Cortex Xpanse by Palo Alto Networks

Details
Content
Dependencies
Version History

Automate Attack Surface Management to identify Internet assets and quickly remediate misconfigurations with Expanse, a Palo Alto Networks company.

Note: This Pack, is intended for use with Cortex Xpanse Expander v1, for customers utilizing Expander 2.X (i.e. Active ASM) with Cortex XSOAR, please utilize the Cortex Xpanse pack.

The Cortex Xpanse pack for Cortex XSOAR provides full coverage of the Cortex Xpanse Expander v1 product and allows SOCs to automate the defense of their company's attack surface. The integrations included in the pack enable fetching and mirroring of Cortex Xpanse Issues into Cortex XSOAR incidents, and ingestion of indicators (IPs, domains, and certificates) referring to the corporate network perimeter as discovered by Cortex Xpanse, a Palo Alto Networks company.

Through a powerful set of playbooks, analysts can correlate the discovered information with data provided from internal security systems (Palo Alto Networks Cortex Data Lake, Prisma Cloud, and Panorama, Active Directory, Splunk SIEM, etc.) to help pinpoint the right owners of assets and automate remediation.

Note: This Pack, as well as its previously named Expanse v2 Integration, were renamed to Cortex Xpanse. All other content items are still named the same.

What does this pack do?

Provides the Cortex Xpanse integration (for Cortex Xpanse Expander), which allows XSOAR to collect Xpanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update issues and assets in Expander. The integration also supports the services API.
Provides a feed integration named Expanse Expander Feed, which is compatible with the Cortex XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, domains, certificates) in Cortex XSOAR for analysis and correlation.
Provides an Expanse Issue incident type with dedicated fields and layouts.
Provides a rich set of playbooks and sub-playbooks that handle the investigation and remediation of Xpanse Issues.
Provides dashboards that display the network perimeter as discovered by Xpanse and the status of Xpanse Issues.

How to use this pack?

After the Xpanse API key is added in the Cortex Xpanse integration and the parameters are set, the Xpanse issues will start getting mapped to the Expanse incident type and the Handle Expanse Incident playbook will automatically be launched.
If you are only interested in enrichment and attribution, you can use the Handle Expanse Incident - Attribution Only playbook instead, by assigning it to the Expanse Issue incident type.
This pack also includes a generic playbook called Xpanse Incident Handling - Generic. In order to use it, configure the instance without any classifier and choose Xpanse Issue - Generic as the incident type.

Screenshots

Expanse Incidents Dashboard: The main dashboard for all the Xpanse incidents.
Expanse Incident Layout: The included default layout for Xpanse incidents.
Expanse Attribution Report: The report generated by the main playbook attribution stage after checking multiple log sources and Prisma Cloud environments.
Handle Expanse Incident - Remediation: An excerpt of the remediation stage of the main playbook. Note the different branches handling notifications, automatic network remediation, and follow up Shadow IT investigation if the asset is marked as Shadow IT by the incident assignee.

Video

Automations

Name	Description
ExpanseGenerateIssueMapWidgetScript	This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ExpanseRefreshIssueAssets	Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context.
ExpansePrintSuggestions	Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner.
ExpanseEvidenceDynamicSection	Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure.
ExpanseAggregateAttributionUser	Aggregate entries from multiple sources into AttributionUser.
ExpanseAggregateAttributionDevice	Aggregate entries from multiple sources into AttributionDevice.
ExpanseAggregateAttributionCI	Aggregate entries from ServiceNow CMDB into AttributionCI.
MatchIPinCIDRIndicators	Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match).
ExpanseAggregateAttributionIP	Aggregate entries from multiple sources into AttributionIP.
ExpanseEnrichAttribution	This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details

Classifiers

Name	Description
ExpanseV2 - Classifier
ExpanseV2 - Incoming Mapper

Dashboards

Name	Description
Expanse Perimeter
Expanse Incidents

Incident Fields

Name	Description
Expanse Progress Status
Expanse Shadow IT
Expanse Modified
Expanse Certificate
Expanse Asset
Expanse Latest Evidence
Expanse Assignee
Expanse Provider	Provider of the asset as returned by Expanse
Expanse Asset Owner
Expanse Issue ID
Expanse Issue Type
Expanse Created
Expanse Protocol
Expanse Geolocation
Expanse Business Units
Expanse Initial Evidence
Expanse Asset Organization Unit	Organization Unit this asset belongs to
Expanse Activity Status
Expanse Region
Expanse Domain
Expanse Priority
Expanse IP
Expanse Tags
Expanse Category
Expanse Cloud Management Status
Expanse ML Features
Expanse Port
Expanse Service

Incident Types

Name	Description
Xpanse Issue - Generic
Expanse Issue

Indicator Fields

Name	Description
Expanse Tenant Name
Expanse First Observed
Expanse Certificate Advertisement Status
Expanse Dns Resolution Status
Expanse Source Domain
Expanse Asset Type
Expanse Service Status
Expanse Provider Name
Expanse Tags
Expanse Last Observed
Expanse Date Added
Expanse Properties
Expanse Business Units
Expanse Type
Expanse Domain

Integrations

Name	Description
Cortex Xpanse Legacy	The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Xpanse issues. It also leverages Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Xpanse Expander and risky flows detected by Xpanse Behavior.
Expanse Expander Feed	Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database.

Layouts

Name	Description
Expanse Certificate Indicator Layout
Expanse Issue Layout

Playbooks

Name	Description
Extract and Enrich Expanse Indicators	Subplaybook for Handle Expanse Incident playbooks. Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents. Enrichment is performed via enrichIndicators command and generic playbooks. Returns the enriched indicators.
Expanse VM Enrich	This Playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by: Searching the IP and / or domain of the identified Expanse asset in the vulnerability management tool This playbook expects an incident with an IP or a Domain to exist in the context.
Expanse Unmanaged Cloud	Subplaybook for bringing rogue cloud accounts under management.
NSA - 5 Security Vulnerabilities Under Active Nation-State Attack	Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs reported in the US agencies alert. Search for unpatched endpoints vulnerable to the exploits. Search for vulnerable assets facing the internet using Expanse. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Cyber Security Advisory
Xpanse Incident Handling - Generic	A generic playbook for handling Xpanse issues. The logic behind this playbook is to work with an internal exclusions list which will help the analyst to get to a decision or, if configured, close incidents automatically. The phases of this playbook are: 1) Check if assets (IP, Domain or Certificate) associated with the issue are excluded in the exclusions list and optionally, close the incident automatically. 2) Optionally, enrich indicators and calculate the severity of the issue, using sub-playbooks. 3) Optionally, allow the analyst to add associated assets (IP, Domain or Certificate) to the exclusions list. 4) Tag associated assets. 5) Update the status of the issue.
Expanse Find Cloud IP Address Region and Service	Subplaybook for Expanse Enrich Cloud Assets subplaybook. This playbook is used to find the corresponding Public Cloud Region (i.e. AWS us-east-1) and Service (i.e. AWS EC2) for a provided IP Address. It works by correlating the provided IP address with the IP Range Indicators (CIDRs) that can be collected from Public Cloud feeds (i.e. AWS Feed) in XSOAR. CIDR Indicators must be tagged properly using the corresponding tags (i.e. AWS for AWS Feed): tags can be configured in the Feed Integrations and must match the ones provided in the inputs of this playbook. Correlation is done based on the longest match (i.e. smaller CIDR such as /20 range wins over a bigger one such as /16).
Handle Expanse Incident - Attribution Only	Shorter version of Handle Expanse Incident playbook with only the Attribution part. There are several phases: Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. Validation: the found IP and FQDN are correlated with the information available in other products: Firewall logs from Strata Logging Service, Panorama and Splunk User information from Active Directory Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2) IP and FQDN from Prisma Cloud inventory Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company). Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
Expanse Load-Create List	Sub-playbook to support Expanse Handle Incident playbook. Loads a list to be used in the Expanse playbook. Creates the list if it does not exist.
Expanse Attribution	Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.
Expanse Enrich Cloud Assets	Subplaybook for Handle Expanse Incident playbooks. This Playbook is meant to be used as a subplaybook to enrich Public Cloud Assets (i.e. IP addresses and FQDNs) by: Searching the corresponding Region and Service by correlating the provided IPs with IP range feeds retrieved from Public Cloud Providers (require TIM and Public Cloud feeds such as AWS Feed integrations to be enabled). Searching IPs and FQDNs in Prisma Cloud inventory (requires Prisma Cloud).
Handle Expanse Incident	Main Playbook to Handle Expanse Incidents. There are several phases: Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. Validation: the found IP and FQDN are correlated with the information available in other products: Firewall logs from Strata Logging Service, Panorama, and Splunk. User information from Active Directory. Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and service (i.e., us-west-1 on AWS EC2). IP and FQDN from Prisma Cloud inventory. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the company). Attribution: based on the information collected above, the analyst is prompted to assign this issue to an Organization Unit, which is a group within the company with a specific owner. The analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as: Tagging the asset in Expanse with a specific Organization Unit tag. Blocking the service on PAN-OS (if a firewall is deployed in front of the service). Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it) Adding the service to a Vulnerability Management system Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory) Bringing rogue cloud accounts under management

Widgets

Name	Description
Expanse Open Incidents By Severity
Expanse Open Incidents Pending Attribution
Expanse New Certificates by BU
Expanse Open Incidents on AWS By Region
Expanse New public IPs per BU
Expanse Active Certificates by BU with Active Service
Expanse Confirmed Shadow IT Assets
Expanse Map
Expanse Active Public IP with Bad/Suspicious Reputation
Expanse Incidents On Non Standard Ports
Expanse Active Domains by BU with Active Service
Expanse Open Incidents on Azure By Region
Expanse Open Incidents With Attribution
Expanse Open Incidents With High / Critical Severity
Expanse Active Domains by BU
Expanse Active Certificates by BU
Expanse Open Incidents By Type
Expanse Active Expired Certificates by BU
Expanse Active public IPs per BU
Expanse Open Incidents
Expanse Open Incidents on GCP By Region
Expanse Open Incidents By Organization Unit
Expanse Active Domain with Bad/Suspicious Reputation
Expanse Open Incidents by Business Unit
Expanse New Domains by BU

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Strata Logging Service by Palo Alto Networks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (12)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
AWS Feed	By: Cortex XSOAR
Azure Feed	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR
Shadow IT	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Tenable.io	By: Cortex XSOAR
X509Certificate	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Strata Logging Service by Palo Alto Networks	By: Cortex XSOAR

1.10.52 - R913451 (March 25, 2024)

Cortex Xpanse by Palo Alto Networks

Breaking Changes: The X509 Certificate indicator type has been moved from the "X509 Certificate" content pack to the "Common Types" content pack. Before updating, uninstall the "X509 Certificate" content pack (Common Types will be updated automatically).

Related pull requests:
- 31341

Download

1.10.51 - 867923 (March 4, 2024)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:122.0.6261.88727.

Related pull requests:
- 33175

Download

1.10.50 - 865088 (March 3, 2024)

Scripts

ExpanseEnrichAttribution

Updated the Docker image to: demisto/python3:3.10.13.87159.

ExpanseRefreshIssueAssets

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33020

Download

1.10.49 - 819156 (February 11, 2024)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:121.0.6167.87281.

Related pull requests:
- 32807

Download

1.10.48 - 775948 (January 21, 2024)

Playbooks

Handle Expanse Incident - Attribution Only

Replaced references to Cortex Data Lake to Strata Logging Service.

Handle Expanse Incident

Replaced references to Cortex Data Lake to Strata Logging Service.

Related pull requests:
- 31064

Download

1.10.47 - 722180 (December 28, 2023)

Scripts

ExpanseEvidenceDynamicSection

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExpanseAggregateAttributionDevice

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExpanseAggregateAttributionIP

Updated the Docker image to: demisto/python3:3.10.13.83255.

MatchIPinCIDRIndicators

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExpansePrintSuggestions

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExpanseAggregateAttributionCI

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExpanseAggregateAttributionUser

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31812

Download

1.10.46 - R7209615 (December 19, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:120.0.6099.83579.

Related pull requests:
- 31460

Download

1.10.45 - 7066068 (December 4, 2023)

Integrations

Cortex Xpanse Legacy

Updated the integration display name from Cortex Xpanse to Cortex Xpanse Legacy

Related pull requests:
- 31234
- 31276

Download

1.10.44 - 6704012 (October 25, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:118.0.5993.78770.

Related pull requests:
- 30260

Download

1.10.43 - R6592021 (October 13, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:117.0.5938.74233.

Related pull requests:
- 29779

Download

1.10.42 - 6238121 (September 5, 2023)

Integrations

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.13.72123.

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29394

Download

1.10.41 - 6069807 (August 16, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:115.0.5790.69036.

Related pull requests:
- 28997

Download

1.10.40 - 5910354 (July 30, 2023)

Integrations

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.12.66339.

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28574

Download

1.10.39 - R5866730 (July 25, 2023)

Scripts

ExpanseAggregateAttributionIP

Updated the Docker image to: demisto/python3:3.10.12.63474.

MatchIPinCIDRIndicators

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExpansePrintSuggestions

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExpanseAggregateAttributionCI

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExpanseAggregateAttributionUser

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28085

Download

1.10.38 - R5692327 (July 5, 2023)

Integrations

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.12.63474.

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.12.63474.

Scripts

ExpanseEvidenceDynamicSection

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExpanseAggregateAttributionDevice

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27707

Download

1.10.37 - 5498982 (June 11, 2023)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.12.62631.
Added support for fetch logs.

Related pull requests:
- 27124

Download

1.10.36 - R5450895 (June 5, 2023)

Integrations

Cortex Xpanse

Added support for Network, Device and ResponsiveIP asset type POC and Tag annotations via the assets v3 API.

Related pull requests:
- 27111
- 26998

Download

1.10.35 - 5404881 (May 30, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:1.0.0.56296.

Related pull requests:
- 26990
- 27124

Download

1.10.34 - R5170573 (May 2, 2023)

Playbooks

Handle Expanse Incident - Attribution Only

Updated the playbook to use Prisma Cloud Correlate Alerts v2 instead of deprecated Prisma Cloud Correlate Alerts playbook.
Updated the inputs not to hold OwnerNotificationBody and OwnerNotificationSubject that are not used in any task.

Handle Expanse Incident

Updated the playbook to use Prisma Cloud Correlate Alerts v2 instead of deprecated Prisma Cloud Correlate Alerts playbook.

Related pull requests:
- 25156

Download

1.10.33 - 5051444 (April 16, 2023)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.11.54132.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25836

Download

1.10.32 - 4910116 (March 27, 2023)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.10.50695.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.10.50695.

Related pull requests:
- 25524

Download

1.10.31 - 4771215 (March 8, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:1.0.0.49453.
Documentation and metadata improvements.

Related pull requests:
- 23716

Download

1.10.30 - 4746941 (March 5, 2023)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.10.48392.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 25037

Download

1.10.29 - R4718798 (March 1, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:1.0.0.48560.

Related pull requests:
- 24693

Download

1.10.28 - R4618697 (February 15, 2023)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:1.0.0.46586.

Related pull requests:
- 24286

Download

1.10.27 - R4413860 (January 17, 2023)

Integrations

Cortex Xpanse

Added support for sections infrastructure.

Related pull requests:
- 23694

Download

1.10.26 - 4384217 (January 12, 2023)

Integrations

Cortex Xpanse

Added the API Key integration parameter to support credentials fetching object.

Expanse Expander Feed

Added the API Key integration parameter to support credentials fetching object.

Related pull requests:
- 23788

Download

1.10.25 - 4372591 (January 11, 2023)

Integrations

Cortex Xpanse

Fixed an issue where the expanse-unassign-tags-from-asset would occasionally time out.

Related pull requests:
- 23705

Download

1.10.24 - R4368875 (January 10, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 23403

Download

1.10.23 - 4227458 (December 15, 2022)

Scripts

ExpanseGenerateIssueMapWidgetScript

Updated the Docker image to: demisto/chromium:1.0.0.41207.

Related pull requests:
- 23066

Download

1.10.22 - 4116031 (November 28, 2022)

Playbooks

Expanse Load-Create List

Changed the playbook input ListValues to optional.
Fixed an issue where when the ListValues was empty, an error occurred.

Related pull requests:
- 22533

Download

1.10.21 - 4026126 (November 13, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.8.37233.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.8.37233.

Related pull requests:
- 22165

Download

1.10.20 - R3994332 (November 8, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.6.33415.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21160

Download

1.10.19 - 3515978 (August 23, 2022)

Integrations

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.5.31928.

Related pull requests:
- 20714

Download

1.10.18 - 3427401 (August 9, 2022)

Integrations

Cortex Xpanse

Added support for the integrationReliability, feedExpirationPolicy and feedExpirationInterval integration parameters.
Updated the Docker image to: demisto/python3:3.10.5.31928.

Related pull requests:
- 20361

Download

1.10.17 - 3379905 (August 2, 2022)

Incident Fields

Expanse Category

Related pull requests:
- 20257

Download

1.10.16 - 3208294 (July 5, 2022)

Playbooks

Handle Expanse Incident

Fixed an issue where the playbook was using deprecated Panorama commands.

Expanse Attribution

Fixed an issue where the playbook was using deprecated Panorama commands.

Related pull requests:
- 19338

Download

1.10.15 - 3118515 (June 19, 2022)

Integrations

Expanse Expander Feed

Removed excessive error traceback printing.

Scripts

ExpanseGenerateIssueMapWidgetScript

Removed excessive error traceback printing.
Updated the Docker image to: demisto/chromium:1.0.0.30388.

ExpanseAggregateAttributionIP

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpansePrintSuggestions

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseAggregateAttributionUser

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseAggregateAttributionDevice

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseRefreshIssueAssets

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseEvidenceDynamicSection

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseAggregateAttributionCI

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

ExpanseEnrichAttribution

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

MatchIPinCIDRIndicators

Removed excessive error traceback printing.
Updated the Docker image to: demisto/python3:3.10.4.30607.

Related pull requests:
- 19507

Download

1.10.14 - 3090372 (June 14, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.4.30607.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.4.30607.

Related pull requests:
- 19552

Download

1.10.13 - 2902879 (May 11, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.4.29342.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.4.29342.

Download

1.10.12 - 2788053 (April 20, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

Cortex Xpanse

Fixed an issue in expanse-get-domain command, where an unexpected error occurred when no domainStatuses were retrieved from the API call.
Updated the Docker image to: demisto/python3:3.10.4.28442.

Related pull requests:
- 18656
- 20109

Download

1.10.11 - 2784849 (April 19, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.4.28442.

Download

1.10.10 - 2674843 (March 30, 2022)

Integrations

Cortex Xpanse

Added type validations and other internal code improvements.

Scripts

ExpanseEvidenceDynamicSection

Added type validations and other internal code improvements.

Download

1.10.9 - 2624637 (March 22, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.1.27636.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.1.27636.

Download

1.10.8 - R2510561 (March 3, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.1.26972.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.1.26972.

Download

1.10.7 - R2425968 (February 16, 2022)

Incident Fields

Expanse Provider

Download

1.10.6 - 2380698 (February 8, 2022)

Incident Fields

Expanse Category

Download

1.10.5 - 2355875 (February 3, 2022)

Incident Fields

Expanse Category
Expanse Protocol
Expanse Provider
Expanse Domain

Download

1.10.4 - 2353377 (February 3, 2022)

Incident Fields

Expanse Port
Expanse IP

Download

1.10.3 - 2303329 (January 25, 2022)

Incident Fields

Expanse Asset
Maintenance and stability enhancements.

Download

1.10.2 - 2297077 (January 24, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.10.1.25933.

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.10.1.25933.

Download

1.10.1 - R2233034 (January 10, 2022)

Integrations

Cortex Xpanse

Updated the Docker image to: demisto/python3:3.9.9.25564.

Download

1.10.0 - R2146019 (December 21, 2021)

Integrations

Cortex Xpanse

Breaking Changes: The expanse-get-risky-flows and expanse-list-risk-rules commands are no longer supported in the Xpanse API, and have been deprecated.

Playbooks

Handle Expanse Incident - Attribution Only

Breaking Changes: Removed Behavior References

Handle Expanse Incident

Breaking Changes: Removed Behavior References

Download

1.9.4 - 2057109 (December 5, 2021)

Integrations

Expanse Expander Feed

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 23, 2020
Last Release	March 25, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Tenable Vulnerability Management (formerly Tenable.io)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.