XM Cyber
XM Cyber Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights. This integration was integrated and tested with version 1.43.0.355 of XMCyber
#
Configure XM Cyber in CortexParameter | Description | Required |
---|---|---|
API Key | True | |
URL | True | |
Use system proxy settings | False | |
Trust any certificate (not secure) | False | |
Fetch incidents | False | |
Incident type | False | |
Maximum number of incidents per fetch | False | |
First fetch | False | |
Source Reliability | Reliability of the source providing the intelligence data. | False |
False | ||
False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
xmcyber-affected-critical-assets-listList critical assets at risk from an entity and the complexity of the attack
#
Base Commandxmcyber-affected-critical-assets-list
#
InputArgument Name | Description | Required |
---|---|---|
timeId | The relevant period of time. The options are timeAgo_days_7 (past 7 days) timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month. | Optional |
entityId | Entity ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.criticalAssetsAtRiskList.name | String | Compromising Technique name |
XMCyber.Entity.criticalAssetsAtRiskList.average | Number | Average attack complexity |
XMCyber.Entity.criticalAssetsAtRiskList.minimum | Number | Minimum attack complexity |
#
xmcyber-affected-entities-listList all entities at risk from an entity and the complexity of the attack
#
Command Example!xmcyber-affected-critical-assets-list entityId=872743867762485580
#
Context Example#
Human Readable Outputfound 6 affected critical assets from 872743867762485580. Top 5:
Asset Display Name Average Complexity Minimum Complexity SQLSERVERB 2 2 USERAA35 2 2 USERAA03 4 4 USERBB37 4 4 WSUSA 4 4
#
Base Commandxmcyber-affected-entities-list
#
InputArgument Name | Description | Required |
---|---|---|
timeId | The relevant period of time. The options are timeAgo_days_7 (past 7 days) timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month. | Optional |
entityId | Entity ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.entitiesAtRiskList.name | String | Compromising Techinique Name |
XMCyber.Entity.entitiesAtRiskList.technique | String | The attack technique which compromised the entity |
#
Command Example!xmcyber-affected-entities-list entityId=872743867762485580
#
Context Example#
Human Readable Outputfound 2 affected entities from 872743867762485580. Top 5:
Display Name Technique SQLSERVERB Microsoft SQL Credentials Usage share Taint Shared Content
#
xmcyber-version-supportedCheck if current XM version supports Cortex Xsoar integration
#
Base Commandxmcyber-version-supported
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Version.valid | Boolean | Flag that indicates if the version is valid |
#
Command Example!xmcyber-version-supported
#
Context Example#
Human Readable Output#
Results
valid true
#
xmcyber-version-getGet current xm version
#
Base Commandxmcyber-version-get
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Version.system | String | Get current system version |
#
Command Example!xmcyber-version-get
#
Context Example#
Human Readable Output#
Results
db north south system updater 4.2.3 1.0.3369+6514 2.1.967.352 1.38.0.12861 1.4.134.11886
#
xmcyber-enrich-from-ipReturn data on Entity by IP from XM Cyber
#
Base Commandxmcyber-enrich-from-ip
#
InputArgument Name | Description | Required |
---|---|---|
ip | List of IPs. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.name | String | Entity Name |
XMCyber.Entity.isAsset | Boolean | Entity is a critical asset |
XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
XMCyber.Entity.compromisingTechniques.technique | String | Technique compromising this entity |
XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
XMCyber.Entity.type | String | Entity Type |
XMCyber.Entity.report | String | Link to the Entity Report |
IP.Address | String | IP address. |
Endpoint.Hostname | String | The hostname to matching the IP in XM Cyber |
Endpoint.IP | String | IP address |
Endpoint.OS | String | OS of the matched endpoint |
#
xmcyber-enrich-from-entityIdReturn data on Entity by entityId from XM Cyber
#
Base Commandxmcyber-enrich-from-entityId
#
InputArgument Name | Description | Required |
---|---|---|
entityId | List of entityIds. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.name | String | Entity Name |
XMCyber.Entity.isAsset | Boolean | Entity is a critical asset |
XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
XMCyber.Entity.compromisingTechniques.technique | String | Technique compromising this entity |
XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
XMCyber.Entity.type | String | Entity Type |
XMCyber.Entity.report | String | Link to the Entity Report |
Host.Hostname | String | The name of the host. |
Host.ID | String | The unique ID within the tool retrieving the host. |
Host.IP | String | The IP address of the host. |
#
xmcyber-enrich-from-hostnameReturn data on Entity by hostname from XM Cyber
#
Base Commandxmcyber-enrich-from-hostname
#
InputArgument Name | Description | Required |
---|---|---|
entityId | List of entityIds. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.name | String | Entity Name |
XMCyber.Entity.isAsset | Boolean | Entity is a critical asset |
XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
XMCyber.Entity.compromisingTechniques.technique | String | Technique compromising this entity |
XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
XMCyber.Entity.type | String | Entity Type |
XMCyber.Entity.report | String | Link to the Entity Report |
Host.Hostname | String | The name of the host. |
Host.ID | String | The unique ID within the tool retrieving the host. |
Host.IP | String | The IP address of the host. |
#
xmcyber-enrich-from-fieldsReturn data on an XM entity
#
Base Commandxmcyber-enrich-from-fields
#
InputArgument Name | Description | Required |
---|---|---|
fields | Comma-separated list of fields to search for the entity. | Required |
values | Comma-separated list of values (in the same order than the fields list) used to search for the entity. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
XMCyber.Entity.id | String | XMCyber Entity ID |
XMCyber.Entity.name | String | Entity Name |
XMCyber.Entity.isAsset | Boolean | Entity is a critical asset |
XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
XMCyber.Entity.compromisingTechniques.technique | String | Technique compromising this entity |
XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
XMCyber.Entity.type | String | Entity Type |
XMCyber.Entity.report | String | Link to the Entity Report |
Host.Hostname | String | The name of the host. |
Host.ID | String | The unique ID within the tool retrieving the host. |
Host.IP | String | The IP address of the host. |