# Cyberpion

This Integration is part of the Cyberpion Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Vulnerabilities management

This integration was integrated and tested with version 1.0 of Cyberpion.

## Configure Cyberpion on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cyberpion.
3. Click Add instance to create and configure a new integration instance.

   | Parameter | Description | Required |
   | --- | --- | --- |
   | Server URL (e.g. https://api.example.com/security/api) | | True |
   | API Key | | True |
   | Maximum number of incidents per fetch | | False |
   | Action items category to fetch as incidents | Allowed values: "DNS", "PKI", "Cloud", "Vulnerabilities". | True |
   | Minimum Action items severity level to fetch incidents from | Allowed values are integers between 1 and 10. 1 will fetch all incidents. | True |
   | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
   | Fetch incidents | | False |
   | Incident type | | False |
   | Show only active issues | | False |

4. Click Test to validate the URLs, token, and connection.
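The following added example (not the integration's own code) shows how the category, minimum severity and active-only parameters from the table above narrow the set of action items that would become incidents. It assumes the severity parameter is compared against each action item's `urgency` field and that "Show only active issues" keeps only items with `is_open` set; the sample items are constructed to match the Context Example shown later on this page.

```python
# Added example (not the integration's own code): how the fetch parameters
# from the table above narrow the action items that become incidents.
# Assumptions: "Minimum Action items severity level" is compared against each
# item's "urgency" field, and "Show only active issues" keeps is_open items.
from typing import Dict, Iterable, List

ALLOWED_CATEGORIES = {"DNS", "PKI", "Cloud", "Vulnerabilities"}


def validate_params(categories: Iterable[str], min_severity: int) -> None:
    """Reject values outside the ranges the configuration table allows."""
    unknown = set(categories) - ALLOWED_CATEGORIES
    if unknown:
        raise ValueError(f"unknown action item category: {sorted(unknown)}")
    if not isinstance(min_severity, int) or not 1 <= min_severity <= 10:
        raise ValueError("minimum severity must be an integer between 1 and 10")


def select_incidents(items: List[Dict], categories: Iterable[str], min_severity: int,
                     active_only: bool, max_fetch: int) -> List[Dict]:
    """Return the action items that pass the category/severity/active filters."""
    validate_params(categories, min_severity)
    wanted = set(categories)
    selected = [
        item for item in items
        if item["category"] in wanted
        and item["urgency"] >= min_severity
        and (item["is_open"] or not active_only)
    ]
    # Oldest first, so a capped fetch never silently skips older items.
    selected.sort(key=lambda item: item["creation_time"])
    return selected[:max_fetch]


# Constructed sample items shaped like the Context Example on this page.
SAMPLE_ITEMS = [
    {"id": 175692, "category": "PKI", "urgency": 5, "is_open": True,
     "creation_time": "2020-11-19 14:27:07.430866 UTC"},
    {"id": 1, "category": "DNS", "urgency": 2, "is_open": False,
     "creation_time": "2020-11-18 09:00:00.000000 UTC"},
    {"id": 2, "category": "Cloud", "urgency": 8, "is_open": True,
     "creation_time": "2020-11-20 10:00:00.000000 UTC"},
]

if __name__ == "__main__":
    for item in select_incidents(SAMPLE_ITEMS, ["PKI", "Cloud"], 5, True, 10):
        print(item["id"], item["category"], item["urgency"])
```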

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cyberpion-get-domain-action-items

Retrieves a domain's action items.

#### Base Command

`cyberpion-get-domain-action-items`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Get action items for this domain. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberpion.DomainData.Vulnerabilities.id | String | Action item ID |
| Cyberpion.DomainData.Domain | String | The domain whose related action items are returned |
| Cyberpion.DomainData.Vulnerabilities.category | String | Category of the action item; can be DNS, PKI, Cloud, Vulnerability |
| Cyberpion.DomainData.Vulnerabilities.urgency | Number | Action item urgency |
| Cyberpion.DomainData.Vulnerabilities.is_open | Boolean | Whether the action item is still relevant (open) |
| Cyberpion.DomainData.Vulnerabilities.creation_time | Date | Action item's creation time |
| Cyberpion.DomainData.Vulnerabilities.link | String | Link to the action item in Cyberpion's portal |
| Cyberpion.DomainData.Vulnerabilities.title | String | Action item's title |
| Cyberpion.DomainData.Vulnerabilities.impact | String | Action item's potential impact from a security perspective |
| Cyberpion.DomainData.Vulnerabilities.summary | String | Action item summary |
| Cyberpion.DomainData.Vulnerabilities.solution | String | The course of action needed to remediate the threat |
| Cyberpion.DomainData.Vulnerabilities.description | String | Description of the source of the issue that was detected |
| Cyberpion.DomainData.Vulnerabilities.technical_details | String | Technical details of the issue |

#### Command Example

`!cyberpion-get-domain-action-items domain="$anon100-2.com"`

#### Context Example

```json
{
    "Cyberpion": {
        "DomainData": {
            "Domain": "$anon100-2.com",
            "Vulnerabilities": [
                {
                    "alert_type": "cyberpion_action_item",
                    "category": "PKI",
                    "creation_time": "2020-11-19 14:27:07.430866 UTC",
                    "description": "Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because:\n1) The domain shares certificate with other domains that are vulnerable. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. For exmaple, a stolen private key can be abused to impersonate the domain, and in some cases also to intercept live traffic.\n2) Other vulnerable domains use a certificate that is valid for the domain. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. Although the certificates are different, if the other certificate is valid for the domain and it is compromised, attackers can abuse it to impersonate the domain.\n",
                    "domain": "$anon100-2.com",
                    "id": 175692,
                    "impact": "Bad PKI design (anomalies, inconsistency, or ignoring best practices) indicates on missing management. PKI anomalies might become security vulnerability, mainly, due to the difficulty in following them.",
                    "is_open": true,
                    "link": "https://api.test.com/static/new/index.html#/pages/assessments/certificates/cert_test_report;$anon100-2.com",
                    "solution": "Issue a new certificate for the domain",
                    "summary": "The domain $anon100-2.com uses certificate that is used also for vulnerable domains and can be forged with another valid certificate that is used for another vulnerable domain",
                    "technical_details": "shares a certificate with the vulnerable domains: $anon100-265.com (risk rank: 98), sd2.$anon100-2.com (risk rank: 98), sd2.$anon100-265.com (risk rank: 98)\ncould be authenticated with the certificate that is used by the vulnerable domains: $anon100-265.com (cvss: 98.39526778), sd2.$anon100-2.com (cvss: 98.39526778), sd2.$anon100-265.com (cvss: 98.39526778)",
                    "title": "Fix PKI issues: Vulnerable domain use certificate that valid fo domain, Domain shares a certificate with vulnerable domain",
                    "urgency": 5
                }
            ]
        }
    }
}
```

#### Human Readable Output

##### Cyberpion

##### Action Items

| Field | Value |
| --- | --- |
| domain | $anon100-2.com |
| category | PKI |
| urgency | 5.0 |
| is_open | true |
| creation_time | 2020-11-19 14:27:07.430866 UTC |
| link | https://api.test.com/static/new/index.html#/pages/assessments/certificates/cert_test_report;$anon100-2.com |
| title | Fix PKI issues: Vulnerable domain use certificate that valid fo domain, Domain shares a certificate with vulnerable domain |
| impact | Bad PKI design (anomalies, inconsistency, or ignoring best practices) indicates on missing management. PKI anomalies might become security vulnerability, mainly, due to the difficulty in following them. |
| summary | The domain $anon100-2.com uses certificate that is used also for vulnerable domains and can be forged with another valid certificate that is used for another vulnerable domain |
| solution | Issue a new certificate for the domain |
| description | Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because: 1) The domain shares certificate with other domains that are vulnerable. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. For exmaple, a stolen private key can be abused to impersonate the domain, and in some cases also to intercept live traffic. 2) Other vulnerable domains use a certificate that is valid for the domain. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. Although the certificates are different, if the other certificate is valid for the domain and it is compromised, attackers can abuse it to impersonate the domain. |
| technical_details | shares a certificate with the vulnerable domains: $anon100-265.com (risk rank: 98), sd2.$anon100-2.com (risk rank: 98), sd2.$anon100-265.com (risk rank: 98); could be authenticated with the certificate that is used by the vulnerable domains: $anon100-265.com (cvss: 98.39526778), sd2.$anon100-2.com (cvss: 98.39526778), sd2.$anon100-265.com (cvss: 98.39526778) |

### cyberpion-get-domain-state

Retrieves a domain's info and current state.

#### Base Command

`cyberpion-get-domain-state`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Get info and current state of this domain. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberpion.DomainState.id | String | Domain State ID |
| Cyberpion.DomainState.domain | String | The domain |
| Cyberpion.DomainState.ips | String | The domain's IPs with their reverse lookups |
| Cyberpion.DomainState.risk_rank | Number | Domain's risk rank |
| Cyberpion.DomainState.vuln_count | Number | Number of vulnerabilities associated with the domain |
| Cyberpion.DomainState.cname_chain | String | Domain's CNAME chain (DNS record) |
| Cyberpion.DomainState.domain_types | String | Domain's infrastructure info (provider etc.) |
| Cyberpion.DomainState.discovery_date | Date | The date the domain was discovered |

#### Command Example

`!cyberpion-get-domain-state domain="$anon100-2.com"`

#### Context Example

```json
{
    "Cyberpion": {
        "DomainState": {
            "cname_chain": null,
            "discovery_date": "2021-03-07",
            "domain": "$anon100-2.com",
            "domain_types": "1.\nservice_type: CBSP\nprovider: Incapsula\nservice: None\ndescription: None",
            "id": "9ab5474a-3da2-4910-9d59-9a1f11a2193e",
            "ips": "153.228.75.31: None\n235.125.130.90: None",
            "risk_rank": 0,
            "vuln_count": 0
        }
    }
}
```

#### Human Readable Output

##### Cyberpion

##### Domain State

| Field | Value |
| --- | --- |
| id | 9ab5474a-3da2-4910-9d59-9a1f11a2193e |
| domain | $anon100-2.com |
| ips | 153.228.75.31: None; 235.125.130.90: None |
| risk_rank | 0 |
| vuln_count | 0 |
| cname_chain | |
| domain_types | 1. service_type: CBSP; provider: Incapsula; service: None; description: None |
| discovery_date | 2021-03-07 |
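The `ips` and `domain_types` fields above are returned as multi-line strings rather than structured data, so a playbook that wants to act on a provider or a reverse name has to split them first. The following added example (not the integration's own code) parses both, assuming only the formats visible in the Context Example: one `<ip>: <reverse name>` per line for `ips`, and numbered `key: value` blocks for `domain_types`, with the literal string `None` meaning no value.

```python
# Added example (not the integration's own code): parse the multi-line string
# fields of Cyberpion.DomainState. Assumes the formats in the Context Example
# above: "ips" is one "<ip>: <reverse name>" per line; "domain_types" is
# numbered blocks ("1.") of "key: value" lines. "None" means no value.
import re
from typing import Dict, List, Optional

BLOCK_HEADER = re.compile(r"^\d+\.$")


def _value(raw: str) -> Optional[str]:
    """Cyberpion writes the literal string None for missing values."""
    raw = raw.strip()
    return None if raw == "None" else raw


def parse_ips(ips: Optional[str]) -> Dict[str, Optional[str]]:
    """Map each IP to its reverse DNS name (None when Cyberpion reports none)."""
    result: Dict[str, Optional[str]] = {}
    for line in (ips or "").splitlines():
        if not line.strip():
            continue
        # rpartition so an IPv6 address with its own colons stays intact
        ip, _, reverse = line.rpartition(":")
        result[ip.strip()] = _value(reverse)
    return result


def parse_domain_types(domain_types: Optional[str]) -> List[Dict[str, Optional[str]]]:
    """Split the numbered infrastructure blocks into a list of dicts."""
    blocks: List[Dict[str, Optional[str]]] = []
    for line in (domain_types or "").splitlines():
        line = line.strip()
        if not line:
            continue
        if BLOCK_HEADER.match(line):
            blocks.append({})      # "1." starts a new provider block
            continue
        if not blocks:             # tolerate a missing leading "1."
            blocks.append({})
        key, _, value = line.partition(":")
        blocks[-1][key.strip()] = _value(value)
    return blocks


# Constructed sample with the same shape as the Context Example above.
SAMPLE_STATE = {
    "domain_types": "1.\nservice_type: CBSP\nprovider: Incapsula\nservice: None\ndescription: None",
    "ips": "153.228.75.31: None\n235.125.130.90: None",
}
```

Calling `parse_domain_types(SAMPLE_STATE["domain_types"])` yields one block with the provider set to Incapsula and `service`/`description` as None, which is easier to branch on in a playbook than the raw string.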