Manage Business Units - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Cortex Xpanse defines a business unit or BU as an organizational unit that is responsible for a specific set of assets.

In Expander, a business unit or BU is an organizational unit that is responsible for a specific set of assets. Business units are assigned to assets by Xpanse during the initial network mapping process. Business unit definitions can be hierarchical, so a large organization may have a parent business unit with multiple levels of child business units. An asset may be associated with one or more business units.

Cortex Xpanse assigns business units to all assets in the Inventory, except services and websites. Services, websites, incidents, and alerts inherit the business units of the assets associated with them.

Expander supports filtering and sorting of data in your asset inventory, incidents, alerts, dashboards, and reports by business unit.

After the initial network mapping of your attack surface, you can modify the business unit assignments for assets in Expander on the Assets tab of an incident and on the asset details panel in the Inventory.

When changing the business unit assignment, Expander displays all of the existing business units as a hierarchy so you can choose the specific business units to assign to the asset. An asset can belong to any business unit in the hierarchy. Business unit assignments and the access permissions based on those assignments are not inherited. If you remove all the business units from an asset, Expander will mark the asset as Unassigned.

Add New Business Units

While you can modify business unit assignments, you cannot add new business units in Expander. To add additional business units, contact your Customer Success representative.

View Previous Updates to Business Units

You can view information about previous updates to business unit assignments in the management audit logs. Navigate to SettingsManagement Audit Logs and filter the table on Type equals Business Unit Change.

Restrict User Access Using Business Units

You can restrict user access in Expander to specific business units using scope-based access control (SBAC). See Manage User Scope for information about configuring SBAC.

You can also restrict access to viewing or editing business unit overrides by assigning users predefined or custom roles. The roles Account Admin and Instance Administrator are the only predefined roles with access to business unit overrides. For information about how to assign roles and create custom roles, see Manage Roles.

The Difference Between Business Units and Tags

In Expander, business units identify the organization or department that owns an asset on your attack surface. For example, if you acquire a company, you could assign their assets to a separate business unit. Or assets in different regions could be assigned separate business units. Tags, on the other hand, are used for a variety purposes, such as custom IP ranges, advanced data filtering, customized data, and to restrict or permit access to data in Expander using Scope-Based Access Control (SBAC).

Business units are initially assigned by Xpanse and can be modified by users later. Tags may be created and assigned by Xpanse or created and assigned by users, depending on the type of tag. See Asset Tagging for information about the different types of tags and how to use them.