Automated Remediation Capabilities Matrix - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-29
Last date published: 2024-11-12
Category: User Guide
Solution: Cloud
Abstract

Learn about the specific ASM automated remediation and enrichment capabilities and criteria.

This document describes the Active Response fully automated remediation and enrichment coverage for attack surface alerts discovered by Cortex Xpanse.

The following definitions are used:

  • Attack Surface Rule—The Attack Surface Rule that triggered the creation of an alert.

  • Automated Remediation Method—The method Cortex Xpanse uses to automatically remediate or rectify an attack surface alert.

  • Automated Remediation Criteria—The conditions that must be met for the automated remediation options to be available for execution.

This document contains the following information:

  • Automated remediation options and criteria

  • Automated remediation methods

  • Supported automation integrations

  • Active response templates

Abstract

Learn about the fully automated remediation options for attack surface alerts, including remediation methods, relevant attack surface rules, and automated remediation criteria.

The table below lists the fully automated remediation options that are currently available with Active Response, including the remediation methods, relevant attack surface rules, and automated remediation criteria.

Attack Surface Rules:

  • Elasticsearch

  • Insecure Bitvise SSH Server

  • Insecure OpenSSH

  • Insecure SFTPGo

  • Kubernetes ControlPlane Component

  • LDAP Server

  • Libssh

  • MongoDB Server

  • MySQL Server

  • Netbios Name Server

  • Nfs Rpcbind Server

  • OpenSSH

  • Postgres Server

  • RDP Server

  • Rpcbind Server

  • Smb Server

  • SNMP Server

  • SSH Server

  • SSH Terrapin Attack

  • Telnet

  • TFTP Server

  • Unencrypted FTP Server

Automated Remediation Method: Restrict port access

Automated Remediation Criteria:

  1. The service must be running on an AWS EC2 instance, Google GCE instance, or Azure VM in an account that has been configured with read/write access. On-premises assets whose traffic is controlled by Palo Alto Networks firewalls are also supported.

  2. At least one potential service owner must have been discovered.

  3. The associated service or asset must be a non-production instance. This is determined by either:

    • A tag on the associated asset, from a cloud service provider (CSP) or vulnerability management (VM) integration, that indicates a development server. Development servers have no external users and run no production workflows. These servers may be tagged “dev” or with other non-production terms such as “pre-production”, “user acceptance testing”, or “qa”.

    • Xpanse attributing the “Development Environment” service classification to the associated service using purely public information.

      • This can be disabled by setting the BypassDevCheck playbook input.

Attack Surface Rule: Insecure OpenSSH

Automated Remediation Method: Patching vulnerable software

Automated Remediation Criteria:

  1. The service must be running on an AWS EC2 instance.

  2. The attack surface rule must be Insecure OpenSSH.

  3. The EC2 instance must be of platform type Linux (Ubuntu).

  4. The AWS SSM agent must be active on the instance.

  5. At least one potential service owner must have been discovered.

  6. The associated service or asset must be a non-production instance. This is determined by either:

    • A tag on the associated asset, from a cloud service provider (CSP) or vulnerability management (VM) integration, that indicates a development server. Development servers have no external users and run no production workflows. These servers may be tagged “dev” or with other non-production terms such as “pre-production”, “user acceptance testing”, or “qa”.

    • Xpanse attributes the “Development Environment” service classification to the associated service using purely public information.

      • This can be disabled by setting the BypassDevCheck playbook input.

Attack Surface Rules:

  • Elasticsearch

  • Insecure Bitvise SSH Server

  • Insecure OpenSSH

  • Insecure SFTPGo

  • Kubernetes ControlPlane Component

  • LDAP Server

  • Libssh

  • MongoDB Server

  • MySQL Server

  • Netbios Name Server

  • Nfs Rpcbind Server

  • OpenSSH

  • Postgres Server

  • RDP Server

  • Rpcbind Server

  • Smb Server

  • SNMP Server

  • SSH Server

  • SSH Terrapin Attack

  • Telnet

  • TFTP Server

  • Unencrypted FTP Server

Automated Remediation Method: Isolate endpoint from the network

Automated Remediation Criteria:

  1. The service must NOT be running on an AWS EC2 instance, Google GCE instance, or Azure Compute VM, and must not be an on-premises asset managed with Palo Alto Networks firewalls.

  2. The asset must be managed by Cortex XSIAM Endpoint Security or Cortex XDR Prevent or Pro.

  3. At least one potential service owner must have been discovered.

  4. The associated service or asset must be a non-production instance. This is determined by either:

    • A tag on the associated asset, from a cloud service provider (CSP) or vulnerability management (VM) integration, that indicates a development server. Development servers have no external users and run no production workflows. These servers may be tagged “dev” or with other non-production terms such as “pre-production”, “user acceptance testing”, or “qa”.

    • Xpanse attributes the “Development Environment” service classification to the associated service using purely public information.

      • This can be disabled by setting the BypassDevCheck playbook input.

Attack Surface Rule: Unclaimed S3 Bucket

Automated Remediation Method: Placeholder S3 Bucket Created

Automated Remediation Criteria:

  1. The AWS S3 integration has been configured with read/write access.

Automated Remediation Methods

Abstract

Details about how each of the fully automated attack surface management remediation methods work.

The table below provides details about each of the Active Response fully automated remediation methods.


Restrict Port Access

This method varies based on the available control surface and the asset associated with the alert.

  • AWS

    EC2: Replaces the security group that is allowing the risky service to be exposed to the public internet with a new security group that only allows access via an internal network. See additional playbook details here.

  • Google Cloud

    GCE: The remediation steps for risks exposed on Google Cloud GCE operate by tagging the GCE instance with a network tag referenced by two new firewall rules: one allows internal traffic to the exposed port and the other blocks the port from internet access. The new firewall rules follow this naming convention: remediation-<allow|block>-<vpc name>-port-<port#>-<tcp|udp>. See additional playbook details here.

  • Azure

    VM: The remediation steps for risks exposed on Azure VM instances add new rules to the Azure Network Security Groups (NSGs) attached to the VM's NIC. The new rules allow access only from a private IP address range, derived from the VM's private IP as described in the Azure documentation, and block the remaining traffic to the exposed port from the public internet. For example, if RDP is exposed to the public internet, the playbook adds rules that allow RDP only from the private range and block the rest of the RDP traffic. The new rules follow this naming convention: remediation-<allow|block>-port-<port#>-<tcp|udp>.

    Conditions and limitations:

    • Limited to one resource group.

    • At most 200 NSG rules are inspected when searching for the offending rule.

    • Two unused priority values numerically lower than the offending rule's priority (and therefore evaluated before it) must be available for the new allow and block rules.

    • Rules are added only to NSGs associated with NICs.

    See additional playbook details here.

  • Palo Alto Networks NGFW

    Automated remediation will create a new firewall rule at the top of the ruleset called xpanse-ar-rule-<alert id>.

    This rule will block internet traffic to the IP address of <ip> for port <port>-<protocol>.

    Conditions:

    • Network Address Translation (NAT) is not occurring before the firewall (it can be done by the firewall itself).

    • Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW).

    • !pan-os-security-policy-match fails if any firewall is disconnected (Panorama).

    • Matching on different rules for different firewalls not supported (Panorama).

    • Multiple rules with the same name in different device-groups not supported (Panorama).

    • !pan-os-list-services will fail if there are no services in a specific device-group (Panorama).
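The AWS and Azure variants of Restrict Port Access described above, as an added example that is not part of the Cortex Xpanse playbooks: the first function computes the ingress rules of the replacement security group (internet sources dropped from every rule covering the exposed port, the port re-admitted only from the VPC CIDR); the second locates the offending NSG rule under the documented 200-rule cap, reserves two free priorities below it, and produces the allow and block rules with the remediation-<allow|block>-port-<port#>-<tcp|udp> names. The sample security group and NSG rules are constructed, and the VPC CIDR and private prefix are supplied by the caller; how the real playbooks select them is not stated on this page.

```python
# Added example, not Cortex Xpanse playbook code: reviewable plans for the
# "Restrict Port Access" method on AWS and Azure, computed from the JSON the
# CSP APIs return. Nothing is applied; the caller hands the results to
# ec2:CreateSecurityGroup/AuthorizeSecurityGroupIngress or to an NSG write.
import copy

AWS_INTERNET = {"0.0.0.0/0", "::/0"}
AZURE_INTERNET = {"*", "Internet", "0.0.0.0/0"}
AZURE_MAX_RULES = 200     # documented cap on rules inspected for the offending rule
AZURE_MIN_PRIORITY = 100  # custom NSG rules use priorities 100-4096


def aws_replacement_ingress(ip_permissions, port, protocol, vpc_cidr):
    """Ingress for a replacement security group: internet sources are removed from
    every rule covering port/protocol, other rules are kept, and the port is
    re-admitted only from the VPC CIDR. Returns (offending_rules, new_ingress)."""
    kept, offending = [], []
    for perm in ip_permissions:
        covers = perm.get("IpProtocol") == "-1" or (  # "-1" is all traffic
            perm.get("IpProtocol") == protocol
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
        if not covers:
            kept.append(perm)
            continue
        new = copy.deepcopy(perm)
        new["IpRanges"] = [r for r in perm.get("IpRanges", []) if r["CidrIp"] not in AWS_INTERNET]
        new["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] not in AWS_INTERNET]
        before = len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
        if len(new["IpRanges"]) + len(new["Ipv6Ranges"]) < before:
            offending.append(perm)
        # keep the rule only if a CIDR, prefix list or source security group remains
        if new["IpRanges"] or new["Ipv6Ranges"] or new.get("PrefixListIds") or new.get("UserIdGroupPairs"):
            kept.append(new)
    if not offending:
        raise ValueError("no rule exposes %s/%d to the internet" % (protocol, port))
    kept.append({"IpProtocol": protocol, "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": vpc_cidr, "Description": "remediation: internal only"}]})
    return offending, kept


def _covers_port(port_range, port):
    """Azure destination port ranges look like "*", "3389" or "3000-4000"."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def azure_remediation_rules(rules, port, protocol, private_prefix):
    """Locate the inbound allow rule exposing port/protocol to the internet and
    build the allow and block rules on two free priorities just below it. Azure
    evaluates lower numbers first, so both new rules win over the offending one,
    and the allow rule gets the lower number so it wins over the block rule.
    Returns (offending_rule, [allow_rule, block_rule])."""
    if len(rules) > AZURE_MAX_RULES:
        raise ValueError("more than %d rules; offending-rule search is capped" % AZURE_MAX_RULES)
    offending = None
    for rule in sorted(rules, key=lambda r: r["priority"]):
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
        if ((rule["direction"], rule["access"]) == ("Inbound", "Allow")
                and rule["protocol"] in ("*", protocol)
                and AZURE_INTERNET.intersection(sources)
                and any(_covers_port(p, port) for p in ports)):
            offending = rule
            break
    if offending is None:
        raise ValueError("no inbound allow rule exposes %s/%d" % (protocol, port))
    used = {r["priority"] for r in rules}
    free = [p for p in range(offending["priority"] - 1, AZURE_MIN_PRIORITY - 1, -1)
            if p not in used][:2]
    if len(free) < 2:
        raise ValueError("two free priorities below %d are required" % offending["priority"])
    block_prio, allow_prio = free
    base = {"direction": "Inbound", "protocol": protocol, "sourcePortRange": "*",
            "destinationPortRange": str(port), "destinationAddressPrefix": "*"}
    tag = "port-%d-%s" % (port, protocol.lower())
    allow = dict(base, name="remediation-allow-" + tag, priority=allow_prio,
                 access="Allow", sourceAddressPrefix=private_prefix)
    block = dict(base, name="remediation-block-" + tag, priority=block_prio,
                 access="Deny", sourceAddressPrefix="*")
    return offending, [allow, block]


# Constructed sample data shaped like DescribeSecurityGroups IpPermissions and
# NSG securityRules properties; not taken from any real environment.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24", "Description": "office"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
SAMPLE_NSG = [
    {"name": "Mgmt", "priority": 299, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
    {"name": "AllowRDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]
```

Both functions refuse rather than guess when the preconditions on this page are not met (no exposing rule found, more than 200 NSG rules, fewer than two free priorities), which is the behaviour you want from anything that is allowed to rewrite network policy unattended. Note that an AWS rule with IpProtocol "-1" (all traffic) covers every port, so stripping its internet sources restricts more than the single alerted port; the comment marks that case.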

Isolate Endpoint from the Network

This method is available when the requirements for the Restrict Port Access method have not been met and the asset associated with the alert has a Cortex XDR or XSIAM endpoint security agent.

Note

This remediation method operates by isolating the asset that is exposed to the public internet and halting all network access on the endpoint except for traffic to Cortex XSIAM or XDR. See additional playbook details here.

Patch vulnerable software

This method is available when the AWS Systems Manager (SSM) agent is active on the instance, the platform requirement (Ubuntu) is met, and the alert was raised by the Insecure OpenSSH attack surface rule.

The remediation is applied by upgrading the vulnerable OpenSSH package to a newer, patched version.
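The eligibility criteria listed for Patching vulnerable software in the table above and the SSM-driven upgrade described here, as an added example that is not Cortex Xpanse playbook code. The check runs over an SSM inventory record of type AWS:InstanceInformation plus the discovered owners and the asset's tags; the command builder produces the ssm:SendCommand parameters for the AWS-RunShellScript document. The inventory field names (ResourceType, PlatformType, PlatformName, InstanceStatus), the list of non-production tag terms, and the reading of BypassDevCheck as waiving the non-production requirement are assumptions of this example, as is the sample record.

```python
# Added example, not Cortex Xpanse playbook code. It encodes the criteria listed for
# the "Patching vulnerable software" method against an SSM inventory record of type
# AWS:InstanceInformation and builds the ssm:SendCommand parameters that would run the
# upgrade via the AWS-RunShellScript document. The inventory field names, the
# non-production tag terms and the reading of BypassDevCheck are assumptions here.
import re

NON_PROD_TOKENS = {"dev", "development", "preprod", "uat", "qa", "test", "testing"}
NON_PROD_PHRASES = ("pre production", "user acceptance testing")


def is_non_production(tags, xpanse_classification=None, bypass_dev_check=False):
    """Non-production if a CSP/VM tag carries a dev term as a whole word (so "device"
    or "latest" do not match) or Xpanse classified the service as a Development
    Environment. BypassDevCheck is read here as waiving the requirement."""
    if bypass_dev_check:
        return True
    for key, value in tags.items():
        norm = re.sub(r"[^a-z0-9]+", " ", ("%s %s" % (key, value)).lower()).strip()
        if set(norm.split()) & NON_PROD_TOKENS or any(p in norm for p in NON_PROD_PHRASES):
            return True
    return xpanse_classification == "Development Environment"


def patch_eligibility(instance_info, owners, tags, xpanse_classification=None,
                      bypass_dev_check=False):
    """Return the list of unmet criteria; an empty list means the patch path applies."""
    unmet = []
    if instance_info.get("ResourceType") != "EC2Instance":
        unmet.append("not an EC2 instance")
    if (instance_info.get("PlatformType") != "Linux"
            or "ubuntu" not in instance_info.get("PlatformName", "").lower()):
        unmet.append("platform is not Linux Ubuntu")
    if instance_info.get("InstanceStatus") != "Active":
        unmet.append("SSM agent is not active")
    if not owners:
        unmet.append("no potential service owner discovered")
    if not is_non_production(tags, xpanse_classification, bypass_dev_check):
        unmet.append("asset not identified as non-production")
    return unmet


def openssh_upgrade_command(instance_id, alert_id):
    """ssm:SendCommand parameters: record the installed version, upgrade only
    openssh-server, record the new version and confirm sshd is still running.
    Both version lines appear in the command output (ssm:ListCommands /
    GetCommandInvocation), which is what a confirmation step compares."""
    commands = [
        "set -e",
        "dpkg-query -W -f='before: ${Version}\\n' openssh-server",
        "apt-get update -q",
        "DEBIAN_FRONTEND=noninteractive apt-get install -y -q --only-upgrade openssh-server",
        "dpkg-query -W -f='after: ${Version}\\n' openssh-server",
        "systemctl is-active ssh",
    ]
    return {
        "DocumentName": "AWS-RunShellScript",
        "InstanceIds": [instance_id],
        "Parameters": {"commands": commands, "executionTimeout": ["900"]},
        "Comment": ("xpanse-ar-openssh-%s" % alert_id)[:100],  # Comment is capped at 100 chars
        "TimeoutSeconds": 120,
    }


# Constructed sample inventory record (AWS:InstanceInformation shape assumed).
SAMPLE_INSTANCE = {"ResourceType": "EC2Instance", "PlatformType": "Linux",
                   "PlatformName": "Ubuntu", "PlatformVersion": "22.04",
                   "InstanceStatus": "Active", "InstanceId": "i-0123456789abcdef0"}
```

Whole-word matching on the tags is deliberate: a substring test would classify an instance named latest-device-prod as non-production and let the playbook patch a production host. Only openssh-server is upgraded, so the command stays within what the alert is about rather than running a general apt upgrade on the box.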

Create placeholder S3 Bucket

This method is used solely for remediating Unclaimed S3 Bucket alerts.

These alerts are resolved by creating an empty S3 bucket, with no external access, whose name matches the bucket referenced by the organization’s dangling DNS CNAME record, so that the name can no longer be claimed by a third party. See additional playbook details here.
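The placeholder-bucket remediation described above, as an added example that is not Cortex Xpanse playbook code: it extracts the bucket name (and the region, where the endpoint encodes one) from the dangling CNAME target and returns the boto3 create_bucket and put_public_access_block parameters for a private placeholder. The set of S3 endpoint hostname patterns recognised is an assumption of this example (standard-partition bucket and website endpoints only), and the CNAME targets used in the test are constructed. The owned_buckets argument is where the result of s3:ListAllMyBuckets would go.

```python
# Added example, not Cortex Xpanse playbook code. An Unclaimed S3 Bucket alert means a
# DNS CNAME still points at an S3 endpoint whose bucket no longer exists, so anyone who
# creates a bucket with that name serves content under the organization's hostname.
# These helpers extract the bucket name (and the region when the endpoint encodes one)
# from the CNAME target and return the boto3 create_bucket / put_public_access_block
# parameters for a private placeholder, as plain dicts to review before applying.
# The endpoint patterns handled are an assumption of this example (standard partition).
import re

# <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# <bucket>.s3-website-<region>.amazonaws.com, <bucket>.s3-website.<region>.amazonaws.com
_S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com\.?$"
)


def bucket_from_cname(target):
    """Return (bucket, region or None) for a bucket-style S3 endpoint, else None."""
    m = _S3_ENDPOINT.match(target.strip().lower())
    return (m.group("bucket"), m.group("region")) if m else None


def plan_placeholder_bucket(cname_target, default_region, owned_buckets=()):
    """Parameters for the two S3 calls that claim the name without exposing anything.

    owned_buckets is the result of s3:ListAllMyBuckets; if the account already owns
    the name there is nothing to claim, so the function refuses instead of creating.
    """
    parsed = bucket_from_cname(cname_target)
    if parsed is None:
        raise ValueError("%r is not an S3 bucket endpoint" % cname_target)
    bucket, region = parsed
    if bucket in owned_buckets:
        raise ValueError("bucket %s is already owned by this account" % bucket)
    region = region or default_region
    create = {"Bucket": bucket, "ObjectOwnership": "BucketOwnerEnforced"}  # ACLs disabled
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        create["CreateBucketConfiguration"] = {"LocationConstraint": region}
    block = {
        "Bucket": bucket,
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    }
    return {"region": region, "create_bucket": create, "put_public_access_block": block}
```

A website endpoint encodes the region the record was built for, so the placeholder is created there; a plain s3.amazonaws.com target carries no region and falls back to the caller's default. Either way the bucket is created with ACLs disabled and all four public-access-block settings on, which is what "no external access" has to mean for a bucket that exists only to hold a name.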

Supported Automation Integrations

Abstract

View the list of supported ASM automation integrations and enrichment values.

The table below lists the supported Active Response automation integrations, the possible enrichment values for each integration, and the permission requirements.


Active Directory Query v2 (on-prem)

Category: Active Directory

Utilization: Enrichment

  • User’s display name

  • User’s manager display name

  • User’s manager email

  • Service Owner details

This integration requires an engine to be configured. Documentation for engine deployment and configuration can be found here.

Enrichment requires the following:

  • Ability to get detailed information about user accounts from on-prem AD.

Find details on the configuration of this integration here.

Atlassian Jira v2/v3

Category: ITSM

Utilization: Enrichment

  • N/A

Also used to create Jira issues (i.e. tickets)

If using the on-premises version of Jira (Jira Server), this integration requires an engine to be configured. Documentation for engine deployment and configuration can be found here.

Task creation requires the following:

  • The "Create Issues" permission must be granted to the user or service account used for authentication.

Learn more about Jira permissions.

For details on the configuration of this integration, see:

AWS - EC2

Category: Cloud

Utilization: Enrichment

  • Internal IP Addresses

  • EC2 Instance ID

  • EC2 Instance tags

  • Associated EC2 NIC ID(s)

  • Associated EC2 Security Group ID(s)

  • Associated EC2 VPC ID(s)

  • Cloud Region, AZ and Network ID(s)

Also used for remediation.

Enrichment requires the following actions:

  • ec2:DescribeInstances

  • ec2:DescribeSecurityGroups

Remediation requires the following actions:

  • ec2:DescribeInstances

  • ec2:DescribeSecurityGroups

  • ec2:CreateSecurityGroup

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:RevokeSecurityGroupIngress

  • ec2:RevokeSecurityGroupEgress

  • ec2:ModifyNetworkInterfaceAttribute

Learn more about AWS EC2 actions here.

To map a public IP address back to the EC2 instance it is attached to, the playbook uses the AWS IPAM Public IP Insights API.

To make API calls from a single AWS user for all accounts in an organization, a role that this user can assume must exist in every account. The name of that role is then supplied as the parent playbook input AWSAssumeRoleName.

Required Permissions (for organizational scope only):

  • sts:AssumeRole into a role carrying the permissions listed above, in every account in the organization

  • ec2:DescribeRegions - Enrichment

  • ec2:DescribeIpamResourceDiscoveries - Enrichment

  • ec2:GetIpamDiscoveredPublicAddresses - Enrichment

See more details on the configuration of this integration here.

AWS - Organizations

Category: Cloud

Utilization: Enrichment

  • Account hierarchy details

Enrichment requires the following actions:

  • organizations:ListRoots

  • organizations:ListAccounts

  • organizations:ListParents

  • organizations:DescribeOrganization

  • organizations:DescribeOrganizationalUnit

  • organizations:DescribeAccount

See more details on the configuration of this integration here.

AWS - S3

Category: Cloud

Utilization: Enrichment

  • N/A

Used for validation and remediation

Remediation requires the following:

  • s3:CreateBucket

  • s3:ListAllMyBuckets

Learn more about AWS S3 actions here.

See more details on the configuration of this integration here.

AWS - SSM

Category: Cloud

Utilization: Enrichment

  • SSM Instance ID

  • SSM Agent status

  • SSM Platform Name

  • SSM Platform Type

  • SSM Platform Version

Utilization: Remediation

  • Upgrade package to new patched version.

Enrichment requires the following:

  • ssm:ListInventoryEntries

Remediation requires the following:

  • ssm:SendCommand

  • ssm:ListInventoryEntries

  • ssm:ListCommands

See more details on the configuration of this integration here.

Azure Active Directory Identity And Access

Category: Cloud

Utilization: Enrichment

  • Global Admins role details and IDs

Enrichment requires the following Azure permissions:

  • RoleManagement.Read.Directory

  • Directory.Read.All

  • RoleManagement.ReadWrite.Directory

  • Directory.ReadWrite.All

Learn more about Azure Active Directory permissions here.

Find more details on the configuration of this integration here.

Azure Active Directory Users

Category: Active Directory

Utilization: Enrichment

  • Global Admins Names and Emails

  • User's display name

  • Service Owner details

Enrichment requires the following Azure permissions:

  • User.Read.All

  • User.ReadWrite.All

  • Directory.Read.All

  • Directory.ReadWrite.All

Learn more about MS Graph User permissions here.

Find details on the configuration of this integration here.

Azure Compute v2

Category: Cloud

Utilization: Enrichment

  • Azure Compute instance name

  • Azure Compute instance Resource Group

  • Azure Compute instance associated NIC

  • Azure Compute private IP

  • Azure Compute instance ID

  • Azure Cloud region

  • Azure Cloud subscription

Enrichment requires the following Azure permissions:

  • Microsoft.Compute/virtualMachines/read

  • Microsoft.Network/networkInterfaces/read

  • Microsoft.Network/ipAllocations/read

Learn more about Azure permissions.

Find details on the configuration of this integration here.

Azure Network Security Groups

Category: Cloud

Utilization: Enrichment

  • N/A

Used for Azure remediation

Remediation requires the following Azure permissions:

  • Microsoft.Network/networkSecurityGroups/read

  • Microsoft.Network/networkSecurityGroups/write

Learn more about Azure Network Security Group permissions.

Find details on the configuration of this integration here.

Azure Resource Graph

Category: Cloud

Utilization: Enrichment

  • Asset hierarchy details

To use Resource Graph, you must have appropriate rights in Azure role-based access control (Azure RBAC) with at least read access to the resources you want to query. No results are returned if you don't have at least read permissions to the Azure object or object group.

Find details on the configuration of this integration here.

Cortex Attack Surface Management

Category: Vulnerability Management

This integration authenticates the limited XSOAR functionality that Active Response is built on, so that it can access the service and asset details stored in your ASM instance. It is also used for internal API calls such as those for remediation guidance, remediation path rules, and remediation confirmation scanning.

Within the Xpanse interface, navigate to Settings > Integrations > API Keys to create a new API key for this integration. It must be a standard API key with a minimum role of “analyst”.

See more details on the configuration of this integration here.

Cortex XDR

Category: Endpoint

Utilization: Enrichment

  • Internal IP Addresses

  • XDR Endpoint ID

  • XDR Endpoint and Server Tags

  • XDR Endpoint Asset ID

  • XDR Endpoint Asset Name

  • Service Owner details (currently logged in user)

Enrichment requires the following:

  • Advanced API key configured on XDR

  • Minimum role: Viewer

  • Click “Copy API URL” to get the server URL for the integration

For more information see this documentation.

See more details on the configuration of this integration here.

GCP IAM

Category: Cloud

Utilization: Enrichment

  • Service Owner details

  • Folder hierarchy details

  • Folder labels

Enrichment requires the following IAM permissions:

  • resourcemanager.projects.getIamPolicy

See more details on the configuration of this integration here.

Google Cloud Compute

Category: Cloud

Utilization: Enrichment

  • Associated Firewall ID

  • Internal IP Addresses

  • VM instance tags

  • Cloud Project and Zone

  • VM instance ID

  • Associated VPC ID

  • Potential offending firewall rule names

  • Associated Network ID(s)

  • Associated Zone ID(s)

Used for GCP remediation

Enrichment requires the following compute permissions:

  • compute.instances.list

  • compute.instances.get

Remediation requires the following compute permissions:

  • compute.instances.list

  • compute.instances.get

  • compute.firewalls.list

  • compute.firewalls.create

  • compute.instances.setTags

For support at the Folder/Organization level, we also recommend adding the Cloud Asset Owner role to the Service Account.

See more details on the configuration of this integration here.

Palo Alto Networks PAN-OS

Category: Network Security

Utilization: Enrichment

  • Firewall Rule Name

Used for NGFW remediation

This integration requires an engine to be configured in order to use. Documentation for engine deployment and configuration can be found here.

Enrichment requires the following permissions:

  • Configuration

Remediation requires the following permissions:

  • Configuration

  • Commit

These permissions are best fulfilled by the Device Administrator role. Learn more about the PAN-OS and Panorama API.

See more details on the configuration of this integration here.

Prisma Cloud

Category: Cloud

Utilization: Enrichment

  • Cloud Resource Information (Instance identifier)

  • CSP tags

  • Service Ownership details from CSP logs in PrismaCloud

Enrichment requires the following: 

  • “Investigate.Running Queries” permission and access to designated accounts within Prisma Cloud.

The minimum role is “Account Group Read Only”. Learn more about Prisma Cloud roles.

Qualys

Category: Vulnerability Management

Utilization: Enrichment

  • Qualys asset information (OS, Name, Scan details, Owner)

  • Qualys asset tags

Enrichment requires the following:

  • The “view vulnerabilities” permission which is minimally scoped to the “Remediation User” role.

  • Access to the asset allowed via TBUS.

Learn more about Qualys permissions and scope controls.

Find details on the configuration of this integration here.

Rapid7 InsightVM

Category: Vulnerability Management

Utilization: Enrichment

  • Rapid7 asset information (OS, Name, Asset Site)

  • Rapid7 asset tags

Enrichment requires the following:

  • The “View Group Asset Data” permission which can minimally be scoped to the “User” role.

Learn more about Rapid7 permissions and roles here.

Find details on the configuration of this integration here.

ServiceNow CMDB

Category: Asset Management

Utilization: Enrichment

  • CMDB CI Sys ID

  • CMDB Parent Sys ID

  • CMDB NIC Sys ID

  • CMDB Assignment Sys ID

Enrichment requires the following:

  • A minimum of the cmdb_read role.

Learn more about ServiceNow roles.

Find details on the configuration of this integration here.

ServiceNow v2

Category: ITSM

Utilization: Enrichment

  • Service owner details based on identified “assigned_to” values

Also used to create ServiceNow incidents (i.e. tickets).

Note: Setting the "NotificationTicketType" input field from “incident” to “sn_si_incident” will allow this integration to create new incidents within the ServiceNow SIR product. If this input field is left unchanged the incident will be created within the ITSM product.

Incident creation requires the following:

  • A minimum of the itil role.

Learn more about ServiceNow roles.

Find details on the configuration of this integration here.

Slack v3

Category: Messaging and Conferencing

Utilization: Enrichment

  • N/A

Also used to create Slack messages.

Messaging requires the creation of a custom app that is added to one or more channels and with the following minimal permissions:

  • chat:write

Find details on the configuration of this integration here.

Splunk

Category: SIEM

Utilization: Enrichment

  • Service Owner details

Enrichment requires at least the Splunk “user” role and access to the necessary indexes.

Learn more about Splunk roles.

See more details on the configuration of this integration here.

Tenable.io

Category: Vulnerability Management

Utilization: Enrichment

  • Tenable Asset ID

  • Tenable asset tags

  • Service Owner details

Enrichment requires the following:

  • Asset.view privilege must be assigned to the user role

  • The assigned user must have access to the asset via permissions

Learn more about Tenable.io privileges and permissions.

Find details on the configuration of this integration here.

Venafi

Category: Identity

Utilization: Enrichment

Enrichment requires the following permissions:

  • Read access with scope:certificates

Find more information about scope here.

Find details on the configuration of this integration here.

Active response templates

The table below describes the default format and wording for emails and tickets created by Cortex Xpanse for ASM alerts. To create custom emails and tickets, see Playbook Configuration.


Notification Email Subject

A new security risk was identified on an external service owned by your team

Notification Email Body HTML

Infosec identified a security risk on an external service potentially owned by your team: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance}

Remediation Notification Email Subject

A new security risk was addressed on an external service owned by your team

Remediation Notification Email Body HTML

<!DOCTYPE html>
<html lang="en">
<body>
    <p>
        Infosec identified a security risk on an external service
        potentially owned by your team:<br><b>${alert.name}</b>
    </p>
    <p>
        <b>Alert Details:</b> ${alert.details}<br>
        <b>Action Taken:</b> ${alert.asmremediation.[0].Action}<br>
        <b>Action Outcome:</b> ${alert.asmremediation.[0].Outcome}<br>
    </p>
</body>
</html>

ServiceNow Incident Title

Cortex ASM Alert: ${alert.name}

ServiceNow Incident Description

Infosec identified a security risk on an external service potentially owned by your team: ${alert.name}<br><br>Description: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance}