Learn about the core concepts, features, and lifecycle of assets within the Asset Inventory.
The Asset Inventory acts as a centralized repository and a single source of truth for all asset-related information in Cortex Cloud. Designed to provide end-to-end asset visibility across the entire enterprise, the inventory covers code, cloud, and runtime in cloud, hybrid, and on-premise environments. Cortex collects, normalizes, and aggregates data from multiple sensors to create a single, holistic profile for each asset.
Asset classification hierarchy
Assets are organized into a strict hierarchy to facilitate filtering and management:
Class: The highest-level grouping based on general purpose or domain, such as Compute, Network, or Data
Category: A more detailed grouping within a class based on normalized function, such as Virtual Machine, Container, or Storage Bucket
Type: The most specific level of classification, representing the provider-specific name for a particular asset, such as an AWS EC2 Instance or GCP Compute Engine Instance
Asset profiles
When Cortex Cloud discovers an asset, it builds a comprehensive profile by stitching together data from multiple sources. This profile consists of:
Core attributes: Essential identifiers like the unique ID, name, and provider
Main attributes: Normalized characteristics and configuration details
Other attributes: Extended fields that provide additional normalized properties
Enrichments: Derived contexts, such as associated security findings or an "exposed to the internet" status
Raw data: The original, unstructured JSON data collected directly from the source
Key inventory features
The inventory provides several advanced tools for exploring and managing your enterprise:
Interactive filter widgets: The top of the page features interactive widget cards like Provider, Class, and Category that summarize your environment. You can change the attribute displayed for each widget card to customize your view, and you can shrink the widget lane to maximize screen space for the inventory table
Saved views and quick filters: Use pre-defined saved views like Cloud and Enterprise to quickly subset the data, or utilize quick filters to easily isolate assets with Critical Cases or Issues
Dashboard integration: Click the Dashboard button at the top of the page to navigate to a dedicated system dashboard for deeper analysis
Query via XQL: The entire asset inventory is available to be queried via XQL using the asset_inventory dataset. For advanced identity use cases, such as Cloud Infrastructure Entitlements Management permissions analysis, you should use the ciem_permissions_with_last_access dataset.
Graph-based asset exploration: When enabled, the inventory supports graph queries via Cypher to explore complex relationships between assets, such as asset-to-asset network paths, identity-to-resource permissions, and network exposure paths.
Direct case and issue correlation: Assets are directly linked to active security investigations, allowing analysts to immediately understand how an asset relates to active threats and view breakdowns of critical cases and issues directly on the asset profile.
Asset groups and tagging: Group assets based on shared attributes to address them collectively, or manually add tags and annotations to build out asset profiles.
Asset lifecycle and cleanup
To maintain an accurate and clutter-free inventory, an automated cleanup process periodically removes outdated assets in the background. If an asset stops reporting, it follows a specific vanish cadence: it is Active from 0 to 3 days, Not Seen from 3 to 5 days, and Lost from 5 to 7 days. After 7 days, the asset is no longer shown in the inventory table.