Services assets

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

Services assets show all internet-facing devices and software attributed to your organization that communicate on a domain:port or IP:port pair and respond to scanners on an application-level protocol over the public internet.

A service can be any internet-facing device or software that communicates on a domain:port or IP:port pair that responds to scanners on an application-level protocol over the public internet.

Services include classifications, which are fingerprint-based identifiers of software, technologies, and behaviors observed on the service. Classifications can be either active or inactive based on the most recent observations of a service. In addition to classifications, services also include banner, response, and header information from Cortex XSIAM data collection.

The Services table includes the following fields.

Field

Description

Active classifications

Facts that have been inferred about each of your services by examining a response for fingerprints. Classifications cover a variety of details including:

  • Identifying specific software and versions.

  • Configuration details of note.

  • Identifying when the services do not implement best practices like web security headers or certificate security standards.

Some Classifications merely note that a fact is true or false, like Missing Cache Control Header. Other Classifications provide additional information, such as a version number for “nginx Server”. These details are viewable in the services table and on the details page for the service by clicking the name of the service in the All External Services table.

Business units

A Business Unit is a designation to classify assets. Cortex XSIAM tracks business units as a means to identify owning organizations of these assets. Business units become extremely important when an organization has subsidiaries and groups established through M&A activities.

Discovery type

Services are identified with one of the following two discovery types, depending on the level of confidence Cortex XSIAM has in attributing the service to your organization.

  • Directly Discovered: services that are definitively associated with an asset that belongs to your organization.

    Examples include:

    • It is hosted on one of your on-prem IP ranges.

    • The service advertises one of your organization's certificates.

    • It is on a managed cloud resource that is known to be yours.

  • Colocated with your Services: the service is running on the same IP as a different directly-discovered service.

    In a multi-tenant hosting environment, these co-located services may belong to other organizations but can sometimes pose adjacency risks to your services hosted on that IP. If your organization has “single-tenant environment only” policies with third-party hosting providers, you can use this functionality to identify possible violations of that policy.

Domain

The most recent domain on which the service is running.

Externally detected providers

The provider of the asset is determined by an external assessment.

Externally inferred CVEs

Externally Inferred CVEs are identified by comparing the product name and version of an active service, if identifiable, with CVEs for those products in the National Vulnerability Database. Additional investigation may be required to confirm if the CVE is present.

Click on the service to view the service details, which include the complete list of all the externally inferred CVEs.

Externally inferred vulnerability score

This score is based on the highest CVSSv3 score for Externally Inferred CVEs on this service. If there is no CVSSv3 score for the CVE, then the CVSSv2 score is used.

This field applies only to services with Externally Inferred CVEs.

First observed

When the asset was first observed via any of the sources.

Inactive Classifications

Previously observed classifications that are no longer observed.

IP addresses

Array column specifying a list of IPs associated with this asset.

Is active

  • Yes: indicates the service is active, which means that the service has been observed recently.

  • No: indicates the service is inactive, which means Cortex XSIAM no longer sees it on the internet.

Last observed

When the asset was last observed via any of the sources.

Port

The most recent port for the service.

Protocol

The application-level protocol on the public internet over which Cortex XSIAM validated the service.

Service name

The service type along with the specific domain:port or IP:port pair for the service.

Service type

The type of server or software for the service.
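The single-tenant policy check described under Discovery type, combined with the fallback rule from Externally inferred vulnerability score, as an added example that is not Cortex XSIAM code. The record layout, the key names, and the service names are assumptions constructed for illustration; only the field meanings and the two discovery type labels come from the table above.

```python
from collections import defaultdict

DIRECT, COLOCATED = "Directly Discovered", "Colocated with your Services"

def cve(v3, v2):  # constructed CVE record; real rows would also carry the CVE ID
    return {"cvss_v3": v3, "cvss_v2": v2}

# Constructed rows. Field meanings follow the Services table; the record layout
# and the service names are assumptions, not a documented export format.
SERVICES = [
    {"name": "web www.example.com:443", "type": DIRECT, "ips": ["198.51.100.10"], "active": True, "cves": []},
    {"name": "ftp 198.51.100.10:21", "type": COLOCATED, "ips": ["198.51.100.10"], "active": True,
     "cves": [cve(None, 7.5), cve(5.3, 4.3)]},
    {"name": "web shop.example.com:443", "type": DIRECT, "ips": ["203.0.113.5"], "active": True, "cves": []},
    {"name": "db 203.0.113.5:3306", "type": COLOCATED, "ips": ["203.0.113.5"], "active": False,
     "cves": [cve(9.8, 10.0)]},
    {"name": "vpn vpn.example.com:443", "type": DIRECT, "ips": ["192.0.2.20"], "active": True, "cves": []},
    {"name": "web 192.0.2.20:8080", "type": COLOCATED, "ips": ["192.0.2.20"], "active": True, "cves": []},
]

def inferred_score(cves):
    """Highest per-CVE score; each CVE uses CVSSv3, or CVSSv2 when v3 is absent."""
    scores = [c["cvss_v3"] if c["cvss_v3"] is not None else c["cvss_v2"] for c in cves]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else None  # None: the field does not apply

def shared_ip_report(services):
    """List IPs where an active colocated service sits beside an active direct one."""
    by_ip = defaultdict(lambda: {DIRECT: [], COLOCATED: []})
    for svc in services:
        if svc["active"] and svc["type"] in (DIRECT, COLOCATED):
            for ip in svc["ips"]:
                by_ip[ip][svc["type"]].append(svc)
    report = []
    for ip, group in by_ip.items():
        if group[DIRECT] and group[COLOCATED]:
            worst = max(inferred_score(s["cves"]) or 0.0 for s in group[COLOCATED])
            report.append({"ip": ip,
                           "yours": [s["name"] for s in group[DIRECT]],
                           "neighbours": [s["name"] for s in group[COLOCATED]],
                           "max_neighbour_score": worst})
    # Highest inferred neighbour score first, so review starts with the riskiest IP.
    return sorted(report, key=lambda r: r["max_neighbour_score"], reverse=True)

if __name__ == "__main__":
    for row in shared_ip_report(SERVICES):
        print(row)
```

Each reported IP is a candidate single-tenant policy violation to raise with the hosting provider; the inferred scores only order the review, since externally inferred CVEs still need confirmation.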

Click a row in the Services table to open the details page for that service. The information on this page is organized into the following tabs:

  • Overview: Summarizes key information about the service, including Highlights like cases, issues, and internet exposure. It also lists Properties like Asset ID and Provider, along with Service Details including Status, Service Types, Discovery Type, Port, Protocol, IPs, Geo Region, and Attributed Organizations.

  • Vulnerabilities: Displays the Vulnerability Findings associated with the service, including CVE IDs, CVSS scores, and EPSS scores.

  • Compliance: Displays the Overall Compliance Score and Controls by Status for the service.

  • Recently Observed: Lists recently observed IPs, Certificates, Domains, and TLS Versions associated with the service.

  • Service Classifications: Provides fingerprint-based identifiers of software, technologies, and behaviors observed on the service, detailing specific software revisions, firmware, model names, and vendor information.