Expanse Attribution Deprecated
Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.
Cortex Xpanse by Palo Alto Networks (Deprecated) · 39 tasks · 7 inputs · 4 outputs
Inputs
IP— Expanse Issue IP.Domain— Expanse Issue Domain.Provider— Expanse Issue Provider.Port— Expanse Issue Port.Protocol— Expanse Issue Protocol.InternalIPRange— A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If a list of IP ranges is not provided, the list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used by default.NumberOfDaysInThePast— Number of days to look back to for logs.
Outputs
Expanse.AttributionIP— IP addressesExpanse.AttributionDevice— DevicesExpanse.AttributionUser— UsersExpanse.AttributionCI— CMDB CI
Commands used
cdl-query-logs
pan-os
splunk-search