Asset Tagging - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Learn about how Cortex Xpanse uses tags to support advanced data filtering, customized data, and to restrict or permit access to data.

Cortex Xpanse supports the use of tags to enable custom IP ranges, advanced data filtering, customized data, and to restrict or permit access to data in Expander using Scope-Based Access Control (SBAC). There are two types of tags:

  • User-defined tags—User-defined tags include the following:

    • Asset Tags (use the designation AT in the UI)—You can create, apply, and remove Asset Tags (AT) manually on the asset pages for domains, certificates, owned responsive IPs, and cloud assets in your Inventory.

    • IP Range Tags (IPR)—You can create, apply, and remove IP Range tags (IPR) manually on the Owned IPv4 Ranges and page in the Inventory.

    • Rule-Based Tags (TR)—You can define tag rules that apply tags automatically to assets that match your rule criteria, including any new assets that are attributed to your organization. Tag rules can be created for IPv4 addresses and IPv4 ranges, enabling you to define custom IPv4 ranges.

  • Xpanse-defined tags—These tags are predefined and systematically applied to assets in Expander. Xpanse-defined tags cannot be removed or modified by users.

    • Attribution Reason Tags (AR)—Tags applied to assets by Expander indicating why the asset was attributed to your organization. Values are Has Your Content or Registration Only.

    There are some Asset Tags (AT) which are predefined and assigned by Xpanse (such as the Xpanse Discovered tag) but can be modified by users.

Both user-defined tags and Xpanse-defined tags are propagated from the asset to the related services, websites, alerts, and incidents within your tenant. Removing a tag from an asset will also remove the tag from any services, websites, alerts, and incidents to which it had propagated. When applying or removing a tag, it could take up to 2 hours for the tag to appear on (or disappear from) the services, websites, alerts, and incidents.

Tag-based filtering is supported on asset pages, services and websites pages, incidents, alerts, and reports and dashboards. For information about how to use tags for SBAC, see Manage User Scope.

In Expander, you can apply tags to all assets in your Inventory except websites and services. However, services inherit tags from the assets they are associated with.

Asset tags and IP Range tags are managed from the asset pages in your Inventory. Tag Rules are created and managed on the Asset Tag Rules page.