The following sections provide information about how to use filters to monitor and find potentially vulnerable assets in your Inventory.
Validating recently added assets will ensure you always have an accurate and up-to-date asset inventory and are receiving alerts on incidents that are important to you.
Navigate to Inventory → Unified Inventory or Inventory → <Asset Type>.
Sort on the First Observed column by clicking on the up/down arrow next to the First Observed column heading.
Note the difference between the First Observed and Date Added columns:
First Observed: the first time Cortex Xpanse sees the asset.
Date Added: when the asset was added to the map (applies to an IP range or domain).
Expired certificates open up multiple attack vectors, including phishing attacks and data breaches, weakening your web applications' security. Additionally, an expired certificate damages your reputation with users who are greeted by an expired certificate warning on your public interfaces, and it can cost revenue when customers choose not to proceed past the warning.
Navigate to Inventory → Certificates
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Certificate Classifications Contains Expired
+AND
Last Observed = Last 7D
Click anywhere outside the filter to activate it.
To remediate expired certificates, identify where the expired certificate is within your IT ecosystem, renew the expired certificate, and install a new digital certificate.
A self-signed certificate is a certificate that is not signed by a publicly trusted certificate authority (CA). When used in production environments, self-signed certificates leave systems exposed to vulnerabilities and security breaches. Additionally, the security warnings associated with self-signed certificates can drive away potential clients and impact brand reputation.
Use the following filter to find self-signed certificates that Cortex Xpanse has observed in the last week:
Navigate to Inventory → Certificates
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Certificate Classifications Contains SelfSigned
+AND
Last Observed = Last 7D
Click anywhere outside the filter to activate it.
To remediate, exchange self-signed certificates for signed certificates.
A dangling DNS record is a DNS record that has been misconfigured or points to a domain that has been abandoned. Because it is abandoned, this domain can be easily hijacked by threat actors and used to gain initial access into a network. Dangling DNS records can be exploited for domain hijacking and subdomain takeover, leading to loss of control over the content of the subdomain, cookie harvesting from unsuspecting visitors, and phishing campaigns.
Use the following filter to find dangling DNS records.
Navigate to Inventory → Domains
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Resolves = Yes
+AND
Has Active Services = No
+AND
Externally Detected Providers not Contains On Prem
Click anywhere outside the filter to activate it.
To remediate a dangling DNS record, update or remove DNS records that are not associated with an active service.
Shadow IT refers to any IT used by employees without the approval or oversight of the IT organization. The limited visibility introduced by shadow IT increases the probability of vulnerabilities, misconfigurations, and policy violations. The expanded attack surface also increases the chances of data theft, since these assets are not protected by security solutions and could be used as a pathway into the organization's broader network.
Use the following filter to find shadow IT.
Navigate to Inventory → Services
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Discovery Type = Directly Discovered
+AND
Externally Detected Providers not Contains On Prem, Amazon Web Services, Google, Microsoft Azure
Click anywhere outside the filter to activate it.
To remediate, make sure your organization enforces your security posture, policies, and compliance.
Public-facing internal IP addresses reveal what your internal subnets are and can be used to track back-end servers behind load balancers. They can also be an indication of a misconfigured asset.
There are two ways to find internal public-facing IP addresses: from the Domains page and from the Services page.
Navigate to Inventory → Domains
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Externally Detected Providers Contains Reserved Ips
Click anywhere outside the filter to activate it.
Navigate to Inventory → Services
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Discovery Type = Directly Discovered
+AND
Active Classifications Contains InternalIpAddressAdvertisement
Click anywhere outside the filter to activate it.
To remediate public-facing internal IP addresses, reconfigure relevant services to mask private addresses and rewrite addresses with anonymous identifiers so that an attacker cannot infer any useful information about your infrastructure.
Non-standard port usage increases the potential for malicious actors to gain unauthorized access to your network. Non-standard port usage can also be an indication of a misconfigured asset.
Navigate to Inventory → Services
Click the filter icon in the upper right corner to display the filter.
Set the filters as follows:
Discovery Type = Directly Discovered
+AND
Service Name Contains http server
+AND
Port != 80,443
Click anywhere outside the filter to activate it.
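The filters above are built in the Cortex Xpanse UI, but the same predicates are straightforward to express in code when you export inventory rows and want to apply them offline or in a pipeline. The following Python script is an added example, not Cortex Xpanse code or an Xpanse API: it models the page's filter operators (=, !=, Contains, not Contains, Last 7D) over constructed sample rows whose column names mirror the filters on this page, and encodes all seven filters described here (expired and self-signed certificates, dangling DNS, shadow IT, public-facing internal IPs from both the Domains and Services pages, and non-standard HTTP ports). The fixed NOW timestamp, the asset names, and any provider, classification or discovery values not on the page are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example runs the same way offline (an assumption of this
# example, not how Cortex Xpanse evaluates "Last 7D").
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample inventory rows. Keys mirror the filter columns on the page;
# asset names and any classification/provider values not on the page are made up.
CERTIFICATES = [
    {"name": "www.example.test", "Certificate Classifications": ["Expired"], "Last Observed": days_ago(2)},
    {"name": "old.example.test", "Certificate Classifications": ["Expired"], "Last Observed": days_ago(30)},
    {"name": "dev.example.test", "Certificate Classifications": ["SelfSigned"], "Last Observed": days_ago(1)},
    {"name": "api.example.test", "Certificate Classifications": [], "Last Observed": days_ago(0)},
]
DOMAINS = [
    {"name": "cdn.example.test", "Resolves": "Yes", "Has Active Services": "No",
     "Externally Detected Providers": ["Amazon Web Services"]},
    {"name": "intranet.example.test", "Resolves": "Yes", "Has Active Services": "No",
     "Externally Detected Providers": ["On Prem"]},
    {"name": "www.example.test", "Resolves": "Yes", "Has Active Services": "Yes",
     "Externally Detected Providers": ["On Prem"]},
    {"name": "leak.example.test", "Resolves": "Yes", "Has Active Services": "Yes",
     "Externally Detected Providers": ["Reserved Ips"]},
]
SERVICES = [
    {"name": "203.0.113.10:8080", "Discovery Type": "Directly Discovered", "Service Name": "HTTP Server",
     "Port": 8080, "Externally Detected Providers": ["Amazon Web Services"], "Active Classifications": []},
    {"name": "203.0.113.11:443", "Discovery Type": "Directly Discovered", "Service Name": "HTTP Server",
     "Port": 443, "Externally Detected Providers": ["Unknown Hosting"],
     "Active Classifications": ["InternalIpAddressAdvertisement"]},
    {"name": "203.0.113.12:80", "Discovery Type": "Inferred", "Service Name": "HTTP Server",
     "Port": 80, "Externally Detected Providers": ["Unknown Hosting"], "Active Classifications": []},
    {"name": "203.0.113.13:8443", "Discovery Type": "Directly Discovered", "Service Name": "HTTP Server",
     "Port": 8443, "Externally Detected Providers": ["Microsoft Azure"], "Active Classifications": []},
]


def contains(actual, wanted):
    """'Contains': list columns use membership; string columns use a case-insensitive
    substring match, so 'http server' matches 'HTTP Server'."""
    if isinstance(actual, (list, tuple, set)):
        return any(w in actual for w in wanted)
    return any(w.lower() in str(actual).lower() for w in wanted)


def matches(record, clause):
    """Evaluate one (column, operator, value) clause against an inventory row."""
    column, op, value = clause
    actual = record.get(column)
    if op == "=":
        return actual == value
    if op == "!=":
        # "Port != 80,443" reads as "the port is none of the listed values".
        return actual not in (value if isinstance(value, list) else [value])
    if op == "contains":
        return contains(actual, value)
    if op == "not contains":
        return not contains(actual, value)
    if op == "last_days":
        # "Last Observed = Last 7D": observed within the trailing window ending at NOW.
        return actual is not None and timedelta(0) <= NOW - actual <= timedelta(days=value)
    raise ValueError(f"unsupported operator: {op!r}")


def apply_filter(records, clauses):
    """Clauses are joined with +AND, as on the page; returns matching asset names."""
    return [r["name"] for r in records if all(matches(r, c) for c in clauses)]


# The page's filters, written as clause lists.
EXPIRED_CERTIFICATES = [("Certificate Classifications", "contains", ["Expired"]),
                        ("Last Observed", "last_days", 7)]
SELF_SIGNED_CERTIFICATES = [("Certificate Classifications", "contains", ["SelfSigned"]),
                            ("Last Observed", "last_days", 7)]
DANGLING_DNS = [("Resolves", "=", "Yes"), ("Has Active Services", "=", "No"),
                ("Externally Detected Providers", "not contains", ["On Prem"])]
SHADOW_IT = [("Discovery Type", "=", "Directly Discovered"),
             ("Externally Detected Providers", "not contains",
              ["On Prem", "Amazon Web Services", "Google", "Microsoft Azure"])]
INTERNAL_IP_DOMAINS = [("Externally Detected Providers", "contains", ["Reserved Ips"])]
INTERNAL_IP_SERVICES = [("Discovery Type", "=", "Directly Discovered"),
                        ("Active Classifications", "contains", ["InternalIpAddressAdvertisement"])]
NONSTANDARD_HTTP = [("Discovery Type", "=", "Directly Discovered"),
                    ("Service Name", "contains", ["http server"]), ("Port", "!=", [80, 443])]


def run_all():
    """Run every filter from the page against the sample rows."""
    return {
        "expired_certificates": apply_filter(CERTIFICATES, EXPIRED_CERTIFICATES),
        "self_signed_certificates": apply_filter(CERTIFICATES, SELF_SIGNED_CERTIFICATES),
        "dangling_dns": apply_filter(DOMAINS, DANGLING_DNS),
        "shadow_it": apply_filter(SERVICES, SHADOW_IT),
        "internal_ip_domains": apply_filter(DOMAINS, INTERNAL_IP_DOMAINS),
        "internal_ip_services": apply_filter(SERVICES, INTERNAL_IP_SERVICES),
        "nonstandard_http": apply_filter(SERVICES, NONSTANDARD_HTTP),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Two details are worth noting when reproducing the UI filters elsewhere: "not Contains" with a comma-separated list (as in the shadow IT filter) excludes a row if any of the listed providers is present, and "Port != 80,443" excludes both ports, not just one of them. Getting either of these wrong silently widens or narrows the result set.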