Handle Expanse Incident - Attribution Only Deprecated
Deprecated. No available replacement. Shorter version of Handle Expanse Incident playbook with only the Attribution part. There are several phases: 1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: - Firewall logs from Strata Logging Service, Panorama and Splunk - User information from Active Directory - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2) - IP and FQDN from Prisma Cloud inventory 3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company). 4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
Cortex Xpanse by Palo Alto Networks (Deprecated) · 89 tasks · 8 inputs · 0 outputs
Inputs
TagPrefix— Prefix for XSOAR related Expanse tagsIPRangeLowConfidenceTagList— Comma separated list of tags to be used to identify IP ranges attributed with low confidenceInvalidTag— Tag to be used for Expanse assets that do not belong to org (set when the Analyst selects Invalid in the OU data collection)WriteToExpanse— Write data back to Expanse?OrganizationUnitsToOwnerName— Name of XSOAR List that contains the mapping between OU and OwnersOrganizationUnitsToTagName— Name of XSOAR List that contains the mapping between OU and Tag namesNumberOfDaysInThePast— How many days to go back in time when searching logsShadowITIncidentType— If set, specifies the type of Incident that gets automatically created during the Shadow IT flow. If not set, the Incident is to be created manually.
Commands used
closeInvestigation
createNewIncident
expanse-assign-tags-to-asset
expanse-create-tag
expanse-get-issue-comments
expanse-update-issue
getList
linkIncidents
setIncident