Mark an Asset as Restricted or Allow an Asset

Marking an asset as restricted allows you to monitor access to the asset. When you mark an asset as restricted, you will be notified every time a new user logs in to the asset.

Restricted assets are useful for auditing access to systems, such as those that are critical for:

  • Business operations (for example, production web servers, databases, or C-level laptops)
  • Security administration (for example, domain controllers (DCs))
  • Compliance (for example, Cardholder Data Environment or PII servers)

You should mark assets as restricted as soon as possible to establish baselines for critical systems and to gain insight into which users are logging on to your critical devices.

Mark an asset as restricted

For InsightIDR to automatically generate detections on a restricted asset, you must configure the asset's settings.

To mark an asset as restricted:

  1. Using the top search, enter the exact name of the asset you want to mark as restricted.
  2. On the Asset Details page, switch the Restricted toggle to on.

Note: If you have integrated Nexpose or InsightVM with InsightIDR, use the Nexpose Criticality Score to automatically set restricted assets in Settings > Asset Settings.

InsightIDR will generate a Restricted Asset Authentication detection from the corresponding legacy detection rules whenever a new user logs in to this asset for the first time.

Multiple login attempts for this asset generate Blacklisted Authentication detections from the corresponding legacy detection rule.
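
The following is an added illustration of the first-login behavior described above, written as a generic first-seen check over authentication events. It is not InsightIDR's rule logic. The asset names, accounts, event fields and the account-normalization rule are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: asset names, accounts and events are made up.
RESTRICTED_ASSETS = {"dc01", "cde-db01"}

@dataclass(frozen=True)
class AuthEvent:
    timestamp: str   # ISO 8601; events are assumed to arrive in time order
    asset: str
    account: str
    success: bool

def normalize_account(account: str) -> str:
    """Fold DOMAIN\\user, user@domain and case variants to one key.
    Assumption: a single domain, so dropping the domain part is safe."""
    name = account.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name

def first_logins(events, restricted=RESTRICTED_ASSETS, known=None):
    """Return (timestamp, asset, user) for each first successful logon
    of an account to a restricted asset.
    `known` maps asset -> accounts already seen (the existing baseline)."""
    known = {} if known is None else known
    alerts = []
    for ev in events:
        asset = ev.asset.strip().lower()
        if asset not in restricted or not ev.success:
            continue  # ignore unrestricted assets and failed attempts
        user = normalize_account(ev.account)
        seen = known.setdefault(asset, set())
        if user not in seen:
            seen.add(user)  # later logons by this user stay silent
            alerts.append((ev.timestamp, asset, user))
    return alerts

SAMPLE_EVENTS = [
    AuthEvent("2024-05-01T08:00:00Z", "DC01", "CORP\\alice", True),
    AuthEvent("2024-05-01T08:05:00Z", "dc01", "alice@corp.example", True),
    AuthEvent("2024-05-01T09:00:00Z", "dc01", "CORP\\bob", False),
    AuthEvent("2024-05-01T09:01:00Z", "dc01", "CORP\\bob", True),
    AuthEvent("2024-05-01T09:30:00Z", "ws-117", "CORP\\carol", True),
    AuthEvent("2024-05-01T10:00:00Z", "cde-db01", "svc_backup", True),
]

if __name__ == "__main__":
    for alert in first_logins(SAMPLE_EVENTS):
        print(alert)
```

Passing an existing baseline through `known` shows why marking assets early matters: accounts already recorded for an asset no longer raise a first-login alert, so only new users stand out.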