Cortex Xpanse attack surface rules can be customized for your organization's specific needs and priorities.
An attack surface rule is a definition managed by Cortex Xpanse that is used to identify risks in an attack surface. It defines what Xpanse is looking for and the associated risk. Xpanse creates an alert when it detects an instance of that rule. For example, Insecure Apache Web Server could be a rule that looks for any instances of Apache with a detected version earlier than 2.30.1, so if Xpanse sees any services that are running an earlier version, Xpanse creates a new alert.
The Attack Surface Rules page ( → ) displays a table view of all the attack surface rules along with key information about each rule. The following table describes each field.
Field | Description |
---|---|
ASM Alert Categories | A categorization done by the Xpanse security research team, often with input from customers or in reference to published materials such as BOD-22-01 or BOD-23-02 from CISA. |
Description | Description of what the attack surface rule is looking for. |
Estimated Alert Count | Estimated number of alerts that Xpanse will create if this attack surface rule is enabled. |
Has Remediation Rule | Indicates whether a remediation path rule has been created for this attack surface rule. Applies only to systems with the Active Response addon module. |
Modified | Date of the most recent update to the attack surface rule. |
Remediation Guidance | Guidance on how to remediate or mitigate the alerts created by this attack surface rule. |
Rule ID | ID for this attack surface rule. |
Rule Name | Name of the attack surface rule. |
Severity | Severity of the risk identified by the attack surface rule. Alerts are created with the same severity as the attack surface rule that triggered them. See Default attack surface rule severity for default severity settings. |
Status | Enabled or Disabled. An enabled attack surface rule creates an alert when it detects an instance of that rule. See Default attack surface rule enablement status for details about the default enablement status. |
There are over 700 attack surface rules, with new rules added frequently. To identify new and recently modified attack surface rules, sort the Attack Surface Rules table by the Modified column.
To request a new attack surface rule, contact your Customer Success representative.
Manage attack surface rules
On the Attack Surface Rules page you can enable or disable rules and change the severity to align with your organization’s specific needs and priorities.
Navigate to → . Select one or more rules and right-click to perform one of the following actions:
Enable or Disable the rule—Some rules are enabled by default, but many are designed to be opt-in.
Change the default Severity of the rule—All attack surface rules have a predefined default Severity of Low, Medium, or High. Critical is never a predefined default, but you can set a rule's Severity to Critical.
When you first enable an attack surface rule, you can expect to see new alerts within 24 hours if any instances of that rule are detected on your attack surface. When you disable an attack surface rule, Cortex Xpanse will stop creating new alerts based on that rule, but any existing open alerts will remain open until you change the status.
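To make the rule semantics above concrete, here is an added Python model (not Xpanse code and not its API) of a version-check rule like the Apache example: alerts inherit the rule's severity, versions are compared numerically rather than as strings, and a disabled rule creates no new alerts while already-open alerts persist. All rule IDs, hosts and versions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Service:
    host: str
    product: str
    version: str

@dataclass
class AttackSurfaceRule:
    rule_id: str
    name: str
    severity: str                       # Low, Medium, High or Critical
    enabled: bool
    matches: Callable[[Service], bool]  # what the rule is looking for

@dataclass
class Alert:
    rule_id: str
    host: str
    severity: str        # copied from the rule that triggered it
    status: str = "open"

def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric comparison: 2.4.9 < 2.30.1, which a plain string compare gets wrong."""
    return tuple(int(p) for p in v.split("."))

def insecure_apache(svc: Service) -> bool:
    """Constructed rule predicate: Apache older than 2.30.1 (the page's example threshold)."""
    return svc.product == "apache" and version_tuple(svc.version) < version_tuple("2.30.1")

def evaluate(rules: List[AttackSurfaceRule], services: List[Service], existing: List[Alert]) -> List[Alert]:
    """One alert per (rule, host) for enabled rules; existing open alerts are left untouched."""
    alerts = list(existing)
    seen = {(a.rule_id, a.host) for a in existing}
    for rule in rules:
        if not rule.enabled:
            continue  # disabled: no new alerts, but nothing already open is closed here
        for svc in services:
            if rule.matches(svc) and (rule.rule_id, svc.host) not in seen:
                alerts.append(Alert(rule.rule_id, svc.host, rule.severity))
                seen.add((rule.rule_id, svc.host))
    return alerts

def demo() -> Tuple[List[Alert], List[Alert]]:
    """Constructed scenario: evaluate once enabled, then again after disabling the rule."""
    rule = AttackSurfaceRule("RULE-EXAMPLE-1", "Insecure Apache Web Server", "High", True, insecure_apache)
    services = [Service("a.example.com", "apache", "2.4.9"),
                Service("b.example.com", "apache", "2.30.1"),
                Service("c.example.com", "nginx", "1.25.0")]
    first = evaluate([rule], services, [])
    rule.enabled = False
    services.append(Service("d.example.com", "apache", "2.2.0"))  # would match, but rule is off
    return first, evaluate([rule], services, first)
```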