
Attack Surface Insights Guide

How Attack Surface Insights Works

Learn how Attack Surface Insights creates entities and links related attributes and contextual data to an entity.

To create or update entities with new related information, Attack Surface Insights follows three steps: it extracts and links attribute values, determines whether to update an existing entity or create a new one, and updates values for existing attributes.

Attack Surface Insights executes the process to create or update entities as events are processed.

When Attack Surface Insights creates a new entity, it also enriches entities with context data from Context Management context tables. Every 24 hours, Attack Surface Insights updates entity attributes with the latest context data from Context Management.

1. Extract and link attribute values

First, Attack Surface Insights identifies entity types present in an event. From an event, Attack Surface Insights extracts attributes that are unique to an entity type.

Attributes unique to user entities are:

  • Username

  • Email

  • Badge ID

  • User SID

  • Employee ID

To derive the user name from an event, Attack Surface Insights considers certain event fields in a specific order:

  1. domain_user_name; in the format <user>@<domain> or <user> - <database name>

  2. local_user_name; in the format <user> - <source host or platform>

  3. account_user_name; in the format <account>@<domain or destination domain>

  4. database_user_name; in the format <user>@<domain or destination domain>

  5. dest_local_user_name; in the format <user> - <source host>

The first event field with a value is considered the user name.

The attribute unique to device entities is the host name.

If Attack Surface Insights extracts a new attribute value that it hasn't observed before, it links the new attribute value with the other attribute values in the event. Attribute values that are linked together are considered related.

Attack Surface Insights assesses all parsed events.

2. Determine whether to update an existing entity or create a new entity

Attack Surface Insights decides whether to update an existing entity or create a new entity depending on whether Attack Surface Insights has previously observed an extracted attribute value. Attack Surface Insights considers all unique attributes it extracted from the event.

If Attack Surface Insights has previously observed the extracted attribute value, it's an old attribute value already associated with an existing entity. In this case, Attack Surface Insights adds all other linked attribute values to the entity. For some attributes, if Attack Surface Insights hasn't observed the attribute value for a specific entity within a certain period of time, the attribute value expires and Attack Surface Insights removes it from the entity. If Attack Surface Insights observes an attribute value already associated with an existing entity, Attack Surface Insights also updates its expiration date.

If the extracted attribute value is new and hasn't been observed before, Attack Surface Insights assesses the other linked attributes. For each linked attribute, Attack Surface Insights determines whether its value is already associated with an existing entity. If one of these attribute values is already associated with an existing entity, Attack Surface Insights adds all linked attribute values to that entity as a new account. If none of the attribute values are associated with an existing entity, Attack Surface Insights creates a new entity.

When Attack Surface Insights creates a new entity, it:

  • Adds the extracted attribute value and all other linked attribute values to the entity

  • Assigns the entity a default security criticality, tags, and network zone

  • Queries configured Context Management context tables for context data matching the extracted or linked attribute values. If matching context data exists, Attack Surface Insights enriches the entity with the relevant context data.
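As an added illustration (not Exabeam's code or the Attack Surface Insights implementation), the following Python models steps 1 and 2: the user-name field priority and the decision to update an existing entity or create a new one. The store, the tie-break when linked values point to different entities, and the sample events are assumptions.

```python
# Entity creation modelled on steps 1 and 2 above. Field priority and attribute
# names come from the page; data structures, tie-break and sample events are constructed.
USER_NAME_FIELDS = ("domain_user_name", "local_user_name", "account_user_name",
                    "database_user_name", "dest_local_user_name")  # page order
USER_ATTRIBUTES = ("email", "badge_id", "user_sid", "employee_id")  # other unique attrs

def derive_user_name(event):
    """Step 1: the first populated user-name field, in page order, is the user name."""
    return next((event[f] for f in USER_NAME_FIELDS if event.get(f)), None)

def extract_user_attributes(event):
    """Step 1: collect the unique user attributes present as (name, value) pairs."""
    attrs = []
    if name := derive_user_name(event):
        attrs.append(("username", name))
    attrs += [(a, event[a]) for a in USER_ATTRIBUTES if event.get(a)]
    return attrs  # values appearing together in one event are 'linked'

class EntityStore:
    def __init__(self):
        self.entities = {}  # entity id -> set of linked (attribute, value) pairs
        self.index = {}     # (attribute, value) -> entity id that owns it
        self._next_id = 1

    def process_event(self, event):
        """Step 2: attach to the entity owning any already-seen value, else create one."""
        attrs = extract_user_attributes(event)
        if not attrs:
            return None
        # The first already-known value decides the entity. Hypothetical tie-break: the
        # page does not say what happens when linked values map to different entities.
        entity_id = next((self.index[a] for a in attrs if a in self.index), None)
        if entity_id is None:
            entity_id, self._next_id = self._next_id, self._next_id + 1
            self.entities[entity_id] = set()
        for a in attrs:  # every linked value is added to the chosen entity
            self.entities[entity_id].add(a)
            self.index[a] = entity_id
        return entity_id

# Constructed sample events (not from the page).
SAMPLE_EVENTS = [
    {"domain_user_name": "jdoe@corp.example", "email": "jdoe@corp.example"},
    {"local_user_name": "jdoe - WS-0042", "email": "jdoe@corp.example"},  # joins via email
    {"account_user_name": "svc_backup@corp.example"},  # nothing seen before: new entity
]

def run_sample():
    store = EntityStore()
    return store, [store.process_event(e) for e in SAMPLE_EVENTS]
```

The second sample event shares only its email with the first, so its local user name is attached to the same entity rather than creating a new one.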

3. Update value for an existing attribute

For some events with certain activity_type event field values, Attack Surface Insights determines whether an extracted attribute value modifies an existing attribute. If an existing attribute value has been modified, Attack Surface Insights replaces the original attribute value with the new, extracted attribute value.