Restrict Entity Creation

Restrict Attack Surface Insights from creating entities from events you specify.

To prevent Attack Surface Insights from creating duplicate or erroneous entities, you can use Log Stream enrichment rules to restrict which events it creates entities from.

Pre-built or custom enrichment rules add the m_tags field to events. Depending on the value of the m_tags field, Attack Surface Insights either creates no entities from the event or creates only entities of a specific type.

The m_tags field values that restrict Attack Surface Insights from creating entities are:

  • Discard EM – Attack Surface Insights doesn't create any entities from an event.

  • Discard_EM_USER – Attack Surface Insights doesn't create user entities from an event. Attack Surface Insights continues to create device entities.

  • Discard_EM_HOST – Attack Surface Insights doesn't create device entities from an event. Attack Surface Insights continues to create user entities.

Pre-Built Enrichment Rules Restricting Entity Creation

There are six pre-built enrichment rules that restrict entity creation:

  • discard-em-vendor-product-event-selection – Adds the m_tags field with the Discard EM value to events from vendors and products you select in event filtering.

  • Discard EM External – Adds the m_tags field with the Discard EM value to events where the value of email_domain or dest_email_domain is not in the Internal Domains context table.

  • Discard ASI Unix – Adds the m_tags field with the Discard EM value to Unix-related events.

  • Discard LFODownload Confirmation – Adds the m_tags field with the Discard EM value to CrowdStrike download confirmation events.

  • Discard EM Ephemeral – Adds the m_tags field with the Discard EM value to events associated with ephemeral user accounts.

  • Discard Users ASI – Adds the m_tags field with the Discard EM value to events associated with Exabeam accounts.

To use these pre-built enrichment rules, you must ensure they're enabled.

Restrict Entity Creation Using a Custom Enrichment Rule

To define your own conditions under which Attack Surface Insights is restricted from creating entities, create your own enrichment rule.

When you create an enrichment rule, do the following under Map - Perform the following operation to map missing CIM values:

  1. Click Field, then select m_tags.

  2. In the space after equals to, enter one of the three m_tags values that restrict entity creation:

    • Discard EM – Attack Surface Insights doesn't create any entities from an event.

    • Discard_EM_USER – Attack Surface Insights doesn't create user entities from an event. Attack Surface Insights continues to create device entities.

    • Discard_EM_HOST – Attack Surface Insights doesn't create device entities from an event. Attack Surface Insights continues to create user entities.