Specific Assets

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Cortex XSIAM enables you to view specific external assets from a designated asset category in the Specific Assets page.

Note

Viewing Unassociated Responsive IPs, Domains, and Certificates data for Attack Surface Management requires the Attack Surface Management add-on.

Note

The Asset Categories listed are dependent on your Cortex XSIAM license. For more information, see All Assets.

  • Asset Category: the name of the specific asset category.

  • Description: a brief description of the assets included on the specific asset page.

  • Unique Fields: the unique fields that are only available when viewing this specific asset page, and are displayed in addition to the common fields listed for the All Assets page. These fields are exposed by default.

Asset Category: Cloud compute instance

Description:

Includes assets managed by Agents, where the agent reported that the assets are in a cloud environment. In addition, the assets can be Cloud Compute Instances that were reported by a Cloud integration (i.e., the Cloud Inventory data collector), with or without a Cortex agent.

Cortex XSIAM attempts to associate the data received from the agent with the data received from the Cloud Integration and tie them together into a single asset.

Unique Fields:

No specific unique fields are displayed in addition to the common fields.

Asset Category: On-prem

Description:

Includes devices that have an Agent, and also devices that were identified by various sources but were not associated with an Agent, such as IoT devices.

Does not include devices that are in the cloud.

Unique Fields:

The following attributes are relevant for IoT devices and indicate the category and subcategory to which an IoT device belongs. For example, the category may identify network behaviors common to all security cameras. Likewise, the device model identifies the model of the IoT device.

  • Device model

  • Device category

  • Device subcategory

Asset Category: Certificate

Description:

Certificates (also known as digital or public key certificates) are used when establishing encrypted communication channels to identify and authenticate a trusted party. Certificates are commonly used for SSL/TLS, HTTPS, FTPS, SSH, and VPN connections. The most common use is for HTTPS-based websites, where a certificate allows a web browser to validate that an HTTPS web server is an authentic website. Cortex XSIAM tracks information for each certificate, such as Issuer, Public key, Public Key Algorithm, Subject, Subject Alternative Names, Subject Organization, Subject Country, Subject State, and several “crypto health” checks.

Unique Fields:

  • Formatted issuer name

  • Certificate algorithm

  • Certificate classification

Asset Category: Domain

Description:

A domain name attributed to an organization by Cortex XSIAM. Subdomains of attributed Domains are also tracked as Domains. When there are too many (>1k) recent subdomains for one domain, Cortex XSIAM collapses them into the parent domain.

Unique Fields:

  • Resolves: indicates whether the domain has a DNS resolution.

Asset Category: Responsive IP

Description:

An IP that currently exposes, or has previously exposed, an External Service that was detected by Cortex XSIAM and associated with the organization.

Only Responsive IPs and certificates that have at least one active Service are displayed in the Asset Inventory.

Externally detected Responsive IPs are matched with existing assets using the asset’s IP addresses. If the Responsive IP was matched to an existing asset, its data is added to the asset. Any externally detected Responsive IP that was not matched with an existing asset is considered an independent asset of type “Unassociated External Responsive IP”.

Unique Fields:

No specific unique fields are displayed in addition to the common fields.