Automated Remediation Capabilities Matrix

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-05-22
Category: User Guide
Solution: Cloud
Abstract

Learn about the specific ASM automated remediation and enrichment capabilities and criteria.

This document describes the Active Response fully automated remediation and enrichment coverage for attack surface alerts discovered by Cortex Xpanse.

The following definitions are used:

  • Attack Surface Rule—The Attack Surface Rule that triggered the creation of an alert.

  • Automated Remediation Method—The method Cortex Xpanse uses to automatically remediate or rectify an attack surface alert.

  • Automated Remediation Criteria—The conditions that must be met for the automated remediation options to be available for execution.

This document contains the following information:

  • Automated Remediation Options and Criteria

  • Automated Remediation Methods

  • Supported Automation Integrations

  • Active Response Templates

Automated Remediation Options and Criteria
Abstract

Learn about the fully automated remediation options for attack surface alerts, including remediation methods, relevant attack surface rules, and automated remediation criteria.

The table below lists the fully automated remediation options that are currently available with Active Response. Each entry gives the attack surface rules covered, the remediation method, and the automated remediation criteria.

Attack Surface Rules:

  • Insecure OpenSSH

  • OpenSSH

  • RDP Server

  • SNMP Server

  • SSH Server

  • Telnet Server

  • Unencrypted FTP Server

  • Postgres Server

  • MySQL Server

  • MongoDB Server

  • Elasticsearch

Automated Remediation Method: Restrict port access

Automated Remediation Criteria:

  1. The service must be running on an AWS EC2 instance, Google GCE instance, or Azure VM in an account that has been configured with read/write access.

  2. At least one potential service owner must have been discovered.

  3. The associated service or asset must be a non-production instance. This is determined by either:

    1. A tag on the associated asset, from a CSP or VM integration, that indicates a development server. Development servers have no external users and run no production workflows. These servers may be tagged “dev” or with other non-production terms such as “pre-production”, “user acceptance testing”, or “qa”.

    2. Xpanse attributing the “Development Environment” service classification to the associated service using purely public information.

      • This can be disabled by setting the BypassDevCheck playbook input.

Attack Surface Rule: Unclaimed S3 Bucket

Automated Remediation Method: Placeholder S3 Bucket Created

Automated Remediation Criteria: The AWS S3 integration has been configured with read/write access.
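The three "Restrict port access" criteria as a checkable function, written as an added example rather than Xpanse's own playbook code. The asset field names, the extra tag synonyms beyond the terms the guide lists ("development", "preprod", "uat"), and the reading that BypassDevCheck disables only the public-information classification path are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Added example (not Xpanse playbook code): evaluate the three "Restrict port
# access" criteria for one asset. Tag terms are those the guide lists; the asset
# field names and the extra synonyms ("development", "preprod", "uat") are assumptions.
NON_PRODUCTION_TERMS = ("dev", "development", "pre-production", "preprod",
                        "user acceptance testing", "uat", "qa")
SUPPORTED_PROVIDERS = {"aws-ec2", "gcp-gce", "azure-vm"}

def tag_is_nonproduction(key: str, value: str) -> bool:
    """True when the tag key or value contains a non-production term as a whole word."""
    text = f"{key} {value}".lower()
    return any(re.search(rf"\b{re.escape(term)}\b", text) for term in NON_PRODUCTION_TERMS)

def is_nonproduction(tags: Dict[str, str], classification: Optional[str],
                     bypass_dev_check: bool = False) -> bool:
    """Criterion 3: a non-production tag from the CSP/VM integration, or Xpanse's
    'Development Environment' classification from public information. The guide
    places the BypassDevCheck input under the second path, so it disables only that."""
    if any(tag_is_nonproduction(k, v) for k, v in tags.items()):
        return True
    return not bypass_dev_check and classification == "Development Environment"

def remediation_allowed(asset: Dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for an asset record (constructed field names)."""
    if asset.get("provider") not in SUPPORTED_PROVIDERS or not asset.get("rw_access"):
        return False, "not an EC2/GCE/Azure VM on an account with read/write access"
    if not asset.get("owners"):
        return False, "no potential service owner discovered"
    if not is_nonproduction(asset.get("tags", {}), asset.get("classification"),
                            asset.get("bypass_dev_check", False)):
        return False, "asset not identified as non-production"
    return True, "all automated remediation criteria met"

if __name__ == "__main__":
    # Constructed asset: tagged as production, but publicly classified as a dev environment.
    sample = {"provider": "aws-ec2", "rw_access": True, "owners": ["owner@example.com"],
              "tags": {"Environment": "prod"}, "classification": "Development Environment"}
    print(remediation_allowed(sample))   # (True, 'all automated remediation criteria met')
    sample["bypass_dev_check"] = True
    print(remediation_allowed(sample))   # (False, 'asset not identified as non-production')
```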

Automated Remediation Methods
Abstract

Details about how each of the fully automated attack surface management remediation methods work.

The table below provides details about each of the Active Response fully automated remediation methods.

Automated Remediation Method: Restrict port access

This method varies based on the available control surface and the asset associated with the alert.

  • AWS

    EC2: Replaces the security group that is allowing the risky service to be exposed to the public internet with a new security group that only allows access via an internal network. See additional playbook details here.

  • Google Cloud

    GCE: The remediation steps for risks exposed on Google Cloud GCE operate by tagging the GCE instance with a network tag that references two new firewall rules: one allows internal traffic to the exposed port and the other blocks the port from internet access. The new firewall rules follow this naming convention: remediation-<allow|block>-<vpc name>-port-<port#>-<tcp|udp>. See additional playbook details here.

  • Azure

    VM: The remediation steps for risks exposed on Azure VM instances operate by adding new Azure Network Security Group (NSG) rules to the NSGs attached to the VM's NIC. The new rules allow access only from a private IP address range and block the traffic exposed to the public internet (using the private IP of the VM, as stated in the Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new rules that allow RDP traffic only from a private IP address and block the rest of the RDP traffic. The new firewall rules follow this naming convention: remediation-<allow|block>-port-<port#>-<tcp|udp>.

    Conditions and limitations:

    • Limited to one resource group.

    • 200 Azure rules are viewed at once to find the offending rule.

    • Two priority values lower than the offending rule's priority must be available.

    • Rules are added to the NSGs associated with the NICs.

    See additional playbook details here.

  • Palo Alto Networks NGFW

    Automated remediation will create a new firewall rule at the top of the ruleset called xpanse-ar-rule-<alert id>.

    This rule will block internet traffic to the IP address <ip> for port <port>-<protocol>.

    Conditions:

    • Network Address Translation (NAT) is not occurring before the firewall (it can be done by the firewall itself).

    • Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW).

    • !pan-os-security-policy-match fails if any firewall is disconnected (Panorama).

    • Matching on different rules for different firewalls is not supported (Panorama).

    • Multiple rules with the same name in different device groups are not supported (Panorama).

    • !pan-os-list-services fails if there are no services in a specific device group (Panorama).
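To make the Azure conditions above concrete, here is an added example (not the Xpanse playbook's own code) that models an NSG's inbound rules, finds the rule exposing a port to the internet, checks that two free priorities exist below it, and produces the allow and block rules with the documented names. The simplified rule dictionary, the "Internet" service tag as the block rule's source, and a private CIDR as the allow rule's source are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not the Xpanse playbook's own code. Azure evaluates the lowest
# priority number first (custom rules use 100-4096), so the allow and block rules
# the guide describes must land on two free priorities below the offending rule.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
RULE_LIMIT = 200  # the guide: 200 Azure rules viewed at once to find the offending rule

def find_offending_rule(rules: List[Dict], port: int, protocol: str) -> Optional[Dict]:
    """Highest-precedence inbound Allow rule exposing port/protocol to the internet."""
    for rule in sorted(rules[:RULE_LIMIT], key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["source"].lower() not in INTERNET_SOURCES:
            continue
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if rule["port"] in ("*", str(port)):
            return rule
    return None

def plan_nsg_remediation(rules: List[Dict], port: int, protocol: str,
                         private_source: str) -> Tuple[Optional[List[Dict]], str]:
    """Return ([allow_rule, block_rule], note) or (None, reason) when the
    documented conditions are not met. Rule shape is a constructed simplification."""
    offending = find_offending_rule(rules, port, protocol)
    if offending is None:
        return None, f"no inbound rule exposes {port}/{protocol} to the internet"
    used = {r["priority"] for r in rules}
    # Two free priorities below the offending rule; the allow rule takes the
    # lower number so it is evaluated before the block rule.
    free = sorted(p for p in range(100, offending["priority"]) if p not in used)[-2:]
    if len(free) < 2:
        return None, f"fewer than two free priorities below rule {offending['name']!r}"
    proto = protocol.lower()
    common = {"direction": "Inbound", "protocol": proto, "port": str(port)}
    allow = {"name": f"remediation-allow-port-{port}-{proto}", "priority": free[0],
             "access": "Allow", "source": private_source, **common}
    block = {"name": f"remediation-block-port-{port}-{proto}", "priority": free[1],
             "access": "Deny", "source": "Internet", **common}
    return [allow, block], f"offending rule {offending['name']!r} at priority {offending['priority']}"

# Constructed sample NSG: RDP (3389/tcp) exposed to the internet at priority 300.
SAMPLE_RULES = [
    {"name": "AllowSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "source": "10.0.0.0/8", "protocol": "Tcp", "port": "22"},
    {"name": "AllowRDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "source": "Internet", "protocol": "Tcp", "port": "3389"},
]

if __name__ == "__main__":
    print(plan_nsg_remediation(SAMPLE_RULES, 3389, "tcp", "10.0.0.0/8"))
```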

Automated Remediation Method: Placeholder S3 Bucket Created

This method is used solely for remediating Unclaimed S3 Bucket alerts.

These alerts are resolved by creating an empty S3 bucket with no external access that matches the organization’s undefined DNS CNAME record. See additional playbook details here.
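As an added example (not the playbook's own code), the following derives the bucket name and region that a placeholder bucket must use from the dangling CNAME target, and checks the name against S3's bucket naming rules before any create call is attempted. It handles the standard and website virtual-hosted S3 endpoint forms; the result dictionary shape is an assumption.

```python
import re
from typing import Dict, Optional

# Added example, not the Xpanse playbook's own code: derive the bucket name and
# region a placeholder bucket must use from a dangling CNAME target that points
# at an S3 virtual-hosted endpoint, and check the name is one S3 will accept.
_S3_ENDPOINT = re.compile(
    r"^(?P<bucket>.+?)\.s3(?:-website)?"                       # bucket may contain dots
    r"(?:[.-](?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?"        # region absent on legacy global endpoint
    r"\.amazonaws\.com\.?$", re.IGNORECASE)
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def valid_bucket_name(name: str) -> bool:
    """S3 general-purpose bucket naming rules: 3-63 chars of lowercase letters,
    digits, dots and hyphens; starts/ends alphanumeric; no '..'; not an IPv4 address."""
    return bool(_BUCKET_NAME.match(name)) and ".." not in name and not _IPV4.match(name)

def placeholder_bucket_for(cname_target: str) -> Dict[str, Optional[str]]:
    """Return {'bucket', 'region', 'status'} for a CNAME target. DNS names are
    case-insensitive but bucket names must be lowercase, so the name is lowered."""
    m = _S3_ENDPOINT.match(cname_target.strip())
    if not m:
        return {"bucket": None, "region": None, "status": "not an S3 endpoint"}
    bucket = m.group("bucket").lower()
    region = m.group("region").lower() if m.group("region") else None
    if not valid_bucket_name(bucket):
        return {"bucket": bucket, "region": region, "status": "invalid bucket name"}
    return {"bucket": bucket, "region": region, "status": "ok"}

if __name__ == "__main__":
    # Constructed dangling CNAME target: a website endpoint named after the hostname.
    print(placeholder_bucket_for("static.example.com.s3-website-us-east-1.amazonaws.com"))
```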

Supported Automation Integrations
Abstract

The list of supported ASM automation integrations and enrichment values.

The table below lists the supported Active Response automation integrations. Each entry gives the integration name, its category, the possible enrichment values, and the required permissions.

Integration: Active Directory (on-prem)
Category: Active Directory
Possible enrichment values:

  • User’s display name

  • User’s manager display name

  • User’s manager email

  • Service Owner details

Enrichment requires the following:

  • Ability to get detailed information about user accounts from On-Prem AD.

Integration: Atlassian Jira v2/v3
Category: ITSM
Possible enrichment values:

  • N/A

Also used to create Jira issues (i.e. tickets)

Task creation requires the following:

  • The "Create Issues" permission must be granted to the user or service account used for authentication.

Learn more about Jira permissions.

For details on the configuration of this integration, see:

Integration: AWS - EC2
Category: Cloud
Possible enrichment values:

  • Internal IP Addresses

  • EC2 Instance ID

  • EC2 Instance tags

  • Associated EC2 NIC ID(s)

  • Associated EC2 Security Group ID(s)

  • Associated EC2 VPC ID(s)

  • Cloud Region, AZ and Network ID(s)

Also used for remediation.

Enrichment requires the following actions:

  • ec2:DescribeInstances

  • ec2:DescribeSecurityGroups

Remediation requires the following actions:

  • ec2:DescribeInstances

  • ec2:DescribeSecurityGroups

  • ec2:CreateSecurityGroup

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:RevokeSecurityGroupIngress

  • ec2:RevokeSecurityGroupEgress

  • ec2:ModifyNetworkInterfaceAttribute

Learn more about AWS EC2 actions here.

To map public IP addresses to the EC2 instances they are associated with, use the AWS Public IP Insights API.

To make API calls from a single AWS user for all accounts in an organization, an AssumeRole must be configured to allow access. The role name must then be provided as the parent playbook input AWSAssumeRoleName.

Required permissions (for organizational scope only):

  • AssumeRole with these permissions (and the others listed above) for all accounts in the organization

  • ec2:DescribeRegions - Enrichment

  • ec2:DescribeIpamResourceDiscoveries - Enrichment

  • ec2:GetIpamDiscoveredPublicAddresses - Enrichment

Integration: AWS - Organizations
Category: Cloud
Possible enrichment values:

  • Account hierarchy details

Enrichment requires the following actions:

  • organizations:ListRoots

  • organizations:ListAccounts

  • organizations:ListParents

  • organizations:DescribeOrganization

  • organizations:DescribeOrganizationalUnit

  • organizations:DescribeAccount

Integration: AWS - S3
Category: Cloud
Possible enrichment values:

  • N/A

Used for validation and remediation

Remediation requires the following:

  • s3:CreateBucket

  • s3:ListAllMyBuckets

Learn more about AWS S3 actions here.

Integration: Azure Active Directory
Category: Active Directory
Possible enrichment values:

  • User's display name

  • Service Owner details

Enrichment requires the following:

  • Ability to get detailed information about user accounts from Azure AD.

Integration: Azure Compute
Category: Cloud
Possible enrichment values:

  • Azure Compute instance name

  • Azure Compute instance Resource Group

  • Azure Compute instance associated NIC

  • Azure Compute private IP

  • Azure Compute instance ID

  • Azure Cloud region

  • Azure Cloud subscription

Enrichment requires the following Azure permissions:

  • Microsoft.Compute/virtualMachines/read

  • Microsoft.Network/networkInterfaces/read

  • Microsoft.Network/ipAllocations/read

Learn more about Azure permissions.

Integration: Azure Network Security Groups
Category: Cloud
Possible enrichment values:

  • N/A

Used for Azure remediation

Remediation requires the following Azure permissions:

  • Microsoft.Network/networkSecurityGroups/read

  • Microsoft.Network/networkSecurityGroups/write

Learn more about Azure Network Security Group permissions.

Integration: Cortex XDR
Category: Endpoint
Possible enrichment values:

  • Internal IP Addresses

  • XDR Endpoint ID

  • XDR Endpoint and Server Tags

  • XDR Endpoint Asset ID

  • XDR Endpoint Asset Name

  • Service Owner details (currently logged in user)

Enrichment requires the following:

  • Advanced API key configured on XDR

  • The minimum role is Viewer

  • Click “Copy API URL” to get the server URL for the integration

For more information see this documentation.

Integration: GCP IAM
Category: Cloud
Possible enrichment values:

  • Service Owner details

  • Folder hierarchy details

  • Folder labels

Enrichment requires the following IAM permissions:

  • resourcemanager.projects.getIamPolicy

Integration: Google Cloud Compute
Category: Cloud
Possible enrichment values:

  • Associated Firewall ID

  • Internal IP Addresses

  • VM instance tags

  • Cloud Project and Zone

  • VM instance ID

  • Associated VPC ID

  • Potential offending firewall rule names

  • Associated Network ID(s)

  • Associated Zone ID(s)

Used for GCP remediation

Enrichment requires the following compute permissions:

  • compute.instances.list

  • compute.instances.get

Remediation requires the following compute permissions:

  • compute.instances.list

  • compute.instances.get

  • compute.firewalls.list

  • compute.firewalls.create

  • compute.instances.setTags

For support at the Folder/Organization level, we also recommend adding the Cloud Asset Owner role to the Service Account.

Integration: Microsoft Graph Identity and Access
Category: Cloud
Possible enrichment values:

  • Global Admins role details and IDs

Enrichment requires the following Azure permissions:

  • RoleManagement.Read.Directory

  • Directory.Read.All

  • RoleManagement.ReadWrite.Directory

  • Directory.ReadWrite.All

Learn more about MS Graph directory permissions.

Integration: Microsoft Graph User
Category: Cloud
Possible enrichment values:

  • Global Admins Name and Emails

Enrichment requires the following MS Graph User permissions:

  • User.Read.All

  • User.ReadWrite.All

  • Directory.Read.All

  • Directory.ReadWrite.All

Learn more about MS Graph User permissions.

Integration: Panorama
Category: Network Security
Possible enrichment values:

  • Firewall Rule Name

Used for NGFW remediation

This integration requires an engine to be configured before it can be used. Documentation for engine deployment and configuration can be found here.

Enrichment requires the following permissions:

  • Configuration

Remediation requires the following permissions:

  • Configuration

  • Commit

These permissions are best fulfilled by the Device Administrator role. Learn more about the PAN-OS and Panorama API.

Integration: Prisma Cloud
Category: Cloud
Possible enrichment values:

  • Cloud Resource Information (Instance identifier)

  • CSP tags

  • Service Ownership details from CSP logs in PrismaCloud

Enrichment requires the following: 

  • “Investigate.Running Queries” permission and access to designated accounts within Prisma Cloud.

The minimum required role is “Account Group Read Only”. Learn more about Prisma Cloud roles.

Integration: Qualys
Category: Vulnerability Management
Possible enrichment values:

  • Qualys asset information (OS, Name, Scan details, Owner)

  • Qualys asset tags

Enrichment requires the following:

  • The “view vulnerabilities” permission which is minimally scoped to the “Remediation User” role.

  • Access to the asset must be allowed via TBUS.

Learn more about Qualys permissions and scope controls.

Integration: Rapid7 InsightVM
Category: Vulnerability Management
Possible enrichment values:

  • Rapid7 asset information (OS, Name, Asset Site)

  • Rapid7 asset tags

Enrichment requires the following:

  • The “View Group Asset Data” permission which can minimally be scoped to the “User” role.

Learn more about Rapid7 permissions and roles here.

Integration: ServiceNow CMDB
Category: Asset Management
Possible enrichment values:

  • CMDB CI Sys ID

  • CMDB Parent Sys ID

  • CMDB NIC Sys ID

  • CMDB Assignment Sys ID

Enrichment requires the following:

  • A minimum of the cmdb_read role.

Learn more about ServiceNow roles.

Integration: ServiceNow v2
Category: ITSM
Possible enrichment values:

  • N/A

Also used to create ServiceNow incidents (i.e. tickets)

Incident creation requires the following:

  • A minimum of the itil role.

Learn more about ServiceNow roles.

Integration: Splunk
Category: SIEM
Possible enrichment values:

  • Service Owner details

Enrichment requires the Splunk “user” role at a minimum and access to any necessary indexes.

Learn more about Splunk roles.

Integration: Tenable.io
Category: Vulnerability Management
Possible enrichment values:

  • Tenable Asset ID

  • Tenable asset tags

  • Service Owner details

Enrichment requires the following:

  • The Asset.view privilege must be assigned to the user's role

  • The assigned user must have access to the asset via permissions

Learn more about Tenable.io privileges and permissions.

Active Response Templates

The table below describes the default format and wording for emails and tickets created by Cortex Xpanse for ASM alerts. To create custom emails and tickets, see Playbook Configuration. Each field is listed with its default value.

Notification Email Subject:

A new security risk was identified on an external service owned by your team

Notification Email Body HTML:

Infosec identified a security risk on an external service potentially owned by your team:
${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance}

Remediation Notification Email Subject:

A new security risk was addressed on an external service owned by your team

Remediation Notification Email Body HTML:

<!DOCTYPE html>
<html lang="en">
<body>
    <p>
        Infosec identified a security risk on an external service
        potentially owned by your team:<br><b>${alert.name}</b>
    </p>
    <p>
        <b>Alert Details:</b> ${alert.details}<br>
        <b>Action Taken:</b> ${alert.asmremediation.[0].Action}<br>
        <b>Action Outcome:</b> ${alert.asmremediation.[0].Outcome}<br>
    </p>
</body>
</html>

ServiceNow Incident Title:

Cortex ASM Alert: ${alert.name}

ServiceNow Incident Description:

Infosec identified a security risk on an external service potentially owned by your team:
${alert.name}<br><br>
Description:
${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance}

Jira Cloud Project ID:

XPANSE