Automated Attack Surface Management with Cortex XSOAR + Expanse

Organizations today face a complex threat landscape. From the rapid adoption of cloud technology to the persistent risks in the supply chain, it is imperative that enterprises have an unobstructed view of their attack surface. Through our recent acquisition of Expanse, we are now able to offer our customers an outside-in view as they defend their environments. Expanse continuously scans the entire Internet for assets attributable to an organization, allowing that organization to assess its exposures on an ongoing basis. However, monitoring your attack surface is only half the story. Taking action on the issues you discover is the other half.

This is why we are excited to announce the launch of the Expanse content pack in the Cortex XSOAR Marketplace, providing security teams with the ability to identify and remediate exposures with unprecedented speed and confidence. Cortex XSOAR customers are now able to integrate the insights from Expanse into their security orchestration playbooks, enabling a complete, end-to-end action plan from discovery to remediation.

A Powerful Pairing

Expanse provides a complete and accurate inventory of an organization's global Internet-facing assets and misconfigurations, so that teams can continuously discover, evaluate, and mitigate their external attack surface. It also flags risky communications, helps evaluate supplier risk, and assesses cybersecurity risk during mergers and acquisitions, all without agents or software deployed on the assets. While finding problems is crucial, eliminating them before an exploit occurs is essential to preserving the integrity of a company's security posture. This is where Expanse's integration with Cortex XSOAR is indispensable, and unique in the security industry. By combining Cortex XSOAR with Expanse, customers can create incidents from Expanse findings and enrich playbooks with the Internet asset information Expanse provides. Security teams leveraging both technologies can respond to Internet-facing incidents by taking action, such as triggering scans and creating tickets.

New Expanse Content Pack for Cortex XSOAR

The new Expanse Content Pack for Cortex XSOAR provides full coverage of the Expander and Behavior product capabilities, allowing a Security Operations Center (SOC) to automate the defense of its company's attack surface. Expander identifies and attributes all of an organization's Internet-facing assets, distinguishing sanctioned from unsanctioned assets to map the enterprise attack surface. Behavior uses global Internet flow data to surface communications between Internet-connected assets, detecting and stopping risky or out-of-policy communications that could be exploited for data breaches or ransomware attacks. The Issues module, built on top of Expander and Behavior, is a policy engine that automatically detects security policy violations according to the unique needs of the organization. The integrations in the pack fetch Expanse Issues and mirror them with Cortex XSOAR incidents, and ingest the indicators (IPs, domains, and certificates) that Expanse discovers. Together with automated remediation through Cortex XSOAR, this helps reduce mean time to detect (MTTD) and mean time to respond (MTTR), and boosts SOC analyst productivity.

This pack provides:

  • The Expanse v2 integrations (for Expanse Expander and Behavior), which allow Cortex XSOAR to collect Expanse Issues and bi-directionally mirror them with incidents. Several commands are available to search, tag, and update Issues and Assets in Expanse
  • A feed integration named Expanse Expander Feed, which is compatible with the XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, Domains, and Certificates) in Cortex XSOAR for analysis and correlation
  • An Expanse Issue Incident Type with dedicated fields and layouts
  • A rich set of Playbooks and Sub-playbooks that handle the investigation and remediation of Expanse Issues
  • Dashboards that display the network perimeter as discovered by Expanse and the status of Expanse Issues
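To make the fetch-and-mirror mechanism described above concrete, here is an added example (not code from the Expanse content pack or from Palo Alto Networks) of the incremental fetch-incidents loop an XSOAR integration of this kind runs. The Issue records, their field names (`id`, `headline`, `priority`, `progressStatus`, `modified`, `assets`), and the custom incident field `expanseprogressstatus` are constructed for illustration and are not the Expanse API schema; the incident dictionary shape (`name`, `occurred`, `severity`, `rawJSON`) and the `closeReason`/`closeNotes` fields are the conventions XSOAR's fetch-incidents and incident closing use. The point worth noticing is the watermark handling: the fetch uses `>=` on the last-seen modification time so that Issues sharing that timestamp are not silently dropped, and carries the IDs already ingested at the watermark so they are not ingested twice.

```python
import json
from datetime import datetime

# Constructed sample data shaped like an Issues listing (fields assumed for illustration,
# not the real Expanse schema). Two Issues share a modification timestamp on purpose.
SAMPLE_ISSUES = [
    {"id": "i-001", "headline": "RDP exposed on unsanctioned host", "priority": "High",
     "progressStatus": "New", "modified": "2021-01-10T10:00:00Z",
     "assets": [{"ip": "203.0.113.10", "port": 3389}]},
    {"id": "i-002", "headline": "Expired TLS certificate", "priority": "Medium",
     "progressStatus": "InProgress", "modified": "2021-01-10T11:00:00Z",
     "assets": [{"domain": "vpn.example.com", "port": 443}]},
    {"id": "i-003", "headline": "Telnet service reachable from the Internet", "priority": "Critical",
     "progressStatus": "Resolved", "modified": "2021-01-10T11:00:00Z",
     "assets": [{"ip": "198.51.100.7", "port": 23}]},
]

# XSOAR incident severity scale is 0 (unknown) to 4 (critical)
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
EPOCH = "1970-01-01T00:00:00Z"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z (fromisoformat needs +00:00 on Python < 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def to_incident(issue):
    """Shape one Issue the way XSOAR's fetch-incidents expects; rawJSON feeds the incident layout."""
    return {
        "name": f"Expanse Issue: {issue['headline']}",
        "occurred": issue["modified"],
        "severity": SEVERITY.get(issue["priority"], 0),
        "rawJSON": json.dumps(issue),
    }


def fetch_incidents(last_run, issues, max_fetch=50):
    """Incremental fetch: returns (next_run, incidents).

    last_run carries the watermark ("since") and the IDs already ingested at exactly
    that timestamp ("seen_ids"), so a ">=" comparison neither drops nor duplicates
    Issues that share the watermark timestamp.
    """
    since_dt = parse_ts(last_run.get("since", EPOCH))
    seen = set(last_run.get("seen_ids", []))
    fresh = [i for i in issues
             if parse_ts(i["modified"]) >= since_dt and i["id"] not in seen]
    fresh.sort(key=lambda i: (parse_ts(i["modified"]), i["id"]))
    batch = fresh[:max_fetch]
    if not batch:
        return last_run, []
    new_since = batch[-1]["modified"]
    new_since_dt = parse_ts(new_since)
    boundary_ids = {i["id"] for i in batch if parse_ts(i["modified"]) == new_since_dt}
    if new_since_dt == since_dt:
        # Watermark did not move: keep the IDs already ingested at this timestamp
        boundary_ids |= seen
    next_run = {"since": new_since, "seen_ids": sorted(boundary_ids)}
    return next_run, [to_incident(i) for i in batch]


def mirror_in(issue):
    """Translate the Expanse-side state of a mirrored Issue into the update XSOAR should apply.

    'expanseprogressstatus' is an assumed custom incident field; closeReason/closeNotes are
    the standard XSOAR fields used when an incident is closed from the remote side.
    """
    status = issue["progressStatus"]
    update = {"expanseprogressstatus": status}
    if status == "Resolved":
        update["closeReason"] = "Resolved in Expanse"
        update["closeNotes"] = f"Issue {issue['id']} marked Resolved on the Expanse side"
    return update


if __name__ == "__main__":
    run = {}
    for _ in range(3):
        run, incidents = fetch_incidents(run, SAMPLE_ISSUES, max_fetch=2)
        print(run, [i["name"] for i in incidents])
    print(mirror_in(SAMPLE_ISSUES[2]))
```

Run it and the three fetch rounds ingest one, two, then zero Issues with the watermark staying at 11:00:00Z once reached; replacing `>=` with `>` in `fetch_incidents` would make the second round drop `i-003`, and dropping `seen_ids` would make it re-ingest `i-002`, which is exactly the pair of mistakes that produces either missing or duplicated incidents in a real mirroring integration.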

Expanse Alerts in Cortex XSOAR


The Cortex XSOAR + Expanse integration makes Palo Alto Networks the ideal partner to help companies secure their environments from the inside out and now, from the outside in. This content pack is available in the Cortex XSOAR Marketplace within Cortex XSOAR.

Want to learn more about Cortex XSOAR and the Expanse content pack? Check out the January 2021 Cortex XSOAR Marketplace Webinar (the first of our new series) to see it in action and take a look at this recent informational video!

Don't have Cortex XSOAR? Download our free Community Edition today.