
How Attack Surface Insights Works

Learn how Attack Surface Insights creates entities and links related attributes and contextual data to an entity.

To create or update entities with new related information, Attack Surface Insights:

1. Identify event attributes

Attack Surface Insights assesses every event. When an event is created, it looks for unique attributes in the event that identify an entity.

Unique attributes that identify user entities are:

  • Username

  • Email

  • Badge ID

  • User SID

  • Employee ID

To derive the username from an event, Attack Surface Insights considers certain event fields in a specific order:

  1. domain_user_name; in the format <user>@<domain> or <user> - <database name>

  2. local_user_name; in the format <user> - <source host or platform>

  3. account_user_name; in the format <account>@<domain or destination domain>

  4. database_user_name; in the format <user>@<domain or destination domain>

  5. dest_domain_user_name; in the format <user>@<destination domain>

  6. dest_local_user_name; in the format <user> - <source host>

The first event field with a value is considered the username. The order matters: a single event can carry several of these fields (for example both domain_user_name and local_user_name), and only the highest-priority populated field becomes the entity's identity; the others are not used to identify the entity.

The unique attribute that identifies device entities is the host name.

2. Create a new entity or update an existing entity

As soon as Attack Surface Insights finds a unique event attribute that identifies an entity, it decides whether to create a new entity or update an existing entity based on whether it has seen the attribute value before.

If it has never seen the attribute value before, Attack Surface Insights creates a new entity. When Attack Surface Insights creates an entity, it:

  • Assigns the entity a Low (3) security criticality.

  • Depending on certain conditions, like the event activity_type, Attack Surface Insights adds other event data to the entity.

  • Looks up the attribute value in your Context Management context tables.

If Attack Surface Insights has seen the attribute value before, it updates the existing entity with the new event data and checks whether it has looked up that attribute in your context tables in the last 24 hours. If it has, it does not query the context tables again, so any context data added or changed in the meantime does not appear on the entity until the 24-hour window expires. If it has not, it looks up the attribute in your context tables.

3. Link context record and enrich context data

If Attack Surface Insights sees an attribute value for the first time, or has not looked up a previously seen attribute in the last 24 hours, it queries your context tables for the attribute value. The query serves two purposes: linking the entity to its context record, and enriching the entity with the data in that record.

If there is an exact match for the attribute value in context, Attack Surface Insights links the context record to the entity, if a link doesn't already exist, and enriches the entity with context data.

If there is no exact match, Attack Surface Insights conducts a prefix search. In a prefix search, Attack Surface Insights removes any extraneous information added during the event enrichment process. For example, if the attribute value is [email protected], Attack Surface Insights simplifies it to [email protected]. If there is a match for the prefix search in context, Attack Surface Insights creates a unique ID for the context record and links it to the entity, then enriches the entity with context data.

Now that entities are linked to context records, all related identifiers and information are unified under a single entity. Whenever an event containing the same attribute value is created and Attack Surface Insights hasn't looked up the attribute in your context tables in the last 24 hours, Attack Surface Insights queries context and updates the entity attribute with any new context data.
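The three steps above, modelled end to end as an added example. This is illustrative code written for this page, not Attack Surface Insights code: the username field precedence and the 24-hour lookup window come from the text, while the context-table column name (`username`), the prefix rule (dropping the ` - <host or platform>` qualifier that the local_user_name formats show) and the in-memory store are assumptions. Device entities (keyed on host name) would follow the same path with a different key.

```python
"""Model of the entity resolution flow described above.

Added illustration, not Attack Surface Insights code. USERNAME_FIELDS and
the 24-hour window follow the page; the context-table layout, the prefix
rule and the storage are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Username event fields in the order the page lists; the first populated one wins.
USERNAME_FIELDS = (
    "domain_user_name",
    "local_user_name",
    "account_user_name",
    "database_user_name",
    "dest_domain_user_name",
    "dest_local_user_name",
)
DEFAULT_CRITICALITY = "Low (3)"
CONTEXT_LOOKUP_WINDOW = timedelta(hours=24)


def derive_username(event: dict) -> str | None:
    """Step 1: return the first populated username field, in precedence order."""
    for name in USERNAME_FIELDS:
        value = event.get(name)
        if value:
            return value
    return None


def prefix_key(value: str) -> str:
    """Assumed prefix rule: strip the ' - <source host or platform>' qualifier
    that enrichment appends to local user names, keeping only the bare user."""
    return value.split(" - ", 1)[0].strip()


@dataclass
class Entity:
    key: str                                  # the unique attribute value
    criticality: str = DEFAULT_CRITICALITY    # every new entity starts at Low (3)
    context_link: str | None = None           # id of the linked context record
    context: dict = field(default_factory=dict)
    activity_types: set = field(default_factory=set)
    last_context_lookup: datetime | None = None


class Resolver:
    def __init__(self, context_table: list[dict]):
        # Assumed context table keyed by a 'username' column.
        self.context_table = {row["username"]: dict(row) for row in context_table}
        self.entities: dict[str, Entity] = {}
        self.context_queries = 0  # counts real lookups, to show the 24h throttle

    def update_context(self, username: str, **fields) -> None:
        """Simulate an analyst editing a context record after an entity exists."""
        self.context_table[username].update(fields)

    def process(self, event: dict, now: datetime) -> Entity | None:
        """Step 2: create or update the entity; query context only when allowed."""
        key = derive_username(event)
        if key is None:
            return None  # no identifying attribute, so no entity
        entity = self.entities.get(key)
        if entity is None:
            entity = Entity(key=key)
            self.entities[key] = entity
            self._link_and_enrich(entity, now)
        elif now - entity.last_context_lookup >= CONTEXT_LOOKUP_WINDOW:
            self._link_and_enrich(entity, now)
        if event.get("activity_type"):  # 'other event data' added to the entity
            entity.activity_types.add(event["activity_type"])
        return entity

    def _link_and_enrich(self, entity: Entity, now: datetime) -> None:
        """Step 3: exact match first, then prefix search; link and enrich."""
        self.context_queries += 1
        entity.last_context_lookup = now  # recorded even if nothing matches
        link_id = entity.key
        record = self.context_table.get(link_id)
        if record is None:
            link_id = prefix_key(entity.key)
            record = self.context_table.get(link_id)
            if record is None:
                return
        if entity.context_link is None:  # only link if no link exists yet
            entity.context_link = link_id
        entity.context.update(record)


def run_demo() -> dict:
    """Constructed events and context rows exercising precedence, the 24h window
    and the prefix fallback. Returns the observations so they can be checked."""
    t0 = datetime(2024, 1, 1, 9, 0)
    r = Resolver([
        {"username": "alice@corp.example", "department": "Finance", "title": "Analyst"},
        {"username": "carol", "department": "IT"},
    ])
    # domain_user_name outranks local_user_name, so 'svc - host1' is ignored.
    alice = r.process({"domain_user_name": "alice@corp.example",
                       "local_user_name": "svc - host1", "activity_type": "logon"}, t0)
    r.update_context("alice@corp.example", title="Manager")
    r.process({"domain_user_name": "alice@corp.example",
               "activity_type": "file_access"}, t0 + timedelta(hours=1))
    title_within_window = alice.context["title"]        # still 'Analyst'
    r.process({"domain_user_name": "alice@corp.example"}, t0 + timedelta(hours=25))
    title_after_window = alice.context["title"]         # now 'Manager'
    carol = r.process({"local_user_name": "carol - laptop7"}, t0)  # prefix match
    nobody = r.process({"activity_type": "logon"}, t0)             # no identity
    return {
        "alice_criticality": alice.criticality,
        "alice_link": alice.context_link,
        "alice_activity": alice.activity_types,
        "title_within_window": title_within_window,
        "title_after_window": title_after_window,
        "carol_link": carol.context_link,
        "carol_department": carol.context["department"],
        "nobody": nobody,
        "context_queries": r.context_queries,
        "entity_count": len(r.entities),
    }
```

The point worth noticing when running this is the stale-context window: the edit to alice's title is invisible to the entity for the full 24 hours after the last lookup, so a context-table correction made during an investigation does not surface on the entity immediately.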