Palo Alto Xpanse - Expander V2 Connector Guide

Summary: How to set up and use the Palo Alto Xpanse - Expander V2 connector in Ivanti Neurons RBVM/ASPM/VULN KB.

Overview

Palo Alto Xpanse - Expander V2 collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts about unexpected, unknown, or risky IT assets that appear in the system.

The Ivanti Neurons RBVM/ASPM/VULN KB platform provides an API-based connector that integrates with Palo Alto Expanse - Expander V2, enabling customers to bring in their findings. It gives customers visibility into their overall risk from vulnerabilities in their endpoints, and a more straightforward, more efficient way to manage those vulnerabilities.

User Prerequisites / Expander Setup

Expander is a cloud-based solution. Ivanti Neurons requires a user account with the following access to communicate with and pull data from Expander.

  • Read access to the assets and their associated issues.

  • API access.

Expander V2 Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Expander V2 into Ivanti Neurons for RBVM.

API Type | Endpoint
Authentication | https://expander.expanse.co/api/v1/idToken/
Fetch list of all assets or a filtered list of assets | https://expander.expanse.co/api/v1/assets/get_assets_internet_exposure
Fetch extra data fields for a specific incident including alerts and key artifacts | https://expander.expanse.co/api/v1/incidents/get_incident_extra_data
Fetch details of a single incident or list of incidents | https://expander.expanse.co/api/v1/incidents/get_incidents/

Platform Setup

Navigate to the Automate > Integrations page.

Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.

Locate the Palo Alto Xpanse - Expander V2 card on the page and click Configuration.

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.

  • URL: The URL to access the Expander API (https://expander.expanse.co).

  • Client Id: Expanse provides the Client Id; follow the documentation for steps to Generate Client Credentials.

  • Client Secret: Expanse provides the Client Secret; follow the documentation for steps to Generate Client Credentials.

  • Network: This connector is available only when using a Mixed network. For more information, see Networks: Overview.

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Xpanse API calls.

Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance.

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Optional Configurations

You can bring asset tags into the configuration by selecting "Yes, bring in asset tags" under the Optional Configurations section.

Editing a Connector Configuration

Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.

Utilizing the Connector

The data from Palo Alto Networks Cortex Xpanse API is ingested into Ivanti Neurons for RBVM as Hosts and Host Findings. The Scanner Name associated with these scans is Expander V2. Scanner Name can be used as a filter for Hosts and Host Findings.

Assets

All assets from the Palo Alto Networks Cortex Xpanse API are shown on the Hosts page.

Ivanti Neurons RBVM Tags

The following fields from Cortex Xpanse APIs are converted into RBVM asset tags. These tags can be used for searching, playbook automation, and better visualization in RBVM Dashboards.

  • data > annotations > tags > name

Findings

All findings from the Palo Alto Networks Cortex Xpanse API are shown on the Manage > Host Findings page.

Connector Data Mapping

This table showcases the high-level mapping of Xpanse API fields in Ivanti Neurons for RBVM.

Host

RBVM Field | Mapping Field
Expander Agent Id | reply.assets_internet_exposure.agent_id
Expander Annotation | reply.assets_internet_exposure.annotation
Expander Asm Va Score | reply.assets_internet_exposure.asm_va_score
Expander ASN Countries | reply.assets_internet_exposure.asn_countries
Expander ASN Handles | reply.assets_internet_exposure.asn_handles
Expander ASN Record Names | reply.assets_internet_exposure.asn_record_names
Expander ASN Registries | reply.assets_internet_exposure.asn_registries
Expander Asset Explainers | reply.assets_internet_exposure.asset_explainers
Expander AWS Cloud Tags | reply.assets_internet_exposure.aws_cloud_tags
Expander Azure Cloud Tags | reply.assets_internet_exposure.azure_cloud_tags
Expander Business Units Creation Times | reply.assets_internet_exposure.business_units.creation_time
Expander Business Units IDs | reply.assets_internet_exposure.business_units.id
Expander Business Units Names | reply.assets_internet_exposure.business_units.name
Expander Business Units Parent IDs | reply.assets_internet_exposure.business_units.parent_id
Expander Business Units Update Times | reply.assets_internet_exposure.business_units.update_time
Expander Certificate Algorithm | reply.assets_internet_exposure.certificate_algorithm
Expander Certificate Classifications | reply.assets_internet_exposure.certificate_classifications
Expander Certificate Expiry Date | reply.assets_internet_exposure.certificate_expiry_date
Expander Certificate Formatted Issuer Org | reply.assets_internet_exposure.certificate_details.formattedIssuerOrg
Expander Certificate Hash | reply.assets_internet_exposure.certificate_hash
Expander Certificate Issuer | reply.assets_internet_exposure.certificate_issuer
Expander Certificate Issuer Alternative Names | reply.assets_internet_exposure.certificate_details.issuerAlternativeNames
Expander Certificate Issuer Country | reply.assets_internet_exposure.certificate_details.issuerCountry
Expander Certificate Issuer Email | reply.assets_internet_exposure.certificate_details.issuerEmail
Expander Certificate Issuer Locality | reply.assets_internet_exposure.certificate_details.issuerLocality
Expander Certificate Issuer Name | reply.assets_internet_exposure.certificate_details.issuerName
Expander Certificate Issuer Org | reply.assets_internet_exposure.certificate_details.issuerOrg
Expander Certificate Issuer Org Unit | reply.assets_internet_exposure.certificate_details.issuerOrgUnit
Expander Certificate Issuer State | reply.assets_internet_exposure.certificate_details.issuerState
Expander Certificate MD5 Fingerprint | reply.assets_internet_exposure.certificate_details.md5Fingerprint
Expander Certificate Public Key Algorithm | reply.assets_internet_exposure.certificate_public_key_algorithm
Expander Certificate Public Key Bits | reply.assets_internet_exposure.certificate_public_key_bits
Expander Certificate Publickey | reply.assets_internet_exposure.certificate_details.publicKey
Expander Certificate Publickey Algorithm | reply.assets_internet_exposure.certificate_details.publicKeyAlgorithm
Expander Certificate Publickey Bits | reply.assets_internet_exposure.certificate_details.publicKeyBits
Expander Certificate Publickey Modulus | reply.assets_internet_exposure.certificate_details.publicKeyModulus
Expander Certificate Publickey RSA Exponent | reply.assets_internet_exposure.certificate_details.publicKeyRsaExponent
Expander Certificate Publickey SPKI | reply.assets_internet_exposure.certificate_details.publicKeySpki
Expander Certificate Serial Number | reply.assets_internet_exposure.certificate_serial_number
Expander Certificate Sha1 Fingerprint | reply.assets_internet_exposure.certificate_details.sha1Fingerprint
Expander Certificate Sha256 Fingerprint | reply.assets_internet_exposure.certificate_details.sha256Fingerprint
Expander Certificate Signature Algorithm | reply.assets_internet_exposure.certificate_details.signatureAlgorithm
Expander Certificate Subject | reply.assets_internet_exposure.certificate_details.subject
Expander Certificate Subject Alt Names | reply.assets_internet_exposure.certificate_subject_alt_names
Expander Certificate Subject Alternative Names | reply.assets_internet_exposure.certificate_details.subjectAlternativeNames
Expander Certificate Subject Country | reply.assets_internet_exposure.certificate_details.subjectCountry
Expander Certificate Subject Email | reply.assets_internet_exposure.certificate_details.subjectEmail
Expander Certificate Subject Locality | reply.assets_internet_exposure.certificate_details.subjectLocality
Expander Certificate Subject Name | reply.assets_internet_exposure.certificate_details.subjectName
Expander Certificate Subject Org | reply.assets_internet_exposure.certificate_details.subjectOrg
Expander Certificate Subject Org Unit | reply.assets_internet_exposure.certificate_details.subjectOrgUnit
Expander Certificate Subject Organization | reply.assets_internet_exposure.certificate_subject_organization
Expander Certificate Subject Organization Unit | reply.assets_internet_exposure.certificate_subject_organization_unit
Expander Certificate Subject State | reply.assets_internet_exposure.certificate_details.subjectState
Expander Certificate Valid Not After | reply.assets_internet_exposure.certificate_details.validNotAfter
Expander Certificate Valid Not Before | reply.assets_internet_exposure.certificate_details.validNotBefore
Expander Certificate Version | reply.assets_internet_exposure.certificate_details.version
Expander Cloud Id | reply.assets_internet_exposure.cloud_id
Expander Cloud Provider | reply.assets_internet_exposure.cloud_provider
Expander Cloud Resource Type | reply.assets_internet_exposure.cloud_resource_type
Expander Creation Time | reply.assets_internet_exposure.creation_time
Expander Date Added | reply.assets_internet_exposure.date_added
Expander Domain | reply.assets_internet_exposure.domain
Expander Domain Admin Email | reply.assets_internet_exposure.domain_admin_email
Expander Domain Admin Name | reply.assets_internet_exposure.domain_admin_name
Expander Domain Admin Organization | reply.assets_internet_exposure.domain_admin_organization
Expander Domain Administrator City | reply.assets_internet_exposure.domain_details.admin.city
Expander Domain Administrator Country | reply.assets_internet_exposure.domain_details.admin.country
Expander Domain Administrator Emailaddress | reply.assets_internet_exposure.domain_details.admin.emailAddress
Expander Domain Administrator Faxextension | reply.assets_internet_exposure.domain_details.admin.faxExtension
Expander Domain Administrator Faxnumber | reply.assets_internet_exposure.domain_details.admin.faxNumber
Expander Domain Administrator Name | reply.assets_internet_exposure.domain_details.admin.name
Expander Domain Administrator Organization | reply.assets_internet_exposure.domain_details.admin.organization
Expander Domain Administrator Phoneextension | reply.assets_internet_exposure.domain_details.admin.phoneExtension
Expander Domain Administrator Phonenumber | reply.assets_internet_exposure.domain_details.admin.phoneNumber
Expander Domain Administrator Postalcode | reply.assets_internet_exposure.domain_details.admin.postalCode
Expander Domain Administrator Province | reply.assets_internet_exposure.domain_details.admin.province
Expander Domain Administrator Registry ID | reply.assets_internet_exposure.domain_details.admin.registryId
Expander Domain Administrator Street | reply.assets_internet_exposure.domain_details.admin.street
Expander Domain Aligned Registrar | reply.assets_internet_exposure.domain_details.alignedRegistrar
Expander Domain Collection Time | reply.assets_internet_exposure.domain_details.collectionTime
Expander Domain Creation Date | reply.assets_internet_exposure.domain_details.creationDate
Expander Domain DNSSEC | reply.assets_internet_exposure.domain_details.dnssec
Expander Domain Domain Statuses | reply.assets_internet_exposure.domain_details.domainStatuses
Expander Domain Expiry Date | reply.assets_internet_exposure.domain_expiry_date
Expander Domain Name Servers | reply.assets_internet_exposure.domain_details.nameServers
Expander Domain Registrant City | reply.assets_internet_exposure.domain_details.registrant.city
Expander Domain Registrant Country | reply.assets_internet_exposure.domain_details.registrant.country
Expander Domain Registrant Email | reply.assets_internet_exposure.domain_registrant_email
Expander Domain Registrant Email Address | reply.assets_internet_exposure.domain_details.registrant.emailAddress
Expander Domain Registrant Fax Extension | reply.assets_internet_exposure.domain_details.registrant.faxExtension
Expander Domain Registrant Fax Number | reply.assets_internet_exposure.domain_details.registrant.faxNumber
Expander Domain Registrant Name | reply.assets_internet_exposure.domain_registrant_name
Expander Domain Registrant Organization | reply.assets_internet_exposure.domain_registrant_organization
Expander Domain Registrant Phone Extension | reply.assets_internet_exposure.domain_details.registrant.phoneExtension
Expander Domain Registrant Phone Number | reply.assets_internet_exposure.domain_details.registrant.phoneNumber
Expander Domain Registrant Postal Code | reply.assets_internet_exposure.domain_details.registrant.postalCode
Expander Domain Registrant Province | reply.assets_internet_exposure.domain_details.registrant.province
Expander Domain Registrant Registry ID | reply.assets_internet_exposure.domain_details.registrant.registryId
Expander Domain Registrant Street | reply.assets_internet_exposure.domain_details.registrant.street
Expander Domain Registrar Abuse Contact Email | reply.assets_internet_exposure.domain_details.registrar.abuseContactEmail
Expander Domain Registrar Abuse Contact Phone | reply.assets_internet_exposure.domain_details.registrar.abuseContactPhone
Expander Domain Registrar Aligned Name | reply.assets_internet_exposure.domain_details.registrar.alignedName
Expander Domain Registrar IANA ID | reply.assets_internet_exposure.domain_details.registrar.ianaId
Expander Domain Registrar Name | reply.assets_internet_exposure.domain_details.registrar.name
Expander Domain Registrar Registration Expiration Date | reply.assets_internet_exposure.domain_details.registrar.registrationExpirationDate
Expander Domain Registrar URL | reply.assets_internet_exposure.domain_details.registrar.url
Expander Domain Registrar Whois Server | reply.assets_internet_exposure.domain_details.registrar.whoisServer
Expander Domain Registry Domain ID | reply.assets_internet_exposure.domain_details.registryDomainId
Expander Domain Registry Expiry Date | reply.assets_internet_exposure.domain_details.registryExpiryDate
Expander Domain Reseller | reply.assets_internet_exposure.domain_details.reseller
Expander Domain Resolves | reply.assets_internet_exposure.domain_resolves
Expander Domain Retrieved Date | reply.assets_internet_exposure.domain_details.retrievedDate
Expander Domain Tech City | reply.assets_internet_exposure.domain_details.tech.city
Expander Domain Tech Country | reply.assets_internet_exposure.domain_details.tech.country
Expander Domain Tech Emailaddress | reply.assets_internet_exposure.domain_details.tech.emailAddress
Expander Domain Tech Faxextension | reply.assets_internet_exposure.domain_details.tech.faxExtension
Expander Domain Tech Faxnumber | reply.assets_internet_exposure.domain_details.tech.faxNumber
Expander Domain Tech Name | reply.assets_internet_exposure.domain_details.tech.name
Expander Domain Tech Organization | reply.assets_internet_exposure.domain_details.tech.organization
Expander Domain Tech Phoneextension | reply.assets_internet_exposure.domain_details.tech.phoneExtension
Expander Domain Tech Phonenumber | reply.assets_internet_exposure.domain_details.tech.phoneNumber
Expander Domain Tech Postalcode | reply.assets_internet_exposure.domain_details.tech.postalCode
Expander Domain Tech Province | reply.assets_internet_exposure.domain_details.tech.province
Expander Domain Tech Registryid | reply.assets_internet_exposure.domain_details.tech.registryId
Expander Domain Tech Street | reply.assets_internet_exposure.domain_details.tech.street
Expander Domain Updated Date | reply.assets_internet_exposure.domain_details.updatedDate
Expander Extended Properties Last Start Time | reply.assets_internet_exposure.extended_properties.last_start_time
Expander Extended Properties Machine Type | reply.assets_internet_exposure.extended_properties.machine_type
Expander Extended Properties Network Interfaces Id | reply.assets_internet_exposure.extended_properties.network_interfaces.id
Expander Extended Properties Network Interfaces Ip | reply.assets_internet_exposure.extended_properties.network_interfaces.ip
Expander Extended Properties Network Interfaces Name | reply.assets_internet_exposure.extended_properties.network_interfaces.name
Expander Extended Properties Network Interfaces Subnet Id | reply.assets_internet_exposure.extended_properties.network_interfaces.subnet_id
Expander Extended Properties Network Interfaces Vpc Id | reply.assets_internet_exposure.extended_properties.network_interfaces.vpc_id
Expander Extended Properties Private Ips | reply.assets_internet_exposure.extended_properties.private_ips
Expander Extended Properties Public Ips | reply.assets_internet_exposure.extended_properties.public_ips
Expander Extended Properties Volumes Boot | reply.assets_internet_exposure.extended_properties.volumes.boot
Expander Extended Properties Volumes Id | reply.assets_internet_exposure.extended_properties.volumes.id
Expander Extended Properties Volumes Name | reply.assets_internet_exposure.extended_properties.volumes.name
Expander Extended Properties Volumes Type | reply.assets_internet_exposure.extended_properties.volumes.type
Expander External Ips | reply.assets_internet_exposure.external_ips
Expander Externally Detected Providers | reply.assets_internet_exposure.externally_detected_providers
Expander Externally Inferred Cves | reply.assets_internet_exposure.externally_inferred_cves
Expander GCP Cloud Tags | reply.assets_internet_exposure.gcp_cloud_tags
Expander Geo Region | reply.assets_internet_exposure.geo_region
Expander Has Active Externally Services | reply.assets_internet_exposure.has_active_externally_services
Expander Has Alerts | reply.assets_internet_exposure.has_alerts
Expander Has BU Overrides | reply.assets_internet_exposure.has_bu_overrides
Expander Has Incidents | reply.assets_internet_exposure.has_incidents
Expander Has XDR Agent | reply.assets_internet_exposure.has_xdr_agent
Expander Hierarchy | reply.assets_internet_exposure.hierarchy
Expander Internal Ips | reply.assets_internet_exposure.internal_ips
Expander Iot Category | reply.assets_internet_exposure.iot_category
Expander Iot Model | reply.assets_internet_exposure.iot_model
Expander Iot Profile | reply.assets_internet_exposure.iot_profile
Expander Ip Ranges | reply.assets_internet_exposure.ip_ranges
Expander Ips | reply.assets_internet_exposure.ips
Expander IPV6s | reply.assets_internet_exposure.ipv6s
Expander Is Paid Level Domain | reply.assets_internet_exposure.is_paid_level_domain
Expander Mac Addresses | reply.assets_internet_exposure.mac_addresses
Expander Management Status | reply.assets_internet_exposure.management_status
Expander Open Ports | reply.assets_internet_exposure.open_ports
Expander Operation System | reply.assets_internet_exposure.operation_system
Expander Project Name | reply.assets_internet_exposure.project_name
Expander Provider Account | reply.assets_internet_exposure.provider_account
Expander Recent IPs First Observed | reply.assets_internet_exposure.recent_ips.firstObserved
Expander Recent IPs Id | reply.assets_internet_exposure.recent_ips.id
Expander Recent IPs Ip | reply.assets_internet_exposure.recent_ips.ip
Expander Recent IPs Ipv6 | reply.assets_internet_exposure.recent_ips.ipv6
Expander Recent IPs Last Observed | reply.assets_internet_exposure.recent_ips.lastObserved
Expander Recent IPs Provider Additionalproviderinfo | reply.assets_internet_exposure.recent_ips.provider.additionalProviderInfo
Expander Recent IPs Provider CDN | reply.assets_internet_exposure.recent_ips.provider.cdn
Expander Recent IPs Provider Display Name | reply.assets_internet_exposure.recent_ips.provider.displayName
Expander Recent IPs Provider ISCDN | reply.assets_internet_exposure.recent_ips.provider.isCdn
Expander Recent IPs Provider Legacyname | reply.assets_internet_exposure.recent_ips.provider.legacyName
Expander Recent IPs Provider Name | reply.assets_internet_exposure.recent_ips.provider.name
Expander Recent IPs Source Name | reply.assets_internet_exposure.recent_ips.source.name
Expander Region | reply.assets_internet_exposure.region
Expander Sensor | reply.assets_internet_exposure.sensor
Expander Service Type | reply.assets_internet_exposure.service_type
Expander Sub Region | reply.assets_internet_exposure.sub_region
Expander VPC Name ID | reply.assets_internet_exposure.vpc_name_id
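
To check which RBVM host fields a given Expander reply would populate, the dotted mapping paths above can be resolved against the JSON, fanning out wherever a path segment is a list. This is an added example, not Ivanti's connector code; it assumes reply.assets_internet_exposure is a list of asset objects, and the sample reply and its values are constructed.

```python
import json

# Subset of the Host mapping table: RBVM field -> Expander reply path.
HOST_MAPPING = {
    "Expander Agent Id": "reply.assets_internet_exposure.agent_id",
    "Expander Business Units Names": "reply.assets_internet_exposure.business_units.name",
    "Expander Certificate Issuer Org": "reply.assets_internet_exposure.certificate_details.issuerOrg",
    "Expander Recent IPs Provider Name": "reply.assets_internet_exposure.recent_ips.provider.name",
    "Expander Externally Inferred Cves": "reply.assets_internet_exposure.externally_inferred_cves",
    "Expander Open Ports": "reply.assets_internet_exposure.open_ports",
}
ASSET_LIST_PATH = "reply.assets_internet_exposure"  # assumed to hold a list of assets

# Constructed sample reply (not real Expander output).
SAMPLE_REPLY = json.loads("""
{"reply": {"assets_internet_exposure": [
  {"agent_id": null,
   "business_units": [{"name": "Retail"}, {"name": "Corp IT"}],
   "certificate_details": {"issuerOrg": "Example CA"},
   "recent_ips": [{"ip": "192.0.2.10", "provider": {"name": "ExampleCloud"}},
                  {"ip": "192.0.2.11", "provider": null}],
   "externally_inferred_cves": ["CVE-PLACEHOLDER-1"]},
  {"agent_id": "agent-01", "business_units": [], "certificate_details": null}
]}}
""")


def resolve(node, keys):
    """Follow the remaining path keys through node and return all leaf values.

    Lists fan out to every element; null or missing segments yield nothing.
    """
    if node is None:
        return []
    if isinstance(node, list):
        values = []
        for item in node:
            values.extend(resolve(item, keys))
        return values
    if not keys:
        return [node]
    if not isinstance(node, dict):
        return []
    return resolve(node.get(keys[0]), keys[1:])


def map_hosts(doc):
    """Return one {RBVM field: [values]} dict per asset in the reply."""
    prefix = ASSET_LIST_PATH.split(".")
    assets = doc
    for key in prefix:
        assets = assets.get(key, {}) if isinstance(assets, dict) else {}
    if not isinstance(assets, list):
        return []
    hosts = []
    for asset in assets:
        row = {}
        for field, path in HOST_MAPPING.items():
            # Resolve the part of the path below the per-asset object.
            row[field] = resolve(asset, path.split(".")[len(prefix):])
        hosts.append(row)
    return hosts


def unmapped_fields(hosts):
    """RBVM fields that received no value from any asset in the reply."""
    return sorted(f for f in HOST_MAPPING if not any(h[f] for h in hosts))


if __name__ == "__main__":
    mapped = map_hosts(SAMPLE_REPLY)
    for host in mapped:
        print(host)
    print("never populated:", unmapped_fields(mapped))
```

Fields reported by unmapped_fields are the ones to look at first when a filter or playbook keyed on an RBVM field matches no hosts.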

Host Finding Mapping

RBVM Field | Mapping Field
Expander Aggregated Score | reply.incident.aggregated_score
Expander Alert Categories | reply.incident.alert_categories
Expander Alert ID | reply.incident.xpanse_risk_explainer.riskFactors.alerts.alert_id
Expander Alerts Action | reply.incident.xpanse_risk_explainer.riskFactors.alerts.action
Expander Alerts Action Country | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_country
Expander Alerts Action External Hostname | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_external_hostname
Expander Alerts Action Local Ip | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_local_ip
Expander Alerts Action Local Ip V6 | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_local_ip_v6
Expander Alerts Action Local Port | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_local_port
Expander Alerts Action Pretty | reply.incident.xpanse_risk_explainer.riskFactors.alerts.action_pretty
Expander Alerts Action Remote Ip | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_remote_ip
Expander Alerts Action Remote Ip V6 | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_remote_ip_v6
Expander Alerts Action Remote Port | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.action_remote_port
Expander Alerts Alert Type | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.alert_type
Expander Alerts Asm Alert Categories | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.asm_alert_categories
Expander Alerts Asset Ids | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.asset_ids
Expander Alerts Case Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.case_id
Expander Alerts Category | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.category
Expander Alerts Certificate Subject Organization | reply.incident.xpanse_risk_explainer.riskFactors.alerts.certificate_subject_organization
Expander Alerts Cloud Management Status | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.cloud_management_status
Expander Alerts Cloud Provider | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.cloud_provider
Expander Alerts Cloud Providers | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.cloud_providers
Expander Alerts Country Codes | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.country_codes
Expander Alerts Deduplicate Tokens | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.deduplicate_tokens
Expander Alerts Domain Names | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.domain_names
Expander Alerts Dynamic Fields | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.dynamic_fields
Expander Alerts End Match Attempt Ts | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.end_match_attempt_ts
Expander Alerts Endpoint Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.endpoint_id
Expander Alerts Event Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.event_id
Expander Alerts Event Timestamp | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.event_timestamp
Expander Alerts Event Type | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.event_type
Expander Alerts Events Length | reply.incident.xpanse_risk_explainer.riskFactors.alerts.events_length
Expander Alerts External Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.external_id
Expander Alerts Filter Rule Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.filter_rule_id
Expander Alerts Grouping Status | reply.incident.alerts_grouping_status
Expander Alerts Image Name | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.image_name
Expander Alerts Integration Source | reply.incident.xpanse_risk_explainer.riskFactors.alerts.integration_source
Expander Alerts Ipv4 Addresses | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.ipv4_addresses
Expander Alerts Ipv6 Addresses | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.ipv6_addresses
Expander Alerts Is Whitelisted | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.is_whitelisted
Expander Alerts Last Modified Ts | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.last_modified_ts
Expander Alerts Local Insert Ts | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.local_insert_ts
Expander Alerts Mac | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.mac
Expander Alerts Malicious Urls | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.malicious_urls
Expander Alerts Matching Service Rule Id | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.matching_service_rule_id
Expander Alerts Matching Status | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.matching_status
Expander Alerts Mitre Tactic Id And Name | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.mitre_tactic_id_and_name
Expander Alerts Mitre Technique Id And Name | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.mitre_technique_id_and_name
Expander Alerts Name | reply.incident.xpanse_risk_explainer.riskFactors.alerts.name
Expander Alerts Project | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.project
Expander Alerts Resolution Comment | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.resolution_comment
Expander Alerts Resource Sub Type | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.resource_sub_type
Expander Alerts Resource Type | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.resource_type
Expander Alerts Service Ids | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.service_ids
Expander Alerts Source | reply.incident.xpanse_risk_explainer.riskFactors.alerts.source
Expander Alerts Starred | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.starred
Expander Alerts Tags | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.tags
Expander Alerts Total Count | reply.incident.xpanse_risk_explainer.riskFactors.alerts.total_count
Expander Alerts User Name | reply.incident.xpanse_risk_explainer.riskFactors.alerts.user_name
Expander Alerts Website Ids | reply.incident.xpanse_risk_explainer.riskFactors.alerts.data.website_ids
Expander Assigned User Mail | reply.incident.assigned_user_mail
Expander Assigned User Pretty Name | reply.incident.assigned_user_pretty_name
Expander Country Codes | reply.incident.country_codes
Expander Detection Time | reply.incident.detection_time
Expander Incident Creation Time | reply.incident.creation_time
Expander Incident Description | reply.incident.description
Expander Incident ID | reply.incident.incident_id
Expander Incident Modification Time | reply.incident.modification_time
Expander Incident Name | reply.incident.incident_name
Expander Incident Severity | reply.incident.severity
Expander Incident Sources | reply.incident.incident_sources
Expander Incident Status | reply.incident.status
Expander Integration Source | reply.incident.integration_source
Expander Ip Range Ids | reply.incident.ip_range_ids
Expander Isconfirmedvulnerable | reply.incident.xpanse_risk_explainer.riskFactors.isConfirmedVulnerable
Expander Manual Description | reply.incident.manual_description
Expander Manual Score | reply.incident.manual_score
Expander Manual Severity | reply.incident.manual_severity
Expander Mitre Tactics Ids And Names | reply.incident.mitre_tactics_ids_and_names
Expander Mitre Techniques Ids And Names | reply.incident.mitre_techniques_ids_and_names
Expander Notes | reply.incident.notes
Expander Resolve Comment | reply.incident.resolve_comment
Expander Resolved Timestamp | reply.incident.resolved_timestamp
Expander Risk Explainer Attribute Names | reply.incident.xpanse_risk_explainer.riskFactors.attributeName
Expander Rule Based Score | Expander Rule Based Score
Expander Service Ids | reply.incident.service_ids
Expander Starred | reply.incident.starred
Expander Starred Manually | reply.incident.starred_manually
Expander Versionmatched | reply.incident.xpanse_risk_explainer.riskFactors.versionMatched
Expander Website Ids | reply.incident.website_ids
Expander Xdr Url | reply.incident.xdr_url
Expander Xpanse Risk Score | reply.incident.xpanse_risk_score