
Cortex Attack Surface Management

This integration is part of the Cortex Attack Surface Management Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Integration to pull assets and other ASM-related information. This integration was integrated and tested with version 1.2.0 of Cortex Attack Surface Management.

Configure Cortex Attack Surface Management#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cortex Attack Surface Management.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | Server URL | The web UI URL with `api-` prepended to the hostname (e.g., https://api-xsiam.paloaltonetworks.com). For more information, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis. | True |
     | API Key ID | For more information, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis. Only a standard API key type is supported. | True |
     | API Key |  | True |
     | Trust any certificate (not secure) |  | False |
     | Use system proxy settings |  | False |

  4. Click Test to validate the URLs, token, and connection.
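Outside XSOAR, the same three connection details are all that is needed to script against the API, and the details above are easy to get wrong (a web UI URL pasted where the `api-` URL belongs, or the key and key ID swapped). The Python helpers below are an added example, not code from the integration or from Palo Alto Networks: they derive the API server URL from the web UI URL as the Server URL parameter describes, assemble the request headers for a standard API key, and build the paging envelope so a caller never asks for more than the 100-record maximum that the list commands document. The header names (`x-xdr-auth-id`, `Authorization`) follow the Cortex XDR API guide linked in the table; the `request_data`/`filters` envelope and the `/public_api/v1/assets/get_external_services/` path are assumptions to confirm against that guide, and the key values are placeholders.

```python
"""Helpers for scripting against the Cortex ASM API outside XSOAR.

Added example, not the integration's own code. Names marked "assumption"
must be checked against the Cortex XDR API guide linked in the README.
"""
from urllib.parse import urlsplit, urlunsplit

MAX_RESULTS = 100  # the README's stated cap for the list commands

# Assumption: endpoint path of the list-external-services API.
EXTERNAL_SERVICES_PATH = "/public_api/v1/assets/get_external_services/"


def api_base_url(web_ui_url: str) -> str:
    """Derive the Server URL parameter from the tenant's web UI URL.

    The README says the API host is the web UI host with 'api-' prepended,
    e.g. https://xsiam.paloaltonetworks.com -> https://api-xsiam.paloaltonetworks.com.
    Plain http:// is rejected: the API key travels in a request header.
    """
    parts = urlsplit(web_ui_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https:// URL, got {web_ui_url!r}")
    host = parts.netloc.lower()
    if not host.startswith("api-"):
        host = "api-" + host
    # Drop any path/query the user pasted along with the hostname.
    return urlunsplit(("https", host, "", "", ""))


def standard_key_headers(api_key_id: str, api_key: str) -> dict:
    """Headers for a *standard* API key, the only key type the integration supports.

    Assumption: header names per the linked Cortex XDR API guide. Advanced keys
    use a nonce/timestamp/hash scheme and are deliberately not handled here.
    """
    if not api_key_id or not api_key:
        raise ValueError("both the API key ID and the API key are required")
    return {
        "x-xdr-auth-id": api_key_id,
        "Authorization": api_key,
        "Content-Type": "application/json",
    }


def list_request_body(filters, search_from: int = 0, page_size: int = MAX_RESULTS) -> dict:
    """Build the request_data envelope for a list endpoint.

    Assumption: filters are {"field", "operator", "value"} objects under
    request_data.filters, paged with search_from/search_to. The page size is
    clamped to MAX_RESULTS so a caller cannot exceed the documented limit.
    """
    if search_from < 0:
        raise ValueError("search_from must be >= 0")
    page_size = max(1, min(page_size, MAX_RESULTS))
    return {
        "request_data": {
            "filters": [{"field": f, "operator": op, "value": v} for f, op, v in filters],
            "search_from": search_from,
            "search_to": search_from + page_size,
        }
    }


if __name__ == "__main__":
    # Placeholder credentials; never hard-code real ones.
    url = api_base_url("https://xsiam.paloaltonetworks.com") + EXTERNAL_SERVICES_PATH
    headers = standard_key_headers("PLACEHOLDER_KEY_ID", "PLACEHOLDER_API_KEY")
    body = list_request_body([("domain", "contains", "acme.com")], page_size=500)
    print(url, headers["x-xdr-auth-id"], body["request_data"]["search_to"])
```

The request is deliberately not sent here; pass `url`, `headers` and `json=body` to your HTTP client of choice, with certificate verification left on, which is what the "Trust any certificate (not secure)" toggle above would disable.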

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

asm-list-external-service#


Get a list of all your external services filtered by business units, externally detected providers, domain, externally inferred CVEs, active classifications, inactive classifications, service name, service type, protocol, IP address, is active, and discovery type. Maximum result limit is 100 assets.

Base Command#

asm-list-external-service

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | IP address on which to search. | Optional |
| domain | Domain on which to search. | Optional |
| is_active | Whether the service is active. Possible values are: yes, no. | Optional |
| discovery_type | How the service was discovered. Possible values are: colocated_on_ip, directly_discovery, unknown. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.ExternalService.service_id | String | External service UUID. |
| ASM.ExternalService.service_name | String | Name of the external service. |
| ASM.ExternalService.service_type | String | Type of the external service. |
| ASM.ExternalService.ip_address | String | IP address of the external service. |
| ASM.ExternalService.externally_detected_providers | String | Providers of an external service. |
| ASM.ExternalService.is_active | String | Whether the external service is active. |
| ASM.ExternalService.first_observed | Date | Date of the first observation of the external service. |
| ASM.ExternalService.last_observed | Date | Date of the last observation of the external service. |
| ASM.ExternalService.port | Number | Port number of the external service. |
| ASM.ExternalService.protocol | String | Protocol number of the external service. |
| ASM.ExternalService.inactive_classifications | String | External service classifications that are no longer active. |
| ASM.ExternalService.discovery_type | String | How the external service was discovered. |
| ASM.ExternalService.business_units | String | External service associated business units. |
| ASM.ExternalService.externally_inferred_vulnerability_score | Unknown | External service vulnerability score. |

Command example#

!asm-list-external-service domain=acme.com is_active=yes discovery_type=directly_discovery

Context Example#

{
"ASM": {
"ExternalService": [
{
"active_classifications": [
"HttpServer",
"MicrosoftOWAServer",
"ServerSoftware",
"MicrosoftIisWebServer",
"ApplicationServerSoftware"
],
"business_units": [
"Acme",
"VanDelay Industries"
],
"discovery_type": "DirectlyDiscovered",
"domain": [
"autodiscover.acme.com"
],
"externally_detected_providers": [
"Microsoft Azure"
],
"externally_inferred_cves": [],
"externally_inferred_vulnerability_score": null,
"first_observed": 1659395040000,
"inactive_classifications": [],
"ip_address": [
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1"
],
"is_active": "Active",
"last_observed": 1663024320000,
"port": 80,
"protocol": "TCP",
"service_id": "4c755fea-59e8-3719-8829-9f6adde65068",
"service_name": "HTTP Server at autodiscover.acme.com:80",
"service_type": "HttpServer"
},
{
"active_classifications": [
"HttpServer",
"ServerSoftware"
],
"business_units": [
"Acme",
"VanDelay Industries"
],
"discovery_type": "DirectlyDiscovered",
"domain": [
"web.acme.com"
],
"externally_detected_providers": [
"Amazon Web Services"
],
"externally_inferred_cves": [],
"externally_inferred_vulnerability_score": null,
"first_observed": 1659396480000,
"inactive_classifications": [],
"ip_address": [
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1"
],
"is_active": "Active",
"last_observed": 1663029060000,
"port": 80,
"protocol": "TCP",
"service_id": "32c85ab1-fc98-3061-a813-2fe5daf7e7c5",
"service_name": "HTTP Server at web.acme.com:80",
"service_type": "HttpServer"
}
]
}
}

Human Readable Output#

External Services#

| Active Classifications | Business Units | Discovery Type | Domain | Externally Detected Providers | First Observed | Ip Address | Is Active | Last Observed | Port | Protocol | Service Id | Service Name | Service Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| HttpServer, MicrosoftOWAServer, ServerSoftware, MicrosoftIisWebServer, ApplicationServerSoftware | Acme, VanDelay Industries | DirectlyDiscovered | autodiscover.acme.com | Microsoft Azure | 1659395040000 | 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1 | Active | 1663024320000 | 80 | TCP | 4c755fea-59e8-3719-8829-9f6adde65068 | HTTP Server at autodiscover.acme.com:80 | HttpServer |
| HttpServer, ServerSoftware | Acme, VanDelay Industries | DirectlyDiscovered | web.acme.com | Amazon Web Services | 1659396480000 | 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1, 1.1.1.1 | Active | 1663029060000 | 80 | TCP | 32c85ab1-fc98-3061-a813-2fe5daf7e7c5 | HTTP Server at web.acme.com:80 | HttpServer |

asm-get-external-service#


Get service details according to the service ID.

Base Command#

asm-get-external-service

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| service_id | A string representing the service ID you want to get details for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.ExternalService.service_id | String | External service UUID. |
| ASM.ExternalService.service_name | String | Name of the external service. |
| ASM.ExternalService.service_type | String | Type of the external service. |
| ASM.ExternalService.ip_address | String | IP address of the external service. |
| ASM.ExternalService.externally_detected_providers | String | Providers of the external service. |
| ASM.ExternalService.is_active | String | Whether the external service is active. |
| ASM.ExternalService.first_observed | Date | Date of the first observation of the external service. |
| ASM.ExternalService.last_observed | Date | Date of the last observation of the external service. |
| ASM.ExternalService.port | Number | Port number of the external service. |
| ASM.ExternalService.protocol | String | Protocol of the external service. |
| ASM.ExternalService.inactive_classifications | String | External service classifications that are no longer active. |
| ASM.ExternalService.discovery_type | String | How the external service was discovered. |
| ASM.ExternalService.business_units | String | External service associated business units. |
| ASM.ExternalService.externally_inferred_vulnerability_score | Unknown | External service vulnerability score. |
| ASM.ExternalService.details | String | Additional details. |

Command example#

!asm-get-external-service service_id=94232f8a-f001-3292-aa65-63fa9d981427

Context Example#

{
"ASM": {
"ExternalService": {
"active_classifications": [
"SSHWeakMACAlgorithmsEnabled",
"SshServer",
"OpenSSH"
],
"business_units": [
"Acme"
],
"details": {
"businessUnits": [
{
"name": "Acme"
}
],
"certificates": [],
"classifications": [
{
"activityStatus": "Active",
"firstObserved": 1662774120000,
"lastObserved": 1663026480000,
"name": "SshServer",
"values": [
{
"firstObserved": 1662774169000,
"jsonValue": "{\"version\":\"2.0\",\"serverVersion\":\"OpenSSH_7.6p1\",\"extraInfo\":\"Ubuntu-4ubuntu0.7\"}",
"lastObserved": 1663026500000
}
]
},
{
"activityStatus": "Active",
"firstObserved": 1662774120000,
"lastObserved": 1663026480000,
"name": "SSHWeakMACAlgorithmsEnabled",
"values": [
{
"firstObserved": 1662774169000,
"jsonValue": "{}",
"lastObserved": 1663026500000
}
]
},
{
"activityStatus": "Active",
"firstObserved": 1662774120000,
"lastObserved": 1663026480000,
"name": "OpenSSH",
"values": [
{
"firstObserved": 1662774169000,
"jsonValue": "{\"version\":\"7.6\"}",
"lastObserved": 1663026500000
}
]
}
],
"domains": [],
"enrichedObservationSource": "CLOUD",
"inferredCvesObserved": [
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2020-15778",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "HIGH",
"cvssScoreV2": 6.8,
"cvssScoreV3": 7.8,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2021-41617",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "HIGH",
"cvssScoreV2": 4.4,
"cvssScoreV3": 7,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2019-6110",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 4,
"cvssScoreV3": 6.8,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2019-6109",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 4,
"cvssScoreV3": 6.8,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2020-14145",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 4.3,
"cvssScoreV3": 5.9,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2019-6111",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 5.8,
"cvssScoreV3": 5.9,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2018-20685",
"cveSeverityV2": "LOW",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 2.6,
"cvssScoreV3": 5.3,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2018-15919",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 5,
"cvssScoreV3": 5.3,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2016-20012",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 4.3,
"cvssScoreV3": 5.3,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2018-15473",
"cveSeverityV2": "MEDIUM",
"cveSeverityV3": "MEDIUM",
"cvssScoreV2": 5,
"cvssScoreV3": 5.3,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
},
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"inferredCve": {
"cveId": "CVE-2021-36368",
"cveSeverityV2": "LOW",
"cveSeverityV3": "LOW",
"cvssScoreV2": 2.6,
"cvssScoreV3": 3.7,
"inferredCveMatchMetadata": {
"confidence": "High",
"inferredCveMatchType": "ExactVersionMatch",
"product": "openssh",
"vendor": "openbsd",
"version": "7.6"
}
},
"lastObserved": 1663026500000
}
],
"ip_ranges": {},
"ips": [
{
"activityStatus": "Active",
"firstObserved": 1662774169000,
"geolocation": {
"city": "ASHBURN",
"countryCode": "US",
"latitude": 39.0438,
"longitude": -77.4879,
"regionCode": "VA",
"timeZone": null
},
"ip": 873887795,
"lastObserved": 1663026500000,
"protocol": "TCP",
"provider": "AWS"
}
],
"providerDetails": [
{
"firstObserved": 1662774169000,
"lastObserved": 1663026500000,
"name": "AWS"
}
],
"serviceKey": "1.1.1.1:22",
"serviceKeyType": "IP",
"tlsVersions": []
},
"discovery_type": "ColocatedOnIp",
"domain": [],
"externally_detected_providers": [
"Amazon Web Services"
],
"externally_inferred_cves": [
"CVE-2020-15778",
"CVE-2021-41617",
"CVE-2019-6110",
"CVE-2019-6109",
"CVE-2020-14145",
"CVE-2019-6111",
"CVE-2018-20685",
"CVE-2018-15919",
"CVE-2016-20012",
"CVE-2018-15473",
"CVE-2021-36368"
],
"externally_inferred_vulnerability_score": 7.8,
"first_observed": 1662774120000,
"inactive_classifications": [],
"ip_address": [
"1.1.1.1"
],
"is_active": "Active",
"last_observed": 1663026480000,
"port": 22,
"protocol": "TCP",
"service_id": "94232f8a-f001-3292-aa65-63fa9d981427",
"service_name": "SSH Server at 1.1.1.1:22",
"service_type": "SshServer"
}
}
}

Human Readable Output#

External Service#

| Field | Value |
| --- | --- |
| Active Classifications | SSHWeakMACAlgorithmsEnabled, SshServer, OpenSSH |
| Business Units | Acme |
| Details | serviceKey: 1.1.1.1:22 |
|  | serviceKeyType: IP |
|  | businessUnits: {'name': 'Acme'} |
|  | providerDetails: {'name': 'AWS', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000} |
|  | certificates: |
|  | domains: |
|  | ips: {'ip': 873887795, 'protocol': 'TCP', 'provider': 'AWS', 'geolocation': {'latitude': 39.0438, 'longitude': -77.4879, 'countryCode': 'US', 'city': 'ASHBURN', 'regionCode': 'VA', 'timeZone': None}, 'activityStatus': 'Active', 'lastObserved': 1663026500000, 'firstObserved': 1662774169000} |
|  | classifications: {'name': 'SshServer', 'activityStatus': 'Active', 'values': [{'jsonValue': '{"version":"2.0","serverVersion":"OpenSSH_7.6p1","extraInfo":"Ubuntu-4ubuntu0.7"}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000}, |
|  | {'name': 'SSHWeakMACAlgorithmsEnabled', 'activityStatus': 'Active', 'values': [{'jsonValue': '{}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000}, |
|  | {'name': 'OpenSSH', 'activityStatus': 'Active', 'values': [{'jsonValue': '{"version":"7.6"}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000} |
|  | tlsVersions: |
|  | inferredCvesObserved: {'inferredCve': {'cveId': 'CVE-2020-15778', 'cvssScoreV2': 6.8, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 7.8, 'cveSeverityV3': 'HIGH', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2021-41617', 'cvssScoreV2': 4.4, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 7.0, 'cveSeverityV3': 'HIGH', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2019-6110', 'cvssScoreV2': 4.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 6.8, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2019-6109', 'cvssScoreV2': 4.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 6.8, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2020-14145', 'cvssScoreV2': 4.3, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.9, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2019-6111', 'cvssScoreV2': 5.8, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.9, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2018-20685', 'cvssScoreV2': 2.6, 'cveSeverityV2': 'LOW', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2018-15919', 'cvssScoreV2': 5.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2016-20012', 'cvssScoreV2': 4.3, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2018-15473', 'cvssScoreV2': 5.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}, |
|  | {'inferredCve': {'cveId': 'CVE-2021-36368', 'cvssScoreV2': 2.6, 'cveSeverityV2': 'LOW', 'cvssScoreV3': 3.7, 'cveSeverityV3': 'LOW', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000} |
|  | enrichedObservationSource: CLOUD |
|  | ip_ranges: {} |
| Discovery Type | ColocatedOnIp |
| Externally Detected Providers | Amazon Web Services |
| Externally Inferred Cves | CVE-2020-15778, CVE-2021-41617, CVE-2019-6110, CVE-2019-6109, CVE-2020-14145, CVE-2019-6111, CVE-2018-20685, CVE-2018-15919, CVE-2016-20012, CVE-2018-15473, CVE-2021-36368 |
| Externally Inferred Vulnerability Score | 7.8 |
| First Observed | 1662774120000 |
| Ip Address | 1.1.1.1 |
| Is Active | Active |
| Last Observed | 1663026480000 |
| Port | 22 |
| Protocol | TCP |
| Service Id | 94232f8a-f001-3292-aa65-63fa9d981427 |
| Service Name | SSH Server at 1.1.1.1:22 |
| Service Type | SshServer |
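A playbook step normally has to turn a record like the one above into a decision, and the raw context is not quite ready for that: timestamps are epoch milliseconds, `details.ips[].ip` is a 32-bit integer rather than a dotted quad, and the flat `externally_inferred_vulnerability_score` hides which CVE produced it. The Python below is an added example, not the integration's code. It normalises those fields, summarises the inferred CVEs by CVSS v3 severity, checks that the reported score equals the highest inferred CVSS v3 (7.8 in the sample), and flags hardening-gap classifications such as `SSHWeakMACAlgorithmsEnabled`. `SAMPLE_SERVICE` is a constructed abridgement of the context example above (CVE IDs, scores, classifications and timestamps as shown, other fields dropped); the `MISCONFIG_CLASSIFICATIONS` set and the escalation threshold are illustrative assumptions, not values from the product.

```python
"""Triage an ASM.ExternalService record from asm-get-external-service.

Added example, not the integration's own code. SAMPLE_SERVICE is a constructed
abridgement of the README's context example.
"""
from datetime import datetime, timezone
import ipaddress

SAMPLE_SERVICE = {
    "service_id": "94232f8a-f001-3292-aa65-63fa9d981427",
    "service_name": "SSH Server at 1.1.1.1:22",
    "active_classifications": ["SSHWeakMACAlgorithmsEnabled", "SshServer", "OpenSSH"],
    "externally_inferred_vulnerability_score": 7.8,
    "first_observed": 1662774120000,
    "last_observed": 1663026480000,
    "details": {
        "ips": [{"ip": 873887795, "protocol": "TCP", "provider": "AWS"}],
        "inferredCvesObserved": [
            {"inferredCve": {"cveId": "CVE-2020-15778", "cvssScoreV3": 7.8, "cveSeverityV3": "HIGH"}},
            {"inferredCve": {"cveId": "CVE-2021-41617", "cvssScoreV3": 7, "cveSeverityV3": "HIGH"}},
            {"inferredCve": {"cveId": "CVE-2019-6110", "cvssScoreV3": 6.8, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2019-6109", "cvssScoreV3": 6.8, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2020-14145", "cvssScoreV3": 5.9, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2019-6111", "cvssScoreV3": 5.9, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2018-20685", "cvssScoreV3": 5.3, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2018-15919", "cvssScoreV3": 5.3, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2016-20012", "cvssScoreV3": 5.3, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2018-15473", "cvssScoreV3": 5.3, "cveSeverityV3": "MEDIUM"}},
            {"inferredCve": {"cveId": "CVE-2021-36368", "cvssScoreV3": 3.7, "cveSeverityV3": "LOW"}},
        ],
    },
}

# Assumption: classifications that describe a hardening gap rather than a
# fingerprint. Only the one present in the README sample is listed.
MISCONFIG_CLASSIFICATIONS = {"SSHWeakMACAlgorithmsEnabled"}
ESCALATE_AT_CVSS = 7.0  # assumption: CVSS v3 "High" lower bound


def epoch_ms_to_iso(ms: int) -> str:
    """ASM timestamps are epoch milliseconds; render them as ISO 8601 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def int_to_ip(n: int) -> str:
    """details.ips[].ip is an unsigned 32-bit integer, not a dotted quad."""
    return str(ipaddress.IPv4Address(n))


def triage(service: dict) -> dict:
    """Summarise one ASM.ExternalService record for a playbook decision."""
    details = service.get("details") or {}
    cves = [e["inferredCve"] for e in details.get("inferredCvesObserved", [])]
    by_severity: dict = {}
    for cve in cves:
        sev = cve["cveSeverityV3"]
        by_severity[sev] = by_severity.get(sev, 0) + 1
    max_v3 = max((float(c["cvssScoreV3"]) for c in cves), default=0.0)
    reported = service.get("externally_inferred_vulnerability_score")
    misconfigs = sorted(MISCONFIG_CLASSIFICATIONS & set(service.get("active_classifications", [])))
    return {
        "service_id": service["service_id"],
        "resolved_ips": [int_to_ip(i["ip"]) for i in details.get("ips", [])],
        "first_observed": epoch_ms_to_iso(service["first_observed"]),
        "last_observed": epoch_ms_to_iso(service["last_observed"]),
        "cve_count": len(cves),
        "cves_by_severity": by_severity,
        "max_cvss_v3": max_v3,
        # The flat score should equal the highest inferred CVSS v3; a mismatch
        # means the summary and the details disagree and the record is stale.
        "score_consistent": reported is not None and abs(float(reported) - max_v3) < 1e-9,
        "misconfigurations": misconfigs,
        "escalate": max_v3 >= ESCALATE_AT_CVSS or bool(misconfigs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICE).items():
        print(f"{key}: {value}")
```

The same function copes with the thinner records returned by `asm-list-external-service`, which carry no `details` and a `null` score: the CVE summary comes back empty and `score_consistent` is false, so a playbook knows it has to call `asm-get-external-service` before deciding.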

asm-list-external-ip-address-range#


Get a list of all your internet-exposed IP address ranges, filtered by business units and organization handles. The maximum result limit is 100 ranges.

Base Command#

asm-list-external-ip-address-range

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.ExternalIpAddressRange.range_id | String | External IP address range UUID. |
| ASM.ExternalIpAddressRange.first_ip | String | First IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.last_ip | String | Last IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.ips_count | Number | Number of IP addresses of the external IP address range. |
| ASM.ExternalIpAddressRange.active_responsive_ips_count | Number | The number of IPs in the external address range that are actively responsive. |
| ASM.ExternalIpAddressRange.date_added | Date | Date the external IP address range was added. |
| ASM.ExternalIpAddressRange.business_units | String | External IP address range associated business units. |
| ASM.ExternalIpAddressRange.organization_handles | String | External IP address range associated organization handles. |

Command example#

!asm-list-external-ip-address-range

Context Example#

{
"ASM": {
"ExternalIpAddressRange": [
{
"active_responsive_ips_count": 0,
"business_units": [
"VanDelay Industries"
],
"date_added": 1663031000145,
"first_ip": "1.1.1.1",
"ips_count": 64,
"last_ip": "1.1.1.1",
"organization_handles": [
"MAINT-HK-PCCW-BIA-CS",
"BNA2-AP",
"TA66-AP"
],
"range_id": "4da29b7f-3086-3b52-981b-aa8ee5da1e60"
},
{
"active_responsive_ips_count": 0,
"business_units": [
"VanDelay Industries"
],
"date_added": 1663031000144,
"first_ip": "1.1.1.1",
"ips_count": 16,
"last_ip": "1.1.1.1",
"organization_handles": [
"AR17615-RIPE",
"EASYNET-UK-MNT",
"JW372-RIPE",
"EH92-RIPE"
],
"range_id": "6ef4638e-7788-3ef5-98a5-ad5b7f4e02f5"
}
]
}
}

Human Readable Output#

External IP Address Ranges#

| Active Responsive Ips Count | Business Units | Date Added | First Ip | Ips Count | Last Ip | Organization Handles | Range Id |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | VanDelay Industries | 1663031000145 | 1.1.1.1 | 64 | 1.1.1.1 | MAINT-HK-PCCW-BIA-CS, BNA2-AP, TA66-AP | 4da29b7f-3086-3b52-981b-aa8ee5da1e60 |
| 0 | VanDelay Industries | 1663031000144 | 1.1.1.1 | 16 | 1.1.1.1 | AR17615-RIPE, EASYNET-UK-MNT, JW372-RIPE, EH92-RIPE | 6ef4638e-7788-3ef5-98a5-ad5b7f4e02f5 |

asm-get-external-ip-address-range#


Get the external IP address range details according to the range IDs.

Base Command#

asm-get-external-ip-address-range

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| range_id | A string representing the range ID for which you want to get the details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.ExternalIpAddressRange.range_id | String | External IP address range UUID. |
| ASM.ExternalIpAddressRange.first_ip | String | First IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.last_ip | String | Last IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.ips_count | Number | Number of IP addresses of the external IP address range. |
| ASM.ExternalIpAddressRange.active_responsive_ips_count | Number | The number of IPs in the external address range that are actively responsive. |
| ASM.ExternalIpAddressRange.date_added | Date | Date the external IP address range was added. |
| ASM.ExternalIpAddressRange.business_units | String | External IP address range associated business units. |
| ASM.ExternalIpAddressRange.organization_handles | String | External IP address range associated organization handles. |
| ASM.ExternalIpAddressRange.details | String | Additional information. |

Command example#

!asm-get-external-ip-address-range range_id=4da29b7f-3086-3b52-981b-aa8ee5da1e60

Context Example#

{
"ASM": {
"ExternalIpAddressRange": {
"active_responsive_ips_count": 0,
"business_units": [
"VanDelay Industries"
],
"date_added": 1663031000145,
"details": {
"networkRecords": [
{
"firstIp": "1.1.1.1",
"handle": "1.1.1.1 - 1.1.1.1",
"lastChanged": 1663030241931,
"lastIp": "1.1.1.1",
"name": "SEARS-HK",
"organizationRecords": [
{
"address": "",
"dateAdded": 1663029346957,
"email": "noc@acme.com",
"firstRegistered": null,
"formattedName": "",
"handle": "MAINT-HK-PCCW-BIA-CS",
"kind": "group",
"lastChanged": null,
"org": "",
"phone": "",
"remarks": "",
"roles": [
"registrant"
]
},
{
"address": "27/F, PCCW Tower, Taikoo Place,\n979 King's Road, Quarry Bay, HK ",
"dateAdded": 1663029346957,
"email": "cs@acme.com",
"firstRegistered": 1220514857000,
"formattedName": "BIZ NETVIGATOR ADMINISTRATORS",
"handle": "BNA2-AP",
"kind": "group",
"lastChanged": 1514892767000,
"org": "",
"phone": "+852-2888-6932",
"remarks": "",
"roles": [
"administrative"
]
},
{
"address": "HKT Limited\nPO Box 9896 GPO ",
"dateAdded": 1663029346957,
"email": "noc@acme.com",
"firstRegistered": 1220514856000,
"formattedName": "TECHNICAL ADMINISTRATORS",
"handle": "TA66-AP",
"kind": "group",
"lastChanged": 1468555410000,
"org": "",
"phone": "+852-2883-5151",
"remarks": "",
"roles": [
"technical"
]
}
],
"remarks": "Sears Holdings Global Sourcing Ltd",
"whoIsServer": "whois.apnic.net"
}
]
},
"first_ip": "1.1.1.1",
"ips_count": 64,
"last_ip": "1.1.1.1",
"organization_handles": [
"MAINT-HK-PCCW-BIA-CS",
"BNA2-AP",
"TA66-AP"
],
"range_id": "4da29b7f-3086-3b52-981b-aa8ee5da1e60"
}
}
}

Human Readable Output#

External IP Address Range#

| Field | Value |
| --- | --- |
| Active Responsive Ips Count | 0 |
| Business Units | VanDelay Industries |
| Date Added | 1663031000145 |
| Details | networkRecords: {'handle': '1.1.1.1 - 1.1.1.1', 'firstIp': '1.1.1.1', 'lastIp': '1.1.1.1', 'name': 'SEARS-HK', 'whoIsServer': 'whois.apnic.net', 'lastChanged': 1663030241931, 'organizationRecords': [{'handle': 'MAINT-HK-PCCW-BIA-CS', 'dateAdded': 1663029346957, 'address': '', 'email': 'noc@acme.com', 'phone': '', 'org': '', 'formattedName': '', 'kind': 'group', 'roles': ['registrant'], 'lastChanged': None, 'firstRegistered': None, 'remarks': ''}, {'handle': 'BNA2-AP', 'dateAdded': 1663029346957, 'address': "27/F, PCCW Tower, Taikoo Place,\n979 King's Road, Quarry Bay, HK ", 'email': 'cs@acme.com', 'phone': '+852-2888-6932', 'org': '', 'formattedName': 'BIZ NETVIGATOR ADMINISTRATORS', 'kind': 'group', 'roles': ['administrative'], 'lastChanged': 1514892767000, 'firstRegistered': 1220514857000, 'remarks': ''}, {'handle': 'TA66-AP', 'dateAdded': 1663029346957, 'address': 'HKT Limited\nPO Box 9896 GPO ', 'email': 'noc@acme.com', 'phone': '+852-2883-5151', 'org': '', 'formattedName': 'TECHNICAL ADMINISTRATORS', 'kind': 'group', 'roles': ['technical'], 'lastChanged': 1468555410000, 'firstRegistered': 1220514856000, 'remarks': ''}], 'remarks': 'Sears Holdings Global Sourcing Ltd'} |
| First Ip | 1.1.1.1 |
| Ips Count | 64 |
| Last Ip | 1.1.1.1 |
| Organization Handles | MAINT-HK-PCCW-BIA-CS, BNA2-AP, TA66-AP |
| Range Id | 4da29b7f-3086-3b52-981b-aa8ee5da1e60 |

asm-list-asset-internet-exposure#


Get a list of all your internet exposures, filtered by IP address, domain, type, ASM ID, IPv6 address, AWS/GCP/Azure tags, has XDR agent, externally detected providers, externally inferred CVEs, business units list, has BU overrides, and/or whether there is an active external service. The maximum result limit is 100 assets.

Base Command#

asm-list-asset-internet-exposure

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip_address | IP address on which to search. | Optional |
| name | Name of the asset on which to search. | Optional |
| type | Type of the external service. Possible values are: certificate, cloud_compute_instance, on_prem, domain, unassociated_responsive_ip. | Optional |
| has_active_external_services | Whether the internet exposure has an active external service. Possible values are: yes, no. | Optional |
| asm_id_list | List of ASM IDs. | Optional |
| ipv6_address | IPv6 address on which to search. | Optional |
| gcp_cloud_tags | Search based on GCP cloud tags. | Optional |
| aws_cloud_tags | Search based on AWS cloud tags. | Optional |
| azure_cloud_tags | Search based on Azure cloud tags. | Optional |
| has_xdr_agent | Search based on XDR agent. | Optional |
| externally_detected_providers | Search on externally detected providers. | Optional |
| externally_inferred_cves | Search on externally inferred CVEs. | Optional |
| business_units_list | Search on business units list. | Optional |
| has_bu_overrides | Whether it has BU overrides. Possible values are: True, False. | Optional |
| mac_address | Search based on MAC address. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.AssetInternetExposure.asm_ids | String | Attack surface management UUID. |
| ASM.AssetInternetExposure.name | String | Name of the exposed asset. |
| ASM.AssetInternetExposure.asset_type | String | Type of the exposed asset. |
| ASM.AssetInternetExposure.cloud_provider | Unknown | The cloud provider used to collect these cloud assets as either GCP, AWS, or Azure. |
| ASM.AssetInternetExposure.region | Unknown | Displays the region as provided by the cloud provider. |
| ASM.AssetInternetExposure.last_observed | Unknown | Last time the exposure was observed. |
| ASM.AssetInternetExposure.first_observed | Unknown | First time the exposure was observed. |
| ASM.AssetInternetExposure.has_active_externally_services | Boolean | Whether the internet exposure is associated with an active external service(s). |
| ASM.AssetInternetExposure.has_xdr_agent | String | Whether the internet exposure asset has an XDR agent. |
| ASM.AssetInternetExposure.cloud_id | Unknown | Displays the resource ID as provided from the cloud provider. |
| ASM.AssetInternetExposure.domain_resolves | Boolean | Whether the asset domain is resolvable. |
| ASM.AssetInternetExposure.operation_system | Unknown | The operating system reported by the source for this asset. |
| ASM.AssetInternetExposure.agent_id | Unknown | If there is an endpoint installed on this asset, this is the endpoint ID. |
| ASM.AssetInternetExposure.externally_detected_providers | String | The provider of the asset as determined by an external assessment. |
| ASM.AssetInternetExposure.service_type | String | Type of the asset. |
| ASM.AssetInternetExposure.externally_inferred_cves | String | If the internet exposure has associated CVEs. |
| ASM.AssetInternetExposure.ips | String | IP addresses associated with the internet exposure. |

Command example#

!asm-list-asset-internet-exposure name="acme.com" type=certificate has_active_external_services=no

Context Example#

```json
{
    "ASM": {
        "AssetInternetExposure": [
            {
                "agent_id": null,
                "asm_ids": [
                    "cfa1cd5a-77f1-3963-8557-7f652309a143"
                ],
                "asm_va_score": null,
                "asset_type": "CERTIFICATE",
                "business_units": [
                    "Acme",
                    "VanDelay Industries"
                ],
                "certificate_algorithm": "SHA256withRSA",
                "certificate_classifications": [
                    "LongExpiration",
                    "Wildcard",
                    "Expired"
                ],
                "certificate_issuer": "DigiCert",
                "cloud_id": null,
                "cloud_provider": null,
                "domain_resolves": false,
                "externally_detected_providers": [],
                "externally_inferred_cves": [],
                "first_observed": null,
                "has_active_externally_services": false,
                "has_xdr_agent": "NA",
                "iot_category": null,
                "iot_model": null,
                "iot_profile": null,
                "ip_ranges": [],
                "ips": [],
                "last_observed": null,
                "mac_addresses": [],
                "management_status": [],
                "name": "*.digital-dev.acme.com",
                "operation_system": null,
                "region": null,
                "sensor": [
                    "XPANSE"
                ],
                "service_type": []
            },
            {
                "agent_id": null,
                "asm_ids": [
                    "78a11e94-58a9-329c-99ca-e527d2db6cfb"
                ],
                "asm_va_score": null,
                "asset_type": "CERTIFICATE",
                "business_units": [
                    "Acme",
                    "VanDelay Industries"
                ],
                "certificate_algorithm": "SHA256withRSA",
                "certificate_classifications": [
                    "LongExpiration",
                    "Wildcard",
                    "Expired"
                ],
                "certificate_issuer": "DigiCert",
                "cloud_id": null,
                "cloud_provider": null,
                "domain_resolves": false,
                "externally_detected_providers": [],
                "externally_inferred_cves": [],
                "first_observed": null,
                "has_active_externally_services": false,
                "has_xdr_agent": "NA",
                "iot_category": null,
                "iot_model": null,
                "iot_profile": null,
                "ip_ranges": [],
                "ips": [],
                "last_observed": null,
                "mac_addresses": [],
                "management_status": [],
                "name": "*.digital-prod.acme.com",
                "operation_system": null,
                "region": null,
                "sensor": [
                    "XPANSE"
                ],
                "service_type": []
            }
        ]
    }
}
```

Human Readable Output#

Asset Internet Exposures#

| Asm Ids | Asset Type | Business Units | Certificate Algorithm | Certificate Classifications | Certificate Issuer | Domain Resolves | Has Active Externally Services | Has Xdr Agent | Name | Sensor |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| cfa1cd5a-77f1-3963-8557-7f652309a143 | CERTIFICATE | Acme, VanDelay Industries | SHA256withRSA | LongExpiration, Wildcard, Expired | DigiCert | false | false | NA | *.digital-dev.acme.com | XPANSE |
| 78a11e94-58a9-329c-99ca-e527d2db6cfb | CERTIFICATE | Acme, VanDelay Industries | SHA256withRSA | LongExpiration, Wildcard, Expired | DigiCert | false | false | NA | *.digital-prod.acme.com | XPANSE |

asm-get-asset-internet-exposure#


Get internet exposure asset details according to the asset ID.

Base Command#

asm-get-asset-internet-exposure

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asm_id | A string representing the asset ID for which you want to get the details. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.AssetInternetExposure.asm_ids | String | Attack surface management UUID. |
| ASM.AssetInternetExposure.name | String | Name of the exposed asset. |
| ASM.AssetInternetExposure.type | String | Type of the exposed asset. |
| ASM.AssetInternetExposure.last_observed | Unknown | Last time the exposure was observed. |
| ASM.AssetInternetExposure.first_observed | Unknown | First time the exposure was observed. |
| ASM.AssetInternetExposure.created | Date | Date the ASM issue was created. |
| ASM.AssetInternetExposure.business_units | String | Business units associated with the asset. |
| ASM.AssetInternetExposure.domain | Unknown | Domain associated with the asset. |
| ASM.AssetInternetExposure.certificate_issuer | String | Asset certificate issuer. |
| ASM.AssetInternetExposure.certificate_algorithm | String | Asset certificate algorithm. |
| ASM.AssetInternetExposure.certificate_classifications | String | Asset certificate classifications. |
| ASM.AssetInternetExposure.resolves | Boolean | Whether the asset has a DNS resolution. |
| ASM.AssetInternetExposure.details | Unknown | Additional details. |
| ASM.AssetInternetExposure.externally_inferred_vulnerability_score | Unknown | Asset vulnerability score. |

Command example#

!asm-get-asset-internet-exposure asm_id=3c176460-8735-333c-b618-8262e2fb660c

Context Example#

```json
{
    "ASM": {
        "AssetInternetExposure": {
            "active_external_services_types": [],
            "active_service_ids": [],
            "all_service_ids": [],
            "asm_ids": "3c176460-8735-333c-b618-8262e2fb660c",
            "business_units": [
                "Acme"
            ],
            "certificate_algorithm": "SHA1withRSA",
            "certificate_classifications": [
                "Wildcard",
                "Expired",
                "InsecureSignature"
            ],
            "certificate_issuer": "Thawte",
            "created": 1663030146931,
            "details": {
                "businessUnits": [
                    {
                        "name": "Acme"
                    }
                ],
                "certificateDetails": {
                    "formattedIssuerOrg": "Thawte",
                    "issuer": "C=US,O=Thawte\\, Inc.,CN=Thawte SSL CA",
                    "issuerAlternativeNames": "",
                    "issuerCountry": "US",
                    "issuerEmail": null,
                    "issuerLocality": null,
                    "issuerName": "Thawte SSL CA",
                    "issuerOrg": "Thawte\\\\, Inc.",
                    "issuerOrgUnit": null,
                    "issuerState": null,
                    "md5Fingerprint": "498ec19ebd6c6883ecd43d064e713002",
                    "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp21W/QVHuo0Nyy9l6Qp6Ye7yniuCccplWLdkL34pB0roNWBiklLJFftFTXJLtUuYEBhEbUtOPtNr5QRZFo+LQSj+JMQsGajEgNvIIMDms2xtc+vYkuJeNRsN/0zRm8iBjCNEZ0zBbWdupO6xee+Lngq5RiyRzAN2+Q5HlmHmVOcc7NtY5VIQhajp3a5Gc7tmLXa7ZxwQb+afdlpmE0iv4ZxmXFyHwlPXUlIxfETDDjtv2EzAgrnpZ5juo7TEFZA7AjsT0lO6cC2qPE9x9kC02PeC1Heg4hWf70CsXcKQBsprLqusrPYM9+OYfZnj+Dq9j6FjZD314Nz4qTGwmZrwDQIDAQAB",
                    "publicKeyAlgorithm": "RSA",
                    "publicKeyBits": 2048,
                    "publicKeyModulus": "<modulus omitted>",
                    "publicKeyRsaExponent": 65537,
                    "publicKeySpki": "Up3fHwOddA9cXEeO4XBOgn63bfnvkXsOrOv6AycwQAk=",
                    "serialNumber": "91384582774546160650506315451812470612",
                    "sha1Fingerprint": "77d025c36f055e254063ae2ac3625fd4bf4507fb",
                    "sha256Fingerprint": "9a37c952ee1169cfa6e91efb57fe6d405d1ca48b26a714e9a46f008c15ea62e8",
                    "signatureAlgorithm": "SHA1withRSA",
                    "subject": "C=US,ST=New Jersey,L=Wayne,O=Acme,OU=MIS,CN=*.babiesrus.com",
                    "subjectAlternativeNames": "*.babiesrus.com",
                    "subjectCountry": "US",
                    "subjectEmail": null,
                    "subjectLocality": "Wayne",
                    "subjectName": "*.babiesrus.com",
                    "subjectOrg": "Acme",
                    "subjectOrgUnit": "MIS",
                    "subjectState": "New Jersey",
                    "validNotAfter": 1444780799000,
                    "validNotBefore": 1413158400000,
                    "version": "3"
                },
                "dnsZone": null,
                "domain": null,
                "domainAssetType": null,
                "domainDetails": null,
                "inferredCvesObserved": [],
                "ip_ranges": {},
                "isPaidLevelDomain": false,
                "latestSampledIp": null,
                "providerDetails": [],
                "recentIps": [],
                "subdomainMetadata": null,
                "topLevelAssetMapperDomain": null
            },
            "domain": null,
            "external_services": [],
            "externally_detected_providers": [],
            "externally_inferred_cves": [],
            "externally_inferred_vulnerability_score": null,
            "first_observed": null,
            "ips": [],
            "last_observed": null,
            "name": "*.babiesrus.com",
            "resolves": false,
            "type": "Certificate"
        }
    }
}
```

Human Readable Output#

Asset Internet Exposure#

| Asm Ids | Business Units | Certificate Algorithm | Certificate Classifications | Certificate Issuer | Created | Details | Name | Resolves | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3c176460-8735-333c-b618-8262e2fb660c | Acme | SHA1withRSA | Wildcard, Expired, InsecureSignature | Thawte | 1663030146931 | providerDetails: ; domain: null; topLevelAssetMapperDomain: null; domainAssetType: null; isPaidLevelDomain: false; domainDetails: null; dnsZone: null; latestSampledIp: null; subdomainMetadata: null; recentIps: ; businessUnits: {'name': 'Acme'}; certificateDetails: {"issuer": "C=US,O=Thawte\, Inc.,CN=Thawte SSL CA", "issuerAlternativeNames": "", "issuerCountry": "US", "issuerEmail": null, "issuerLocality": null, "issuerName": "Thawte SSL CA", "issuerOrg": "Thawte\\, Inc.", "formattedIssuerOrg": "Thawte", "issuerOrgUnit": null, "issuerState": null, "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp21W/QVHuo0Nyy9l6Qp6Ye7yniuCccplWLdkL34pB0roNWBiklLJFftFTXJLtUuYEBhEbUtOPtNr5QRZFo+LQSj+JMQsGajEgNvIIMDms2xtc+vYkuJeNRsN/0zRm8iBjCNEZ0zBbWdupO6xee+Lngq5RiyRzAN2+Q5HlmHmVOcc7NtY5VIQhajp3a5Gc7tmLXa7ZxwQb+afdlpmE0iv4ZxmXFyHwlPXUlIxfETDDjtv2EzAgrnpZ5juo7TEFZA7AjsT0lO6cC2qPE9x9kC02PeC1Heg4hWf70CsXcKQBsprLqusrPYM9+OYfZnj+Dq9j6FjZD314Nz4qTGwmZrwDQIDAQAB", "publicKeyAlgorithm": "RSA", "publicKeyRsaExponent": 65537, "signatureAlgorithm": "SHA1withRSA", "subject": "C=US,ST=New Jersey,L=Wayne,O=Acme,OU=MIS,CN=*.babiesrus.com", "subjectAlternativeNames": "*.babiesrus.com", "subjectCountry": "US", "subjectEmail": null, "subjectLocality": "Wayne", "subjectName": "*.babiesrus.com", "subjectOrg": "Acme", "subjectOrgUnit": "MIS", "subjectState": "New Jersey", "serialNumber": "91384582774546160650506315451812470612", "validNotBefore": 1413158400000, "validNotAfter": 1444780799000, "version": "3", "publicKeyBits": 2048, "publicKeyModulus": "<modulus omitted>", "publicKeySpki": "Up3fHwOddA9cXEeO4XBOgn63bfnvkXsOrOv6AycwQAk=", "sha1Fingerprint": "77d025c36f055e254063ae2ac3625fd4bf4507fb", "sha256Fingerprint": "9a37c952ee1169cfa6e91efb57fe6d405d1ca48b26a714e9a46f008c15ea62e8", "md5Fingerprint": "498ec19ebd6c6883ecd43d064e713002"}; inferredCvesObserved: ; ip_ranges: {} | *.babiesrus.com | false | Certificate |
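The certificate fields returned by `asm-list-asset-internet-exposure` and `asm-get-asset-internet-exposure` are what a triage automation would act on. The following is an added example, not part of the Cortex ASM integration: it normalises both output shapes (list items with `asm_ids` as a list, or the single object with `asm_ids` as a string and `details.certificateDetails`), flags expired, wildcard and weakly signed certificates, and computes how long a certificate has been expired from `validNotAfter`. The severity labels, the weak-algorithm set and the trimmed sample inputs are this example's own constructions.

```python
"""Triage certificate assets from the ASM.AssetInternetExposure context.

Added example, not part of the Cortex ASM integration. It accepts both shapes
shown on this page: items from asm-list-asset-internet-exposure (asm_ids is a
list) and the object from asm-get-asset-internet-exposure (asm_ids is a string
and details.certificateDetails carries validNotAfter). Severity labels and the
weak-algorithm set are this example's own choices, not integration output.
"""
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000
# Signature algorithms this example treats as weak (SHA-1 / MD5 based).
WEAK_SIGNATURE_ALGORITHMS = {"SHA1withRSA", "SHA1withECDSA", "MD5withRSA"}

# Constructed samples, trimmed from the two context examples above.
LIST_SAMPLE = [{"asm_ids": ["cfa1cd5a-77f1-3963-8557-7f652309a143"],
                "name": "*.digital-dev.acme.com", "certificate_algorithm": "SHA256withRSA",
                "certificate_classifications": ["LongExpiration", "Wildcard", "Expired"],
                "domain_resolves": False}]
GET_SAMPLE = {"asm_ids": "3c176460-8735-333c-b618-8262e2fb660c", "name": "*.babiesrus.com",
              "certificate_algorithm": "SHA1withRSA", "resolves": False,
              "certificate_classifications": ["Wildcard", "Expired", "InsecureSignature"],
              "details": {"certificateDetails": {"validNotAfter": 1444780799000}}}


def _asm_id(asset):
    """asm_ids is a list from the list command and a string from the get command."""
    ids = asset.get("asm_ids")
    return ids[0] if isinstance(ids, list) and ids else ids


def triage_certificate(asset, now_ms=None):
    """Return findings for one certificate asset; now_ms overrides the clock for tests."""
    classifications = set(asset.get("certificate_classifications") or [])
    findings = []
    if "Expired" in classifications:
        findings.append("expired")
    if ("InsecureSignature" in classifications
            or asset.get("certificate_algorithm") in WEAK_SIGNATURE_ALGORITHMS):
        findings.append("weak-signature")
    if "Wildcard" in classifications:
        findings.append("wildcard")
    if "LongExpiration" in classifications:
        findings.append("long-expiration")
    # validNotAfter (epoch ms) is only present in the asm-get-... details block.
    details = (asset.get("details") or {}).get("certificateDetails") or {}
    days_expired = None
    if details.get("validNotAfter") is not None:
        if now_ms is None:
            now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
        days_expired = max(0, (now_ms - details["validNotAfter"]) // MS_PER_DAY)
    severity = ("high" if "expired" in findings or "weak-signature" in findings
                else "medium" if findings else "low")
    return {"asm_id": _asm_id(asset), "name": asset.get("name"), "severity": severity,
            "findings": findings, "days_expired": days_expired,
            "resolves": asset.get("domain_resolves", asset.get("resolves"))}
```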

asm-list-remediation-rule#


Returns a list of remediation path rules.

Base Command#

asm-list-remediation-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asm_rule_id | A string representing the ASM rule ID for which you want the associated remediation path rules. | Required |
| sort_by_creation_time | Sorts the returned results by the date/time they were created ("asc" - ascending, "desc" - descending). Possible values are: asc, desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.RemediationRule.rule_id | String | Remediation path rule UUID. |
| ASM.RemediationRule.rule_name | String | Remediation path rule name. |
| ASM.RemediationRule.description | String | Remediation path rule description. |
| ASM.RemediationRule.attack_surface_rule_id | String | Associated ASM rule ID for the remediation path rules. |
| ASM.RemediationRule.criteria | Unknown | Array of remediation path rule criteria. |
| ASM.RemediationRule.criteria_conjunction | String | Whether criteria are combined with AND or OR. |
| ASM.RemediationRule.action | String | Action to take on rule match. |
| ASM.RemediationRule.created_by | String | Email of who created the rule. |
| ASM.RemediationRule.created_by_pretty | String | Readable name of who created the rule. |
| ASM.RemediationRule.created_at | Date | Date the rule was created. |

Command example#

!asm-list-remediation-rule asm_rule_id=RdpServer sort_by_creation_time=desc

Context Example#

```json
{
    "ASM": {
        "RemediationRule": {
            "action": "Email",
            "attack_surface_rule_id": "RdpServer",
            "created_at": 1672897301000,
            "created_by": "test@test.com",
            "created_by_pretty": "Test User",
            "criteria": [
                {
                    "field": "severity",
                    "operator": "eq",
                    "value": "high"
                },
                {
                    "field": "isCloudManaged",
                    "operator": "eq",
                    "value": "true"
                }
            ],
            "criteria_conjunction": "AND",
            "description": "for testing",
            "rule_id": "b935cf69-add9-4e75-8c3d-fe32ee471554",
            "rule_name": "TestRule"
        }
    }
}
```

Human Readable Output#

Remediation Rules#

| Action | Attack Surface Rule Id | Created At | Created By | Created By Pretty | Criteria | Criteria Conjunction | Description | Rule Id | Rule Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Email | RdpServer | 1672897301000 | test@test.com | Test User | {'field': 'severity', 'value': 'high', 'operator': 'eq'}, {'field': 'isCloudManaged', 'value': 'true', 'operator': 'eq'} | AND | for testing | b935cf69-add9-4e75-8c3d-fe32ee471554 | TestRule |
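A remediation path rule is a list of `field` / `operator` / `value` criteria combined by `criteria_conjunction`. The following added example (not integration code) evaluates a rule of that shape against an alert's fields, which is useful when checking which rule will fire for a given alert before relying on the automated action. The rule is copied from the context example above; the alert dictionaries are constructed, and since only the `eq` operator appears on this page, any other operator is rejected rather than guessed at.

```python
"""Evaluate an ASM.RemediationRule against the fields of an alert.

Added example, not integration code. The rule shape (a criteria list of
field/operator/value entries plus criteria_conjunction AND/OR) mirrors the
context example above. Only the "eq" operator appears on this page, so any
other operator is rejected instead of guessed at; alert dicts are constructed.
"""

# Constructed rule, copied from the context example above.
RULE_SAMPLE = {
    "action": "Email", "attack_surface_rule_id": "RdpServer",
    "criteria": [{"field": "severity", "operator": "eq", "value": "high"},
                 {"field": "isCloudManaged", "operator": "eq", "value": "true"}],
    "criteria_conjunction": "AND", "rule_id": "b935cf69-add9-4e75-8c3d-fe32ee471554",
    "rule_name": "TestRule",
}


def _criterion_matches(criterion, alert):
    """Apply one criterion; rule values are strings ("true"), so compare as lowercase text."""
    if criterion.get("operator") != "eq":
        raise ValueError(f"unsupported operator: {criterion.get('operator')!r}")
    actual = alert.get(criterion["field"])
    return actual is not None and str(actual).lower() == str(criterion["value"]).lower()


def rule_matches(rule, alert):
    """True when the rule's criteria, combined by criteria_conjunction, hold for the alert."""
    criteria = rule.get("criteria") or []
    if not criteria:
        return False  # a rule with no criteria should never fire
    verdicts = [_criterion_matches(c, alert) for c in criteria]
    conjunction = (rule.get("criteria_conjunction") or "AND").upper()
    if conjunction == "AND":
        return all(verdicts)
    if conjunction == "OR":
        return any(verdicts)
    raise ValueError(f"unsupported conjunction: {conjunction!r}")


def matching_actions(rules, alert):
    """Return (rule_name, action) for every matching rule; rules may be a list or one dict."""
    rules = rules if isinstance(rules, list) else [rules]
    return [(r["rule_name"], r["action"]) for r in rules if rule_matches(r, alert)]
```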

asm-start-remediation-confirmation-scan#


Starts a new Remediation Confirmation Scan or gets an existing scan ID.

Base Command#

asm-start-remediation-confirmation-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| service_id | The ID of the service in Cortex Xpanse associated with the alert. | Required |
| attack_surface_rule_id | The Cortex Xpanse attack surface rule associated with the alert. | Required |
| alert_internal_id | The Cortex Xpanse alert ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.RemediationScan.scanId | string | The ID returned for the created or existing scan. |
| ASM.RemediationScan.scan_creation_status | string | The creation status of the scan (based on HTTP status). |

Command example#

!asm-start-remediation-confirmation-scan service_id="abc12345-abab-1212-1212-abc12345abcd" attack_surface_rule_id="InsecureOpenSSH" alert_internal_id="1"

Context Example#

```json
{
    "ASM": {
        "RemediationScan": {
            "scanId": "abcdef12-3456-789a-bcde-fgh012345678",
            "scan_creation_status": "created"
        }
    }
}
```

Human Readable Output#

Creation of Remediation Confirmation Scan#

| Scanid | Scan Creation Status |
| --- | --- |
| abcdef12-3456-789a-bcde-fgh012345678 | created |

asm-get-remediation-confirmation-scan-status#


Get the status of an existing Remediation Confirmation Scan.

Base Command#

asm-get-remediation-confirmation-scan-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_id | The ID of an existing remediation confirmation scan. | Required |
| interval_in_seconds | The interval, in seconds, to poll for scan results of an existing Remediation Confirmation Scan. Default is 600. | Optional |
| timeout_in_seconds | The timeout, in seconds, for polling for scan results of an existing Remediation Confirmation Scan. Default is 11000. | Optional |
| hide_polling_output | Whether to hide the polling result (automatically filled by polling). | Optional |
| polling | Whether to poll until there is at least one result. Possible values are: true, false. Default is true. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.RemediationScan.status | string | Status of the Remediation Confirmation Scan. |
| ASM.RemediationScan.result | string | Result of the Remediation Confirmation Scan. |

Command example#

!asm-get-remediation-confirmation-scan-status scan_id="abcdef12-3456-789a-bcde-fgh012345678"

Context Example#

```json
{
    "ASM": {
        "RemediationScan": {
            "status": "SUCCESS", // Required
            "result": "REMEDIATED" // Optional (If not SUCCESS)
        }
    }
}
```

Human Readable Output#

Status of Remediation Confirmation Scan#

| status | result |
| --- | --- |
| SUCCESS | REMEDIATED |
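The two scan commands above form one procedure: start (or reuse) a scan, then poll its status at `interval_in_seconds` until a result appears or `timeout_in_seconds` elapses. The following added example, not the integration's own polling logic, implements that loop with the status lookup, sleep and clock injected so it can be exercised offline; the intermediate `IN_PROGRESS` status in the constructed responses is an assumption, since the page only shows `SUCCESS` with result `REMEDIATED`.

```python
"""Poll a Remediation Confirmation Scan until it reports a result.

Added example, not the integration's own polling logic. The status lookup,
sleep and clock are injected so the loop runs offline; the defaults follow the
interval_in_seconds / timeout_in_seconds arguments above. The intermediate
"IN_PROGRESS" status in the constructed responses is an assumption; the page
only shows SUCCESS with result REMEDIATED.
"""
import time


def wait_for_scan_result(scan_id, get_status, interval_in_seconds=600,
                         timeout_in_seconds=11000, sleep=time.sleep, clock=time.monotonic):
    """Return the status/result dict once a result is present, or None on timeout."""
    deadline = clock() + timeout_in_seconds
    while True:
        response = get_status(scan_id)
        # result is documented as present once status is SUCCESS; stop on either signal.
        if response.get("status") == "SUCCESS" or response.get("result") is not None:
            return response
        remaining = deadline - clock()
        if remaining <= 0:
            return None
        sleep(min(interval_in_seconds, remaining))  # never sleep past the deadline


class FakeScanApi:
    """Constructed stand-in for asm-get-remediation-confirmation-scan-status."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = 0

    def get_status(self, scan_id):
        self.calls += 1
        # Replay the scripted responses, repeating the last one once exhausted.
        return self.responses[min(self.calls, len(self.responses)) - 1]


class FakeClock:
    """Virtual clock so the 600-second interval costs no wall time."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds
```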

asm-get-attack-surface-rule#


Get information about an attack surface rule ID.

Base Command#

asm-get-attack-surface-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| attack_surface_rule_id | A comma-separated list of attack surface rule IDs. For example: RdpServer,InsecureOpenSSH. | Optional |
| enabled_status | Get the info about rule IDs with enabled status on or off. Has to be comma separated. For example: on,off. | Optional |
| priority | Get the info about rule IDs with a priority. Has to be comma separated. For example: high,medium. | Optional |
| category | Get the info about rule IDs of a category. Has to be comma separated. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ASM.AttackSurfaceRule.attack_surface_rule_id | unknown | Attack surface rule ID. |
| ASM.AttackSurfaceRule.attack_surface_rule_name | unknown | Attack surface rule name. |
| ASM.AttackSurfaceRule.category | unknown | Attack surface rule category. |
| ASM.AttackSurfaceRule.enabled_status | unknown | Attack surface rule status. |
| ASM.AttackSurfaceRule.priority | unknown | Attack surface rule priority. |
| ASM.AttackSurfaceRule.remediation_guidance | unknown | Remediation guidance of attack surface rule. |

Command example#

!asm-get-attack-surface-rule attack_surface_rule_id=RdpServer raw-response=true

Context Example#

```json
{
    "reply": {
        "attack_surface_rules": [
            {
                "attack_surface_rule_id": "RdpServer",
                "attack_surface_rule_name": "RDP Server",
                "category": "Attack Surface Reduction",
                "created": 1698113023000,
                "description": "Remote Desktop Protocol (RDP) servers provide remote access to a computer over a network connection. Externally accessible RDP servers pose a significant security risk as they are frequent targets for attackers and can be vulnerable to a variety of documented exploits.",
                "enabled_status": "ON",
                "knowledge_base_link": null,
                "modified": 1605140275000,
                "modified_by": null,
                "priority": "High",
                "remediation_guidance": "Recommendations to reduce the likelihood of malicious RDP attempts are as follows:\n\n1. Best practice is to not have RDP publicly accessible on the Internet and instead only on trusted local networks.\n2. Implement a risk-based approach that prioritizes patching RDP vulnerabilities that have known weaponized public exploits.\n3. Limit RDP access to a specific user group and implementing lockout policies is an additional measure to protect against RDP brute-forcing which is another common tactic used by attackers. In addition, enable NLA (Network Level Authentication) which is non-default on older versions.\n4. If remote access to RDP or terminal services is a business requirement, it should only be made accessible through a secure Virtual Private Network (VPN) connection with multi-factor authentication (MFA) to the corporate network or through a zero-trust remote access gateway."
            }
        ],
        "result_count": 1,
        "total_count": 1
    }
}
```

Human Readable Output#

Results#

| ATTACK_SURFACE_RULE_ID | ATTACK_SURFACE_RULE_NAME | CATEGORY | CREATED | DESCRIPTION | ENABLED_STATUS | KNOWLEDGE_BASE_LINK | MODIFIED | MODIFIED_BY | PRIORITY | REMEDIATION_GUIDANCE |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| RdpServer | RDP Server | Attack Surface Reduction | 1698113023000 | Remote Desktop Protocol (RDP) servers provide remote access to a computer over a network connection. Externally accessible RDP servers pose a significant security risk as they are frequent targets for attackers and can be vulnerable to a variety of documented exploits. | ON | | 1605140275000 | | High | Recommendations to reduce the likelihood of malicious RDP attempts are as follows:\n\n1. Best practice is to not have RDP publicly accessible on the Internet and instead only on trusted local networks.\n2. Implement a risk-based approach that prioritizes patching RDP vulnerabilities that have known weaponized public exploits.\n3. Limit RDP access to a specific user group and implementing lockout policies is an additional measure to protect against RDP brute-forcing which is another common tactic used by attackers. In addition, enable NLA (Network Level Authentication) which is non-default on older versions.\n4. If remote access to RDP or terminal services is a business requirement, it should only be made accessible through a secure Virtual Private Network (VPN) connection with multi-factor authentication (MFA) to the corporate network or through a zero-trust remote access gateway |