
XM Cyber

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally, incidents are enriched with incoming attack vectors to the incident's endpoints and with the critical assets at risk from the incident. This integration was integrated and tested with version 1.38 of XMCyber.

Configure XMCyber on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for XMCyber.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| apikey | API Key | True |
| url | URL | True |
| proxy | Use system proxy settings | False |
| insecure | Trust any certificate (not secure) | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| max_fetch | Maximum number of incidents per fetch | False |
| first_fetch | First fetch | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xmcyber-affected-critical-assets-list

List critical assets at risk from an entity and the complexity of the attack.

Base Command

xmcyber-affected-critical-assets-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeId | timeId, for example timeAgo_days_7 | Optional |
| entityId | Entity ID | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.criticalAssetsAtRiskList.name | String | Compromising Technique Name |
| XMCyber.Entity.criticalAssetsAtRiskList.average | Number | Average attack complexity |
| XMCyber.Entity.criticalAssetsAtRiskList.minimum | Number | Minimum attack complexity |

Command Example

!xmcyber-affected-critical-assets-list entityId=872743867762485580

Context Example

{
"XMCyber": {
"criticalAssetsAtRiskList": [
{
"average": 2,
"minimum": 2,
"name": "SQLSERVERB"
},
{
"average": 2,
"minimum": 2,
"name": "USERAA35"
},
{
"average": 4,
"minimum": 4,
"name": "USERAA03"
},
{
"average": 4,
"minimum": 4,
"name": "USERBB37"
},
{
"average": 4,
"minimum": 4,
"name": "WSUSA"
},
{
"average": 4.67,
"minimum": 4,
"name": "FileServerA"
},
{
"average": 6,
"minimum": 6,
"name": "LNK-Win10"
},
{
"average": 6,
"minimum": 6,
"name": "USERAA04"
},
{
"average": 6,
"minimum": 6,
"name": "USERAA99"
},
{
"average": 6,
"minimum": 6,
"name": "USERBB05"
},
{
"average": 6,
"minimum": 6,
"name": "USERBB07"
},
{
"average": 8,
"minimum": 8,
"name": "TerminalServerA"
},
{
"average": 8,
"minimum": 8,
"name": "USERAA05"
},
{
"average": 10,
"minimum": 10,
"name": "DCA22008R2"
},
{
"average": 10,
"minimum": 10,
"name": "artiom"
},
{
"average": 10,
"minimum": 10,
"name": "maayan-test-user"
},
{
"average": 11,
"minimum": 8,
"name": "artiom AKIA**SLZV"
},
{
"average": 11,
"minimum": 8,
"name": "maayan-test-user AKIA**WGSM"
},
{
"average": 11.33,
"minimum": 6,
"name": "DCA1NEW"
},
{
"average": 12,
"minimum": 12,
"name": "AmazonSSMManagedInstanceCore"
},
{
"average": 12,
"minimum": 12,
"name": "LinuxAgent01"
},
{
"average": 12,
"minimum": 12,
"name": "LinuxAgent02"
},
{
"average": 14,
"minimum": 14,
"name": "IISSERVERB"
},
{
"average": 14,
"minimum": 10,
"name": "ssh-from-model (i-0178d087ca0b118f7)"
},
{
"average": 15,
"minimum": 12,
"name": "model-bucket-comp-by-user"
},
{
"average": 15,
"minimum": 12,
"name": "s3-comp-by-read-data"
},
{
"average": 16,
"minimum": 12,
"name": "ec2_struts_2 (i-00aa84a2ffd5bce67)"
},
{
"average": 18,
"minimum": 14,
"name": "access-to-model-bucket"
},
{
"average": 20,
"minimum": 16,
"name": "model-bucket-from-struts"
},
{
"average": 22,
"minimum": 22,
"name": "USERBB03"
},
{
"average": 24,
"minimum": 24,
"name": "USERBB01"
},
{
"average": 24,
"minimum": 24,
"name": "USERBB32"
},
{
"average": 28,
"minimum": 28,
"name": "USERBB31"
},
{
"average": 28,
"minimum": 28,
"name": "USERBB36"
},
{
"average": 30,
"minimum": 30,
"name": "USERBB27"
},
{
"average": 30,
"minimum": 30,
"name": "USERBB50"
}
],
"entityId": "872743867762485580"
}
}

Human Readable Output

found 36 affected critical assets from 872743867762485580. Top 5:

| Asset Display Name | Average Complexity | Minimum Complexity |
| --- | --- | --- |
| SQLSERVERB | 2 | 2 |
| USERAA35 | 2 | 2 |
| USERAA03 | 4 | 4 |
| USERBB37 | 4 | 4 |
| WSUSA | 4 | 4 |
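The table above is the integration's own rendering of the command's context. As an added example (not part of the XM Cyber integration code), the following script reproduces that triage from the context shape shown on the page: rank assets by how easy they are to reach (lowest average complexity first) and flag those that any single path reaches below a threshold, which the average alone hides (DCA1NEW averages 11.33 but has a path at 6). The sample context is an abbreviated copy of the page's context example; the helper names and the threshold are this example's own choices.

```python
from typing import Dict, List

# Constructed sample, abbreviated from the page's context example.
SAMPLE_CONTEXT = {
    "XMCyber": {
        "entityId": "872743867762485580",
        "criticalAssetsAtRiskList": [
            {"name": "SQLSERVERB", "average": 2, "minimum": 2},
            {"name": "USERAA35", "average": 2, "minimum": 2},
            {"name": "USERAA03", "average": 4, "minimum": 4},
            {"name": "FileServerA", "average": 4.67, "minimum": 4},
            {"name": "DCA1NEW", "average": 11.33, "minimum": 6},
            {"name": "USERBB50", "average": 30, "minimum": 30},
        ],
    }
}


def rank_assets(context: Dict, top: int = 5) -> List[Dict]:
    """Return the `top` assets that are easiest to reach: lowest average
    complexity first, ties broken by minimum complexity, then by name."""
    assets = context["XMCyber"]["criticalAssetsAtRiskList"]
    key = lambda a: (a["average"], a["minimum"], a["name"])
    return sorted(assets, key=key)[:top]


def quick_wins(context: Dict, max_minimum: int) -> List[str]:
    """Names of assets that at least one attack path reaches at a minimum
    complexity <= max_minimum, regardless of the average complexity.
    These deserve a look even when they rank low on the average."""
    assets = context["XMCyber"]["criticalAssetsAtRiskList"]
    return sorted(a["name"] for a in assets if a["minimum"] <= max_minimum)


def to_markdown(context: Dict, top: int = 5) -> str:
    """Render the same War Room table the integration shows (assumed
    format: the header line and column names copied from the page)."""
    entity = context["XMCyber"]["entityId"]
    total = len(context["XMCyber"]["criticalAssetsAtRiskList"])
    lines = [
        f"found {total} affected critical assets from {entity}. Top {top}:",
        "",
        "| Asset Display Name | Average Complexity | Minimum Complexity |",
        "| --- | --- | --- |",
    ]
    for a in rank_assets(context, top):
        lines.append(f"| {a['name']} | {a['average']} | {a['minimum']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(SAMPLE_CONTEXT))
    print("quick wins (min <= 6):", quick_wins(SAMPLE_CONTEXT, 6))
```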

xmcyber-affected-entities-list

List all entities at risk from an entity and the complexity of the attack.

Base Command

xmcyber-affected-entities-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeId | timeId, for example timeAgo_days_7 | Optional |
| entityId | Entity ID | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.entitiesAtRiskList.name | String | Compromising Technique Name |
| XMCyber.Entity.entitiesAtRiskList.technique | String | The attack technique which compromised the entity |

Command Example

!xmcyber-affected-entities-list entityId=872743867762485580

Context Example

{
"XMCyber": {
"entitiesAtRiskList": [
{
"name": "SQLSERVERB",
"technique": "Microsoft SQL Credentials Usage"
},
{
"name": "share",
"technique": "Taint Shared Content"
}
],
"entityId": "872743867762485580"
}
}

Human Readable Output

found 2 affected entities from 872743867762485580. Top 5:

| Display Name | Technique |
| --- | --- |
| SQLSERVERB | Microsoft SQL Credentials Usage |
| share | Taint Shared Content |

xmcyber-version-supported

Check if the current XM version supports the Cortex XSOAR integration.

Base Command

xmcyber-version-supported

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Version.valid | Boolean | Flag that indicates if the version is valid |

Command Example

!xmcyber-version-supported

Context Example

{
"XMCyber": {
"IsVersion": {
"valid": true
}
}
}

Human Readable Output

Results

| valid |
| --- |
| true |

xmcyber-version-get

Get the current XM version.

Base Command

xmcyber-version-get

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Version.system | String | Get current system version |

Command Example

!xmcyber-version-get

Context Example

{
"XMCyber": {
"Version": {
"db": "4.2.3",
"north": "1.0.3369+6514",
"south": "2.1.967.352",
"system": "1.38.0.12861",
"updater": "1.4.134.11886"
}
}
}

Human Readable Output

Results

| db | north | south | system | updater |
| --- | --- | --- | --- | --- |
| 4.2.3 | 1.0.3369+6514 | 2.1.967.352 | 1.38.0.12861 | 1.4.134.11886 |

ip

Return data on an Entity by IP from XM Cyber.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| entityId | String | XMCyber Entity ID |
| name | String | Entity Name |
| isAsset | Boolean | Is Entity a Critical Asset |
| XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
| averageComplexity | Number | Average complexity to compromise this entity |
| criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| compromisingTechniques.name | String | Technique compromising this entity |
| compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| entityType | String | Entity Type |
| entityReport | String | Link to the Entity Report |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | String | IP address. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| IP.ASN | String | The autonomous system name for the IP address. |

Command Example

!ip ip=192.168.170.60

Context Example

{
"DBotScore": {
"Indicator": "192.168.170.60",
"Score": 3,
"Type": "ip",
"Vendor": "XMCyber"
},
"IP": {
"Address": "192.168.170.60",
"Malicious": {
"Description": "XM Cyber affected assets low",
"Vendor": "XMCyber"
}
},
"XMCyber": {
"affectedEntities": 2,
"averageComplexity": 8.67,
"averageComplexityLevel": "low",
"compromisingTechniques": [
{
"count": 78,
"name": "Script Infector for Shared Files"
},
{
"count": 24,
"name": "Group Policy Modification"
}
],
"criticalAssetsAtRisk": 36,
"criticalAssetsAtRiskLevel": "low",
"displayName": "USERBB02",
"entityId": "872743867762485580",
"entityReport": "https://xmcyber.example.com/#/scenarioHub/entityReport/872743867762485580?timeId=timeAgo_days_7",
"entityType": "Sensor",
"isAsset": true
}
}

Human Readable Output

Resolved the following entities for IP 192.168.170.60

| Property | Value |
| --- | --- |
| Entity Id | 872743867762485580 |
| Display Name | USERBB02 |
| Entity Type | Sensor |
| Entity Report | USERBB02 |

xmcyber-entity-get

Return data on an Entity by IP or hostname from XM Cyber.

Base Command

xmcyber-entity-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs | Optional |
| hostname | List of hostnames | Optional |
| entityId | List of XMCyber Entity IDs | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| entityId | String | XMCyber Entity ID |
| name | String | Entity Name |
| isAsset | Boolean | Is Entity a Critical Asset |
| affectedEntities | Number | Number of unique entities at risk from this entity |
| averageComplexity | Number | Average complexity to compromise this entity |
| criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| compromisingTechniques.name | String | Technique compromising this entity |
| compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| entityType | String | Entity Type |
| entityReport | String | Link to the Entity Report |

Command Example

!xmcyber-entity-get ip=172.0.0.1 hostname=pc-5123 entityId=872743867762485580

Context Example

{
"XMCyber": null
}

Human Readable Output

Matched the following entities

| Property | Value |
| --- | --- |
| Entity Id | 872743867762485580 |
| Display Name | USERBB02 |
| Entity Type | Sensor |
| Entity Report | USERBB02 |

hostname

Return data on an Entity by hostname from XM Cyber.

Base Command

hostname

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | List of hostnames. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| entityId | String | XMCyber Entity ID |
| name | String | Entity Name |
| isAsset | Boolean | Is Entity a Critical Asset |
| affectedEntities | Number | Number of unique entities at risk from this entity |
| averageComplexity | Number | Average complexity to compromise this entity |
| criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| compromisingTechniques.name | String | Technique compromising this entity |
| compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| entityType | String | Entity Type |
| entityReport | String | Link to the Entity Report |
| Host.Domain | String | The domain of the host. |
| Host.Hostname | String | The name of the host. |
| Host.BIOVersion | String | The BIOS version of the host. |
| Host.ID | String | The unique ID within the tool retrieving the host. |
| Host.DHCPServer | String | The DHCP server. |
| Host.IP | String | The IP address of the host. |
| Host.MACAddress | String | The MAC address of the host. |
| Host.Memory | String | Memory on the host. |
| Host.Model | String | The model of the host. |
| Host.OS | String | Host OS. |
| Host.OSVersion | String | The OS version of the host. |
| Host.Processor | String | The processor of the host. |
| Host.Processors | Number | The number of processors that the host is using. |

Command Example

!hostname hostname=USERBB02

Context Example

{
"Endpoint": {
"Domain": "model3b.domainb.demo",
"Hostname": "USERBB02",
"ID": "872743867762485580",
"IPAddress": [
"192.168.170.60"
],
"OS": "Windows",
"OSVersion": "Windows 7 SP 1.0"
},
"XMCyber": {
"affectedEntities": 2,
"averageComplexity": 8.67,
"averageComplexityLevel": "low",
"compromisingTechniques": [
{
"count": 78,
"name": "Script Infector for Shared Files"
},
{
"count": 24,
"name": "Group Policy Modification"
}
],
"criticalAssetsAtRisk": 36,
"criticalAssetsAtRiskLevel": "low",
"displayName": "USERBB02",
"entityId": "872743867762485580",
"entityReport": "https://xmcyber.example.com/#/scenarioHub/entityReport/872743867762485580?timeId=timeAgo_days_7",
"entityType": "Sensor",
"isAsset": true
}
}

Human Readable Output

Matched the following entities for hostname USERBB02

| Property | Value |
| --- | --- |
| Entity Id | 872743867762485580 |
| Display Name | USERBB02 |
| Entity Type | Sensor |
| Entity Report | USERBB02 |