Details
Content
Dependencies
Version History

The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber's insights.

Product/Integration Overview

XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on new critical assets at risk, new choke points, and trends in the overall risk score. Additionally incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk form the incident.

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch
New attack technique triggers alerts and options to change policy, and scan endpoints
Incidents from EDRs are enriched with critical asset information and if the severity is high then action can be taken

Product/Integration Overview

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch
New attack technique triggers alerts and options to change policy, and scan endpoints
Incidents from EDRs are enriched with critical asset information and if the severity is high then action can be taken

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment

Incident Fields

Name	Description
Entity report	Link to the Entity report in XM Cyber
Technique name
XM Cyber description
XM Cyber critical assets trend
Affected Entities
XM Cyber security score grade
Entity name
Critical assets at risk
Choke points
XM Cyber current security score
Affected Entities List
Entity IP Address
XM Cyber MITRE
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Entity type
Critical Assets at Risk Level
Entity ID
XM Cyber security score trend
XM Cyber report
XM Cyber advices
XM Cyber dashboard
Technique Best Practice
XM Cyber avg. complexity score
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
XM Cyber avg. complexity level
Entity is a critical asset

Incident Types

Name	Description
XM Cyber Security Score
XM Cyber Technique
XM Cyber Choke Point
XM Cyber Critical Asset

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Layouts

Name	Description
XM Cyber Security Score	Contains a tab XMCyber with fields for XM Cyber Score Incident
XM Cyber Layout	Contains a tab XMCyber with fields for XM Cyber Incident
XM Cyber Technique Layout	Contains a tab XMCyber with fields for XM Cyber Technique Incident

Playbooks

Name	Description
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Incident Fields

Name	Description
Entity name
XM Cyber avg. complexity score
Entity report	Link to the Entity report in XM Cyber
Critical Assets at Risk Level
Affected Entities List
Entity is a critical asset
Critical assets at risk
XM Cyber MITRE
Technique Best Practice
XM Cyber avg. complexity level
XM Cyber critical assets trend
XM Cyber advices
Entity ID
Choke points
Technique name
XM Cyber report
XM Cyber description
XM Cyber current security score
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Entity type
XM Cyber security score grade
Affected Entities
XM Cyber security score trend
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
XM Cyber dashboard

Incident Types

Name	Description
XM Cyber Technique
XM Cyber Choke Point
XM Cyber Critical Asset
XM Cyber Security Score

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Playbooks

Name	Description
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	July 18, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.