You will learn why you should use Derived Fields and how to configure them.
Last Updated 5/13/24
Overview
Derived fields are NopSec fields admins can configure the logic on how to source the values of those fields per Integration.
You were already using Derived fields with the two existing fields, Target Name and Target Location, however, the logic for those fields was done by NopSec and was not configurable by you.
Now you can configure their logic plus 7 other fields:
- Target Name
- Target Location
- Target Uniqueness
- Target OS
- Target Owner
- Target Value
- Target Application
- Target Organization
- Target Country
Target Name and Target Location
These two derived fields already existed and were using our own rule sets in the backend which were not visible or configurable.
These two fields will continue to use those rule sets until you configure your own rules in Derived Fields.
Rules
Derived Fields are configured with a set of prioritized rules. NopSec will attempt to find a value using the first rule in the list, if the rule returns a blank string or a Null value, the rule is skipped and NopSec attempts the next rule. If no rules return a string then the Derived Field value remains empty.
Tags
Using Tag Key or Tag Value for a Derived Field always returns the Tag Value.
For context, when your scanner doesn't provide a Tag object such as Qualys returning a string, we create a NopSec tag object as:
- Tag Key: Scanner_Group
- Tag Value:
Other scanners may actually provide their own tag key and value such as:
- Tag Key:
- Tag Value:
So when you use a search pattern you can search across either Tag Key or Tag Value but we will always return the Tag Value string.
Search Patterns
If the Field you are using in your rules are stored as a List (IP Address, MAC Address) you can use search patterns to find the specific value you're looking to source. Or if your values may not be completely unique such as Tags you may use a search pattern to find the specific version of the value you were looking for.
Operators
- Is Exact
- Contains
- Starts With
- Ends With
- Regex
Examples
- IP Address
- ["127.o.0.1", "10.0.0.2", "7.35.23.15"]
- You can use the operators to find 10.0.0 and use that as the source
- Tag 0
- Tag Key: "Department"
- Tag Value: "Product - Production"
- Tag 1
- Tag Key: "Department"
- Tag Value: "Marketing"
- If your target had two tags with the same Tag Key where you need to find the specific version you can do either of the following:
- Tag Value is Exact Marketing == > Tag 1 Tag Value
- Tag Key contains Production == > Tag 0 Tag ValueTags
Testing
We've created a document explaining multiple ways to test your search patterns.
Processing
Derived Fields are processed after all new integration syncs. This means only Targets that are seen in a new integration sync are updated. If you have a need to update all targets you will have to submit a Help Ticket and ask for a Historical Sync.
Walkthrough
- Go to Integrations
- You must have Integrations.read and Integrations.write
- Find your configured integration in your My Integrations tab
- Open the accordion and view the specific Integration's Details (click View Details)
- Click on Derived Fields tab
- You can now see the 9 Derived Fields displayed in a list
- Click open an accordion by clicking the arrow button on the far right, this will expand the card
- Click Add Rule
- Prioritize the logic you'd like to use to source the value for this field.
- Think through what this scanner scans; maybe it scans both Cloud and Infrastructure targets. If that's the case consider prioritizing the Cloud properties first then the Infrastructure ones.
- If you'd like to only source the field if it meets a specific criteria you can add a search pattern.
- Click Add Search Pattern
- Select an Operator
- Fill in the Value
- We've created another document to highlight how users can test complicated search patterns here.
- Click Save
- Repeat for each rule.
- Then repeat for each field you'd like to configure.
- If a Derived field doesn't have any rules it will remain blank.