Palo Alto Xpanse - Expander Connector Guide

Summary: How to set up and use the Palo Alto Xpanse - Expander connector in Ivanti Neurons for RBVM/ASOC.


Palo Alto Xpanse - Expander collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts to unexpected, unknown, or risky IT assets that appear in the system.

The Ivanti Neurons for RBVM/ASOC platform provides an API-based connector that integrates with Palo Alto Expanse - Expander, enabling customers to bring in their findings. It allows customers to gain visibility into their overall risk due to vulnerabilities in their endpoint and a more straightforward, more efficient way to manage those vulnerabilities.

User Prerequisites/Expander Setup

Expander is a cloud-based solution. Ivanti Neurons requires a user account with the following access to communicate with and pull data from Expander.

  • Read access to the assets and their associated issues.

  • API access.

Expander Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Expander into Neurons for RBVM/ASOC.

API Type



Fetch List of Issues

Fetch List of Updates for all the Issues

Configuring the Expander Connector in Neurons for RBVM/ASOC

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations-1

Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.

Expander Connector - Search for Connector

Locate the Palo Alto Xpanse - Expander card on the page and click Configuration.

Expander Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.

  • URL: The URL to access the Expander API (

  • Client Id: Expanse provides the Client Id; follow the documentation for steps to Generate Client Credentials.

  • Client Secret: Expanse provides the Client Secret; follow the documentation for steps to Generate Client Credentials.

  • SSL: Optional instance SSL certificate in base64 format.

  • Network: This connector is available only when using a Mixed network. Refer to this link for more information on mixed networks.

Palo Alto Xpanse - Connection Window

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Expander API calls.

Expander Connector - Test Credentials

Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

Expander Connector - Schedule Options

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Expander Connector - Configured Connector

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Mapping Expander fields in Neurons for RBVM/ASOC

This table showcases the high-level mapping of Expander API fields in Neurons for RBVM/ASOC.

Neurons for RBVM/ASOC Fields

Expander Fields


data -> domain

Ip Address

data -> ip (Available for few assetTypes only

Expanse Asset Identifier

If data -> assets -> assetType is 'IpRange'
data -> assets -> displayName

If data -> assets -> assetType is 'Domain'
data -> assets -> assetKey

If data -> assets -> assetType is 'Certificate'
data -> assets -> assetKey

If data -> assets -> assetType is 'CloudResource'
data -> assets -> assetKey

Asset Type

data -> assets -> assetType

Asset Name

data -> assets -> displayName

Scanner Severity

data -> priority

Scanner Plugin

data -> issueType -> name

Neurons for RBVM/ASOC Tags

The following fields from Expander APIs are converted into Neurons for RBVM/ASOC tags. You can use these tags for searching, playbook automation, and better visualization in Neurons for RBVM/ASOC Dashboards.

  • data > annotations > tags > name

Common Fields in Neurons for RBVM/ASOC

The following fields in Neurons for RBVM/ASOC are defined for Expander, along with their default values.

  • The Scanner Name is Expander.