Alert Fields - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Review the descriptions of the fields in the Alerts table.

The Alerts page in Expander displays a table of all alerts in Cortex Xpanse.

The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager.



Alert ID

A unique identifier that Cortex Xpanse assigns to each alert.

Alert Name

Matches the service name, which is service type and the specific domain:port or IP:port pair for the service.

Alert Source

Indicates whether the underlying asset was discovered through an Xpanse scan or a cloud integration (Prisma Cloud, MS Azure, GCP, AWS).

Asset IDs

Unique identifier for the underlying asset.

Attack Surface Rule

The attack surface rule that triggered the creation of the alert.

Attack Surface Rule Category

An Xpanse categorization, typically based on input from customers or published materials such the the BOD-22-01 or BOD-23-02 from CISA.

Business Units

The business units assigned to the assets associated with the alert.

Cloud Providers

The cloud provider used to collect the cloud assets.


Location of the service based on IP geolocation information.


Text summary of the event including the alert source, alert name, severity, and file path.

Domain Names

The domain on which an alert was triggered.


Whether the alert is excluded by an exclusion configuration.

External ID

Unique identifier for the alert.

Has Service

Indicates whether the alert is associated with a service and provides a link to the service information.

Incident Assigned Email

Email address of the user assigned to the related incident.

Incident Assigned User

User assigned to the related incident.

Incident ID

The ID of any incident that includes this alert.

Incident Resolved Timestamp

Timestamp of when the related incident was resolved.

Incident Status

Status of the related incident.

IPv4 Addresses

List of the IPv4 addresses associated with this asset.

IPv6 Addresses

List of the IPv6 addresses associated with this asset.

Last Observed

Timestamp of when Xpanse last observed this alert.


Displays MITRE ATT&CK tactics associated with the alert.

MITRE ATT&CK Technique

Displays the MITRE ATT&CK technique and sub-technique with the alert.

Playbook Run Status

Status of the Active Response playbook running on this alert.

Port Number

Number of the port that the service is running on.

Port Protocol

The protocol detected on the service.

Prisma Cloud Management Status

Indicates the origin of the data. Applies only to tenants with a Prisma Cloud integration.

  • Unmanaged Cloud: Cloud assets discovered by Xpanse that are not present or supported in your Prisma Cloud inventory.

  • Managed Cloud: Cloud assets discovered by Xpanse that are present in your Prisma Cloud inventory.

  • Not Applicable: The service for this alert is derived from on-prem assets.

Resolution Status

The status that was assigned to this alert when it was triggered or last modified. See Alert Status for descriptions of each status.

Right-click an alert to Change Status.

Service IDs

Unique ID associated with the service.


The severity that was assigned to this alert when it was triggered or modified: Low, Medium, High, or Critical. Right-click an alert to Change Severity.


Whether the alert is starred by starring configuration.


The asset tags associated with the alert.


The date and time when the alert was triggered.

Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value.

Website IDs

Unique ID associated with the website.