Cortex Xpanse

Wizards

Xpanse Attack Surface Management

Fixed an issue where the Cortex Xpanse pack was mentioned as a mandatory pack during the installation.

Wizards

New: Xpanse Attack Surface Management

• New: Welcome to the Deployment Wizard! These steps will guide you through configuring your content pack so you'll have a working use case when the wizard finishes. Make sure to follow the steps in order, you can always continue the wizard where you left off. Learn more about this pack’s deployment in the "Cortex XSOAR Administrator Guide" -> "Set up Your Use Case with the Deployment Wizard".

Integrations

Cortex Xpanse

• Added the Search Limit parameter to set a specific default search limit for commands returning a list of objects. For example: asm-list-external-service, asm-list-external-ip-address-range, asm-list-asset-internet-exposure and asm-list-attack-surface-rule commands.

Integrations

Cortex Xpanse

Updated the fetch logic to no longer contain a one hour offset.

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.13.87159.

Integrations

Cortex Xpanse

Added the asm-list-external-websites command to get a list of the external websites assets.

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.13.84405.

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.13.83255.

Integrations

Cortex Xpanse

Breaking Change: Attack surface rule command changed from asm-list-attack-surface-rules to asm-get-attack-surface-rules.

Integrations

Cortex Xpanse

Added a new argument for asm-list-alerts command.

Integrations

Cortex Xpanse

• Updated the Cortex Xpanse integration to add the following commands:
  • asm-get-incident
  • ip
  • domain
• Updated the asm-list-asset-internet-exposure command to support pagination.

Integrations

Cortex Xpanse

• Added an explanation to only use the standard API key (not the advanced one).
• Updated the Docker image to: demisto/python3:3.10.13.75921.

Incident Fields

• Xpanse Tags
  Updated the field to be searchable.

• Xpanse Provider
  Updated the field to be searchable and to not be scoped to all incident types.

Integrations

Cortex Xpanse

• Updated the default classifier and incoming mapper for the integration.

Mappers

Xpanse - Incoming Mapper

• Updated the targets for several fields for improved accuracy and formatting.

Integrations

Cortex Xpanse

• Fixed an issue in the arguments for asm-list-alerts.
• Updated the Docker image to: demisto/python3:3.10.13.72123.

Mappers

Xpanse - Incoming Mapper

• Updated the mapping for tags.

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.12.68714.

Integrations

Cortex Xpanse

Updated the Cortex Xpanse integration to add the following commands:

• asm-update-alerts

Incident Fields

Updated the following incident fields to provide improved tracking of Cortex Xpanse details:

• Xpanse Asset IDs
• Xpanse Business Units
• Xpanse Country Code
• Xpanse Remediation Guidance
• Xpanse Description

Integrations

Cortex Xpanse

Updated the Cortex Xpanse integration to add the following commands:

• asm-list-attack-surface-rules
• asm-tag-asset-assign
• asm-tag-asset-remove
• asm-tag-range-assign
• asm-tag-range-remove
• asm-list-incidents
• asm-update-incident
• Updated the Docker image to: demisto/python3:3.10.12.66339.

Layouts

• Xpanse Alert Layout
  Updated the Cortex Xpanse alert layout to include several new fields.

Mappers

Xpanse - Incoming Mapper

Updated the mapper to include several new fields:

• Xpanse Asset IDs
• Xpanse Business Units
• Xpanse Country Code
• Xpanse Remediation Guidance
• Xpanse Description

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.12.63474.

Dashboards

New: Cortex Xpanse Overview Dashboard

Added a dashboard that provides a high level view of incidents from Cortex Xpanse.

Incident Fields

Updated the following incident fields to provide improved tracking of Cortex Xpanse details:

• Xpanse Protocol
• Xpanse Service Validation
• Xpanse Service ID
• Xpanse Provider
• Xpanse Service Classifications

Incident Types

• Xpanse Alert
  Added a new default playbook was added to a new version of the base incident type.

Layouts

• Xpanse Alert Layout
  Updated the Cortex Xpanse alert layout to include several new fields.

Playbooks

New: Xpanse - Alert Enrichment

Added a new playbook with additional enrichment via cloud service providers and other applicable IT and security tools.

New: Xpanse - Alert Handler

Added a default alert handling playbook for Cortex Xpanse alerts.

New: Xpanse - NMap - Detect Service

Added a new playbook that looks at what ASM sub-type the alert is and uses NMap to do a validation scan.

New: Xpanse - Alert Self-Enrichment

Added a new enrichment playbook on the alert itself using Cortex Xpanse APIs.

Widgets

New: Xpanse Incidents by Provider

Added a new widget that includes provider names for all Cortex Xpanse incidents.

New: Xpanse Problematic IPs

Added a new widget that highlights the most common IPs involved in Cortex Xpanse incidents.

New: Xpanse Incident Count by Business Unit

Added a new widget that highlights the most common business units involved in Cortex Xpanse incidents.

New: Unassigned Active Xpanse Incidents

Added a new widget that includes the number of active Cortex Xpanse incidents without an assignee.

New: Assigned Active Xpanse Incidents

Added a new widget that includes the number of active Cortex Xpanse incidents with an assignee.

New: Exposed Ports in Xpanse Incidents

Added a new widget that highlights the most common Cortex Xpanse incidents by port.

New: Xpanse Incidents by Protocol

Added a new widget that highlights the most common Cortex Xpanse incidents by protocol.

New: New Xpanse High & Critical Incidents

Added a new widget that includes a timeline view of new high and critical severity Cortex Xpanse incidents.

Integrations

Cortex Xpanse

• Updated the Docker image to: demisto/python3:3.10.11.54132.