Create a network scan - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-04
Category
Administrator Guide

Cortex XSIAM uses the Network Scanner to identify active hosts, services, and vulnerabilities within your internal network (on-premises and cloud). After installing Cortex Network Scanner, you can create one or more scans that you schedule to run periodically or run on demand. Learn more about scan templates, the steps to create and schedule a scan, and the advanced scan settings.

[Figure: scan-templates.png, the scan template selection screen]
  1. Prerequisites and Setup

    Before creating a scan, ensure the appropriate components are configured based on your scan type:

    • For Network Scans:

      • Broker VM & Applet: A Broker VM must be active with the Network Scanner applet installed and connected, as indicated by a green status dot in Settings > Configurations > Data Broker > Broker VMs.

    • Optional:

      • Target Groups: Create reusable groups of IP addresses or hostnames.

      • Credentials: Save SSH (Unix) or SMB (Windows) credentials in Settings > Configurations > General > Credentials.

  2. Scan Creation Wizard

    To begin, navigate to Modules > Vulnerability & Exposure Management > Scan Management and click + Create Scan. Select a template based on your objective:

    • Discovery Scan: Identifies active hosts and gathers high-level OS information.

    • Vulnerability Scan: Performs deep inspection of services to identify known CVEs and security weaknesses.

    • Focused Vulnerability Scan: Targets specific vulnerabilities, including emerging threats and zero-day vulnerabilities (ideal for verifying patches or high-priority CVEs).

    • Policy Audit Scan: Helps you check whether a specified Asset Group is in compliance with selected policies and standards. CIS Microsoft Windows 11 Enterprise Benchmark and CIS Microsoft Windows Server 2022 Benchmark are currently supported.

    1. General Configuration

      Configure the basic identity and timing for the scan:

      • Name & Description: Provide a unique identifier and optional context.

      • Scan Scheduling:

        • Create and save the scan configuration. To launch a scan, right-click the configured scan and select Launch Scan.

        • Launch Once: Schedules a single execution at a future date/time.

        • Recurring (Days of Week/Month): Sets a repeating schedule.

        • Quiet Hours: Define specific time windows where scanning is paused to prevent interference with business operations.

    2. Scope Selection

      Define the boundaries of the scan:

      • Network: Select the defined network environment to be scanned.

      • Network Scanner: Choose one or more Broker VMs to execute the scan. Traffic is distributed across selected scanners; ensure firewall rules allow scanner-to-target traffic.

      • Inclusions:

        • Target Groups: Select previously configured and saved Targets.

        • Asset Groups: Select previously saved Asset Groups, managed within the Asset Inventory as Targets.

        • Manual Targets: Directly enter IP addresses, CIDR ranges, or hostnames.

      • Exclusions:

        • Manual Exclusions: List specific IPs or ranges to skip.

        • Exclusions override Inclusions: When enabled, any asset excluded in one group remains excluded even if it appears in another included group.

      • Saved Credentials: Select one or more credentials. For security reasons, you can add only up to 5 credentials to a scan. The scanner attempts these sequentially on each host until authentication succeeds.
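As an added example (not part of this guide or of the Cortex product), the following Python models how the Scope Selection fields combine: inclusions from every group are expanded, manual exclusions remove an asset no matter how many included groups list it (the Exclusions override Inclusions behaviour), and IP targets that fall outside the selected Network are flagged for review before launch. The group names, sample addresses and the 10.1.0.0/16 network are constructed assumptions.

```python
import ipaddress

def expand_target(spec):
    """Expand one target entry (IP, CIDR range, or hostname) into a set of
    strings. CIDR ranges expand to their usable host addresses; a single IP
    stays as-is; anything that is not an IP/CIDR is kept as a hostname."""
    spec = spec.strip()
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return {spec.lower()}            # hostname; not resolved here (offline)
    if net.num_addresses <= 2:           # /32 or /31: no network/broadcast split
        return {str(a) for a in net}
    return {str(h) for h in net.hosts()}

def resolve_scope(network_cidr, included_groups, manual_exclusions):
    """Return (targets, out_of_scope) for a scan configuration.
    - included_groups: {group name: [entries]}, e.g. Target Groups plus
      Manual Targets
    - manual_exclusions: [entries] removed from the result regardless of how
      many included groups contain them (Exclusions override Inclusions)
    - out_of_scope: IP targets outside the selected Network; review these
      before launching so the scan stays within the intended boundary"""
    included = set()
    for entries in included_groups.values():
        for entry in entries:
            included |= expand_target(entry)
    excluded = set()
    for entry in manual_exclusions:
        excluded |= expand_target(entry)
    targets = included - excluded
    net = ipaddress.ip_network(network_cidr, strict=False)
    out_of_scope = set()
    for t in targets:
        try:
            if ipaddress.ip_address(t) not in net:
                out_of_scope.add(t)
        except ValueError:
            pass                         # hostnames cannot be range-checked unresolved
    return targets, out_of_scope

# Constructed sample scope (hypothetical group names and addresses).
SAMPLE_GROUPS = {
    "Target Group: DMZ web": ["10.1.1.0/30", "web01.example.internal"],
    "Manual Targets": ["10.1.1.2", "10.9.9.9"],
}
SAMPLE_EXCLUSIONS = ["10.1.1.2"]         # listed in both groups; still excluded

if __name__ == "__main__":
    targets, out_of_scope = resolve_scope("10.1.0.0/16", SAMPLE_GROUPS, SAMPLE_EXCLUSIONS)
    print("targets:", sorted(targets))
    print("outside selected network, review before launch:", sorted(out_of_scope))
```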

  3. Scan Performance and Optimization

    To ensure optimal performance without impacting network stability:

    • Broker VM Resources: Ensure the scanner host has at least 4 CPU cores and 8 GB RAM. An 8-core CPU and 16 GB RAM are highly recommended for large-scale scans.

    • Recommended Deployment Strategy: Deploy scanners strategically within target security zones to keep traffic local and avoid crossing firewalls.

    • Firewall Rules: If scanning across network boundaries, allow traffic from the scanner to "Any" application and "Any" service/port on target devices.

    • Windows Targets: Ensure ports 139 and 445 are open for SMB-based authenticated scans.

  4. Monitoring Results

    Once a scan is initiated, you can track its progress in the Scans table.

    • Reviewing Issues: Completed scan data is integrated into the Vulnerability Management views. Navigate to Vulnerability & Exposure Management > Issues to investigate discovered vulnerabilities and unmanaged devices.

Advanced Settings

The following sections describe the advanced scan settings. Most Cortex Network Scanner use cases can use default settings.