Palo Alto Xpanse - Expander Connector Guide

Summary: How to set up and use the Palo Alto Xpanse - Expander connector in Ivanti Neurons RBVM/ASOC/VULN KB.

Overview

Palo Alto Xpanse - Expander collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts to unexpected, unknown, or risky IT assets that appear in the system.

The Ivanti Neurons RBVM/ASOC/VULN KB platform provides an API-based connector that integrates with Palo Alto Xpanse - Expander, enabling customers to bring in their findings. It gives customers visibility into their overall risk from vulnerabilities in their endpoints and a more straightforward, more efficient way to manage those vulnerabilities.

User Prerequisites/Expander Setup

Expander is a cloud-based solution. Ivanti Neurons requires a user account with the following access to communicate with and pull data from Expander.

  • Read access to the assets and their associated issues.

  • API access.

Expander Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Expander into Neurons RBVM/ASOC/VULN KB.

API Type                                  Endpoint
Authentication                            https://expander.expanse.co/api/v1/idToken/
Fetch List of Issues                      https://expander.expanse.co/api/v1/issues/issues
Fetch List of Updates for all the Issues  https://expander.expanse.co/api/v1/issues/updates

Configuring the Expander Connector in Neurons RBVM/ASOC/VULN KB

Navigate to the Automate > Integrations page.

[Screenshot: Navigation - Automation - Integrations]

Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.

[Screenshot: Expander Connector - Search for Connector]

Locate the Palo Alto Xpanse - Expander card on the page and click Configuration.

[Screenshot: Expander Connector - Configuration Button Location]

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.

  • URL: The URL to access the Expander API (https://expander.expanse.co).

  • Client Id: Expanse provides the Client Id; follow the documentation for steps to Generate Client Credentials.

  • Client Secret: Expanse provides the Client Secret; follow the documentation for steps to Generate Client Credentials.

  • SSL: Optional instance SSL certificate in base64 format.

  • Network: This connector is available only when using a Mixed network. Refer to the Ivanti Neurons documentation on mixed networks for more information.

[Screenshot: Palo Alto Xpanse - Connection Window]

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Expander API calls.

[Screenshot: Expander Connector - Test Credentials]

Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

[Screenshot: Expander Connector - Schedule Options]

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button lets users perform an on-demand sync, the Edit button lets users edit the connector configuration, and the Delete button lets users delete the connector.

[Screenshot: Expander Connector - Configured Connector]

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Mapping Expander fields in Neurons RBVM/ASOC/VULN KB

This table shows the high-level mapping of Expander API fields to Neurons RBVM/ASOC/VULN KB fields.

Neurons RBVM/ASOC/VULN KB Field    Expander Field
HostName                           data -> domain
Ip Address                         data -> ip (available for a few assetTypes only)
Expanse Asset Identifier           Depends on data -> assets -> assetType:
                                     'IpRange':       data -> assets -> displayName
                                     'Domain':        data -> assets -> assetKey
                                     'Certificate':   data -> assets -> assetKey
                                     'CloudResource': data -> assets -> assetKey
Asset Type                         data -> assets -> assetType
Asset Name                         data -> assets -> displayName
Scanner Severity                   data -> priority
Scanner Plugin                     data -> issueType -> name

Neurons RBVM/ASOC/VULN KB Tags

The following fields from Expander APIs are converted into Neurons RBVM/ASOC/VULN KB tags. You can use these tags for searching, playbook automation, and better visualization in Neurons RBVM/ASOC/VULN KB Dashboards.

  • data -> annotations -> tags -> name

Common Fields in Neurons RBVM/ASOC/VULN KB

The following fields in Neurons RBVM/ASOC/VULN KB are defined for Expander, along with their default values.

  • The Scanner Name is Expander.
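The following Python script is an added worked example, not Ivanti's connector code or Palo Alto's API client. It applies the field mapping table, the tag conversion and the Scanner Name default from this guide to a constructed sample of Expander issue records. The JSON shape is assumed (an issues response with a "data" array; "assets" treated as a list whose first element is used), and the assetType value "SomeOtherType" is invented purely to show how a record that the mapping table does not cover is handled.

```python
"""Worked example: apply this guide's field mapping to Expander issue records.

Added illustration, not Ivanti's connector code. Field paths come from the
mapping table above; the JSON below is a constructed sample, and the list
shape of "assets" (first element used) is an assumption.
"""
import json

# Constructed sample in the shape of a /api/v1/issues/issues response, reduced
# to the fields the mapping table references. Values are illustrative only.
SAMPLE_ISSUES_JSON = json.dumps({
    "data": [
        {   # Domain asset: identifier comes from assetKey
            "domain": "www.example.com",
            "ip": None,
            "priority": "High",
            "issueType": {"name": "Expired Certificate"},
            "assets": [{"assetType": "Domain",
                        "assetKey": "www.example.com",
                        "displayName": "www.example.com"}],
            "annotations": {"tags": [{"name": "Production"}, {"name": "Web"}]},
        },
        {   # IpRange asset: identifier comes from displayName, not assetKey
            "domain": None,
            "ip": "203.0.113.10",
            "priority": "Medium",
            "issueType": {"name": "Telnet Server"},
            "assets": [{"assetType": "IpRange",
                        "assetKey": "203.0.113.0/24",
                        "displayName": "DMZ range"}],
            "annotations": {"tags": []},
        },
        {   # assetType not listed in the guide's table (invented value): no identifier mapping
            "domain": None,
            "ip": None,
            "priority": "Low",
            "issueType": {"name": "Constructed Issue"},
            "assets": [{"assetType": "SomeOtherType",
                        "assetKey": "key-1", "displayName": "Other"}],
            "annotations": {},
        },
    ]
})

# Which asset field supplies "Expanse Asset Identifier", per assetType (from the table).
ASSET_IDENTIFIER_FIELD = {
    "IpRange": "displayName",
    "Domain": "assetKey",
    "Certificate": "assetKey",
    "CloudResource": "assetKey",
}

# Default value for the common field described at the end of this guide.
SCANNER_NAME = "Expander"


def asset_identifier(asset):
    """Return the identifier for one asset, or None when its assetType is not mapped."""
    field = ASSET_IDENTIFIER_FIELD.get(asset.get("assetType"))
    return asset.get(field) if field else None


def tag_names(issue):
    """Collect data -> annotations -> tags -> name into a flat list of tag strings."""
    tags = (issue.get("annotations") or {}).get("tags") or []
    return [t["name"] for t in tags if isinstance(t, dict) and "name" in t]


def map_issue(issue):
    """Map one element of the "data" array onto the Neurons field names."""
    assets = issue.get("assets") or []
    asset = assets[0] if assets else {}   # assumption: first listed asset is used
    return {
        "HostName": issue.get("domain"),
        "Ip Address": issue.get("ip"),                 # present for some assetTypes only
        "Expanse Asset Identifier": asset_identifier(asset),
        "Asset Type": asset.get("assetType"),
        "Asset Name": asset.get("displayName"),
        "Scanner Severity": issue.get("priority"),
        "Scanner Plugin": (issue.get("issueType") or {}).get("name"),
        "Tags": tag_names(issue),
        "Scanner Name": SCANNER_NAME,
    }


def map_issues(payload_json):
    """Parse a raw issues response and map every record in its "data" array."""
    return [map_issue(i) for i in json.loads(payload_json).get("data", [])]


if __name__ == "__main__":
    for row in map_issues(SAMPLE_ISSUES_JSON):
        print(json.dumps(row, indent=2))
```

Running the script prints one mapped record per sample issue. The point to notice is the IpRange case, where the identifier is the displayName rather than the assetKey, and the unmapped assetType, where the identifier is left empty instead of guessing a field; a record like that is the one to inspect on the Host Findings page after a sync, since it will carry an Asset Type but no Expanse Asset Identifier.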