Skip to main content

Expanse Expander Feed

This Integration is part of the Cortex Xpanse by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database.

This integration was developed and tested with version 2 of Expander Asset API.

Expanse is a Palo Alto Networks company.

Supported Cortex XSOAR versions: 6.0.0 and later.

Configure Expanse Expander Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Expanse Expander Feed.
  3. Click Add instance to create and configure a new integration instance.
urlYour server URLTrue
apikeyAPI KeyTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
feedFetch indicatorsFalse
max_fetchThe maximum number of indicators to fetch.False
min_last_observedRetrieve indicators observed in the last specified number of daysFalse
feedFetchIntervalFeed Fetch IntervalFalse
feedBypassExclusionListBypass exclusion listFalse
feedReliabilitySource ReliabilityTrue
feedReputationIndicator ReputationFalse
tlp_colorTraffic Light Protocol ColorFalse
  1. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Retrieve discovered IPs/IP Ranges/Domains/Certificates

Base Command#



Argument NameDescriptionRequired
max_indicatorsThe maximum number of results to return per typeOptional
ipRetrieve discovered IPsOptional
domainRetrieve discovered DomainsOptional
certificateRetrieve discovered certificatesOptional
iprangeRetrieve IP RangesOptional

Context Output#

There is no context output for this command.

Command Example#

!feedexpanse-get-indicators max_indicators=1 certificate=yes ip=yes domain=yes

Human Readable Output#

Expanse Indicators (capped at 1)#