This Integration is part of the Cyberpion Pack.
Supported Cortex XSOAR versions: 6.0.0 and later.
Vulnerabilities management
This integration was integrated and tested with version 1.0 of Cyberpion.
# Configure Cyberpion on Cortex XSOAR
Navigate to Settings > Integrations > Servers & Services.
Search for Cyberpion.
Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g. https://api.example.com/security/api) | | True |
| API Key | | True |
| Maximum number of incidents per fetch | | False |
| Action items category to fetch as incidents. Allowed values: "Network", "Web", "Cloud", "DNS", "PKI", "Vulnerabilities", "TLS", "Email Server", "Mobile". | | True |
| Minimum Action items severity level to fetch incidents from. Allowed values are integers between 1 to 10. 1 will fetch all incidents. | | True |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | | False |
| Fetch incidents | | False |
| Incident type | | False |
| Show only active issues | | False |
Click Test to validate the URLs, token, and connection.
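The fetch parameters above combine into a single filter over action items. The following is an added sketch, not the integration's own code. The helper names, the accepted time units, the mapping of "severity" to the `urgency` field, and the sample records are assumptions, and category names are matched literally.

```python
from datetime import datetime, timedelta, timezone

# Allowed category values, copied from the parameter table on this page.
ALLOWED_CATEGORIES = {"Network", "Web", "Cloud", "DNS", "PKI",
                      "Vulnerabilities", "TLS", "Email Server", "Mobile"}
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}  # assumed unit set
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f UTC"  # matches the sample creation_time


def parse_first_fetch(text, now):
    """Turn '<number> <time unit>' (e.g. '12 hours') into a cutoff datetime."""
    number, unit = text.split()
    return now - timedelta(seconds=int(number) * UNIT_SECONDS[unit.lower().rstrip("s")])


def select_incidents(items, categories, min_severity, first_fetch, now,
                     max_fetch=50, only_active=True):
    """Hypothetical helper: apply the fetch parameters to action-item dicts."""
    unknown = set(categories) - ALLOWED_CATEGORIES
    if unknown:
        raise ValueError(f"unsupported categories: {sorted(unknown)}")
    if not 1 <= min_severity <= 10:
        raise ValueError("minimum severity must be between 1 and 10")
    cutoff = parse_first_fetch(first_fetch, now)

    def created(item):
        return datetime.strptime(item["creation_time"], TIME_FORMAT).replace(tzinfo=timezone.utc)

    picked = [i for i in items
              if i["category"] in categories
              and i["urgency"] >= min_severity  # assumption: severity == urgency
              and created(i) >= cutoff
              and (i["is_open"] or not only_active)]
    # Oldest first, so a capped fetch returns the earliest unprocessed items.
    return sorted(picked, key=created)[:max_fetch]


# Constructed sample records that use the context-output field names.
SAMPLE = [
    {"id": "a1", "category": "PKI", "urgency": 5.0, "is_open": True, "creation_time": "2020-11-19 14:27:07.430866 UTC"},
    {"id": "a2", "category": "DNS", "urgency": 3.0, "is_open": True, "creation_time": "2020-11-18 08:00:00.000000 UTC"},
    {"id": "a3", "category": "PKI", "urgency": 8.0, "is_open": False, "creation_time": "2020-11-19 09:00:00.000000 UTC"},
    {"id": "a4", "category": "DNS", "urgency": 9.0, "is_open": True, "creation_time": "2020-11-01 10:00:00.000000 UTC"},
    {"id": "a5", "category": "Cloud", "urgency": 7.0, "is_open": True, "creation_time": "2020-11-19 11:00:00.000000 UTC"},
]
NOW = datetime(2020, 11, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

if __name__ == "__main__":
    for item in select_incidents(SAMPLE, ["PKI", "DNS"], 4, "7 days", NOW):
        print(item["id"], item["category"], item["urgency"])
```
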
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Retrieves domain's action items
| Argument | Description | Required |
| --- | --- | --- |
| domain | Get action items for this domain. | Required |

| Path | Type | Description |
| --- | --- | --- |
| Cyberpion.DomainData.Vulnerabilities.id | String | Action item ID |
| Cyberpion.DomainData.Domain | String | Domain to get the related action items for |
| Cyberpion.DomainData.Vulnerabilities.category | String | Category of the action item. Can be DNS, PKI, Cloud, Vulnerability |
| Cyberpion.DomainData.Vulnerabilities.urgency | Number | Action item urgency |
| Cyberpion.DomainData.Vulnerabilities.is_open | Boolean | Whether the action item is still relevant (open) |
| Cyberpion.DomainData.Vulnerabilities.creation_time | Date | Action item's creation time |
| Cyberpion.DomainData.Vulnerabilities.link | String | Link to the action item in Cyberpion's portal |
| Cyberpion.DomainData.Vulnerabilities.title | String | Action item's title |
| Cyberpion.DomainData.Vulnerabilities.impact | String | Action item's potential impact from a security perspective |
| Cyberpion.DomainData.Vulnerabilities.summary | String | Action item summary |
| Cyberpion.DomainData.Vulnerabilities.solution | String | The course of action needed to remediate the threat |
| Cyberpion.DomainData.Vulnerabilities.description | String | Description of the source of the issue that was detected |
| Cyberpion.DomainData.Vulnerabilities.technical_details | String | Technical details of the issue |
# Human Readable Output
- domain: $anon100-2.com
- category: PKI
- urgency: 5.0
- is_open: true
- creation_time: 2020-11-19 14:27:07.430866 UTC
- link: https://api.test.com/static/new/index.html#/pages/assessments/certificates/cert_test_report;$anon100-2.com
- title: Fix PKI issues: Vulnerable domain use certificate that valid fo domain, Domain shares a certificate with vulnerable domain
- impact: Bad PKI design (anomalies, inconsistency, or ignoring best practices) indicates on missing management. PKI anomalies might become security vulnerability, mainly, due to the difficulty in following them.
- summary: The domain $anon100-2.com uses certificate that is used also for vulnerable domains and can be forged with another valid certificate that is used for another vulnerable domain
- solution: Issue a new certificate for the domain
- description: Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because:
  1) The domain shares certificate with other domains that are vulnerable. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. For exmaple, a stolen private key can be abused to impersonate the domain, and in some cases also to intercept live traffic.
  2) Other vulnerable domains use a certificate that is valid for the domain. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. Although the certificates are different, if the other certificate is valid for the domain and it is compromised, attackers can abuse it to impersonate the domain.
- technical_details:
  shares a certificate with the vulnerable domains: $anon100-265.com (risk rank: 98), sd2.$anon100-2.com (risk rank: 98), sd2.$anon100-265.com (risk rank: 98)
  could be authenticated with the certificate that is used by the vulnerable domains: $anon100-265.com (cvss: 98.39526778), sd2.$anon100-2.com (cvss: 98.39526778), sd2.$anon100-265.com (cvss: 98.39526778)
Retrieves domain's info and current state
| Argument | Description | Required |
| --- | --- | --- |
| domain | Get info and current state of this domain. | Required |

| Path | Type | Description |
| --- | --- | --- |
| Cyberpion.DomainState.id | String | Domain State ID |
| Cyberpion.DomainState.ips | String | Reverse IPs of the domain's IPs |
| Cyberpion.DomainState.risk_rank | Number | Domain's risk rank |
| Cyberpion.DomainState.vuln_count | Number | Number of vulnerabilities associated with the domain |
| Cyberpion.DomainState.cname_chain | String | Domain's CNAME chain (DNS record) |
| Cyberpion.DomainState.domain_types | String | Domain's infrastructure info (provider etc.) |
| Cyberpion.DomainState.discovery_date | Date | The date the domain was discovered |

# Human Readable Output
id domain ips risk_rank vuln_count cname_chain domain_types discovery_date 9ab5474a-3da2-4910-9d59-9a1f11a2193e $anon100-2.com 220.127.116.11: None
0 0 1.