Cortex Xpanse

The Cortex Xpanse pack is supported by Cortex Xpanse Active ASM.

Cortex Xpanse Active ASM is the best in class External Attack Surface Management solutions that strive to proactively reduce the frequency and severity of security incidents caused by internet-exposed risks. These solutions deliver comprehensive attack surface visibility by combining thorough, ML enhanced asset attribution with continuous attack surface assessment. Discovered risks are prioritized using contextual information and exploitability data, and findings are actioned on through curated automated playbooks to investigate, remediate, and summarize every new alert.

Note: This pack supports Cortex Xpanse Active ASM which may also be referred to as Expander v2 or using it's major.minor version, i.e. Expander 2.X.

What does this pack do?

This pack contains an integration for fetching ASM alerts from Cortex Xpanse Active ASM.

Xpanse Overview Dashboard

Playbooks

Expanse - Alert Handler

This playbook is the default handler for Cortex Xpanse alerts that focuses primarily on enrichment.
Xpanse - Alert Handler

Expanse - Alert Enrichment

This playbook handles ASM alerts by enriching asset information via integrations with Cloud Service Providers and other IT and Security tools.
Xpanse - Alert Enrichment

Expanse - Alert Self-Enrichment

This playbook handles ASM alerts by enriching alert information with Xpanse service and asset details.
Xpanse - Alert Self-Enrichment

Expanse - NMap - Detect Service

This playbook confirms the observability of a risk by running a quick port scan using NMap.
Xpanse - NMap - Detect Service

Name	Description
Xpanse - Classifier
Xpanse - Incoming Mapper	Mapper for Xpanse Alerts

Name	Description
Cortex Xpanse Overview Dashboard

Name	Description
Xpanse Attack Surface Rule Name	Attack Surface Rule Name
Xpanse Country Code	Country associated with Xpanse Alert
Xpanse Remediation Guidance	Guidance for responding to Xpanse Alerts
Xpanse Service Details	Service Details
Xpanse Service Validation
Xpanse Domain Asset	Domain Asset Details
Xpanse Responsive IP Asset	Responsive IP Asset Details
Xpanse Service Classifications	Xpanse Service Classifications
Xpanse Progress Status
Xpanse Protocol	Xpanse Protocol
Xpanse IP
Xpanse Business Units
Xpanse Provider	Xpanse Provider
Xpanse Category
Xpanse Cloud Asset	Cloud Asset Details
Xpanse Certificate Asset	Certificate Asset Details
Xpanse Asset IDs
Xpanse Host Name
Xpanse Port
Xpanse Tags
Xpanse Alert ID
Xpanse Service ID	Xpanse Service ID
Xpanse External ID
Xpanse Description

Name	Description
Xpanse Alert

Name	Description
Cortex Xpanse	Integration to pull assets and other ASM related information.
Xpanse Feed	Use this feed to retrieve the discovered IPs/domains/certificates from the Cortex Xpanse asset database.

Name	Description
Xpanse Alert Layout

Name	Description
Xpanse - Alert Self-Enrichment	Enrichment on the alert itself using Cortex Xpanse APIs.
Xpanse - Alert Enrichment	Additional enrichment via cloud service providers and other applicable IT and security tools.
Xpanse - NMap - Detect Service	Playbook that uses NMap to do a validation scan.
Xpanse - Alert Handler	Default alert handling for Cortex Xpanse alerts.

Name	Description
Assigned Active Xpanse Incidents
New Xpanse High & Critical Incidents
Xpanse Incidents by Provider
Unassigned Active Xpanse Incidents
Xpanse Problematic IPs
Xpanse Incident Count by Business Unit
Exposed Ports in Xpanse Incidents
Xpanse Incidents by Protocol

Name	Description
Xpanse Attack Surface Management	Welcome to the Deployment Wizard! These steps will guide you through configuring your content pack so you'll have a working use case when the wizard finishes. Make sure to follow the steps in order, you can always continue the wizard where you left off. Learn more about this pack’s deployment in the "Cortex XSOAR Administrator Guide" -> "Set up Your Use Case with the Deployment Wizard".

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Pack Name	Pack By
AWS Enrichment and Remediation	By: Cortex XSOAR
Azure Enrichment and Remediation	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
GCP Enrichment and Remediation	By: Cortex XSOAR
Nmap	By: Cortex XSOAR

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

Incident Fields

Xpanse Remediation Guidance
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Provider
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Alert ID
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Service Validation
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Protocol
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Category
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Cloud Asset
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Service Classifications
Allows the field to be searchable and usable for dashboard graphs.
Xpanse External ID
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Host Name
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Responsive IP Asset
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Country Code
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Service ID
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Business Units
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Certificate Asset
Allows the field to be searchable and usable for dashboard graphs.
Xpanse IP
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Service Details
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Attack Surface Rule Name
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Asset IDs
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Domain Asset
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Description
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Progress Status
Allows the field to be searchable and usable for dashboard graphs.
Xpanse Port
Allows the field to be searchable and usable for dashboard graphs.

Integrations

Added support for looking back and paging for fetching Cortex Xpanse alerts. This helps customers who have a high throughput of alerts in Cortex XSOAR.
Added a new command asm-reset-last-run to reset the fetch incidents commands last run value.

Certification	Certified	Read more
Supported By	Cortex
Created	January 26, 2023
Last Release	November 3, 2025

Cortex Xpanse

What does this pack do?

Playbooks

Expanse - Alert Handler

Expanse - Alert Enrichment

Expanse - Alert Self-Enrichment

Expanse - NMap - Detect Service

Integrations

Cortex Xpanse

Xpanse Feed

Playbooks

Xpanse - Alert Self-Enrichment

Playbooks

Xpanse - Alert Self-Enrichment

Integrations

Cortex Xpanse

Integrations

Cortex Xpanse

Integrations

Xpanse Feed

Integrations

Xpanse Feed

Integrations

Xpanse Feed

Cortex Xpanse

Integrations

Xpanse Feed

Cortex Xpanse

Integrations

Cortex Xpanse

Integrations

Cortex Xpanse

Integrations

Cortex Xpanse

Xpanse Feed

Integrations

Cortex Xpanse

Incident Fields

Integrations

Cortex Xpanse

Incident Fields

Incident Types

Playbooks

Xpanse - Alert Self-Enrichment

Xpanse - Alert Handler

Integrations

Cortex Xpanse

Integrations

Xpanse Feed

Incident Fields

Layouts

Mappers

Xpanse - Incoming Mapper

Playbooks

Xpanse - Alert Self-Enrichment

Xpanse - Alert Handler

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER