Cyware Situational Awareness Platform (CSAP)
App Vendor: Cyware Labs
App Category: Cyware Product, IT Services, Messaging
Connector Version: 1.3.1
API Version: CSAP V3
About App
CSAP is an automated threat alert aggregation and information sharing platform that equips key security personnel with information to improve situational awareness and resilience. You can now aggregate custom threat intelligence feeds (including Cyware’s solutions) with vulnerability and malware early advisories to provide actionable alerts to employees, vendors, customers, peers, and more.
CSAP also allows you to adopt a threat-intel-driven approach to manage security alerts to ensure Members are aware of the latest cyber threats facing your organization. You can now enrich, anonymize, and share precise and relevant threat intelligence including Indicators of Compromise (IOCs), Threat Intelligence, and Incident Responses.
The CSAP app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Create Crisis Alert | This action creates a crisis alert in the CSAP application. |
Create Situational Awareness Alert | This action creates a situational awareness alert to a CSAP user/member. |
Notify User of a Triggered Action | This action notifies a user of a triggered action in the CSAP application. |
Notify User of an Alert | This action sends an alert notification to a CSAP user. |
Get a List of User Groups | This action retrieves a list of user groups from the CSAP application. |
Update Situational Awareness Alert | This action updates the situational awareness alert details available in the CSAP application using the alert ID. |
Get a List of Alert Categories | This action retrieves a list of alert categories from the CSAP application. |
Get a List of Related Alerts | This action retrieves a list of related alert details using indicators from the CSAP application. |
Get a List of Severity Categories | This action retrieves a list of severity categories from the CSAP application. |
Get a List of Threat Methods | This action retrieves a list of threat methods from the CSAP application. |
Get a List of Incident Types | This action retrieves a list of incident types from the CSAP application. |
Get Incident Details | This action retrieves the details of an incident from the CSAP application. |
Get a List of Reported Incidents | This action retrieves the list of reported incidents from the CSAP application. |
Get a List of Information Sources | This action retrieves the list of information sources from the CSAP application. |
Get a List of Alerts | This action retrieves the list of alerts from the CSAP application. |
Get Alert Details | This action retrieves the details of an alert from the CSAP application. |
Report a Cyber Incident | This action creates a cyber incident in the CSAP application. |
Get a List of Users | This action retrieves the list of users from the CSAP application. |
Get User Details | This action retrieves the details of a user from the CSAP application. |
Get Category Details | This action retrieves the details of a category from the CSAP application. |
Get a List of Reported Intel | This action retrieves the list of reported intel from the CSAP application. |
Report Cyber Intel | This action is used to report cyber intel to the CSAP application. |
Get additional Details of an Organization | This action retrieves additional details of an organization from the CSAP application. |
Get Alerts through a Tracking ID | This action retrieves alerts of an organization using tracking ID from the CSAP application. |
List All Fields | This action retrieves the list of all the fields available in the CSAP application. |
Get specific Field Details | This action retrieves details of a specific field from the CSAP application. |
Get Messages from a Topic | This action retrieves messages from a topic from the CSAP application. |
Get a List of Topics of an Alert | This action retrieves the list of topics for an alert from the CSAP application. |
Get Attachments | This action retrieves attachments from the CSAP application. |
Create a Tag | This action creates a new tag in a CSAP application. |
Get Tags | This action retrieves the tags present in a CSAP application. |
Get Intel Details | This action retrieves the details of intel. |
Update Published Alert | This action updates an alert without overriding the alert ID. |
Generic Action | This is a generic action to perform any additional use case on CSAP. |
Configuration Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL for accessing the CSAP application via REST API. Example: https://tenant.domain.tld/api/ | Text | Required | |
Access ID | Enter the Access ID for the OpenAPI credential provisioned on the CSAP application. Example: "xxxxxxe0-c981-4xx8-bxxx-f3xxxx8b8" | Text | Required | |
Secret key | Enter the Secret Key for the OpenAPI credential provisioned on the CSAP application. Example: "xxxxxxe0-c981" | Password | Required | |
Action: Create Situational Awareness (SA) Alert
This action creates a situational awareness alert in Collaborate.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the alert title. Example: "Spearphishing Threat" | Text | Required | |
Description | Enter the alert description. Example: "Spearphishing threat compromised devices" | Text | Required | |
Category name | Enter the category name. Example: "Advisory" | Text | Optional | |
Status | Enter the alert status. Example: "published" | Text | Optional | Allowed values:
|
Traffic Light Protocol | Enter the alert traffic light protocol. Example: "green" | Text | Optional | Allowed values:
|
Additional fields | Enter additional fields in the form of key-value pairs. Example: "card_category": "Vulnerabilities" | Key Value | Optional | Allowed Keys:
|
Example Request
[ { "tlp":"WHITE", "title":"Spearphishing Threat", "description":"Spearphishing threat compromised devices", "extra_fields":{ "card_category":"Vulnerabilities" }, "category_name":"Advisory" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | Object | The response object contains specific details of the alert. |
app_instance.response.content | String | The content of the alert. Example: "Multiple failed login attempts detected from the following IP addresses" |
app_instance.response.optional_fields | Object | An object for any optional fields related to the alert. |
app_instance.response.short_id | String | A unique identifier for the alert. Example: "8272068c" |
app_instance.response.status | String | The status of the alert. Example: "PUBLISHED" |
app_instance.response.title | String | The title of the alert. Example: "Suspicious Login Activity Detected" |
app_instance.response.tlp | String | The Traffic Light Protocol (TLP) associated with the alert. Example: "CLEAR" |
app_instance.status | Integer | The HTTP status code of the response. Example: 200 |
Action: Create crisis alert
This action creates a crisis alert in Collaborate.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the alert title. Example: "Spearphishing Threat" | Text | Required | |
Description | Enter the alert description. Example: "Spearphishing threat compromised devices" | Text | Required | |
Status | Enter the alert status. Example: "PUBLISHED" | Text | Optional | Allowed values:
|
TLP | Enter the alert traffic light protocol. Example: "green" | Text | Optional | Allowed values:
Default value:
|
Additional fields | Enter additional fields in the form of key-value pairs. Example: "card_category": "Vulnerabilities" | Key Value | Optional | Allowed Keys:
Note: To create a crisis alert, ensure the card category is Crisis Notification. |
Example Request
[ { "tlp":"WHITE", "title":"Spearphishing Threat", "description":"Spearphishing threat compromised devices", "extra_fields":{ "card_category":"Crisis Notification" }, "category_name":"New Category" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | Object | An object containing the response details. |
app_instance.response.content | String | The content of the alert. |
app_instance.response.optional_fields | Object | An object for additional optional fields. |
app_instance.response.short_id | String | The short identifier of the alert. Example: "8b12962e" |
app_instance.response.status | String | The status of the alert. Example: "DRAFT" |
app_instance.response.title | String | The title of the alert. |
app_instance.response.tlp | String | The Traffic Light Protocol (TLP) classification. Example: "GREEN" |
app_instance.status | Number | The HTTP status code of the response. Example: 200 |
Action: Get Organization Additional Details
This action retrieves additional details of an organization from the Collaborate application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Organization Name | Enter the organization name to get details. Example: "Organization 1" | Text | Required | |
Example Request
[ { "organization_name": "Example Organization" } ]
Action: Get alert details
This action retrieves the details of an alert from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the unique ID assigned to each topic. Example: "0cc6a7ba" | Text | Required | You can get the alert ID using the Get a list of alerts action. |
Example Request
[ { "alert_id": "0cc6a7ba" } ]
Action: Get alerts through a tracking ID
This action retrieves alerts of an organization using tracking ID from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tracking ID | Enter the tracking ID. Example: "123aabc21" | Text | Required | |
Count | Enter the count. Example: "4" | Text | Optional | Default value:
|
Extra params | Enter payload data in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Example Request
[ { "tracking_ID": "123aabc21", "count": "4" } ]
Action: Get a list of alert categories
This action retrieves a list of alert categories from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "2" | Key Value | Optional | Allowed keys:
|
Example Request
[ { "pagesize":"10", "page":"2" } ]
Action: Get a list of alerts
This action retrieves the list of alerts from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "status": "draft" | Key Value | Optional | Allowed values:
|
Example Request
[ { "status": "draft", "page": "2", "pagesize": "10" } ]
Action: Get a list of incident types
This action retrieves a list of incident types from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "pagesize":"10", "page":"2" } ]
Action: Get a list of information sources
This action retrieves the list of information sources from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "page": "3", "pagesize": "10" } ]
Action: Get a list of reported incidents
This action retrieves the list of reported incidents from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Example Request
[ { "page": "3", "pagesize": "10" } ]
Action: Get a list of reported intel
This action retrieves the list of reported intel from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter the additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "page": "3", "pagesize": "10" } ]
Action: Get a list of severity categories
This action retrieves a list of severity categories from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "pagesize":"10", "page":"3" } ]
Action: Get a list of threat methods
This action retrieves a list of threat methods from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "pagesize":"10", "page":"3" } ]
Action: Get a list of topics of an alert
This action retrieves the list of topics for an alert from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID assigned to an alert. Example: "341123e1" | Text | Required | You can get the alert ID using the Get a list of alerts action. |
Example Request
[ { "alert_id": "341123e1" } ]
Action: Get a list of user groups
This action retrieves a list of user groups from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "2" | Key Value | Optional | Allowed keys:
|
Example Request
[ { "pagesize":"10", "page":"2" } ]
Action: Get a list of users
This action retrieves the list of users from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional parameters | Enter additional parameters in the form of key-value pairs. Example: "page": "3" | Key Value | Optional | Allowed values:
|
Example Request
[ { "page": "3", "pagesize": "10" } ]
Action: Get category details
This action retrieves the details of a category from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Category ID | Enter the category ID. Example: "249ab570" | Text | Required | |
Example Request
[ { "category_id": "2491b570" } ]
Action: Get incident details
This action retrieves the details of an incident from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID. Example: "cy-c1f5d0b1" | Text | Required | You can get the incident ID using the Get a list of reported incidents action. |
Example Request
[ { "incident_id": "cy-c1f5d0b1" } ]
Action: Get Intel Details
This action retrieves the details of intel.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID. Example: "AB-ba747x91" | Text | Required | |
Example Request
[ { "incident_id": "AB-ba747x91" } ]
Action: Get messages from a topic
This action retrieves messages from a topic from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit to retrieve the messages from a topic. Example: 300 | Integer | Optional | |
To Time | Enter the time till which the action must retrieve messages. Example: 1636182792 | Text | Required | |
Topic ID | Enter the topic ID. Example: "altye1avGM8N2w" | Text | Required | You can get the topic ID using the Get a list of topics of an alert action. |
From Time | Enter the time from which the action must start retrieving messages. Example: 1578294758 | Text | Required | |
Example Request
[ { "limit": 300, "to_time": 1636182792, "topic_id": "altye1avGM8N2w", "from_time": 1578294758 } ]
Action: Get specific field details
This action retrieves details of a specific field from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Field UID | Enter the field unique ID. Example: "fdee25fbdf1dd" | Text | Required | You can retrieve the field ID using the List all fields action. |
Example Request
[ { "field_id": "fdee25fbdf1dd" } ]
Action: Get user details
This action retrieves the details of a user from the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User email | Enter the user's email. Example: "andrew@abc.com" | Text | Required | |
Example Request
[ { "email": "andrew@abc.com" } ]
Action: List all fields
This action retrieves the list of all the fields available in the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query params | Enter query params in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Action: Notify user of an alert
This action can be used to send an alert notification to a CSAP user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Card Info | Enter the card info details. Example: "Additional detail of Alert" | Text | Required | |
Parameters | Enter the parameters in the form of key-value pairs. Example: "card_image_name": "Sample Card Image" | Key Value | Optional | Allowed values:
|
Example Request
[ { "card_info": "Additional detail of Alert", "image":{ "card_image":"<image url>", "card_image_name":"<name of image>" } } ]
Action: Notify user of a triggered action
This action notifies a user of a triggered action in the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Parameters | Enter the parameters in the form of key-value pairs. Example: "action_name": "Example Action" | Key Value | Optional | |
Display | Enter the alert display data. Example: "group_tlp": "RED" | Key Value | Optional | Allowed keys:
|
Example Request
[ { "action_name": "Example Action", "card_group":[ { "group_id":"edxhkshdxx", "group_name":"Threat Intel Analyst", "group_tlp":"RED" } ], "card_info":"", "image":{ "card_image":"<image url>", "card_image_name":"<name of image>" }, "card_category":{ "category_id":"xxxxxxxx", "category_name":"<category name>" } } ]
Action: Report a cyber incident
This action creates an incident in the CSAP application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident title | Enter the incident title. Example: "Ransomware Detected" | Text | Required | |
Description | Enter the incident description. Example: "Ransomware threat via phishing email" | Text | Required | |
Attachment | Enter attachments as a list in a dictionary. Example: [{"file_name": "cyware", "type": "url", "file": "https://cyware.com/cyware.jpg"}] | Key Value | Optional | |
Additional parameters | Enter additional parameters in the form of key-value pairs. | Key Value | Optional | Allowed keys:
|
Example Request
[ { "incident_title": "Ransomware Detected", "description": "Ransomware threat via phishing email", "attachment":{ "file_name": "cyware", "type": "URL", "file": "https://cyware.com/cyware.jpg" }, "extra_field":{ "incident_type": "Ransomware" } } ]
Action: Report cyber intel
This action reports cyber intel to the Cyware Situational Awareness Platform (CSAP) application.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter the title for the intel. Example: "New Intel" | Text | Required | |
Description | Enter the description for the intel. Example: "Example Description" | Text | Required | |
Incident type | Enter the incident type. Example: "asset defacement" | Text | Required | Enter an incident type value as defined by your CSAP administrator. |
TLP | Enter the TLP for the reported intel. Example: "Red" | Text | Optional | Allowed values:
Default value:
|
Attachments | Enter the attachments as a JSON list. Example: [{"file_name": "cyware", "type": "url", "file": "https://cyware.com/cyware.jpg"}] | Key Value | Optional | |
Additional parameters | Enter the additional parameters in the form of key-value pairs. | Key Value | Optional | Allowed values:
|
Example Request
[ { "title": "New Intel", "description": "Example Description", "incident_type": "asset defacement", "tlp": "Red", "attachment": { "file_name": "cyware", "type": "URL", "file": "https://cyware.com/cyware.jpg" }, "extra_parameters": { "severity": "Critical" } } ]
Action: Update situational awareness alert
This action updates the situational awareness alert details available in the CSAP application using the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "0cc6a7ba" | Text | Required | You can get the alert ID using the Get alert details action. |
Title | Enter the alert title. Example: "Sample Alert Title" | Text | Optional | |
Description | Enter the alert description. Example: "Example Description" | Text | Optional | |
Status | Enter the alert status. Allowed values: published, draft, expired. By default, the value is published. Example: "draft" | Text | Optional | Allowed values:
Default value:
|
Threat indicators | Enter the threat indicators list as the value associated with the appropriate indicator type key. Example: {"ip": ["1.1.1.1", "8.8.8.8"]} | Key Value | Optional | Allowed values:
|
Card information | Enter the additional details of an alert as card information. Example: "<additional detail of alert>", "image": { "card_image": "<image url>", "card_image_name": "<name of image>" } | Key Value | Optional | |
Additional fields | Enter additional fields in the form of key-value pairs. Example: "card_category": "Vulnerabilities" | Key Value | Optional | Allowed Keys:
|
Traffic Light Protocol (TLP) | Enter the Traffic Light Protocol (TLP). Example: "green" | Text | Required | Allowed values:
|
Example Request
[ { "tlp":"WHITE", "title":"Spearphishing Threat", "description":"Spearphishing threat compromised devices", "extra_fields":{ "card_category":"Vulnerabilities" }, "category_name":"Advisory" } ]
Action: Update Published Alert
This action updates an alert without overriding the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Short ID | Enter the alert unique ID. Example: "37e03cb9" | Text | Required | |
Title | Enter the title. Example: "threat awareness" | Text | Required | |
Content | Enter the description for the alert. Example: "The aim of this alert is to make you aware of the recent phishing incidents" | Text | Required | |
Status | Enter the status of the alert. Example: "DRAFT" | Text | Required | Allowed values:
|
Extra Data | Enter any extra data to update an alert. Example: {"tlp": "RED"} | Key Value | Optional | |
Example Request
[ { "title":"threat awareness", "status":"DRAFT", "content":"The aim of this alert is to make you aware of the recent phishing incident", "short_id":"37e03cb9" } ]
Action: Generic Action
This is a generic action to perform any additional use case on CSAP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use. Example: "GET" | Text | Required | |
Endpoint | Enter the CSAP endpoint to use. Example: "create_alert/" | Text | Required | |
Payload | Enter the payload in JSON format. Example: {"tlp": "green"} | Any | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": "10"} | Any | Optional | |
Example Request
[ { "method": "POST", "payload": { "tlp": "GREEN", "title": "awareness about alerts", "status": "DRAFT", "content": "this action informs user about the recent incidents" }, "endpoint": "create_alert/" } ]
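A pre-flight check for Generic Action input, added here as an example (it is not Cyware's code): because this action accepts a free-form method and endpoint, a playbook that builds them from alert data should confirm the call stays under the configured Base URL. The method allowlist, the endpoint pattern, the `query_params` key name and all function names are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed local policy for this example; not defined by CSAP or Orchestrate.
ALLOWED_METHODS = {"GET", "POST", "PUT"}
# Relative path of plain segments only: no scheme, host, "..", query or fragment.
ENDPOINT_RE = re.compile(r"[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*/?")


class GenericActionError(ValueError):
    """Raised when Generic Action input fails a pre-flight check."""


def resolve_endpoint(base_url, endpoint):
    """Return base_url + endpoint, or raise if the result could leave base_url."""
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.netloc:
        raise GenericActionError("Base URL must be an https:// URL")
    if not isinstance(endpoint, str) or not ENDPOINT_RE.fullmatch(endpoint):
        raise GenericActionError(f"endpoint rejected: {endpoint!r}")
    url = base_url.rstrip("/") + "/" + endpoint
    # Defence in depth: the joined URL must keep the configured host and path prefix.
    joined = urlsplit(url)
    prefix = base.path.rstrip("/") + "/"
    if joined.netloc != base.netloc or not joined.path.startswith(prefix):
        raise GenericActionError("resolved URL escapes the Base URL")
    return url


def validate_generic_action(base_url, request):
    """Check one Generic Action request dict and return the call to make."""
    method = str(request.get("method", "")).upper()
    if method not in ALLOWED_METHODS:
        raise GenericActionError(f"method not allowed: {method!r}")
    url = resolve_endpoint(base_url, request.get("endpoint"))
    payload = request.get("payload")
    params = request.get("query_params")  # assumed key name for "Query Params"
    for name, value in (("payload", payload), ("query_params", params)):
        if value is not None and not isinstance(value, dict):
            raise GenericActionError(f"{name} must be a JSON object")
    if method == "GET" and payload:
        raise GenericActionError("GET request must not carry a payload")
    try:
        body = json.dumps(payload) if payload is not None else None
    except (TypeError, ValueError) as exc:
        raise GenericActionError(f"payload is not JSON-serialisable: {exc}")
    return {"method": method, "url": url, "body": body, "params": params or {}}


def is_rejected(base_url, request):
    """True when validate_generic_action refuses the request."""
    try:
        validate_generic_action(base_url, request)
    except GenericActionError:
        return True
    return False


# Constructed sample input: the page's Example Request and Base URL example.
BASE_URL = "https://tenant.domain.tld/api/"
SAMPLE = {"method": "POST", "endpoint": "create_alert/",
          "payload": {"tlp": "GREEN", "title": "awareness about alerts",
                      "status": "DRAFT",
                      "content": "this action informs user about the recent incidents"}}

if __name__ == "__main__":
    print(validate_generic_action(BASE_URL, SAMPLE)["url"])
    for bad in ("https://other.example/x", "//other.example/x",
                "../admin/", "create_alert/?a=1"):
        print(bad, "rejected:", is_rejected(BASE_URL, dict(SAMPLE, endpoint=bad)))
```

Tighten `ALLOWED_METHODS` and the endpoint pattern to the specific calls your playbooks need, so that a value copied from alert content cannot widen what the action does.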