# SecurityScorecard

This Integration is part of the SecurityScorecard Pack.

Supported Cortex XSOAR versions: 6.0.0 and later.

Provides commands to access SecurityScorecard's API. This integration was integrated and tested with the latest version of SecurityScorecard's API as of August 2024.
## Configure SecurityScorecard on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for SecurityScorecard.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
SecurityScorecard API Base URL | | True |
Username/Email | The SecurityScorecard username/email. | True |
API Token | | True |
Fetch incidents | | False |
Incidents Fetch Interval | SecurityScorecard is updated on a daily basis, therefore there's no need to modify this value. | False |
Fetch Limit | Maximum number of alerts per fetch. The maximum is 50. | False |
First fetch | First fetch query (`<number> <time unit>`, e.g., 12 hours, 7 days). SecurityScorecard provides a maximum of 7 days back. To ensure no alerts are missed, it's recommended to use a value less than 2 days. | False |
Incident type | | False |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Portfolio ID | | False |

4. Click Test to validate the URLs, token, and connection.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### securityscorecard-portfolios-list

List all Portfolios.
#### Base Command

`securityscorecard-portfolios-list`
#### Input

Argument Name | Description | Required |
---|---|---|
limit | Limit the amount of Portfolios to return. Defaults to 50. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Portfolio.id | String | Portfolio ID. |
SecurityScorecard.Portfolio.name | String | Portfolio name. |
SecurityScorecard.Portfolio.description | String | Portfolio description. |
SecurityScorecard.Portfolio.privacy | String | Portfolio privacy. Can be either private, shared or team. |
SecurityScorecard.Portfolio.read_only | Boolean | Whether the portfolio is read only. |
### securityscorecard-portfolio-list-companies

Lists all companies in a Portfolio.
#### Base Command

`securityscorecard-portfolio-list-companies`
#### Input

Argument Name | Description | Required |
---|---|---|
portfolio_id | Portfolio ID. The Portfolio ID can be retrieved using the 'securityscorecard-portfolios-list' command. | Required |
grade | Grade filter. To filter multiple grades, comma-separate them, e.g. A,B. Possible values are: A, B, C, D, E, F. | Optional |
industry | Industry filter. To filter multiple industries, comma-separate them, e.g. education,financial_services. Possible values are: education, financial_services, food, government, healthcare, information_services, manufacturing, retail, technology. | Optional |
vulnerability | Vulnerability filter. | Optional |
issue_type | Comma-separated list of issue types. Possible values are: adware_installation_trail, adware_installation, alleged_breach_incident, chatter, anonymous_proxy, service_cassandra, service_couchdb, attack_detected, attack_feed, new_booter_shell, spa_browser, cdn_hosting, tlscert_expired, tlscert_revoked, tlscert_self_signed, tlscert_excessive_expiration, tlscert_weak_signature, tlscert_no_revocation, service_cloud_provider, csp_no_policy_v2, csp_unsafe_policy_v2, csp_too_broad_v2, marketing_site, cookie_missing_secure_attribute, short_term_lending_site, leaked_credentials, leaked_credentials_info, service_dns, new_defacement, ransomware_victim, domain_uses_hsts_preloading, service_elasticsearch, employee_satisfaction, service_end_of_life, service_end_of_service, exposed_personal_information, exposed_personal_information_info, admin_subdomain_v2, tlscert_extended_validation, service_ftp, patching_cadence_high, web_vuln_host_high, service_vuln_host_high, service_imap, iot_camera, industrial_control_device, insecure_https_redirect_pattern_v2, service_ldap, service_ldap_anonymous, social_network_issues, patching_cadence_low, web_vuln_host_low, service_vuln_host_low, spf_record_malformed, malware_controller, malware_1_day, malware_30_day, malware_365_day, malware_infection, malware_infection_trail, patching_cadence_medium, web_vuln_host_medium, service_vuln_host_medium, service_microsoft_sql, minecraft_server, service_mongodb, no_browser_policy, service_mysql, service_neo4j, service_networking, object_storage_bucket_with_risky_acl, open_resolver, exposed_ports, service_open_vpn, service_oracle_db, outdated_os, outdated_browser, non_malware_events_last_month, service_pop3, service_pptp, phishing, typosquat, service_postgresql, exploited_product, public_text_credit_cards, public_text_database_dump, public_text_hashes, public_text_mention, public_text_password_dump, service_pulse_vpn, service_rdp, ransomware_association, redirect_chain_contains_http_v2, service_redis, remote_access, service_smb, mail_server_unusual_port, service_soap, spf_record_wildcard, spf_record_softfail, spf_record_missing, ssh_weak_protocol, ssh_weak_cipher, ssh_weak_mac, tls_weak_protocol, github_information_leak_disclosure, google_information_leak_disclosure, cookie_missing_http_only, domain_missing_https_v2, suspicious_traffic, tls_ocsp_stapling, tls_weak_cipher, telephony, service_telnet, tor_node_events_last_month, upnp_accessible, unsafe_sri_v2, uce, service_vnc, dnssec_detected, waf_detected_v2, hsts_incorrect_v2, hosted_on_object_storage_v2, references_object_storage_v2, x_content_type_options_incorrect_v2, x_frame_options_incorrect_v2, x_xss_protection_incorrect_v2, service_rsync. | Optional |
had_breach_within_last_days | Domains with breaches in the last X days. Possible values are numbers, e.g. 1000. | Optional |
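
The filter arguments above are comma-separated strings with a fixed set of allowed values, and a typo in one of them is only reported by the API after the call. The following is an added example, not the integration's own code, that validates the arguments of `securityscorecard-portfolio-list-companies` against the documented values before anything is sent; the parameter names and the shape of the returned dictionary are this example's assumptions, and only a subset of the long `issue_type` list is embedded.

```python
# Added example (not part of the SecurityScorecard integration's own code):
# validate the comma-separated filter arguments of
# securityscorecard-portfolio-list-companies before they are sent to the API.
GRADES = ("A", "B", "C", "D", "E", "F")
INDUSTRIES = (
    "education", "financial_services", "food", "government", "healthcare",
    "information_services", "manufacturing", "retail", "technology",
)
# The issue_type list in the argument table is long; a subset is embedded here
# as an illustration. Pass the full list as `issue_types` in real use.
ISSUE_TYPES_SAMPLE = (
    "tlscert_expired", "tlscert_self_signed", "spf_record_missing",
    "ssh_weak_cipher", "exposed_ports", "leaked_credentials",
)


def split_csv(value):
    """Split a comma-separated argument value into trimmed, non-empty tokens."""
    if not value:
        return []
    return [token.strip() for token in str(value).split(",") if token.strip()]


def validate_choices(name, tokens, allowed):
    """Reject any token that is not one of the documented values."""
    bad = [t for t in tokens if t not in allowed]
    if bad:
        raise ValueError(f"Invalid value(s) for '{name}': {', '.join(bad)}")
    return tokens


def build_company_filters(args, issue_types=ISSUE_TYPES_SAMPLE):
    """Turn the command arguments into query parameters for the companies listing.

    `args` is the dict of argument name -> string that XSOAR hands to a command.
    Returns a dict of validated, normalised parameters and raises ValueError on
    anything the argument table does not allow, so a playbook fails early with
    a readable message instead of an error response from the API.
    """
    params = {}

    grades = [g.upper() for g in split_csv(args.get("grade"))]  # accept 'a,b' too
    if validate_choices("grade", grades, GRADES):
        params["grade"] = ",".join(grades)

    industries = split_csv(args.get("industry"))
    if validate_choices("industry", industries, INDUSTRIES):
        params["industry"] = ",".join(industries)

    issues = split_csv(args.get("issue_type"))
    if validate_choices("issue_type", issues, issue_types):
        params["issue_type"] = ",".join(issues)

    if args.get("vulnerability"):
        params["vulnerability"] = args["vulnerability"].strip()

    days = args.get("had_breach_within_last_days")
    if days not in (None, ""):
        if not str(days).isdigit() or int(days) == 0:
            raise ValueError("'had_breach_within_last_days' must be a positive whole number")
        params["had_breach_within_last_days"] = int(days)

    return params


def filter_error(args, issue_types=ISSUE_TYPES_SAMPLE):
    """Return the validation error message for `args`, or None if they are valid."""
    try:
        build_company_filters(args, issue_types)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_company_filters({"grade": "A,b", "industry": "education",
                                 "had_breach_within_last_days": "1000"}))
```

Validation happens per argument so the error names the offending token, which is what a playbook author needs when a filter silently returns an empty company list.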
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Portfolio.Company.domain | String | Company domain. |
SecurityScorecard.Portfolio.Company.name | String | Company name. |
SecurityScorecard.Portfolio.Company.score | Number | Company overall score in numeric form (55-100). |
SecurityScorecard.Portfolio.Company.grade | String | Company overall score in letter grade. |
SecurityScorecard.Portfolio.Company.grade_url | String | Company overall score URL to SVG asset. |
SecurityScorecard.Portfolio.Company.last30days_score_change | Number | Company overall score numeric change (±) in the last month. |
SecurityScorecard.Portfolio.Company.industry | String | Industry category of the domain. |
SecurityScorecard.Portfolio.Company.size | String | Company size, e.g. 'size_more_than_10000'. |
SecurityScorecard.Portfolio.Company.is_custom_vendor | Boolean | Whether the company is a custom vendor. |
SecurityScorecard.Portfolio.Company.total | Number | Total number of companies in Portfolio. |
### securityscorecard-company-score-get

Retrieve company overall score.
#### Base Command

`securityscorecard-company-score-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain, e.g. google.com. The company must first be added to a Portfolio in order to be able to get its score. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Company.Score.domain | String | Company domain. |
SecurityScorecard.Company.Score.name | String | Company name. |
SecurityScorecard.Company.Score.score | Number | Company overall score in numeric form (55-100). |
SecurityScorecard.Company.Score.grade | String | Company overall score in letter grade form (A-F). |
SecurityScorecard.Company.Score.last30days_score_change | Number | Company overall score numeric change (±) in the last month. |
SecurityScorecard.Company.Score.industry | String | Industry category of the domain. |
SecurityScorecard.Company.Score.size | String | Company size, e.g. 'size_more_than_10000'. |
### securityscorecard-company-factor-score-get

Retrieve company factor score.
#### Base Command

`securityscorecard-company-factor-score-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain. | Required |
severity | Issue severity filter. Comma-separated list of the following values: 'positive', 'info', 'low', 'medium', 'high'. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Company.Factor.name | String | Factor name. |
SecurityScorecard.Company.Factor.score | Number | Factor score in numeric form (55-100). |
SecurityScorecard.Company.Factor.grade | String | Factor score in letter grade form (A-F). |
SecurityScorecard.Company.Factor.Issue.type | String | Type of issue found. |
SecurityScorecard.Company.Factor.Issue.count | Number | How many times the issue was found. |
SecurityScorecard.Company.Factor.Issue.severity | String | Severity of the issue. |
SecurityScorecard.Company.Factor.Issue.total_score_impact | Number | Contribution of issue on overall score. |
SecurityScorecard.Company.Factor.Issue.detail_url | String | URL to the details of the issue. |
SecurityScorecard.Company.Factor.total | Number | Number of factors returned. |
### securityscorecard-company-history-score-get

Retrieve company historical scores.
#### Base Command

`securityscorecard-company-history-score-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain, e.g. google.com. | Required |
from | Initial date for historical data. Value should be in the format YYYY-MM-DD. | Optional |
to | End date for historical data. Value should be in the format YYYY-MM-DD. | Optional |
timing | Timing granularity. Possible values are: daily, weekly. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Company.ScoreHistory.domain | String | Company domain. |
SecurityScorecard.Company.ScoreHistory.date | Date | Score date. |
SecurityScorecard.Company.ScoreHistory.score | Number | Company historical security score in numeric form (55-100). |
### securityscorecard-company-history-factor-score-get

Retrieve company historical factor scores.
#### Base Command

`securityscorecard-company-history-factor-score-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain, e.g. google.com. | Required |
from | Initial date for historical data. Value should be in format 'YYYY-MM-DD'. | Optional |
to | End date for historical data. Value should be in format 'YYYY-MM-DD'. | Optional |
timing | Timing granularity. Possible values are: daily, weekly, monthly. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Company.FactorHistory.domain | String | Company domain. |
SecurityScorecard.Company.FactorHistory.date | Date | Score date. |
SecurityScorecard.Company.FactorHistory.Factor.name | Number | Factor name. |
SecurityScorecard.Company.FactorHistory.score | Number | Company historical security score in numeric form (55-100). |
### securityscorecard-alert-grade-change-create

Create an alert based on grade change.
#### Base Command

`securityscorecard-alert-grade-change-create`
#### Input

Argument Name | Description | Required |
---|---|---|
change_direction | Direction of change. Possible values are: rises, drops. | Required |
score_types | Comma-separated list of risk factors to monitor. Possible values are 'overall', 'any_factor_score', 'network_security', 'dns_health', 'patching_cadence', 'endpoint_security', 'ip_reputation', 'application_security', 'cubit_score', 'hacker_chatter', 'leaked_information', 'social_engineering'. | Required |
target | What do you want to monitor with this alert. This argument is required if the portfolios argument is not specified. Possible values are: my_scorecard, any_followed_company. | Optional |
portfolios | A comma-separated list of Portfolios to use as a target for the alert. This argument is required if the target argument is not specified. You can get a list of portfolios by running !securityscorecard-portfolios-list. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Alerts.GradeChangeAlert.id | String | Alert ID. |
### securityscorecard-alert-score-threshold-create

Create an alert that fires when a score threshold is met.
#### Base Command

`securityscorecard-alert-score-threshold-create`
#### Input

Argument Name | Description | Required |
---|---|---|
change_direction | Direction of change. Possible values are: rises_above, drops_below. | Required |
threshold | The numeric score used as the threshold to trigger the alert. | Required |
score_types | Comma-separated list of risk factors to monitor. Possible values are 'overall', 'any_factor_score', 'network_security', 'dns_health', 'patching_cadence', 'endpoint_security', 'ip_reputation', 'application_security', 'cubit_score', 'hacker_chatter', 'leaked_information', 'social_engineering'. For multiple factors, provide a comma-separated list, e.g. leaked_information,social_engineering. | Required |
target | What do you want to monitor with this alert. This argument is required if the portfolios argument is not specified. Possible values are: my_scorecard, any_followed_company. | Optional |
portfolios | A comma-separated list of Portfolios to use as a target for the alert. This argument is required if the target argument is not specified. You can get a list of portfolios by running !securityscorecard-portfolios-list. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Alerts.ScoreThresholdAlert.id | String | Alert ID. |
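
The two alert-creation commands differ only in what `change_direction` compares: letter grades (`rises`, `drops`) versus a numeric `threshold` (`rises_above`, `drops_below`). The following is an added example, not the integration's or SecurityScorecard's own code, that replays both rules over a constructed score history so the trigger points can be checked offline before an alert is configured. The history values and the one-alert-per-crossing behaviour are assumptions of this example; the page does not describe a score-to-grade mapping, so the grades are simply chosen to show transitions.

```python
# Added example (not the integration's or SecurityScorecard's own code): the
# change_direction semantics of the two alert-creation commands, replayed over
# a constructed score history so the trigger points can be seen offline.
from dataclasses import dataclass

GRADE_ORDER = "ABCDEF"  # A is the best grade; a "drop" moves toward F


@dataclass(frozen=True)
class ScorePoint:
    date: str   # YYYY-MM-DD, as in SecurityScorecard.Company.ScoreHistory.date
    score: int  # numeric score, 55-100
    grade: str  # letter grade, A-F


# Constructed sample history. The grades are chosen to illustrate transitions;
# they are not derived from any published score-to-grade mapping.
HISTORY = [
    ScorePoint("2024-08-01", 82, "B"),
    ScorePoint("2024-08-02", 78, "C"),
    ScorePoint("2024-08-03", 74, "C"),
    ScorePoint("2024-08-04", 81, "B"),
]


def grade_change_triggers(previous, current, change_direction):
    """securityscorecard-alert-grade-change-create: 'rises' fires when the
    letter grade improves (C -> B), 'drops' when it worsens (B -> C)."""
    before = GRADE_ORDER.index(previous.grade)
    after = GRADE_ORDER.index(current.grade)
    if change_direction == "rises":
        return after < before
    if change_direction == "drops":
        return after > before
    raise ValueError(f"change_direction must be 'rises' or 'drops', got '{change_direction}'")


def score_threshold_triggers(previous, current, change_direction, threshold):
    """securityscorecard-alert-score-threshold-create: 'rises_above' fires when
    the score crosses upward through the threshold, 'drops_below' when it
    crosses downward. Assumption of this example: a score already on the far
    side of the threshold does not fire again (one alert per crossing)."""
    if change_direction == "rises_above":
        return previous.score <= threshold < current.score
    if change_direction == "drops_below":
        return previous.score >= threshold > current.score
    raise ValueError(
        f"change_direction must be 'rises_above' or 'drops_below', got '{change_direction}'"
    )


def grade_alert_dates(history, change_direction):
    """Dates on which a grade-change alert with the given direction would fire."""
    return [cur.date for prev, cur in zip(history, history[1:])
            if grade_change_triggers(prev, cur, change_direction)]


def threshold_alert_dates(history, change_direction, threshold):
    """Dates on which a score-threshold alert would fire."""
    return [cur.date for prev, cur in zip(history, history[1:])
            if score_threshold_triggers(prev, cur, change_direction, threshold)]


if __name__ == "__main__":
    print("grade drops:", grade_alert_dates(HISTORY, "drops"))
    print("drops below 80:", threshold_alert_dates(HISTORY, "drops_below", 80))
```

Feeding the output of `securityscorecard-company-history-score-get` through these functions shows how noisy a given threshold would have been over the past period, which is the usual question before choosing a `threshold` value.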
### securityscorecard-alert-delete

Delete an alert.
#### Base Command

`securityscorecard-alert-delete`
#### Input

Argument Name | Description | Required |
---|---|---|
alert_id | Alert ID. | Required |
alert_type | Type of Alert to delete. Possible values are: score, grade. | Required |
#### Context Output

There is no context output for this command.
### securityscorecard-alerts-list

List alerts triggered in the last week.
#### Base Command

`securityscorecard-alerts-list`
#### Input

Argument Name | Description | Required |
---|---|---|
portfolio_id | Portfolio ID. Can be retrieved using !securityscorecard-portfolios-list. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Alerts.Alert.id | String | Alert ID. |
SecurityScorecard.Alerts.Alert.email | String | Alert email recipient. |
SecurityScorecard.Alerts.Alert.change_type | String | Alert change type configured (score or threshold). |
SecurityScorecard.Alerts.Alert.domain | String | Alert domain. |
SecurityScorecard.Alerts.Alert.company_name | String | Alert company name. |
SecurityScorecard.Alerts.Alert.Portfolio.id | array | Alert Portfolio ID. |
SecurityScorecard.Alerts.Alert.my_scorecard | Boolean | Whether the alert was triggered on private scorecard. This depends on whether 'my_scorecard' was added to the optional argument 'target' when creating alerts using the 'securityscorecard-alert-score-threshold-create' and 'securityscorecard-alert-grade-change-create' commands. |
SecurityScorecard.Alerts.Alert.created_at | Date | Timestamp of when the alert was triggered. |
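
The alert list above is also what the instance's fetch-incidents setting consumes, under the constraints in the configuration table: the API only provides 7 days of alerts, a first fetch of less than 2 days is recommended, and at most 50 alerts are fetched per run. The following is an added example, not the integration's own fetch-incidents code, that combines those settings with the `SecurityScorecard.Alerts.Alert` shape into an incremental fetch that neither drops nor duplicates alerts sharing a timestamp. The `last_run` layout, the sample alerts and the incident field names are this example's assumptions.

```python
# Added example (not the integration's own fetch-incidents code): how the
# "First fetch" / "Fetch Limit" settings from the configuration table and the
# alert shape from securityscorecard-alerts-list combine into an incremental,
# duplicate-free fetch. Sample alerts and the last_run layout are assumptions.
import json
import re
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=7)  # the API provides at most 7 days of alerts
MAX_FETCH_LIMIT = 50              # "The maximum is 50"
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def parse_first_fetch(text):
    """Parse '<number> <time unit>' (e.g. '12 hours', '7 days') into a timedelta,
    clamped to the 7 days the API can return."""
    match = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"Unrecognised first fetch value: '{text}'")
    delta = timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()])
    return min(delta, MAX_LOOKBACK)


def parse_created_at(value):
    """Parse the created_at timestamp of an alert (assumed ISO 8601 with ms and Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def fetch_new_alerts(alerts, last_run, now, first_fetch="1 day", limit=MAX_FETCH_LIMIT):
    """Select alerts that have not yet been turned into incidents.

    last_run is {"last_created_at": "<created_at>", "seen_ids": [ids at that
    timestamp]}. Alerts are ordered by (created_at, id) and capped at `limit`;
    the ids sharing the newest created_at are remembered so that a batch cut
    mid-timestamp neither drops nor repeats an alert on the next run.
    Returns (incidents, new_last_run).
    """
    limit = max(1, min(int(limit), MAX_FETCH_LIMIT))
    seen = set(last_run.get("seen_ids", []))
    if last_run.get("last_created_at"):
        cutoff = parse_created_at(last_run["last_created_at"])
    else:
        cutoff = now - parse_first_fetch(first_fetch)

    candidates = [a for a in alerts
                  if parse_created_at(a["created_at"]) >= cutoff and a["id"] not in seen]
    candidates.sort(key=lambda a: (parse_created_at(a["created_at"]), a["id"]))
    picked = candidates[:limit]
    if not picked:
        return [], last_run

    newest = picked[-1]["created_at"]
    seen_at_newest = {a["id"] for a in picked if a["created_at"] == newest}
    if last_run.get("last_created_at") == newest:
        seen_at_newest |= seen  # same timestamp as last run: keep the earlier ids too
    incidents = [
        {
            "name": f"SecurityScorecard {a['change_type']} alert: {a['domain']}",
            "occurred": a["created_at"],
            "rawJSON": json.dumps(a),
        }
        for a in picked
    ]
    return incidents, {"last_created_at": newest, "seen_ids": sorted(seen_at_newest)}


# Constructed sample alerts in the shape of SecurityScorecard.Alerts.Alert.
SAMPLE_ALERTS = [
    {"id": "alert-1", "change_type": "score", "domain": "example.com",
     "company_name": "Example Co", "created_at": "2024-08-19T09:00:00.000Z"},
    {"id": "alert-2", "change_type": "threshold", "domain": "example.org",
     "company_name": "Example Org", "created_at": "2024-08-20T09:00:00.000Z"},
    {"id": "alert-3", "change_type": "score", "domain": "example.net",
     "company_name": "Example Net", "created_at": "2024-08-20T09:00:00.000Z"},
]
NOW = datetime(2024, 8, 21, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


if __name__ == "__main__":
    first, state = fetch_new_alerts(SAMPLE_ALERTS, {}, NOW)
    print(len(first), "incidents on first run; state:", state)
    again, _ = fetch_new_alerts(SAMPLE_ALERTS, state, NOW)
    print(len(again), "incidents on second run")
```

Keeping the ids seen at the newest timestamp, rather than only the timestamp, is what makes the `Fetch Limit` cap safe: with `limit=1` the two alerts created at the same second arrive on consecutive runs instead of the second one being lost.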
### securityscorecard-company-services-get

Retrieve the service providers of a domain.
#### Base Command

`securityscorecard-company-services-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Service.vendor_domain | String | Vendor domain, e.g. Google, Amazon. |
SecurityScorecard.Service.client_domain | String | Client domain. This value is identical to the input of the domain argument. |
SecurityScorecard.Service.categories | array | Vendor service provider, e.g. mail_provider, nameserver_provider. |
### securityscorecard-company-events-get

Retrieve a company's historical events.
#### Base Command

`securityscorecard-company-events-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain, e.g. google.com. | Required |
date_from | Initial date for historical data. Value should be in the format 2020-01-30T00:00:00.000Z. | Optional |
date_to | End date for historical data. Value should be in the format 2020-01-30T00:00:00.000Z. | Optional |
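
The history commands take `from`/`to` in `YYYY-MM-DD`, while this command takes `date_from`/`date_to` in the `2020-01-30T00:00:00.000Z` form, and none of the tables state what happens when the range is reversed. The following is an added example, not the integration's own code, that validates both argument pairs and the optional `timing` granularity before the API call; the argument names come from the tables above, the error wording and the ordering rule are this example's own.

```python
# Added example (not the integration's own code): validate the date arguments
# of securityscorecard-company-history-score-get and
# securityscorecard-company-history-factor-score-get (YYYY-MM-DD) and of
# securityscorecard-company-events-get (2020-01-30T00:00:00.000Z style)
# before calling the API.
from datetime import datetime

# Map the format names used in the argument tables to strptime patterns.
DATE_FORMATS = {
    "YYYY-MM-DD": "%Y-%m-%d",
    "YYYY-MM-DDTHH:MM:SS.sssZ": "%Y-%m-%dT%H:%M:%S.%fZ",
}


def parse_date_arg(name, value, fmt):
    """Parse one optional date argument; an absent argument stays None."""
    if value in (None, ""):
        return None
    try:
        return datetime.strptime(value, DATE_FORMATS[fmt])
    except ValueError:
        raise ValueError(f"'{name}' must be in the format {fmt}, got '{value}'") from None


def validate_date_range(start_name, start, end_name, end, fmt="YYYY-MM-DD"):
    """Parse both ends of an optional range and require start <= end (example rule)."""
    start_dt = parse_date_arg(start_name, start, fmt)
    end_dt = parse_date_arg(end_name, end, fmt)
    if start_dt and end_dt and start_dt > end_dt:
        raise ValueError(f"'{start_name}' ({start}) is after '{end_name}' ({end})")
    return start_dt, end_dt


def check_timing(value, allowed=("daily", "weekly")):
    """Optional timing argument: None, or one of the documented granularities.
    Pass allowed=("daily", "weekly", "monthly") for the factor history command."""
    if value in (None, ""):
        return None
    if value not in allowed:
        raise ValueError(f"'timing' must be one of {', '.join(allowed)}, got '{value}'")
    return value


def history_args_error(args):
    """Validation message for the from/to/timing arguments of the history commands, or None."""
    try:
        validate_date_range("from", args.get("from"), "to", args.get("to"), "YYYY-MM-DD")
        check_timing(args.get("timing"))
    except ValueError as exc:
        return str(exc)
    return None


def events_args_error(args):
    """Validation message for the date_from/date_to arguments of the events command, or None."""
    try:
        validate_date_range("date_from", args.get("date_from"),
                            "date_to", args.get("date_to"), "YYYY-MM-DDTHH:MM:SS.sssZ")
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(history_args_error({"from": "2024-08-20", "to": "2024-08-01"}))
    print(events_args_error({"date_from": "2024-08-01"}))
```

Rejecting a bare `2024-08-01` for `date_from` is deliberate: the events command documents the timestamp form, and passing the short form would otherwise surface as an opaque API error inside a playbook.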
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Events.Event.ssc_event_id | string | Event ID. |
SecurityScorecard.Events.Event.date | date | Event date. |
SecurityScorecard.Events.Event.status | unknown | Event status. |
SecurityScorecard.Events.Event.issue_count | number | Event issue count. |
SecurityScorecard.Events.Event.score_impact | number | Event score impact. |
SecurityScorecard.Events.Event.issue_type | string | Event issue type. |
SecurityScorecard.Events.Event.severity | string | Event severity. |
SecurityScorecard.Events.Event.factor | string | Event factor. |
SecurityScorecard.Events.Event.ssc_detail_url | string | Event detail URL. |
### securityscorecard-company-findings-get

Retrieve an issue_type's historical findings in a scorecard.
#### Base Command

`securityscorecard-company-findings-get`
#### Input

Argument Name | Description | Required |
---|---|---|
domain | Company domain. | Required |
date | The effective_date for historical data. Value should be in format 'YYYY-MM-DD'. | Required |
issue_type | Key representing issue type, e.g. api_key_exposed. | Required |
status | group_status filter. Comma-separated list of the following values: 'active', 'inactive', 'all'. | Optional |
#### Context Output

There is no context output for this command.
### securityscorecard-issue-metadata

Retrieve metadata for an issue type, including description and recommendation.
#### Base Command

`securityscorecard-issue-metadata`
#### Input

Argument Name | Description | Required |
---|---|---|
issue_type | Key representing issue type, e.g. api_key_exposed. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
SecurityScorecard.Metadata.Issues.key | string | Key representing issue type, e.g. api_key_exposed. |
SecurityScorecard.Metadata.Issues.severity | string | Issue severity. |
SecurityScorecard.Metadata.Issues.factor | string | Issue factor. |
SecurityScorecard.Metadata.Issues.title | string | Issue title. |
SecurityScorecard.Metadata.Issues.short_description | string | Issue short description. |
SecurityScorecard.Metadata.Issues.long_description | string | Issue long description. |
SecurityScorecard.Metadata.Issues.recommendation | string | Issue recommendation. |