Asset Attribution Evidence - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

The Asset Attribution Evidence section appears on the asset details panel and on the Assets tab in an incident. This section provides two key pieces of information:

  • Origin Information—Explains whether an asset was discovered by Cortex XSIAM or provided by your organization and when the asset was last seen.

  • Attribution Evidence—Explains why the asset was attributed to your organization. Provides the seed term that Cortex XSIAM used to attribute the asset to your organization and the specific piece of scan data that Cortex XSIAM matched to the seed term.

    A seed term is a text string that our research team generated and associated with your organization. For example, seed terms for Cortex Xpanse might include: Xpanse, Cortex, Cortex Xpanse, Palo Alto Networks, PANW, PAN, etc.  We use machine learning models as well as manual research to match the seed terms with our scan data to attribute assets to your organization. Additional details on how we attribute assets can be found in the Cortex Xpanse Discovery and Attribution datasheet.


Depending on the asset type and scan data, most assets will have one or more pieces of attribution evidence. Assets that don't have attribution evidence do not have a seed term match. The following are reasons we may not have a seed term match:  

  • The domain or IP range is provided by the customer and cannot be externally validated using public data.

  • The domain registration information is redacted, blank, or private. We attribute these through manual routing.

  • The domain is attributed by an associated website (e.g. is attributed to Example Corp because the website at shows clear evidence of belonging to Example Corp).

  • The domain is attributed based on a DNS record.

If you have questions about a specific asset, reach out to Customer Success.