Skip to content

Cisco Cyber Vision Executor

Category: Network and Vulnerability Scanners Script: cisco_cybervision.py Integration: REST API Faraday Plugin: Raw JSON (no plugin — generates Faraday JSON directly)

Description

Connects to the Cisco Cyber Vision platform API to retrieve OT/IoT vulnerability data organized by presets (filter sets). Fetches vulnerability lists per preset with pagination, and constructs Faraday-compatible JSON with CVE and CVSS data for each affected asset.

Prerequisites

  • Cisco Cyber Vision instance with API access enabled
  • API token (Admin > API > Token in the Cyber Vision web UI)

Configuration

Environment Variables (Setup)

Variable Required Description
CYBERVISION_TOKEN Yes API authentication token
CYBERVISION_HTTPS_URL Yes Base HTTPS URL (e.g., https://192.168.1.100). Must start with https://

Execution Arguments

Parameter Type Mandatory Description
SPECIFIC_PRESETS list No JSON list of specific preset names to query
PRESETS_CONTAINING string No Filter presets whose label contains this substring
MY_PRESETS boolean No Only fetch presets in the "My preset" category
REFRESH_PRESETS boolean No If true, triggers a data refresh on presets and exits without importing

Common Agent Parameters Supported

AGENT_CONFIG_VULN_TAG, AGENT_CONFIG_HOSTNAME_TAG

YAML Configuration Example

executors:
  cybervision_scan:
    repo_executor: cisco_cybervision.py
    max_size: 65536
    varenvs:
      CYBERVISION_TOKEN: "${CYBERVISION_TOKEN}"
      CYBERVISION_HTTPS_URL: "https://cybervision.local"
    params:
      SPECIFIC_PRESETS:
        mandatory: false
        type: list
        base: list
      MY_PRESETS:
        mandatory: false
        type: boolean
        base: boolean

How It Works

  1. Connects to the Cyber Vision API at the configured URL
  2. Fetches available presets from /api/3.0/presets
  3. Filters presets based on SPECIFIC_PRESETS, PRESETS_CONTAINING, or MY_PRESETS
  4. For each matching preset, retrieves the paginated vulnerability list from /api/3.0/presets/{id}/visualisations/vulnerability-list
  5. Optionally refreshes preset data via /api/3.0/presets/{id}/refreshData
  6. Constructs Faraday JSON with host entries containing CVE IDs, CVSS scores, and vulnerability details

Notes

  • The URL must use HTTPS; HTTP is not supported
  • If no preset filter is specified, all accessible presets are queried
  • Use REFRESH_PRESETS to trigger a data refresh before importing; this is useful for ensuring the latest vulnerability data