Enable ASM automated alert enrichment and remediation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2025-02-12
Category
Administrator Guide
Abstract

Enable the Attack Surface Management alert playbook to automate ASM alert enrichment and remediation.

With Cortex XSIAM you can use the predefined Attack Surface Management (ASM) alert playbook to automate ASM alert enrichment and remediation. ASM alert automation streamlines the remediation process by automatically gathering contextual information about asset owners, business unit associations, and the business impact of exposed assets and by automatically remediating some types of alerts.

To learn more about the types of automated remediation and alert context enrichment that are supported, refer to Attack Surface Management automation capabilities.

Complete the tasks below to enable ASM automated alert enrichment and remediation.

Task 1. Update the Cortex Attack Surface Management content pack

Typically the Cortex Attack Surface Management content pack is installed automatically, but we recommend updating it to the latest version if needed. Perform these steps to update the content pack.

  1. Navigate to Marketplace > Browse and locate the Cortex Attack Surface Management content pack.

  2. Select the content pack and review the contents and other details. If the content pack needs to be updated, you will see an Update button with the latest version number in the upper right corner.

  3. Click Update to add the content pack to the Cart.

    The Cart displays the number of items you are installing, including any additional required content packs. You can log in and out, but the content packs remain in the Cart until you click either Empty cart or Update.

  4. Click Update.

  5. After installation, click Refresh content.

    You can now start configuring your content and integrations.

Task 2. Generate an API key

Before you can create your Cortex Attack Surface Management instance you must have an API key, API key ID, and server URL. The following steps describe how to generate the API key and API key ID and where to find the server URL. Make a note of each item so you have it ready for Task 3.

  1. Navigate to Settings > Configurations > Integrations > API Keys.

  2. Click + New Key.

  3. Select the Standard Security Level.

  4. Select a Role that includes edit permissions for attack surface management and vulnerability management features. Instance Administrator typically provides the correct permissions.

  5. Click Generate.

  6. Copy and save the Generated Key.

    You will need to use this API key to add your Cortex Attack Surface Management instance in Task 3.

  7. Click Close.

  8. In the API Keys table, locate the ID field. Make note of your corresponding ID number.

    You will need this API key ID when you add your Cortex Attack Surface Management instance in Task 3.

  9. Click Copy API URL, and save the URL.

Task 3. Add the Cortex Attack Surface Management instance

Add the Cortex Attack Surface Management instance to enable support for additional ASM features and information such as remediation guidance for alerts, remediation confirmation scanning, and additional details about ASM assets and external services.

  1. Navigate to Settings > Configurations > Data Collection > Automation & Feed Integrations and locate the Cortex Attack Surface Management integration.

  2. Click + Add Instance.

  3. Add the Server URL, API Key, and API Key ID. Add other parameters, as required.

    The Server URL is the URL of your Cortex XSIAM tenant with "api-" prepended to the hostname, for example, "https://api-xsiam.paloaltonetworks.com".

  4. (Optional) To check that the integration instance is working correctly, click Test.

  5. Click Save & Exit.
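The Server URL rule in step 3 is easy to get wrong when the value is pasted from a browser tab (path, query string, or the plain tenant host without "api-"). The helper below is an added example, not part of the Cortex XSIAM product or this guide; it derives the Server URL from the tenant URL exactly as the note describes and checks that the API Key ID has the numeric form shown in the API Keys table. The function names are invented for this example.

```python
from urllib.parse import urlsplit, urlunsplit

API_HOST_PREFIX = "api-"


def derive_server_url(tenant_url: str) -> str:
    """Return the integration Server URL for a Cortex XSIAM tenant URL.

    Rule from the guide: the tenant URL with "api-" prepended to the host,
    e.g. https://xsiam.paloaltonetworks.com -> https://api-xsiam.paloaltonetworks.com
    Anything after the host (path, query, fragment) is dropped, because the
    integration expects only the scheme and host.
    """
    parts = urlsplit(tenant_url.strip())
    if parts.scheme != "https":
        raise ValueError(f"tenant URL must use https, got {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("tenant URL has no hostname")
    if parts.port is not None:
        raise ValueError("tenant URL must not carry an explicit port")
    # Re-running on an already derived value must not produce "api-api-...".
    if not host.startswith(API_HOST_PREFIX):
        host = API_HOST_PREFIX + host
    return urlunsplit(("https", host, "", "", ""))


def validate_api_key_id(api_key_id: str) -> int:
    """The ID column in the API Keys table is a number; reject anything else.

    A common mistake is pasting the generated key itself into the ID field,
    which this check catches before the instance is saved.
    """
    value = api_key_id.strip()
    if not value.isdigit():
        raise ValueError("API Key ID must be the numeric ID from the API Keys table")
    return int(value)


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or key ID.
    print(derive_server_url("https://xsiam.paloaltonetworks.com/dashboard?view=1"))
    print(validate_api_key_id(" 42 "))
```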

Task 4. Add the playbook trigger for automated ASM alert enrichment

This task adds the predefined trigger for ASM alert automation. This trigger causes the Cortex ASM - ASM Alert playbook and sub-playbooks to run on every new ASM alert. If you want the playbook to run on a subset of ASM alerts, create a custom trigger. See Add a playbook trigger to an alert for more information. For details about the sub-playbooks in the Cortex ASM - ASM Alert playbook, review the content in the Cortex Attack Surface Management content pack in Marketplace.

  1. Navigate to Incident Response > Case Configuration > Playbook Triggers and click View Recommendations.

  2. In the Playbook Trigger Recommendations dialog box, locate the trigger named ASM and click Add selected triggers.

    The description for this trigger says Recommended for ASM alerts.

  3. Click Save.