Cortex Xpanse
This Integration is part of the Cortex Xpanse Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
Integration to pull assets and other ASM related information. This integration was integrated and tested with version 2.0 of Cortex Expander.
Configure Cortex Xpanse on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Cortex Xpanse.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL The web UI with `api-` appended to front (e.g., https://api-xsiam.paloaltonetworks.com\). For more information, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis. True API Key ID For more information, see https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis. True API Key True Trust any certificate (not secure) False Use system proxy settings False Fetch incidents False Incidents Fetch Interval False Incident type False Maximum number of alerts per fetch The maximum number of alerts per fetch. Cannot exceed 100. False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) False Alert Severities to Fetch The severity of the alerts that will be fetched. If no severity is provided then alerts of all the severities will be fetched. Note: An alert whose status was changed to a filtered status after its creation time will not be fetched. False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
asm-list-external-service#
Get a list of all your external services filtered by business units, externally detected providers, domain, externally inferred CVEs, active classifications, inactive classifications, service name, service type, protocol, IP address, is active, and discovery type. Maximum result limit is 100 assets.
Base Command#
asm-list-external-service
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip_address | IP address on which to search. | Optional |
| domain | Domain on which to search. | Optional |
| is_active | Whether the service is active. Possible values are: yes, no. | Optional |
| discovery_type | How the service was discovered. Possible values are: colocated_on_ip, directly_discovery, unknown. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.ExternalService.service_id | String | External service UUID. |
| ASM.ExternalService.service_name | String | Name of the external service. |
| ASM.ExternalService.service_type | String | Type of the external service. |
| ASM.ExternalService.ip_address | String | IP address of the external service. |
| ASM.ExternalService.externally_detected_providers | String | Providers of the external service. |
| ASM.ExternalService.is_active | String | Whether the external service is active. |
| ASM.ExternalService.first_observed | Date | Date of the first observation of the external service. |
| ASM.ExternalService.last_observed | Date | Date of the last observation of the external service. |
| ASM.ExternalService.port | Number | Port number of the external service. |
| ASM.ExternalService.protocol | String | Protocol number of the external service. |
| ASM.ExternalService.inactive_classifications | String | External service classifications that are no longer active. |
| ASM.ExternalService.discovery_type | String | How the external service was discovered. |
| ASM.ExternalService.business_units | String | External service associated business units. |
| ASM.ExternalService.externally_inferred_vulnerability_score | Unknown | External service vulnerability score. |
Command example#
!asm-list-external-service domain=acme.com is_active=yes discovery_type=directly_discovery
Context Example#
Human Readable Output#
External Services#
Active Classifications Business Units Discovery Type Domain Externally Detected Providers First Observed Ip Address Is Active Last Observed Port Protocol Service Id Service Name Service Type HttpServer,
MicrosoftOWAServer,
ServerSoftware,
MicrosoftIisWebServer,
ApplicationServerSoftwareAcme,
VanDelay IndustriesDirectlyDiscovered autodiscover.acme.com Microsoft Azure 1659395040000 1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1Active 1663024320000 80 TCP 4c755fea-59e8-3719-8829-9f6adde65068 HTTP Server at autodiscover.acme.com:80 HttpServer HttpServer,
ServerSoftwareAcme,
VanDelay IndustriesDirectlyDiscovered web.acme.com Amazon Web Services 1659396480000 1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1Active 1663029060000 80 TCP 32c85ab1-fc98-3061-a813-2fe5daf7e7c5 HTTP Server at web.acme.com:80 HttpServer
asm-get-external-service#
Get service details according to the service ID.
Base Command#
asm-get-external-service
Input#
| Argument Name | Description | Required |
|---|---|---|
| service_id | A string representing the service ID you want to get details for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.ExternalService.service_id | String | External service UUID. |
| ASM.ExternalService.service_name | String | Name of the external service. |
| ASM.ExternalService.service_type | String | Type of the external service. |
| ASM.ExternalService.ip_address | String | IP address of the external service. |
| ASM.ExternalService.externally_detected_providers | String | Providers of the external service. |
| ASM.ExternalService.is_active | String | Whether the external service is active. |
| ASM.ExternalService.first_observed | Date | Date of the first observation of the external service. |
| ASM.ExternalService.last_observed | Date | Date of the last observation of the external service. |
| ASM.ExternalService.port | Number | Port number of the external service. |
| ASM.ExternalService.protocol | String | Protocol of the external service. |
| ASM.ExternalService.inactive_classifications | String | External service classifications that are no longer active. |
| ASM.ExternalService.discovery_type | String | How the external service was discovered. |
| ASM.ExternalService.business_units | String | External service associated business units. |
| ASM.ExternalService.externally_inferred_vulnerability_score | Unknown | External service vulnerability score. |
| ASM.ExternalService.details | String | Additional details. |
Command example#
!asm-get-external-service service_id=94232f8a-f001-3292-aa65-63fa9d981427
Context Example#
Human Readable Output#
External Service#
Active Classifications Business Units Details Discovery Type Externally Detected Providers Externally Inferred Cves Externally Inferred Vulnerability Score First Observed Ip Address Is Active Last Observed Port Protocol Service Id Service Name Service Type SSHWeakMACAlgorithmsEnabled,
SshServer,
OpenSSHAcme serviceKey: 1.1.1.1:22
serviceKeyType: IP
businessUnits: {'name': 'Acme'}
providerDetails: {'name': 'AWS', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}
certificates:
domains:
ips: {'ip': 873887795, 'protocol': 'TCP', 'provider': 'AWS', 'geolocation': {'latitude': 39.0438, 'longitude': -77.4879, 'countryCode': 'US', 'city': 'ASHBURN', 'regionCode': 'VA', 'timeZone': None}, 'activityStatus': 'Active', 'lastObserved': 1663026500000, 'firstObserved': 1662774169000}
classifications: {'name': 'SshServer', 'activityStatus': 'Active', 'values': [{'jsonValue': '{"version":"2.0","serverVersion":"OpenSSH_7.6p1","extraInfo":"Ubuntu-4ubuntu0.7"}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000},
{'name': 'SSHWeakMACAlgorithmsEnabled', 'activityStatus': 'Active', 'values': [{'jsonValue': '{}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000},
{'name': 'OpenSSH', 'activityStatus': 'Active', 'values': [{'jsonValue': '{"version":"7.6"}', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}], 'firstObserved': 1662774120000, 'lastObserved': 1663026480000}
tlsVersions:
inferredCvesObserved: {'inferredCve': {'cveId': 'CVE-2020-15778', 'cvssScoreV2': 6.8, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 7.8, 'cveSeverityV3': 'HIGH', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2021-41617', 'cvssScoreV2': 4.4, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 7.0, 'cveSeverityV3': 'HIGH', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2019-6110', 'cvssScoreV2': 4.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 6.8, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2019-6109', 'cvssScoreV2': 4.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 6.8, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2020-14145', 'cvssScoreV2': 4.3, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.9, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2019-6111', 'cvssScoreV2': 5.8, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.9, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2018-20685', 'cvssScoreV2': 2.6, 'cveSeverityV2': 'LOW', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2018-15919', 'cvssScoreV2': 5.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2016-20012', 'cvssScoreV2': 4.3, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2018-15473', 'cvssScoreV2': 5.0, 'cveSeverityV2': 'MEDIUM', 'cvssScoreV3': 5.3, 'cveSeverityV3': 'MEDIUM', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000},
{'inferredCve': {'cveId': 'CVE-2021-36368', 'cvssScoreV2': 2.6, 'cveSeverityV2': 'LOW', 'cvssScoreV3': 3.7, 'cveSeverityV3': 'LOW', 'inferredCveMatchMetadata': {'inferredCveMatchType': 'ExactVersionMatch', 'product': 'openssh', 'confidence': 'High', 'vendor': 'openbsd', 'version': '7.6'}}, 'activityStatus': 'Active', 'firstObserved': 1662774169000, 'lastObserved': 1663026500000}
enrichedObservationSource: CLOUD
ip_ranges: {}ColocatedOnIp Amazon Web Services CVE-2020-15778,
CVE-2021-41617,
CVE-2019-6110,
CVE-2019-6109,
CVE-2020-14145,
CVE-2019-6111,
CVE-2018-20685,
CVE-2018-15919,
CVE-2016-20012,
CVE-2018-15473,
CVE-2021-363687.8 1662774120000 1.1.1.1 Active 1663026480000 22 TCP 94232f8a-f001-3292-aa65-63fa9d981427 SSH Server at 1.1.1.1:22 SshServer
asm-list-external-ip-address-range#
Get a list of all your internet exposures filtered by business units and organization handles. Maximum result limit is 100 ranges.
Base Command#
asm-list-external-ip-address-range
Input#
| Argument Name | Description | Required |
|---|
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.ExternalIpAddressRange.range_id | String | External IP address range UUID. |
| ASM.ExternalIpAddressRange.first_ip | String | First IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.last_ip | String | Last IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.ips_count | Number | Number of IP addresses of the external IP address range. |
| ASM.ExternalIpAddressRange.active_responsive_ips_count | Number | The number of IPs in the external address range that are actively responsive. |
| ASM.ExternalIpAddressRange.date_added | Date | Date the external IP address range was added. |
| ASM.ExternalIpAddressRange.business_units | String | External IP address range associated business units. |
| ASM.ExternalIpAddressRange.organization_handles | String | External IP address range associated organization handles. |
Command example#
!asm-list-external-ip-address-range
Context Example#
Human Readable Output#
External IP Address Ranges#
Active Responsive Ips Count Business Units Date Added First Ip Ips Count Last Ip Organization Handles Range Id 0 VanDelay Industries 1663031000145 1.1.1.1 64 1.1.1.1 MAINT-HK-PCCW-BIA-CS,
BNA2-AP,
TA66-AP4da29b7f-3086-3b52-981b-aa8ee5da1e60 0 VanDelay Industries 1663031000144 1.1.1.1 16 1.1.1.1 AR17615-RIPE,
EASYNET-UK-MNT,
JW372-RIPE,
EH92-RIPE6ef4638e-7788-3ef5-98a5-ad5b7f4e02f5
asm-get-external-ip-address-range#
Get external IP address range details according to the range IDs.
Base Command#
asm-get-external-ip-address-range
Input#
| Argument Name | Description | Required |
|---|---|---|
| range_id | A string representing the range ID for which you want to get the details. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.ExternalIpAddressRange.range_id | String | External IP address range UUID. |
| ASM.ExternalIpAddressRange.first_ip | String | First IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.last_ip | String | Last IP address of the external IP address range. |
| ASM.ExternalIpAddressRange.ips_count | Number | Number of IP addresses of the external IP address range. |
| ASM.ExternalIpAddressRange.active_responsive_ips_count | Number | The number of IPs in the external address range that are actively responsive. |
| ASM.ExternalIpAddressRange.date_added | Date | Date the external IP address range was added. |
| ASM.ExternalIpAddressRange.business_units | String | External IP address range associated business units. |
| ASM.ExternalIpAddressRange.organization_handles | String | External IP address range associated organization handles. |
| ASM.ExternalIpAddressRange.details | String | Additional information. |
Command example#
!asm-get-external-ip-address-range range_id=4da29b7f-3086-3b52-981b-aa8ee5da1e60
Context Example#
Human Readable Output#
External IP Address Range#
Active Responsive Ips Count Business Units Date Added Details First Ip Ips Count Last Ip Organization Handles Range Id 0 VanDelay Industries 1663031000145 networkRecords: {'handle': '1.1.1.1 - 1.1.1.1', 'firstIp': '1.1.1.1', 'lastIp': '1.1.1.1', 'name': 'SEARS-HK', 'whoIsServer': 'whois.apnic.net', 'lastChanged': 1663030241931, 'organizationRecords': [{'handle': 'MAINT-HK-PCCW-BIA-CS', 'dateAdded': 1663029346957, 'address': '', 'email': 'noc@acme.com', 'phone': '', 'org': '', 'formattedName': '', 'kind': 'group', 'roles': ['registrant'], 'lastChanged': None, 'firstRegistered': None, 'remarks': ''}, {'handle': 'BNA2-AP', 'dateAdded': 1663029346957, 'address': "27/F, PCCW Tower, Taikoo Place,\n979 King's Road, Quarry Bay, HK ", 'email': 'cs@acme.com', 'phone': '+852-2888-6932', 'org': '', 'formattedName': 'BIZ NETVIGATOR ADMINISTRATORS', 'kind': 'group', 'roles': ['administrative'], 'lastChanged': 1514892767000, 'firstRegistered': 1220514857000, 'remarks': ''}, {'handle': 'TA66-AP', 'dateAdded': 1663029346957, 'address': 'HKT Limited\nPO Box 9896 GPO ', 'email': 'noc@acme.com', 'phone': '+852-2883-5151', 'org': '', 'formattedName': 'TECHNICAL ADMINISTRATORS', 'kind': 'group', 'roles': ['technical'], 'lastChanged': 1468555410000, 'firstRegistered': 1220514856000, 'remarks': ''}], 'remarks': 'Sears Holdings Global Sourcing Ltd'} 1.1.1.1 64 1.1.1.1 MAINT-HK-PCCW-BIA-CS,
BNA2-AP,
TA66-AP4da29b7f-3086-3b52-981b-aa8ee5da1e60
asm-list-asset-internet-exposure#
Get a list of all your internet exposures filtered by ip address, domain, type, and/or if there is an active external service. Maximum result limit is 100 assets.
Base Command#
asm-list-asset-internet-exposure
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip_address | IP address on which to search. | Optional |
| name | Name of asset on which to search. | Optional |
| type | Type of the external service. Possible values are: certificate, cloud_compute_instance, on_prem, domain, unassociated_responsive_ip. | Optional |
| has_active_external_services | Whether the internet exposure has an active external service. Possible values are: yes, no. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.AssetInternetExposure.asm_ids | String | Attack surface management UUID. |
| ASM.AssetInternetExposure.name | String | Name of the exposed asset. |
| ASM.AssetInternetExposure.asset_type | String | Type of the exposed asset. |
| ASM.AssetInternetExposure.cloud_provider | Unknown | The cloud provider used to collect these cloud assets as either GCP, AWS, or Azure. |
| ASM.AssetInternetExposure.region | Unknown | Displays the region as provided by the cloud provider. |
| ASM.AssetInternetExposure.last_observed | Unknown | Last time the exposure was observed. |
| ASM.AssetInternetExposure.first_observed | Unknown | First time the exposure was observed. |
| ASM.AssetInternetExposure.has_active_externally_services | Boolean | Whether the internet exposure is associated with an active external service(s). |
| ASM.AssetInternetExposure.has_xdr_agent | String | Whether the internet exposure asset has an XDR agent. |
| ASM.AssetInternetExposure.cloud_id | Unknown | Displays the resource ID as provided from the cloud provider. |
| ASM.AssetInternetExposure.domain_resolves | Boolean | Whether the asset domain is resolvable. |
| ASM.AssetInternetExposure.operation_system | Unknown | The operating system reported by the source for this asset. |
| ASM.AssetInternetExposure.agent_id | Unknown | The endpoint ID if there is an endpoint installed on this asset. |
| ASM.AssetInternetExposure.externally_detected_providers | String | The provider of the asset as determined by an external assessment. |
| ASM.AssetInternetExposure.service_type | String | Type of the asset. |
| ASM.AssetInternetExposure.externally_inferred_cves | String | If the internet exposure has associated CVEs. |
| ASM.AssetInternetExposure.ips | String | IP addresses associated with the internet exposure. |
Command example#
!asm-list-asset-internet-exposure name="acme.com" type=certificate has_active_external_services=no
Context Example#
Human Readable Output#
Asset Internet Exposures#
Asm Ids Asset Type Business Units Certificate Algorithm Certificate Classifications Certificate Issuer Domain Resolves Has Active Externally Services Has Xdr Agent Name Sensor cfa1cd5a-77f1-3963-8557-7f652309a143 CERTIFICATE Acme,
VanDelay IndustriesSHA256withRSA LongExpiration,
Wildcard,
ExpiredDigiCert false false NA *.digital-dev.acme.com XPANSE 78a11e94-58a9-329c-99ca-e527d2db6cfb CERTIFICATE Acme,
VanDelay IndustriesSHA256withRSA LongExpiration,
Wildcard,
ExpiredDigiCert false false NA *.digital-prod.acme.com XPANSE
asm-get-asset-internet-exposure#
Get internet exposure asset details according to the asset ID.
Base Command#
asm-get-asset-internet-exposure
Input#
| Argument Name | Description | Required |
|---|---|---|
| asm_id | A string representing the asset ID for which you want to get the details. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.AssetInternetExposure.asm_ids | String | Attack surface management UUID. |
| ASM.AssetInternetExposure.name | String | Name of the exposed asset. |
| ASM.AssetInternetExposure.type | String | Type of the exposed asset. |
| ASM.AssetInternetExposure.last_observed | Unknown | Last time the exposure was observed. |
| ASM.AssetInternetExposure.first_observed | Unknown | First time the exposure was observed. |
| ASM.AssetInternetExposure.created | Date | Date the ASM issue was created. |
| ASM.AssetInternetExposure.business_units | String | Asset associated business units. |
| ASM.AssetInternetExposure.domain | Unknown | Asset associated domain. |
| ASM.AssetInternetExposure.certificate_issuer | String | Asset certificate issuer. |
| ASM.AssetInternetExposure.certificate_algorithm | String | Asset certificate algorithm. |
| ASM.AssetInternetExposure.certificate_classifications | String | Asset certificate classifications. |
| ASM.AssetInternetExposure.resolves | Boolean | Whether the asset has DNS resolution. |
| ASM.AssetInternetExposure.details | Unknown | Additional details. |
| ASM.AssetInternetExposure.externally_inferred_vulnerability_score | Unknown | Asset vulnerability score. |
Command example#
!asm-get-asset-internet-exposure asm_id=3c176460-8735-333c-b618-8262e2fb660c
Context Example#
Human Readable Output#
Asset Internet Exposure#
Asm Ids Business Units Certificate Algorithm Certificate Classifications Certificate Issuer Created Details Name Resolves Type 3c176460-8735-333c-b618-8262e2fb660c Acme SHA1withRSA Wildcard,
Expired,
InsecureSignatureThawte 1663030146931 providerDetails:
domain: null
topLevelAssetMapperDomain: null
domainAssetType: null
isPaidLevelDomain: false
domainDetails: null
dnsZone: null
latestSampledIp: null
subdomainMetadata: null
recentIps:
businessUnits: {'name': 'Acme'}
certificateDetails: {"issuer": "C=US,O=Thawte\, Inc.,CN=Thawte SSL CA", "issuerAlternativeNames": "", "issuerCountry": "US", "issuerEmail": null, "issuerLocality": null, "issuerName": "Thawte SSL CA", "issuerOrg": "Thawte\\, Inc.", "formattedIssuerOrg": "Thawte", "issuerOrgUnit": null, "issuerState": null, "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp21W/QVHuo0Nyy9l6Qp6Ye7yniuCccplWLdkL34pB0roNWBiklLJFftFTXJLtUuYEBhEbUtOPtNr5QRZFo+LQSj+JMQsGajEgNvIIMDms2xtc+vYkuJeNRsN/0zRm8iBjCNEZ0zBbWdupO6xee+Lngq5RiyRzAN2+Q5HlmHmVOcc7NtY5VIQhajp3a5Gc7tmLXa7ZxwQb+afdlpmE0iv4ZxmXFyHwlPXUlIxfETDDjtv2EzAgrnpZ5juo7TEFZA7AjsT0lO6cC2qPE9x9kC02PeC1Heg4hWf70CsXcKQBsprLqusrPYM9+OYfZnj+Dq9j6FjZD314Nz4qTGwmZrwDQIDAQAB", "publicKeyAlgorithm": "RSA", "publicKeyRsaExponent": 65537, "signatureAlgorithm": "SHA1withRSA", "subject": "C=US,ST=New Jersey,L=Wayne,O=Acme,OU=MIS,CN=.acme.com", "subjectAlternativeNames": ".acme.com", "subjectCountry": "US", "subjectEmail": null, "subjectLocality": "Wayne", "subjectName": "*.acme.com", "subjectOrg": "Acme", "subjectOrgUnit": "MIS", "subjectState": "New Jersey", "serialNumber": "91384582774546160650506315451812470612", "validNotBefore": 1413158400000, "validNotAfter": 1444780799000, "version": "3", "publicKeyBits": 2048, "publicKeyModulus": "a76d56fd0547ba8d0dcb2f65e90a7a61eef29e2b8271ca6558b7642f7e29074ae83560629252c915fb454d724bb54b981018446d4b4e3ed36be50459168f8b4128fe24c42c19a8c480dbc820c0e6b36c6d73ebd892e25e351b0dff4cd19bc8818c2344674cc16d676ea4eeb179ef8b9e0ab9462c91cc0376f90e479661e654e71cecdb58e5521085a8e9ddae4673bb662d76bb671c106fe69f765a661348afe19c665c5c87c253d75252317c44c30e3b6fd84cc082b9e96798eea3b4c415903b023b13d253ba702daa3c4f71f640b4d8f782d477a0e2159fef40ac5dc29006ca6b2eabacacf60cf7e3987d99e3f83abd8fa163643df5e0dcf8a931b0999af00d", "publicKeySpki": "Up3fHwOddA9cXEeO4XBOgn63bfnvkXsOrOv6AycwQAk=", "sha1Fingerprint": "77d025c36f055e254063ae2ac3625fd4bf4507fb", "sha256Fingerprint": "9a37c952ee1169cfa6e91efb57fe6d405d1ca48b26a714e9a46f008c15ea62e8", "md5Fingerprint": "498ec19ebd6c6883ecd43d064e713002"}
inferredCvesObserved:
ip_ranges: {}*.acme.com false Certificate
asm-list-alerts#
Get a list of all your ASM alerts filtered by alert IDs, severity and/or creation time. Can also sort by creation time or severity. Maximum result limit is 100 assets.
Base Command#
asm-list-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id_list | Comma-separated list of integers of the alert ID. | Optional |
| severity | Comma-separated list of strings of alert severity (valid values are low, medium, high, critical, informational). | Optional |
| lte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or before the specified date/time will be retrieved. | Optional |
| gte_creation_time | A date in the format 2019-12-31T23:59:00. Only incidents that were created on or after the specified date/time will be retrieved. | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). Possible values are: asc, desc. | Optional |
| sort_by_severity | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). Possible values are: asc, desc. | Optional |
| page | Page number (for pagination). The default is 0 (the first page). Default is 0. | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. Default is 100. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ASM.Alert.alert_id | String | A unique identifier that Cortex XSIAM assigns to each alert. |
| ASM.Alert.severity | String | The severity that was assigned to this alert when it was triggered (Options are Informational, Low, Medium, High, Critical, or Unknown). |
| ASM.Alert.external_id | String | The alert ID as recorded in the detector from which this alert was sent. |
| ASM.Alert.name | String | Summary of the ASM internet exposure alert. |
| ASM.Alert.description | String | More detailed explanation of internet exposure alert. |
| ASM.Alert.host_name | String | The hostname of the endpoint or server on which this alert triggered. |
| ASM.Alert.dynamic_fields | Unknown | Alert fields pulled from Cortex XSOAR context. |
| ASM.Alert.events | Unknown | Individual events that comprise the alert. |
| ASM.Alert.detection_timestamp | Date | Date the alert was created. |
Command example#
!asm-list-alerts limit=2 severity=high sort_by_creation_time=asc
Context Example#
Human Readable Output#
ASM Alerts#
Action Action Pretty Agent Os Type Alert Id Alert Type Description Detection Timestamp Events External Id Is Pcap Is Whitelisted Last Modified Ts Local Insert Ts Matching Status Name Resolution Comment Resolution Status Severity Source Starred NOT_AVAILABLE N/A NO_HOST 231 Unclassified Networking and security infrastructure, such as firewalls and routers, generally should not have their administration panels open to public Internet. Compromise of these devices, often though password guessing or vulnerability exploitation, provides privileged access to an enterprise network. 1659452808759 {'agent_install_type': 'NA', 'agent_host_boot_time': None, 'event_sub_type': None, 'module_id': None, 'association_strength': None, 'dst_association_strength': None, 'story_id': None, 'event_id': None, 'event_type': None, 'event_timestamp': 1659452808759, 'actor_process_instance_id': None, 'actor_process_image_path': None, 'actor_process_image_name': None, 'actor_process_command_line': None, 'actor_process_signature_status': 'N/A', 'actor_process_signature_vendor': None, 'actor_process_image_sha256': None, 'actor_process_image_md5': None, 'actor_process_causality_id': None, 'actor_causality_id': None, 'actor_process_os_pid': None, 'actor_thread_thread_id': None, 'causality_actor_process_image_name': None, 'causality_actor_process_command_line': None, 'causality_actor_process_image_path': None, 'causality_actor_process_signature_vendor': None, 'causality_actor_process_signature_status': 'N/A', 'causality_actor_causality_id': None, 'causality_actor_process_execution_time': None, 'causality_actor_process_image_md5': None, 'causality_actor_process_image_sha256': None, 'action_file_path': None, 'action_file_name': None, 'action_file_md5': None, 'action_file_sha256': None, 'action_file_macro_sha256': None, 'action_registry_data': None, 'action_registry_key_name': None, 'action_registry_value_name': None, 'action_registry_full_key': None, 'action_local_ip': None, 'action_local_ip_v6': None, 'action_local_port': None, 'action_remote_ip': None, 'action_remote_ip_v6': None, 'action_remote_port': 80, 'action_external_hostname': None, 'action_country': 'UNKNOWN', 'action_process_instance_id': None, 'action_process_causality_id': None, 'action_process_image_name': None, 'action_process_image_sha256': None, 'action_process_image_command_line': None, 'action_process_signature_status': 'N/A', 'action_process_signature_vendor': None, 'os_actor_effective_username': None, 'os_actor_process_instance_id': None, 'os_actor_process_image_path': None, 'os_actor_process_image_name': None, 'os_actor_process_command_line': None, 'os_actor_process_signature_status': 'N/A', 'os_actor_process_signature_vendor': None, 'os_actor_process_image_sha256': None, 'os_actor_process_causality_id': None, 'os_actor_causality_id': None, 'os_actor_process_os_pid': None, 'os_actor_thread_thread_id': None, 'fw_app_id': None, 'fw_interface_from': None, 'fw_interface_to': None, 'fw_rule': None, 'fw_rule_id': None, 'fw_device_name': None, 'fw_serial_number': None, 'fw_url_domain': None, 'fw_email_subject': None, 'fw_email_sender': None, 'fw_email_recipient': None, 'fw_app_subcategory': None, 'fw_app_category': None, 'fw_app_technology': None, 'fw_vsys': None, 'fw_xff': None, 'fw_misc': None, 'fw_is_phishing': 'N/A', 'dst_agent_id': None, 'dst_causality_actor_process_execution_time': None, 'dns_query_name': None, 'dst_action_external_hostname': None, 'dst_action_country': None, 'dst_action_external_port': None, 'contains_featured_host': 'NO', 'contains_featured_user': 'NO', 'contains_featured_ip': 'NO', 'image_name': None, 'container_id': None, 'cluster_name': None, 'referenced_resource': None, 'operation_name': None, 'identity_sub_type': None, 'identity_type': None, 'project': None, 'cloud_provider': None, 'resource_type': None, 'resource_sub_type': None, 'user_agent': None, 'user_name': None} FAKE-GUID false false 1660240725450 1659455267908 MATCHED Networking Infrastructure ASM alert resolution STATUS_070_RESOLVED_OTHER high ASM false NOT_AVAILABLE N/A NO_HOST 33 Unclassified Networking and security infrastructure, such as firewalls and routers, generally should not have their administration panels open to public Internet. Compromise of these devices, often though password guessing or vulnerability exploitation, provides privileged access to an enterprise network. 1659452809020 {'agent_install_type': 'NA', 'agent_host_boot_time': None, 'event_sub_type': None, 'module_id': None, 'association_strength': None, 'dst_association_strength': None, 'story_id': None, 'event_id': None, 'event_type': None, 'event_timestamp': 1659452809020, 'actor_process_instance_id': None, 'actor_process_image_path': None, 'actor_process_image_name': None, 'actor_process_command_line': None, 'actor_process_signature_status': 'N/A', 'actor_process_signature_vendor': None, 'actor_process_image_sha256': None, 'actor_process_image_md5': None, 'actor_process_causality_id': None, 'actor_causality_id': None, 'actor_process_os_pid': None, 'actor_thread_thread_id': None, 'causality_actor_process_image_name': None, 'causality_actor_process_command_line': None, 'causality_actor_process_image_path': None, 'causality_actor_process_signature_vendor': None, 'causality_actor_process_signature_status': 'N/A', 'causality_actor_causality_id': None, 'causality_actor_process_execution_time': None, 'causality_actor_process_image_md5': None, 'causality_actor_process_image_sha256': None, 'action_file_path': None, 'action_file_name': None, 'action_file_md5': None, 'action_file_sha256': None, 'action_file_macro_sha256': None, 'action_registry_data': None, 'action_registry_key_name': None, 'action_registry_value_name': None, 'action_registry_full_key': None, 'action_local_ip': None, 'action_local_ip_v6': None, 'action_local_port': None, 'action_remote_ip': None, 'action_remote_ip_v6': None, 'action_remote_port': 80, 'action_external_hostname': None, 'action_country': 'UNKNOWN', 'action_process_instance_id': None, 'action_process_causality_id': None, 'action_process_image_name': None, 'action_process_image_sha256': None, 'action_process_image_command_line': None, 'action_process_signature_status': 'N/A', 'action_process_signature_vendor': None, 'os_actor_effective_username': None, 'os_actor_process_instance_id': None, 'os_actor_process_image_path': None, 'os_actor_process_image_name': None, 'os_actor_process_command_line': None, 'os_actor_process_signature_status': 'N/A', 'os_actor_process_signature_vendor': None, 'os_actor_process_image_sha256': None, 'os_actor_process_causality_id': None, 'os_actor_causality_id': None, 'os_actor_process_os_pid': None, 'os_actor_thread_thread_id': None, 'fw_app_id': None, 'fw_interface_from': None, 'fw_interface_to': None, 'fw_rule': None, 'fw_rule_id': None, 'fw_device_name': None, 'fw_serial_number': None, 'fw_url_domain': None, 'fw_email_subject': None, 'fw_email_sender': None, 'fw_email_recipient': None, 'fw_app_subcategory': None, 'fw_app_category': None, 'fw_app_technology': None, 'fw_vsys': None, 'fw_xff': None, 'fw_misc': None, 'fw_is_phishing': 'N/A', 'dst_agent_id': None, 'dst_causality_actor_process_execution_time': None, 'dns_query_name': None, 'dst_action_external_hostname': None, 'dst_action_country': None, 'dst_action_external_port': None, 'contains_featured_host': 'NO', 'contains_featured_user': 'NO', 'contains_featured_ip': 'NO', 'image_name': None, 'container_id': None, 'cluster_name': None, 'referenced_resource': None, 'operation_name': None, 'identity_sub_type': None, 'identity_type': None, 'project': None, 'cloud_provider': None, 'resource_type': None, 'resource_sub_type': None, 'user_agent': None, 'user_name': None} FAKE-GUID false false 1660240426055 1659455246812 MATCHED Networking Infrastructure ASM alert resolution STATUS_070_RESOLVED_OTHER high ASM false