
XM Cyber

This Integration is part of the XM Cyber Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally, incidents are enriched with incoming attack vectors to the incident's endpoints and with critical assets at risk from the incident. This integration was integrated and tested with version 1.43.0.355 of XMCyber.

Configure XM Cyber on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for XM Cyber.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | API Key | True |
    | URL | True |
    | Use system proxy settings | False |
    | Trust any certificate (not secure) | False |
    | Fetch incidents | False |
    | Incident type | False |
    | Maximum number of incidents per fetch | False |
    | First fetch | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xmcyber-affected-critical-assets-list#


List critical assets at risk from an entity and the complexity of the attack

Base Command#

xmcyber-affected-critical-assets-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| timeId | The relevant period of time. The options are timeAgo_days_7 (past 7 days), timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month. | Optional |
| entityId | Entity ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.criticalAssetsAtRiskList.name | String | Compromising Technique Name |
| XMCyber.Entity.criticalAssetsAtRiskList.average | Number | Average attack complexity |
| XMCyber.Entity.criticalAssetsAtRiskList.minimum | Number | Minimum attack complexity |

Command Example#

!xmcyber-affected-critical-assets-list entityId=872743867762485580

Context Example#

{
    "XMCyber": {
        "criticalAssetsAtRiskList": [
            {
                "average": 2,
                "minimum": 2,
                "name": "SQLSERVERB"
            },
            {
                "average": 2,
                "minimum": 2,
                "name": "USERAA35"
            },
            {
                "average": 4,
                "minimum": 4,
                "name": "USERAA03"
            },
            {
                "average": 4,
                "minimum": 4,
                "name": "USERBB37"
            },
            {
                "average": 4,
                "minimum": 4,
                "name": "WSUSA"
            },
            {
                "average": 4.67,
                "minimum": 4,
                "name": "FileServerA"
            }
        ],
        "entityId": "872743867762485580"
    }
}

Human Readable Output#

found 6 affected critical assets from 872743867762485580. Top 5:

| Asset Display Name | Average Complexity | Minimum Complexity |
| --- | --- | --- |
| SQLSERVERB | 2 | 2 |
| USERAA35 | 2 | 2 |
| USERAA03 | 4 | 4 |
| USERBB37 | 4 | 4 |
| WSUSA | 4 | 4 |

xmcyber-affected-entities-list#


List all entities at risk from an entity and the complexity of the attack

Base Command#

xmcyber-affected-entities-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| timeId | The relevant period of time. The options are timeAgo_days_7 (past 7 days), timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month. | Optional |
| entityId | Entity ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.entitiesAtRiskList.name | String | Compromising Technique Name |
| XMCyber.Entity.entitiesAtRiskList.technique | String | The attack technique which compromised the entity |

Command Example#

!xmcyber-affected-entities-list entityId=872743867762485580

Context Example#

{
    "XMCyber": {
        "entitiesAtRiskList": [
            {
                "name": "SQLSERVERB",
                "technique": "Microsoft SQL Credentials Usage"
            },
            {
                "name": "share",
                "technique": "Taint Shared Content"
            }
        ],
        "entityId": "872743867762485580"
    }
}

Human Readable Output#

found 2 affected entities from 872743867762485580. Top 5:

| Display Name | Technique |
| --- | --- |
| SQLSERVERB | Microsoft SQL Credentials Usage |
| share | Taint Shared Content |
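
An added example (not part of the XM Cyber integration or this page's own code) of how a playbook automation might combine the context output of xmcyber-affected-critical-assets-list and xmcyber-affected-entities-list into one triage summary, using the two Context Example payloads shown above. The function names, the max_minimum threshold, the zero-padded month in monthly_YYYY_MM, and the reading that a lower complexity value means an easier attack are assumptions.

```python
import re
from collections import Counter

# timeId options listed in the Input tables; a zero-padded month is an assumption.
TIME_ID_RE = re.compile(r"timeAgo_days_(7|14|30)|monthly_\d{4}_(0[1-9]|1[0-2])")

def valid_time_id(time_id):
    """Return True if time_id is one of the documented timeId forms."""
    return TIME_ID_RE.fullmatch(time_id) is not None

def triage(assets_ctx, entities_ctx, max_minimum=2):
    """Summarise what one entity puts at risk, easiest targets first.

    Assumptions: a lower complexity value means an easier attack, and
    max_minimum is a hypothetical urgency threshold chosen for this example.
    """
    assets, entities = assets_ctx["XMCyber"], entities_ctx["XMCyber"]
    if assets["entityId"] != entities["entityId"]:
        raise ValueError("contexts describe different entities")
    ranked = sorted(assets["criticalAssetsAtRiskList"],
                    key=lambda a: (a["minimum"], a["average"], a["name"]))
    return {
        "entityId": assets["entityId"],
        "urgent": [a["name"] for a in ranked if a["minimum"] <= max_minimum],
        "ranked": [a["name"] for a in ranked],
        "techniques": Counter(e["technique"] for e in entities["entitiesAtRiskList"]),
    }

# Sample contexts copied from the two Context Example sections on this page.
ASSETS = {"XMCyber": {"entityId": "872743867762485580", "criticalAssetsAtRiskList": [
    {"average": 2, "minimum": 2, "name": "SQLSERVERB"},
    {"average": 2, "minimum": 2, "name": "USERAA35"},
    {"average": 4, "minimum": 4, "name": "USERAA03"},
    {"average": 4, "minimum": 4, "name": "USERBB37"},
    {"average": 4, "minimum": 4, "name": "WSUSA"},
    {"average": 4.67, "minimum": 4, "name": "FileServerA"},
]}}
ENTITIES = {"XMCyber": {"entityId": "872743867762485580", "entitiesAtRiskList": [
    {"name": "SQLSERVERB", "technique": "Microsoft SQL Credentials Usage"},
    {"name": "share", "technique": "Taint Shared Content"},
]}}

if __name__ == "__main__":
    summary = triage(ASSETS, ENTITIES)
    print(summary["urgent"], dict(summary["techniques"]))
```
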

xmcyber-version-supported#


Check if the current XM version supports the Cortex XSOAR integration

Base Command#

xmcyber-version-supported

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Version.valid | Boolean | Flag that indicates if the version is valid |

Command Example#

!xmcyber-version-supported

Context Example#

{
    "XMCyber": {
        "IsVersion": {
            "valid": true
        }
    }
}

Human Readable Output#

Results#

| valid |
| --- |
| true |

xmcyber-version-get#


Get the current XM version

Base Command#

xmcyber-version-get

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Version.system | String | Get current system version |

Command Example#

!xmcyber-version-get

Context Example#

{
    "XMCyber": {
        "Version": {
            "db": "4.2.3",
            "north": "1.0.3369+6514",
            "south": "2.1.967.352",
            "system": "1.38.0.12861",
            "updater": "1.4.134.11886"
        }
    }
}

Human Readable Output#

Results#

| db | north | south | system | updater |
| --- | --- | --- | --- | --- |
| 4.2.3 | 1.0.3369+6514 | 2.1.967.352 | 1.38.0.12861 | 1.4.134.11886 |

xmcyber-enrich-from-ip#


Return data on Entity by IP from XM Cyber

Base Command#

xmcyber-enrich-from-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.name | String | Entity Name |
| XMCyber.Entity.isAsset | Boolean | Is Entity a Critical Asset |
| XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
| XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
| XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| XMCyber.Entity.compromisingTechniques.name | String | Technique compromising this entity |
| XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| XMCyber.Entity.type | String | Entity Type |
| XMCyber.Entity.report | String | Link to the Entity Report |
| IP.Address | String | IP address. |
| Endpoint.Hostname | String | The hostname matching the IP in XM Cyber |
| Endpoint.IP | String | IP address |
| Endpoint.OS | String | OS of the matched endpoint |

xmcyber-enrich-from-entityId#


Return data on Entity by entityId from XM Cyber

Base Command#

xmcyber-enrich-from-entityId

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entityId | List of entityIds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.name | String | Entity Name |
| XMCyber.Entity.isAsset | Boolean | Is Entity a Critical Asset |
| XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
| XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
| XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| XMCyber.Entity.compromisingTechniques.name | String | Technique compromising this entity |
| XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| XMCyber.Entity.type | String | Entity Type |
| XMCyber.Entity.report | String | Link to the Entity Report |
| Host.Hostname | String | The name of the host. |
| Host.ID | String | The unique ID within the tool retrieving the host. |
| Host.IP | String | The IP address of the host. |

xmcyber-enrich-from-hostname#


Return data on Entity by hostname from XM Cyber

Base Command#

xmcyber-enrich-from-hostname

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entityId | List of entityIds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| XMCyber.Entity.id | String | XMCyber Entity ID |
| XMCyber.Entity.name | String | Entity Name |
| XMCyber.Entity.isAsset | Boolean | Is Entity a Critical Asset |
| XMCyber.Entity.affectedEntities | Number | Number of unique entities at risk from this entity |
| XMCyber.Entity.averageComplexity | Number | Average complexity to compromise this entity |
| XMCyber.Entity.criticalAssetsAtRisk | Number | Number of unique critical assets at risk from this entity |
| XMCyber.Entity.averageComplexityLevel | String | Level of the average complexity to compromise this entity |
| XMCyber.Entity.compromisingTechniques.name | String | Technique compromising this entity |
| XMCyber.Entity.compromisingTechniques.count | Number | Number of vectors with this technique compromising this entity |
| XMCyber.Entity.type | String | Entity Type |
| XMCyber.Entity.report | String | Link to the Entity Report |
| Host.Hostname | String | The name of the host. |
| Host.ID | String | The unique ID within the tool retrieving the host. |
| Host.IP | String | The IP address of the host. |