Integrate Cisco Vulnerability Management with Google SecOps
This document describes how to integrate Cisco Vulnerability Management with Google Security Operations (Google SecOps).
Integration version: 1.0
Use Cases
Get the contextual insight and threat intelligence needed to intercept the next exploit and respond with precision.
Integration parameters
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
API Root | String | | Yes | The API root of the Cisco Vulnerability Management server. |
API Token | Password | | Yes | The API token used to authenticate to Cisco Vulnerability Management. |
Verify SSL | bool | Checked | Yes | If selected, the integration validates the SSL certificate when connecting to Cisco Vulnerability Management. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Ping
Test the connectivity to Cisco Vulnerability Management.
Parameters
N/A
Run on
The action doesn't run on entities and has no mandatory input parameters.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: print "Successfully connected to the Cisco Vulnerability Management server with the provided connection parameters!" The action should fail and stop a playbook execution if not successful: print "Failed to connect to the Cisco Vulnerability Management server! Error is {0}".format(exception.stacktrace) | General |
Enrich Entities
Enrich entities using information from Cisco Vulnerability Management.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
External ID | CSV | | No | Comma-separated list of external IDs associated with an asset. Assets identified by these external IDs are searched in addition to the entities the action runs on. |
Run on
This action runs on the following entities:
- CVE
- IP Address
- Hostname
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
  "Entity": "Entity",
  "EntityResult": {
    "id": 1177,
    "status": "open",
    "closed_at": null,
    "created_at": "2025-02-06T09:00:16Z",
    "due_date": "2024-09-03",
    "notes": "Unknown",
    "port": [],
    "priority": 10,
    "identifiers": [
      "CVE-2024-38107"
    ],
    "last_seen_time": "2025-02-06T08:59:24.000Z",
    "scanner_score": null,
    "fix_id": 2692956,
    "scanner_vulnerabilities": [
      {
        "port": null,
        "external_unique_id": "CVE-2024-38107",
        "open": true
      }
    ],
    "asset_id": 101,
    "connectors": [
      {
        "id": 160084,
        "name": "Custom CSV",
        "connector_definition_name": "Custom CSV",
        "vendor": "Cisco"
      }
    ],
    "service_ticket": null,
    "urls": {
      "asset": "api.trial1.eu.kennasecurity.com/assets/101"
    },
    "solution": "The following products are affected by this vulnerability:<ul><li><i>Operating System</i> <b>microsoft windows_10_1507</b></li><li><i>Operating System</i> <b>microsoft windows_10_1607</b></li><li><i>Operating System</i> <b>microsoft windows_10_1809</b></li><li><i>Operating System</i> <b>microsoft windows_10_21h2</b></li><li><i>Operating System</i> <b>microsoft windows_10_22h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_21h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_22h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_23h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_24h2</b></li><li><i>Operating System</i> <b>microsoft windows_server_2012</b></li><li><i>Operating System</i> <b>microsoft windows_server_2016</b></li><li><i>Operating System</i> <b>microsoft windows_server_2019</b></li><li><i>Operating System</i> <b>microsoft windows_server_2022</b></li><li><i>Operating System</i> <b>microsoft windows_server_2022_23h2</b></li></ul>The following remediations or software updates can fix your system:<ul><li><b>windows_11_24h2</b> version needs to be updated to version 10.0.26100.1457 or greater.</li><li><b>windows_server_2022_23h2</b> version needs to be updated to version 10.0.25398.1085 or greater.</li><li><b>Windows 10 Version 20H2 Build 10240</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041782\">5041782</a>.</li><li><b>Windows 10 Version 1607 Build 14393</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041773\">5041773</a>.</li><li><b>Windows 10 Version 1809 Build 17763</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041578\">5041578</a>.</li><li><b>Windows 10 Version 21H2 Build 19044</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041580\">5041580</a>.</li><li><b>Windows 10 Version 22H2 Build 19045</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041580\">5041580</a>.</li><li><b>Windows 11 Version 21H2 Build 22000</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041592\">5041592</a>.</li><li><b>Windows 11 Version 22H2 Build 22621</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041585\">5041585</a>.</li><li><b>Windows 11 Version 23H2 Build 22631</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041585\">5041585</a>.</li><li><b>Windows Server 2012</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041851\">5041851</a>.</li><li><b>Windows Server 2012 R2</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041828\">5041828</a>.</li><li><b>Windows Server 2016</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041773\">5041773</a>.</li><li><b>Windows Server 2019</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041578\">5041578</a>.</li><li><b>Windows Server 2022 Build 20348</b> needs to be patched with: <a href=\"https://support.microsoft.com/en-in/help/5041160\">5041160</a>.</li></ul>Refer to these referenced URL(s) for more information on remediation:<br/><ul><li><a href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38107\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38107</a></li></ul>",
    "patch": true,
    "patch_published_at": "2024-08-13T18:15:10.000Z",
    "cve_id": "CVE-2024-38107",
    "cve_description": "Windows Power Dependency Coordinator Elevation of Privilege Vulnerability",
    "cve_published_at": "2024-08-13T18:15:10.000Z",
    "description": null,
    "wasc_id": null,
    "severity": 7,
    "threat": 3,
    "popular_target": false,
    "active_internet_breach": false,
    "easily_exploitable": false,
    "malware_exploitable": false,
    "remote_code_execution": false,
    "predicted_exploitable": false,
    "platform_types": [
      "operating system"
    ],
    "cvss_v2": {
      "exploit_subscore": 3.1,
      "impact_subscore": 10.0,
      "score": 6.8,
      "temporal_score": 5.6
    },
    "cvss_v3": {
      "exploit_subscore": 1.8,
      "impact_subscore": 5.9,
      "score": 7.8
    },
    "custom_fields": [],
    "first_found_on": "2024-08-13T00:00:00Z",
    "top_priority": false,
    "risk_meter_score": 28,
    "closed": false
  }
}
Entity enrichment
Prefix: CiscoVM_
Enrichment field name | Logic - When to apply |
---|---|
priority | When available in JSON |
severity | When available in JSON |
threat | When available in JSON |
solution | When available in JSON |
patch_available | When available in JSON |
description | When available in JSON |
published_at | When available in JSON |
risk_score | When available in JSON |
Enrichment table asset
Prefix: CiscoVM_
Enrichment field name | Logic - When to apply |
---|---|
os | When available in JSON |
priority | When available in JSON |
vulnerabilities_count | When available in JSON |
status | When available in JSON |
last_seen_time | When available in JSON |
tags | When available in JSON |
ip_address | When available in JSON |
hostname | When available in JSON |
fqdn | When available in JSON |
risk_score | When available in JSON |
asset_groups | When available in JSON |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one entity (is_success = true): print "Successfully enriched the following entities in Cisco Vulnerability Management: {entity.identifier}". If data is not available for one entity (is_success = true): print "The action wasn't able to enrich the following entities in Cisco Vulnerability Management: {entity.identifier}". If data is not available for all (is_success = false): print "No information was found for the provided entities." The action should fail and stop a playbook execution on a fatal error, such as wrong credentials, no connection to the server, or other: print "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace) | General |
Update Asset
Update information about the assets in Cisco Vulnerability Management that are associated with Google SecOps entities.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
External ID | CSV | | No | Comma-separated list of external IDs associated with an asset. Assets identified by these external IDs are searched in addition to the entities the action runs on. |
Status | DDL | Select One. Possible values: | No | Status for the asset. |
Note | String | | No | Note for the asset. |
Run on
This action runs on the following entities:
- IP Address
- Hostname
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one entity (is_success = true): print "Successfully updated the following entities in Cisco Vulnerability Management: {entity.identifier}". If one entity is not found (is_success = true): print "The action wasn't able to update the following entities in Cisco Vulnerability Management: {entity.identifier}". If data is not available for all (is_success = false): print "None of the provided entities were updated." The action should fail and stop a playbook execution on a fatal error, such as wrong credentials, no connection to the server, or other: print "Error executing action "Update Asset". Reason: {0}".format(error.Stacktrace) | General |
List Asset Vulnerabilities
Return information about vulnerabilities associated with entities from Cisco Vulnerability Management.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
External ID | CSV | | No | Comma-separated list of external IDs associated with an asset. Assets identified by these external IDs are searched in addition to the entities the action runs on. |
Lowest Risk Score To Return | Int | | No | Minimum risk score of the vulnerabilities to return. If provided, the action filters out every vulnerability whose risk score is lower than this value. |
Run on
This action runs on the following entities:
- IP Address
- Hostname
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
  "Entity": "Entity",
  "EntityResult": [
    {
      "id": 1177,
      "status": "open",
      "closed_at": null,
      "created_at": "2025-02-06T09:00:16Z",
      "due_date": "2024-09-03",
      "notes": "Unknown",
      "port": [],
      "priority": 10,
      "identifiers": [
        "CVE-2024-38107"
      ],
      "last_seen_time": "2025-02-06T08:59:24.000Z",
      "scanner_score": null,
      "fix_id": 2692956,
      "scanner_vulnerabilities": [
        {
          "port": null,
          "external_unique_id": "CVE-2024-38107",
          "open": true
        }
      ],
      "asset_id": 101,
      "connectors": [
        {
          "id": 160084,
          "name": "Custom CSV",
          "connector_definition_name": "Custom CSV",
          "vendor": "Cisco"
        }
      ],
      "service_ticket": null,
      "urls": {
        "asset": "api.trial1.eu.kennasecurity.com/assets/101"
      },
      "solution": "The following products are affected by this vulnerability:<ul><li><i>Operating System</i> <b>microsoft windows_10_1507</b></li><li><i>Operating System</i> <b>microsoft windows_10_1607</b></li><li><i>Operating System</i> <b>microsoft windows_10_1809</b></li><li><i>Operating System</i> <b>microsoft windows_10_21h2</b></li><li><i>Operating System</i> <b>microsoft windows_10_22h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_21h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_22h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_23h2</b></li><li><i>Operating System</i> <b>microsoft windows_11_24h2</b></li><li><i>Operating System</i> <b>microsoft windows_server_2012</b></li><li>",
      "patch": true,
      "patch_published_at": "2024-08-13T18:15:10.000Z",
      "cve_id": "CVE-2024-38107",
      "cve_description": "Windows Power Dependency Coordinator Elevation of Privilege Vulnerability",
      "cve_published_at": "2024-08-13T18:15:10.000Z",
      "description": null,
      "wasc_id": null,
      "severity": 7,
      "threat": 3,
      "popular_target": false,
      "active_internet_breach": false,
      "easily_exploitable": false,
      "malware_exploitable": false,
      "remote_code_execution": false,
      "predicted_exploitable": false,
      "platform_types": [
        "operating system"
      ],
      "cvss_v2": {
        "exploit_subscore": 3.1,
        "impact_subscore": 10.0,
        "score": 6.8,
        "temporal_score": 5.6
      },
      "cvss_v3": {
        "exploit_subscore": 1.8,
        "impact_subscore": 5.9,
        "score": 7.8
      },
      "custom_fields": [],
      "first_found_on": "2024-08-13T00:00:00Z",
      "top_priority": false,
      "risk_meter_score": 28,
      "closed": false
    }
  ]
}
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one entity (is_success = true): print "Successfully listed vulnerabilities for the following entities in Cisco Vulnerability Management: {entity.identifier}". If one entity is not found (is_success = true): print "The action wasn't able to find the following entities in Cisco Vulnerability Management: {entity.identifier}". If data is not available for all (is_success = false): print "None of the provided entities were found." If no vulnerabilities are found for some entities (is_success = true): print "No vulnerabilities based on the provided criteria were found for the following entities in Cisco Vulnerability Management: {entity.identifier}". If no vulnerabilities are found for all entities (is_success = true): print "No vulnerabilities based on the provided criteria were found for the provided entities." The action should fail and stop a playbook execution on a fatal error, such as wrong credentials, no connection to the server, or other: print "Error executing action "List Asset Vulnerabilities". Reason: {0}".format(error.Stacktrace) | General |
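The following is an added example, not code from the integration or from Google SecOps, showing how the Lowest Risk Score To Return filter of List Asset Vulnerabilities and the "when available in JSON" enrichment logic of Enrich Entities can be applied to a vulnerability record like the JSON result above. The mapping from JSON keys to CiscoVM_ enrichment fields, the treatment of a null risk score, and the second sample record are assumptions made for the example.

```python
from typing import Any, Dict, List, Optional

ENRICHMENT_PREFIX = "CiscoVM_"

# Assumed mapping (the page only says a field is set "when available in JSON"):
# enrichment field name -> key in the vulnerability JSON record.
VULN_FIELD_MAP = {
    "priority": "priority",
    "severity": "severity",
    "threat": "threat",
    "solution": "solution",
    "patch_available": "patch",
    "description": "cve_description",
    "published_at": "cve_published_at",
    "risk_score": "risk_meter_score",
}

def build_enrichment(vuln: Dict[str, Any]) -> Dict[str, Any]:
    """Return CiscoVM_-prefixed fields, skipping keys that are absent or null."""
    enrichment: Dict[str, Any] = {}
    for field, json_key in VULN_FIELD_MAP.items():
        value = vuln.get(json_key)
        if value is not None:  # "when available in JSON"
            enrichment[ENRICHMENT_PREFIX + field] = value
    return enrichment

def filter_by_lowest_risk_score(vulns: List[Dict[str, Any]],
                                lowest: Optional[int]) -> List[Dict[str, Any]]:
    """Drop records whose risk_meter_score is lower than `lowest`.
    No threshold keeps everything; a null score counts as 0 (assumption)."""
    if lowest is None:
        return list(vulns)
    return [v for v in vulns if (v.get("risk_meter_score") or 0) >= lowest]

# Constructed sample: a subset of the page's example record plus a made-up
# second record with a null risk score and no CVE description.
SAMPLE_VULNS = [
    {"id": 1177, "cve_id": "CVE-2024-38107", "priority": 10, "severity": 7,
     "threat": 3, "patch": True, "cve_published_at": "2024-08-13T18:15:10.000Z",
     "cve_description": "Windows Power Dependency Coordinator Elevation of "
                        "Privilege Vulnerability",
     "description": None, "risk_meter_score": 28},
    {"id": 1178, "cve_id": "CVE-EXAMPLE-0001", "priority": 4, "severity": 3,
     "threat": 1, "patch": False, "description": None, "risk_meter_score": None},
]

if __name__ == "__main__":
    for v in filter_by_lowest_risk_score(SAMPLE_VULNS, 20):
        print(v["cve_id"], build_enrichment(v))
```

Because the filter is inclusive, a threshold equal to a record's risk_meter_score keeps that record, while a record with a null score is dropped by any positive threshold.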
Request Data Export
Request data export from Cisco Vulnerability Management and attach results to the case wall. This action doesn't run on Google SecOps entities.
This action is asynchronous. Adjust the script timeout value in the Google SecOps IDE for the action as needed.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Export Format | DDL | JSON. Possible values: | Yes | Format of the data export. |
Export Model | DDL | Asset. Possible values: | Yes | Model of the object that needs to be exported. |
Export Fields | CSV | | No | Comma-separated list of fields that you want to return. |
Query Filter | String | | No | Query to filter the data that should be exported. |
Run on
N/A
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available (is_success = true): print "Successfully performed data export in Cisco Vulnerability Management." Async message: "Waiting for data export to complete…" The action should fail and stop a playbook execution on a fatal error, such as wrong credentials, no connection to the server, or other: print "Error executing action "Request Data Export". Reason: {0}".format(error.Stacktrace). If error_message is in the response: print "Error executing action "Request Data Export". Reason: {error_message}". | General |