# Enhancing Critical Risk Detection with Cortex Xpanse Attack Surface Rules

By [Andrew Scott](https://www.paloaltonetworks.com/blog/author/andrew-scott/?ts=markdown "Posts by Andrew Scott")

Jun 30, 2024

Organizations are constantly scaling their IT infrastructure to meet the demands of cloud and hybrid work, but this acceleration also leads to unintended growth in their attack surface. According to [our latest research](https://www.paloaltonetworks.com/blog/2023/09/attack-surface-threat-report-highlights-need-for-asm/), attackers successfully exploited some of the latest critical vulnerabilities and exposures within hours of their disclosure. Attackers are using automation to actively find the path of least resistance, while security teams are still struggling to inventory all their internet-facing assets and identify potential security risks across on-prem and cloud.

To help defenders fight back effectively, Cortex Xpanse has continuously evolved its [industry-leading](https://www.paloaltonetworks.com/blog/security-operations/palo-alto-networks-leads-the-pack-in-kuppingercoles-asm-leadership-compass/) attack surface management (ASM) product. Today, we are announcing an expansion to our Attack Surface Rules which help customers automatically find their critical exposures and risks.

In our latest announcement, we delivered our 800th surface rule for our customers using Expander and the ASM Module in XSIAM. Attack Surface Rules allow for the identification of risks on an organization's internet-facing attack surface.

Our attack surface rules library consists of numerous rule categories, such as:

* Insecure detections, which indicate a vulnerability due to an observed version or configuration of a service
* Unsafe protocol and service detections, including unencrypted protocols like Telnet and FTP, exposed database servers, and unintentionally revealed admin interfaces
* Rules to detect and alert on exposed IoT devices, embedded devices, and operational technology (OT)
* Certificate and cryptographic hygiene enumeration
* Common web application weaknesses
* And more

As a part of this release, the Cortex product and research teams have conducted a thorough review of all existing attack surface rules to ensure that no critical threat goes unsurfaced. As a result, we will adjust the default enablement status of many rules and update our operational guidance. In July, we plan to approximately double the number of attack surface rules that are enabled by default.

Our updated criteria for the default-enabled rule set include:

* All High-severity rules that are not considered noisy. Ex: Insecure Jenkins Server
* All Medium-severity rules that are uncommon and significant. Ex: SAP Employee Self-Service Portal
* All OT and IoT-related rules which are not typically exposed to the internet but are actionable if accidentally accessible. Ex: Schneider Electric Modicon MC80 PLC

This new methodology aims to ensure that customers do not miss any critical findings due to a disabled rule. Our analysis indicates that enabling these low-volume but high-criticality rules will have no downsides. However, missing these crucial misconfigured exposures could be disastrous for organizations. Since we have observed a low prevalence of the majority of these risks on the public internet, we expect this change to have minimal, if any, impact on most customers.

Current users of Expander or the ASM Module in XSIAM who have made changes to their attack surface rules configuration will not have their changes overwritten by this update.

Additionally, our 2.6 release includes several other improvements, such as automated inventory tag rules, additional inventory fields, new active response enhancements, an updated API, and more.

## What's New in Cortex Xpanse 2.6?

* **Inventory Tag Rules:** Automate the tagging of assets with Inventory Tag Rules (formerly called asset tag rules). These rules enable you to define custom tags and custom rules for automatically assigning tags to IPv4 addresses, IPv4 ranges, domains, certificates, and Prisma Cloud resources.
* **Auto-patching with Active Response:** Automatically patch insecure OpenSSH via AWS Systems Manager.
* **New Inventory Fields:** Gain additional context for investigating assets with new fields that have been added to tables in the inventory, including domain registrant organization, domain admin organization, certificate expiry date, and certificate hash.
* **New Alerts Fields:** Easily investigate and remediate alerts with remediation guidance and certificate subject organization.
* **Cortex Xpanse API Updates:** Create custom IPv4 ranges and reassign assets to different business units using new API improvements.
* **Threat Response Center Enhancements:** Expander's threat response center is getting several styling and quality-of-life enhancements, including SBAC support. The Threat Response Center will also be available within the ASM Module in XSIAM.

**To learn more about these new capabilities and features, please see the [Cortex Xpanse 2.6 Release Notes](https://docs-cortex.paloaltonetworks.com/r/Beta/Cortex-XPANSE/2/Cortex-Xpanse-Expander-Release-Notes/Cortex-Xpanse-Expander-Release-Information) or contact your Customer Support Team.**