Details
Content
Dependencies
Version History

XSOAR is a comprehensive SOAR platform that integrates different security tools to centralize incident management, driving better detection, investigation, and response to suspicious activity across your organization.The integration uses attack graph context and prioritization data that XSOAR receives from XM CEM, and also allows XSOAR to feed relevant entities back to CEM to be defined as breach points in CEM scenarios.

Product/Integration Overview

XM Cyber continuously identifies attack paths to critical assets. This integration retrieves events for newly at-risk critical assets, newly discovered choke points, and changes in overall risk score. Incidents are also enriched with incoming attack vectors to affected endpoints and a list of critical assets exposed by the incident.

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch.
New lateral movement exposure triggers alerts and options to change policy, and scan endpoints.
Incidents from EDRs are enriched with critical asset information and, if the severity is high, then action can be taken.

Dashboard

XM Cyber Dashboard: This dashboard displays the information from the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Product/Integration Overview

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch.
New lateral movement exposure triggers alerts and options to change policy, and scan endpoints.
Incidents from EDRs are enriched with critical asset information and, if the severity is high, then action can be taken.

Dashboard

XM Cyber Dashboard: This dashboard displays the information from the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Automations

Name	Description
XMCyberDashboard	Return the specific data for the XM Cyber Dashboard.

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment

Dashboards

Name	Description
XM Cyber Dashboard

Incident Fields

Name	Description
XM Cyber advices
XM Cyber dashboard
Entity type
XM Cyber report
Technique Best Practice
XM Cyber description
XM Cyber critical assets trend
XM Cyber current security score
XM Cyber avg. complexity score
Critical Assets at Risk Level
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Entity name
Affected Entities
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Affected Entities List
XM Cyber security score grade
XM Cyber avg. complexity level
XM Cyber security score trend
Entity report	Link to the Entity report in XM Cyber
XM Cyber MITRE
Choke points
Entity IP Address
Entity is a critical asset
Entity ID
Technique name
Critical assets at risk

Incident Types

Name	Description
XM Cyber Security Score
XM Cyber Technique
XM Cyber Critical Asset
XM Cyber Choke Point

Integrations

Name	Description
XM Cyber CEM (Partner Contribution)	The XM Cyber integration connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, while also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Layouts

Name	Description
XM Cyber Technique Layout	Contains a tab XMCyber with fields for XM Cyber Technique Incident
XM Cyber Layout	Contains a tab XMCyber with fields for XM Cyber Incident
XM Cyber Security Score	Contains a tab XMCyber with fields for XM Cyber Score Incident

Playbooks

Name	Description
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Incident Enrichment - XM Cyber	This playbook enriches the incident using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more

Automations

Name	Description
XMCyberDashboard	Return the specific data for the XM Cyber Dashboard.

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment

Incident Fields

Name	Description
Critical assets at risk
Entity type
Entity is a critical asset
Affected Entities List
XM Cyber avg. complexity score
XM Cyber avg. complexity level
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
XM Cyber dashboard
XM Cyber MITRE
XM Cyber advices
Technique name
XM Cyber security score grade
Entity name
Choke points
Affected Entities
XM Cyber description
XM Cyber security score trend
Critical Assets at Risk Level
Entity ID
Entity report	Link to the Entity report in XM Cyber
XM Cyber report
Technique Best Practice
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
XM Cyber current security score
XM Cyber critical assets trend

Incident Types

Name	Description
XM Cyber Security Score
XM Cyber Technique
XM Cyber Critical Asset
XM Cyber Choke Point

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.
XM Cyber CEM (Partner Contribution)	The XM Cyber integration connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, while also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.

Playbooks

Name	Description
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Alert Enrichment - XM Cyber	This playbook enriches the alert using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

2.0.0 - 8038839 (March 31, 2026)

Dashboards

New: XM Cyber Dashboard

New: Added a new dashboard- XM Cyber Dashboard that shows the information by utilizing the XM Cyber CEM integration for Security Score, Choke Points by Severity, Critical Assets by Severity, and Top Compromising Exposures.

Integrations

New: XM Cyber CEM

New: Added a new integration- XM Cyber CEM that connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, and also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.
Added the following commands:
- xmcyber-enrich-incident
- xmcyber-push-breach-point
- xmcyber-remove-breach-point
- xmcyber-calculate-risk-score
- xmcyber-get-dashboard-data

Playbooks

New: Incident Enrichment - XM Cyber

This playbook enriches the incident using the hostname indicators and user data and increases the severity based on the calculated risk score and pushes breach points of the identified entities to XM Cyber.

Scripts

New: XMCyberDashboard

New: Added a new script- XMCyberDashboard that returns the specific data for the XM Cyber Dashboard.

Related pull requests:
- 43248
- 42866

Download

1.0.35 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.34 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.33 - 4770511 (September 4, 2025)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.32 - R3368777 (May 11, 2025)

Integrations

XM Cyber

Metadata and documentation improvements.

Related pull requests:
- 39078

Download

2.0.0 - 8038839 (March 31, 2026)

Integrations

New: XM Cyber CEM

New: Added a new integration- XM Cyber CEM that connects XM Cyber's Continuous Exposure Management (CEM) platform with XSOAR, enhancing your Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response processes with attack graph context and prioritization, and also feeding relevant entities back to CEM to be defined as breach points in CEM scenarios.
Added the following commands:
- xmcyber-enrich-incident
- xmcyber-push-breach-point
- xmcyber-remove-breach-point
- xmcyber-calculate-risk-score
- xmcyber-get-dashboard-data

Playbooks

New: Incident Enrichment - XM Cyber

Scripts

New: XMCyberDashboard

New: Added a new script- XMCyberDashboard that returns the specific data for the XM Cyber Dashboard.

Related pull requests:
- 43248
- 42866

Download

1.0.35 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.34 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.33 - 4761438 (September 4, 2025)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

1.0.32 - R3368777 (May 11, 2025)

Integrations

XM Cyber

Metadata and documentation improvements.

Related pull requests:
- 39078

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	March 31, 2026

Breach And Attack Simulation

Compliance

Incident Response

Threat Intelligence Management

Vulnerability Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.