
New-Scale Security Operations Platform: New-Scale Analytics Configuration Guide

Step 7 - Configure Attack Surface Insights Rules (Best Practice)

The goal of this step is to configure the Attack Surface Insights (ASI) rules that are required to unlock pre-built, tag-specific use cases in the New-Scale Security Operations Platform. A set of pre-built rules is available, each with a tag and an immutable security criticality already defined. To configure the rules for use in your environment, you must define the rule conditions so that they match the entities (users or devices) found in your environment.

The following table lists the required pre-built rules that must be configured:

| Entity Type Tab | ASI Rule | Criticality | Tag | Purpose |
|---|---|---|---|---|
| Users | Privileged Users | High | Privileged User | This rule is key to understanding which behaviors are privilege escalations in your environment, and to adding additional risk to abnormal behaviors by users with elevated permissions. |
| Users | Service Accounts | High | Service Account | Triggers service account-based detections such as “A service account failed an interactive login to an endpoint.” |
| Users | Executives | High | Executive | Triggers executive tag-based rules such as “The mailbox permissions of an executive user were changed by another user.” |
| Devices | Critical Devices | High | Critical Device | Elevates the risk associated with abnormal events for critical devices. As anomalous behavior occurs, the system takes into consideration the fact that this device is critical. |
| Devices | Domain Controllers | High | Domain Controller | Elevates the risk associated with abnormal events on domain controllers and unlocks the domain controller tag-based use cases. |
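The table above describes what each rule does once its condition matches entities in your environment; the following Python walkthrough is an added illustration of that tagging model and is not Exabeam code, the platform's rule syntax, or its risk formula. The rule and entity structures, the sample inventory, the matching conditions (group names, an `svc_` prefix, a `tier` attribute, a `DC` role) and the criticality weights are all constructed for this example. It shows the two things a practitioner checks after configuring these rules: that every required rule's condition actually matches at least one entity (a rule that matches nothing leaves its tag-specific use cases locked), and that an anomaly on a tagged entity is scored higher than the same anomaly on an untagged one.

```python
"""Tag-based rule evaluation and coverage check (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Entity:
    name: str
    entity_type: str                      # "user" or "device"
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class AsiRule:
    name: str
    entity_type: str
    tag: str
    criticality: str                      # fixed by the pre-built rule; not something you edit
    condition: Callable[[Entity], bool]   # the per-environment part you configure


# The five required rules from the table. Tag and criticality come from the page;
# the conditions are assumptions standing in for whatever fits your directory.
REQUIRED_RULES: List[AsiRule] = [
    AsiRule("Privileged Users", "user", "Privileged User", "High",
            lambda e: bool({"Domain Admins", "Enterprise Admins"}
                           & set(e.attributes.get("groups", [])))),
    AsiRule("Service Accounts", "user", "Service Account", "High",
            lambda e: e.name.startswith("svc_")),
    AsiRule("Executives", "user", "Executive", "High",
            lambda e: e.attributes.get("title", "").startswith("Chief")),
    AsiRule("Critical Devices", "device", "Critical Device", "High",
            lambda e: e.attributes.get("tier") == 0),
    AsiRule("Domain Controllers", "device", "Domain Controller", "High",
            lambda e: "DC" in e.attributes.get("roles", [])),
]

# Constructed sample inventory. Note that the CFO's title is "CFO", not "Chief ...",
# so the Executives condition above matches nobody: a realistic configuration gap.
INVENTORY: List[Entity] = [
    Entity("alice", "user", {"groups": ["Domain Admins"], "title": "IT Administrator"}),
    Entity("svc_backup", "user", {"groups": []}),
    Entity("carol", "user", {"groups": ["Finance"], "title": "CFO"}),
    Entity("bob", "user", {"groups": ["Staff"], "title": "Analyst"}),
    Entity("dc01", "device", {"roles": ["DC"], "tier": 0}),
    Entity("erp01", "device", {"roles": ["App"], "tier": 0}),
    Entity("fs02", "device", {"roles": ["FileServer"], "tier": 2}),
]


def apply_rules(entities: List[Entity], rules: List[AsiRule]) -> Dict[str, Set[str]]:
    """Return {entity name: set of tags} after evaluating every rule's condition."""
    tagged: Dict[str, Set[str]] = {}
    for entity in entities:
        tagged[entity.name] = {r.tag for r in rules
                               if r.entity_type == entity.entity_type and r.condition(entity)}
    return tagged


def coverage_report(entities: List[Entity], rules: List[AsiRule]) -> Dict[str, int]:
    """Count how many entities each rule matched."""
    counts = {r.name: 0 for r in rules}
    for entity in entities:
        for r in rules:
            if r.entity_type == entity.entity_type and r.condition(entity):
                counts[r.name] += 1
    return counts


def uncovered_rules(entities: List[Entity], rules: List[AsiRule]) -> List[str]:
    """Rules whose condition matched nothing; their tag-specific use cases stay locked."""
    return [name for name, n in coverage_report(entities, rules).items() if n == 0]


# Constructed weights: how much a tag's criticality scales an anomaly's base score.
CRITICALITY_WEIGHT = {"High": 2.0, "Medium": 1.5, "Low": 1.0}


def elevated_risk(base_score: float, tags: Set[str], rules: List[AsiRule]) -> float:
    """Scale an anomaly's base score by the highest criticality among the entity's tags."""
    weights = [CRITICALITY_WEIGHT[r.criticality] for r in rules if r.tag in tags]
    return base_score * (max(weights) if weights else 1.0)


if __name__ == "__main__":
    tags = apply_rules(INVENTORY, REQUIRED_RULES)
    for name, t in tags.items():
        print(f"{name:12s} {sorted(t)}")
    print("rules matching nothing:", uncovered_rules(INVENTORY, REQUIRED_RULES))
    print("anomaly on dc01:", elevated_risk(10, tags["dc01"], REQUIRED_RULES))
    print("same anomaly on fs02:", elevated_risk(10, tags["fs02"], REQUIRED_RULES))
```

Running it lists `Executives` as a rule matching no entity, which is the signal to revisit that condition before expecting executive tag-based rules to fire; it also shows the same anomaly scoring twice as high on `dc01` (tagged both Critical Device and Domain Controller) as on the untagged `fs02`.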

There are two methods available for configuring the pre-built rules. It is also possible to configure a custom rule if you need to adjust the criticality level. Follow the links below for the procedures: