Expanse Expander Feed

This Integration is part of the Expanse v2 Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use this feed to retrieve the discovered IPs/Domains/Certificates from the Expanse Expander asset database.

This integration was developed and tested with version 2 of the Expander Asset API.

Expanse is a Palo Alto Networks company.

Configure Expanse Expander Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Expanse Expander Feed.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Your server URL | True |
| apikey | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| feed | Fetch indicators | False |
| max_fetch | The maximum number of indicators to fetch. | False |
| min_last_observed | Retrieve indicators observed in the last specified number of days | False |
| feedExpirationPolicy | | False |
| feedExpirationInterval | | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedBypassExclusionList | Bypass exclusion list | False |
| feedReliability | Source Reliability | True |
| feedReputation | Indicator Reputation | False |
| feedTags | Tags | False |
| tlp_color | Traffic Light Protocol Color | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

feedexpanse-get-indicators


Retrieve discovered IPs/IP Ranges/Domains/Certificates

Base Command

feedexpanse-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| max_indicators | The maximum number of results to return per type | Optional |
| ip | Retrieve discovered IPs | Optional |
| domain | Retrieve discovered Domains | Optional |
| certificate | Retrieve discovered certificates | Optional |
| iprange | Retrieve IP Ranges | Optional |

Context Output

There is no context output for this command.

Command Example

!feedexpanse-get-indicators max_indicators=1 certificate=yes ip=yes domain=yes

Human Readable Output

Expanse Indicators (capped at 1)

| value | type |
| --- | --- |
| 198.51.100.220 | IP |
| e0ce1c7a7e02d3a9f361a760e9f2ab22fe3d7e9a9ee9188386b1abff44be6b5f | Certificate |
| test.example.com | Domain |
| 198.51.100.0/24 | CIDR |
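
If rows in the value/type shape shown above are exported to other tooling, a validation pass can reject values that are malformed or do not match their reported type. This is an added example, not part of the integration; the function names and sample rows are constructed, and treating Certificate values as 64-hex-character digests is an assumption based on the example row.

```python
import ipaddress
import re

# Assumption: Certificate indicators are 64-hex-character digests (as in the example row).
DIGEST_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(value):
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False  # too long, single label, or looks like an IPv4 address
    return all(LABEL_RE.match(label) for label in labels)


def is_valid(value, indicator_type):
    """Return True when value is well formed for the type reported with it."""
    try:
        if indicator_type == "IP":
            ipaddress.ip_address(value)
            return True
        if indicator_type == "CIDR":
            # strict=True rejects host bits set in the network, e.g. 198.51.100.7/24
            ipaddress.ip_network(value, strict=True)
            return "/" in value
    except ValueError:
        return False
    if indicator_type == "Certificate":
        return bool(DIGEST_RE.match(value))
    if indicator_type == "Domain":
        return is_valid_domain(value)
    return False  # unknown type: reject rather than guess


def triage(rows):
    """Split (value, type) rows into accepted and rejected lists."""
    accepted, rejected = [], []
    for value, indicator_type in rows:
        target = accepted if is_valid(value.strip(), indicator_type) else rejected
        target.append((value, indicator_type))
    return accepted, rejected


# Constructed sample rows (documentation address space, made-up digest).
SAMPLE_ROWS = [
    ("198.51.100.220", "IP"), ("a1" * 32, "Certificate"),
    ("test.example.com", "Domain"), ("198.51.100.0/24", "CIDR"),
    ("198.51.100..0/24", "CIDR"),   # malformed network
    ("198.51.100.7/24", "CIDR"),    # host bits set
    ("test.example.com", "IP"),     # value does not match its type
]
```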