How do I find targets with Mitigating Controls?

This article shows how to find targets that have Mitigating Controls enabled using the Prioritize page, and how to view the mitigating controls on a target.

Last Updated: 12/24/2023

 

Mitigating Controls

Mitigating controls are proactive measures clients can take, such as installing an EDR/XDR agent on an endpoint. The agent actively looks for threats and in some cases can prevent certain exploitation or actions from being taken.

We currently support only the CrowdStrike Falcon XDR platform, but will soon integrate with Microsoft Defender for Endpoint.

Controls and Settings

Each agent can be configured with specific controls chosen by the organization. These controls dictate the settings, and their values, that are applied at the target level.

Depending on the configuration of the control, NopSec will provide a risk reduction to the Target by reducing the risk of all vulnerability instances by a certain percentage. (See our article on how our mitigating controls framework works for more information.)

Finding Targets with Mitigating Controls

  1. Go to Prioritize
  2. Create a new query by opening the Query Builder or typing in the Text Input
    1. Query Builder:
      1. Find the Query Filter named Target has Mitigating Controls
      2. Set the checkbox to on, which means True.
      3. Run Request
    2. Text Input
      1. target.has_mitigating_controls == true
      2. Run Request
  3. The Report Table will now show all targets we have associated with a Mitigating Control.

Viewing Control Information

  1. After running the query above, click on Group By Target
  2. Click on the Eye icon on the first column to open up the Target Details drawer
  3. Click on the Controls Tab
    1. Here you can see the specific Control that was detected and all of the controls it has deployed to that target.
    2. You can see the Risk Reduction we've applied for associating this control to this target.
      1. The risk reduction is based on the types of settings and their values identified.
    3. You can view the settings for each control and their current values.
    4. You can search by setting name.
    5. You can filter by the setting values of status.

Interesting Reports

You can create reports that identify targets and help answer questions such as the following:

How many Targets have a mitigating control?

  • target.has_mitigating_control == true

How many Targets don't have a mitigating control?

  • target.has_mitigating_control == false

How many Targets have a mitigating control but are not receiving any risk reduction?

  • target.has_mitigating_control == true and instance.mitigating_risk_reduction == 0
  • Note: Risk Reduction is a float and is a value between 0 and 1.
  • This may be due to no settings being enabled and could be used to investigate potential misconfiguration.

How many Targets have a mitigating control with a risk reduction greater than 10%?

  • target.has_mitigating_control == true and instance.mitigating_risk_reduction >= .10
  • Note: Risk Reduction is a float and is a value between 0 and 1.