Active Response FAQ - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Below are answers to the most frequently asked questions about the Cortex Xpanse Active Response Module.


What is the Active Response module?

The Active Response module is an add-on for Cortex Xpanse Expander that provides built-in automation capabilities and playbooks to augment alert investigation and where applicable, fully remediate risks automatically. See Active Response for more information.


How does Active Response work?

The Active Response module works by starting an automation playbook as soon as a new alert is created. This happens regardless of the type of Attack Surface Rule that causes an alert to be generated. The automation playbook progresses through a set of stages in which various automation integrations may be utilized to collect data, send Xpanse data to another system, or take a remediation action. See How Active Response Works for details.

The primary Active Response playbook, Cortex ASM - ASM Alert, contains sub-playbooks that organize all of the playbook content for maintenance and legibility purposes. This Active Response playbook also supports many different branches or paths that can be taken depending on the types of configured integrations, the type of alert, and input provided by the analyst.


How many playbooks do I get?

There is only one playbook that gets assigned to all ASM alerts, regardless of type. It’s named Cortex ASM - ASM Alert.

The Active Response module also includes many sub-playbooks to accomplish various component tasks.The Xpanse team recommends measuring the value of the Active Response module based on outcomes and capabilities rather than the total number of included playbooks.


How can I edit the playbooks?

The Active Response module does not allow editing of playbooks directly, but you can configure custom email and ticketing notifications that the playbook will send. See Playbook Configuration.

If you have any feedback for functionality you’d like to see included in Active Response, please let your Customer Success manager know. The Xpanse team is eager to hear your feedback.

For organizations with automation needs that require sufficient customization, Cortex XSIAM with the Attack Surface Management module or Cortex XSOAR combined with Cortex Xpanse Expander may be promising solutions.


How do I make sure I have the latest content?

New content for the Active Response module is published as soon as it becomes available, with updates as frequently as every week. Your content will update automatically once a week.

If you'd like to update your content before the automatic update happens or to check whether new content is available, you can go to Marketplace in Expander, and select the Installed Content Packs tab.

Here the “Cortex Attack Surface Management” pack should be listed and will indicate if an update is available. Selecting the pack and clicking the update button will force the Active Response content to be updated.

Updating the content does not automatically restart playbooks that have already begun execution on an alert.


Why don’t I see an option to automatically remediate?

For the various attack surface rules that support fully automated remediation, there are specific criteria that must be met in order for these options to be available. This extra precaution helps ensure that your critical production services are not unintentionally interrupted. 

As an example, the automated remediation criteria for RDP on AWS includes:

  • Service must be running on an AWS EC2 instance from an account that has been configured with read/write access.

  • At least one potential service owner must have been discovered.

  • The associated service or asset must be a non-production instance. This is determined by a tag on the associated asset that contains the term “dev” that is found via a CSP or VM integration and Xpanse attributing the “Development Environment” service classification to the associated service.

See Automated Remediation Capabilities Matrix for details about automated remediation options and requirements.


Can I disable Active Response?

Active Response cannot currently be disabled. However, if you don’t configure any automation integrations the playbooks will not be able to take any actions on your behalf and can safely be ignored.


I see a playbook error; what do I do?

The suggested troubleshooting action for a playbook error is to restart the playbook. You can do this by navigating to the playbook sub-tab for the alert, and clicking the Restart button in the playbook view. Once you confirm this action, the playbook will be restarted. Any data collected by the previous playbook execution may be lost.


When will you support X, Y, Z integration?

The Xpanse team will continually deliver on a roadmap of integrations to be incorporated into the Active Response module. We will regularly reassess and make sure that this roadmap reflects customer needs.

If you have any feedback regarding functionality you’d like to see included in Active Response or integrations you’d like to see supported, please let your Customer Success manager know. The Xpanse team is eager to hear your feedback.


Can I get the Active Response module if I’m an XSOAR customer?

Unfortunately, no. The primary playbook that has been developed for Active Response is intended to only be executed within Expander or XSIAM.

However, much of the content that has been developed for Active Response is also available for XSOAR customers to utilize as the building blocks for their own playbooks. The AWS Enrichment and Remediation pack is an example of one of these utility packs.


Can I get the Active Response module if I’m an XSIAM customer?

XSIAM customers who have purchased the Attack Surface Management module add-on can install Active Response content from the Marketplace. All content and dependencies can be added by installing the Cortex Attack Surface Management pack.