Details
Content
Dependencies
Version History

XSOAR is a comprehensive SOAR platform that integrates different security tools to centralize incident management, driving better detection, investigation, and response to suspicious activity across your organization.The integration uses attack graph context and prioritization data that XSOAR receives from XM CEM, and also allows XSOAR to feed relevant entities back to CEM to be defined as breach points in CEM scenarios.

Product/Integration Overview

XM Cyber continuously identifies attack paths to critical assets. This integration retrieves events for newly at-risk critical assets, newly discovered choke points, and changes in overall risk score. Incidents are also enriched with incoming attack vectors to affected endpoints and a list of critical assets exposed by the incident.

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch.
New lateral movement exposure triggers alerts and options to change policy, and scan endpoints.
Incidents from EDRs are enriched with critical asset information and, if the severity is high, then action can be taken.

Dashboard

XM Cyber Dashboard: This dashboard displays the information from the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Product/Integration Overview

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch.
New lateral movement exposure triggers alerts and options to change policy, and scan endpoints.
Incidents from EDRs are enriched with critical asset information and, if the severity is high, then action can be taken.

Dashboard

XM Cyber Dashboard: This dashboard displays the information from the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Automations

Name	Description
XMCyberDashboard	Return the specific data for the XM Cyber Dashboard.

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Dashboards

Name	Description
XM Cyber Dashboard

Incident Fields

Name	Description
Entity is a critical asset
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
XM Cyber security score trend
Critical Assets at Risk Level
XM Cyber critical assets trend
Technique Best Practice
Entity IP Address
Entity name
XM Cyber dashboard
Affected Entities
Affected Entities List
XM Cyber current security score
XM Cyber advices
Entity ID
XM Cyber MITRE
Entity report	Link to the Entity report in XM Cyber
XM Cyber description
Critical assets at risk
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Entity type
XM Cyber avg. complexity score
Choke points
Technique name
XM Cyber security score grade
XM Cyber report
XM Cyber avg. complexity level

Incident Types

Name	Description
XM Cyber Choke Point
XM Cyber Technique
XM Cyber Security Score
XM Cyber Critical Asset

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.
XM Cyber CEM (Partner Contribution)	The XM Cyber integration connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, while also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.

Layouts

Name	Description
XM Cyber Technique Layout	Contains a tab XMCyber with fields for XM Cyber Technique Incident
XM Cyber Security Score	Contains a tab XMCyber with fields for XM Cyber Score Incident
XM Cyber Layout	Contains a tab XMCyber with fields for XM Cyber Incident

Playbooks

Name	Description
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Incident Enrichment - XM Cyber	This playbook enriches the incident using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise

Automations

Name	Description
XMCyberDashboard	Return the specific data for the XM Cyber Dashboard.

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Incident Fields

Name	Description
Entity report	Link to the Entity report in XM Cyber
Entity ID
XM Cyber avg. complexity score
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
XM Cyber description
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Critical Assets at Risk Level
Technique Best Practice
Entity name
XM Cyber dashboard
Critical assets at risk
XM Cyber critical assets trend
Entity type
XM Cyber avg. complexity level
Affected Entities List
XM Cyber security score grade
Technique name
XM Cyber report
Affected Entities
Entity is a critical asset
XM Cyber current security score
XM Cyber security score trend
Choke points
XM Cyber advices
XM Cyber MITRE

Incident Types

Name	Description
XM Cyber Security Score
XM Cyber Critical Asset
XM Cyber Technique
XM Cyber Choke Point

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.
XM Cyber CEM (Partner Contribution)	The XM Cyber integration connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, while also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.

Playbooks

Name	Description
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Alert Enrichment - XM Cyber	This playbook enriches the alert using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Rapid7 InsightVM	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

2.0.1 - 10150329 (June 14, 2026)

Integrations

XM Cyber CEM

Updated the XMCyberCEM integration to retrieve security score through the new endpoint.
Updated the Docker image to: demisto/python3:3.12.13.10047619.

Related pull requests:
- 44607
- 44617

Download

2.0.0 - 8038839 (March 31, 2026)

Dashboards

New: XM Cyber Dashboard

New: Added a new dashboard- XM Cyber Dashboard that shows the information by utilizing the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Integrations

New: XM Cyber CEM

New: Added a new integration- XM Cyber CEM that connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, and also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.
Added the following commands:
- xmcyber-enrich-incident
- xmcyber-push-breach-point
- xmcyber-remove-breach-point
- xmcyber-calculate-risk-score
- xmcyber-get-dashboard-data

Playbooks

New: Incident Enrichment - XM Cyber

This playbook enriches the incident using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.

Scripts

New: XMCyberDashboard

New: Added a new script- XMCyberDashboard that returns the specific data for the XM Cyber Dashboard.

Related pull requests:
- 43248
- 42866

Download

1.0.35 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.34 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.33 - 4770511 (September 4, 2025)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

2.0.1 - 10150329 (June 14, 2026)

Integrations

XM Cyber CEM

Updated the XMCyberCEM integration to retrieve security score through the new endpoint.
Updated the Docker image to: demisto/python3:3.12.13.10047619.

Related pull requests:
- 44607
- 44617

Download

2.0.0 - 8038839 (March 31, 2026)

Integrations

New: XM Cyber CEM

New: Added a new integration- XM Cyber CEM that connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, and also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.
Added the following commands:
- xmcyber-enrich-incident
- xmcyber-push-breach-point
- xmcyber-remove-breach-point
- xmcyber-calculate-risk-score
- xmcyber-get-dashboard-data

Playbooks

New: Incident Enrichment - XM Cyber

Scripts

New: XMCyberDashboard

New: Added a new script- XMCyberDashboard that returns the specific data for the XM Cyber Dashboard.

Related pull requests:
- 43248
- 42866

Download

1.0.35 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.34 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.33 - 4761438 (September 4, 2025)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	June 14, 2026

Breach And Attack Simulation

Compliance

Incident Response

Threat Intelligence Management

Vulnerability Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.