Cyberpion
Cyberpion Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Vulnerabilities management This integration was integrated and tested with version 1.0 of Cyberpion
#
Configure Cyberpion in CortexParameter | Description | Required |
---|---|---|
Server URL (e.g. https://api.example.com/security/api) | True | |
API Key | True | |
Maximum number of incidents per fetch | False | |
Action items category to fetch as incidents. | Allowed values: "Network", "Web", "Cloud", "DNS", "PKI", "Vulnerabilities", "TLS", "Email Server", "Mobile". | True |
Minimum Action items severity level to fetch incidents from. | Allowed values are integers between 1 to 10. 1 will fetch all incidents. | True |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False | |
Fetch incidents | False | |
Incident type | False | |
Show only active issues | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
cyberpion-get-domain-action-itemsRetrieves domain's action items
#
Base Commandcyberpion-get-domain-action-items
#
InputArgument Name | Description | Required |
---|---|---|
domain | Get action items for this domain. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Cyberpion.DomainData.Vulnerabilities.id | String | Action item ID |
Cyberpion.DomainData.Domain | String | Domain to get action items that are related to |
Cyberpion.DomainData.Vulnerabilities.category | String | Category of action item. can be DNS, PKI, Cloud, Vulnerability |
Cyberpion.DomainData.Vulnerabilities.urgency | Number | Action item urgency |
Cyberpion.DomainData.Vulnerabilities.is_open | Boolean | Is action item still relevant (open) |
Cyberpion.DomainData.Vulnerabilities.creation_time | Date | Action item's creation time |
Cyberpion.DomainData.Vulnerabilities.link | String | Link to the action item in Cyberpion's portal |
Cyberpion.DomainData.Vulnerabilities.title | String | Action item's title |
Cyberpion.DomainData.Vulnerabilities.impact | String | Action item's potential impact from a security perspective |
Cyberpion.DomainData.Vulnerabilities.summary | String | Action item summary |
Cyberpion.DomainData.Vulnerabilities.solution | String | The necessary course of action needed to remediate the threat |
Cyberpion.DomainData.Vulnerabilities.description | String | Description of the source of the issue that was detected |
Cyberpion.DomainData.Vulnerabilities.technical_details | String | Technical details of the issue |
#
Command Example!cyberpion-get-domain-action-items domain="$anon100-2.com"
#
Context Example#
Human Readable Output#
Cyberpion#
Action Items
domain category urgency is_open creation_time link title impact summary solution description technical_details $anon100-2.com PKI 5.0 true 2020-11-19 14:27:07.430866 UTC https://api.test.com/static/new/index.html#/pages/assessments/certificates/cert_test_report;$anon100-2.com Fix PKI issues: Vulnerable domain use certificate that valid fo domain, Domain shares a certificate with vulnerable domain Bad PKI design (anomalies, inconsistency, or ignoring best practices) indicates on missing management. PKI anomalies might become security vulnerability, mainly, due to the difficulty in following them. The domain $anon100-2.com uses certificate that is used also for vulnerable domains and can be forged with another valid certificate that is used for another vulnerable domain Issue a new certificate for the domain Certificates are used to authenticate the identities in online communications. Certificate must be both valid (format, cryptographic schemes, etc.) and issued by a trusted certificate authority (CA). The certificate of the domain is about to become invalid, because:
1) The domain shares certificate with other domains that are vulnerable. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. For exmaple, a stolen private key can be abused to impersonate the domain, and in some cases also to intercept live traffic.
2) Other vulnerable domains use a certificate that is valid for the domain. Sharing trust with vulnerable domains exposes the domain to risk if the vulnerable domains are hacked. Although the certificates are different, if the other certificate is valid for the domain and it is compromised, attackers can abuse it to impersonate the domain.shares a certificate with the vulnerable domains: $anon100-265.com (risk rank: 98), sd2.$anon100-2.com (risk rank: 98), sd2.$anon100-265.com (risk rank: 98)
could be authenticated with the certificate that is used by the vulnerable domains: $anon100-265.com (cvss: 98.39526778), sd2.$anon100-2.com (cvss: 98.39526778), sd2.$anon100-265.com (cvss: 98.39526778)
#
cyberpion-get-domain-stateRetrieves domain's info and current state
#
Base Commandcyberpion-get-domain-state
#
InputArgument Name | Description | Required |
---|---|---|
domain | Get info and current state of this domain. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Cyberpion.DomainState.id | String | Domain State ID |
Cyberpion.DomainState.domain | String | The Domain |
Cyberpion.DomainState.ips | String | Reverse Ip's of domain's ips |
Cyberpion.DomainState.risk_rank | Number | Domain's risk rank |
Cyberpion.DomainState.vuln_count | Number | Number of vulnerabilities associated with domain |
Cyberpion.DomainState.cname_chain | String | Domain's CName chain (DNS record) |
Cyberpion.DomainState.domain_types | String | Domain's infrastructure info (provider etc.) |
Cyberpion.DomainState.discovery_date | Date | The Date domain was discovered |
#
Command Example!cyberpion-get-domain-state domain="$anon100-2.com"
#
Context Example#
Human Readable Output#
Cyberpion#
Domain State
id domain ips risk_rank vuln_count cname_chain domain_types discovery_date 9ab5474a-3da2-4910-9d59-9a1f11a2193e $anon100-2.com 153.228.75.31: None
235.125.130.90: None0 0 1.
service_type: CBSP
provider: Incapsula
service: None
description: None2021-03-07