Automated Attack Surface Management with Cortex XSOAR + Xpanse

Organizations today face a complex threat landscape. From the rapid adoption of cloud technology to the persistent risks relating to the supply chain, it is imperative that enterprises have an unobstructed view of their attack surface. Through our recent acquisition of Expanse, now Cortex Xpanse, we are now able to offer our customers an outside-in view as they defend their environments. Xpanse continuously scans the entire internet for all assets owned by a company, allowing an organization to assess vulnerabilities on an ongoing basis. However, monitoring your attack surface is only half the story. Taking action on the vulnerabilities you discover is the other half.

This is why we are excited to announce the launch of the Xpanse content pack in the Cortex XSOAR Marketplace, providing security teams with the ability to identify and remediate vulnerabilities with unprecedented speed and confidence. Cortex XSOAR customers are now able to integrate the powerful insights from Xpanse into their security orchestration playbooks, enabling a complete, end-to-end action plan from discovery to remediation.

A Powerful Pairing

Xpanse provides a complete and accurate inventory of an organization’s global internet-facing assets and misconfigurations to continuously discover, evaluate, and mitigate an external attack surface. It also flags risky communications, helps evaluate supplier risk, and assesses the cybersecurity risk during mergers and acquisitions without the need for agents or software. While finding problems is crucial, eliminating them before an exploit occurs is essential to preserving the integrity of a company’s security posture. This is where Xpanse’s integration with Cortex XSOAR is indispensable, and unique in the security industry. By combining Cortex XSOAR with Xpanse, customers will have the ability to create incidents and enrich playbooks with internet asset information provided by Xpanse. Security teams leveraging both technologies will be able to respond to Internet-based incidents by taking action, such as triggering scans and creating tickets.

New Xpanse Content Pack for Cortex XSOAR

The new Xpanse Content Pack for Cortex XSOAR provides full coverage of the Expander and Behavior product capabilities to allow a Security Operations Center (SOC) to automate the defense of its company’s attack surface. Expander identifies and attributes all of an organization's internet-facing assets, distinguishing sanctioned from unsanctioned assets, to map the enterprise attack surface. Behavior uses global Internet flow data to surface communications between Internet-connected assets, detecting and stopping risky or out-of-policy communications that can be exploited for data breaches or ransomware attacks. The Issues module, built on top of Expander and Behavior, is a cutting-edge policy engine that automatically detects security policy violations according to the unique needs of the organization. The integrations in the pack fetch Xpanse Issues and mirror them with Cortex XSOAR incidents, and ingest the indicators (IPs, Domains, and Certificates) discovered by Expanse. Together with automated remediation through Cortex XSOAR, this helps reduce MTTD and MTTR and boosts SOC analyst productivity.

This pack provides:

  • The Xpanse v2 integrations (for Xpanse Expander and Behavior), which allow Cortex XSOAR to collect Xpanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update Issues and Assets in Xpanse
  • A feed integration named Xpanse Expander Feed, which is compatible with the XSOAR Threat Intel Management capabilities to retrieve and store discovered assets (IPs, IP ranges, Domains, and Certificates) in Cortex XSOAR for analysis and correlation
  • An Xpanse Issue Incident Type with dedicated fields and layouts
  • A rich set of Playbooks and Sub-playbooks that handle the investigation and remediation of Xpanse Issues
  • Dashboards that display the network perimeter as discovered by Expanse and the status of Xpanse Issues

Expanse Alerts in Cortex XSOAR

The Cortex XSOAR + Xpanse integration makes Palo Alto Networks the ideal partner to help companies bring security from the inside out and now, from the outside in. This content pack is available in the Cortex XSOAR Marketplace within Cortex XSOAR.

Want to learn more about Cortex XSOAR and the Xpanse content pack? Check out the January 2021 Cortex XSOAR Marketplace Webinar (the first of our new series) to see it in action and take a look at this recent informational video!

Don't have Cortex XSOAR? Download our free Community Edition today.