Expanse Expander Feed

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use this feed to retrieve the discovered IPs/Domains/Certificates from the Expanse Expander asset database.

This integration was developed and tested with version 2 of the Expander Asset API.

Expanse is a Palo Alto Networks company.

Configure Expanse Expander Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Expanse Expander Feed.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Your server URL | True |
| apikey | API Key | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| feed | Fetch indicators | False |
| max_fetch | The maximum number of indicators to fetch. | False |
| min_last_observed | Retrieve indicators observed in the last specified number of days | False |
| feedExpirationPolicy | | False |
| feedExpirationInterval | | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedBypassExclusionList | Bypass exclusion list | False |
| feedReliability | Source Reliability | True |
| feedReputation | Indicator Reputation | False |
| feedTags | Tags | False |
| tlp_color | Traffic Light Protocol Color | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

feedexpanse-get-indicators


Retrieve discovered IPs/IP Ranges/Domains/Certificates

Base Command

feedexpanse-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| max_indicators | The maximum number of results to return per type | Optional |
| ip | Retrieve discovered IPs | Optional |
| domain | Retrieve discovered Domains | Optional |
| certificate | Retrieve discovered certificates | Optional |
| iprange | Retrieve IP Ranges | Optional |

Context Output

There is no context output for this command.

Command Example

!feedexpanse-get-indicators max_indicators=1 certificate=yes ip=yes domain=yes

Human Readable Output

Expanse Indicators (capped at 1)

| value | type |
| --- | --- |
| 198.51.100.220 | IP |
| e0ce1c7a7e02d3a9f361a760e9f2ab22fe3d7e9a9ee9188386b1abff44be6b5f | Certificate |
| test.example.com | Domain |
| 198.51.100.0/24 | CIDR |
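
Anything that consumes these rows downstream (for example, to build an asset allowlist) may want to confirm that each value is well-formed for its declared type first. The following is an added example, not part of the integration's own code: `is_valid`, `partition` and `SAMPLE_ROWS` are hypothetical names, the rows are constructed in the shape of the table above, and treating Certificate values as SHA-256 hex digests is an assumption drawn from the sample output.

```python
import ipaddress
import re

# Assumption: Certificate values are 64-hex-character SHA-256 digests.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Conservative hostname check: dot-separated letter/digit/hyphen labels.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$"
)


def is_valid(value: str, itype: str) -> bool:
    """Return True when value is well-formed for the feed type itype."""
    value = value.strip()
    try:
        if itype == "IP":
            ipaddress.ip_address(value)
            return True
        if itype == "CIDR":
            # strict=True rejects a network written with host bits set.
            ipaddress.ip_network(value, strict=True)
            return "/" in value
    except ValueError:
        return False
    if itype == "Certificate":
        return bool(SHA256_RE.match(value.lower()))
    if itype == "Domain":
        return bool(DOMAIN_RE.match(value.lower()))
    return False  # unknown type: reject rather than guess


def partition(rows):
    """Split (value, type) rows into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for value, itype in rows:
        (accepted if is_valid(value, itype) else rejected).append((value, itype))
    return accepted, rejected


# Constructed sample rows; the last three are deliberately malformed.
SAMPLE_ROWS = [
    ("198.51.100.220", "IP"),
    ("e0ce1c7a7e02d3a9f361a760e9f2ab22fe3d7e9a9ee9188386b1abff44be6b5f", "Certificate"),
    ("test.example.com", "Domain"),
    ("198.51.100.0/24", "CIDR"),
    ("198.51.100..0/24", "CIDR"),  # empty octet
    ("198.51.100.7/24", "CIDR"),   # host bits set
    ("test_example", "Domain"),    # underscore, no dot
]
```

Rejected rows are better logged and reviewed than silently dropped, since a malformed value can point to a parsing problem upstream.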