Example Authorization Policies

Authorize Known Owned PUBLIC Assets

Very commonly, organizations want to authorize all Public Perspective assets on their Attack Surface, since real attackers are already going after those today. While you can add a Policy that authorizes all "Perspective = Public" Detections (similar to the Authorize All Internal Assets Policy below), discovery of your external attack surface can capture third-party hosted sites or assets you do not necessarily control, so it is better to be more selective and set up a Policy that authorizes your KNOWN OWNED public assets. For example, you can set up a Policy to authorize specific known network ranges and/or specific domains. A Policy to authorize Public Detections might look like this:

[Screenshot: AuthorizePublicDetections]

Authorize All Internal Assets

Similar to Public-facing Detections, because Randori performs additional scanning and gains additional access once inside your network, it is highly recommended to create an Authorization Policy that auto-authorizes ALL internal targets:

[Screenshot: AuthorizeInternalDetections]

Note: If there are a select few things you do NOT want authorized, you can always add additional rules such as "Hostname DOES NOT CONTAIN" or "IP Address DOES NOT CONTAIN" to ensure those assets are not authorized.

[Screenshot: AuthorizeInternalDetectionssExclude]

Authorize All Social Targets for Attack

During Attack, Randori will perform Attack actions on the authorized Social Targets, such as Phishing, Credential Stuffing, and Password Spray Attacks. Social Targets cannot be authorized via a Policy, but they can be bulk-authorized manually. To authorize social entities, go to the Social tab of your platform (found in the left menu under Active Assets), select the entities you would like to authorize, and click the Authorize button:

[Screenshot: AuthorizeSocialAssets]

Authorize All Targets in Particular Network Range(s) for Attack

If you do not want to authorize ALL Internal Detections, but there are particular network ranges in which you would like to authorize everything, the "IP Address IS CONTAINED BY" Filter rule is what you need. Add the network range in CIDR format, and the Policy will authorize all Detections whose associated IP Address falls in that range. You can do this for a single network, or for multiple networks under a nested "OR" rule group:

[Screenshot: AuthorizeNetworkRanges]
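As an added example (not Randori's own code, policy engine or API), the following Python model shows how the filter rules described on this page combine: "IS CONTAINED BY" on a CIDR range, "CONTAINS" / "DOES NOT CONTAIN" on a hostname, and nested AND/OR rule groups, used here to express the known-owned public policy from the first section and the multi-range "OR" group from this one. The field names, operators, sample ranges, hostnames and detections are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed model of the rule types the page describes; not Randori's
# own policy engine. A rule is (field, operator, value); a group is
# {"op": "AND"|"OR", "rules": [...]} and may nest other groups.

def _match(rule, detection):
    field, op, value = rule
    actual = detection.get(field, "")
    if op == "IS CONTAINED BY":   # "IP Address IS CONTAINED BY <CIDR>"
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if op == "CONTAINS":
        return value.lower() in actual.lower()
    if op == "DOES NOT CONTAIN":  # exclusion rule from the Note above
        return value.lower() not in actual.lower()
    if op == "EQUALS":
        return actual == value
    raise ValueError(f"unknown operator {op!r}")

def evaluate(group, detection):
    """Evaluate a (possibly nested) rule group against one detection."""
    results = (evaluate(r, detection) if isinstance(r, dict) else _match(r, detection)
               for r in group["rules"])
    return all(results) if group["op"] == "AND" else any(results)

# Known-owned public assets: Public perspective AND (in one of our ranges
# OR on one of our domains), minus an explicitly excluded hostname.
KNOWN_OWNED_PUBLIC = {"op": "AND", "rules": [
    ("Perspective", "EQUALS", "Public"),
    {"op": "OR", "rules": [                                    # nested "OR" group
        ("IP Address", "IS CONTAINED BY", "203.0.113.0/24"),   # constructed range
        ("Hostname", "CONTAINS", ".example.com"),              # constructed domain
    ]},
    ("Hostname", "DOES NOT CONTAIN", "vendor-hosted"),         # constructed exclusion
]}

def authorized(detections, policy=KNOWN_OWNED_PUBLIC):
    """Return the hostnames of detections the policy would auto-authorize."""
    return [d["Hostname"] for d in detections if evaluate(policy, d)]

# Constructed sample detections (documentation IP ranges only)
SAMPLE = [
    {"Perspective": "Public", "IP Address": "203.0.113.10", "Hostname": "www.example.com"},
    {"Perspective": "Public", "IP Address": "198.51.100.7", "Hostname": "mail.example.com"},
    {"Perspective": "Public", "IP Address": "198.51.100.9", "Hostname": "cdn.thirdparty.net"},
    {"Perspective": "Public", "IP Address": "203.0.113.20", "Hostname": "vendor-hosted.example.com"},
    {"Perspective": "Internal", "IP Address": "10.0.0.5", "Hostname": "db.example.com"},
]
```

Running `authorized(SAMPLE)` authorizes only the two detections that are Public and either in the owned range or on the owned domain; the third-party CDN, the excluded vendor host and the Internal detection are left unauthorized.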