Expander Release 2.5 (April 2024) - Release Notes - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander Release Notes

Creation date
Last date published
Release Notes

New Cortex Xpanse features and enhancements in release 2.5 (April 2024).

The table below describes the features and enhancements introduced in the Expander 2.5 (April 2024) release.



Attack Surface Testing (GA)

Cortex Xpanse can now confirm the presence of vulnerabilities through customer-authorized, benign Attack Surface Testing. Confirming or disproving the presence of a vulnerability allows Xpanse to prioritize risks with more precision and confidence. Attack surface tests are run daily on services exposed to the public internet and can be configured to automatically include new directly-discovered services. This narrows the automation gap between attackers and defenders and enables you to focus on the most impactful remediations.

ASN data

Gain additional context for investigating alerts with Autonomous System Number (ASN) data filters and details. Xpanse now supports filtering based on ASN data in the Inventory and provides ASN details on the details pane for IPv4 ranges and responsive IPs.

New incident and alert pivots

You can now pivot from an incident or alert to related alerts, services, and websites based on the associated IP address or domain.

New outbound integrations

  • Rapid7 InsightVM—This integration replicates Attack Surface Management (ASM) assets (IP addresses, domains) within Rapid7 to be used as scan targets.

Active Response enhancement

Building on the XDR enrichment added to Active Response in release 2.4, Cortex Xpanse now supports endpoint-based mitigation playbooks on some ASM alert types, giving defenders flexibility in how they respond to internet-exposed risks.

API Key with multiple roles

Create a single API key with multiple roles allowing you to use dynamic RBAC management, reduce administrative overhead, and improve security by minimizing key proliferation.

Custom incident and alert statuses and resolution types

To help align the incident and alert management process with your organization's security practices, you can now create custom statuses and custom resolution types.

New authentication controls

New authentication control options provide additional security features to help prevent security breaches.

  • Passwordless Authentication

    You now have the option to require non-password credentials for SSO authentication. If selected, this option requires users to choose intrinsically safer authentication factors, such as biometric authentication, to access Cortex Xpanse.

  • Force Authentication

    You now have the option to require users to reauthenticate to access the Cortex Xpanse tenant, even if they have already authenticated to access other applications.

Cortex Xpanse API updates

Following are some of the key updates to the Cortex Xpanse API.

The following endpoints were introduced:

  • Get Vulnerability Tests

  • Bulk Update Vulnerability Tests

  • Override Business Units for Assets

The following fields were added to the Get All Services response:

  • vulnerability test status

  • confirmed_vulnerable_cve_ids

  • confirmed_not_vulnerable_cve_ids

The Get Service Details endpoint will now return vulnerability test results from the last 14 days for all the service IDs provided. These results can be found in the vulnerability_test_results fields in the response.

The following fields were added to the Get All Assets response:

  • aws_cloud_tags

  • azure_cloud_tags

  • certificate_details

  • certificate_expiry_date

  • creation_time

  • date_added

  • extended_properties

  • external_ips

  • gcp_cloud_tags

  • geo_region

  • hierarchy

  • internal_ips

  • hierarchy,

  • open_ports

  • project_name

  • sub_region

  • vpc_name_id

The following filters were added to Get All Assets endpoint:

  • asm_id_list

  • aws_cloud_tags

  • gcs_cloud_tags

  • azure_cloud_tags

The following fields were added to the Get Asset Details response:

  • certificate_expiry_date

  • date_added