Meet the New Expander Technical Add-On for Splunk

At Expanse, we’re constantly looking to improve the experience of our customers by innovating on our core products, Expander and Behavior, and by providing integrations with other leading security and IT platforms. To deliver on this commitment, we’re excited to announce we’ve rolled out a new version of the Expander Technical Add-On (TA) for Splunk. This TA is an integration that makes it easier to incorporate data from Expander into your everyday workflows and enrich data from other sources within the Splunk interface.

We all know that organizations today are facing an explosion of Internet-connected assets. From IP addresses, to domains, to certificates, organizations must manage more Internet-connected assets than ever before. Simply setting up agents on endpoints and configuring a firewall isn’t enough anymore — you need continuous, outside-in visibility into your global Internet attack surface. Expanse was created to solve this problem. We provide you with a complete, continuous, and accurate inventory of all of your Internet-connected assets and services. 

With the Expander TA for Splunk, IT Operations teams can correlate data from Expander with other sources to prevent, predict, monitor, and remediate IT problems across all Internet-connected assets. And security teams can further operationalize data from Expander to manage security threats, including threats associated with assets they previously didn’t have visibility into. 

Additional use cases for the Expander TA for Splunk include:

  • Asset lifecycle management: Get a complete, current, and accurate inventory of all of your organization’s Internet-connected assets and services.
  • Attack surface reduction: You can quickly triage any potential security events because you get alerts when exposures appear and disappear.
  • Automatic remediation: Trigger orchestration workflows off of Expander findings for automatic remediation.
  • Enhanced event data: Enrich network assets inside Splunk with service, attribution, and ownership data from Expanse. 
  • Executive reporting: Provide easy-to-understand reports on attack surface reduction progress to executive stakeholders. 

[Screenshot: A sample dashboard of Internet-connected asset data served up in Splunk with the Expander TA.]

We’ve made several important improvements over the v1 release of the TA. These include:

  • Support for cloud: In addition to discovering and monitoring on-premises assets, you can now discover and monitor Internet-connected assets across all cloud providers from within Splunk.
  • Event feed: This new feed enables you to take action quickly whenever exposures appear or disappear. 
  • Enriched asset inventory information: You can now access a lookup table that enables you to easily reference Expander asset inventory information. 

If you use Expanse for Internet-wide visibility and Splunk as your SIEM, you’re going to want to check out the Expander TA for Splunk. Whether your IT Operations team needs to conduct a periodic asset audit or you need to feed exposure data to your vulnerability management team, the new TA brings together the best qualities of Expander and Splunk in a unified experience. 

We’ll be continuing to roll out new product experiences and integrations in the coming quarters. Stay tuned for more!