Learn about the attribution information Cortex Xpanse provides about your assets, so you know why each asset was attributed to your organization.
Cortex Xpanse provides attribution information about each asset in your asset inventory, so you know at-a-glance why Expander believes an asset belongs to your organization. Xpanse provides the following attribution data for each asset:
Note that asset attribution information is not available for services or websites.
Asset Attribution Evidence
The Asset Attribution Evidence section appears on the asset details panel and on the Assets tab in an incident. This section provides two key pieces of information:
Origin Information—Explains whether an asset was discovered by Cortex Xpanse or provided by your organization and when the asset was last seen.
Attribution Evidence—Explains why the asset was attributed to your organization. Provides the seed term that Cortex Xpanse used to attribute the asset to your organization and the specific piece of scan data that Cortex Xpanse matched to the seed term.
A seed term is a text string that our research team generated and associated with your organization. For example, seed terms for Cortex Xpanse might include: Xpanse, Cortex, Cortex Xpanse, Palo Alto Networks, PANW, PAN, etc. We use machine learning models as well as manual research to match the seed terms with our scan data to attribute assets to your organization. Additional details on how we attribute assets can be found in the Cortex Xpanse Discovery and Attribution datasheet.
Depending on the asset type and scan data, most assets will have one or more pieces of attribution evidence. Assets that don't have attribution evidence do not have a seed term match. The following are reasons we may not have a seed term match:
The domain or IP range is provided by the customer and cannot be externally validated using public data.
The domain registration information is redacted, blank, or private. We attribute these through manual routing.
The domain is attributed by an associated website (e.g. example.com is attributed to Example Corp because the website at www.example.com shows clear evidence of belonging to Example Corp).
The domain is attributed based on a DNS record.
If you have questions about a specific asset, reach out to Customer Success.
Attribution Confidence Labels
Confidence labels allow you to quickly see how confident Expander is that an asset belongs to your organization. The following table lists the attribution criteria Expander uses to assign confidence labels. If an asset has multiple methods of attribution, Expander applies the confidence label based on the highest confidence method.
Confidence Label | Attribution Criteria | |
---|---|---|
Very High Confidence applies to following the assets:
| ||
High Confidence applies to the following assets:
| ||
Medium Confidence applies to the following assets:
|
Confidence labels appear on the asset details panel and the Assets tab in an incident.
Attribution-Related Tags
Cortex Xpanse uses the asset attribution-related tags listed below to indicate whether an asset as discovered by Xpanse or provided by you and why it was attributed to you. These tags enable you to use attribution criteria to filter assets and incidents and to provide scope-based access control. Expander applies the relevant attribution-related tags to assets automatically.
Asset Tags (AT) -- AT tags are editable by users.
xpanse discovered
provided domain
IP Range Tags (IPR) -- IPR tags are editable by users.
xpanse discovered
provided range
Attribution Tags (AR) -- AR tags are not editable by users.
Has Your Content
Registered to You
All tags are displayed in the Tags column of the Asset Inventory pages and on the asset details panel.