
Cortex® Xpanse™ User Guide

docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentaon


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
October 3, 2022

Cortex® Xpanse™ User Guide 2 ©2022 Palo Alto Networks, Inc.


Table of Contents
Cortex® Xpanse™ Overview........................................................................... 5
Cortex® Xpanse™........................................................................................................................6
Cortex Xpanse Products............................................................................................................ 7
Account Access............................................................................................................................ 8
Expander Access...............................................................................................................8
User Management............................................................................................................ 8
Change Your Password.................................................................................................13
Noficaon Configuraon.......................................................................................................14
Cortex Xpanse Product Policies.............................................................................................15
API Use Policy................................................................................................................ 15
Data Retenon Policy................................................................................................... 15
Cortex Xpanse Product Security................................................................................ 16
Browser Support Policy................................................................................................16

Cortex® Xpanse™ Expander......................................................................... 17


Expander Overview...................................................................................................................18
What is Expander?........................................................................................................ 18
Who is Expander for?...................................................................................................18
Why is Expander valuable?......................................................................................... 18
Expander High-Level Functionality............................................................................19
Assets........................................................................................................................................... 20
Asset Inventory and Asset Type List Views............................................................ 20
Search and Filter Assets...............................................................................................21
Annotaons..................................................................................................................... 23
Exporng Data................................................................................................................26
Create a Custom IP Range.......................................................................................... 26
Assets Detail View.........................................................................................................27
Assets API........................................................................................................................32
Issues............................................................................................................................................ 33
Issue Data Structure......................................................................................................33
Issues API.........................................................................................................................34
Requesng Changes to Your Organizaon's Issue Policies..................................34
List View...........................................................................................................................34
Issues Detail View......................................................................................................... 39
Email Digests...................................................................................................................41
Remediaon Playbook.................................................................................................. 42
Services........................................................................................................................................ 45
Services Concepts..........................................................................................................45


Services vs Issues...........................................................................................................47
Services Feature Walkthrough....................................................................................47
Inferred CVEs..................................................................................................................51
Dashboards..................................................................................................................................56
Cortex Xpanse Home Page......................................................................................... 56
Issues Overview Dashboard........................................................................................65
Aack Surface Overview Dashboard........................................................................67
Unmanaged Cloud Overview Dashboard.................................................................71
Compliance Assessments Dashboard........................................................................73
Remote Aack Surface Overview........................................................................... 100
Reports.......................................................................................................................................107
Network Mapping................................................................................................................... 108
How are assets attributed to your organization?................................................ 108
How can you contest assets?...................................................................................108
Human-in-the-Loop.....................................................................................................108
Data............................................................................................................................................ 110
Scanning.........................................................................................................................110
Known Assets Monitoring.........................................................................................110
Ports and Protocols.....................................................................................................111
GeoIP Collecon..........................................................................................................111
IP Registraon Records..............................................................................................112
Cerficates.................................................................................................................... 112
Domains......................................................................................................................... 112
CSV Export............................................................................................................................... 113
APIs and Integraons.............................................................................................................114

Cortex® Xpanse™ APIs and Integrations................................................ 115


Expander APIs and Integrations.......................................................................................... 116
Expander APIs.............................................................................................................. 116
Integrations................................................................................................................... 121
AWS Cloud Connector...............................................................................................136
Prisma Cloud API Connectors.................................................................................. 137
Cortex XDR API Connector...................................................................................... 145
GlobalProtect API Connector................................................................................... 147

Support............................................................................................................. 149
Contact Support...................................................................................................................... 150

Glossary............................................................................................................151
Glossary Terms.........................................................................................................................152



Cortex® Xpanse™ Overview
> Cortex® Xpanse™
> Cortex Xpanse Products
> Account Access
> Noficaon Configuraon
> Cortex Xpanse Product Policies


Cortex® Xpanse™
Cortex® Xpanse™ is an attack surface management platform that collects and correlates active and passive information about every device and service connected to the public Internet. Using this information, Cortex Xpanse attributes assets to specific organizations, identifying weaknesses in your organization's known infrastructure and helping you discover and protect previously unknown Internet-connected systems. Cortex Xpanse is agentless and SaaS-based, requiring zero hardware or software installation to provide you with a comprehensive view of all of your internet-connected assets. Cortex Xpanse provides four key modules that enable organizations to track and secure their internet-facing assets and infrastructure.
• Assets—The Assets module provides an inventory of all internet assets that Expanse has attributed to an organization, including their IP ranges, certificates, domains, and cloud resources.
• Services—The Services module provides an inventory of all software and services that are connected to the public-facing internet, including observable details about software versions, configurations, and framework technologies.
• Issues—The Issues module and the flexible Policy Engine identify security and configuration problems within an organization's Assets and Services, providing a workflow where analysts can investigate, prioritize, track their efforts to remediate outstanding problems, and independently confirm they have been corrected.
• Dashboards—The Dashboards module provides reporting on the current and historical state of an organization's Assets, Services, and Issues, giving insight into trends and helping leaders identify key topics and business units to focus on to improve the security posture of their organization.


Cortex Xpanse Products


Cortex® Xpanse™ consists of the following products:
• Expander—Software-as-a-service (SaaS) web application and series of APIs that continuously discover and monitor your on-prem and cloud assets across the internet. Integration with Cortex XSOAR, Cortex XDR, Prisma Cloud, and other workflow products like SIEMs and ITSMs allows our attack surface management (ASM) findings to enhance security workflows and secure unknown, unmanaged risks on your cloud attack surface.
• Link—SaaS web application that continuously identifies internet assets, risky services, or misconfigurations in third parties to help secure a supply chain or identify risk for M&A due diligence. For more information on Link, contact your Cortex Xpanse representative.
• Assess—SaaS web application that provides a comprehensive, point-in-time assessment of your organization's attack surface. Provides the ability to run a new assessment to update the data, as needed. APIs and integrations are not included with Assess.
• Third Party Assess—SaaS web application that provides a comprehensive, point-in-time assessment of a third party's internet assets, risky services, or misconfigurations to help secure a supply chain or identify risk for M&A due diligence.


Account Access
• Expander Access
• User Management
• Change Your Password

Expander Access
To get your inial Cortex® Xpanse™ Expander account access, work through your CSM to create
your unique log-in.
You can access your Expander account at our website. When you connect for the first me, you
will be prompted to change your password.

User Management
Cortex Xpanse supports self-service user management, which enables you to add new users, remove users, and change the permissions of existing users in Expander. Existing Expander users, who were added to the system before self-service user management was introduced, will also appear in the User Management user list and can be edited or removed as needed.
You must have Manage Users permission on your own account before you can access the User Management pane in Expander. The following sections provide more information about self-service user management:
• Add New Users
• Change User Permissions
• Delete Users

Add New Users


Cortex Xpanse enables you to add and manage users yourself in the Expander web application. You must have Manage Users permission on your own user account in order to add new users.
If you use a 3rd-party single sign-on (SSO) application (for example, Okta) along with Cortex Xpanse, you will have to set up new users in the SSO application before they will be able to log in to Cortex Xpanse Expander.


STEP 1 | In Cortex Xpanse Expander click the Sengs icon ( ) and then select User Management.

STEP 2 | In the User Management window, click Create user.


The Create User window opens.

STEP 3 | Enter the email address for the new user.

STEP 4 | Set the permissions for the user.


• Manage users—Permits a user to add users, delete users, and change user permissions.
• Edit policy management settings—Permits a user to edit the policy settings on the Policies tab.
• Create client credentials—Permits a user to create and revoke their own client credentials. See Expander APIs for more information.
• Admin client credentials—Permits a user to view and revoke client credentials for all users in their group.


STEP 5 | Click Create User.


An email will be sent to the user requesting that they log in and reset their password. The new user will appear in the user list with the status Pending Password Reset until the password is reset.
If you use 3rd-party SSO, the new user will not receive an email, but they will appear in the user list with the status Pending SSO First Login until they log into Expander with their SSO credentials.

STEP 6 | If you want to resend the password reset email to a new user in the Pending Password Reset state, click the ellipsis icon associated with the user in the user list and select Resend Email.
Once the user has reset their password or logged in using their 3rd-party SSO, their email will appear in the user list with the status Active.

Change User Permissions


Cortex Xpanse enables you to change user permissions and delete users through the web application. You must have Manage Users permission on your own user account in order to access the User Management window.
STEP 1 | In Cortex Xpanse Expander, click the Settings icon and then select User Management. The list of users will display.

STEP 2 | To change a user's permissions, click the ellipsis icon associated with the user you want to edit and select Edit User.


STEP 3 | Edit the permissions for the user.

• Manage users—Permits a user to add users, delete users, and change user permissions.
• Edit policy management settings—Permits a user to edit the policy settings on the Policies tab.
• Create client credentials—Permits a user to create and revoke their own client credentials. See Expander APIs for more information.
• Admin client credentials—Permits a user to view and revoke client credentials for all users in their group.
Changes to permission settings take effect immediately.

STEP 4 | To delete the user from the system, click Delete User.
Delete User takes effect immediately, and the user will no longer be able to log in.

Delete Users
Cortex Xpanse enables you to delete Expander users in your organization. You must have Manage Users permission on your own user account in order to delete users.


STEP 1 | In Cortex Xpanse Expander click the Sengs icon ( ) and then select User Management.

STEP 2 | Select the checkboxes for the users you want to delete.

STEP 3 | Click Delete User, and then in the pop-up window click Delete to confirm.

You can also delete a user by clicking the ellipsis icon associated with that user in the user list and selecting Delete User.

Deleting a user will not delete their client credentials. Client credentials will continue to work until they have been revoked by a user with Admin Client Credentials permission. See Revoke Client Credentials for more information.


Change Your Password


When logging into your Cortex® Xpanse™ account, there is an option on the login screen that says Don't remember your password?. Use this link to get an automatic password reset link.


Noficaon Configuraon
Cortex® Xpanse™ Expander automacally sends emails based on appearance and disappearance
triggers. To enable this feature, select Sengs > Noficaon Configuraon. You are able to set:
• Exposure changes—Appearance or Disappearance.
• Frequency—Daily, Weekly, Monthly.
• Filters—Business Units and On-Prem Exposure Types.


Cortex Xpanse Product Policies


• API Use Policy
• Seat Limit Policy
• Data Retenon Policy
• Cortex Xpanse Product Security
• Browser Support Policy

API Use Policy


The Cortex® Xpanse™ Expander API provides customers with flexibility in how they use, consume, and store the data Cortex Xpanse makes available to them. In order to maintain consistency of the API's performance across Cortex Xpanse's customer base, we reserve the right to rate limit a customer's API calls and/or throughput. If you have any concerns about API performance or you require additional bandwidth, contact your Technical Account Manager.

Data Retenon Policy


• Inial Data Load—At the start of a subscripon, Cortex® Xpanse™ provides customers
with six months of historical data in the customer’s Cortex Xpanse account regarding the
customer’s idenfied exposures (except with respect to cloud-based exposures, for which
Cortex Xpanse can only provide thirty days of historical data upon the inial idenficaon of
those exposures). Similarly, as new events or newly idenfied address ranges are discovered
during the subscripon, Cortex Xpanse provides customers with six months of historical
exposure data from the date the range was added to Cortex Xpanse.
• Ongoing Data Retenon—Going forward, Cortex Xpanse stores up to 18 months of
informaon in the customer’s Cortex Xpanse account for on-premise exposures and up to
1 month of informaon for their cloud exposures. Detailed data will be removed aer that
me, though some metrics and reporng can be preserved. Cortex Xpanse reserves the right
to remove data sooner than 18 months depending on the size of a customer’s network. The
table below provides examples of the amount of on-premise data available in Cortex Xpanse at
different mes during a subscripon:

Subscripon Time Data Available

0 – 1 month 6 months

6 months 12 months

12 months 18 months

24 months 18 months

You can store the detailed data longer by pulling this informaon via Cortex Xpanse Expander’s
APIs and storing the data themselves.


Cortex Xpanse Product Security


Cortex® Xpanse™ defines your public internet attack surface and tells you what you need to do to minimize risk. You'll know what to do first, how to fix it, and what it means to your organization. To keep your information safe, Cortex Xpanse is designed with multiple layers of protection, distributed across a scalable, secure infrastructure.
These layers of protection include:
• Cortex Xpanse data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). Cortex Xpanse data is stored in a combination of Amazon Web Services (AWS) and Google Cloud Platform (GCP).
• Cortex Xpanse uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data in transit between the Cortex Xpanse application and Cortex Xpanse servers.
• SSL/TLS creates a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
• Two-factor authentication (2FA) and single sign-on (SSO) are available for an extra layer of security at login.
• Cortex Xpanse applications and infrastructure are regularly tested for security vulnerabilities and hardened to enhance security and protect against attacks.

Browser Support Policy


Cortex® Xpanse™ products support the latest versions of the following browsers:
• Google Chrome
• Mozilla Firefox
• Microsoft Edge
We understand that many of our customers have stringent browser support policies. In the future, we plan to support more browsers. Until then, if you experience any issues that are browser related, contact Customer Support and we will do our best to resolve them.

Cortex® Xpanse™ Expander
> Expander Overview
> Assets
> Issues
> Services
> Dashboards
> Reports
> Network Mapping
> Data
> CSV Export
> APIs and Integrations


Expander Overview
• What is Expander?
• Who is Expander for?
• Why is Expander valuable?
• Expander High-Level Functionality

What is Expander?
Expander is Cortex® Xpanse™'s marquee software-as-a-service (SaaS) web application and API that discovers, monitors, and tracks your global Internet attack surface, identifying new, existing, and unknown assets, and helping customers reduce exposure to attackers.
Expander is agentless and SaaS-based, requiring zero hardware or software install to provide you with a complete, real-time view of all of your Internet-connected assets and what's talking to them.
Expander is powered by Cortex Xpanse's global Internet intelligence platform that continuously collects and correlates petabytes of active and passive information about every device and service connected to the public Internet. Using this information, Cortex Xpanse intelligently attributes assets to specific organizations, helping customers discover and protect previously unknown Internet-connected systems.

Who is Expander for?


Cortex® Xpanse™ Expander supports all members of security operations (SecOps), network operations (NetOps), IT operations (ITOps), incident response (IR), risk management, and IT executives.

Why is Expander valuable?


Cortex® Xpanse™ Expander gives security and IT operations teams the visibility they need to reduce risk to the business by focusing remediation efforts on critical exposures and assets out of compliance with policy. Expander can automatically update your asset lists and processes, providing a single source of truth about assets that tie to your organization, including on-premises, through partners, and in cloud providers.
Business use cases for Expander include:
• Monitoring, tracking, and reporting on your complete global Internet attack surface.
• Securing previously unknown or unmonitored assets by bringing them under IT control.
• Quantifying risks that Internet-connected devices pose to your organization.
• Taking action to reduce risk before damage occurs.
• Improving the effectiveness and efficiency of security policies and IT operations.


Expander High-Level Funconality


Cortex® Xpanse™ combines a historical and current index of every asset on the public Internet with other enriching datasets to help organizations identify assets, exposures, misconfigurations, and policy deviations. Armed with this product, IT operations and security staff can perform the following tasks:
• Maintain a continuously up-to-date inventory of all Internet-connected assets.
• Identify Cloud and On-Premise assets that do not comply with company policy.
• Reduce your attack surface area by prioritizing exposures for remediation based on risk.
• Track digital assets like IP addresses, certificates, domains, and their registrations.
• Integrate asset and exposure context into existing security tools via the API.


Assets
Asset idenficaon is foundaonal for informaon security. In fact, the first item on both the CIS
Controls and the NIST Cybersecurity Framework (NCSF) is asset idenficaon. Cortex Xpanse
provides a comprehensive inventory of all discoverable assets for your organizaon in addion to
list views organized by asset type (such as IP Ranges, Domains, Cerficates). The Inventory and
asset list views display key informaon about each asset, such asset type, number of services and
issues associated with the asset, issue priority, and other important informaon. Cortex Xpanse
provides extensive search, filtering, and sorng capabilies on asset list views, enabling you to
more efficiently idenfy, priorize, and remediate security issues. Addionally, you can view the
details about any asset by clicking on the row for that asset in the Inventory or asset list view.
The following topics explain the asset idenficaon capabilies in Cortex Xpanse:
• Asset Inventory and Asset Type List Views
• Search and Filter Assets
• Annotaons
• Create a Custom IP Range
• Exporng Data
• Assets Detail View
• Assets API

Asset Inventory and Asset Type List Views


Cortex Xpanse provides a complete inventory of the discoverable assets for your organization, as well as separate list views for each asset type. The Inventory and asset type list views are organized on tabs under Assets, as shown in the figure below.

The following list provides a description of each tab under Assets:

• Inventory—Displays a comprehensive list of your assets along with key data about each asset, enabling you to search, sort, and filter your entire asset list from one interface.
• IP Ranges—Displays all IP addresses, in the form of ranges, that Cortex® Xpanse™ has attributed to your organization. For more details on IP Ranges, see IP Registration Records.


• Domains—Displays all domains that Cortex Xpanse has attributed to your organization and whether Cortex Xpanse has a recent resolution for each domain. This includes whether the resolution is associated with an active Service. If you have integrated cloud accounts, this tab will show you which domains have associated managed cloud resources. For more details on domains, see Domains.
• Certificates—Displays all certificates that Cortex Xpanse has attributed to your organization and whether Cortex Xpanse has seen each certificate advertised recently. This includes whether the advertisement is associated with an active Service. If you have integrated cloud accounts, this tab will show you which certificates have associated managed cloud resources. For more details on certificates, see Certificates.
• Remote Attack Surface—Provides an inventory of your Workforce Networks and Workforce Devices. The Remote Attack Surface asset tab is available only to customers who have API integration between Cortex Xpanse and Cortex XDR™ or GlobalProtect™. For more information about Remote Attack Surface management, see Remote Attack Surface Overview.
  • Workforce Networks—A network is a collection of devices that share a single public IP address. The Workforce Networks tab displays a complete list of the networks that your Workforce Devices appear on.
  • Workforce Devices—Displays a complete inventory of all your remote workforce devices with Cortex XDR installed.
• Cloud Resources—Displays an inventory of assets Cortex Xpanse was able to identify for your organization based on assets in known and sanctioned cloud accounts. For more information on Managed Cloud Resources, see Cloud Service Provider Integration.

Search and Filter Assets


Cortex Xpanse provides extensive filter and search capabilities for Assets. The filter and search options change based on the selected Assets tab; for example, the IPs/CIDR search option is available on the IP Ranges tab, but is not available on the Certificates tab. The filter bar at the top of each tab provides a search box and a drop-down box for each filter.

Search Assets
Cortex Xpanse supports the opons listed below for searching assets on the Inventory tab
and asset type tabs. The search opons that are available vary depending on the asset tab
being searched. The Content search opon searches the content in the asset data. The other
search opons (such as Asset Type, Issue Priority, Provider, etc) provide the same results as the
corresponding drop-down filters.
• Content—Searches the content of key asset fields, such as Name and Business Unit.
• Asset Type—Applies the Asset Type filter.
• Domain—Domain searches should be targeted searches. Specify the complete domain, such
as www.acme.com, if possible. Domain search will also search on the name, such as acme, or
a subset of the full domain, such as www.acme or acme.com. Domain search does not use
boolean, such as AND, OR, and NOT, or wildcard, such as ? or *, operators.
• IPs/CIDR —Cortex Xpanse expects a valid IP or CIDR address, such as 1.1.1.1 or 1.1.1.1/16.
You may also search on an IP Address range, such as 1.1.1.1 - 1.1.1.16, or use a wildcard, such
as 1.1.1.*.


• Issue Priority—Applies the Issue Priority filter.


• Provider—Applies the Provider filter.
• Tag—Applies the Tag filter.
• Has Service—Applies the Has Service filter.
• Has Issue—Applies the Has Issue filter.
• Network Type—Applies the Network Type filter.
• Device Type—Applies the Device Type filter.
• Status—Applies the Status filter.

Filter Assets
Cortex® Xpanse™ supports the following filters for filtering assets on the Inventory tab and asset
type tabs. The filter options that are available vary depending on the tab. To apply a filter, select
one or more filter options from the drop-down box and then click Apply.
• Advertises—Cortex® Xpanse™ will find Internet services advertising certificates. There are two
options for this filter, yes and no.
• Analysis—When Cortex Xpanse analyzes a certificate, there are multiple characteristics
checked. The current list is Expired, Healthy, Self-signed, Domain-control validated, Wildcard,
Insecure Signature, Short Public Key, and Long Expiration.
• Asset Type—Filters on one or more of the selected asset types.
• Business Unit—Cortex Xpanse provides a filter bar to specify business unit names. You may
also select one or more business units from the list of business units in the Cortex Xpanse
database.
• Has Issue—Filters by whether or not the asset is associated with an active issue.
• Has Related Managed Cloud Resources—When certificates and domains are associated with
managed cloud resources, the certificate or domain has related managed cloud resources. Like
the Advertises filter, this filter has two options, yes and no. When done selecting a has related
managed cloud resources status, select Apply to activate the filter.
• Has Service—When a certificate, domain, or managed cloud resource is associated with Service
Assets, the asset has service. This filter has two options, yes and no.
• Issue Priority—Filters on the priority of the issues associated with the asset.
• Network Type—Filters on Corporate, Remote, or All Network Types. A network is a collection
of devices sharing a single IP address. Cortex Xpanse categorizes networks as either
"Corporate" or "Remote" depending on whether the IP address of the network overlaps with
any of your other assets in Cortex Xpanse or has no known association with your organization.
• Provider—Search the list of providers or select one or more providers in the drop-down list.
• Resolves—Cortex Xpanse will resolve domain names. There are two options for this filter: yes
and no. Yes means the domain has resolved in the past 30 days.
• Source—Filters based on how the assets were found. The source indicates that the assets were
discovered by Xpanse or provided manually, while the other sources (Prisma Cloud, Prisma
Access, Strata GlobalProtect, Cortex XDR) are all integrations that can generate additional
assets in your inventory.
• Status—Filters based on whether we believe the asset is active or not. Some assets, such as
networks and certificates, can be inactive based on a lack of observations. Available values are
Active and Inactive.
• Tag—Search for a specific tag, or select one or more tags from the list of tags in the Cortex
Xpanse database. Note that tags are not case sensitive.
• Time Period filter—To filter on the time since last observation, Cortex Xpanse provides the
following time periods: 7 days, 2 weeks, 1 month, 6 months, 1 year, and All. You can only select
one time period.
• View by Use Case—Some of the most commonly used filter combinations.
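
The Analysis filter labels listed above (Expired, Healthy, Self-signed, Domain-control validated, Wildcard, Insecure Signature, Short Public Key, Long Expiration) can be reproduced from fields already parsed out of a certificate. The Python below is an added example, not Cortex Xpanse's own analysis: the CertFacts type, the function names, and the cut-offs (RSA under 2048 bits or EC under 256 bits as Short Public Key, validity over 398 days as Long Expiration, MD5 or SHA-1 as Insecure Signature, an empty subject organization as Domain-control validated) are assumptions, since the guide names the labels but not the thresholds.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set

# Cut-offs are assumptions for this example: the guide names the labels, not the thresholds.
SHORT_RSA_BITS = 2048                 # RSA below this -> "Short Public Key"
SHORT_EC_BITS = 256                   # EC below this  -> "Short Public Key"
LONG_VALIDITY = timedelta(days=398)   # validity above this -> "Long Expiration"
INSECURE_DIGESTS = {"md5", "sha1"}    # signature digests -> "Insecure Signature"

# Labels that count against "Healthy"; "Domain-control validated" is informational only.
RISK_LABELS = {"Expired", "Self-signed", "Wildcard", "Insecure Signature",
               "Short Public Key", "Long Expiration"}


@dataclass(frozen=True)
class CertFacts:
    """Fields already parsed out of an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_type: str              # "RSA" or "EC"
    key_bits: int
    signature_digest: str      # digest part of the signature algorithm, e.g. "sha256"
    subject_org: str = ""      # Subject O= value; empty when only domain control was validated
    sans: List[str] = field(default_factory=list)


def analyze_certificate(cert: CertFacts, now: datetime) -> Set[str]:
    """Return the Analysis labels from the guide's list that apply to this certificate."""
    labels: Set[str] = set()
    if now > cert.not_after:
        labels.add("Expired")
    if cert.subject == cert.issuer:
        labels.add("Self-signed")
    if not cert.subject_org:
        labels.add("Domain-control validated")
    # Wildcard if any SAN or the subject CN starts with "*."
    names = list(cert.sans) + [cert.subject.partition("CN=")[2].split(",")[0]]
    if any(n.startswith("*.") for n in names):
        labels.add("Wildcard")
    if cert.signature_digest.lower() in INSECURE_DIGESTS:
        labels.add("Insecure Signature")
    if (cert.key_type == "RSA" and cert.key_bits < SHORT_RSA_BITS) or \
       (cert.key_type == "EC" and cert.key_bits < SHORT_EC_BITS):
        labels.add("Short Public Key")
    if cert.not_after - cert.not_before > LONG_VALIDITY:
        labels.add("Long Expiration")
    if not labels & RISK_LABELS:
        labels.add("Healthy")
    return labels


def analysis_filter(certs: Iterable[CertFacts], selected: Iterable[str],
                    now: datetime) -> List[CertFacts]:
    """Apply the Analysis drop-down: keep certificates carrying any of the selected labels."""
    wanted = set(selected)
    return [c for c in certs if analyze_certificate(c, now) & wanted]


NOW = datetime(2022, 10, 3, tzinfo=timezone.utc)   # constructed reference time

# Constructed sample certificates; not real assets.
LEGACY_CERT = CertFacts(
    subject="CN=*.internal.example.com", issuer="CN=*.internal.example.com",
    not_before=datetime(2015, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2020, 1, 1, tzinfo=timezone.utc),
    key_type="RSA", key_bits=1024, signature_digest="sha1",
    sans=["*.internal.example.com"],
)
MODERN_CERT = CertFacts(
    subject="CN=www.example.com,O=Example Corp", issuer="CN=Example Issuing CA,O=Example CA",
    not_before=datetime(2022, 9, 1, tzinfo=timezone.utc),
    not_after=datetime(2023, 9, 1, tzinfo=timezone.utc),
    key_type="EC", key_bits=256, signature_digest="sha256", subject_org="Example Corp",
    sans=["www.example.com", "example.com"],
)
DV_CERT = CertFacts(
    subject="CN=app.example.com", issuer="CN=Example DV CA,O=Example CA",
    not_before=datetime(2022, 9, 15, tzinfo=timezone.utc),
    not_after=datetime(2022, 12, 14, tzinfo=timezone.utc),
    key_type="EC", key_bits=256, signature_digest="sha256", sans=["app.example.com"],
)

if __name__ == "__main__":
    for c in (LEGACY_CERT, MODERN_CERT, DV_CERT):
        print(c.subject, "->", sorted(analyze_certificate(c, NOW)))
```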

Annotaons
Cortex® Xpanse™ provides the ability to annotate records from the List View for all tabs. To
annotate a row in the List View, click on the box next to the row in your selected tab, or perform a
bulk selecon.
• Add Annotaons
• Remove Annotaons

Bulk Select
Cortex® Xpanse™ provides the option to bulk select IP Ranges, Certificates, Domains, Managed
Cloud Resources, and Remote Attack Surface networks and devices. The following task explains
how to bulk select IP Ranges.
STEP 1 | Choose individual ranges by selecting the boxes next to the IP Ranges.

STEP 2 | To select all IP Ranges you’ve selected on this page or across all pages, click the drop-down
marker next to the checkbox in the table header. You are presented with two options:
• Select all on this page
• Select items that match filters across all pages—This option lets you select a single set of
assets from multiple pages in the List View.

STEP 3 | Once you have selected a row or multiple rows via bulk select, there are two options to apply
your changes:
• Add Annotation
• Remove Annotation

Add Annotaons
In Cortex Xpanse Expander, you can add two types of annotaons from the list view, either Tags
or Contacts.
The following table provides restricons and recommendaons for annotaon fields.

Field      Sub-field      Recommendations and Restrictions
Tags       —              Max characters is 128. Max tags per asset is 100.
Notes      —              Max characters is 1024.
Contacts   Email          Required field. The max POCs per asset is 100.
Contacts   Full Name      Not required. Cortex Xpanse recommends first and last name.
Contacts   Role           Not required. Cortex Xpanse recommends including the contact’s role in the organization.
Contacts   Phone Number   Not required. Cortex Xpanse recommends including country code plus xxx-xxx-xxxx format.

STEP 1 | Select the row or multiple rows via Bulk Select that you want to annotate, and click Add
Annotations.
The Tags and Contacts tabs are displayed where you can add an annotation.

STEP 2 | You can add the following annotations in the Tags and Contacts tabs.
• Tags tab—(Optional) Specify in the Tags field the tag(s) that you want to add or create.
Tags are not case sensitive.

Tags are available in other views in 24-48 hours after being added. The changes
are automatically applied to any related user-defined Custom Ranges under the
selected Parent IP Range. This will be reflected through the count of the IP ranges
that will be affected.
• Contacts tab—(Optional) You can set any of the following annotations:
- Email—Specify the email address of the new contact that you are adding.
- Full Name—(Optional) Specify the full name of the new contact, including a first name and
last name.
- Role—(Optional) Specify the new contact’s role.
- Phone Number—(Optional) Specify the phone number of the new contact, including the
country code, in XXX-XXX-XXXX format.

STEP 3 | Apply annotation changes by clicking Apply to X Items.

Remove Annotations
You can remove annotations from the Tags or Contacts tabs.
STEP 1 | Select the row or multiple rows via Bulk Select from which you want to remove annotations, and
click Remove Annotations.
The Tags and Contacts tabs are displayed where you can remove an annotation.

STEP 2 | You can remove annotations in the Tags and Contacts tabs.
• Tags tab—Specify in the Tags to be Removed field the tag(s) that you want to remove.
Expander automatically displays a list of existing tags. As you type, the list automatically
filters on the characters you enter. Cortex® Xpanse™ Expander displays a list of Tags
Common to Selected Rows to make removing tags easier.
• Contacts tab—Specify in the Contacts to be Removed field the email address(es) of the
contact you want to remove. When the field is selected, a list of existing email addresses
for the current contacts is displayed. Cortex® Xpanse™ Expander displays a list of
Contacts Common to Selected Rows to make removing contacts easier.

STEP 3 | Apply annotation changes by clicking Apply to X Items.

Exporng Data
Cortex® Xpanse™ provides the ability to export data in CSV format from the following List View
pages on the Assets tab:
• Inventory
• IP Ranges
• Cerficates
The Cerficates data export provides two opons:
• Cerficates as CSV—Exports all cerficates based on search and filter sengs.
• All Cerficate Adversements as CSV—Exports all adversed cerficates in your instance
that adversed in the last 7 days. This is equivalent to seng Adverses = True in the
Cerficates as CSV export. This export includes the IP address that adversed the
cerficate. For this export, Cortex® Xpanse™ ignores the filter sengs in the List View and
exports the enre list. This is a helpful feature because the Cerficates as CSV export does
not contain the export's adversing IP addresses.
• Domains
The Domains data export provides two opons:
• Domain as CSV—Exports all domains based on search and filter sengs.
• All Domain Resoluons as CSV—Exports all resolved domains in your instance that resolved
in the last 7 days. This is equivalent to seng Resolves = True in the Domain as CSV export.
This export includes the IP to which the IP resolved. As the toolp indicates, for this export,
Cortex® Xpanse™ ignores the filter sengs in the List View and exports the enre list. This
is a helpful feature because the Domain as CSV export does not contain the resolving IPs in
the export.
• Managed Cloud Resources
• Remote Aack Surface
• Workforce Networks
• Workforce Devices
For more informaon about exporng data in CSV format from Cortex Xpanse, see CSV Export.

Create a Custom IP Range

Cortex Xpanse provides the ability to create custom IP address ranges on the IP Ranges tab under
Assets and on IP Range detail view pages.
To create a custom IP range, click on Create Custom Range on the IP Ranges list view or detail
view page. The application opens a Custom Range window with the following options for
creating a custom IP address range:
• Custom Ranges—On the IP Ranges List View, Expanse provides the capability to create a
custom range based on IP Address, number of IPs, and tags:
• First IP—Specify a valid IP/CIDR. Please note that unlike with IP/CIDR searches, you may
not use wildcard characters.
• Last IP—Specify a valid IP Address. If you entered a CIDR in the First IP, Cortex Xpanse
automatically calculates the Last IP.
• Number of IPs—Cortex Xpanse automatically calculates the number of IPs.
• Tags—Expander provides the option of selecting tags from its database. Click on the search bar,
and Expander displays a list of all tags. Select the tag and then click Add.
Once you click Create, Cortex Xpanse adds a new Custom Range listing to the IP Ranges List
View.
To differentiate between standard ranges and custom ranges, Cortex Xpanse denotes parent and
subset custom ranges with an icon to the left of the First IP Address.

IP Range icon          IP Range icon definition
[no icon]              IP Range record with no custom ranges.
[parent range icon]    Parent IP range. Custom ranges created from this range appear directly below it in the list view.
[custom range icon]    User-defined Custom Range that is a subset of the Parent range above it in the list view.

Assets Detail View

Each asset type (IP Ranges, Certificates, Domains, Managed Cloud Resources, and Remote Attack
Surface) displays a detailed view when clicking into a row on the Inventory or a list view.
• IP Ranges Detail View
• Certificates Detail View
• Domains Detail View
• Managed Cloud Resources Detail View
• Workforce Network Detail View
• Workforce Device Detail View

IP Ranges Detail View

Each IP range denotes the starting IP address, ending IP address, and the total number of IP
addresses based on the CIDR, such as /32 = 1, /30 = 4, /29 = 8, and /24 = 256.
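
The IPs/CIDR search forms described under Search Assets (single IP, CIDR, range, trailing wildcard), the Last IP and Number of IPs that the Create Custom Range dialog derives from a CIDR, and the CIDR sizes quoted above all come down to the same address arithmetic. The Python below is an added example, not Cortex Xpanse code: the IPScope type and the parse_ip_search and custom_range functions are names chosen for this example, and treating the host bits of a CIDR such as 1.1.1.1/16 as ignored (so it covers 1.1.0.0 through 1.1.255.255) is an assumption about how the product interprets such input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IPScope:
    """An inclusive span of IPv4 addresses: what a search term or custom range covers."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @property
    def size(self) -> int:
        # Number of IPs: /32 -> 1, /30 -> 4, /29 -> 8, /24 -> 256, as the guide states
        return int(self.last) - int(self.first) + 1


def _from_network(net: ipaddress.IPv4Network) -> IPScope:
    return IPScope(net.network_address, net.broadcast_address)


def parse_ip_search(term: str, allow_wildcard: bool = True) -> IPScope:
    """Parse the four IPs/CIDR search forms the guide lists.

    "1.1.1.1"             single address
    "1.1.1.1/16"          CIDR; host bits ignored (assumption), covers 1.1.0.0 - 1.1.255.255
    "1.1.1.1 - 1.1.1.16"  inclusive range
    "1.1.1.*"             wildcard; only trailing octets may be '*'
    Raises ValueError for anything else.
    """
    s = term.strip()
    if "-" in s:
        lo, hi = (part.strip() for part in s.split("-", 1))
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if last < first:
            raise ValueError(f"range end precedes start: {term!r}")
        return IPScope(first, last)
    if "/" in s:
        # strict=False clears host bits, which is how "1.1.1.1/16" becomes 1.1.0.0/16
        return _from_network(ipaddress.IPv4Network(s, strict=False))
    if "*" in s:
        if not allow_wildcard:
            raise ValueError(f"wildcards are not allowed here: {term!r}")
        octets = s.split(".")
        if len(octets) != 4 or "*" not in octets:
            raise ValueError(f"wildcard form needs four octets with '*' as a whole octet: {term!r}")
        star = octets.index("*")
        if any(o != "*" for o in octets[star:]):
            raise ValueError(f"only trailing octets may be wildcards: {term!r}")
        # each fixed octet contributes 8 prefix bits: "1.1.*.*" is 1.1.0.0/16
        base = ".".join(octets[:star] + ["0"] * (4 - star))
        return _from_network(ipaddress.IPv4Network(f"{base}/{8 * star}"))
    addr = ipaddress.IPv4Address(s)
    return IPScope(addr, addr)


def custom_range(first_ip: str, last_ip: Optional[str] = None) -> IPScope:
    """Mirror the Create Custom Range dialog: First IP is an IP or CIDR (no wildcards);
    a CIDR fills in Last IP automatically, otherwise Last IP must be supplied."""
    if "-" in first_ip:
        raise ValueError("First IP takes a single IP or CIDR, not a range")
    scope = parse_ip_search(first_ip, allow_wildcard=False)
    if "/" in first_ip:
        return scope                     # Last IP and Number of IPs derived from the CIDR
    if last_ip is None:
        raise ValueError("Last IP is required when First IP is not a CIDR")
    last = ipaddress.IPv4Address(last_ip)
    if last < scope.first:
        raise ValueError("Last IP precedes First IP")
    return IPScope(scope.first, last)


if __name__ == "__main__":
    for term in ("1.1.1.1", "1.1.1.1/16", "1.1.1.1 - 1.1.1.16", "1.1.1.*"):
        scope = parse_ip_search(term)
        print(f"{term:20} -> {scope.first} .. {scope.last} ({scope.size} IPs)")
    rng = custom_range("10.0.0.0/29")      # constructed sample input
    print("custom range", rng.first, rng.last, rng.size)
```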
Using the IP Ranges assets tab, you can examine each static IP range Cortex® Xpanse™ associates
with your business. You can also see why that IP range was attributed to your organization, view
registration information for the IP range, view or add Annotations for the IP range, and Create
a Custom IP Range.
The IP Ranges detail view provides the following information:
• The first and last IP addresses for the range.
• Size—The number of IP addresses in the range.
• IP Observed (30 days)—The number of times this range was observed by Cortex® Xpanse™ in
the past 30 days.
• Date Added—The first time that Cortex Xpanse identified this IP Range.
• Related Services—The number of services found on this IP range. Click the number to display
the list of related services along with information about those services.
• Related Issues—The number of issues found on this IP range. Click the number to display the
list of related issues along with information about those issues.
• Ownership Summary—Business units associated with the IP Range.
• Attribution—Indicates the reason for attribution. This information comes from the Asset
information.
• Registration—Cortex® Xpanse™ pulls registration information from public RIR (Regional
Internet Registry) databases, including ARIN, RIPE, APNIC, LACNIC, and AFRINIC. Expander
displays the registration information in the expanded asset view for an IP Range. Registry
information in your Expander instance is updated approximately biweekly.

As part of the registration data, Cortex Xpanse includes a network record and an organization
record for the IP range. Cortex Xpanse pulls information from a combination of Registration
Data Access Protocol (RDAP) and Whois data to collect the information.
• GeoIP/Location Data—If Cortex Xpanse has seen the IP Address in the past 30 days, the city
associated with the IP Address is listed. For more information on GeoIP, see GeoIP Collection.
• Annotations—View or update the Tags, Notes, or Contacts associated with the IP range.
Cerficates Detail View


The Cerficates detail view contains the following secons:
• Copy Link—At the top of the cerficate detail page is a Copy Link buon. Click on this buon
to copy the address of this cerficate detail page to your clipboard.
• Cerficate Status--Indicates whether the cerficate is Acve or Expired and for how long.

Cortex® Xpanse™ User Guide 28 ©2022 Palo Alto Networks, Inc.


Cortex® Xpanse™ Expander

• Cerficate Details—Provides informaon about seven potenal security concerns and status
for adversement and service.
• Related Services—The number of services found on this cerficate. Click the number to display
the list of related services along with informaon about those services.
• Related Issues—The number of issues found on this cerficate. Click the number to display the
list of related issues along with informaon about those issues.
• Ownership Summary—Business units associated with the IP Range.
• Cerficate Details—Cortex® Xpanse™ extracts the following detailed informaon from the
cerficate, directly:
• Subject
• Cerficate Issuer
• Fingerprint
• Public Key
• Signature
• Annotaons—View or update the Tags, Notes, or Contacts associated with the cerficate.

Domains Detail View

The Domains detail view contains the following information:
• Copy Link—At the top of the domain detail page is a Copy Link button. Click on this button
to copy the address of this domain detail page to your clipboard.
• Domain
• Provider(s)—Cloud provider name or “Other”.
• Business Unit(s)
• First Observed
• Last Observed
• Resolves (Last 30 Days) Yes/No
• Are Subdomains Collapsed Yes/No—Yes means that Cortex Xpanse saw over 1000 subdomains
of the PLD. Expander automatically collapses the domains to streamline the detail view. No
means that Expander shows all the subdomains that Cortex Xpanse has seen for the PLD.
• Related Services—The number of services found on this domain. Click the number to display
the list of related services along with information about those services.
• Related Issues—The number of issues found on this domain. Click the number to display the list
of related issues along with information about those issues.
• Ownership Summary—Business units associated with the domain.
• Cortex Xpanse provides domain registration information from WHOIS, including the following:
• Registration
• Registrant
• Admin
• Observed IP Addresses
• Annotaons—View or update the Tags, Notes, or Contacts associated with the IP range.

Managed Cloud Resources Detail View

The Managed Cloud Resources detail view contains the following sections:
• Copy Link—At the top of the Managed Cloud Resources detail page is a Copy Link button.
Click on this button to copy the address of this managed cloud resource detail page to your
clipboard.
• Cortex® Xpanse™ summarizes the following information for the managed cloud resource:
• Instance ID
• Resource Type
• Date Added
• First Observed
• Last Observed
• Region
• IP Address(es)
• Domain
• VPC Name/ID
• Provider Account
• Business Unit(s)
• Related Services—The number of services found on this cloud resource. Click the number to
display the list of related services along with information about those services.
• Related Issues—The number of issues found on this cloud resource. Click the number to display
the list of related issues along with information about those issues.
• Ownership Summary—Business units associated with the cloud resource.
• Annotations—View or update the Tags, Notes, or Contacts associated with the cloud resource.

Workforce Network Detail View

A Network is a collection of your Remote Devices that share a Public IP address, and is
categorized as either Corporate or Remote depending on whether the Public IP address of the
Network overlaps with any of your organization’s other assets. For more information about
Cortex® Xpanse™ remote worker attack surface management, refer to Remote Attack Surface
Overview. The Network detail view provides the following information about each of your
networks:
• Activity Status Bar—indicates whether the asset is active or inactive, how many days it has
been active or inactive, and the date range.
• Network Details—displays detailed information about the Network, such as the Public IP
address, Network Type, Provider (if available), and Source.
• Related Services—indicates whether there are services running on the network, with a link to
the list of services.
• Related Issues—indicates whether there are issues related to the network, with a link to the list
of issues.
• Remote Devices—list of Remote Devices on the network.
• Map—indicates the location of the Network.
• Annotations—View or add tags, notes, and contacts to the Network record.

Workforce Device Detail View

The Workforce Device detail view provides the following information:
• Activity Status Bar—indicates whether the asset is active or inactive, how many days it has
been active or inactive, and the date range.
• Device Details—includes detailed information about the device, including Device Name,
Public IP address, Network Type, Device Type, and Provider. The available details may vary
depending on the source of the data.
• Peer Remote Devices—list of additional remote devices on the same Network.
• Observed IP Addresses—list of Public IP addresses the device has used in the last 30 days, with
the location and date for each IP address used.
• Map—indicates the location of the Device.
• Annotations—View or add tags, notes, and contacts to the remote device record.

Assets API
The Cortex® Xpanse™ Expander APIs facilitate tight integration into your security ecosystem.
Xpanse currently supports two active versions of the Asset API. For all new customers or
customers doing new development utilizing Xpanse assets, we highly recommend using the Assets
v3 API.
• The Assets v3 API supports all asset types currently in Xpanse (IP Ranges, Domains, Certificates,
Cloud Resources, Networks, and Devices) and will be extended to support any new types
of assets added in the future. The Assets v3 API exposes all asset types through a common
interface with a generic model, reducing friction for developing against multiple asset types.
Assets v3 endpoints can be identified by the path prefix “api/v3/assets”.
• The Assets v2 API, as the legacy version is known, supports IP Ranges, Domains, Certificates,
and Cloud Resources. We do not recommend the Assets v2 API for new development unless
Custom IP Ranges are required, since this capability is not supported in the v3 API. Assets v2
endpoints can be identified by the path prefix “api/v2/assets”.

Issues
Issues are the problems identified by Cortex® Xpanse™ within Services and Assets. These Assets
are the inventory of items that Cortex Xpanse attributes to your organization. Assets include
domains, certificates, IP ranges, and services attributed to your organization. Services are the
inventory of all responsive software and devices attributed to your organization, some of
which may be well configured and secure, and others which may exhibit evidence of problems,
which are flagged as Issues.
Issues and Assets may not be in a 1:1 relationship. An Asset may have multiple Issues and an Issue
can have multiple associated assets. Cortex Xpanse continuously monitors for changes in existing
Issues and the existence of new Issues. When looking for new Issues, Cortex Xpanse looks both
for the presence of Issues with inherently risky services, such as Telnet, and for evidence on
otherwise routine (typically non-risky) services, such as a web server, that indicates potential
security problems.
• Issue Data Structure
• Issues API
• Requesting Changes to Your Organization's Issue Policies
• List View
• Issues Detail View
• Email Digests

Issue Data Structure

Each Issue has the following standard components. For more details on each component, see List
View and Issues Detail View:
• Issue Name—Combination of the Issue Type, such as Insecure TLS, and either a Domain, such
as dev.acme.com, or an IP address. Issues on a customer’s On-premise IP Range include the
corresponding IP in the Issue Name. If the Issue is hosted in the Cloud and attributed via a
Domain, then the corresponding domain appears in the Issue Name. Issue Names end with the
port number. IP and Domain are also available as separate fields for API usage.
• Activity Status—Cortex® Xpanse™ automatically sets an Issue Activity Status based on how
recently we saw the Issue.
• Priority—The options for priority are Critical, High, Medium, and Low. Cortex Xpanse
automatically sets a priority upon Issue creation. Users can then modify the priority of an Issue
as they see fit. A custom default priority for all new Issues of a given type can be set on the
Policies page.
• Progress Status—Issues are either Open or Closed. Each designation includes different progress
status settings, such as New, Investigating, In Progress, Resolved, No Risk, and Acceptable
Risk.
• Assigned To—You may assign an Issue to any Cortex Xpanse user. If the assignee turns on Email
Digests, they will receive all updates to their assigned Issues.
• First Added—This is the date that Cortex Xpanse first identified the Issue.
• Evidence—Cortex Xpanse bases evidence on our scan results. The evidence varies with the
kind of Asset and evidence type. Evidence is available in the Issue Detail view and via the
Expander API.
• Associated Assets—Issues include all associated Assets. There is additional information for
each Asset, including Attribution Reasons, Registration Records, Business Units, Tags, and
Hosting Provider.
• Cloud Management Status—An issue's cloud management status tells you if the asset
underlying the issue has been onboarded into the Prisma Cloud instance(s) that you have
connected to Cortex Xpanse. To connect a Prisma Cloud instance, see Prisma Cloud API
Connectors. The Cloud Management Status has three possible values: Unmanaged Cloud (the
underlying asset is not in Prisma Cloud), Managed Cloud (the underlying asset is in Prisma
Cloud), and Not Applicable (the distinction is not relevant). You can filter by cloud management
status in either the Services UI or API.

Issues API
All Issue details are available via the Cortex® Xpanse™ Expander API. To learn more, explore the
Issues API.

Requesng Changes to Your Organizaon's Issue Policies


The single most powerful feature of Cortex® Xpanse™ Issues is its ability to be customized for
your organizaon's specific needs and priories. Cortex Xpanse provides an in-product Policy
module where users are able to:
• Turn the Policy On or Off—Many Policies are turned on by default, but some are designed to be
opt-in.
• Change the default Priority—All Policies have an Cortex Xpanse-defined default Priority seng
of Low, Medium, or High. Crical is never a Cortex Xpanse-defined default. You may request
changes to these sengs, including making Crical the default Priority seng.
• Set the default Assignee for all new Issue under a given Policy—Any Issue triggered by a Policy
can have automac assignment to a Cortex Xpanse user. For more informaon about assigning
Issues, see Assignee.
Addional Issue policy customizaon requests can be sent directly to your Engagement Manager.
We are always interested in hearing what kinds of threats are relevant and most important to you.
Policies create Issues and we connually update this list of Available Issue Policies as we add
addional detecon capabilies to the plaorm. The intent of seng policies is to reduce risk
associated with your aack surface.

List View
The Issues List View is the primary portal for working with Issues. The List View is divided into
three sections:
• Mini-dashboard—The mini-dashboard displays Issue counts to help track new, open, closed,
unassigned and assigned-to-you Issues.
• Search and Filter Bar—This section across the top of the page provides options to filter specific
items and search for specific terms to narrow the number of Issues displayed on the Issues List.
• Issues List View—This section displays a list of Issues. You can sort the Issues list by column
heading where applicable.

Mini-dashboard
The mini-dashboard at the top of the screen provides a quick overview of Issue counts. These
counts are global. You can click on each count to filter the Issue List View.

To refresh the mini-dashboard, click on the refresh icon on the far right of the panel.
There are five counts displayed on the mini-dashboard:
• Assigned to me—This count shows the number of Issues assigned to you.
• New—This count shows all Issues with a Progress Status of New.

Clicking this count displays the list of all new issues for triage purposes.

• Open—This count shows all Issues with a Progress Status of New, Investigating, or In Progress.
• Unassigned—This count shows all Issues that are not currently assigned to anyone.
• Ready to Close—This count shows Issues that are Inactive. Use this count to quickly review
items that might be ready to be closed as Resolved or as Acceptable Risk.

Search and Filter Bar

The Filter Bar provides a drop-down box for each filter. These criteria are set in the Issues Detail
View. To set a single filter, select the Filter drop-down criteria, such as Critical Priority. Once you
have selected your filter criteria, click Apply Filters. The following are the available filters:
• Filtering and Searching—In addition to filtering, Cortex Xpanse provides the ability to conduct
extensive searches of Issues content. There are four categories of searches:
• Content search—Cortex Xpanse searches on a broad range of fields for Issues, including
name and certificates, such as issuer, full name, countries, org, extensions, public key, and
subject. Some things to consider when conducting content searches:
- If you are looking for domains, IP/CIDR, or ports, using those specialized searches will be
much faster, though the Content search will still work.
- The Content search uses prefixes and phrases, but not suffixes. For example, if you search
on “Work” you will receive any issue that contains any word starting with “work”, such as
work, workgroup, and workstation. If you search on “Group,” you will not see Issues that
contain “Workgroup.”
• Domain Search—Domain searches are meant to be targeted searches. Specify the complete
domain, such as www.acme.com, if possible. Domain search will also search on the name,
such as acme, or a subset of the full domain, such as www.acme or acme.com. Domain
Search does not use boolean operators, such as AND, OR, and NOT, or wildcards, such as ? or *.
• IP/CIDR—Cortex Xpanse expects a valid IP/CIDR address, such as 1.1.1.1 or 1.1.1.1/16.
You may also search on an IP Address range, such as 1.1.1.1 - 1.1.1.16, or you may use a
wildcard, such as 1.1.1.*.
• Port—For a port search, you can enter one port, such as 80, or a set of ports, such as 80,
443, 8080. Cortex Xpanse does not search on a range of port numbers, such as 80 - 100, or
support wildcards, such as 80*.
• Cloud Management Status—Filters on Unmanaged Cloud (public-facing assets that were found
exclusively by Xpanse) and Managed Cloud (assets that are listed in Prisma).
• Priority—The options for priority are Critical, High, Medium, and Low. Cortex® Xpanse™
automatically sets a priority upon Issue creation. You may set the default priority for an Issue
type, such as Elasticsearch Server, RDP Server, and WordPress Server, on the Policies page.
Priorities are initially assigned to Low, Medium, or High. A Critical priority is available as a user-
assigned action, giving you room to escalate important findings and make them easy to filter
down to. You may change the priority of an Issue at any time. All priority changes, including
the modifying user, previous priority level, and time of the change, are automatically logged by
Cortex Xpanse.
• Progress—Setting this filter will limit the list view based on Issue progress. There are two levels
to this drop-down:
• Open Issues
- New—Cortex Xpanse automatically opens a new Issue with a New status.
- Investigating—Cortex Xpanse recommends setting an Issue status to Investigating as
a first step to remediating the Issue. Typically, this step involves conducting an investigation
to understand the business context of this issue. This information is important to identify
potential service owners who may assist in remediation.
As soon as a point of contact (POC) is confirmed, add the contact information to
the asset record associated with the Issue.

- In Progress—Cortex Xpanse recommends setting an Issue status to In Progress as soon as
the initial investigation is complete, for example once service owners have been identified and
contacted. The Issue should remain In Progress as long as remediation is ongoing.
• Closed Issues
- Resolved—Cortex Xpanse recommends setting an Issue to Resolved once investigation
and remediation are complete. It is important to note that if Cortex Xpanse sees the Issue
reappear, the Issue will be reopened and assigned a New Issue status. Reopened Issues
retain the complete history of comments and status changes.
- Acceptable Risk—Cortex Xpanse recommends setting an Issue to Acceptable Risk if this
Issue meets the organization’s level of acceptable risk. This could mean that the Issue was
remediated to a point where it now meets an acceptable risk. It is important to note that an
Issue that is set to Acceptable Risk will not trigger new Issues, even though Cortex Xpanse
will continue to see this Issue. For this reason, only Issues that cannot be resolved should be
set to Acceptable Risk. Otherwise, you should remediate the issue and resolve it completely.
-No Risk—Cortex Xpanse provides the No Risk status to allow you to mark Issues for which
there are migang controls or protecons in place that are not observable by our plaorm.
Like Acceptable Risk, No Risk will not trigger new Issues, even if Cortex Xpanse connues
to see evidence of that kind of problem. Therefore, we urge you to use the No Risk status
only when a through invesgaon has been performed and to periodically re-assess any No
Risk Issues to confirm they connue to not pose a risk to your organizaon.
• Assignee—Assignees are registered users of the Cortex Xpanse platform.
• Status—Cortex Xpanse automatically sets an Issue Activity Status based on how recently an
Issue was seen:
• Active—Cortex Xpanse has recently observed evidence indicating that the Issue is still valid.
• Inactive—An Issue becomes inactive once Cortex Xpanse no longer observes the evidence
associated with the asset or service. Clicking Ready to Close displays all Inactive Issues.
How long Cortex Xpanse waits before declaring an Issue Inactive depends on the type of
evidence and the scan frequency. There are a number of reasons why this occurs:
-The asset or service is no longer displaying the evidence because the asset or service was
reconfigured. For example:
1. An expired certificate has been replaced with a fresh certificate.
2. An unencrypted FTP server has been reconfigured to use only encrypted SFTP.
3. A web server using insecure TLS/SSL is reconfigured to use only secure cipher suites and
versions.
-The asset or service is no longer responsive or routable via the public Internet. For example:
1. The service may have been shut down.
2. The service is now behind a firewall and is no longer routable on the public internet.
-If the Issue is seen again, Cortex Xpanse automatically changes the Issue to Active status.
• Business Unit—Filters by the assigned business unit.
• Provider—Filters by hosting provider.
• Provider Account—Filters by the specified integrated managed cloud resource from the given
provider account.
• Tag—Filters by tags that have been applied to the Issues.
• Remote Attack Surface—Filters for devices on remote networks or corporate networks.
Devices on Remote Networks includes issues on devices on a public IP address that is
currently unmanaged or not owned by your organization. Devices on Corporate Networks
includes issues on devices that are on a public IP address that is owned or managed by your
organization, including remote devices through VPNs.
• Country—Filters by country based on IP geolocation.
• Issue Type—The Issue Type filter is located in a panel to the left of the issue list. The Issue
Types are grouped into categories. Click the arrow to the left of any category to show the list of
all of the Issue Types within that category. You can select one or more individual issue types or
issue categories, and then Apply the filter.

Issues List View

The issues list view displays all issues in a table format. From the issues list view, you can perform
several actions, including the following:
• Select an individual issue
• Change the Status, Priority, Progress, and assignment of individual issues
• Conduct bulk edits of issues
• Export the issues list as a CSV file.

Bulk Edit
Cortex® Xpanse™ offers the ability to conduct bulk edits on Issues. To make a bulk selection of
multiple Issues:
• Choose individual Issues by clicking on the box next to the Issue Name, or to select all Issues
on the page, click the checkbox in the table header.
• Apply your changes:
• Assign To—The drop-down lets you select an assignee. Select the assignee and then click
Apply to x Items, where x is the number of selected Issues.
• Change Progress—The drop-down lets you set the progress for the Issues. Select the
progress and then click Apply to x Items, where x is the number of selected Issues.

Issues Detail View

To see the issues detail page, click a row on the issues list view. The issue detail view page is
divided into the following sections:
• Toolbar—The toolbar allows you to change the Priority, Progress, and Assigned to values for
the issue and to print or copy a link to the issue detail page.
• Issue Overview and Policy Details—Provides overview information, such as the status and
cloud management status of the issue, and a description of the policy that triggered the issue.
• How to Remediate—Provides high-level instructions for remediating the issue.
• Evidence—Provides the evidence that Cortex® Xpanse™ uses to attribute and assess the Issue.
• History—This section provides a timeline of all changes to the Issue.

Toolbar
The Toolbar section allows you to change the following settings for the Issue:
• Issue Priority
• Progress Status
• Assigned To
• Copy Link—Clicking on this button copies a link to the Issue onto the clipboard to share with
other Cortex® Xpanse™ users.

Issue Overview and Policy Details

The Issue Overview and Policy Details sections of the issue details page provide the following
information about the issue:
• Issue type and location—Provided in the format <IssueType> at <IssueLocation:Port>.
• Activity Status—Indicates the current status of the Issue. There are two states:
• Active—When an issue is Active, an additional field indicates when the issue was first added.
• Inactive—When an issue is Inactive, an additional field indicates when the issue was first
active.
• Cloud Management Status—Indicates whether the issue is for a Managed Cloud or Unmanaged
Cloud asset. This field displays cloud management status only if the Unmanaged Cloud module
has been set up. If the Unmanaged Cloud module has not been set up, this field indicates Not
Applicable.
• ID—Unique identifier for the issue. This identifier appears in the issue URL.
• Policy Details—Description of the policy that triggered the creation of the issue.
The figure below shows the issue overview and policy details sections of the issue details page.

How to Remediate
The How to Remediate section of the issue details page provides remediation guidance, which is
a set of high-level, actionable steps recommended by Cortex Xpanse for remediating the issue.
These instructions are not specific to your organization, but are based on the policy that triggered
the issue.

Not all issues have remediation instructions yet. Cortex Xpanse will continue to add
remediation instructions for more issues in future releases.

Evidence
The Evidence section of the Issue Detail provides the evidence that Cortex® Xpanse™ uses to
attribute and assess the Issue, and contains the following information:
• Review Issue Evidence
• Evidence Type—This field indicates the specific type of evidence that underlies the Issue.
There are two primary evidence types:
-Scan Evidence—This evidence comes from Cortex Xpanse's scans of the organization's Assets.
-Asset Evidence—This evidence comes from publicly available information including DNS
records, IP range registration records, content in certificates, and other internet registration
records.
• Service Classifications—Information about the software running on the service.
• Associated Assets—These are the underlying Assets associated with the Issue. Click the
Associated Asset title to see all information associated with that Asset.
• Ownership Link—Clicking this link will also take you to the corresponding Asset detail page.
• Attribution Reasons—Entries under the ownership link indicate the reason for attribution. This
information is copied from the Asset information.
• Points of Contact
• If the Asset has a point of contact, this information is displayed.
• To add an Asset point of contact, click the Ownership Link and scroll to Create
new or add existing contacts. Assigning contacts to an asset is critical to expedite Issue
investigation and remediation.
• Registration Information—Provides registration records for IP ranges, certificates, and domains
related to the issue.
• Business Units—The "business unit" is the parent organization that owns the asset. This may be
your core company or one of your subsidiaries. A business unit assignment occurs during the
network mapping process. To change the business unit assigned to a given asset, talk to your
Engagement Manager.
• Tags—Tags are one of three means to annotate assets. The other two options are points of
contact and notes.

History
On the right side of the Detail View is a panel that displays a comment box and a history/log for
the Issue:
• Comments—Use the Comments box to enter comments on the Issue. Be explicit with your
entries to indicate changes made and the rationale behind the changes. Comments are also an
excellent way to track remediation progress.
• Comments Log—Below the new comment box is a timeline history of any changes to the
Issue's Priority, Progress Status, Assignee, and Activity Status, and who made each change. Any
comments added are also included in the Comments Log.

Email Digests
An Issues Digest Email is a daily email subscription. The intent of the Issues Digest Email is to
keep you informed about new issues and any changes to issues assigned to you.
To turn Email Digests on and off:
• Click the gear icon in the main navigation and select the Email Digests option. There are two
checkboxes:
• New Issues—Check this box to receive a daily summary of all new Issues.
• My Issues—Check this box to receive a daily summary of all changes to Issues assigned to
you.
Who receives Issues Digest emails?
Everyone with email digests turned on receives notice of new Issues and changes to issues
assigned to them.
What information does an Issues Digest contain?
Issues Digest emails contain information about all new Issues. Plus, for all assigned Issues, the
digest includes a summary of changes to the following:
• Progress Status—Any change in status is noted.
• Priority—Any change in Issue priority.
• Assignee
• You receive a list of Issues newly assigned to you since the last email digest.
• You receive a list of Issues formerly assigned to you that are now assigned to someone else
since the last email digest.
• New comments—Any new comments that were added to an Issue assigned to you.
Cortex® Xpanse™ does not include notifications for changes that you made to your assigned
Issues in the Email Digest. When there are a large number of Issue changes or new Issues, Cortex
Xpanse sends numeric summaries.

Remediation Playbook
Remediation is an essential process of Cortex® Xpanse™ Expander. Assess critical Issues
immediately and remediate quickly.
A large part of remediation is information sharing. Cortex Xpanse Expander provides multiple
means to share remediation status. A goal of sharing and workflow is to avoid duplication of effort
and increase the ability to manage Issues over time.
Central to good remediation practice is tracking actions and maintaining up-to-date contact
information. Cortex Xpanse Expander provides the capability to do both when remediating Issues.
• Who is the Remediation Playbook for?
• Devise your Remediation Game Plan
• Setting Issue Status to track progress
• Registration Records and Business Units to Investigate Affected Assets
• Investigating/Adding a Point of Contact to an Asset
• Assigning Issues to a Cortex Xpanse User for Investigation and Follow-Up
• Issue Email Updates
• Tracking Progress Through Comments
• Resolved vs. Acceptable Risk Progress Statuses When Closing Issues
• Integrate with your ITSM Solution

Who is the Remediation Playbook for?

The primary users of remediation are SOC operators and the incident response team responsible
for remediating vulnerabilities and exploits.

Devise your Remediation Game Plan

The first step to remediation is understanding the Issues that Cortex® Xpanse™ surfaces.
For some issues, Cortex Xpanse provides remediation guidance, which is a set of high-level,
actionable steps recommended by Cortex Xpanse for remediating the issue. You can find the
remediation guidance in the How to Remediate section of the issue details page for an issue.
Although not all issues have remediation guidance yet, Cortex Xpanse will continue to add
guidance to additional issues in future releases.
For issues that do not have remediation guidance, consider your remediation solution approaches.
At the most basic level, remediation requires one of the following actions:
• Blocking access to the asset via a firewall rule update.
• Changing the configuration of the asset to no longer expose the port or protocol, such as
disabling RDP, SSH, or Telnet.
• Modifying the configuration to better protect the exposed port or protocol, such as encrypting
FTP.
• Updating or applying a patch to the software to fix a vulnerable software version.

Setting Issue Status to track progress

Throughout the remediation process, analysts use Issue Progress Status as the primary indicator
of the Issue's remediation progress.
Issue Progress Status options are New, Investigating, In Progress, Acceptable Risk, and Resolved.
For more information on Progress Status, see Search and Filter Bar.

Registration Records and Business Units to Investigate Affected Assets

Soon after beginning a remediation action, operators want to examine the ownership of the
underlying Asset associated with the Issue. The Business Unit that owns the Asset is displayed on
the List View and the Issue Detail View. A Business Unit is a designation to classify assets, and
Cortex® Xpanse™ tracks business units to identify the organization that owns the assets.
To define business units, work with your CSM.

Investigating/Adding a Point of Contact to an Asset

In addition to understanding the Business Unit ownership, it is vital to maintain an updated point
of contact for the Asset. To review/edit a point of contact:
1. Select the Issue from the Issue List View to open the Issue Detail View.
2. Scroll down and select Ownership for the associated IP range. This link takes you to the
detailed view of the related Asset.
3. Scroll down until you see Contacts.
4. To see/update an existing contact, click the contact box. If you need to add a contact to the
Asset, click the + on the screen's right side.

Assigning Issues to a Cortex Xpanse User for Investigation and Follow-Up

Central to any Issue remediation is assigning the Issue to team members for investigation and
follow-up. Cortex® Xpanse™ provides the ability to assign an Issue to another Cortex Xpanse
user.
To assign an Issue to a Cortex Xpanse user:
• Click the drop-down for Assigned To to select the user you want to assign for remediation.
• In addition to assigning Issues to Cortex Xpanse users, you can also update the Point of
Contact for an Asset for non-Cortex Xpanse users.

Issue Email Updates

When the Operator assigns an Issue to a Cortex® Xpanse™ user, that user can track the Issue
status by signing up for Digest Emails. These daily emails inform the user of any changes to their
assigned Issues. For more information, see Email Digests.

Tracking Progress Through Comments

As the Issue remediation process proceeds, it is vital that the team track every Issue status,
priority, and investigation update. Cortex® Xpanse™ automatically logs every Progress Status,
Priority, and Assignee change on the Issue Updates Timeline to facilitate tracking the remediation
history. For more information about status, priority, and assignees, see Search and Filter Bar.
Also, in the Issue Detail View, there is a panel to specify comments about the issue. For more
information, see History.

Resolved vs. Acceptable Risk Progress Statuses When Closing Issues

At the end of a remediation process, operators can determine that the Issue is Resolved or that the
Issue is an Acceptable Risk. Both settings close the remediation, but Cortex® Xpanse™ acts
differently if the Issue arises again:
• Resolved—Set the Issue Status to Resolved if you want Cortex Xpanse to reopen the Issue
when Cortex Xpanse observes the problem in the future.
• Acceptable Risk—Set the Issue Status to Acceptable Risk if you do not want updates if
Cortex Xpanse either continues to observe the Issue or if the Issue reappears in the future.
Acceptable Risk allows you to determine that an Issue is OK even though you have not
resolved the underlying problem. Because the underlying problem persists, Cortex Xpanse
highly recommends performing a periodic audit of items marked Acceptable Risk.
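The lifecycle rules stated here and in the Progress Status definitions earlier (a Resolved Issue reopens as New with its history retained, Acceptable Risk and No Risk never raise a new Issue, and an Issue goes Inactive once its evidence stops being observed), modelled as an added Python example that is not part of the guide or of Cortex Xpanse itself. The Issue field names, the seven-day inactivity window and the 90-day re-assessment period are assumptions; the guide says the real inactivity wait depends on evidence type and scan frequency.

```python
"""Added example (not Cortex Xpanse code): a minimal model of the Issue
lifecycle the guide describes, showing how Progress Status and Activity
Status react to scan evidence. Field names and time windows are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

OPEN_STATUSES = {"New", "Investigating", "In Progress"}
# Closed statuses; only Resolved is reopened when the evidence comes back.
CLOSED_STATUSES = {"Resolved", "Acceptable Risk", "No Risk"}
# Assumed value: the guide says the real wait depends on evidence type and scan frequency.
INACTIVITY_WINDOW = timedelta(days=7)


@dataclass
class Issue:
    issue_type: str
    location: str                 # "<IssueLocation:Port>", as in the detail view
    last_seen: datetime           # when evidence for the Issue was last observed
    progress: str = "New"
    activity: str = "Active"
    history: List[Tuple[datetime, str]] = field(default_factory=list)

    def log(self, event: str, when: datetime) -> None:
        self.history.append((when, event))


def set_progress(issue: Issue, status: str, when: datetime, comment: str = "") -> None:
    """Change Progress Status; only the statuses the guide lists are accepted."""
    if status not in OPEN_STATUSES | CLOSED_STATUSES:
        raise ValueError(f"unknown progress status: {status}")
    issue.log(f"progress {issue.progress} -> {status}", when)
    if comment:
        issue.log(f"comment: {comment}", when)
    issue.progress = status


def observe(issue: Issue, evidence_seen: bool, when: datetime) -> bool:
    """Apply one scan result to an Issue. Returns True if the Issue was reopened.

    - Evidence seen on a Resolved Issue: reopened as New; history is retained.
    - Evidence seen on an Acceptable Risk or No Risk Issue: nothing new is
      raised, even though the platform keeps seeing the problem.
    - No evidence for longer than INACTIVITY_WINDOW: Activity Status becomes
      Inactive, which is what the Ready to Close view lists.
    """
    reopened = False
    if evidence_seen:
        issue.last_seen = when
        if issue.activity != "Active":
            issue.log("activity Inactive -> Active", when)
            issue.activity = "Active"
        if issue.progress == "Resolved":
            issue.log("evidence reappeared: Issue reopened", when)
            set_progress(issue, "New", when)
            reopened = True
    elif issue.activity == "Active" and when - issue.last_seen > INACTIVITY_WINDOW:
        issue.log("activity Active -> Inactive", when)
        issue.activity = "Inactive"
    return reopened


def ready_to_close(issues: List[Issue]) -> List[Issue]:
    """The Ready to Close view: every Issue whose Activity Status is Inactive."""
    return [i for i in issues if i.activity == "Inactive"]


def needs_reassessment(issues: List[Issue], now: datetime,
                       every: timedelta = timedelta(days=90)) -> List[Issue]:
    """Acceptable Risk / No Risk Issues whose last status change is older than
    `every` (an assumed period); the guide urges periodic re-assessment of both."""
    due = []
    for i in issues:
        if i.progress in ("Acceptable Risk", "No Risk"):
            changed = max(t for t, e in i.history if e.startswith("progress "))
            if now - changed > every:
                due.append(i)
    return due
```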

Services
The Services Assets module represents the complete inventory of all of the public internet facing
services attributed to your organization observed by Cortex® Xpanse™. A Service can be any
internet facing device or software that communicates on a domain:port or IP:port pair. The
Services view allows IT and security teams to assess their total internet attack surface in detail.
Some use cases include:
• Answering questions about what kinds of software and devices are being used.
• Searching for specific software, technology, or configurations.
• Discovering unused technology deployments or legacy software in need of updating.
• Discovering Services that violate specific company policies which need to be turned into Issues.
• Investigating the software your Services are powered by.
Services also acts as one of the data sources for the Issues Policy engine.
The following topics relate to the Services Assets module observed by Cortex Xpanse:
• Services Concepts
• Services vs Issues
• Services Feature Walkthrough
• Inferred CVEs

Services Concepts
These are the services concepts:
• Activity Status
• Discovery Methods
• Service Classifications
• Cloud Management Status

Activity Status
A Service can have one of two activity statuses, Active or Inactive.
• Active Services—Active means that the service has been observed recently.
• Inactive Services—Inactive Services are Services that Cortex® Xpanse™ believes are no longer
on the internet.
The default Services list view only shows Active Services. You can use the Status filter drop-down
to review any Inactive Services that Cortex Xpanse is no longer detecting.

Discovery Methods
Services are marked with one of two kinds of discovery methods depending on the level of
confidence Cortex® Xpanse™ has in attributing it to your organization.
• Directly Attributed—These Services are definitively associated with an Asset that Cortex
Expanse believes belongs to your organization.
Examples include:
• It is hosted on one of your on-prem IP ranges.
• The Service advertises one of your organization's certificates.
• It is on a managed cloud resource that is known to be yours.
• Co-located with your Services—A co-located service itself does not present direct evidence
that it is owned by your organization. Yet, these Services are running on the same IP as a
different service that is directly attributed to your organization. In a multi-tenant hosting
environment these co-located services may belong to other organizations but can sometimes
pose adjacency risks to your services hosted on that IP. Because they have no definitive
fingerprint of ownership, co-located services are excluded from the Services List view by
default. You can review them by selecting the Co-located with your Services option from the
Discovery Method filter drop-down. If your organization has "single-tenant environment only"
policies with 3rd party hosting providers, you can use this functionality to identify possible
violations of that policy.

Service Classifications
Service Classifications are the facts that Cortex® Xpanse™ has been able to infer about each of
your Services by examining a response for fingerprints. Classifications cover a variety of topics
including:
• Identifying specific software and versions.
• Configuration details of note.
• Noting when Services do not implement various best practices like web security headers or
certificate security standards.
Some Classifications merely note that a fact is true or false, like Missing Cache Control Header.
Other Classifications provide additional information, such as a version number for "nginx Server".
These details are viewable on the Services Details Page by clicking the name of the Service in the
Services List View.

Cloud Management Status

A service's cloud management status tells you if the service has been onboarded into the Prisma
Cloud instance(s) that you have connected to Cortex® Xpanse™ Expander. To connect a Prisma
Cloud instance, see Prisma Cloud API Connectors.
The Cloud Management Status has three possible values:
• Unmanaged Cloud—The service is not in Prisma Cloud.
• Managed Cloud—The service is in Prisma Cloud.
• Not Applicable—The distinction is not relevant.
You can filter by the Cloud Management Status in either the Services user interface or API.

Services vs Issues
Both the Services and the Issues modules allow you to review items that are attributed to your
organization and are exposed to the public internet.

The Issues module identifies specific security problems and violations of your organization's policy
and helps you track progress on efforts to remediate those problems.
The Services module provides you with a complete inventory of all Services that Cortex® Xpanse™ has
observed, without security judgements. You can use Services to search for items for which there
are not currently Issue Policies or to conduct technology usage audits.
Cortex Expanse can convert any Service Classifications that are relevant to your organization's
security policies into Issue Policies that will automatically flag new instances that appear on
your network within the Issues module. We are also continuously developing new Service
Classifications to support inventory and security use cases. Contact your account manager to
discuss your needs or ideas.

Services Feature Walkthrough

To navigate to the Services module, click Assets in the primary navigation menu and then click
Services in the secondary navigation.
• Search
• Filtering
• Column Customization
• Table Details
• CSV Export
• Service Details Page

Search
Services includes a variety of search options including:
• Content Search—The default search mode, which allows you to search across the widest set of
data. Fields covered by content search include:
• Service ID
• Service type
• Service classifications
• Port number
• Recent IPs
• Recent domains
• Provider
• Certificate serial number
• Certificate subject name
• Certificate common name
• TLS versions, such as TLS 1.0
• TLS cipher suites
• Tags
• Domain Search—Domain searches are meant to be targeted searches. Specify the complete
domain, such as www.acme.com, if possible. The domain search does not use boolean operators, such as
AND, OR, or NOT, or wildcard operators, such as "?" or "*".
• IP / CIDR Search—Cortex® Xpanse™ expects a valid IP/CIDR address (1.1.1.1 or 1.1.1.1/16).
You may also search on an IP Address range, such as 1.1.1.1 – 1.1.1.16, or you may use a
wildcard, such as 1.1.1.*.
• Port Number Search—For a port search, you can specify one port, such as 80, or a set of ports,
such as 80, 443, 8080. Cortex Expanse does not search on a range of port numbers, such as 80
– 100, or support wildcards, such as 80*.
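A parser for the IP / CIDR and Port Number search syntaxes just listed, added here as an example (not Cortex Xpanse code) so that a script building queries can validate them before submitting them. The function names are illustrative; the parser accepts exactly the forms the guide lists and rejects port ranges and port wildcards.

```python
"""Added example (not Cortex Xpanse code): parsers for the IP / CIDR and
Port Number search syntaxes the guide describes. Function names are illustrative."""
import ipaddress
import re
from typing import Callable, List


def parse_ip_search(text: str) -> List[ipaddress.IPv4Network]:
    """Accepts the forms the guide lists: a single IP, a CIDR block, an address
    range written with '-' or an en dash, or a trailing-octet wildcard such as
    1.1.1.*. Returns the networks the query covers."""
    text = text.strip()
    # Address range, e.g. "1.1.1.1 – 1.1.1.16" (the guide shows an en dash).
    m = re.fullmatch(r"(\S+)\s*[-–]\s*(\S+)", text)
    if m:
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        if last < first:
            raise ValueError("range end precedes range start")
        return list(ipaddress.summarize_address_range(first, last))
    # Wildcard: every '*' must be a trailing octet; each one widens the block by 8 bits.
    if "*" in text:
        octets = text.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or not fixed or octets[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"wildcard must replace only trailing octets: {text!r}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return [ipaddress.ip_network(f"{base}/{8 * len(fixed)}")]
    # Single IP or CIDR; strict=False so that 1.1.1.1/16 means the block 1.1.0.0/16.
    return [ipaddress.ip_network(text, strict=False)]


def parse_port_search(text: str) -> List[int]:
    """Accepts one port (80) or a comma-separated set (80, 443, 8080). Port
    ranges (80 - 100) and wildcards (80*) are rejected, as the guide says
    they are not supported."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not re.fullmatch(r"\d{1,5}", item):
            raise ValueError(f"unsupported port expression: {item!r}")
        port = int(item)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def rejects(parser: Callable[[str], object], text: str) -> bool:
    """True if `parser` refuses `text`; used to confirm unsupported syntaxes are caught."""
    try:
        parser(text)
    except ValueError:
        return True
    return False
```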

Filtering
The Services module provides several filters to help you find relevant items.
Filtering options
• Recap the filter documentation that overlaps with Issues.
• New filters that need documentation.
• Service Classifications
• Countries
-Derived from geo-IP information.
-Not all Services will have geo-IP information, and the standard caveat applies: it is not always accurate.
• Discovery Methods
• Ability to customize the displayed filter drop-downs.

Column Customization
Many Service Classifications contain extra detail information that can be useful to review when
auditing or triaging your inventory. The Services List page provides the ability to customize the
columns that you can see in the table view. To customize the table, click the Column button in the
filter toolbar.

A dialog box with the columns available based on your current filter selections opens.

The Customize Column Display dialog box enables you to perform the following functions:
• Reorder the columns by using the drag handles in the Active Columns section of the dialog box.
• Choose which columns to display in the List View by selecting the checkboxes in the Available
Columns section.
• Select the Save as my default checkbox at the bottom to keep your choices for future Cortex®
Xpanse™ sessions.

Table Details
The Services table includes the standard functions of all list pages in the Cortex® Xpanse™ web
application, including:
• The ability to sort on select columns by clicking the header of the column.
• The ability to navigate from page to page by using the paginator control at the upper right
corner of the table.
• The ability to adjust the number of rows shown in the table by using the Rows drop-down
menu at the upper right near the pagination control.
Each Service shown in the table will have a summary row that shows all of the relevant
Classifications for that Service. More specific information can be found by clicking the name of the
Service to navigate to the details page.
The Location column link opens a new tab to Google Maps showing you the approximate location
of the service based on geo-IP information.

CSV Export
Services data can be exported to a CSV file from the List View page. CSV Export files can contain
up to 30,000 Service records, including Service Classification names. Additional data can be
accessed via API. Refer to CSV Export for more information about exporting data.

Service Details Page

The Service Details page is divided into a series of panels that provide more information and
details about the Service and related organization assets.
• Service Details Panel—Provides the following information about the Service itself:
• Active vs Inactive—The current Active or Inactive status of the Service.
• Port and IP—The most recent IP and port for the Service.
• Observation dates—The date the service was first observed and most recently observed on
the public internet.
• Discovery Type—The method that Cortex® Xpanse™ used to identify and attribute this
service to your organization. For more information, see Discovery Methods.
• Recent IPs, Domains, and Certificates—Tables of recent IPs the service was sighted on,
domains that have recently resolved to the IP of the service, and any certificates that have
been advertised at that IP address. Services hosted on cloud providers (any hosting services
outside your organization's on-prem IP space) that are attributed by certificate or domain
name are most likely to have this information.
• Service Classifications and Details—The next section in the Service Details page is the Service
Classifications, which is a summary of all of the Service Classifications that Cortex Expanse
has inferred about this Service. This will include information about software components or
packages identified, common configuration problems, and security best-practices details on
the Service. Some Classifications will have additional information in the Service Classification
Details section. The information presented here will vary by the type of Service, but will often
include information like version numbers and details of Service configuration parsed from scan
data.
• Associated Asset Panels—The final section of the Service Details page includes panels for each
of the Assets associated with the Service. Each panel will show the tags, business units, and
notes for that Asset. These assets can include an associated:
• IP Range—If a Service is located in your organization's on-prem IP space, this panel shows
the relevant range registration records for that IP number.
• Domain—If a Service is associated with a domain known to belong to your organization, its
registration records are displayed. Domains that happen to resolve to the Service's current
IP that are NOT a contributing reason why the Service is associated with your organization
by Cortex Expanse are not displayed in this section.
• Certificate—If a Service advertises a certificate known to belong to your organization, it is
displayed. Certificates are one of the ways that Cortex Expanse discovers and attributes
assets to your organization in the cloud.
• Managed Cloud Resources—If a cloud Service is attributed to your organization by one of
our direct integrations with a cloud provider, the relevant managed cloud resource details
will be shown in this panel.

Inferred CVEs
Common Vulnerabilities and Exposures (CVE) is a system for referencing publicly disclosed
software security vulnerabilities. Individual vulnerabilities are commonly referred to as CVEs, and
each one is uniquely identified by a CVE ID, such as CVE-2020-1234.
Cortex Xpanse attempts to match each service with CVEs that might be present on that service.
We refer to any potential matches as Inferred CVEs. We perform this matching using the service
name and version information that is available to our scanners.
We categorize Inferred CVE matches as High, Medium, or Low Confidence based on the version
information that is available on the service and from the National Vulnerability Database (NVD).
• High Confidence—Precise version information is available both from the service and from NVD.
• Medium Confidence—Part of the version information from the service matches the NVD entry
for the CVE, but the version information from the service has additional characters.
• Low Confidence—Either the service or the NVD entry for the CVE does not have sufficient
version information to be a higher confidence match.
The table below provides examples of Inferred CVE matches. Each entry lists the service
information available from the Xpanse scan, the CVE information available from NVD, the match
result, and the details of why that result was reached.

Service information available from Xpanse Scan: Apache v 2.4.50
CVE information available from NVD: CVE-2021-41773. Affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Match Result: No Match
Details: Because the CPE information from NVD indicates a version of Apache that is different
than the one we saw in the scan, this does not match.

Service information available from Xpanse Scan: Apache v 2.4.49
CVE information available from NVD: CVE-2021-41773. Affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Match Result: High Confidence Match
Details: Because the CPE information from NVD matches the version of Apache indicated from
the scan, this is a high confidence match.

Service information available from Xpanse Scan: Apache v 2.4.49c
CVE information available from NVD: CVE-2021-41773. Affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Match Result: Medium Confidence Match
Details: Because the version numbers from the service and the NVD information match, except
for the additional character in the version from the service, this is a medium confidence match.

Service information available from Xpanse Scan: Apache (no version number detected)
CVE information available from NVD: CVE-2021-41773. Affects cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
Match Result: Low Confidence Match
Details: Because the CPE information from NVD matches the software name of the service, but
we do not have any information on the version, this is a low confidence match.

Service information available from Xpanse Scan: Apache v 2.4.50
CVE information available from NVD: CVE-2022-22719. Affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
(up to and including 2.4.52)
Match Result: High Confidence Match
Details: Because the CPE information from NVD matches the version of Apache indicated from
the scan, this is a high confidence match.

Service information available from Xpanse Scan: Apache v 2.4.50 (running on Red Hat
Enterprise Linux 6 (RHEL6), which is not affected by this CVE)
CVE information available from NVD: CVE-2022-22719. Affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
(up to and including 2.4.52)
Match Result: High Confidence Match
Details: Because the CPE information from NVD matches the version of Apache indicated from
the scan, this is a high confidence match. Xpanse cannot determine if mitigating controls are in
place or the underlying OS, so this pairing will still generate a high confidence match.

Service information available from Xpanse Scan: Apache (any version number)
CVE information available from NVD: CVE-2012-3526. Affects cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Match Result: Low Confidence Match
Details: Because this CVE does not indicate any specific version number, we consider it to be a
low confidence match for any version of Apache http_server, regardless of version information.

In general, an Inferred CVE might impact your service, but additional investigation is required to
confirm that the CVE is actually present.
Cortex Xpanse is making ongoing improvements to CVE version matching. In general, we aim to
err on the side of overmatching, so you don't miss a vulnerable service in need of patching. If you
notice a version that is incorrectly matched or not matched, please contact your CSM and let them
know.
Within the Services module of Cortex Xpanse you can Search for a Specific CVE ID and see the list
of services the CVE may be impacting. You can also View the Inferred CVEs for a Service that may
be impacting a specific service. CVE information does not appear in the Issues module of Cortex
Xpanse.
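The confidence rules above are easy to apply by hand for one pairing and easy to get wrong across an inventory. The following Python is an added example, not Cortex Xpanse code: it implements the same four outcomes over NVD CPE 2.3 match strings. It assumes the scanner's "Apache" banner has already been normalised to the CPE product http_server, packages the NVD range bound ("up to and including 2.4.52") as a versionEndIncluding field, and adds one pairing the examples do not list (2.4.53 against CVE-2022-22719) to show the out-of-range case. The class and function names are this example's own.

```python
"""Version-aware Inferred CVE matching against NVD CPE 2.3 strings.

Added example, not Cortex Xpanse code. The CPE strings and the 2.4.52 upper
bound come from the documented examples; the CpeMatch record, the function
names and the assumption that the scanner's "Apache" banner maps to the CPE
product "http_server" are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CpeMatch:
    """One NVD CPE match entry: the CPE 2.3 string plus optional range bounds.

    NVD expresses 'up to and including 2.4.52' as versionEndIncluding, and the
    version field of the CPE string is then the wildcard '*'.
    """
    cpe23: str
    version_end_including: Optional[str] = None
    version_start_including: Optional[str] = None


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named components (no escaped colons handled)."""
    # cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {"part": fields[2], "vendor": fields[3], "product": fields[4], "version": fields[5]}


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Numeric-aware sort key so that 2.4.9 < 2.4.10 and 2.4.49 < 2.4.49c."""
    key = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"(\d+)(.*)", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    return tuple(key)


def numeric_core(version: str) -> Tuple[int, ...]:
    """The numeric components only; '2.4.49c' and '2.4.49' share a core."""
    return tuple(n for n, _ in version_key(version))


def infer_match(product: str, version: Optional[str], entry: CpeMatch) -> str:
    """Classify a (product, version) observation against one NVD CPE entry.

    Platform details are deliberately absent: as the RHEL6 example shows, a
    distribution backport that fixes the CVE without changing the Apache
    version string is invisible to version matching and still yields High.
    """
    cpe = parse_cpe23(entry.cpe23)
    if cpe["product"] != product:
        return "No Match"
    ranged = entry.version_start_including is not None or entry.version_end_including is not None
    if cpe["version"] == "*" and not ranged:
        return "Low Confidence"  # non-version-specific CVE: NVD names no version at all
    if version is None:
        return "Low Confidence"  # product name only: the service advertised no version
    if cpe["version"] == "*":
        # Ranged entry: the observed version must fall inside the bounds.
        key = version_key(version)
        lo, hi = entry.version_start_including, entry.version_end_including
        if lo is not None and key < version_key(lo):
            return "No Match"
        if hi is not None and key > version_key(hi):
            return "No Match"
        return "High Confidence"
    if version == cpe["version"]:
        return "High Confidence"
    if numeric_core(version) == numeric_core(cpe["version"]):
        return "Medium Confidence"  # same numeric version plus a suffix, e.g. 2.4.49c
    return "No Match"


# CPE data from the documented examples; the CpeMatch packaging is an assumption.
CVE_2021_41773 = CpeMatch("cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*")
CVE_2022_22719 = CpeMatch("cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                          version_end_including="2.4.52")
CVE_2012_3526 = CpeMatch("cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*")


def table_examples() -> List[str]:
    """Run the documented pairings plus one out-of-range case (2.4.53), in order."""
    cases = [
        ("2.4.50", CVE_2021_41773),   # No Match
        ("2.4.49", CVE_2021_41773),   # High Confidence
        ("2.4.49c", CVE_2021_41773),  # Medium Confidence
        (None, CVE_2021_41773),       # Low Confidence: no version detected
        ("2.4.50", CVE_2022_22719),   # High Confidence: inside the range
        ("2.4.53", CVE_2022_22719),   # No Match: beyond 2.4.52 (not in the table)
        ("2.4.50", CVE_2012_3526),    # Low Confidence: non-version-specific CVE
    ]
    return [infer_match("http_server", v, entry) for v, entry in cases]
```

Call table_examples() to reproduce the documented outcomes in order. Exactly as the RHEL6 example warns, nothing in this logic can see a distribution backport: a patched 2.4.50 still returns High Confidence, which is the intended overmatching, and the investigation step the text asks for is what resolves it.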

Search for a Specific CVE ID


You can search for a CVE within the Services module of Cortex Xpanse only.
STEP 1 | Navigate to the Services tab.

STEP 2 | Enter the CVE ID in the search box.

Be sure to use the complete CVE ID syntax in the format CVE-yyyy-xxxxx, where:
• CVE is the CVE ID prefix.
• yyyy is the calendar year when the CVE was issued.
• xxxxx is a set of numeric digits. This field has a variable length, but the minimum is four
digits.
You can search for more than one CVE by entering the CVE IDs in the search box as a comma-
delimited list.

Cortex Xpanse will display the list of services that potentially have the Inferred CVE.

STEP 3 | Optionally, export the list of services by clicking Export CSV.

View the Inferred CVEs for a Service


The Inferred CVEs that may impact a specific service are listed on the Service details page in
Cortex Xpanse. A service can have several software packages running on it, so it is common for
there to be Inferred CVEs for different products impacting a single service.
STEP 1 | Navigate to the Services tab in Cortex Xpanse.

STEP 2 | From the list of services, select a service by clicking on the relevant row.
The Inferred CVEs column in the service list indicates how many Inferred CVEs are potentially
affecting that service.

STEP 3 | On the Service details page, scroll to the Inferred Potential CVEs section, and expand the list.
For each Inferred CVE, Cortex Xpanse provides the information listed in the following table to
help you determine which of the Inferred CVEs should be addressed.

Field: CVE ID
Description: The CVE ID is linked to the CVE entry in the National Vulnerability Database.

Field: CVSS v3 Score
Description: The Common Vulnerability Scoring System (CVSS) is an industry standard for
assessing the severity of software security vulnerabilities. CVSS scores range from 0 to 10,
with 10 being the most severe. For the specific metrics used to calculate a CVSS v3 score, see
https://www.first.org/cvss/. N/A indicates that the CVE doesn't have a CVSS v3 score.

Field: CVSS v2 Score
Description: As with CVSS v3, scores range from 0 to 10, with 10 being the most severe. For the
specific metrics used to calculate a CVSS v2 score, see https://www.first.org/cvss/. N/A
indicates that the CVE doesn't have a CVSS v2 score.

Field: Confidence
Description: Confidence in the CVE inference.
• High—An exact version match
• Medium—An approximate version match
• Low—A match based on product name only
For more information about Inferred CVE match confidence, see Inferred CVEs.

Field: Inferred From
Description: Lists the product name and version information that Cortex Xpanse used to make
the CVE inference.
• Product name and version number—Matched on both product name and version.
• Product name only—Matched on product name only because the service doesn't advertise
version information.
• Product name and Non-version-specific CVE—Matched on product name only because the
National Vulnerability Database CVE definition does not include version numbers.
Dashboards
Cortex® Xpanse™ Expander Dashboards currently show trends through yesterday; any
changes made to records within Cortex Xpanse Expander can take up to 24 hours to be reflected
within the Dashboards view.

• Cortex Xpanse Home Page
• Issues Overview Dashboard
• Attack Surface Overview Dashboard
• Unmanaged Cloud Overview Dashboard
• Compliance Assessments Dashboard
• Remote Attack Surface Overview

Cortex Xpanse Home Page

The Home Page dashboard in Cortex® Xpanse™ addresses key attack surface management use
cases, including the following:
• Review your network inventory distribution for both Cloud and On Prem Assets
• Track your highest priority issues and how they are trending over time
• Quickly access issues associated with recent CVEs and see new policies that Cortex Xpanse has
released
• Monitor your Mean Time to Remediate (MTTR) metrics across different issue priorities in order
to drive improvement and remediate critical issues faster
• Understand how your On Prem issues are geolocated across the globe
• Highlight your riskiest cloud provider based on the percentage of issues it's carrying relative to
all of the issues and misconfigurations across your cloud footprint
• Track the issue types that are being remediated by users across the network
• Review the services which Cortex Xpanse has discovered but are not being managed by Prisma
Cloud
• Drill into your Shadow IT by customizing your approved providers, domain registrars, and
certificate issuers
• Review certificate issues across your network
• Monitor Unclaimed S3 buckets that could leave you vulnerable to subdomain hijacking
In addition to providing a broad overview of your attack surface, the Home Page dashboard also
provides the ability to drill down into the details for all of the data that is displayed.
For more details about the Cortex Xpanse Home Page dashboard, see the following topics:
• Home Page Filters and Dashboard Preferences
• Home Page Dashboard

Home Page Filters and Dashboard Preferences


You can set filters and preferences to customize the data displayed on the Cortex® Xpanse™
Home Page dashboard. The Home Page dashboard filters and preferences, along with the Last
Updated date, are at the top of the Home Page.

• Use the dropdown filters to filter the Home Page dashboard content by Status, Business Units,
and Tags.
• Last Updated provides the date of the most recent refresh for the dashboard data. Changes to
data may take 24 hours to appear in the dashboard.
• Set up your Dashboard Preferences using the steps that follow.

Editing the Dashboard Preferences requires permission. The preferences are not user-
specific—once they are set they apply to all users.

The Dashboard Preferences apply to the Home Page dashboard only; they do not affect the
other dashboards in the Cortex Xpanse web application.
STEP 1 | Click Dashboard Preferences to open the Dashboard Preferences screen.

STEP 2 | Use the arrows to specify your Approved Providers, Top Issue Types, Approved Certificate
Issuers, and Approved Domain Registrars, and then Save your preferences.

Expander Home Page Dashboard

The Cortex® Xpanse™ Expander Home Page dashboard displays the widgets described in the
sections below. Note that you can download an image of any widget in the dashboard in SVG or
PNG format by clicking the widget's download icon.
You can customize the data that is displayed in the Home Page dashboard by configuring your
Dashboard Preferences and setting the filters. See Home Page Filters and Dashboard Preferences
for more information.

Total On Prem Assets

Displays the total number of directly discovered On Prem hosted assets, as well as the breakdown
of On Prem assets by active Services, Certificates, Domains, and individual IP addresses. The
trend, which is the change in the Total On Prem Assets count over the last 30 days, is displayed to
the right of the total count.
• Click a bar in the chart or the count for any category (Services (active), Certificates, Domains,
IPs) to display the list view of that category with the On Prem Provider filter applied.
Total Cloud Assets

Displays the total number of cloud assets as well as the breakdown of cloud assets by active
Services, Certificates, Domains, and individual Cloud Resources. The trend, which is the change in
the Total Cloud Assets count in the last 30 days, is displayed to the right of the total count.
• Click a bar in the chart or the count for any category (Services, Certificates, Domains, and
Cloud Resources) to display the list view of that category with the Cloud Providers filter
applied.

Active High+ Priority Issues

Displays information about the number of Active Issues with a priority of High or Critical.
If you did not set your Top Issue Types in Dashboard Preferences, the data in this widget is based
on all your Active Issues with a priority of High or Critical. The total count is the number of your
High+ Active issues. The trend, which is the change in the count over the last 30 days, is displayed
to the right of the total count. The table displays the top five Issue Types based on the number of
Active Issues.
If you set your Top Issue Types in the Dashboard Preferences, the data in this widget is based on
the issues for your selected Top Issue Types. In this case the total count is the number of Active
Issues for your selected Top Issue Types only. The table displays the top five of your selected Top
Issue Types in order based on the number of Active Issues. If you have selected fewer than five
Top Issue Types, only the ones you have selected will be shown in the table.
• If you did not set Top Issue Types in the Dashboard Preferences, clicking the total count will
display the Issues list filtered by High and Critical priority, Open Issues progress, and Active
status.
If you set the Top Issue Types, clicking the total count displays the Issues list filtered by your
selected Issue Types, Open Issues progress, and Active status.
• Clicking a Top Issue Type count in the table displays the Issues list filtered on the type, High
and Critical priority, Open Issues progress, and Active status.
• Hovering over the chart displays the issue count for a specific date.
• If you set the Top Issue Types, clicking All Issues displays the Issues list filtered by your selected
Issue Types, Open Issues progress, and Active status.

New CVE Policy Available

Displays the most recently released CVE-related policy from Cortex Xpanse and the number of
Active issues based on that policy. The table displays the last five policies, whether they are ON or
OFF for your organization, and the number of Active issues for those policies that are ON.

If you don't have permission to see the Policy module in Expander, the table will not be
displayed.

• Click the latest CVE policy at the top of the widget to display the Issues list filtered by that
issue type and Active status.
• Click the count of any of the New Policies to display the Issues list filtered by that issue type
and Active status.
• Click All Policies to display the Policies list.
Mean Time to Remediate

The Mean Time to Remediate (MTTR) widget shows how quickly your organization is remediating
issues. We define MTTR as the time it takes for an issue to go from Active to Inactive. If an
Inactive issue becomes Active again, MTTR is the time from when the issue re-enters the Active
state to when it becomes Inactive again.
The table on the left displays the total number of Inactive issues for each priority. The totals are
for On Prem issues or Cloud issues, depending on which one you selected using the toggle.
The table on the right shows the percentage and number of Inactive issues broken down by
priority and MTTR range.
• Toggle between On Prem and Cloud issues.
• Mouse over the percentages in the table to display the number of issues with that priority and
MTTR range.
• Click the totals in the issue count table to display the Issues list filtered by Inactive status, the
priority you selected, and On Prem or Cloud providers, depending on which one you selected
using the toggle.
• Click Open and Closed Inactive Issues to display the Issues list filtered on Inactive status.
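The MTTR definition above has one subtlety worth seeing in code: an issue that goes back to Active starts a new interval at the re-entry time, and an issue that is still Active contributes nothing. The following Python is an added example, not Cortex Xpanse code, computing MTTR per priority and the priority-by-range breakdown from a constructed event log. The range boundaries and the decision to count a re-opened issue once per completed interval are this example's own assumptions.

```python
"""Mean Time to Remediate (MTTR) from Active/Inactive issue transitions.

Added example, not Cortex Xpanse code. The event log, the priority names and
the MTTR range boundaries are constructed assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample: (issue_id, priority, timestamp, status). Not real data.
EVENTS = [
    ("ISS-1", "Critical", "2022-09-01T10:00", "Active"),
    ("ISS-1", "Critical", "2022-09-02T10:00", "Inactive"),  # 1 day
    ("ISS-2", "High", "2022-09-01T00:00", "Active"),
    ("ISS-2", "High", "2022-09-11T00:00", "Inactive"),      # 10 days
    ("ISS-2", "High", "2022-09-20T00:00", "Active"),        # re-entered Active
    ("ISS-2", "High", "2022-09-22T00:00", "Inactive"),      # 2 days, a separate interval
    ("ISS-3", "High", "2022-09-05T00:00", "Active"),        # still Active: no MTTR yet
    ("ISS-4", "Critical", "2022-09-03T00:00", "Active"),
    ("ISS-4", "Critical", "2022-09-03T12:00", "Inactive"),  # 0.5 day
]

# (label, exclusive upper bound in days): assumed buckets, not the product's.
BUCKETS = [("<1d", 1), ("1-7d", 8), ("8-30d", 31), (">30d", float("inf"))]


def remediation_intervals(events) -> List[Tuple[str, str, float]]:
    """One (issue_id, priority, days) per completed Active -> Inactive interval."""
    opened: Dict[str, datetime] = {}
    intervals = []
    for issue, priority, ts, status in sorted(events, key=lambda e: (e[0], e[2])):
        t = datetime.fromisoformat(ts)
        if status == "Active":
            opened[issue] = t  # re-activation overwrites: the clock restarts here
        elif status == "Inactive" and issue in opened:
            days = (t - opened.pop(issue)).total_seconds() / 86400
            intervals.append((issue, priority, days))
    return intervals


def mttr_by_priority(events) -> Dict[str, float]:
    """Mean days to remediate per priority, over completed intervals only."""
    per_priority = defaultdict(list)
    for _, priority, days in remediation_intervals(events):
        per_priority[priority].append(days)
    return {p: round(mean(d), 2) for p, d in per_priority.items()}


def bucket(days: float) -> str:
    """Map a duration onto the first bucket whose upper bound it is below."""
    for label, upper in BUCKETS:
        if days < upper:
            return label
    return BUCKETS[-1][0]


def mttr_distribution(events) -> Dict[str, Dict[str, Tuple[int, float]]]:
    """Count and percentage of remediated issues per priority and MTTR range."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, priority, days in remediation_intervals(events):
        counts[priority][bucket(days)] += 1
    result = {}
    for priority, ranges in counts.items():
        total = sum(ranges.values())
        result[priority] = {label: (n, round(100 * n / total, 1))
                            for label, n in ranges.items()}
    return result
```

With the sample log, ISS-2 contributes two intervals (10 days and 2 days) rather than a single 21-day one, which is what the re-entry rule in the definition requires, and ISS-3 is absent from every table because it has not yet become Inactive.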
Top 5 Countries with On Prem Issues

Displays the issue counts for the five countries with the most On Prem or Cloud issues, depending
on which one you selected using the toggle.
• Toggle between On Prem and Cloud issues.
• Click a highlighted country to display the list of Active issues filtered by On Prem or Cloud and
by country.
• Click Location Overview to display the Issues Overview Dashboard.
Riskiest Cloud Provider

The Riskiest Cloud Provider is the provider (excluding Other) with the highest number of Issues
with Medium or higher priority. The trend, which is the change in the number of Medium or higher
issues for that provider in the last 30 days, is displayed next to the provider name. In the chart,
each percentage is the % of cloud issues associated with that provider relative to all Medium or
higher priority cloud issues.
• Click the name of the Riskiest Cloud Provider (in the upper left) to display the Issues list filtered
by that provider, Active status, and Medium or higher priority.
• Click any provider on the chart to display the Issues list filtered by that provider, Active status,
and Medium or higher priority.
• Click Cloud Issues to display the Issues list filtered by all Cloud Providers, Active status, and
Medium or higher priority.
Remediated Issues

Displays the top ten issue types for Closed Issues with Medium or higher priority. For each issue
type the number of issues is broken down by Closed Issue Progress Status (Acceptable Risk, No
Risk, Resolved).
• Click a bar in the chart to display the list of issues filtered by issue type and the relevant
progress status.
• Click Closed Issues List to display the Issues list filtered by all Closed Issues Statuses.
Unmanaged Services

Displays the total number of directly discovered services that are not managed by Prisma Cloud.
The number to the right of the total shows the change in the total count in the last 30 days. The
chart displays the top 10 cloud providers based on the number of unmanaged, directly discovered
services.
• Click the Unmanaged Services total count to display the Services list filtered on a Discovery
Status of Directly Discovered and a Cloud Management Status of Unmanaged Cloud.
• Click a bar in the chart to display the Services list filtered by the provider.
• Click Unmanaged Services List to display the Services list filtered on a Discovery Status of
Directly Discovered and a Cloud Management Status of Unmanaged Cloud.
If you do not have the integration with Prisma Cloud, a note indicating that Prisma Cloud
integration is required will be displayed.
Total Providers

Displays the Cloud Service Providers your organization is using. The total count is the number of
providers that are hosting services (excluding Other) for your organization. Approved Providers
are displayed in shades of blue; Unapproved Providers are displayed in shades of red. The red or
blue is darker if the percentage of services hosted by that provider is higher. The size of each tile is
based on the percentage of total services hosted by that provider.
If you have not selected your approved providers in the Dashboard Preferences, all tiles in this
chart will be red (unapproved).
If you have selected your approved cloud service providers in the Dashboard Preferences,
approved providers will be blue. All other providers will be a shade of red.
The trend, which is the change in the total count in the last 30 days, appears to the right of the
total count.
• Click the total count to display the Services list filtered on Directly Discovered and Cloud
Providers (excluding Other).
• Click a tile in the chart to display the Services list filtered by that cloud provider and Directly
Discovered.
• Click All Services to display the Services list filtered on Directly Discovered and Cloud
Providers (excluding Other).
All Domain Registrars

Displays the total number of registrars that your domains are using. The trend, which is the change
in the total number of registrars in the last 30 days, is shown to the right of the total count. The
ten registrars with the most domains are displayed on the chart.
If you did not specify Approved Registrars in the Dashboard Preferences, all of the dots on the
chart will be red (unapproved).
If you specified your Approved Registrars in the Dashboard Preferences, your Approved Registrars
will have blue dots and the others will have red (unapproved).
• Click the total count to display the Domains list.
• Click any dot in the chart to display the Domains list filtered by that registrar.
• Click All Domains to display the Domains list.
All Certificate Issuers

Displays the total number of certificate issuers. The trend, which shows the change in the number
of certificate issuers in the last 30 days, is to the right of the total count. The bar chart shows
the ten issuers with the most certificates, with red bars indicating Unapproved Issuers and blue bars
indicating Approved Issuers.
If you did not specify Approved Certificate Issuers in Dashboard Preferences, then all certificate
issuers are considered Unapproved, and all of the bars in the bar chart will be red (Unapproved
Issuers).
If you specified your Approved Certificate Issuers in Dashboard Preferences, then only the
Approved Issuers will have blue bars, and all the rest will be red (Unapproved Issuers).
• Click the total count to display the Certificates list.
• Click any bar in the chart to display the Certificates list filtered by that issuer.
• Click All Certificate Issuers to display the Certificates list.
All Certificate Issues

Displays the total number of Active issues for all certificate issue types. The trend, which is the
change in the total number of Active certificate issues in the last 30 days, is displayed to the right
of the total count. The chart shows the Active certificate issues broken down by issue type.
• Click the total count to display the Issues list filtered by all certificate issue types.
• Click any bar in the chart to display the Issues list filtered by that issue type.
• Click Open Certificate Issues to display the Issues list filtered by all certificate issue types.
Unclaimed S3 Buckets in 30 Days

Displays the number of issues of the issue type Unclaimed S3 Buckets. The trend, which is the
change in the total in the last 30 days, is displayed to the right of the total.
• Click the count to display the Issues list filtered on the Unclaimed S3 Buckets issue type.

Issues Overview Dashboard

The Issues Overview filters default to Status = Active. Change this filter if you are
instead interested in trends for all Issues, both Active and Inactive.

The Issues Overview dashboard provides a powerful overview of Issues trends, including 30-day
trends, breakdowns by priority and progress, current assignee, and top issue types.
• Monitoring network risk over time—The Issues Overview dashboard graphically displays
trends in your network risk. Customers use this information to track and prioritize their
remediation efforts. Such charts can also illuminate spikes in Issue counts that warrant
investigation.
• Understanding the drivers behind Issue trends—This dashboard view includes many filters for
examining the drivers behind observed Issue trends.
• Measuring team progress—Through the Progress and Assignee charts, SecOps teams can track
their progress remediating Issues.
• Reporting within the organization—Cortex® Xpanse™ customers use the native reporting and
API interface to create actionable reports and visualizations for other teams and executives,
such as CISO, CIO, CEO, CDO, and CPO. Teams typically include Incident Response (IR), Risk
Management, IT Operations, and Application Development. Reporting can be used as "state
of the network" reports, providing snapshots of counts (at a given time) to help with security
strategies and resource planning.

Issues Overview Dashboard Layout

The Issues Overview provides a page divided into the following sections:
• Filter Bar Section—This section across the top of the page provides options to filter on Cortex®
Xpanse™ Issues, which in turn modify the dashboard displays.
• Summary Charts Section—These charts show the previous thirty days of Issues that Cortex
Xpanse tracks, including Open Critical/High, All Open, and All Closed.
• Progress Charts Section—These charts present Issues broken down by Priority by Progress and
by Assignee by Progress.
• Top Issue Type Charts Section—These charts show the Top Issue Types for Open Critical/High
Issues and Closed Issues.

Issues Overview Filter Bar Section

Some charts on the page are restricted to specific Priorities or Progress Statuses; keep this
in mind when interpreting results.

• Status Filter—Status may be Active or Inactive. Active status indicates that the Issue was
considered Active during the last Dashboard update. When done selecting status filter
options, select Apply to activate the filter.

This filter is set to Active when first navigating to the page.

• Business Units Filter—Cortex® Xpanse™ provides a drop-down menu to select one or more
business units from the list of business units in the Cortex Xpanse database. When done
selecting business unit filter options, select Apply to activate the filter.
• Tags Filter—Like the Business Units Filter, Cortex Xpanse provides a drop-down menu to select
one or more tags from the list of tags in the Cortex Xpanse database. When done selecting tag
filter options, select Apply to activate the filter.
• Issue Type Filter—Like the Business Units Filter, Cortex Xpanse provides a drop-down menu to
select one or more Issue Types. When done selecting filter options, select Apply to activate the
filter.
• Providers Filter—Like the Business Units Filter, Cortex Xpanse provides a drop-down menu to
select one or more Providers. When done selecting filter options, select Apply to activate the
filter.
Customize Filter Display
Cortex® Xpanse™ provides an option to customize the filter display. By clicking the Filters gear,
you can specify which filters are displayed in the dashboard. You also have an option to Save as
my default to make this selection your default Issues Overview dashboard filter setting.

Share Dashboard
Cortex® Xpanse™ provides the option to share the current dashboard with the Share Dashboard
icon. Click this icon, and Cortex Xpanse copies a link to your clipboard for sharing. Since the link
reflects all filter settings, this is a convenient way to share your current dashboard view.
Aack Surface Overview Dashboard


The Aack Surface Overview dashboard provides a way to get a clear aack surface overview,
delivering 30-day views of crical assets. Dashboards are extremely helpful in managing your
aack surface. Specific uses of dashboards include:
• Monitoring progress toward aack surface annotaon and enrichment—The Aack Surface
Overview dashboard graphically displays trends in your aack surface (services, domains,
cerficates, OnPrem IPs). Customers use this informaon to track their remediaon progress
and efforts. Such charts can also illuminate spikes in asset counts that warrant invesgaon.
• Comparing across business units—All dashboard reporng includes filters to isolate one
business unit from another. Managers can use filters to compare business unit progress and
reallocate resources as necessary.
• Measuring team progress—Through tags, SecOps teams can track asset exposure at a granular
level to monitor the team’s progress.
• Reporng within the organizaon—Cortex® Xpanse™ customers use the nave reporng and
API interface to create aconable reports and visualizaons for other teams and execuves,
such as CISO, CIO, CEO, CDO, and CPO. Teams typically include Incident Response (IR), Risk
Management, IT Operaons, and Applicaon Development. Reporng can be used as “state
of the network” reports, providing snapshots of counts (at a given me) to help with security
strategies and resource planning. Reporng can also include results of a Cortex Xpanse asset
audit, highlighng how many addional assets that Xpanse could idenfy for customers. An
asset audit is essenal to jusfy the ROI of an engagement.

Aack Surface Overview Dashboard Layout


The Aack Surface Overview dashboard includes the following secons:
• Filter Bar Secon—This secon across the top of the page provides opons to filter on Cortex®
Xpanse™ asset records, which in turn modify the dashboard displays.
• Summary Charts Secon—These charts show the previous thirty days of Assets that Cortex
Xpanse tracks, including Services, Domains, Cerficates, and OnPrem IPs.
• Top Count Summaries Secon—These charts present the top 5 Domain Registrars, Cerficate
Issuer Organizaons, and Providers.

• Tag Coverage Secon—Summarizes the tagging of assets by asset type over type.

Filter Bar Section

• The Filter Bar provides a drop-down box for each filter. These criteria come from the Assets
Detail View. To establish a single filter, select the Filter drop-down criteria, such as assets tagged
as data center. To set all requirements for a specific filter drop-down, click Select All. Once you
have selected your filter criteria, click Apply Filters. The following are the available filters:
• Status Filter—Status may be active or inactive. Active status indicates domains that resolve
and certificates that advertise. Note that OnPrem IPs do not have a status setting. Select a
status setting and select Apply to activate the filter.
• Business Units Filter—Cortex® Xpanse™ provides a drop-down menu to select one or more
business units from the list of business units in the Cortex Xpanse database. When done
selecting business unit filter options, select Apply to activate the filter.
• Tags Filter—Like the Business Units Filter, Cortex Xpanse provides a drop-down menu to
select one or more tags from the list of tags in the Cortex Xpanse database. When done
selecting tag filter options, select Apply to activate the filter.
Share Dashboard
Cortex® Xpanse™ provides the option to share the current dashboard with the Share Dashboard
icon. Click this icon, and Cortex Xpanse copies a link to your clipboard for sharing. Since the link
reflects all filter settings, this is a convenient way to share your current dashboard view.
Summary Charts Section
Each of the charts in this section presents the previous thirty days of Assets that Cortex®
Xpanse™ tracks, including Services, Domains, Certificates, and OnPrem IPs. At the top left of each
chart is the current total. Note that this number reflects your Cortex Xpanse inventory as of
yesterday. Therefore, there can be a slight discrepancy between the count on the summary chart
and the corresponding Asset List View page.

• Services—Service Assets represent your Internet-exposed services as attributed by Domains,
Certificates, and OnPrem IPs.
• Domains—For more information on domains, see Assets Domains.
• Certificates—For more information on certificates, see Assets Certificates.
• OnPrem IPs—For more information about on-prem IPs, see Assets IP Ranges.
Top Count Summaries Section
The Top Count Summaries section provides a quick view of top domain registrars, certificate
issuer organizations, and providers over the past 30 days.
• Top Domain Registrars—For more information on domain registrars, see Domains Detail View.
• Top Certificate Issuer Organizations—For more information on certificate issuer organizations,
see Certificates Details information.
• Top Providers—Displays the top providers of cloud assets. For more information on providers,
see Assets Detail View.
Tag Coverage Section
The Tag Coverage dashboard shows the change in the number of assets matching the tags selected
in the filter options over the past 30 days (count and percentage). The Tag Coverage dashboard
provides specific information based on your tagging, for example the number of OnPrem IPs that
have been validated, or the number of OnPrem IPs in your manufacturing business unit that have
been validated.

With this dashboard, you quickly see which asset types (Domains, Certificates, and OnPrem IPs)
experienced the most tagging changes. Note that by default the count and percentage is the
number of assets with at least one tag.
However, if you select one or more specific tags, then the table shows the number of assets with
at least one of the specified tags. The only exception is untagged, which is not counted unless it is
the only selection in the filter. To see how many assets are untagged, select only this option from
the tag filter drop-down menu.
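The counting rules in this section are short but easy to misread, especially the untagged exception. The following Python is an added example, not Cortex Xpanse code, that encodes those rules over a constructed set of asset records (with an optional business unit filter, as in the Filter Bar) and also computes the change between two snapshots. The asset records, tag names and business units are made up for the example.

```python
"""Tag Coverage counting rules from the section above.

Added example, not Cortex Xpanse code. Rules encoded: with no tags selected an
asset counts when it has at least one tag; with tags selected it counts when
it carries at least one of them; 'untagged' is honoured only when it is the
sole selection. The asset records, tags and business units are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

UNTAGGED = "untagged"  # the filter's pseudo-tag for assets that carry no tags

# Constructed sample: (asset_id, asset_type, business_unit, tags).
ASSETS = [
    ("ip-1", "OnPrem IP", "manufacturing", {"validated"}),
    ("ip-2", "OnPrem IP", "manufacturing", set()),
    ("ip-3", "OnPrem IP", "retail", {"validated", "data center"}),
    ("dom-1", "Domain", "retail", set()),
    ("dom-2", "Domain", "retail", {"data center"}),
    ("cert-1", "Certificate", "manufacturing", {"validated"}),
]

Coverage = Dict[str, Tuple[int, int, float]]


def matches_tag_filter(tags: Set[str], selected: Set[str]) -> bool:
    """Apply the dashboard's counting rule to one asset."""
    if not selected:
        return len(tags) > 0                         # default: at least one tag of any kind
    if selected == {UNTAGGED}:
        return len(tags) == 0                        # untagged counts only when chosen alone
    return bool(tags & (selected - {UNTAGGED}))      # otherwise 'untagged' is ignored


def tag_coverage(assets: Iterable[tuple], selected: Iterable[str] = (),
                 business_units: Optional[Set[str]] = None) -> Coverage:
    """Per asset type: (matching assets, total assets, percentage matching)."""
    chosen = set(selected)
    totals: Dict[str, int] = defaultdict(int)
    hits: Dict[str, int] = defaultdict(int)
    for _, asset_type, unit, tags in assets:
        if business_units is not None and unit not in business_units:
            continue  # Business Units filter narrows the population first
        totals[asset_type] += 1
        if matches_tag_filter(set(tags), chosen):
            hits[asset_type] += 1
    return {t: (hits[t], totals[t], round(100 * hits[t] / totals[t], 1)) for t in totals}


def coverage_change(before: Coverage, after: Coverage) -> Dict[str, Tuple[int, float]]:
    """Change in (matching count, percentage) per asset type between two snapshots."""
    empty = (0, 0, 0.0)
    return {t: (after[t][0] - before.get(t, empty)[0],
                round(after[t][2] - before.get(t, empty)[2], 1)) for t in after}
```

Selecting {"untagged", "validated"} together returns zero Domains, not the untagged dom-1, which is the exception the section describes; select "untagged" on its own to count dom-1 and ip-2.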

Unmanaged Cloud Overview Dashboard

This dashboard is available to Cortex® Xpanse™ customers that also use Prisma Cloud. Let your
Cortex Xpanse Engagement Manager know if you have Prisma Cloud and are interested in
enabling this dashboard.
The Unmanaged Cloud dashboard provides a powerful overview of Cortex Xpanse-discovered
Services and Issues that are not under the management of your Prisma Cloud deployment. This
allows customers to quantify the scope and risk of their unmanaged cloud services, and provides
actionable details on Services that may need to be brought under Prisma management.
The dashboard also provides complementary insight into Services and Issues that are under the
management of your Prisma deployment.

Cloud management status is not applied to Services deployed in the provider OnPrem or
the provider Other. This dashboard therefore excludes Services on those two providers.

Unmanaged Cloud Overview Dashboard Layout

The Unmanaged Cloud Overview provides a page divided into two sections:
• Title and Summary Statistics Section—This section across the top of the page provides
information about the last data refresh, a share button, and summary counts for key metrics
about your cloud services.
• Unmanaged Cloud Charts Section—These charts provide information on both managed and
unmanaged cloud services.
Title and Summary Statistics Section
This section of the Unmanaged Cloud Overview dashboard displays high-level information about
managed and unmanaged cloud services.

• Last Updated Date—This area shows the date of the most recent refresh for the dashboard's
data. Clicking on the information icon provides additional detail.
• Share Button—Clicking this button copies a dashboard link to the user's clipboard. The share
link can only be accessed by other users within the same Cortex® Xpanse™ Expander tenant.
• Total Unmanaged Cloud Services—This metric shows the number of unmanaged cloud services
and the percentage of cloud services this makes up.
• Issues on Unmanaged Cloud Services—This metric shows the number of Issues on unmanaged
cloud services and the percentage of cloud issues this makes up.
• Managed Cloud Services—This metric shows the number of cloud services under Prisma
management and the percentage of cloud services this makes up.

Unmanaged Cloud Charts Section


• Percentage Distribution of Unmanaged Cloud Services on Prisma Providers—This chart shows
the distribution of your cloud services that Cortex® Xpanse™ has discovered on Prisma-
compatible providers but that are not under the management of your existing Prisma accounts.

• Unmanaged Cloud Services on non-Prisma Providers—This chart shows the distribution of
your cloud services that are not on Prisma-managed providers. Click on a given horizontal bar
to drill through to Services details.


• Issues on Cloud Services by Priority—This chart shows the distribution of Issues on cloud
services by priority, separated by management status. Click on a given vertical bar to drill
through to Services details.

• Unmanaged Cloud Services Over Time—This chart shows the percentage of your cloud
services that have been unmanaged over time. The chart goes back 29 days and shows the
percentage change from the beginning of the chart to the end.

Compliance Assessments Dashboard


Not all policies are mapped to the compliance frameworks as they are released. Cortex®
Xpanse™ continues to update the mapping as frequently as possible in order to ensure the
dashboard is up to date based on the latest policies released in the platform.

The Compliance Assessment dashboard takes a compliance-focused lens and applies it to the
Issues policies in Cortex Xpanse, so customers can better understand how the Issues on their
external network impact compliance controls.
Currently available assessments:
• NIST 800-53
• NIST 800-171
• CMMC L1-L5


Cortex Xpanse worked with its internal subject matter experts as well as third-party experts
to develop these mappings against our policies, assuming that all assets have already been
inventoried. The mapping focuses on which policies may need to be reviewed, because a gap in
those policies could have led to a given service or Issue being exposed to the Internet. On the
summary tab, a reviewer may notice similar sets of detections for all Issues. This is intentional:
more information gathering and investigation via a security impact analysis (SIA) should be
conducted to rule out the worst-case scenario. As part of your investigation via the SIA, give
consideration to each control in each framework that is mapped, as applicable to your security
and compliance objectives.

Compliance Assessment Dashboard Content


The Compliance Assessment dashboard provides information about how Issues identified by
Xpanse impact standard compliance controls. You can filter the dashboard using the dropdown
menu to show compliance violation information for the following compliance frameworks:
• NIST 800-53
• CMMC L1-L5
• NIST 800-171

At the top of the Compliance Assessment dashboard are additional dashboard filters, the Share
Dashboard button, and the Last Updated date.
• Use the dropdown filters to filter the data in the Compliance Assessment dashboard by
Business Unit, Tag, and Provider.
• Click Share Dashboard to copy the link to the dashboard, including your current filter settings,
to your clipboard.
• Last Updated provides the date of the most recent refresh for the dashboard data. Changes to
data may take 24 hours to appear in the dashboard.
The Compliance Assessment dashboard includes the following widgets:


• Potenal Violaons by Priority Donut Chart—Potenal compliance assessment violaons by


Issue priority.
• Drill down to the issues page with preset filters by clicking on any of the numbers in the
chart

• Potenal Violaons by Business Unit—Break down of potenal violaons by business unit.


• Potenal Violaons by Tags—Break down of potenal violaons by tags.

• Potenal Control Violaons Detail Table—Shows Control Families within the assessment
framework that shows counts of violaons by Issue priority and which way those counts are
trending.
• Trends for counts are based on the change in the last seven days.
• If you hover over the number, it will describe the trend and change over the seven-day
period.
• The counts here WILL NOT match the counts in Issues. One issue can account for mulple
compliance violaons.
• All numbers in the table can be drilled into which takes the User to the Issues module with
preset filters based on the count they selected to invesgate
• Each Control Family can be drilled into for a more granular break down by Control where
all charts will be adjusted to reflect only the counts/metrics associated with that Control
Family.


• Top Assets with Issues—Lists the ten assets with the most compliance violations, and includes
the following information:
• Violations—Total number of violations for that asset
• Controls Impacted—The list of controls impacted by those violations
• Total Issues—The total number of Issues for that asset. Clicking the Total Issues count
displays the Issues list filtered by the IP address or domain of the asset.
• Issue Priority—The breakdown of Issues by priority. Clicking an Issue Priority number
displays the Issues list filtered by the IP address or domain of the asset and the Issue priority.
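The detail table and the Top Assets widget above both count potential violations rather than Issues, which is why their totals never match the Issues module: one Issue raised by one policy fans out into every control that policy is mapped to, and an Issue whose policy has no mapping yet contributes nothing. The following Python is an added example, not Cortex Xpanse code and not the Cortex Xpanse mapping; the Issues, the asset names, the policy-to-control mapping and the refresh date are all constructed for illustration. It shows the fan-out, the per-family counts by priority, a seven-day trend computed from first-seen dates, and the Top Assets rows.

```python
"""Added example (not Cortex Xpanse code): how Issue counts turn into
compliance-violation counts. All data is constructed; the policy-to-control
mapping is hypothetical and the control IDs only borrow the NIST 800-53
naming style (family prefix, dash, number) for readability."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample of Issues, each tagged with the policy that raised it.
ISSUES = [
    {"id": 1, "asset": "203.0.113.10", "policy": "Insecure SSH Server",
     "priority": "High", "first_seen": date(2022, 9, 20)},
    {"id": 2, "asset": "203.0.113.10", "policy": "Expired TLS Certificate",
     "priority": "Medium", "first_seen": date(2022, 9, 30)},
    {"id": 3, "asset": "198.51.100.7", "policy": "Exposed Admin Panel",
     "priority": "Critical", "first_seen": date(2022, 10, 1)},
    {"id": 4, "asset": "198.51.100.7", "policy": "Expired TLS Certificate",
     "priority": "Medium", "first_seen": date(2022, 9, 1)},
    # A policy with no mapping yet: still an Issue, but yields no violation.
    {"id": 5, "asset": "www.example.com", "policy": "Unmapped Policy",
     "priority": "Low", "first_seen": date(2022, 9, 25)},
]

# Hypothetical policy -> controls mapping: one policy, several controls.
POLICY_CONTROLS = {
    "Insecure SSH Server": ["AC-17", "IA-2", "SC-8"],
    "Expired TLS Certificate": ["SC-8", "SC-12"],
    "Exposed Admin Panel": ["AC-3", "AC-17", "CM-7"],
}

# Constructed "last refresh" date used as the end of the seven-day window.
AS_OF = date(2022, 10, 3)


def control_family(control_id):
    """'AC-17' -> 'AC'."""
    return control_id.split("-", 1)[0]


def potential_violations(issues, mapping):
    """Expand every Issue into one (control, issue) pair per mapped control.
    Issues whose policy is absent from the mapping contribute nothing."""
    return [(ctrl, issue) for issue in issues
            for ctrl in mapping.get(issue["policy"], [])]


def total_violations(issues, mapping):
    return len(potential_violations(issues, mapping))


def violations_by_family_and_priority(issues, mapping):
    """Rows of the detail table: {family: Counter({priority: count})}."""
    counts = defaultdict(Counter)
    for ctrl, issue in potential_violations(issues, mapping):
        counts[control_family(ctrl)][issue["priority"]] += 1
    return counts


def seven_day_trend(issues, mapping, as_of=AS_OF):
    """Change in the violation count versus the data as it stood seven days
    earlier; Issues first seen inside the window are the new ones."""
    window_start = as_of - timedelta(days=7)
    earlier = [i for i in issues if i["first_seen"] < window_start]
    return total_violations(issues, mapping) - total_violations(earlier, mapping)


def top_assets(issues, mapping, limit=10):
    """Top Assets rows: violations, controls impacted, total Issues and
    Issues by priority, ordered by most violations first."""
    rows = defaultdict(lambda: {"violations": 0, "controls": set(),
                                "total_issues": 0, "by_priority": Counter()})
    for issue in issues:
        rows[issue["asset"]]["total_issues"] += 1
        rows[issue["asset"]]["by_priority"][issue["priority"]] += 1
    for ctrl, issue in potential_violations(issues, mapping):
        rows[issue["asset"]]["violations"] += 1
        rows[issue["asset"]]["controls"].add(ctrl)
    ordered = sorted(rows.items(), key=lambda kv: (-kv[1]["violations"], kv[0]))
    return [{"asset": asset, **row} for asset, row in ordered[:limit]]


if __name__ == "__main__":
    print("Issues:", len(ISSUES),
          "potential violations:", total_violations(ISSUES, POLICY_CONTROLS))
    for family, by_priority in sorted(
            violations_by_family_and_priority(ISSUES, POLICY_CONTROLS).items()):
        print(family, dict(by_priority))
    print("7-day trend:", seven_day_trend(ISSUES, POLICY_CONTROLS))
    for row in top_assets(ISSUES, POLICY_CONTROLS):
        print(row["asset"], row["violations"], sorted(row["controls"]))
```

With the constructed data, five Issues become ten potential violations, and the asset with the unmapped policy appears in Top Assets with one Issue but zero violations, which is the situation the "counts WILL NOT match" note describes.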

CMMC L1-L5 Unevaluated Controls


Not all compliance violations can be detected from our scan data. Cortex® Xpanse™ provides an
external view of your attack surface. The controls listed below would require data from internal
scans or checks against internal controls and processes where Xpanse does not have visibility.
Therefore, Xpanse cannot make a determination regarding compliance with these specific controls.
The following controls, organized by control family, are unevaluated by the Cortex Xpanse
Compliance Assessment > CMMC L1-L5 dashboard.

Table 1: Access Control

AC.1.004  Control CUI posted or processed on publicly accessible systems.
AC.3.019  Terminate (automatically) a user session after a defined condition.
AC.3.020  Control connection of mobile devices.
AC.3.021  Authorize remote execution of privileged commands and remote access to security-relevant information.
AC.3.022  Encrypt CUI on mobile devices.
AC.4.032  Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
AC.5.024  Identify and mitigate risk associated with unidentified wireless access points connected to the network.

Table 2: Asset Management

AM.4.226  Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

Table 3: Awareness and Training

AT.2.056  Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
AT.2.057  Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
AT.3.058  Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Table 4: Audit and Accountability

AU.2.041  Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.2.042  Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AU.2.043  Provide system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
AU.3.045  Review and update events.
AU.3.046  Alert in the event of an audit process failure.
AU.3.048  Collect audit information (e.g., logs) into one or more central repositories.
AU.3.049  Protect audit information and audit tools from unauthorized access, modification, and deletion.
AU.3.050  Limit management of audit functionality to a subset of privileged users.
AU.3.051  Correlate audit review, analysis, and reporting processes for investigation and response to indications of suspicious or unusual activity.
AU.3.052  Provide audit reduction and report generation to support on-demand analysis and reporting.
AU.5.055  Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.

Table 5: Configuration Management

CM.2.063  Control and monitor user-installed software.
CM.2.065  Track, review, approve or disapprove, and audit log changes to organizational systems.
CM.2.066  Analyze the security impact of changes prior to implementation.
CM.3.067  Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.3.068  Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
CM.3.069  Apply deny-by-exception (block list) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (allow list) policy to allow the execution of authorized software.
CM.4.073  Employ an application allow list and an application vetting process for systems identified by the organization.

Table 7: Identification and Authentication

IA.1.076  Identify system users, processes acting on behalf of users, and devices.
IA.3.083  Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
IA.3.084  Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA.3.085  Prevent reuse of identifiers for a defined period.
IA.3.086  Disable identifiers after a defined period of inactivity.

Table 8: Incident Response

IR.2.092  Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.3.098  Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
IR.3.099  Test the organizational incident response capability.
IR.4.100  Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.
IR.5.108  Establish and maintain a Cyber Incident Response Team (CIRT) that can investigate an issue physically or virtually at any location within 24 hours.
IR.5.110  Perform unannounced operational exercises to demonstrate technical and procedural responses.

Table 9: Maintenance

MA.2.111  Perform maintenance on organizational systems.
MA.2.112  Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MA.2.113  Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
MA.2.114  Supervise the maintenance activities of maintenance personnel without required access authorization.
MA.3.115  Ensure equipment removed for off-site maintenance is sanitized of any CUI.
MA.3.116  Check media containing diagnostic and test programs for malicious code before the media are used in the organizational systems.

Table 10: Media Protection

MP.1.118  Sanitize or destroy information system media containing CUI before disposal or release for reuse.
MP.2.119  Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
MP.2.120  Limit access to CUI on information system media to authorized users.
MP.2.121  Control the use of removable media on system components.
MP.3.122  Mark media with necessary CUI markings and distribution limitations.
MP.3.123  Prohibit the use of portable storage devices when such devices have no identifiable owner.
MP.3.124  Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
MP.3.125  Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Table 11: Physical Protection

PE.1.133  Maintain audit logs of physical access.
PE.2.135  Protect and monitor the physical facility and support infrastructure for organizational systems.
PE.3.136  Enforce safeguarding measures for CUI at alternate work sites.

Table 12: Recovery

RE.3.139  Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.
RE.5.140  Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

Table 13: Risk Management

RM.3.144  Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

Table 14: Security Assessment

CA.2.157  Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
CA.2.158  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
CA.2.159  Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CA.3.161  Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
CA.4.164  Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.

Table 15: Situational Awareness

SA.4.173  Design network and system security capabilities to leverage, integrate, and share indicators of compromise.

Table 16: System and Communication Protection

SC.3.177  Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.3.180  Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
SC.3.181  Separate user functionality from information system management functionality.
SC.3.182  Prevent unauthorized and unintended information transfer via shared system resources.
SC.3.183  Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SC.3.184  Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
SC.3.185  Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
SC.3.186  Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
SC.3.188  Control and monitor the use of mobile code.
SC.3.189  Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
SC.3.190  Protect the authenticity of communications sessions.
SC.3.191  Protect the confidentiality of CUI at rest.

NIST 800-53 Unevaluated Controls


Not all compliance violations can be detected from our scan data. Cortex Xpanse provides an
external view of your attack surface. The controls listed below would require data from internal
scans or checks against internal controls and processes where Xpanse does not have visibility.
Therefore, Xpanse cannot make a determination regarding compliance with these specific controls.
The following controls, organized by control family, are unevaluated by the Expander Compliance
Assessment > NIST 800-53 dashboard.

Table 17: Access Control

AC-1  Access Control Policy and Procedures
AC-5  Separation of Duties
AC-7  Unsuccessful Login Attempts
AC-9  Previous Logon (Access) Notification
AC-10  Concurrent Session Control
AC-16  Security Attributes
AC-18  Wireless Access
AC-19  Access Control for Mobile Devices
AC-20  Use of External Information Systems
AC-21  Information Sharing
AC-22  Publicly Accessible Content
AC-23  Data Mining Protection
AC-24  Access Control Decisions
AC-25  Reference Monitor

Table 18: Audit and Accountability

AU-1  Audit and Accountability Policy and Procedures
AU-4  Audit Storage Capacity
AU-7  Audit Reduction and Report Generation
AU-8  Time Stamps
AU-9  Protection of Audit Information
AU-11  Audit Record Retention
AU-13  Monitoring for Information Disclosure
AU-14  Session Audit
AU-15  Alternate Audit Capability
AU-16  Cross-Organizational Auditing

Table 19: Awareness and Training (entire Family)

AT-1  Security Awareness and Training Policy and Procedures
AT-2  Security Awareness Training
AT-3  Role-Based Security Training
AT-4  Security Training Records

Table 20: Configuration Management

CM-1  Configuration Management Policy and Procedures
CM-5  Access Restrictions for Change
CM-9  Configuration Management Plan
CM-11  User-Installed Software

Table 21: Contingency Planning

CP-1  Contingency Planning Policy and Procedures
CP-3  Contingency Training
CP-4  Contingency Plan Testing
CP-6  Alternate Storage Site
CP-7  Alternate Processing Site
CP-8  Telecommunications Services
CP-11  Alternate Communications Protocols
CP-12  Safe Mode
CP-13  Alternative Security Mechanisms

Table 22: Identification and Authentication

IA-1  Identification and Authentication Policy and Procedures
IA-9  Service Identification and Authentication
IA-10  Adaptive Identification and Authentication
IA-11  Re-authentication

Table 23: Incident Response

IR-1  Incident Response Policy and Procedures
IR-2  Incident Response Training
IR-3  Incident Response Testing
IR-10  Integrated Information Security Analysis Team

Table 24: Maintenance

MA-1  System Maintenance Policy and Procedures
MA-3  Maintenance Tools
MA-4  Nonlocal Maintenance
MA-5  Maintenance Personnel
MA-6  Timely Maintenance

Table 25: Media Protection

MP-1  Media Protection Policy and Procedures
MP-2  Media Access
MP-3  Media Marking
MP-4  Media Storage
MP-5  Media Transport
MP-7  Media Use
MP-8  Media Downgrading

Table 26: Personnel Security (entire Family)

PS-1  Personnel Security Policy and Procedures
PS-2  Position Risk Designation
PS-3  Personnel Screening
PS-4  Personnel Termination
PS-5  Personnel Transfer
PS-6  Access Agreements
PS-7  Third-Party Personnel Security
PS-8  Personnel Sanctions

Table 27: Physical and Environmental Protection

PE-1  Physical and Environmental Protection Policy and Procedures
PE-2  Physical Access Authorizations
PE-4  Access Control for Transmission Medium
PE-5  Access Control for Output Devices
PE-6  Monitoring Physical Access
PE-8  Visitor Access Records
PE-9  Power Equipment and Cabling
PE-10  Emergency Shutoff
PE-11  Emergency Power
PE-12  Emergency Lighting
PE-13  Fire Protection
PE-14  Temperature and Humidity Controls
PE-15  Water Damage Protection
PE-16  Delivery and Removal
PE-17  Alternate Work Site
PE-18  Location of Information System Components
PE-19  Information Leakage
PE-20  Asset Monitoring and Tracking

Table 28: Planning

PL-1  Security Planning Policy and Procedures
PL-4  Rules of Behavior
PL-7  Security Concept of Operations
PL-8  Information Security Architecture
PL-9  Central Management

Table 29: Program Management (entire Family)

PM-1  Information Security Program Plan
PM-2  Senior Information Security Officer
PM-3  Information Security Resources
PM-4  Plan of Action and Milestones Process
PM-5  Information System Inventory
PM-6  Information Security Measures of Performance
PM-7  Enterprise Architecture
PM-8  Critical Infrastructure Plan
PM-9  Risk Management Strategy
PM-10  Security Authorization Process
PM-11  Mission/Business Process Definition
PM-12  Insider Threat Program
PM-13  Information Security Workforce
PM-14  Testing, Training, and Monitoring
PM-15  Contacts with Security Groups and Associations
PM-16  Threat Awareness Program

Table 30: Risk Assessment

RA-1  Risk Assessment Policy and Procedures
RA-2  Security Categorization
RA-6  Technical Surveillance Countermeasures Survey

Table 31: Security Assessment and Authorization

CA-1  Security Assessment and Authorization Policies and Procedures
CA-2  Security Assessments
CA-5  Plan of Action and Milestones
CA-6  Security Authorization
CA-9  Internal System Connections

Table 32: System and Communication Protection

SC-2  Application Partitioning
SC-3  Security Function Isolation
SC-4  Information in Shared Resources
SC-6  Resource Availability
SC-11  Trusted Path
SC-16  Transmission of Security Attributes
SC-18  Mobile Code
SC-19  Voice Over Internet Protocol
SC-20  Secure Name/Address Resolution Service (Authoritative Source)
SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22  Architecture and Provisioning for Name/Address Resolution Service
SC-23  Session Authenticity
SC-24  Fail in Known State
SC-25  Thin Nodes
SC-26  Honeypots
SC-29  Heterogeneity
SC-30  Concealment and Misdirection
SC-31  Covert Channel Analysis
SC-32  Information System Partitioning
SC-34  Non-Modifiable Executable Programs
SC-35  Honeyclients
SC-36  Distributed Processing and Storage
SC-37  Out-of-Band Channels
SC-38  Operations Security
SC-39  Process Isolation
SC-40  Wireless Link Protection
SC-41  Port and I/O Device Access
SC-42  Sensor Capability and Data
SC-43  Usage Restrictions
SC-44  Detonation Chambers

Table 33: System and Information Integrity

SI-1  System and Information Integrity Policy and Procedures
SI-5  Security Alerts, Advisories, and Directives
SI-6  Security Function Verification
SI-7  Software, Firmware, and Information Integrity
SI-11  Error Handling
SI-12  Information Handling and Retention
SI-13  Predictable Failure Prevention
SI-14  Non-Persistence
SI-15  Information Output Filtering
SI-16  Memory Protection
SI-17  Fail-Safe Procedures

Table 34: System and Services Acquisition

SA-2  Allocation of Resources
SA-5  Information System Documentation
SA-9  External Information System Services
SA-13  Trustworthiness
SA-14  Criticality Analysis
SA-15  Development Process, Standards, and Tools
SA-18  Tamper Resistance and Detection
SA-19  Component Authenticity
SA-20  Customized Development of Critical Components
SA-21  Developer Screening

NIST 800-171 Unevaluated Controls


Not all compliance violations can be detected from our scan data. Cortex Xpanse provides an
external view of your attack surface. The controls listed below would require data from internal
scans or checks against internal controls and processes where Xpanse does not have visibility.
Therefore, Xpanse cannot make a determination regarding compliance with these specific controls.
The following controls, organized by control family, are unevaluated by the Expander Compliance
Assessment > NIST 800-171 dashboard.

Table 35: Access Control

3.1.9  Provide privacy and security notices consistent with applicable CUI rules.
3.1.10  Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
3.1.11  Terminate (automatically) a user session after a defined condition.
3.1.14  Route remote access via managed access control points.
3.1.15  Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16  Authorize wireless access prior to allowing such connections.
3.1.17  Protect wireless access using authentication and encryption.
3.1.18  Control connection of mobile devices.
3.1.19  Encrypt CUI on mobile devices.
3.1.20  Verify and control/limit connections to and use of external information systems.
3.1.21  Limit use of portable storage devices on external systems.
3.1.22  Control CUI posted or processed on publicly accessible systems.

Table 36: Awareness and Training

3.2.1  Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2  Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.3  Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Table 37: Audit and Accountability

3.3.1  Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.2  Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
3.3.3  Review and update events.
3.3.4  Alert in the event of an audit process failure.
3.3.5  Correlate audit review, analysis, and reporting processes for investigation and response to indications of suspicious or unusual activity.
3.3.6  Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.7  Provide system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8  Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.3.9  Limit management of audit functionality to a subset of privileged users.

Table 38: Configuration Management

3.4.3  Track, review, approve or disapprove, and audit log changes to organizational systems.
3.4.4  Analyze the security impact of changes prior to implementation.
3.4.5  Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.7  Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8  Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9  Control and monitor user-installed software.

Table 39: Identification and Authentication

3.5.1  Identify system users, processes acting on behalf of users, and devices.
3.5.3  Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.5.4  Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
3.5.5  Prevent reuse of identifiers for a defined period.
3.5.6  Disable identifiers after a defined period of inactivity.
3.5.7  Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8  Prohibit password reuse for a specified number of generations.
3.5.9  Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10  Store and transmit only cryptographically-protected passwords.
3.5.11  Obscure feedback of authentication information.

Table 40: Incident Response

3.6.1  Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2  Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.6.3  Test the organizational incident response capability.

Table 41: Maintenance

3.7.1  Perform maintenance on organizational systems.
3.7.2  Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3.7.3  Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4  Check media containing diagnostic and test programs for malicious code before the media are used in the organizational systems.
3.7.5  Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6  Supervise the maintenance activities of maintenance personnel without required access authorization.

Table 42: Media Protection

3.8.1 Protect (i.e., physically control and securely


store) system media containing CUI, both
paper and digital.


3.8.2 Limit access to CUI on information system media to authorized users.
3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
3.8.4 Mark media with necessary CUI markings and distribution limitations.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 Control the use of removable media on system components.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.

Table 43: Recovery

3.8.9 Protect the confidentiality of backup CUI at storage locations.

Table 44: Personnel Security

3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Table 45: Physical Protection

3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.


3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.4 Maintain audit logs of physical access.
3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

Table 46: Security Assessment

3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Table 47: System and Communication Protection

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.13.3 Separate user functionality from information system management functionality.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.


3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.13 Control and monitor the use of mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.

Table 48: System and Information Integrity

3.14.6 Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Remote Aack Surface Overview


The Remote Aack Surface dashboard provides a consolidated view of your remote worker aack
surface using device data from a remote aack surface connector combined with public internet
informaon discovered by Cortex® Xpanse™. This API integraon between Cortex Xpanse and
Cortex XDR or GlobalProtect enables you to idenfy and alert on security issues on remote
worker systems and network environments.


The following secons provide details about Aack Surface Management for Remote Workers, the
Remote Aack Surface dashboard, and how to configure a remote aack surface connector:
• Remote Aack Surface with Cortex XDR
• Remote Aack Surface with GlobalProtect
• Remote Aack Surface Use Cases
• Remote Aack Surface Assets
• Remote Aack Surface Dashboard
• Cortex XDR API Connector
• GlobalProtect API Connector

Remote Aack Surface with Cortex XDR


The Cortex XDR™ Agent can be installed on workstaons, servers, cloud instances, and mobile
devices. Cortex Xpanse ingests this data for all devices that have a public IP address and have
communicated with the Cortex XDR server in the last 48 hours to idenfy remote workforce
devices associated with your organizaon. Cortex Xpanse displays all of the networks that your
Cortex XDR devices are connected to and categorizes each network as either Remote (if the
network’s IP address does not overlap with your organizaon’s asset map) or Corporate (if the
network IP address overlaps with your organizaon's asset map). Cortex Xpanse also enables you
to drill down into each network to see the list of individual devices using that network.
Cortex Xpanse cross references Cortex XDR endpoint data with its own global scan data
to idenfy issues and services running on the networks where employees are located. This
funconality enables you to view the risky Services and Issues associated with your remote
worker networks and devices. Security risks idenfied by Cortex Xpanse on your remote networks
can be remediated directly on the device via Cortex XDR or via network configuraon.

Remote Aack Surface with GlobalProtect


GlobalProtect is a powerful VPN technology offered by Palo Alto Networks that can be deployed
through Next-Gen Firewalls (NGFW) and Prisma Access. Cortex Xpanse ingests this data for
all devices that have iniated a session with GlobalProtect within the last 24 hours to idenfy
devices that belong to your organizaon. Cortex Xpanse displays all of the networks that your
GlobalProtect devices are connected to and categorizes each network as either Remote (if the
network’s IP address does not overlap with your organizaon’s asset map) or Corporate (if the
network IP address overlaps with your organizaon's asset map). Cortex Xpanse also enables you
to drill down into each network to see the list of individual devices using it.
Cortex Xpanse cross references GlobalProtect client data with its own global scan data to idenfy
issues and services running on the networks where employees are located. This funconality
enables you to find the risky services and issues associated with your remote worker networks
and devices.

Remote Aack Surface Assets


Using the device data from Cortex XDR™ or GlobalProtect, Cortex® Xpanse™ idenfies the
following Remote Aack Surface asset types:
• Workforce Device—Device on which the XDR agent is installed. All Workforce Devices
have a public IP address that is either part of a Remote Network or, if the public IP address

overlaps with your organization’s asset map, a Corporate Network. Cortex Xpanse categorizes Workforce Devices as Assets.
• Network—A Network is a collection of Workforce Devices that share a Public IP address. Devices cannot belong to more than one Network at a time; however, devices can move from one Network to another. A Network can be either Corporate or Remote depending on whether the Public IP address of the Network overlaps with any of the organization’s other assets. Cortex Xpanse categorizes Networks as Assets.
• Corporate Network—A Corporate Network is a type of Network that includes all devices that connect to the Internet through a public IP address that is owned or managed by the organization, including Remote Devices connected to the VPN. Ownership of the IP address is inferred by the overlap between a Network and other assets in Xpanse.
• Remote Network—A Remote Network is a type of Network in which all devices connect to the Internet through a public IP address that is not owned or managed by your organization. An example of a Remote Network is an employee using their home ISP connection without connecting to the VPN.

Remote Aack Surface Use Cases


Cortex® Xpanse™ supports a number of use cases to protect your remote aack surface.

Use Case Xpanse + Cortex XDR Xpanse +


GlobalProtect

Reveal risks and reduce the aack surface


related to the remote employee environment
Xpanse ingests Cortex XDR endpoint data and
GlobalProtect client data and combines it with
its global scan results to find risky services
and issues. Xpanse creates new Services and
Issues in Expander, which you can remediate
through XDR or network configuraon.

Idenfy the internal and external IP mapping of


your remote workforce
For issues detected on networks where a
Cortex XDR agent is installed or GlobalProtect
client is deployed, Cortex Xpanse will know
the most recent internal IP address of the
device, which can aid in invesgaon and
remediaon.

Ensure employees are using a VPN service


Cortex Xpanse creates new Remote Device
records for each Cortex XDR endpoint and
maintains a history of IP addresses the
endpoint has used. These IP addresses can

be compared to your global VPN network to ensure employees are using the VPN service.
• Discover the gaps in coverage of Cortex XDR agents in your organization—Cortex Xpanse can identify services running on core infrastructure that lack a corresponding Cortex XDR Agent. Within Expander you can filter Services and Issues by whether or not a Cortex XDR Agent is present.
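The Network grouping and Corporate/Remote classification described under Remote Attack Surface Assets, together with the VPN-usage comparison in the use case list above, worked through in Python as an added example (this is illustrative code, not Xpanse's own). The asset-map ranges, VPN egress ranges, device records and timestamps are constructed sample data; the 48-hour and 24-hour recency windows are the ones the guide states for Cortex XDR and GlobalProtect, and the non-public IP filter is a deliberate simplification so that RFC 5737 documentation addresses can serve as sample public IPs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample asset map (RFC 5737 documentation ranges), standing in for
# the IP ranges Xpanse has attributed to the organization.
ORG_ASSET_MAP = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Constructed: egress ranges of the organization's VPN (assumed to sit inside the asset map).
VPN_RANGES = [ip_network("203.0.113.0/24")]

# Recency windows the guide states for each connector.
RECENCY_WINDOW = {"xdr": timedelta(hours=48), "globalprotect": timedelta(hours=24)}

# Simplified non-public filter. ipaddress's is_global would also reject the
# documentation ranges used as sample data here, so RFC 1918, loopback,
# link-local and CGNAT ranges are listed explicitly instead.
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


@dataclass
class DeviceRecord:
    """One device as reported by a remote attack surface connector (constructed shape)."""
    device_id: str
    source: str            # "xdr" or "globalprotect"
    public_ip: str         # public IP the device currently egresses from
    last_seen: datetime    # last contact with the XDR server / GlobalProtect gateway
    ip_history: list[str] = field(default_factory=list)


@dataclass
class WorkforceNetwork:
    public_ip: str
    network_type: str      # "Corporate" or "Remote"
    devices: list[str] = field(default_factory=list)


def is_public(ip) -> bool:
    return not any(ip in net for net in NON_PUBLIC)


def classify_network(ip, asset_map) -> str:
    """Corporate if the public IP overlaps the asset map, otherwise Remote."""
    return "Corporate" if any(ip in net for net in asset_map) else "Remote"


def build_workforce_networks(records, asset_map, now) -> dict[str, WorkforceNetwork]:
    """Group recently seen devices into Networks keyed by their shared public IP."""
    networks: dict[str, WorkforceNetwork] = {}
    for rec in records:
        if now - rec.last_seen > RECENCY_WINDOW[rec.source]:
            continue                       # stale: outside the connector's window
        ip = ip_address(rec.public_ip)
        if not is_public(ip):
            continue                       # only public egress IPs form Networks
        net = networks.setdefault(
            rec.public_ip, WorkforceNetwork(rec.public_ip, classify_network(ip, asset_map)))
        net.devices.append(rec.device_id)  # a device belongs to exactly one Network
    return networks


def network_summary(networks) -> dict[str, int]:
    """The counts behind the Active Workforce Networks dashboard widget."""
    corporate = sum(1 for n in networks.values() if n.network_type == "Corporate")
    return {"active": len(networks), "corporate": corporate,
            "remote": len(networks) - corporate}


def devices_never_on_vpn(records, vpn_ranges) -> list[str]:
    """Device IDs whose recorded IP history never fell inside a VPN egress range."""
    result = []
    for rec in records:
        seen = [ip_address(ip) for ip in rec.ip_history] or [ip_address(rec.public_ip)]
        if not any(ip in net for ip in seen for net in vpn_ranges):
            result.append(rec.device_id)
    return sorted(result)


NOW = datetime(2022, 10, 3, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE_RECORDS = [  # constructed sample connector output
    DeviceRecord("d1", "xdr", "203.0.113.10", NOW - 1 * H, ["203.0.113.10"]),
    DeviceRecord("d2", "xdr", "203.0.113.10", NOW - 2 * H, ["192.0.2.40", "203.0.113.10"]),
    DeviceRecord("d3", "xdr", "192.0.2.77", NOW - 3 * H, ["192.0.2.77", "192.0.2.80"]),
    DeviceRecord("d4", "globalprotect", "192.0.2.77", NOW - 30 * H),  # beyond the 24 h window
    DeviceRecord("d5", "xdr", "10.1.2.3", NOW - 1 * H),               # private IP, skipped
    DeviceRecord("d6", "xdr", "198.51.100.200", NOW - 5 * H),         # outside the /25: Remote
]

if __name__ == "__main__":
    nets = build_workforce_networks(SAMPLE_RECORDS, ORG_ASSET_MAP, NOW)
    for n in nets.values():
        print(f"{n.public_ip:16} {n.network_type:9} devices={n.devices}")
    print(network_summary(nets))
    print("never on VPN:", devices_never_on_vpn(SAMPLE_RECORDS, VPN_RANGES))
```

Note that 198.51.100.200 lands in a Remote Network even though the neighbouring /25 is in the asset map: the overlap test is exact, so a partial range attribution changes the classification.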

Remote Aack Surface Dashboard


The Cortex® Xpanse™ Remote Aack Surface dashboard provides a consolidated view of your
remote worker aack surface, with the ability to drill down into the details of the issues, services,
devices, and networks that make up your remote aack surface.

The Cortex® Xpanse™ Remote Aack Surface dashboard is available to customers who
have API integraon between Cortex Xpanse and Cortex XDR™ or GlobalProtect™. For
informaon see Cortex XDR API Connector and GlobalProtect API Connector.

At the top of the Remote Aack Surface dashboard page are the dashboard filters, the Share
Dashboard buon, and Last Updated date.
• Use the dropdown filters to filter the data in the Remote Aack Surface dashboard.
• Click Share Dashboard to copy the link to the dashboard, including your current filter sengs,
to your clipboard.
• Last Updated provides the date of the most recent refresh for the dashboard data. Changes to
data may take 24 hours to appear in the dashboard.


Remote Attack Surface Dashboard Widgets

The Remote Attack Surface dashboard contains the following widgets:
• Active Workforce Networks
Displays the number of active Workforce Networks, as well as a breakdown of Corporate and Remote Networks.
  • Click the Active Networks count to display the list of your Workforce Networks with the status Active.
  • Click the Remote or Corporate counts to display the list of active Workforce Networks with the Remote or Corporate network type filter applied.
  • Click All Workforce Networks to display the list of all your networks.
• Total Workforce Devices
Displays the overall number of your Workforce Devices, as well as a breakdown of workforce devices on your Remote and Corporate Networks. The change in the Total Workforce Devices count in the last 30 days is displayed next to the overall count. The graph displays the overall Total Workforce Device trend over time.
  • Click the Total Workforce Devices count to display a complete list of your workforce devices.
  • Mouse over the graph to display the Workforce Device count for a specific date.
  • Click the Remote Network or Corporate Network device counts to display the device list with the Remote Network or Corporate Network filter applied.
  • Click All Workforce Devices to display the complete list of your Workforce Devices.


• Total Acve Issues


Displays the number of acve issues on your workforce networks, as well as a list of the top
5 issue types. The change in the Total Acve Issues count in the last 30 days is displayed next
to the overall count. The graph displays the trend in Acve Network Issues on your workforce
networks over me.
• Mouse over the graph to display the number of Acve Issues on your workforce networks
on a specific date.
• Click the Acve Issues counts for the Top Issue Types to display the Issues list with the Issue
Type filter applied.
• Click All Acve Issues to display the complete list of Acve Issues on your workforce
networks.
• Total Acve Services
Displays the total number of acve services running on your workforce networks, as well as a
list of the top 5 Service Classificaons.
The change in the Total Acve Services count in the last 30 days is displayed next to the overall
count. The graph displays the trend in Acve Services on your workforce networks over me.
• Click in the graph to display the number of Acve Services on your workforce networks on a
specific day.
• Click the Total Acve Services count to display the complete list of Issues on your workforce
networks.
• Click All Acve Issues to display the complete list of Acve Issues on your workforce
networks.
• Remote Aack Surface Map
Displays a map view of the locaons of your Corporate and Remote Networks.
• Mouse over a locaon to see the number of Corporate and Remote Networks.
• Workforce Issues by Severity
Displays the number Workforce Issues broken down by severity.
• Click the Issue counts to display the Workforce Issues list filtered by Crical and High,
Medium, or Low severity.
• Top Networks with Crical and High Issues
Displays the eight networks with highest number of crical and high issues. For each network,
the network IP, the number of crical and high issues, and the number of crical and high
issues over the last seven days is displayed.
• Click the Network Public IP to display the Network details page for that network.
• Click the issue count to display the Issues list filtered by the Network Public IP and a crical
or high severity.
• Click All Networks with Crical/High Issues to display the Issues list filtered by Workforce
Networks and crical and high severity.


• Open Issues Progress
Displays the number of Acceptable Risk, No Risk, and Resolved issues for the top 10 Issue types for your workforce devices.
  • Click in the bar graph to display the list of Workforce Issues with the relevant Issue Type and Progress filters applied.
  • Click Open Issues In Progress to display the list of Workforce Issues with the In Progress filter applied.


Reports
The Reports tab in the Cortex Xpanse application is the home of the Report Center. The Report Center is where you can access CSV exports and other reports that you have initiated on any page in Xpanse. For example, if you click Export CSV on the Issues or Assets tab, that CSV report will appear in the Report Center. When you generate a smaller report (one that takes 5 seconds or less to generate), the report will download directly to your downloads folder as soon as it is ready. For larger reports, you will receive a notification in the application that the report has been initiated and an email notification when the report is ready to download. Both small and large reports can also be downloaded from the Report Center as soon as the Status in Report Center shows as Completed and the download icon is displayed.
The Report Center provides a running list of all the reports generated by Xpanse users in your organization. For each report in the list, Report Center displays the Report Type, the list of filters that were applied when the report was initiated, report Status, and other information. A download icon appears next to the report when it has reached the Completed status.


Network Mapping
At the beginning of every engagement, Cortex® Xpanse™ intelligently attributes assets to specific organizations, helping customers discover and protect previously unknown Internet-connected systems. Cortex Xpanse's network mapping allows organizations to understand their true public-facing network perimeter. This involves answering the following questions:
• How are assets attributed to your organization?
• How can you contest assets?
• Human-in-the-Loop

How are assets attributed to your organization?

All assets include an attribution reason in the top section of the asset details section. The attribution section describes the reason Cortex® Xpanse™ attributed that asset to your company. Cortex Xpanse uses a variety of methods to attribute IP range assets to organizations. These reasons include:
• IP Registration—The IP range’s registry information mentions information about your organization. Cortex Xpanse pulls from all regional internet registry databases, including ARIN, RIPE, APNIC, LACNIC, and AFRINIC. Registry information in your Cortex Xpanse instance is updated approximately biweekly.
• ASN Advertisement—An autonomous system number (ASN) assigned to you advertises the IP range as a BGP prefix.
• Certificate—That IP range advertised one of your certificates.
• DNS—A DNS record points to an IP in that IP range. Cortex Xpanse gets its domains and DNS data from a combination of active and passive global collection techniques.
• Self-Provided—The asset was on an IP address list provided to Cortex Xpanse by your organization or by Xpanse for a reason other than those listed above.

How can you contest assets?

If there is an asset identified by Cortex® Xpanse™ that appears not to belong to your organization, contact your TAM to remove this range from your asset list.

Human-in-the-Loop
A human-in-the-loop interprets and manages the Cortex® Xpanse™ automated network mapping analysis.
Your Internet-facing assets are always under attack from targeted and opportunistic attackers. Without a continuously updated, accurate inventory of those assets, you leave unknown or unmonitored assets exposed to threats. Cortex Xpanse discovers and helps remediate any exposures on those assets.
A primary advantage of Cortex Xpanse is combining leading-edge automated network mapping analysis with expert insights and validation. Cortex Xpanse’s experts understand the intricacies and idiosyncrasies of asset scanning and attribution. The end result for Cortex Xpanse customers
is fewer false posives and development of naming schemas and paerns that lead to broader
asset discovery than what you see with fully automated scanning engines alone.


Data
Cortex® Xpanse™ uses data collected from global internet scans as well as open-source intelligence about the internet to maintain a complete inventory of all the internet-facing assets that belong to an organization. The following topics describe some of the data and data collection methods that Cortex Xpanse uses to map your attack surface:
• Scanning
• Known Assets Monitoring
• Ports and Protocols
• GeoIP Collection
• IP Registration Records
• Certificates
• Domains

Scanning
Cortex® Xpanse™ scans the internet at varying cadences based on the protocol. At the slowest, Cortex Xpanse scans twice a week across IPv4. At the fastest, Cortex Xpanse scans multiple times per day (RDP, for example). In addition to the twice-a-week global minimum, Xpanse scans known customer assets and cloud ranges daily.
Cortex Xpanse uses multiple techniques to scan the internet and provide an attacker’s view of your attack surface. Xpanse offers two types of scans:
• Global—The global scan is performed twice a week by default and provides the internet-scale data we use for all customer networks.
• KAM (Known Assets Monitoring)—KAM monitors known assets at a higher scanning cadence and with faster data delivery for customers who opt in. Refer to Known Assets Monitoring (KAM) for details.
All Cortex Xpanse scans are CFAA-compliant, meaning there is no fuzzing of network services, authentication testing, DDoS testing, packet manipulation, or penetration testing.

Known Assets Monitoring

Cortex® Xpanse™ performs global scans twice a week by default. For customers who opt in, Cortex Xpanse performs targeted scanning of known assets daily. Known Assets Monitoring (KAM) brings three significant benefits to the data delivered by Cortex Xpanse:
• Additional ports and protocols
  • Port/protocol pairs not included in global scans, including port 25/SMTP, 500/UDP
  • SMB version enumeration
• TLS/SSL scanning
  • Determination of supported cipher suites and protocol versions for TLS/SSL services
• Frequent scanning and data delivery
  • Faster data delivery for reduced time to notification of new exposures

Ports and Protocols

Cortex® Xpanse™ detects protocol-validated services on the IPv4 space of the internet through a series of specialized payloads that target specific port-protocol pairs. Following are examples of some of the protocols and ports on which Cortex Xpanse checks for active services throughout a standard global scan.

The following lists are not exhaustive. For current and complete lists, contact your Customer Success Team.

• Sample protocols: SSL, FTS, SSH, Telnet, HTTP, POP3, RDP, FTP, XMPP, Postgres, VNC, UDP, ICMP, etc.
• Sample Ports: 0, 20, 21, 22, 23, 25, 53, 67, 68, 80, 81, 82, 83, 88, 110, 111, 118, 123, 135,
137, 138, 139, 143, 161, 179, 389, 401, 443, 444, 445, 465, 500, 502, 554, 587, 593, 808,
873, 888, 943, 987, 990, 993, 995, 1000, 1024, 1025, 1026, 1028, 1112, 1234, 1250, 1433,
1434, 1443, 1521, 1717, 1723, 1900, 1911, 2001, 2002, 2078, 2080, 2082, 2083, 2084,
2085, 2086, 2087, 2096, 2121, 2160, 2161, 2222, 2323, 2443, 2483, 2484, 2525, 3000,
3052, 3306, 3333, 3388, 3389, 3390, 3443, 3493, 3905, 3909, 3917, 3929, 3975, 3978,
4002, 4100, 4117, 4172, 4343, 4430, 4433, 4443, 4444, 4500, 4506, 4567, 4786, 4911,
5000, 5001, 5060, 5061, 5222, 5269, 5351, 5353, 5432, 5443, 5555, 5632, 5800, 5900,
5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909, 5910, 5916, 5984, 5985, 5986,
6001, 6002, 6363, 6379, 6443, 7001, 7080, 7170, 7443, 7547, 7777, 8000, 8005, 8008,
8009, 8010, 8015, 8020, 8080, 8081, 8082, 8083, 8085, 8088, 8090, 8094, 8139, 8140,
8159, 8194, 8195, 8196, 8197, 8198, 8209, 8210, 8211, 8212, 8213, 8214, 8215, 8216,
8217, 8218, 8219, 8220, 8282, 8290, 8291, 8292, 8293, 8294, 8333, 8443, 8444, 8530,
8531, 8800, 8880, 8887, 8888, 8899, 8991, 8999, 9000, 9002, 9042, 9080, 9091, 9092,
9100, 9200, 9418, 9443, 9444, 9595, 9983, 9997, 10000, 10010, 10443, 11211, 11495,
11553, 12345, 16010, 17185, 17516, 17778, 18080, 18574, 20249, 21242, 22460, 25789,
25827, 27017, 28080, 30005, 30006, 30010, 30083, 30303, 32400, 37443, 37777, 38080,
38520, 40000, 40005, 42713, 44344, 44818, 47001, 47693, 47808, 49501, 49502, 50001,
50067, 50070, 50580, 50805, 50995, 50996, 50997, 51005, 51007, 51200, 51401, 52200,
52311, 52590, 52869, 53300, 53524, 53631, 54041, 54498, 54528, 55918, 56222, 58000,
58603, 60000, 60243, 60443, 61337, 62078

GeoIP Collecon
GeoIP collecon lets Cortex® Xpanse™ customers confirm that their representaon of their
network distribuon is consistent with what they believe their global footprint to be. GeoIP data
is especially important for security organizaons to idenfy compliance violaons, such as data
residing in restricted locaons, and drive efficient remediaons-- customers leverage geoIP to
determine infrastructure locaon, who owns the asset, and where to route noficaons.
Cortex Xpanse’s geolocaon data is displayed at the highest level of granularity for a given IP
address. Geolocaon data refreshes every two weeks. You can view GeoIP data in the Cortex
Xpanse web applicaon on the Assets Details page under Assets.


IP Registraon Records
Cortex® Xpanse™ collects registraon informaon from various publicly available sources
including ARIN, RIPE, APNIC, LACNIC, and AFRINIC. Registry informaon in your Cortex
Xpanse is updated approximately biweekly. You can view registraon data in Cortex Xpanse web
applicaon on the Asset Details page under Assets.
The Registraon Record on the IP Range includes:
• Network—Name, Handle, Start Address, End Address, and Last Refreshed
• Organizaon Name—Name, Handle, Email, Phone, Address, Last Changed

Cerficates
Selecng any cerficate in the Table View brings up a Cerficate Details modal, with informaon
about that cerficate.
Cortex® Xpanse™ tracks the following informaon for each cerficate:
• Issuer, Issuer Country, Issuer Organizaon, Issuer State
• Public key, Public Key Algorithm
• Subject, Subject Alternave Names, Subject Organizaon, Subject Country, Subject State
• Serial Number
• Valid Not Before, Valid Not Aer
• Version
• Common Name
Cortex Xpanse automacally tracks several “crypto health” checks for cerficates. Cortex Xpanse
performs the following checks for each cerficate:
• Is Self-Signed?
• Is Wildcard?
• Is Domain Control Validated?
• Expired When Scanned?
• Public Key Bits
• Signature Algorithm
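How the listed crypto health checks can be derived from the tracked certificate fields, as an added Python example (not Xpanse's implementation). The record shape, the two sample certificates, the scan time, the 2048-bit RSA / 256-bit EC minimums, the "MD5 or SHA-1 is weak" rule and the "no Subject Organization means domain-validated" heuristic are all this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertificateRecord:
    """Certificate fields the guide says are tracked (constructed record shape)."""
    common_name: str
    subject: str
    subject_organization: str
    issuer: str
    subject_alternative_names: list[str]
    public_key_algorithm: str
    public_key_bits: int
    signature_algorithm: str
    valid_not_before: datetime
    valid_not_after: datetime
    serial_number: str = "00"


# Thresholds are this example's assumptions, not values stated in the guide.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIGNATURE_HASHES = ("md5", "sha1")


def is_self_signed(cert) -> bool:
    """Issuer DN equals subject DN (simplification: a full check verifies the signature)."""
    return cert.issuer == cert.subject


def is_wildcard(cert) -> bool:
    """Wildcard if the CN or any SAN starts with '*.'."""
    names = [cert.common_name, *cert.subject_alternative_names]
    return any(n.startswith("*.") for n in names)


def is_domain_control_validated(cert) -> bool:
    """Heuristic: DV certificates carry no Subject Organization, OV/EV ones do."""
    return cert.subject_organization.strip() == ""


def expired_when_scanned(cert, scan_time) -> bool:
    """Outside the validity window at the time the service was scanned."""
    return scan_time > cert.valid_not_after or scan_time < cert.valid_not_before


def weak_public_key(cert) -> bool:
    """Below the assumed minimum for its algorithm; unknown algorithms are flagged too."""
    minimum = MIN_KEY_BITS.get(cert.public_key_algorithm.upper())
    return minimum is None or cert.public_key_bits < minimum


def weak_signature_algorithm(cert) -> bool:
    alg = cert.signature_algorithm.lower()
    return any(h in alg for h in WEAK_SIGNATURE_HASHES)


def crypto_health(cert, scan_time) -> dict[str, bool]:
    """All six checks from the guide's list, keyed by check name."""
    return {
        "is_self_signed": is_self_signed(cert),
        "is_wildcard": is_wildcard(cert),
        "is_domain_control_validated": is_domain_control_validated(cert),
        "expired_when_scanned": expired_when_scanned(cert, scan_time),
        "weak_public_key": weak_public_key(cert),
        "weak_signature_algorithm": weak_signature_algorithm(cert),
    }


def findings(cert, scan_time) -> list[str]:
    """Checks that warrant remediation; wildcard and DV results are informational."""
    flagged = {"is_self_signed", "expired_when_scanned",
               "weak_public_key", "weak_signature_algorithm"}
    return sorted(k for k, v in crypto_health(cert, scan_time).items() if v and k in flagged)


UTC = timezone.utc
SCAN_TIME = datetime(2022, 10, 3, tzinfo=UTC)            # constructed scan timestamp

GOOD_CERT = CertificateRecord(                            # constructed: healthy OV cert
    common_name="www.example.com",
    subject="CN=www.example.com,O=Example Corp,C=US", subject_organization="Example Corp",
    issuer="CN=Example Issuing CA,O=Example Trust Services,C=US",
    subject_alternative_names=["www.example.com", "example.com"],
    public_key_algorithm="RSA", public_key_bits=2048, signature_algorithm="SHA256withRSA",
    valid_not_before=datetime(2022, 1, 1, tzinfo=UTC), valid_not_after=datetime(2023, 1, 1, tzinfo=UTC))

LEGACY_CERT = CertificateRecord(                          # constructed: self-signed legacy cert
    common_name="*.internal.example.com",
    subject="CN=*.internal.example.com", subject_organization="",
    issuer="CN=*.internal.example.com",
    subject_alternative_names=["*.internal.example.com"],
    public_key_algorithm="RSA", public_key_bits=1024, signature_algorithm="SHA1withRSA",
    valid_not_before=datetime(2019, 1, 1, tzinfo=UTC), valid_not_after=datetime(2020, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    for cert in (GOOD_CERT, LEGACY_CERT):
        print(cert.common_name, crypto_health(cert, SCAN_TIME), findings(cert, SCAN_TIME))
```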

Domains
Cortex® Xpanse™ gets its domains and DNS data from a combination of active and passive global collection techniques. For DNS scanning, Cortex Xpanse sends a BIND version query as the payload. This approach still identifies DNS servers that are not BIND compliant, as their response informs Cortex Xpanse of a DNS server’s existence.
Users find domain information in multiple locations in the Cortex Xpanse Expander user interface. For example, the hostname on the IP modal for many exposures indicates the domain. Also, the cloud domain assets view displays domains.


CSV Export
Cortex® Xpanse™ Expander provides the ability to export data in CSV format from List View pages on the Issues, Services, and Assets tabs.
The fields included in the CSV file exports are derived directly from Xpanse’s API models, which can be reviewed in our Swagger Expander API Documentation. If a field that appears in the data model is missing from the export, it is likely because it cannot be enumerated properly in CSV row format. If you see JSON blobs in your CSV file, it is because for certain data types, one row can have many values. To connect this data together, we have to group the many values in one cell.
To export data, click Export CSV on the selected list view page.

If the export takes fewer than 10 seconds, the CSV file will download directly from the browser. If the export takes longer than 10 seconds, you will get an email with a link to download the export. Exports larger than 200MB are split into multiple CSV files and included in a zip file to ensure they can be opened with Microsoft Excel.

If you don’t see the CSV export email in your inbox, check your email spam folder.

Particularly large exports can take up to eight hours to complete. If your export hasn’t completed after eight hours, please reach out to your Xpanse point of contact for help.


APIs and Integraons


APIs and integraons are fundamental to your operaonalizaon of Cortex® Xpanse™ Expander.
The Cortex Xpanse Expander API exposes several RESTful endpoints to you, providing all the data
available in the Cortex Xpanse Expander user interface and more about your organizaon’s assets
and exposures.
Cortex Xpanse Expander has two supported integraons— a Splunk Technical Add-On and an
AWS integraon. You can and should use the Cortex Xpanse Expander API to feed exposure
informaon to other external applicaons and systems for which Cortex Xpanse does not provide
a direct integraon.
Cortex Xpanse Expander supports single sign-on (SSO) to integrate with enterprise identy
services.
For more informaon, see Cortex® Xpanse™ APIs and Integraons.

Cortex® Xpanse™ APIs and Integrations
Getting up and running with Cortex® Xpanse™ APIs and integrations includes the following:

> Expander APIs
> Integrations
> AWS Cloud Connector
> Prisma Cloud API Connectors
> Cortex XDR API Connector
> GlobalProtect API Connector

Cortex® Xpanse™ APIs and Integraons

Expander APIs and Integraons


Geng up and running with Cortex® Xpanse™ Expander APIs and integraons includes the
following informaon:
• Expander APIs
• Integraons
• AWS Cloud Connector
• Prisma Cloud API Connectors

Expander APIs
You can find informaon about Cortex® Xpanse™ Expander APIs in the following topics:
• Who are Expander APIs for?
• Expander High-Level Funconality
• Value Delivered
• Expander API Documentaon
• Request a Refresh Token (Deprecated)
• Use the Expander API
• Expander API Endpoints
• Addional Support

Who are Expander APIs for?


Mulple teams within IT use Cortex® Xpanse™’s APIs. Teams include:
• SOC—To integrate Cortex Xpanse Expander data with the security ecosystem, such as SIEM,
Threat Feeds, and Analycs.
• Incident Response (IR)—To pull in data for forensic analysis.
• IT Operaons—To use data to validate and help manage the IT infrastructure footprint.
• AppDev—To keep tabs on AppDev resources exposed externally.
• Compliance—To track the exposure of regulated assets, such as assets that contain PCI or
HIPAA sensive data.

Expander High-Level Funconality


Cortex Xpanse combines a historical and current index of every asset on the public Internet with
other enriching datasets to help organizaons idenfy assets, exposures, misconfiguraons,
and policy deviaons. Armed with this product, IT operaons and security staff can perform the
following tasks:
• Maintain a connuously up-to-date inventory of all Internet-connected assets.
• Idenfy Cloud and On-Premise assets that do not comply with company policy.
• Reduce your aack surface area by priorizing exposures for remediaon based on risk.

• Track digital assets like IP addresses, cerficates, domains, and their registraons.
• Integrate asset and exposure context into exisng security tools via the API.

Value Delivered
The Cortex® Xpanse™ Expander APIs facilitate tight integration into your security ecosystem.
There are many ways the Cortex Xpanse Expander API integrates with existing security and IT
systems. The following are current ways that Cortex Xpanse Expander customers leverage the
Cortex Xpanse Expander API:
• IT Service Management (ITSM)—Many Cortex Xpanse Expander customers integrate with an
ITSM platform, such as ServiceNow, to automatically open trouble tickets for Cortex Xpanse
Expander-identified exposures. See Expander APIs and Integrations for details.
• Security Information and Event Management (SIEM)—An Expander exposure can
automatically generate an event in your SIEM. See Expander APIs and Integrations for details.
• Configuration Management Database (CMDB)—Through direct CMDB integration, you can
automatically add new Cortex Xpanse Expander-identified assets to your CMDB. See Expander
APIs and Integrations for details.
• Vulnerability Management Solutions (VM)—Vulnerability management systems, such as
Nessus, Rapid7, and Qualys, only scan assets they can find. Integration with Cortex Xpanse
Expander keeps VM systems up to date on all organizational assets, including critical assets
exposed to the public Internet. See Expander APIs and Integrations for details.
• IaaS Cloud Service Providers—Ensure all Cortex Xpanse-identified cloud assets are tracked and
monitored in sanctioned IaaS accounts.
• Direct integration for AWS—The Cortex Xpanse Cloud Monitoring Integration enables Cortex
Xpanse Expander to show an audit of assets Cortex Xpanse was able to identify for your
organization based on assets your organization is tracking in known and sanctioned AWS
accounts. See AWS Cloud Connector for details.
• Cloud Threat Detection—Cortex Xpanse Expander can update other cloud threat detection
tools to make sure that threat assessment and response includes all Cortex Xpanse Expander-
identified cloud assets.
• Setting up custom alerts and dashboards—Using the Cortex Xpanse Expander API, you can
set up custom alerts and dashboards for senior management, incident response (IR), and
compliance teams.

Expander API Documentation

All documentation for the Cortex® Xpanse™ Expander API is available in Swagger. See the
Expander API Documentation.

Request a Refresh Token (Deprecated)

Cortex® Xpanse™ is moving away from refresh tokens for API access credentials and
implementing the OAuth 2.0 standard client credentials grant type. Self-service client
credentials are currently supported for the Cortex Xpanse SDK and custom integrations.
You are not required to use client credentials at this time, but it is recommended. Support
for client credentials for Cortex Xpanse-built integrations will be added in a future release.
We will notify you when your Cortex Xpanse integration is ready for use with client
credentials.

The Cortex® Xpanse™ Expander API is only available via HTTPS. The API provides authentication
via long-lived refresh tokens and short-lived JWTs. Because the refresh token is long-lived and is
by itself enough to obtain JWTs, treat it like a password: keep it in a secrets manager rather than
in scripts or tickets, and rotate it when anyone who had access to it leaves.
If you require a new refresh token or need to rotate your existing refresh token, contact your
Customer Success Manager.

Generate Client Credentials

Cortex® Xpanse™ is moving away from refresh tokens for API access credentials and
implementing the OAuth 2.0 standard client credentials grant type. Self-service client
credentials are currently supported for the Cortex Xpanse SDK and custom integrations.
You are not required to use client credentials at this time, but it is recommended. Support
for client credentials for Cortex Xpanse-built integrations will be added in a future release.
We will notify you when your Cortex Xpanse integration is ready for use with client
credentials.

Self-service client credentials enable Cortex® Xpanse™ Expander administrators to generate and
revoke API credentials within the Expander UI. These credentials can be used for any API-related
application, including the following:
• Use of the Xpanse SDK
• Use of custom integrations or scripts
• Use of Xpanse integrations (Client credential support to be added in an upcoming release.)
To get started with self-service client credentials you must be an Expander administrator or reach
out to your Cortex Xpanse CSM for access. There are two levels of permission associated with this
feature:
1. Individual client credentials permission — Allows you to create and revoke your own Cortex
Xpanse client credentials.
2. Administrator client credentials permission — Allows you to create and revoke your own
Cortex Xpanse client credentials, and also view and revoke client credentials created by other
users from your organization.
If you are unsure whether you have the necessary permission for generating client credentials,
navigate to the Settings tab in Expander and look for the Client Credentials option in the left
navigation pane.

STEP 1 | Navigate to the Settings tab, and select Client Credentials in the left navigation pane.

In the Client Credentials window, you will see the list of credentials that you previously
created. If you have administrator-level client credentials permission, you will also see
credentials that were generated by other users in your organization.

STEP 2 | Click Generate Credentials.

Note that each user is limited to 10 client credentials at any one time.
The Client Credentials/Add New window opens.

STEP 3 | Enter a Client Name.

Client names must be all lowercase. Your client name will be automatically prefixed with
"xpanse_expander_".

STEP 4 | Enter a Description that will provide additional context for yourself and other administrators
in your organization regarding the purpose of this credential.

STEP 5 | Click Generate credentials.

The Client Identifier and Client Secret will be displayed.

STEP 6 | Copy and securely store both the Client Identifier and Client Secret.
You will not be given another opportunity to retrieve the Client Secret, and Cortex Xpanse has
no access to the Client Secret. Be sure to follow your organizational policies with respect to the
storage and use of your new credentials. Anyone holding the Client Identifier and Client Secret can
call the API as that client, so store the secret in a secrets manager or the credential store of the
system that will use it, never in a script, a ticket, or a chat message.

If you misplace or lose your Client Secret, a new client credential must be generated.
Cortex Xpanse has no way to retrieve your Client Secret.

You can now use your Cortex Xpanse client credential. For information about using your
credentials with an Xpanse-supported integration, see the corresponding integration guide on the
Palo Alto Networks Technology Partner portal. For more information about using your credentials
with the Xpanse SDK or a custom integration, see the Cortex Xpanse developer documentation.
If you want to revoke a Cortex Xpanse client credential, see Revoke Client Credentials.

Revoke Client Credentials

If you have individual client credentials permission, you can view and revoke the Cortex®
Xpanse™ client credentials that you created. If you have administrator client credentials
permission, you can view and revoke Cortex Xpanse client credentials that were created by
anyone in your organization.
Revoking a client credential is a permanent action, and cannot be undone. Revoke a credential as
soon as you suspect its secret has been exposed, and when the integration or person that used it is
retired; if the integration must keep running, generate its replacement credential first.
STEP 1 | Navigate to the Settings tab, and select Client Credentials in the left navigation pane.

In the Client Credentials window, the list of credentials that you created is displayed. If you
have administrator client credentials permission, you will also see the credentials generated by
other users in your organization.

STEP 2 | Click the 3-dot menu on the right side of the credential you want to revoke, and then click
Revoke.

STEP 3 | When prompted, confirm that you want to permanently revoke the credential.

For more information about Cortex Xpanse self-serve client credentials, see Generate Client
Credentials.

Use the Expander API

For guidance on using your Cortex Xpanse client credential to interact with the Expander API, see
the following resources:
• For information about using your credentials with the Xpanse SDK or a custom integration, see
the Cortex Xpanse developer documentation.
• For information about using your credentials with an Xpanse-supported integration, see the
corresponding integration guide on the Palo Alto Networks Technology Partner portal.
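The client credentials flow recommended above, shown as an added example that is not part of the Cortex Xpanse documentation, SDK, or integrations: a small Python helper that requests a short-lived JWT with the OAuth 2.0 client credentials grant, caches it, and reads the token's exp claim to decide when to ask for a new one. The token endpoint URL (TOKEN_URL), the form fields, and the JSON shape of the reply are assumptions modelled on RFC 6749 section 4.4, not values taken from the Xpanse API; take the real endpoint from the Cortex Xpanse developer documentation. The same cache-and-renew logic applies to the deprecated flow in which a long-lived refresh token is exchanged for a short-lived JWT.

```python
"""OAuth 2.0 client-credentials helper with JWT expiry tracking.

Added example, not Cortex Xpanse or SDK code. Assumed (not from the Xpanse
documentation): TOKEN_URL, the form fields, and a JSON reply carrying
"access_token". Replace TOKEN_URL with the endpoint from the developer docs.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Assumed endpoint; example.invalid is a reserved name that never resolves.
TOKEN_URL = "https://example.invalid/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential for the token request (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the exp claim (Unix seconds) of a JWT, or None if it cannot be read.

    The signature is deliberately not verified here: the client only uses exp
    to schedule its next token request; the API is what must validate the JWT.
    """
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def make_unsigned_jwt(exp: int) -> str:
    """Constructed, unsigned token (alg none) used only to demonstrate parsing offline."""
    def enc(obj: dict) -> str:
        data = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'exp': exp, 'sub': 'xpanse_expander_example'})}."


class ClientCredentialsSession:
    """Caches the short-lived JWT and requests a new one shortly before it expires."""

    def __init__(self, client_id: str, client_secret: str, token_url: str = TOKEN_URL,
                 post: Optional[Callable[[str, Dict[str, str], bytes], dict]] = None,
                 clock: Callable[[], float] = time.time, skew_seconds: int = 60) -> None:
        self._auth = basic_auth_header(client_id, client_secret)
        self._token_url = token_url
        self._post = post or self._http_post   # injectable for offline tests
        self._clock = clock
        self._skew = skew_seconds              # renew this long before exp
        self._token: Optional[str] = None
        self._exp: Optional[int] = None

    @staticmethod
    def _http_post(url: str, headers: Dict[str, str], body: bytes) -> dict:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:  # HTTPS only, as the API requires
            return json.loads(resp.read())

    def access_token(self) -> str:
        now = self._clock()
        if self._token and self._exp and now + self._skew < self._exp:
            return self._token                 # cached token still comfortably valid
        headers = {
            "Authorization": self._auth,       # secret travels in the header, never in the URL
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
        reply = self._post(self._token_url, headers, body)
        token = reply["access_token"]
        exp = jwt_expiry(token)
        if exp is None:  # opaque token: fall back to expires_in if the server sent one
            exp = int(now + int(reply.get("expires_in", 0)))
        self._token, self._exp = token, exp
        return token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to every Expander API call."""
        return {"Authorization": f"Bearer {self.access_token()}"}


if __name__ == "__main__":
    # Offline demonstration against a fake token endpoint (constructed data).
    fake_calls = []

    def fake_post(url: str, headers: Dict[str, str], body: bytes) -> dict:
        fake_calls.append(body)
        return {"access_token": make_unsigned_jwt(int(time.time()) + 3600), "token_type": "Bearer"}

    session = ClientCredentialsSession("example", "s3cret", post=fake_post)
    session.auth_header()
    session.auth_header()                      # second call is served from the cache
    print(f"token requests made: {len(fake_calls)}")  # 1
```

The client never verifies the JWT signature, and it should not need to: it only reads exp to renew a little early (the skew), and the API rejects an expired or tampered token regardless. Keep the Client Secret out of URLs, command lines, and logs; the helper sends it only in the Authorization header of the token request.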

Addional Support
If you need help accessing or using with the Cortex® Xpanse™ Expander API, contact your CSM.

Integraons
To increase value to our customers, Cortex® Xpanse™ is connually adding integraons to
Cortex® Xpanse™ Expander. The following is informaon on geng up and running with current
Cortex Xpanse Expander integraons.
• Integraon Use Cases
• SIEMS
• ITSM Systems
• SOARs
• Vulnerability Management
• CMDBs
• IPAMs

Integraon Use Cases


The daily operaons of Cortex® Xpanse™ Expander should be central to security operaons.
Connual assessment, evaluaon, and remediaon of the organizaon’s exposed edge is an
essenal pracce for SecOps.
The primary use cases for out-of-the-box and custom integraons between Cortex Xpanse
Expander and your security ecosystems include:
1. Maintain Accurate Asset Inventory—Cortex Xpanse Expander customers are connually
integrang Cortex Xpanse Expander with IT and IT security systems that require an accurate
source of truth of an organizaon's public-facing assets.
2. Generate Alerts—Noficaons help speed up awareness of new assets and exposures, and
Cortex Xpanse Expanse customers set up SIEM-configured noficaons to be alerted on new
assets and exposures quickly.
3. Kick Off Invesgaons—Cortex Xpanse Expanse customers kick off invesgaons of exposures
via ckets to drive remediaon acon and reduce the number of exposures on their network
edge.

4. Automate Remediations—Cortex Xpanse Expander customers create run-books and rules that
automate the remediation of certain types of exposures.

SIEMs
Cortex® Xpanse™ Expander supports integration with these SIEMs (Security Information and Event
Management systems):
• Splunk TA
• IBM QRadar
Splunk TA
The following topics relate to Cortex® Xpanse™ Expander integration with Splunk TA:
• Who is Splunk TA for?
• Splunk TA High-Level Functionality
• Value Delivered
• Getting an API Token
• Splunk TA Add-On Installation
• Additional Support
Who is Splunk TA for?
Multiple teams within IT use Cortex® Xpanse™ Expander's Splunk TA. Teams include:
• SOC—To integrate Cortex Xpanse Expander data with the security ecosystem and triage alerts.
• Incident Response (IR)—To pull in data for forensic analysis.
Splunk TA High-Level Functionality
Cortex® Xpanse™ Expander's add-on Splunk integration allows you to consume and access
Cortex® Xpanse™ Expander alerts and data through Splunk.
Splunk represents "events" as JSON objects; the information associated with an event is stored in
the JSON object's values. You can query Splunk events using Splunk queries. For more help on
Splunk data querying, refer to the appropriate Splunk data querying documentation or ask your
Splunk technical contact.
For additional information on how to use Splunk more generally, see Splunk's general
documentation site.
Value Delivered
Examples of goals and outcomes for customers using Cortex® Xpanse™ Expander's add-on to
Splunk include:
• Ease-of-use for data querying in a commonly-used SIEM.
• Centralized alerting.
• Centralized location for security-related data.
• Ability to correlate Expander vulnerabilities to internal events tracked in Splunk.

Getting an API Token

The Cortex® Xpanse™ Expander Splunk TA requires a Cortex Xpanse Expander API token for
installation.
The Cortex Xpanse Expander API is only available via HTTPS. The API provides authentication via
long-lived bearer tokens and short-lived JWTs.
Cortex Xpanse provides the bearer token as part of the onboarding process for API
access. Cortex Xpanse rotates the bearer token periodically while maintaining an overlap
period for the current bearer token. Cortex Xpanse informs you before bearer token
rotation. Also, you can request rotation of the bearer token for internal governance reasons.
Splunk TA Add-On Installation
To install the Cortex® Xpanse™ Expander Splunk TA:
1. In the Splunk homepage, navigate to the app directory by clicking the Apps icon.
2. Click Browse more apps, and search for Expanse to find the Cortex Xpanse Expander add-on.
3. To install the Cortex Xpanse Expander add-on, click Install.
4. If the app is not viewable in the App store, you can download the Add-On by browsing to
https://splunkbase.splunk.com/app/4622/ .
5. Once installed, click Go Home. The Cortex Xpanse Expander add-on is now ready to configure.

The Cortex Xpanse Expander add-on is not a standalone app, but rather an add-on that
you can configure to serve as a Splunk data input. Therefore, there is no separate user
interface for the add-on and clicking Open the App does not show anything.

To configure Cortex Xpanse Expander data as the Data Input:

1. Once you've installed your add-on, find the navigation bar at the top of the screen, and select
"Settings" → "Data" → "Data inputs" to access the Splunk Data Input Management page.
2. In the Data Input Management page, under Local inputs, select Expanse Expander > New to
begin to configure your Cortex Xpanse Expander data as a Splunk data input.
3. The Cortex Xpanse Expander URL field automatically populates with the Cortex Xpanse
Expander's API endpoint URL. Specify your API token in the appropriate field.
4. (OPTIONAL) You can make the Cortex Xpanse Expander Add-on proxy aware by inputting an
optional proxy server URL (proxy_url) and the path to a custom CA you trust, in PEM format
(custom_ca_pem_path). Set custom_ca_pem_path only for a CA you operate, such as the one
a TLS-inspecting proxy presents: it extends what the add-on trusts when it validates the API's
certificate.
5. (OPTIONAL) You can configure your Cortex Xpanse Expander data input to refresh using
a time window filter strategy (refresh_time_window_filter_days), refresh by limiting the
number of results per API call (refresh_page_size), and use a custom data update interval
(update_interval_hours).
6. Click Next. Your Cortex Xpanse Expander data is now set up as a Splunk data input.
7. In the homepage, click Search and Reporting to navigate to the Search page and begin
querying.
8. Using Splunk data query practices, you can now access and query your Cortex Xpanse
Expander data through Splunk.

Additional Support
If you need help interfacing with the Cortex® Xpanse™ Expander Splunk TA, contact your TAM.
IBM QRadar
Cortex® Xpanse™ Expander integrates with IBM QRadar.
• Who is the Xpanse IBM QRadar App for?
• High-Level Functionality
• Value Delivered
• Getting an API Token
• Xpanse QRadar App Installation
• Additional Support
Who is the Xpanse IBM QRadar App for?
The Cortex® Xpanse™ QRadar App supports multiple teams, including:
• Security Operations Center (SOC)—The SOC team uses the QRadar App to integrate Cortex
Xpanse Expander data into the organization's security ecosystem to help triage alerts.
• Incident Response (IR)—The IR team uses the QRadar App to pull in Cortex Xpanse Expander
data to add context during incident response.
High-Level Functionality
The Cortex® Xpanse™ QRadar App integration enables you to consume and access Cortex
Xpanse data through QRadar. QRadar ingests data as log events and assigns them to two separate
Log Sources called ExpanseExpander. Once ingested, QRadar can correlate Cortex Xpanse
events with other events or alerts based on offense rule configurations.

For more information, see this blog post announcing the Cortex Xpanse-IBM QRadar integration.
Value Delivered
The primary benefits of using the Cortex® Xpanse™ QRadar App include:
• Ease-of-use for data querying in a popular SIEM.

• Centralized alerting that includes Cortex Xpanse Expander data.
• Centralized location for security-related data.
• The ability to correlate Cortex Xpanse Expander vulnerabilities to internal events that QRadar
tracks.
Getting an API Token
The Cortex® Xpanse™ QRadar App requires a Cortex Xpanse Expander API token for
installation.
The Cortex Xpanse Expander API is only available via HTTPS. The API provides authentication via
long-lived bearer tokens and short-lived JWTs.
Cortex Xpanse provides the bearer (refresh) token as part of the onboarding process for
API access. Cortex Xpanse rotates the bearer token periodically while maintaining an overlap
period for the current bearer token. Cortex Xpanse informs you before the bearer token rotation.
Also, you can request rotation of the bearer token for internal governance reasons.
Xpanse QRadar App Installation
You can download a full Installation and User Guide for the Cortex® Xpanse™ QRadar App. See
the Expanse App Installation and User Guide For IBM QRadar Platform.
Additional Support
If you need help interfacing with the Cortex® Xpanse™ QRadar App, contact your Engagement
Manager.

ITSM Systems
Cortex® Xpanse™ supports integration with these IT Service Management (ITSM) Systems:
• ServiceNow ITSM
• Jira Cloud
ServiceNow ITSM
The following topics relate to Cortex® Xpanse™ integration with ServiceNow as an ITSM:
• Who is the Xpanse ServiceNow App for?
• High-Level Functionality
• Value Delivered
• Getting an API Token
• Xpanse ServiceNow App Installation
• Xpanse ServiceNow App Configuration
• Additional Support
Who is the Xpanse ServiceNow App for?
The Cortex® Xpanse™ ServiceNow ITSM App's primary users are the Service Desk, IT, and
DevOps teams that manage IT assets' configuration and patching. Through this App, these users
automatically receive incidents based on new exposure appearances or reappearances that match
the customer's severity thresholds configuration.

High-Level Functionality
The Cortex® Xpanse™ ServiceNow ITSM App allows users to create new incidents in ServiceNow
ITSM based on exposure events from Cortex Xpanse. With this functionality, users can enhance
their existing ITSM processes with new data from Cortex Xpanse.

For more information, see this blog post announcing the Cortex Xpanse-ServiceNow integration.
Value Delivered
The primary benefits of using the Cortex® Xpanse™ ServiceNow ITSM App include:
• Allowing IT and security teams to leverage Cortex Xpanse findings without modifying their
existing remediation processes.
• Reducing MTTR for Exposures by utilizing existing ITSM processes and automating response
prioritization.
Getting an API Token
The Cortex® Xpanse™ ServiceNow ITSM App requires a Cortex Xpanse Expander API token for
installation.
The Cortex Xpanse Expander API is only available via HTTPS. The API provides authentication via
long-lived bearer tokens and short-lived JWTs.
Cortex Xpanse provides the bearer (refresh) token as part of the onboarding process for
API access. Cortex Xpanse rotates the bearer token periodically while maintaining an overlap
period for the current bearer token. Cortex Xpanse informs you before bearer token rotation.
Also, you can request rotation of the bearer token for internal governance reasons.
Xpanse ServiceNow App Installation
Installation of the Cortex® Xpanse™ ServiceNow ITSM App is a three-step process.
STEP 1 | Navigate to the ServiceNow Store, and search for Expander.

STEP 2 | Select Expander > Get.

STEP 3 | Specify the admin credentials for your organization and follow the installation prompts.

Xpanse ServiceNow App Configuration

Once you have installed the Cortex® Xpanse™ ServiceNow App, do the following to configure the
App:
STEP 1 | In the Filter Navigator, search for Incident Mappings. There are mappings defined as
defaults, but these can be changed by clicking on the underlined Exposure Level, modifying
the mapping using the drop-down, and clicking Update. Unmapped exposure levels do not
have an incident level defined.

STEP 2 | In the Filter Navigator, search for Event Types, and select Event Types. There are default
values for which event types should trigger incidents. To change these default settings,
simply click the event type, and select or clear the Create Incident checkbox. When finished,
click Update to propagate the change. Updating this default setting affects future incident
creation only. Incidents are not recorded for unmapped event types.

STEP 3 | In the Filter Navigator on the left pane, search for Expander. Under the Expander section,
select Expander Properties.

STEP 4 | Click the Expanse API Token field (listed as x_429990_expanse_a.api_token) and under
Value, specify the Expander API Bearer token. To complete this step, click Update at the top
right of the window, saving your Expander API token for the ServiceNow integration to use
when calling Expander APIs. This update kicks off the ingestion of Expander data to generate
ServiceNow incidents. Anyone who can read that property holds your Expander API token, so
restrict access to it as you would to any stored secret, and request a token rotation if the
property has been exposed.

Additional Support
If you need help installing, configuring, or utilizing the Cortex® Xpanse™ ServiceNow ITSM App,
contact your Engagement Manager.
Jira Cloud
The following topics relate to Cortex® Xpanse™ integration with Jira Cloud as an ITSM:
• Who is the Xpanse Jira Cloud App for?
• High-Level Functionality
• Value Delivered
• Getting an API Token
• Xpanse Jira Cloud Installation
• Xpanse Jira Cloud Configuration
• Run the Xpanse Jira Cloud App
• Additional Support
Who is the Xpanse Jira Cloud App for?
The Jira Cloud Integration's primary users are the Service Desk, IT, and DevOps teams that
manage IT Asset configuration and patching. With this integration, Jira automatically creates
tasks based on new exposure appearances or reappearances that match a customer's configurable
conditions around exposure types, exposure severity, and business units.

High-Level Functionality
The Cortex® Xpanse™ Jira Cloud Integration automatically creates new Jira tasks based on
exposure events from Cortex Xpanse. With this functionality, users can enhance their existing Jira
processes with new data from Cortex Xpanse.

For more information, see this blog post announcing the Cortex Xpanse-Jira Cloud integration.
Value Delivered
The primary benefits of using the Cortex® Xpanse™ Jira Cloud Integration include:
• Allowing IT and security teams to leverage Cortex Xpanse findings without modifying their
existing remediation processes.
• Reducing MTTR for Exposures by utilizing existing Jira processes and automating response
prioritization.
Xpanse Jira Cloud Installation
Your Engagement Manager will deliver a user guide and the Integration as a Python package in a
compressed tar.gz format. You can run the Integration natively on the host using Python 3.6+,
or run it within a Docker container. If you plan to run the Integration in a Docker container, ensure
that Docker is installed. For more information on how to install Docker on your host, see Get
Docker.
STEP 1 | Extract the tar.gz file with the command tar -xvf expanse_jira_cloud.tar.gz.

STEP 2 | If you plan to run the Integration natively using Python 3.6+, install the dependencies using
the command pip install -r requirements.txt. Run the integration as an unprivileged user and
install into a virtual environment (python -m venv) so its dependencies stay separate from the
system Python.

Xpanse Jira Cloud Configuration

Cortex® Xpanse™ Jira Cloud App is configured after installation.
STEP 1 | Go to https://id.atlassian.com/manage/api-tokens and follow the instructions to generate a
new API token.
STEP 2 | Follow the user guide or README file instructions to create and configure the
expanse.yml file. There are several settings in the file:
1. You must specify the Jira and Expanse API tokens, and the Jira URL.
2. There are several optional values to configure how the Integration behaves. Configurable
behaviors include:
• How far back in time to populate events.
• Which Jira project to use.
• Whether Jira should create custom fields.
• How often to check for new events.
• Several filtering options to determine which Cortex® Xpanse™ events trigger new Jira
tasks.
3. (Optional) Set environment variables for any sensitive values if they have not already been
set in the expanse.yml file. Prefer the environment variables for the two API tokens: a copy of
expanse.yml that contains them is easily committed to a repository or baked into a container
image by accident.

Run the Xpanse Jira Cloud App

You can run the Cortex® Xpanse™ Jira Cloud Integration natively on Python or in Docker.
STEP 1 | To run the Cortex® Xpanse™ Jira Cloud Integration natively on Python:
1. Update your Python path to include all of the bundled files using the command export
PYTHONPATH=$PYTHONPATH:$(pwd).
2. Start the integration script with the command python expanse_jira.
(Optional) Use a tool or command to manage the long-running script. Examples of these
include tmux or nohup.

STEP 2 | To run the Cortex® Xpanse™ Jira Cloud Integration in Docker, use the following
command in the extracted directory: docker build -t expanse_jira . && docker
run -it expanse_jira
Environment variables set on the host are not visible inside the container; if you keep the API
tokens in environment variables rather than in expanse.yml, pass them to docker run with -e or
--env-file.

Additional Support
If you need help installing, configuring, or utilizing the Cortex® Xpanse™ Jira Cloud Integration,
contact your Engagement Manager.

SOARs
Cortex® Xpanse™ supports integration with these Security Orchestration, Automation, and
Response (SOAR) platforms:

• Cortex XSOAR (Demisto)
• Splunk Phantom
Cortex XSOAR (Demisto)
The following topics relate to Cortex® Xpanse™ integration with Cortex XSOAR:
• Who is the Xpanse Cortex XSOAR Integration for?
• High-Level Functionality

• Value Delivered
• Getting an API Token
• Xpanse Cortex XSOAR Installation
• Additional Support
Who is the Xpanse Cortex XSOAR Integration for?
Multiple teams can utilize Cortex® Xpanse™'s Cortex XSOAR Integration. Teams include:
• SOC—The SOC can ingest Cortex Xpanse data to generate incidents and playbooks. SOC
teams can also benefit by using the available commands included with the integration to enrich
Cortex XSOAR incidents with exposure and asset data.
• Threat Hunting—Teams may automate finding asset details and related data quickly.
High-Level Functionality
The Cortex® Xpanse™ Cortex XSOAR integration allows you to consume Cortex Xpanse data in
Cortex XSOAR and automatically generate new incidents based on your configuration settings.
Users can also run multiple enrichment commands to bring additional data from Cortex Xpanse
into Cortex XSOAR. These commands can be automated as part of playbooks or used to provide
ad-hoc enrichment during an incident investigation.

For more information, see this blog post announcing the Cortex Xpanse-Cortex XSOAR
integration.
Value Delivered
The primary benefits of using the Cortex® Xpanse™ Cortex XSOAR integration include:
• Creating incidents automatically by defining custom alert criteria for Cortex Xpanse data.
• Enriching incidents from other sources using Cortex Xpanse data.
• Automating investigation and remediation for Cortex Xpanse-triggered incidents.
• Reducing MTTR for Issues by automating response.

Request a Refresh Token (Deprecated)

Cortex® Xpanse™ is moving away from refresh tokens for API access credentials and
implementing the OAuth 2.0 standard client credentials grant type. Self-service client
credentials are currently supported for the Cortex Xpanse SDK and custom integrations.
You are not required to use client credentials at this time, but it is recommended. Support
for client credentials for Cortex Xpanse-built integrations will be added in a future release.
We will notify you when your Cortex Xpanse integration is ready for use with client
credentials.

The Cortex® Xpanse™ Expander API is only available via HTTPS. The API provides authentication
via long-lived refresh tokens and short-lived JWTs.
If you require a new refresh token or need to rotate your existing refresh token, contact your
Customer Success Manager.
Xpanse Cortex XSOAR Installation
To install the Cortex® Xpanse™ Cortex XSOAR Integration:
STEP 1 | In Cortex XSOAR, select Settings > Integrations > Servers & Services, and search for Cortex
Xpanse.

STEP 2 | Click Add Instance to create a new instance configuration.

STEP 3 | Add the Refresh token provided by your Engagement Manager to the API Key field.

STEP 4 | (Optional) Configure the integration to fetch incidents by selecting Fetches incidents.

Additional Support
If you need help installing, configuring, or utilizing the Cortex® Xpanse™ Cortex XSOAR
Integration, contact your Engagement Manager.
Splunk Phantom
The following topics relate to Cortex® Xpanse™ integration with Splunk Phantom:
• Who is the Xpanse Phantom App for?
• High-Level Functionality
• Value Delivered
• Getting an API Token
• Cortex Xpanse Phantom App Installation
• Additional Support
Who is the Xpanse Phantom App for?
Multiple teams can utilize the Cortex® Xpanse™ Phantom App. Teams include:
• SOC—To pair with Splunk to ingest Cortex Xpanse Expander data to generate incidents and
playbooks. SOC teams can also enrich incidents from different sources with Expander issues
and other asset data.
• Threat Hunting—Teams may automate to quickly find all of the asset details or other related
data.

High-Level Functionality
When paired with the Splunk Cortex® Xpanse™ Technical Add-on (TA), the Cortex Xpanse
Phantom App lets Splunk users consume Cortex Xpanse data to generate new events and cases
based on your priorities automatically.
The Phantom app also lets users run enrichment commands to ingest additional data from Cortex
Xpanse into Phantom. Users can automate these commands as part of a playbook or provide ad-
hoc enrichment during event/case investigations.

For more information, see this blog post announcing the Cortex Xpanse-Splunk Phantom
integration.
Value Delivered
The primary benefits of using the Cortex® Xpanse™ Phantom App include:
• Defining custom alerting criteria in Splunk for Phantom event forwarding on data from Cortex
Xpanse.
• Enriching other events/cases using Cortex Xpanse data.
• Automating investigation and remediation for Cortex Xpanse-triggered incidents.
• Reducing MTTR for Issues by automating response.
Request a Refresh Token (Deprecated)

Cortex® Xpanse™ is moving away from refresh tokens for API access credentials and
implementing the OAuth 2.0 standard client credentials grant type. Self-service client
credentials are currently supported for the Cortex Xpanse SDK and custom integrations.
You are not required to use client credentials at this time, but it is recommended. Support
for client credentials for Cortex Xpanse-built integrations will be added in a future release.
We will notify you when your Cortex Xpanse integration is ready for use with client
credentials.

The Cortex® Xpanse™ Expander API is only available via HTTPS. The API provides authentication
via long-lived refresh tokens and short-lived JWTs.
If you require a new refresh token or need to rotate your existing refresh token, contact your
Customer Success Manager.

Cortex Xpanse Phantom App Installation


To install the Cortex® Xpanse™ Cortex XSOAR Integraon.
STEP 1 | In Phantom, navigate to the Apps page, where you can either click the Apps icon in the drop-
down or navigate to hps://PHANTOM_URL/apps/.

STEP 2 | Click the Unconfigured Apps tab and search for Cortex Xpanse.

STEP 3 | Click Configure New Asset.

STEP 4 | In the Asset Info tab, specify a name, descripon, and oponal tags for your new Cortex
Xpanse asset.

STEP 5 | In the Asset Sengs tab, specify your Cortex Xpanse Refresh token in the Token to
authencate field.

STEP 6 | Click Save to complete the installaon.

STEP 7 | (Oponal) Click Test Connecvity to ensure the integraon is configured correctly.

Additional Support
If you need help installing, configuring, or ulizing the Cortex® Xpanse™ Phantom App, contact
your Engagement Manager.

Vulnerability Management
Cortex® Xpanse™ supports integration with these Vulnerability Management (VM) platforms:
• Tenable.io
• Rapid7 InsightVM
Tenable.io
The following topics relate to Cortex® Xpanse™ integration with Tenable.io:
• Who is the Cortex Xpanse Tenable.io Integration for?
• High-Level Functionality
• Value Delivered
• Getting Started
• Additional Support
Who is the Cortex Xpanse Tenable.io Integration for?
Multiple teams can utilize the Cortex® Xpanse™ Tenable.io Integration. The primary users of this
Integration are the Threat and Vulnerability Management (TVM) teams. With this Integration,
TVM teams better understand their organization’s attack surface by including Cortex Xpanse
discovered assets in their VM discovery scans. This integration helps them identify the severity of
the problem more precisely and reduce the number of untracked external assets.
High-Level Functionality
This Integration enables TVM teams to synchronize their Cortex® Xpanse™ assets with their
Tenable.io instance automatically. Specifically, the Integration ensures that Tenable.io maintains an
accurate inventory of the organization's public-facing assets. An accurate inventory is essential for
Tenable Cloud Scanners to provide more precise and comprehensive vulnerability assessment
data.

Value Delivered
The primary benefits of using the Cortex® Xpanse™ Tenable.io Integration include:
• Higher fidelity vulnerability scan data for external IP addresses and domains.
• Improved ability to track the health of an organization’s public attack surface accurately.
• More easily doing ad-hoc scans of IPs that Cortex Xpanse believes can be risky.
• Bringing Cortex Xpanse business context into the Tenable ecosystem.
Getting Started
Cortex® Xpanse™ hosts the Tenable.io Integration. Work with your Engagement Manager
to deliver a set of Tenable.io API Keys and other configuration options to get started. Your
Engagement Manager handles the setup and lets you know when you should begin seeing Cortex
Xpanse assets appear in your Tenable.io instance.
Additional Support
If you need help installing, configuring, or utilizing the Cortex® Xpanse™ Tenable.io Integration,
contact your Engagement Manager.
Rapid7 InsightVM
The following topics relate to Cortex® Xpanse™ integration with Rapid7 InsightVM:
• Who is the Xpanse Rapid7 InsightVM Integration for?
• High-Level Functionality
• Value Delivered
• Getting an API Token
• Cortex Xpanse Rapid7 InsightVM Installation
• Xpanse Rapid7 InsightVM Configuration
• Run Xpanse Rapid7 InsightVM Integration
• Additional Support
Who is the Xpanse Rapid7 InsightVM Integration for?
Multiple teams can utilize the Cortex® Xpanse™ Rapid7 InsightVM Integration. The primary
users of this Integration are the Threat and Vulnerability Management (TVM) teams. With this
Integration, TVM teams better understand their organization’s attack surface by including Cortex
Xpanse discovered assets in their VM discovery scans. This integration helps them identify the
severity of the problem more precisely and reduce the number of untracked external assets.
High-Level Functionality
This integration enables TVM teams to synchronize their Cortex® Xpanse™ assets with their
Rapid7 InsightVM console. Specifically, the Integration ensures that InsightVM maintains an
accurate inventory of the organization's public-facing assets. An accurate inventory is essential
for Rapid7’s Cloud Scan Engine to provide more precise and comprehensive vulnerability
assessment data.

Value Delivered
The primary benefits of using the Cortex® Xpanse™ Rapid7 InsightVM Integration include:
• Higher fidelity vulnerability scan data for external IP addresses and domains.
• Improved ability to track the health of an organization’s public attack surface accurately.
• More easily conducting ad-hoc scans of IPs that Cortex Xpanse believes can be risky.
• Bringing Cortex Xpanse business context into the Rapid7 ecosystem.
Getting an API Token
The Cortex® Xpanse™ Rapid7 InsightVM Integration requires a Cortex Xpanse Expander API
token for installation.
The Cortex Xpanse Expander API is only available via HTTPS. The API provides authentication via
long-lived bearer tokens and short-lived JWTs.
Cortex Xpanse provides the Bearer (Refresh) token as part of the onboarding process for
API access. Cortex Xpanse rotates the Bearer token periodically while maintaining an overlap
period for the current Bearer token. Cortex Xpanse informs customers before Bearer token
rotation. You can also request rotation of the Bearer token for internal governance reasons.

Cortex Xpanse Rapid7 InsightVM Installation

Your Engagement Manager delivers the Integration as a .zip file that contains all of the necessary
contents to run the integration. The Integration requires that Docker is installed on the host and
allocated with at least 1GB of memory. For more information on how to install Docker on your
host, see Get Docker.
To install the Integration, extract the contents of the zip directory.
Xpanse Rapid7 InsightVM Configuration
The configuration for the Cortex® Xpanse™ Rapid7 InsightVM Integration uses the config.yml
file and environment variables. The config.yml included with the Integration contains
information about all configurable values, but you are also encouraged to refer to the User Guide
your Cortex Xpanse Engagement Manager provides.
Run Xpanse Rapid7 InsightVM Integration
To run the Integration, execute the following command in the extracted directory:
docker build -t expanse-insightvm . && docker run --name expanse-insightvm expanse-insightvm
Additional Support
If you need help installing, configuring, or utilizing the Cortex® Xpanse™ Rapid7 InsightVM
Integration, contact your Engagement Manager.

CMDBs
You can create new inventory asset entries for Cortex® Xpanse™ Expander-identified assets
and add context from Cortex Xpanse Expander data to existing asset entries via a Configuration
Management Database (CMDB) integration.
This aligns with the Maintain Accurate Asset Inventory use case outlined in the Integration Use
Cases, where Cortex Xpanse customers are continually integrating Cortex Xpanse Expander with
IT and IT security systems that require an accurate source of truth of an organization’s public-
facing assets.

IPAMs
You can create new inventory asset entries for Cortex® Xpanse™ Expander-identified assets
and add context from Cortex Xpanse Expander data to existing asset entries via an IP Address
Management (IPAM) integration.
This aligns with the Maintain Accurate Asset Inventory use case outlined in the Integration Use
Cases, where Cortex Xpanse customers are continually integrating Cortex Xpanse Expander with
IT and IT security systems that require an accurate source of truth of an organization’s public-
facing assets.

AWS Cloud Connector


The following topics relate to the Cortex Xpanse Cloud Connector for AWS:
• High-Level Functionality
• Value Delivered
• Xpanse Cloud Monitoring Connector Configuration
• Documentation

High-Level Functionality
Cortex® Xpanse™ provides a beta Cloud Connector for AWS. The Cortex Xpanse Cloud
Monitoring Connector enables Cortex Xpanse Expander to show an audit of assets Cortex Xpanse
was able to identify for your organization based on assets your organization is tracking in known
and sanctioned AWS accounts. Your organization can use this information to address (take down
or move to a sanctioned AWS account) rogue assets.
In the Origin field, Cortex Xpanse marks Cortex Xpanse-discovered assets as Cortex Xpanse
identified and assets pulled from a customer’s AWS Cloud Connector as Customer provided.

Value Delivered
You can use this integration to:
• Add context to cloud assets and exposures that are only available in AWS, such as instance ID
and resource type.
• Audit all publicly accessible AWS resources and any exposures on those resources.
• Compare what you are already tracking in your known IaaS accounts with what Cortex
Xpanse identifies independently. As part of attribution, when using the Expander AWS Cloud
Connector, Expander pulls public resources from your AWS instances and then delineates
between “AWS Identified” and “Cortex Xpanse Identified” cloud assets. Expander provides a
great way to audit what you believe is running on AWS and what Cortex Xpanse finds on AWS.
You’re still covered even without the AWS Cloud Connector since Cortex Xpanse still scans all
AWS assets.
• Take down or move rogue assets from unsanctioned to sanctioned AWS accounts.
• Improve the visibility and effectiveness of security products that use APIs to build the asset list
they monitor.

Xpanse Cloud Monitoring Connector Configuraon


Seng up the Cortex® Xpanse™ Cloud Monitoring Connector requires a Cortex Xpanse AWS
account view-only API access to your AWS account(s). To complete this setup, you need full IAM
permissions in each monitored account.
For more background on best pracces around granng account access to a third party, read the
AWS IAM documentaon first.

Documentaon
Cortex® Xpanse™ Cloud Monitoring Connector documentaon with step-by-step direcons is
available via your TAM. Upon general availability, full set up direcons will be available here upon
commercial release.

Prisma Cloud API Connectors


Cortex® Xpanse™ can ingest cloud context, like publicly exposed cloud services, through Prisma
Cloud in Amazon Web Services, Google Cloud Platform, Microsoft Azure, Alibaba Cloud, and
Oracle Cloud Infrastructure.

The Cortex® Xpanse™ API Connector for Prisma Cloud is a multi-purpose integration that enables
you to accomplish the following:
• Add context to cloud assets, services, and issues that are only available in your IaaS provider,
such as instance ID and resource type.
• Audit all publicly accessible IaaS resources and any services or issues on those resources.
• Compare what you are already tracking in your known IaaS accounts with what Cortex®
Xpanse™ identifies independently.
• Take down or move rogue assets from unsanctioned to sanctioned IaaS accounts.
• Improve the visibility and effectiveness of security products that use APIs to build the asset list
they monitor.
Cortex Xpanse Expander loads services and issues on everything ingested and marks the services
and issues that are discovered by Cortex Xpanse and not present in Prisma Cloud as Unmanaged
Cloud. Cortex Xpanse also provides a summary dashboard, called Unmanaged Cloud Overview,
and the ability to filter on Cloud Management Status in Services and Issues.
To set up the integration between Cortex Xpanse and Prisma Cloud, perform the following tasks:
• Generate an API Access Key in Prisma Cloud
• Configure the Xpanse Prisma Cloud API Connector

Generate an API Access Key in Prisma Cloud


Before configuring the Prisma Cloud API connector in Cortex Xpanse Expander, you must
generate an API access key in Prisma Cloud. While generating the API access key, gather the
following information which will be required to create the API connector in Expander:
• Access Key ID
• Secret Access Key
• Prisma Cloud API URL for your tenant
STEP 1 | Log into Prisma Cloud CSPM as an Administrator level user.

STEP 2 | Select Settings from the left-side menu.

STEP 3 | Within Settings, go to Account Groups and click Add Account Group.

STEP 4 | Name the new account group, and select the cloud accounts that you want to be accessible
for this group.

STEP 5 | After creating the new Account Group, select Access Controls > Roles from the left-side
menu. Click Add to add a new role.

STEP 6 | Give your new role a descriptive Name, select the permissions desired (the Xpanse
integration requires a minimum of Account Group Read Only) and select your newly created
Account Group (from step 4) as the Account Group.

STEP 7 | After creating the new role, go to Access Control > Users. Click Add and select Service
Account.

STEP 8 | Give your new service account a descriptive Service Account Name and select your newly
created role as the assigned Role. Click Next.

STEP 9 | On the Access Key Details screen, provide an Access Key Name for the generated access key.
We recommend that you do not Enable Expiration for this access key since it will cause the
connector to fail in Xpanse when the key expires.

STEP 10 | Copy the generated Access Key ID and Secret Access Key and keep them secure. You will
use these to configure a new API connector within Xpanse.

STEP 11 | Find the correct API URL to use by referencing this table.
https://prisma.pan.dev/api/cloud/api-urls/

Configure the Xpanse Prisma Cloud API Connector


Before configuring the Prisma Cloud API connector in Cortex Xpanse, you must generate an API
access key and secret key in Prisma Cloud. See Generate an API Access Key in Prisma Cloud.
Complete this task in Cortex Xpanse Expander to configure the API connector for Prisma Cloud.
STEP 1 | In Expander, navigate to Settings, and click Add API Key.

STEP 2 | On the API Connectors page, select Prisma Cloud as the source type, and then click Next.

STEP 3 | On the API Connectors/Source Type/Add New window, complete the information as
follows:
1. Enter a descriptive Name of your choice.
2. In the Access Key ID field, enter your Prisma Cloud API access key ID.
3. In the Secret Key field, enter your Prisma Cloud secret key.
4. In the Service URL field, enter the URL for your Prisma Cloud instance.
5. In the Business Unit field, select the business unit you’d like to associate the devices with
in Xpanse.

STEP 4 | Click Add API Key to add the connector.


Prisma Cloud data may take up to 48 hours to be ingested into your Cortex Xpanse Expander
instance.

Cortex XDR API Connector


Aack Surface Management (ASM) for Remote Workers is an API integraon between Cortex
Xpanse and Cortex XDR or GlobalProtect that enables you to idenfy and alert on security issues
on remote worker systems and network environments.
The Cortex Xpanse integraon with Cortex XDR enables you to perform the following key tasks to
secure your remote worker aack surface:
• Idenfy risks and reduce aack surface related to your remote employee environments
• Idenfy the gaps in coverage of Cortex XDR agents in your organizaon
• Idenfy the internal and external IP mapping of your remote workforce
• Ensure employees are using VPN services
• Improve MTTR by providing addional network data to incidents idenfied by Cortex XDR.
To set up the integraon between Cortex Xpanse and Cortex XDR, perform the following tasks:
• Generate an API Key in Cortex XDR
• Configure the Xpanse XDR API Connector
For more informaon about ASM for Remote Workers and the Remote Aack Surface Dashboard
in Cortex Xpanse Expander, see Remote Aack Surface Overview.

Generate an API Key in Cortex XDR


Before configuring the Cortex® XDR™ API connector in Cortex Xpanse™, you must generate an
API key in Cortex XDR. While generang the API key, gather the following informaon which will
be required to create the API connector:
• Cortex XDR API key
• Cortex XDR API key ID
• URL for your Cortex XDR instance
STEP 1 | Within Cortex XDR, click the gear icon in the top menu bar and select Configuraons.

STEP 2 | In the Configuraons menu, select API Keys, which appears in the Integraons secon.

Cortex® Xpanse™ User Guide 145 ©2022 Palo Alto Networks, Inc.
Cortex® Xpanse™ APIs and Integraons

STEP 3 | In the API Keys window, click the +New Key buon to create a new API key.

The Generate API Key window will open.

STEP 4 | Select the Standard Security Level.

STEP 5 | Select a role for the API key. The Cortex Xpanse integraon with Cortex XDR requires a role
with Endpoint Management permission under Views. Aer selecng the role, click Generate.

STEP 6 | Aer you’ve generated the key, copy the API key value presented and keep it secure.

STEP 7 | Return to the API Keys window, and select the API key you just generated. Click the Copy
URL buon to copy the URL for your Cortex XDR instance. Also make note of the API key
ID, which appears in the API Keys table.

Aer compleng these steps and collecng the relevant informaon, you are ready to create the
Cortex XDR API connector in Cortex Xpanse.
For addional informaon about Cortex XDR APIs, refer to Get Started with Cortex XDR APIs.

Configure the Xpanse XDR API Connector


Before configuring the Cortex® XDR™ API connector in Cortex Xpanse, you must generate an API
key in Cortex XDR.
Complete this task in Cortex Xpanse Expander to configure the API connector for Cortex XDR.
STEP 1 | In Expander, navigate to Settings, and select API Connectors.

STEP 2 | When the API Connectors page opens, click Add API Key, select Cortex XDR as the source
type, and then click Next.

STEP 3 | In the Add New window, complete the information as follows:
1. Enter the Name of your choice.
2. In the Access Key ID field, enter your XDR API key ID.
3. In the Secret Key field, enter your XDR API key.
4. In the Service URL field, enter the URL for your XDR instance.
5. In the Business Unit field, select the business unit you’d like to associate the devices with
in Xpanse.

STEP 4 | Click Add API Key to add the connector. Cortex XDR data may take up to 48 hours to be
ingested into your Cortex Xpanse Expander instance.

For more information about Xpanse ASM for Remote Workers and the Expander ASM for Remote
Workers dashboard, see Remote Attack Surface Overview.

GlobalProtect API Connector


Aack Surface Management for Remote Workers provides a view of your remote worker aack
surface using device data from a remote aack surface connector combined with public internet
informaon discovered by Cortex® Xpanse™. This API integraon between Cortex Xpanse and
Cortex XDR or GlobalProtect enables you to idenfy and alert on security issues on remote
worker systems and network environments.
To set up the Cortex Xpanse integraon with GlobalProtect, contact your Customer Success
Manager.
To set up the Cortex Xpanse integraon with Cortex XDR, see Cortex XDR API Connector.
For more informaon about ASM for Remote Workers and the Remote Aack Surface Dashboard
in Cortex Xpanse Expander, see Remote Aack Surface Overview.

Support
Cortex® Xpanse™ prides itself on its customer support. Engagements that have
an assigned Technical Account Manager (TAM) can work with that individual for
onboarding, training, enablement, and ongoing support. Our TAMs are product and
security experts and are a great resource to customers.
Getting support is essential for all users of Cortex Xpanse Expander. For interaction
with the Cortex Xpanse team, Cortex Xpanse recommends there be a primary and
secondary contact at the customer for direct interaction. This contact information will
help the Cortex Xpanse Technical Account Manager (TAM) build a working relationship
with the customer, and make sure that support requests and responses are expedited
and not duplicated.

Contact Support
Contact Cortex® Xpanse™ Expander support at expanse-support@paloaltonetworks.com
or reach out to your Technical Account Manager for any of the following reasons.
• Provisioning new Cortex Xpanse users
• Reporting bugs
• Contesting asset attributions
• Getting help
• Providing product feedback

Glossary
Glossary Terms
• Annotaon—Annotaon is the addion of text comments to add context to assets. There are
three types of asset annotaon: tags, points of contact, and notes.
• API—Cortex Xpanse provides customers with an API (Applicaon Programming Interface)
for retrieving Cortex Xpanse Expander informaon. For more informaon, see APIs and
Integraons.
• API Endpoint—The Cortex Xpanse Expander API exposes several RESTful endpoints to
customers. For more informaon, see APIs and Integraons.
• ASN—Autonomous system number (ASNs) are important because the ASN uniquely idenfies
each network on the Internet. An autonomous system (AS) is a collecon of connected Internet
Protocol (IP) roung prefixes under the control of one or more network operators on behalf of
a single administrave enty or domain. There can be mulple AS supported by the ISP, and
the ISP must have an officially registered autonomous system number (ASN). A unique ASN is
allocated to each AS for use in BGP roung.
• Asset—An asset is an IP address, cerficate, or domain residing on-premise or in the Cloud.
• BACnet—BACnet is a building automaon and control network protocol generally associated
with enterprise heang, air condioning, and refrigeraon systems. Unauthorized access to
BACnet systems could allow an aacker to control crical temperature and air flow systems
such as data center HVACs and could cause harm to crical infrastructure servers and other
network equipment.
• Business Unit—A Business Unit is a designaon to classify assets. Cortex Xpanse Expander
tracks business units as a means to idenfy owning organizaons of these assets. Business
unit tagging becomes extremely important when an organizaon has subsidiaries and groups
established through M&A acvies. To define business units, work with your TAM.
• Cerficate—Cerficates (also known as digital or public key cerficates) are used when
establishing encrypted communicaon channels to idenfy and authencate a trusted party.
The most common use of cerficates is for SSL/TLS, HTTPS, FTPS, SSH, and VPN connecons.
The most common use of cerficates is for HTTPS-based web sites, which allow a web
browser to validate that an HTTPS web server is an authenc web site. Cortex Xpanse tracks
the following informaon for each cerficate: Issuer, Issuer Country, Issuer Organizaon,
Issuer State, Public key, Public Key Algorithm, Subject, Subject Alternave Names, Subject
Organizaon, Subject Country, Subject State, and several “crypto health” checks.
• Common Name —Common Name is a standard field on SSL/TLS cerficates. It is typically
composed of Host & Domain Name, oen looking like yourco.com or “yourco.com.” Cortex
Xpanse uses the common name field as one of the means to aribute assets to an organizaon.
• Cloud—From the Cortex Xpanse perspecve, the cloud refers to assets that are not running
on-prem. This includes Cloud Service Providers, CDNs, consumer dynamic IP space (Comcast,
AT&T), and others. According to NIST, cloud compung has five essenal characteriscs: on-
demand self-service, broad network access, resource pooling, rapid elascity, and metered
service. Cloud compung typically encompasses three broad types of services: Infrastructure as
a Service (IaaS), Plaorm as a Service (PaaS), and Soware as a Service (SaaS). Cortex Xpanse
tracks all IaaS assets and can idenfy some assets in PaaS and SaaS.


• Cloud IP—Cortex Xpanse Expander displays specific IP addresses attributed to cloud providers
either because your organization’s certificate was advertised on a cloud provider IP address or
because your organization’s domain resolves to the cloud provider IP address space.
• Cloud Domain—Cloud domains are domains attributed to an organization that resolve to cloud
provider IP address space.
• CMDB—A configuration management database (CMDB) is the central repository of asset
information for most organizations. Cortex Xpanse provides multiple means to integrate with
CMDBs. For more information, see APIs and Integrations.
• Critical—Cortex Xpanse classifies exposures into three categories: critical, warning, and routine.
A critical exposure is a responsive protocol that should never connect to the public Internet.
Investigate critical exposures ASAP.
• Crypto Health—Crypto health is a general term referring to the overall configuration and status
of crypto-related factors. Cortex Xpanse automatically tracks several “crypto health” checks for
certificates, including self-signed, wildcard, domain control validated, expired when scanned,
and public key bits and signature algorithm.
• Current—When working with exposures, Cortex Xpanse Expander provides a time period filter.
The Time period selector determines the date range over which exposures are observed. Selecting
“Current” displays (in Map or Table view) the currently active exposures at your network edge.
Adjusting the time period displays all active exposures over the selected timeframe. "Current"
is defined as observed in the last 3 days for customers who are on daily targeted scans, and as
the last 10 days for customers who are not. See the Data section for more information on scanning
cadence.
• Development Environment—Development environments are web services that appear to be
a testing or staging environment. Cortex Xpanse Expander infers development servers based on
terms in the dev environment's certificate or domain like “test” or “UAT.” Development, staging, and
test environments are often not maintained to the same security standards as production
infrastructure, yet may still hold sensitive data. These sites may also hold sensitive software
code and configurations that could improve an adversary's ability to target the production
environment. Such environments generally should not be available from outside the corporate
network unless there is a compelling business reason.
• Domain—In general, a domain name identifies a network domain following the rules and
procedures of the Domain Name System (DNS). Cortex Xpanse gets its domains and DNS
data from a combination of active and passive global collection techniques. Operators can
find domain information in multiple locations in the Cortex Xpanse Expander user interface.
For example, the hostname on the IP modal for many exposures indicates the domain. Also,
domains display on the cloud domain assets view.
• Ethernet/IP—EtherNet/IP is a protocol used in the configuration and automation of industrial
control systems. EtherNet/IP can be used to gather information about critical control systems
or to reconfigure control systems, and should never be accessible to the general public.
• Exposure—An exposure is a service or configuration of a service that is publicly accessible on a
customer’s network edge with an associated severity level—critical, warning, or routine.
• Flow—A flow is a directional movement of IP data across the Internet. Cortex Xpanse obtains
flow data via multiple relationships with Tier 1 ISPs. Through these relationships, Cortex
Xpanse has access to a sample of approximately 80% of global flows.
• GeoIP—GeoIP data correlate an IP address with a physical (geographic) location. Cortex
Xpanse geolocation data for responsive IPs are collected from the best commercially available
geolocation data source and displayed at the highest level of granularity that we receive for a
given IP. GeoIP data collection lets Cortex Xpanse customers confirm that their representation
of their network distribution is consistent with what they believe their global footprint to be.
GeoIP data is especially important for security organizations to identify compliance violations
(e.g., data residing in restricted locations) and drive efficient remediations: infrastructure
location, who owns the asset and where to route notifications.
• IP address—An Internet Protocol (IP) address is a numerical label assigned to network-
connected devices (physical and virtual). Cortex Xpanse currently tracks IP version 4 (IPv4)
addresses.
• IP Modal—The IP modal displays detailed information about an exposure. The IP Modal
displays timeline changes, exposure details, additional information, and remediation
information.
• IP Registration—The IP range’s registry information mentions information about your
organization. Cortex Xpanse pulls from all regional internet registry databases, including ARIN,
RIPE, APNIC, LACNIC, and AFRINIC.
• Leaked Internal IP—Internal IPs are for internal routing, and when Cortex Xpanse observes an
internal IP address, this is a possible indication that the device is internal and not meant to be
public facing. Leaked internal IP addresses also give adversaries targeting information. Cortex
Xpanse recommends removing any leaked internal IPs so they are not externally visible.
• Memcached—Memcached is a free and open source distributed memory caching system. Like
databases, they potentially contain private information, and therefore should not be externally
accessible.
• Modbus—Modbus TCP is an industry-standard communication protocol for use with
connecting industrial electronic devices over Ethernet. Some industrial devices control critical
and valuable assets, yet rarely have much in the way of application-level security. Modbus TCP
has no built-in security systems making it extremely vulnerable. Modbus devices should only be
accessible by devices on the same local network.
• MSSQL—Microsoft SQL (MSSQL) Server is Microsoft’s enterprise relational database
management system. MSSQL servers (indeed, SQL servers of any kind) should not be publicly
accessible over the internet, as they are vulnerable to a variety of documented exploits.
• MySQL—MySQL is an Open Source relational database management system that is maintained
by Oracle Corporation. MySQL servers should not be publicly accessible over the internet.
• NetBIOS Name—NetBIOS name servers provide name resolution on local networks. Externally-
accessible NetBIOS servers pose a significant security risk, as they leak information about
users, hostnames, internal IP addresses, services, and operating systems on a local network.
• On-premise—On-premise refers to an organization’s assets that reside at organization owned
or leased facilities.
• Open port—An open port is a responsive port but not one that is necessarily running a service.
When Cortex Xpanse scans a device, we validate the protocol response to verify the service
running on the device. For example, we do not assume that an open port 23 is running Telnet.
We conduct a full protocol handshake to verify that Telnet is running. By verifying service,
Cortex Xpanse virtually eliminates false positives for protocols.
• Payload—Payload refers to the handshake, and associated data Cortex Xpanse uses when
scanning a port. Payloads attempt to establish a full protocol handshake with the destination IP
address. This process results in higher confidence findings.

Cortex® Xpanse™ User Guide 154 ©2022 Palo Alto Networks, Inc.
Glossary

• Port—TCP and UDP use port numbers to identify sending and receiving application endpoints
on a host. Each side of a TCP connection has an associated 16-bit unsigned port number
(0-65535) reserved by the sending or receiving application.
• Port-Protocol Pair—Cortex Xpanse’s Internet Sensing platform detects protocol-validated
services on the IPv4 space of the Internet through a series of specialized payloads that target
specific port-protocol pairs.
• Protocol—Protocol refers to transport layer protocols of TCP and IP. The protocol defines the
rules of communication and can be either connection-oriented (TCP) or connectionless (UDP).
Cortex Xpanse discovers and tracks 30+ protocols. The most common protocols include FTP,
HTTP, HTTPS, POP3, IMAP, SSL, Telnet, RDP, SIP, and DNS.
• RDP—Remote Desktop Protocol (RDP) servers provide remote access to a computer over a
network connection. Externally accessible RDP servers pose a significant security risk as they
are frequent targets of attackers and are vulnerable to a variety of documented exploits.
• Remediation Status—Users assign a remediation status to exposures. Expander provides
six levels of remediation status to facilitate the remediation workflow: None, Investigating,
Investigated, Remediation-in-progress, Remediation check, and Resolved.
• Routine—Cortex Xpanse classifies exposures into three categories: critical, warning, and
routine. Routine exposures are informational.
• Serial Number—Serial numbers are unique identifiers for certificates issued by a Certificate
Authority (CA).
• SIEM—Security Information and Event Management (SIEM) system. Cortex Xpanse provides
multiple options to integrate with on-premise and cloud-based SIEMs. For more information,
see APIs and Integrations.
• SIP—Session Initiation Protocol (SIP) is a protocol that is generally used in Voice over IP
systems. Early SIP systems only used 40-bit encryption and were subject to call hijacking and
MITM attacks. More recent implementations generally use 128-bit encryption by default. A suite
of tools from SipVicious makes SIP systems easier to attack when they are found exposed. Best
practice is to keep SIP systems behind a firewall or reachable only through a VPN, but if SIP must
be exposed to the Internet, then the use of high-entropy passwords, a lockout policy, and traffic
inspection is recommended.
• SMB—The Server Message Block (SMB) protocol provides remote computers access to local
files, printers, and other resources. Attackers can use SMB access to pivot to other internal
systems, and they may maintain silent access for long periods of time.
• SNMP—The Simple Network Management Protocol (SNMP) provides software version and
configuration information for network devices. The information provided over SNMP can be
particularly valuable to attackers, so devices should not respond to SNMP requests from the
global Internet.
• SSO—Single sign-on (SSO) is the ability to access multiple related, yet independent, software
systems. With this property, a user logs in with a single ID and password to gain access to any
of several related systems. Expander supports single sign-on (SSO) to integrate with enterprise
identity services. With this feature, users can use their organization’s credentials to sign on to
Cortex Xpanse Expander.
• Tag—A tag is an asset annotation. Tags are used to add context to assets. For example,
users can tag an asset as belonging to a specific data center, or tag it as “PCI” or “HIPAA” to
denote privacy protection requirements.
• Telnet—Telnet provides unencrypted remote shell access. The presence of externally accessible
Telnet servers poses significant risk of data and credential loss if they are in use.
• Unencrypted FTP—Without adequate encryption, FTP data is at risk of compromise, theft, and
more.
• UPnP—The Universal Plug and Play protocol allows devices to export services. Certain UPnP
libraries are known to be vulnerable to public exploits. UPnP devices should only be accessible
by devices on the same local area network, not by hosts on the public internet.
• Valid Not Before, Valid Not After—Certificates have a lifespan. The not-before date is the
earliest time and date at which the certificate is valid. Typically, this is set a few hours after issuing
to avoid any issues with distribution. The not-after date is the date on which the certificate is no
longer valid. Unlike food expiration dates, one should never use certificates past the not-after
date.
• Version—Version most often applies to a software release. Cortex Xpanse tracks versions for
multiple items, including BIND, SIP servers, web server software, and cipher suites.
• VNC servers—Virtual Network Computing (VNC) is a graphical remote-access system. In
corporate environments, Remote Desktop, SSH, or other solutions should be used instead, so a
VNC exposure may be a misconfiguration or an unauthorized installation.
• VxWorks—VxWorks is an embedded operating system deployed on a variety of devices.
VxWorks devices are rarely intentionally exposed to the public internet.
• Warning—Cortex Xpanse classifies exposures into three categories: critical, warning, and
routine. A warning exposure is an indication of a misconfiguration that could pose a risk; for
example, self-signed certificates, unencrypted logins, and leaked internal IP addresses. Internal
IPs are for internal routing, and when Cortex Xpanse observes an internal IP address, this is
a possible indication that the device is internal and not intended to be public facing. Leaked
internal IP addresses also give adversaries targeting information. Cortex Xpanse recommends
removing any leaked internal IPs, so they are not externally visible.
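The Warning entry names leaked internal IP addresses as a common misconfiguration. As an added example that is not Cortex Xpanse code, the following checks an externally observed HTTP response for addresses in the RFC 1918, loopback, and link-local ranges and reports which header or body carried them, which is the information a remediation owner needs. The HTTP response and the addresses in it are constructed for this example; the address ranges are the standard ones, listed explicitly rather than relying on library heuristics so the result does not change between Python versions.

```python
"""Find internal IP addresses leaked in an HTTP response (added example,
not Cortex Xpanse code). The sample response below is constructed."""
import ipaddress
import re

# Address ranges treated as internal. Listed explicitly (RFC 1918,
# loopback, link-local) so the check is the same on every Python version.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.0.0/16",
)]

# Dotted-quad candidates; lookarounds stop "1.2.3.4.5" style partial matches.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_ips(text: str) -> list:
    """Return the distinct internal IPv4 addresses found in text, sorted
    numerically. Strings that look like addresses but are not valid
    (e.g. 999.1.1.1) are ignored."""
    found = set()
    for match in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(match.group())
        except ValueError:
            continue
        if is_internal(ip):
            found.add(ip)
    return [str(ip) for ip in sorted(found)]


def scan_http_response(raw: str) -> list:
    """Scan a raw HTTP/1.x response. Returns (location, ip) pairs where
    location is the header name or "body"."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        for ip in find_internal_ips(value):
            findings.append((name.strip(), ip))
    for ip in find_internal_ips(body):
        findings.append(("body", ip))
    return findings


# Constructed sample: a redirect to a backend address, a debugging header,
# a proxied-for note in the body, a public address (203.0.113.10 is a
# documentation-range address used here as a stand-in) and a non-address.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.41\r\n"
    "Location: http://10.20.30.40/login\r\n"
    "X-Backend-Server: 192.168.5.17\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Proxied via 172.31.0.9 for 203.0.113.10; "
    "build 999.1.1.1</body></html>\r\n"
)


if __name__ == "__main__":
    for location, ip in scan_http_response(SAMPLE_RESPONSE):
        print(f"internal address {ip} leaked in {location}")
```

A Location header pointing at a private address is the classic case: the reverse proxy rewrote nothing, so every external client learns the backend's internal address and the redirect itself fails for them. Running this check against the responses of your own internet-facing services, and fixing the proxy or application configuration that emits the address, is the remediation the entry calls for.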