All External Services - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide

Abstract

The All External Services page presents the complete inventory of public internet-facing services attributed to your organization.

Note: Viewing All External Services requires the Attack Surface Management add-on.

The All External Services page presents the complete inventory of public internet-facing services attributed to your organization. An external service can be any internet-facing device or software that communicates on a domain:port or IP:port pair. The All External Services view enables your IT and security teams to assess your total internet attack surface in detail. Some use cases include the following:

  • Enabling you to proactively reduce your attack surface by providing a comprehensive view of it, along with details about vulnerable services.

  • Answering questions about what kinds of software and devices are being used.

  • Searching for specific software, technology, or configurations.

  • Discovering unused technology deployments or legacy software in need of updating.

To view the All External Services page, select Assets > Asset Inventory > All External Services.

By default, the All External Services page lists all external services by service name. To find specific services, use the filters above the results table to narrow the results, or query the data with the XQL search. You can export the table and the respective service views to a tab-separated values (TSV) file. From the All External Services page, you can also manage the output of the external services using the right-click pivot menu.

When any row in the All External Services table is selected, a side panel to the right of the table displays details about the service.

The All External Services table includes the fields described below, listed in alphabetical order.

Active classifications

Facts that have been inferred about each of your services by examining a response for fingerprints. Classifications cover a variety of details including:

  • Identifying specific software and versions.

  • Configuration details of note.

  • Identifying when the services do not implement best practices like web security headers or certificate security standards.

Some classifications merely note that a fact is true or false, such as Missing Cache Control Header. Other classifications provide additional information, such as a version number for “nginx Server”. These details are shown in the services table and on the service details page, which you open by clicking the service name in the All External Services table.

Business units

A Business Unit is a designation to classify assets. Cortex XSIAM tracks business units as a means to identify owning organizations of these assets. Business units become extremely important when an organization has subsidiaries and groups established through M&A activities.

Discovery type

Services are assigned one of the following two discovery types, depending on the level of confidence Cortex XSIAM has in attributing them to your organization.

  • Directly Discovered: services that are definitively associated with an asset that belongs to your organization.

    Examples include:

    • It is hosted on one of your on-prem IP ranges.

    • The service advertises one of your organization's certificates.

    • It is on a managed cloud resource that is known to be yours.

  • Colocated with your Services: the service is running on the same IP as a different directly-discovered service.

    In a multi-tenant hosting environment, these colocated services may belong to other organizations, but they can sometimes pose adjacency risks to your services hosted on that IP. If your organization has “single-tenant environment only” policies with third-party hosting providers, you can use this functionality to identify possible violations of that policy.
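The adjacency check described above can be run offline over a TSV export of the table. The following is an added example, not part of the Cortex XSIAM documentation or product; it assumes the export's header row uses the field names documented on this page, that the "IP addresses" array column is exported comma-separated, and the service-name format shown in the constructed sample.

```python
import csv
import io
from collections import defaultdict

# Constructed sample TSV export (RFC 5737 documentation addresses); the real
# export's column names and service-name format may differ (assumption).
SAMPLE_TSV = """Service name\tDiscovery type\tIP addresses\tIs active
HTTP Server (198.51.100.10:443)\tDirectly Discovered\t198.51.100.10\tYes
SSH Server (198.51.100.10:22)\tColocated with your Services\t198.51.100.10\tYes
HTTP Server (203.0.113.5:80)\tDirectly Discovered\t203.0.113.5\tYes
SMTP Server (203.0.113.5:25)\tDirectly Discovered\t203.0.113.5\tNo
FTP Server (192.0.2.77:21)\tDirectly Discovered\t192.0.2.77\tNo
RDP Server (192.0.2.77:3389)\tColocated with your Services\t192.0.2.77\tYes
"""


def parse_export(tsv_text):
    """Parse a TSV export of the All External Services table into row dicts."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def adjacency_report(rows, active_only=True):
    """Return {ip: {"direct": [...], "colocated": [...]}} for each IP that hosts
    at least one directly discovered service and at least one colocated one.
    With active_only=True, services Cortex no longer sees (Is active = No) are
    ignored, so an IP whose only direct service went inactive is not reported."""
    by_ip = defaultdict(lambda: {"direct": [], "colocated": []})
    for row in rows:
        if active_only and row["Is active"] != "Yes":
            continue
        bucket = "direct" if row["Discovery type"] == "Directly Discovered" else "colocated"
        # Array column: assumed comma-separated in the export.
        for ip in row["IP addresses"].split(","):
            by_ip[ip.strip()][bucket].append(row["Service name"])
    return {ip: v for ip, v in by_ip.items() if v["direct"] and v["colocated"]}


if __name__ == "__main__":
    for ip, svc in adjacency_report(parse_export(SAMPLE_TSV)).items():
        print(ip, "ours:", svc["direct"], "colocated:", svc["colocated"])
```

Each reported IP is a candidate for review against a single-tenant hosting policy; confirm with the hosting provider before treating it as a violation.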

Domain

The most recent domain on which the service is running.

Externally detected providers

The provider of the asset, as determined by an external assessment.

Externally inferred CVEs

Externally inferred CVEs are identified by comparing the product name and version of an active service, if identifiable, with CVEs for those products in the National Vulnerability Database. Additional investigation may be required to confirm that the CVE is actually present.

Click on the service to view the service details, which include the complete list of all the externally inferred CVEs.

Externally inferred vulnerability score

This score is based on the highest CVSSv3 score for Externally Inferred CVEs on this service. If there is no CVSSv3 score for the CVE, then the CVSSv2 score is used.

This field applies only to services with Externally Inferred CVEs.
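To make the inference and scoring rules above concrete, here is an added example (not the product's code, which queries the National Vulnerability Database) that matches a service's classified product and version against a constructed, NVD-like CVE table and then derives the vulnerability score, using CVSSv3 where present and CVSSv2 otherwise. The CVE ids, version ranges and scores are placeholders.

```python
# Constructed service record: product and version come from the service's
# active classifications (e.g. an "nginx Server" classification with a version).
SERVICE = {"service_name": "nginx Server (203.0.113.5:443)",
           "product": "nginx", "version": "1.18.0"}

# Constructed CVE table; ids are placeholders, not real CVEs. "affected" is an
# inclusive version range (assumption: the real NVD data uses CPE match ranges).
CVE_TABLE = [
    {"id": "CVE-PLACEHOLDER-1", "product": "nginx", "affected": ("1.0.0", "1.19.0"),
     "cvss_v3": 7.5, "cvss_v2": 5.0},
    {"id": "CVE-PLACEHOLDER-2", "product": "nginx", "affected": ("1.17.0", "1.18.5"),
     "cvss_v3": None, "cvss_v2": 9.3},   # no CVSSv3 score: CVSSv2 is used
    {"id": "CVE-PLACEHOLDER-3", "product": "nginx", "affected": ("1.20.0", "1.21.0"),
     "cvss_v3": 9.8, "cvss_v2": 7.5},    # version out of range: not inferred
    {"id": "CVE-PLACEHOLDER-4", "product": "apache httpd", "affected": ("2.4.0", "2.4.50"),
     "cvss_v3": 9.8, "cvss_v2": 7.5},    # different product: not inferred
]


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def infer_cves(service, cve_table):
    """Externally inferred CVEs: records for the same product whose affected
    range covers the service's version. Nothing is inferred when the product
    or version could not be identified from the classifications."""
    if not service.get("product") or not service.get("version"):
        return []
    ver = parse_version(service["version"])
    hits = []
    for cve in cve_table:
        lo, hi = (parse_version(x) for x in cve["affected"])
        if cve["product"] == service["product"] and lo <= ver <= hi:
            hits.append(cve)
    return hits


def effective_score(cve):
    """Per CVE: CVSSv3 when present, otherwise fall back to CVSSv2."""
    return cve["cvss_v3"] if cve["cvss_v3"] is not None else cve["cvss_v2"]


def inferred_vulnerability_score(cves):
    """Highest effective score across the inferred CVEs; None when the service
    has no inferred CVEs, since the field does not apply then."""
    return max((effective_score(c) for c in cves), default=None)
```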

First observed

When the asset was first observed via any of the sources.

IP addresses

Array column specifying a list of IPs associated with this asset.

Is active

  • Yes: the service is active, meaning it has been observed recently.

  • No: the service is inactive, meaning Cortex XSIAM no longer sees it on the internet.

Last observed

When the asset was last observed via any of the sources.

Port

The most recent port for the service.

Protocol

The application-level protocol on the public internet over which Cortex XSIAM validated the service.

Service name

The service type along with the specific domain:port or IP:port pair for the service.

Service type

The type of server or software for the service.