Cortex Attack Surface Management

Details
Content
Dependencies
Version History

Content for working with Attack Surface Management (ASM).

The Cortex Attack Surface Management pack is supported by Cortex Xpanse Expander and the (Attack Surface Management) ASM module for Cortex XSIAM.

Cortex Xpanse Expander and the Attack Surface Management (ASM) module for Cortex XSIAM are both best in class External Attack Surface Management solutions that strive to proactively reduce the frequency and severity of security incidents caused by internet-exposed risks. These solutions deliver comprehensive attack surface visibility by combining thorough, ML-enhanced asset attribution with continuous attack surface assessment. Any discovered risks are prioritized using contextual information and exploitability data, and findings are actioned through curated, automated playbooks to investigate, remediate, and summarize every new alert.

What does this pack do?

This pack contains all of the integrations, automations, and playbooks necessary to fully automate the investigation, remediation, verification, and reporting on ASM risks within Cortex Xpanse Expander and Cortex XSIAM. Currently our pack:

Enriches services, assets, and alerts based on out-of-the-box integrations with sources like CMDBs, Cloud Service Providers, VM solutions, and more.
Uses ML assisted analysis to identify critical context useful for analyst decision making.
Keeps human analysts in the loop to direct the desired remediation action depending on the type of risk and discovered context.
Includes automated notification and ticket creation workflows for delegating remediation tasks to the appropriate service owners.
Includes full automated remediation options for automatically removing risky services from the public internet.
Sends out a notification to identified service owners via email about the remediation action taken.
Supports validation re-scanning to ensure that remediation efforts have been applied successfully.
Includes PDF reporting capabilities for preserving and communicating the investigation summary.

How to use it?

The Active Response playbook contains a set of sub-playbooks, which support many different remediation paths that can be taken depending on the types of configured integrations, the type of alert, and input provided by the analyst.

For setting up the Active Response module for Xpanse, a guide on how to configure the Active Response module can we found here.

Aditionally, a list of integrations used for the Active Response playbook can be found here. These are needed for different enrichment and remediation possibilities.

Demo Video

Automated Remediation Requirements

Automated remediation is only possible when the right conditions are met. These are the current requirements:

One of the following attack surface rule IDs:
- Insecure OpenSSH
- OpenSSH
- SSH Server
- SNMP Server
- RDP Server
- Telnet Server
- Unencrypted FTP Server
- Mysql Server
- Mongo Server
- Postgres Server
- Elasticsearch Server
- Unclaimed S3 Bucket*
Asset one of the following:
- AWS EC2 Instance
- Azure Compute Instance
- GCP Compute Engine (VM)
- On-prem asset protected with a Palo Alto Networks Firewall
Service owner information found through one of the following:
- Active Directory
- AWS IAM
- Azure IAM
- GCP IAM
- Prisma Cloud
- Rapid7 InsightVM (Nexpose)
- Splunk
- ServiceNow CMDB
- ServiceNow ITSM
- Tenable.io Assets
- Qualys
Indicators of a non-production host:
- "dev" or related words found in environment-related tags associated with the asset (case insensitive)
- Has an active "DevelopmentEnvironment" classification from processing of public data
- Optional: this check can be disabled with the BypassDevCheck parent playbook input

* The Unclaimed S3 Bucket attack surface rule ID only requires AWS-S3 integration to be enabled.

What is included in this pack?

The main active response playbook is the Cortex ASM - ASM Alert playbook. This playbook contains a set of sub-playbooks and automation scripts, which support many different remediation paths that can be taken depending on the types of configured integrations, the type of alert, and input provided by the analyst. After the final stage, the alert is resolved.

Playbooks
Automation Scripts
Layouts
- ASM Alert Layout

Playbooks

Cortex ASM - Active Directory Enrichment

A playbook that given the email address enriches Service owner in Azure and On-Prem directory.

Cortex ASM - Active Directory Enrichment

Cortex ASM - ASM Alert

A playbook that enriches asset information for ASM alerts and provides the means for remediation.

Cortex ASM - ASM Alert

Cortex ASM - AWS Enrichment

A playbook that given the IP address enriches AWS information relevant to ASM alerts.

Cortex ASM - AWS Enrichment

Cortex ASM - Azure Enrichment

A playbook that given the IP address enriches Azure information relevant to ASM alerts.

Cortex ASM - Azure Enrichment

Cortex ASM - Cortex Endpoint Enrichment

This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.

Cortex ASM - Cortex Endpoint Enrichment

Cortex ASM - Cortex Endpoint Remediation

This playbook is used for remediating a single exposed Cortex Endpoint (XSIAM/XDR) by isolating the endpoint from the network using the "Isolate Endpoint" feature in XSIAM (see XSIAM details) and XDR (see XDR details).

Cortex ASM - Cortex Endpoint Remediation

Cortex ASM - Detect Service

A playbook that utilizes the Remediation Confirmation Scan service to check for mitigated vulnerabilities.

Cortex ASM - Detect Service

Cortex ASM - Email Notification

A playbook that is used to send email notifications to service owners to notify them of their internet exposures.

Cortex ASM - Email Notification

Cortex ASM - Enrichment

A playbook that is used as a container folder for all enrichments of ASM alerts.

Cortex ASM - Enrichment

Cortex ASM - GCP Enrichment

A playbook that given the IP address enriches GCP information relevant to ASM alerts.

Cortex ASM - GCP Enrichment

Cortex ASM - Jira Notification

A playbook that is used to create Jira tickets directed toward service owners to notify them of their internet exposures.

Cortex ASM - Jira Notification

Cortex ASM - On Prem Enrichment

A playbook that given an IP address, port, and protocol of a service, enriches using on-prem integrations to find the related firewall rule and other related information.

Cortex ASM - On Prem Enrichment

Cortex ASM - On Prem Remediation

A playbook that adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.

Cortex ASM - On Prem Remediation

Cortex ASM - Prisma Cloud Enrichment

Playbook that given the IP address enriches Prisma Cloud information relevant to ASM alerts.

Cortex ASM - Prisma Cloud Enrichment

Cortex ASM - Qualys Enrichment

Playbook that given the IP address enriches Qualys information relevant to ASM alerts.

Cortex ASM - Qualys Enrichment

Cortex ASM - Rapid7 Enrichment

A playbook that given the IP address enriches Rapid7 information relevant to ASM alerts.

Cortex ASM - Rapid7 Enrichment

Cortex ASM - Remediation Confirmation Scan

A playbook that creates an ASM Remediation Confirmation Scan using an existing service ID, if the scan does not already exist;. It then polls for results of a scan.

Cortex ASM - Remediation Confirmation Scan

Cortex ASM - Remediation Guidance

A playbook that pulls remediation guidance off of a list based on ASM RuleID to be used in service owner notifications (email or ticketing system).

Cortex ASM - Remediation Guidance

Cortex ASM - Remediation Objectives

A playbook that populates the remediation objectives field that is used to display the remediation actions to the end user.

Cortex ASM - Remediation Objectives

Cortex ASM - Remediation Path Rules

A playbook that returns "RemediationAction" options based on the return from the Remediation Path Rules API, or defaults to data collection task options from the "Cortex ADM - Decision" sub-playbook.

Cortex ASM - Remediation Path Rules

Cortex ASM - Remediation

A playbook that is used as a container folder for all remediation of ASM alerts.

Cortex ASM - Remediation

Cortex ASM - Service Ownership

Playbook that identifies and recommends the most likely owners of a given service.

Cortex ASM - Remediation

Cortex ASM - ServiceNow CMDB Enrichment

A playbook that given the IP address enriches ServiceNow CMDB information relevant to ASM alerts.

Cortex ASM - ServiceNow CMDB Enrichment

Cortex ASM - ServiceNow ITSM Enrichment

A playbook that given the search terms enriches ServiceNow ITSM service owner information relevant to ASM alerts.

Cortex ASM - ServiceNow ITSM Enrichment

Cortex ASM - ServiceNow Notification

A playbook that is used to create ServiceNow tickets directed toward service owners to notify them of their internet exposures.

Cortex ASM - ServiceNow Notification

Cortex ASM - Splunk Enrichment

A playbook that given the IP address enriches Splunk information relevant to ASM alerts.

Cortex ASM - Splunk Enrichment

Cortex ASM - Tenable.io Enrichment

A playbook that given the IP address enriches Tenable.io information relevant to ASM alerts.

Cortex ASM - Tenable.io Enrichment

Automation Scripts

GenerateASMReport

An automation used to generate an ASM alert summary report with important information found via the playbook run.

GenerateASMReport

InferWhetherServiceIsDev

An automation that identifies whether the service is a "development" server. Development servers have no external users and run no production workflows. These servers might be named "dev", but they might also be named "qa", "pre-production", "user acceptance testing", or use other non-production terms. This automation uses both public data visible to anyone (active_classifications as derived by Xpanse ASM) as well as checking internal data for AI-learned indicators of development systems (asm_tags as derived from integrations with non-public systems).

InferWhetherServiceIsDev

RankServiceOwners

An automation that recommends the most likely service owners from those surfaced by Cortex ASM Enrichment and updates content.

GetProjectOwners

This automation parses a GCP service account email for the project ID, then looks up the project owners and adds them to a list of potential service owners for ranking.

RemediationPathRuleEvaluation

An automation that is used to find a matching remediation path rule based on criteria. If multiple rules match, it will return the most recently created rule. This assumes that the rules passed in are filtered to correlate with the alert's attack surface rule (Xpanse only).

RemediationPathRuleEvaluation

Layouts

ASM Alert Layout

This layout is provides enrichment information such as system IDs, tags, and service owners for a given Attack Surface Management alert.

Automations

Name	Description
GetProjectOwners	Parse a GCP service account email for the project name, then lookup project owners and add them to a list of potential service owners for ranking.
RCSScan	This script starts an RCS scan and sets the scan ID in context.
InferWhetherServiceIsDev	Identify whether the service is a "development" server. Development servers have no external users and run no production workflows. These servers might be named "dev", but they might also be named "qa", "pre-production", "user acceptance testing", or use other non-production terms. This automation uses both public data visible to anyone (`active_classifications` as derived by Xpanse ASM) as well as checking internal data for AI-learned indicators of development systems (`asm_tags` as derived from integrations with non-public systems).
GenerateASMReport	Generate an ASM Alert Summary report.
RankServiceOwners	Recommend most likely service owners from those surfaced by Cortex ASM Enrichment.
RemediationPathRuleEvaluation	For a given alert and remediation path rules that are defined for that alert's attack surface rule, this script takes each remediation path rule and looks at the rule criteria to see if the rule matches for the given alert. If multiple rules match, it will return the most recently created rule. This assumes that the rules passed in are filtered to correlate with the alert's attack surface rule.
SnmpDetection	Deprecated. No available replacement.

Incident Fields

Name	Description
ASM - System IDs	Related system identifiers.
ASM - Remediation Path Rule	Shows information on matching remediation path rule
ASM - Attack Surface Rule Description	Store the description of an Attack Surface Rule
ASM - Provider	Service provider(s) for ASM asset.
ASM - Attack Surface Rule Category	The category associated with an Attack Surface Rule
ASM - Tags	Tags from objects that can be used to determine other information (if server is Dev for example)
ASM - Attack Surface Rule ID	UUID for ASM rule.
ASM - Asset ID	UUID for ASM Asset.
ASM - Service Owner	Potential service owners gathered through playbook
ASM - Alert Summary	Summary report of alert.
ASM - Remediation	Collect information on remediation action(s).
ASM - Remediation Objectives	Remediation objectives uses to display the remediation actions to the end user.
ASM - Private IP	Field for private IP addresses found.
ASM - Service ID	UUID for ASM Service
ASM - Service Owner Unranked Raw	Original set of potential service owners gathered through playbook. This field contains all the service owners collected by the playbook in asmserviceowner as well as additional users that may help identify likely owners (e.g. service accounts).
ASM - Dev Check	Whether the asset is most likely used for solely development/non-production purposes, including uses like testing, staging, QA, sandbox, and user acceptance testing
ASM - Cloud	Information on cloud assets
ASM - Enrichment Status	A field to gather information on whether or not an integration perform enrichment for ASM.
ASM - Attack Surface Rule Remediation Guidance	The remediation guidance information associated with an Attack Surface Rule
ASM - Service Detection	A post remediation scan to check if service is still detectable.
ASM - Related	Related or duplicate objects
ASM - Data Collection	Collect information on data collection tasks.
ASM - Dev Check Details	A field to determine whether the asset is most likely used for solely development/non-production purposes, including uses like testing, staging, QA, sandbox, and user acceptance testing. Why reasons and confidence.
ASM - Asset Hierarchy	ASM field for an assets hierarchy path
ASM - Attack Surface Rule Priority	Used to store the priority assigned to a particular Attack Surface Rule
ASM - Protocol	Network protocol for ASM asset.
ASM - Playbook Stage	information on playbook progression (stages complete and what time)
ASM - Notification	Information on notification(s) sent via the ASM playbook

Integrations

Name	Description
Cortex Attack Surface Management	Integration to pull assets and other ASM related information.

Layoutrule

Name	Description
ASM Layout Rule	Rule for applying ASM Alert Layout to ASM alert source

Layouts

Name	Description
ASM Alert Layout	A layout used for ASM alerts in XSIAM.

Lists

Name	Description
RemediationGuidance

Playbooks

Name	Description
Cortex ASM - Extract IP Indicator	Deprecated. No available replacement. Identifies IPv4 Address associated with Alert and creates a new Indicator.
Cortex ASM - On Prem Enrichment	Given an IP address, port, and protocol of a service, this playbook enriches on-prem integrations to find the related firewall rule and other related information. Conditions: Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). !pan-os-security-policy-match fails if any firewall is disconnected (Panorama). Matching on different rules for different firewalls not supported (Panorama).
Cortex ASM - ServiceNow Notification	This playbook is used to create ServiceNow tickets directed toward service owners to notify them of their internet exposures.
Cortex ASM - GCP Enrichment	Given the IP address this playbook enriches GCP and Firewall information.
Cortex ASM - Rapid7 Enrichment	Given the IP address this playbook enriches Rapid7 InsightVM (Nexpose) information relevant to ASM alerts.
Cortex ASM - Email Notification	This playbook is used to send email notifications to service owners to notify them of their internet exposures.
Cortex ASM - Remediation Guidance	This playbook pulls remediation guidance off of a list based on ASM RuleID to be used in service owner notifications (email or ticketing system).
Cortex ASM - Jira Notification	This playbook is used to create Jira tickets directed toward service owners to notify them of their internet exposures.
Cortex ASM - Tenable.io Enrichment	Given the IP address this playbook enriches Tenable.io information relevant to ASM alerts.
Cortex ASM - Cortex Endpoint Enrichment	This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.
Cortex ASM - Remediation Confirmation Scan	Playbook for Remediation Confirmation Scan (RCS) creation and polling.
Cortex ASM - CMDB Enrichment	Deprecated. No available replacement. This playbook will look up a CI in ServiceNow CMDB by IP.
Cortex ASM - SNMP Check	Deprecated. No available replacement.
Cortex ASM - Detect Service	Playbook that looks to see if a service ID exists and chooses to start a Remediation Confirmation Scan.
Cortex ASM - Enrichment	Used as a container folder for all enrichments of ASM alerts.
Cortex ASM - Qualys Enrichment	Given the IP address this playbook enriches information from Qualys assets.
Cortex ASM - ServiceNow CMDB Enrichment	Given the IP address this playbook enriches ServiceNow CMDB information relevant to ASM alerts.
Cortex ASM - Remediation Objectives	Playbook that populates the remediation objectives field that is used to display the remediation actions to the end user.
Cortex ASM - ServiceNow ITSM Enrichment	Given search terms, this playbook will query ServiceNow ticket descriptions and short descriptions over the last 30 days and set users that were found in the assigned_to field in those ServiceNow tickets. Note, the max amount of tickets returned from querying is 100.
Cortex ASM - On Prem Remediation	This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures. Conditions: Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). Multiple rules with the same name in different device-groups not supported (Panorama). !pan-os-list-services will fail if there are no services in a specific device-group (Panorama).
Cortex ASM - Cortex Endpoint Remediation	This playbook is used to isolate a single Cortex Endpoint (XSIAM/XDR) for remediation purposes.
Cortex ASM - Decision	Deprecated. No available replacement. This playbook returns "RemediationAction" options based on meeting "Automated Remediation Requirements" (https://github.com/demisto/content/tree/master/Packs/CortexAttackSurfaceManagement#automated-remediation-requirements) as well as whether ServiceNowV2 integration is set up. Possible return values are: Prompt base - data collection task with only email/manual options. Prompt all options - data collection task with all options (meets Automated Remediation requirements and ServiceNow is enabled). Prompt no snow - all options except ServiceNow (Automated Remediation requirements are met). Prompt no ar - all options except Automated Remediation (ServiceNow is enabled).
Cortex ASM - ASM Alert	This playbook handles ASM alerts by enriching asset information and providing a means of remediating the issue directly or through contacting service owners.
Cortex ASM - Prisma Cloud Enrichment	Given the IP address this playbook enriches information from Prisma Cloud.
Cortex ASM - Service Ownership	Identifies and recommends the most likely owners of the service, additionally citing an explanation and ranking score for each.
Cortex ASM - Azure Enrichment	Given the IP address, this playbook enriches Azure information relevant to ASM alerts.
Cortex ASM - Active Directory Enrichment	Playbook to enriches Service ownership info in Azure and On-Prem Active Directory.
Cortex ASM - Remediation Path Rules	This playbook returns "RemediationAction" options based on the return from the Remediation Path Rules API, or defaults to data collection task.
Cortex ASM - Vulnerability Management Enrichment	Deprecated. No available replacement. This playbook will look up an IP address in Tenable.io or Rapid7 InsightVM.
Cortex ASM - AWS Enrichment	Given the IP address this playbook enriches AWS information relevant to ASM alerts.
Cortex ASM - Splunk Enrichment	Given the IP address this playbook enriches information from Splunk results relevant to ASM alerts.
Cortex ASM - Remediation	This playbook contains all the cloud provider sub playbooks for remediation.

Trigger

Name	Description
ASM	This trigger is responsible for handling ASM alerts

1.7.32 - 956366 (April 15, 2024)