How Attack Surface Insights Works
Learn how Attack Surface Insights creates entities.
To create or update entities with new related information, Attack Surface Insights:
1. Determine whether to create entities from an event
When an event is created, it goes through an enrichment process. During this process, Log Stream enrichment rules enrich events with data.
One of the fields enrichment rules can add to events is the m_tags field. If the value of the m_tags field is Discard EM, Attack Surface Insights discards the event and does not create any entities from that event.
2. Identify event attributes
If an event is not discarded in the enrichment process, Attack Surface Insights looks for attributes in the event that uniquely identify an entity.
The enriched m_tags event field can also determine which attributes Attack Surface Insights looks for:
- If the m_tags value is Discard_EM_HOST, Attack Surface Insights looks only for user entity attributes.
- If the m_tags value is Discard_EM_USER, Attack Surface Insights looks only for device entity attributes.
- If the event has neither m_tags value, or has no m_tags field, Attack Surface Insights looks for both user and device entity attributes.
The attributes that uniquely identify a user entity are:
- Username
- Email
- Badge ID
- User SID
- Employee ID
To derive the username from an event, Attack Surface Insights considers certain event fields in a specific order:
- domain_user_name; in the format <user>@<domain> or <user> - <database name>
- local_user_name; in the format <user> - <source host or platform>
- account_user_name; in the format <account>@<domain or destination domain>
- database_user_name; in the format <user>@<domain or destination domain>
- dest_domain_user_name; in the format <user>@<destination domain>
- dest_local_user_name; in the format <user> - <source host>
The first event field with a value is considered the username.
The attribute that uniquely identifies device entities is the host name.
3. Create a new entity or update an existing entity
As soon as Attack Surface Insights finds at least one unique event attribute that identifies an entity, it decides whether to create a new entity or update an existing entity based on whether it has seen the attribute value before.
If it has never seen the attribute value before, Attack Surface Insights creates a new entity. When Attack Surface Insights creates an entity, it:
- Assigns the entity a Low (3) security criticality.
- Depending on certain conditions, like the event activity_type, adds other event data to the entity.
- Looks up the attribute value in your Context Management context tables.
If Attack Surface Insights has seen the attribute value before, it updates the existing entity with new event data and determines whether it has looked up that attribute in your context tables in the last 24 hours. If it has, Attack Surface Insights does not look up the attribute in your context tables again and new context data won't appear in the entity. If it hasn't, Attack Surface Insights looks up the attribute in your context tables.
4. Link entities to context
If Attack Surface Insights has created a new entity or hasn't looked up an attribute it has seen before in the last 24 hours, it queries your context tables for the attribute.
Attack Surface Insights queries your context tables to link entities to context, which enriches entities with context data and ensures that identities sharing attributes in context are unified under a single entity.
After entities are linked to context:
- Attack Surface Insights enriches the entity with context data from the matching context record.
- Attack Surface Insights tracks relationships between entities, identities, and context. Identities that share common attributes in context are considered related and are unified under a single entity. For user entities, each related identity is an account.
Whenever an event containing the same attribute value is created and Attack Surface Insights hasn't looked up the attribute in your context tables in the last 24 hours, Attack Surface Insights queries context and updates the entity attribute with any new context data.
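The four steps above, and the ordered username derivation in step 2, as one added Python model of the pipeline. This is illustrative code written for this page, not Attack Surface Insights' own implementation: the m_tags values are the ones the page states, but the event field names host, email, badge_id, user_sid and employee_id, the in-memory entity store, the dict-based context tables, and the choice to fall back to the other user identifiers only when no username field is populated are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# m_tags values as the page states them (behaviour they trigger in comments).
DISCARD_ALL = "Discard EM"          # drop the event, create nothing
DISCARD_HOST = "Discard_EM_HOST"    # look only for user attributes
DISCARD_USER = "Discard_EM_USER"    # look only for device attributes

# Username comes from the first of these fields that has a value (page order).
USERNAME_FIELDS = [
    "domain_user_name", "local_user_name", "account_user_name",
    "database_user_name", "dest_domain_user_name", "dest_local_user_name",
]
# Assumed field names for the other user identifiers and for the host name.
OTHER_USER_ID_FIELDS = ["email", "badge_id", "user_sid", "employee_id"]
HOST_FIELD = "host"
CONTEXT_LOOKUP_INTERVAL = timedelta(hours=24)   # re-query context at most daily


@dataclass
class Entity:
    kind: str                                   # "user" or "device"
    key: str                                    # identifying attribute value
    criticality: str = "Low (3)"                # default for every new entity
    event_data: dict = field(default_factory=dict)
    context: dict = field(default_factory=dict)
    last_context_lookup: Optional[datetime] = None


def derive_username(event: dict) -> Optional[str]:
    """Return the value of the first populated username field, or None."""
    for name in USERNAME_FIELDS:
        if event.get(name):
            return event[name]
    return None


def identifying_attributes(event: dict) -> Dict[str, str]:
    """Map entity kind -> identifying value, honouring the m_tags scope rules."""
    tag = event.get("m_tags")
    found: Dict[str, str] = {}
    if tag == DISCARD_ALL:
        return found                            # event discarded outright
    if tag != DISCARD_USER:                     # user attributes are in scope
        user = derive_username(event)
        if user is None:                        # assumption: fall back to other IDs
            user = next((event[n] for n in OTHER_USER_ID_FIELDS if event.get(n)), None)
        if user:
            found["user"] = user
    if tag != DISCARD_HOST and event.get(HOST_FIELD):   # device attributes in scope
        found["device"] = event[HOST_FIELD]
    return found


class EntityStore:
    """In-memory stand-in for the entity store and Context Management tables."""

    def __init__(self, context_tables: Dict[str, Dict[str, dict]]):
        self.entities: Dict[Tuple[str, str], Entity] = {}
        self.context_tables = context_tables    # kind -> {attr value -> record}
        self.context_queries = 0                # counts lookups to show throttling

    def _link_to_context(self, ent: Entity, now: datetime) -> None:
        self.context_queries += 1
        record = self.context_tables.get(ent.kind, {}).get(ent.key)
        if record:
            ent.context.update(record)          # enrich from the matching record
        ent.last_context_lookup = now

    def ingest(self, event: dict, now: datetime) -> List[Entity]:
        """Create or update entities for one event; return the newly created ones."""
        created: List[Entity] = []
        for kind, value in identifying_attributes(event).items():
            ent = self.entities.get((kind, value))
            if ent is None:                     # never seen: create, then look up
                ent = Entity(kind=kind, key=value)
                self.entities[(kind, value)] = ent
                created.append(ent)
                lookup_due = True
            else:                               # seen before: update, throttle lookup
                lookup_due = (ent.last_context_lookup is None
                              or now - ent.last_context_lookup >= CONTEXT_LOOKUP_INTERVAL)
            ent.event_data["activity_type"] = event.get("activity_type")
            if lookup_due:
                self._link_to_context(ent, now)
        return created


def run_demo() -> dict:
    """Replay three constructed events for one user/host pair and report what happened."""
    store = EntityStore({"user": {"alice@corp.example": {"department": "finance"}}})
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [  # (constructed event, time offset from t0)
        ({"m_tags": DISCARD_HOST, "domain_user_name": "alice@corp.example",
          "host": "ws-01", "activity_type": "logon"}, timedelta(0)),
        ({"domain_user_name": "alice@corp.example", "host": "ws-01",
          "activity_type": "file-write"}, timedelta(hours=5)),
        ({"domain_user_name": "alice@corp.example", "host": "ws-01",
          "activity_type": "logoff"}, timedelta(hours=25)),
    ]
    created_kinds, queries = [], []
    for ev, offset in events:
        created_kinds.append([e.kind for e in store.ingest(ev, t0 + offset)])
        queries.append(store.context_queries)
    return {"store": store, "created_kinds": created_kinds, "queries": queries}


if __name__ == "__main__":
    result = run_demo()
    print("created per event:", result["created_kinds"], "context queries:", result["queries"])
```

In the replayed scenario the first event carries Discard_EM_HOST, so only the user entity is created and linked to context; the second event, five hours later, creates the device entity (its first lookup) but does not re-query context for the user; the third event, 25 hours after the first, re-queries context for the user while the device, last looked up 20 hours earlier, is left alone. The query counter makes the 24-hour throttle visible, which is the behaviour to check when context changes seem not to reach an entity.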