Attack Surface Management - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn how to protect your environment from the outside using Attack Surface Management (ASM) in Cortex XSIAM.


Attack Surface Management is an add-on capability.

Cortex XSIAM enables you to analyze your environment from the outside, which enhances the existing internal access to the environment provided with an installed agent. This improves the visibility of your environment by attributing new assets to the organization, identifying which known assets are publicly exposed to the internet, and alerting on risky services that pose a threat to the organization’s security posture. Enhancing existing capabilities with outside-in Attack Surface Management (ASM) capabilities creates a holistic view of the organization and its security threats and allows security professionals to potentially avoid attacks by proactively reducing their attack surface.

The following are the main use cases for using ASM by a SOC analyst.

  • Investigate and remediate ASM incidents and their underlying ASM alerts.

  • Enriching incidents with ASM data to provide greater visibility into all Internet-facing assets (i.e. external devices) and to attain a better sense of control to reduce the attack surface.

  • Attack Surface Reduction—Reducing the Attack Surface by proactively analyzing Internet-facing assets and services.

As soon as Cortex XSIAM begins receiving assets that were attributed to the organization, you can view the data in AssetsAsset Inventory. The following additional features are available to investigate these new assets.

  • The following tables are added to the Specific Assets page.

    • Unassociated Responsive IPs—An IP that currently or has previously exposed a Service and that was not matched with an existing IP of a known asset.

    • Domains—A domain name attributed to an organization by Cortex XSIAM . Subdomains of attributed Domains are also tracked as Domains. When there are too many (>1k) recent subdomains for one domain, Cortex XSIAM collapses them into the parent domain.

    • Certificates—A certificate attributed to an organization by Cortex XSIAM . Cortex XSIAM tracks historically sighted Certificates in addition to currently observed ones.

  • The data from the new tables added to the Specific Assets page is also available on the All Assets page and can be filtered by Type.

  • Internet exposure assessments on servers for the On-Prem Assets and Cloud Compute Instances tables when an external IP is identified.

  • The All External Services page presents the complete inventory of public internet-facing services attributed to your organization.

  • Cortex XSIAM identifies Externally Inferred CVEs by comparing the product name and version of the active service, if identifiable, with CVES for those products in the National Vulnerability Database. Externally inferred CVEs are identified for both assets and services.

  • Attack Surface Management Dashboard.

The following concepts are helpful for understanding ASM in Cortex XSIAM :