Expander Release 2.4 (February 2024) - Release Notes - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander Release Notes

Creation date
Last date published
Release Notes

New Cortex Xpanse features and enhancements in release 2.4 (February 2024).

The table below describes the features and enhancements introduced in the Expander 2.4 (February 2024) release.



Attack Surface Testing (Closed Beta)

Cortex Xpanse can now confirm the presence of vulnerabilities through customer-authorized, benign Attack Surface Testing. Confirming or disproving the presence of a vulnerability allows Xpanse to prioritize risks with more precision and confidence. Attack surface tests are run daily on services exposed to the public internet and can be configured to automatically include new directly-discovered services. This narrows the automation gap between attackers and defenders and enables you to focus on the most impactful remediations.

This is available through a closed Beta. For more information, contact your CS representative.

User-defined IPv4 addresses and ranges

You can now define IPv4 addresses and IPv4 ranges for more granular business unit allocation.

MITRE ATT&CK filters

You can now filter alerts by MITRE ATT&CK Techniques and Tactics.

Incident and Alert PDF Exports

Export individual incidents and alerts in PDF format. These PDF reports contain the most relevant information for the specified incident or alert.

Advanced Playbook Configuration

Advanced Playbook Configuration enables you to customize the Active Response playbook to better fit your organization's requirements and preferences, including customization of the format and content of automated emails and ticket notifications. You also have the ability to associate the playbook with a JIRA project key.

Limit Access to Cortex Xpanse API

You can now limit Cortex Xpanse API access to a specific IP address or IP range by adding them to an Allow list.This ensures better data security and control while facilitating integration with third-party systems and applications.

In-App Help Center

Cortex Xpanse now includes context-specific, in-product documentation that helps you find information about new and existing features, reference material, and common workflows. While you're working in Expander, the documentation will launch relative to your current location in the product.

New pDNS data source

Cortex Xpanse added another pDNS source for subdomain enumeration. This enhancement will increase coverage for subdomains identified on customer networks.

Support for customer-provided IPv6 ranges

Cortex Xpanse supports scanning of customer-provided IPv6 ranges, which means that given an IPv6 range we will identify candidates in that range for scanning, continuously discover new likely targets within those ranges, and provide visibility into the services that are running on those hosts.

Performance improvements

  • The public APIs for fetching services, websites, IP ranges, alerts, and alert details have been made more efficient, improving the performance of these APIs by 70-90%.

  • Front end improvements were made to reduce the latency of loading the AUM widget and Threat Event details by 70-90%.

  • The Prisma Cloud connector now collects data four times per day, improving cloud attribution latency for ephemeral assets.

Active Response improvements

  • Enrichment for Active Directory, Azure Active Directory, and Venafi.

  • Expanded Prisma Cloud enrichment, which adds cloud trail and configuration log analysis to find users who may have modified an instance.

  • Ability to onboard Azure accounts via the top-level organization rather than tenant, which saves time.

Venafi TPP integration

Correlate certificates in the Expander inventory with those in Venafi TTP to help customers understand gaps in their certificate management.

Cortex Xpanse Link, Third-Party Assess, and MSSP on Expander v2

Cortex Xpanse Link, Third-Party Assessment, and Cortex Xpanse for MSSP are now supported on Expander v2, which includes Expander v2 features such as Threat Response Center and IPv6 support. For more information on these products, contact your Palo Alto Network sales representative.

New alert status

Cortex Xpanse has introduced a new alert status called Reopened. The Reopened status is applied to alerts that are observed after having been resolved with one of the following reopenable statuses:

  • Resolved - No Longer Observed

  • Resolved - Remediated Automatically

  • Resolved