Specific Assets

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-01
Category: Administrator Guide

Abstract

Cortex XSIAM enables you to view specific external assets from a designated assets category in the Specific Assets page.

Note

Ingesting and Viewing Cloud Compute Instances for Cloud Inventory Assets requires a Cortex XSIAM Pro per GB license.

Note

Viewing Unassociated Responsive IPs, Domains, and Certificates data for Attack Surface Management requires the Attack Surface Management add-on.

The Specific Assets pages enable you to view specific assets from a designated asset category. Each specific table contains the common columns that are listed in the All Assets table and some additional specific columns that are relevant for the type of asset.

To view the Specific Assets pages, select Assets > Asset Inventory > Specific Assets, and select a specific asset category.

By default, the Specific Assets pages display the assets according to the name of the asset. To search for specific assets, use the filters above the results table to narrow the results. You can export the tables and respective asset views to a tab-separated values (TSV) file. From the Specific Assets page, you can also manage the asset's output using the right-click pivot menu.

When you select any row in the table, a side panel with more details is displayed on the right, where you can view additional data divided into sections. The section heading names and the data displayed change depending on the source of the assets.

The table below describes the following for the different Specific Assets pages.

Note

The Specific Assets listed are dependent on your Cortex XSIAM license. For more information, see All Assets.

  • Specific Assets—The name of the specific asset page.

  • Description—A brief description of the assets included on the specific asset page.

  • Unique Fields—The unique fields that are only available when viewing this specific asset page, and are displayed in addition to the common fields listed for the All Assets page. These fields are exposed by default.

Cloud Compute Instance

  Description: Includes assets that are managed by Agents, where the agent reported that the assets are in a cloud environment. In addition, the assets can be Cloud Compute Instances that were reported by a Cloud integration (i.e., Cloud Inventory data collector) with or without a Cortex agent.

  Cortex XSIAM attempts to associate the data received from the agent with the data received from the Cloud Integration and tie them together into a single asset.

  Unique Fields: No specific unique fields are displayed in addition to the common fields.

On-Prem

  Description: Includes devices that have an Agent and also devices that were identified by various sources yet were not associated with an Agent, such as IoT devices.

  Does not include devices that are in the cloud.

  Unique Fields: The following attributes are relevant for IoT devices and indicate the category and subcategory to which an IoT device belongs. For example, the category may identify network behaviors common to all security cameras. The model attribute identifies the model of the IoT device.

  • DEVICE MODEL

  • DEVICE CATEGORY

  • DEVICE SUBCATEGORY

Certificate

  Description: Certificates (also known as digital or public key certificates) are used when establishing encrypted communication channels to identify and authenticate a trusted party. Certificates are commonly used for SSL/TLS, HTTPS, FTPS, SSH, and VPN connections. The most common use is for HTTPS-based websites, where a certificate allows a web browser to validate that an HTTPS web server is an authentic website. Cortex XSIAM tracks information for each certificate, such as Issuer, Public key, Public Key Algorithm, Subject, Subject Alternative Names, Subject Organization, Subject Country, Subject State, and several "crypto health" checks.

  Unique Fields:

  • FORMATTED ISSUER NAME

  • CERTIFICATE ALGORITHM

  • CERTIFICATE CLASSIFICATION

Domain

  Description: A domain name attributed to an organization by Cortex XSIAM. Subdomains of attributed Domains are also tracked as Domains. When there are too many (>1k) recent subdomains for one domain, Cortex XSIAM collapses them into the parent domain.

  Unique Fields:

  • RESOLVES: Indicates whether the domain has a DNS resolution.

Unassociated Responsive IPs

  Description: An IP that currently exposes or has previously exposed an External Service which was detected by Cortex XSIAM and associated with the organization.

  Only Responsive IPs and certificates that have at least one active Service are displayed in the Asset Inventory.

  Externally detected Responsive IPs are matched with existing assets using the asset's IP addresses. If the Responsive IP was matched to an existing asset, its data is added to the asset. Any externally detected Responsive IP that was not matched with an existing asset is considered an independent asset of type "Unassociated External Responsive IP".

  Unique Fields: No specific unique fields are displayed in addition to the common fields.
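
The IP-matching rule described for Unassociated Responsive IPs, shown as an added example (not Palo Alto Networks code and not a description of how Cortex XSIAM is implemented). The `reconcile` function, the record layout and all field names are hypothetical, the sample addresses are constructed from documentation ranges, and the example assumes the active-service filter is applied before matching.

```python
import ipaddress

RESPONSIVE_TYPE = "Unassociated External Responsive IP"  # label quoted on the page

def reconcile(assets, responsive_ips):
    """Return (asset copies with external data merged in, unassociated IP records)."""
    merged = [dict(a, external_services=[]) for a in assets]
    # Index every asset address in canonical form so "2001:DB8:0:0:0:0:0:1"
    # and "2001:db8::1" are treated as the same address.
    index = {ipaddress.ip_address(ip): a for a in merged for ip in a["ips"]}

    unassociated = []
    for rec in responsive_ips:
        active = [s for s in rec["services"] if s["active"]]
        if not active:
            continue  # assumption: no active service means the record is not displayed
        asset = index.get(ipaddress.ip_address(rec["ip"]))
        if asset is not None:
            asset["external_services"].extend(active)  # matched: data added to the asset
        else:
            unassociated.append({"ip": rec["ip"], "type": RESPONSIVE_TYPE, "services": active})
    return merged, unassociated

# Constructed sample data (hypothetical hosts, documentation address ranges).
ASSETS = [
    {"name": "web-01", "ips": ["192.0.2.10", "2001:db8::1"]},
    {"name": "db-01", "ips": ["192.0.2.20"]},
]
RESPONSIVE = [
    {"ip": "192.0.2.10", "services": [{"name": "https", "port": 443, "active": True}]},
    {"ip": "2001:DB8:0:0:0:0:0:1", "services": [{"name": "ssh", "port": 22, "active": True}]},
    {"ip": "198.51.100.7", "services": [{"name": "rdp", "port": 3389, "active": True}]},
    {"ip": "203.0.113.9", "services": [{"name": "http", "port": 80, "active": False}]},
]

if __name__ == "__main__":
    merged, orphans = reconcile(ASSETS, RESPONSIVE)
    for a in merged:
        print(a["name"], [s["name"] for s in a["external_services"]])
    for o in orphans:
        print(o["type"], o["ip"])
```

Records that end up in the unassociated list are the ones worth triaging first when reconciling an exported inventory, since no known asset claims their address.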