Cortex Xpanse by Palo Alto Networks (Deprecated) v1.10.61 Hidden

Deprecated. Use Cortex Xpanse instead.

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
Data Enrichment & Threat Intelligence

Dashboards (2)

  • Expanse Incidents
  • Expanse Perimeter

Indicator fields (15)

  • Expanse Asset Type
  • Expanse Business Units
  • Expanse Certificate Advertisement Status
  • Expanse Date Added
  • Expanse Dns Resolution Status
  • Expanse Domain
  • Expanse First Observed
  • Expanse Last Observed
  • Expanse Properties
  • Expanse Provider Name
  • Expanse Service Status
  • Expanse Source Domain
  • Expanse Tags
  • Expanse Tenant Name
  • Expanse Type

Integrations (2)

Widgets (25)

  • Expanse Active Certificates by BU
  • Expanse Active Certificates by BU with Active Service
  • Expanse Active Domain with Bad/Suspicious Reputation
  • Expanse Active Domains by BU
  • Expanse Active Domains by BU with Active Service
  • Expanse Active Expired Certificates by BU
  • Expanse Active Public IP with Bad/Suspicious Reputation
  • Expanse Active public IPs per BU
  • Expanse Confirmed Shadow IT Assets
  • Expanse Incidents On Non Standard Ports
  • Expanse Map
  • Expanse New Certificates by BU
  • Expanse New Domains by BU
  • Expanse New public IPs per BU
  • Expanse Open Incidents
  • Expanse Open Incidents By Organization Unit
  • Expanse Open Incidents By Severity
  • Expanse Open Incidents By Type
  • Expanse Open Incidents Pending Attribution
  • Expanse Open Incidents With Attribution
  • Expanse Open Incidents With High / Critical Severity
  • Expanse Open Incidents by Business Unit
  • Expanse Open Incidents on AWS By Region
  • Expanse Open Incidents on Azure By Region
  • Expanse Open Incidents on GCP By Region

README

Note: This Pack, is intended for use with Cortex Xpanse Expander v1, for customers utilizing Expander 2.X (i.e. Active ASM) with Cortex XSOAR, please utilize the Cortex Xpanse pack.

The Cortex Xpanse pack for Cortex XSOAR provides full coverage of the Cortex Xpanse Expander v1 product and allows SOCs to automate the defense of their company’s attack surface. The integrations included in the pack enable fetching and mirroring of Cortex Xpanse Issues into Cortex XSOAR incidents, and ingestion of indicators (IPs, domains, and certificates) referring to the corporate network perimeter as discovered by Cortex Xpanse, a Palo Alto Networks company.

Through a powerful set of playbooks, analysts can correlate the discovered information with data provided from internal security systems (Palo Alto Networks Cortex Data Lake, Prisma Cloud, and Panorama, Active Directory, Splunk SIEM, etc.) to help pinpoint the right owners of assets and automate remediation.

Note: This Pack, as well as its previously named Expanse v2 Integration, were renamed to Cortex Xpanse. All other content items are still named the same.

What does this pack do?
  • Provides the Cortex Xpanse integration (for Cortex Xpanse Expander), which allows XSOAR to collect Xpanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update issues and assets in Expander. The integration also supports the services API.
  • Provides a feed integration named Expanse Expander Feed, which is compatible with the Cortex XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, domains, certificates) in Cortex XSOAR for analysis and correlation.
  • Provides an Expanse Issue incident type with dedicated fields and layouts.
  • Provides a rich set of playbooks and sub-playbooks that handle the investigation and remediation of Xpanse Issues.
  • Provides dashboards that display the network perimeter as discovered by Xpanse and the status of Xpanse Issues.
How to use this pack?
  • After the Xpanse API key is added in the Cortex Xpanse integration and the parameters are set, the Xpanse issues will start getting mapped to the Expanse incident type and the Handle Expanse Incident playbook will automatically be launched.
  • If you are only interested in enrichment and attribution, you can use the Handle Expanse Incident - Attribution Only playbook instead, by assigning it to the Expanse Issue incident type.
  • This pack also includes a generic playbook called Xpanse Incident Handling - Generic. In order to use it, configure the instance without any classifier and choose Xpanse Issue - Generic as the incident type.
Screenshots
  • Expanse Incidents Dashboard: The main dashboard for all the Xpanse incidents.

    Expanse Incidents Dashboard

  • Expanse Incident Layout: The included default layout for Xpanse incidents.

    Expanse Incident Layout

  • Expanse Attribution Report: The report generated by the main playbook attribution stage after checking multiple log sources and Prisma Cloud environments.

    Expanse Attribution Report

  • Handle Expanse Incident - Remediation: An excerpt of the remediation stage of the main playbook. Note the different branches handling notifications, automatic network remediation, and follow up Shadow IT investigation if the asset is marked as Shadow IT by the incident assignee.

    Handle Expanse Incident Remediation

Video

Expanse and Cortex XSOAR