Adding Attack Surface Custom Policies



Adding a policy to your attack surface


On the left side of the menu, you will find the Custom Policies tab. You can create your first policy from here by clicking "Add policy."


Conditions


Start by specifying the conditions that, if satisfied, constitute a policy violation and thus trigger an alert. First, select the variable for which you want to build a policy, such as port or technology. Then, select the operator that should apply to that variable. The operators are:

  • "Is one of", which lets you select any number of inputs; an alert is created if any of them matches;
  • "Is not one of", which lets you select any number of inputs; an alert is created if none of them matches; or
  • "Is any", which takes no further input but instead creates an alert for every instance where the variable is found, for example any newly discovered port or any newly discovered technology.



Scope


Next, select the scope where you want your policy to apply. For many larger organizations, the same policies aren't applicable across the entire attack surface; activities such as M&A, legacy systems, or R&D can all contribute to this. Moreover, if certain domains should not expose any open ports, for example because they sit behind a VPN, scoping in combination with the "Is any" operator can be used to monitor for this.


Today, you can scope on the domain name using plain text, such as listing all domains or subdomains where the policy should apply, or by using Regular Expression (regex) patterns to create any kind of complex scope (see image below).



Severity


Not all policies and alerts are equally important when prioritizing. To allow you and your teams to differentiate between more severe and less severe policy breaches, you select the severity when creating a policy. These severity levels match the levels commonly used across the cybersecurity market and the severities Detectify assigns to vulnerabilities. There are five levels: Critical, High, Medium, Low, and Information.




Name


Wrap up by naming your policy in a way that makes sense to you and conveys what the policy is for.
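As an added illustration of how the four settings above combine (this is not Detectify's code and does not describe its implementation), the following Python sketch evaluates a policy's variable, operator, scope regex and severity against a constructed set of assets. The field names, the per-instance evaluation of each port or technology, and the sample policies and assets are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    variable: str        # "port" or "technology"
    operator: str        # "is_one_of", "is_not_one_of" or "is_any"
    values: frozenset = frozenset()   # selected inputs; unused for "is_any"
    scope: str = r".*"   # regex matched against the whole domain name
    severity: str = "Medium"   # Critical, High, Medium, Low, Information

@dataclass(frozen=True)
class Asset:
    domain: str
    ports: frozenset
    technologies: frozenset

def violations(policy, asset):
    """Return the observed instances of the variable that breach the policy (each judged on its own)."""
    if not re.fullmatch(policy.scope, asset.domain):
        return frozenset()   # out of scope: the policy does not apply here
    observed = asset.ports if policy.variable == "port" else asset.technologies
    if policy.operator == "is_any":          # any instance at all is a breach
        return observed
    if policy.operator == "is_one_of":       # breach when a listed value is seen
        return observed & policy.values
    if policy.operator == "is_not_one_of":   # breach when an unlisted value is seen
        return observed - policy.values
    raise ValueError(f"unknown operator {policy.operator!r}")

def evaluate(policies, assets):
    """One alert per (policy, asset) pair that has at least one violation."""
    return [(p.severity, p.name, a.domain, sorted(map(str, hits)))
            for p in policies for a in assets if (hits := violations(p, a))]

# Constructed sample policies and attack surface (not real data).
POLICIES = [
    Policy("VPN hosts expose no ports", "port", "is_any",
           scope=r"vpn\.[a-z0-9.-]+\.example\.com", severity="High"),
    Policy("Only standard web ports", "port", "is_not_one_of",
           frozenset({80, 443}), scope=r".*\.example\.com"),
    Policy("Legacy technology", "technology", "is_one_of",
           frozenset({"PHP 5", "jQuery 1.x"}), severity="Critical"),
]
ASSETS = [
    Asset("vpn.corp.example.com", frozenset({443}), frozenset()),
    Asset("www.example.com", frozenset({80, 443, 8080}), frozenset({"nginx"})),
    Asset("legacy.example.com", frozenset({80}), frozenset({"PHP 5"})),
]
```

Calling `evaluate(POLICIES, ASSETS)` yields three alerts: the VPN host for its open port 443, www.example.com for port 8080, and legacy.example.com for PHP 5; the VPN host is in scope for the web-ports policy but produces no alert because 443 is listed.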



Take inventory of all your Custom Policies


When a policy is created, our policy service starts monitoring changes to your attack surface and generates an alert for any asset where the conditions are satisfied. All policies created for your attack surface can be found under the "Custom Policies" tab.




Each policy can be expanded to show when it was created and what the conditions for that policy are.




To see all breaches of a particular policy, simply click the alerts count on its row.


Removing a Custom Policy


To remove a policy you no longer wish to monitor, click the trash can that can be seen on each policy in your inventory.