Threat Response Center in ASM in XSIAM - Research and respond to zero-day exploits and global threat events in the Threat Response Center. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-07-10
Category
Administrator Guide
Abstract

Research and respond to zero-day exploits and global threat events in the Threat Response Center.

The Threat Response Center in attack surface management (ASM) in Cortex XSIAM simplifies and streamlines your response to global attack surface threat events and zero-day exploits by aggregating the most important information about the threat and its impact on your organization in one place. From the Threat Response Center, you can accomplish the following:

  • Review a curated list of emergent and global threat events, and quickly identify the events that impact your organization.

  • Research a threat event. The Xpanse Security Research Team provides a threat summary, potential exploit consequences, previous exploit activity, and links to other reputable sources for additional information.

  • Assess the impact of a threat event on your organization. Review a detailed list of the affected software, turn on relevant attack surface rules, identify relevant incidents and alerts, and see how the risk is distributed across your organization.

  • Build a Remediation Plan. The Threat Response Center provides remediation guidance for each event, lists of relevant alerts and incidents by status and assignee, and click-throughs to incident and alert pages to begin remediation.

Notice

Access to the Threat Response Center requires the Attack Surface Management add-on

Danger

You must have a role with Attack Surface Rules permission to access the Attack Surface Threat Response Center. When setting up Roles Based Access Control (RBAC), you can find Attack Surface Rules in the Detection & Threat Intel component.

Which vulnerabilities are included in Emerging Vulnerabilities?

Typically, an emerging vulnerability is a critical or high-risk vulnerability that allows threat actors direct access to assets, leading to widespread impact across corporate networks. Devices and applications impacted by such vulnerabilities are at risk of exploitation remotely over the public-facing internet. These threats often allow threat actors to gain remote control of systems. 

Cortex XSIAM considers the following questions when evaluating the level of risk of a threat event and whether to include it on the Emerging Vulnerabilities page:

  • Is it a vulnerability without a patch?

  • Is it a “Known Exploitable Vulnerability” that has been weaponized by threat actors?

  • Can it be exploited remotely over the internet in an unauthenticated manner?

  • Is a proof of concept readily available? Has active exploitation in the wild been reported?

  • How widespread is the impact of the vulnerability? Does it impact many organizations or is limited to a certain section of the industry?

  • Is the vulnerability in an application or device that is routinely targeted by attackers?

  • Does it have a vendor severity rating of “Critical” or “High”? Does it have a CVSS score of 9 or higher?

  • Are there geo-political factors in play? (For example, is an APT targeting groups or individuals from specific countries or regions?)

How often is the Emerging Vulnerabilities page updated?

Our security research team creates and updates threat events in the Emerging Vulnerabilities page in the following situations:

  • When a new threat event occurs and the security research team determines the event is critical enough to add to Emerging Vulnerabilities.

  • When new information is discovered for existing threat events. The information on a threat event page is updated frequently as a threat evolves and exploit details are made public.