Palo Alto Xpanse - Expander Connector Guide

Summary: How to set up and use the Palo Alto Xpanse - Expander connector in Ivanti Neurons RBVM/ASPM/VULN KB.

Overview

Palo Alto Xpanse - Expander collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts about unexpected, unknown, or risky IT assets that appear in the system.

The Ivanti Neurons RBVM/ASPM/VULN KB platform provides an API-based connector that integrates with Palo Alto Expanse - Expander, enabling customers to bring in their findings. It gives customers visibility into their overall risk due to vulnerabilities in their endpoints and a more straightforward, more efficient way to manage those vulnerabilities.

User Prerequisites / Expander Setup

Expander is a cloud-based solution. Ivanti Neurons requires a user account with the following access to communicate with and pull data from Expander.

  • Read access to the assets and their associated issues.

  • API access.

Expander Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Cortex Xpanse into Ivanti Neurons for RBVM.

API Type | Endpoint
Authentication | https://expander.expanse.co/api/v1/idToken/
Fetch List of Issues | https://expander.expanse.co/api/v1/issues/issues
Fetch List of Updates for all the Issues | https://expander.expanse.co/api/v1/issues/updates

Platform Setup

Navigate to the Automate > Integrations page.

Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.

Locate the Palo Alto Xpanse - Expander card on the page and click Configuration.

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.

  • URL: The URL to access the Expander API (https://expander.expanse.co).

  • Client Id: Expanse provides the Client Id; follow the documentation for steps to Generate Client Credentials.

  • Client Secret: Expanse provides the Client Secret; follow the documentation for steps to Generate Client Credentials.

  • SSL: Optional instance SSL certificate in base64 format.

  • Network: This connector is available only when using a Mixed network. For more information, see Networks: Overview.

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Xpanse API calls.

Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Optional Configurations

This connector does not include any additional filter options for data ingestion.

Editing a Connector Configuration

Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.

Utilizing the Connector

The data from Palo Alto Networks Cortex Xpanse API is ingested into Ivanti Neurons for RBVM as Hosts and Host Findings. The Scanner Name associated with these scans is Expander. Scanner Name can be used as a filter for Hosts and Host Findings.

Assets

All assets from the Palo Alto Networks Cortex Xpanse API are shown on the Hosts page.

Ivanti Neurons RBVM Tags

The following fields from Cortex Xpanse APIs are converted into RBVM asset tags. These tags can be used for searching, playbook automation, and better visualization in RBVM Dashboards.

  • data > annotations > tags > name

Findings

All findings from the Palo Alto Networks Cortex Xpanse API are shown on the Host Findings page.

Connector Data Mapping

This table showcases the high-level mapping of Xpanse API fields in Ivanti Neurons for RBVM.

RBVM Fields | Expander Fields
HostName | data -> domain
Ip Address | data -> ip (Available for few assetTypes only)
Expanse Asset Identifier | If data -> assets -> assetType is 'IpRange': data -> assets -> displayName
Expanse Asset Identifier | If data -> assets -> assetType is 'Domain': data -> assets -> assetKey
Expanse Asset Identifier | If data -> assets -> assetType is 'Certificate': data -> assets -> assetKey
Expanse Asset Identifier | If data -> assets -> assetType is 'CloudResource': data -> assets -> assetKey
Asset Type | data -> assets -> assetType
Asset Name | data -> assets -> displayName
Scanner Severity | data -> priority
Scanner Plugin | data -> issueType -> name
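
The mapping above, applied to issue records, as an added example that is not Ivanti's or Palo Alto's code. It assumes each element of the response's data array is one issue with an assets list, and that one RBVM row is produced per asset; the sample records and the helper names (asset_identifier, map_issue, unmapped_asset_types) are constructed for illustration.

```python
# Added illustration: field paths come from the mapping table; the JSON shape
# (a list of issues, each with an "assets" list) is an assumption.
ASSET_ID_FIELD = {
    "IpRange": "displayName",
    "Domain": "assetKey",
    "Certificate": "assetKey",
    "CloudResource": "assetKey",
}

def asset_identifier(asset):
    """Expanse Asset Identifier: the source field depends on assetType."""
    field = ASSET_ID_FIELD.get(asset.get("assetType"))
    return asset.get(field) if field else None

def map_issue(issue):
    """Map one issue to RBVM-style rows, one per asset (assumed granularity)."""
    tag_list = (issue.get("annotations") or {}).get("tags") or []
    tags = [t["name"] for t in tag_list if t.get("name")]
    rows = []
    for asset in issue.get("assets") or []:
        rows.append({
            "HostName": issue.get("domain"),
            "Ip Address": issue.get("ip"),  # available for few assetTypes only
            "Expanse Asset Identifier": asset_identifier(asset),
            "Asset Type": asset.get("assetType"),
            "Asset Name": asset.get("displayName"),
            "Scanner Severity": issue.get("priority"),
            "Scanner Plugin": (issue.get("issueType") or {}).get("name"),
            "Tags": tags,  # data > annotations > tags > name
        })
    return rows

def unmapped_asset_types(issues):
    """Asset types that the table gives no identifier rule for."""
    seen = {a.get("assetType") for i in issues for a in i.get("assets") or []}
    return sorted(t for t in seen if t not in ASSET_ID_FIELD)

# Constructed sample records, not real Expander output.
SAMPLE_ISSUES = [
    {"domain": "vpn.example.com", "ip": "198.51.100.7", "priority": "High",
     "issueType": {"name": "Insecure TLS"},
     "annotations": {"tags": [{"name": "dmz"}]},
     "assets": [{"assetType": "Domain", "assetKey": "vpn.example.com",
                 "displayName": "vpn.example.com"}]},
    {"priority": "Medium", "issueType": {"name": "Telnet Server"},
     "assets": [{"assetType": "IpRange", "assetKey": "range-key-1",
                 "displayName": "198.51.100.0-198.51.100.255"},
                {"assetType": "Device", "displayName": "unknown-device"}]},
]
```

Running unmapped_asset_types over an export before comparing it with the Hosts page shows which records would have no Expanse Asset Identifier under the table's rules.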