Synopsis
NopSec Unified VRM (UVRM) customers can integrate UVRM with Palo Alto Networks' Cortex XSOAR (XSOAR) by having XSOAR query UVRM’s APIs to obtain a list of assets, each asset’s associated vulnerabilities, and each vulnerability’s risk profile. This documentation focuses on how to obtain the information you require from UVRM.
Before You Begin:
- Please request a UVRM API key from NopSec’s Customer Service team at support@nopsec.com.
- Please bring up the following page with UVRM’s API documentation: https://uvrm.nopsec.com/api/export/swagger
- Optional: For information about XSOAR and how to bring UVRM data into XSOAR, you can refer to the XSOAR documentation at https://xsoar.pan.dev/docs/reference/index or the following tutorial at https://xsoar.pan.dev/docs/tutorials/tut-integration-ui.
Getting Started
All UVRM API requests should use the following base URL: https://uvrm.nopsec.com/api/export
Below is an example of how to use UVRM’s APIs to obtain the list of vulnerabilities, with each vulnerability’s risk profile, for a given asset. The API key is sent in the X-UVRM-API-KEY request header; replace {API_KEY_HERE} with your API key.
curl -X GET "https://uvrm.nopsec.com/api/export/asset/search?ip_address=10.10.1.10" -H "accept: application/json" -H "X-UVRM-API-KEY: {API_KEY_HERE}"
This command returns the following JSON, which describes the requested host and the open vulnerabilities found on it:
[
  {
    "id": 1001,
    "ip_address": "10.10.1.10",
    "hostname": "sample.nopsec.com",
    "netbios_name": null,
    "business_risk_score": 52,
    "business_risk_grade": "C",
    "open_vulns": [
      {
        "id": 44061,
        "title": "Red Hat Update for kernel (RHSA-2016:2105) (Dirty Cow)",
        "port": "",
        "service": "RedHat",
        "protocol": null,
        "nopsec_risk_score": 10,
        "nopsec_risk_grade": "Urgent",
        "has_malware": true,
        "enable_remote_attack": false,
        "enable_phishing_attack": false,
        "enable_lateral_movement": false,
        "last_detected_date": "2018-11-23",
        "first_detected_date": "2018-11-23",
        "risk_accepted": true,
        "false_positive": false,
        "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.<P>\nA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)<P>\n<BR>Affected Products\n<BR>Red Hat Enterprise Linux Server 6 x86_64\n<BR>Red Hat Enterprise Linux Server 6 i386\n<BR>Red Hat Enterprise Linux Workstation 6 x86_64\n<BR>Red Hat Enterprise Linux Workstation 6 i386\n<BR>Red Hat Enterprise Linux Desktop 6 x86_64\n<BR>Red Hat Enterprise Linux Desktop 6 i386\n<BR>Red Hat Enterprise Linux for IBM z Systems 6 s390x\n<BR>Red Hat Enterprise Linux for Power, big endian 6 ppc64\n<BR>Red Hat Enterprise Linux for Scientific Computing 6 x86_64",
        "impact": "An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.",
        "has_patch": true,
        "cve_ids": "CVE-2016-5195",
        "cvss_score": 7.2,
        "cvssv3_score": 7.8
      },
      {
        "id": 44075,
        "title": "Red Hat Update for kernel (RHSA-2017:2863)",
        "port": "",
        "service": "RedHat",
        "protocol": null,
        "nopsec_risk_score": 0.6,
        "nopsec_risk_grade": "Low",
        "has_malware": false,
        "enable_remote_attack": false,
        "enable_phishing_attack": false,
        "enable_lateral_movement": false,
        "last_detected_date": "2018-11-23",
        "first_detected_date": "2018-11-23",
        "risk_accepted": false,
        "false_positive": false,
        "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.<P>\nKernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)<P>\nAffected Products<BR>\n\n Red Hat Enterprise Linux Server 6 x86_64<BR>\n Red Hat Enterprise Linux Server 6 i386<BR>\n Red Hat Enterprise Linux Workstation 6 x86_64<BR>\n Red Hat Enterprise Linux Workstation 6 i386<BR>\n Red Hat Enterprise Linux Desktop 6 x86_64<BR>\n Red Hat Enterprise Linux Desktop 6 i386<BR>\n Red Hat Enterprise Linux for IBM z Systems 6 s390x<BR>\n Red Hat Enterprise Linux for Power, big endian 6 ppc64<BR>\n Red Hat Enterprise Linux for Scientific Computing 6 x86_64<BR>",
        "impact": "An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.",
        "has_patch": true,
        "cve_ids": "CVE-2017-7541",
        "cvss_score": 7.2,
        "cvssv3_score": 7.8
      },
      {
        "id": 44077,
        "title": "Red Hat Update for kernel (RHSA-2017:3200)",
        "port": "",
        "service": "RedHat",
        "protocol": null,
        "nopsec_risk_score": 10,
        "nopsec_risk_grade": "Critical",
        "has_malware": false,
        "enable_remote_attack": false,
        "enable_phishing_attack": false,
        "enable_lateral_movement": false,
        "last_detected_date": "2018-11-23",
        "first_detected_date": "2018-11-23",
        "risk_accepted": false,
        "false_positive": false,
        "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.<P>\n A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important)<BR>\nAn exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)<BR>\nA divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)<P>\nAffected Products:<BR>\n\n Red Hat Enterprise Linux Server 6 x86_64<BR>\n Red Hat Enterprise Linux Server 6 i386<BR>\n Red Hat Enterprise Linux Workstation 6 x86_64<BR>\n Red Hat Enterprise Linux Workstation 6 i386<BR>\n Red Hat Enterprise Linux Desktop 6 x86_64<BR>\n Red Hat Enterprise Linux Desktop 6 i386<BR>\n Red Hat Enterprise Linux for IBM z Systems 6 s390x<BR>\n Red Hat Enterprise Linux for Power, big endian 6 ppc64<BR>\n Red Hat Enterprise Linux for Scientific Computing 6 x86_64<BR>",
        "impact": "A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.",
        "has_patch": true,
        "cve_ids": "CVE-2017-1000111,CVE-2017-1000112,CVE-2017-14106",
        "cvss_score": 7.2,
        "cvssv3_score": 7.8
      },
      {
        "id": 44074,
        "title": "Red Hat Update for nss (RHSA-2017:2832)",
        "port": "",
        "service": "RedHat",
        "protocol": null,
        "nopsec_risk_score": 0.4,
        "nopsec_risk_grade": "Low",
        "has_malware": false,
        "enable_remote_attack": true,
        "enable_phishing_attack": false,
        "enable_lateral_movement": false,
        "last_detected_date": "2018-11-23",
        "first_detected_date": "2018-11-23",
        "risk_accepted": false,
        "false_positive": false,
        "description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.<P>\nA use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805)<P>\n<BR>Affected Products:\n<BR>Red Hat Enterprise Linux Server 7 x86_64\n<BR>Red Hat Enterprise Linux Server 6 x86_64\n<BR>Red Hat Enterprise Linux Server 6 i386\n<BR>Red Hat Enterprise Linux Server - Extended Update Support 7.4 x86_64\n<BR>Red Hat Enterprise Linux Server - AUS 7.4 x86_64\n<BR>Red Hat Enterprise Linux Workstation 7 x86_64\n<BR>Red Hat Enterprise Linux Workstation 6 x86_64\n<BR>Red Hat Enterprise Linux Workstation 6 i386\n<BR>Red Hat Enterprise Linux Desktop 7 x86_64\n<BR>Red Hat Enterprise Linux Desktop 6 x86_64\n<BR>Red Hat Enterprise Linux Desktop 6 i386\n<BR>Red Hat Enterprise Linux for IBM z Systems 7 s390x\n<BR>Red Hat Enterprise Linux for IBM z Systems 6 s390x\n<BR>Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4 s390x\n<BR>Red Hat Enterprise Linux for Power, big endian 7 ppc64\n<BR>Red Hat Enterprise Linux for Power, big endian 6 ppc64\n<BR>Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4 ppc64\n<BR>Red Hat Enterprise Linux for Scientific Computing 7 x86_64\n<BR>Red Hat Enterprise Linux for Power, little endian 7 ppc64le\n<BR>Red Hat Enterprise Linux for Scientific Computing 6 x86_64\n<BR>Red Hat Enterprise Linux EUS Compute Node 7.4 x86_64\n<BR>Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.4 ppc64le\n\n\n<BR>Red Hat Enterprise Linux Server (for IBM Power LE) - 4 Year Extended Update Support 7.4 ppc64le\n<BR>Red Hat Enterprise Linux Server - 4 Year Extended Update Support 7.4 x86_64",
        "impact": "A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.",
        "has_patch": true,
        "cve_ids": "CVE-2017-7805",
        "cvss_score": 5,
        "cvssv3_score": 7.5
      }
    ]
  }
]
Troubleshooting
The following HTTP status codes returned by the API are the ones your integration should expect and handle:
400 - Bad request. If you encounter this error code, please recheck your syntax. If you are unable to determine the source of the error, please contact NopSec’s Customer Service team at support@nopsec.com.
404 - No data. You have made a valid request with the API, but the particular object or attribute you requested does not exist. Please retry your request with another object and/or attribute.
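The following Python script is an added example, not NopSec's or XSOAR's own code. It ties together the asset search request shown under Getting Started and the 400/404 handling described under Troubleshooting: it sends the same GET /asset/search request with the X-UVRM-API-KEY header, maps 400 and 404 to a descriptive error, and flattens the returned asset list into one row per open vulnerability, dropping false positives and (by default) risk-accepted findings and sorting by NopSec risk score so an XSOAR playbook can act on the most urgent items first. The environment variable name UVRM_API_KEY, the function names and the UvrmApiError class are assumptions made here; the embedded SAMPLE_RESPONSE is a constructed, trimmed copy of the response above (descriptions omitted) so the parsing can be exercised offline.

```python
"""Added example (not NopSec's or XSOAR's code): query UVRM's asset search
endpoint and summarize each open vulnerability's risk profile.

Assumptions (not from the page): the key comes from the UVRM_API_KEY
environment variable, and the endpoint returns a JSON list of assets
shaped like the sample response in the documentation.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://uvrm.nopsec.com/api/export"  # base URL from the page


class UvrmApiError(Exception):
    """Raised for the status codes the Troubleshooting section documents."""


def fetch_asset(ip_address, api_key, base_url=BASE_URL, timeout=30):
    """GET /asset/search?ip_address=... with the X-UVRM-API-KEY header.

    The key travels in a header, never in the URL, so it does not land in
    proxy or web-server access logs. 400 and 404 are mapped to UvrmApiError
    with the meaning the page gives them; other HTTP errors propagate.
    """
    query = urllib.parse.urlencode({"ip_address": ip_address})
    req = urllib.request.Request(
        f"{base_url}/asset/search?{query}",
        headers={"accept": "application/json", "X-UVRM-API-KEY": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 400:
            raise UvrmApiError("400 Bad request: recheck the request syntax") from exc
        if exc.code == 404:
            raise UvrmApiError(f"404 No data: no asset matches {ip_address!r}") from exc
        raise


def summarize_vulns(assets, include_accepted=False):
    """Flatten assets into one row per open vulnerability, highest risk first.

    false_positive findings are always dropped; risk_accepted findings are
    dropped unless include_accepted is True. cve_ids is split from the
    comma-separated string the API returns into a list.
    """
    rows = []
    for asset in assets:
        for vuln in asset.get("open_vulns", []):
            if vuln.get("false_positive"):
                continue
            if vuln.get("risk_accepted") and not include_accepted:
                continue
            rows.append({
                "ip_address": asset["ip_address"],
                "hostname": asset.get("hostname"),
                "vuln_id": vuln["id"],
                "title": vuln["title"],
                "cve_ids": [c for c in (vuln.get("cve_ids") or "").split(",") if c],
                "nopsec_risk_score": vuln["nopsec_risk_score"],
                "nopsec_risk_grade": vuln["nopsec_risk_grade"],
                "cvssv3_score": vuln.get("cvssv3_score"),
                "has_patch": bool(vuln.get("has_patch")),
                "has_malware": bool(vuln.get("has_malware")),
            })
    # sort is stable, so equal scores keep the API's original order
    rows.sort(key=lambda r: r["nopsec_risk_score"], reverse=True)
    return rows


# Constructed sample: trimmed copy of the documented response (descriptions omitted).
SAMPLE_RESPONSE = [{
    "id": 1001, "ip_address": "10.10.1.10", "hostname": "sample.nopsec.com",
    "business_risk_score": 52, "business_risk_grade": "C",
    "open_vulns": [
        {"id": 44061, "title": "Red Hat Update for kernel (RHSA-2016:2105) (Dirty Cow)",
         "nopsec_risk_score": 10, "nopsec_risk_grade": "Urgent", "has_malware": True,
         "risk_accepted": True, "false_positive": False, "has_patch": True,
         "cve_ids": "CVE-2016-5195", "cvssv3_score": 7.8},
        {"id": 44075, "title": "Red Hat Update for kernel (RHSA-2017:2863)",
         "nopsec_risk_score": 0.6, "nopsec_risk_grade": "Low", "has_malware": False,
         "risk_accepted": False, "false_positive": False, "has_patch": True,
         "cve_ids": "CVE-2017-7541", "cvssv3_score": 7.8},
        {"id": 44077, "title": "Red Hat Update for kernel (RHSA-2017:3200)",
         "nopsec_risk_score": 10, "nopsec_risk_grade": "Critical", "has_malware": False,
         "risk_accepted": False, "false_positive": False, "has_patch": True,
         "cve_ids": "CVE-2017-1000111,CVE-2017-1000112,CVE-2017-14106", "cvssv3_score": 7.8},
        {"id": 44074, "title": "Red Hat Update for nss (RHSA-2017:2832)",
         "nopsec_risk_score": 0.4, "nopsec_risk_grade": "Low", "has_malware": False,
         "risk_accepted": False, "false_positive": False, "has_patch": True,
         "cve_ids": "CVE-2017-7805", "cvssv3_score": 7.5},
    ],
}]


if __name__ == "__main__":
    key = os.environ.get("UVRM_API_KEY")
    # live query when a key is configured, otherwise the offline sample
    assets = fetch_asset("10.10.1.10", key) if key else SAMPLE_RESPONSE
    for row in summarize_vulns(assets):
        print(f"{row['nopsec_risk_score']:>4} {row['nopsec_risk_grade']:<8} "
              f"{row['vuln_id']} {row['title']}")
```

Run without UVRM_API_KEY set, the script prints the three non-accepted findings from the sample, with the Critical kernel advisory first; with the key set, it performs the live request instead. In an XSOAR integration the key belongs in the integration instance's credential parameters rather than in the script or an environment variable, and the risk_accepted and false_positive flags are the fields to honour when deciding which findings should open incidents.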