docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021-2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
October 31, 2022
For additional information on how to use new features, refer to the Cortex Xpanse Expander User Guide.
Expander Release Information
Feature Description
Responsive IP asset type added to Asset Inventory: Responsive IPs have been added as an asset type in the Asset Inventory. Responsive IPs are dynamically created when Xpanse detects a responsive service running on an IP address associated with one of your organization's IP Ranges. Responsive IPs are linked to these IP Ranges and inherit details from their associated range, such as registration details and any assigned tags. Responsive IPs become inactive 30 days after all related services become inactive.
available, links to Palo Alto Networks Unit 42 research on that issue. Remediation guidance can be found in the How to Remediate section of the issue details page in Expander. Note that not all issues have remediation guidance yet. Cortex Xpanse will continue to add remediation guidance for more issues in future releases.
Improved heuristics for discovering services and assets produced by integrations: We improved the logic for loading issues and services on assets collected through our integrations to reduce instances of false positives.

Expander ITSM v3.0 for SNOW: The Expander integration for ServiceNow enables you to create Incidents based on issue updates in Expander, so you can quickly track, assign, and remediate risky assets or services that are exposed to the public Internet. This integration provides the ability to modify Incident severity based on issue update type or criticality and the ability to customize which issue update types create Incidents within ServiceNow.
What's new in this release?
• Support for the latest version of SNOW Platform - San Diego, Rome, Quebec
• Client Credential support

Attack Surface Management for Remote Workers Enhancements:
• The Map widget on the Remote Attack Surface dashboard now supports clickthrough actions to navigate to the Attack Surface Networks or Devices pages.
• The ASM for Remote Workers integration now supports Prisma Access and GlobalProtect as data sources for collecting information on remote workers.
Attack Surface Management for Remote Workers: The Attack Surface Management for Remote Workers feature has been expanded to support GlobalProtect™ as a data source. This API integration between Cortex Xpanse and GlobalProtect enables you to identify and alert on security issues on remote worker systems and network environments. See Remote Attack Surface Overview for more information.

Home Page Dashboard PDF Report: The Cortex Xpanse Home Page Dashboard can now be exported as a PDF report. Any settings or filters that are set on the home page will be represented in the PDF.

Remote Attack Surface Workforce Devices search improvement: The Remote Attack Surface Workforce Devices content search was updated to allow searching using internal IP addresses.

Service Details page improvements:
• A map view has been added to the service details page.
• Associated Network information has been updated to include findings related to the Cortex XDR integration.

Asset Search Improvements: New search facets were added to all of the asset list views in Expander to guide users in their searches for asset information. The search field will dynamically update and suggest which field should be filtered on based on the value.

Update to definition of Active status: Due to some inconsistencies in the way that dashboards have been reporting, we have updated the definition of an Active asset to mean "has a service". This change will be reflected across dashboards that filter on Status.
• Microsoft OWA policy has been updated to identify numbers
• Puppet Infrastructure
• MongoDB Mongo-Express
• Services Hosted in Adversary Country policy updated to include On Prem assets only
• HashiCorp Vault
• OpenVMS Operating System
• Gitea
• IBM Planning Analytics
• Apache Shiro
• ForgeRock Access Management (AM) Server
• Github Enterprise
• Argo CD
• SAP NetWeaver Application Server—This policy was updated to enable version numbers to be extracted under certain circumstances.
• Zoho ManageEngine ADManager
• Insecure Cisco Small Business RV Series Router—This policy was updated to detect CVE-2019-1653.
• NetGear ProSafe—NetGear ProSafe under Software identified in BOD 22-01
• Sophos XG Series Firewall—This policy identifies a Sophos XG Series firewall; the model number is identified where available.
• Sophos XGS Series Firewall—This policy identifies a Sophos XGS Series firewall; model and serial number are identified where available.
• Sophos SG Series Firewall—This policy identifies a Sophos SG Series firewall; model and serial number are identified where available.
• Zoho ManageEngine Desktop Central MSP—This policy identifies the presence of Desktop Central MSP on a host; the web UI may also be surfaced.
• Zoho ManageEngine Desktop Central
• Adobe Commerce—This policy identifies indicators for both Magento Open Source and Adobe Commerce. Version numbers are not identified.
• Zabbix IT Monitoring Software
Attack Surface Management for Remote Workers Enhancements:
• A map view has been added to the Workforce Network and Workforce Device detail pages
• The Remote Attack Surface dashboard was updated to include Network accounts for active networks only
• The Remote Attack Surface Workforce Networks list page now allows filtering based on status
• An activity status bar was added to the Workforce Networks and Workforce Devices details pages to indicate whether the asset is active, how many days it has been active, and the date range
• Provider information has been added to Workforce Networks and Workforce Devices list views and details pages
• Symantec Messaging Gateway
• VMware Workspace ONE UEM
• ISC BIND 9
• Insecure ISC BIND 9—identifies BIND 9 servers vulnerable to CVE-2021-25219
• Atlassian Bitbucket
• Microsoft Azure CycleCloud
• IBM MQ
• AppGate SDP
• Wordpress Server policy updated to add the version extractor
• Hikvision Device
• Insecure Atlassian Confluence Servers policy updated to identify versions before 7.4.10 and from 7.5.0 to 7.12.5
• Insecure OpenSSH
• Insecure Node.js policy updated to identify versions 12.0.0-12.22.4, 14.0.0-14.17.4, and 16.0.0-16.6.1

• The Service details page was updated to include detected issues associated with the service.
Increase resolution of scan timestamps to the nearest minute: This update enables Xpanse to provide more precise detail about the latest time an Issue was scanned.

Support for searching on policy description: On the Policies page, support has been added for searching on the policy description field.

ASM for Remote Workers enhancements:
• A toggle was added to the map view in the Remote Attack Surface dashboard to allow for viewing Networks and Devices.
• In the Peer Remote Devices table, each row now clicks through to the Device details page and each IP address clicks through to the IP address details page.
• The Workforce Device table columns have been updated. The Business Unit, Internal IP, and OS columns are being removed and new columns for Source and Network Location have been added.
• A trend count and indicator was added to the Total Workforce Networks dashboard widget.
• Cisco IOS
• Apache Hadoop Yarn Resource Manager
• GitBucket
• Schneider Electric EcoStruxure IT Gateway
• Microsoft Dynamics NAV
• VMWare RabbitMQ Management Plugin
• Cisco Email Security Appliance (ESA)
• MikroTik Router—identifies MikroTik Routers and administration portals (RouterOS).
• Insecure MikroTik Router—identifies insecure versions of MikroTik RouterOS through 6.42.
• H2 Database Console
• OctoberCMS—an open-source Content Management System
New login page design: Cortex® Xpanse™ has updated the design of the Expander login page.

Expander API documentation has moved to the Palo Alto Networks Developer Docs website: Expander API documentation can now be found at https://cortex.pan.dev/. Our old API documentation links have been updated to redirect to this new location.

Toggle between On Prem and Cloud on the Home Page map widget: You can now toggle between On Prem and Cloud issues on the Home Page map widget.

Support for Microsoft Edge browser: Microsoft Edge is now a fully supported browser for Cortex Xpanse Expander.
• Insecure TLS - Strict
• Insecure TLS policy was updated
• OGW Non-Compliant Issue policy was updated
• Zoho ManageEngine ServiceDesk Plus MSP
• Java Application
• VMWare Workspace ONE Access Server
• VMware vCenter and VMware vSphere policy updates
• VMware vRealize Suite Lifecycle Manager
• Netis Router
• Prisma Cloud
• Citrix XenServer
• Fortinet FortiOS
• MobileIron Sentry
• Zoho ManageEngine AssetExplorer
• Updates to the Zoho ServiceDesk Plus Policy
Attack Surface Management for Remote Workers: The ASM for Remote Workers module is an API integration between Cortex® Xpanse™ and Cortex XDR that combines an organization's endpoint details collected by Cortex XDR with public asset information discovered by Xpanse. For information about ASM for Remote Workers, including the new Remote Attack Surface dashboard in Expander, see the Remote Attack Surface Overview section in the Cortex Xpanse User Guide.

New Expander Home Page: The new Expander Home Page dashboard focuses on a number of critical use cases that make it faster to navigate to the most valuable sets of data. For more information about the Home Page dashboard and widgets, see Expander Home Page.

Drill through Home Page Map widget to Issues: You can now drill through the Expander Home Page map widget to filter issues by the country they are observed in.

Mean Time to Remediate (MTTR) Widget Updates: Fixed minor bugs with MTTR calculation, added a table to display the number of inactive issues by priority, and added an explanation about how we calculate MTTR. For details about the MTTR widget on the Home Page dashboard, see the section in Expander Home Page Dashboard.

User alert if no permission to edit Home Page Dashboard Preferences: If you do not have permission to edit the Home Page Dashboard Preferences, the Dashboard Preferences page will display a banner indicating that you don't have edit permission and the functionality on the page will be disabled. See Expander Home Page Filters and Dashboard Preferences for more information about setting Dashboard Preferences for the Home Page.

New Compliance Dashboard widget: This new widget on the Compliance Dashboard groups violations by asset in order to enable users to prioritize a given asset and remediate everything associated with it. Users can also drill through this widget back to the Issues module filtered by the asset that accounts for the most violations.

Policies CSV Export: You can now export the list of Policies to a CSV file to review them.
• Cisco Identity Services Engine (ISE)
• Updates to the versions categorized under the Insecure Drupal Webserver policy
• Draytek Vigor Router
• Suspected honeypots are now excluded from triggering other Issues
• Palo Alto Networks GlobalProtect Portal
• Zoho ManageEngine ServiceDesk Plus

Behavior data can now be downloaded as a CSV file: You can now download Behavior alerts as a CSV file directly from the Behavior tab in Expander.
• Golang Go
• Update to Insecure Microsoft Exchange Server policy in response to recent CVEs

Updated CSV Export: All CSV exports have been updated to include significantly more fields from the Xpanse API, better handle very large exports, and deliver exports via email if they are too large to complete in the browser. See CSV Export for more information.

NIST 800-171 and CMMC L1-L5 Compliance Frameworks: Mapping and documentation for NIST 800-171 and CMMC L1-L5 compliance frameworks have been updated and are generally available.

Users can choose to automatically turn on all new policies: Under the settings page, users who have the ability to enable and disable policies for their organization can now automatically opt-in to all newly published policies.
filter for issues and are included in the Issue details for reference.

Links to IP address and IP range details pages more visible: All links to the IP address and IP range details pages within Expander now show a navigation arrow next to them to make them more prominent.

Behavior risk rules with the term "Blacklist" are renamed: Behavior Risk Rules using the term "Blacklisted" have been renamed to use "Block Listed".

Configurable columns for Issues list view: As with the Services list view, you can now choose and order the columns displayed on the Issues list view.
Update to the IP Ranges API: The IP Ranges API has been rewritten and replaced, which should result in significantly faster performance for larger users.

Update to Related Registration Records: On the details page for a custom IP range, the Related Registration Records section will display the related registration records for the specified custom range only. It will no longer display the registration records for the entire parent range.

Update default filtering for Services: Directly Discovered is now the default Discovery Method filter for Services.

Addition of Has Issue column and filter to Domains and Certificates tabs: A new filter called Has Issue has been added to the Assets>Certificates and Assets>Domains tabs. These links in the Issue column click through to the Issues page with a filter applied by asset. This functionality will be coming to IP Ranges in the future.
Exact searching for domains in Issues and Services modules: You can now search for an exact match for domain names on the Issues and Services pages by placing your query in quotes. For example, searches for "example.com" will return only matches for example.com and will NOT return results such as subdomain.example.com. This update is accessible via UI and API.

Addition of "Has Issue" column and filter to Domains and Certificates: NIST 800-53 Compliance Assessments dashboard now includes additional policies that we have been releasing to Expander as well as updates to mappings for previous policies in an effort to make the data more operational.
Unmanaged Cloud feature availability: The Unmanaged Cloud feature is now available to all customers. The Unmanaged Cloud Overview dashboard will also be displayed for all customers, but will not have any data until a Prisma API key has been added.

Update Select All to always be visible in drop-down menus: Updated the Issue Type and Service Classification drop-down menus to improve filtering. With this change, the All Options selection at the top of the drop-down is always visible, eliminating the need to scroll to the top of the list to select or deselect it.

Registrant and Issuer Filters: A new filter was added to the Assets>Domains page for Domain Registrar and a new filter was added to the Assets>Certificates page for Certificate Issuers. You can now drill down from the Attack Surface Overview dashboard to those two modules.

Account ID filter for Cloud Resources: A new filter was added to the Assets>Managed Cloud Resources page for CSP account IDs, enabling cloud resources to be filtered by the originating account for the resource.

Default list view size: The default list views (Issues, Services, Policies, etc.) have been updated to show 50 per page, instead of 20.

Tech Partners Page: Palo Alto Networks Tech Partners site is the new home for our third-party integration documentation.
• Insecure OpenSSH
• Co-Located F5 BIG-IP TMUI
• VMware Workspace One Administrative Configurator
• Exim Mail Transfer Agent
• WordPress Administration Page
• VMware Carbon Black
• Cisco Data Center Network Manager
• PostgreSQL pgweb Login Portal
• PostgreSQL pgAdmin Login Portal
• Redis Enterprise Login Portal
• Redis Commander Login Portal
• PhpRedis Login Portal
• HashiCorp Consul Login Portal
• Atlassian Jira Server
• Cisco NX-OS
• PHP
• VMware Workspace One Administrative Configurator
• F5 BIG-IP TMUI—Updates to the existing policy.
• HPE ProLiant Server—This policy detects HPE ProLiant Servers. It is off by default.
• Insecure SIP Server—This is a new policy specifically to detect insecure SIP servers. It is a subset of the previously existing SIP Server policy. It is off by default.
• Microsoft Exchange, OWA—We improved detection of our existing Microsoft Exchange and Outlook Web Access (OWA) policies.
• Insecure Microsoft Exchange Server—This issue flags on-premises Microsoft Exchange Servers that are vulnerable to the zero-day exploits described by Microsoft in March 2021 and used by the Hafnium threat actor (HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security). The vulnerabilities identified by Microsoft are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. It is on by default.

Dashboards: Services Count and Providers Chart Now Include Drill-through: Users can now click on the summary Services count or the Go to... link in the Providers chart in the Attack Surface Overview dashboard in order to review more details about the relevant Services within the List View.

Update to Issues List view: Based on user feedback that the First Added column was occasionally confusing, we have replaced it with the column First Observed.

IP Details Page: The new IP Details page has shipped. This page allows users to pivot around a single device (IP address) and look for all the related issues, services, certificates, domains, etc.
an adversary to bypass authentication and impersonate clients or servers.
• SonicWall Secure Mobile Access VPN—Low – SonicWall released an urgent security notice of an ongoing investigation into probable zero-day vulnerabilities with its SMA 100 Series products. SonicWall SMA is a remote access gateway offering application-level VPN, granular access control, and device authorization to access corporate resources hosted on-prem, and in cloud and hybrid data centers. The SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v model VPNs) running SMA 8.x/9.x/10.x remains under investigation and should be acknowledged as potentially insecure. This issue finds SonicWall Secure Mobile Access (SMA) VPN devices. While this issue does not find model numbers, some server/software numbers and versions of software on login pages are able to be discovered, and are displayed where observed.
• UPDATED: Oracle WebLogic Server—Medium – This issue has been updated with enhanced signatures to find additional WebLogic servers.
• Oracle Fusion Middleware—Medium – Oracle Fusion Middleware is a suite of products from Oracle Corporation that facilitates infrastructure to create business applications. It can communicate with multiple services, including Oracle WebLogic (a Java EE application server), HTTP servers, integration services, business intelligence, and content management. This issue identifies web servers that have Fusion Middleware deployed by identifying the Oracle Fusion Middleware splash/documentation page.
• Cisco SD-WAN—Medium – Cisco SD-WAN is a software-defined wide area network management solution that is managed through Cisco's vManage interface. While this issue does not find versions of the SD-WAN software, it identifies the Cisco SD-WAN login page.
• Schneider Electric PowerChute—Medium – PowerChute Business Edition is a Schneider Electric software product for UPS management, graceful shutdown and energy management capabilities. This issue identifies agent web UI and logging features of PowerChute 9.2.1 and below.
• Adobe Experience Manager—Medium
• Cisco Integrated Management Controller (IMC)—Medium – This issue identifies Cisco Integrated Management Controllers (CIMC/IMC), a baseboard management controller that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers. There are several vulnerabilities in the API subsystem of CIMC, though this issue does not specifically flag the vulnerable version types.
• SAP BusinessObjects BI Platform—Medium – SAP BusinessObjects Business Intelligence Platform is a centralized suite for data reporting, visualization, sharing, and analysis with BusinessObjects WebIntelligence, Analytics Cloud, and SAP Crystal Reports. This issue enumerates instances of the SAP BusinessObjects Central Management Console (CMC), a web-based tool used to perform administrative tasks, including user management, content management, and server management.

Select All Option added to Dropdown Filters: We have added a more convenient select all button at the top of every drop-down filter, which can be used to more easily select either very few values or nearly all ("n-1") values.

Attack Surface Overview Dashboard now Defaults to "All Statuses": We have updated the default status filter for the Attack Surface Overview to All Statuses to improve customer convenience.
proxy for finding the Tomcat Management Portal as the landing page contains a button with a link to the management app. While the discovery scan does not actually "click the button" to download and run the management app, it flags the presence of the button displayed on the default landing page. Compromise of a Tomcat landing page could allow an adversary to connect to the management portal, change the configuration, upload new applications, or run arbitrary code on the server.

Dashboard Time Series Export Options: Users can now export Expander dashboard time series charts as png, svg, or csv.

Add "No Risk" Progress Status: Users now have an additional Progress Status within the Closed sub-category to classify Issues determined to have mitigating controls or valid policy exceptions without declaring them to be Acceptable Risk or Resolved.

Settings Page Redesign: Users can now find their Issues digest and change password settings within a top-level tab in Expander.
For additional information on how to use new features, refer to the Cortex Xpanse Assess User Guide.
Assess Release Information
Feature Description
Responsive IP asset type added to Asset Inventory: Responsive IPs have been added as an asset type in the Asset Inventory. Responsive IPs are dynamically created when Xpanse detects a responsive service running on an IP address associated with one of your organization's IP Ranges. Responsive IPs are linked to these IP Ranges and inherit details from their associated range, such as registration details and any assigned tags. Responsive IPs become inactive 30 days after all related services become inactive.
• Dashboards—The Dashboards module provides reporting on the current and historical state of an organization's Assets, Services, and Issues, giving insight into trends and helping leaders identify key topics and business units to focus on to improve the security posture of their organization.
See the Cortex Xpanse Assess User Guide for more information.
New Issue Policies
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information about policies.