Learn about the specific ASM automated remediation and enrichment capabilities and criteria.
This document describes the Active Response fully automated remediation and enrichment coverage for attack surface alerts discovered by Cortex Xpanse.
The following definitions are used:
Attack Surface Rule—The Attack Surface Rule that triggered the creation of an alert.
Automated Remediation Method—The method Cortex Xpanse uses to automatically remediate or rectify an attack surface alert.
Automated Remediation Criteria—The conditions that must be met for the automated remediation options to be available for execution.
This document contains the following information:
Automated remediation options and criteria
Learn about the fully automated remediation options for attack surface alerts, including remediation methods, relevant attack surface rules, and automated remediation criteria.
The table below lists the fully automated remediation options that are currently available with Active Response, including the remediation methods, relevant attack surface rules, and automated remediation criteria.
| Attack Surface Rule | Automated Remediation Method | Automated Remediation Criteria |
|---|---|---|
| | Restrict port access | |
| Insecure OpenSSH | Patching vulnerable software | |
| | Isolate endpoint from the network | |
| Unclaimed S3 Bucket | Placeholder S3 Bucket Created | The AWS S3 integration has been configured with read/write access. |
Automated Remediation Methods
Details about how each of the fully automated attack surface management remediation methods work.
The table below provides details about each of the Active Response fully automated remediation methods.
Automated Remediation Method | Details |
---|---|
Restrict Port Access | This method varies based on the available control surface and the asset associated with the alert. |
Isolate Endpoint from the Network | This method is available when the requirements for the Restrict Port Access method have not been met and the asset associated with the alert has a Cortex XDR or XSIAM endpoint security agent. Note: This remediation method operates by isolating the asset that is exposed to the public internet and halting all network access on the endpoint except for traffic to Cortex XSIAM or XDR. See additional playbook details here. |
Patch vulnerable software | This method is available when the AWS Systems Manager agent is active, the platform requirements (Ubuntu) are met, and the alert was raised by the Insecure OpenSSH attack surface rule. The remediation is applied by upgrading the existing vulnerable OpenSSH software to a newer, patchable version. |
Create placeholder S3 Bucket | This method is used solely for remediating Unclaimed S3 Bucket alerts. These alerts are resolved by creating an empty S3 bucket with no external access whose name matches the organization’s dangling DNS CNAME record. See additional playbook details here. |
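As an added illustration (not the Active Response playbook's own code), the following Python shows the shape of the placeholder-bucket remediation: it derives the bucket name and region from the dangling CNAME target, creates the bucket with ACLs disabled, and turns on all four S3 Block Public Access settings so the placeholder stays non-public. The boto3 client is replaced by a constructed recording stand-in so the block runs offline; the endpoint patterns and hostnames are constructed examples.

```python
import re

# Matches the S3 endpoints a dangling CNAME commonly points at, e.g. (constructed)
# bucket.s3.amazonaws.com, bucket.s3.us-west-2.amazonaws.com, bucket.s3-website-us-west-2.amazonaws.com
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?"
    r"\.amazonaws\.com$"
)
# All four S3 Block Public Access settings on: the placeholder must stay non-public.
BLOCK_ALL_PUBLIC = {k: True for k in (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}


def parse_s3_cname_target(cname_target):
    """Return (bucket, region) for an S3 CNAME target; region defaults to us-east-1."""
    m = S3_TARGET.match(cname_target.lower().rstrip("."))
    if not m:
        raise ValueError(f"not an S3 endpoint: {cname_target}")
    return m["bucket"], m["region"] or "us-east-1"


def create_placeholder_bucket(s3, cname_target):
    """Claim the bucket named by the dangling CNAME as an empty, non-public bucket.
    `s3` needs boto3's create_bucket/put_public_access_block signatures."""
    bucket, region = parse_s3_cname_target(cname_target)
    # BucketOwnerEnforced disables ACLs, so no object can be made public via ACL.
    params = {"Bucket": bucket, "ObjectOwnership": "BucketOwnerEnforced"}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        params["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**params)
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC)
    return {"bucket": bucket, "region": region}


class RecordingS3:
    """Constructed stand-in for a boto3 S3 client: records calls instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def create_bucket(self, **kwargs):
        self.calls.append(("create_bucket", kwargs))
        return {"Location": "/" + kwargs["Bucket"]}

    def put_public_access_block(self, **kwargs):
        self.calls.append(("put_public_access_block", kwargs))
        return {}
```

Passing `boto3.client("s3")` in place of `RecordingS3()` issues the same two calls against AWS, which is where the S3 integration's read/write access from the criteria table comes in.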
Supported Automation Integrations
View the list of supported ASM automation integrations and enrichment values.
The table below lists the supported Active Response automation integrations, the possible enrichment values for each integration, and the permission requirements.
Integration Name | Category | Utilization | Required Permission |
---|---|---|---|
Active Directory Query v2 (on-prem) | Active Directory | Enrichment | This integration requires an engine to be configured. Documentation for engine deployment and configuration can be found here. Enrichment requires the following:<br>Find details on the configuration of this integration here. |
Atlassian Jira v2/v3 | ITSM | Enrichment. Also used to create Jira issues (tickets). | If using the on-premises version of Jira (Jira Server), this integration requires an engine to be configured. Documentation for engine deployment and configuration can be found here. Task creation requires the following:<br>Learn more about Jira permissions. For details on the configuration of this integration, see: |
AWS - EC2 | Cloud | Enrichment. Also used for remediation. | Enrichment requires the following actions:<br>Remediation requires the following actions:<br>Learn more about AWS EC2 actions here. To map EC2 instances to their associated public IP addresses, use the AWS Public IP Insights API. To make API calls from a single AWS user for all accounts in an organization, an AssumeRole must be configured to allow access. The AssumeRole must then be added as the parent playbook input AWSAssumeRoleName. Required permissions (for organizational scope only):<br>See more details on the configuration of this integration here. |
AWS - Organizations | Cloud | Enrichment | Enrichment requires the following actions:<br>See more details on the configuration of this integration here. |
AWS - S3 | Cloud | Enrichment. Used for validation and remediation. | Remediation requires the following:<br>Learn more about AWS S3 actions here. See more details on the configuration of this integration here. |
AWS - SSM | Cloud | Enrichment. Remediation. | Enrichment requires the following:<br>Remediation requires the following:<br>See more details on the configuration of this integration here. |
Azure Active Directory Identity And Access | Cloud | Enrichment | Enrichment requires the following Azure permissions:<br>Learn more about Azure Active Directory permissions here. Find more details on the configuration of this integration here. |
Azure Active Directory Users | Active Directory | Enrichment | Enrichment requires the following Azure permissions:<br>Learn more about MS Graph User permissions here. Find details on the configuration of this integration here. |
Azure Compute v2 | Cloud | Enrichment | Enrichment requires the following Azure permissions:<br>Learn more about Azure permissions. Find details on the configuration of this integration here. |
Azure Network Security Groups | Cloud | Enrichment. Used for Azure remediation. | Remediation requires the following Azure permissions:<br>Learn more about Azure Network Security Group permissions. Find details on the configuration of this integration here. |
Azure Resource Graph | Cloud | Enrichment | To use Resource Graph, you must have appropriate rights in Azure role-based access control (Azure RBAC) with at least read access to the resources you want to query. No results are returned if you do not have at least read permissions to the Azure object or object group. Find details on the configuration of this integration here. |
Cortex Attack Surface Management | Vulnerability Management | This integration authenticates the limited XSOAR functionality that Active Response is built on, so that it can access service and asset details stored in your ASM instance. It is also used for internal API calls such as those for remediation guidance, remediation path rules, and remediation confirmation scanning. | Within the Xpanse interface, navigate to → → to create a new API key for this integration. It must be a standard API key with a minimum role of “analyst”. See more details on the configuration of this integration here. |
Cortex XDR | Endpoint | Enrichment | Enrichment requires the following:<br>For more information, see this documentation. See more details on the configuration of this integration here. |
GCP IAM | Cloud | Enrichment | Enrichment requires the following IAM permissions:<br>See more details on the configuration of this integration here. |
Google Cloud Compute | Cloud | Enrichment. Used for GCP remediation. | Enrichment requires the following compute permissions:<br>Remediation requires the following compute permissions:<br>For support at the Folder/Organization level, we also recommend adding the Cloud Asset Owner role to the Service Account. See more details on the configuration of this integration here. |
Palo Alto Networks PAN-OS | Network Security | Enrichment. Used for NGFW remediation. | This integration requires an engine to be configured before it can be used. Documentation for engine deployment and configuration can be found here. Enrichment requires the following permissions:<br>Remediation requires the following permissions:<br>These permissions are best fulfilled by the Device Administrator role. Learn more about the PAN-OS and Panorama API. See more details on the configuration of this integration here. |
Prisma Cloud | Cloud | Enrichment | Enrichment requires the following:<br>The minimum required role is “Account Group Read Only”. Learn more about Prisma Cloud roles. |
Qualys | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Qualys permissions and scope controls. Find details on the configuration of this integration here. |
Rapid7 InsightVM | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Rapid7 permissions and roles here. Find details on the configuration of this integration here. |
ServiceNow CMDB | Asset Management | Enrichment | Enrichment requires the following:<br>Learn more about ServiceNow roles. Find details on the configuration of this integration here. |
ServiceNow v2 | ITSM | Enrichment. Also used to create ServiceNow incidents (tickets). Note: Setting the "NotificationTicketType" input field from “incident” to “sn_si_incident” allows this integration to create new incidents within the ServiceNow SIR product. If this input field is left unchanged, the incident is created within the ITSM product. | Incident creation requires the following:<br>Learn more about ServiceNow roles. Find details on the configuration of this integration here. |
Slack v3 | Messaging and Conferencing | Enrichment. Also used to create Slack messages. | Messaging requires the creation of a custom app that is added to one or more channels and has the following minimal permissions:<br>Find details on the configuration of this integration here. |
Splunk | SIEM | Enrichment | Enrichment requires the Splunk “user” role at a minimum and access to any necessary indexes. Learn more about Splunk roles. See more details on the configuration of this integration here. |
Tenable.io | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Tenable.io privileges and permissions. Find details on the configuration of this integration here. |
Venafi | Identity | Enrichment | Enrichment requires the following permissions:<br>Find more information about scope here. Find details on the configuration of this integration here. |
Active response templates
The table below describes the default format and wording for emails and tickets created by Cortex Xpanse for ASM alerts. To create custom emails and tickets, see Playbook Configuration.
Field | Value |
---|---|
Notification Email Subject | A new security risk was identified on an external service owned by your team |
Notification Email Body HTML | Infosec identified a security risk on an external service potentially owned by your team: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance} |
Remediation Notification Email Subject | A new security risk was addressed on an external service owned by your team |
Remediation Notification Email Body HTML | <!DOCTYPE html> <html lang="en"> <body> <p> Infosec identified a security risk on an external service potentially owned by your team:<br><b>${alert.name}</b> </p> <p> <b>Alert Details:</b> ${alert.details}<br> <b>Action Taken:</b> ${alert.asmremediation.[0].Action}<br> <b>Action Outcome:</b> ${alert.asmremediation.[0].Outcome}<br> </p> </body> </html> |
ServiceNow Incident Title | Cortex ASM Alert: ${alert.name} |
ServiceNow Incident Description | Infosec identified a security risk on an external service potentially owned by your team: ${alert.name}<br><br> Description: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance} |