Skip to main content

Attack Surface InsightsAttack Surface Insights Guide

Table of Contents

Edit Entities in Attack Surface Insights

Assign tags and a security criticality to entities.

There are only two attributes you can edit in an entity: tags and security criticality. You can edit entities automatically using Attack Surface Insights rules or manually.

Tags applied to Attack Surface Insights entities are referenced in Threat Detection Management analytics rules. To ensure analytics rules have the necessary attributes to work optimally, it's important that you assign entities the appropriate tags.

Tags applied to Attack Surface Insights entities are also automatically added to Threat Center case and alert tags if detections are grouped by entity. Tags are copied to the case or alert. If you remove a tag from the entity, the tag remains in the case or alert. If you remove a tag from the case or alert, it remains in the entity. To ensure you can find cases or alerts related to groups of entities, it's important that you assign entities the appropriate tags.

You can monitor entities with the same tag using watchlists in Threat Center.

We recommend the relevant user entities have the following tags:

  • Executive

  • Privileged User

  • Service Account

  • Departing Employee

We recommend the relevant device entities have the following tags:

  • Critical Device

  • Domain Controller

  • Server

  • Workstation

The security criticality of an entity is one of the business factors used to calculate a related Threat Center case or alert risk score. To ensure Threat Center scores cases and alerts accurately, it's important that you assign entities the appropriate security criticality.