Review the descriptions of the fields in the Alerts table.
The Alerts page in Expander displays a table of all alerts in Cortex Xpanse.
The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager.
Field | Description |
---|---|
Alert ID | A unique identifier that Cortex Xpanse assigns to each alert. |
Alert Name | Matches the service name, which is the service type plus the specific domain:port or IP:port pair for the service. |
Alert Source | Indicates whether the underlying asset was discovered through an Xpanse scan or a cloud integration (Prisma Cloud, MS Azure, GCP, AWS). |
Asset IDs | Unique identifier for the underlying asset. |
Attack Surface Rule | The attack surface rule that triggered the creation of the alert. |
Attack Surface Rule Category | An Xpanse categorization, typically based on input from customers or on published materials such as the BOD-22-01 or BOD-23-02 directives from CISA. |
Business Units | The business units assigned to the assets associated with the alert. |
Cloud Providers | The cloud provider used to collect the cloud assets. |
Country | Location of the service based on IP geolocation information. |
Description | Text summary of the event including the alert source, alert name, severity, and file path. |
Domain Names | The domain on which an alert was triggered. |
Excluded | Whether the alert is excluded by an exclusion configuration. |
External ID | Unique identifier for the alert. |
Has Service | Indicates whether the alert is associated with a service and provides a link to the service information. |
Incident Assigned Email | Email address of the user assigned to the related incident. |
Incident Assigned User | User assigned to the related incident. |
Incident ID | The ID of any incident that includes this alert. |
Incident Resolved Timestamp | Timestamp of when the related incident was resolved. |
Incident Status | Status of the related incident. |
IPv4 Addresses | List of the IPv4 addresses associated with this asset. |
IPv6 Addresses | List of the IPv6 addresses associated with this asset. |
Last Observed | Timestamp of when Xpanse last observed this alert. |
MITRE ATT&CK Tactic | Displays MITRE ATT&CK tactics associated with the alert. |
MITRE ATT&CK Technique | Displays the MITRE ATT&CK technique and sub-technique associated with the alert. |
Playbook Run Status | Status of the Active Response playbook running on this alert. |
Port Number | Number of the port that the service is running on. |
Port Protocol | The protocol detected on the service. |
Prisma Cloud Management Status | Indicates the origin of the data. Applies only to tenants with a Prisma Cloud integration. |
Resolution Status | The status that was assigned to this alert when it was triggered or last modified. See Alert Status for descriptions of each status. Right-click an alert to Change Status. |
Service IDs | Unique ID associated with the service. |
Severity | The severity that was assigned to this alert when it was triggered or modified: Low, Medium, High, or Critical. Right-click an alert to Change Severity. |
Starred | Whether the alert is starred by a starring configuration. |
Tags | The asset tags associated with the alert. |
Timestamp | The date and time when the alert was triggered. Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value. |
Website IDs | Unique ID associated with the website. |