Enhancing Critical Risk Detection with Cortex Xpanse Attack Surface Rules




This blog was written by Andrew Scott and published on June 30, 2024.



Organizations are constantly scaling their IT infrastructure to meet the demands of cloud and hybrid work, but this acceleration also leads to unintended growth in their attack surface.


According to our latest research, attackers successfully exploited some of the latest critical vulnerabilities and exposures within hours of their disclosure.


Attackers are using automation to actively find the path of least resistance, while security teams are still struggling to inventory all their internet-facing assets and identify potential security risks across on-prem and cloud. To help defenders fight back effectively, Cortex Xpanse has continuously evolved its industry-leading attack surface management (ASM) product.


Today, we are announcing an expansion to our Attack Surface Rules, which help customers automatically find their critical exposures and risks. In our latest announcement, we delivered our 800th attack surface rule for our customers using Expander and the ASM Module in XSIAM.


Attack Surface Rules allow for the identification of risks on an organization's internet-facing attack surface. Our attack surface rules library consists of numerous rule categories, such as:


  • Insecure detections, which indicate a vulnerability due to an observed version or configuration of a service
  • Unsafe protocol and service detections, including unencrypted protocols like Telnet and FTP, exposed database servers, and unintentionally revealed admin interfaces
  • Rules to detect and alert on exposed IoT devices, embedded devices, and operational technology (OT)
  • Certificate and cryptographic hygiene enumeration
  • Common web application weaknesses
  • And more


As a part of this release, the Cortex product and research teams have conducted a thorough review of all existing attack surface rules to ensure that no critical threat goes unsurfaced. As a result, we will adjust the default enablement status of many rules and update our operational guidance.


In July, we plan to approximately double the number of attack surface rules that are enabled by default. Our updated criteria for the default-enabled rule set include:


  • All High-severity rules that are not considered noisy. Example: Insecure Jenkins Server
  • All Medium-severity rules that are uncommon and significant. Example: SAP Employee Self-Service Portal
  • All OT- and IoT-related rules for devices that are not typically exposed to the internet but are actionable if accidentally accessible. Example: Schneider Electric Modicon MC80 PLC


This new methodology aims to ensure that customers do not miss any critical findings due to a disabled rule. Our analysis indicates that enabling these low-volume but high-criticality rules will have no downsides. However, missing these crucial misconfigured exposures could be disastrous for organizations. Since we have observed a low prevalence of the majority of these risks on the public internet, we expect this change to have minimal, if any, impact on most customers.


Current users of Expander or the ASM Module in XSIAM who have made changes to their attack surface rules configuration will not have their changes overwritten by this update. Additionally, our 2.6 release includes several other improvements, such as automated inventory tag rules, additional inventory fields, new active response enhancements, an updated API, and more.


What’s New in Cortex Xpanse 2.6?


  • Inventory Tag Rules: Automate the tagging of assets with Inventory Tag Rules (formerly called asset tag rules). These rules enable you to define custom tags and custom rules for automatically assigning tags to IPv4 addresses, IPv4 ranges, domains, certificates, and Prisma Cloud resources.
  • Auto-patching with Active Response: Automatically patch insecure OpenSSH via AWS Systems Manager.
  • New Inventory Fields: Gain additional context for investigating assets with new fields that have been added to tables in the inventory, including domain registrant organization, domain admin organization, certificate expiry date, and certificate hash.
  • New Alerts Fields: Easily investigate and remediate alerts with remediation guidance and certificate subject organization.
  • Cortex Xpanse API Updates: Create custom IPv4 ranges and reassign assets to different business units using new API improvements.
  • Threat Response Center Enhancements: Expander's threat response center is getting several styling and quality-of-life enhancements, including SBAC support. The Threat Response Center will also be available within the ASM Module in XSIAM.


To learn more about these new capabilities and features, please see the Cortex Xpanse 2.6 Release Notes or contact your Customer Support Team.
