Prerequisites
Before you begin the New-Scale Analytics configuration process, complete the prerequisite tasks below. Completing these tasks will ensure that you have the information you need for specific configuration steps.
Identify Internal Domains – List all of the internal web and email domains and sub-domains currently in use by your organization and keep the list updated as new domains are added. For example, Exabeam might include the following domains in such a list:
exabeam.com
logrhythm.com
exabeam.cloud
yyexabeam.onmicrosoft.com
This task is necessary for the required Step 1. Configure the Internal Domains Context Table
Identify Network Zones – Create a CSV file that lists the network zones in your environment. The CSV file must include CIDR Ranges and Zone Names, as in the example below. Ensure that the file conforms to the requirements described in Prepare a CSV File in the Context Management Guide.
CIDR Range, Zone Name
10.170.10.0/24, Workstations
10.180.10.0/24, Servers
This task is necessary for the optional Step 6. Configure Network Zones (Best Practice)
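The following is an added example, not part of the Exabeam documentation: a pre-upload check for a network zones CSV in the two-column layout shown above. The exact header match and the overlap warning are assumptions of this example; the authoritative file requirements are those in the Context Management Guide.

```python
import csv
import io
import ipaddress

# Constructed sample: the two rows from the page plus three deliberately bad rows.
SAMPLE_CSV = """CIDR Range, Zone Name
10.170.10.0/24, Workstations
10.180.10.0/24, Servers
10.180.10.128/25, DMZ
10.190.10.5/24, Printers
10.200.10.0/33, Lab
"""
EXPECTED_HEADER = ["CIDR Range", "Zone Name"]  # assumption: taken from the page's example


def validate_zones(text):
    """Return (zones, errors); zones is a list of (network, zone_name, line_no)."""
    zones, errors = [], []
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [cell.strip() for cell in next(rows, [])]
    if header != EXPECTED_HEADER:
        errors.append(f"line 1: header must be {EXPECTED_HEADER}, got {header}")
    for line_no, row in enumerate(rows, start=2):
        cells = [cell.strip() for cell in row]
        if not any(cells):
            continue  # skip blank lines
        if len(cells) != 2 or not all(cells):
            errors.append(f"line {line_no}: expected a CIDR range and a zone name")
            continue
        cidr, name = cells
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.190.10.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"line {line_no}: invalid CIDR {cidr!r} ({exc})")
            continue
        # Assumption: overlapping ranges are flagged for review, not a documented rule.
        for other, other_name, other_line in zones:
            if net.version == other.version and net.overlaps(other):
                errors.append(f"line {line_no}: {net} ({name}) overlaps {other} ({other_name}, line {other_line})")
        zones.append((net, name, line_no))
    return zones, errors


if __name__ == "__main__":
    zones, errors = validate_zones(SAMPLE_CSV)
    print("\n".join(errors + [f"{len(zones)} valid ranges, {len(errors)} problems"]))
```

Overlapping ranges that pass CIDR parsing are still returned in `zones`, so the reported problems can be reviewed before deciding which row to keep.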
Identify Attributes for Rule Conditions – In order to configure rules in Attack Surface Insights using queries, you must be able to define the rule conditions necessary to identify entities in the following categories, found in your environment:
Privileged Users – sample query:
full_name: "admin*" OR user_name: "admin*" OR email_address: "admin*"
Service Accounts – sample query:
full_name: "svc*" OR user_name: "svc*"
Executives – sample query:
reports('title: "CEO" OR title: "Chief Executive Officer"', 2)
Critical Devices – sample query:
host_name: "CRI_*" OR host_name:"crown_jewels_*"
Domain Controllers – sample query:
endpoint_purpose: "Domain Controller"
To prepare for configuring Attack Surface Insights rules, you must either be able to build queries using identifying attributes in your data source for entities in these categories, or you must create filtered context tables based on the data source that can be leveraged to identify entities in these categories. These queries or filters will need to be entered directly into Attack Surface Insights and must be maintained to preserve the tags and criticality settings.
This task is necessary for the optional Step 7. Configure Attack Surface Insights Rules (Best Practice), specifically to Configure Pre-Built Rules via Attack Surface Insights Query
Confirm Source Context Tables for Rule Conditions – In order to configure rules in Attack Surface Insights using context tables, you will create specific filtered context tables in Context Management. Those filtered tables will need to be based on source Active Directory or Microsoft Entra ID context tables. As a prerequisite to configuring rules with this method, it is essential to confirm that these source files exist, and if not, to create them.
This task is necessary for the optional Step 7. Configure Attack Surface Insights Rules (Best Practice), specifically to Configure Pre-Built Rules via a Context Table
The following source context tables are necessary:
AD Users
AD Devices
Entra ID Users
Entra ID Devices
To confirm the existence of each of these four tables (or of similarly-named tables), do the following:
On the New-Scale Security Operations Platform home page, navigate to the Security Management column and click the Context Management tile.
On the Overview tab in Context Management, click the dropdown arrow next to All Vendors and select Active Directory or Microsoft Entra ID.
Click the dropdown arrow next to All Context Types and select User or Device.
Verify that the source context table exists.
If the context table does not exist yet, follow the steps in one of the following sections of the Context Management Guide: