Getting started with Attack Surface Custom Policies

Adding a policy to your attack surface

In the left-side menu you will find the Custom Policies tab. From there you can create your first policy by clicking "Add policy".

Conditions

Start by specifying the conditions that, if satisfied, constitute a policy violation and therefore trigger an alert. First, select the variable the policy should evaluate, such as port or technology. Then select the operator that should apply to that variable. The operators are:

  • "Is one of", which lets you select any number of inputs; an alert is created if the observed value matches any of them;
  • "Is not one of", which lets you select any number of inputs; an alert is created if the observed value matches none of them; or
  • "Is any", which takes no further input and instead creates an alert for every instance where the variable is found, for example any newly discovered open port or any detected technology.


Scope

Next, select the scope in which the policy should apply. In many larger organisations the same policies do not apply across the entire attack surface; M&A activity, legacy systems and R&D environments all contribute to this. Scoping also lets you encode an expectation about one part of the surface: if certain domains should not expose any open ports at all, for example hosts that should only be reachable over a VPN, a narrow scope combined with the "Is any" operator on the port variable will alert on any port that does appear there.


Today, you can scope on the domain name either as plain text, listing the domains or subdomains where the policy should apply, or as Regular Expression (regex) patterns, which allow arbitrarily complex scopes (see image below). Test regex scopes carefully: an unanchored pattern, or an unescaped dot, can match more domains than you intended.



Severity

Not all policies and their alerts are equally important to prioritise. To let you and your teams distinguish more severe from less severe policy breaches, you select a severity when creating a policy. These severity levels match the levels commonly used across the cybersecurity market as well as the severities Detectify assigns to vulnerabilities. There are five levels: Critical, High, Medium, Low and Information.



Name

Wrap up by naming your policy in a way that makes sense to you and your team, so that the expectation the policy encodes is clear when an alert arrives.
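To make the four steps above concrete, here is an added worked example that is not Detectify's code: a small model of a policy (condition = variable + operator + inputs, scope, severity and name) evaluated against a constructed asset inventory. Field names, the regex dialect (Python's `re`, with `fullmatch` so a regex scope cannot silently widen to look-alike hosts) and all sample domains, ports and technologies are assumptions made for the illustration.

```python
"""Illustrative evaluator for attack-surface custom policies.

Added example, not Detectify's code: it models condition, scope, severity and
name as described above and runs them over a constructed asset inventory.
Field names, the regex dialect (Python's `re`) and the sample data are
assumptions.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

SEVERITIES = ("Critical", "High", "Medium", "Low", "Information")
OPERATORS = ("is one of", "is not one of", "is any")


@dataclass(frozen=True)
class Policy:
    name: str
    variable: str                        # e.g. "port" or "technology"
    operator: str                        # one of OPERATORS
    values: Tuple[Any, ...] = ()         # inputs for "is one of" / "is not one of"
    scope_domains: Tuple[str, ...] = ()  # plain-text domains, matched exactly
    scope_regex: Tuple[str, ...] = ()    # regex patterns; both empty = whole surface
    severity: str = "Medium"

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        if self.operator != "is any" and not self.values:
            raise ValueError(f"{self.operator!r} needs at least one input")

    def in_scope(self, domain: str) -> bool:
        """Plain-text scope is an exact match; regex scope uses fullmatch so an
        unanchored pattern cannot quietly extend the scope to look-alike hosts."""
        if not self.scope_domains and not self.scope_regex:
            return True
        if domain in self.scope_domains:
            return True
        return any(re.fullmatch(p, domain) for p in self.scope_regex)

    def violated_by(self, observed: Any) -> bool:
        """Apply the operator to one observed value of `variable` on an asset."""
        if self.operator == "is any":
            return True
        if self.operator == "is one of":
            return observed in self.values
        return observed not in self.values  # "is not one of"


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    domain: str
    variable: str
    observed: Any


def evaluate(policies: List[Policy], assets: List[Dict[str, Any]]) -> List[Alert]:
    """One alert per (policy, asset, observed value) where the asset's domain
    is inside the policy's scope and the condition holds for that value."""
    alerts: List[Alert] = []
    for asset in assets:
        for p in policies:
            if not p.in_scope(asset["domain"]):
                continue
            for observed in asset.get(p.variable, []):
                if p.violated_by(observed):
                    alerts.append(Alert(p.name, p.severity, asset["domain"],
                                        p.variable, observed))
    return alerts


# Constructed sample inventory: domain -> observed ports and technologies.
ASSETS: List[Dict[str, Any]] = [
    {"domain": "www.example.com", "port": [443], "technology": ["nginx"]},
    {"domain": "vpn.example.com", "port": [443, 22], "technology": ["OpenSSH"]},
    {"domain": "legacy.example.com", "port": [80, 21], "technology": ["IIS"]},
    # Look-alike host that an unanchored pattern such as "example\.com" would capture.
    {"domain": "example.com.evil.test", "port": [8080], "technology": ["PHP"]},
]

POLICIES: List[Policy] = [
    # Whole surface: plaintext services on any host are a breach.
    Policy("Plaintext services", "port", "is one of", (21, 23, 80), severity="High"),
    # One host, plain-text scope: nginx is the only accepted web stack.
    Policy("Unexpected web stack", "technology", "is not one of", ("nginx",),
           scope_domains=("www.example.com",), severity="Low"),
    # Narrow scope + "is any": the VPN endpoint should expose no port at all.
    Policy("VPN host exposes a port", "port", "is any",
           scope_domains=("vpn.example.com",), severity="Critical"),
    # Regex scope: inventory every technology seen under example.com.
    Policy("Technology inventory", "technology", "is any",
           scope_regex=(r".*\.example\.com",), severity="Information"),
]

if __name__ == "__main__":
    for a in evaluate(POLICIES, ASSETS):
        print(f"[{a.severity}] {a.policy}: {a.domain} {a.variable}={a.observed}")
```

Running it yields two Critical alerts for the two ports seen on vpn.example.com, two High alerts for ports 80 and 21 on legacy.example.com, and three Information alerts from the technology inventory; the look-alike domain example.com.evil.test produces nothing because the regex scope is matched in full rather than searched.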



Take inventory of all your Custom Policies

As soon as a policy has been created, our policy service starts monitoring changes to your attack surface and generates an alert for any asset where the conditions are satisfied. All policies created for your attack surface are listed under the "Custom Policies" tab.



Each policy can be expanded to show when it was created and what the conditions for that policy are.



To see all breaches of a particular policy, click the alert count on its row.



Removing a Custom Policy

To remove a policy that you no longer wish to monitor, click the trash can shown on each policy in your inventory.