba747x91"

Text

Required

Example Request

[
    {
        "incident_id": "AB-ba747x91"
    }
]
Action: Get messages from a topic

This action retrieves messages from a topic from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the limit to retrieve the messages from a topic.

Example:

300

Integer

Optional

To Time

Enter the time till which the action must retrieve messages.

Example:

1636182792

Text

Required

Topic ID

Enter the topic ID.

Example:

"altye1avGM8N2w"

Text

Required

You can get the topic ID using the Get a list of topics of an alert action.

From Time

Enter the time from which the action must start retrieving messages.

Example:

1578294758

Text

Required

Example Request

[
    {
        "limit": 300,
        "to_time": 1636182792,
        "topic_id": "altye1avGM8N2w",
        "from_time": 1578294758
    }
]
Action: Get specific field details

This action retrieves details of a specific field from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Field UID

Enter the field unique ID.

Example:

"fdee25fbdf1dd"

Text

Required

You can retrieve the field ID using the List all fields action.

Example Request

[
    {
        "field_id": "fdee25fbdf1dd"
    }
]
Action: Get user details

This action retrieves the details of a user from the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

User email

Enter the user's email.

Example:

"andrew@abc.com"

Text

Required

Example Request

[
    {
        "email": "andrew@abc.com"
    }
]
Action: List all fields

This action retrieves the list of all the fields available in the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query params

Enter query params in the form of key-value pairs.

Key Value

Optional

Allowed values:

  • Status (Active, Inactive)

  • Type (Text, Text Box, Boolean, Date, Single Select, Multi-Select)

Action: Notify user of an alert

This action can be used to send an alert notification to a CSAP user.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Card Info

Enter the card info details.

Example:

"Additional detail of Alert"

Text

Required

Parameters

Enter the parameters in the form of key-value pairs.

Example:

"card_image_name": "Sample Card Image"

Key Value

Optional

Allowed values:

  • card_info

Example Request

[
    {
        "card_info": "Additional detail of Alert",
        "image": {
            "card_image": "<image url>",
            "card_image_name": "<name of image>"
        }
    }
]
Action: Notify user of a triggered action

This action notifies a user of a triggered action in the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Parameters

Enter the parameters in the form of key-value pairs.

Example:

"action_name": "Example Action"

Key Value

Optional

Display

Enter the alert display data.

Example:

"group_tlp": "RED"

Key Value

Optional

Allowed keys:

  • card_group (Recipient Groups for the Alert)

  • group_id (Unique ID for the Recipient Group)

  • group_name (Recipient Group Name)

  • group_tlp (RED, WHITE, GREEN, AMBER)

  • card_info (Alert Information)

  • card_image (Alert Image)

  • card_image_name (Alert Image Name)

  • card_category (Alert Category)

  • category_id (Unique ID for the Category)

  • category_name (Category Name)

Example Request

[
    {
        "action_name": "Example Action",
        "card_group": [
            {
                "group_id": "edxhkshdxx",
                "group_name": "Threat Intel Analyst",
                "group_tlp": "RED"
            }
        ],
        "card_info": "",
        "image": {
            "card_image": "<image url>",
            "card_image_name": "<name of image>"
        },
        "card_category": {
            "category_id": "xxxxxxxx",
            "category_name": "<category name>"
        }
    }
]
Action: Report a cyber incident

This action creates an incident in the CSAP application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident title

Enter the incident title.

Example:

"Ransomware Detected"

Text

Required

Description

Enter the incident description.

Example:

"Ransomware threat via phishing email"

Text

Required

Attachment

Enter attachments as a list of dictionaries.

Example:

[{"file_name": "cyware", "type": "url", "file": "https://cyware.com/cyware.jpg"}]

Key Value

Optional

Additional parameters

Enter additional parameters in the form of key-value pairs.

Key Value

Optional

Allowed keys:

  • incident_type

  • threat_methods

  • severity

  • technology_impacted

  • impact

Example Request

[
    {
        "incident_title": "Ransomware Detected",
        "description": "Ransomware threat via phishing email",
        "attachment": {
            "file_name": "cyware",
            "type": "URL",
            "file": "https://cyware.com/cyware.jpg"
        },
        "extra_field": {
            "incident_type": "Ransomware"
        }
    }
]

Action: Report cyber intel

This action can be used to report cyber intel to the Cyware Situational Awareness Platform (CSAP) application.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Title

Enter the title for the intel.

Example:

"New Intel"

Text

Required

Description

Enter the description for the intel.

Example:

"Example Description"

Text

Required

Incident type

Enter the incident type.

Example:

"asset defacement"

Text

Required

Enter an incident type value as defined by your CSAP administrator.

TLP

Enter the TLP for the reported intel.

Example:

"Red"

Text

Optional

Allowed values:

  • Red

  • Amber

  • Green

  • White

Default value:

  • White

Attachments

Enter the attachments as a JSON list.

Example:

[{"file_name": "cyware", "type": "url", "file": "https://cyware.com/cyware.jpg"}]

Key Value

Optional

Additional parameters

Enter the additional parameters in the form of key-value pairs.

Key Value

Optional

Allowed values:

  • threat_methods

  • severity

  • incident_date

  • system_function

  • threat_actors

  • detection_method

  • system_affected

  • report_sources

  • affected_practices

  • confidence_level

  • direct_impact

  • indicators

  • action_taken

  • comments

  • incident_results

Example Request

[
    {
        "title": "New Intel",
        "description": "Example Description",
        "incident_type": "asset defacement",
        "tlp": "Red",
        "attachment": {
            "file_name": "cyware",
            "type": "URL",
            "file": "https://cyware.com/cyware.jpg"
        },
        "extra_parameters": {
            "severity": "Critical"
        }
    }
]
Action: Update situational awareness alert

This action updates the situational awareness alert details available in the CSAP application using the alert ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the Alert ID.

Example:

"0cc6a7ba"

Text

Required

You can get the alert ID using the Get alert details action.

Title

Enter the alert title.

Example:

"Sample Alert Title"

Text

Optional

Description

Enter the alert description.

Example:

"Example Description"

Text

Optional

Status

Enter the alert status.

Example:

"draft"

Text

Optional

Allowed values:

  • published

  • draft

  • expired

Default value:

  • published

Threat indicators

Enter the threat indicators list as the value associated with the appropriate indicator type key.

Example:

{"ip": ["1.1.1.1", "8.8.8.8"]}

Key Value

Optional

Allowed values:

  • ip

  • domain

  • hash

  • url

  • email

  • SHA256

Card information

Enter the additional details of an alert as card information.

Example:

"<additional detail of alert>", "image": {"card_image": "<image url>", "card_image_name": "<name of image>"}

Key Value

Optional

Additional fields

Enter additional fields in the form of key-value pairs.

Example:

"card_category": "Vulnerabilities"

Key Value

Optional

Allowed Keys:

  • card_category

  • card_image

  • card_group

  • card_info

Traffic Light Protocol (TLP)

Enter the Traffic Light Protocol (TLP).

Example:

"green"

Text

Required

Allowed values:

  • green

  • red

  • white

  • amber

Example Request

[
   {
      "tlp":"WHITE",
      "title":"Spearphishing Threat",
      "description":"Spearphishing threat compromised devices",
      "extra_fields":{
         "card_category":"Vulnerabilities"
      },
      "category_name":"Advisory"
   }
]
Action: Update Published Alert

This action updates an alert without overriding the alert ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Short ID

Enter the alert unique ID.

Example:

"37e03cb9"

Text

Required

Title

Enter the title.

Example:

"threat awareness"

Text

Required

Content

Enter the description for the alert.

Example:

"The aim of this alert is to aware you of the recent phishing incidents"

Text

Required

Status

Enter the status of the alert.

Example:

"DRAFT"

Text

Required

Allowed values:

  • DRAFT

  • PUBLISHED

Extra Data

Enter any extra data to update an alert.

Example:

{'tlp': 'RED'}

Key Value

Optional

Example Request

[
   {
      "title":"threat awareness",
      "status":"DRAFT",
      "content":"The aim of this alert is to aware you of the recent phishing incident",
      "short_id":"37e03cb9"
   }
]
Action: Generic Action

This is a generic action to perform any additional use case on CSAP.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Method

Enter the HTTP method to use.

Example:

"GET"

Text

Required

Endpoint

Enter the CSAP endpoint to use.

Example:

"create_alert/"

Text

Required

Payload

Enter the payload in JSON format.

Example:

{"tlp": "green"}

Any

Optional

Query Params

Enter the query parameters in JSON format.

Example:

{"limit": "10"}

Any

Optional

Example Request

[
    {
        "method": "POST",
        "payload": {
            "tlp": "GREEN",
            "title": "awareness about alerts",
            "status": "DRAFT",
            "content": "this action informs user about the recent incidents"
        },
        "endpoint": "create_alert/"
    }
]
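
Because the Generic Action accepts any method and endpoint, a playbook that fills those fields from variables benefits from a policy check before the action runs. The following Python code is an added example, not part of the connector; it assumes the connector appends Endpoint to the configured Base URL, and the allowlist and all names are constructed for illustration.

```python
"""Added example: policy check in front of the Generic Action.

Assumption: the connector appends Endpoint to the configured Base URL.
ALLOWED_CALLS is a constructed sample policy; all names are hypothetical.
"""
import re

# Constructed sample policy: (method, endpoint) pairs a playbook may send.
ALLOWED_CALLS = {("POST", "create_alert/")}

# One path segment: letters, digits, underscore, hyphen. Dots, '%', '?', '#',
# '@', ':' and backslashes are excluded, which rules out '..', encoded
# characters, query strings and anything that could re-target the host.
_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


class GenericActionDenied(ValueError):
    """Raised when a Generic Action request falls outside the policy."""


def normalize_endpoint(endpoint):
    """Accept only a relative path of plain segments, e.g. 'create_alert/'."""
    if not isinstance(endpoint, str) or not endpoint.strip("/"):
        raise GenericActionDenied("endpoint must be non-empty text")
    if "://" in endpoint or endpoint.startswith(("/", "\\")):
        raise GenericActionDenied("endpoint must be relative to the Base URL")
    segments = endpoint.rstrip("/").split("/")
    for segment in segments:
        if not _SEGMENT.fullmatch(segment):
            raise GenericActionDenied(f"endpoint segment {segment!r} is not allowed")
    return "/".join(segments) + "/"


def guard_generic_action(method, endpoint, payload=None):
    """Return the request list for the Generic Action, or raise GenericActionDenied."""
    method_norm = str(method).strip().upper()
    endpoint_norm = normalize_endpoint(endpoint)
    if (method_norm, endpoint_norm) not in ALLOWED_CALLS:
        raise GenericActionDenied(f"{method_norm} {endpoint_norm} is not allowlisted")
    # Policy choice of this example: only JSON objects are accepted as payload.
    if payload is not None and not isinstance(payload, dict):
        raise GenericActionDenied("payload must be a JSON object")
    request = {"method": method_norm, "endpoint": endpoint_norm}
    if payload:
        request["payload"] = payload
    return [request]
```
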