Mandiant Attack Surface Management

This Integration is part of the Mandiant Advantage Attack Surface Management Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Integrate with Mandiant Advantage Attack Surface Management to import "issues" as Incidents. This integration was integrated and tested with version 1 of AttackSurfaceManagement

Configure Mandiant Attack Surface Management on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for Mandiant Attack Surface Management.

Click Add instance to create and configure a new integration instance.

Parameter	Description	Required
Your server URL	The ASM API URL. Leave as `https://asm-api.advantage.mandiant.com/\` if you're unsure	True
Access Key	The Access and Secret Keys used for authentication	True
Secret Key		True
Project ID	The ASM Project ID to retrieve issues from	False
Collection IDs	A list of Collection IDs, separated by commas (`,`)	False
Initial Lookback Days	The number of days to look back when first retrieving issues.	True
Maximum Issues To Fetch	The maximum number of issues to pull during a single fetch-incidents command.	True
Trust any certificate (not secure)		False
Use system proxy settings		False
Mirror incoming incidents		False

Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

attacksurfacemanagement-get-projects#

Retrieve a list of all accessible ASM projects.

Base Command#

attacksurfacemanagement-get-projects

Input#

There are no input arguments for this command.

Context Output#

Path	Type	Description
MandiantAdvantageASM.Projects.Name	String	The name of the project
MandiantAdvantageASM.Projects.ID	Number	The ID of the project
MandiantAdvantageASM.Projects.Owner	unknown	The E-Mail of the project owner

Command example#

!attacksurfacemanagement-get-projects

Context Example#

{
  "MandiantAdvantageASM": {
    "Projects": [
      {
        "ID": 6797,
        "Name": "ASMQA_AttackSurfaceAPP",
        "Owner": "name@attacksurface.app"
      }
    ]
  }
}

Human Readable Output#

Results#

ID Name Owner
6797 ASMQA_AttackSurfaceAPP name@attacksurface.app

ID	Name	Owner
6797	ASMQA_AttackSurfaceAPP	name@attacksurface.app

attacksurfacemanagement-get-collections#

Retrieve a list of collections for a specified project

Base Command#

attacksurfacemanagement-get-collections

Input#

Argument Name	Description	Required
project_id	The ID of the project to query collections for.	Optional

Context Output#

Path	Type	Description
MandiantAdvantageASM.Collections.Name	String	The name of the collection
MandiantAdvantageASM.Collections.ID	String	The ID of the collection
MandiantAdvantageASM.Collections.Owner	unknown	The owner of the collection

Command example#

!attacksurfacemanagement-get-collections

Context Example#

{
    "MandiantAdvantageASM": {
        "Collections": [
            {
                "ID": "attacksurface_mw3tdwq",
                "Name": "Attacksurface_APP_QA",
                "Owner": "ASMQA_AttackSurfaceAPP"
            }
        ]
    }
}

Human Readable Output#

Results#

ID Name Owner
attacksurface_mw3tdwq Attacksurface_APP_QA ASMQA_AttackSurfaceAPP

ID	Name	Owner
attacksurface_mw3tdwq	Attacksurface_APP_QA	ASMQA_AttackSurfaceAPP

fetch-incidents#

Fetch Incidents

Base Command#

fetch-incidents

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

get-remote-data#

Update a specific incident

Base Command#

get-remote-data

Input#

Argument Name	Description	Required
id	The ASM Incident ID.	Required
lastUpdate	Retrieve entries that were created after lastUpdate. Default is 0.	Optional

Context Output#

There is no context output for this command.

update-remote-system#

Update issue in Mandiant Advantage ASM

Base Command#

update-remote-system

Input#

Argument Name	Description	Required

Context Output#

There is no context output for this command.

Incident Mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and Mandiant Attack Surface Management corresponding events (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

Enable Fetching incidents in your instance configuration.

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents. Important Note: To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and Mandiant Attack Surface Management.