Details
Content
Dependencies
Version History

The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber's insights.

Product/Integration Overview

XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on new critical assets at risk, new choke points, and trends in the overall risk score. Additionally incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk form the incident.

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch
New attack technique triggers alerts and options to change policy, and scan endpoints
Incidents from EDRs are enriched with critical asset information and if the severity is high then action can be taken

Product/Integration Overview

Use Cases

New attack path to a critical asset triggers alerts and options to quarantine/disconnect/patch
New attack technique triggers alerts and options to change policy, and scan endpoints
Incidents from EDRs are enriched with critical asset information and if the severity is high then action can be taken

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment

Incident Fields

Name	Description
XM Cyber advices
Entity name
XM Cyber security score trend
Technique Best Practice
Choke points
Affected Entities List
XM Cyber security score grade
Entity report	Link to the Entity report in XM Cyber
Affected Entities
Critical Assets at Risk Level
XM Cyber avg. complexity level
Entity is a critical asset
Critical assets at risk
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
Entity type
XM Cyber dashboard
XM Cyber critical assets trend
XM Cyber MITRE
XM Cyber report
Entity IP Address
XM Cyber description
Technique name
XM Cyber current security score
XM Cyber avg. complexity score
Entity ID
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity

Incident Types

Name	Description
XM Cyber Critical Asset
XM Cyber Choke Point
XM Cyber Technique
XM Cyber Security Score

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Layouts

Name	Description
XM Cyber Security Score	Contains a tab XMCyber with fields for XM Cyber Score Incident
XM Cyber Layout	Contains a tab XMCyber with fields for XM Cyber Incident
XM Cyber Technique Layout	Contains a tab XMCyber with fields for XM Cyber Technique Incident

Playbooks

Name	Description
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more

Classifiers

Name	Description
XM Cyber Incident Classifier	Classifies XM Cyber alerts and events into 4 types
XM Cyber Entity from Crowdstrike	Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment
XM Cyber Incident Mapper	Maps fields from XM Cyber incidents

Incident Fields

Name	Description
Technique Best Practice
Entity ID
XM Cyber security score trend
XM Cyber dashboard
Critical Assets at Risk Level
XM Cyber description
Affected Entities List
Technique name
XM Cyber report
Choke points
XM Cyber current security score
Entity name
XM Cyber advices
Entity type
Compromising Techniques	Name of each attack technique that has compromised the entity and the count such attack vectors from the time period
XM Cyber security score grade
Entity report	Link to the Entity report in XM Cyber
Critical assets at risk
XM Cyber MITRE
XM Cyber avg. complexity score
Critical Assets at Risk List	The average and minimum complexities of attacks to assets from this entity
Entity is a critical asset
XM Cyber avg. complexity level
XM Cyber critical assets trend
Affected Entities

Incident Types

Name	Description
XM Cyber Critical Asset
XM Cyber Technique
XM Cyber Security Score
XM Cyber Choke Point

Integrations

Name	Description
XM Cyber (Partner Contribution)	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.

Playbooks

Name	Description
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. Resolve IP address to entity Get entity information for IP addresses regarding impact on critical assets and complexity of compromise

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Rapid7 InsightVM	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.0.30 - 819156 (February 11, 2024)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32816

Download

1.0.29 - 762016 (January 14, 2024)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32183

Download

1.0.28 - 722180 (December 28, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31828

Download

1.0.27 - 6299513 (September 12, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.13.73190.

Related pull requests:
- 29597

Download

1.0.26 - 6139598 (August 24, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29188

Download

1.0.25 - 5987442 (August 8, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.67728.

Related pull requests:
- 28833

Download

1.0.24 - R5866730 (July 25, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.65389.

Related pull requests:
- 28434

Download

1.0.23 - R5801668 (July 18, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27689

Download

1.0.22 - 5447040 (June 5, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27215

Download

1.0.21 - 5304600 (May 19, 2023)

Integrations

XM Cyber

Upgraded the Docker image to: demisto/python3:3.10.11.59070.

Related pull requests:
- 26640

Download

1.0.20 - R5170573 (May 2, 2023)

Playbooks

Scan and Isolate - XM Cyber

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24527

Download

1.0.19 - 4727595 (March 2, 2023)

Integrations

XM Cyber

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24981

Download

1.0.18 - R4718798 (March 1, 2023)

Layouts

XM Cyber Layout
This item is no longer supported in XSIAM.
XM Cyber Security Score
This item is no longer supported in XSIAM.
XM Cyber Technique Layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

PUBLISHER

XM Cyber

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	November 25, 2020
Last Release	February 11, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.