Expander Release 2.0 (December 2022) - Release Notes - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander Release Notes

Creation date
Last date published
Release Notes

New Cortex Xpanse Expander features and enhancements released in December 2022.

The table below describes the features and enhancements introduced in the Expander 2.0 release in December 2022.



Cortex Xpanse Active Response Module

The Cortex Xpanse Active Response module automates exposure remediation using out-of-the-box playbooks that run whenever a new alert is created. The playbook execution changes dynamically based on the details of the alert and the integrations that have been configured, and will potentially identify service owners, discover business context, send notifications, and in certain cases, fully remediate misconfigurations via control plane integrations.

At key points in the workflow, the playbook prompts you for input, enabling you to make remediation decisions while still getting the benefits of automation.

Fully automated remediation is available as an option only when the following conditions are met:

  • The AWS EC2 integration is configured.

  • The alert is associated with one of the following attack surface rules:

    • Insecure OpenSSH

    • RDP Server

  • The Asset associated with the alert is an AWS EC2 Instance

  • Service owner information was discovered through one of the following:

    • AWS IAM

    • ServiceNow CMDB

    • Tenable.io Assets

  • We find an indicator that the asset or service is a non-production service

    • We see the string "dev" in any of the tags associated with the asset in AWS or Tenable

See Active Response for Incidents in the Cortex Xpanse Expander User Guide for details.Active Response


The Active Response Module is available as a free community trial for Cortex Xpanse Expander customers until June 2023. Beginning in July 2023 it will become an add-on module that must be purchased.

Web Attack Surface Management

Web ASM continuously discovers and monitors insecure websites, web components, and technologies running on your managed and unmanaged web assets. Web ASM scans your public-facing websites, creating a continuously updated inventory of your web assets, including the server software and other technologies powering your web infrastructure.

The Web ASM Dashboard provides an ongoing view of your web attack surface enabling you to find insights around various areas of web risk and monitor your web resources at a high level and drill down into the details as needed.

See Websites in the Cortex Xpanse Expander User Guide for details.Websites

Enterprise Features

  • User Management—View user details, update user permissions, deactivate users, and hide users in the Expander UI.

  • Role-Based Access Control (RBAC)—Control user access to Expander components by assigning users a role with a specific set of permissions. Expander has a set of predefined roles or you can create custom roles.

  • Scope-Based Access Control (SBAC)—Control user access to data within Expander using tags as a scoping mechanism. SBAC works in conjunction with (RBAC) role-based access control, with RBAC controlling access to components (or screens) in Expander and SBAC controlling the data displayed on the screens.

  • Customizable Dashboards and Reports—Expander provides a set of out-of-the-box dashboards and reports, as well as the ability to create custom dashboards and reports using widgets from the extensive widget library.

  • Boolean Searches—Expander supports Boolean filtering of data on list view pages, such as the Asset Inventory, Incidents, Alerts, and others.

  • Saved Searches—Save and share the filters on list view pages.

Supported Integrations

The following integrations are supported in Expander 2.0:

  • AWS (pulls in cloud compute instances)

  • Azure (pulls in cloud compute instances)

  • GCP (pulls in cloud compute instances)

  • ServiceNow ITSM (push to ticketing system via the Active Response module)

  • ServiceNow CMDB (checks assets in the ServiceNow CMDB)

See Automation Integrations for information about how to install and configure integrations.Automation Integrations