Palo Alto Xpanse - Expander Connector Guide

How to set up and use the Palo Alto Xpanse - Expander connector in RiskSense.

Overview

Palo Alto Xpanse - Expander collects data about every device connected to the Internet and attributes assets to customers. Expander maintains the inventory associated with a given organization and sends alerts about unexpected, unknown, or risky IT assets that appear in the system.

The RiskSense platform provides an API-based connector that integrates with Palo Alto Xpanse - Expander, enabling customers to bring in their findings. It gives customers visibility into their overall risk due to vulnerabilities in their endpoints and a simpler, more efficient way to manage those vulnerabilities.

User Prerequisites/Expander Setup

Expander is a cloud-based solution. RiskSense requires a user account with the following access to communicate with and pull data from Expander.

  • Read access to the assets and their associated issues.
  • API access.

Expander Connector API Calls

The following API calls are performed during a connector run to pull security vulnerabilities from Expander into RiskSense.

API Type                                  Endpoint
Authentication                            https://expander.expanse.co/api/v1/idToken/
Fetch List of Issues                      https://expander.expanse.co/api/v1/issues/issues
Fetch List of Updates for all the Issues  https://expander.expanse.co/api/v1/issues/updates

Configuring the Expander Connector in RiskSense

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations-1

Using the search bar in the upper-right corner of the Integrations page, type Expander to find the connector.

Expander Connector - Search for Connector

Locate the Palo Alto Xpanse - Expander card on the page and click Configuration.

Expander Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

  • Name: The connector’s name.
  • URL: The URL to access the Expander API (https://expander.expanse.co).
  • API Token: Expanse provides the bearer token as part of the onboarding process for API access.
  • SSL: Optional instance SSL certificate in base64 format.
  • Network: This connector is available only when using a Mixed network. Refer to the RiskSense documentation on mixed networks for more information.

Expander Connector - Connection Window

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make Expander API calls.

Expander Connector - Test Credentials

Under Schedule, configure the desired schedule for the connector to retrieve results from the Expander instance. Users can optionally turn on Enable auto URBA (Update Remediation by Assessment).

Expander Connector - Schedule Options

Click the Save button to save the connector’s configuration and create the connector. Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.

Clicking the History button displays the connector details for each pull. The Sync button allows users to perform an on-demand sync. The Edit button allows the user to edit the connector configuration. The Delete button allows the user to delete the connector.

Expander Connector - Configured Connector

Once files have been processed on the Uploads page, view the ingested data by navigating to the Hosts and Host Findings pages.

Mapping Expander fields in RiskSense

This table shows the high-level mapping of Expander API fields to RiskSense fields.

RiskSense Field             Expander Field
HostName                    data -> domain
Ip Address                  data -> ip (available for a few assetTypes only)
Expanse Asset Identifier    depends on data -> assets -> assetType:
                              'IpRange'       : data -> assets -> displayName
                              'Domain'        : data -> assets -> assetKey
                              'Certificate'   : data -> assets -> assetKey
                              'CloudResource' : data -> assets -> assetKey
Asset Type                  data -> assets -> assetType
Asset Name                  data -> assets -> displayName
Scanner Severity            data -> priority
Scanner Plugin              data -> issueType -> name

RiskSense Tags

The following fields from Expander APIs are converted into RiskSense tags. You can use these tags for searching, playbook automation, and better visualization in RiskSense Dashboards.

  • data -> annotations -> tags -> name
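The following Python script is an added example and is not RiskSense's or Palo Alto's code. It walks through the two calls from the API table above (Authentication, then Fetch List of Issues) and reduces each returned issue to the RiskSense fields in the mapping table, including the tag conversion just described. Everything beyond what this page states is an assumption: that the idToken call exchanges the onboarding bearer token for a JWT sent on later calls as "Authorization: JWT <token>", that the issues response wraps the list in a "data" key, and the sample issues, which are constructed for the example. The HTTP transport is injected so the script runs offline against a fake; a real transport would call requests.get(url, headers=headers).json().

```python
# Added example, not RiskSense's or Palo Alto's code. Exercises the two
# Expander API calls listed on this page and the field mapping table.
# Assumptions beyond the page: idToken exchanges the onboarding bearer token
# for a JWT sent as "Authorization: JWT <token>", the issues response wraps
# the list in a "data" key, and SAMPLE_ISSUES below are constructed.
from typing import Any, Callable, Dict, List

BASE_URL = "https://expander.expanse.co"

# Which asset field supplies "Expanse Asset Identifier", per the mapping table.
ASSET_IDENTIFIER_FIELD = {
    "IpRange": "displayName",
    "Domain": "assetKey",
    "Certificate": "assetKey",
    "CloudResource": "assetKey",
}

HttpGet = Callable[[str, Dict[str, str]], Dict[str, Any]]


def fetch_issues(http_get: HttpGet, api_token: str,
                 base_url: str = BASE_URL) -> List[Dict[str, Any]]:
    """Run the Authentication and Fetch List of Issues calls from the API table.

    http_get(url, headers) returns parsed JSON; it is injected so this runs offline.
    """
    # Assumption (not on the page): bearer token in, short-lived JWT out.
    id_resp = http_get(f"{base_url}/api/v1/idToken/",
                       {"Authorization": f"Bearer {api_token}"})
    jwt = id_resp["token"]
    issues_resp = http_get(f"{base_url}/api/v1/issues/issues",
                           {"Authorization": f"JWT {jwt}"})
    return issues_resp.get("data", [])


def map_issue(issue: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one issue (a "data" element) to the RiskSense fields in the table."""
    assets = issue.get("assets") or []
    asset = assets[0] if assets else {}        # the table addresses data -> assets -> ...
    asset_type = asset.get("assetType")
    id_field = ASSET_IDENTIFIER_FIELD.get(asset_type)
    tags = (issue.get("annotations") or {}).get("tags") or []
    return {
        "HostName": issue.get("domain"),
        "Ip Address": issue.get("ip"),          # present only for some assetTypes
        "Expanse Asset Identifier": asset.get(id_field) if id_field else None,
        "Asset Type": asset_type,
        "Asset Name": asset.get("displayName"),
        "Scanner Severity": issue.get("priority"),
        "Scanner Plugin": (issue.get("issueType") or {}).get("name"),
        "Scanner Name": "Expander",             # default from "Common Fields in RiskSense"
        "Tags": [t["name"] for t in tags if t.get("name")],
    }


def unmapped_asset_types(issues: List[Dict[str, Any]]) -> List[str]:
    """Asset types the mapping table does not cover. Surfacing these in the pull
    history is better than silently ingesting hosts with no asset identifier."""
    types = {(i.get("assets") or [{}])[0].get("assetType") for i in issues}
    return sorted(t for t in types if t and t not in ASSET_IDENTIFIER_FIELD)


# Constructed sample issues shaped like the paths in the mapping table.
SAMPLE_ISSUES = [
    {"domain": "www.example.com", "priority": "High",
     "issueType": {"name": "Sample Issue Type A"},
     "assets": [{"assetType": "Domain", "assetKey": "www.example.com",
                 "displayName": "www.example.com"}],
     "annotations": {"tags": [{"name": "prod"}, {"name": "web"}]}},
    {"ip": "192.0.2.10", "priority": "Medium",
     "issueType": {"name": "Sample Issue Type B"},
     "assets": [{"assetType": "IpRange", "assetKey": "192.0.2.0/24",
                 "displayName": "Example Range"}],
     "annotations": {}},
    {"priority": "Low", "issueType": {"name": "Sample Issue Type C"},
     "assets": [{"assetType": "SomethingNew", "assetKey": "x", "displayName": "x"}]},
]


def fake_http_get(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Offline stand-in for the Expander API: checks the expected Authorization
    header for each endpoint and returns the constructed responses."""
    auth = headers.get("Authorization", "")
    if url == f"{BASE_URL}/api/v1/idToken/" and auth.startswith("Bearer "):
        return {"token": "constructed-jwt"}
    if url == f"{BASE_URL}/api/v1/issues/issues" and auth == "JWT constructed-jwt":
        return {"data": SAMPLE_ISSUES}
    raise PermissionError(f"unexpected request: {url} with {auth!r}")


if __name__ == "__main__":
    pulled = fetch_issues(fake_http_get, "constructed-api-token")
    for row in map(map_issue, pulled):
        print(row)
    print("unmapped asset types:", unmapped_asset_types(pulled))
```

The fake transport rejects a bearer token on the issues endpoint, which mirrors the reason the connector's Test Credentials step matters: a token that authenticates but lacks read access to assets and issues fails only on the second call.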

Common Fields in RiskSense

The following fields in RiskSense are defined for Expander, along with their default values.

  • The Scanner Name is Expander.