Assets

Assets in the context of Surface Command are a general representation of one or more data records that pertain to a single object in your environment. This data record can be a person, device, vulnerability, server, and more. This is called the asset type, or the structure of the data associated with the asset. For example, an asset can have the type Asset, which informs you that it is a laptop, printer, or physical computer-like object. Two of the most important asset types, Assets and Identities (users, roles, etc.), have dedicated views within Surface Command. An asset's type is determined by its associated Connector and is then unified with other similar types as determined by the Unified asset model. Visit Manage unified properties for details.

Explore an asset

Assets are one of the most important results from Connectors and import feeds ingesting data from information sources. Most of Your Security Program, Attack Surface Overview, and Surface Command is built from assets and their properties. You can also use queries to filter your assets and create widgets and dashboards.

View asset properties

Asset properties are organized into two categories depending on where they come from: General properties (Unified properties) and Connector properties. This means you'll see at least two tabs when you open the asset properties side panel. Navigate to a Connector tab to see the properties associated with that particular Connector.

From the asset properties panel, you can:

View asset relationships

You can access the asset relationships graph from these locations:

  • Query results - click Menu > View graph.
  • Widgets - click View results or View all query results, then click Menu > View graph.
  • Asset properties - click Menu > View graph.

This graphical view displays the node and any nodes that have a direct relationship. The graph shows a relationship between nodes as an edge (a line between nodes). You can click an edge to see the property name and direction for the relationship.

View asset coverage

You can dynamically filter your assets returned from query results to show coverage or coverage gaps quickly.

To show coverage gaps:

  1. Build a query or navigate to the Assets or Identities view.
  2. Click Filter in a column header.
  3. Click Coverage gap by source.
  4. Begin typing and the matching results are automatically selected.

Assets that are not associated with the selected source are displayed.

To show coverage:

  1. Build a query or navigate to the Assets or Identities view.
  2. Click Filter in a column header.
  3. Click Filter by source.
  4. Begin typing and the matching results are automatically selected.

Assets that are associated with the selected source are displayed.

Interacting with assets

Assets can be used to trigger an existing workflow or can be tagged for easy organization and querying.

Trigger a workflow

You can trigger a workflow from query results. Click Menu, then click Run workflow. For more information on building workflows, visit Workflows.

Add tags

Tags are added from the asset properties panel.

To add a tag:

  1. Click + Tag.
  2. Begin typing into the search field.
    1. If the tag already exists, select it. You can select multiple tags.
    2. If the tag does not exist, provide a name and color for it.
  3. Click Done.

You can now use the selected tags to query for the associated asset. Review Workspace and Queries for details.

Manage unified properties

Surface Command has its own set of pre-defined asset types called unified asset types, which present a consistent view of the data correlated from many different sources such as EDR tools, vulnerability scanners, cloud infrastructure APIs, CMDBs, identity management technologies, and custom datasets. Each unified asset type represents a general class of assets, such as a Machine, Network, Person, and Vulnerability. Each unified asset defines the set of common properties and inter-object relationships that are common for that class of asset. The Unified model explorer shows all the unified asset types, the corresponding icon used throughout the platform, and how the unified assets relate to each other.

You can access the Unified model explorer from these locations:

  • Settings > Manage unified properties
  • Workspace > Unified asset model

Understand the unified asset model

You can use the unified asset types to query and report on assets and status, such as coverage gaps, independently of the specific sources that are connected to the platform. You can build queries using the unified assets’ properties and relationships, source asset properties and relationships, or both in any combination. In this way, you can take advantage of the consistency and simplicity of the unified model but also leverage source specific properties and relationships when necessary.

The unified model includes standard property names and also standard relationships (also known as edges) between assets. The diagram above shows the relationships of the unified asset types to the other assets. Types with an asterisk (*) can have a relationship to another asset of the same type. For example, Groups can be hierarchical. In the diagram, you can see that Machine relates to Vulnerability. A machine can have a list of vulnerabilities that were identified. You can build queries using these relationships.

For example, Machine is a unified type that might have sources such as Microsoft Defender, ServiceNow, Rapid7 and others, each providing a different perspective on the asset. Vulnerability is a unified type with sources such as Tenable, Qualys, NIST NVD, and CISA Known Exploited Vulnerabilities, each providing different data on the vulnerability. Using the unified model, you can build a single simple query that shows machines of a particular type that have vulnerabilities of a certain severity. You can filter your queries using properties of the unified model, such as asset type, operating system, or CVSS score, or using properties of specific correlated sources interchangeably.

Unified assets with disparate data

Viewing and querying unified properties:

When data is ingested from multiple sources, Surface Command pulls all of the source records referring to the same actual asset together into a single unified asset view. The unified asset defines a set of properties which are common for that asset type and each of the correlated source records will have their own properties which can be used to fulfill any number of those unified properties. When multiple source records try to fulfill the same unified property there is a configurable process that determines which is the best source value to choose. The best value might be the most recent value from any source or from a specific authoritative source, depending on the connectors that are installed. This best fulfilling value will be shown when you view the details of a unified asset.

When querying for unified assets you typically want to filter on the best value for a given unified property. But in some cases you may want to query for a match across any of the source properties fulfilling that unified property. By default, a property match clause from a column filter, or in a Cypher query (e.g. WHERE a.os_family), will compare against the best fulfilling property value with the exception of string or array properties. For properties which are strings or arrays by default the match will compare across all fulfilling values of the unified property and will evaluate to true if any of them match. This allows you to discover source records that may not be apparent from the best value.

For example, suppose a user in your attack surface has two different names in two different source records, "Christopher" and "Chris", and the best property for the username is "Chris". Since the name property of a User record is a string, a filter on user.name that matches either "Christopher" or "Chris" will retrieve this record. However, when displaying the user in a table, the user’s name will still be shown as "Chris". It is still possible to display both "Christopher" and "Chris" by modifying the source query to return every(user.name).

Additional notes:

  1. It is possible to compare only against the best value of a string property by using the top() function. For instance:

     MATCH (a:Asset) WHERE top(a.name) = "some_asset_name" RETURN a

     For other single-value property types, including enumerations, booleans, numeric and date properties, the best property is used as the only property for filtering and sorting purposes.
  2. If a boolean property is never fulfilled by a source record, and that property is used in a filter as true or false, then that property is considered false. For instance, suppose a machine has no sources that label it as being active or inactive, e.g. machine.active has no values. In that case the machine will match on a filter on NOT machine.active.
    • If it is necessary to check for null or an explicit false value, the filter machine.active IS NULL or machine.active = FALSE will match for those cases.
  3. If you want to match on any fulfilling value of a property, you can use the every() function. For instance:

     MATCH (a:Asset) WHERE TRUE in every(a.active) RETURN a

Manage unified properties

You can manage how values are chosen when information sources provide different values for the same unified property.

To change a unified asset's property fulfillment:

  1. Open the Unified model explorer.
  2. Click a unified asset type. The side panel expands, displaying all properties.
  3. Click a property.
  4. Select an option from the Best source drop-down menu:
    • Top priority - Value is obtained from the first available source with the highest priority. You order the information sources from highest to lowest priority by dragging them. You can also use the move icons to move an item up or down one position, or Shift+click a move icon to send it to the top or bottom of the list.
    • Most recently updated value - Value is obtained from the information source with the most recent value.
    • Any true value - If any information source provides a value that equals True, the platform chooses that value in preference to any False or empty values.
    • Any false value - Value is obtained from the information source with a value that equals False.
    • Maximum value - Value is obtained from the information source with the largest value.
    • Minimum value - Value is obtained from the information source with the smallest value.
    • Latest date value - Available for date values. Value is obtained from the information source with the latest date.
    • Earliest date value - Available for date values. Value is obtained from the information source with the earliest date.
  5. Click Apply.
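The filter semantics from the Additional notes (best value versus every fulfilling value, never-fulfilled booleans counting as false) and the Best source strategies listed above, modelled in Python as an added example. This is not Surface Command code; the source records, their names, dates and property names are constructed for illustration, and the exact behaviour of Any true value / Any false value when no source supplies that value is an assumption.

```python
from datetime import date

# Constructed sample: three source records that would be correlated into one
# unified Machine. Source names, update dates and property names are assumed.
SOURCE_RECORDS = [
    {"source": "edr", "updated": date(2024, 5, 2),
     "props": {"name": "ws-042", "active": True, "cvss": 7.5}},
    {"source": "cmdb", "updated": date(2024, 1, 9),
     "props": {"name": "WS042.corp.example", "cvss": 9.8}},
    {"source": "scanner", "updated": date(2024, 5, 1),
     "props": {"name": "ws-042", "active": False}},
]

def every(records, prop):
    """All fulfilling values of a unified property, like the page's every()."""
    return [r["props"][prop] for r in records if prop in r["props"]]

def top(records, prop, strategy="most_recent", priority=()):
    """Best fulfilling value, chosen with one of the Best source strategies."""
    hits = [r for r in records if prop in r["props"]]
    if not hits:
        return None  # property never fulfilled by any source
    if strategy == "top_priority":  # first source in the ordered list with a value
        rank = {s: i for i, s in enumerate(priority)}
        return min(hits, key=lambda r: rank.get(r["source"], len(priority)))["props"][prop]
    if strategy == "most_recent":
        return max(hits, key=lambda r: r["updated"])["props"][prop]
    vals = [r["props"][prop] for r in hits]
    if strategy == "any_true":   # assumed: a True value wins over any False value
        return True in vals
    if strategy == "any_false":  # assumed: a False value wins over any True value
        return False not in vals
    if strategy in ("maximum", "latest_date"):
        return max(vals)
    if strategy in ("minimum", "earliest_date"):
        return min(vals)
    raise ValueError(f"unknown strategy {strategy}")

def matches(records, prop, value, strategy="most_recent", priority=()):
    """Column-filter semantics: strings/arrays match across every fulfilling
    value; other types compare the best value, and an unfulfilled boolean is False."""
    vals = every(records, prop)
    if vals and isinstance(vals[0], (str, list)):
        return any(value == v or (isinstance(v, list) and value in v) for v in vals)
    best = top(records, prop, strategy, priority)
    if isinstance(value, bool):
        return bool(best) is value
    return best == value
```

Note that matches(SOURCE_RECORDS, "name", "WS042.corp.example") is true even though the most recent name is "ws-042", which is exactly the string behaviour the notes describe; wrap the comparison in top() to restrict it to the best value.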