Cisco Vulnerability Management Source
Cisco Vulnerability Management, formerly known as Kenna Security, provides you with the necessary contextual insights and threat intelligence to proactively intercept and respond effectively to potential exploits. The Cisco Vulnerability Management integration collects assets and vulnerability data from the Cisco API.
Data collected
Polling Interval | Data |
---|---|
24 hours | Asset |
24 hours | Vulnerability |
Setup
Vendor configuration
You'll need a Cisco Base URL and API Key to configure the integration.
The Base URL is required to interact with the Cisco API. You can determine this by looking at the format of the subdomain for your subscription. For example, https://apidocs.kennasecurity.com/reference/welcome.
To generate an API Key, follow these steps:
Only administrators are allowed to retrieve the key. For more information, refer to Kenna Security API Authentication.
- Sign in to the Kenna Security platform.
- Click on the settings menu in the upper right-hand corner.
- Select API Keys from the dropdown that appears. Administrators can create, change, or revoke API keys from this menu.
- Copy and save the generated API key. If it is lost, an admin will need to generate a new key in order to copy and distribute it.
Source configuration
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
  New UI. In the Sumo Logic top menu, select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Search for and select Cisco Vulnerability Management.
- Enter a Name for the Source. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
- Forward to SIEM. Check the checkbox to forward your data to Cloud SIEM.
  Note: Select Forward to SIEM only if you have Cloud SIEM installed.
- (Optional) Fields. Click the +Add link to add custom log metadata Fields.
  - Define the fields you want to associate. Each field needs a name (key) and value.
  - A green circle with a checkmark is shown when the field exists and is enabled in the Fields table schema.
  - An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled, it is ignored, known as dropped.
- Base URL. Provide your Cisco Vulnerability Management customer-specific domain, for example, https://api.kennasecurity.com.
- API Key. Enter the Cisco Vulnerability Management API key.
- Data Collection. Select one or more of the data types, Assets and Vulnerabilities.
- When you are finished configuring the Source, click Save.
JSON schema
Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See how to use JSON to configure Sources for more details.
Parameter | Type | Value | Required | Description |
---|---|---|---|---|
schemaRef | JSON Object | {"type":"Cisco Vulnerability Management"} | Yes | Define the specific schema type. |
sourceType | String | "Universal" | Yes | Type of source. |
config | JSON Object | Configuration object | Yes | Source type specific values. |
Configuration Object
Parameter | Type | Required | Default | Description | Example |
---|---|---|---|---|---|
name | String | Yes | null | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the metadata field _source. | "mySource" |
description | String | No | null | Type a description of the source. | "Testing source" |
category | String | No | null | Type a category of the source. This value is assigned to the metadata field _sourceCategory. See best practices for details. | "mySource/test" |
fields | JSON Object | No | null | JSON map of key-value fields (metadata) to apply to the Collector or Source. Use the boolean field _siemForward to enable forwarding to SIEM. | {"_siemForward": false, "fieldA": "valueA"} |
base_URL | String | Yes | null | Base URL to connect endpoints. | "events.1password.com" |
apiKey | String | Yes | null | Provide the Cisco Vulnerability Management API token you want to use to authenticate collection requests. | "acsac25$" |
dataCollection | []String | Yes | null | Define one or more of the available data sources to collect from. | ["Vulnerabilities","Assets"] |
JSON example
```json
{
  "api.version": "v1",
  "source": {
    "config": {
      "name": "Cisco Vulnerability Management",
      "description": "Cisco Vulnerability Management",
      "category": "Cisco Vulnerability Management",
      "baseURL": "api.domain.com",
      "apiKey": "XXXgXXXXXXXxfkNsaXXXXo8VqkXXXixRf5VlnwcXXXXXchX",
      "dataCollection": [
        "assets",
        "vulnerabilities"
      ]
    },
    "schemaRef": {
      "type": "Cisco Vulnerability Management"
    },
    "sourceType": "Universal"
  }
}
```
Terraform example
```hcl
resource "sumologic_cloud_to_cloud_source" "cisco_vulnerability_management_source" {
  collector_id = sumologic_collector.collector.id
  schema_ref = {
    type = "Cisco Vulnerability Management"
  }
  config = jsonencode({
    "name": "Cisco Vulnerability Management",
    "description": "Cisco Vulnerability Management",
    "category": "Cisco Vulnerability Management",
    "baseURL": "api.domain.com",
    "apiKey": "XXXgXXXXXXXxfkNsaXXXXo8VqkXXXixRf5VlnwcXXXXXchX",
    "dataCollection": [
      "assets",
      "vulnerabilities"
    ]
  })
}
resource "sumologic_collector" "collector" {
  name        = "my-collector"
  description = "Just testing this"
}
```
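A variant of the Terraform configuration above that keeps the API key out of version control and rejects unsupported dataCollection values at plan time. This is an added example, not part of the original Sumo Logic documentation; the variable names (cisco_vm_api_key, cisco_vm_base_url, cisco_vm_data_collection) are assumptions chosen for illustration.

```hcl
# Added example: variable names are illustrative assumptions.
variable "cisco_vm_api_key" {
  description = "Cisco Vulnerability Management API key (supply via TF_VAR_cisco_vm_api_key or a secrets manager)"
  type        = string
  sensitive   = true # redacted in plan/apply output; still written to state
}

variable "cisco_vm_base_url" {
  description = "Customer-specific Cisco Vulnerability Management API domain"
  type        = string
}

variable "cisco_vm_data_collection" {
  description = "Data types to collect"
  type        = list(string)
  default     = ["assets", "vulnerabilities"]

  # Accept only the two data types shown in the JSON example on this page.
  validation {
    condition = length(var.cisco_vm_data_collection) > 0 && alltrue([
      for d in var.cisco_vm_data_collection : contains(["assets", "vulnerabilities"], d)
    ])
    error_message = "Select one or more of: assets, vulnerabilities."
  }
}

resource "sumologic_collector" "collector" {
  name        = "my-collector"
  description = "Hosted Collector for Cisco Vulnerability Management"
}

resource "sumologic_cloud_to_cloud_source" "cisco_vulnerability_management_source" {
  collector_id = sumologic_collector.collector.id
  schema_ref = {
    type = "Cisco Vulnerability Management"
  }
  config = jsonencode({
    name           = "Cisco Vulnerability Management"
    description    = "Cisco Vulnerability Management"
    category       = "Cisco Vulnerability Management"
    baseURL        = var.cisco_vm_base_url
    apiKey         = var.cisco_vm_api_key
    dataCollection = var.cisco_vm_data_collection
  })
}
```

Because the key is still stored in Terraform state, use an encrypted remote state backend with restricted access.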
Limitations
The Search Assets and Vulnerabilities API has a restriction that allows access to just 20 pages of records in its response. We follow the API's suggestion of using a page limit of 5000. So, if the API sends us more than 20 pages of data, our integration will only handle the first 100,000 records, and the rest of the records won't be accessible.
FAQ
Click here for more information about Cloud-to-Cloud sources.