Step 5: Begin asset validation and asset enrichment - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-08-29
Last date published
2024-11-12
Category
User Guide
Solution
Cloud
Abstract

Validate assets in your inventory as part of the onboarding process.

As soon as you have access to Cortex Xpanse, you can begin asset validation and enrichment. Asset validation is the process of reviewing the assets in your inventory to verify that those assets belong to your organization. Asset validation ensures that your organization doesn't spend time and resources fixing issues on assets that are not under your control.

Asset enrichment is the process of tagging assets so you can identify and filter those assets based on department, geographical location, or any other category that would be useful to your organization. Asset validation and asset enrichment are not one-time activities; these are on-going activities that you will perform periodically to ensure your inventory is accurate and easily managed.

Before you begin

Review the following information before you perform asset validation and enrichment.

Prerequisite

See topic

Learn about the types of assets in your Cortex Xpanse inventory, and how they are organized.

Inventory

Familiarize yourself with the asset attribution evidence that is provided for each asset in Xpanse. Asset attribution evidence explains why Cortex Xpanse believes an asset belongs to your organization.

Asset Attribution

Learn about inventory tagging in Cortex Xpanse, including the types of tags, how to add and remove tags, and how to automate tagging using inventory tag rules.

Inventory Tagging

Validate Xpanse-discovered assets

Cortex Xpanse places assets into two categories based on discovery method:

  • Provided: These assets were provided by the customer and added to the asset map by the Cortex Xpanse team.

  • Xpanse discovered: These assets were discovered by Xpanse. Xpanse assets are reviewed and maintained quarterly.

Ideally you'll validate all assets in your inventory, but we suggest you begin by validating the Xpanse-discovered assets. Assets that were discovered by Xpanse are tagged xpanse discovered so you can identify them.

  1. In Expander, navigate to Inventory<asset type>.

  2. Filter the list of assets.

    1. Open the filter by clicking on the filter icon filter-icon.png on the top right side of the screen.

    2. In the filter, select the field Tags and the value xpanse discovered or provided (or any other tag you would like to filter on). Be sure to select the IPR: tag if you are filtering Owned Responsive IPs or IP Ranges, and select the AT: tag for any other asset types.

      filter-validate.png
    3. Click anywhere outside the filter to activate the filter and see the results.

  3. View the asset attribution evidence for an asset by clicking on the row to display the asset details. Asset attribution evidence and other asset details will help you determine whether the asset is yours.

    asset-attribution-evidence.png
  4. If you find assets that don't belong to your organization, submit a request to your Customer Success team to remove them from your inventory. You can send them a spreadsheet or txt file that lists the assets, or you can tag the assets (with a label such as "remove") and request Customer Success to remove all assets with that label.

Begin tagging assets

Asset enrichment refers to adding contextual information to assets, typically in the form of tags. Tags are labels that you assign to an asset or group of assets. You can create tags yourself in Expander, which ensures that your approach to tagging meets the unique requirements of your organization. Tags can be geographical locations, names of business units, departments, or teams, or any other useful category.

Tags help you organize and manage the assets in your inventory. The tags on assets are also applied automatically to corresponding services, websites, alerts, and incidents, providing valuable context when triaging identified risks in your attack surface.

You can apply and remove tags individually or in bulk in Expander or using the Cortex Xpanse APIs. You can also create inventory tag rules that apply tags to all assets that meet specific rule criteria. See Inventory Tagging for details about how tags work, how to apply them, and how to automate tagging with inventory tag rules.

Like asset validation, asset enrichment is an ongoing activity that you begin during onboarding and continue as your attack surface changes and as you discover different ways of organizing and categorizing your assets.