Expanse Attribution

This Playbook is part of the Cortex Xpanse Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

Panorama Query Logs
Account Enrichment - Generic v2.1
Expanse Check ServiceNow CMDB

Integrations#

This playbook does not use any integrations.

Scripts#

ExpanseAggregateAttributionUser
ExpanseEnrichAttribution
ExpanseAggregateAttributionDevice
ExpanseAggregateAttributionIP
ExpanseAggregateAttributionCI

Commands#

cdl-query-logs
splunk-search
panorama

Playbook Inputs#

Name	Description	Default Value	Required
IP	Expanse Issue IP.	${incident.expanseip}	Required
Domain	Expanse Issue Domain.	${incident.expansedomain}	Optional
Provider	Expanse Issue Provider.	${incident.expanseprovider}	Optional
Port	Expanse Issue Port.	${incident.expanseport}	Required
Protocol	Expanse Issue Protocol.	${incident.expanseprotocol}	Required
InternalIPRange	A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If a list of IP ranges is not provided, the list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used by default.		Optional
NumberOfDaysInThePast	Number of days to look back to for logs.	7	Optional

Playbook Outputs#

Path	Description	Type
Expanse.AttributionIP	IP addresses	Unknown
Expanse.AttributionDevice	Devices	Unknown
Expanse.AttributionUser	Users	Unknown
Expanse.AttributionCI	CMDB CI	Unknown

Playbook Image#

Expanse Attribution