Palo Alto Xpanse - Expander Connector Guide
Summary: How to set up and use the Palo Alto Xpanse - Expander connector in Ivanti Neurons RBVM/ASPM/VULN KB.
Overview
Palo Alto Xpanse - Expander collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts about unexpected, unknown, or risky IT assets that appear in the system.
The Ivanti Neurons RBVM/ASPM/VULN KB platform provides an API-based connector that integrates with Palo Alto Xpanse - Expander, enabling customers to bring in their findings. It gives customers visibility into their overall risk from vulnerabilities in their endpoints and a simpler, more efficient way to manage those vulnerabilities.
User Prerequisites / Expander Setup
Expander is a cloud-based solution. Ivanti Neurons requires a user account with the following access to communicate with and pull data from Expander.
- Read access to the assets and their associated issues.
- API access.
Expander Connector API Calls
The following API calls are performed during a connector run to pull security vulnerabilities from Cortex Xpanse into Ivanti Neurons for RBVM.
API Type | Endpoint |
---|---|
Authentication | https://expander.expanse.co/api/v1/idToken/ |
Fetch List of Issues | https://expander.expanse.co/api/v1/issues/issues |
Fetch List of Updates for all the Issues | https://expander.expanse.co/api/v1/issues/updates |
Platform Setup
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.
Locate the Palo Alto Xpanse - Expander card on the page and click Configuration.
In the new window under Connection, complete the required fields, as described below.
- Name: The connector’s name.
- URL: The URL to access the Expander API (https://expander.expanse.co).
- Client Id: Expanse provides the Client Id; follow the documentation for steps to Generate Client Credentials.
- Client Secret: Expanse provides the Client Secret; follow the documentation for steps to Generate Client Credentials.
- SSL: Optional instance SSL certificate in base64 format.
- Network: This connector is available only when using a Mixed network. For more information, see Networks: Overview.
Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Xpanse API calls.
Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).
Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.
Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.
Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.
Optional Configurations
This connector does not include any additional filter options for data ingestion.
Editing a Connector Configuration
Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.
Utilizing the Connector
The data from Palo Alto Networks Cortex Xpanse API is ingested into Ivanti Neurons for RBVM as Hosts and Host Findings. The Scanner Name associated with these scans is Expander. Scanner Name can be used as a filter for Hosts and Host Findings.
Assets
All assets from the Palo Alto Networks Cortex Xpanse API are shown on the Hosts page.
Ivanti Neurons RBVM Tags
The following fields from Cortex Xpanse APIs are converted into RBVM asset tags. These tags can be used for searching, playbook automation, and better visualization in RBVM Dashboards.
- data > annotations > tags > name
Findings
All findings from the Palo Alto Networks Cortex Xpanse API are shown on the Host Findings page.
Connector Data Mapping
This table showcases the high-level mapping of Xpanse API fields in Ivanti Neurons for RBVM.
RBVM Fields | Expander Fields |
---|---|
HostName | data -> domain |
Ip Address | data -> ip (Available for few assetTypes only) |
Expanse Asset Identifier | If data -> assets -> assetType is 'IpRange' If data -> assets -> assetType is 'Domain' If data -> assets -> assetType is 'Certificate' If data -> assets -> assetType is 'CloudResource' |
Asset Type | data -> assets -> assetType |
Asset Name | data -> assets -> displayName |
Scanner Severity | data -> priority |
Scanner Plugin | data -> issueType -> name |
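
The mapping in the table above, applied to a constructed issue record, as an added example that is not Ivanti's or Palo Alto's code. The JSON layout is assumed from the field paths on this page; emitting one row per attached asset, the `Tags` key, and the `unidentified` check are assumptions of this sketch.

```python
# Added illustration. Field paths follow the mapping table above; the record
# layout and every sample value are constructed, not real Expander output.
SAMPLE_RESPONSE = {
    "data": [
        {
            "domain": "vpn.example.com",
            "ip": "198.51.100.7",
            "priority": "High",
            "issueType": {"name": "Insecure TLS"},
            "assets": [
                {"assetType": "Domain", "displayName": "vpn.example.com"},
                {"assetType": "IpRange", "displayName": "198.51.100.0/24"},
            ],
            "annotations": {"tags": [{"name": "prod"}, {"name": "edge"}]},
        },
        {   # Certificate issue with no domain, ip or tags
            "priority": "Low",
            "issueType": {"name": "Expired Certificate"},
            "assets": [{"assetType": "Certificate", "displayName": "CN=old.example.com"}],
        },
    ]
}

def map_issue(issue):
    """Flatten one issue into RBVM-style rows, one per attached asset (assumption)."""
    tag_list = (issue.get("annotations") or {}).get("tags") or []
    tags = [t["name"] for t in tag_list if t.get("name")]
    return [
        {
            "HostName": issue.get("domain"),
            "Ip Address": issue.get("ip"),  # present for some asset types only
            "Asset Type": asset.get("assetType"),
            "Asset Name": asset.get("displayName"),
            "Scanner Severity": issue.get("priority"),
            "Scanner Plugin": (issue.get("issueType") or {}).get("name"),
            "Tags": tags,
        }
        for asset in issue.get("assets") or []
    ]

def map_response(response):
    """Map every issue in a response body to rows."""
    return [row for issue in response.get("data") or [] for row in map_issue(issue)]

def unidentified(rows):
    """Rows with neither HostName nor Ip Address, worth checking after a sync."""
    return [r for r in rows if not r["HostName"] and not r["Ip Address"]]
```

Rows returned by `unidentified` have only Asset Name and Asset Type to go on, so they are the ones to look for by hand on the Hosts page after a sync.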