Known Assets Monitoring

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-05-22
Last date published: 2024-07-12
Category: User Guide
Solution: Cloud
Abstract

Cortex Xpanse performs targeted daily scans of known assets for customers who opt in.

Cortex Xpanse performs global scans twice a week on a limited set of ports by default. For customers who opt in, Xpanse performs targeted scanning of known assets daily. Known Assets Monitoring (KAM) brings three significant benefits to the data delivered by Cortex Xpanse:

  • Additional ports and protocols

    • Port/protocol pairs not included in global scans, including 25/SMTP and 500/UDP

    • SMB version enumeration

  • TLS/SSL scanning

    • Determination of supported cipher suites and protocol versions for TLS/SSL services

  • Frequent scanning and data delivery

    • Faster data delivery for reduced time to notification of new exposures

Opting In to KAM

Note the following prerequisites for Known Assets Monitoring (KAM):

  • KAM uses more exhaustive payloads than global scans, so we recommend validating your network before opting in. KAM will be turned on once we have consent from the network owner that all identified ranges have been validated.

  • We recommend verifying that KAM source IP addresses are not blocked on your automated intrusion prevention system (IPS), intrusion detection system (IDS), or firewalls and that anti-scanning and DDoS rules do not apply to these specific IP ranges.

    • Xpanse scans your external attack surface only, so we do not need any access inside your network.

    • The amount of traffic you receive from our scanners depends on the KAM configuration (basic or extended) and the total amount of IP space owned by your organization.

  • Contact your Customer Success Team to learn more and opt in to KAM.
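
One way to run the block-list check recommended in the prerequisites above, as an added example that is not part of the Cortex Xpanse documentation: it compares exported deny rules against the scanner source ranges and reports full or partial overlaps. The source ranges and rule names are constructed placeholders (this page does not list the KAM source addresses), and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges). Replace with the
# KAM source ranges provided for your tenant; this page does not list them.
KAM_SOURCES = ["192.0.2.0/28", "198.51.100.64/27"]

# Constructed sample of deny rules exported from a firewall/IPS: (name, CIDR).
DENY_RULES = [
    ("ips-auto-block-0142", "192.0.2.8/30"),
    ("geo-block-legacy", "198.51.100.0/24"),
    ("anti-scan-dynamic", "203.0.113.0/24"),
]

def find_blocked(sources, deny_rules):
    """Return one finding per (scanner range, deny rule) overlap."""
    findings = []
    for src in sources:
        src_net = ipaddress.ip_network(src)
        for name, cidr in deny_rules:
            rule_net = ipaddress.ip_network(cidr, strict=False)
            if src_net.version != rule_net.version or not src_net.overlaps(rule_net):
                continue
            coverage = "full" if src_net.subnet_of(rule_net) else "partial"
            findings.append({"source": src, "rule": name, "coverage": coverage})

    return findings

def unblocked_addresses(source, deny_rules):
    """Count addresses in a scanner range that no deny rule covers."""
    remaining = [ipaddress.ip_network(source)]
    for _, cidr in deny_rules:
        rule_net = ipaddress.ip_network(cidr, strict=False)
        survivors = []
        for net in remaining:
            if net.version != rule_net.version or not net.overlaps(rule_net):
                survivors.append(net)
            elif not net.subnet_of(rule_net):
                # Overlapping CIDRs nest, so the rule sits strictly inside net.
                survivors.extend(net.address_exclude(rule_net))
            # A net fully covered by the rule is dropped.
        remaining = survivors
    return sum(n.num_addresses for n in remaining)

if __name__ == "__main__":
    for f in find_blocked(KAM_SOURCES, DENY_RULES):
        print(f"{f['source']} is blocked ({f['coverage']}) by {f['rule']}")
    for src in KAM_SOURCES:
        print(f"{src}: {unblocked_addresses(src, DENY_RULES)} addresses unblocked")
```

A partial overlap matters as much as a full one: scans arriving from the blocked portion of a range are dropped while the rest get through, which produces inconsistent exposure data.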