Actions are automated tasks that FireTail runs against an API. You create an action against a specific API; it can be triggered by an event, or it can run on a schedule.
Create an action
Navigate to the APIs tab on the dashboard.
Select the API you want to create the action against.
Click Actions. Then click Create Action.
Choose whether to create an Event Driven Action or a Scheduled Action.
Create an Event Driven Action
Fill out the Event Driven Action form:
Name: Enter a name for the action.
Description: Enter a description for the action.
Events: Select which event or events will trigger the action.
Integration Type: Choose Custom or Managed:
Custom: Select from a previously created Lambda or Webhook integration. Alternatively, click Create to create a new one.
Managed:
API CVE Detection - Scan the entered endpoint for CVEs.
SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
Data Exposure Detection - Scan the entered endpoint for data exposure.
Default Login Detection - Scan the entered endpoint to check if you are hosting any services using default login credentials.
Fuzzing Detection - Fuzz the entered endpoint.
Note: See below for further information on each of the managed actions.
Scheduled action
Set up an action that runs on a schedule. Fill out the Scheduled Action form:
Name: Enter a name for the action.
Description: Enter a description for the action.
Scheduled rate minutes: The rate in minutes at which the action should be run.
Integration Type: Choose Custom or Managed:
Custom: Select from a previously created Lambda or Webhook integration. Alternatively, click Create to create a new one.
Managed:
API CVE Detection - Scan the entered endpoint for CVEs.
SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
Data Exposure Detection - Scan the entered endpoint for data exposure.
Default Login Detection - Scan the entered endpoint to check if you are hosting any services using default login credentials.
Fuzzing Detection - Fuzz the entered endpoint.
Note: See below for further information on each of the managed actions.
Custom integration example
Below is a FireTail actions event payload. See the GitHub Repo for details on how to call back to FireTail with your own findings.
API CVE Detection
This managed action scans your endpoint for CVEs (Common Vulnerabilities and Exposures) and generates observations. A CVE identifier has the form CVE-YYYY-NNNN, where YYYY is the year in which the identifier was reserved or the vulnerability was made public (not necessarily the year it was discovered) and NNNN is a sequence number of four or more digits that is unique within that year. In total, 2302 checks are made. See the table below for some examples of CVEs that are scanned for in this managed action.
| CVE identifier | Name | Description | Severity |
|---|---|---|---|
| CVE-2024-21893 | Ivanti SAML - Server Side Request Forgery (SSRF) | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | High |
| CVE-2023-49103 | OwnCloud - Phpinfo Configuration | An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that an attacker could use to gather information about the system. | High |
| CVE-2023-42442 | JumpServer < 3.6.4 - Information Disclosure | JumpServer is an open source bastion host and operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS or other cloud storage are not affected. Permission control on the API `/api/v1/terminal/sessions/` is broken and the API can be accessed anonymously: the SessionViewSet permission classes are set to `[RBACPermission \| IsSessionAssignee]`, an OR relation, so matching either permission is enough. Versions 3.5.5 and 3.6.4 contain a fix. After upgrading, visit `$HOST/api/v1/terminal/sessions/?limit=1`; the expected HTTP response code is 401 (`not_authenticated`). | Medium |
| CVE-2023-48023 | Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery | The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation on the affected parameter, and any HTTP or HTTPS URL is accepted as valid. | High |
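The JumpServer entry spells out a post-upgrade check (anonymous request to the sessions API, 401 expected), which is exactly the kind of read-only probe a CVE detection performs. The following is an added example of that probe, written for this page and not taken from FireTail's managed action or from the JumpServer project; it assumes a DRF-style paginated response (`{"count", "results": [...]}`) and takes the HTTP transport as a callable so it can be exercised offline against the constructed fake servers at the bottom.

```python
import json
from typing import Callable, Dict, Tuple

# Transport abstraction: send(method, url, headers) -> (status, body).
# Injected so the check runs offline against the fake servers at the bottom.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

CVE_ID = "CVE-2023-42442"
CHECK_PATH = "/api/v1/terminal/sessions/?limit=1"   # the path the advisory tells you to visit


def check_jumpserver_session_api(base_url: str, send: Transport) -> dict:
    """Anonymous probe of the session-replay listing.

    Patched JumpServer (3.5.5 / 3.6.4 and later) answers 401 `not_authenticated`.
    A 200 carrying a session listing means the RBACPermission | IsSessionAssignee
    OR-chain is letting anonymous callers through, so the host is vulnerable.
    limit=1 keeps the probe read-only and minimal.
    """
    url = base_url.rstrip("/") + CHECK_PATH
    status, body = send("GET", url, {"Accept": "application/json"})
    result = {"id": CVE_ID, "severity": "Medium", "vulnerable": False, "url": url}
    if status == 401:
        result["reason"] = "401 not_authenticated: permission check enforced (patched)"
        return result
    if status != 200:
        result["reason"] = f"unexpected status {status}; not a JumpServer session API?"
        return result
    try:
        data = json.loads(body)
    except ValueError:
        result["reason"] = "200 with a non-JSON body; probably not JumpServer"
        return result
    # Assumption for this example: DRF-style pagination ({"count", "results": [...]}),
    # with a bare JSON list accepted as well.
    listing = data.get("results") if isinstance(data, dict) else data
    if isinstance(listing, list):
        result["vulnerable"] = True
        result["reason"] = f"anonymous 200 returned a session listing ({len(listing)} record(s))"
    else:
        result["reason"] = "200 but the body is not a session listing"
    return result


# Constructed fake servers standing in for a vulnerable and a patched JumpServer.
def fake_vulnerable(method, url, headers):
    if "Authorization" not in headers:       # no permission check at all
        return 200, json.dumps({"count": 1, "results": [{"id": "f1d2", "user": "ops"}]})
    return 200, json.dumps({"count": 0, "results": []})


def fake_patched(method, url, headers):
    if "Authorization" not in headers:
        return 401, json.dumps({"code": "not_authenticated",
                                "detail": "Authentication credentials were not provided."})
    return 200, json.dumps({"count": 0, "results": []})


if __name__ == "__main__":
    for name, fake in (("vulnerable", fake_vulnerable), ("patched", fake_patched)):
        print(name, check_jumpserver_session_api("https://jumpserver.internal", fake))
```

The 200-with-JSON-listing requirement matters: a reverse proxy that answers every path with a 200 login page would otherwise be reported as vulnerable.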
SSL Vulnerabilities Detection
This managed action scans your endpoint for SSL vulnerabilities and generates observations. SSL (Secure Sockets Layer) vulnerabilities are weaknesses in the protocol or in its implementations that could compromise the security of data in transit. SSL is the cryptographic protocol that establishes an encrypted connection between a web server and a client, typically a web browser, so that the data exchanged between them is protected from interception and tampering. SSL itself is deprecated and has been superseded by TLS, so in practice these checks exercise the endpoint's TLS configuration; the SSL name is kept for familiarity. In total, 24 SSL checks are made. See the table below for examples of SSL vulnerability detections:
| ID | Name | Description | Severity |
|---|---|---|---|
| insecure-cipher-suite-detect | Insecure Cipher Suite Detection | Weak ciphers are encryption algorithms vulnerable to attack, often because of an insufficient key length. | Low |
| mismatched-ssl-certificate | Mismatched SSL Certificate | A mismatched certificate occurs when the name to which the certificate was issued (its common name or a subject alternative name) does not match the domain name in the URL. This undermines the trust value of the affected website. | Low |
| untrusted-root-certificate | Untrusted Root Certificate - Detection | A root certificate is a digital certificate issued by a trusted certificate authority that acts as the basis for other digital certificates. An untrusted root certificate is one issued by an authority that the client does not trust, so it cannot be used to authenticate websites or other digital certificates. | Low |
| metasploit-c2 | Metasploit C2 - Detection | The Metasploit Framework is a widely used tool that provides a universal interface to vulnerability exploit code, covering web servers, operating systems, network equipment and more, and it serves as both an exploitation and a C2 framework. This check flags an endpoint that presents itself over TLS as a Metasploit C2 listener. | Info |
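The first three table entries are checks you can reproduce with the standard library. Below is an added example, written for this page and not FireTail's own scanner, that audits one host for a weak cipher suite, a name mismatch and an untrusted chain. It assumes OpenSSL cipher-suite naming and uses a substring list of weak markers that is this example's own choice; the hostname-matching and cipher-classification helpers are pure functions, and the constructed sample certificate dict at the bottom has the shape `ssl.SSLSocket.getpeercert()` returns, so those parts run offline.

```python
import socket
import ssl
from typing import List, Tuple

# Substrings of OpenSSL cipher names that the insecure-cipher check treats as weak
# (RC4, single/triple DES, NULL and export-grade suites, MD5 MACs, anonymous DH/ECDH).
# The list is this example's own assumption, not the managed action's.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def is_weak_cipher(name: str, bits: int) -> bool:
    """True for a suite on the weak list or with under 128 bits of key material."""
    upper = name.upper()
    return bits < 128 or any(m in upper for m in WEAK_MARKERS)


def cert_dns_names(cert: dict) -> List[str]:
    """Names a certificate is valid for: DNS SANs, or the CN only when there are no SANs."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(host: str, names: List[str]) -> bool:
    """RFC 6125-style match: case-insensitive exact, or a single leftmost wildcard label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            labels = host.split(".")
            # '*' covers exactly one label: *.example.com matches api.example.com,
            # not a.b.example.com and not example.com itself.
            if len(labels) >= 3 and ".".join(labels[1:]) == name[2:]:
                return True
    return False


def audit_tls(host: str, port: int = 443, timeout: float = 5.0) -> List[Tuple[str, str, str]]:
    """Live checks for the three table entries; returns (id, severity, detail) tuples."""
    findings = []
    # 1. Chain verification with hostname checking turned off, so an untrusted chain and a
    #    name mismatch are reported separately (an expired cert also lands in the first bucket).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            names = cert_dns_names(tls.getpeercert())
            if not hostname_matches(host, names):
                findings.append(("mismatched-ssl-certificate", "Low",
                                 f"{host} not in certificate names {names}"))
    except ssl.SSLCertVerificationError as e:
        findings.append(("untrusted-root-certificate", "Low", e.verify_message))
    # 2. Offer only weak suites. TLS 1.3 suites are fixed and all strong, so the probe is
    #    capped at TLS 1.2; otherwise a 1.3 server would accept and skew the result.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    weak.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        weak.set_ciphers("RC4:DES:3DES:NULL:EXPORT:MD5:aNULL:@SECLEVEL=0")
    except ssl.SSLError:
        return findings   # local OpenSSL ships none of these suites; cannot probe
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                weak.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            if is_weak_cipher(name, bits):
                findings.append(("insecure-cipher-suite-detect", "Low",
                                 f"server negotiated {name} ({bits}-bit)"))
    except (ssl.SSLError, OSError):
        pass   # handshake refused: server accepts none of the offered suites
    return findings


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for item in audit_tls(sys.argv[1]):
            print(*item)
    else:
        print(hostname_matches("api.example.com", cert_dns_names(SAMPLE_CERT)))
```

Run it with a hostname argument for a live audit. Note the cap at TLS 1.2 in the weak-suite probe: without it a TLS 1.3 server would complete the handshake with one of its fixed strong suites and the result would be misread as a weak-cipher finding.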
Data Exposure Detection
This managed action scans your endpoint for data exposure, that is, publicly reachable files and documents that reveal configuration, credentials or the structure of the API, and generates observations. In total, 467 data exposure checks are made. See the table below for examples of data exposure detections:
| ID | Name | Description | Severity |
|---|---|---|---|
| aws-config | AWS Configuration - Detection | An AWS CLI configuration file was found at /.aws/config. | Medium |
| aws-credentials | AWS Credentials - Detection | An AWS credentials file was found at the /.aws/credentials endpoint. | High |
| openapi | OpenAPI - Detection | An OpenAPI specification document was detected. | Info |
| swagger-api | Public Swagger API - Detection | A publicly accessible Swagger API specification was detected. | Info |
| access-log-file | Publicly accessible access-log file | A web server access-log file is publicly readable. | Low |
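A data-exposure check is a path probe plus a content check; the content check is what keeps soft-404 pages and WAF block pages (which answer 200 for any path) from being reported. The following is an added example, written for this page rather than taken from FireTail's managed action, covering the five table entries. The two /.aws/ paths come from the table; /openapi.json, /swagger.json and /access.log are common locations assumed for the example, and the sample bodies at the bottom are constructed (the AWS values are the placeholders from AWS's own documentation, not real keys).

```python
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Paths probed and the check each one feeds. /.aws/config and /.aws/credentials come from
# the table above; the other three are common locations assumed for this example.
PROBES = {
    "/.aws/config": "aws-config",
    "/.aws/credentials": "aws-credentials",
    "/openapi.json": "openapi",
    "/swagger.json": "swagger-api",
    "/access.log": "access-log-file",
}
SEVERITY = {"aws-config": "Medium", "aws-credentials": "High", "openapi": "Info",
            "swagger-api": "Info", "access-log-file": "Low"}

AWS_KEY_ID = re.compile(r"aws_access_key_id\s*=\s*(?:AKIA|ASIA)[0-9A-Z]{16}\b", re.I)
AWS_SECRET = re.compile(r"aws_secret_access_key\s*=\s*[A-Za-z0-9/+]{40}\b", re.I)
AWS_PROFILE = re.compile(r"^\[(?:default|profile [^\]]+)\]\s*$", re.M)
AWS_CONFIG_KEY = re.compile(r"^\s*(?:region|output)\s*=", re.M)
# Common/combined log format: client ident user [timestamp] "METHOD path HTTP/x.y" status ...
COMBINED_LOG = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/\d\.\d" \d{3} ', re.M)


def finding(check_id: str, detail: str) -> dict:
    return {"id": check_id, "severity": SEVERITY[check_id], "detail": detail}


def classify(check_id: str, status: int, body: str) -> Optional[dict]:
    """Report only when the body proves the exposure. A 200 alone is not evidence:
    soft-404 pages, WAF block pages and SPA shells all answer 200 for any path."""
    if status != 200:
        return None
    if check_id == "aws-credentials":
        if AWS_KEY_ID.search(body) or AWS_SECRET.search(body):
            return finding(check_id, "AWS access key material in /.aws/credentials")
    elif check_id == "aws-config":
        if AWS_PROFILE.search(body) and AWS_CONFIG_KEY.search(body):
            return finding(check_id, "AWS CLI profile configuration in /.aws/config")
    elif check_id in ("openapi", "swagger-api"):
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        key = "openapi" if check_id == "openapi" else "swagger"   # OpenAPI 3.x vs Swagger 2.0
        if isinstance(doc, dict) and isinstance(doc.get(key), str):
            return finding(check_id, f"{key} {doc[key]} specification with {len(doc.get('paths', {}))} paths")
    elif check_id == "access-log-file":
        if COMBINED_LOG.search(body):
            return finding(check_id, "web server access log in common/combined log format")
    return None


def probe(base_url: str, timeout: float = 5.0) -> list:
    """Live probe: fetch each path and classify the response (not used by the offline samples)."""
    findings = []
    for path, check_id in PROBES.items():
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "data-exposure-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            status, body = e.code, ""
        except (urllib.error.URLError, OSError):
            continue
        f = classify(check_id, status, body)
        if f:
            findings.append(f)
    return findings


# Constructed sample bodies. The AWS values are the placeholders from AWS's own documentation.
SAMPLE_CREDENTIALS = ("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                      "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
SAMPLE_CONFIG = "[default]\nregion = eu-west-1\noutput = json\n"
SAMPLE_OPENAPI = '{"openapi": "3.0.3", "info": {"title": "orders"}, "paths": {"/users": {}, "/orders": {}}}'
SAMPLE_LOG = '10.0.0.7 - - [12/Mar/2024:10:15:32 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/8.4.0"\n'
SOFT_404 = "<html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    for cid, body in (("aws-credentials", SAMPLE_CREDENTIALS), ("aws-config", SAMPLE_CONFIG),
                      ("openapi", SAMPLE_OPENAPI), ("access-log-file", SAMPLE_LOG),
                      ("aws-credentials", SOFT_404)):
        print(cid, classify(cid, 200, body))
```

`probe()` caps the body it reads at 64 KiB; a multi-gigabyte access log answered with 200 would otherwise be downloaded in full just to confirm a Low finding.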
Default Login Detection
This managed action will scan your endpoint to see if you are hosting any services using default login credentials and generate observations. In total, 173 default login checks are made. See the table below for some examples of default login detections:
| ID | Name | Description | Severity |
|---|---|---|---|
| rancher-default-login | Rancher Default Login | Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes. | High |
| solarwinds-default-admin | SolarWinds Orion Default Login | SolarWinds Orion default admin credentials were discovered. | High |
| elasticsearch-default-login | ElasticSearch - Default Login | Elasticsearch default credentials were discovered. | High |
| gitlab-weak-login | Gitlab Default Login | Gitlab default login credentials were discovered. | High |
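A default-login check is more than trying a list of pairs: it must first confirm the service actually enforces authentication (a 401 without credentials) and that it rejects an arbitrary credential, otherwise an endpoint that accepts anything, or one with no authentication at all, would be mis-reported as "default credentials". Below is an added example, written for this page and not FireTail's managed action, of that logic for an HTTP Basic-authenticated service; the Elasticsearch-style candidate pairs are illustrative assumptions (the managed action's own list is not on the page), and the fake servers at the bottom are constructed so the check runs offline.

```python
import base64
from typing import Callable, Dict, Tuple

# send(method, path, headers) -> (status, body); injected so the check runs offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

# Illustrative candidate pairs for this example; the managed action's own list is not on the page.
ELASTIC_DEFAULTS = [("elastic", "changeme"), ("admin", "admin"), ("elastic", "elastic")]

# Deliberately improbable pair: if the service accepts this, it is not checking credentials.
CANARY = ("canary-user-5e1b", "canary-pass-5e1b")


def basic_auth(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_default_login(check_id: str, path: str, candidates, send: Transport) -> dict:
    """Report a default-credential finding only when the service enforces auth
    and accepts one of the candidate pairs."""
    result = {"id": check_id, "found": False, "credential": None}
    status, _ = send("GET", path, {})
    if status != 401:
        # 200: open without auth (a different problem); 404/other: service not at this path.
        result["note"] = f"no auth challenge on {path} (status {status}); check not applicable"
        return result
    status, _ = send("GET", path, basic_auth(*CANARY))
    if status == 200:
        result["note"] = "any credential is accepted; authentication is not enforced, not a default-login case"
        return result
    for user, password in candidates:
        status, _ = send("GET", path, basic_auth(user, password))
        if status == 200:
            result.update(found=True, severity="High", credential=(user, password),
                          note=f"{user}:{password} accepted on {path}")
            return result
    result["note"] = "auth enforced and no candidate accepted"
    return result


# Constructed fakes: an Elasticsearch-like node still on the default password, one that
# accepts any credential, and one with no authentication configured.
def _expected(user, password):
    return basic_auth(user, password)["Authorization"]


def fake_default_creds(method, path, headers):
    if headers.get("Authorization") == _expected("elastic", "changeme"):
        return 200, '{"cluster_name": "es-prod"}'
    return 401, '{"error": "unauthorized"}'


def fake_accepts_anything(method, path, headers):
    return (200, '{"cluster_name": "es-prod"}') if "Authorization" in headers else (401, "")


def fake_no_auth(method, path, headers):
    return 200, '{"cluster_name": "es-prod"}'


if __name__ == "__main__":
    for name, fake in (("default creds", fake_default_creds),
                       ("accepts anything", fake_accepts_anything), ("no auth", fake_no_auth)):
        print(name, check_default_login("elasticsearch-default-login", "/", ELASTIC_DEFAULTS, fake))
```

Services with form or JSON logins (Rancher, GitLab) need a different request per product, but the same three-step structure applies: confirm the challenge, reject the canary, then try the candidates and stop at the first acceptance.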
Fuzzing Detection
This managed action fuzzes your endpoint and generates observations.
Fuzzing an endpoint means sending a large volume of invalid, unexpected or random inputs to it in order to surface vulnerabilities, crashes or unexpected behaviour. The technique uncovers flaws such as buffer overflows, injection vulnerabilities and parsing errors that traditional testing may not reveal. In total, 11 fuzzing checks are made. See the table below for some examples:
| ID | Name | Description | Severity |
|---|---|---|---|
| cache-poisoning-fuzz | Cache Poison Fuzzing | Cache poisoning manipulates a cache (a shared web cache or the client-side cache) so that clients are served resources that are unexpected, partial or under the control of an attacker. | Info |
| xff-403-bypass | X-Forwarded-For 403-forbidden bypass | Detects an endpoint that answers 403 Forbidden behind an Nginx/Apache proxy or load balancer but can be reached by supplying an X-Forwarded-For header. | Info |
| linux-lfi-fuzzing | Linux - Local File Inclusion Fuzzing | Parameters of the passed URLs are fuzzed with /etc/passwd path-traversal payloads; a response that returns the file's contents indicates a local file inclusion vulnerability. | High |
| header-command-injection | Header - Remote Command Injection | Headers were tested for remote command injection vulnerabilities. | |