Linking in Attack Surface Insights
Get to know linking, the process by which entities are associated with context data.
Linking is the process by which entities are associated with context data. Attack Surface Insights links entities to context data so entities are enriched with relevant context data and all related identifiers and information are unified under a single entity.
Linking requires context data that you must provide, either by onboarding context tables from a supported context source or customizing the User Entity Links pre-built context table in Context Management.
As soon as Attack Surface Insights creates a new entity, it queries your context tables for the unique attribute value it used to identify the entity in the event. If there is a match for the attribute value, either an exact match or a match with prefix searching, the context record is linked to the entity. If you configured multiple context sources, by default, Attack Surface Insights enriches entities with context data from Microsoft Active Directory and the User Entity Links pre-built context table first, then context data from the next available context source.
After a context record is linked to an entity, whenever an event containing the unique attribute value is created and Attack Surface Insights hasn't looked up the attribute in your context tables in the last 24 hours, Attack Surface Insights queries the context record and updates the entity attribute with any new context data.
For more control over linking, you can use the User Entity Links pre-built context table to define relationships between user identities. By mapping these relationships yourself, you have more control over linking for user entities and can ensure multiple identities are accurately unified under a single user entity as accounts.
Custom Linking for User Entities
Control how Attack Surface Insights links user entities with related user identities with the pre-built User Entity Links context table.
User Entity Links is a pre-built context table where you define relationships between user identities. By mapping these relationships yourself, you have more control over linking for user entities and can ensure multiple identities are accurately unified under a single user entity as accounts.
By default, the User Entity Links context table has four columns: KeyType1, Key1, KeyType2, and Key2. You can configure these columns and add data to the context table, either programmatically using APIs or manually.
If you map multiple identities together—for example, if a username is mapped to an email, and the email is mapped to an SID—Attack Surface Insights links them all to a single user entity.
Attack Surface Insights prioritizes enriching user entities with context data from the User Entity Links context table first, alongside Microsoft Active Directory and before any other context source.
When you update the User Entity Links pre-built context table, these updates are not automatically applied to existing user entities. To ensure user identities are linked according to the updated information in the context table, you must delete the entity, then allow the system to recreate it with the updated linking.
Apply Custom Linking Updates to an Existing User Entity
When you update the User Entity Links pre-built context table, these updates are not automatically applied to existing user entities. To ensure user identities are linked according to the updated information in the context table, you must delete the entity, then allow Attack Surface Insights to recreate it.
Warning
Removing a relationship from the User Entity Links context table can have unintended consequences that affect your investigations. Always consult with Exabeam Customer Success before making any changes.
1. Update the User Entity Links context table with new or updated information.
2. To allow Attack Surface Insights to process the update and clear any cached details, wait 15 to 30 minutes.
3. Delete the user entities affected by the updated information.
With the next relevant event, Attack Surface Insights recreates the entity and correctly links it to the relevant user identities according to the relationships you defined in the User Entity Links context table.
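The transitive linking described under Custom Linking for User Entities, and the effect of removing a relationship that the warning above refers to, can be previewed offline before you change the table. This is an added example, not Exabeam code: it assumes identities are compared as exact (KeyType, Key) pairs, and the key type names and all row values are constructed.

```python
from collections import defaultdict

# Constructed sample rows in the default column order:
# (KeyType1, Key1, KeyType2, Key2). Key type names and values are invented.
ROWS = [
    ("username", "jdoe", "email", "jdoe@example.com"),
    ("email", "jdoe@example.com", "sid", "S-1-5-21-1111-2222-3333-1001"),
    ("username", "asmith", "email", "asmith@example.com"),
    ("username", "svc-backup", "email", "asmith@example.com"),
]


def link_groups(rows):
    """Return the sets of identities that would be unified under one user entity."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    # Each row joins two identities; chains of rows join transitively.
    for type1, key1, type2, key2 in rows:
        root_a, root_b = find((type1, key1)), find((type2, key2))
        if root_a != root_b:
            parent[root_a] = root_b

    groups = defaultdict(set)
    for node in parent:
        groups[find(node)].add(node)
    return sorted(groups.values(), key=lambda g: sorted(g))


def over_merged(groups, key_type="username"):
    """Groups holding more than one identity of key_type: review before loading."""
    return [g for g in groups if sum(1 for t, _ in g if t == key_type) > 1]


def split_by_removal(rows, index):
    """Groups that appear only once row `index` is removed, i.e. what the removal splits.
    Identities mentioned in no remaining row are not listed."""
    before = link_groups(rows)
    after = link_groups(rows[:index] + rows[index + 1:])
    return [g for g in after if g not in before]
```

Here `over_merged(link_groups(ROWS))` flags the group where a shared mailbox row pulls `asmith` and `svc-backup` into one entity, and `split_by_removal(ROWS, 1)` shows that dropping the email-to-SID row leaves the SID unlinked from `jdoe`.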