Expander Release 2.2 (June 2023) - Release Notes - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander Release Notes

Creation date
Last date published
Release Notes

New Cortex Xpanse Expander features and enhancements in release 2.2 (June 2023).

The table below describes the features and enhancements introduced in the Expander 2.2 (June 2023) release.



Active Response Module Launch

The free community trial for the Active Response add-on module continues through the end of July 2023. Beginning August 1, customers must purchase an Active Response license in addition to the Expander license.

You can try out Active Response with a 60-day free trial that you activate from within Expander.

See Active Response License to activate your 60-day free trial. See Active Response for information about Active Response.

Active Response Enhancements

Active Response enhancements include the following:

  • Prisma Cloud integration for service owner identification.

  • Jira Cloud integration for ticket creation.

  • Automated remediation support for Mongo Server, PostgreSQL Server, MySql Server, and ElasticSearch Server.

See Active Response for information.

Remediation Confirmation Scanning for Active Response

Improved scan to validate the resolution of alerts . This scan utilizes the same payloads and global scanning infrastructure that was used for service discovery to ensure that the risk has been addressed.

Threat Response Center Enhancements

  • Reporting—You can now share information about global threat events directly from the Threat Response Center by downloading a PDF report from the threat event details page.

  • Trending charts—New trending charts enable you to track your progress in remediating alerts from global threat events.

See Threat Response Center in ASM in XSIAM for more information.Threat Response Center in ASM in XSIAM

Prisma Cloud Integration

Use the Prisma Cloud integration to Identify rogue cloud and shadow IT instances and bring unmanaged assets under management. Xpanse ingests cloud context from Prisma Cloud for Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft (MS) Azure, Alibaba Cloud, and Oracle Cloud Infrastructure.

See Ingest Cloud Resources from Prisma Cloud and Cloud Inventory for details.Cloud Inventory

Xpanse Security Rating

The Cortex Xpanse Security Rating represents the overall hygiene of your organization’s external-facing attack surface. The Security Rating Dashboard enables you to track your security rating over time, compare your rating to industry peers, and break down your security rating by geography, business unit, and hosting provider.

See Security Rating for details.Security Rating

Python Software Development Kit (SDK)

The new Python SDK consists of a collection of tools bundled together in a single, easy-to-install package. The SDK supports the following Expander functionality:

  • Asset Management

  • Incident Management

  • Tag Management

  • Attack Surface Rules

See Cortex Xpanse Python SDK for more information.

Expander API Enhancements

The following APIs were improved with additional fields and filter options:

  • Asset Management APIs

  • Alerts API

  • Incidents API

The following APIs were introduced in this release:

  • Tag Management APIs

  • Remediation Scanning APIs

  • Attack Surface Rules API

  • Get All Websites API

  • Get Website Details API

  • Get Websites Last Assessment

See the Cortex Xpanse API Reference for details.

Asset Tag Rules

Define custom tag rules that apply tags automatically to assets that match your rule criteria, including new assets that are attributed to your organization. Tag rules are supported for IP addresses and IP ranges, enabling you to define custom IP ranges.

See Asset Tagging for more information.

Asset Notes

Add notes to individual assets in Expander.

See Asset Notes for details.Asset Notes

Bulk edit attack surface rules

Enable or disable attack surface rules in bulk.

Improvements to the Inventory navigation

  • The Asset Inventory has been renamed Inventory.

  • The All Assets page was renamed Unified Inventory.

  • The Inventory navigation was reorganized to indicate more clearly which asset types are included on the Unified Inventory page.

  • Cloud Inventory, which include Cloud Compute Instances and Prisma Cloud Resources, was introduced.

Incident Risk Score Improvements

  • Risk scores for active incidents will be recalculated when a scoring rule is created or changed. The updated score will appear in Expander within a few hours.

  • Risk scores and risk explainers will now be available as part of the Incident API.

  • Additional options were introduced for creating risk scoring rules based on service information.

Configure Access Control in the Cortex Gateway

In the Cortex Gateway, you can view and manage permissions, role-based access control (RBAC), and user group settings across all Cortex products.

See the Cortex Gateway Administrator Guide for details.

Other Usability Enhancements

  • Domain-level filters were introduced.

  • IPv4 address filter that enables a CIDR/Range/Wildcard search.

  • Ability to download data in CSV format for most list-view pages in Expander.