Customize Collections

In Mandiant Advantage Attack Surface Management (MA-ASM), Collections are created within Projects and are lists of assets that are actively being monitored. Collections define the starting point of external asset discovery. Entities, known as Seeds, are populated into a Collection to uncover additional Entities that are exposed. The data identified as related to the Seeds is represented in the Entities section of MA-ASM.

Collection configuration is available for paid Mandiant Advantage Attack Surface Management (MA-ASM) customers.

If you would like to upgrade to a more feature-rich account, send a message using our contact form, https://www.mandiant.com/contact-us.

For information on establishing Collections, see Create a Collection.

Explore Collections

To view all the Collections in your current Project, from the Collections menu in MA-ASM, select Settings. You see a list of all the Collections in this Project. 

A list of Collections in a Project

Each Collection listing contains:

  • The title of the Collection
  • The Workflow associated with the Collection
  • The Entities and Issues associated with the Collection
  • The date of the last scan
  • The scan rate
  • An on-demand Scan option
    Collection scans run for a maximum of 72 hours.
  • Access to Settings specific to this Collection

Customize a Collection

To explore a Collection in depth or modify its current settings, click Settings for the Collection.

Each Collection contains four sections:

Configurations

Collections can be configured to focus on areas relevant to your organization. With custom configuration, you can define specific tasks, workflows, and scope. Multinational organizations with numerous subsidiaries and companies with operational technologies (OT) benefit from this functionality.

You must be the Collection owner to modify Configurations.

To establish Collection-specific configurations, navigate to a Collection. Configurations is the default view.

Configurations Settings for a Collection

Configurations are divided into six groups:

  • Issue Settings: Control the Issues that are shown to you.
    • All updates require a collection refresh when first enabled. For immediate refresh, click Scan Collection.
    • Disabled Issues are still monitored but do not show up in your alerts or surface as Issues within the platform.
  • Scan Settings: Active Filter, Scoping and custom input types, including Cookies, Ports, and Headers.
    Scan Settings for a Collection

    • Configurable Active Filter: Define the timeline for when Entities, Technologies, and Issues are considered Active versus Inactive.
    • Enable Broad Scoping: By default, broad scoping is disabled.

      Broad scoping is useful for penetration testers who want to expand the scope of their collection to find more Entities to test. However, this may result in false positives. When broad scoping is enabled, MA-ASM changes its default behavior and scopes DNS Entities where scoping logic indicates potential ownership.

    • Cookies (string, name=value format): Enter one or more cookies to make an HTTP request. Individual cookies are concatenated and sent as one combined string.

      For example: x-cdn=akamai; SimpleSAMLSessionID=12312;

    • Ports: Limited to 100 TCP ports. You can add/delete multiple ports based on your requirements.
    • Headers: Limited to 100 Headers. Headers are case sensitive.
      • Scanning time increases as more Cookies, Ports, or Headers are added.
      • If you add an entry that exists, you receive a "Validation failed" error.
  • Seed Entities: See Understanding Attack Surface Management Seeds to learn more about Seeds in MA-ASM. Seeds can be uploaded from a CSV file.
  • Seed Keywords: These are UniqueKeyword Seed Types.
  • Integrations
    You must be the Collection owner to view and modify Integrations.

    You can connect an available integration by clicking Connect Integration and selecting Link associated with that integration. See Integrations for more details on how to add a new integration to a Collection.

  • Out of Scope: Choose an Entity to set out of scope.
    By default, these changes are effective at the next Collection scan. For immediate refresh, click Scan Collection.
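
The Scan Settings limits described above (name=value cookies combined into one string, at most 100 TCP ports, at most 100 case-sensitive Headers, no repeated entries) can be checked locally before the values are entered. This is an added example, not Mandiant code or an MA-ASM API; the function names, the "Name: value" header strings, and the exact-match duplicate rule are assumptions.

```python
# Added example (not Mandiant code): check planned Scan Settings inputs locally.
MAX_PORTS = 100    # page: "Limited to 100 TCP ports"
MAX_HEADERS = 100  # page: "Limited to 100 Headers"


def find_duplicates(kind, items):
    """Exact-match duplicates (assumption about how "exists" is decided)."""
    seen, errors = set(), []
    for item in items:
        if item in seen:
            errors.append(f"{kind}: duplicate entry {item!r}")
        seen.add(item)
    return errors


def validate_scan_inputs(cookies, ports, headers):
    """Return (combined_cookie_string, errors) for a planned configuration."""
    errors = []
    for cookie in cookies:
        # One name=value pair per entry; values may themselves contain '='.
        name, sep, _ = cookie.partition("=")
        if not sep or not name.strip() or ";" in cookie:
            errors.append(f"cookie: {cookie!r} is not a single name=value pair")
    errors += find_duplicates("cookie", cookies)

    for port in ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"port: {port!r} is not a valid TCP port")
    errors += find_duplicates("port", ports)
    if len(ports) > MAX_PORTS:
        errors.append(f"port: {len(ports)} entries exceeds the limit of {MAX_PORTS}")

    # Case-sensitive comparison: "X-A: 1" and "x-a: 1" count as different entries.
    errors += find_duplicates("header", headers)
    if len(headers) > MAX_HEADERS:
        errors.append(f"header: {len(headers)} entries exceeds the limit of {MAX_HEADERS}")

    # Same shape as the page's example: "x-cdn=akamai; SimpleSAMLSessionID=12312;"
    combined = " ".join(f"{c};" for c in cookies)
    return combined, errors


if __name__ == "__main__":
    # Constructed sample input.
    combined, errors = validate_scan_inputs(
        ["x-cdn=akamai", "SimpleSAMLSessionID=12312"], [443, 8443], ["X-Scan-Source: asm"])
    print(combined)
    print(errors or "no problems found")
```
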

Notifications

You must be the Collection owner to view and modify Notifications.

You can enable email notifications as well as webhooks. Both Slack and Microsoft Teams webhooks are supported. For more information, see Notifications.

Notifications for a Collection

History

You can view scan history information including:

  • Engine
  • Status
  • #Entities: Number of Entities discovered.
  • Created By: Who initiated the scan.
  • Started At: When the scan started.
  • Finished At: When the scan finished. 
  • Duration
    History for a Collection

Freemium organizations and organizations with trial entitlements may be linked to Read Only Collections that have historic data from the MA-ASM catalogue. This can cause First seen dates for Issues to be well before a collection was established.
Read Only Collections can be archived to prevent historic Issues from appearing in current scans.

Groups & Members

You must be the Collection owner to view and modify Groups & Members.

See Assign Roles Within a Collection for more information about how to add an individual member or a group to a Collection.

Archive a Collection

  1. In MA-ASM, from the Collections menu, select Settings.
  2. Click associated with the Collection that you want to archive and select Archive.

Delete a Collection

A Collection must be archived before it can be deleted.

  1. In MA-ASM, from the Collections menu, select Settings.
  2. Click the Archived tab.
  3. Click associated with the Collection that you want to delete and select Delete.
  • February 27, 2023
  • November 19, 2025