Configure Pre-Built Rules via Attack Surface Insights Query
Before beginning the steps below, complete the prerequisite of identifying the attributes in your source data that distinguish the entities each Attack Surface Insights rule should tag. For more information, see Identify Attributes for Rule Conditions in the Prerequisites.
Configuring a pre-built rule via a query means writing a query that returns exactly the entities you want tagged for that rule; the query becomes the rule's condition. The following chart shows some sample Attack Surface Insights queries:
| ASI Rule | Entity Type Tab | Sample Query |
|---|---|---|
| Privileged Users | Users | |
| Service Accounts | Users | |
| Executive Users | Users | |
| Critical Devices | Devices | |
| Domain Controllers | Devices | |
To configure a rule using a query:

1. On the New-Scale Security Operations Platform home page, navigate to the Security Management column and click the Attack Surface Insights tile.
2. At the top of the page, select the tab for the type of entities you want to search for in your environment: Users or Devices.
3. In the search bar at the top, use one of the following techniques to define a query that identifies the entities you want to associate with a pre-built rule.
   - Basic – This point-and-click search method lets you build a query without knowing Exabeam Query Language. For more information, see Build a Search in Attack Surface Insights.
   - Advanced – This search method lets you enter a query manually using Exabeam Query Language. For more information, see Enter a Search in Attack Surface Insights.
4. Run the query and examine the entities returned in the search results. Adjust and rerun the query until only the entities that belong under the rule are returned; any entity the query matches will be tagged, so a query that is too broad tags entities that do not belong.
5. Under the search bar, select the Advanced option for Search mode and copy the final query from the search bar. Then click Set Rules in the top right corner. The Rules panel opens and displays the existing rules.
6. Identify the rule you want to configure with new conditions. Click the Options menu on the right side of the rule and select Edit. An Edit Rule dialog box opens.
7. In the dialog box, do the following:
   - In the Condition field, remove the existing syntax and paste the query that you copied to your clipboard.
   - Click the Enabled check box to enable the rule.
   - Click Save to apply the modified rule logic.