Internal attack surface
Copy link

In Attack Surface Management (Surface Command), your internal attack surface comprises two of the most common types: assets and identities. For more information on asset types and how they relate, see Explore unified properties.

Assets and identities come directly from information sources through Connectors. Much of the functionality featured on Your Security Program (Command Platform), Attack Surface Overview (Command Platform), and Attack Surface Management (Surface Command) are built using assets and identities and their properties. You can also use the Workspace to query your assets and identities and create widgets and dashboards.

Explore assets and identities
Copy link

To begin exploring, go to Assets or Identities in Attack Surface Management (Surface Command).

Filter and view coverage

You can filter the Assets or Identities pages using the Filter icon in any column header. Click Filter and adjust the operator to get started.

The Sources column provides a unique coverage gap filter, which assists you in quickly identifying coverage gaps.

To show coverage gaps:

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Coverage gap by source.
  4. Begin typing. Matching results are automatically selected. Items that are not associated with the selected source are displayed.

To show coverage:

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Filter by source.
  4. Begin typing. The matching results are automatically selected. Items that are associated with the selected source are displayed.

If you want to filter by types from third-party sources (for example, Microsoft, Cisco, Crowdstrike), you must add additional columns to the view.

To manage table columns:

  1. Build a query or go to Assets or Identities.
  2. Click the Manage table columns icon in the last column header.
  3. Optionally, toggle on Show source types to reveal third-party source types.
  4. Click + next to an entry to add the column or click - to remove the column.

Save and use filters

After filtering the list of Assets or Identities, you can save the filter for later access. Anyone in Attack Surface Management (Surface Command) can access a saved filter.

To save a filter:

  1. Filter the Assets or Identities page as necessary.
  2. Click Save View.
  3. Enter a name for the view.
  4. Optionally, enter a description for the view.
  5. Click Save.

To access a saved filter:

  1. Go to the Assets or Identities page.
  2. Click Filter views (top-left corner).
  3. Select a filter. The filters with a lock icon denote a pre-made filter created by the Attack Surface Management (Surface Command) team.

To modify a saved filter:

  1. Go to the Assets or Identities page.
  2. Click Filter views (top-left corner).
  3. Select a filter.
  4. Remove, add, or modify filters as necessary.
  5. Save the filter:
    1. Click Save View to update the filter with the current configuration. This option is not available for pre-made filters.
    2. Click Save as… to save the current configuration as a new filter.

Manage and explore widgets

Widgets are used to populate dashboards. You can explore all widgets associated with the current filter view using the Widgets panel.

To explore widgets:

  1. Open an Attack surface page.
  2. Optionally, filter the Attack Surface page or click Filter views to load a saved filter.
  3. Click Widgets > View Widgets. If the View Widgets button is inactive, there are no widgets for the current filter view.
  4. Search or filter the list as needed.

Hover your cursor on a widget to show a menu where you can edit a widget, duplicate a widget, see how many dashboards the widget is on, or delete a widget.

You can also create a widget from a filtered view.

To create a widget:

  1. Filter the Attack Surface page as needed or click Filter views to load a saved filter.
  2. Click Widgets > New Widget.
  3. Enter a name for the widget.
  4. Optionally enter a widget description.
  5. Select a widget type.
  6. Configure the widget as needed.
  7. Click Save.

Visit Managing dashboards for details on using dashboards.

View properties

Click any asset or identity to open the properties side panel.

Properties are organized into tabs depending on where they come from: General properties and connector properties. This means you should see multiple tabs when you open the properties side panel. Navigate to a connector tab to see the properties associated with that particular connector.

From the properties panel, you can:

View relationships

You can access the relationships graph from these locations:

  • Query results - click Menu > View graph.
  • Widgets - click View results or View all query results, then click Menu > View graph.
  • Properties - click Menu > View graph.

This graphical view displays the node and any nodes that have a direct relationship. The graph shows a relationship between nodes as an edge (a line between nodes). You can click an edge to see the property name and direction for the relationship.”,

View remediations

You can view remediations for vulnerabilities associated with assets from Cloud Security (InsightCloudSec) or InsightVM.

To view remediations in the Remediation Hub :

  1. Build a query or go to Assets or Identities.
  2. Click Filter in the Sources column header.
  3. Click Filter by source.
  4. Select Rapid7 Cloud Security (InsightCloudSec) Instance and Rapid7 Vulnerability Management (InsightVM) Asset.
  5. Click Menu > View remediations next to a row. The Remediation Hub opens filtered to the selected item.

Interact with assets or identities
Copy link

Assets or identities can be used to trigger an existing workflow or can be tagged for easy organization and querying.

Trigger a workflow

You can trigger a workflow from query results. Click Menu, then click Run workflow. For more information on building workflows, visit Workflows.

Add tags

Tags are added from the properties panel.

You can access properties from these locations:

  • Query results - click the asset or identity in the results table.
  • Widgets - click View results or View all query results, then click the asset or identity in the results table.
  • Relationships graph - click an asset or identity node, then click Show details.

To add a tag:

  1. Click + Tag.
  2. Begin typing into the search field.
    1. If the tag already exists, select it. You can select multiple tags.
    2. If the tag does not exist, provide a name and color for it.
  3. Click Done.

You can now use the selected tags to query for the associated asset or identity. Review Workspace and Queries for details.

Manage correlation

Rapid7 automatically correlates assets that have the same properties. To learn more about correlation and correlation rules, see Explore and manage correlation.

If an asset is over-correlated, you can create an exclude rule to un-correlate the assets using a property.

⚠️

Proceed with caution

Tuning correlation may change how related assets are grouped. In some cases, it can split an asset into multiple separate assets. Changes may take time to process and can affect existing correlations, asset counts, and data accuracy.

To create a correlation exclude rule:

  1. Go to Assets & Identities > Attack Surface Management > Assets or Identities.
  2. Click a row to open the properties panel.
  3. Expand the Correlation information drop-down.
  4. Expand a correlated property and click Exclude.
  5. Adjust the Value as needed:
    • Leave the field empty to exclude all values.
    • Use line breaks to separate multiple values.
  6. To exclude values for a specific connector type, select types from the drop-down.
    • Leave the field empty to exclude all types.
  7. Adjust the Rule Name as needed.
  8. Optionally, update the description.
  9. Click Save Rule.

After you create the rule, it may take some time to process. Asset data updates after the next correlation cycle completes. While processing is in progress, a message appears in the Correlation Information section of the Asset Details panel.