Aug 17 2021 01:50 PM
Aug 18 2021 03:56 AM
@wootts The High Value assets can be used in a couple of different ways. One that comes to mind is if there is any incident against an asset that is part of the list, raise the severity (either inside the Analytic rule or by using a Playlist). Another is to check to see if anyone is performing queries against entries in this list (assuming you have the query monitoring enabled) to make sure people are not looking for information they shouldn't (we had a list like this at a hospital I used to work at to make sure people were not looking up information for celebrities we were treating).
The Service Accounts list could be used to ignore incidents from service accounts, as there are usually quite a few of them, or lower the severity.
Terminated employees is very useful to keep a better eye on their activities, again by raising the severity.
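The severity adjustments described in the reply above, sketched as a KQL query. This is an added example, not part of the original post: the list contents, alert rows, column names and the precedence between rules are all constructed assumptions, and in Sentinel each inline list would be replaced by a `_GetWatchlist('<your alias>')` call.

```kusto
// Constructed sample lists (assumed names and columns). In Sentinel, replace each
// datatable with _GetWatchlist('<your alias>') | project <the matching column>.
let HighValueAssets = datatable(Asset:string) ["dc01", "hr-db01"];
let ServiceAccounts = datatable(Account:string) ["svc-backup", "svc-scan"];
let TerminatedEmployees = datatable(Account:string) ["jdoe"];
// Constructed sample alerts standing in for the real alert or incident table.
let Alerts = datatable(AlertId:int, Asset:string, Account:string, Severity:string) [
    1, "dc01",    "asmith",     "Low",
    2, "wks-114", "svc-backup", "Medium",
    3, "wks-201", "jdoe",       "Low",
    4, "hr-db01", "svc-scan",   "Medium",
    5, "wks-330", "bnguyen",    "Medium"
];
// Materialise each list once as a dynamic array for membership tests.
let hv   = toscalar(HighValueAssets | summarize make_set(Asset));
let svc  = toscalar(ServiceAccounts | summarize make_set(Account));
let term = toscalar(TerminatedEmployees | summarize make_set(Account));
let Levels = dynamic(["Informational", "Low", "Medium", "High"]);
Alerts
| extend IsHighValue  = Asset in~ (hv),
         IsService    = Account in~ (svc),
         IsTerminated = Account in~ (term)
| extend Base = array_index_of(Levels, Severity)
// Assumed precedence: a high-value asset or terminated user raises severity
// even when the account is a service account; otherwise service accounts are lowered.
| extend Adjusted = case(
    IsHighValue or IsTerminated, Base + 1,
    IsService,                   Base - 1,
    Base)
// Clamp to the valid range so "High" cannot be raised past the top level.
| extend Adjusted = max_of(0, min_of(Adjusted, array_length(Levels) - 1))
| extend NewSeverity = tostring(Levels[Adjusted])
| project AlertId, Asset, Account, Severity, NewSeverity,
          IsHighValue, IsService, IsTerminated
```

Alert 4 is the case worth looking at: it matches both the high-value asset list and the service account list, so the order of the `case` branches decides whether it is raised or lowered.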
Aug 18 2021 04:10 AM