Description
Create an XM Cyber integration that ingests exposure findings, entity inventory, audit trail and security risk score data into Elastic, enabling attack path visibility, vulnerability prioritization and compliance use cases.
Sample data available upon request.
Required data
Field availability is to be confirmed against XM Cyber API responses. Two ECS constraints matter for the mapping below: all labels.* values are stored as keyword, so scores that need range filters or trend charts (risk, choke point, security score, CVSS) should also be indexed as numeric fields; and event.outcome and event.type only accept their ECS-defined vocabularies.
| XM Cyber Field | Expected ECS Mapping | Availability | Notes |
|---|---|---|---|
| Entity name | host.name / user.name | | Type-dependent (Device vs. AD User) |
| Entity type | labels.entity_type | | Device, AD User, AD Security Group, etc. |
| Compromised status | event.outcome | | Compromised / Not compromised. ECS event.outcome only accepts success, failure or unknown, so a label (e.g., labels.compromised) is the safer target |
| Compromise risk score | labels.compromise_risk_score | | 0–100 |
| Choke point score | labels.choke_point_score | | |
| Affected critical assets count | labels.critical_assets_count | | |
| IP address | host.ip | | Visible in entity detail table |
| Exposure name | event.action | | e.g., PrintNightmare, AD DCSync |
| Exposure type | labels.exposure_type | | e.g., hackingTechnique |
| Exposure severity | vulnerability.severity | | Critical, High, Medium, Low, Informative |
| Critical assets at risk | labels.critical_assets_at_risk | | |
| CVE ID | vulnerability.id | | VRM — visible in vulnerability detail table |
| CVSS v4.0 | vulnerability.score.base | | VRM; record the version in vulnerability.score.version |
| Scenario name | labels.scenario_name | | |
| Scenario risk grade | labels.risk_grade | | A–F scale |
| Scenario risk score | labels.risk_score | | 0–100 |
| Audit event type | event.type | | e.g., ACCESS (normalize to the lowercase ECS value access) |
| Audit event subtype | event.action | | e.g., XM_LOGIN, LOGOUT |
| Audit username | user.name | | |
| Audit user email | user.email | | |
| Audit source IP | source.ip | | |
| Sensor name | host.name | | |
| Sensor status | labels.sensor_status | | active / inactive |
| Organization security score | labels.security_score | | Main dashboard score, 0–100 |
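The mapping above, as an added example written for this page rather than code from XM Cyber or the Elastic integration. The input record shapes, key names, the xm_cyber.* numeric namespace, the event.dataset names and the sample values are all assumptions; the real API responses are still to be confirmed. The one deliberate deviation from the table is compromised status, which goes into a label because ECS event.outcome is restricted to success/failure/unknown.

```python
"""Added example: map constructed XM Cyber-style records onto the ECS fields
proposed in the table. Input key names and sample data are assumptions."""
import ipaddress

# ECS event.type is a fixed vocabulary; XM emits upper-case names such as ACCESS.
ECS_EVENT_TYPES = {
    "access", "admin", "allowed", "change", "connection", "creation", "deletion",
    "denied", "end", "error", "group", "indicator", "info", "installation",
    "protocol", "start", "user",
}


def _put(doc, dotted, value):
    """Assign value at a dotted ECS path, creating intermediate objects."""
    *parents, leaf = dotted.split(".")
    for p in parents:
        doc = doc.setdefault(p, {})
    doc[leaf] = value


def _score(doc, name, value):
    """labels.* is keyword in ECS, so keep the string there and a numeric copy
    under the hypothetical xm_cyber.* namespace for range queries and trends."""
    _put(doc, f"labels.{name}", str(value))
    _put(doc, f"xm_cyber.{name}", float(value))


def map_entity(rec):
    """Entity inventory record -> ECS document."""
    doc = {"event": {"dataset": "xm_cyber.entity"}}  # dataset name assumed
    name_field = "host.name" if rec["type"] == "Device" else "user.name"
    _put(doc, name_field, rec["name"])
    _put(doc, "labels.entity_type", rec["type"])
    # event.outcome only admits success/failure/unknown, so compromised state
    # is kept as a label instead of being forced into event.outcome.
    _put(doc, "labels.compromised", "true" if rec["compromised"] else "false")
    for key in ("compromise_risk_score", "choke_point_score", "critical_assets_count"):
        if key in rec:
            _score(doc, key, rec[key])
    if rec.get("ip"):
        # ip_address() rejects malformed values before they reach an ip field
        _put(doc, "host.ip", [str(ipaddress.ip_address(rec["ip"]))])
    return doc


def map_exposure(rec):
    """Exposure / VRM finding -> ECS document."""
    doc = {"event": {"dataset": "xm_cyber.exposure", "action": rec["name"]}}
    _put(doc, "labels.exposure_type", rec["type"])
    _put(doc, "vulnerability.severity", rec["severity"])
    _score(doc, "critical_assets_at_risk", rec.get("critical_assets_at_risk", 0))
    if rec.get("cve"):  # only VRM rows carry a CVE and a CVSS score
        _put(doc, "vulnerability.id", rec["cve"])
        _put(doc, "vulnerability.score.base", float(rec["cvss"]))
        _put(doc, "vulnerability.score.version", "4.0")
    return doc


def map_audit(rec):
    """Audit trail record -> ECS document."""
    doc = {"event": {"dataset": "xm_cyber.audit", "action": rec["subtype"]}}
    etype = rec["type"].lower()
    if etype in ECS_EVENT_TYPES:
        doc["event"]["type"] = [etype]
    else:  # unknown vocabulary value: keep it, but not in event.type
        _put(doc, "labels.audit_event_type", rec["type"])
    _put(doc, "user.name", rec["user"])
    _put(doc, "user.email", rec["email"])
    _put(doc, "source.ip", str(ipaddress.ip_address(rec["source_ip"])))
    return doc


# Constructed sample records (not real XM Cyber output; CVE is a placeholder).
SAMPLE_ENTITY = {"name": "dc01", "type": "Device", "compromised": True,
                 "compromise_risk_score": 87, "choke_point_score": 64,
                 "critical_assets_count": 12, "ip": "10.0.0.5"}
SAMPLE_EXPOSURE = {"name": "PrintNightmare", "type": "hackingTechnique",
                   "severity": "Critical", "critical_assets_at_risk": 3,
                   "cve": "CVE-2024-0000", "cvss": 8.8}
SAMPLE_AUDIT = {"type": "ACCESS", "subtype": "XM_LOGIN", "user": "alice",
                "email": "alice@example.com", "source_ip": "192.0.2.10"}

if __name__ == "__main__":
    for mapper, rec in ((map_entity, SAMPLE_ENTITY), (map_exposure, SAMPLE_EXPOSURE),
                        (map_audit, SAMPLE_AUDIT)):
        print(mapper(rec))
```

The same normalization would live in the integration's ingest pipeline; the point of the Python version is to make the two vocabulary checks and the keyword-versus-numeric split visible before the field list is finalized.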
Dashboard ideas
- Entities Overview: Total entities, critical assets, and choke points; distribution by compromised status and severity; most impacted entities table
- Scenario Exposure Findings: Exposures with most risk to critical assets and choke points; exposure profile detail with severity, complexity, and affected entities
- Security Score Trend: Organization-wide risk score over time (1 month / 3 month / 6 month / 1 year views)
- Audit Trail: Most active users, user activity distribution, 2FA setup trend, most active IPs, audit detail log
- Scenarios Overview: Risk grade distribution, inactive scenario count, lowest-scoring scenarios, scenario detail table
- Sensors Overview: Sensors by OS type and cloud provider, failed sensors by reason, sensors requiring updates, version distribution
- VRM — Vulnerabilities / Devices / Products: CVE inventory by severity and age, new vs. remediated trend, vulnerability funnel by XM enrichment; device and product detail tables with choke point and critical asset context
Use cases
- Attack path correlation: Combine XM Cyber choke point and critical asset data with EDR telemetry to prioritize alert triage based on whether the affected entity sits on an active attack path
- Exposure driven vulnerability prioritization: XM Cyber's VRM surfaces CVEs already enriched with attack path context, enabling SOC teams to prioritize remediation by actual risk rather than CVSS alone
- Entity risk scoring: Use compromise risk scores and choke point status as signals in Elastic's user and entity risk scoring framework
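The attack path correlation use case, as an added example that is not part of the original request or of XM Cyber's product: it ranks constructed EDR alerts by whether the affected host is a choke point or sits on a path to critical assets. The entity context is assumed to have been ingested already (the labels.* fields from the table, looked up by host.name); the thresholds and weights are illustrative, not XM Cyber's.

```python
"""Added example: boost EDR alert triage priority with XM Cyber attack path
context. Context shape, thresholds and sample data are assumptions."""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CHOKE_POINT_THRESHOLD = 50   # illustrative cut-off on the 0-100 choke point score
HIGH_RISK_THRESHOLD = 80     # illustrative cut-off on the compromise risk score


@dataclass(frozen=True)
class EntityContext:
    """XM Cyber signals the table maps onto labels.* (assumed to be numeric here)."""
    choke_point_score: float
    critical_assets_count: int
    compromise_risk_score: float


def triage_priority(alert_severity, ctx):
    """Return (priority, reason). Base priority is the EDR severity weight; it is
    raised when the host is a choke point, when attack paths from it reach
    critical assets, or when XM already rates it as likely compromised."""
    base = SEVERITY_WEIGHT[alert_severity.lower()]
    if ctx is None:
        return base, "no XM Cyber context for host"
    boost, reasons = 0, []
    if ctx.choke_point_score >= CHOKE_POINT_THRESHOLD:
        boost += 2
        reasons.append(f"choke point (score {ctx.choke_point_score:.0f})")
    if ctx.critical_assets_count > 0:
        boost += 1
        reasons.append(f"{ctx.critical_assets_count} critical assets reachable")
    if ctx.compromise_risk_score >= HIGH_RISK_THRESHOLD:
        boost += 1
        reasons.append(f"compromise risk {ctx.compromise_risk_score:.0f}")
    return base + boost, "; ".join(reasons) or "not on an attack path"


def rank_alerts(alerts, context):
    """alerts: list of {host, severity, rule}; context: host.name -> EntityContext.
    Returns the alerts with priority/reason attached, highest priority first."""
    ranked = []
    for alert in alerts:
        prio, why = triage_priority(alert["severity"], context.get(alert["host"]))
        ranked.append({**alert, "priority": prio, "reason": why})
    ranked.sort(key=lambda r: (-r["priority"], r["host"]))
    return ranked


# Constructed sample data: two hosts with XM context, one without.
CONTEXT = {
    "dc01": EntityContext(choke_point_score=64, critical_assets_count=12,
                          compromise_risk_score=87),
    "ws-042": EntityContext(choke_point_score=3, critical_assets_count=0,
                            compromise_risk_score=12),
}
ALERTS = [
    {"host": "ws-042", "severity": "high", "rule": "Suspicious PowerShell"},
    {"host": "dc01", "severity": "medium", "rule": "New service installed"},
    {"host": "lab-vm", "severity": "critical", "rule": "Credential dumping"},
]

if __name__ == "__main__":
    for r in rank_alerts(ALERTS, CONTEXT):
        print(r["priority"], r["host"], r["rule"], "-", r["reason"])
```

With this data a medium alert on dc01 (a choke point with twelve critical assets behind it) outranks a critical alert on a host XM Cyber has no record of, which is the behaviour the use case is after; the unknown host keeps its base priority rather than being demoted, since absence from the inventory is not evidence of safety.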