
Attack Surface Insights Guide

Pre-Built Attack Surface Insights Rules

To ensure behavioral threat detection works properly, partially configured pre-built rules assign tags and security criticality to entities.

Pre-built rules are Attack Surface Insights rules that are partially configured with predefined actions. They ensure that entities have the appropriate tags so analytics rules can work properly and the appropriate security criticality so Threat Center can assign cases and alerts an accurate risk score.

By default, pre-built rules are disabled. To use a pre-built rule, you must enable the rule. You can edit the description and conditions of a pre-built rule. You can also enable, disable or duplicate a pre-built rule. You can't edit the name and actions of a pre-built rule. You can't delete a pre-built rule.

There are four pre-built rules for user entities:

  • Privileged Users – Applies the Privileged User tag and Low security criticality to user entities according to a condition you specify.

  • Service Accounts – Applies the Service Account tag and Medium security criticality to user entities according to a condition you specify.

  • Executives – Applies the Executive tag and High security criticality to user entities whose title includes CEO or Chief Executive Officer and to user entities who are subordinates up to two levels beneath the CEO.

  • Departing Employees – Applies the Departing Employee tag and High security criticality to user entities whose usernames are in the Departing Employees context table under the Primary Login (Email Format) column.

There are four pre-built rules for device entities:

  • Critical Devices – Applies the Critical Device tag and Medium security criticality to device entities according to a condition you specify.

  • Domain Controllers – Applies the Domain Controller tag and High security criticality to device entities according to a condition you specify.

  • Servers – Applies the Server tag and High security criticality to device entities according to a condition you specify.

  • Workstations – Applies the Workstation tag and High security criticality to device entities according to a condition you specify.

Only the Executives and Departing Employees pre-built rules have a predefined condition. To use all other pre-built rules, you must edit the pre-built rule and enter a condition.
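The two predefined conditions described above, modelled as an added example that is not Exabeam's own code: the Executives rule matches on a CEO title or on a manager chain that reaches a CEO within two levels, and the Departing Employees rule matches on the Primary Login (Email Format) column of a context table. The user directory, manager links and context table rows are constructed sample data, and the function names are assumptions.

```python
import re

# Constructed sample directory: username -> (title, manager username or None)
USERS = {
    "ceo@corp.example":  ("Chief Executive Officer", None),
    "cfo@corp.example":  ("Chief Financial Officer", "ceo@corp.example"),
    "vp@corp.example":   ("VP Engineering", "cfo@corp.example"),
    "dev@corp.example":  ("Engineer", "vp@corp.example"),  # three levels down
    "ceo2@corp.example": ("CEO, Subsidiary", None),         # title match alone
}

# Constructed Departing Employees context table (one row per departing user)
DEPARTING_EMPLOYEES_TABLE = [{"Primary Login (Email Format)": "dev@corp.example"}]

CEO_TITLE = re.compile(r"\bCEO\b|chief executive officer", re.IGNORECASE)


def is_ceo(title: str) -> bool:
    """Title condition of the Executives rule: CEO or Chief Executive Officer."""
    return CEO_TITLE.search(title) is not None


def levels_below_ceo(username, users, max_levels=2):
    """Walk up the manager chain; return the depth at which a CEO-titled
    manager is found (1 or 2), or None if none within max_levels.
    A seen-set guards against cycles in a malformed directory."""
    seen = set()
    current = users[username][1]
    for depth in range(1, max_levels + 1):
        if current is None or current in seen or current not in users:
            return None
        seen.add(current)
        if is_ceo(users[current][0]):
            return depth
        current = users[current][1]
    return None


def evaluate(username, users, departing_table):
    """Return (tags, security criticality) the two predefined rules assign."""
    tags, criticality = set(), None
    if is_ceo(users[username][0]) or levels_below_ceo(username, users) is not None:
        tags.add("Executive")
        criticality = "High"
    if any(r["Primary Login (Email Format)"] == username for r in departing_table):
        tags.add("Departing Employee")
        criticality = "High"
    return tags, criticality
```

Run against the sample data, the engineer three levels beneath the CEO is not tagged Executive but is tagged Departing Employee because the context table lists their login.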