Internal attack surface

In Surface Command, your internal attack surface comprises two of the most common asset types: assets and identities. For more information on these concepts, refer to Surface Command Overview. Assets and identities come directly from information sources through Connectors. Much of the functionality featured on Your Security Program (Command Platform), Attack Surface Overview (Command Platform), and Surface Command is built on assets and identities and their properties. You can also use the Workspace to query your assets and identities and to create widgets and dashboards.

Explore assets and identities

To begin exploring, go to Assets or Identities in Surface Command.

Filter and view coverage

You can filter the Assets or Identities pages using the Filter icon in any column header. Click Filter and adjust the operator to get started.

The Sources column provides a unique coverage gap filter, which assists you in quickly identifying coverage gaps.

To show coverage gaps:

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Coverage gap by source.
  4. Begin typing. Matching results are automatically selected. Items that are not associated with the selected source are displayed.

To show coverage:

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Filter by source.
  4. Begin typing. The matching results are automatically selected. Items that are associated with the selected source are displayed.

Save and use filters

After filtering the list of Assets or Identities, you can save the filter for later access. Anyone in Surface Command can access a saved filter.

To save a filter:

  1. Filter the Assets or Identities page as necessary.
  2. Click Save View.
  3. Enter a name for the view.
  4. Optionally, enter a description for the view.
  5. Click Save.

To access a saved filter:

  1. Go to the Assets or Identities page.
  2. Click Filter views (top-left corner).
  3. Select a filter. Filters with a lock icon are pre-made filters created by the Surface Command team.

To modify a saved filter:

  1. Go to the Assets or Identities page.
  2. Click Filter views (top-left corner).
  3. Select a filter.
  4. Remove, add, or modify filters as necessary.
  5. Save the filter:
    1. Click Save View to update the filter with the current configuration. This option is not available for pre-made filters.
    2. Click Save as... to save the current configuration as a new filter.

View properties

You can access properties from these locations:

  • Query results - click the asset or identity in the results table.
  • Widgets - click View results or View all query results, then click the asset or identity in the results table.
  • Relationships graph - click an asset or identity node, then click Show details.

Properties are organized into two categories depending on where they come from: General properties and connector properties. This means you'll see multiple tabs when you open the properties side panel. Navigate to a connector tab to see the properties associated with that particular connector.

From the properties panel, you can:

View relationships

You can access the relationships graph from these locations:

  • Query results - click Menu > View graph.
  • Widgets - click View results or View all query results, then click Menu > View graph.
  • Properties - click Menu > View graph.

This graphical view displays the node and any nodes that have a direct relationship. The graph shows a relationship between nodes as an edge (a line between nodes). You can click an edge to see the property name and direction for the relationship.

View remediations

You can view remediations for vulnerabilities associated with assets from InsightCloudSec or InsightVM.

To view remediations in the Remediation Hub:

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Filter by source.
  4. Select Rapid7 InsightCloudSec Instance and Rapid7 InsightVM Asset.
  5. Click Menu > View remediations next to a row. The Remediation Hub opens filtered to the selected item.

Interact with assets or identities

Assets or identities can be used to trigger an existing workflow or can be tagged for easy organization and querying.

Trigger a workflow

You can trigger a workflow from query results. Click Menu, then click Run workflow. For more information on building workflows, visit Workflows.

Add tags

Tags are added from the properties panel.

You can access properties from these locations:

  • Query results - click the asset or identity in the results table.
  • Widgets - click View results or View all query results, then click the asset or identity in the results table.
  • Relationships graph - click an asset or identity node, then click Show details.

To add a tag:

  1. Click + Tag.
  2. Begin typing into the search field.
    1. If the tag already exists, select it. You can select multiple tags.
    2. If the tag does not exist, provide a name and color for it.
  3. Click Done.

You can now use the selected tags to query for the associated asset or identity. Review Workspace and Queries for details.

Explore unified properties

Surface Command has its own set of pre-defined types called unified types, which present a consistent view of the data correlated from many different sources such as EDR tools, vulnerability scanners, cloud infrastructure APIs, CMDBs, identity management technologies, and custom datasets. Each unified type represents a general class of objects, such as Asset, Network, Identity, and Vulnerability, and defines the set of common properties and inter-object relationships for that class. The Unified model explorer shows all the unified types, the corresponding icon used throughout the platform, and how the unified types relate to each other.

You can access the Unified model explorer from these locations:

  • Settings > Manage unified properties or Settings > View unified properties (depends on your permissions)
  • Workspace > Unified asset model

Understand the unified model

You can query and report on the unified types independently of the specific sources that are connected to the platform. You can build queries using the unified type's properties and relationships, source type properties and relationships, or both in any combination. In this way, you can take advantage of the consistency and simplicity of the unified model while still using source-specific properties and relationships when necessary.

The unified model includes standard property names and also standard relationships (also known as edges) between types. Types with an asterisk (*) can have a relationship with themselves. For example, Groups can be hierarchical. In the model, you can see that Asset relates to Vulnerability. An asset can have a list of vulnerabilities that were identified. You can build queries using these relationships.

For example, Asset is a unified type that might have sources such as Microsoft Defender, ServiceNow, Rapid7 and others, each providing a different perspective on the type. Vulnerability is a unified type with sources such as Tenable, Qualys, NIST NVD, and CISA Known Exploited Vulnerabilities, each providing different data on the vulnerability. Using the unified model, you can build a single simple query that shows assets of a particular type that have vulnerabilities of a certain severity. You can filter your queries using properties of the unified model, such as type, operating system, or CVSS score, or using properties of specific correlated sources interchangeably.

Unified types with disparate data

Viewing and querying unified properties:

When data is ingested from multiple sources, Surface Command pulls all of the source records referring to the same type together into a single unified view. The unified type defines a set of properties that are common for that type, and each correlated source record has its own properties, which can be used to fulfill any number of those unified properties. When multiple source records try to fulfill the same unified property, a configurable process (if you have permissions to configure unified properties) determines which is the best source value to choose. Depending on the connectors that are installed, the best value might be the most recent value from any source or the value from a specific authoritative source. This best fulfilling value is shown when you view the details of a unified type.

When querying for unified types, you typically want to filter on the best value for a given unified property. In some cases, however, you may want to query for a match across any of the source properties fulfilling that unified property. By default, a property match clause from a column filter, or in a Cypher query (for example, WHERE a.os_family), compares against the best fulfilling property value, with the exception of string and array properties. For string and array properties, the match by default compares across all fulfilling values of the unified property and evaluates to true if any of them match. This allows you to discover source records that may not be apparent from the best value.

For example, suppose a user in your attack surface has two different names in two different source records, "Christopher" and "Chris", and the best property for the username is "Chris". Since the name property of a User record is a string, a filter on user.name that matches either "Christopher" or "Chris" will retrieve this record. However, when displaying the user in a table, the user’s name will still be shown as "Chris". It is still possible to display both "Christopher" and "Chris" by modifying the source query to return every(user.name).

Additional notes:

  1. It is possible to compare only against the best value of a string property by using the top() function. For instance:
    MATCH (a:Asset) WHERE top(a.name) = "some_name" RETURN a
    For other single-value property types, including enumerations, booleans, numeric and date properties, the best property is used as the only property for filtering and sorting purposes.
  2. If a boolean property is never fulfilled by a source record, and that property is used in a filter as true or false, then that property is considered false. For instance, suppose a machine has no sources that label it as being active or inactive, so machine.active would have no values. In that case the machine will match on a filter on NOT machine.active.
    • If it is necessary to check for null or an explicit false value, the filter machine.active IS NULL or machine.active = FALSE will match for those cases.
  3. If you want to match on any fulfilling value of a property, you can use the every() function. For instance:
    MATCH (a:Asset) WHERE TRUE in every(a.active) RETURN a

Manage unified properties

If you have the appropriate permissions, you can manage how values are chosen when information sources provide different values for the same unified property.

To change a unified type's property fulfillment:

  1. Open the Unified model explorer.
  2. Click a unified type. The side panel expands, displaying all properties.
  3. Click a property.
  4. Select an option from the Best source drop-down menu:
    • Top priority - Value is obtained from the first available source with the highest priority. You order the information sources from highest to lowest priority by dragging them. You can also use the move icons to move an item up or down one space, or Shift+click to move it to the top or bottom of the list.
    • Most recently updated value - Value is obtained from the information source with the most recent value.
    • Any true value - If any information source provides a value that equals True, the platform chooses that value in preference to any False or empty values.
    • Any false value - If any information source provides a value that equals False, the platform chooses that value in preference to any True or empty values.
    • Maximum value - Value is obtained from the information source with the largest value.
    • Minimum value - Value is obtained from the information source with the smallest value.
    • Latest date value - Available for date values. Value is obtained from the information source with the latest date.
    • Earliest date value - Available for date values. Value is obtained from the information source with the earliest date.
  5. Click Apply.
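The fulfillment rules from the "Unified types with disparate data" notes (best value vs. every fulfilling value, unfulfilled booleans treated as false) and the "Best source" strategies listed above, modelled in Python as an added example; this is not Surface Command's own code, the source names, property names and dates are constructed, and top() and every() here mirror the page's Cypher functions over an in-memory record set.

```python
from datetime import date

# Constructed sample (not product data): three correlated source records for
# one unified Asset, listed highest -> lowest priority as they would be
# ordered by dragging sources in the Unified model explorer.
SOURCES = [
    ("edr",     date(2024, 5, 2), {"name": "web-01.corp", "active": True,  "cvss": 7.5}),
    ("cmdb",    date(2024, 4, 1), {"name": "WEB01",                        "cvss": 9.1}),
    ("scanner", date(2024, 5, 9), {"name": "web-01",      "active": False}),
]

def fulfilling(prop):
    """Every (source, updated, value) that fulfils a unified property, in priority order."""
    return [(s, upd, rec[prop]) for s, upd, rec in SOURCES if prop in rec]

def every(prop):
    """Mirror of the Cypher every(): all fulfilling values of the property."""
    return [v for _, _, v in fulfilling(prop)]

def top(prop, strategy="top_priority"):
    """Mirror of the Cypher top(): the single best value under a 'Best source' strategy.
    'maximum'/'minimum' double as 'Latest date'/'Earliest date' for date values."""
    vals = fulfilling(prop)
    if not vals:
        return None  # property never fulfilled by any source
    pick = {
        "top_priority": lambda: vals[0][2],
        "most_recent":  lambda: max(vals, key=lambda t: t[1])[2],
        "any_true":     lambda: True if any(v is True for *_, v in vals) else vals[0][2],
        "any_false":    lambda: False if any(v is False for *_, v in vals) else vals[0][2],
        "maximum":      lambda: max(v for *_, v in vals),
        "minimum":      lambda: min(v for *_, v in vals),
    }
    return pick[strategy]()

def matches(prop, wanted, strategy="top_priority"):
    """Default column-filter / WHERE a.prop = wanted semantics from the page:
    strings and arrays match if ANY fulfilling value matches; other types
    compare only the best value; an unfulfilled boolean counts as False."""
    vals = every(prop)
    if vals and isinstance(vals[0], (str, list)):
        return any(v == wanted or (isinstance(v, list) and wanted in v) for v in vals)
    best = top(prop, strategy)
    if best is None and isinstance(wanted, bool):
        best = False
    return best == wanted
```

Note that matches("name", "WEB01") is true even though top("name") is "web-01.corp", which is exactly the "Christopher"/"Chris" behaviour described above, while matches("owner", False) is true for a boolean no source ever supplied.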