Expander Release 2.6 (June 2024) - Release Notes - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander Release Notes

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-21
Last date published: 2025-01-15
Category: Release Notes
Solution: Cloud

Abstract

New Cortex Xpanse features and enhancements in release 2.6 (June 2024).

The table below describes the features and enhancements introduced in the Expander 2.6 (June 2024) release.

Note

Cortex Xpanse typically upgrades customers over a three-week time frame. Contact customer success to find out your specific upgrade date.

Feature: Inventory Tag Rules

Description: Automate the tagging of assets with Inventory Tag Rules (formerly called asset tag rules). Inventory Tag Rules enable you to define custom tags and custom rules for assigning tags automatically to IPv4 addresses, domains, certificates, and Prisma Cloud resources.

Feature: New Inventory Fields

Description: Gain additional context for investigating assets with new domain and certificate identifier fields that have been added to the Inventory.

Feature: New Alerts Fields

Description: New fields have been added to the Alerts table to help you investigate and remediate alerts more easily, including Remediation Guidance and Certificate Subject Organization.

Feature: Cortex Xpanse API updates

Description: New and updated API endpoints:

  • Override Business Units for Assets

  • Create User Defined IP Ranges (with tags)

  • Delete Unused Asset Tags

Feature: Threat Reports

Description: You can now generate reports on new zero-day threats and impacted assets per business unit. These reports highlight the problem, provide remediation recommendations, and list affected assets in the selected business unit.

Feature: SBAC Support for the Threat Response Center

Description: The Threat Response Center now works with scope-based access control (SBAC), which means that scoped users will see all the widgets in the Threat Response Center.

Feature: Active Response Improvements

Description:

Notifications:

  • You can now set up Slack notifications for newly discovered ASM risks.

Remediation:

  • You can now automate remediation for select attack surface rules via patching for Linux (Ubuntu only) through AWS Systems Manager.

Feature: Cortex Xpanse XSOAR pack enhancements

Description: Enhancements to the Cortex Xpanse pack for Cortex XSOAR include:

  • New Xpanse Expander v2 Feed integration

  • New XSOAR layout for Xpanse alerts

  • Indicator extraction support

  • Added new 'Reopened' status for alert fetching

  • Various updates to ASM integration commands

Feature: Some high-impact attack surface rules will be enabled for all customers

Description: Cortex Xpanse will enable additional attack surface rules for all customers during the Expander 2.6 upgrade. Many of the rules to be enabled relate to the Internet of Things (IoT) and operational technology (OT), in addition to other impactful but uncommon rules. Because these applications are rarely exposed on the public internet, we anticipate that this change will have minimal impact for most customers while providing faster visibility into critical risks.

Additionally, the Insecure PHP rule will be disabled by default.

These rule changes will not override any customer-applied changes to the enablement status or severity of attack surface rules.