XM Cyber

Details
Content
Dependencies
Version History

The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber's insights.

Product/Integration Overview

XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on new critical assets at risk, new choke points, and trends in the overall risk score. Additionally incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk form the incident.

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch
New attack technique triggers alerts and options to change policy, and scan endpoints
Incidents from EDRs are enriched with critical asset information and if the severity is high then action can be taken

Layouts

Name	Description
XM Cyber Technique Layout	Contains a tab XMCyber with fields for XM Cyber Technique Incident
XM Cyber Security Score	Contains a tab XMCyber with fields for XM Cyber Score Incident
XM Cyber Layout	Contains a tab XMCyber with fields for XM Cyber Incident

Incident Fields

Name	Description
Entity ID
XM Cyber security score trend
XM Cyber security score grade
Technique Best Practice
XM Cyber current security score
Affected Entities
XM Cyber avg. complexity score
Entity report	Link to the Entity report in XM Cyber
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Critical assets at risk
XM Cyber advices
Affected Entities List
Entity is a critical asset
Entity name
XM Cyber critical assets trend
Entity type
XM Cyber dashboard
Technique name
XM Cyber avg. complexity level
XM Cyber report
Entity IP Address
Choke points
Critical Assets at Risk Level
XM Cyber description
XM Cyber MITRE

Incident Types

Name	Description
XM Cyber Choke Point
XM Cyber Technique
XM Cyber Critical Asset
XM Cyber Security Score

Classifiers

Name	Description
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Playbooks

Name	Description
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Incident Fields

Name	Description
Entity ID
XM Cyber security score trend
XM Cyber security score grade
Technique Best Practice
XM Cyber current security score
Affected Entities
XM Cyber avg. complexity score
Entity report	Link to the Entity report in XM Cyber
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Critical assets at risk
XM Cyber advices
Affected Entities List
Entity is a critical asset
Entity name
XM Cyber critical assets trend
Entity type
XM Cyber dashboard
Technique name
XM Cyber avg. complexity level
XM Cyber report
Choke points
Critical Assets at Risk Level
XM Cyber description
XM Cyber MITRE

Incident Types

Name	Description
XM Cyber Choke Point
XM Cyber Technique
XM Cyber Critical Asset
XM Cyber Security Score

Classifiers

Name	Description
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Playbooks

Name	Description
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.0.27 - 6299513 (September 12, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.13.73190.

Related pull requests:
- 29597

Download

1.0.26 - 6139598 (August 24, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29188

Download

1.0.25 - 5987442 (August 8, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.67728.

Related pull requests:
- 28833

Download

1.0.24 - R5866730 (July 25, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.65389.

Related pull requests:
- 28434

Download

1.0.23 - R5801668 (July 18, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27689

Download

1.0.22 - 5447040 (June 5, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27215

Download

1.0.21 - 5304600 (May 19, 2023)

Integrations

XM Cyber

Upgraded the Docker image to: demisto/python3:3.10.11.59070.

Related pull requests:
- 26640

Download

1.0.20 - R5170573 (May 2, 2023)

Playbooks

Scan and Isolate - XM Cyber

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24527

Download

1.0.19 - 4727595 (March 2, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24981

Download

1.0.18 - R4718798 (March 1, 2023)

Layouts

XM Cyber Layout
This item is no longer supported in XSIAM.
XM Cyber Security Score
This item is no longer supported in XSIAM.
XM Cyber Technique Layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.0.17 - R4494864 (January 29, 2023)

Incident Fields

Affected Entities List
Choke points
Compromising Techniques
Critical Assets at Risk List
Critical assets at risk
Entity is a critical asset
Entity name
Entity report
Entity type
Technique name
XM Cyber MITRE
XM Cyber advices
XM Cyber avg. complexity level
XM Cyber avg. complexity score
XM Cyber critical assets trend
XM Cyber current security score
XM Cyber dashboard
XM Cyber description
XM Cyber report
XM Cyber security score grade
XM Cyber security score trend

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.8.36650.
Added a new command:
- xmcyber-enrich-from-fields

Layouts

XM Cyber Layout
Added the updated descriptions, explanations and labels.
XM Cyber Security Score
Added the updated labels.
XM Cyber Technique Layout
Added the updated labels.

Playbooks

Endpoint Enrichment By EntityId - XM Cyber

Improved implementation to use new fields name.

Endpoint Enrichment By Hostname - XM Cyber

Improved implementation to use new fields name.

Endpoint Enrichment By IP - XM Cyber

Improved implementation to use new fields name.

Scan and Isolate - XM Cyber

Improved implementation to use new fields name.

Related pull requests:
- 21860

Download

PUBLISHER

XM Cyber

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	September 12, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.