Restrict or Whitelist an Asset

Restricting an asset allows you to monitor access to critical systems at the level of each individual asset. When you mark an asset as restricted, you will be alerted every time a new user logs in to that asset; you can then whitelist or blacklist access to the system, effectively compiling a list of approved users.

Restricted assets are useful for auditing access to systems critical for business operations (production web servers, databases, C-level laptops, and so on), security administration (domain controllers), compliance (Cardholder Data Environment, PII servers, and so on), and more.

You should restrict assets as soon as possible in order to establish baselines for critical systems, while receiving valuable insight into which users are logging on to your critical devices.

Restrict an Asset

Before InsightIDR can automatically generate alerts on a restricted asset, you must first configure the restricted asset settings.

To mark an asset as restricted:

  1. Go to the individual asset page. You can get there through "Global Search", from a "User Details" page, or from the "Asset & Endpoints" page.
  2. Click the Target icon to the right of "Asset Info."

     On a "User Details" page, select the Computer icon to mark it as "Restricted."

  3. If you have integrated Nexpose or InsightVM with InsightIDR, use the Nexpose Criticality Score to automatically set restricted assets in Settings > Asset Settings.

InsightIDR will generate a Restricted Asset Authentication alert whenever someone uses this asset to log in for the first time.

Multiple logins from this asset will generate Blacklisted Authentication alerts.
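
The alert flow described above, modelled in Python as an added example (not InsightIDR's code). The class and function names and the sample events are constructed, and it assumes that a user blacklisted after the first alert triggers Blacklisted Authentication on every later login to the restricted asset.

```python
from dataclasses import dataclass, field

NEW_USER = "Restricted Asset Authentication"   # alert names as used on this page
DENIED = "Blacklisted Authentication"

# Constructed sample authentication events: (timestamp, user, asset)
SAMPLE_EVENTS = [
    ("2024-01-08T09:00:00Z", "alice", "db-prod-01"),
    ("2024-01-08T09:05:00Z", "alice", "db-prod-01"),
    ("2024-01-08T10:00:00Z", "bob", "db-prod-01"),
    ("2024-01-08T10:30:00Z", "bob", "db-prod-01"),
    ("2024-01-08T11:00:00Z", "carol", "laptop-17"),
]

@dataclass
class RestrictedAssetMonitor:
    restricted: set                                # assets marked as restricted
    approved: set = field(default_factory=set)     # whitelisted (asset, user) pairs
    denied: set = field(default_factory=set)       # blacklisted (asset, user) pairs
    seen: set = field(default_factory=set)         # pairs already alerted on

    def decide(self, asset, user, allow):
        """Record the analyst's whitelist (True) or blacklist (False) decision."""
        (self.approved if allow else self.denied).add((asset, user))

    def process(self, event):
        """Return the alert name raised by one event, or None."""
        _, user, asset = event
        key = (asset, user)
        if asset not in self.restricted or key in self.approved:
            return None
        if key in self.denied:
            return DENIED          # assumption: every login by a denied user alerts
        if key in self.seen:
            return None            # undecided user, first-login alert already raised
        self.seen.add(key)
        return NEW_USER

def replay(events, monitor, decisions):
    """Replay events, applying any analyst decision right after the first alert."""
    alerts = []
    for ts, user, asset in events:
        alert = monitor.process((ts, user, asset))
        if alert:
            alerts.append((ts, user, asset, alert))
        if alert == NEW_USER and (asset, user) in decisions:
            monitor.decide(asset, user, decisions[(asset, user)])
    return alerts
```

Calling `replay(SAMPLE_EVENTS, RestrictedAssetMonitor(restricted={"db-prod-01"}), {("db-prod-01", "alice"): True, ("db-prod-01", "bob"): False})` yields one first-login alert each for alice and bob, then a Blacklisted Authentication alert for bob's second login; carol's login to the unrestricted laptop raises nothing.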

Whitelist an Asset

While you cannot specifically whitelist an asset from alerts, you can remove any existing alerts that are tied to the asset.

To delete any blacklisted authentication rules, go to Settings > Alert Modifications > Blacklisted Authentication to Asset. Then click the Trash icon to the left of the blacklist rule.