
Asimily Insight

This integration is part of the Asimily Insight Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Integrate Asimily Insight to ingest security anomalies, CVEs, and leverage detailed asset data for streamlined incident investigation.

Asimily Insight delivers comprehensive IoT/OT security and management by providing deep asset visibility, automated vulnerability prioritization, and actionable mitigation strategies aligned with MITRE ATT&CK. It analyzes device communication, calculates holistic risk scores, and enables targeted network segmentation. The platform detects anomalies, simplifies policy management, and automates forensic packet capture. Beyond security, Asimily optimizes asset utilization, tracks operational usage, and manages configuration drift. Its Risk Simulator improves efficiency, and centralized data streamlines IT/OT convergence while identifying unmanaged devices.

This integration utilizes the Asimily Insight RESTful APIs to provide seamless access to comprehensive device data. Users can retrieve detailed information on IT, medical, and security parameters, as well as view known vulnerabilities (CVEs), detect asset anomalies, and maintain synchronized data—either on a regular schedule or on demand.

What does this pack do?

  • On-Demand Asset Retrieval: Query Asimily Insight for detailed device information using search parameters, such as IP address, MAC address, facility, or device ID.
  • Anomaly Alert Synchronization: Regularly sync alerts generated by Asimily Insight to ensure up-to-date visibility into device-related security and operational events.
  • Vulnerability (CVE) Synchronization: Periodically retrieve and update known device vulnerabilities detected by Asimily Insight to support informed risk management and mitigation.
  • Incident Creation in Cortex XSOAR: All synced data, whether anomaly alerts or vulnerabilities, is automatically converted into incidents in Cortex XSOAR for streamlined investigation and response workflows. Asset information can be queried and stored automatically by a playbook that calls the asimily-get-asset-details command.

Configure Asimily Insight on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Asimily Insight.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required / Default | Type |
    | --- | --- | --- | --- |
    | Name | XSOAR integration instance name | True | String |
    | Asimily Portal URL | In the format https://customer-portal.asimily.com | True | String |
    | API User Name | The Asimily Insight API username | True | String |
    | Password | The password of the Asimily Insight API user | True | String |
    | Trust any certificate (not secure) | Skips TLS certificate verification. Leave disabled outside a lab: with it enabled, the API credentials are sent to whichever host answers for the portal URL, including a man-in-the-middle. | Default False | Boolean |
    | Use system proxy settings | Route API calls through the system proxy | Default False | Boolean |
    | Device Family Filter for Fetch Operation | Fetch incidents only for assets in the selected device families | "All" | Multi-Select |
    | Device Tags Filter for Fetch Operation | Fetch incidents only for assets with the selected device tags | "All" | Multi-Select |
    | Fetch Anomaly Alerts | Whether fetch-incidents creates anomaly incidents | Default False | Boolean |
    | Fetch Anomaly Criticality | Fetch anomaly incidents only for anomalies with the selected criticality | "High Only" | Single-Select |
    | Fetch Device CVEs | Whether fetch-incidents creates CVE incidents | Default False | Boolean |
    | Fetch CVE Score | Fetch CVE incidents only for CVEs with the selected score range | "High Only" | Single-Select |
    | Incidents Fetch Interval | Minutes between fetches. The default of 5 minutes can be adjusted based on the observed fetch duration to balance data freshness against load on both systems. | 5 | Number |
    | Fetches incidents | Enable fetch-incidents for this instance | False | Boolean |
  4. Click Test to validate the URL, API username, API password and connection.

Resetting the "Last Run" Timestamp

If you modify any of the fetch filters (Fetch Anomaly Alerts, Fetch Device CVEs, Device Family Filter, Device Tags Filter, Fetch Anomaly Criticality, Fetch CVE Score), new devices may now be in scope, or existing devices may have older alerts or CVEs that now match. Because fetch-incidents only pulls data newer than the stored "last run" timestamp, those items will not be fetched until you reset it. Resetting the "last run" timestamp after a filter change is strongly recommended.

To reset:

  1. Go to the integration instance configuration.
  2. Navigate to Collect > Advanced Settings.
  3. Click Reset the "last run" timestamp.
  4. Click Reset Now.

This ensures that incidents related to newly included devices and updated filters are correctly fetched.


Configure Pre-Process Rules

The integration pulls asset information, anomaly alerts and CVEs from Asimily Insight whenever they are updated or queried, so the same alert or CVE can arrive more than once. A pre-process rule that drops an incoming incident when it duplicates an existing one prevents this.

Follow the guidelines below to configure the preprocessing rule.

  1. Navigate to Settings > Object Setup > Incidents > Pre-Process Rules.
  2. Click +New Rule on the top right corner.
  3. Name the rule appropriately (e.g. Asimily Incident Dedup).
  4. In the Conditions for Incoming Incident section, enter:
    • Type - Includes - Asimily
  5. In the Action section, select Run a script.
  6. In the Choose a script section, pick from the drop-down list:
    • PreProcessAsimilyDedup

The configuration of the preprocessing rule is optional, but highly recommended to avoid duplication.


The integration includes a preprocessing script (PreProcessAsimilyDedup) that drops the incoming incident if it is a duplicate. It searches all past incidents regardless of status, so a closed incident for the same alert or CVE also counts as a duplicate.

Alternative rule settings can be:

  1. In the Action section, select Drop and update.
  2. In the Update section, enter
    • Link to - Oldest incident - Created within the last - Your desired timeframe
    • DbotMirrorId - Is identical (Incoming Incident) - to incoming incident
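The duplicate check behind either rule variant, as an added example written for this page (it is not the pack's PreProcessAsimilyDedup script): plain functions that decide whether an incoming incident should be created, keyed on dbotMirrorId and incident type, searching across all statuses and linking to the oldest match. It also shows the escaping needed when a vendor-supplied mirror ID is embedded in an incident search query. In XSOAR the incoming incident would come from demisto.incidents() and the candidates from demisto.executeCommand("getIncidents", {"query": ...}); both are assumed here and replaced by constructed sample incidents, and the incident type names are placeholders.

```python
"""Dedup logic for an Asimily pre-process rule (added example, runs offline)."""
from typing import Iterable, Optional


def escape_query_value(value: str) -> str:
    """Escape a value before embedding it in an XSOAR incident search query.

    dbotMirrorId is derived from vendor data, so it is untrusted input to the
    query language; backslashes and double quotes must not be able to break
    out of the quoted term.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_dedup_query(mirror_id: str, incident_type_prefix: str = "Asimily") -> str:
    """Query for earlier incidents of the same type family with the same mirror ID.

    No status clause on purpose: like the pack's script, closed incidents count.
    """
    return f'type:{incident_type_prefix}* and dbotMirrorId:"{escape_query_value(mirror_id)}"'


def find_duplicate(incoming: dict, existing: Iterable[dict]) -> Optional[dict]:
    """Return the oldest existing incident that duplicates `incoming`, or None.

    Duplicates share a non-empty dbotMirrorId and the same incident type.
    An incoming incident without a mirror ID is never dropped: a missing key
    must fail open to "create" rather than silently discard a real alert.
    """
    mirror_id = incoming.get("dbotMirrorId") or ""
    if not mirror_id:
        return None
    matches = [
        inc for inc in existing
        if inc.get("dbotMirrorId") == mirror_id and inc.get("type") == incoming.get("type")
    ]
    if not matches:
        return None
    # ISO-8601 timestamps sort lexically, so min() gives the oldest incident.
    return min(matches, key=lambda inc: inc.get("created", ""))


def should_create(incoming: dict, existing: Iterable[dict]) -> bool:
    """The boolean a pre-process script returns: True keeps the incident, False drops it."""
    return find_duplicate(incoming, existing) is None


# Constructed sample data (not real Asimily output). Type names are assumed.
EXISTING = [
    {"id": "101", "type": "Asimily CVE", "dbotMirrorId": "cve:CVE-0000-0001:dev42",
     "status": 2, "created": "2024-05-01T10:00:00Z"},   # closed, still a duplicate
    {"id": "102", "type": "Asimily CVE", "dbotMirrorId": "cve:CVE-0000-0001:dev42",
     "status": 1, "created": "2024-05-02T10:00:00Z"},
]
INCOMING_DUP = {"type": "Asimily CVE", "dbotMirrorId": "cve:CVE-0000-0001:dev42"}
INCOMING_NEW = {"type": "Asimily CVE", "dbotMirrorId": "cve:CVE-0000-0002:dev42"}
INCOMING_NO_ID = {"type": "Asimily Anomaly"}

if __name__ == "__main__":
    print(build_dedup_query(INCOMING_DUP["dbotMirrorId"]))
    print("create:", should_create(INCOMING_DUP, EXISTING))    # False: dropped
    print("create:", should_create(INCOMING_NEW, EXISTING))    # True
    print("create:", should_create(INCOMING_NO_ID, EXISTING))  # True: no key, fail open
```

If you adapt this into a real script, keep the mirror ID as the only match key: matching on the incident name would drop distinct findings for devices whose hostname, IP and MAC are all unknown.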

Commands

You can run these commands from the Cortex XSOAR CLI, as part of an automation, or within a playbook. Upon successful execution, a DBot message will appear in the War Room with execution details. If asset data, anomaly alerts, or CVE information is retrieved, corresponding incidents will be automatically created with appropriate incident types.

asimily-get-asset-details

Fetches asset details from Asimily Insight. Arguments can be added as filters.

Base Command

asimily-get-asset-details

Input

| Argument | Description | Required | Supports List |
| --- | --- | --- | --- |
| mac_addr | The MAC address of the Asimily asset | Optional | No |
| ip_addr | The IP address of the Asimily asset | Optional | No |
| facility | The facility of the Asimily asset | Optional | No |
| asimily_device_id | The ID Asimily Insight assigns to the device | Optional | No |
| limit | Maximum number of items to fetch | Optional | No |

Context Output

War Room message: Fetched ${fetch_limit} out of ${device_count} assets matching search. Asset fetch count is limited to avoid server overload.

| Path | Type | Description |
| --- | --- | --- |
| AsimilyInsight.Asset.asimilydeviceid | number | Asimily Device ID |
| AsimilyInsight.Asset.asimilydeviceipv4address | unknown | Asimily Device IP Address |
| AsimilyInsight.Asset.asimilydevicemacaddress | string | Asimily Device MAC Address |
| AsimilyInsight.Asset.asimilydeviceipv6address | unknown | Asimily Device IPv6 Address |
| AsimilyInsight.Asset.asimilydevicemanufacturer | string | Asimily Device Manufacturer |
| AsimilyInsight.Asset.asimilydevicemodel | string | Asimily Device Model |
| AsimilyInsight.Asset.asimilydeviceos | string | Asimily Device OS |
| AsimilyInsight.Asset.asimilydeviceosversion | string | Asimily Device OS Version |
| AsimilyInsight.Asset.asimilydevicetype | string | Asimily Device Type |
| AsimilyInsight.Asset.asimilydevicefamilies | unknown | Asimily Device Families |
| AsimilyInsight.Asset.asimilydeviceserialnumber | string | Asimily Device Serial Number |
| AsimilyInsight.Asset.asimilydevicedepartment | string | Asimily Device Department |
| AsimilyInsight.Asset.asimilydevicefacility | string | Asimily Device Facility |
| AsimilyInsight.Asset.asimilydevicehardwarearchitecture | string | Asimily Device Hardware Architecture |
| AsimilyInsight.Asset.asimilydevicehostname | string | Asimily Device Host Name |
| AsimilyInsight.Asset.asimilydevicelocation | string | Asimily Device Location |
| AsimilyInsight.Asset.asimilydeviceregion | string | Asimily Device Region |
| AsimilyInsight.Asset.asimilydevicesoftwareverison | string | Asimily Device Software Version (the context key keeps its original spelling) |
| AsimilyInsight.Asset.asimilydeviceifstoreephi | boolean | Asimily Device If Store ePHI |
| AsimilyInsight.Asset.asimilydeviceiftransmitephi | boolean | Asimily Device If Transmit ePHI |
| AsimilyInsight.Asset.asimilydeviceriskscore | number | Asimily Device Risk Score |
| AsimilyInsight.Asset.asimilydevicelikelihood | number | Asimily Device Likelihood |
| AsimilyInsight.Asset.asimilydeviceimpact | number | Asimily Device Impact |
| AsimilyInsight.Asset.asimilydeviceaverageutilizationpercent | number | Asimily Device Average Utilization Percent |
| AsimilyInsight.Asset.asimilydeviceuptime | number | Asimily Device Up Time |
| AsimilyInsight.Asset.asimilydeviceisconnected | boolean | Asimily Device Is Connected |
| AsimilyInsight.Asset.asimilydeviceiscurrentlyinuse | boolean | Asimily Device Is Currently In Use |
| AsimilyInsight.Asset.asimilydeviceisnetworkingdevice | boolean | Asimily Device Is Networking Device |
| AsimilyInsight.Asset.asimilydeviceiswireless | boolean | Asimily Device Is Wireless |
| AsimilyInsight.Asset.asimilydeviceclass | string | Asimily Device Class |
| AsimilyInsight.Asset.asimilydevicemanagedby | string | Asimily Device Managed By |
| AsimilyInsight.Asset.asimilydeviceanomalypresent | boolean | Asimily Device Anomaly Present |
| AsimilyInsight.Asset.asimilydevicemds2 | string | Asimily Device MDS2 |
| AsimilyInsight.Asset.asimilydevicecmmsid | string | Asimily Device CMMS ID |
| AsimilyInsight.Asset.asimilydevicelastdiscoveredtime | date | Asimily Device Last Discovered Time |
| AsimilyInsight.Asset.asimilydevicetag | unknown | Asimily Device Tag |
| AsimilyInsight.Asset.asimilydevicemasterfamily | string | Asimily Device Master Family |
| AsimilyInsight.Asset.asimilydevicediscoverysource | string | Asimily Device Discovery Source |
| AsimilyInsight.Asset.asimilydeviceapplications | unknown | Asimily Device Applications |
| AsimilyInsight.Asset.asimilydeviceurl | string | Asimily Device URL |
| AsimilyInsight.Asset.asimilydeviceifusingendpointsecurity | boolean | Asimily Device If Using Endpoint Security |

asimily-get-asset-anomalies

Fetches anomaly alerts from Asimily Insight. Arguments can be added as filters.

Base Command

asimily-get-asset-anomalies

Input

| Argument Name | Description | Required | Supports List |
| --- | --- | --- | --- |
| mac_addr | The MAC address of the Asimily asset | Optional | No |
| ip_addr | The IP address of the Asimily asset | Optional | No |
| asimily_device_id | The ID Asimily Insight assigns to the device | Optional | No |
| device_family | Asimily device family filter | Optional | Yes |
| device_tag | Asimily device tag filter | Optional | Yes |
| criticality | Anomaly alert criticality filter. Options: High Only, Medium and High, All | Optional | No |
| limit | Maximum number of items to fetch (the fetch stops once the device anomalies reach the limit) | Optional | No |

Context Output

War Room message: Fetched ${fetch_count} anomalies for ${fetch_device_count} devices matching search. ${pending_device_count} devices matching search were not fetched. Fetch count is limited to avoid server overload.

| Path | Type | Description |
| --- | --- | --- |
| AsimilyInsight.Anomaly.asimilyanomalyname | string | Asimily Anomaly Name |
| AsimilyInsight.Anomaly.asimilyanomalycriticality | string | Asimily Anomaly Criticality |
| AsimilyInsight.Anomaly.asimilyanomalyearliesttriggertime | date | Asimily Anomaly Earliest Trigger Time |
| AsimilyInsight.Anomaly.asimilyanomalylasttriggertime | date | Asimily Anomaly Last Trigger Time |
| AsimilyInsight.Anomaly.asimilyanomalyalertid | string | Asimily Anomaly Alert ID |
| AsimilyInsight.Anomaly.asimilyanomalyurls | unknown | Asimily Anomaly URLs |
| AsimilyInsight.Anomaly.asimilyanomalyisfixed | boolean | Asimily Anomaly Is Fixed |
| AsimilyInsight.Anomaly.asimilyanomalyfixby | string | Asimily Anomaly Fix By |
| AsimilyInsight.Anomaly.asimilyanomalycriticalityscore | number | Asimily Anomaly Criticality Score |
| AsimilyInsight.Anomaly.asimilyanomalymitretactic | string | Asimily Anomaly MITRE Tactic |
| AsimilyInsight.Anomaly.asimilyanomalymitretechnique | string | Asimily Anomaly MITRE Technique |
| AsimilyInsight.Anomaly.asimilyanomalycategory | string | Asimily Anomaly Category |
| AsimilyInsight.Anomaly.asimilyanomalydescription | string | Asimily Anomaly Description |
| AsimilyInsight.Anomaly.asimilyanomalycustomeranomalyid | string | Asimily Anomaly Customer Anomaly ID. Unique anomaly type identifier assigned by Asimily for a specific customer. This ID can be used in future operations such as invoking anomaly fix actions. |
| AsimilyInsight.Anomaly.asimilydeviceid | number | Asimily Device ID |
| AsimilyInsight.Anomaly.asimilydevicemacaddress | string | Asimily Device MAC Address |
| AsimilyInsight.Anomaly.asimilydeviceipv4address | string | Asimily Device IPv4 Address |
| AsimilyInsight.Anomaly.asimilydevicehostname | string | Asimily Device Host Name |
| AsimilyInsight.Anomaly.asimilydevicetype | string | Asimily Device Type |
| AsimilyInsight.Anomaly.asimilydevicemodel | string | Asimily Device Model |
| AsimilyInsight.Anomaly.asimilydeviceos | string | Asimily Device OS |
| AsimilyInsight.Anomaly.asimilydevicemanufacturer | string | Asimily Device Manufacturer |
| AsimilyInsight.Anomaly.asimilydevicefamilies | unknown | Asimily Device Families |

asimily-get-asset-vulnerabilities

Fetches device CVEs from Asimily Insight. Arguments can be added as filters.

Base Command

asimily-get-asset-vulnerabilities

Input

| Argument Name | Description | Required | Supports List |
| --- | --- | --- | --- |
| mac_addr | The MAC address of the Asimily asset | Optional | No |
| ip_addr | The IP address of the Asimily asset | Optional | No |
| asimily_device_id | The ID Asimily Insight assigns to the device | Optional | No |
| device_family | Asimily device family filter | Optional | Yes |
| device_tag | Asimily device tag filter | Optional | Yes |
| cve_score | CVE score filter. Options: High Only, Medium and High, All (thresholds: High = 7.5, Medium = 3.5) | Optional | No |
| limit | Maximum number of items to fetch (the fetch stops once the device CVEs reach the limit) | Optional | No |

Context Output

War Room message: Fetched ${fetch_count} CVEs for ${fetch_device_count} devices matching search. ${pending_device_count} devices matching search were not fetched. Fetch count is limited to avoid server overload.

| Path | Type | Description |
| --- | --- | --- |
| AsimilyInsight.CVE.asimilycvename | string | Asimily CVE Name |
| AsimilyInsight.CVE.asimilycvecwetype | string | Asimily CVE CWE Type |
| AsimilyInsight.CVE.asimilycveentitytype | string | Asimily CVE Entity Type |
| AsimilyInsight.CVE.asimilycveentityname | string | Asimily CVE Entity Name |
| AsimilyInsight.CVE.asimilycvescore | number | Asimily CVE Score |
| AsimilyInsight.CVE.asimilycvecvss3basescore | number | Asimily CVE CVSS 3 Base Score |
| AsimilyInsight.CVE.asimilycvedescripttion | string | Asimily CVE Description (the context key keeps its original spelling) |
| AsimilyInsight.CVE.asimilycveisfixed | boolean | Asimily CVE Is Fixed |
| AsimilyInsight.CVE.asimilycvefixedby | string | Asimily CVE Fixed By |
| AsimilyInsight.CVE.asimilycveoempatched | boolean | Asimily CVE OEM Patched |
| AsimilyInsight.CVE.asimilycveismuted | boolean | Asimily CVE Is Muted |
| AsimilyInsight.CVE.asimilycveexploitableinwild | boolean | Asimily CVE Exploitable In Wild |
| AsimilyInsight.CVE.asimilycvepublisheddate | date | Asimily CVE Published Date |
| AsimilyInsight.CVE.asimilycveopendate | date | Asimily CVE Open Date |
| AsimilyInsight.CVE.asimilycvefixeddate | date | Asimily CVE Fixed Date |
| AsimilyInsight.CVE.asimilydeviceid | number | Asimily Device ID |
| AsimilyInsight.CVE.asimilydevicemacaddress | string | Asimily Device MAC Address |
| AsimilyInsight.CVE.asimilydeviceipv4address | string | Asimily Device IPv4 Address |
| AsimilyInsight.CVE.asimilydevicehostname | string | Asimily Device Host Name |
| AsimilyInsight.CVE.asimilydevicetype | string | Asimily Device Type |
| AsimilyInsight.CVE.asimilydevicemodel | string | Asimily Device Model |
| AsimilyInsight.CVE.asimilydeviceos | string | Asimily Device OS |
| AsimilyInsight.CVE.asimilydevicemanufacturer | string | Asimily Device Manufacturer |
| AsimilyInsight.CVE.asimilydevicefamilies | string | Asimily Device Families |

Additional Information

Incident Search

  1. System searchable fields: macaddress, devicelocalip, devicemodel, hostnames, deviceid
  2. Asimily Insight Custom searchable fields: asimilyanomalyname, asimilycvename

Incident Name

  1. For Asimily Anomaly incident, name will be anomalyname|hostname|ip|mac
  2. For Asimily CVE incident, name will be cvename|hostname|ip|mac

Incident Criticality Mapping

  1. XSOAR incidents have five levels of severity:
    • Informational (0)
    • Low (1)
    • Medium (2)
    • High (3)
    • Critical (4)
  2. Asimily anomaly alerts have three levels of criticality (Low/Medium/High). When creating incidents, the incident severity is set from the anomaly alert criticality (Low→1, Medium→2, High→3).
  3. Asimily asset CVEs carry an Asimily calculated CVE score (range 0-10). When creating incidents, the incident severity is set from the CVE score, using the same thresholds as the cve_score filter (Medium = 3.5, High = 7.5):
    • Low: score < 3.5
    • Medium: 3.5 ≤ score < 7.5
    • High: 7.5 ≤ score ≤ 10
  Neither mapping produces Critical (4); the highest severity an Asimily incident receives is High (3).
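The naming and severity rules from the two sections above, carried through as an added example (this is not the integration's fetch-incidents code): constructed anomaly and CVE records are turned into the dictionaries an XSOAR fetch-incidents returns, with boundary handling at 3.5, 7.5 and 10 and an explicit error for out-of-range scores. The incident type names and the layout of dbotMirrorId are assumptions made for this example; the page does not specify them.

```python
"""Build XSOAR incidents from Asimily records (added example, runs offline)."""
import json
from typing import Optional

# XSOAR severity values, Informational (0) to Critical (4).
SEVERITY = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Thresholds given on this page for the cve_score filter and the severity mapping.
CVE_HIGH = 7.5
CVE_MEDIUM = 3.5


def cve_score_to_severity(score: Optional[float]) -> int:
    """Map an Asimily calculated CVE score (0-10) to XSOAR severity.

    Lower boundaries are inclusive: 3.5 is Medium, 7.5 is High, 10 is High.
    A missing score becomes Informational; an out-of-range value raises so a
    malformed record is noticed instead of being filed as Low.
    """
    if score is None:
        return SEVERITY["Informational"]
    if not 0 <= score <= 10:
        raise ValueError(f"CVE score out of range: {score}")
    if score >= CVE_HIGH:
        return SEVERITY["High"]
    if score >= CVE_MEDIUM:
        return SEVERITY["Medium"]
    return SEVERITY["Low"]


def anomaly_criticality_to_severity(criticality: str) -> int:
    """Asimily anomaly criticality (Low/Medium/High) to XSOAR severity."""
    level = criticality.strip().title()
    if level not in ("Low", "Medium", "High"):
        raise ValueError(f"unknown anomaly criticality: {criticality!r}")
    return SEVERITY[level]


def incident_name(first: str, rec: dict) -> str:
    """Page format: name|hostname|ip|mac. Missing fields stay empty so columns never shift."""
    return "|".join([
        first,
        rec.get("asimilydevicehostname") or "",
        rec.get("asimilydeviceipv4address") or "",
        rec.get("asimilydevicemacaddress") or "",
    ])


def anomaly_to_incident(rec: dict) -> dict:
    return {
        "name": incident_name(rec["asimilyanomalyname"], rec),
        "type": "Asimily Anomaly",  # assumed incident type name
        "severity": anomaly_criticality_to_severity(rec["asimilyanomalycriticality"]),
        "occurred": rec["asimilyanomalylasttriggertime"],
        # assumed dedup key: one alert ID identifies one anomaly alert
        "dbotMirrorId": f"anomaly:{rec['asimilyanomalyalertid']}",
        "rawJSON": json.dumps(rec),
    }


def cve_to_incident(rec: dict) -> dict:
    return {
        "name": incident_name(rec["asimilycvename"], rec),
        "type": "Asimily CVE",  # assumed incident type name
        "severity": cve_score_to_severity(rec.get("asimilycvescore")),
        "occurred": rec["asimilycveopendate"],
        # assumed dedup key: a CVE is one finding per device
        "dbotMirrorId": f"cve:{rec['asimilycvename']}:{rec['asimilydeviceid']}",
        "rawJSON": json.dumps(rec),
    }


# Constructed sample records (not real Asimily output; the CVE ID is a placeholder).
ANOMALY = {
    "asimilyanomalyname": "Unexpected outbound connection",
    "asimilyanomalycriticality": "High",
    "asimilyanomalyalertid": "A-778",
    "asimilyanomalylasttriggertime": "2024-05-02T09:30:00Z",
    "asimilydeviceid": 42,
    "asimilydevicehostname": "infusion-pump-07",
    "asimilydeviceipv4address": "10.20.30.40",
    "asimilydevicemacaddress": "00:11:22:33:44:55",
}
CVE = {
    "asimilycvename": "CVE-0000-0001",
    "asimilycvescore": 7.5,  # exactly on the High boundary
    "asimilycveopendate": "2024-04-28T00:00:00Z",
    "asimilydeviceid": 42,
    "asimilydevicehostname": "",  # device with no resolved hostname
    "asimilydeviceipv4address": "10.20.30.40",
    "asimilydevicemacaddress": "00:11:22:33:44:55",
}

if __name__ == "__main__":
    for inc in (anomaly_to_incident(ANOMALY), cve_to_incident(CVE)):
        print(inc["severity"], inc["name"], inc["dbotMirrorId"])
```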

Default Playbook

To enrich incidents with corresponding asset information, we've published a default playbook for two custom incident types. This playbook calls asimily-get-asset-details to retrieve asset information and stores it in Context Data (under Asimily > Asset).

We've also added a section to custom incident layouts to display this information.

Users can modify this playbook or create similar ones. We recommend using the device ID or MAC address as a unique identifier when querying asset details.
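The enrichment step the default playbook performs, as an added example written as an XSOAR automation rather than a playbook (it is not the pack's playbook or code): it picks the most stable identifier in the order recommended above (device ID, then MAC, then IP as a last resort), calls asimily-get-asset-details with the argument names documented on this page, and pulls the first asset out of the AsimilyInsight.Asset context. The `execute_command` parameter stands in for demisto.executeCommand; that it returns a list of entries, that an error entry has Type 4, that the incident's searchable fields sit under CustomFields, and that context keys may carry a DT suffix such as "(val.x == obj.x)" are assumptions, and the stand-in executor and sample incident are constructed.

```python
"""Asset enrichment for an Asimily incident (added example, runs offline)."""
import re
from typing import Callable, Dict, List, Optional

Executor = Callable[[str, Dict[str, str]], List[dict]]

ERROR_ENTRY_TYPE = 4  # assumed: XSOAR entryTypes['error']
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
CONTEXT_KEY = "AsimilyInsight.Asset"


def choose_lookup_args(incident: dict) -> Optional[Dict[str, str]]:
    """Pick the identifier to query by: device ID, then MAC, then IP.

    IPs on IoT/OT segments are often DHCP-assigned or behind NAT, so an IP
    lookup can return a different device than the one that raised the alert.
    Returns None when the incident carries nothing usable.
    """
    fields = incident.get("CustomFields") or {}  # assumed field location
    device_id = fields.get("deviceid")
    if device_id not in (None, ""):
        return {"asimily_device_id": str(device_id)}
    mac = (fields.get("macaddress") or "").strip()
    if MAC_RE.match(mac):
        return {"mac_addr": mac}
    ip = (fields.get("devicelocalip") or "").strip()
    if ip:
        return {"ip_addr": ip}
    return None


def assets_from_entries(entries: List[dict]) -> List[dict]:
    """Collect AsimilyInsight.Asset objects, tolerating a DT suffix on the key."""
    assets: List[dict] = []
    for entry in entries:
        for key, value in (entry.get("EntryContext") or {}).items():
            if key.split("(", 1)[0] != CONTEXT_KEY:
                continue
            assets.extend([value] if isinstance(value, dict) else (value or []))
    return assets


def enrich_asset(incident: dict, execute_command: Executor) -> Optional[dict]:
    """Query asimily-get-asset-details and return the matching asset, or None.

    An error entry raises instead of returning an empty result: a playbook
    set to continue on error would otherwise file the incident as unenriched
    and nobody would see that the lookup itself failed.
    """
    args = choose_lookup_args(incident)
    if args is None:
        return None
    args["limit"] = "1"  # one identifier, one device expected
    entries = execute_command("asimily-get-asset-details", args)
    for entry in entries:
        if entry.get("Type") == ERROR_ENTRY_TYPE:
            raise RuntimeError(f"asset lookup failed: {entry.get('Contents')}")
    assets = assets_from_entries(entries)
    return assets[0] if assets else None


# Constructed stand-in for demisto.executeCommand and a constructed incident.
def fake_execute_command(command: str, args: Dict[str, str]) -> List[dict]:
    if command != "asimily-get-asset-details":
        raise RuntimeError(f"unexpected command {command}")
    if args.get("asimily_device_id") == "42":
        return [{"Type": 1, "Contents": {}, "EntryContext": {
            "AsimilyInsight.Asset(val.asimilydeviceid == obj.asimilydeviceid)": [
                {"asimilydeviceid": 42, "asimilydevicehostname": "infusion-pump-07",
                 "asimilydeviceriskscore": 8.1}]}}]
    return [{"Type": ERROR_ENTRY_TYPE, "Contents": "no asset matched"}]


SAMPLE_INCIDENT = {"id": "1", "CustomFields": {"deviceid": 42,
                                                "macaddress": "00:11:22:33:44:55"}}

if __name__ == "__main__":
    print(enrich_asset(SAMPLE_INCIDENT, fake_execute_command))
```

In a real automation, replace `fake_execute_command` with `demisto.executeCommand` and write the returned asset to context with `return_results` from CommonServerPython.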