Integrations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-29
Last date published: 2024-11-12
Category: User Guide
Solution: Cloud
Abstract

Cortex Xpanse integrates with third-party tools and services to support many use cases.

Cortex Xpanse integrates with third-party tools and services and other Palo Alto Networks products to support many use cases, including the following:

  • Maintain accurate asset inventory—Integrate Expander with IT and IT security systems that require an accurate source of truth of your organization's public-facing assets.

  • Generate notifications—Set up SIEM-configured notifications so you will be alerted on new assets and exposures quickly.

  • Kick off investigations—Kick off investigations of exposures with IT tickets to drive remediation action and reduce the number of exposures on your network edge.

  • Automate remediations—Cortex Xpanse Active Response uses automation integrations with playbooks to augment alert investigation and remediate risks automatically.

Types of Integrations

Cortex Xpanse supports the following types of integrations:

Collection Integrations

Description: Cortex Xpanse supports two types of collection integrations:

  • Cloud Inventory integrations that ingest cloud compute instances from the major cloud providers: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

  • Prisma Cloud integration that ingests cloud resources from your Prisma Cloud inventory.

Both of these collection integrations bring cloud context into Expander, where it can be enriched with ASM data, providing a unified, normalized inventory of your cloud assets.

Automation Integrations

Description: Automation integrations are used by Active Response playbooks to enrich an alert or respond to an alert with an action, such as sending notifications or remediating the alert by directly modifying the configuration of an asset, service, or networking infrastructure.

Outbound Integrations

Description: Outbound integrations push or pull information from Xpanse into a third-party security or workflow tool in order to integrate Xpanse into an organization's existing vulnerability or incident response system.

More information: Set up Outbound Integrations

Expander REST APIs

Expander includes a REST API capable of querying, exporting, and interacting with many areas of the product, including assets, services, alerts, and incidents. The API also supports actions such as user management and tagging. In addition to the Expander API, a Python SDK is also available for more rapid development.

Cortex Xpanse Outbound Integrations

Outbound integrations push or pull information from Xpanse into a third-party security or workflow tool. These integrations enable you to integrate Xpanse into your organization's existing vulnerability or incident response system. Cortex Xpanse provides the following outbound integrations:

  • Integrate with Cortex XSOAR—Forward risks from Expander to XSOAR via API where you can build custom playbooks to triage and remediate. This integration also includes commands to call Expander APIs for enrichment purposes.

  • Integrate a Syslog Receiver—You can send alert data to third-party systems (such as IBM QRadar and Microsoft Sentinel) using syslog forwarding.

  • Integrate with partner systems—Partner integrations are typically installed on customer systems or installed within vendor solutions through a third-party marketplace.

    Jira Server

    Description: Automatically forward new alerts along with guidance and related context from Expander to Jira as new tasks.

    More information: Contact your Customer Success Manager for configuration details.

    QRadar

    Description: Automatically forward Xpanse-discovered risks to QRadar to support alert event creation, asset event creation, offense population, and asset details display.

    More information: Cortex Xpanse for QRadar

    Qualys VM

    Description: Automatically import Xpanse assets as new asset groups in Qualys VMDR for scanning.

    More information: Contact your Customer Success Manager for configuration details.

    Rapid7 InsightVM

    Description: Automatically import assets detected by Cortex Xpanse into the Rapid7 InsightVM console to be used as scan targets.

    More information: Cortex Xpanse Integration: InsightVM Documentation and User Guide

    ServiceNow Configuration Compliance (CC)

    Description: Ingest security test results (i.e., alerts) into the ServiceNow CC module, including checking for impacted assets in the CMDB.

    More information: Cortex Xpanse ServiceNow Configuration Compliance Documentation and User Guide v2.0.0

    ServiceNow Configuration Management Database (CMDB)

    Description: Automatically ingest assets discovered by Xpanse into the ServiceNow CMDB. These assets are run through the CMDB's correlation logic to merge with existing assets.

    More information: Cortex Xpanse Service Graph Connector for Xpanse (SGCX) (v2.0.0) Documentation and User Guide

    Splunk TA v5.0.0

    Description: Forward Xpanse-discovered assets, services, and risks for management, visualization, correlation, and alerting within Splunk.

    The Cortex Xpanse TA can be installed through the Splunk Marketplace.

    More information: Cortex Xpanse Integration Guide for Splunk TA v5.x.x

    Tenable.io

    Description: Forward relevant assets that Xpanse discovers to Tenable.io for more detailed assessment and central vulnerability tracking.

    More information: Cortex Xpanse Integration: Tenable.io. Contact your Customer Success Manager to proceed with integration configuration.

    Venafi TPP Integration

    Description: Correlate certificates in the Expander inventory with those in Venafi TPP to help customers understand gaps in their certificate management.

    More information: Contact your Customer Success Manager for configuration details.
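The "Integrate a Syslog Receiver" bullet above describes sending alert data to a SIEM by syslog forwarding. The following is an added example (not Palo Alto Networks code and not the product's own forwarder) showing what such a forwarder has to get right on the way out: a well-formed RFC 5424 message with the PRI computed from facility and severity, a structured-data element with correctly escaped values, a fallback for severity labels the mapping does not know, and once-only forwarding per alert ID so that re-polling an alert export (for example one pulled through the Expander REST API) does not re-raise the same alert in the SIEM. The alert field names (`alert_id`, `severity`, `asset`, `port`, `detected`), the severity label set and the sample records are assumptions constructed for the example, not the product schema.

```python
from __future__ import annotations

import json
import socket
from datetime import datetime, timezone
from typing import Callable, Iterable

# syslog facility "local0"; PRI = facility * 8 + severity (RFC 5424, section 6.2.1)
FACILITY_LOCAL0 = 16

# Alert severity label -> RFC 5424 severity number (0 = Emergency ... 7 = Debug).
# The label set is an assumption for this example, not the product's schema.
SEVERITY_MAP = {"critical": 2, "high": 3, "medium": 4, "low": 5, "informational": 6}
DEFAULT_SEVERITY = 6  # unknown labels fall back to Informational instead of being dropped

# Structured-data IDs that are not IANA-registered take the form name@enterpriseNumber;
# 32473 is the enterprise number reserved for documentation examples (RFC 5612).
SD_ID = "xpanse@32473"

# Constructed sample alerts in the shape of a JSON export; field names are assumed.
SAMPLE_ALERTS = [
    {"alert_id": "ALERT-0001", "severity": "high", "name": "Insecure Telnet Server",
     "asset": "203.0.113.10", "port": 23, "detected": "2024-11-01T12:30:00Z"},
    {"alert_id": "ALERT-0002", "severity": "medium", "name": "Expired SSL Certificate",
     "asset": "www.example.com", "port": 443, "detected": "2024-11-02T08:15:00Z"},
    {"alert_id": "ALERT-0003", "severity": "unexpected", "name": "Unmapped severity label",
     "asset": "198.51.100.5", "port": 22, "detected": "2024-11-03T00:00:00Z"},
]


def sd_escape(value: object) -> str:
    """Escape a PARAM-VALUE per RFC 5424 section 6.3.3: backslash, double quote and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def alert_to_syslog(alert: dict, hostname: str = "xpanse-forwarder", app: str = "xpanse") -> str:
    """Render one alert as an RFC 5424 message: header, one SD element, JSON body."""
    severity = SEVERITY_MAP.get(str(alert.get("severity", "")).lower(), DEFAULT_SEVERITY)
    pri = FACILITY_LOCAL0 * 8 + severity
    timestamp = alert.get("detected") or datetime.now(timezone.utc).isoformat()
    params = " ".join(
        f'{key}="{sd_escape(alert.get(key, "-"))}"' for key in ("alert_id", "severity", "asset", "port")
    )
    body = json.dumps(alert, separators=(",", ":"), sort_keys=True)
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ("-" is the nil PROCID)
    return f"<{pri}>1 {timestamp} {hostname} {app} - ALERT [{SD_ID} {params}] {body}"


def parse_pri(message: str) -> tuple[int, int]:
    """Return (facility, severity) decoded from the leading <PRI>, as a receiver would."""
    pri = int(message[1:message.index(">")])
    return divmod(pri, 8)


class AlertForwarder:
    """Forward each alert_id once, so re-polling the same export does not re-alert the SIEM."""

    def __init__(self, send: Callable[[str], None]) -> None:
        self._send = send
        self._seen: set[str] = set()

    def forward(self, alerts: Iterable[dict]) -> int:
        sent = 0
        for alert in alerts:
            alert_id = alert.get("alert_id")
            if not alert_id or alert_id in self._seen:
                continue
            self._send(alert_to_syslog(alert))
            self._seen.add(alert_id)
            sent += 1
        return sent


def udp_sender(host: str, port: int = 514) -> Callable[[str], None]:
    """Plain UDP transport; prefer a TLS transport (RFC 5425) where the receiver supports it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(message: str) -> None:
        sock.sendto(message.encode("utf-8"), (host, port))

    return send


if __name__ == "__main__":
    received: list[str] = []
    # Swap received.append for udp_sender("siem.example.internal") to reach a real receiver.
    forwarder = AlertForwarder(received.append)
    print(forwarder.forward(SAMPLE_ALERTS), "forwarded,", forwarder.forward(SAMPLE_ALERTS), "on re-poll")
    for line in received:
        print(line)
```

The seen-ID set lives in memory here; a real forwarder persists it (or the last alert timestamp it polled) so a restart does not replay the whole export. The JSON body is kept alongside the structured-data element so a receiver such as QRadar or Microsoft Sentinel can parse the indexed fields from the SD element and still keep the full record for investigation.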