Expanse v2

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The Expanse v2 integration for Cortex XSOAR leverages the Expander API to create incidents from Expanse issues. It also leverages Expanse's unparalleled view of the Internet to enrich IPs, domains, and certificates using information from assets discovered by Expanse Expander and risky flows detected by Expanse Behavior.

This integration was developed and tested with Expanse Expander and Behavior.

Expanse is a Palo Alto Networks company.

Configure ExpanseV2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ExpanseV2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    |---|---|---|
    | url | Your server URL | True |
    | apikey | API Key | True |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |
    | isFetch | Fetch incidents | False |
    | incidentType | Incident type | False |
    | max_fetch | Maximum number of incidents per fetch | False |
    | first_fetch | First fetch time | False |
    | priority | Fetch Expanse issues with Priority | False |
    | activity_status | Fetch Expanse issues with Activity Status | False |
    | progress_status | Fetch Expanse issues with Progress Status | False |
    | business_unit | Fetch issues with Business Units (comma separated string) | False |
    | tag | Fetch issues with Tags (comma separated string) | False |
    | issue_type | Fetch issues with Types (comma separated string) | False |
    | mirror_direction | Incident Mirroring Direction | False |
    | sync_owners | Sync Incident Owners | False |
    | incoming_tags | Tag(s) for mirrored comments | False |
    | sync_tags | Mirror out Entries with tag(s) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

expanse-get-issues

Retrieve issues

Base Command

expanse-get-issues

Input

| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of issues to retrieve. | Optional |
| content_search | Returns only results whose contents match the given query. | Optional |
| provider | Returns only results that were found on the given providers (comma separated string). | Optional |
| business_unit | Returns only results with a business unit whose name falls in the provided list (comma separated string). | Optional |
| assignee | Returns only results whose assignee's username matches one of the given usernames. Use "Unassigned" to fetch issues that are not assigned to any user. | Optional |
| issue_type | Returns only results whose issue type name matches one of the given types (comma separated string). | Optional |
| inet_search | Returns results whose identifier includes an IP matching the query. Search for results in a given IP/CIDR block using a single IP (d.d.d.d), a dashed IP range (d.d.d.d-d.d.d.d), a CIDR block (d.d.d.d/m), a partial CIDR (d.d.), or a wildcard (d.d.*.d). | Optional |
| domain_search | Returns results whose identifier includes a domain matching the query. | Optional |
| port_number | Returns only results whose identifier includes one of the given port numbers (comma separated list). | Optional |
| priority | Returns only results whose priority matches one of the given values (comma separated string, options are 'Low', 'Medium', 'High', 'Critical'). | Optional |
| progress_status | Returns only results whose progress status matches one of the given values (comma separated string, options are 'New', 'Investigating', 'InProgress', 'AcceptableRisk', 'Resolved'). | Optional |
| activity_status | Returns only results whose activity status matches one of the given values. Possible values are: Active, Inactive. | Optional |
| tag | Returns only results that are associated with the provided tag names (comma separated string). | Optional |
| created_before | Returns only results created before the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |
| created_after | Returns only results created after the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |
| modified_before | Returns only results modified before the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |
| modified_after | Returns only results modified after the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |
| sort | Sort by specified properties. Possible values are: created, -created, modified, -modified, activityStatus, -assigneeUsername, priority, -priority, progressStatus, -progressStatus, activityStatus, -activityStatus, headline, -headline. Default is created. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Expanse.Issue.activityStatus | String | Activity status of issue, whether the issue is active or inactive |
| Expanse.Issue.annotations.tags.id | String | The Internal Expanse tag id of the customer added tag |
| Expanse.Issue.annotations.tags.name | String | The tag name of the customer added tag |
| Expanse.Issue.assets.assetKey | String | Key used to access the asset in the respective Expanse asset API |
| Expanse.Issue.assets.assetType | String | The type of asset the issue primarily relates to |
| Expanse.Issue.assets.displayName | String | A friendly name for the asset |
| Expanse.Issue.assets.id | String | Internal Expanse ID of the asset |
| Expanse.Issue.assigneeUsername | String | The username of the user that has been assigned to the issue |
| Expanse.Issue.businessUnits.id | String | The internal Expanse ID for the business unit the affected asset belongs to |
| Expanse.Issue.businessUnits.name | String | The name of the business unit the affected asset belongs to |
| Expanse.Issue.category | String | The general category of the issue |
| Expanse.Issue.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate |
| Expanse.Issue.certificate.id | String | The Internal Expanse certificate ID |
| Expanse.Issue.certificate.issuer | String | The issuer in the certificate |
| Expanse.Issue.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate |
| Expanse.Issue.certificate.issuerCountry | String | The issuer country in the certificate |
| Expanse.Issue.certificate.issuerEmail | String | The issuer email in the certificate |
| Expanse.Issue.certificate.issuerLocality | String | The issuer locality in the certificate |
| Expanse.Issue.certificate.issuerName | String | The issuer name in the certificate |
| Expanse.Issue.certificate.issuerOrg | String | The issuer org in the certificate |
| Expanse.Issue.certificate.issuerOrgUnit | String | The issuer org unit in the certificate |
| Expanse.Issue.certificate.issuerState | String | The issuer state in the certificate |
| Expanse.Issue.certificate.md5Hash | String | The md5hash in the certificate |
| Expanse.Issue.certificate.pemSha1 | String | The pemSha1 in the certificate |
| Expanse.Issue.certificate.pemSha256 | String | The pemSha256 in the certificate |
| Expanse.Issue.certificate.publicKey | String | The public key in the certificate |
| Expanse.Issue.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate |
| Expanse.Issue.certificate.publicKeyBits | Number | The public key bits in the certificate |
| Expanse.Issue.certificate.publicKeyModulus | String | The public key modulus in the certificate |
| Expanse.Issue.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate |
| Expanse.Issue.certificate.publicKeySpki | String | The public key Spki in the certificate |
| Expanse.Issue.certificate.serialNumber | String | The serial number in the certificate |
| Expanse.Issue.certificate.signatureAlgorithm | String | The signature algorithm in the certificate |
| Expanse.Issue.certificate.subject | String | The subject in the certificate |
| Expanse.Issue.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate |
| Expanse.Issue.certificate.subjectCountry | String | The subject country in the certificate |
| Expanse.Issue.certificate.subjectEmail | String | The subject email in the certificate |
| Expanse.Issue.certificate.subjectLocality | String | The subject locality in the certificate |
| Expanse.Issue.certificate.subjectName | String | The subject name in the certificate |
| Expanse.Issue.certificate.subjectOrg | String | The subject org in the certificate |
| Expanse.Issue.certificate.subjectOrgUnit | String | The subject org unit in the certificate |
| Expanse.Issue.certificate.subjectState | String | The subject state in the certificate |
| Expanse.Issue.certificate.validNotAfter | Date | The valid not after date in the certificate |
| Expanse.Issue.certificate.validNotBefore | Date | The valid not before date in the certificate |
| Expanse.Issue.certificate.version | String | The version in the certificate |
| Expanse.Issue.created | Date | When the issue instance was created |
| Expanse.Issue.domain | String | Domain name of the issue |
| Expanse.Issue.headline | String | A brief summary of the issue |
| Expanse.Issue.helpText | String | Why this type of issue should be avoided |
| Expanse.Issue.id | String | The internal Expanse ID of the issue |
| Expanse.Issue.initialEvidence.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.id | String | The Internal Expanse certificate ID in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuer | String | The issuer in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerCountry | String | The issuer country in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerEmail | String | The issuer email in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerLocality | String | The issuer locality in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerName | String | The issuer name in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerOrg | String | The issuer org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerOrgUnit | String | The issuer org unit in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerState | String | The issuer state in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.md5Hash | String | The md5hash in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.pemSha1 | String | The pemSha1 in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.pemSha256 | String | The pemSha256 in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKey | String | The public key in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyBits | Number | The public key bits in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyModulus | String | The public key modulus in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeySpki | String | The public key Spki in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.serialNumber | String | The serial number in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.signatureAlgorithm | String | The signature algorithm in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subject | String | The subject in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectCountry | String | The subject country in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectEmail | String | The subject email in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectLocality | String | The subject locality in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectName | String | The subject name in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectOrg | String | The subject org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectOrgUnit | String | The subject org unit in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectState | String | The subject state in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.validNotAfter | Date | The valid not after date in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.validNotBefore | Date | The valid not before date in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.version | String | The version in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.cipherSuite | String | The cipher suite in the initial observation |
| Expanse.Issue.initialEvidence.configuration._type | String | The type of configuration data in the initial observation |
| Expanse.Issue.initialEvidence.configuration.validWhenScanned | Boolean | Whether the configuration was valid in the initial observation |
| Expanse.Issue.initialEvidence.discoveryType | String | The discovery type in the initial observation |
| Expanse.Issue.initialEvidence.domain | String | The domain name in the initial observation |
| Expanse.Issue.initialEvidence.evidenceType | String | The evidence type of the initial observation |
| Expanse.Issue.initialEvidence.exposureId | String | The exposure ID in the initial observation |
| Expanse.Issue.initialEvidence.exposureType | String | The exposure type in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.latitude | Number | The latitude in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.longitude | Number | The longitude in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.city | String | The city name in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.regionCode | String | The region code in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.countryCode | String | The country code in the initial observation |
| Expanse.Issue.initialEvidence.ip | String | The IPv4 address in the initial observation |
| Expanse.Issue.initialEvidence.portNumber | Number | The port number in the initial observation |
| Expanse.Issue.initialEvidence.portProtocol | String | The port protocol in the initial observation |
| Expanse.Issue.initialEvidence.serviceId | String | The Service ID in the initial observation |
| Expanse.Issue.initialEvidence.serviceProperties.serviceProperties.name | String | The service property name in the initial observation |
| Expanse.Issue.initialEvidence.serviceProperties.serviceProperties.reason | String | The service property reason in the initial observation |
| Expanse.Issue.initialEvidence.timestamp | Date | The timestamp of the initial observation |
| Expanse.Issue.initialEvidence.tlsVersion | String | The TLS version found in the initial observation |
| Expanse.Issue.ip | String | The IPv4 address last associated with the issue |
| Expanse.Issue.issueType.archived | Boolean | Whether the issue type is archived |
| Expanse.Issue.issueType.id | String | The ID of the issue type |
| Expanse.Issue.issueType.name | String | The name of the issue type |
| Expanse.Issue.latestEvidence.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.id | String | The Internal Expanse certificate ID in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuer | String | The issuer in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerCountry | String | The issuer country in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerEmail | String | The issuer email in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerLocality | String | The issuer locality in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerName | String | The issuer name in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerOrg | String | The issuer org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerOrgUnit | String | The issuer org unit in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerState | String | The issuer state in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.md5Hash | String | The md5hash in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.pemSha1 | String | The pemSha1 in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.pemSha256 | String | The pemSha256 in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKey | String | The public key in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyBits | Number | The public key bits in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyModulus | String | The public key modulus in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeySpki | String | The public key Spki in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.serialNumber | String | The serial number in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.signatureAlgorithm | String | The signature algorithm in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subject | String | The subject in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectCountry | String | The subject country in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectEmail | String | The subject email in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectLocality | String | The subject locality in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectName | String | The subject name in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectOrg | String | The subject org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectOrgUnit | String | The subject org unit in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectState | String | The subject state in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.validNotAfter | Date | The valid not after date in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.validNotBefore | Date | The valid not before date in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.version | String | The version in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.cipherSuite | String | The cipher suite detected during the most recent observation |
| Expanse.Issue.latestEvidence.configuration._type | String | The type of configuration data in the most recent observation |
| Expanse.Issue.latestEvidence.configuration.validWhenScanned | Boolean | Whether the configuration was valid in the most recent observation |
| Expanse.Issue.latestEvidence.discoveryType | String | The discovery type in the most recent observation |
| Expanse.Issue.latestEvidence.domain | String | The domain name in the most recent observation |
| Expanse.Issue.latestEvidence.evidenceType | String | The evidence type of the most recent observation |
| Expanse.Issue.latestEvidence.exposureId | String | The exposure ID in the most recent observation |
| Expanse.Issue.latestEvidence.exposureType | String | The exposure type in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.latitude | Number | The latitude in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.longitude | Number | The longitude in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.city | String | The city name in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.regionCode | String | The region code in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.countryCode | String | The country code in the most recent observation |
| Expanse.Issue.latestEvidence.ip | String | The IPv4 address in the most recent observation |
| Expanse.Issue.latestEvidence.portNumber | Number | The port number in the most recent observation |
| Expanse.Issue.latestEvidence.portProtocol | String | The port protocol in the most recent observation |
| Expanse.Issue.latestEvidence.serviceId | String | The Service ID in the most recent observation |
| Expanse.Issue.latestEvidence.serviceProperties.serviceProperties.name | String | The service property name in the most recent observation |
| Expanse.Issue.latestEvidence.serviceProperties.serviceProperties.reason | String | The service property reason in the most recent observation |
| Expanse.Issue.latestEvidence.timestamp | Date | The timestamp of the most recent observation |
| Expanse.Issue.latestEvidence.tlsVersion | String | The TLS version found in the most recent observation |
| Expanse.Issue.modified | Date | The timestamp of when the issue was last modified |
| Expanse.Issue.portNumber | Number | The port number the issue was detected on |
| Expanse.Issue.portProtocol | String | The port protocol the issue was detected on |
| Expanse.Issue.priority | String | The priority of the issue |
| Expanse.Issue.progressStatus | String | The progress status of the issue |
| Expanse.Issue.providers.id | String | The ID of the provider the issue was detected on |
| Expanse.Issue.providers.name | String | The name of the provider the issue was detected on |

Command Example

!expanse-get-issues limit="1" provider="Amazon Web Services" sort="-created"

Context Example

{
"Expanse": {
"Issue": {
"activityStatus": "Active",
"annotations": {
"tags": []
},
"assets": [
{
"assetKey": "gdRHmkxmGwWpaUtAuge6IQ==",
"assetType": "Certificate",
"displayName": "*.thespeedyou.com",
"id": "724a1137-ee3f-381f-95f2-ea0441db22d0"
}
],
"assigneeUsername": "Unassigned",
"businessUnits": [
{
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev"
}
],
"category": "Attack Surface Reduction",
"certificate": {
"formattedIssuerOrg": "GeoTrust",
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "[omitted]",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"created": "2020-09-23T01:44:37.415249Z",
"domain": null,
"headline": "Insecure TLS at 52.6.192.223:443",
"helpText": "This service should not be visible on the public Internet.",
"id": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"initialEvidence": {
"certificate": {
"formattedIssuerOrg": null,
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "[omitted]",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"configuration": {
"_type": "WebServerConfiguration",
"applicationServerSoftware": "",
"certificateId": "74K3sPuBY6wi7US9poLZdg==",
"hasApplicationServerSoftware": false,
"hasServerSoftware": true,
"hasUnencryptedLogin": false,
"htmlPasswordAction": "",
"htmlPasswordField": "",
"httpAuthenticationMethod": "",
"httpAuthenticationRealm": "",
"httpHeaders": [
{
"name": "Set-Cookie",
"value": "JSESSIONID=6E9656EFE98ED2DD7447C779504A4994; Path=/; Secure; HttpOnly"
},
{
"name": "X-FRAME-OPTIONS",
"value": "DENY"
},
{
"name": "Content-Type",
"value": "text/html;charset=UTF-8"
},
{
"name": "Content-Language",
"value": "en-US"
},
{
"name": "Transfer-Encoding",
"value": "chunked"
},
{
"name": "Vary",
"value": "Accept-Encoding"
},
{
"name": "Date",
"value": "xxxxxxxxxx"
},
{
"name": "Server",
"value": "WSO2 Carbon Server"
}
],
"httpStatusCode": "200",
"isLoadBalancer": false,
"loadBalancer": "",
"loadBalancerPool": "",
"serverSoftware": "WSO2 Carbon Server"
},
"discoveryType": "DirectlyDiscovered",
"domain": null,
"evidenceType": "ScanEvidence",
"exposureId": "af2672a7-cf47-3a6d-9ecd-8c356d57d250",
"exposureType": "HTTP_SERVER",
"geolocation": null,
"ip": "52.6.192.223",
"portNumber": 443,
"portProtocol": "TCP",
"serviceId": "355452a1-a39b-369e-9aad-4ca129ec9422",
"serviceProperties": {
"serviceProperties": [
{
"name": "ExpiredWhenScannedCertificate",
"reason": "{\"validWhenScanned\":false}"
},
{
"name": "MissingCacheControlHeader",
"reason": null
},
{
"name": "MissingContentSecurityPolicyHeader",
"reason": null
},
{
"name": "MissingPublicKeyPinsHeader",
"reason": null
},
{
"name": "MissingStrictTransportSecurityHeader",
"reason": null
},
{
"name": "MissingXContentTypeOptionsHeader",
"reason": null
},
{
"name": "MissingXXssProtectionHeader",
"reason": null
},
{
"name": "ServerSoftware",
"reason": "{\"serverSoftware\":\"WSO2 Carbon Server\"}"
},
{
"name": "WildcardCertificate",
"reason": "{\"validWhenScanned\":false}"
}
]
},
"timestamp": "2020-08-24T00:00:00Z",
"tlsVersion": "TLS 1.2"
},
"ip": "52.6.192.223",
"issueType": {
"archived": null,
"id": "InsecureTLS",
"name": "Insecure TLS"
},
"latestEvidence": {
"certificate": {
"formattedIssuerOrg": null,
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "[omitted]",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"configuration": {
"_type": "WebServerConfiguration",
"applicationServerSoftware": "",
"certificateId": "74K3sPuBY6wi7US9poLZdg==",
"hasApplicationServerSoftware": false,
"hasServerSoftware": true,
"hasUnencryptedLogin": false,
"htmlPasswordAction": "",
"htmlPasswordField": "",
"httpAuthenticationMethod": "",
"httpAuthenticationRealm": "",
"httpHeaders": [
{
"name": "Set-Cookie",
"value": "JSESSIONID=E5948E498E58CFB6413087A3D3D2908C; Path=/; Secure; HttpOnly"
},
{
"name": "Location",
"value": "https://52.6.192.223/carbon/admin/index.jsp"
},
{
"name": "Content-Type",
"value": "text/html;charset=UTF-8"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Date",
"value": "xxxxxxxxxx"
},
{
"name": "Server",
"value": "WSO2 Carbon Server"
}
],
"httpStatusCode": "302",
"isLoadBalancer": false,
"loadBalancer": "",
"loadBalancerPool": "",
"serverSoftware": "WSO2 Carbon Server"
},
"discoveryType": "DirectlyDiscovered",
"domain": null,
"evidenceType": "ScanEvidence",
"exposureId": "af2672a7-cf47-3a6d-9ecd-8c356d57d250",
"exposureType": "HTTP_SERVER",
"geolocation": null,
"ip": "52.6.192.223",
"portNumber": 443,
"portProtocol": "TCP",
"serviceId": "355452a1-a39b-369e-9aad-4ca129ec9422",
"serviceProperties": {
"serviceProperties": [
{
"name": "ExpiredWhenScannedCertificate",
"reason": "{\"validWhenScanned\":false}"
},
{
"name": "ServerSoftware",
"reason": "{\"serverSoftware\":\"WSO2 Carbon Server\"}"
},
{
"name": "WildcardCertificate",
"reason": "{\"validWhenScanned\":false}"
}
]
},
"timestamp": "2020-09-22T00:00:00Z",
"tlsVersion": "TLS 1.2"
},
"modified": "2020-12-18T18:11:18.399257Z",
"portNumber": 443,
"portProtocol": "TCP",
"priority": "Medium",
"progressStatus": "InProgress",
"providers": [
{
"id": "AWS",
"name": "Amazon Web Services"
}
]
}
}
}

Human Readable Output

Expanse Issues

| Id | Headline | Issue Type | Category | Ip | Port Protocol | Port Number | Domain | Certificate | Priority | Progress Status | Activity Status | Providers | Assignee Username | Business Units | Created | Modified | Annotations | Assets | Help Text |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2b0ea80c-2277-34dd-9c55-005922ba640a | Insecure TLS at 52.6.192.223:443 | id: InsecureTLS<br>name: Insecure TLS<br>archived: null | Attack Surface Reduction | 52.6.192.223 | TCP | 443 |  | id: 81d4479a-4c66-3b05-a969-4b40ba07ba21<br>md5Hash: gdRHmkxmGwWpaUtAuge6IQ==<br>issuer: C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3<br>issuerAlternativeNames:<br>issuerCountry: US<br>issuerEmail: null<br>issuerLocality: null<br>issuerName: GeoTrust SSL CA - G3<br>issuerOrg: GeoTrust Inc.<br>formattedIssuerOrg: GeoTrust<br>issuerOrgUnit: null<br>issuerState: null<br>publicKey: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB<br>publicKeyAlgorithm: RSA<br>publicKeyRsaExponent: 65537<br>signatureAlgorithm: SHA256withRSA<br>subject: C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com<br>subjectAlternativeNames: *.thespeedyou.com thespeedyou.com<br>subjectCountry: IN<br>subjectEmail: null<br>subjectLocality: Pune<br>subjectName: *.thespeedyou.com<br>subjectOrg: Sears IT and Management Services India Pvt. Ltd.<br>subjectOrgUnit: Management Services<br>subjectState: Maharashtra<br>serialNumber: 34287766128589078095374161204025316200<br>validNotBefore: 2015-01-19T00:00:00Z<br>validNotAfter: 2017-01-18T23:59:59Z<br>version: 3<br>publicKeyBits: 2048<br>pemSha256: w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=<br>pemSha1: p0y_sHlFdp5rPOw8aWrH2Qc331Q=<br>publicKeyModulus: ...<br>publicKeySpki: 5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA= | Medium | InProgress | Active | {'id': 'AWS', 'name': 'Amazon Web Services'} | Unassigned | {'id': 'f738ace6-f451-4f31-898d-a12afa204b2a', 'name': 'PANW VanDelay Dev'} | 2020-09-23T01:44:37.415249Z | 2020-12-18T18:11:18.399257Z | tags: | {'id': '724a1137-ee3f-381f-95f2-ea0441db22d0', 'assetKey': 'gdRHmkxmGwWpaUtAuge6IQ==', 'assetType': 'Certificate', 'displayName': '*.thespeedyou.com'} | This service should not be visible on the public Internet. |
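The latestEvidence object in the context example above carries the signals behind the "Insecure TLS" headline: the cipher suite, the certificate validity window, and serviceProperties entries whose reason values are JSON-encoded strings. The following Python is an added example, not part of the integration's code, that decodes those fields into a list of findings; the finding labels, the weak-cipher token list and the deprecated TLS version strings are assumptions made for this illustration.

```python
import json
from datetime import datetime, timezone

# Assumed token list for cipher suites to flag; not taken from Expanse documentation.
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")
# Assumed spellings, modelled on the "TLS 1.2" value shown in the context example.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLS 1.0", "TLS 1.1"}

# Constructed sample: latestEvidence fields copied from the context example above.
SAMPLE_ISSUE = {
    "id": "2b0ea80c-2277-34dd-9c55-005922ba640a",
    "latestEvidence": {
        "certificate": {
            "subjectName": "*.thespeedyou.com",
            "validNotAfter": "2017-01-18T23:59:59Z",
            "validNotBefore": "2015-01-19T00:00:00Z",
        },
        "cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "serviceProperties": {
            "serviceProperties": [
                {"name": "ExpiredWhenScannedCertificate", "reason": '{"validWhenScanned":false}'},
                {"name": "ServerSoftware", "reason": '{"serverSoftware":"WSO2 Carbon Server"}'},
                {"name": "WildcardCertificate", "reason": '{"validWhenScanned":false}'},
            ]
        },
        "timestamp": "2020-09-22T00:00:00Z",
        "tlsVersion": "TLS 1.2",
    },
}


def parse_ts(value):
    """Parse the whole-second UTC timestamps used for evidence and certificates."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_service_properties(evidence):
    """Map each service property name to its decoded reason (a JSON string on the wire)."""
    props = (evidence.get("serviceProperties") or {}).get("serviceProperties") or []
    decoded = {}
    for prop in props:
        reason = prop.get("reason")
        try:
            value = json.loads(reason) if reason else {}
        except (TypeError, ValueError):
            value = None
        # Keep undecodable or non-object reasons as raw text instead of failing.
        decoded[prop.get("name")] = value if isinstance(value, dict) else {"raw": reason}
    return decoded


def tls_findings(issue):
    """Return finding labels derived from an Expanse.Issue latestEvidence object."""
    evidence = issue.get("latestEvidence") or {}
    cert = evidence.get("certificate") or {}
    props = decode_service_properties(evidence)
    findings = []

    # Expiry is judged against the scan timestamp, not against "now".
    not_after, seen = cert.get("validNotAfter"), evidence.get("timestamp")
    if not_after and seen and parse_ts(not_after) < parse_ts(seen):
        days = (parse_ts(seen) - parse_ts(not_after)).days
        findings.append(f"certificate_expired_at_scan:{days}d")
    elif "ExpiredWhenScannedCertificate" in props:
        findings.append("certificate_expired_at_scan:flag_only")

    # Token match avoids false hits such as "DES" inside "3DES".
    tokens = set((evidence.get("cipherSuite") or "").split("_"))
    findings.extend(f"weak_cipher:{t}" for t in WEAK_CIPHER_TOKENS if t in tokens)

    if evidence.get("tlsVersion") in DEPRECATED_TLS:
        findings.append(f"deprecated_tls:{evidence['tlsVersion']}")

    if "WildcardCertificate" in props or (cert.get("subjectName") or "").startswith("*."):
        findings.append("wildcard_certificate")

    software = props.get("ServerSoftware", {}).get("serverSoftware")
    if software:
        findings.append(f"server_software:{software}")
    return findings


if __name__ == "__main__":
    for finding in tls_findings(SAMPLE_ISSUE):
        print(finding)
```
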

expanse-get-issue-updates

Retrieve updates for an Expanse issue.

Base Command

expanse-get-issue-updates

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Expanse issue ID to retrieve updates for. | Required |
| update_types | Update types to retrieve (comma-separated string). Valid options are 'Assignee', 'Comment', 'Priority', 'ProgressStatus', 'ActivityStatus'. | Optional |
| created_after | Returns only updates created after the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |
| limit | Maximum number of results to retrieve. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IssueUpdate.created | Date | The timestamp of when the Issue update occurred |
| Expanse.IssueUpdate.id | String | The unique ID of the issue update event |
| Expanse.IssueUpdate.issue_id | String | The unique ID of the issue that was updated |
| Expanse.IssueUpdate.previousValue | String | The previous value of the field that was updated |
| Expanse.IssueUpdate.updateType | String | The type of update that occurred, valid types are ProgressStatus, ActivityStatus, Priority, Assignee, and Comment |
| Expanse.IssueUpdate.user.username | String | The username of the user who made the update |
| Expanse.IssueUpdate.value | String | The new value of the field that was updated |

Command Example

!expanse-get-issue-updates issue_id="2b0ea80c-2277-34dd-9c55-005922ba640a" update_types="Comment,ProgressStatus" created_after="2020-12-07T09:34:36.20917328Z" limit="2"

Context Example

{
"Expanse": {
"IssueUpdate": [
{
"created": "2020-12-18T18:13:21.301817Z",
"id": "b3825b75-97c5-488b-bc1e-e6347fa8ff23",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": {
"username": "demo+api.external.vandelay+panw@expanseinc.com"
},
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:13:24.311442Z",
"id": "2577ff9b-43bf-4472-b2a5-c4eaec79a5ce",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": "InProgress",
"updateType": "ProgressStatus",
"user": {
"username": "demo+api.external.vandelay+panw@expanseinc.com"
},
"value": "InProgress"
}
]
}
}

Human Readable Output

Results

| created | id | issueId | previousValue | updateType | user | value |
| --- | --- | --- | --- | --- | --- | --- |
| 2020-12-18T18:13:21.301817Z | b3825b75-97c5-488b-bc1e-e6347fa8ff23 | 2b0ea80c-2277-34dd-9c55-005922ba640a |  | Comment | username: demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment |
| 2020-12-18T18:13:24.311442Z | 2577ff9b-43bf-4472-b2a5-c4eaec79a5ce | 2b0ea80c-2277-34dd-9c55-005922ba640a | InProgress | ProgressStatus | username: demo+api.external.vandelay+panw@expanseinc.com | InProgress |

expanse-get-issue-comments

Retrieve issue comments (subset of updates)

Base Command

expanse-get-issue-comments

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Expanse issue ID to retrieve updates for. | Required |
| created_after | Returns only comments created after the provided timestamp (ISO8601 format YYYY-MM-DDTHH:MM:SSZ). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IssueComment.created | Date | The timestamp of when the Issue update occurred |
| Expanse.IssueComment.id | String | The unique ID of the issue update event |
| Expanse.IssueComment.issue_id | String | The unique ID of the issue that was updated |
| Expanse.IssueComment.previousValue | String | The previous value of the field that was updated |
| Expanse.IssueComment.updateType | String | The type of update that occurred, valid types are ProgressStatus, ActivityStatus, Priority, Assignee, and Comment |
| Expanse.IssueComment.user.username | String | The username of the user who made the update |
| Expanse.IssueComment.value | String | The new value of the field that was updated |

Command Example

!expanse-get-issue-comments issue_id="2b0ea80c-2277-34dd-9c55-005922ba640a" created_after="2020-12-07T09:34:36.20917328Z"

Context Example

{
"Expanse": {
"IssueComment": [
{
"created": "2020-12-07T10:53:31.168649Z",
"id": "4f764ed5-1a51-413c-94b4-ec50cae9b8ba",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-07T11:03:05.724596Z",
"id": "b51b0312-e2c0-41f3-b59c-fe5da4167ebd",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-07T12:02:37.202021Z",
"id": "faf8840f-c41a-4049-9fd4-58e6bd039fc7",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-07T12:17:31.781217Z",
"id": "dcf95534-851b-432b-afe6-8898f89043b2",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-14T18:31:39.117534Z",
"id": "f246ed63-9ae2-4d12-88aa-2e8ec383c56f",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:03:30.331013Z",
"id": "97a5e56c-2363-4aaa-a869-d007f74de97a",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:04:06.920178Z",
"id": "58c76133-70a0-40f0-b1af-11abbd51ae46",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:08:11.503224Z",
"id": "9ccac6c8-1a15-4f79-8de2-0e068713d3b4",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:11:15.311531Z",
"id": "60e0f9af-a622-49d2-a394-7ec28e349eb0",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
},
{
"created": "2020-12-18T18:13:21.301817Z",
"id": "b3825b75-97c5-488b-bc1e-e6347fa8ff23",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": "demo+api.external.vandelay+panw@expanseinc.com",
"value": "XSOAR Test Playbook Comment"
}
]
}
}

Human Readable Output

Expanse Issue Comments

| User | Value | Created |
| --- | --- | --- |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-07T10:53:31.168649Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-07T11:03:05.724596Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-07T12:02:37.202021Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-07T12:17:31.781217Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-14T18:31:39.117534Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-18T18:03:30.331013Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-18T18:04:06.920178Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-18T18:08:11.503224Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-18T18:11:15.311531Z |
| demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment | 2020-12-18T18:13:21.301817Z |
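The two context examples above return the same kind of record in different shapes: IssueUpdate entries carry `user` as an object with a `username` key, IssueComment entries carry it as a plain string, and one sample update records a ProgressStatus change from InProgress to InProgress. The Python below is an added example, not part of the integration, that merges both outputs into one timeline and derives the next `created_after` value for polling; the function names and the choice to drop unchanged field updates are assumptions of this example.

```python
from datetime import datetime, timezone

USER = "demo+api.external.vandelay+panw@expanseinc.com"
ISSUE = "2b0ea80c-2277-34dd-9c55-005922ba640a"

# Constructed samples: entries copied from the two context examples above.
SAMPLE_UPDATES = [
    {"created": "2020-12-18T18:13:21.301817Z", "id": "b3825b75-97c5-488b-bc1e-e6347fa8ff23",
     "issueId": ISSUE, "previousValue": None, "updateType": "Comment",
     "user": {"username": USER}, "value": "XSOAR Test Playbook Comment"},
    {"created": "2020-12-18T18:13:24.311442Z", "id": "2577ff9b-43bf-4472-b2a5-c4eaec79a5ce",
     "issueId": ISSUE, "previousValue": "InProgress", "updateType": "ProgressStatus",
     "user": {"username": USER}, "value": "InProgress"},
]
SAMPLE_COMMENTS = [
    {"created": "2020-12-18T18:11:15.311531Z", "id": "60e0f9af-a622-49d2-a394-7ec28e349eb0",
     "issueId": ISSUE, "previousValue": None, "updateType": "Comment",
     "user": USER, "value": "XSOAR Test Playbook Comment"},
    {"created": "2020-12-18T18:13:21.301817Z", "id": "b3825b75-97c5-488b-bc1e-e6347fa8ff23",
     "issueId": ISSUE, "previousValue": None, "updateType": "Comment",
     "user": USER, "value": "XSOAR Test Playbook Comment"},
]


def parse_created(value):
    """Parse a 'created' timestamp; fractions longer than microseconds are truncated."""
    base, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        parsed = parsed.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return parsed


def normalize_update(entry):
    """Flatten one IssueUpdate or IssueComment entry, whichever shape `user` has."""
    user = entry.get("user")
    return {
        "id": entry["id"],
        "issue_id": entry.get("issueId"),
        "type": entry.get("updateType"),
        "user": user.get("username") if isinstance(user, dict) else user,
        "previous": entry.get("previousValue"),
        "value": entry.get("value"),
        "created": parse_created(entry["created"]),
    }


def merge_updates(*batches):
    """Merge batches into one timeline: dedupe by id, drop unchanged field updates."""
    seen = {}
    for batch in batches:
        if isinstance(batch, dict):  # expanse-update-issue returns a single object
            batch = [batch]
        for entry in batch or []:
            item = normalize_update(entry)
            if item["type"] != "Comment" and item["previous"] == item["value"]:
                continue  # the field did not actually change
            seen.setdefault(item["id"], item)
    return sorted(seen.values(), key=lambda item: item["created"])


def next_created_after(items, fallback):
    """Value for created_after on the next poll, in the documented YYYY-MM-DDTHH:MM:SSZ form.

    Truncating to whole seconds can return the newest entry again on the next
    poll; merge_updates removes that duplicate by id, so nothing is missed.
    """
    if not items:
        return fallback
    newest = max(item["created"] for item in items)
    return newest.replace(microsecond=0).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    timeline = merge_updates(SAMPLE_UPDATES, SAMPLE_COMMENTS)
    for item in timeline:
        print(item["created"].isoformat(), item["type"], item["user"], item["value"])
    print("next created_after:", next_created_after(timeline, "2020-12-07T09:34:36Z"))
```
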

expanse-update-issue

Update a property of an Expanse issue.

Base Command

expanse-update-issue

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Expanse issue ID to update. | Required |
| update_type | Type of update. Possible values are: Assignee, Comment, Priority, ProgressStatus. | Required |
| value | Updated value. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IssueUpdate.created | Date | The timestamp of when the Issue update occurred |
| Expanse.IssueUpdate.id | String | The unique ID of the issue update event |
| Expanse.IssueUpdate.issue_id | String | The unique ID of the issue that was updated |
| Expanse.IssueUpdate.previousValue | String | The previous value of the field that was updated |
| Expanse.IssueUpdate.updateType | String | The type of update that occurred, valid types are ProgressStatus, ActivityStatus, Priority, Assignee, and Comment |
| Expanse.IssueUpdate.user.username | String | The username of the user who made the update |
| Expanse.IssueUpdate.value | String | The new value of the field that was updated |

Command Example

!expanse-update-issue issue_id="2b0ea80c-2277-34dd-9c55-005922ba640a" update_type="Comment" value="XSOAR Test Playbook Comment"

Context Example

{
"Expanse": {
"IssueUpdate": {
"created": "2020-12-18T18:13:21.301817Z",
"id": "b3825b75-97c5-488b-bc1e-e6347fa8ff23",
"issueId": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"previousValue": null,
"updateType": "Comment",
"user": {
"username": "demo+api.external.vandelay+panw@expanseinc.com"
},
"value": "XSOAR Test Playbook Comment"
}
}
}

Human Readable Output

Results

| created | id | issueId | previousValue | updateType | user | value |
| --- | --- | --- | --- | --- | --- | --- |
| 2020-12-18T18:13:21.301817Z | b3825b75-97c5-488b-bc1e-e6347fa8ff23 | 2b0ea80c-2277-34dd-9c55-005922ba640a |  | Comment | username: demo+api.external.vandelay+panw@expanseinc.com | XSOAR Test Playbook Comment |

expanse-get-issue

Retrieve Expanse issue by issue ID.

Base Command

expanse-get-issue

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | ID of the Expanse issue to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Issue.activityStatus | String | Activity status of issue, whether the issue is active or inactive |
| Expanse.Issue.annotations.tags.id | String | The Internal Expanse tag id of the customer added tag |
| Expanse.Issue.annotations.tags.name | String | The tag name of the customer added tag |
| Expanse.Issue.assets.assetKey | String | Key used to access the asset in the respective Expanse asset API |
| Expanse.Issue.assets.assetType | String | The type of asset the issue primarily relates to |
| Expanse.Issue.assets.displayName | String | A friendly name for the asset |
| Expanse.Issue.assets.id | String | Internal Expanse ID of the asset |
| Expanse.Issue.assigneeUsername | String | The username of the user that has been assigned to the issue |
| Expanse.Issue.businessUnits.id | String | The internal Expanse ID for the business unit the affected asset belongs to |
| Expanse.Issue.businessUnits.name | String | The name of the business unit the affected asset belongs to |
| Expanse.Issue.category | String | The general category of the issue |
| Expanse.Issue.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate |
| Expanse.Issue.certificate.id | String | The Internal Expanse certificate ID |
| Expanse.Issue.certificate.issuer | String | The issuer in the certificate |
| Expanse.Issue.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate |
| Expanse.Issue.certificate.issuerCountry | String | The issuer country in the certificate |
| Expanse.Issue.certificate.issuerEmail | String | The issuer email in the certificate |
| Expanse.Issue.certificate.issuerLocality | String | The issuer locality in the certificate |
| Expanse.Issue.certificate.issuerName | String | The issuer name in the certificate |
| Expanse.Issue.certificate.issuerOrg | String | The issuer org in the certificate |
| Expanse.Issue.certificate.issuerOrgUnit | String | The issuer org unit in the certificate |
| Expanse.Issue.certificate.issuerState | String | The issuer state in the certificate |
| Expanse.Issue.certificate.md5Hash | String | The md5hash in the certificate |
| Expanse.Issue.certificate.pemSha1 | String | The pemSha1 in the certificate |
| Expanse.Issue.certificate.pemSha256 | String | The pemSha256 in the certificate |
| Expanse.Issue.certificate.publicKey | String | The public key in the certificate |
| Expanse.Issue.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate |
| Expanse.Issue.certificate.publicKeyBits | Number | The public key bits in the certificate |
| Expanse.Issue.certificate.publicKeyModulus | String | The public key modulus in the certificate |
| Expanse.Issue.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate |
| Expanse.Issue.certificate.publicKeySpki | String | The public key Spki in the certificate |
| Expanse.Issue.certificate.serialNumber | String | The serial number in the certificate |
| Expanse.Issue.certificate.signatureAlgorithm | String | The signature algorithm in the certificate |
| Expanse.Issue.certificate.subject | String | The subject in the certificate |
| Expanse.Issue.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate |
| Expanse.Issue.certificate.subjectCountry | String | The subject country in the certificate |
| Expanse.Issue.certificate.subjectEmail | String | The subject email in the certificate |
| Expanse.Issue.certificate.subjectLocality | String | The subject locality in the certificate |
| Expanse.Issue.certificate.subjectName | String | The subject name in the certificate |
| Expanse.Issue.certificate.subjectOrg | String | The subject org in the certificate |
| Expanse.Issue.certificate.subjectOrgUnit | String | The subject org unit in the certificate |
| Expanse.Issue.certificate.subjectState | String | The subject state in the certificate |
| Expanse.Issue.certificate.validNotAfter | Date | The valid not after date in the certificate |
| Expanse.Issue.certificate.validNotBefore | Date | The valid not before date in the certificate |
| Expanse.Issue.certificate.version | String | The version in the certificate |
| Expanse.Issue.created | Date | When the issue instance was created |
| Expanse.Issue.domain | String | Domain name of the issue |
| Expanse.Issue.headline | String | A brief summary of the issue |
| Expanse.Issue.helpText | String | Explanation of why this type of issue should be avoided |
| Expanse.Issue.id | String | The internal Expanse ID of the issue |
| Expanse.Issue.initialEvidence.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.id | String | The Internal Expanse certificate ID in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuer | String | The issuer in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerCountry | String | The issuer country in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerEmail | String | The issuer email in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerLocality | String | The issuer locality in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerName | String | The issuer name in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerOrg | String | The issuer org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerOrgUnit | String | The issuer org unit in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.issuerState | String | The issuer state in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.md5Hash | String | The md5hash in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.pemSha1 | String | The pemSha1 in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.pemSha256 | String | The pemSha256 in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKey | String | The public key in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyBits | Number | The public key bits in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyModulus | String | The public key modulus in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.publicKeySpki | String | The public key Spki in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.serialNumber | String | The serial number in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.signatureAlgorithm | String | The signature algorithm in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subject | String | The subject in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectCountry | String | The subject country in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectEmail | String | The subject email in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectLocality | String | The subject locality in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectName | String | The subject name in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectOrg | String | The subject org in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectOrgUnit | String | The subject org unit in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.subjectState | String | The subject state in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.validNotAfter | Date | The valid not after date in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.validNotBefore | Date | The valid not before date in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.certificate.version | String | The version in the certificate in the initial observation |
| Expanse.Issue.initialEvidence.cipherSuite | String | The cipher suite in the initial observation |
| Expanse.Issue.initialEvidence.configuration._type | String | The type of configuration data in the initial observation |
| Expanse.Issue.initialEvidence.configuration.validWhenScanned | Boolean | Whether the configuration was valid in the initial observation |
| Expanse.Issue.initialEvidence.discoveryType | String | The discovery type in the initial observation |
| Expanse.Issue.initialEvidence.domain | String | The domain name in the initial observation |
| Expanse.Issue.initialEvidence.evidenceType | String | The evidence type of the initial observation |
| Expanse.Issue.initialEvidence.exposureId | String | The exposure ID in the initial observation |
| Expanse.Issue.initialEvidence.exposureType | String | The exposure type in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.latitude | Number | The latitude in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.longitude | Number | The longitude in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.city | String | The city name in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.regionCode | String | The region code in the initial observation |
| Expanse.Issue.initialEvidence.geolocation.countryCode | String | The country code in the initial observation |
| Expanse.Issue.initialEvidence.ip | String | The IPv4 address in the initial observation |
| Expanse.Issue.initialEvidence.portNumber | Number | The port number in the initial observation |
| Expanse.Issue.initialEvidence.portProtocol | String | The port protocol in the initial observation |
| Expanse.Issue.initialEvidence.serviceId | String | The Service ID in the initial observation |
| Expanse.Issue.initialEvidence.serviceProperties.serviceProperties.name | String | The service property name in the initial observation |
| Expanse.Issue.initialEvidence.serviceProperties.serviceProperties.reason | String | The service property reason in the initial observation |
| Expanse.Issue.initialEvidence.timestamp | Date | The timestamp of the initial observation |
| Expanse.Issue.initialEvidence.tlsVersion | String | The TLS version found in the initial observation |
| Expanse.Issue.ip | String | The IPv4 address last associated with the issue |
| Expanse.Issue.issueType.archived | Boolean | Whether the issue type is archived |
| Expanse.Issue.issueType.id | String | The ID of the issue type |
| Expanse.Issue.issueType.name | String | The name of the issue type |
| Expanse.Issue.latestEvidence.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.id | String | The Internal Expanse certificate ID in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuer | String | The issuer in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerCountry | String | The issuer country in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerEmail | String | The issuer email in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerLocality | String | The issuer locality in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerName | String | The issuer name in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerOrg | String | The issuer org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerOrgUnit | String | The issuer org unit in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.issuerState | String | The issuer state in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.md5Hash | String | The md5hash in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.pemSha1 | String | The pemSha1 in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.pemSha256 | String | The pemSha256 in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKey | String | The public key in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyBits | Number | The public key bits in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyModulus | String | The public key modulus in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.publicKeySpki | String | The public key Spki in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.serialNumber | String | The serial number in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.signatureAlgorithm | String | The signature algorithm in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subject | String | The subject in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectCountry | String | The subject country in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectEmail | String | The subject email in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectLocality | String | The subject locality in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectName | String | The subject name in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectOrg | String | The subject org in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectOrgUnit | String | The subject org unit in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.subjectState | String | The subject state in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.validNotAfter | Date | The valid not after date in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.validNotBefore | Date | The valid not before date in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.certificate.version | String | The version in the certificate in the most recent observation |
| Expanse.Issue.latestEvidence.cipherSuite | String | The cipher suite detected during the most recent observation |
| Expanse.Issue.latestEvidence.configuration._type | String | The type of configuration data in the most recent observation |
| Expanse.Issue.latestEvidence.configuration.validWhenScanned | Boolean | Whether the configuration was valid in the most recent observation |
| Expanse.Issue.latestEvidence.discoveryType | String | The discovery type in the most recent observation |
| Expanse.Issue.latestEvidence.domain | String | The domain name in the most recent observation |
| Expanse.Issue.latestEvidence.evidenceType | String | The evidence type of the most recent observation |
| Expanse.Issue.latestEvidence.exposureId | String | The exposure ID in the most recent observation |
| Expanse.Issue.latestEvidence.exposureType | String | The exposure type in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.latitude | Number | The latitude in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.longitude | Number | The longitude in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.city | String | The city name in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.regionCode | String | The region code in the most recent observation |
| Expanse.Issue.latestEvidence.geolocation.countryCode | String | The country code in the most recent observation |
| Expanse.Issue.latestEvidence.ip | String | The IPv4 address in the most recent observation |
| Expanse.Issue.latestEvidence.portNumber | Number | The port number in the most recent observation |
| Expanse.Issue.latestEvidence.portProtocol | String | The port protocol in the most recent observation |
| Expanse.Issue.latestEvidence.serviceId | String | The Service ID in the most recent observation |
| Expanse.Issue.latestEvidence.serviceProperties.serviceProperties.name | String | The service property name in the most recent observation |
| Expanse.Issue.latestEvidence.serviceProperties.serviceProperties.reason | String | The service property reason in the most recent observation |
| Expanse.Issue.latestEvidence.timestamp | Date | The timestamp of the most recent observation |
| Expanse.Issue.latestEvidence.tlsVersion | String | The TLS version found in the most recent observation |
| Expanse.Issue.modified | Date | The timestamp of when the issue was last modified |
| Expanse.Issue.portNumber | Number | The port number the issue was detected on |
| Expanse.Issue.portProtocol | String | The port protocol the issue was detected on |
| Expanse.Issue.priority | String | The priority of the issue |
| Expanse.Issue.progressStatus | String | The progress status of the issue |
| Expanse.Issue.providers.id | String | The ID of the provider the issue was detected on |
| Expanse.Issue.providers.name | String | The name of the provider the issue was detected on |

Command Example

!expanse-get-issue issue_id="2b0ea80c-2277-34dd-9c55-005922ba640a"

Context Example

{
"Expanse": {
"Issue": {
"activityStatus": "Active",
"annotations": {
"tags": []
},
"assets": [
{
"assetKey": "gdRHmkxmGwWpaUtAuge6IQ==",
"assetType": "Certificate",
"displayName": "*.thespeedyou.com",
"id": "724a1137-ee3f-381f-95f2-ea0441db22d0"
}
],
"assigneeUsername": "Unassigned",
"businessUnits": [
{
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev"
}
],
"category": "Attack Surface Reduction",
"certificate": {
"formattedIssuerOrg": "GeoTrust",
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "...",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"created": "2020-09-23T01:44:37.415249Z",
"domain": null,
"headline": "Insecure TLS at 52.6.192.223:443",
"helpText": "This service should not be visible on the public Internet.",
"id": "2b0ea80c-2277-34dd-9c55-005922ba640a",
"initialEvidence": {
"certificate": {
"formattedIssuerOrg": null,
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "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",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"configuration": {
"_type": "WebServerConfiguration",
"applicationServerSoftware": "",
"certificateId": "74K3sPuBY6wi7US9poLZdg==",
"hasApplicationServerSoftware": false,
"hasServerSoftware": true,
"hasUnencryptedLogin": false,
"htmlPasswordAction": "",
"htmlPasswordField": "",
"httpAuthenticationMethod": "",
"httpAuthenticationRealm": "",
"httpHeaders": [
{
"name": "Set-Cookie",
"value": "JSESSIONID=6E9656EFE98ED2DD7447C779504A4994; Path=/; Secure; HttpOnly"
},
{
"name": "X-FRAME-OPTIONS",
"value": "DENY"
},
{
"name": "Content-Type",
"value": "text/html;charset=UTF-8"
},
{
"name": "Content-Language",
"value": "en-US"
},
{
"name": "Transfer-Encoding",
"value": "chunked"
},
{
"name": "Vary",
"value": "Accept-Encoding"
},
{
"name": "Date",
"value": "xxxxxxxxxx"
},
{
"name": "Server",
"value": "WSO2 Carbon Server"
}
],
"httpStatusCode": "200",
"isLoadBalancer": false,
"loadBalancer": "",
"loadBalancerPool": "",
"serverSoftware": "WSO2 Carbon Server"
},
"discoveryType": "DirectlyDiscovered",
"domain": null,
"evidenceType": "ScanEvidence",
"exposureId": "af2672a7-cf47-3a6d-9ecd-8c356d57d250",
"exposureType": "HTTP_SERVER",
"geolocation": null,
"ip": "52.6.192.223",
"portNumber": 443,
"portProtocol": "TCP",
"serviceId": "355452a1-a39b-369e-9aad-4ca129ec9422",
"serviceProperties": {
"serviceProperties": [
{
"name": "ExpiredWhenScannedCertificate",
"reason": "{\"validWhenScanned\":false}"
},
{
"name": "MissingCacheControlHeader",
"reason": null
},
{
"name": "MissingContentSecurityPolicyHeader",
"reason": null
},
{
"name": "MissingPublicKeyPinsHeader",
"reason": null
},
{
"name": "MissingStrictTransportSecurityHeader",
"reason": null
},
{
"name": "MissingXContentTypeOptionsHeader",
"reason": null
},
{
"name": "MissingXXssProtectionHeader",
"reason": null
},
{
"name": "ServerSoftware",
"reason": "{\"serverSoftware\":\"WSO2 Carbon Server\"}"
},
{
"name": "WildcardCertificate",
"reason": "{\"validWhenScanned\":false}"
}
]
},
"timestamp": "2020-08-24T00:00:00Z",
"tlsVersion": "TLS 1.2"
},
"ip": "52.6.192.223",
"issueType": {
"archived": null,
"id": "InsecureTLS",
"name": "Insecure TLS"
},
"latestEvidence": {
"certificate": {
"formattedIssuerOrg": null,
"id": "81d4479a-4c66-3b05-a969-4b40ba07ba21",
"issuer": "C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3",
"issuerAlternativeNames": "",
"issuerCountry": "US",
"issuerEmail": null,
"issuerLocality": null,
"issuerName": "GeoTrust SSL CA - G3",
"issuerOrg": "GeoTrust Inc.",
"issuerOrgUnit": null,
"issuerState": null,
"md5Hash": "gdRHmkxmGwWpaUtAuge6IQ==",
"pemSha1": "p0y_sHlFdp5rPOw8aWrH2Qc331Q=",
"pemSha256": "w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=",
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 2048,
"publicKeyModulus": "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",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=",
"serialNumber": "34287766128589078095374161204025316200",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com",
"subjectAlternativeNames": "*.thespeedyou.com thespeedyou.com",
"subjectCountry": "IN",
"subjectEmail": null,
"subjectLocality": "Pune",
"subjectName": "*.thespeedyou.com",
"subjectOrg": "Sears IT and Management Services India Pvt. Ltd.",
"subjectOrgUnit": "Management Services",
"subjectState": "Maharashtra",
"validNotAfter": "2017-01-18T23:59:59Z",
"validNotBefore": "2015-01-19T00:00:00Z",
"version": "3"
},
"cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"configuration": {
"_type": "WebServerConfiguration",
"applicationServerSoftware": "",
"certificateId": "74K3sPuBY6wi7US9poLZdg==",
"hasApplicationServerSoftware": false,
"hasServerSoftware": true,
"hasUnencryptedLogin": false,
"htmlPasswordAction": "",
"htmlPasswordField": "",
"httpAuthenticationMethod": "",
"httpAuthenticationRealm": "",
"httpHeaders": [
{
"name": "Set-Cookie",
"value": "JSESSIONID=E5948E498E58CFB6413087A3D3D2908C; Path=/; Secure; HttpOnly"
},
{
"name": "Location",
"value": "https://52.6.192.223/carbon/admin/index.jsp"
},
{
"name": "Content-Type",
"value": "text/html;charset=UTF-8"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Date",
"value": "xxxxxxxxxx"
},
{
"name": "Server",
"value": "WSO2 Carbon Server"
}
],
"httpStatusCode": "302",
"isLoadBalancer": false,
"loadBalancer": "",
"loadBalancerPool": "",
"serverSoftware": "WSO2 Carbon Server"
},
"discoveryType": "DirectlyDiscovered",
"domain": null,
"evidenceType": "ScanEvidence",
"exposureId": "af2672a7-cf47-3a6d-9ecd-8c356d57d250",
"exposureType": "HTTP_SERVER",
"geolocation": null,
"ip": "52.6.192.223",
"portNumber": 443,
"portProtocol": "TCP",
"serviceId": "355452a1-a39b-369e-9aad-4ca129ec9422",
"serviceProperties": {
"serviceProperties": [
{
"name": "ExpiredWhenScannedCertificate",
"reason": "{\"validWhenScanned\":false}"
},
{
"name": "ServerSoftware",
"reason": "{\"serverSoftware\":\"WSO2 Carbon Server\"}"
},
{
"name": "WildcardCertificate",
"reason": "{\"validWhenScanned\":false}"
}
]
},
"timestamp": "2020-09-22T00:00:00Z",
"tlsVersion": "TLS 1.2"
},
"modified": "2020-12-18T18:13:24.311442Z",
"portNumber": 443,
"portProtocol": "TCP",
"priority": "Medium",
"progressStatus": "InProgress",
"providers": [
{
"id": "AWS",
"name": "Amazon Web Services"
}
]
}
}
}
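
The following Python is an added example, not code from the integration: it reads the `Expanse.Issue` context shown above and pulls out what an analyst checks first on an Insecure TLS issue (weak cipher, how long the certificate had been expired at scan time, and which `serviceProperties` changed between `initialEvidence` and `latestEvidence`). The function name `triage_issue`, its output keys and the weak-cipher marker list are assumptions of this example; the sample input is a trimmed copy of the context above.

```python
from datetime import datetime, timezone

INITIAL_PROPS = (
    "ExpiredWhenScannedCertificate", "MissingCacheControlHeader",
    "MissingContentSecurityPolicyHeader", "MissingPublicKeyPinsHeader",
    "MissingStrictTransportSecurityHeader", "MissingXContentTypeOptionsHeader",
    "MissingXXssProtectionHeader", "ServerSoftware", "WildcardCertificate",
)
LATEST_PROPS = ("ExpiredWhenScannedCertificate", "ServerSoftware", "WildcardCertificate")


def _evidence(timestamp, status, props):
    """Build one trimmed evidence object in the shape of the context example."""
    return {
        "timestamp": timestamp,
        "cipherSuite": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "tlsVersion": "TLS 1.2",
        "certificate": {"subjectName": "*.thespeedyou.com",
                        "validNotAfter": "2017-01-18T23:59:59Z"},
        "configuration": {"httpStatusCode": status},
        "serviceProperties": {"serviceProperties": [{"name": n} for n in props]},
    }


# Trimmed copy of the Expanse.Issue context example (only the fields read below).
SAMPLE_ISSUE = {
    "id": "2b0ea80c-2277-34dd-9c55-005922ba640a",
    "ip": "52.6.192.223",
    "portNumber": 443,
    "initialEvidence": _evidence("2020-08-24T00:00:00Z", "200", INITIAL_PROPS),
    "latestEvidence": _evidence("2020-09-22T00:00:00Z", "302", LATEST_PROPS),
}

# Substrings treated as weak in a cipher suite name. RC4 is the one the context
# example exhibits; the other markers are this example's assumption.
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_NULL_", "_EXPORT")


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by evidence and certificate dates."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def property_names(evidence):
    """Return the set of serviceProperties names in one evidence object."""
    wrapper = evidence.get("serviceProperties") or {}
    return {p["name"] for p in wrapper.get("serviceProperties") or [] if p.get("name")}


def http_status(evidence):
    return (evidence.get("configuration") or {}).get("httpStatusCode")


def triage_issue(issue):
    """Summarise the TLS-relevant facts of one Expanse.Issue context object."""
    initial = issue.get("initialEvidence") or {}
    latest = issue.get("latestEvidence") or {}
    cert = latest.get("certificate") or issue.get("certificate") or {}

    cipher = latest.get("cipherSuite") or ""
    weak = [m.strip("_") for m in WEAK_CIPHER_MARKERS if m in cipher]

    # Days the certificate had already been expired when the latest scan ran.
    expired_days = None
    if cert.get("validNotAfter") and latest.get("timestamp"):
        delta = parse_ts(latest["timestamp"]) - parse_ts(cert["validNotAfter"])
        if delta.total_seconds() > 0:
            expired_days = delta.days

    before, after = property_names(initial), property_names(latest)
    return {
        "endpoint": f"{issue.get('ip')}:{issue.get('portNumber')}",
        "weak_cipher": weak,
        "cert_expired_days": expired_days,
        "wildcard_cert": str(cert.get("subjectName") or "").startswith("*."),
        "persisting": sorted(before & after),
        # A property that drops out may reflect a different response being
        # scanned (compare http_status) rather than a fix, so report both.
        "no_longer_reported": sorted(before - after),
        "newly_reported": sorted(after - before),
        "http_status": (http_status(initial), http_status(latest)),
    }


if __name__ == "__main__":
    for key, value in triage_issue(SAMPLE_ISSUE).items():
        print(f"{key}: {value}")
```
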

Human Readable Output#

Expanse Issues#

IdHeadlineIssue TypeCategoryIpPort ProtocolPort NumberDomainCertificatePriorityProgress StatusActivity StatusProvidersAssignee UsernameBusiness UnitsCreatedModifiedAnnotationsAssetsHelp Text
2b0ea80c-2277-34dd-9c55-005922ba640aInsecure TLS at 52.6.192.223:443id: InsecureTLS
name: Insecure TLS
archived: null
Attack Surface Reduction52.6.192.223TCP443id: 81d4479a-4c66-3b05-a969-4b40ba07ba21
md5Hash: gdRHmkxmGwWpaUtAuge6IQ==
issuer: C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3
issuerAlternativeNames:
issuerCountry: US
issuerEmail: null
issuerLocality: null
issuerName: GeoTrust SSL CA - G3
issuerOrg: GeoTrust Inc.
formattedIssuerOrg: GeoTrust
issuerOrgUnit: null
issuerState: null
publicKey: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv8cw0HvfztMNtUU6tK7TSo0Ij1k+MwL+cYSTEl7f5Lc/v0Db9Bg3YI7ALlw3VLnJ3oWxiwwCJMLbOBmVr7tSrPBU7dFUh0UIS6LulVYe16fKb1MBUmMq9WckGHF6+bnXrP/xb9X77RiqP0HhRbv7s/3m2ZruIHZ334mm1shnO65vyCvrOHXZQWl8SSk7fHBebRgEcqBM+w0VKV1Uy6U3b7AKWAsbibEHHCuGYFV+OaJxO7/18tJBNwJSX7lDnMOOxoCY2Jcafr/j5gb8O75OH2uxyg2bV7huwm7obYWP9Glw6b9KMdl55CsQHPNW3NW1AnCbAJFvDszl+Op96XNcHQIDAQAB
publicKeyAlgorithm: RSA
publicKeyRsaExponent: 65537
signatureAlgorithm: SHA256withRSA
subject: C=IN,ST=Maharashtra,L=Pune,O=Sears IT and Management Services India Pvt. Ltd.,OU=Management Services,CN=*.thespeedyou.com
subjectAlternativeNames: *.thespeedyou.com thespeedyou.com
subjectCountry: IN
subjectEmail: null
subjectLocality: Pune
subjectName: *.thespeedyou.com
subjectOrg: Sears IT and Management Services India Pvt. Ltd.
subjectOrgUnit: Management Services
subjectState: Maharashtra
serialNumber: 34287766128589078095374161204025316200
validNotBefore: 2015-01-19T00:00:00Z
validNotAfter: 2017-01-18T23:59:59Z
version: 3
publicKeyBits: 2048
pemSha256: w_LuhDoJupBuXxDW5gzATkB6TL0IsdQK09fuQsLGj-g=
pemSha1: p0y_sHlFdp5rPOw8aWrH2Qc331Q=
publicKeyModulus: 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
publicKeySpki: 5yD3VMYLV6A4CelOIlekrA1ByPGO769aG16XHfMixnA=
MediumInProgressActive{'id': 'AWS', 'name': 'Amazon Web Services'}Unassigned{'id': 'f738ace6-f451-4f31-898d-a12afa204b2a', 'name': 'PANW VanDelay Dev'}2020-09-23T01:44:37.415249Z2020-12-18T18:13:24.311442Ztags:{'id': '724a1137-ee3f-381f-95f2-ea0441db22d0', 'assetKey': 'gdRHmkxmGwWpaUtAuge6IQ==', 'assetType': 'Certificate', 'displayName': '*.thespeedyou.com'}This service should not be visible on the public Internet.

expanse-list-businessunits#


List available business units from Expanse.

Base Command#

expanse-list-businessunits

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of results to retrieve. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.BusinessUnit.id | String | Business unit ID |
| Expanse.BusinessUnit.name | String | Business unit name |

Command Example#

!expanse-list-businessunits limit="2"

Context Example#

{
"Expanse": {
"BusinessUnit": [
{
"id": "c4de7fad-cde1-46cf-8725-a5999533db59",
"name": "PANW VanDelay Import-Export Dev"
},
{
"id": "c94c50ca-124f-4983-8da5-1756138e2252",
"name": "PANW Acme Latex Supply Dev"
}
]
}
}

Human Readable Output#

Results#

| id | name |
| --- | --- |
| c4de7fad-cde1-46cf-8725-a5999533db59 | PANW VanDelay Import-Export Dev |
| c94c50ca-124f-4983-8da5-1756138e2252 | PANW Acme Latex Supply Dev |

expanse-list-providers#


List available providers from Expanse.

Base Command#

expanse-list-providers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of results to retrieve. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Provider.id | String | Provider ID |
| Expanse.Provider.name | String | Provider name |

Command Example#

!expanse-list-providers limit="2"

Context Example#

{
"Expanse": {
"Provider": [
{
"id": "AlibabaCloud",
"name": "Alibaba Cloud"
},
{
"id": "AWS",
"name": "Amazon Web Services"
}
]
}
}

Human Readable Output#

Results#

| id | name |
| --- | --- |
| AlibabaCloud | Alibaba Cloud |
| AWS | Amazon Web Services |

expanse-list-tags#


List available tags from Expanse.

Base Command#

expanse-list-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of results to retrieve. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Tag.created | Date | The date on which the tag was first created |
| Expanse.Tag.description | String | The description associated with the tag |
| Expanse.Tag.disabled | Boolean | Whether the tag should be hidden as a tag option in the Expander UI |
| Expanse.Tag.id | String | The Expanse ID for the tag |
| Expanse.Tag.modified | Date | The date on which metadata about the tag was last modified |
| Expanse.Tag.name | String | The display name for the tag |
| Expanse.Tag.tenantId | String | The tenant ID associated with the tag |

Command Example#

!expanse-list-tags limit="2"

Context Example#

{
"Expanse": {
"Tag": [
{
"created": "2020-12-07T12:18:38.047826Z",
"description": "XSOAR Test Tag",
"disabled": false,
"id": "a96792e9-ac04-338e-bd7f-467e395c3739",
"modified": "2020-12-07T12:18:38.047826Z",
"name": "xsoar-test-tag-new",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
},
{
"created": "2020-12-07T09:42:40.456398Z",
"description": "XSOAR Test Playbook Tag",
"disabled": false,
"id": "e00bc79d-d367-36f4-824c-042836fef5fc",
"modified": "2020-12-07T09:42:40.456398Z",
"name": "xsoar-test-pb-tag",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
]
}
}

Human Readable Output#

Results#

| created | description | disabled | id | modified | name | tenantId |
| --- | --- | --- | --- | --- | --- | --- |
| 2020-12-07T12:18:38.047826Z | XSOAR Test Tag | false | a96792e9-ac04-338e-bd7f-467e395c3739 | 2020-12-07T12:18:38.047826Z | xsoar-test-tag-new | f738ace6-f451-4f31-898d-a12afa204b2a |
| 2020-12-07T09:42:40.456398Z | XSOAR Test Playbook Tag | false | e00bc79d-d367-36f4-824c-042836fef5fc | 2020-12-07T09:42:40.456398Z | xsoar-test-pb-tag | f738ace6-f451-4f31-898d-a12afa204b2a |

expanse-assign-tags-to-asset#


Assign tags to an Expanse asset.

Base Command#

expanse-assign-tags-to-asset

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_type | Type of Expanse asset to assign the tag to. Possible values are: IpRange, Certificate, Domain. | Required |
| asset_id | ID of the asset to assign the tags to. | Required |
| tags | IDs of the tags to assign to the asset (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to assign to the asset (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-assign-tags-to-asset asset_type="IpRange" asset_id="0a8f44f9-05dc-42a3-a395-c83dad49fadf" tags="e00bc79d-d367-36f4-824c-042836fef5fc"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-unassign-tags-from-asset#


Unassign tags from an Expanse asset.

Base Command#

expanse-unassign-tags-from-asset

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_type | Type of Expanse asset to unassign the tags from. Possible values are: IpRange, Certificate, Domain. | Required |
| asset_id | ID of the asset to unassign the tags from. | Required |
| tags | IDs of the tags to unassign from the asset (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to unassign from the asset (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-unassign-tags-from-asset asset_type="IpRange" asset_id="0a8f44f9-05dc-42a3-a395-c83dad49fadf" tags="e00bc79d-d367-36f4-824c-042836fef5fc"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-assign-tags-to-iprange#


Assign tags to an Expanse IP range.

Base Command#

expanse-assign-tags-to-iprange

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the IP range to assign tags to. | Required |
| tags | IDs of the tags to assign to the IP range (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to assign to the IP range (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-assign-tags-to-iprange asset_id="0a8f44f9-05dc-42a3-a395-c83dad49fadf" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-unassign-tags-from-iprange#


Unassign tags from an Expanse IP range.

Base Command#

expanse-unassign-tags-from-iprange

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the IP range to unassign tags from. | Required |
| tags | IDs of the tags to unassign from the IP range (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to unassign from the IP range (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-unassign-tags-from-iprange asset_id="0a8f44f9-05dc-42a3-a395-c83dad49fadf" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-assign-tags-to-certificate#


Assign tags to an Expanse certificate.

Base Command#

expanse-assign-tags-to-certificate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the certificate to assign tags to. | Required |
| tags | IDs of the tags to assign to the certificate (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to assign to the certificate (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-assign-tags-to-certificate asset_id="30a111ae-39e2-3b82-b459-249bac0c6065" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-unassign-tags-from-certificate#


Unassign tags from an Expanse certificate.

Base Command#

expanse-unassign-tags-from-certificate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the certificate to unassign tags from. | Required |
| tags | IDs of the tags to unassign from the certificate (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to unassign from the certificate (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-unassign-tags-from-certificate asset_id="30a111ae-39e2-3b82-b459-249bac0c6065" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-assign-tags-to-domain#


Assign tags to an Expanse domain.

Base Command#

expanse-assign-tags-to-domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the domain to assign tags to. | Required |
| tags | IDs of the tags to assign to the domain (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to assign to the domain (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-assign-tags-to-domain asset_id="142194a1-f443-3878-8dcc-540f4061c5f5" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-unassign-tags-from-domain#


Unassign tags from an Expanse domain.

Base Command#

expanse-unassign-tags-from-domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | ID of the domain to unassign tags from. | Required |
| tags | IDs of the tags to unassign from the domain (comma separated string). If used in combination with 'tag_names' the lists of tags are merged. | Optional |
| tag_names | Names of the tags to unassign from the domain (comma separated string). If used in combination with 'tags' the lists of tags are merged. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |

Command Example#

!expanse-unassign-tags-from-domain asset_id="142194a1-f443-3878-8dcc-540f4061c5f5" tag_names="xsoar-test-pb-tag"

Context Example#

{}

Human Readable Output#

Operation complete

expanse-create-tag#


Create a new tag in Expanse.

Base Command#

expanse-create-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the tag (less than 128 characters). | Required |
| description | Description of the tag (less than 512 characters). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Tag.created | Date | The date on which the tag was first created |
| Expanse.Tag.description | String | The description associated with the tag |
| Expanse.Tag.disabled | Boolean | Whether the tag should be hidden as a tag option in the Expander UI |
| Expanse.Tag.id | String | The Expanse ID for the tag |
| Expanse.Tag.modified | Date | The date on which metadata about the tag was last modified |
| Expanse.Tag.name | String | The display name for the tag |
| Expanse.Tag.tenantId | String | The tenant ID associated with the tag |

Command Example#

!expanse-create-tag name="xsoar-test-tag-new" description="XSOAR Test Tag"

Context Example#

{}

Human Readable Output#

Tag already exists

expanse-get-iprange#


Retrieve Expanse IP ranges by asset ID or search parameters.

Base Command#

expanse-get-iprange

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Asset ID of the Expanse IP range to retrieve. If provided, other search parameters are ignored. | Optional |
| business_units | Returns only results whose Business Unit's ID falls in the provided list (comma separated string). Cannot be used with the 'business_unit_names' argument. | Optional |
| business_unit_names | Returns only results whose Business Unit's name falls in the provided list (comma separated string). Cannot be used with the 'business_units' argument. | Optional |
| inet | Search for given IP/CIDR block using a single IP (d.d.d.d), a dashed IP range (d.d.d.d-d.d.d.d), a CIDR block (d.d.d.d/m), a partial CIDR (d.d.), or a wildcard (d.d.*.d). | Optional |
| limit | Maximum number of entries to retrieve. | Optional |
| tags | Returns only results whose Tag ID falls in the provided list (comma separated string). Cannot be used with the 'tag_names' argument. | Optional |
| tag_names | Returns only results whose Tag name falls in the provided list (comma separated string). Cannot be used with the 'tags' argument. | Optional |
| include | Include "none" or any of the following options in the response (comma separated): annotations, severityCounts, attributionReasons, relatedRegistrationInformation, locationInformation. Default is none. | Optional |
| limit | Maximum number of results to retrieve. | Optional |
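
The argument rules above can be checked before the command is called, for example in an automation that passes analyst-supplied values to `expanse-get-iprange`. The Python below is an added example, not code from the integration: `classify_inet` and `check_iprange_args` are hypothetical helper names, the `inet` forms are read as IPv4 only, a partial CIDR is taken to be one to three octets each followed by a dot, and rejecting "none" mixed with other `include` options is this example's reading of the table.

```python
import ipaddress
import re

INCLUDE_OPTIONS = {"annotations", "severityCounts", "attributionReasons",
                   "relatedRegistrationInformation", "locationInformation"}
EXCLUSIVE_PAIRS = (("tags", "tag_names"), ("business_units", "business_unit_names"))
SEARCH_FILTERS = {"inet", "tags", "tag_names", "business_units", "business_unit_names"}


def _octets_ok(parts):
    """True when every part is a decimal octet in 0..255."""
    return all(p.isdigit() and int(p) <= 255 for p in parts)


def classify_inet(value):
    """Return which documented inet form the value takes, or raise ValueError."""
    value = value.strip()
    if "-" in value:                                   # d.d.d.d-d.d.d.d
        start, _, end = value.partition("-")
        if ipaddress.IPv4Address(start.strip()) > ipaddress.IPv4Address(end.strip()):
            raise ValueError("range start is above range end")
        return "range"
    if "/" in value:                                   # d.d.d.d/m
        ipaddress.IPv4Network(value, strict=False)
        return "cidr"
    if "*" in value:                                   # d.d.*.d
        parts = value.split(".")
        if len(parts) == 4 and _octets_ok(p for p in parts if p != "*"):
            return "wildcard"
        raise ValueError("wildcard needs four octets, each a number or '*'")
    if re.fullmatch(r"(\d{1,3}\.){1,3}", value):       # d.d.
        if _octets_ok(value.rstrip(".").split(".")):
            return "partial"
        raise ValueError("octet above 255 in partial CIDR")
    ipaddress.IPv4Address(value)                       # d.d.d.d
    return "ip"


def check_iprange_args(args):
    """Check a dict of expanse-get-iprange arguments against the table above."""
    errors, warnings = [], []
    present = {k for k, v in args.items() if v not in (None, "")}

    if "id" in present and present & SEARCH_FILTERS:
        warnings.append("'id' given: other search parameters are ignored")

    for first, second in EXCLUSIVE_PAIRS:
        if first in present and second in present:
            errors.append(f"'{first}' cannot be used with '{second}'")

    include = [o.strip() for o in str(args.get("include") or "none").split(",") if o.strip()]
    unknown = [o for o in include if o != "none" and o not in INCLUDE_OPTIONS]
    if unknown:
        errors.append("include: unknown option(s): " + ", ".join(unknown))
    if "none" in include and len(include) > 1:
        errors.append("include: 'none' cannot be combined with other options")

    inet_form = None
    if "inet" in present:
        try:
            inet_form = classify_inet(str(args["inet"]))
        except ValueError as exc:   # ipaddress errors are ValueError subclasses
            errors.append(f"inet: {exc}")

    return {"errors": errors, "warnings": warnings, "inet_form": inet_form}


if __name__ == "__main__":
    print(check_iprange_args({"inet": "1.179.133.112/29", "include": "none", "limit": "1"}))
```
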

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IPRange.annotations.additionalNotes | String | Customer provided annotation details for an IP range |
| Expanse.IPRange.annotations.contacts | String | Customer provided point-of-contact details for an IP range |
| Expanse.IPRange.annotations.tags | String | Customer provided tags for an IP range |
| Expanse.IPRange.attributionReasons.reason | String | The reasons why an IP range is attributed to the customer |
| Expanse.IPRange.businessUnits.id | String | Business Units that the IP range has been assigned to |
| Expanse.IPRange.businessUnits.name | String | Business Units that the IP range has been assigned to |
| Expanse.IPRange.created | Date | The date that the IP range was added to the Expander instance |
| Expanse.IPRange.id | String | Internal Expanse ID for the IP Range |
| Expanse.IPRange.ipVersion | String | The IP version of the IP range |
| Expanse.IPRange.locationInformation.geolocation.city | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.countryCode | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.latitude | Number | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.longitude | Number | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.regionCode | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.ip | String | The IP range geolocation |
| Expanse.IPRange.modified | Date | The date on which the IP range was last ingested into Expander |
| Expanse.IPRange.rangeIntroduced | Date | The date that the IP range was added to the Expander instance |
| Expanse.IPRange.rangeSize | Number | The number of IP addresses in the IP range |
| Expanse.IPRange.rangeType | String | Whether the IP range is an Expanse-generated parent range or a customer-generated custom range |
| Expanse.IPRange.relatedRegistrationInformation.country | String | The country within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.endAddress | String | The end address within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.handle | String | The handle within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.ipVersion | String | The IP version within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.name | String | The name within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.parentHandle | String | The parent handle within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.address | String | The address within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.email | String | The email within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.action | String | The events action within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.actor | String | The events actor within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.date | Date | The events date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.firstRegistered | Date | The first registered date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.formattedName | String | The formatted name within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.handle | String | The handle within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.id | String | The ID within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.lastChanged | Date | The last changed date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.org | String | The org within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.phone | String | The phone number within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.relatedEntityHandles | String | The related entity handles within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.remarks | String | The remarks within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.roles | String | The roles within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.statuses | String | The statuses within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.remarks | String | The remarks within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.startAddress | String | The start address within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.updatedDate | Date | The last update date within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.whoisServer | String | The Whois server within the IP range registration information |
| Expanse.IPRange.responsiveIpCount | Number | The number of IPs responsive on the public Internet within the IP range |
| Expanse.IPRange.severityCounts.count | Number | The number of exposures observed on the IP range |
| Expanse.IPRange.severityCounts.type | String | The severity level of the exposures observed on the IP range |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |

Command Example#

!expanse-get-iprange limit="1" include="none"

Context Example#

{
"DBotScore": {
"Indicator": "1.179.133.112/29",
"Score": 0,
"Type": [
"cidr"
],
"Vendor": "ExpanseV2"
},
"Expanse": {
"IPRange": {
"businessUnits": [
{
"id": "c94c50ca-124f-4983-8da5-1756138e2252",
"name": "PANW Acme Latex Supply Dev"
}
],
"cidr": "1.179.133.112/29",
"created": "2020-09-22",
"customChildRanges": [],
"id": "0a8f44f9-05dc-42a3-a395-c83dad49fadf",
"ipVersion": "4",
"modified": "2020-12-18",
"rangeIntroduced": "2020-09-22",
"rangeSize": 8,
"rangeType": "parent",
"responsiveIpCount": 0
}
}
}

Human Readable Output#

Expanse IP Range List#

| businessUnits | cidr | created | customChildRanges | id | ipVersion | modified | rangeIntroduced | rangeSize | rangeType | responsiveIpCount |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'id': 'c94c50ca-124f-4983-8da5-1756138e2252', 'name': 'PANW Acme Latex Supply Dev'} | 1.179.133.112/29 | 2020-09-22 |  | 0a8f44f9-05dc-42a3-a395-c83dad49fadf | 4 | 2020-12-18 | 2020-09-22 | 8 | parent | 0 |

expanse-get-domain#


Retrieve Expanse domains by domain name or search parameters.

Base Command#

expanse-get-domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain name to retrieve (exact match). If provided, other search parameters are ignored. | Optional |
| last_observed_date | Last date the domain was observed by Expanse (Format is YYYY-MM-DD). | Optional |
| search | Search domain names that match the specified substring. | Optional |
| limit | Maximum number of entries to retrieve. | Optional |
| has_dns_resolution | Retrieve only domains with or without DNS resolution. Possible values are: true, false. | Optional |
| has_active_service | Retrieve only domains with or without an active service discovered by Expanse. Possible values are: true, false. | Optional |
| has_related_cloud_resources | Retrieve only domains with or without cloud resources discovered by Expanse. Possible values are: true, false. | Optional |
| tags | Returns only results whose Tag ID falls in the provided list (comma separated string). Cannot be used with the 'tag_names' argument. | Optional |
| tag_names | Returns only results whose Tag name falls in the provided list (comma separated string). Cannot be used with the 'tags' argument. | Optional |
| business_units | Returns only results whose Business Unit's ID falls in the provided list (comma separated string). Cannot be used with the 'business_unit_names' argument. | Optional |
| business_unit_names | Returns only results whose Business Unit's name falls in the provided list (comma separated string). Cannot be used with the 'business_units' argument. | Optional |
| providers | Returns only results whose Provider's ID falls in the provided list (comma separated string). Cannot be used with the 'provider_names' argument. | Optional |
| provider_names | Returns only results whose Provider's name falls in the provided list (comma separated string). Cannot be used with the 'providers' argument. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Domain.annotations.note | String | Customer provided annotation details for a domain |
| Expanse.Domain.annotations.contacts.id | String | ID for customer provided contact details for a domain |
| Expanse.Domain.annotations.contacts.name | String | Customer provided contact details for a domain |
| Expanse.Domain.annotations.tags.id | String | ID for customer added tag on a domain in Expander |
| Expanse.Domain.annotations.tags.name | String | Customer added tag on a domain in Expander |
| Expanse.Domain.businessUnits.id | String | Business Units that the domain has been assigned to |
| Expanse.Domain.businessUnits.name | String | Business Units that the domain has been assigned to |
| Expanse.Domain.businessUnits.tenantId | String | Tenant ID for business Units that the domain has been assigned to |
| Expanse.Domain.dateAdded | Date | The date that the domain was added to the Expander instance |
| Expanse.Domain.details.recentIps.assetKey | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.assetType | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.id | String | Business Units for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.name | String | Business Units for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.tenantId | String | Tenant information for business Units that the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.commonName | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.domain | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.ip | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.lastObserved | Date | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.provider.id | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.provider.name | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.id | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.name | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.tenantId | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.type | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.dnsResolutionStatus | String | Latest DNS resolution status |
| Expanse.Domain.firstObserved | Date | The date that the domain was first observed |
| Expanse.Domain.hasLinkedCloudResources | Boolean | Whether the domain has any linked cloud resources associated with it |
| Expanse.Domain.id | String | Internal Expanse ID for Domain |
| Expanse.Domain.domain | String | The domain value |
| Expanse.Domain.isCollapsed | Boolean | Whether or not the subdomains of the domain are collapsed |
| Expanse.Domain.isPaidLevelDomain | Boolean | Whether or not the domain is a PLD |
| Expanse.Domain.lastObserved | Date | The date that the domain was most recently observed |
| Expanse.Domain.lastSampledIp | String | The last observed IPv4 address for the domain |
| Expanse.Domain.lastSubdomainMetadata.collapseType | String | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.numSubdomains | Number | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.numDistinctIps | Number | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.date | Date | Sub-domain metadata |
| Expanse.Domain.providers.id | String | Information about the hosting provider of the IP the domain resolves to |
| Expanse.Domain.providers.name | String | Information about the hosting provider of the IP the domain resolves to |
| Expanse.Domain.serviceStatus | String | Detected service statuses for the domain |
| Expanse.Domain.sourceDomain | String | The source domain for the domain object |
| Expanse.Domain.tenant.id | String | Tenant information for the domain |
| Expanse.Domain.tenant.name | String | Tenant information for the domain |
| Expanse.Domain.tenant.tenantId | String | Tenant information for the domain |
| Expanse.Domain.whois.admin.city | String | The admin city in the Whois information for the domain |
| Expanse.Domain.whois.admin.country | String | The admin country in the Whois information for the domain |
| Expanse.Domain.whois.admin.emailAddress | String | The admin email address in the Whois information for the domain |
| Expanse.Domain.whois.admin.faxExtension | String | The admin fax extension in the Whois information for the domain |
| Expanse.Domain.whois.admin.faxNumber | String | The admin fax number in the Whois information for the domain |
| Expanse.Domain.whois.admin.name | String | The admin name in the Whois information for the domain |
| Expanse.Domain.whois.admin.organization | String | The admin organization in the Whois information for the domain |
| Expanse.Domain.whois.admin.phoneExtension | String | The admin phone extension in the Whois information for the domain |
| Expanse.Domain.whois.admin.phoneNumber | String | The admin phone number in the Whois information for the domain |
| Expanse.Domain.whois.admin.postalCode | String | The admin postal code in the Whois information for the domain |
| Expanse.Domain.whois.admin.province | String | The admin province in the Whois information for the domain |
| Expanse.Domain.whois.admin.registryId | String | The admin registry ID in the Whois information for the domain |
| Expanse.Domain.whois.admin.street | String | The admin street in the Whois information for the domain |
| Expanse.Domain.whois.creationDate | Date | The creation date in the Whois information for the domain |
| Expanse.Domain.whois.dnssec | String | The dnssec in the Whois information for the domain |
| Expanse.Domain.whois.domain | String | The domain in the Whois information for the domain |
| Expanse.Domain.whois.domainStatuses | String | The domain statuses in the Whois information for the domain |
| Expanse.Domain.whois.nameServers | String | The name servers in the Whois information for the domain |
| Expanse.Domain.whois.registrant.city | String | The registrant city in the Whois information for the domain |
| Expanse.Domain.whois.registrant.country | String | The registrant country in the Whois information for the domain |
| Expanse.Domain.whois.registrant.emailAddress | String | The registrant email address in the Whois information for the domain |
| Expanse.Domain.whois.registrant.faxExtension | String | The registrant fax extension in the Whois information for the domain |
| Expanse.Domain.whois.registrant.faxNumber | String | The registrant fax number in the Whois information for the domain |
| Expanse.Domain.whois.registrant.name | String | The registrant name in the Whois information for the domain |
| Expanse.Domain.whois.registrant.organization | String | The registrant organization in the Whois information for the domain |
| Expanse.Domain.whois.registrant.phoneExtension | String | The registrant phone extension in the Whois information for the domain |
| Expanse.Domain.whois.registrant.phoneNumber | String | The registrant phone number in the Whois information for the domain |
| Expanse.Domain.whois.registrant.postalCode | String | The registrant postal code in the Whois information for the domain |
| Expanse.Domain.whois.registrant.province | String | The registrant province in the Whois information for the domain |
| Expanse.Domain.whois.registrant.registryId | String | The registrant registry ID in the Whois information for the domain |
| Expanse.Domain.whois.registrant.street | String | The registrant street in the Whois information for the domain |
| Expanse.Domain.whois.registrar.abuseContactEmail | String | The registrar abuse contact email in the Whois information for the domain |
| Expanse.Domain.whois.registrar.abuseContactPhone | String | The registrar abuse contact phone in the Whois information for the domain |
| Expanse.Domain.whois.registrar.formattedName | String | The registrar formatted name Whois information for the domain |
| Expanse.Domain.whois.registrar.ianaId | String | The registrar iana ID in the Whois information for the domain |
| Expanse.Domain.whois.registrar.name | String | The registrar name in the Whois information for the domain |
| Expanse.Domain.whois.registrar.registrationExpirationDate | Date | The registrar registration expiration date in the Whois information for the domain |
| Expanse.Domain.whois.registrar.url | String | The registrar URL in the Whois information for the domain |
| Expanse.Domain.whois.registrar.whoisServer | String | The registrar Whois server in the Whois information for the domain |
| Expanse.Domain.whois.registryDomainId | String | The registry domain ID in the Whois information for the domain |
| Expanse.Domain.whois.registryExpiryDate | Date | The registry expiry date in the Whois information for the domain |
| Expanse.Domain.whois.reseller | String | The reseller in the Whois information for the domain |
| Expanse.Domain.whois.tech.city | String | The tech city in the Whois information for the domain |
| Expanse.Domain.whois.tech.country | String | The tech country in the Whois information for the domain |
| Expanse.Domain.whois.tech.emailAddress | String | The tech email address in the Whois information for the domain |
| Expanse.Domain.whois.tech.faxExtension | String | The tech fax extension in the Whois information for the domain |
| Expanse.Domain.whois.tech.faxNumber | String | The tech fax number in the Whois information for the domain |
| Expanse.Domain.whois.tech.name | String | The tech name in the Whois information for the domain |
| Expanse.Domain.whois.tech.organization | String | The tech organization in the Whois information for the domain |
| Expanse.Domain.whois.tech.phoneExtension | String | The tech phone extension in the Whois information for the domain |
| Expanse.Domain.whois.tech.phoneNumber | String | The tech phone number in the Whois information for the domain |
| Expanse.Domain.whois.tech.postalCode | String | The tech postal code in the Whois information for the domain |
| Expanse.Domain.whois.tech.province | String | The tech province in the Whois information for the domain |
| Expanse.Domain.whois.tech.registryId | String | The tech registry ID in the Whois information for the domain |
| Expanse.Domain.whois.tech.street | String | The tech street in the Whois information for the domain |
| Expanse.Domain.whois.updatedDate | Date | The updated date in the Whois information for the domain |
| Expanse.Domain.details.cloudResources.id | String | The cloud resource ID |
| Expanse.Domain.details.cloudResources.tenant.id | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.tenant.name | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.tenant.tenantId | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.businessUnits.id | String | Business Units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.businessUnits.name | String | Business Units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.businessUnits.tenantId | String | Tenant information for business units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.dateAdded | Date | The date that the cloud resource was added to the Expander instance |
| Expanse.Domain.details.cloudResources.firstObserved | Date | The date that the cloud resource was first observed |
| Expanse.Domain.details.cloudResources.lastObserved | Date | The date that the domain was most recently observed |
| Expanse.Domain.details.cloudResources.instanceId | String | Instance ID for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.type | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.ips | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.domain | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.provider.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.provider.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.region | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.vpc.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.vpc.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.accountIntegration.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.accountIntegration.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.recentIps.assetKey | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.assetType | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.id | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.name | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.tenantId | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.commonName | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.domain | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.ip | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.lastObserved | Date | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.provider.id | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.provider.name | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.id | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.name | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.tenantId | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.type | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.annotations.note | String | Customer provided annotation details for a domain |
| Expanse.Domain.details.cloudResources.annotations.contacts.id | String | ID for customer provided contact details for a domain |
| Expanse.Domain.details.cloudResources.annotations.contacts.name | String | Customer provided contact details for a domain |
| Expanse.Domain.details.cloudResources.annotations.tags.id | String | ID for customer added tag on a domain in Expander |
| Expanse.Domain.details.cloudResources.annotations.tags.name | String | Customer added tag on a domain in Expander |
| Domain.Name | String | The domain name, for example: "google.com". |
| Domain.DNS | String | A list of IP objects resolved by DNS. |
| Domain.DetectionEngines | Number | The total number of engines that checked the indicator. |
| Domain.PositiveDetections | Number | The number of engines that positively detected the indicator as malicious. |
| Domain.CreationDate | Date | The date that the domain was created. |
| Domain.UpdatedDate | String | The date that the domain was last updated. |
| Domain.ExpirationDate | Date | The expiration date of the domain. |
| Domain.DomainStatus | Date | The status of the domain. |
| Domain.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Subdomains | String | Subdomains of the domain. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.WHOIS.DomainStatus | String | The status of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: "GoDaddy" |
| Domain.WHOIS.Registrar.AbuseEmail | String | The email address of the contact for reporting abuse. |
| Domain.WHOIS.Registrar.AbusePhone | String | The phone number of contact for reporting abuse. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.History | String | List of Whois objects |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!expanse-get-domain limit="1"

Context Example

{
"DBotScore": {
"Indicator": "*.108.pets.com",
"Score": 0,
"Type": "domainglob",
"Vendor": "ExpanseV2"
},
"Domain": {
"Admin": {
"Country": "UNITED STATES",
"Email": "legal@petsmart.com",
"Name": "Admin Contact",
"Phone": "16235806100"
},
"CreationDate": "1994-11-21T05:00:00Z",
"DomainStatus": "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited",
"ExpirationDate": "2018-11-20T05:00:00Z",
"Name": "*.108.pets.com",
"NameServers": [
"NS1.MARKMONITOR.COM",
"NS2.MARKMONITOR.COM",
"NS3.MARKMONITOR.COM",
"NS4.MARKMONITOR.COM",
"NS5.MARKMONITOR.COM",
"NS6.MARKMONITOR.COM",
"NS7.MARKMONITOR.COM"
],
"Organization": "PetSmart Home Office, Inc.",
"Registrant": {
"Country": "UNITED STATES",
"Email": "legal@petsmart.com",
"Name": "Admin Contact",
"Phone": "16235806100"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "MarkMonitor Inc."
},
"UpdatedDate": "2016-10-19T09:12:50Z",
"WHOIS": {
"Admin": {
"Country": "UNITED STATES",
"Email": "legal@petsmart.com",
"Name": "Admin Contact",
"Phone": "16235806100"
},
"CreationDate": "1994-11-21T05:00:00Z",
"DomainStatus": "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited",
"ExpirationDate": "2018-11-20T05:00:00Z",
"NameServers": [
"NS1.MARKMONITOR.COM",
"NS2.MARKMONITOR.COM",
"NS3.MARKMONITOR.COM",
"NS4.MARKMONITOR.COM",
"NS5.MARKMONITOR.COM",
"NS6.MARKMONITOR.COM",
"NS7.MARKMONITOR.COM"
],
"Registrant": {
"Country": "UNITED STATES",
"Email": "legal@petsmart.com",
"Name": "Admin Contact",
"Phone": "16235806100"
},
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "MarkMonitor Inc."
},
"UpdatedDate": "2016-10-19T09:12:50Z"
}
},
"Expanse": {
"Domain": {
"annotations": {
"contacts": [],
"note": "",
"tags": []
},
"businessUnits": [
{
"id": "c4de7fad-cde1-46cf-8725-a5999533db59",
"name": "PANW VanDelay Import-Export Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
},
{
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
],
"dateAdded": "2020-09-22T21:23:02.372Z",
"details": null,
"dnsResolutionStatus": [
"HAS_DNS_RESOLUTION"
],
"domain": "*.108.pets.com",
"firstObserved": "2020-09-22T06:10:31.787Z",
"hasLinkedCloudResources": false,
"id": "142194a1-f443-3878-8dcc-540f4061c5f5",
"isCollapsed": false,
"isPaidLevelDomain": false,
"lastObserved": "2020-09-22T06:10:31.787Z",
"lastSampledIp": "72.52.10.14",
"lastSubdomainMetadata": null,
"providers": [
{
"id": "Akamai",
"name": "Akamai Technologies"
}
],
"serviceStatus": [
"NO_ACTIVE_SERVICE",
"NO_ACTIVE_ON_PREM_SERVICE",
"NO_ACTIVE_CLOUD_SERVICE"
],
"sourceDomain": "pets.com",
"tenant": {
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
},
"whois": [
{
"admin": {
"city": "Phoenix",
"country": "UNITED STATES",
"emailAddress": "legal@petsmart.com",
"faxExtension": "",
"faxNumber": "16235806109",
"name": "Admin Contact",
"organization": "PetSmart Home Office, Inc.",
"phoneExtension": "",
"phoneNumber": "16235806100",
"postalCode": "85027",
"province": "AZ",
"registryId": null,
"street": "19601 N 27th Ave,"
},
"creationDate": "1994-11-21T05:00:00Z",
"dnssec": null,
"domain": "pets.com",
"domainStatuses": [
"clientDeleteProhibited clientTransferProhibited clientUpdateProhibited"
],
"nameServers": [
"NS1.MARKMONITOR.COM",
"NS2.MARKMONITOR.COM",
"NS3.MARKMONITOR.COM",
"NS4.MARKMONITOR.COM",
"NS5.MARKMONITOR.COM",
"NS6.MARKMONITOR.COM",
"NS7.MARKMONITOR.COM"
],
"registrant": {
"city": "Phoenix",
"country": "UNITED STATES",
"emailAddress": "legal@petsmart.com",
"faxExtension": "",
"faxNumber": "16235806109",
"name": "Admin Contact",
"organization": "PetSmart Home Office, Inc.",
"phoneExtension": "",
"phoneNumber": "16235806100",
"postalCode": "85027",
"province": "AZ",
"registryId": null,
"street": "19601 N 27th Ave,"
},
"registrar": {
"abuseContactEmail": null,
"abuseContactPhone": null,
"formattedName": null,
"ianaId": null,
"name": "MarkMonitor Inc.",
"registrationExpirationDate": null,
"url": null,
"whoisServer": "whois.markmonitor.com"
},
"registryDomainId": null,
"registryExpiryDate": "2018-11-20T05:00:00Z",
"reseller": null,
"tech": {
"city": null,
"country": null,
"emailAddress": null,
"faxExtension": null,
"faxNumber": null,
"name": null,
"organization": null,
"phoneExtension": null,
"phoneNumber": null,
"postalCode": null,
"province": null,
"registryId": null,
"street": null
},
"updatedDate": "2016-10-19T09:12:50Z"
}
]
}
}
}

Human Readable Output

Expanse Domain List

| annotations | businessUnits | dateAdded | details | dnsResolutionStatus | domain | firstObserved | hasLinkedCloudResources | id | isCollapsed | isPaidLevelDomain | lastObserved | lastSampledIp | lastSubdomainMetadata | providers | serviceStatus | sourceDomain | tenant | whois |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| contacts: ; tags: ; note: | {'id': 'c4de7fad-cde1-46cf-8725-a5999533db59', 'name': 'PANW VanDelay Import-Export Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'}, {'id': 'f738ace6-f451-4f31-898d-a12afa204b2a', 'name': 'PANW VanDelay Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'} | 2020-09-22T21:23:02.372Z | | HAS_DNS_RESOLUTION | *.108.pets.com | 2020-09-22T06:10:31.787Z | false | 142194a1-f443-3878-8dcc-540f4061c5f5 | false | false | 2020-09-22T06:10:31.787Z | 72.52.10.14 | | {'id': 'Akamai', 'name': 'Akamai Technologies'} | NO_ACTIVE_SERVICE, NO_ACTIVE_ON_PREM_SERVICE, NO_ACTIVE_CLOUD_SERVICE | pets.com | id: f738ace6-f451-4f31-898d-a12afa204b2a; name: PANW VanDelay Dev; tenantId: f738ace6-f451-4f31-898d-a12afa204b2a | {'domain': 'pets.com', 'registryDomainId': None, 'updatedDate': '2016-10-19T09:12:50Z', 'creationDate': '1994-11-21T05:00:00Z', 'registryExpiryDate': '2018-11-20T05:00:00Z', 'reseller': None, 'registrar': {'name': 'MarkMonitor Inc.', 'formattedName': None, 'whoisServer': 'whois.markmonitor.com', 'url': None, 'ianaId': None, 'registrationExpirationDate': None, 'abuseContactEmail': None, 'abuseContactPhone': None}, 'domainStatuses': ['clientDeleteProhibited clientTransferProhibited clientUpdateProhibited'], 'nameServers': ['NS1.MARKMONITOR.COM', 'NS2.MARKMONITOR.COM', 'NS3.MARKMONITOR.COM', 'NS4.MARKMONITOR.COM', 'NS5.MARKMONITOR.COM', 'NS6.MARKMONITOR.COM', 'NS7.MARKMONITOR.COM'], 'registrant': {'name': 'Admin Contact', 'organization': 'PetSmart Home Office, Inc.', 'street': '19601 N 27th Ave,', 'city': 'Phoenix', 'province': 'AZ', 'postalCode': '85027', 'country': 'UNITED STATES', 'phoneNumber': '16235806100', 'phoneExtension': '', 'faxNumber': '16235806109', 'faxExtension': '', 'emailAddress': 'legal@petsmart.com', 'registryId': None}, 'admin': {'name': 'Admin Contact', 'organization': 'PetSmart Home Office, Inc.', 'street': '19601 N 27th Ave,', 'city': 'Phoenix', 'province': 'AZ', 'postalCode': '85027', 'country': 'UNITED STATES', 'phoneNumber': '16235806100', 'phoneExtension': '', 'faxNumber': '16235806109', 'faxExtension': '', 'emailAddress': 'legal@petsmart.com', 'registryId': None}, 'tech': {'name': None, 'organization': None, 'street': None, 'city': None, 'province': None, 'postalCode': None, 'country': None, 'phoneNumber': None, 'phoneExtension': None, 'faxNumber': None, 'faxExtension': None, 'emailAddress': None, 'registryId': None}, 'dnssec': None} |
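
One way a playbook automation could triage the `Expanse.Domain` context documented above for attack-surface hygiene. This is an added example, not code from the integration; the three checks and their finding labels are assumptions chosen for illustration, while the field names and the `HAS_DNS_RESOLUTION` / `NO_ACTIVE_SERVICE` values are taken from the context example.

```python
from datetime import datetime

# Constructed sample shaped like the context output of !expanse-get-domain.
# Entry 1 is trimmed from the context example above. Entry 2 is made up so one
# entry passes every check; "CONSTRUCTED_ACTIVE_STATUS" is a placeholder, not
# an Expander status value.
SAMPLE_CONTEXT = {
    "Expanse": {
        "Domain": [
            {
                "domain": "*.108.pets.com",
                "annotations": {"contacts": [], "note": "", "tags": []},
                "dnsResolutionStatus": ["HAS_DNS_RESOLUTION"],
                "serviceStatus": [
                    "NO_ACTIVE_SERVICE",
                    "NO_ACTIVE_ON_PREM_SERVICE",
                    "NO_ACTIVE_CLOUD_SERVICE",
                ],
                "lastObserved": "2020-09-22T06:10:31.787Z",
                "whois": [{"registryExpiryDate": "2018-11-20T05:00:00Z"}],
            },
            {
                "domain": "www.example.com",
                "annotations": {
                    "contacts": [{"id": "constructed-id", "name": "Constructed Owner"}],
                    "note": "",
                    "tags": [],
                },
                "dnsResolutionStatus": ["HAS_DNS_RESOLUTION"],
                "serviceStatus": ["CONSTRUCTED_ACTIVE_STATUS"],
                "lastObserved": "2020-09-22T06:10:31.787Z",
                "whois": [{"registryExpiryDate": "2030-01-01T00:00:00Z"}],
            },
        ]
    }
}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the context; null stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_domain(entry):
    """Return hygiene findings (hypothetical labels) for one Expanse.Domain object."""
    findings = []
    resolves = "HAS_DNS_RESOLUTION" in (entry.get("dnsResolutionStatus") or [])
    no_service = "NO_ACTIVE_SERVICE" in (entry.get("serviceStatus") or [])
    last_seen = parse_ts(entry.get("lastObserved"))

    # A name that still resolves while no service was observed behind it is a
    # candidate stale DNS record worth reviewing with the owning team.
    if resolves and no_service:
        findings.append("resolves-without-service")

    # whois is a list of records and may be null; flag a registry expiry date
    # that predates the last observation (stale Whois data or a lapsed name).
    for record in entry.get("whois") or []:
        expiry = parse_ts(record.get("registryExpiryDate"))
        if expiry and last_seen and expiry < last_seen:
            findings.append("whois-expiry-before-last-observed")
            break

    # No contact and no tag annotated in Expander: nobody is recorded as owner.
    annotations = entry.get("annotations") or {}
    if not annotations.get("contacts") and not annotations.get("tags"):
        findings.append("no-owner-annotation")
    return findings


def triage_context(context):
    """Map each domain in the command context to its list of findings."""
    domains = (context.get("Expanse") or {}).get("Domain") or []
    if isinstance(domains, dict):  # the limit="1" example above shows one object
        domains = [domains]
    return {d.get("domain"): triage_domain(d) for d in domains}


if __name__ == "__main__":
    for name, findings in triage_context(SAMPLE_CONTEXT).items():
        print(name, findings or "ok")
```
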

expanse-get-associated-domains

Returns all the Expanse domains which have been seen with the specified certificate or IP address.

Base Command

expanse-get-associated-domains

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| common_name | The common name of the certificate to search domains for. Fuzzy matching is done on this name, however query times can grow quite large when searching for short strings. Ex. "*.myhost.com" is a better search term than "host". | Optional |
| ip | The IP address to search domains for. | Optional |
| limit | Maximum number of matching certificates to retrieve. | Optional |
| domains_limit | Maximum number of domains per certificate to retrieve. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.AssociatedDomain.name | String | Name of the domain. |
| Expanse.AssociatedDomain.IP | String | IP Address the domain resolved to. |
| Expanse.AssociatedDomain.certificate | String | Expanse ID of the certificate associated to this domain. |
| Domain.Name | String | The domain name, for example: "google.com". |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example

!expanse-get-associated-domains ip="1.1.1.1"

Context Example

{
"DBotScore": {
"Indicator": "test.developers.company.com",
"Score": 0,
"Type": "domain",
"Vendor": "ExpanseV2"
},
"Domain": {
"Name": "test.developers.company.com"
},
"Expanse": {
"AssociatedDomain": {
"IP": [
"1.1.1.1"
],
"certificate": [],
"name": "test.developers.company.com"
}
}
}

Human Readable Output

Expanse Domains matching Certificate Common Name: None

| name | IP | certificate |
| --- | --- | --- |
| test.developers.company.com | 1.1.1.1 | |

expanse-get-certificate

Retrieve Expanse certificates by MD5 hash or search parameters.

Base Command

expanse-get-certificate

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5_hash | MD5 Hash of the certificate. If provided, other search parameters are ignored. | Optional |
| last_observed_date | Last date the domain was observed by Expanse (Format is YYYY-MM-DD), to be used with domain argument. | Optional |
| search | Search for certificates with the specified substring in common name. | Optional |
| limit | Maximum number of entries to retrieve. | Optional |
| has_certificate_advertisement | Retrieve only certificates actively/not actively advertised. Possible values are: true, false. | Optional |
| has_active_service | Retrieve only certificates with or without an active service discovered by Expanse. Possible values are: true, false. | Optional |
| has_related_cloud_resources | Retrieve only certificates with or without cloud resources discovered by Expanse. Possible values are: true, false. | Optional |
| tags | Returns only results whose Tag ID falls in the provided list. (comma separated string). Cannot be used with the 'tag_names' argument. | Optional |
| tag_names | Returns only results whose Tag name falls in the provided list. (comma separated string). Cannot be used with the 'tags' argument. | Optional |
| business_units | Returns only results whose Business Unit's ID falls in the provided list. (comma separated string). Cannot be used with the 'business_unit_names' argument. | Optional |
| business_unit_names | Returns only results whose Business Unit's name falls in the provided list. (comma separated string). Cannot be used with the 'business_units' argument. | Optional |
| providers | Returns only results whose Provider's ID falls in the provided list. (comma separated string). Cannot be used with the 'provider_names' argument. | Optional |
| provider_names | Returns only results whose Provider's name falls in the provided list. (comma separated string). Cannot be used with the 'providers' argument. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Certificate.annotations.note | String | Customer provided annotation details for a certificate |
| Expanse.Certificate.annotations.contacts.id | String | ID for customer provided contact details for a certificate |
| Expanse.Certificate.annotations.contacts.name | String | Customer provided contact details for a certificate |
| Expanse.Certificate.annotations.tags.id | String | ID for customer added tag on a certificate in Expander |
| Expanse.Certificate.annotations.tags.name | String | Customer added tag on a certificate in Expander |
| Expanse.Certificate.businessUnits.id | String | Business Units that the certificate has been assigned to |
| Expanse.Certificate.businessUnits.name | String | Business Units that the certificate has been assigned to |
| Expanse.Certificate.businessUnits.tenantId | String | Tenant information for business units that the certificate has been assigned to |
| Expanse.Certificate.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate |
| Expanse.Certificate.certificate.id | String | The certificate ID |
| Expanse.Certificate.certificate.issuer | String | The issuer in the certificate |
| Expanse.Certificate.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate |
| Expanse.Certificate.certificate.issuerCountry | String | The issuer country in the certificate |
| Expanse.Certificate.certificate.issuerEmail | String | The issuer email in the certificate |
| Expanse.Certificate.certificate.issuerLocality | String | The issuer locality in the certificate |
| Expanse.Certificate.certificate.issuerName | String | The issuer name in the certificate |
| Expanse.Certificate.certificate.issuerOrg | String | The issuer org in the certificate |
| Expanse.Certificate.certificate.issuerOrgUnit | String | The issuer org unit in the certificate |
| Expanse.Certificate.certificate.issuerState | String | The issuer state in the certificate |
| Expanse.Certificate.certificate.md5Hash | String | The md5hash in the certificate |
| Expanse.Certificate.certificate.pemSha1 | String | The pemSha1 in the certificate |
| Expanse.Certificate.certificate.pemSha256 | String | The pemSha256 in the certificate |
| Expanse.Certificate.certificate.publicKey | String | The public key in the certificate |
| Expanse.Certificate.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate |
| Expanse.Certificate.certificate.publicKeyBits | Number | The public key bits in the certificate |
| Expanse.Certificate.certificate.publicKeyModulus | String | The public key modulus in the certificate |
| Expanse.Certificate.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate |
| Expanse.Certificate.certificate.publicKeySpki | String | The public key Spki in the certificate |
| Expanse.Certificate.certificate.serialNumber | String | The serial number in the certificate |
| Expanse.Certificate.certificate.signatureAlgorithm | String | The signature algorithm in the certificate |
| Expanse.Certificate.certificate.subject | String | The subject in the certificate |
| Expanse.Certificate.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate |
| Expanse.Certificate.certificate.subjectCountry | String | The subject country in the certificate |
| Expanse.Certificate.certificate.subjectEmail | String | The subject email in the certificate |
| Expanse.Certificate.certificate.subjectLocality | String | The subject locality in the certificate |
| Expanse.Certificate.certificate.subjectName | String | The subject name in the certificate |
| Expanse.Certificate.certificate.subjectOrg | String | The subject org in the certificate |
| Expanse.Certificate.certificate.subjectOrgUnit | String | The subject org unit in the certificate |
| Expanse.Certificate.certificate.subjectState | String | The subject state in the certificate |
| Expanse.Certificate.certificate.validNotAfter | Date | The valid not after date in the certificate |
| Expanse.Certificate.certificate.validNotBefore | Date | The valid not before date in the certificate |
| Expanse.Certificate.certificate.version | String | The version in the certificate |
| Expanse.Certificate.certificateAdvertisementStatus | String | Certificate advertisement statuses |
| Expanse.Certificate.commonName | String | Common Name for the certificate |
| Expanse.Certificate.dateAdded | Date | The date that the certificate was added to the Expander instance |
| Expanse.Certificate.details.base64Encoded | String | Additional details for the certificate |
| Expanse.Certificate.details.recentIps.assetKey | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.assetType | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.businessUnits.id | String | Business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.businessUnits.name | String | Business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.businessUnits.tenantId | String | Tenant information for business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.commonName | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.domain | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.ip | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.lastObserved | Date | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.provider.id | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.provider.name | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.tenant.id | String | Tenant information for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.tenant.name | String | Tenant information for the recent IPs linked to the certificate |
Expanse.Certificate.details.recentIps.tenant.tenantIdStringTenant information for the recent IPs linked to the certificate
Expanse.Certificate.details.recentIps.typeStringAdditional details for the recent IPs linked to the certificate
Expanse.Certificate.firstObservedDateThe date that the certificate was first observed
Expanse.Certificate.hasLinkedCloudResourcesBooleanWhether the certificate has any linked cloud resources associated with it
Expanse.Certificate.idStringInternal Expanse ID for Certificate
Expanse.Certificate.lastObservedDateThe date that the certificate was most recently observed
Expanse.Certificate.propertiesStringExpanse tagged properties of the certificate
Expanse.Certificate.providers.idStringThe Provider information for the certificate
Expanse.Certificate.providers.nameStringThe Provider information for the certificate
Expanse.Certificate.serviceStatusStringDetected service statuses for the certificate
Expanse.Certificate.tenant.idStringTenant information for the certificate
Expanse.Certificate.tenant.nameStringTenant information for the certificate
Expanse.Certificate.tenant.tenantIdStringTenant information for the certificate
Expanse.Certificate.details.cloudResources.idStringThe cloud resource ID
Expanse.Certificate.details.cloudResources.tenant.idStringTenant information for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.tenant.nameStringTenant information for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.tenant.tenantIdStringTenant information for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.businessUnits.idStringBusiness Units that the cloud resource has been assigned to
Expanse.Certificate.details.cloudResources.businessUnits.nameStringBusiness Units that the cloud resource has been assigned to
Expanse.Certificate.details.cloudResources.businessUnits.tenantIdStringTenant information businessUnits that the cloud resource as been assigned to
Expanse.Certificate.details.cloudResources.dateAddedDateThe date that the cloud resource was added to the Expander instance
Expanse.Certificate.details.cloudResources.firstObservedDateThe date that the cloud resource was first observed
Expanse.Certificate.details.cloudResources.lastObservedDateThe date that the certificate was most recently observed
Expanse.Certificate.details.cloudResources.instanceIdStringInstance ID for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.typeStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.nameStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.ipsStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.domainStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.provider.idStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.provider.nameStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.regionStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.vpc.idStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.vpc.nameStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.accountIntegration.idStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.accountIntegration.nameStringAdditional details for the cloud resource linked to the certificate
Expanse.Certificate.details.cloudResources.recentIps.assetKeyStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.assetTypeStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.businessUnits.idStringBusiness Units that the recent IPs linked to the linked cloud resource has been assigned to
Expanse.Certificate.details.cloudResources.recentIps.businessUnits.nameStringBusiness Units that the recent IPs linked to the linked cloud resource has been assigned to
Expanse.Certificate.details.cloudResources.recentIps.businessUnits.tenantIdStringBusiness Units that the recent IPs linked to the linked cloud resource has been assigned to
Expanse.Certificate.details.cloudResources.recentIps.commonNameStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.domainStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.ipStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.lastObservedDateAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.provider.idStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.provider.nameStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.tenant.idStringTenant information for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.tenant.nameStringTenant information for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.tenant.tenantIdStringTenant information for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.recentIps.typeStringAdditional details for the recent IPs linked to the linked cloud resource
Expanse.Certificate.details.cloudResources.annotations.noteStringCustomer provided annotation details for a certificate
Expanse.Certificate.details.cloudResources.annotations.contacts.idStringID for customer provided contact details for a certificate
Expanse.Certificate.details.cloudResources.annotations.contacts.nameStringCustomer provided contact details for a certificate
Expanse.Certificate.details.cloudResources.annotations.tags.idStringID for customer added tag on a certificate in Expander
Expanse.Certificate.details.cloudResources.annotations.tags.nameStringCustomer added tag on a certificate in Expander
Certificate.NameStringName (CN or SAN) appearing in the certificate.
Certificate.SubjectDNStringThe Subject Distinguished Name of the certificate.

This field includes the Common Name of the certificate. | | Certificate.PEM | String | Certificate in PEM format. | | Certificate.IssuerDN | String | The Issuer Distinguished Name of the certificate. | | Certificate.SerialNumber | String | The Serial Number of the certificate. | | Certificate.ValidityNotAfter | Date | End of certificate validity period. | | Certificate.ValidityNotBefore | Date | Start of certificate validity period. | | Certificate.SubjectAlternativeName.Value | String | Name of the SAN. | | Certificate.SHA256 | String | SHA256 Fingerprint of the certificate in DER format. | | Certificate.SHA1 | String | SHA1 Fingerprint of the certificate in DER format. | | Certificate.MD5 | String | MD5 Fingerprint of the certificate in DER format. | | Certificate.PublicKey.Algorithm | String | Algorithm used for public key of the certificate. | | Certificate.PublicKey.Length | Number | Length in bits of the public key of the certificate. | | Certificate.PublicKey.Modulus | String | Modulus of the public key for RSA keys. | | Certificate.PublicKey.Exponent | Number | Exponent of the public key for RSA keys. | | Certificate.PublicKey.PublicKey | String | The public key for DSA/Unknown keys. | | Certificate.SPKISHA256 | String | SHA256 fingerprint of the certificate Subject Public Key Info. | | Certificate.Signature.Algorithm | String | Algorithm used in the signature of the certificate. | | Certificate.Malicious.Vendor | String | The vendor that reported the file as malicious. | | Certificate.Malicious.Description | String | A description explaining why the file was determined to be malicious. | | DBotScore.Score | Number | The actual score. | | DBotScore.Vendor | String | The vendor used to calculate the score. | | DBotScore.Indicator | String | The indicator that was tested. | | DBotScore.Type | String | The indicator type. |

Command Example#

!expanse-get-certificate limit="1"

Context Example#

{
"Certificate": {
"IssuerDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"MD5": "d4c65570578b04b69bde30beff3f6de5",
"Name": [
"10.254.254.254"
],
"PublicKey": {
"Algorithm": "RSA",
"Exponent": 65537,
"Length": 1024,
"Modulus": "a0:1c:f5:ac:95:17:36:d6:f1:b4:12:a9:8d:c8:73:e2:23:73:20:7a:be:40:11:72:44:d5:85:12:d9:5e:27:9d:21:27:80:4f:5f:e4:68:63:5e:c6:e6:97:2b:68:28:f4:2d:ee:dc:9f:de:59:b4:f9:25:4e:f3:3e:ff:c2:2b:98:8a:a8:6c:0d:0a:f8:23:09:9b:d2:df:69:22:31:7e:16:7f:c7:e8:3b:bd:31:f2:20:61:ea:1d:93:89:3e:24:15:33:a7:7f:10:8b:50:3c:e1:01:a7:51:90:e3:c6:04:37:e5:4b:55:37:15:f8:e3:83:4c:be:bd:7b:81:fd:a1:91",
"PublicKey": "30:81:9f:30:0d:06:09:2a:86:48:86:f7:0d:01:01:01:05:00:03:81:8d:00:30:81:89:02:81:81:00:a0:1c:f5:ac:95:17:36:d6:f1:b4:12:a9:8d:c8:73:e2:23:73:20:7a:be:40:11:72:44:d5:85:12:d9:5e:27:9d:21:27:80:4f:5f:e4:68:63:5e:c6:e6:97:2b:68:28:f4:2d:ee:dc:9f:de:59:b4:f9:25:4e:f3:3e:ff:c2:2b:98:8a:a8:6c:0d:0a:f8:23:09:9b:d2:df:69:22:31:7e:16:7f:c7:e8:3b:bd:31:f2:20:61:ea:1d:93:89:3e:24:15:33:a7:7f:10:8b:50:3c:e1:01:a7:51:90:e3:c6:04:37:e5:4b:55:37:15:f8:e3:83:4c:be:bd:7b:81:fd:a1:91:02:03:01:00:01"
},
"SHA1": "9867b47d69cd5632b39642ae83111ed4ccdea05a",
"SHA256": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
"SPKISHA256": "631dc65da0ebd34092d588969da71ecaf4d8348b2660e18e4f71b82374b109ad",
"SerialNumber": "12064359",
"Signature": {
"Algorithm": "SHA256withRSA"
},
"SubjectDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"ValidityNotAfter": "2112-06-12T00:39:31Z",
"ValidityNotBefore": "2013-11-18T00:39:31Z"
},
"DBotScore": {
"Indicator": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
"Score": 0,
"Type": "certificate",
"Vendor": "ExpanseV2"
},
"Expanse": {
"Certificate": {
"annotations": {
"contacts": [],
"note": "",
"tags": []
},
"businessUnits": [
{
"id": "c94c50ca-124f-4983-8da5-1756138e2252",
"name": "PANW Acme Latex Supply Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
],
"certificate": {
"formattedIssuerOrg": null,
"id": "d4c65570-578b-34b6-9bde-30beff3f6de5",
"issuer": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"issuerAlternativeNames": "",
"issuerCountry": "CN",
"issuerEmail": null,
"issuerLocality": "GD",
"issuerName": "10.254.254.254",
"issuerOrg": "CHINA-ISI",
"issuerOrgUnit": "CHINA-ISI",
"issuerState": "GZ",
"md5Hash": "1MZVcFeLBLab3jC-_z9t5Q==",
"pemSha1": "mGe0fWnNVjKzlkKugxEe1MzeoFo=",
"pemSha256": "y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=",
"publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgHPWslRc21vG0EqmNyHPiI3Mger5AEXJE1YUS2V4nnSEngE9f5GhjXsbmlytoKPQt7tyf3lm0+SVO8z7/wiuYiqhsDQr4Iwmb0t9pIjF+Fn/H6Du9MfIgYeodk4k+JBUzp38Qi1A84QGnUZDjxgQ35UtVNxX444NMvr17gf2hkQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 1024,
"publicKeyModulus": "a01cf5ac951736d6f1b412a98dc873e22373207abe40117244d58512d95e279d2127804f5fe468635ec6e6972b6828f42deedc9fde59b4f9254ef33effc22b988aa86c0d0af823099bd2df6922317e167fc7e83bbd31f22061ea1d93893e241533a77f108b503ce101a75190e3c60437e54b553715f8e3834cbebd7b81fda191",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0=",
"serialNumber": "12064359",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"subjectAlternativeNames": "",
"subjectCountry": "CN",
"subjectEmail": null,
"subjectLocality": "GD",
"subjectName": "10.254.254.254",
"subjectOrg": "CHINA-ISI",
"subjectOrgUnit": "CHINA-ISI",
"subjectState": "GZ",
"validNotAfter": "2112-06-12T00:39:31Z",
"validNotBefore": "2013-11-18T00:39:31Z",
"version": "3"
},
"certificateAdvertisementStatus": [
"NO_CERTIFICATE_ADVERTISEMENT"
],
"commonName": "10.254.254.254",
"dateAdded": "2020-09-22T21:23:06.866Z",
"details": null,
"firstObserved": null,
"hasLinkedCloudResources": false,
"id": "30a111ae-39e2-3b82-b459-249bac0c6065",
"lastObserved": null,
"properties": [
"LONG_EXPIRATION",
"SELF_SIGNED",
"SHORT_KEY"
],
"providers": [
{
"id": "Unknown",
"name": "None"
}
],
"serviceStatus": [
"NO_ACTIVE_SERVICE",
"NO_ACTIVE_ON_PREM_SERVICE",
"NO_ACTIVE_CLOUD_SERVICE"
],
"tenant": {
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
}
}
}

Human Readable Output#

Expanse Certificate List#

| annotations | businessUnits | certificate | certificateAdvertisementStatus | commonName | dateAdded | details | firstObserved | hasLinkedCloudResources | id | lastObserved | properties | providers | serviceStatus | tenant |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| contacts: <br>tags: <br>note: | {'id': 'c94c50ca-124f-4983-8da5-1756138e2252', 'name': 'PANW Acme Latex Supply Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'} | md5Hash: 1MZVcFeLBLab3jC-_z9t5Q==<br>id: d4c65570-578b-34b6-9bde-30beff3f6de5<br>issuer: C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254<br>issuerAlternativeNames: <br>issuerCountry: CN<br>issuerEmail: null<br>issuerLocality: GD<br>issuerName: 10.254.254.254<br>issuerOrg: CHINA-ISI<br>formattedIssuerOrg: null<br>issuerOrgUnit: CHINA-ISI<br>issuerState: GZ<br>publicKey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgHPWslRc21vG0EqmNyHPiI3Mger5AEXJE1YUS2V4nnSEngE9f5GhjXsbmlytoKPQt7tyf3lm0+SVO8z7/wiuYiqhsDQr4Iwmb0t9pIjF+Fn/H6Du9MfIgYeodk4k+JBUzp38Qi1A84QGnUZDjxgQ35UtVNxX444NMvr17gf2hkQIDAQAB<br>publicKeyAlgorithm: RSA<br>publicKeyRsaExponent: 65537<br>signatureAlgorithm: SHA256withRSA<br>subject: C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254<br>subjectAlternativeNames: <br>subjectCountry: CN<br>subjectEmail: null<br>subjectLocality: GD<br>subjectName: 10.254.254.254<br>subjectOrg: CHINA-ISI<br>subjectOrgUnit: CHINA-ISI<br>subjectState: GZ<br>serialNumber: 12064359<br>validNotBefore: 2013-11-18T00:39:31Z<br>validNotAfter: 2112-06-12T00:39:31Z<br>version: 3<br>publicKeyBits: 1024<br>pemSha256: y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=<br>pemSha1: mGe0fWnNVjKzlkKugxEe1MzeoFo=<br>publicKeyModulus: a01cf5ac951736d6f1b412a98dc873e22373207abe40117244d58512d95e279d2127804f5fe468635ec6e6972b6828f42deedc9fde59b4f9254ef33effc22b988aa86c0d0af823099bd2df6922317e167fc7e83bbd31f22061ea1d93893e241533a77f108b503ce101a75190e3c60437e54b553715f8e3834cbebd7b81fda191<br>publicKeySpki: Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0= | NO_CERTIFICATE_ADVERTISEMENT | 10.254.254.254 | 2020-09-22T21:23:06.866Z |  |  | false | 30a111ae-39e2-3b82-b459-249bac0c6065 |  | LONG_EXPIRATION,<br>SELF_SIGNED,<br>SHORT_KEY | {'id': 'Unknown', 'name': 'None'} | NO_ACTIVE_SERVICE,<br>NO_ACTIVE_ON_PREM_SERVICE,<br>NO_ACTIVE_CLOUD_SERVICE | id: f738ace6-f451-4f31-898d-a12afa204b2a<br>name: PANW VanDelay Dev<br>tenantId: f738ace6-f451-4f31-898d-a12afa204b2a |
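
In the context example above, Expanse's raw `md5Hash`, `pemSha1`, `pemSha256` and `publicKeySpki` values are URL-safe base64 encodings of the same digests that the standard `Certificate` context shows in hex, and the `certificate` command takes the hex form. The following Python sketch is an added example, not part of the integration's code: it converts the raw values to hex, cross-checks them against the standard context, and re-derives basic hygiene flags. The function names, the `MIN_RSA_BITS` and `MAX_VALIDITY_DAYS` thresholds and the flag names are assumptions, not Expanse's definitions of `SHORT_KEY` or `LONG_EXPIRATION`.

```python
import base64
import binascii
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the context example on this page.
CONTEXT = {
    "Certificate": {
        "IssuerDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
        "SubjectDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
        "MD5": "d4c65570578b04b69bde30beff3f6de5",
        "SHA1": "9867b47d69cd5632b39642ae83111ed4ccdea05a",
        "SHA256": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
        "SPKISHA256": "631dc65da0ebd34092d588969da71ecaf4d8348b2660e18e4f71b82374b109ad",
        "PublicKey": {"Algorithm": "RSA", "Length": 1024},
        "ValidityNotBefore": "2013-11-18T00:39:31Z",
        "ValidityNotAfter": "2112-06-12T00:39:31Z",
    },
    "Expanse": {"Certificate": {"certificate": {
        "md5Hash": "1MZVcFeLBLab3jC-_z9t5Q==",
        "pemSha1": "mGe0fWnNVjKzlkKugxEe1MzeoFo=",
        "pemSha256": "y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=",
        "publicKeySpki": "Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0=",
    }}},
}

# Expanse raw field -> (standard Certificate context key, digest size in bytes)
DIGEST_FIELDS = {
    "md5Hash": ("MD5", 16),
    "pemSha1": ("SHA1", 20),
    "pemSha256": ("SHA256", 32),
    "publicKeySpki": ("SPKISHA256", 32),
}

MIN_RSA_BITS = 2048      # assumption: local policy, not an Expanse threshold
MAX_VALIDITY_DAYS = 398  # assumption: local policy, not an Expanse threshold


def b64url_to_hex(value, expected_len):
    """Decode a URL-safe base64 digest and return it as lowercase hex."""
    if not isinstance(value, str) or not value:
        raise ValueError("empty digest value")
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not URL-safe base64: {value!r}") from exc
    if len(raw) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(raw)}")
    return raw.hex()


def hex_digests(expanse_cert):
    """Map Expanse.Certificate.certificate digests to hex, keyed like Certificate.*."""
    out = {}
    for field, (std_key, size) in DIGEST_FIELDS.items():
        if expanse_cert.get(field):
            out[std_key] = b64url_to_hex(expanse_cert[field], size)
    return out


def _parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(context):
    """Cross-check fingerprints and derive hygiene flags from one context entry."""
    cert = context["Certificate"]
    decoded = hex_digests(context["Expanse"]["Certificate"]["certificate"])
    # A mismatch means the raw and standard views describe different certificates.
    mismatches = sorted(k for k, v in decoded.items()
                        if str(cert.get(k, "")).lower() != v)
    validity_days = (_parse_utc(cert["ValidityNotAfter"])
                     - _parse_utc(cert["ValidityNotBefore"])).days
    key = cert.get("PublicKey", {})
    flags = []
    if key.get("Algorithm") == "RSA" and key.get("Length", 0) < MIN_RSA_BITS:
        flags.append("rsa_key_below_minimum")
    if validity_days > MAX_VALIDITY_DAYS:
        flags.append("validity_above_maximum")
    if cert.get("SubjectDN") and cert.get("SubjectDN") == cert.get("IssuerDN"):
        flags.append("subject_equals_issuer")  # heuristic for self-issued
    return {
        "certificate_argument": decoded.get("MD5"),  # hex MD5 for !certificate
        "mismatches": mismatches,
        "validity_days": validity_days,
        "flags": flags,
    }


if __name__ == "__main__":
    print(triage(CONTEXT))
```

The `certificate_argument` value is the hex MD5 that the `certificate` command example on this page passes as `certificate="..."`.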

certificate#


Provides data enrichment for an X509 Certificate from Expanse.

Base Command#

certificate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| certificate | MD5, SHA-1, SHA-256 or SHA-512 hash of the certificate to enrich. If an MD5 hash is given, the command checks directly with the Expanse API; otherwise the script first looks for an indicator with the given hash to retrieve the corresponding MD5 hash. | Optional |
| set_expanse_fields | If set to true, the command updates the Expanse custom fields of the indicator, but only if an indicator already exists. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Certificate.annotations.note | String | Customer provided annotation details for a certificate |
| Expanse.Certificate.annotations.contacts.id | String | ID for customer provided contact details for a certificate |
| Expanse.Certificate.annotations.contacts.name | String | Customer provided contact details for a certificate |
| Expanse.Certificate.annotations.tags.id | String | ID for customer added tag on a certificate in Expander |
| Expanse.Certificate.annotations.tags.name | String | Customer added tag on a certificate in Expander |
| Expanse.Certificate.businessUnits.id | String | Business Units that the certificate has been assigned to |
| Expanse.Certificate.businessUnits.name | String | Business Units that the certificate has been assigned to |
| Expanse.Certificate.businessUnits.tenantId | String | Tenant information for business units that the certificate has been assigned to |
| Expanse.Certificate.certificate.formattedIssuerOrg | String | The formatted issuer org in the certificate |
| Expanse.Certificate.certificate.id | String | The certificate ID |
| Expanse.Certificate.certificate.issuer | String | The issuer in the certificate |
| Expanse.Certificate.certificate.issuerAlternativeNames | String | The issuer alternative names in the certificate |
| Expanse.Certificate.certificate.issuerCountry | String | The issuer country in the certificate |
| Expanse.Certificate.certificate.issuerEmail | String | The issuer email in the certificate |
| Expanse.Certificate.certificate.issuerLocality | String | The issuer locality in the certificate |
| Expanse.Certificate.certificate.issuerName | String | The issuer name in the certificate |
| Expanse.Certificate.certificate.issuerOrg | String | The issuer org in the certificate |
| Expanse.Certificate.certificate.issuerOrgUnit | String | The issuer org unit in the certificate |
| Expanse.Certificate.certificate.issuerState | String | The issuer state in the certificate |
| Expanse.Certificate.certificate.md5Hash | String | The md5hash in the certificate |
| Expanse.Certificate.certificate.pemSha1 | String | The pemSha1 in the certificate |
| Expanse.Certificate.certificate.pemSha256 | String | The pemSha256 in the certificate |
| Expanse.Certificate.certificate.publicKey | String | The public key in the certificate |
| Expanse.Certificate.certificate.publicKeyAlgorithm | String | The public key algorithm in the certificate |
| Expanse.Certificate.certificate.publicKeyBits | Number | The public key bits in the certificate |
| Expanse.Certificate.certificate.publicKeyModulus | String | The public key modulus in the certificate |
| Expanse.Certificate.certificate.publicKeyRsaExponent | Number | The public key RSA exponent in the certificate |
| Expanse.Certificate.certificate.publicKeySpki | String | The public key Spki in the certificate |
| Expanse.Certificate.certificate.serialNumber | String | The serial number in the certificate |
| Expanse.Certificate.certificate.signatureAlgorithm | String | The signature algorithm in the certificate |
| Expanse.Certificate.certificate.subject | String | The subject in the certificate |
| Expanse.Certificate.certificate.subjectAlternativeNames | String | The subject alternative names in the certificate |
| Expanse.Certificate.certificate.subjectCountry | String | The subject country in the certificate |
| Expanse.Certificate.certificate.subjectEmail | String | The subject email in the certificate |
| Expanse.Certificate.certificate.subjectLocality | String | The subject locality in the certificate |
| Expanse.Certificate.certificate.subjectName | String | The subject name in the certificate |
| Expanse.Certificate.certificate.subjectOrg | String | The subject org in the certificate |
| Expanse.Certificate.certificate.subjectOrgUnit | String | The subject org unit in the certificate |
| Expanse.Certificate.certificate.subjectState | String | The subject state in the certificate |
| Expanse.Certificate.certificate.validNotAfter | Date | The valid not after date in the certificate |
| Expanse.Certificate.certificate.validNotBefore | Date | The valid not before date in the certificate |
| Expanse.Certificate.certificate.version | String | The version in the certificate |
| Expanse.Certificate.certificateAdvertisementStatus | String | Certificate advertisement statuses |
| Expanse.Certificate.commonName | String | Common Name for the certificate |
| Expanse.Certificate.dateAdded | Date | The date that the certificate was added to the Expander instance |
| Expanse.Certificate.details.base64Encoded | String | Additional details for the certificate |
| Expanse.Certificate.details.recentIps.assetKey | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.assetType | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.businessUnits.id | String | Business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.businessUnits.name | String | Business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.businessUnits.tenantId | String | Tenant information for business Units that the recent IPs linked to the certificate has been assigned to |
| Expanse.Certificate.details.recentIps.commonName | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.domain | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.ip | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.lastObserved | Date | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.provider.id | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.provider.name | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.tenant.id | String | Tenant information for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.tenant.name | String | Tenant information for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.tenant.tenantId | String | Tenant information for the recent IPs linked to the certificate |
| Expanse.Certificate.details.recentIps.type | String | Additional details for the recent IPs linked to the certificate |
| Expanse.Certificate.firstObserved | Date | The date that the certificate was first observed |
| Expanse.Certificate.hasLinkedCloudResources | Boolean | Whether the certificate has any linked cloud resources associated with it |
| Expanse.Certificate.id | String | Internal Expanse ID for Certificate |
| Expanse.Certificate.lastObserved | Date | The date that the certificate was most recently observed |
| Expanse.Certificate.properties | String | Expanse tagged properties of the certificate |
| Expanse.Certificate.providers.id | String | The Provider information for the certificate |
| Expanse.Certificate.providers.name | String | The Provider information for the certificate |
| Expanse.Certificate.serviceStatus | String | Detected service statuses for the certificate |
| Expanse.Certificate.tenant.id | String | Tenant information for the certificate |
| Expanse.Certificate.tenant.name | String | Tenant information for the certificate |
| Expanse.Certificate.tenant.tenantId | String | Tenant information for the certificate |
| Expanse.Certificate.details.cloudResources.id | String | The cloud resource ID |
| Expanse.Certificate.details.cloudResources.tenant.id | String | Tenant information for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.tenant.name | String | Tenant information for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.tenant.tenantId | String | Tenant information for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.businessUnits.id | String | Business Units that the cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.businessUnits.name | String | Business Units that the cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.businessUnits.tenantId | String | Tenant information for business units that the cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.dateAdded | Date | The date that the cloud resource was added to the Expander instance |
| Expanse.Certificate.details.cloudResources.firstObserved | Date | The date that the cloud resource was first observed |
| Expanse.Certificate.details.cloudResources.lastObserved | Date | The date that the certificate was most recently observed |
| Expanse.Certificate.details.cloudResources.instanceId | String | Instance ID for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.type | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.name | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.ips | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.domain | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.provider.id | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.provider.name | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.region | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.vpc.id | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.vpc.name | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.accountIntegration.id | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.accountIntegration.name | String | Additional details for the cloud resource linked to the certificate |
| Expanse.Certificate.details.cloudResources.recentIps.assetKey | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.assetType | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.businessUnits.id | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.recentIps.businessUnits.name | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.recentIps.businessUnits.tenantId | String | Business Units that the recent IPs linked to the linked cloud resource has been assigned to |
| Expanse.Certificate.details.cloudResources.recentIps.commonName | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.domain | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.ip | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.lastObserved | Date | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.provider.id | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.provider.name | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.tenant.id | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.tenant.name | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.tenant.tenantId | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.recentIps.type | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Certificate.details.cloudResources.annotations.note | String | Customer provided annotation details for a certificate |
| Expanse.Certificate.details.cloudResources.annotations.contacts.id | String | ID for customer provided contact details for a certificate |
| Expanse.Certificate.details.cloudResources.annotations.contacts.name | String | Customer provided contact details for a certificate |
| Expanse.Certificate.details.cloudResources.annotations.tags.id | String | ID for customer added tag on a certificate in Expander |
| Expanse.Certificate.details.cloudResources.annotations.tags.name | String | Customer added tag on a certificate in Expander |
| Certificate.Name | String | Name (CN or SAN) appearing in the certificate. |
| Certificate.SubjectDN | String | The Subject Distinguished Name of the certificate. This field includes the Common Name of the certificate. |
| Certificate.PEM | String | Certificate in PEM format. |
| Certificate.IssuerDN | String | The Issuer Distinguished Name of the certificate. |
| Certificate.SerialNumber | String | The Serial Number of the certificate. |
| Certificate.ValidityNotAfter | Date | End of certificate validity period. |
| Certificate.ValidityNotBefore | Date | Start of certificate validity period. |
| Certificate.SubjectAlternativeName.Value | String | Name of the SAN. |
| Certificate.SHA256 | String | SHA256 Fingerprint of the certificate in DER format. |
| Certificate.SHA1 | String | SHA1 Fingerprint of the certificate in DER format. |
| Certificate.MD5 | String | MD5 Fingerprint of the certificate in DER format. |
| Certificate.PublicKey.Algorithm | String | Algorithm used for public key of the certificate. |
| Certificate.PublicKey.Length | Number | Length in bits of the public key of the certificate. |
| Certificate.PublicKey.Modulus | String | Modulus of the public key for RSA keys. |
| Certificate.PublicKey.Exponent | Number | Exponent of the public key for RSA keys. |
| Certificate.PublicKey.PublicKey | String | The public key for DSA/Unknown keys. |
| Certificate.SPKISHA256 | String | SHA256 fingerprint of the certificate Subject Public Key Info. |
| Certificate.Signature.Algorithm | String | Algorithm used in the signature of the certificate. |
| Certificate.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| Certificate.Malicious.Description | String | A description explaining why the file was determined to be malicious. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |

Command Example#

!certificate certificate="d4c65570578b04b69bde30beff3f6de5" set_expanse_fields="false"

Context Example#

{
"Certificate": {
"IssuerDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"MD5": "d4c65570578b04b69bde30beff3f6de5",
"Name": [
"10.254.254.254"
],
"PublicKey": {
"Algorithm": "RSA",
"Exponent": 65537,
"Length": 1024,
"Modulus": "a0:1c:f5:ac:95:17:36:d6:f1:b4:12:a9:8d:c8:73:e2:23:73:20:7a:be:40:11:72:44:d5:85:12:d9:5e:27:9d:21:27:80:4f:5f:e4:68:63:5e:c6:e6:97:2b:68:28:f4:2d:ee:dc:9f:de:59:b4:f9:25:4e:f3:3e:ff:c2:2b:98:8a:a8:6c:0d:0a:f8:23:09:9b:d2:df:69:22:31:7e:16:7f:c7:e8:3b:bd:31:f2:20:61:ea:1d:93:89:3e:24:15:33:a7:7f:10:8b:50:3c:e1:01:a7:51:90:e3:c6:04:37:e5:4b:55:37:15:f8:e3:83:4c:be:bd:7b:81:fd:a1:91",
"PublicKey": "30:81:9f:30:0d:06:09:2a:86:48:86:f7:0d:01:01:01:05:00:03:81:8d:00:30:81:89:02:81:81:00:a0:1c:f5:ac:95:17:36:d6:f1:b4:12:a9:8d:c8:73:e2:23:73:20:7a:be:40:11:72:44:d5:85:12:d9:5e:27:9d:21:27:80:4f:5f:e4:68:63:5e:c6:e6:97:2b:68:28:f4:2d:ee:dc:9f:de:59:b4:f9:25:4e:f3:3e:ff:c2:2b:98:8a:a8:6c:0d:0a:f8:23:09:9b:d2:df:69:22:31:7e:16:7f:c7:e8:3b:bd:31:f2:20:61:ea:1d:93:89:3e:24:15:33:a7:7f:10:8b:50:3c:e1:01:a7:51:90:e3:c6:04:37:e5:4b:55:37:15:f8:e3:83:4c:be:bd:7b:81:fd:a1:91:02:03:01:00:01"
},
"SHA1": "9867b47d69cd5632b39642ae83111ed4ccdea05a",
"SHA256": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
"SPKISHA256": "631dc65da0ebd34092d588969da71ecaf4d8348b2660e18e4f71b82374b109ad",
"SerialNumber": "12064359",
"Signature": {
"Algorithm": "SHA256withRSA"
},
"SubjectDN": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"ValidityNotAfter": "2112-06-12T00:39:31Z",
"ValidityNotBefore": "2013-11-18T00:39:31Z"
},
"DBotScore": {
"Indicator": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
"Score": 0,
"Type": "certificate",
"Vendor": "ExpanseV2"
},
"Expanse": {
"Certificate": {
"annotations": {
"contacts": [],
"note": "",
"tags": [
{
"id": "e00bc79d-d367-36f4-824c-042836fef5fc",
"name": "xsoar-test-pb-tag"
}
]
},
"businessUnits": [
{
"id": "c94c50ca-124f-4983-8da5-1756138e2252",
"name": "PANW Acme Latex Supply Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
],
"certificate": {
"formattedIssuerOrg": null,
"id": "d4c65570-578b-34b6-9bde-30beff3f6de5",
"issuer": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"issuerAlternativeNames": "",
"issuerCountry": "CN",
"issuerEmail": null,
"issuerLocality": "GD",
"issuerName": "10.254.254.254",
"issuerOrg": "CHINA-ISI",
"issuerOrgUnit": "CHINA-ISI",
"issuerState": "GZ",
"md5Hash": "1MZVcFeLBLab3jC-_z9t5Q==",
"pemSha1": "mGe0fWnNVjKzlkKugxEe1MzeoFo=",
"pemSha256": "y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=",
"publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgHPWslRc21vG0EqmNyHPiI3Mger5AEXJE1YUS2V4nnSEngE9f5GhjXsbmlytoKPQt7tyf3lm0+SVO8z7/wiuYiqhsDQr4Iwmb0t9pIjF+Fn/H6Du9MfIgYeodk4k+JBUzp38Qi1A84QGnUZDjxgQ35UtVNxX444NMvr17gf2hkQIDAQAB",
"publicKeyAlgorithm": "RSA",
"publicKeyBits": 1024,
"publicKeyModulus": "a01cf5ac951736d6f1b412a98dc873e22373207abe40117244d58512d95e279d2127804f5fe468635ec6e6972b6828f42deedc9fde59b4f9254ef33effc22b988aa86c0d0af823099bd2df6922317e167fc7e83bbd31f22061ea1d93893e241533a77f108b503ce101a75190e3c60437e54b553715f8e3834cbebd7b81fda191",
"publicKeyRsaExponent": 65537,
"publicKeySpki": "Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0=",
"serialNumber": "12064359",
"signatureAlgorithm": "SHA256withRSA",
"subject": "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254",
"subjectAlternativeNames": "",
"subjectCountry": "CN",
"subjectEmail": null,
"subjectLocality": "GD",
"subjectName": "10.254.254.254",
"subjectOrg": "CHINA-ISI",
"subjectOrgUnit": "CHINA-ISI",
"subjectState": "GZ",
"validNotAfter": "2112-06-12T00:39:31Z",
"validNotBefore": "2013-11-18T00:39:31Z",
"version": "3"
},
"certificateAdvertisementStatus": [
"NO_CERTIFICATE_ADVERTISEMENT"
],
"commonName": "10.254.254.254",
"dateAdded": "2020-09-22T21:23:06.866Z",
"details": {
"base64Encoded": "",
"cloudResources": [],
"recentIps": []
},
"firstObserved": null,
"hasLinkedCloudResources": false,
"id": "30a111ae-39e2-3b82-b459-249bac0c6065",
"lastObserved": null,
"properties": [
"LONG_EXPIRATION",
"SELF_SIGNED",
"SHORT_KEY"
],
"providers": [
{
"id": "Unknown",
"name": "None"
}
],
"serviceStatus": [
"NO_ACTIVE_SERVICE",
"NO_ACTIVE_ON_PREM_SERVICE",
"NO_ACTIVE_CLOUD_SERVICE"
],
"tenant": {
"id": "f738ace6-f451-4f31-898d-a12afa204b2a",
"name": "PANW VanDelay Dev",
"tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
}
}
}
}

Human Readable Output#

Expanse Certificate List#

| Field | Value |
| --- | --- |
| annotations | contacts: <br>tags: {'id': 'e00bc79d-d367-36f4-824c-042836fef5fc', 'name': 'xsoar-test-pb-tag'}<br>note: |
| businessUnits | {'id': 'c94c50ca-124f-4983-8da5-1756138e2252', 'name': 'PANW Acme Latex Supply Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'} |
| certificate | md5Hash: 1MZVcFeLBLab3jC-_z9t5Q==<br>id: d4c65570-578b-34b6-9bde-30beff3f6de5<br>issuer: C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254<br>issuerAlternativeNames: <br>issuerCountry: CN<br>issuerEmail: null<br>issuerLocality: GD<br>issuerName: 10.254.254.254<br>issuerOrg: CHINA-ISI<br>formattedIssuerOrg: null<br>issuerOrgUnit: CHINA-ISI<br>issuerState: GZ<br>publicKey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgHPWslRc21vG0EqmNyHPiI3Mger5AEXJE1YUS2V4nnSEngE9f5GhjXsbmlytoKPQt7tyf3lm0+SVO8z7/wiuYiqhsDQr4Iwmb0t9pIjF+Fn/H6Du9MfIgYeodk4k+JBUzp38Qi1A84QGnUZDjxgQ35UtVNxX444NMvr17gf2hkQIDAQAB<br>publicKeyAlgorithm: RSA<br>publicKeyRsaExponent: 65537<br>signatureAlgorithm: SHA256withRSA<br>subject: C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254<br>subjectAlternativeNames: <br>subjectCountry: CN<br>subjectEmail: null<br>subjectLocality: GD<br>subjectName: 10.254.254.254<br>subjectOrg: CHINA-ISI<br>subjectOrgUnit: CHINA-ISI<br>subjectState: GZ<br>serialNumber: 12064359<br>validNotBefore: 2013-11-18T00:39:31Z<br>validNotAfter: 2112-06-12T00:39:31Z<br>version: 3<br>publicKeyBits: 1024<br>pemSha256: y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=<br>pemSha1: mGe0fWnNVjKzlkKugxEe1MzeoFo=<br>publicKeyModulus: a01cf5ac951736d6f1b412a98dc873e22373207abe40117244d58512d95e279d2127804f5fe468635ec6e6972b6828f42deedc9fde59b4f9254ef33effc22b988aa86c0d0af823099bd2df6922317e167fc7e83bbd31f22061ea1d93893e241533a77f108b503ce101a75190e3c60437e54b553715f8e3834cbebd7b81fda191<br>publicKeySpki: Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0= |
| certificateAdvertisementStatus | NO_CERTIFICATE_ADVERTISEMENT |
| commonName | 10.254.254.254 |
| dateAdded | 2020-09-22T21:23:06.866Z |
| details | recentIps: <br>cloudResources: <br>base64Encoded: |
| firstObserved | |
| hasLinkedCloudResources | false |
| id | 30a111ae-39e2-3b82-b459-249bac0c6065 |
| lastObserved | |
| properties | LONG_EXPIRATION, SELF_SIGNED, SHORT_KEY |
| providers | {'id': 'Unknown', 'name': 'None'} |
| serviceStatus | NO_ACTIVE_SERVICE, NO_ACTIVE_ON_PREM_SERVICE, NO_ACTIVE_CLOUD_SERVICE |
| tenant | id: f738ace6-f451-4f31-898d-a12afa204b2a<br>name: PANW VanDelay Dev<br>tenantId: f738ace6-f451-4f31-898d-a12afa204b2a |
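
The `certificate` context above carries each fingerprint twice: as hex under `Certificate` and as URL-safe base64 under `Expanse.Certificate.certificate`. The following added example (not part of the integration) normalises the two encodings so they can be compared, and re-derives the `properties` flags from the standard fields. The 2048-bit and 825-day thresholds, the issuer-equals-subject heuristic and all function names are assumptions.

```python
import base64
from datetime import datetime, timedelta

# Constructed sample: fields copied from the Context Example above, trimmed.
DN = "C=CN,ST=GZ,L=GD,O=CHINA-ISI,OU=CHINA-ISI,CN=10.254.254.254"
CONTEXT = {
    "Certificate": {
        "IssuerDN": DN,
        "SubjectDN": DN,
        "MD5": "d4c65570578b04b69bde30beff3f6de5",
        "SHA1": "9867b47d69cd5632b39642ae83111ed4ccdea05a",
        "SHA256": "cbb0fe776ca808694dfd99cf59f4cf9278da4af4fab49b57b6aa83067223fd9b",
        "SPKISHA256": "631dc65da0ebd34092d588969da71ecaf4d8348b2660e18e4f71b82374b109ad",
        "PublicKey": {"Algorithm": "RSA", "Length": 1024},
        "ValidityNotBefore": "2013-11-18T00:39:31Z",
        "ValidityNotAfter": "2112-06-12T00:39:31Z",
    },
    "Expanse": {"Certificate": {
        "certificate": {
            "md5Hash": "1MZVcFeLBLab3jC-_z9t5Q==",
            "pemSha1": "mGe0fWnNVjKzlkKugxEe1MzeoFo=",
            "pemSha256": "y7D-d2yoCGlN_ZnPWfTPknjaSvT6tJtXtqqDBnIj_Zs=",
            "publicKeySpki": "Yx3GXaDr00CS1YiWnaceyvTYNIsmYOGOT3G4I3SxCa0=",
        },
        "properties": ["LONG_EXPIRATION", "SELF_SIGNED", "SHORT_KEY"],
    }},
}

# Standard Certificate key -> Expanse key that holds the same digest in the sample.
DIGEST_PAIRS = {"MD5": "md5Hash", "SHA1": "pemSha1",
                "SHA256": "pemSha256", "SPKISHA256": "publicKeySpki"}

MIN_RSA_BITS = 2048                  # assumption: local policy, not Expanse's threshold
MAX_VALIDITY = timedelta(days=825)   # assumption: local policy, not Expanse's threshold


def b64url_to_hex(value):
    """Decode URL-safe base64 (padding optional) and return lowercase hex."""
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded).hex()


def digest_mismatches(context):
    """Return the standard keys whose hex digest disagrees with the Expanse copy."""
    std = context["Certificate"]
    raw = context["Expanse"]["Certificate"]["certificate"]
    bad = []
    for std_key, raw_key in DIGEST_PAIRS.items():
        if not std.get(std_key) or not raw.get(raw_key):
            continue  # nothing to compare
        if b64url_to_hex(raw[raw_key]) != std[std_key].lower():
            bad.append(std_key)
    return bad


def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the context."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def derive_properties(cert):
    """Re-derive risk flags from the standard Certificate fields."""
    flags = set()
    key = cert.get("PublicKey") or {}
    length = key.get("Length")
    if key.get("Algorithm") == "RSA" and isinstance(length, int) and length < MIN_RSA_BITS:
        flags.add("SHORT_KEY")
    # Heuristic only: equal DNs suggest self-signing; no signature is verified here.
    if cert.get("IssuerDN") and cert.get("IssuerDN") == cert.get("SubjectDN"):
        flags.add("SELF_SIGNED")
    start, end = cert.get("ValidityNotBefore"), cert.get("ValidityNotAfter")
    if start and end and parse_ts(end) - parse_ts(start) > MAX_VALIDITY:
        flags.add("LONG_EXPIRATION")
    return flags


def audit(context):
    """Compare locally derived flags and digests with what Expanse reported."""
    derived = derive_properties(context["Certificate"])
    reported = set(context["Expanse"]["Certificate"].get("properties") or [])
    return {
        "digest_mismatches": digest_mismatches(context),
        "only_local": sorted(derived - reported),
        "only_expanse": sorted(reported - derived),
    }


if __name__ == "__main__":
    print(audit(CONTEXT))
```

An empty `only_local` list means every flag the local policy raises is already reported by Expanse; entries in `only_expanse` are flags this local policy cannot reproduce from the standard fields.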

expanse-get-risky-flows#


Retrieve risky flows detected by Expanse Behavior.

Base Command#

expanse-get-risky-flows

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of flows to retrieve. | Optional |
| risk_rule | Retrieve only flows matching this risk rule ID. | Optional |
| internal_ip_range | Filter by internal IP range. Supported formats a.b.c.d, a.b.c.d/e, a.b.c.d-a.b.c.d, a., a.*. | Optional |
| tag_names | Filter by tag names (comma separated string). | Optional |
| created_before | Created Before date (supports ISO8601 format). | Optional |
| created_after | Created After date (supports ISO8601 format). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.RiskyFlow.acked | Boolean | Whether the risky flow was acked |
| Expanse.RiskyFlow.businessUnit.id | String | The business unit id of the asset involved in the risky flow |
| Expanse.RiskyFlow.businessUnit.name | String | The business unit name of the asset involved in the risky flow |
| Expanse.RiskyFlow.created | Date | The timestamp when the risky flow was found and created by Expanse |
| Expanse.RiskyFlow.externalAddress | String | The external IPv4 address involved in the risky flow |
| Expanse.RiskyFlow.externalCountryCode | String | The external country code of the IPv4 involved in the risky flow |
| Expanse.RiskyFlow.externalCountryCodes | String | The external country codes of the IPv4 involved in the risky flow |
| Expanse.RiskyFlow.externalPort | Number | The external port of the communication involved in the risky flow |
| Expanse.RiskyFlow.flowDirection | String | The direction of the risky flow |
| Expanse.RiskyFlow.id | String | The internal ID of the risky flow |
| Expanse.RiskyFlow.internalAddress | String | The internal IPv4 address involved in the risky flow |
| Expanse.RiskyFlow.internalCountryCode | String | The internal country code of the IPv4 involved in the risky flow |
| Expanse.RiskyFlow.internalCountryCodes | String | The internal country codes of the IPv4 involved in the risky flow |
| Expanse.RiskyFlow.internalPort | Number | The internal port of the communication involved in the risky flow |
| Expanse.RiskyFlow.internalTags.ipRange | String | Any tags associated with the internal asset involved in the risky flow |
| Expanse.RiskyFlow.observationTimestamp | Date | The timestamp when the risky flow took place |
| Expanse.RiskyFlow.protocol | String | The protocol of the risky flow |
| Expanse.RiskyFlow.riskRule.additionalDataFields | String | Additional data fields associated with the risk rule for the risky flow |
| Expanse.RiskyFlow.riskRule.description | String | The risk rule description for the risky flow |
| Expanse.RiskyFlow.riskRule.id | String | The risk rule ID for the risky flow |
| Expanse.RiskyFlow.riskRule.name | String | The risk rule name for the risky flow |
| Expanse.RiskyFlow.tenantBusinessUnitId | String | The tenant ID that the risky flow affects |
| Expanse.RiskyFlow.internalDomains | String | The internal domains associated with the risky flow |
| Expanse.RiskyFlow.internalExposureTypes | String | The known exposure types associated with the asset involved in the risky flow |

Command Example#

!expanse-get-risky-flows limit=1

Context Example#

{
"Expanse": {
"RiskyFlow": {
"acked": true,
"businessUnit": {
"id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e8",
"name": "Company Test"
},
"created": "2020-12-18T03:50:10.490005Z",
"externalAddress": "8.8.8.8",
"externalCountryCode": "DE",
"externalCountryCodes": [
"DE"
],
"externalPort": 443,
"flowDirection": "OUTBOUND",
"id": "898b267f-e0cf-35d4-bfe3-4089fbe10c55",
"internalAddress": "1.1.1.1",
"internalCountryCode": "DE",
"internalCountryCodes": [
"DE"
],
"internalDomains": [],
"internalExposureTypes": [],
"internalPort": 42630,
"internalTags": {
"ipRange": []
},
"observationTimestamp": "2020-12-17T20:13:28.192Z",
"protocol": "TCP",
"riskRule": {
"additionalDataFields": "[]",
"description": "Connections to Tor",
"id": "392d03de-ea20-4637-bf17-d419aaaeec19",
"name": "Connections to Tor"
},
"tenantBusinessUnitId": "a823144b-ef1a-4c34-8c02-d080cb4fc4e8"
}
}
}

Human Readable Output#

Results#

| Field | Value |
| --- | --- |
| acked | true |
| businessUnit | id: a823144b-ef1a-4c34-8c02-d080cb4fc4e8<br>name: Company Test |
| created | 2020-12-18T03:50:10.490005Z |
| externalAddress | 1.1.1.1 |
| externalCountryCode | DE |
| externalCountryCodes | DE |
| externalPort | 443 |
| flowDirection | OUTBOUND |
| id | 898b267f-e0cf-35d4-bfe3-4089fbe10c55 |
| internalAddress | 1.1.1.1 |
| internalCountryCode | DE |
| internalCountryCodes | DE |
| internalDomains | |
| internalExposureTypes | |
| internalPort | 42630 |
| internalTags | ipRange: |
| observationTimestamp | 2020-12-17T20:13:28.192Z |
| protocol | TCP |
| riskRule | id: 392d03de-ea20-4637-bf17-d419aaaeec19<br>name: Connections to Tor<br>description: Connections to Tor<br>additionalDataFields: [] |
| tenantBusinessUnitId | a823144b-ef1a-4c34-8c02-d080cb4fc4e8 |

expanse-list-risk-rules#


List risk rules from Expanse Behavior.

Base Command#

expanse-list-risk-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Maximum number of entries to retrieve. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.RiskRule.abbreviatedName | String | The abbreviated name of the risk rule |
| Expanse.RiskRule.businessUnits.id | String | The business unit ID that the risk rule applies to |
| Expanse.RiskRule.dataFields | String | The data fields of the risk rule |
| Expanse.RiskRule.description | String | The description of the risk rule |
| Expanse.RiskRule.direction | String | The directionality of the risk rule |
| Expanse.RiskRule.id | String | The risk rule ID |
| Expanse.RiskRule.name | String | The risk rule name |

Command Example#

!expanse-list-risk-rules limit=3

Context Example#

{
"Expanse.RiskRule(val.id == obj.id)": [
{
"abbreviatedName": "Connections to Kaspersky",
"businessUnits": [
{
"id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e8"
}
],
"dataFields": "[]",
"description": "Connections to Kaspersky",
"direction": "OUTBOUND",
"id": "81b9f50f-2eab-4101-b8c8-c902842887c5",
"name": "Connections to Kaspersky"
},
{
"abbreviatedName": "Outbound Flows from Serve",
"businessUnits": [
{
"id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e8"
}
],
"dataFields": "[]",
"description": "Outbound Flows from Servers (eg, File Downloads and Web Browsing)",
"direction": "OUTBOUND",
"id": "feae9144-bbfe-4681-8a1e-c426d1de0e54",
"name": "Outbound Flows from Servers"
},
{
"abbreviatedName": "Connections to and from B",
"businessUnits": [
{
"id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e8"
}
],
"dataFields": "[]",
"description": "Connections to and from Blacklisted Countries (Belarus, Côte d'Ivoire, Cuba, Democratic Republic of the Congo, Iran, Iraq, Liberia, North Korea, South Sudan, Sudan, Syria, Zimbabwe)",
"direction": "EITHER",
"id": "392d03de-ea20-4637-bf17-d419aaaeec19",
"name": "Connections to and from Blacklisted Countries"
}
]
}

Human Readable Output#

Results#

| abbreviatedName | businessUnits | dataFields | description | direction | id | name |
| --- | --- | --- | --- | --- | --- | --- |
| Connections to Kaspersky | {'id': 'a823144b-ef1a-4c34-8c02-d080cb4fc4e8'} | [] | Connections to Kaspersky | OUTBOUND | 81b9f50f-2eab-4101-b8c8-c902842887c5 | Connections to Kaspersky |
| Outbound Flows from Serve | {'id': 'a823144b-ef1a-4c34-8c02-d080cb4fc4e8'} | [] | Outbound Flows from Servers (eg, File Downloads and Web Browsing) | OUTBOUND | feae9144-bbfe-4681-8a1e-c426d1de0e54 | Outbound Flows from Servers |
| Connections to and from B | {'id': 'a823144b-ef1a-4c34-8c02-d080cb4fc4e8'} | [] | Connections to and from Blacklisted Countries (Belarus, Côte d'Ivoire, Cuba, Democratic Republic of the Congo, Iran, Iraq, Liberia, North Korea, South Sudan, Sudan, Syria, Zimbabwe) | EITHER | 392d03de-ea20-4637-bf17-d419aaaeec19 | Connections to and from Blacklisted Countries |
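
The two Context Examples above differ in shape: `expanse-get-risky-flows` with `limit=1` returns `Expanse.RiskyFlow` as a single object, `expanse-list-risk-rules` returns a list under a key with a `(val.id == obj.id)` suffix, and both carry their data fields as JSON strings. The following added example (not part of the integration; all function and field names in the output rows are assumptions) normalises both shapes, joins each flow to its rule by ID, and flags flows whose embedded rule name differs from the listed rule, as happens for ID `392d03de-…` in the page's own samples.

```python
import json
from datetime import datetime

# Constructed sample: trimmed copies of the two Context Examples above.
FLOWS_CONTEXT = {"Expanse": {"RiskyFlow": {
    "acked": True,
    "created": "2020-12-18T03:50:10.490005Z",
    "externalAddress": "8.8.8.8",
    "externalPort": 443,
    "flowDirection": "OUTBOUND",
    "id": "898b267f-e0cf-35d4-bfe3-4089fbe10c55",
    "internalAddress": "1.1.1.1",
    "internalPort": 42630,
    "observationTimestamp": "2020-12-17T20:13:28.192Z",
    "protocol": "TCP",
    "riskRule": {
        "additionalDataFields": "[]",
        "id": "392d03de-ea20-4637-bf17-d419aaaeec19",
        "name": "Connections to Tor",
    },
}}}
RULES_CONTEXT = {"Expanse.RiskRule(val.id == obj.id)": [
    {"id": "81b9f50f-2eab-4101-b8c8-c902842887c5", "dataFields": "[]",
     "direction": "OUTBOUND", "name": "Connections to Kaspersky"},
    {"id": "392d03de-ea20-4637-bf17-d419aaaeec19", "dataFields": "[]",
     "direction": "EITHER", "name": "Connections to and from Blacklisted Countries"},
]}


def as_list(value):
    """Context holds one result as an object and several as a list; accept both."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_key(context, dotted):
    """Resolve a dotted path, also accepting a flat key with a '(...)' suffix."""
    for key, value in context.items():
        if key.split("(", 1)[0] == dotted:
            return value
    node = context
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the context."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_fields(raw):
    """additionalDataFields / dataFields arrive as a JSON string such as "[]"."""
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except ValueError:
            return raw  # keep the original text if it is not valid JSON
    return raw


def triage(flows_context, rules_context):
    """Return one review row per flow, joined to the rule list by rule ID."""
    rules = {r["id"]: r for r in as_list(find_key(rules_context, "Expanse.RiskRule"))}
    rows = []
    for flow in as_list(find_key(flows_context, "Expanse.RiskyFlow")):
        rule = flow.get("riskRule") or {}
        listed = rules.get(rule.get("id"))
        lag = parse_ts(flow["created"]) - parse_ts(flow["observationTimestamp"])
        drift = listed is not None and listed.get("name") != rule.get("name")
        direction_ok = listed is None or listed.get("direction") in (
            "EITHER", flow.get("flowDirection"))
        rows.append({
            "flow_id": flow.get("id"),
            "internal": "%s:%s" % (flow.get("internalAddress"), flow.get("internalPort")),
            "external": "%s:%s" % (flow.get("externalAddress"), flow.get("externalPort")),
            "rule_id": rule.get("id"),
            "rule_known": listed is not None,
            "name_drift": drift,
            "direction_ok": direction_ok,
            "extra": decode_fields(rule.get("additionalDataFields")),
            "lag_seconds": lag.total_seconds(),  # time from observation to creation
            "acked": bool(flow.get("acked")),
            "needs_review": (not flow.get("acked")) or listed is None
                            or drift or not direction_ok,
        })
    return rows


if __name__ == "__main__":
    for row in triage(FLOWS_CONTEXT, RULES_CONTEXT):
        print(row)
```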

domain#


Provides data enrichment for domains.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain name to enrich. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.Domain.annotations.note | String | Customer provided annotation details for a domain |
| Expanse.Domain.annotations.contacts.id | String | ID for customer provided contact details for a domain |
| Expanse.Domain.annotations.contacts.name | String | Customer provided contact details for a domain |
| Expanse.Domain.annotations.tags.id | String | ID for customer added tag on a domain in Expander |
| Expanse.Domain.annotations.tags.name | String | Customer added tag on a domain in Expander |
| Expanse.Domain.businessUnits.id | String | Business Units that the domain has been assigned to |
| Expanse.Domain.businessUnits.name | String | Business Units that the domain has been assigned to |
| Expanse.Domain.businessUnits.tenantId | String | Tenant ID for business Units that the domain has been assigned to |
| Expanse.Domain.dateAdded | Date | The date that the domain was added to the Expander instance |
| Expanse.Domain.details.recentIps.assetKey | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.assetType | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.id | String | Business Units for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.name | String | Business Units for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.businessUnits.tenantId | String | Tenant information for the business units of the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.commonName | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.domain | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.ip | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.lastObserved | Date | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.provider.id | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.provider.name | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.id | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.name | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.tenant.tenantId | String | Tenant information for the recent IPs that the domain resolved to |
| Expanse.Domain.details.recentIps.type | String | Additional details for the recent IPs that the domain resolved to |
| Expanse.Domain.dnsResolutionStatus | String | Latest DNS resolution status |
| Expanse.Domain.firstObserved | Date | The date that the domain was first observed |
| Expanse.Domain.hasLinkedCloudResources | Boolean | Whether the domain has any linked cloud resources associated with it |
| Expanse.Domain.id | String | Internal Expanse ID for Domain |
| Expanse.Domain.domain | String | The domain value |
| Expanse.Domain.isCollapsed | Boolean | Whether or not the subdomains of the domain are collapsed |
| Expanse.Domain.isPaidLevelDomain | Boolean | Whether or not the domain is a PLD |
| Expanse.Domain.lastObserved | Date | The date that the domain was most recently observed |
| Expanse.Domain.lastSampledIp | String | The last observed IPv4 address for the domain |
| Expanse.Domain.lastSubdomainMetadata.collapseType | String | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.numSubdomains | Number | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.numDistinctIps | Number | Sub-domain metadata |
| Expanse.Domain.lastSubdomainMetadata.date | Date | Sub-domain metadata |
| Expanse.Domain.providers.id | String | Information about the hosting provider of the IP the domain resolves to |
| Expanse.Domain.providers.name | String | Information about the hosting provider of the IP the domain resolves to |
| Expanse.Domain.serviceStatus | String | Detected service statuses for the domain |
| Expanse.Domain.sourceDomain | String | The source domain for the domain object |
| Expanse.Domain.tenant.id | String | Tenant information for the domain |
| Expanse.Domain.tenant.name | String | Tenant information for the domain |
| Expanse.Domain.tenant.tenantId | String | Tenant information for the domain |
| Expanse.Domain.whois.admin.city | String | The admin city in the Whois information for the domain |
| Expanse.Domain.whois.admin.country | String | The admin country in the Whois information for the domain |
| Expanse.Domain.whois.admin.emailAddress | String | The admin email address in the Whois information for the domain |
| Expanse.Domain.whois.admin.faxExtension | String | The admin fax extension in the Whois information for the domain |
| Expanse.Domain.whois.admin.faxNumber | String | The admin fax number in the Whois information for the domain |
| Expanse.Domain.whois.admin.name | String | The admin name in the Whois information for the domain |
| Expanse.Domain.whois.admin.organization | String | The admin organization in the Whois information for the domain |
| Expanse.Domain.whois.admin.phoneExtension | String | The admin phone extension in the Whois information for the domain |
| Expanse.Domain.whois.admin.phoneNumber | String | The admin phone number in the Whois information for the domain |
| Expanse.Domain.whois.admin.postalCode | String | The admin postal code in the Whois information for the domain |
| Expanse.Domain.whois.admin.province | String | The admin province in the Whois information for the domain |
| Expanse.Domain.whois.admin.registryId | String | The admin registry ID in the Whois information for the domain |
| Expanse.Domain.whois.admin.street | String | The admin street in the Whois information for the domain |
| Expanse.Domain.whois.creationDate | Date | The creation date in the Whois information for the domain |
| Expanse.Domain.whois.dnssec | String | The dnssec in the Whois information for the domain |
| Expanse.Domain.whois.domain | String | The domain in the Whois information for the domain |
| Expanse.Domain.whois.domainStatuses | String | The domain statuses in the Whois information for the domain |
| Expanse.Domain.whois.nameServers | String | The name servers in the Whois information for the domain |
| Expanse.Domain.whois.registrant.city | String | The registrant city in the Whois information for the domain |
| Expanse.Domain.whois.registrant.country | String | The registrant country in the Whois information for the domain |
| Expanse.Domain.whois.registrant.emailAddress | String | The registrant email address in the Whois information for the domain |
| Expanse.Domain.whois.registrant.faxExtension | String | The registrant fax extension in the Whois information for the domain |
| Expanse.Domain.whois.registrant.faxNumber | String | The registrant fax number in the Whois information for the domain |
| Expanse.Domain.whois.registrant.name | String | The registrant name in the Whois information for the domain |
| Expanse.Domain.whois.registrant.organization | String | The registrant organization in the Whois information for the domain |
| Expanse.Domain.whois.registrant.phoneExtension | String | The registrant phone extension in the Whois information for the domain |
| Expanse.Domain.whois.registrant.phoneNumber | String | The registrant phone number in the Whois information for the domain |
| Expanse.Domain.whois.registrant.postalCode | String | The registrant postal code in the Whois information for the domain |
| Expanse.Domain.whois.registrant.province | String | The registrant province in the Whois information for the domain |
| Expanse.Domain.whois.registrant.registryId | String | The registrant registry ID in the Whois information for the domain |
| Expanse.Domain.whois.registrant.street | String | The registrant street in the Whois information for the domain |
| Expanse.Domain.whois.registrar.abuseContactEmail | String | The registrar abuse contact email in the Whois information for the domain |
| Expanse.Domain.whois.registrar.abuseContactPhone | String | The registrar abuse contact phone in the Whois information for the domain |
| Expanse.Domain.whois.registrar.formattedName | String | The registrar formatted name in the Whois information for the domain |
| Expanse.Domain.whois.registrar.ianaId | String | The registrar iana ID in the Whois information for the domain |
| Expanse.Domain.whois.registrar.name | String | The registrar name in the Whois information for the domain |
| Expanse.Domain.whois.registrar.registrationExpirationDate | Date | The registrar registration expiration date in the Whois information for the domain |
| Expanse.Domain.whois.registrar.url | String | The registrar URL in the Whois information for the domain |
| Expanse.Domain.whois.registrar.whoisServer | String | The registrar Whois server in the Whois information for the domain |
| Expanse.Domain.whois.registryDomainId | String | The registry domain ID in the Whois information for the domain |
| Expanse.Domain.whois.registryExpiryDate | Date | The registry expiry date in the Whois information for the domain |
| Expanse.Domain.whois.reseller | String | The reseller in the Whois information for the domain |
| Expanse.Domain.whois.tech.city | String | The tech city in the Whois information for the domain |
| Expanse.Domain.whois.tech.country | String | The tech country in the Whois information for the domain |
| Expanse.Domain.whois.tech.emailAddress | String | The tech email address in the Whois information for the domain |
| Expanse.Domain.whois.tech.faxExtension | String | The tech fax extension in the Whois information for the domain |
| Expanse.Domain.whois.tech.faxNumber | String | The tech fax number in the Whois information for the domain |
| Expanse.Domain.whois.tech.name | String | The tech name in the Whois information for the domain |
| Expanse.Domain.whois.tech.organization | String | The tech organization in the Whois information for the domain |
| Expanse.Domain.whois.tech.phoneExtension | String | The tech phone extension in the Whois information for the domain |
| Expanse.Domain.whois.tech.phoneNumber | String | The tech phone number in the Whois information for the domain |
| Expanse.Domain.whois.tech.postalCode | String | The tech postal code in the Whois information for the domain |
| Expanse.Domain.whois.tech.province | String | The tech province in the Whois information for the domain |
| Expanse.Domain.whois.tech.registryId | String | The tech registry ID in the Whois information for the domain |
| Expanse.Domain.whois.tech.street | String | The tech street in the Whois information for the domain |
| Expanse.Domain.whois.updatedDate | Date | The updated date in the Whois information for the domain |
| Expanse.Domain.details.cloudResources.id | String | The cloud resource ID |
| Expanse.Domain.details.cloudResources.tenant.id | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.tenant.name | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.tenant.tenantId | String | Tenant information for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.businessUnits.id | String | Business Units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.businessUnits.name | String | Business Units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.businessUnits.tenantId | String | Tenant information for the business units that the cloud resource has been assigned to |
| Expanse.Domain.details.cloudResources.dateAdded | Date | The date that the cloud resource was added to the Expander instance |
| Expanse.Domain.details.cloudResources.firstObserved | Date | The date that the cloud resource was first observed |
| Expanse.Domain.details.cloudResources.lastObserved | Date | The date that the domain was most recently observed |
| Expanse.Domain.details.cloudResources.instanceId | String | Instance ID for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.type | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.ips | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.domain | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.provider.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.provider.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.region | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.vpc.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.vpc.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.accountIntegration.id | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.accountIntegration.name | String | Additional details for the cloud resource linked to the domain |
| Expanse.Domain.details.cloudResources.recentIps.assetKey | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.assetType | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.id | String | Business Units that the recent IPs linked to the linked cloud resource have been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.name | String | Business Units that the recent IPs linked to the linked cloud resource have been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.businessUnits.tenantId | String | Business Units that the recent IPs linked to the linked cloud resource have been assigned to |
| Expanse.Domain.details.cloudResources.recentIps.commonName | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.domain | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.ip | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.lastObserved | Date | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.provider.id | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.provider.name | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.id | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.name | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.tenant.tenantId | String | Tenant information for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.recentIps.type | String | Additional details for the recent IPs linked to the linked cloud resource |
| Expanse.Domain.details.cloudResources.annotations.note | String | Customer provided annotation details for a domain |
| Expanse.Domain.details.cloudResources.annotations.contacts.id | String | ID for customer provided contact details for a domain |
| Expanse.Domain.details.cloudResources.annotations.contacts.name | String | Customer provided contact details for a domain |
| Expanse.Domain.details.cloudResources.annotations.tags.id | String | ID for customer added tag on a domain in Expander |
| Expanse.Domain.details.cloudResources.annotations.tags.name | String | Customer added tag on a domain in Expander |
| Domain.Name | String | The domain name, for example: "google.com". |
| Domain.DNS | String | A list of IP objects resolved by DNS. |
| Domain.DetectionEngines | Number | The total number of engines that checked the indicator. |
| Domain.PositiveDetections | Number | The number of engines that positively detected the indicator as malicious. |
| Domain.CreationDate | Date | The date that the domain was created. |
| Domain.UpdatedDate | String | The date that the domain was last updated. |
| Domain.ExpirationDate | Date | The expiration date of the domain. |
| Domain.DomainStatus | Date | The status of the domain. |
| Domain.NameServers | String | Name servers of the domain. |
| Domain.Organization | String | The organization of the domain. |
| Domain.Subdomains | String | Subdomains of the domain. |
| Domain.Admin.Country | String | The country of the domain administrator. |
| Domain.Admin.Email | String | The email address of the domain administrator. |
| Domain.Admin.Name | String | The name of the domain administrator. |
| Domain.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.Registrant.Country | String | The country of the registrant. |
| Domain.Registrant.Email | String | The email address of the registrant. |
| Domain.Registrant.Name | String | The name of the registrant. |
| Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
| Domain.WHOIS.DomainStatus | String | The status of the domain. |
| Domain.WHOIS.NameServers | String | Name servers of the domain. |
| Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
| Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
| Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
| Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
| Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
| Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant. |
| Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: "GoDaddy" |
| Domain.WHOIS.Registrar.AbuseEmail | String | The email address of the contact for reporting abuse. |
| Domain.WHOIS.Registrar.AbusePhone | String | The phone number of contact for reporting abuse. |
| Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
| Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
| Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
| Domain.WHOIS.History | String | List of Whois objects |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!domain domain="*.108.pets.com"

Context Example#

{
    "DBotScore": {
        "Indicator": "*.108.pets.com",
        "Score": 0,
        "Type": "domainglob",
        "Vendor": "ExpanseV2"
    },
    "Domain": {
        "Admin": {
            "Country": "UNITED STATES",
            "Email": "legal@petsmart.com",
            "Name": "Admin Contact",
            "Phone": "16235806100"
        },
        "CreationDate": "1994-11-21T05:00:00Z",
        "DomainStatus": "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited",
        "ExpirationDate": "2018-11-20T05:00:00Z",
        "Name": "*.108.pets.com",
        "NameServers": [
            "NS1.MARKMONITOR.COM",
            "NS2.MARKMONITOR.COM",
            "NS3.MARKMONITOR.COM",
            "NS4.MARKMONITOR.COM",
            "NS5.MARKMONITOR.COM",
            "NS6.MARKMONITOR.COM",
            "NS7.MARKMONITOR.COM"
        ],
        "Organization": "PetSmart Home Office, Inc.",
        "Registrant": {
            "Country": "UNITED STATES",
            "Email": "legal@petsmart.com",
            "Name": "Admin Contact",
            "Phone": "16235806100"
        },
        "Registrar": {
            "AbuseEmail": null,
            "AbusePhone": null,
            "Name": "MarkMonitor Inc."
        },
        "UpdatedDate": "2016-10-19T09:12:50Z",
        "WHOIS": {
            "Admin": {
                "Country": "UNITED STATES",
                "Email": "legal@petsmart.com",
                "Name": "Admin Contact",
                "Phone": "16235806100"
            },
            "CreationDate": "1994-11-21T05:00:00Z",
            "DomainStatus": "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited",
            "ExpirationDate": "2018-11-20T05:00:00Z",
            "NameServers": [
                "NS1.MARKMONITOR.COM",
                "NS2.MARKMONITOR.COM",
                "NS3.MARKMONITOR.COM",
                "NS4.MARKMONITOR.COM",
                "NS5.MARKMONITOR.COM",
                "NS6.MARKMONITOR.COM",
                "NS7.MARKMONITOR.COM"
            ],
            "Registrant": {
                "Country": "UNITED STATES",
                "Email": "legal@petsmart.com",
                "Name": "Admin Contact",
                "Phone": "16235806100"
            },
            "Registrar": {
                "AbuseEmail": null,
                "AbusePhone": null,
                "Name": "MarkMonitor Inc."
            },
            "UpdatedDate": "2016-10-19T09:12:50Z"
        }
    },
    "Expanse": {
        "Domain": {
            "annotations": {
                "contacts": [],
                "note": "",
                "tags": [
                    {
                        "id": "e00bc79d-d367-36f4-824c-042836fef5fc",
                        "name": "xsoar-test-pb-tag"
                    }
                ]
            },
            "businessUnits": [
                {
                    "id": "c4de7fad-cde1-46cf-8725-a5999533db59",
                    "name": "PANW VanDelay Import-Export Dev",
                    "tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
                },
                {
                    "id": "f738ace6-f451-4f31-898d-a12afa204b2a",
                    "name": "PANW VanDelay Dev",
                    "tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
                }
            ],
            "dateAdded": "2020-09-22T21:23:02.372Z",
            "details": {
                "cloudResources": [],
                "recentIps": []
            },
            "dnsResolutionStatus": [
                "HAS_DNS_RESOLUTION"
            ],
            "domain": "*.108.pets.com",
            "firstObserved": "2020-09-22T06:10:31.787Z",
            "hasLinkedCloudResources": false,
            "id": "142194a1-f443-3878-8dcc-540f4061c5f5",
            "isCollapsed": false,
            "isPaidLevelDomain": false,
            "lastObserved": "2020-09-22T06:10:31.787Z",
            "lastSampledIp": "72.52.10.14",
            "lastSubdomainMetadata": null,
            "providers": [
                {
                    "id": "Akamai",
                    "name": "Akamai Technologies"
                }
            ],
            "serviceStatus": [
                "NO_ACTIVE_SERVICE",
                "NO_ACTIVE_ON_PREM_SERVICE",
                "NO_ACTIVE_CLOUD_SERVICE"
            ],
            "sourceDomain": "pets.com",
            "tenant": {
                "id": "f738ace6-f451-4f31-898d-a12afa204b2a",
                "name": "PANW VanDelay Dev",
                "tenantId": "f738ace6-f451-4f31-898d-a12afa204b2a"
            },
            "whois": [
                {
                    "admin": {
                        "city": "Phoenix",
                        "country": "UNITED STATES",
                        "emailAddress": "legal@petsmart.com",
                        "faxExtension": "",
                        "faxNumber": "16235806109",
                        "name": "Admin Contact",
                        "organization": "PetSmart Home Office, Inc.",
                        "phoneExtension": "",
                        "phoneNumber": "16235806100",
                        "postalCode": "85027",
                        "province": "AZ",
                        "registryId": null,
                        "street": "19601 N 27th Ave,"
                    },
                    "creationDate": "1994-11-21T05:00:00Z",
                    "dnssec": null,
                    "domain": "pets.com",
                    "domainStatuses": [
                        "clientDeleteProhibited clientTransferProhibited clientUpdateProhibited"
                    ],
                    "nameServers": [
                        "NS1.MARKMONITOR.COM",
                        "NS2.MARKMONITOR.COM",
                        "NS3.MARKMONITOR.COM",
                        "NS4.MARKMONITOR.COM",
                        "NS5.MARKMONITOR.COM",
                        "NS6.MARKMONITOR.COM",
                        "NS7.MARKMONITOR.COM"
                    ],
                    "registrant": {
                        "city": "Phoenix",
                        "country": "UNITED STATES",
                        "emailAddress": "legal@petsmart.com",
                        "faxExtension": "",
                        "faxNumber": "16235806109",
                        "name": "Admin Contact",
                        "organization": "PetSmart Home Office, Inc.",
                        "phoneExtension": "",
                        "phoneNumber": "16235806100",
                        "postalCode": "85027",
                        "province": "AZ",
                        "registryId": null,
                        "street": "19601 N 27th Ave,"
                    },
                    "registrar": {
                        "abuseContactEmail": null,
                        "abuseContactPhone": null,
                        "formattedName": null,
                        "ianaId": null,
                        "name": "MarkMonitor Inc.",
                        "registrationExpirationDate": null,
                        "url": null,
                        "whoisServer": "whois.markmonitor.com"
                    },
                    "registryDomainId": null,
                    "registryExpiryDate": "2018-11-20T05:00:00Z",
                    "reseller": null,
                    "tech": {
                        "city": null,
                        "country": null,
                        "emailAddress": null,
                        "faxExtension": null,
                        "faxNumber": null,
                        "name": null,
                        "organization": null,
                        "phoneExtension": null,
                        "phoneNumber": null,
                        "postalCode": null,
                        "province": null,
                        "registryId": null,
                        "street": null
                    },
                    "updatedDate": "2016-10-19T09:12:50Z"
                }
            ]
        }
    }
}

Human Readable Output#

Expanse Domain List#

| annotations | businessUnits | dateAdded | details | dnsResolutionStatus | domain | firstObserved | hasLinkedCloudResources | id | isCollapsed | isPaidLevelDomain | lastObserved | lastSampledIp | lastSubdomainMetadata | providers | serviceStatus | sourceDomain | tenant | whois |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| contacts: <br/>tags: {'id': 'e00bc79d-d367-36f4-824c-042836fef5fc', 'name': 'xsoar-test-pb-tag'}<br/>note:  | {'id': 'c4de7fad-cde1-46cf-8725-a5999533db59', 'name': 'PANW VanDelay Import-Export Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'},<br/>{'id': 'f738ace6-f451-4f31-898d-a12afa204b2a', 'name': 'PANW VanDelay Dev', 'tenantId': 'f738ace6-f451-4f31-898d-a12afa204b2a'} | 2020-09-22T21:23:02.372Z | recentIps: <br/>cloudResources:  | HAS_DNS_RESOLUTION | *.108.pets.com | 2020-09-22T06:10:31.787Z | false | 142194a1-f443-3878-8dcc-540f4061c5f5 | false | false | 2020-09-22T06:10:31.787Z | 72.52.10.14 |  | {'id': 'Akamai', 'name': 'Akamai Technologies'} | NO_ACTIVE_SERVICE,<br/>NO_ACTIVE_ON_PREM_SERVICE,<br/>NO_ACTIVE_CLOUD_SERVICE | pets.com | id: f738ace6-f451-4f31-898d-a12afa204b2a<br/>name: PANW VanDelay Dev<br/>tenantId: f738ace6-f451-4f31-898d-a12afa204b2a | {'domain': 'pets.com', 'registryDomainId': None, 'updatedDate': '2016-10-19T09:12:50Z', 'creationDate': '1994-11-21T05:00:00Z', 'registryExpiryDate': '2018-11-20T05:00:00Z', 'reseller': None, 'registrar': {'name': 'MarkMonitor Inc.', 'formattedName': None, 'whoisServer': 'whois.markmonitor.com', 'url': None, 'ianaId': None, 'registrationExpirationDate': None, 'abuseContactEmail': None, 'abuseContactPhone': None}, 'domainStatuses': ['clientDeleteProhibited clientTransferProhibited clientUpdateProhibited'], 'nameServers': ['NS1.MARKMONITOR.COM', 'NS2.MARKMONITOR.COM', 'NS3.MARKMONITOR.COM', 'NS4.MARKMONITOR.COM', 'NS5.MARKMONITOR.COM', 'NS6.MARKMONITOR.COM', 'NS7.MARKMONITOR.COM'], 'registrant': {'name': 'Admin Contact', 'organization': 'PetSmart Home Office, Inc.', 'street': '19601 N 27th Ave,', 'city': 'Phoenix', 'province': 'AZ', 'postalCode': '85027', 'country': 'UNITED STATES', 'phoneNumber': '16235806100', 'phoneExtension': '', 'faxNumber': '16235806109', 'faxExtension': '', 'emailAddress': 'legal@petsmart.com', 'registryId': None}, 'admin': {'name': 'Admin Contact', 'organization': 'PetSmart Home Office, Inc.', 'street': '19601 N 27th Ave,', 'city': 'Phoenix', 'province': 'AZ', 'postalCode': '85027', 'country': 'UNITED STATES', 'phoneNumber': '16235806100', 'phoneExtension': '', 'faxNumber': '16235806109', 'faxExtension': '', 'emailAddress': 'legal@petsmart.com', 'registryId': None}, 'tech': {'name': None, 'organization': None, 'street': None, 'city': None, 'province': None, 'postalCode': None, 'country': None, 'phoneNumber': None, 'phoneExtension': None, 'faxNumber': None, 'faxExtension': None, 'emailAddress': None, 'registryId': None}, 'dnssec': None} |

ip#


Provides data enrichment for IPs.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP to enrich. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IP.ip | String | The IPv4 address of the asset |
| Expanse.IP.assetKey | String | Key used to access the asset in the respective Expanse asset API |
| Expanse.IP.assetType | String | The type of asset |
| Expanse.IP.businessUnits.id | String | The internal Expanse ID for the business unit the asset belongs to |
| Expanse.IP.businessUnits.name | String | The name of the business unit the asset belongs to |
| Expanse.IP.businessUnits.tenantId | String | The ID of the tenant that the asset belongs to |
| Expanse.IP.commonName | String | The certificate common name of the asset |
| Expanse.IP.domain | String | The domain name of the asset |
| Expanse.IP.lastObserved | Date | The last observed IPv4 address of the asset |
| Expanse.IP.provider.id | String | The ID of the provider the asset was detected on |
| Expanse.IP.provider.name | String | The name of the provider the asset was detected on |
| Expanse.IP.tenant.id | String | The internal Expanse ID of the tenant that the asset belongs to |
| Expanse.IP.tenant.name | String | The name of the tenant that the asset belongs to |
| Expanse.IP.tenant.tenantId | String | The ID of the tenant that the asset belongs to |
| Expanse.IP.type | String | The type of asset that the IPv4 address relates to |
| IP.Address | String | IP address |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.Hostname | String | The hostname that is mapped to this IP address. |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| IP.Geo.Description | String | Additional information about the location. |
| IP.DetectionEngines | Number | The total number of engines that checked the indicator. |
| IP.PositiveDetections | Number | The number of engines that positively detected the indicator as malicious. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Command Example#

!ip ip="1.1.1.1"

Context Example#

{
    "DBotScore": {
        "Indicator": "1.1.1.1",
        "Score": 0,
        "Type": "ip",
        "Vendor": "ExpanseV2"
    },
    "Expanse": {
        "IP": {
            "assetKey": "test.developers.company.com",
            "assetType": "DOMAIN",
            "businessUnits": [
                {
                    "id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e",
                    "name": "Company Test",
                    "tenantId": "a823144b-ef1a-4c34-8c02-d080cb4fc4e"
                }
            ],
            "commonName": null,
            "domain": "test.developers.company.com",
            "ip": "1.1.1.1",
            "lastObserved": "2020-12-16T07:10:36.961Z",
            "provider": {
                "id": "AWS",
                "name": "Amazon Web Services"
            },
            "tenant": {
                "id": "a823144b-ef1a-4c34-8c02-d080cb4fc4e",
                "name": "Company Test",
                "tenantId": "a823144b-ef1a-4c34-8c02-d080cb4fc4e"
            },
            "type": "DOMAIN_RESOLUTION"
        }
    },
    "IP": {
        "Address": "1.1.1.1",
        "Hostname": "test.developers.company.com"
    }
}

Human Readable Output#

Expanse IP List#

| assetKey | assetType | businessUnits | commonName | domain | ip | lastObserved | provider | tenant | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| test.developers.company.com | DOMAIN | {'id': 'a823144b-ef1a-4c34-8c02-d080cb4fc4e', 'name': 'Company Test', 'tenantId': 'a823144b-ef1a-4c34-8c02-d080cb4fc4e'} |  | test.developers.company.com | 1.1.1.1 | 2020-12-16T07:10:36.961Z | id: AWS<br/>name: Amazon Web Services | id: a823144b-ef1a-4c34-8c02-d080cb4fc4e<br/>name: Company Test<br/>tenantId: a823144b-ef1a-4c34-8c02-d080cb4fc4e | DOMAIN_RESOLUTION |

cidr#


Provides data enrichment for CIDR blocks using Expanse IP Range.

Base Command#

cidr

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cidr | The CIDR block to enrich. | Optional |
| include | Include "none" or any of the following options (comma separated) - annotations, severityCounts, attributionReasons, relatedRegistrationInformation, locationInformation. Default is severityCounts,annotations,attributionReasons,relatedRegistrationInformation,locationInformation. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IPRange.annotations.additionalNotes | String | Customer provided annotation details for an IP range |
| Expanse.IPRange.annotations.contacts | String | Customer provided point-of-contact details for an IP range |
| Expanse.IPRange.annotations.tags | String | Customer provided tags for an IP range |
| Expanse.IPRange.attributionReasons.reason | String | The reasons why an IP range is attributed to the customer |
| Expanse.IPRange.businessUnits.id | String | Business Units that the IP range has been assigned to |
| Expanse.IPRange.businessUnits.name | String | Business Units that the IP range has been assigned to |
| Expanse.IPRange.created | Date | The date that the IP range was added to the Expander instance |
| Expanse.IPRange.id | String | Internal Expanse ID for the IP Range |
| Expanse.IPRange.ipVersion | String | The IP version of the IP range |
| Expanse.IPRange.locationInformation.geolocation.city | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.countryCode | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.latitude | Number | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.longitude | Number | The IP range geolocation |
| Expanse.IPRange.locationInformation.geolocation.regionCode | String | The IP range geolocation |
| Expanse.IPRange.locationInformation.ip | String | The IP range geolocation |
| Expanse.IPRange.modified | Date | The date on which the IP range was last ingested into Expander |
| Expanse.IPRange.rangeIntroduced | Date | The date that the IP range was added to the Expander instance |
| Expanse.IPRange.rangeSize | Number | The number of IP addresses in the IP range |
| Expanse.IPRange.rangeType | String | Whether the IP range is an Expanse-generated parent range or a customer-generated custom range |
| Expanse.IPRange.relatedRegistrationInformation.country | String | The country within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.endAddress | String | The end address within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.handle | String | The handle within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.ipVersion | String | The IP version within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.name | String | The name within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.parentHandle | String | The parent handle within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.address | String | The address within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.email | String | The email within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.action | String | The events action within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.actor | String | The events actor within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.events.date | Date | The events date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.firstRegistered | Date | The first registered date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.formattedName | String | The formatted name within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.handle | String | The handle within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.id | String | The ID within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.lastChanged | Date | The last changed date within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.org | String | The org within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.phone | String | The phone number within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.relatedEntityHandles | String | The related entity handles within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.remarks | String | The remarks within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.roles | String | The roles within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.registryEntities.statuses | String | The statuses within the registry entities of the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.remarks | String | The remarks within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.startAddress | String | The start address within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.updatedDate | Date | The last update date within the IP range registration information |
| Expanse.IPRange.relatedRegistrationInformation.whoisServer | String | The Whois server within the IP range registration information |
| Expanse.IPRange.responsiveIpCount | Number | The number of IPs responsive on the public Internet within the IP range |
| Expanse.IPRange.severityCounts.count | Number | The number of exposures observed on the IP range |
| Expanse.IPRange.severityCounts.type | String | The severity level of the exposures observed on the IP range |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |

Command Example#

!cidr cidr="1.179.133.112/29"

Context Example#

{
    "DBotScore": {
        "Indicator": "1.179.133.112/29",
        "Score": 0,
        "Type": [
            "cidr"
        ],
        "Vendor": "ExpanseV2"
    },
    "Expanse": {
        "IPRange": {
            "annotations": {
                "additionalNotes": "",
                "pointsOfContact": [],
                "tags": [
                    {
                        "created": "2020-12-07",
                        "id": "e00bc79d-d367-36f4-824c-042836fef5fc",
                        "modified": "2020-12-07",
                        "name": "xsoar-test-pb-tag"
                    }
                ]
            },
            "attributionReasons": [
                {
                    "reason": "This parent range is attributed via IP network registration records for 1.179.133.116\u20131.179.133.119"
                },
                {
                    "reason": "This parent range is attributed via IP network registration records for 1.179.133.112\u20131.179.133.115"
                }
            ],
            "businessUnits": [
                {
                    "id": "c94c50ca-124f-4983-8da5-1756138e2252",
                    "name": "PANW Acme Latex Supply Dev"
                }
            ],
            "cidr": "1.179.133.112/29",
            "created": "2020-09-22",
            "customChildRanges": [],
            "id": "0a8f44f9-05dc-42a3-a395-c83dad49fadf",
            "ipVersion": "4",
            "locationInformation": [],
            "modified": "2020-12-18",
            "rangeIntroduced": "2020-09-22",
            "rangeSize": 8,
            "rangeType": "parent",
            "relatedRegistrationInformation": [
                {
                    "country": "th",
                    "endAddress": "1.179.133.115",
                    "handle": "1.179.133.112 - 1.179.133.115",
                    "ipVersion": "4",
                    "name": "saim-synthetic-latex",
                    "parentHandle": "",
                    "registryEntities": [
                        {
                            "address": "",
                            "email": "",
                            "events": [],
                            "firstRegistered": null,
                            "formattedName": "",
                            "handle": "",
                            "id": "125d112c-1169-3025-89e7-4c8c5a16db0b",
                            "lastChanged": null,
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [
                                ""
                            ],
                            "remarks": "",
                            "roles": [
                                "administrative"
                            ],
                            "statuses": ""
                        },
                        {
                            "address": "",
                            "email": "",
                            "events": [],
                            "firstRegistered": null,
                            "formattedName": "",
                            "handle": "",
                            "id": "13cb65ca-9572-394b-b385-b2bd15aceb95",
                            "lastChanged": null,
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [
                                ""
                            ],
                            "remarks": "",
                            "roles": [
                                "technical"
                            ],
                            "statuses": ""
                        },
                        {
                            "address": "TOT Public Company Limited\n89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND ",
                            "email": "apipolg@tot.co.th, abuse@totisp.net",
                            "events": [
                                {
                                    "action": "last changed",
                                    "actor": "null",
                                    "date": "2017-06-21T07:19:22Z",
                                    "links": []
                                }
                            ],
                            "firstRegistered": null,
                            "formattedName": "IRT-TOT-TH",
                            "handle": "IRT-TOT-TH",
                            "id": "3c5ef28b-64d7-3d1f-b343-a31078292b04",
                            "lastChanged": "2017-06-21",
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [],
                            "remarks": "",
                            "roles": [
                                "abuse"
                            ],
                            "statuses": ""
                        }
                    ],
                    "remarks": "saim synthetic latex,Nong Khaem Province",
                    "startAddress": "1.179.133.112",
                    "updatedDate": "2020-09-22",
                    "whoisServer": "whois.apnic.net"
                },
                {
                    "country": "th",
                    "endAddress": "1.179.133.119",
                    "handle": "1.179.133.116 - 1.179.133.119",
                    "ipVersion": "4",
                    "name": "siam-synthetic-latex",
                    "parentHandle": "",
                    "registryEntities": [
                        {
                            "address": "",
                            "email": "",
                            "events": [],
                            "firstRegistered": null,
                            "formattedName": "",
                            "handle": "",
                            "id": "125d112c-1169-3025-89e7-4c8c5a16db0b",
                            "lastChanged": null,
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [
                                ""
                            ],
                            "remarks": "",
                            "roles": [
                                "administrative"
                            ],
                            "statuses": ""
                        },
                        {
                            "address": "",
                            "email": "",
                            "events": [],
                            "firstRegistered": null,
                            "formattedName": "",
                            "handle": "",
                            "id": "13cb65ca-9572-394b-b385-b2bd15aceb95",
                            "lastChanged": null,
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [
                                ""
                            ],
                            "remarks": "",
                            "roles": [
                                "technical"
                            ],
                            "statuses": ""
                        },
                        {
                            "address": "TOT Public Company Limited\n89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND ",
                            "email": "apipolg@tot.co.th, abuse@totisp.net",
                            "events": [
                                {
                                    "action": "last changed",
                                    "actor": "null",
                                    "date": "2017-06-21T07:19:22Z",
                                    "links": []
                                }
                            ],
                            "firstRegistered": null,
                            "formattedName": "IRT-TOT-TH",
                            "handle": "IRT-TOT-TH",
                            "id": "3c5ef28b-64d7-3d1f-b343-a31078292b04",
                            "lastChanged": "2017-06-21",
                            "org": "",
                            "phone": "",
                            "relatedEntityHandles": [],
                            "remarks": "",
                            "roles": [
                                "abuse"
                            ],
                            "statuses": ""
                        }
                    ],
                    "remarks": "siam synthetic latex,Nong Khaem Province",
                    "startAddress": "1.179.133.116",
                    "updatedDate": "2020-09-22",
                    "whoisServer": "whois.apnic.net"
                }
            ],
            "responsiveIpCount": 0,
            "severityCounts": [
                {
                    "count": 0,
                    "type": "CRITICAL"
                },
                {
                    "count": 0,
                    "type": "ROUTINE"
                },
                {
                    "count": 0,
                    "type": "UNCATEGORIZED"
                },
                {
                    "count": 0,
                    "type": "WARNING"
                }
            ]
        }
    }
}

Human Readable Output#

Expanse IP Range List#

| annotations | attributionReasons | businessUnits | cidr | created | customChildRanges | id | ipVersion | locationInformation | modified | rangeIntroduced | rangeSize | rangeType | relatedRegistrationInformation | responsiveIpCount | severityCounts |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| tags: {'id': 'e00bc79d-d367-36f4-824c-042836fef5fc', 'created': '2020-12-07', 'modified': '2020-12-07', 'name': 'xsoar-test-pb-tag'}<br/>additionalNotes: <br/>pointsOfContact:  | {'reason': 'This parent range is attributed via IP network registration records for 1.179.133.116–1.179.133.119'},<br/>{'reason': 'This parent range is attributed via IP network registration records for 1.179.133.112–1.179.133.115'} | {'id': 'c94c50ca-124f-4983-8da5-1756138e2252', 'name': 'PANW Acme Latex Supply Dev'} | 1.179.133.112/29 | 2020-09-22 |  | 0a8f44f9-05dc-42a3-a395-c83dad49fadf | 4 |  | 2020-12-18 | 2020-09-22 | 8 | parent | {'handle': '1.179.133.112 - 1.179.133.115', 'startAddress': '1.179.133.112', 'endAddress': '1.179.133.115', 'ipVersion': '4', 'country': 'th', 'name': 'saim-synthetic-latex', 'parentHandle': '', 'whoisServer': 'whois.apnic.net', 'updatedDate': '2020-09-22', 'remarks': 'saim synthetic latex,Nong Khaem Province', 'registryEntities': [{'id': '125d112c-1169-3025-89e7-4c8c5a16db0b', 'handle': '', 'address': '', 'email': '', 'events': [], 'firstRegistered': None, 'formattedName': '', 'lastChanged': None, 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [''], 'roles': ['administrative']}, {'id': '13cb65ca-9572-394b-b385-b2bd15aceb95', 'handle': '', 'address': '', 'email': '', 'events': [], 'firstRegistered': None, 'formattedName': '', 'lastChanged': None, 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [''], 'roles': ['technical']}, {'id': '3c5ef28b-64d7-3d1f-b343-a31078292b04', 'handle': 'IRT-TOT-TH', 'address': 'TOT Public Company Limited\n89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND ', 'email': 'apipolg@tot.co.th, abuse@totisp.net', 'events': [{'action': 'last changed', 'actor': 'null', 'date': '2017-06-21T07:19:22Z', 'links': []}], 'firstRegistered': None, 'formattedName': 'IRT-TOT-TH', 'lastChanged': '2017-06-21', 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [], 'roles': ['abuse']}]},<br/>{'handle': '1.179.133.116 - 1.179.133.119', 'startAddress': '1.179.133.116', 'endAddress': '1.179.133.119', 'ipVersion': '4', 'country': 'th', 'name': 'siam-synthetic-latex', 'parentHandle': '', 'whoisServer': 'whois.apnic.net', 'updatedDate': '2020-09-22', 'remarks': 'siam synthetic latex,Nong Khaem Province', 'registryEntities': [{'id': '125d112c-1169-3025-89e7-4c8c5a16db0b', 'handle': '', 'address': '', 'email': '', 'events': [], 'firstRegistered': None, 'formattedName': '', 'lastChanged': None, 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [''], 'roles': ['administrative']}, {'id': '13cb65ca-9572-394b-b385-b2bd15aceb95', 'handle': '', 'address': '', 'email': '', 'events': [], 'firstRegistered': None, 'formattedName': '', 'lastChanged': None, 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [''], 'roles': ['technical']}, {'id': '3c5ef28b-64d7-3d1f-b343-a31078292b04', 'handle': 'IRT-TOT-TH', 'address': 'TOT Public Company Limited\n89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND ', 'email': 'apipolg@tot.co.th, abuse@totisp.net', 'events': [{'action': 'last changed', 'actor': 'null', 'date': '2017-06-21T07:19:22Z', 'links': []}], 'firstRegistered': None, 'formattedName': 'IRT-TOT-TH', 'lastChanged': '2017-06-21', 'org': '', 'phone': '', 'remarks': '', 'statuses': '', 'relatedEntityHandles': [], 'roles': ['abuse']}]} | 0 | {'type': 'CRITICAL', 'count': 0},<br/>{'type': 'ROUTINE', 'count': 0},<br/>{'type': 'UNCATEGORIZED', 'count': 0},<br/>{'type': 'WARNING', 'count': 0} |
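
As an added example (not part of the Expanse integration or its documentation), the Python sketch below reduces the `Expanse.IPRange` context returned by `!cidr` to the fields an analyst triages on: addresses in the range that no registration record covers, abuse contacts from `registryEntities`, and non-zero exposure counts. The helper name `summarize_ip_range` and the trimmed `SAMPLE_CONTEXT` are constructed for illustration; the field names are those of the cidr Context Example.

```python
import ipaddress

# Constructed sample: trimmed from the `!cidr` Context Example on this page.
SAMPLE_CONTEXT = {"Expanse": {"IPRange": {
    "cidr": "1.179.133.112/29",
    "rangeSize": 8,
    "relatedRegistrationInformation": [
        {"startAddress": "1.179.133.112", "endAddress": "1.179.133.115",
         "registryEntities": [
             {"email": "", "roles": ["administrative"]},
             {"email": "", "roles": ["technical"]},
             {"email": "apipolg@tot.co.th, abuse@totisp.net", "roles": ["abuse"]},
         ]},
        {"startAddress": "1.179.133.116", "endAddress": "1.179.133.119",
         "registryEntities": [
             {"email": "apipolg@tot.co.th, abuse@totisp.net", "roles": ["abuse"]},
         ]},
    ],
    "severityCounts": [
        {"count": 0, "type": "CRITICAL"}, {"count": 0, "type": "ROUTINE"},
        {"count": 0, "type": "UNCATEGORIZED"}, {"count": 0, "type": "WARNING"},
    ],
}}}


def summarize_ip_range(context):
    """Hypothetical helper: reduce Expanse.IPRange context to triage fields."""
    ip_range = (context.get("Expanse") or {}).get("IPRange") or {}
    network = ipaddress.ip_network(ip_range["cidr"], strict=False)
    addr_cls = type(network.network_address)  # keeps IPv4/IPv6 when formatting
    first, last = int(network.network_address), int(network.broadcast_address)

    intervals, abuse_contacts = [], set()
    for record in ip_range.get("relatedRegistrationInformation") or []:
        # Abuse contacts: the email field may hold several comma-separated addresses.
        for entity in record.get("registryEntities") or []:
            if "abuse" in (entity.get("roles") or []):
                for address in (entity.get("email") or "").split(","):
                    if address.strip():
                        abuse_contacts.add(address.strip().lower())
        try:
            start = ipaddress.ip_address(record["startAddress"])
            end = ipaddress.ip_address(record["endAddress"])
        except (KeyError, ValueError):
            continue  # no usable bounds in this registration record
        if start.version != network.version or end.version != network.version:
            continue
        # Clip to the enriched CIDR; a registration can be wider than the range.
        low, high = max(int(start), first), min(int(end), last)
        if low <= high:
            intervals.append((low, high))

    # Walk the sorted intervals to find addresses with no registration record.
    gaps, cursor = [], first
    for low, high in sorted(intervals):
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= last:
        gaps.append((cursor, last))

    return {
        "cidr": str(network),
        "size_matches_cidr": ip_range.get("rangeSize") == network.num_addresses,
        "unregistered_gaps": [(str(addr_cls(a)), str(addr_cls(b))) for a, b in gaps],
        "abuse_contacts": sorted(abuse_contacts),
        "open_exposures": {item.get("type"): item["count"]
                           for item in ip_range.get("severityCounts") or []
                           if (item.get("count") or 0) > 0},
    }


if __name__ == "__main__":
    print(summarize_ip_range(SAMPLE_CONTEXT))
```

For the sample, the two registration records together cover all eight addresses of the /29, so `unregistered_gaps` is empty and `open_exposures` has no entries.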

expanse-get-domains-for-certificate#


Returns all domains which have been seen with the specified certificate.

Required Permissions#

none

Base Command#

expanse-get-domains-for-certificate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| common_name | The certificate common name | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Expanse.IPDomains.SearchTerm | string | The common name that was searched |
| Expanse.IPDomains.TotalDomainCount | number | The number of domains fo