Step 7 - Configure Attack Surface Insights Rules (Best Practice)
The goal of this step is to configure the Attack Surface Insights (ASI) rules that are required to unlock pre-built, tag-specific use cases in the New-Scale Security Operations Platform. A set of pre-built rules is available, each with a tag and an immutable security criticality already defined. To configure the rules for use in your environment, you must define the rule conditions so that they match the entities (users or devices) found in your environment.
The following chart lists the required pre-built rules that must be configured:
| Entity Type Tab | ASI Rule | Criticality | Tag | Purpose |
|---|---|---|---|---|
| Users | Privileged Users | High | Privileged User | This rule is key to identifying which behaviors are privilege escalations in your environment, and to adding risk to abnormal behaviors by users with elevated permissions. |
| Users | Service Accounts | High | Service Account | Triggers service account-based detections such as |
| Users | Executives | High | Executive | Triggers executive tag-based rules such as “ |
| Devices | Critical Devices | High | Critical Device | Elevates the risk associated with abnormal events for critical devices. As anomalous behavior occurs, the system takes into account the fact that the device is critical. |
| Devices | Domain Controllers | High | Domain Controller | Elevates the risk associated with abnormal events on domain controllers and unlocks the domain controller tag-based use cases. |
There are two methods available for configuring the pre-built rules. It is also possible to configure a custom rule if you need to adjust the criticality level. Follow the links below for the procedures: