Search and Filter Assets - User Guide - 1.0 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse User Guide

Product
Cortex XPANSE
Version
1.0
Creation date
2022-08-25
Last date published
2024-03-14
End_of_Life
EoL
Category
User Guide
Abstract

Cortex Xpanse provides extensive filter and search capabilities for Assets.

The filter and search options change based on the selected Assets tab. For example, the IPs/CIDR search option is available on the IP Ranges tab but not on the Certificates tab. The filter bar at the top of each tab provides a search box and a drop-down box for each filter.

Search Assets

Cortex Xpanse supports the options listed below for searching assets on the Inventory tab and asset type tabs. The available search options vary depending on the asset tab being searched. The Content search option searches the content in the asset data. The other search options (such as Asset Type, Issue Priority, and Provider) provide the same results as the corresponding drop-down filters.

  • Content—Searches the content of key asset fields, such as Name and Business Unit.

  • Asset Type—Applies the Asset Type filter.

  • Domain—Domain searches should be targeted searches. Specify the complete domain, such as www.acme.com, if possible. Domain search also matches on the name, such as acme, or on a subset of the full domain, such as www.acme or acme.com. Domain search does not support boolean operators (AND, OR, NOT) or wildcard operators (? or *).

  • IPs/CIDR—Cortex Xpanse expects a valid IP or CIDR address, such as 1.1.1.1 or 1.1.1.1/16. You may also search on an IP address range, such as 1.1.1.1 - 1.1.1.16, or use a wildcard, such as 1.1.1.*.

  • Issue Priority—Applies the Issue Priority filter.

  • Provider—Applies the Provider filter.

  • Tag—Applies the Tag filter.

  • Has Service—Applies the Has Service filter.

  • Has Issue—Applies the Has Issue filter.

  • Network Type—Applies the Network Type filter.

  • Device Type—Applies the Device Type filter.

  • Status—Applies the Status filter.
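
The four input forms listed for the IPs/CIDR search option (single IP, CIDR, range, wildcard) can be normalized to one inclusive address range, which is useful for validating a term before searching or for applying the same scope to an exported asset list. This is an added example, not Cortex Xpanse code, and it does not claim to reproduce the product's matching logic. Its assumptions are IPv4 only, a wildcard that replaces whole trailing octets, and a CIDR with host bits set (such as the guide's 1.1.1.1/16) meaning the enclosing network; `parse_ip_term`, `filter_assets` and the sample inventory are constructed for illustration.

```python
import ipaddress

def parse_ip_term(term):
    """Return (first, last) IPv4Address covered by one IPs/CIDR search term."""
    term = term.strip()
    if "/" in term:
        # strict=False tolerates host bits, as in the guide's own 1.1.1.1/16;
        # the default strict=True would raise ValueError on that input.
        net = ipaddress.IPv4Network(term, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in term:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in term.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {term!r}")
        return lo, hi
    if "*" in term:
        octets = term.split(".")
        # Assumption: '*' replaces whole trailing octets only (1.1.1.*, 1.1.*.*).
        if len(octets) != 4 or "*" not in octets:
            raise ValueError(f"unsupported wildcard form: {term!r}")
        if any(o != "*" for o in octets[octets.index("*"):]):
            raise ValueError(f"unsupported wildcard form: {term!r}")
        lo = ".".join("0" if o == "*" else o for o in octets)
        hi = ".".join("255" if o == "*" else o for o in octets)
        return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    addr = ipaddress.IPv4Address(term)  # single address
    return addr, addr

def filter_assets(assets, term):
    """Names of assets whose 'ip' falls inside the range the term describes."""
    lo, hi = parse_ip_term(term)
    return [a["name"] for a in assets if lo <= ipaddress.IPv4Address(a["ip"]) <= hi]

# Constructed sample inventory (not real Xpanse export data).
ASSETS = [
    {"name": "vpn-gw", "ip": "1.1.1.7"},
    {"name": "mail", "ip": "1.1.1.200"},
    {"name": "legacy-app", "ip": "1.1.9.4"},
    {"name": "partner-link", "ip": "1.2.0.1"},
]

if __name__ == "__main__":
    for term in ("1.1.1.7", "1.1.1.1/16", "1.1.1.1 - 1.1.1.16", "1.1.1.*"):
        print(f"{term:20} -> {filter_assets(ASSETS, term)}")
```

Note how much wider the /16 form is than the wildcard form: 1.1.1.1/16 covers 1.1.0.0 through 1.1.255.255, while 1.1.1.* covers only the final octet.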

Filter Assets

Cortex Xpanse supports the following filters for filtering assets on the Inventory tab and asset type tabs. The filter options that are available vary depending on the tab. To apply a filter, select one or more filter options from the drop-down box and then click Apply.

  • Advertises—Cortex Xpanse will find Internet services advertising certificates. There are two options for this filter: yes and no.

  • Analysis—When Cortex Xpanse analyzes a certificate, it checks multiple characteristics. The current list is Expired, Healthy, Self-signed, Domain-control validated, Wildcard, Insecure Signature, Short Public Key, and Long Expiration.

  • Asset Type—Filters on one or more of the selected asset types.

  • Business Unit—Cortex Xpanse provides a filter bar to specify business unit names. You may also select one or more business units from the list of business units in the Cortex Xpanse database.

  • Has Issue—Filters by whether or not the asset is associated with an active issue.

  • Has Related Managed Cloud Resources—When certificates and domains are associated with managed cloud resources, the certificate or domain has related managed cloud resources. Like the Advertises filter, this filter has two options: yes and no. After selecting a Has Related Managed Cloud Resources status, select Apply to activate the filter.

  • Has Service—When a certificate, domain, or managed cloud resource is associated with Service Assets, the asset has service. This filter has two options: yes and no.

  • Issue Priority—Filters on the priority of the issues associated with the asset.

  • Network Type—Filters on Corporate, Remote, or All Network Types. A network is a collection of devices sharing a single IP address. Cortex Xpanse categorizes networks as either "Corporate" or "Remote" depending on whether the IP address of the network overlaps with any of your other assets in Cortex Xpanse or has no known association with your organization.

  • Provider—Search the list of providers or select one or more providers in the drop-down list.

  • Resolves—Cortex Xpanse will resolve domain names. There are two options for this filter: yes and no. Yes means the domain has resolved in the past 30 days.

  • Source—Filters based on how the assets were found. The source indicates that the assets were discovered by Xpanse or provided manually, while the other sources (Prisma Cloud, Prisma Access, Strata GlobalProtect, Cortex XDR) are all integrations that can generate additional assets in your inventory.

  • Status—Filters based on whether we believe the asset is active or not. Some assets, such as networks and certificates, can be inactive based on a lack of observations. Available values are Active and Inactive.

  • Tag—Search for a specific tag, or select one or more tags from the list of tags in the Cortex Xpanse database. Note that tags are not case sensitive.

  • Time Period filter—To filter on the time since last observation, Cortex Xpanse provides the following time periods: 7 days, 2 weeks, 1 month, 6 months, 1 year, and All. You can only select one time period.

  • View by Use Case—Some of the most commonly used filter combinations.