Assets

Assets in the context of Surface Command are a general representation of one or more data records that pertain to a single object in your environment. This data record can be a person, device, vulnerability, server, and more. This is called the asset type, or the structure of the data associated with the asset. For example, an asset can have the type Asset, which informs you that it is a laptop, printer, or physical computer-like object. Two of the most important asset types, Assets and Identities (users, roles, etc.), have dedicated views within Surface Command. An asset's type is determined by its associated Connector and is then unified with other similar types as determined by the Unified asset model. Visit Manage unified properties for details.

Explore an asset

Assets are one of the most important results from Connectors and import feeds ingesting data from information sources. Most of Your Security Program, Attack Surface Overview, and Surface Command is built from assets and their properties. You can also use queries to filter your assets and create widgets and dashboards.

View asset properties

Asset properties are organized into two categories depending on where they come from: General properties (Unified properties) and Connector properties. This means you'll see at least a couple of tabs when you open the asset properties side panel. Navigate to a Connector tab to see the properties associated with that particular Connector.

From the asset properties panel, you can:

View asset relationships

You can access the asset relationships graph from these locations:

  • Query results - click Menu > View graph.
  • Widgets - click View results or View all query results, then click Menu > View graph.
  • Asset properties - click Menu > View graph.

This graphical view displays the node and any nodes that have a direct relationship. The graph shows a relationship between nodes as an edge (a line between nodes). You can click an edge to see the property name and direction for the relationship.

View asset coverage

You can dynamically filter your assets returned from query results to show coverage or coverage gaps quickly.

To show coverage gaps:

  1. Build a query or navigate to the Assets or Identities view.
  2. Click Filter in a column header.
  3. Click Coverage gap by source.
  4. Begin typing and the matching results are automatically selected.

Assets that are not associated with the selected source are displayed.

To show coverage:

  1. Build a query or navigate to the Assets or Identities view.
  2. Click Filter in a column header.
  3. Click Filter by source.
  4. Begin typing and the matching results are automatically selected.

Assets that are associated with the selected source are displayed.

Interacting with assets

Assets can be used to trigger an existing workflow or can be tagged for easy organization and querying.

Trigger a workflow

You can trigger a workflow from query results. Click Menu, then click Run workflow. For more information on building workflows, visit Workflows.

Add tags

Tags are added from the asset properties panel.

To add a tag:

  1. Click + Tag.
  2. Begin typing into the search field.
    1. If the tag already exists, select it. You can select multiple tags.
    2. If the tag does not exist, provide a name and color for it.
  3. Click Done.

You can now use the selected tags to query for the associated asset. Review Workspace and Queries for details.

Manage unified properties

Surface Command has its own set of pre-defined asset types called unified asset types, which present a consistent view of the data correlated from many different sources such as EDR tools, vulnerability scanners, cloud infrastructure APIs, CMDBs, identity management technologies, and custom datasets. Each unified asset type represents a general class of assets, such as Machine, Network, Person, and Vulnerability. Each unified asset type defines the properties and inter-object relationships that are common for that class of asset. The Unified model explorer shows all the unified asset types, the corresponding icon used throughout the platform, and how the unified assets relate to each other.

You can access the Unified model explorer from these locations:

  • Settings > Manage unified properties
  • Workspace > Unified asset model

Understand the unified asset model

You can use the unified asset types to query and report on assets and status, such as coverage gaps, independently of the specific sources that are connected to the platform. You can build queries using the unified assets’ properties and relationships, source asset properties and relationships, or both in any combination. In this way, you can take advantage of the consistency and simplicity of the unified model but also leverage source-specific properties and relationships when necessary.

After the ingestion, correlation, and fulfillment processes (described in the Surface Command Overview), Surface Command chooses the most relevant value of each property for display and query. The best value might be the most recent value from any source or from a specific authoritative source, depending on the Connectors that are installed. When building a query in Cypher, the system queries against the chosen value by default but you can use the every() shortcut to query against any or all the available source values for a property.

The unified model includes standard property names and also standard relationships (also known as edges) between assets. The diagram above shows the relationships of the unified asset types to the other assets. Types with an asterisk (*) can have a relationship to another asset of the same type. For example, Groups can be hierarchical. In the diagram, you can see that Machine relates to Vulnerability. A machine can have a list of vulnerabilities that were identified. You can build queries using these relationships.

For example, Machine is a unified type that might have sources such as Microsoft Defender, ServiceNow, Rapid7 and others, each providing a different perspective on the asset. Vulnerability is a unified type with sources such as Tenable, Qualys, NIST NVD, and CISA Known Exploited Vulnerabilities, each providing different data on the vulnerability. Using the unified model, you can build a single simple query that shows machines of a particular type that have vulnerabilities of a certain severity. You can filter your queries using properties of the unified model, such as asset type, operating system, or CVSS score, or using properties of specific correlated sources interchangeably.

Manage unified properties

You can manage how values are chosen when information sources provide different values for the same unified property.

To change a unified asset's property fulfillment:

  1. Open the Unified model explorer.
  2. Click a unified asset type. The side panel expands, displaying all properties.
  3. Click a property.
  4. Select an option from the Best source drop-down menu:
    • Top priority - Value is obtained from the first available source with the highest priority. You order each information source from highest to lowest by dragging them. You can also use the move icons to quickly move an item up or down one space, or hold Shift when clicking to move it to the top or bottom of the list.
    • Most recently updated value - Value is obtained from the information source with the most recent value.
    • Any true value - If any information source provides a value that equals True, the platform chooses that value in preference to any False or empty values.
    • Any false value - Value is obtained from the information source with a value that equals False.
    • Maximum value - Value is obtained from the information source with the largest value.
    • Minimum value - Value is obtained from the information source with the smallest value.
    • Latest date value - Available for date values. Value is obtained from the information source with the latest date.
    • Earliest date value - Available for date values. Value is obtained from the information source with the earliest date.
  5. Click Apply.
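
The following added example (not Surface Command code) models the Best source options listed above in Python, to show how the chosen option changes the value that queries and coverage reports see when sources disagree. The strategy names, the `fulfill` and `compare` helpers, the "disk encrypted" property, and all sample values are assumptions made for illustration; only the source names come from this page.

```python
from datetime import date

def fulfill(strategy, observations, priority=()):
    """Choose one value for a unified property (illustrative model only).

    observations: list of (source, updated, value); value None = no data.
    priority: source names, highest first (used by "top_priority" only).
    """
    present = [o for o in observations if o[2] is not None]
    if not present:
        return None
    values = [value for _, _, value in present]
    if strategy == "top_priority":
        # First source in priority order that actually has a value.
        by_source = {source: value for source, _, value in present}
        return next((by_source[s] for s in priority if s in by_source), None)
    if strategy == "most_recent":
        return max(present, key=lambda o: o[1])[2]
    if strategy == "any_true":
        return any(v is True for v in values)
    if strategy == "any_false":
        # Assumption: if no source reports False, the value stays True.
        return not any(v is False for v in values)
    if strategy in ("maximum", "latest_date"):
        return max(values)
    if strategy in ("minimum", "earliest_date"):
        return min(values)
    raise ValueError(f"unknown strategy: {strategy}")

# Constructed sample: a hypothetical "disk encrypted" property on one Machine.
DISK_ENCRYPTED = [
    ("ServiceNow", date(2024, 1, 10), True),          # older CMDB record
    ("Microsoft Defender", date(2024, 3, 2), False),  # newest observation
    ("Rapid7", date(2024, 2, 15), None),              # source has no value
]
PRIORITY = ["Rapid7", "Microsoft Defender", "ServiceNow"]
# Constructed sample: a score reported by two vulnerability sources.
CVSS = [("Tenable", date(2024, 2, 1), 7.5), ("Qualys", date(2024, 2, 20), 9.8)]

def compare(observations, strategies, priority=()):
    """Return {strategy: chosen value} so the options can be compared."""
    return {s: fulfill(s, observations, priority) for s in strategies}

if __name__ == "__main__":
    boolean_options = ["top_priority", "most_recent", "any_true", "any_false"]
    print(compare(DISK_ENCRYPTED, boolean_options, PRIORITY))
    print(compare(CVSS, ["maximum", "minimum"]))
```

In this model, "any true" reports the machine as encrypted on the strength of the oldest record, while the other three options report it as unencrypted, so a control-coverage query can flip depending on the option selected for that property.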