Skip to main content

Cortex Xpanse by Palo Alto Networks

Download With Dependencies

Automate Attack Surface Management to identify Internet assets and quickly remediate misconfigurations with Expanse, a Palo Alto Networks company.

Note: This Pack, is intended for use with Cortex Xpanse Expander v1, for customers utilizing Expander 2.X (i.e. Active ASM) with Cortex XSOAR, please utilize the Cortex Xpanse pack.

The Cortex Xpanse pack for Cortex XSOAR provides full coverage of the Cortex Xpanse Expander v1 product and allows SOCs to automate the defense of their company's attack surface. The integrations included in the pack enable fetching and mirroring of Cortex Xpanse Issues into Cortex XSOAR incidents, and ingestion of indicators (IPs, domains, and certificates) referring to the corporate network perimeter as discovered by Cortex Xpanse, a Palo Alto Networks company.

Through a powerful set of playbooks, analysts can correlate the discovered information with data provided from internal security systems (Palo Alto Networks Cortex Data Lake, Prisma Cloud, and Panorama, Active Directory, Splunk SIEM, etc.) to help pinpoint the right owners of assets and automate remediation.

Note: This Pack, as well as its previously named Expanse v2 Integration, were renamed to Cortex Xpanse. All other content items are still named the same.

What does this pack do?
  • Provides the Cortex Xpanse integration (for Cortex Xpanse Expander), which allows XSOAR to collect Xpanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update issues and assets in Expander. The integration also supports the services API.
  • Provides a feed integration named Expanse Expander Feed, which is compatible with the Cortex XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, domains, certificates) in Cortex XSOAR for analysis and correlation.
  • Provides an Expanse Issue incident type with dedicated fields and layouts.
  • Provides a rich set of playbooks and sub-playbooks that handle the investigation and remediation of Xpanse Issues.
  • Provides dashboards that display the network perimeter as discovered by Xpanse and the status of Xpanse Issues.
How to use this pack?
  • After the Xpanse API key is added in the Cortex Xpanse integration and the parameters are set, the Xpanse issues will start getting mapped to the Expanse incident type and the Handle Expanse Incident playbook will automatically be launched.
  • If you are only interested in enrichment and attribution, you can use the Handle Expanse Incident - Attribution Only playbook instead, by assigning it to the Expanse Issue incident type.
  • This pack also includes a generic playbook called Xpanse Incident Handling - Generic. In order to use it, configure the instance without any classifier and choose Xpanse Issue - Generic as the incident type.
  • Expanse Incidents Dashboard: The main dashboard for all the Xpanse incidents.

    Expanse Incidents Dashboard

  • Expanse Incident Layout: The included default layout for Xpanse incidents.

    Expanse Incident Layout

  • Expanse Attribution Report: The report generated by the main playbook attribution stage after checking multiple log sources and Prisma Cloud environments.

    Expanse Attribution Report

  • Handle Expanse Incident - Remediation: An excerpt of the remediation stage of the main playbook. Note the different branches handling notifications, automatic network remediation, and follow up Shadow IT investigation if the asset is marked as Shadow IT by the incident assignee.

    Handle Expanse Incident Remediation


Expanse and Cortex XSOAR




Cortex XSOAR


CertificationRead more
Supported ByCortex
CreatedDecember 23, 2020
Last ReleaseMay 16, 2024

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.