Learn about the specific ASM automated remediation and enrichment capabilities and criteria.
This document describes the Active Response fully automated remediation and enrichment coverage for attack surface alerts discovered by Cortex Xpanse.
The following definitions are used:
Attack Surface Rule—The Attack Surface Rule that triggered the creation of an alert.
Automated Remediation Method—The method Cortex Xpanse uses to automatically remediate or rectify an attack surface alert.
Automated Remediation Criteria—The conditions that must be met for the automated remediation options to be available for execution.
This document contains the following information:
Automated Remediation Options and Criteria
Learn about the fully automated remediation options for attack surface alerts, including remediation methods, relevant attack surface rules, and automated remediation criteria.
The table below lists the fully automated remediation options that are currently available with Active Response, including the remediation methods, relevant attack surface rules, and automated remediation criteria.
| Attack Surface Rule | Automated Remediation Method | Automated Remediation Criteria |
|---|---|---|
| | Restrict port access | |
| Unclaimed S3 Bucket | Placeholder S3 Bucket Created | The AWS S3 integration has been configured with read/write access. |
Automated Remediation Methods
Details about how each of the fully automated attack surface management remediation methods works.
The table below provides details about each of the Active Response fully automated remediation methods.
| Automated Remediation Method | Details |
|---|---|
| Restrict port access | This method varies based on the available control surface and the asset associated with the alert. |
| Placeholder S3 Bucket Created | This method is used solely for remediating Unclaimed S3 Bucket alerts. These alerts are resolved by creating an empty S3 bucket, with no external access, whose name matches the target of the organization's dangling DNS CNAME record. Until that bucket exists, anyone who registers the bucket name takes control of what the CNAME serves; the placeholder removes that opening. See additional playbook details here. |
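The placeholder-bucket method, as an added illustration rather than the Xpanse playbook's own code: it parses the bucket name and region out of a dangling CNAME target, creates the bucket through a boto3-style S3 client, and blocks every public-access path before returning an Action/Outcome pair in the shape the remediation e-mail template below consumes. Assumptions: the boto3 S3 client method names (create_bucket, put_public_access_block, put_bucket_ownership_controls) and their argument shapes; the function and variable names are illustrative; when the CNAME uses the region-less global endpoint, the example falls back to a caller-supplied default region because the hostname does not encode one.

```python
import re

# Virtual-hosted S3 endpoint hostname shapes (path-style endpoints carry no bucket
# name and so never appear as a CNAME target). _REGION matches ids such as
# us-east-1 or us-gov-west-1.
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
_S3_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"(?:s3(?:[.-](?P<r1>" + _REGION + r"))?"      # bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com
    r"|s3-website[.-](?P<r2>" + _REGION + r"))"    # bucket.s3-website-<region>.amazonaws.com (dash or dot form)
    r"\.amazonaws\.com\.?$"
)

# Every public path off: public ACLs, public bucket policies, and cross-account use of them.
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def bucket_from_cname(target: str):
    """Return (bucket_name, region_or_None) for an S3 endpoint hostname, else None.

    The region is None when the CNAME points at the region-less global endpoint.
    """
    m = _S3_HOST.match(target.strip().lower())
    if not m:
        return None
    return m.group("bucket"), m.group("r1") or m.group("r2")


def create_placeholder_bucket(s3, bucket: str, region: str) -> str:
    """Claim `bucket` as an empty, fully private placeholder.

    `s3` is any object exposing boto3's S3 client method names (a real client
    created for `region`, or a test double). Returns 'created', 'already-owned'
    or 'taken'.
    """
    kwargs = {"Bucket": bucket}
    if region != "us-east-1":
        # S3 rejects an explicit LocationConstraint of us-east-1; every other region needs one.
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    try:
        s3.create_bucket(**kwargs)
    except Exception as exc:
        # botocore's ClientError carries the S3 error code in .response; other errors propagate.
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "BucketAlreadyOwnedByYou":
            return "already-owned"
        if code == "BucketAlreadyExists":
            # Another account registered the name first: the takeover may already be live,
            # so this is an escalation, not a success.
            return "taken"
        raise
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)
    # Disable ACLs altogether so a later PutObject with a public-read ACL cannot reopen the bucket.
    s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
    )
    return "created"


def remediate_unclaimed_bucket(client_for_region, cname_target: str, default_region: str = "us-east-1") -> dict:
    """Whole flow for one alert: parse the dangling CNAME, claim the bucket, report the outcome.

    `client_for_region(region)` must return an S3 client bound to that region, because
    CreateBucket fails when the client's region and the LocationConstraint disagree.
    """
    parsed = bucket_from_cname(cname_target)
    if parsed is None:
        return {"Action": "none", "Outcome": f"{cname_target} is not an S3 endpoint hostname"}
    bucket, region = parsed
    region = region or default_region  # assumption: any region satisfies a global-endpoint CNAME
    outcome = create_placeholder_bucket(client_for_region(region), bucket, region)
    return {"Action": "Placeholder S3 Bucket Created", "Outcome": f"{outcome}: {bucket} in {region}"}


if __name__ == "__main__":
    import boto3  # real run only; offline tests inject a client double instead

    # Constructed sample CNAME target of the kind an Unclaimed S3 Bucket alert reports.
    print(remediate_unclaimed_bucket(
        lambda region: boto3.client("s3", region_name=region),
        "assets.example.com.s3-website-us-east-1.amazonaws.com",
    ))
```

The 'taken' outcome is the case a playbook must surface loudly: it means the name is already owned elsewhere, and deleting the dangling CNAME is the only remediation left.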
Supported Automation Integrations
The list of supported ASM automation integrations and enrichment values.
The table below lists the supported Active Response automation integrations, the possible enrichment values for each integration, and the permission requirements.
| Integration Name | Category | Possible Enrichment Values | Required Permission |
|---|---|---|---|
| Active Directory (on-prem) | Active Directory | Enrichment | Enrichment requires the following: |
| Atlassian Jira v2/v3 | ITSM | Enrichment<br>Also used to create Jira issues (tickets) | Task creation requires the following:<br>Learn more about Jira permissions. For details on the configuration of this integration, see: |
| AWS - EC2 | Cloud | Enrichment<br>Also used for remediation | Enrichment requires the following actions:<br>Remediation requires the following actions:<br>Learn more about AWS EC2 actions here. To identify EC2 instances that are associated with a public IP address, use the AWS Public IP Insights API. To make API calls from a single AWS user for all accounts in an organization, a cross-account role that the user can assume (AssumeRole) must be configured in the target accounts to allow access. The role name must then be supplied as the parent playbook input AWSAssumeRoleName.<br>Required Permissions (for organizational scope only): |
| AWS - Organizations | Cloud | Enrichment | Enrichment requires the following actions: |
| AWS - S3 | Cloud | Enrichment<br>Used for validation and remediation | Remediation requires the following:<br>Learn more about AWS S3 actions here. |
| Azure Active Directory | Active Directory | Enrichment | Enrichment requires the following: |
| Azure Compute | Cloud | Enrichment | Enrichment requires the following Azure permissions:<br>Learn more about Azure permissions. |
| Azure Network Security Groups | Cloud | Enrichment<br>Used for Azure remediation | Remediation requires the following Azure permissions:<br>Learn more about Azure Network Security Group permissions. |
| Cortex XDR | Endpoint | Enrichment | Enrichment requires the following:<br>For more information see this documentation. |
| GCP IAM | Cloud | Enrichment | Enrichment requires the following IAM permissions: |
| Google Cloud Compute | Cloud | Enrichment<br>Used for GCP remediation | Enrichment requires the following compute permissions:<br>Remediation requires the following compute permissions:<br>For support at the Folder/Organization level, we also recommend adding the Cloud Asset Owner role to the service account. |
| Microsoft Graph Identity and Access | Cloud | Enrichment | Enrichment requires the following Azure permissions:<br>Learn more about MS Graph directory permissions. |
| Microsoft Graph User | Cloud | Enrichment | Enrichment requires the following MS Graph User permissions:<br>Learn more about MS Graph User permissions. |
| Panorama | Network Security | Enrichment<br>Used for NGFW remediation | This integration requires an engine to be configured. Documentation for engine deployment and configuration can be found here.<br>Enrichment requires the following permissions:<br>Remediation requires the following permissions:<br>These permissions are best fulfilled by the Device Administrator role. Learn more about the PAN-OS and Panorama API. |
| Prisma Cloud | Cloud | Enrichment | Enrichment requires the following:<br>The minimum required role is "Account Group Read Only". Learn more about Prisma Cloud roles. |
| Qualys | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Qualys permissions and scope controls. |
| Rapid7 InsightVM | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Rapid7 permissions and roles here. |
| ServiceNow CMDB | Asset Management | Enrichment | Enrichment requires the following:<br>Learn more about ServiceNow roles. |
| ServiceNow v2 | ITSM | Enrichment<br>Also used to create ServiceNow incidents (tickets) | Incident creation requires the following:<br>Learn more about ServiceNow roles. |
| Splunk | SIEM | Enrichment | Enrichment requires the Splunk "user" role at a minimum and access to any necessary indexes. Learn more about Splunk roles. |
| Tenable.io | Vulnerability Management | Enrichment | Enrichment requires the following:<br>Learn more about Tenable.io privileges and permissions. |
Active Response Templates
The table below describes the default format and wording for emails and tickets created by Cortex Xpanse for ASM alerts. To create custom emails and tickets, see Playbook Configuration.
Field | Value |
---|---|
Notification Email Subject | A new security risk was identified on an external service owned by your team |
Notification Email Body HTML | Infosec identified a security risk on an external service potentially owned by your team: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance} |
Remediation Notification Email Subject | A new security risk was addressed on an external service owned by your team |
Remediation Notification Email Body HTML | <!DOCTYPE html> <html lang="en"> <body> <p> Infosec identified a security risk on an external service potentially owned by your team:<br><b>${alert.name}</b> </p> <p> <b>Alert Details:</b> ${alert.details}<br> <b>Action Taken:</b> ${alert.asmremediation.[0].Action}<br> <b>Action Outcome:</b> ${alert.asmremediation.[0].Outcome}<br> </p> </body> </html> |
ServiceNow Incident Title | Cortex ASM Alert: ${alert.name} |
ServiceNow Incident Description | Infosec identified a security risk on an external service potentially owned by your team: ${alert.name}<br><br> Description: ${alert.details}<br><br>Remediation Guidance: ${Remediation Guidance} |
Jira Cloud Project ID | XPANSE |