A collection is a set of elements that defines the attack surface of an organization, entity, or system, along with any additional information that may be available.
A collection may include the following elements:
CIDR IP address ranges
Ranges of IP addresses
Individual IP addresses
Each of the elements in a collection may have one or more risks associated with it. You can drill down into an element to view those risks.
Each collection has a Threat Indicator Confidence (TIC) score that is calculated based on the aggregate of its elements. This score is subject to change over time as new elements are added, and the risks associated with each element change on a daily basis.
Understanding Collection Membership
Direct vs. Inherited Members
If an Element is selected and then added to a Collection, it has direct membership in that Collection.
For example, if a CIDR is added to a Collection, that particular CIDR is a direct member of the Collection. This means it can be added to or removed from the Collection via the Rule page.
It is important to note that all of the IPs and FQDNs that are part of that CIDR are added to the Collection when a CIDR is added, but they are considered inherited members of that Collection.
This means that these Elements may not be added to or removed from the Collection. The only way to remove inherited members is by removing the direct member/Element they belong to.
An Element Being Added to a Collection
How Inherited Members May Change the Collection
Inherited elements may cause the collection element count to be greater than expected because they are automatically added to the collection under the direct member they belong to.
Because Inherited elements are automatically added to the collection, they will also appear in the elements table, even though they were not directly selected to be part of the Collection.
This is especially important to remember when importing Elements Owners, ASNs, and CIDRs from CSV.
Understanding the Relationship Between Threats and Collection Elements
Threats appear in collections because they are associated with elements in the collection. If a threat is associated with an IP or FQDN in the selected collection, it appears on the threats list.
Threat Mapping in the Collection
A single threat may be associated with more than one element in a collection. A link next to each threat on the list displays the collection elements associated with each threat.
For greater context, click View All Associations at the top of the Threats table to illuminate the relationship between threats and collection elements.
At this time, threats are not considered members of a collection; therefore, they cannot be added to or removed from the Collection. A threat can only be entirely removed or disassociated from a collection when it is no longer linked to any of the direct or indirect members of that collection.
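The membership rules (direct vs. inherited) and the threat visibility rule described above can be modelled in a few lines of Python. This is an added illustration, not scoutPRIME code: the Collection class, its method names, and the sample IPs and threat name are constructed for the example.

```python
import ipaddress

class Collection:
    """Illustrative model of direct vs. inherited members (not scoutPRIME code)."""

    def __init__(self, observed_ips):
        # IPs the platform already tracks; constructed sample data in this example
        self.observed = {ipaddress.ip_address(ip) for ip in observed_ips}
        self.direct = set()  # elements a user explicitly added as rules

    def add_rule(self, element):
        self.direct.add(ipaddress.ip_network(element))

    def inherited(self):
        """Observed IPs pulled in by a direct member without being selected."""
        # Modelling choice: an IP that is itself a direct member is counted once.
        own = {n.network_address for n in self.direct if n.num_addresses == 1}
        return {ip for ip in self.observed - own
                if any(ip in n for n in self.direct)}

    def element_count(self):
        return len(self.direct) + len(self.inherited())

    def remove_rule(self, element):
        net = ipaddress.ip_network(element)
        if net in self.direct:
            self.direct.remove(net)
        elif net.num_addresses == 1 and net.network_address in self.inherited():
            parents = [str(n) for n in self.direct if net.network_address in n]
            raise ValueError(f"{element} is inherited; remove {parents} instead")
        else:
            raise KeyError(element)

    def visible_threats(self, associations):
        """Threats linked to at least one direct or inherited IP."""
        return {threat for threat, ips in associations.items()
                if any(ipaddress.ip_address(ip) in n
                       for ip in ips for n in self.direct)}

if __name__ == "__main__":
    c = Collection(["192.0.2.10", "192.0.2.20", "198.51.100.7"])
    c.add_rule("192.0.2.0/24")              # one rule, two inherited IPs
    print(c.element_count())                # 3
    threats = {"threat-A": ["192.0.2.10"]}  # constructed association
    c.remove_rule("192.0.2.0/24")           # removing the parent drops its IPs
    print(c.visible_threats(threats))       # set()
```

Adding a single /24 rule yields an element count of three, and an inherited IP can only leave the collection when its parent CIDR is removed, which is also the point at which its threats stop appearing.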
For the article on Nested Collections, click here.
System vs. User-Generated Collections
There are two types of collections in scoutPRIME:
By default, a list of system Collections has already been defined and populated within Collection Management.
System Collections are networked Elements grouped together by industry. These categories are defaults within the system and may not be edited or deleted. System collections appear regardless of the workspace selected.
User Collections are created, defined, and maintained by system users and may be modified at any time. Once a collection is created, it is automatically assigned to the person who created it. Other users may be assigned to the Collection as well.
Viewing a Collection
Collections can be viewed from the Collection Management tab.
To view a collection in the Collection Management screen, follow these steps.
1. Click on the Collection Management tab in the Navigation Bar.
2. Select the collection you want to view from the list on the left side of the screen.
If you have a large number of collections, you can filter the list by entering a full or partial name into the Filter Collections field at the top of the screen. scoutPRIME performs a search-as-you-type query and displays only the collections whose names contain the specified text. To remove the filter, delete the text in the field.
The selected collection will display in the body of the screen.
The Collection Management screen contains the following features:
Navigation Breadcrumbs - These links show the path you took to get to this screen. Click on the links to return to the previous screens.
Collection Name - Displays the name of the collection.
Rules Link - Click to view the rules that make up this collection.
Notes Link - Click to view the notes entered for this collection.
Refresh button - Click to refresh the screen.
Actions Menu - Contains menu items for screen functions.
Element Tabs - List the number of each type of element contained in the collection. Click to view a list of the elements. You can click on each listing to drill down and see the details of each element.
Element Severity Listings - Lists the number of elements in the collection at each level of severity (Critical, Elevated, Normal). Click on the down arrow to view the list of elements at each level. You can click on the listings to drill down and view the details of each element.
Risks List - Lists the number of risks in the collection at each level of severity (Critical, Elevated, Normal). Click on the down arrow to view the list of risks at each level. You can click on the listings to drill down and view the details of each risk.
Owners - Lists the Owners contained in the collection. You can click on each listing to drill down and see the details of each owner.
Current TIC - The current TIC score for this collection.
Collection TIC Score - A graph of the daily TIC score for the last seven days.
Adding Elements as Rules to a Collection
To add an element to a collection, follow these steps:
1. Click the Rules link next to the collection name.
2. To search for an element to add to the collection, type a full or partial name into the Find Elements field at the top of the screen. scoutPRIME performs a search-as-you-type query and displays only the entries that contain the specified text. To remove the filter, delete the text in the field.
From the list of results, click the element that you want to add as a Rule to add it to the collection.
3. The element will be listed on the page as a Rule. You will also see a number inside the parentheses for Collection Rules.
Removing Elements/Rules from a Collection
NOTE: This action cannot be undone.
To remove a rule from a collection, follow these steps:
1. If you are not already in the Rules screen, click the Rules link next to the collection name in the Collection Management screen.
2. Scroll or search to find the rule(s) you want to delete.
3. Check the checkboxes next to the rules you want to delete and, from the Actions menu, select Remove Rules.
5. Read the confirmation message, then click Delete to remove the selected rules, or click Cancel.
Ways to Create a Collection
For information on ways to create a collection, click here.
Setting Notifications for a Collection
To add a notification for a collection, follow these steps:
1. Open the collection in the Collection Management screen.
2. From the Actions drop-down menu in the top right corner of the screen, select Notifications. The Notifications screen appears.
3. Click the NEW NOTIFICATION button and enter a name for the notification in the Name field. Then, select the collection that the notification will apply to in the Select Collection list. The current collection is selected by default.
4. The Notification Type section of the screen lists four options that can trigger the notification. Select one or more of the following:
a. Select Notify when Collection TIC is greater than and specify a value between 10 and 99 to send a notification when the TIC for the collection exceeds the specified value.
b. Select Notify when Element TIC is greater than and specify a value between 10 and 99 to send a notification when the TIC for any element in the collection exceeds the specified value.
c. Select Notify when there is a new threat association to send a notification when a new threat is associated with an element of the collection.
d. Select Notify when there is a new vulnerability association to send a notification when a new vulnerability is associated with an element of the collection.
5. Select an Alert Preference. Currently, this is limited to email.
6. Under Recipients, specify the users who will receive the notification. The current user is specified by default.
7. Click the Save button to create the notification. The notification appears in the list on the Notifications screen for the collection.
To delete a notification:
1. Click the trash can icon next to the notification in the Notifications screen.
2. Click the Yes button to delete the notification.
Adding Notes to a Collection
Add notes to a collection to capture extra information.
To add a note to a collection, follow these steps:
1. Click the Notes link next to the collection name in the Collection Management screen.
2. To add a note to the system, click the plus sign in the top right corner of the screen.
3. Enter a subject line for the note in the Subject field.
4. Enter the text of the note in the Note field.
5. Click the floppy disc save icon in the top right corner of the note area to save the note.
The new note will be listed in the Notes screen.
Exporting Associations from a Collection
The associations (Threats and Vulnerabilities) contained in a collection can be exported to a CSV file.
1. Select the collection in the Collection Management screen.
2. From the Actions drop-down menu in the upper right corner of the screen, select Export Associations.
3. Finally, specify a file location to save the CSV file.
Deleting a Collection
NOTE: Once a collection is deleted from the system, it cannot be recovered. Deleting a collection also removes any nested collections and elements. System Collections cannot be deleted.
To delete an unneeded or outdated collection from the system, follow these steps:
1. Select the collection in the Collection Management screen.
2. From the Actions drop-down menu in the upper right corner of the screen, select Delete.
3. In the confirmation window, click Delete to remove the collection, or click Cancel.