Search and Filter Bar - User Guide - 1.0 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Assess User Guide

Product
Cortex XPANSE
Version
1.0
Creation date
2022-08-25
Last date published
2024-03-26
End_of_Life
EoL
Category
User Guide
Abstract

The filter bar for Issues provides a drop-down box for each filter, where the criteria are set in the Issues Detail View.

The Filter Bar provides a drop-down box for each filter. These criteria are set in the Issues Detail View. To set a single filter, select the criteria from the filter drop-down, such as Critical Priority. Once you have selected your filter criteria, click Apply Filters. The following are the available filters:

  • Filtering and Searching—In addition to filtering, Cortex Xpanse provides the ability to conduct extensive searches of Issues content. There are four categories of searches:

    [Image: issues-search.png]
    • Content search—Cortex Xpanse searches on a broad range of fields for Issues, including name and certificates, such as issuer, full name, countries, org, extensions, public key, and subject. Some things to consider when conducting content searches:

      - If you are looking for domains, IP/CIDR, or ports, using those specialized searches will be much faster, though the Content search will still work.

      - The Content search uses prefixes and phrases, but not suffixes. For example, if you search on “Work” you will receive any Issue that contains any word starting with “work”, such as work, workgroup, and workstation. If you search on “Group,” you will not see Issues that contain “Workgroup.”

    • Domain Search—Domain searches are meant to be targeted searches. Specify the complete domain, such as www.acme.com, if possible. Domain search will also search on the name, such as acme, or a subset of the full domain, such as www.acme or acme.com. Domain Search does not use boolean, such as AND, OR, and NOT, or wildcard, such as ? or *, operators.

    • IP/CIDR—Cortex Xpanse expects a valid IP/CIDR address, such as 1.1.1.1 or 1.1.1.1/16. You may also search on an IP Address range, such as 1.1.1.1 - 1.1.1.16, or you may use a wildcard, such as 1.1.1.*.

    • Port—For a port search, you can enter one port, such as 80, or a set of ports, such as 80, 443, 8080. Cortex Xpanse does not search on a range of port numbers, such as 80 - 100, or support wildcards, such as 80*.

  • Priority—The options for priority are Critical, High, Medium, and Low. Cortex Xpanse automatically sets a priority upon Issue creation. You may set the default priority for an Issue type, such as Elasticsearch Server, RDP Server, and WordPress Server, on the Policies page. Priorities are initially assigned as Low, Medium, or High. The Critical priority is available as a user-assigned action, giving you room to escalate important findings and make them easy to filter down to. You may change the priority of an Issue at any time. All priority changes, including the modifying user, the previous priority level, and the time of the change, are automatically logged by Cortex Xpanse.

  • Progress—Setting this filter will limit the list view based on Issue progress. There are two levels to this drop-down:

    • Open Issues

      - New—Cortex Xpanse automatically opens a new Issue with a New status.

      - Investigating—Cortex Xpanse recommends setting an Issue's status to Investigating as the first step in remediating the Issue. Typically, this step involves conducting an investigation to understand the business context of the Issue. This information is important for identifying potential service owners who may assist in remediation.

      Note

      As soon as a point of contact (POC) is confirmed, add the contact information to the asset record associated with the Issue.

      - In Progress—Cortex Xpanse recommends setting an Issue's status to In Progress as soon as the initial investigation is complete, for example once service owners have been identified and contacted. The Issue should remain In Progress as long as remediation is ongoing.

    • Closed Issues

      - Resolved—Cortex Xpanse recommends setting an Issue to Resolved once investigation and remediation are complete. It is important to note that if Cortex Xpanse sees the Issue reappear, the Issue will be reopened and assigned the New status. Reopened Issues retain the complete history of comments and status changes.

      - Acceptable Risk—Cortex Xpanse recommends setting an Issue to Acceptable Risk if the Issue meets the organization’s level of acceptable risk. This could mean that the Issue was remediated to a point where it now meets an acceptable level of risk. It is important to note that an Issue set to Acceptable Risk will not trigger new Issues, even though Cortex Xpanse will continue to see this Issue. For this reason, only Issues that cannot be resolved should be set to Acceptable Risk. Otherwise, you should remediate the Issue and resolve it completely.

      - No Risk—Cortex Xpanse provides the No Risk status to allow you to mark Issues for which there are mitigating controls or protections in place that are not observable by the platform. Like Acceptable Risk, No Risk will not trigger new Issues, even if Cortex Xpanse continues to see evidence of that kind of problem. Therefore, we urge you to use the No Risk status only after a thorough investigation has been performed, and to periodically re-assess any No Risk Issues to confirm they continue to pose no risk to your organization.

  • Assignee—Assignees are registered users of the Cortex Xpanse platform.

  • Status—Cortex Xpanse automatically sets an Issue Activity Status based on how recently an Issue was seen:

    • Active—Cortex Xpanse has recently observed evidence indicating that the Issue is still valid.

    • Inactive—An Issue becomes Inactive once Cortex Xpanse no longer observes the evidence associated with the asset or service. Clicking Ready to Close displays all Inactive Issues. How long Cortex Xpanse waits before declaring an Issue Inactive depends on the type of evidence and the scan frequency. There are a number of reasons why this occurs:

      - The asset or service is no longer displaying the evidence because the asset or service has been reconfigured. For example:

      1. An expired certificate has been replaced with a fresh certificate.

      2. An unencrypted FTP server has been reconfigured to use only encrypted SFTP.

      3. A web server using insecure TLS/SSL is reconfigured to use only secure cipher suites and versions.

      - The asset or service is no longer responsive or routable via the public Internet. For example:

      1. The service may have been shut down.

      2. The service is now behind a firewall and is no longer routable on the public Internet.

      - If the Issue is seen again, Cortex Xpanse automatically changes the Issue back to Active status.

  • Business Unit—Filters by the assigned business unit.

  • Provider—Filters by hosting provider.

  • Provider Account—Filters by the specified integrated managed cloud resource from the given provider account.

  • Country—Filters by country based on IP geolocation.

  • Issue Type—The Issue Type filter is located in a panel to the left of the Issue list. The Issue Types are grouped into categories. Click the arrow to the left of any category to show the list of all of the Issue Types within that category. You can select one or more individual Issue Types or Issue categories, and then click Apply Filters.

    [Image: issue-filter-categories.png]
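The search syntax documented under Filtering and Searching above (content search as prefix/phrase matching, IP/CIDR in single, CIDR, range and wildcard forms, and port lists without ranges or wildcards) can be validated locally before pasting values into the filter bar. The following is an added illustrative parser that follows those documented rules; it is not Cortex Xpanse's own implementation, and the function names are assumptions.

```python
import ipaddress
import re

def parse_ip_filter(text: str) -> list[ipaddress.IPv4Network]:
    """Expand the documented IP/CIDR search forms into networks (illustrative, not Xpanse code)."""
    s = text.strip()
    if "*" in s:  # wildcard form, e.g. 1.1.1.* (each * stands for a whole octet)
        octets = s.split(".")
        if len(octets) != 4 or any(o != "*" and not o.isdigit() for o in octets):
            raise ValueError(f"bad wildcard form: {text!r}")
        first_wild = octets.index("*")
        if any(o != "*" for o in octets[first_wild:]):
            raise ValueError("wildcard octets must be trailing")
        base = ".".join(octets[:first_wild] + ["0"] * (4 - first_wild))
        return [ipaddress.IPv4Network(f"{base}/{8 * first_wild}")]
    if "-" in s:  # range form, e.g. 1.1.1.1 - 1.1.1.16, collapsed to a minimal CIDR set
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in s.split("-", 1))
        if lo > hi:
            raise ValueError("range start is greater than range end")
        return list(ipaddress.summarize_address_range(lo, hi))
    # single address or CIDR; strict=False lets 1.1.1.1/16 mean 1.1.0.0/16 as in the guide
    return [ipaddress.IPv4Network(s, strict=False)]

def ip_matches(ip: str, ip_filter: str) -> bool:
    """True if the address falls inside any network the filter expands to."""
    return any(ipaddress.IPv4Address(ip) in net for net in parse_ip_filter(ip_filter))

PORT_TOKEN = re.compile(r"^\d{1,5}$")

def parse_port_filter(text: str) -> list[int]:
    """Accept one port or a comma-separated set ("80, 443, 8080"); reject ranges and wildcards."""
    ports = []
    for token in (t.strip() for t in text.split(",")):
        if not PORT_TOKEN.match(token):  # catches "80 - 100" and "80*"
            raise ValueError(f"unsupported port token (no ranges or wildcards): {token!r}")
        if not 0 < int(token) <= 65535:
            raise ValueError(f"port out of range: {token}")
        ports.append(int(token))
    return ports

def is_valid_port_filter(text: str) -> bool:
    try:
        parse_port_filter(text)
        return True
    except ValueError:
        return False

def content_matches(query: str, text: str) -> bool:
    """Prefix/phrase semantics from the guide: query words must prefix consecutive words in text."""
    q = re.findall(r"\w+", query.lower())
    words = re.findall(r"\w+", text.lower())
    return any(all(words[i + j].startswith(q[j]) for j in range(len(q)))
               for i in range(len(words) - len(q) + 1))
```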