Asset discovery and attribution - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-05-22
Last date published
2024-07-01
Category
User Guide
Solution
Cloud
Abstract

Cortex Xpanse uses a variety of methods to discover and attribute internet-facing assets to your organization.

Cortex Xpanse uses a variety of methods to discover and attribute internet-facing assets to your organization. These methods include:

  • IP Registration—The IP range’s registry information mentions information about your organization. Cortex Xpanse pulls from all regional internet registry databases, including ARIN, RIPE, APNIC, LACNIC, and AFRINIC. Registry information in your Cortex Xpanse instance is updated approximately biweekly.

  • ASN Advertisement—An autonomous system number (ASN) assigned to you advertises the IP range as a BGP prefix.

  • Certificate—That IP range advertised one of your certificates.

  • DNS—A DNS record points to an IP in that IP range. Cortex Xpanse gets its domains and DNS data from a combination of active and passive global collection techniques.

  • Self-Provided—The asset was on an IP address list provided to Cortex Xpanse by your organization or by Xpanse for a reason other than those listed above.

Xpanse discovers cloud assets using domain and certificate observations, since IP registration data is not useful for cloud-hosted assets. Xpanse can also pull in known cloud assets through integrations with cloud service providers, like Azure, AWS, and GCP.

All assets in Expander include an attribution reason that explains why Xpanse attributed the asset to your organization. Find the attribution reason in the asset details panel in the Inventory.