Asset Attribution - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Learn about the attribution information Cortex Xpanse provides about your assets, so you know why each asset was attributed to your organization.

Cortex Xpanse provides attribution information about each asset in your asset inventory, so you know at-a-glance why Expander believes an asset belongs to your organization. Xpanse provides the following attribution data for each asset:

Note that asset attribution information is not available for services or websites.

Asset Attribution Evidence

The Asset Attribution Evidence section appears on the asset details panel and on the Assets tab in an incident. This section provides two key pieces of information:

  • Origin Information—Explains whether an asset was discovered by Cortex Xpanse or provided by your organization and when the asset was last seen.

  • Attribution Evidence—Explains why the asset was attributed to your organization. Provides the seed term that Cortex Xpanse used to attribute the asset to your organization and the specific piece of scan data that Cortex Xpanse matched to the seed term.

    A seed term is a text string that our research team generated and associated with your organization. For example, seed terms for Cortex Xpanse might include: Xpanse, Cortex, Cortex Xpanse, Palo Alto Networks, PANW, PAN, etc.  We use machine learning models as well as manual research to match the seed terms with our scan data to attribute assets to your organization. Additional details on how we attribute assets can be found in the Cortex Xpanse Discovery and Attribution datasheet.


Depending on the asset type and scan data, most assets will have one or more pieces of attribution evidence. Assets that don't have attribution evidence do not have a seed term match. The following are reasons we may not have a seed term match:  

  • The domain or IP range is provided by the customer and cannot be externally validated using public data.

  • The domain registration information is redacted, blank, or private. We attribute these through manual routing.

  • The domain is attributed by an associated website (e.g. is attributed to Example Corp because the website at shows clear evidence of belonging to Example Corp).

  • The domain is attributed based on a DNS record.

If you have questions about a specific asset, reach out to Customer Success.

Attribution Confidence Labels

Confidence labels allow you to quickly see how confident Expander is that an asset belongs to your organization. The following table lists the attribution criteria Expander uses to assign confidence labels. If an asset has multiple methods of attribution, Expander applies the confidence label based on the highest confidence method.

Confidence Label

Attribution Criteria


Very High Confidence applies to following the assets:

  • IP Ranges attributed to you because they are registered to your organization and because they host your content (such as your certificates or domains). Content-attributed IP Ranges are tagged with the Has Your Content tag.


High Confidence applies to the following assets:

  • Any asset that was provided by you, rather than discovered by Expander. These assets have the Provided Domain asset tag (AT) and the Provided Range IP range tag (IPR).

  • Certificates

  • Domains


Medium Confidence applies to the following assets:

  • IP Ranges attributed to your organization by registration only. These ranges typically do not host certificates or domains that look like you, and are more likely to be instances of stale registration. These IP Ranges are tagged with the Registered to You tag.

  • Assets from cloud compute instance integrations

    • XCloud (AWS, Azure, GCP)

    • Prisma Cloud

    Cloud compute assets can have dynamically assigned IP addresses, so the IP address that was recorded when the asset was last updated may no longer be associated with your organization

Confidence labels appear on the asset details panel and the Assets tab in an incident.

Attribution-Related Tags

Cortex Xpanse uses the asset attribution-related tags listed below to indicate whether an asset as discovered by Xpanse or provided by you and why it was attributed to you. These tags enable you to use attribution criteria to filter assets and incidents and to provide scope-based access control. Expander applies the relevant attribution-related tags to assets automatically.

  • Asset Tags (AT) -- AT tags are editable by users.

    • xpanse discovered

    • provided domain

  • IP Range Tags (IPR) -- IPR tags are editable by users.

    • xpanse discovered

    • provided range

  • Attribution Tags (AR) -- AR tags are not editable by users.

    • Has Your Content

    • Registered to You

All tags are displayed in the Tags column of the Asset Inventory pages and on the asset details panel.