Known Assets Monitoring - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide

Abstract: Cortex XSIAM performs targeted daily scans of known assets for customers who opt in.

Cortex XSIAM performs global scans twice a week on a limited set of ports by default. For customers who opt in, Cortex XSIAM performs targeted scanning of known assets daily. Known Assets Monitoring (KAM) brings three significant benefits to the data delivered by Cortex XSIAM:

  • Additional ports and protocols

    • Port/protocol pairs not included in global scans, including port 25/SMTP, 500/UDP

    • SMB version enumeration

  • TLS/SSL scanning

    • Determination of supported cipher suites and protocol versions for TLS/SSL services

  • Frequent scanning and data delivery

    • Faster data delivery for reduced time to notification of new exposures

Opting in to Known Assets Monitoring

Note the following prerequisites for Known Assets Monitoring (KAM):

  • KAM uses more exhaustive payloads than global scans, so we recommend validating your network before opting in. KAM will be turned on once we have consent from the network owner that all identified ranges have been validated.

  • We recommend verifying that KAM source IP addresses are not blocked on your automated intrusion prevention system (IPS), intrusion detection system (IDS), or firewalls and that anti-scanning and DDoS rules do not apply to these specific IP ranges.

    • Cortex XSIAM scans your external attack surface only, so we do not need any access inside your network.

    • The amount of traffic you receive from our scanners depends on the KAM configuration (basic or extended) and the total amount of IP space owned by your organization.

  • Contact your Customer Success Team to learn more and opt in to KAM.
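
One way to carry out the blocking check recommended above is to search perimeter firewall logs for drops whose source falls inside the KAM scanner ranges. The following is an added example, not part of the Cortex XSIAM documentation or product. It assumes Linux netfilter LOG-style lines with hypothetical FW-DROP / FW-ACCEPT log prefixes, and the source ranges are placeholders from documentation address space, to be replaced with the ranges you receive for KAM.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges (RFC 5737 documentation space), not real KAM ranges;
# replace with the source ranges provided to you for KAM.
KAM_SOURCE_RANGES = ["198.51.100.0/24", "203.0.113.0/28"]

# Constructed sample lines in netfilter LOG format; the FW-DROP and
# FW-ACCEPT prefixes are assumed --log-prefix values.
SAMPLE_LOG = """\
Oct 10 02:11:07 edge kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=25
Oct 10 02:11:09 edge kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.17 DST=192.0.2.10 PROTO=UDP SPT=40113 DPT=500
Oct 10 02:11:12 edge kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Oct 10 02:12:40 edge kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=22
Oct 10 02:13:01 edge kernel: FW-DROP IN=eth0 OUT= SRC=not-an-ip DST=192.0.2.10 PROTO=TCP SPT=1 DPT=445
"""

LINE_RE = re.compile(
    r"(?P<prefix>FW-\w+) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def blocked_kam_traffic(log_text, ranges=KAM_SOURCE_RANGES, drop_prefix="FW-DROP"):
    """Count dropped packets per (scanner range, port/protocol)."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["prefix"] != drop_prefix:
            continue  # unparsable line or traffic that was allowed
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field; skip rather than crash
        for net in nets:
            if src in net:
                hits[(str(net), f"{m['dpt']}/{m['proto'].lower()}")] += 1
    return dict(hits)

if __name__ == "__main__":
    # Any output here means a rule is dropping scanner traffic.
    for (net, svc), n in sorted(blocked_kam_traffic(SAMPLE_LOG).items()):
        print(f"{net} blocked on {svc}: {n} packet(s)")
```

An empty result over a period that includes a daily scan indicates that no rule is dropping traffic from the listed ranges on the logging device; repeat the check on each IPS, IDS, or firewall in the path.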