Skip to main content

Expanse Attribution

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Panorama Query Logs
  • Account Enrichment - Generic v2.1
  • Expanse Check ServiceNow CMDB

Integrations#

This playbook does not use any integrations.

Scripts#

  • ExpanseAggregateAttributionUser
  • ExpanseEnrichAttribution
  • ExpanseAggregateAttributionDevice
  • ExpanseAggregateAttributionIP
  • ExpanseAggregateAttributionCI

Commands#

  • cdl-query-logs
  • splunk-search
  • panorama

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPExpanse Issue IP.${incident.expanseip}Required
DomainExpanse Issue Domain.${incident.expansedomain}Optional
ProviderExpanse Issue Provider.${incident.expanseprovider}Optional
PortExpanse Issue Port.${incident.expanseport}Required
ProtocolExpanse Issue Protocol.${incident.expanseprotocol}Required
InternalIPRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If a list of IP ranges is not provided, the list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used by default.Optional
NumberOfDaysInThePastNumber of days to look back to for logs.7Optional

Playbook Outputs#

PathDescriptionType
Expanse.AttributionIPIP addressesUnknown
Expanse.AttributionDeviceDevicesUnknown
Expanse.AttributionUserUsersUnknown
Expanse.AttributionCICMDB CIUnknown

Playbook Image#

Expanse Attribution

Edit this page
Report an Issue