Automatically Edit Entities in Attack Surface Insights
Automatically edit the tags and security criticality of entities with Attack Surface Insights rules.
You can use pre-built rules to assign tags and a security criticality to entities or you can create your own rule from scratch. After you create a rule, you can edit, duplicate, disable, or delete it.
Rules automatically run once every 24 hours at 12:00 AM UTC. If an entity matches the condition of multiple rules, the rule that was most recently run applies. You can also manually run a rule. By default, rules are ordered by the time they were last run.
Pre-Built Attack Surface Insights Rules
To ensure behavioral threat detection works properly, partially configured pre-built rules assign tags and security criticality to entities.
Pre-built rules are Attack Surface Insights rules that are partially configured with predefined actions. They ensure that entities have the appropriate tags so analytics rules can work properly and the appropriate security criticality so Threat Center can assign cases and alerts an accurate risk score.
By default, pre-built rules are disabled. To use a pre-built rule, you must enable the rule. You can edit the description and conditions of a pre-built rule. You can also enable, disable or duplicate a pre-built rule. You can't edit the name and actions of a pre-built rule. You can't delete a pre-built rule.
There are four pre-built rules for user entities:
Privileged Users – Applies the Privileged User tag and Low security criticality to user entities according to a condition you specify.
Service Accounts – Applies the Service Account tag and Medium security criticality to user entities according to a condition you specify.
Executives – Applies the Executive tag and High security criticality to user entities whose title includes CEO or Chief Executive Officer and to user entities who are subordinates up to two levels beneath the CEO.
Departing Employees – Applies the Departing Employee tag and High security criticality to user entities whose usernames are in the Departing Employees context table under the Primary Login (Email Format) column.
There are four pre-built rules for device entities:
Critical Devices – Applies the Critical Device tag and Medium security criticality to device entities according to a condition you specify.
Domain Controllers – Applies the Domain Controller tag and High security criticality to device entities according to a condition you specify.
Servers – Applies the Server tag and High security criticality to device entities according to a condition you specify.
Workstations – Applies the Workstation tag and High security criticality to device entities according to a condition you specify.
Only the Executives and Departing Employees pre-built rules have a predefined condition. To use all other pre-built rules, you must edit the pre-built rule and enter a condition.
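The two behaviours described above that are easiest to get wrong in practice are the Executives condition (CEO plus subordinates up to two levels down) and the conflict rule (when several rules match an entity, the most recently run rule applies). The following toy model, an added example that is not Exabeam's code, makes both concrete; the directory, the Privileged Users condition and the rule run order are constructed assumptions.

```python
# Added example: toy model of the Attack Surface Insights rule semantics
# described above. Not Exabeam code; the directory, the Privileged Users
# condition and the rule run order are constructed assumptions.

def find_executives(directory, max_depth=2):
    """Executives rule condition: users whose title includes 'CEO' or
    'Chief Executive Officer', plus subordinates up to max_depth levels down."""
    ceos = {u for u, (title, _) in directory.items()
            if "CEO" in title or "Chief Executive Officer" in title}
    matched, level = set(ceos), set(ceos)
    for _ in range(max_depth):
        level = {u for u, (_, mgr) in directory.items() if mgr in level}
        matched |= level
    return matched

def find_privileged(directory):
    """Constructed condition for the Privileged Users rule (the real one is
    whatever query you enter): title contains 'Admin'."""
    return {u for u, (title, _) in directory.items() if "Admin" in title}

def apply_rules(directory, rules):
    """rules: (name, condition, tag, criticality) in the order they last ran.
    Per the docs, when several rules match an entity the most recently run
    rule applies, so later rules in the list overwrite earlier ones."""
    result = {}
    for _name, condition, tag, criticality in rules:
        for user in condition(directory):
            result[user] = {"tag": tag, "criticality": criticality}
    return result

# Constructed sample directory: username -> (title, manager username)
DIRECTORY = {
    "alice": ("Chief Executive Officer", None),
    "bob":   ("CFO", "alice"),
    "carol": ("VP Finance", "bob"),
    "dave":  ("Accountant", "carol"),   # three levels below the CEO: not matched
    "erin":  ("Domain Admin", "bob"),   # two levels below the CEO AND privileged
}

EXECUTIVES = ("Executives", find_executives, "Executive", "High")
PRIVILEGED = ("Privileged Users", find_privileged, "Privileged User", "Low")

if __name__ == "__main__":
    # Run order decides erin's criticality: High if Executives ran last, Low
    # if Privileged Users ran last. Check the order when you rely on High.
    for order in ([EXECUTIVES, PRIVILEGED], [PRIVILEGED, EXECUTIVES]):
        ran_last = order[-1][0]
        print(f"{ran_last} ran last -> erin:", apply_rules(DIRECTORY, order)["erin"])
```

Because the conflict rule is last-run-wins, an entity matched by a High rule can end up with Low criticality if a Low rule runs later; the rule list's last-run ordering is what to check when a case gets an unexpectedly low risk score.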
Enable or Disable an Attack Surface Insights Rule
Enable a rule to activate it. Disable a rule to deactivate it without deleting it.
In Attack Surface Insights, click Set Rules.
For a rule, click the More menu, then select Enable or Disable.
Manually Run an Attack Surface Insights Rule
Instead of having rules run automatically as events are processed, run a rule manually.
To manually run a rule, the rule must be enabled and not already running.
In Attack Surface Insights, click Set Rules.
For a rule, click the More menu, then select Run now.
Create an Attack Surface Insights Rule
To automatically tag and assign a security criticality to entities as events are processed, create an Attack Surface Insights rule.
You can also manually edit the tags and security criticality for an individual entity.
You can create a rule from scratch or using a search query as a starting point.
Create an Attack Surface Insights Rule from Scratch
Click Set Rules.
Navigate to the tab for the entity type for which you're creating a rule.
To create a rule for user entities, navigate to the Users tab.
To create a rule for device entities, navigate to the Devices tab.
Click + New Rule, then define the rule:
Rule name – Enter the rule name.
Description – Enter a description of the rule.
Entity Type – Verify the entity type to which the rule applies.
Condition – Determine the events on which your rule triggers using search. Like searching for an entity, you can choose to build or enter a query.
Actions – Specify the tags and security criticality assigned to relevant entities when the rule triggers.
In Tags, specify up to 20 tags. Select from the list of existing tags or create a new one. To create a new tag, start typing, then click Add "<tag>".
In Security Criticality, select a security criticality: Low, Medium, or High.
Enabled – To enable the rule automatically after it's created, select the checkbox.
Click Save.
Create an Attack Surface Insights Rule from a Search Query
To create a rule from a search query, you first search for entities of interest and use the search results to verify the entities to which the rule applies. When you continue to define the rule, the rule condition is automatically populated with the search query.
In Attack Surface Insights, search for entities of interest, then click Convert to Rule.
Define the rule:
Rule name – Enter the rule name.
Description – Enter a description of the rule.
Entity Type – Verify the entity type to which the rule applies.
Condition – The rule condition uses a search query to determine the events on which your rule triggers. Because you converted a search query to a rule, the rule condition is automatically populated with that query. To adjust the query, continue building or entering query parameters.
Actions – Specify the tags and security criticality assigned to relevant entities when the rule triggers.
In Tags, specify up to 20 tags. Select from the list of existing tags or create a new one. To create a new tag, start typing, then click Add "<tag>".
In Security Criticality, select a security criticality: Low, Medium, or High.
Enabled – To enable the rule automatically after it's created, select the checkbox.
Click Save.
Duplicate an Attack Surface Insights Rule
Duplicate an Attack Surface Insights rule as a starting point for a new rule.
In Attack Surface Insights, click Set Rules.
For a rule, click the More menu, then select Duplicate.
Edit the rule properties:
Rule name – Enter the rule name.
Description – Enter a description of the rule.
Entity Type – Verify the entity type to which the rule applies.
Condition – Determine the events on which your rule triggers using search. Like searching for an entity, you can choose to build or enter a query.
Actions – Specify the tags and security criticality assigned to relevant entities when the rule triggers.
In Tags, specify up to 20 tags. Select from the list of existing tags or create a new one. To create a new tag, start typing, then click Add "<tag>".
In Security Criticality, select a security criticality: Low, Medium, or High.
Enabled – To enable the rule automatically after it's created, select the checkbox.
Click Save.
Edit an Attack Surface Insights Rule
Change the name, description, condition, actions, and enabled status for an Attack Surface Insights rule.
You can only edit the description and conditions of a pre-built rule. You can't edit the name and actions of a pre-built rule.
In Attack Surface Insights, click Set Rules.
For a rule, click the More menu, then select Edit.
Edit the rule properties:
Rule name – Enter the rule name.
Description – Enter a description of the rule.
Entity Type – Verify the entity type to which the rule applies.
Condition – Determine the events on which your rule triggers using search. Like searching for an entity, you can choose to build or enter a query.
Actions – Specify the tags and security criticality assigned to relevant entities when the rule triggers.
In Tags, specify up to 20 tags. Select from the list of existing tags or create a new one. To create a new tag, start typing, then click Add "<tag>".
In Security Criticality, select a security criticality: Low, Medium, or High.
Enabled – To enable the rule automatically after it's edited, select the checkbox.
Click Save.
Delete an Attack Surface Insights Rule
Delete an Attack Surface Insights rule you no longer need.
You can't delete pre-built rules. You can only disable pre-built rules.
In Attack Surface Insights, click Set Rules.
For the rule you're deleting, click the More menu, then select Delete.
Click DELETE.