Skip to main content

Extract and Enrich Expanse Indicators

This Playbook is part of the Cortex Xpanse by Palo Alto Networks (Deprecated) Pack.#

Deprecated

No available replacement.

Subplaybook for Handle Expanse Incident playbooks. Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents. Enrichment is performed via enrichIndicators command and generic playbooks. Returns the enriched indicators.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • IP Enrichment - Generic v2
  • Domain Enrichment - Generic v2

Integrations#

  • ExpanseV2

Scripts#

  • GetDomainDNSDetails
  • SetAndHandleEmpty

Commands#

  • createNewIndicator
  • expanse-get-domain
  • expanse-get-iprange
  • enrichIndicators
  • expanse-get-certificate

Playbook Inputs#

NameDescriptionDefault ValueRequired
Expanse AssetsExpanse Assets to Extract and Enrich.incident.expanseassetOptional
Create IndicatorsCreate Indicators for types that are not handled by AutoExtract, such as Certificates, Domains and DomainGlobs.trueOptional
Expanse IPIP from the Expanse Incident.incident.expanseipOptional

Playbook Outputs#

PathDescriptionType
Expanse.CertificateExpanse Certificate Informationunknown
Expanse.IPRangeExpanse IP Rangeunknown
DomainThe domain objects.unknown
DBotScoreIndicator, Score, Type, and Vendor.unknown
IPThe IP objectsunknown
EndpointThe Endpoint's objectunknown
Expanse.DomainExpanse Domainunknown
DomainDNSDetailsDomain DNS DetailsUnknown

Playbook Image#

Extract and Enrich Expanse Indicators

Edit this page
Report an Issue