Skip to main content

XM Cyber

This Integration is part of the XM Cyber Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights. This integration was integrated and tested with version 1.43.0.355 of XMCyber

Configure XM Cyber in Cortex#

ParameterDescriptionRequired
API KeyTrue
URLTrue
Use system proxy settingsFalse
Trust any certificate (not secure)False
Fetch incidentsFalse
Incident typeFalse
Maximum number of incidents per fetchFalse
First fetchFalse
Source ReliabilityReliability of the source providing the intelligence data.False
False
False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xmcyber-affected-critical-assets-list#


List critical assets at risk from an entity and the complexity of the attack

Base Command#

xmcyber-affected-critical-assets-list

Input#

Argument NameDescriptionRequired
timeIdThe relevant period of time. The options are timeAgo_days_7 (past 7 days) timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month.Optional
entityIdEntity ID.Required

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.criticalAssetsAtRiskList.nameStringCompromising Technique name
XMCyber.Entity.criticalAssetsAtRiskList.averageNumberAverage attack complexity
XMCyber.Entity.criticalAssetsAtRiskList.minimumNumberMinimum attack complexity

xmcyber-affected-entities-list#


List all entities at risk from an entity and the complexity of the attack

Command Example#

!xmcyber-affected-critical-assets-list entityId=872743867762485580

Context Example#

{
"XMCyber": {
"criticalAssetsAtRiskList": [
{
"average": 2,
"minimum": 2,
"name": "SQLSERVERB"
},
{
"average": 2,
"minimum": 2,
"name": "USERAA35"
},
{
"average": 4,
"minimum": 4,
"name": "USERAA03"
},
{
"average": 4,
"minimum": 4,
"name": "USERBB37"
},
{
"average": 4,
"minimum": 4,
"name": "WSUSA"
},
{
"average": 4.67,
"minimum": 4,
"name": "FileServerA"
},
],
"entityId": "872743867762485580"
}
}

Human Readable Output#

found 6 affected critical assets from 872743867762485580. Top 5:

Asset Display NameAverage ComplexityMinimum Complexity
SQLSERVERB22
USERAA3522
USERAA0344
USERBB3744
WSUSA44

Base Command#

xmcyber-affected-entities-list

Input#

Argument NameDescriptionRequired
timeIdThe relevant period of time. The options are timeAgo_days_7 (past 7 days) timeAgo_days_14, timeAgo_days_30, or monthly_YYYY_MM for a given year and month.Optional
entityIdEntity ID.Required

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.entitiesAtRiskList.nameStringCompromising Techinique Name
XMCyber.Entity.entitiesAtRiskList.techniqueStringThe attack technique which compromised the entity

Command Example#

!xmcyber-affected-entities-list entityId=872743867762485580

Context Example#

{
"XMCyber": {
"entitiesAtRiskList": [
{
"name": "SQLSERVERB",
"technique": "Microsoft SQL Credentials Usage"
},
{
"name": "share",
"technique": "Taint Shared Content"
}
],
"entityId": "872743867762485580"
}
}

Human Readable Output#

found 2 affected entities from 872743867762485580. Top 5:

Display NameTechnique
SQLSERVERBMicrosoft SQL Credentials Usage
shareTaint Shared Content

xmcyber-version-supported#


Check if current XM version supports Cortex Xsoar integration

Base Command#

xmcyber-version-supported

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
XMCyber.Version.validBooleanFlag that indicates if the version is valid

Command Example#

!xmcyber-version-supported

Context Example#

{
"XMCyber": {
"IsVersion": {
"valid": true
}
}
}

Human Readable Output#

Results#

valid
true

xmcyber-version-get#


Get current xm version

Base Command#

xmcyber-version-get

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
XMCyber.Version.systemStringGet current system version

Command Example#

!xmcyber-version-get

Context Example#

{
"XMCyber": {
"Version": {
"db": "4.2.3",
"north": "1.0.3369+6514",
"south": "2.1.967.352",
"system": "1.38.0.12861",
"updater": "1.4.134.11886"
}
}
}

Human Readable Output#

Results#

dbnorthsouthsystemupdater
4.2.31.0.3369+65142.1.967.3521.38.0.128611.4.134.11886

xmcyber-enrich-from-ip#


Return data on Entity by IP from XM Cyber

Base Command#

xmcyber-enrich-from-ip

Input#

Argument NameDescriptionRequired
ipList of IPs.Optional

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.nameStringEntity Name
XMCyber.Entity.isAssetBooleanEntity is a critical asset
XMCyber.Entity.affectedEntitiesNumberNumber of unique entities at risk from this entity
XMCyber.Entity.averageComplexityNumberAverage complexity to compromise this entity
XMCyber.Entity.criticalAssetsAtRiskNumberNumber of unique critical assets at risk from this entity
XMCyber.Entity.averageComplexityLevelStringLevel of the average complexity to compromise this entity
XMCyber.Entity.compromisingTechniques.techniqueStringTechnique compromising this entity
XMCyber.Entity.compromisingTechniques.countNumberNumber of vectors with this technique compromising this entity
XMCyber.Entity.typeStringEntity Type
XMCyber.Entity.reportStringLink to the Entity Report
IP.AddressStringIP address.
Endpoint.HostnameStringThe hostname to matching the IP in XM Cyber
Endpoint.IPStringIP address
Endpoint.OSStringOS of the matched endpoint

xmcyber-enrich-from-entityId#


Return data on Entity by entityId from XM Cyber

Base Command#

xmcyber-enrich-from-entityId

Input#

Argument NameDescriptionRequired
entityIdList of entityIds.Optional

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.nameStringEntity Name
XMCyber.Entity.isAssetBooleanEntity is a critical asset
XMCyber.Entity.affectedEntitiesNumberNumber of unique entities at risk from this entity
XMCyber.Entity.averageComplexityNumberAverage complexity to compromise this entity
XMCyber.Entity.criticalAssetsAtRiskNumberNumber of unique critical assets at risk from this entity
XMCyber.Entity.averageComplexityLevelStringLevel of the average complexity to compromise this entity
XMCyber.Entity.compromisingTechniques.techniqueStringTechnique compromising this entity
XMCyber.Entity.compromisingTechniques.countNumberNumber of vectors with this technique compromising this entity
XMCyber.Entity.typeStringEntity Type
XMCyber.Entity.reportStringLink to the Entity Report
Host.HostnameStringThe name of the host.
Host.IDStringThe unique ID within the tool retrieving the host.
Host.IPStringThe IP address of the host.

xmcyber-enrich-from-hostname#


Return data on Entity by hostname from XM Cyber

Base Command#

xmcyber-enrich-from-hostname

Input#

Argument NameDescriptionRequired
entityIdList of entityIds.Optional

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.nameStringEntity Name
XMCyber.Entity.isAssetBooleanEntity is a critical asset
XMCyber.Entity.affectedEntitiesNumberNumber of unique entities at risk from this entity
XMCyber.Entity.averageComplexityNumberAverage complexity to compromise this entity
XMCyber.Entity.criticalAssetsAtRiskNumberNumber of unique critical assets at risk from this entity
XMCyber.Entity.averageComplexityLevelStringLevel of the average complexity to compromise this entity
XMCyber.Entity.compromisingTechniques.techniqueStringTechnique compromising this entity
XMCyber.Entity.compromisingTechniques.countNumberNumber of vectors with this technique compromising this entity
XMCyber.Entity.typeStringEntity Type
XMCyber.Entity.reportStringLink to the Entity Report
Host.HostnameStringThe name of the host.
Host.IDStringThe unique ID within the tool retrieving the host.
Host.IPStringThe IP address of the host.

xmcyber-enrich-from-fields#


Return data on an XM entity

Base Command#

xmcyber-enrich-from-fields

Input#

Argument NameDescriptionRequired
fieldsComma-separated list of fields to search for the entity.Required
valuesComma-separated list of values (in the same order than the fields list) used to search for the entity.Required

Context Output#

PathTypeDescription
XMCyber.Entity.idStringXMCyber Entity ID
XMCyber.Entity.nameStringEntity Name
XMCyber.Entity.isAssetBooleanEntity is a critical asset
XMCyber.Entity.affectedEntitiesNumberNumber of unique entities at risk from this entity
XMCyber.Entity.averageComplexityNumberAverage complexity to compromise this entity
XMCyber.Entity.criticalAssetsAtRiskNumberNumber of unique critical assets at risk from this entity
XMCyber.Entity.averageComplexityLevelStringLevel of the average complexity to compromise this entity
XMCyber.Entity.compromisingTechniques.techniqueStringTechnique compromising this entity
XMCyber.Entity.compromisingTechniques.countNumberNumber of vectors with this technique compromising this entity
XMCyber.Entity.typeStringEntity Type
XMCyber.Entity.reportStringLink to the Entity Report
Host.HostnameStringThe name of the host.
Host.IDStringThe unique ID within the tool retrieving the host.
Host.IPStringThe IP address of the host.