Skip to main content

Expanse Attribution

This Playbook is part of the Cortex Xpanse by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Panorama Query Logs
  • Account Enrichment - Generic v2.1
  • Expanse Check ServiceNow CMDB


This playbook does not use any integrations.


  • ExpanseAggregateAttributionUser
  • ExpanseEnrichAttribution
  • ExpanseAggregateAttributionDevice
  • ExpanseAggregateAttributionIP
  • ExpanseAggregateAttributionCI


  • cdl-query-logs
  • splunk-search
  • panorama

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPExpanse Issue IP.${incident.expanseip}Required
DomainExpanse Issue Domain.${incident.expansedomain}Optional
ProviderExpanse Issue Provider.${incident.expanseprovider}Optional
PortExpanse Issue Port.${incident.expanseport}Required
ProtocolExpanse Issue Protocol.${incident.expanseprotocol}Required
InternalIPRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be:,, If a list of IP ranges is not provided, the list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used by default.Optional
NumberOfDaysInThePastNumber of days to look back to for logs.7Optional

Playbook Outputs#

Expanse.AttributionIPIP addressesUnknown
Expanse.AttributionCICMDB CIUnknown

Playbook Image#

Expanse Attribution