SecurityScorecard
This Integration is part of the SecurityScorecard Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Provides commands to access SecurityScorecard's API. This integration was integrated and tested with the latest version of SecurityScorecard's API as of August 2024.
Configure SecurityScorecard in Cortex#
| Parameter | Description | Required |
|---|---|---|
| SecurityScorecard API Base URL | True | |
| Username/Email | The SecurityScorecard username/email. | True |
| API Token | True | |
| Fetch incidents | False | |
| Incidents Fetch Interval | SecurityScorecard is updated on a daily basis therefore there's no need to modify this value. | False |
| Fetch Limit | Maximum number of alerts per fetch. The maximum is 50. | False |
| First fetch | First fetch query (<number> <time unit>, e.g., 12 hours, 7 days. SecurityScorecard provides a maximum of 7 days back. To ensure no alerts are missed, it's recommended to use a value less than 2 days. | False |
| Incident type | False | |
| Trust any certificate (not secure) | False | |
| Use system proxy settings | False | |
| Portfolio ID | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
securityscorecard-portfolios-list#
List all Portfolios.
Base Command#
securityscorecard-portfolios-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | Limit the amount of Portfolios to return. Defaults to 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Portfolio.id | String | Portfolio ID. |
| SecurityScorecard.Portfolio.name | String | Portfolio name. |
| SecurityScorecard.Portfolio.description | String | Portfolio description. |
| SecurityScorecard.Portfolio.privacy | String | Portfolio privacy. Can be either private, shared or team. |
| SecurityScorecard.Portfolio.read_only | Boolean | Whether the portfolio is read only. |
securityscorecard-portfolio-list-companies#
Lists all companies in Portfolio.
Base Command#
securityscorecard-portfolio-list-companies
Input#
| Argument Name | Description | Required |
|---|---|---|
| portfolio_id | Portfolio ID. The Portfolio ID can be retrieved using the 'securityscorecard-portfolios-list' command. | Required |
| grade | Grade filter. To filter multiple grades, comma-separate them, e.g. A,B. Possible values are: A, B, C, D, E, F. | Optional |
| industry | Industry filter. To filter multiple industries, comma-separate them, e.g. education,financial_services. Possible values are: education, financial_services, food, government, healthcare, information_services, manufacturing, retail, technology. | Optional |
| vulnerability | Vulnerability filter. | Optional |
| issue_type | Comma-separated list of issue types. Possible values are: adware_installation_trail, adware_installation, alleged_breach_incident, chatter, anonymous_proxy, service_cassandra, service_couchdb, attack_detected, attack_feed, new_booter_shell, spa_browser, cdn_hosting, tlscert_expired, tlscert_revoked, tlscert_self_signed, tlscert_excessive_expiration, tlscert_weak_signature, tlscert_no_revocation, service_cloud_provider, csp_no_policy_v2, csp_unsafe_policy_v2, csp_too_broad_v2, marketing_site, cookie_missing_secure_attribute, short_term_lending_site, leaked_credentials, leaked_credentials_info, service_dns, new_defacement, ransomware_victim, domain_uses_hsts_preloading, service_elasticsearch, employee_satisfaction, service_end_of_life, service_end_of_service, exposed_personal_information, exposed_personal_information_info, admin_subdomain_v2, tlscert_extended_validation, service_ftp, patching_cadence_high, web_vuln_host_high, service_vuln_host_high, service_imap, iot_camera, industrial_control_device, insecure_https_redirect_pattern_v2, service_ldap, service_ldap_anonymous, social_network_issues, patching_cadence_low, web_vuln_host_low, service_vuln_host_low, spf_record_malformed, malware_controller, malware_1_day, malware_30_day, malware_365_day, malware_infection, malware_infection_trail, patching_cadence_medium, web_vuln_host_medium, service_vuln_host_medium, service_microsoft_sql, minecraft_server, service_mongodb, no_browser_policy, service_mysql, service_neo4j, service_networking, object_storage_bucket_with_risky_acl, open_resolver, exposed_ports, service_open_vpn, service_oracle_db, outdated_os, outdated_browser, non_malware_events_last_month, service_pop3, service_pptp, phishing, typosquat, service_postgresql, exploited_product, public_text_credit_cards, public_text_database_dump, public_text_hashes, public_text_mention, public_text_password_dump, service_pulse_vpn, service_rdp, ransomware_association, redirect_chain_contains_http_v2, service_redis, remote_access, service_smb, mail_server_unusual_port, service_soap, spf_record_wildcard, spf_record_softfail, spf_record_missing, ssh_weak_protocol, ssh_weak_cipher, ssh_weak_mac, tls_weak_protocol, github_information_leak_disclosure, google_information_leak_disclosure, cookie_missing_http_only, domain_missing_https_v2, suspicious_traffic, tls_ocsp_stapling, tls_weak_cipher, telephony, service_telnet, tor_node_events_last_month, upnp_accessible, unsafe_sri_v2, uce, service_vnc, dnssec_detected, waf_detected_v2, hsts_incorrect_v2, hosted_on_object_storage_v2, references_object_storage_v2, x_content_type_options_incorrect_v2, x_frame_options_incorrect_v2, x_xss_protection_incorrect_v2, service_rsync. | Optional |
| had_breach_within_last_days | Domains with breaches in the last X days. Possible values are numbers, e.g. 1000. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Portfolio.Company.domain | String | Company domain. |
| SecurityScorecard.Portfolio.Company.name | String | Company name. |
| SecurityScorecard.Portfolio.Company.score | Number | Company overall score in numeric form (55-100). |
| SecurityScorecard.Portfolio.Company.grade | String | Company overall score in letter grade. |
| SecurityScorecard.Portfolio.Company.grade_url | String | Company overall score URL to SVG asset. |
| SecurityScorecard.Portfolio.Company.last30days_score_change | Number | Company overall score numeric change (±) in the last month. |
| SecurityScorecard.Portfolio.Company.industry | String | Industry category of the domain. |
| SecurityScorecard.Portfolio.Company.size | String | Company size, e.g. 'size_more_than_10000'. |
| SecurityScorecard.Portfolio.Company.is_custom_vendor | Boolean | Whether the company is a custom vendor. |
| SecurityScorecard.Portfolio.Company.total | Number | Total number of companies in Portfolio. |
securityscorecard-company-score-get#
Retrieve company overall score.
Base Command#
securityscorecard-company-score-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain, e.g. google.com. The company must first be added to a Portfolio in order to be able to get its score. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Company.Score.domain | String | Company domain. |
| SecurityScorecard.Company.Score.name | String | Company name. |
| SecurityScorecard.Company.Score.score | Number | Company overall score in numeric form (55-100). |
| SecurityScorecard.Company.Score.grade | String | Company overall score in letter grade form (A-F). |
| SecurityScorecard.Company.Score.last30days_score_change | Number | Company overall score numeric change (±) in the last month. |
| SecurityScorecard.Company.Score.industry | String | ndustry category of the domain. |
| SecurityScorecard.Company.Score.size | String | Company size, e.g. 'size_more_than_10000'. |
securityscorecard-company-factor-score-get#
Retrieve company factor score.
Base Command#
securityscorecard-company-factor-score-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain. | Required |
| severity | Issue severity filter. Comma-separated list of the following values: 'positive', 'info', 'low', 'medium', 'high'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Company.Factor.name | String | Factor name. |
| SecurityScorecard.Company.Factor.score | Number | Factor score in numeric form (55-100). |
| SecurityScorecard.Company.Factor.grade | String | Factor score in letter grade form (A-F). |
| SecurityScorecard.Company.Factor.Issue.type | String | Type of issue found. |
| SecurityScorecard.Company.Factor.Issue.count | Number | How many times the issue was found. |
| SecurityScorecard.Company.Factor.Issue.severity | String | Severity of the issue. |
| SecurityScorecard.Company.Factor.Issue.total_score_impact | Number | Contribution of issue on overall score. |
| SecurityScorecard.Company.Factor.Issue.detail_url | String | URL to the details of the issue. |
| SecurityScorecard.Company.Factor.total | Number | Number of factors returned. |
securityscorecard-company-history-score-get#
Retrieve company historical scores.
Base Command#
securityscorecard-company-history-score-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain, e.g. google.com. | Required |
| from | Initial date for historical data. Value should be in format YYYY-MM-DD. | Optional |
| to | End date for historical data. Value should be in format YYYY-MM-DD. | Optional |
| timing | Timing granularity. Possible values are: daily, weekly. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Company.ScoreHistory.domain | String | Company domain. |
| SecurityScorecard.Company.ScoreHistory.date | Date | Score date. |
| SecurityScorecard.Company.ScoreHistory.score | Number | Company historical security score in numeric form (55-100). |
securityscorecard-company-history-factor-score-get#
Retrieve company historical factor scores.
Base Command#
securityscorecard-company-history-factor-score-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain, e.g. google.com. | Required |
| from | Initial date for historical data. Value should be in format 'YYYY-MM-DD'. | Optional |
| to | End date for historical data. Value should be in format 'YYYY-MM-DD'. | Optional |
| timing | Timing granularity. or "monthly". Possible values are: daily, weekly, monthly. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Company.FactorHistory.domain | String | Company domain. |
| SecurityScorecard.Company.FactorHistory.date | Date | Score date. |
| SecurityScorecard.Company.FactorHistory.Factor.name | Number | Factor name. |
| SecurityScorecard.Company.FactorHistory.score | Number | Company historical security score in numeric form (55-100). |
securityscorecard-alert-grade-change-create#
Create alert based on grade.
Base Command#
securityscorecard-alert-grade-change-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| change_direction | Direction of change. Possible values are: rises, drops. | Required |
| score_types | Comma-separated list of risk factors to monitor. Possible values are 'overall', 'any_factor_score', 'network_security', 'dns_health', 'patching_cadence', 'endpoint_security', 'ip_reputation', 'application_security', 'cubit_score', 'hacker_chatter', 'leaked_information', 'social_engineering'. | Required |
| target | What do you want to monitor with this alert. This argument is required if the portfolio argument is not specified. Possible values are: my_scorecard, any_followed_company. | Optional |
| portfolio | A portfolio_id to use as a target for the alert. This argument is required if the target argument is not specified. You can get a list of portfolios by running !securityscorecard-portfolios-list. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Alerts.GradeChangeAlert.id | String | Alert ID. |
securityscorecard-alert-score-threshold-create#
Create alert based threshold met.
Base Command#
securityscorecard-alert-score-threshold-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| change_direction | Direction of change. Possible values are: rises_above, drops_below. | Required |
| threshold | The numeric score used as the threshold to trigger the alert. | Required |
| score_types | Comma separated list of risk factors to monitor. Possible values are 'overall', 'any_factor_score', 'network_security', 'dns_health', 'patching_cadence', 'endpoint_security', 'ip_reputation', 'application_security', 'cubit_score', 'hacker_chatter', 'leaked_information', 'social_engineering'. For multiple factors, provide comma-separated list, i.e. leaked_information,social_engineering. | Required |
| target | What do you want to monitor with this alert. This argument is required if the portfolio argument is not specified. Possible values are: my_scorecard, any_followed_company. | Optional |
| portfolio | A portfolio_id to use as a target for the alert. This argument is required if the target argument is not specified. You can get a list of portfolios by running !securityscorecard-portfolios-list. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Alerts.ScoreThresholdAlert.id | String | Alert ID. |
securityscorecard-alert-delete#
Delete an alert.
Base Command#
securityscorecard-alert-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Alert ID. | Required |
Context Output#
There is no context output for this command.
securityscorecard-alerts-list#
List alerts triggered in the last week.
Base Command#
securityscorecard-alerts-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| portfolio_id | Portfolio ID. Can be retrieved using !securityscorecard-portfolios-list. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Alerts.Alert.id | String | Alert ID. |
| SecurityScorecard.Alerts.Alert.email | String | Alert email recipient. |
| SecurityScorecard.Alerts.Alert.change_type | String | Alert change type configured (score or threshold). |
| SecurityScorecard.Alerts.Alert.domain | String | Alert domain. |
| SecurityScorecard.Alerts.Alert.company_name | String | Alert company name. |
| SecurityScorecard.Alerts.Alert.Portfolio.id | array | Alert Portfolio ID. |
| SecurityScorecard.Alerts.Alert.my_scorecard | Boolean | Whether the alert was triggered on private scorecard. This depends on whether 'my_scorecard' was added to the optional argument 'target' when creating alerts using the 'securityscorecard-alert-score-threshold-create' and 'securityscorecard-alert-grade-change-create' commands. |
| SecurityScorecard.Alerts.Alert.created_at | Date | Timestamp of when the alert was triggered. |
securityscorecard-company-services-get#
Retrieve the service providers of a domain.
Base Command#
securityscorecard-company-services-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Service.vendor_domain | String | Vendor domain, e.g. Google, Amazon. |
| SecurityScorecard.Service.client_domain | String | Client domain. This value is identical to the input of the domain argument. |
| SecurityScorecard.Service.categories | array | Vendor service provider, e.g. mail_provider, nameserver_provider. |
securityscorecard-company-events-get#
Retrieve a company's historical events.
Base Command#
securityscorecard-company-events-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Company domain, e.g. google.com. | Required |
| date_from | Initial date for historical data. Value should be in format 2020-01-30T00:00:00.000Z. | Optional |
| date_to | End date for historical data. Value should be in format 2020-01-30T00:00:00.000Z. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Events.Event.ssc_event_id | string | event id. |
| SecurityScorecard.Events.Event.date | date | event date. |
| SecurityScorecard.Events.Event.status | unknown | event status. |
| SecurityScorecard.Events.Event.issue_count | number | event issue count. |
| SecurityScorecard.Events.Event.score_impact | number | event score impact. |
| SecurityScorecard.Events.Event.issue_type | string | event issue type. |
| SecurityScorecard.Events.Event.severity | string | event severity. |
| SecurityScorecard.Events.Event.factor | string | event factor. |
| SecurityScorecard.Events.Event.ssc_detail_url | string | event detail url. |
securityscorecard-company-findings-get#
Retrieve an issue_type's historical findings in a scorecard.
Base Command#
securityscorecard-company-findings-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Retrieve the service providers of a domain. | Required |
| date | The effective_date for historical data. Value should be in format 'YYYY-MM-DD'. | Required |
| issue_type | Key representing issue type, e.g. api_key_exposed. | Required |
| status | group_status filter. Comma-separated list of the following values: 'active', 'inactive', 'all'. | Optional |
Context Output#
There is no context output for this command.
securityscorecard-issue-metadata#
Retrieve metadata for an issue type, including description and recommendation.
Base Command#
securityscorecard-issue-metadata
Input#
| Argument Name | Description | Required |
|---|---|---|
| issue_type | Key representing issue type, e.g. api_key_exposed. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.Metadata.Issues.key | string | Key representing issue type, e.g. api_key_exposed. |
| SecurityScorecard.Metadata.Issues.severity | string | issue severity. |
| SecurityScorecard.Metadata.Issues.factor | string | issue factor. |
| SecurityScorecard.Metadata.Issues.title | string | issue title. |
| SecurityScorecard.Metadata.Issues.short_description | string | issue short description. |
| SecurityScorecard.Metadata.Issues.long_description | string | issue long description. |
| SecurityScorecard.Metadata.Issues.recommendation | string | issue recommendation. |
securityscorecard-alert-rules-list#
List alert subscriptions for the user.
Base Command#
securityscorecard-alert-rules-list
Input#
This command does not require any arguments.
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.AlertRules.Rule.id | String | Alert Rule ID. |
| SecurityScorecard.AlertRules.Rule.name | String | Alert Rule name. |
| SecurityScorecard.AlertRules.Rule.target | String | Target of the Rule. |
| SecurityScorecard.AlertRules.Rule.updated_at | Date | Timestamp when the alert rule was last updated. |
| SecurityScorecard.AlertRules.Rule.paused_at | String | Timestamp when the alert rule was paused. |
securityscorecard-issue-details-get#
Retrieve issue details for a specific issue type and domain.
Base Command#
securityscorecard-issue-details-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain to get the issue details for. | Required |
| issue_type | The issue type to get the details for. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| SecurityScorecard.IssueDetails.issue_id | String | Unique UUID for this measurement. |
| SecurityScorecard.IssueDetails.parent_domain | String | Parent domain aka vendor. |
| SecurityScorecard.IssueDetails.issue_type | String | issue_type of the findings. |
| SecurityScorecard.IssueDetails.count | Number | The number of findings. |
| SecurityScorecard.IssueDetails.group_status | String | If findings are active or not. |
| SecurityScorecard.IssueDetails.first_seen_time | Date | Epoch of observation in nanoseconds. |
| SecurityScorecard.IssueDetails.last_seen_time | Date | Epoch of observation in nanoseconds. |
| SecurityScorecard.IssueDetails.port | Number | Port number of the observation if applicable. |
| SecurityScorecard.IssueDetails.domain | String | Domain of the observation if applicable. |
| SecurityScorecard.IssueDetails.ip | String | IP address of the observation if applicable. |
| SecurityScorecard.IssueDetails.protocol | String | Protocol of the observation if applicable. |
| SecurityScorecard.IssueDetails.observations | String | Observation data in raw JSON format. |