Mark an Asset as Restricted or Allow an Asset

Marking an asset as restricted allows you to monitor access to the asset. When you mark an asset as restricted, you will be alerted every time a new user logs in to the asset.

Restricted assets are useful for auditing access to systems, such as those that are critical for:

  • Business operations (for example, production web servers, databases, or C-level laptops)
  • Security administration (for example, DCs)
  • Compliance (for example, Cardholder Data Environment or PII servers)

You should mark assets as restricted as soon as possible in order to establish baselines for critical systems, while receiving valuable insight into which users are logging on to your critical devices.

Mark an asset as restricted

For InsightIDR to automatically generate alerts on a restricted asset, you must configure the asset's settings.

To mark an asset as restricted:

  1. Using the top search, enter the exact name of the asset you want to mark as restricted.
  2. On the Asset Details page, switch the Restricted toggle to on.

Note: If you have integrated Nexpose or InsightVM with InsightIDR, use the Nexpose Criticality Score to automatically set restricted assets in Settings > Asset Settings.

InsightIDR will generate a Restricted Asset Authentication alert whenever a new user logs in to this asset to the first time.

Multiple login attempts for this asset generate Blacklisted Authentication alerts.

Add an asset to an allowlist

While you cannot specifically allowlist an asset from alerts, you can remove any existing alerts that are tied to the asset.

To delete any blocked authentication rules, go to Settings > Alert Modifications > Blacklisted Authentication to Asset, and then click the Trash icon to the left of the blocked rule.