
Attack Surface Insights Guide

How Linking Works

Learn how Attack Surface Insights links contextual data and related identities to an entity.

Linking Prerequisites

Linking requires context data that you must provide, either by onboarding context tables from a supported context source or customizing the User Entity Links pre-built context table in Context Management.

The Linking Process

After Attack Surface Insights creates a new entity, it queries your context tables for the attribute value it used to uniquely identify an entity in an event. If there is a match for the attribute value in context, the context record is linked to the entity.

In most cases, Attack Surface Insights only queries for and links the same attributes together. For example, if the identifying entity attribute is email_address, Attack Surface Insights queries context for email_address only. The only exception is if the identifying attribute is user_sid.

Attack Surface Insights tries different methods to find a match in a specific order:

  1. Attack Surface Insights searches the User Entity Links context table for the attribute.

    Example

    In an event, Attack Surface Insights identifies the username value barbara.

    In the User Entity Links context table, it finds username value barbara.

    Attack Surface Insights links the entity to the context table.

  2. If the attribute is user_sid, Attack Surface Insights searches for a matching objectSid in Active Directory context data. This is the only linking method where Attack Surface Insights links together two different attributes.

    Example

    In an event, Attack Surface Insights identifies the user_sid value S-1-2-34-567.

    In context, it finds objectSid with value S-1-2-34-567.

    Attack Surface Insights links the entity to the context record.

  3. If the attribute value contains @, Attack Surface Insights conducts a prefix search, matching the attribute against the same context fields.

    During a prefix search, Attack Surface Insights removes everything after the delimiter, @, matching only the prefix. If the prefixes match, Attack Surface Insights links the entity to the context record.

    Example

    In an event, Attack Surface Insights identifies username attribute value [email protected].

    In context, it finds username field with value [email protected].

    Attack Surface Insights links the entity to the context record.

    There are two exceptions to this:

    • If the attribute is email_address, Attack Surface Insights first checks if the domains after @ match. If the domains don't match, the entity isn't linked to that context record.

      Example

      In an event, Attack Surface Insights identifies email_address attribute value [email protected].

      In context, it finds email_address field with value [email protected].

      Because the domains after @ are not the same, Attack Surface Insights does not link the entity to the context record.

    • If the attribute value contains a hyphen and the prefix is administrator, admin, or root, the entity is excluded from the linking process.

      Example

      In an event, Attack Surface Insights identifies user_name attribute value [email protected].

      Because the attribute value contains a hyphen and the prefix before @ is admin, the entity is not linked to any context data.

  4. If the attribute value contains " - " (space, hyphen, space), Attack Surface Insights conducts another prefix search, matching the attribute value against username context field values.

    In a prefix search with the " - " delimiter, Attack Surface Insights removes everything after the delimiter, matching only the prefix. If the prefixes match, Attack Surface Insights links the entity to the context record.

    Example

    In an event, Attack Surface Insights identifies user_name attribute value barbara.salazar - admin.

    In context, it finds username field with value barbara.salazar - user.

    Attack Surface Insights links the entity to the context record.

    The only exception is if the prefix is administrator, admin, or root. In this case, the entity is excluded from the linking process.

    Example

    In an event, Attack Surface Insights identifies user_name attribute value admin - Cisco.

    Because the attribute value contains a hyphen and the prefix before - is admin, the entity is not linked to any context data.

  5. If the attribute value does not meet any of the previous criteria, Attack Surface Insights searches for an exact match in context.

    Example

    In an event, Attack Surface Insights identifies username attribute value barbara.salazar.

    In context, it finds a matching user_name field with value barbara.salazar.

    Attack Surface Insights links the entity to the context record.
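The five-step search order and the administrator/admin/root exclusion, modelled in Python as an added illustration (this is not Cisco's code). The context rows, field names and sample values are constructed for the example; the real product queries its own context tables.

```python
ADMIN_PREFIXES = {"administrator", "admin", "root"}

# Constructed sample context (not real data): one User Entity Links row,
# one Active Directory row, and two rows from another context source.
USER_ENTITY_LINKS = [{"username": "barbara"}]
AD_CONTEXT = [{"objectSid": "S-1-2-34-567", "sAMAccountName": "bsalazar"}]
OTHER_CONTEXT = [
    {"username": "barbara.salazar - user", "email_address": "barbara.salazar@example.com"},
    {"username": "barbara.salazar@example.com"},
]

def excluded(value):
    """Linking exception: a hyphen anywhere plus an admin-style prefix before '@' or ' - '."""
    if "-" not in value:
        return False
    for delim in ("@", " - "):
        if delim in value and value.split(delim, 1)[0].strip().lower() in ADMIN_PREFIXES:
            return True
    return False

def find_link(attr, value, uel=USER_ENTITY_LINKS, ad=AD_CONTEXT, ctx=OTHER_CONTEXT):
    """Return (method, record) for the first method in the documented order, else (None, None)."""
    for rec in uel:                                   # 1. User Entity Links table, same attribute
        if rec.get(attr) == value:
            return "user_entity_links", rec
    if attr == "user_sid":                            # 2. user_sid -> objectSid (only cross-attribute link)
        for rec in ad:
            if rec.get("objectSid") == value:
                return "objectSid", rec
    if excluded(value):                               # admin/root exception: individual entity, no link
        return None, None
    if "@" in value:                                  # 3. '@' prefix search on the same field
        prefix, domain = value.split("@", 1)
        for rec in ctx:
            cand = rec.get(attr, "")
            if "@" in cand:
                cand_prefix, cand_domain = cand.split("@", 1)
                # email_address additionally requires the domains to match
                if cand_prefix == prefix and (attr != "email_address" or cand_domain == domain):
                    return "at_prefix", rec
    if " - " in value:                                # 4. ' - ' prefix search against username
        prefix = value.split(" - ", 1)[0]
        for rec in ctx:
            if rec.get("username", "").split(" - ", 1)[0] == prefix:
                return "dash_prefix", rec
    for rec in ctx:                                   # 5. exact match on the same field
        if rec.get(attr) == value:
            return "exact", rec
    return None, None
```

Note that a username prefix search ignores the domain after @ while an email_address prefix search does not, which is why barbara.salazar@other.com links as a username but not as an email_address against the sample rows.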

If no matches are found, an entity isn't linked to any context record. These entities are called orphaned entities.

If a match is found:

  • If a link doesn't already exist, Attack Surface Insights links the entity to the context record, then enriches the entity with context data from the matching context record.

    If you configured multiple context sources, by default, Attack Surface Insights enriches entities with context data from Microsoft Active Directory and the User Entity Links pre-built context table first, then context data from the next available context source.

  • Attack Surface Insights tracks relationships between identities and context. Identities that share common attributes in context are considered related and are unified under a single entity. For user entities, each related identity is an account.

  • If a newly created entity is a user entity and it is uniquely identified by the username attribute, Attack Surface Insights searches orphaned entities using prefix searching with @ and - delimiters on username. If an orphaned entity attribute value matches the prefix of username, the orphaned entity is linked to the same context data as the user entity and becomes an account under the user entity.

After the Linking Process

After a context record is linked to an entity, whenever an event containing the identifying attribute value is created and Attack Surface Insights hasn't looked up the attribute in your context tables in the last 24 hours, Attack Surface Insights queries the context record and updates the entity attribute with any new context data.

Linking Exceptions

Local administrator accounts are not linked to context and always create individual entities.

If the attribute value contains a hyphen and the prefix before the @ or - delimiter is administrator, admin, or root, it is excluded from the linking process and Attack Surface Insights always creates an individual entity using the attribute value.

Example

In an event, Attack Surface Insights identifies user_name attribute value [email protected].

Because the attribute value contains a hyphen and the prefix before @ is admin, the entity is not linked to any context data.

Example

In an event, Attack Surface Insights identifies user_name attribute value admin - Cisco.

Because the attribute value contains a hyphen and the prefix before - is admin, the entity is not linked to any context data.

Example

In an event, Attack Surface Insights identifies user_name attribute value [email protected].

Because the attribute value does not contain a hyphen, it proceeds with prefix searching using the @ delimiter.

In context, it finds user_name attribute value [email protected].

Attack Surface Insights links the entity to the context record.