Expanse

Overview


The Expanse App for Demisto leverages the Expander API to retrieve network exposures and create incidents in Demisto. This application also allows for IP, Domain, Certificate, and Behavior enrichment, retrieving assets and exposures information drawn from Expanse’s unparalleled view of the Internet. This integration was integrated and tested with Expanse Events API v1, Assets API v2, and Behavior API v1.

Use Cases


Configure Expanse on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Expanse.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • API Key
    • Fetch incidents
    • Include Behavior data in incidents
    • Trust any certificate (not secure)
    • Use system proxy settings
    • How many events to pull from Expander per run
    • How many days to pull past events on first run
    • Minimum severity of Expanse Exposure to create an incident for
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


{
"eventType": "ON_PREM_EXPOSURE_APPEARANCE",
"eventTime": "2020-02-05T00:00:00Z",
"businessUnit": {
"id": "a1f0f39b-f358-3c8c-947b-926887871b88",
"name": "VanDelay Import-Export"
},
"payload": {
"_type": "ExposurePayload",
"id": "b0acfbc5-4d55-3fdb-9155-4927eab91218",
"exposureType": "NTP_SERVER",
"ip": "203.215.173.113",
"port": 123,
"portProtocol": "UDP",
"exposureId": "6bedf636-5b6a-3b47-82a5-92b511c0649b",
"domainName": null,
"scanned": "2020-02-05T00:00:00Z",
"geolocation": {
"latitude": 33.7,
"longitude": 73.17,
"city": "ISLAMABAD",
"regionCode": "",
"countryCode": "PK"
},
"configuration": {
"_type": "NtpServerConfiguration",
"response": {
"ntp": {
"leapIndicator": 0,
"mode": 4,
"poll": 4,
"precision": -19,
"stratum": 5,
"delay": 0,
"dispersion": 22,
"version": 4,
"originateTime": "2004-11-24T15:12:11.444Z",
"receiveTime": "2020-02-05T14:25:08.963Z",
"updateTime": "2020-02-05T14:25:01.597Z",
"transmitTime": "2020-02-05T14:25:08.963Z",
"reference": {
"ref_ip": {
"reference": {
"ipv4": "127.127.1.1"
}
}
},
"extentionData": null,
"keyIdentifier": null,
"messageDigest": null
}
}
},
"severity": "ROUTINE",
"tags": {
"ipRange": ["untagged"]
},
"providers": ["InternallyHosted"],
"certificatePem": null,
"remediationStatuses": []
},
"id": "b4a1e2e6-165a-31a5-9e6a-af286adc3dcd"
}
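The following is an added example, not the integration's own code: it turns Expander exposure events shaped like the fetched-incident sample above into Demisto incidents while applying the instance parameters for minimum severity, events per run and days of history on the first run. The severity ordering (ROUTINE < WARNING < CRITICAL), the mapping to Demisto's numeric incident severity, the incident name format and the sample events are assumptions.

```python
"""Added example (not the integration's own code): Expander exposure events
-> Demisto fetch-incidents output, honouring the instance parameters
'Minimum severity of Expanse Exposure to create an incident for',
'How many events to pull from Expander per run' and
'How many days to pull past events on first run'."""
import json
from datetime import datetime, timedelta, timezone

# Assumed ordering of the three Expanse severities seen on this page (the
# SeverityCounts keys), so the minimum-severity setting acts as a threshold.
SEVERITY_RANK = {"ROUTINE": 1, "WARNING": 2, "CRITICAL": 3}
# Demisto incident severity is numeric (0 Unknown, 1 Low, 2 Medium, 3 High,
# 4 Critical); this mapping from Expanse levels is an assumption.
DEMISTO_SEVERITY = {"ROUTINE": 1, "WARNING": 2, "CRITICAL": 4}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp, with or without fractional seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def format_ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def meets_minimum(event, minimum):
    """True when the event's payload severity is at or above 'minimum'."""
    sev = event.get("payload", {}).get("severity", "")
    return SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK.get(minimum, 0)


def event_to_incident(event):
    """Map one Expander event to the dict shape Demisto's fetch-incidents expects."""
    p = event["payload"]
    port = f"{p.get('portProtocol', '')}{p.get('port', '')}"  # e.g. UDP123
    return {
        "name": f"{p['exposureType']} exposure on {p['ip']}:{port}",  # assumed format
        "occurred": event["eventTime"],
        "severity": DEMISTO_SEVERITY.get(p.get("severity"), 0),
        "rawJSON": json.dumps(event),  # full event for the incident layout/mapper
    }


def fetch_incidents(events, minimum_severity, max_events, last_run=None,
                    now=None, days_back=1):
    """Select the events for this run; returns (incidents, next_run).

    events: Expander events ordered oldest first (assumption). last_run: the
    dict returned by the previous call, or None on the first run, when the
    window opens 'days_back' days before 'now' (ISO-8601 string; default is
    the current time).
    """
    if last_run and last_run.get("last_event_time"):
        start = last_run["last_event_time"]
    else:
        now_dt = parse_ts(now) if now else datetime.now(timezone.utc)
        start = format_ts(now_dt - timedelta(days=days_back))
    start_dt = parse_ts(start)
    incidents, latest = [], start
    for ev in events:
        if parse_ts(ev["eventTime"]) <= start_dt:  # already fetched last run
            continue
        if not meets_minimum(ev, minimum_severity):
            continue
        incidents.append(event_to_incident(ev))
        latest = ev["eventTime"]
        if len(incidents) >= max_events:  # honour the per-run cap
            break
    return incidents, {"last_event_time": latest}


# Constructed sample events in the shape of the fetched-incident payload above
# (ids, IPs and the non-NTP exposure types are invented).
SAMPLE_EVENTS = [
    {"eventType": "ON_PREM_EXPOSURE_APPEARANCE", "eventTime": "2020-02-05T00:00:00Z",
     "businessUnit": {"id": "bu-1", "name": "VanDelay Import-Export"},
     "payload": {"_type": "ExposurePayload", "exposureType": "NTP_SERVER",
                 "ip": "203.215.173.113", "port": 123, "portProtocol": "UDP",
                 "severity": "ROUTINE"},
     "id": "evt-1"},
    {"eventType": "ON_PREM_EXPOSURE_APPEARANCE", "eventTime": "2020-02-05T14:25:08.963Z",
     "businessUnit": {"id": "bu-1", "name": "VanDelay Import-Export"},
     "payload": {"_type": "ExposurePayload", "exposureType": "TELNET_SERVER",
                 "ip": "203.215.173.114", "port": 23, "portProtocol": "TCP",
                 "severity": "CRITICAL"},
     "id": "evt-2"},
    {"eventType": "ON_PREM_EXPOSURE_APPEARANCE", "eventTime": "2020-02-06T03:00:00Z",
     "businessUnit": {"id": "bu-1", "name": "VanDelay Import-Export"},
     "payload": {"_type": "ExposurePayload", "exposureType": "HTTP_SERVER",
                 "ip": "203.215.173.115", "port": 80, "portProtocol": "TCP",
                 "severity": "WARNING"},
     "id": "evt-3"},
]
```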

Fetched Behavior Incident Data


{
"id": "c9704240-5021-321e-a82b-32865e07d541",
"tenantBusinessUnitId": "04b5140e-bbe2-3e9c-9318-a39a3b547ed5",
"businessUnit": {
"id": "6b73ef6c-b230-3797-b321-c4a340169eb7",
"name": "Acme Latex Supply"
},
"riskRule": {
"id": "02b6c647-65f4-4b69-b4b0-64af34fd1b29",
"name": "Connections to and from Blacklisted Countries",
"description": "Connections to and from Blacklisted Countries (Belarus, Côte d'Ivoire, Cuba, Democratic Republic of the Congo, Iran, Iraq, Liberia, North Korea, South Sudan, Sudan, Syria, Zimbabwe)",
"additionalDataFields": "[]"
},
"internalAddress": "184.174.38.51",
"internalPort": 35125,
"externalAddress": "217.218.108.188",
"externalPort": 443,
"flowDirection": "OUTBOUND",
"acked": true,
"protocol": "TCP",
"externalCountryCodes": [
"IR"
],
"internalCountryCodes": [
"US"
],
"externalCountryCode": "IR",
"internalCountryCode": "US",
"internalExposureTypes": [],
"internalDomains": [],
"internalTags": {
"ipRange": []
},
"observationTimestamp": "2020-03-23T14:59:04.211Z",
"created": "2020-03-24T02:45:28.450131Z"
}

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. ip
  2. domain
  3. expanse-get-certificate
  4. expanse-get-behavior
  5. expanse-get-exposures
  6. expanse-get-domains-for-certificate

1. ip


ip command

Required Permissions

none

Base Command

ip

Input

Argument Name | Description | Required
ip | ip address | Required

Context Output

Path | Type | Description
IP.Address | String | Internet Protocol Address
IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude
IP.Geo.Country | String | The country in which the IP address is located.
IP.Geo.Description | String | Additional information about the location
Expanse.IP.Address | String | Internet Protocol Address
Expanse.IP.Version | String | Internet Protocol Address Version
Expanse.IP.BusinessUnits | String | Expanse Business Units this IP belongs to
Expanse.IP.IPRange.StartAddress | String | First IP address in IP Network this IP address belongs to
Expanse.IP.IPRange.EndAddress | String | Last IP address in IP Network this IP address belongs to
Expanse.IP.IPRange.RangeSize | Number | Number of IP addresses in IP Network this IP address belongs to
Expanse.IP.IPRange.ResponsiveIPCount | Number | Number of responsive IP addresses in IP Network this IP address belongs to
Expanse.IP.IPRange.RangeIntroduced | Date | Date the IP network this IP address belongs to was introduced to Expanse
Expanse.IP.IPRange.AttributionReasons | String | The reason why this IP belongs to the IP Range
Expanse.IP.Geo.Latitude | String | Geo coordinates: Latitude of IP address
Expanse.IP.Geo.Longitude | String | Geo coordinates: Longitude of IP address
Expanse.IP.Geo.City | String | Geo coordinates city for this IP address
Expanse.IP.Geo.RegionCode | String | Geo coordinates Region Code for this IP address
Expanse.IP.Geo.CountryCode | String | Geo coordinates Country Code for this IP address
Expanse.IP.Annotations.Tags | String | Customer defined Tags from Expanse related to this IP Range
Expanse.IP.Annotations.AdditionalNotes | String | Customer defined Notes from Expanse related to this IP Range
Expanse.IP.Annotations.PointsOfContact | String | Customer defined Points of Contact from Expanse related to this IP Range
Expanse.IP.SeverityCounts.CRITICAL | Number | Count of CRITICAL Events for this IP address
Expanse.IP.SeverityCounts.ROUTINE | Number | Count of ROUTINE Events for this IP address
Expanse.IP.SeverityCounts.WARNING | Number | Count of WARNING Events for this IP address
Expanse.IP.Geo.Description | String | Additional information about the location
Expanse.IP.Geo.Country | String | The country in which the IP address is located.
Command Example

!ip ip=74.142.119.130

Context Example
{
"IP": {
"Geo": {
"Country": "US",
"Description": "AKRON",
"Location": "41.0433:-81.5239"
},
"Address": "74.142.119.130"
},
"DBotScore": {
"Vendor": "Expanse",
"Indicator": "74.142.119.130",
"Score": 0,
"Type": "ip"
},
"Expanse.IP": {
"Version": "4",
"Annotations": {
"AdditionalNotes": "",
"Tags": [],
"PointsOfContact": []
},
"BusinessUnits": [
"Acme Latex Supply"
],
"SeverityCounts": {
"CRITICAL": 2,
"WARNING": 4,
"ROUTINE": 2
},
"Address": "74.142.119.130",
"Geo": {
"City": "AKRON",
"Description": "AKRON",
"CountryCode": "US",
"Longitude": -81.5239,
"RegionCode": "OH",
"Location": "41.0433:-81.5239",
"Latitude": 41.0433
},
"IPRange": {
"AttributionReasons": [
"This parent range is attributed via IP network registration records for 74.142.119.128\u201374.142.119.135"
],
"ResponsiveIPCount": 1,
"EndAddress": "74.142.119.135",
"RangeIntroduced": "2019-08-02",
"StartAddress": "74.142.119.128",
"RangeSize": 8
}
}
}
Human Readable Output

IP information for: 74.142.119.130

Address: 74.142.119.130
Annotations:
  AdditionalNotes: null
  PointsOfContact: null
  Tags: null
BusinessUnits: Acme Latex Supply
Geo:
  Description: AKRON
  Latitude: 41.0433
  Longitude: -81.5239
  City: AKRON
  RegionCode: OH
  CountryCode: US
  Location: 41.0433:-81.5239
IPRange:
  StartAddress: 74.142.119.128
  EndAddress: 74.142.119.135
  RangeSize: 8
  ResponsiveIPCount: 2
  RangeIntroduced: 2019-08-02
  AttributionReasons: This parent range is attributed via IP network registration records for 74.142.119.128–74.142.119.135
SeverityCounts:
  CRITICAL: 1
  ROUTINE: 4
  WARNING: 2
Version: 4

2. domain


domain command

Required Permissions

none

Base Command

domain

Input

Argument Name | Description | Required
domain | domain to search | Required

Context Output

Path | Type | Description
Domain.Name | String | The domain name, for example: "google.com"
Domain.DNS | String | A list of IP objects resolved by DNS
Domain.CreationDate | Date | The date that the domain was created
Domain.DomainStatus | String | The status of the domain
Domain.ExpirationDate | Date | The expiration date of the domain
Domain.NameServers | String | Name servers of the domain
Domain.Organization | String | The organization of the domain
Domain.Admin.Country | String | The country of the domain administrator
Domain.Admin.Email | String | The email of the domain administrator
Domain.Admin.Name | String | The name of the domain administrator
Domain.Admin.Phone | String | The phone of the domain administrator
Domain.Registrant.Country | String | The country of the registrant
Domain.Registrant.Email | String | The email of the registrant
Domain.Registrant.Name | String | The name of the registrant
Domain.Registrant.Phone | String | The phone of the registrant
Domain.WHOIS.DomainStatus | String | The status of the domain
Domain.WHOIS.NameServers | String | A list of name servers, for example: "ns1.bla.com, ns2.bla.com"
Domain.WHOIS.CreationDate | Date | The date that the domain was created
Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated
Domain.WHOIS.ExpirationDate | Date | The date that the domain expires
Domain.WHOIS.Registrant.Email | String | The email address of the registrant
Domain.WHOIS.Registrant.Name | String | The name of the registrant
Domain.WHOIS.Registrant.Phone | String | The phone of the registrant
Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: "GoDaddy"
Domain.WHOIS.Registrar.AbuseEmail | String | The email address of the contact for reporting abuse
Domain.WHOIS.Registrar.AbusePhone | Unknown | The phone number of the contact for reporting abuse
Domain.WHOIS.Admin.Name | String | The name of the domain administrator
Domain.WHOIS.Admin.Email | String | The email address of the domain administrator
Domain.WHOIS.Admin.Phone | Unknown | The phone number of the domain administrator
Expanse.Domain.Name | String | The domain name, for example: "google.com"
Expanse.Domain.DateAdded | Date | Date the domain was added to Expanse
Expanse.Domain.FirstObserved | Date | Date Expanse first observed the domain
Expanse.Domain.LastObserved | Date | Date Expanse last observed the domain
Expanse.Domain.HasLinkedCloudResources | Boolean | Does this domain have linked cloud resources?
Expanse.Domain.SourceDomain | String | Top level domain
Expanse.Domain.Tenant | String | Customer defined Tenant from Expanse
Expanse.Domain.BusinessUnits | String | Customer defined Business Units from Expanse
Expanse.Domain.DNSSEC | String | DNSSEC info
Expanse.Domain.RecentIPs | String | Any recent IP addresses Expanse has seen for this domain
Expanse.Domain.CloudResources | String | Any Cloud Resources Expanse has seen for this domain
Expanse.Domain.LastSubdomainMetadata | String | Any recent subdomain metadata Expanse has seen for this domain
Expanse.Domain.ServiceStatus | String | Service Status Expanse sees for this domain
Expanse.Domain.LastSampledIP | String | Last seen IP address for this domain
Expanse.Domain.DNS | String | A list of IP objects resolved by DNS
Expanse.Domain.CreationDate | Date | The date that the domain was created
Expanse.Domain.DomainStatus | String | The status of the domain
Expanse.Domain.ExpirationDate | Date | The expiration date of the domain
Expanse.Domain.NameServers | String | Name servers of the domain
Expanse.Domain.Organization | String | The organization of the domain
Expanse.Domain.Admin.Country | String | The country of the domain administrator
Expanse.Domain.Admin.Email | String | The email address of the domain administrator
Expanse.Domain.Admin.Name | String | The name of the domain administrator
Expanse.Domain.Admin.Phone | String | The phone number of the domain administrator
Expanse.Domain.Registrant.Country | String | The country of the registrant
Expanse.Domain.Registrant.Email | String | The email address of the registrant
Expanse.Domain.Registrant.Name | String | The name of the registrant
Expanse.Domain.Registrant.Phone | String | The phone number of the registrant
Expanse.Domain.WHOIS.DomainStatus | String | The status of the domain
Expanse.Domain.WHOIS.NameServers | String | A list of name servers, for example: "ns1.bla.com, ns2.bla.com"
Expanse.Domain.WHOIS.CreationDate | Date | The date that the domain was created
Expanse.Domain.WHOIS.UpdatedDate | String | The date that the domain was last updated
Expanse.Domain.WHOIS.ExpirationDate | String | The date that the domain expires
Expanse.Domain.WHOIS.Registrant.Email | String | The email address of the registrant
Expanse.Domain.WHOIS.Registrant.Name | String | The name of the registrant
Expanse.Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant
Expanse.Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: "GoDaddy"
Expanse.Domain.WHOIS.Registrar.AbuseEmail | String | The email address of the contact for reporting abuse
Expanse.Domain.WHOIS.Registrar.AbusePhone | String | The phone number of the contact for reporting abuse
Expanse.Domain.WHOIS.Admin.Name | String | The name of the domain administrator
Expanse.Domain.WHOIS.Admin.Email | String | The email address of the domain administrator
Expanse.Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator
Command Example

!domain domain=atlas.enron.com

Context Example
{
"Domain": {
"Name": "atlas.enron.com",
"Admin": {
"Phone": "14806242599",
"Country": "UNITED STATES",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
},
"DomainStatus": [
"HAS_DNS_RESOLUTION"
],
"NameServers": [
"NS73.DOMAINCONTROL.COM",
"NS74.DOMAINCONTROL.COM"
],
"ExpirationDate": "2019-10-10T04:00:00Z",
"DNS": [],
"Organization": "Domains By Proxy, LLC",
"CreationDate": "1995-10-10T04:00:00Z",
"Registrant": {
"Phone": "14806242599",
"Country": "UNITED STATES",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
},
"WHOIS": {
"Admin": {
"Phone": "14806242599",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
},
"DomainStatus": [
"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited"
],
"NameServers": [
"NS73.DOMAINCONTROL.COM",
"NS74.DOMAINCONTROL.COM"
],
"UpdatedDate": "2015-07-29T16:20:56Z",
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GoDaddy.com, LLC"
},
"ExpirationDate": "2019-10-10T04:00:00Z",
"CreationDate": "1995-10-10T04:00:00Z",
"Registrant": {
"Phone": "14806242599",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
}
}
},
"Expanse.Domain": {
"LastSubdomainMetadata": null,
"WHOIS": {
"Admin": {
"Phone": "14806242599",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
},
"DomainStatus": [
"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited"
],
"NameServers": [
"NS73.DOMAINCONTROL.COM",
"NS74.DOMAINCONTROL.COM"
],
"UpdatedDate": "2015-07-29T16:20:56Z",
"Registrar": {
"AbuseEmail": null,
"AbusePhone": null,
"Name": "GoDaddy.com, LLC"
},
"ExpirationDate": "2019-10-10T04:00:00Z",
"CreationDate": "1995-10-10T04:00:00Z",
"Registrant": {
"Phone": "14806242599",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
}
},
"DNSSEC": null,
"DomainStatus": [
"HAS_DNS_RESOLUTION"
],
"HasLinkedCloudResources": false,
"SourceDomain": "enron.com",
"LastObserved": "2020-01-02T09:30:00.374Z",
"ExpirationDate": "2019-10-10T04:00:00Z",
"CloudResources": [],
"Tenant": "VanDelay Industries",
"Name": "atlas.enron.com",
"Admin": {
"Phone": "14806242599",
"Country": "UNITED STATES",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
},
"LastSampledIP": "192.64.147.150",
"BusinessUnits": [
"VanDelay Industries"
],
"DNS": [],
"RecentIPs": [],
"Organization": "Domains By Proxy, LLC",
"DateAdded": "2020-01-04T04:57:48.580Z",
"NameServers": [
"NS73.DOMAINCONTROL.COM",
"NS74.DOMAINCONTROL.COM"
],
"FirstObserved": "2020-01-02T09:30:00.374Z",
"ServiceStatus": [
"NO_ACTIVE_SERVICE",
"NO_ACTIVE_CLOUD_SERVICE",
"NO_ACTIVE_ON_PREM_SERVICE"
],
"CreationDate": "1995-10-10T04:00:00Z",
"Registrant": {
"Phone": "14806242599",
"Country": "UNITED STATES",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "Registration Private"
}
},
"DBotScore": {
"Vendor": "Expanse",
"Indicator": "atlas.enron.com",
"Score": 0,
"Type": "url"
}
}
Human Readable Output

Domain information for: atlas.enron.com

Admin:
  Country: UNITED STATES
  Email: ENRON.COM@domainsbyproxy.com
  Name: Registration Private
  Phone: 14806242599
BusinessUnits: VanDelay Industries
CloudResources:
CreationDate: 1995-10-10T04:00:00Z
DNS:
DNSSEC:
DateAdded: 2020-01-04T04:57:48.580Z
DomainStatus: HAS_DNS_RESOLUTION
ExpirationDate: 2019-10-10T04:00:00Z
FirstObserved: 2020-01-02T09:30:00.374Z
HasLinkedCloudResources: false
LastObserved: 2020-01-02T09:30:00.374Z
LastSampledIP: 192.64.147.150
LastSubdomainMetadata:
Name: atlas.enron.com
NameServers: NS73.DOMAINCONTROL.COM, NS74.DOMAINCONTROL.COM
Organization: Domains By Proxy, LLC
RecentIPs:
Registrant:
  Country: UNITED STATES
  Email: ENRON.COM@domainsbyproxy.com
  Name: Registration Private
  Phone: 14806242599
ServiceStatus: NO_ACTIVE_SERVICE, NO_ACTIVE_CLOUD_SERVICE, NO_ACTIVE_ON_PREM_SERVICE
SourceDomain: enron.com
Tenant: VanDelay Industries
WHOIS:
  DomainStatus: clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited
  NameServers: NS73.DOMAINCONTROL.COM, NS74.DOMAINCONTROL.COM
  CreationDate: 1995-10-10T04:00:00Z
  UpdatedDate: 2015-07-29T16:20:56Z
  ExpirationDate: 2019-10-10T04:00:00Z
  Registrant: {"Email": "ENRON.COM@domainsbyproxy.com", "Name": "Registration Private", "Phone": "14806242599"}
  Registrar: {"Name": "GoDaddy.com, LLC", "AbuseEmail": null, "AbusePhone": null}
  Admin: {"Name": "Registration Private", "Email": "ENRON.COM@domainsbyproxy.com", "Phone": "14806242599"}

3. expanse-get-certificate


expanse-get-certificate command

Required Permissions

none

Base Command

expanse-get-certificate

Input

Argument Name | Description | Required
common_name | domain to search | Required

Context Output

Path | Type | Description
Expanse.Certificate.SearchTerm | string | The common name searched for
Expanse.Certificate.CommonName | string | The certificate common name
Expanse.Certificate.FirstObserved | date | Certificate first observation date
Expanse.Certificate.LastObserved | date | Certificate last observation date
Expanse.Certificate.DateAdded | date | Date certificate was added to Expanse
Expanse.Certificate.Provider | string | The certificate provider
Expanse.Certificate.NotValidBefore | date | Certificate not-valid-before date
Expanse.Certificate.NotValidAfter | date | Certificate not-valid-after date
Expanse.Certificate.Properties | string | Certificate properties
Expanse.Certificate.MD5Hash | string | Certificate MD5 Hash
Expanse.Certificate.PublicKeyAlgorithm | string | Certificate public key algorithm used
Expanse.Certificate.PublicKeyBits | number | Public key size
Expanse.Certificate.BusinessUnits | string | Business Unit for certificate
Expanse.Certificate.CertificateAdvertisementStatus | string | Is Certificate advertised
Expanse.Certificate.ServiceStatus | string | Any detected services for the certificate
Expanse.Certificate.RecentIPs | string | Any recent IPs the certificate was detected on
Expanse.Certificate.CloudResources | string | Any cloud resources returning the certificate
Expanse.Certificate.PemSha1 | string | SHA1 hash of the certificate PEM
Expanse.Certificate.PemSha256 | string | SHA256 hash of the certificate PEM
Expanse.Certificate.Issuer.Name | string | Certificate Issuer name
Expanse.Certificate.Issuer.Email | string | Certificate Issuer email
Expanse.Certificate.Issuer.Country | string | Certificate Issuer country
Expanse.Certificate.Issuer.Org | string | Certificate Issuer Org
Expanse.Certificate.Issuer.Unit | string | Certificate Issuer Unit
Expanse.Certificate.Issuer.AltNames | string | Certificate Issuer alternative names
Expanse.Certificate.Issuer.Raw | string | Certificate Issuer raw details
Expanse.Certificate.Subject.Name | string | Certificate Subject name
Expanse.Certificate.Subject.Email | string | Certificate Subject email
Expanse.Certificate.Subject.Country | string | Certificate Subject country
Expanse.Certificate.Subject.Org | string | Certificate Subject Org
Expanse.Certificate.Subject.Unit | string | Certificate Subject Unit
Expanse.Certificate.Subject.AltNames | string | Certificate Subject alternative names
Expanse.Certificate.Subject.Raw | string | Certificate Subject raw details
Command Example

!expanse-get-certificate common_name=atlas.enron.com

Context Example
{
"Expanse.Certificate": {
"BusinessUnits": "VanDelay Industries",
"CertificateAdvertisementStatus": "NO_CERTIFICATE_ADVERTISEMENT",
"CloudResources": "",
"CommonName": "atlas.enron.com",
"DateAdded": "2019-11-21T09:14:27.308679Z",
"FirstObserved": "2019-11-21T09:14:27.308679Z",
"Issuer": {
"AltNames": "",
"Country": "US",
"Email": null,
"Name": "Let's Encrypt Authority X3",
"Org": "Let's Encrypt",
"Raw": "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3",
"Unit": null
},
"LastObserved": "2019-12-19T09:13:47.208679Z",
"MD5Hash": "VEwAbJfmIFAVcZ_x4lm42g==",
"NotValidAfter": "2019-03-31T00:27:46Z",
"NotValidBefore": "2018-12-31T00:27:46Z",
"PemSha1": "3LAYlmV3xtn4ONJ3C9JN_ogz0u8=",
"PemSha256": "kyERnydF-dzOuCCpG4jDnkGr4fI2a--lBZQz2hyhb30=",
"Properties": "EXPIRED",
"Provider": "None",
"PublicKeyAlgorithm": "RSA",
"PublicKeyBits": 2048,
"RecentIPs": "",
"SearchTerm": "atlas.enron.com",
"ServiceStatus": "NO_ACTIVE_SERVICE,NO_ACTIVE_ON_PREM_SERVICE,NO_ACTIVE_CLOUD_SERVICE",
"Subject": {
"AltNames": "atlas.enron.com",
"Country": "US",
"Email": "ENRON.COM@domainsbyproxy.com",
"Name": "atlas.enron.com",
"Org": "ENRON",
"Raw": "CN=api-dev.radioshack.com",
"Unit": null
}
}
}
Human Readable Output

Certificate information for: atlas.enron.com

BusinessUnits: VanDelay Industries
CertificateAdvertisementStatus: NO_CERTIFICATE_ADVERTISEMENT
CloudResources:
CommonName: atlas.enron.com
DateAdded: 2019-11-21T09:14:27.308679Z
FirstObserved:
Issuer:
  Name: Let's Encrypt Authority X3
  Email: null
  Country: US
  Org: Let's Encrypt
  Unit: null
  AltNames:
  Raw: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
LastObserved:
MD5Hash: VEwAbJfmIFAVcZ_x4lm42g==
NotValidAfter: 2019-03-31T00:27:46Z
NotValidBefore: 2018-12-31T00:27:46Z
PemSha1: 3LAYlmV3xtn4ONJ3C9JN_ogz0u8=
PemSha256: kyERnydF-dzOuCCpG4jDnkGr4fI2a--lBZQz2hyhb30=
Properties: EXPIRED
Provider: None
PublicKeyAlgorithm: RSA
PublicKeyBits: 2048
RecentIPs:
SearchTerm: atlas.enron.com
ServiceStatus: NO_ACTIVE_SERVICE,NO_ACTIVE_ON_PREM_SERVICE,NO_ACTIVE_CLOUD_SERVICE
Subject:
  Name: atlas.enron.com
  Email: ENRON.COM@domainsbyproxy.com
  Country: US
  Org: null
  Unit: null
  AltNames: atlas.enron.com
  Raw: CN=atlas.enron.com

4. expanse-get-behavior


expanse-get-behavior command

Required Permissions

none

Base Command

expanse-get-behavior

Input

Argument Name | Description | Required
ip | ip to search | Required
start_time | ISO-8601 UTC timestamp denoting the earliest behavior data to fetch | Required

Context Output

Path | Type | Description
Expanse.Behavior.SearchTerm | string | IP used to search
Expanse.Behavior.InternalAddress | string | IP internal to Organization
Expanse.Behavior.InternalCountryCode | string | Geolocation country code of the internal IP
Expanse.Behavior.BusinessUnit | string | Business unit of IP
Expanse.Behavior.InternalDomains | string | Known domains associated with IP
Expanse.Behavior.InternalIPRanges | string | Known Internal IP ranges containing IP
Expanse.Behavior.InternalExposureTypes | string | Known Exposures for IP
Expanse.Behavior.ExternalAddresses | string | External IP addresses with known communication to IP
Expanse.Behavior.FlowSummaries | string | Summaries of the most recent risky flows for IP
Expanse.Behavior.Flows | string | Array of Flow Objects
Expanse.Behavior.Flows.InternalAddress | string | Internal IP address for flow
Expanse.Behavior.Flows.InternalPort | number | Internal Port for flow
Expanse.Behavior.Flows.InternalCountryCode | string | Internal country code for flow
Expanse.Behavior.Flows.ExternalAddress | string | External IP address for flow
Expanse.Behavior.Flows.ExternalPort | number | External Port for flow
Expanse.Behavior.Flows.ExternalCountryCode | string | External country code for flow
Expanse.Behavior.Flows.Timestamp | date | Timestamp of flow
Expanse.Behavior.Flows.Protocol | string | Protocol of flow (UDP, TCP)
Expanse.Behavior.Flows.Direction | string | Direction of flow
Expanse.Behavior.Flows.RiskRule | string | Risk rule violated by flow
Command Example

!expanse-get-behavior ip=74.142.119.130 start_time=7

Context Example
{
"BusinessUnit": "VanDelay Industries",
"ExternalAddresses": "66.110.49.36,66.110.49.72",
"FlowSummaries": "74.142.119.130:57475 (US) -\u003e 66.110.49.72:443 (CA) TCP violates Outbound Flows from Servers at 2020-04-05T21:18:56.889Z\n74.142.119.130:61694 (US) -\u003e 66.110.49.36:443 (CA) TCP violates Outbound Flows from Servers at 2020-04-05T21:03:50.867Z\n",
"Flows": [
{
"Direction": "OUTBOUND",
"ExternalAddress": "66.110.49.72",
"ExternalCountryCode": "CA",
"ExternalPort": 443,
"InternalAddress": "74.142.119.130",
"InternalCountryCode": "US",
"InternalPort": 57475,
"Protocol": "TCP",
"RiskRule": "Outbound Flows from Servers",
"Timestamp": "2020-04-05T21:18:56.889Z"
},
{
"Direction": "OUTBOUND",
"ExternalAddress": "66.110.49.36",
"ExternalCountryCode": "CA",
"ExternalPort": 443,
"InternalAddress": "74.142.119.130",
"InternalCountryCode": "US",
"InternalPort": 61694,
"Protocol": "TCP",
"RiskRule": "Outbound Flows from Servers",
"Timestamp": "2020-04-05T21:03:50.867Z"
}
],
"InternalAddress": "74.142.119.130",
"InternalCountryCode": "US",
"InternalDomains": "",
"InternalExposureTypes": "HttpServer",
"InternalIPRanges": "",
"SearchTerm": "74.142.119.130"
}
Human Readable Output

Expanse Behavior information for: 74.142.119.130

BusinessUnit: VanDelay Industries
ExternalAddresses: 66.110.49.36,66.110.49.72
FlowSummaries:
  74.142.119.130:57475 (US) -> 66.110.49.72:443 (CA) TCP violates Outbound Flows from Servers at 2020-04-05T21:18:56.889Z
  74.142.119.130:61694 (US) -> 66.110.49.36:443 (CA) TCP violates Outbound Flows from Servers at 2020-04-05T21:03:50.867Z
InternalAddress: 74.142.119.130
InternalCountryCode: US
InternalDomains:
InternalExposureTypes: HttpServer
InternalIPRanges:
SearchTerm: 74.142.119.130
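The block below is an added example, not the integration's own code: it builds the Expanse.Behavior context that expanse-get-behavior returns (Flows, FlowSummaries, ExternalAddresses and the internal-side fields) from raw Behavior API records shaped like the Fetched Behavior Incident Data sample earlier on this page. The summary-line format copies the command example above; newest-first ordering of flows, sorted comma-joined ExternalAddresses, the risk-rule tally and the sample records are assumptions.

```python
"""Added example (not the integration's own code): Behavior API records
-> the Expanse.Behavior context shown for expanse-get-behavior."""
from collections import Counter


def flow_from_record(rec):
    """Reduce one Behavior API record to the Expanse.Behavior.Flows shape."""
    return {
        "InternalAddress": rec["internalAddress"],
        "InternalPort": rec["internalPort"],
        "InternalCountryCode": rec.get("internalCountryCode", ""),
        "ExternalAddress": rec["externalAddress"],
        "ExternalPort": rec["externalPort"],
        "ExternalCountryCode": rec.get("externalCountryCode", ""),
        "Timestamp": rec["observationTimestamp"],
        "Protocol": rec["protocol"],
        "Direction": rec["flowDirection"],
        "RiskRule": rec.get("riskRule", {}).get("name", ""),
    }


def summarize_flow(flow):
    """One FlowSummaries line in the format of the command example:
    '<int ip>:<port> (CC) -> <ext ip>:<port> (CC) <proto> violates <rule> at <ts>'."""
    return ("{InternalAddress}:{InternalPort} ({InternalCountryCode}) -> "
            "{ExternalAddress}:{ExternalPort} ({ExternalCountryCode}) {Protocol} "
            "violates {RiskRule} at {Timestamp}").format(**flow)


def behavior_context(ip, records):
    """Expanse.Behavior context for 'ip'; records for other internal IPs are ignored."""
    mine = [r for r in records if r.get("internalAddress") == ip]
    flows = sorted((flow_from_record(r) for r in mine),
                   key=lambda f: f["Timestamp"], reverse=True)  # newest first (assumed)
    exposures = sorted({t for r in mine for t in r.get("internalExposureTypes", [])})
    domains = sorted({d for r in mine for d in r.get("internalDomains", [])})
    ranges = sorted({t for r in mine for t in r.get("internalTags", {}).get("ipRange", [])})
    return {
        "SearchTerm": ip,
        "InternalAddress": ip,
        "InternalCountryCode": flows[0]["InternalCountryCode"] if flows else "",
        "BusinessUnit": mine[0]["businessUnit"]["name"] if mine else "",
        "InternalDomains": ",".join(domains),
        "InternalIPRanges": ",".join(ranges),
        "InternalExposureTypes": ",".join(exposures),
        "ExternalAddresses": ",".join(sorted({f["ExternalAddress"] for f in flows})),
        "FlowSummaries": "".join(summarize_flow(f) + "\n" for f in flows),
        "Flows": flows,
    }


def flows_by_risk_rule(flows):
    """Count flows per violated risk rule: a quick triage view of what raised the alert."""
    return dict(Counter(f["RiskRule"] for f in flows))


# Constructed records in the shape of the Behavior API sample above (ids,
# ports and the second/third flows are invented).
_COMMON = {"businessUnit": {"id": "bu-1", "name": "Acme Latex Supply"},
           "flowDirection": "OUTBOUND", "protocol": "TCP", "internalCountryCode": "US",
           "internalExposureTypes": ["HttpServer"], "internalDomains": [],
           "internalTags": {"ipRange": []}}
SAMPLE_RECORDS = [
    dict(_COMMON, id="rec-1", internalAddress="184.174.38.51", internalPort=35125,
         externalAddress="217.218.108.188", externalPort=443, externalCountryCode="IR",
         riskRule={"id": "rule-1", "name": "Connections to and from Blacklisted Countries"},
         observationTimestamp="2020-03-23T14:59:04.211Z"),
    dict(_COMMON, id="rec-2", internalAddress="184.174.38.51", internalPort=40012,
         externalAddress="66.110.49.72", externalPort=443, externalCountryCode="CA",
         riskRule={"id": "rule-2", "name": "Outbound Flows from Servers"},
         observationTimestamp="2020-03-23T15:10:00.000Z"),
    dict(_COMMON, id="rec-3", internalAddress="184.174.38.52", internalPort=50100,
         externalAddress="66.110.49.36", externalPort=443, externalCountryCode="CA",
         riskRule={"id": "rule-2", "name": "Outbound Flows from Servers"},
         observationTimestamp="2020-03-23T15:12:00.000Z"),
]
```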

5. expanse-get-exposures


expanse-get-exposures command

Required Permissions

none

Base Command

expanse-get-exposures

Input

Argument Name | Description | Required
ip | ip to search | Required

Context Output

Path | Type | Description
Expanse.Exposures.SearchTerm | string | IP used to search
Expanse.Exposures.TotalExposureCount | number | The total count of exposures for the IP
Expanse.Exposures.CriticalExposureCount | number | The total count of CRITICAL exposures for the IP
Expanse.Exposures.WarningExposureCount | number | The total count of WARNING exposures for the IP
Expanse.Exposures.RoutineExposureCount | number | The total count of ROUTINE exposures for the IP
Expanse.Exposures.UnknownExposureCount | number | The total count of UNKNOWN exposures for the IP
Expanse.Exposures.ExposureSummaries | string | Summaries of exposures for the IP address
Expanse.Exposures.Exposures | unknown | Array of Exposures for the IP address
Expanse.Exposures.Exposures.ExposureType | string | Exposure type of the Exposure
Expanse.Exposures.Exposures.BusinessUnit | string | Business Unit of the Exposure
Expanse.Exposures.Exposures.Ip | string | IP Address the Exposure was found on
Expanse.Exposures.Exposures.Port | string | Port the Exposure was found on
Expanse.Exposures.Exposures.Severity | string | Severity of the Exposure
Expanse.Exposures.Exposures.Certificate | unknown | Certificate details associated with Exposure
Expanse.Exposures.Exposures.FirstObservsation | unknown | First Observation of the Exposure
Expanse.Exposures.Exposures.LastObservsation | unknown | Last Observation of the Exposure
Expanse.Exposures.Exposures.Status | unknown | Status details of the Exposure
Expanse.Exposures.Exposures.Provider | unknown | Provider details of the Exposure
Command Example

!expanse-get-exposures ip=33.2.243.123

Context Example
{
"CriticalExposureCount": 0,
"ExposureSummaries": "NTP_SERVER exposure on 33.2.243.123:UDP123",
"Exposures": [
{
"BusinessUnit": "VanDelay Industries",
"Certificate": null,
"ExposureType": "NTP_SERVER",
"FirstObservsation": {
"configuration": {
"certificate": null,
"response": {
"ntp": {
"delay": 0,
"dispersion": 65537,
"extentionData": null,
"keyIdentifier": null,
"leapIndicator": 3,
"messageDigest": null,
"mode": 4,
"originateTime": "2004-11-24T15:12:11.444Z",
"poll": 4,
"precision": -18,
"receiveTime": "2019-02-01T00:32:17.693Z",
"reference": {
"ref_str": {
"reference": ""
}
},
"stratum": 0,
"transmitTime": "2019-02-01T00:32:17.693Z",
"updateTime": "2036-02-07T06:28:16Z",
"version": 4
}
}
},
"geolocation": {
"city": "VICTOR",
"countryCode": "US",
"latitude": 42.982,
"longitude": -77.4245,
"regionCode": "NY"
},
"hostname": null,
"id": "2d349139-1111-3c92-a168-557d34729bf8",
"ip": "33.2.243.123",
"portNumber": 123,
"portProtocol": "UDP",
"qrispTaskId": 21716146,
"scanned": "2019-02-01T00:19:16Z"
},
"Ip": "33.2.243.123",
"LastObservsation": {
"configuration": {
"certificate": null,
"response": {
"ntp": {
"delay": 0,
"dispersion": 65537,
"extentionData": null,
"keyIdentifier": null,
"leapIndicator": 3,
"messageDigest": null,
"mode": 4,
"originateTime": "2004-11-24T15:12:11.444Z",
"poll": 4,
"precision": -18,
"receiveTime": "2020-05-05T16:05:36.606Z",
"reference": {
"ref_str": {
"reference": ""
}
},
"stratum": 0,
"transmitTime": "2020-05-05T16:05:36.606Z",
"updateTime": "2036-02-07T06:28:16Z",
"version": 4
}
}
},
"geolocation": {
"city": "VICTOR",
"countryCode": "US",
"latitude": 42.982,
"longitude": -77.4245,
"regionCode": "NY"
},
"hostname": null,
"id": "69a0159b-facc-3c55-b71d-3e6b8ae9252b",
"ip": "33.2.243.123",
"portNumber": 123,
"portProtocol": "UDP",
"qrispTaskId": 41755001,
"scanned": "2020-05-05T16:03:30Z"
},
"Port": "UDP123",
"Provider": null,
"Severity": "ROUTINE",
"Status": {
"remediation": [],
"snooze": []
}
}
],
"RoutineExposureCount": 1,
"SearchTerm": "33.2.243.123",
"TotalExposureCount": 1,
"UnknownExposureCount": 0,
"WarningExposureCount": 0
}
Human Readable Output

Expanse Exposure information for: 33.2.243.123

CriticalExposureCount: 0
ExposureSummaries: NTP_SERVER exposure on 33.2.243.123:UDP123
RoutineExposureCount: 1
SearchTerm: 33.2.243.123
TotalExposureCount: 1
UnknownExposureCount: 0
WarningExposureCount: 0

6. expanse-get-domains-for-certificate


expanse-get-domains-for-certificate command

Required Permissions

none

Base Command

expanse-get-domains-for-certificate

Input

Argument Name | Description | Required
common_name | The certificate common name | Required

Context Output

Path | Type | Description
Expanse.IPDomains.SearchTerm | string | The common name that was searched
Expanse.IPDomains.TotalDomainCount | number | The number of domains found matching the specified certificate
Expanse.IPDomains.FlatDomainList | number | An array of all domain names found. This is truncated at 50
Expanse.IPDomains.DomainList | number | An array of domain objects. This is truncated at 50
Command Example

!expanse-get-domains-for-certificate common_name="*.us.expanse.co"

Context Example
{
"SearchTerm": "*.us.expanse.co",
"TotalDomainCount": 2,
"FlatDomainList": ["california.us.expanse.co", "dc.us.expanse.co"],
"DomainList": [
{
"ip": "33.2.243.123",
"domain": "california.us.expanse.co",
"type": "DOMAIN_RESOLUTION",
"assetType": "DOMAIN",
"assetKey": "california.us.expanse.co",
"provider": {
"id": "AWS",
"name": "Amazon Web Services"
},
"lastObserved": "2020-06-22T05:20:32.883Z",
"tenant": {
"id": "4b7efca7-c595-408e-b4d1-634080e48367",
"name": "Palo Alto Networks",
"tenantId": "4b7efca7-c595-408e-b4d1-634080e48367"
},
"businessUnits": [
{
"id": "a1f0f39b-f358-3c8c-947b-926887871b88",
"name": "VanDelay Import-Export",
"tenantId": "a1f0f39b-f358-3c8c-947b-926887871b88"
}
],
"commonName": null
},
{
"ip": "33.2.243.123",
"domain": "dc.us.expanse.co",
"type": "DOMAIN_RESOLUTION",
"assetType": "DOMAIN",
"assetKey": "dc.us.expanse.co",
"provider": {
"id": "AWS",
"name": "Amazon Web Services"
},
"lastObserved": "2020-06-21T07:20:32.883Z",
"tenant": {
"id": "4b7efca7-c595-408e-b4d1-634080e48367",
"name": "Palo Alto Networks",
"tenantId": "4b7efca7-c595-408e-b4d1-634080e48367"
},
"businessUnits": [
{
"id": "a1f0f39b-f358-3c8c-947b-926887871b88",
"name": "VanDelay Import-Export",
"tenantId": "a1f0f39b-f358-3c8c-947b-926887871b88"
}
],
"commonName": null
}
]
}
Human Readable Output

Expanse Domains matching Certificate Common Name: *.us.expanse.co

FlatDomainList: california.us.expanse.co, dc.us.expanse.co
SearchTerm: *.us.expanse.co
TotalDomainCount: 2

Additional Information


Known Limitations


Troubleshooting


Contact Details


For Product Support, please contact your Technical Account Manager or email help@expanseinc.com