CyberCNS API Documentation
CyberCNS APIs are available for partners to integrate CyberCNS with different systems.
API Documentation
Navigate to API Documentation as shown using the CyberCNS portal.
It redirects to FastAPI for CyberCNS.
Navigate to required section. Eg. Company as below to GET Company ID.
Description: String, skip, limit, sort
String: Filter query to be executed against the database.
Skip: It specifies the number of pages to skip.
Eg: when the skip is set to 0 and the limit is set to 10, it will process the entire dataset by splitting it into 10 pages. The data from the first page will be returned, and for the second page, the skip will be 1, and the limit will be 10, returning the next 10 data.Limit: It limits the number of returned values. The default limit is 100.
Sort: It specifies the sorting order based on the 'severity.keyword' field in descending order.
Sample Script (Vulnerability)
Refer to the Sample Script to get vulnerability, refer below example.
import json
sess_cookie = api.get_cookie() def get_vulns(sess_cookie, params, limit, skip=0):   resp = requests.get(      "https://portaluswest2.mycybercns.com/api/vulnerability/",      headers={        "content-type": "application/json"     },      params={"q": json.dumps(params), "limit": limit, "skip": skip},      cookies=sess_cookie,   )    return resp.json() params = {    "query": {      "bool": {        "must":       [         {            "match": {              "severity.keyword": "High"           },         }       ],     }   } } # dict_keys(['data', 'total', 'count', 'scroll_id']) vulns = get_vulns(sess_cookie, params, 5, 0) print(params["query"]["bool"]["must"][0]['match'])
print(f"Total:Â {vulns['total']}")
CyberCNS Collections and Queries
Below are the CyberCNS Collections and Queries which can be used to get required information.
Collection | Query | Enum | Must Example | Explanation |
Company | {"query": {"bool": {"must": [{"exists": {"field": "description"}}], "must_not": [{"exists": {"field": "companyRef"}}]}}} | Â | Â | Â |
Agents | {"query": {"bool": {"must": [ {"exists": {"field": "agent_type"}}]}}} | enumData = ['LinuxX86', 'Windows', 'Darwin', 'LinuxArm']; | must :- {"match": {"companyRef.id.keyword": "<CompanyID>"} | This should be used wherever Company ID reference is required |
Assets | {"query": {"bool": {"must": [{"exists": {"field": "host.importance"}}], "must_not": [{"match": {"isdeprecated": true}}]}}} | Â | for agent level must :- {"match": {"agentRef.id.keyword": "<AgentID>"} | For all agent related queries. Also as agents are company specific in case you need company reference, Company ID reference is required |
Deprecated Assets | {"query": {"bool": {"must": [{"exists": {"field": "host.importance"}}, {"match": {"isdeprecated": true}}]]}}} | Â | Â | Â |
Ports | {"query": {"bool": {"must": [{"exists": {"field": "port"}}, {"exists": {"field": "service"}}]}}} | Â | must :- {"match": {"assetRef.id.keyword": "<AssetID>"} | For all asset details related data like ports, interfaces AssetID must be used |
Interfaces | {"query": {"bool": {"must": [{"exists": {"field": "interface"}}, {"exists": {"field": "mac"}}]}}} | Â | Â | Â |
Users | {"query": {"bool": {"must": [{"exists": {"field": "uid"}}, {"exists": {"field": "username"}}]}}} | Â | Â | Â |
Storage | {"query": {"bool": {"must": [{"exists": {"field": "mountpoint"}}, {"exists": {"field": "device"}}]}}} | Â | Â | Â |
InstalledPrograms | {"query": {"bool": {"must": [{"exists": {"field": "publisher"}}, {"exists": {"field": "version"}}]}}} | Â | Â | Â |
Vulnerability | {"query": {"bool": {"must": [{"exists": {"field": "vul_id"}}, {"exists": {"field": "score"}}]}}} | Â | Â | Â |
Vulnerability Auth | {"query": {"bool": {"must": [{"exists": {"field": "vul_id"}}, {"exists": {"field": "score.base_score"}}, {"range": {"score.base_score": {"gt": 0}}}]}}} | Â | Â | Â |
Vulnerability NoAuth | {"query": {"bool": {"must": [{"exists": {"field": "vul_id"}}, {"exists": {"field": "score.cvss_score"}}, {"exists": {"field": "port"}}, {"range": {"port": {"gt": 0}}}}]}}} | Â | Â | Â |
Compliance | {"query": {"bool": {"must": [{"exists": {"field": "complaince_id"}}]}}} | Â | Â | Â |
Compliance For individual | {"query": {"bool": {"must": [{"exists": {"field": "complaince_id"}}, {"exists":{"field": "benchmarks.<ComplianceType>"}}]}}} | Â | Â | Â |
ComplianceChecks | {"query": {"bool": {"must": [{"exists": {"field": "filename"}}, {"exists": {"field": "isApplicable"}}]}}} | Â | Â | Â |
Remediation | {"query": {"bool": {"must": [{"exists": {"field": "remediation_status"}}]}}} | Â | Â | Â |
RemediationSuppression | {"query": {"bool": {"must": [{"exists": {"field": "remediationdays"}}]}}} | Â | Â | Â |
Jobs | {"query": {"bool": {"must": [{"exists": {"field": "job_data"}}]}}} | Â | Â | Â |
DiscoverySettings | {"query": {"bool": {"must": [{"exists": {"field": "discovery_type"}}]}}} | Â | Â | Â |
AssetCredentials | {"query": {"bool": {"must": [{"exists": {"field": "cred_type"}}, {"exists": {"field": "hostname"}}, {"match": {"hostname.keyword": ""}}], "must_not": [{"exists": {"field": "assetid.keyword"}}]}}} | Â | Â | Â |
ADCredentials | {"query": {"bool": {"must": [{"exists": {"field": "cred_type"}}, {"exists": {"field": "hostname"}}], "must_not": [{"match": {"hostname.keyword": ""}}]}}} | Â | Â | Â |
RegistryMisConfiguration | {"query": {"bool": {"must": [{"exists": {"field": "hive"}}, {"exists": {"field": "found"}}]}}} | Â | Â | Â |
AssetBestPractices | {"query": {"bool": {"must": [{"exists": {"field": "practice_type"}}]}}} | Â | Â | Â |
AssetFirewallPolicy | {"query": {"bool": {"must": [{"exists": {"field": "policytype"}}]}}} | Â | Â | Â |
SNMPv2 | {"query": {"bool": {"must": [{"match": {"snmp_version.keyword": "v2"}}, {"exists": {"field": "community"}}]}}} | Â | Â | Â |
SNMPv3 | {"query": {"bool": {"must": [{"exists": {"field": "securityName"}}]}}} | Â | Â | Â |
AssetTimeStats | {"query": {"bool": {"must": [ {"exists": {"field": "vul_stats"}}]}} | Â | Â | Â |
AD OU | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_ou"}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
AD Users | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_users"}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
AD Groups | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_groups"}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
AD Computers | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_computers"}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
AD GPO | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_gpo"}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
AD Password Policy | {"query":{"bool":{"should":[{"exists":{"field":"maxPasswordAge"}},{"exists":{"field":"minPasswordAge"}}]}}} | Â | Â | Â |
ExternalScan Agent | {"query": {"bool": {"must": [{"match": {"agent_type": 4}}, {"exists": {"field": "agent_type"}}], "must_not": [{"exists": {"field": "companyRef.id.keyword"}}]}}} | Â | Â | Â |
SslScanTimeseries | ": <External Scan Asset ID>}}]}} | Â | Â | Â |
VulnerabilityTimeseries | {"query": {"bool": {"must": [ {"exists": {"field": "uniqueid"}}, {"exists": {"field": "vul_id"}}]}}} | Â | Â | Â |
External Scan Assets | {"query": {"bool": {"must": [{"match": {"discoveredProtocols.keyword": "EXTERNALSCAN"}}, {"exists": {"field": "host.importance"}}]}}} | Â | Â | Â |
Computers Not loggedIn From 30 Days | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_computers"}}, {"match": {"enabled": true}}, {"exists": {"field": "object_type"}}, {"range": {"lastLogonDate": {"lte": "now-30d"}}}]}}} | Â | Â | Â |
Users Not loggedIn From 30 Days | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_users"}}, {"match": {"enabled": true}}, {"exists": {"field": "object_type"}}, {"range": {"lastLogonDate": {"lte": "now-30d"}}}]}}} | Â | Â | Â |
Groups Critical Objects | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_groups"}}, {"match": {"isCriticalSystemObj": true}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
Groups Non Critical Objects | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_groups"}}, {"match": {"isCriticalSystemObj": false}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
Groups Empty | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_groups"}}, {"match": {"empty": false}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
GPO Active | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_gpo"}}, {"match": {"linkedTo": true}}, {"exists": {"field": "object_type"}}]}}} | Â | Â | Â |
GPO In Active | {"query": {"bool": {"must": [{"match": {"object_type.keyword": "ad_gpo"}}, {"exists": {"field": "object_type"}}], "must_not": [{"exists": {"field": "linked"}}]}}} | Â | Â | Â |
GetAll Integration Credentials | {"query": {"bool": {"must": [ {"exists": {"field": "params"}}, {"exists": {"field": "integrationName"}}]}}} | Â | Â | Â |
Get Single Integration Credentials | {"query": {"bool": {"must": [ {"exists": {"field": "params"}}, {"exists": {"field": "integrationName"}}, {"match": {"integrationName.keyword": "<Integration Name>"}}]}}} | Â | Â | Â |
Integration Mappings | {"query": {"bool": {"must": [ {"exists": {"field": "integrationRef.integrationName"}}]}}} | Â | Â | Â |
Single Integration Mappings | {"query": {"bool": {"must": [ {"exists": {"field": "integrationRef.integrationName"}}, {"match": {"integrationRef.integrationName.keyword": "<Integration Name>"}}]}}} | Â | Â | Â |
Integration Mappings based on compay map | {"query": {"bool": {"must": [ {"exists": {"field": "integrationRef.integrationName"}}, {"match": {" companyRef.id .keyword": "<Company ID>"}}]}}} | Â | Â | Â |
Global Integrations | {"query": {"bool": {"must": [{"match": {"sourceCompanyId.keyword": "*"}}, {"match": {"destCompanyId.keyword": "*"}}]}}} | Â | Â | Â |
TableSettings | {"query": {"bool": {"must": [ {"exists": {"field": "tableId"}}, {"exists": {"field": "columns"}}]}}} | Â | Â | Â |
Alerts | {"query": {"bool": {"must": [{"exists": {"field": "description"}}, {"exists": {"field": "name"}}, {"exists": {"field": "status"}}], "should": [{"match": {"status.keyword": "Open"}}, {"match": {"status.keyword": "Closed"}}], "must_not": [{"exists": {"field": "alertsRef"}}]}}} | Â | Â | Â |
Events | {"query": {"bool": {"must": [{"exists": {"field": "description"}}, {"exists": {"field": "name"}}, {"exists": {"field": "status"}}, {"exists": {"field": "alertsRef"}}], "should": [{"match": {"status.keyword": "Open"}}, {"match": {"status.keyword": "Closed"}}]}}} | Â | Â | Â |
ApplicationBaseLine | {"query": {"bool": {"should": [{"exists": {"field": "mandatoryApplications"}}, {"exists": {"field": "deniedApplications"}}]}}} | Â | Â | Â |
Scheduler | {"query": {"bool": {"must": [{"exists": {"field": "scantype"}}, {"exists": {"field": "settings"}}]}}} | Â | Â | Â |
NotificationRules | {"query": {"bool": {"must": [{"exists": {"field": "integrationRule"}}, {"exists": {"field": "alertRules"}}]}}} | Â | Â | Â |
Port Modification Events | {"query": {"bool": {"must": [{"exists": {"field": "description"}}, {"exists": {"field": "name"}}, {"exists": {"field": "status"}}, {"exists": {"field": "alertsRef"}}, {"terms": {"ruleReference.eventId.keyword": ["CCNS-PORTS-CREATE-EVENT-00001", "CCNS-PORTS-DELETE-EVENT-00001"]}}]}}} | Â | Â | Â |
Custom Report Builder | {"query": {"bool": {"must": [{"exists": {"field": "customReportName"}}]}}} | Â | Â | Â |
Custom Report Generated | {"query": {"bool": {"must": [{"exists": {"field": "customreportbuilderRef"}}]}}} | Â | Â | Â |
ApplicationBaseLine Results | {"query": {"bool": {"should": [{"exists": {"field": "is_mandatory_application"}}, {"exists": {"field": "is_denied_application"}}]}}} | Â | Â | Â |
Firewall Assets | {"query":{"bool":{"must":[{"exists":{"field":"host.importance"}},{"match":{"os.product_type.keyword":"firewall"}}]}}} | Â | Â | Â |
Below is an example to show how to query based on created date and updated date.
Collection | Query |
Based on created date for asset  Asset created between 01-01-2020 - 0 Hours UTC to now | {"query": {"bool": {"must": [{"exists": {"field": "host.importance"}},{"range": {"c": {"gte": "2020-01-01T00:00:00","lte": "now"}}}], "must_not": [{"match": {"isdeprecated": true}}]}}} |
Based on last updated date for asset  Asset last updated between 01-01-2020 - 0 Hours UTC to now | {"query": {"bool": {"must": [{"exists": {"field": "host.importance"}},{"range": {"u": {"gte": "2020-01-01T00:00:00","lte": "now"}}}], "must_not": [{"match": {"isdeprecated": true}}]}}} |
Below is the explanation of Enum values to be used for which options ( Type of Agent & OS platform)
Enum | Value to use | For |
enumData = ['LinuxX86', 'Windows', 'Darwin', 'LinuxArm']; | enumData = 1 | LinuxX86 |
 | enumData = 2 | Windows |
 | enumData = 3 | Darwin |
 | enumData = 4 | LinuxArm |
agentEnum = ['Probe', 'Lightweight Agent', 'Lightweight Agent Installed', 'ExternalScanAgent']; | agentEnum = 1 | Probe |
 | agentEnum = 2 | Lightweight Agent |
 | agentEnum = 3 | Lightweight Agent Installed |
 | agentEnum = 4 | ExternalScanAgent |
Sample query to get Asset Details
Navigate to Assets section.
Use below query to get Asset Details for a particular Company
{"query": {"bool": {"must": [{"exists": {"field": "host.importance"}}, {"match": {"companyRef.id.keyword": "bab8d50a-4f59-4c9b-bcab-303650facd24"}}], "must_not": [{"match": {"isdeprecated": true}}]}}}
The highlighted query part is adding a reference of the company (companyid) which is a part of regular Asset query ( available in the document shared earlier) used with company reference.
Note: The company ID used above is for reference only.
API Authorization
CyberCNS helps with header-based API Authorization.
This will work as per the User Role and Companies allow for the User.
Please use your Client ID and Client Secret as Username and Password respectively.
Along with Authorization, the headers need to be passed.
The Tenant/Domain name will be passed against the Customer ID.
In basic authentication, please include the tenant's name in the header section. Alternatively, one can use login session cookies to access the data for queries.
Ensure that the environment variable has been updated and the 'get login' operation has been performed first. Afterward, all the necessary information can be retrieved. Be sure to add the tenant name to the header."
Below is the set of APIs you can use to get external scan-related information.
To get a list of scanned IPs with OS details:
Endpoint: "https://portaluseast2.mycybercns.com/api/externalscanosinfo/"
payload : {"q": {"customerDomain":"<cybercns domain>","companyId":<cybercns companyId>}, "skip": 0, "limit" : 10, "sort": {"updated":-1}}
To get a list of open ports:
Endpoint : "https://portaluseast2.mycybercns.com/api/externalscanportsinfo/"
payload : {"q": {"customerDomain":"<cybercns domain>","companyId":<cybercns companyId>, "state":"open"}, "skip": 0, "limit" : 10, "sort": {"updated":-1}}
To get a list of vulnerabilities:
Endpoint : "https://portaluseast2.mycybercns.com/api/externalscannsescriptsinfo/"
payload : {"q": {"customerDomain":"<cybercns domain>","companyId":<cybercns companyId>, "osId":<_id obetend from first api call externalscanosinfo>}, "skip": 0, "limit" : 10, "sort": {"updated":-1}}
Sample python file with scroll_id value shown below,
import json
import time
import base64
import requests
Â
def run_scroll_api():
  client_id = "<ClientID>"
  client_secret = "<ClientSecret>"
  headers = {"Authorization": f'Basic {base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()}',
        "customerid": "<Tenant Name>"}
  query = {"query": {"bool": {"must": [{"exists": {"field": "vul_id"}}, {"exists": {"field": "score"}}]}}}
Â
  scroll_id = "start"
  final_data = []
  limit = 10000
  page = 0
  base_url = "https://<BaseURL>/api/vulnerability/" # Ex:- "https://portaluseast2.mycybercns.com"
  start_time = time.time()
  while True:
    resp = requests.get(base_url, params={"q": json.dumps(query), "limit": limit,
                       "skip": page, "scroll_id": scroll_id,
                       "fields": json.dumps(['vul_id'])}, headers=headers)
    if resp.status_code != 200:
      print(f"Error in getting response {resp.status_code} {resp.content}")
      break
    else:
      resp = resp.json()
      if len(resp['data']) > 0:
        final_data.extend(resp["data"])
        scroll_id = resp.get("scroll_id")
        page += 1
        print(f"{limit} {len(resp['data'])},  {resp['total']} {resp['count']} {scroll_id}, time elaspsed {time.time() - start_time}")
      else:
        print("Empty data, ")
        break
    # time.sleep(10)
  print(len(final_data))
​
NOTE:
The KRoles and KUsers APIs are related to KeyCloak. All CyberCNS APIs will work with IDs, but for KeyClock, we are using the name of the role or user in the API endpoint for better communication between the UI and KeyCloak.
Â
This completes the API Documentation.