Elisity Natively Discovered Attributes and Their Use in Policy Group (PG) Definitions
Elisity Native attributes are derived directly from Elisity's native detection and identification mechanisms. They represent information that Elisity has been able to ascertain on its own, without relying on external platforms or manual input. Elisity Native attributes such as VLAN, Virtual Edge Node association, custom Device Labels, and more can be used as match criteria in Policy Group Definitions.
Derived Elisity Native Attributes
Certain attributes in Elisity Native are derived using our built-in Identity Engine, leveraging hardware information and traffic flow analysis.
Device Genre
The Device Genre categorizes the broad function or role of a device within a network environment. For instance, Elisity’s Identity Engine can classify devices into genres such as IT (Information Technology), OT (Operational Technology), IoT (Internet of Things), or IoMT (Internet of Medical Things) based on hardware classification in our built-in device database along with other factors like observed traffic patterns, communications, and protocols in use. This classification helps administrators understand and enforce policies by grouping devices based on their operational domain.
Device Class
The Device Class attribute in Elisity organizes devices into functional categories that reflect their roles within various environments, including residential, industrial, and business settings. Current Device Classes include:
- Mobile: Devices intended for portable or personal use, such as tablets and smartphones.
- Smart Home: Consumer-grade connected devices commonly found in households, like smart plugs and thermostats.
- Network: Infrastructure devices responsible for network connectivity, such as routers and switches.
- Home & Office: Equipment used for typical home or office productivity, including printers and desktop computers.
- Server: Hardware dedicated to managing network resources, applications, or databases, including file and web servers.
- Audio & Video: Devices focused on media output, such as televisions, projectors, and audio players.
- Engineering: Devices used in specialized engineering contexts, such as controllers and monitoring systems.
- Industry: Devices specific to industrial or operational technology (OT) environments, like industrial sensors, PLCs, and energy systems.
Device Type
The Device Type attribute in Elisity Native categorizes devices primarily using MAC address-based identification and associated device metadata. By analyzing the MAC address and leveraging metadata linked to device manufacturers and model information, Elisity’s Identity Engine can derive the device’s specific type, such as "Smart Thermostat," "Printer," "IP Camera," or "Laptop."
This derived Device Type classification enables precise network access control, as it allows policies to be tailored to each device’s unique role and connectivity requirements. This process supports microsegmentation by aligning security policies with the operational context of each device, whether it’s part of an IT, OT, or IoT environment. By accurately identifying devices through this attribute, Elisity enhances visibility, strengthens compliance, and optimizes risk management across complex networks.
EDR Detected
Elisity Native Identity enhances visibility into endpoint protection by detecting traffic between devices and Endpoint Detection and Response (EDR) platforms. When Elisity identifies network traffic destined to leading EDR services like CrowdStrike or Microsoft Defender, the corresponding device is assigned the "EDR Detected" attribute. This capability functions independently of whether the EDR solution is integrated with Elisity Cloud Control Center via Connectors.
With this feature, customers can leverage the IdentityGraph to answer key security questions:
Integration Status: Determine whether a device is "Known In" an EDR solution that is integrated via Elisity Cloud Control Center Connectors.
EDR Communication: Identify if a device is actively communicating with an EDR solution (e.g., CrowdStrike or Microsoft Defender), suggesting that an EDR agent is deployed on the endpoint.
This dual-layered visibility is particularly valuable for scenarios where endpoint devices rely on an EDR solution that is not integrated with Elisity Cloud Control Center, or is connected to a tenant that is not included in the currently integrated EDR. Detected EDR can be used as Policy Group Match Criteria to create Policy Groups that classify assets that fall into this scenario.
Device Category and Consistency Score
The Device Category field provides a standardized classification for devices across the network, introducing the latest iternation of Device Class. Device class is primarily derived from Device Type and Vendor information. This field offers a more precise and reliable categorization, supporting accurate Policy Group classification and enhancing security within the Elisity platform.
The predefined list includes the following categories:
- Audio Video
- Building Management
- Collaboration
- Consumer Mobile
- Industrial Automation
- Medical Device
- Miscellaneous IoT
- Networking Equipment
- PC
- Physical Security System
- Printer
- Server Appliance and Storage
- WiFi AP and Controller
- Unclassified
Device Category and Consistency Score Details
1. Connector-Specific Categorization
Device Category is determined independently for each data source or connector integrated into the Elisity platform. Each connector—such as ServiceNow, Medigate, or Armis— has it's own Category field determined by Elisity using device attributes from each connector, contributing a unique perspective on the device's role. These connector-specific categories provide granular insights, allowing the platform to capture diverse viewpoints for each device.
2. Consistency Score
The Consistency Score is calculated based on the alignment of Category attributes for different connectors. A higher Consistency Score reflects greater agreement across data sources, giving administrators a quick measure of confidence in the assigned Device Category. For example, if multiple connectors classify a device as a "Medical Device," the Consistency Score will be higher, indicating a more reliable classification.
3. Visibility Across CCC
Device Category appears throughout the Cloud Control Center (CCC), including in device profiles, the Device Table, and exportable reports. This consistent display enables a unified view of each device’s role, helping administrators understand and manage the device landscape effectively.
4. Policy Application Based on Device Category
Device Category is available as a match criterion in policy configurations, allowing administrators to apply specific security and access policies to different device types. This flexibility supports granular control, enabling the application of distinct policies to categories like medical devices, IoT, or traditional IT equipment, which strengthens microsegmentation efforts.
By assigning Device Categories per connector and calculating a Consistency Score, Elisity enhances administrators' ability to make informed, data-driven policy decisions, ultimately improving network security and control.
Unclassified Devices
Devices that cannot be clearly categorized into one of the predefined Categories are assigned Unclassified. This ensures that every device has a classification, with Unclassified serving as a container for devices that require further investigation or categorization.
This should not be confused with the default Unassigned Policy Group, which captures all devices that do not meet the criteria of all other Policy Groups.
Site Label
This attribute is derived from the Virtual Edge (VE) or Virtual Edge Node (VEN) and indicates the physical or logical site to which the device belongs.
Usage: Site Label can be used to create policies that apply to only devices from a specific site. This is useful for enforcing site-specific security measures and ensuring devices at different locations adhere to appropriate security standards.
Subnet
Represents the subnet in which the device resides. Elisity discovers this network-level information and allows usage subnet assignment in Policy Group match criteria.
Usage: Subnet can be used as match criteria to dynamically match assets in a specific network segment. This allows administrators to layer additional identity-based match criteria on top of subnet assignment, providing granular control over device access and communication within specific network segments while retaining identity-based controls. Example below shows matching Random MAC devices on a specified Guest subnet.
Trust Attributes
Indicates the level of trust assigned to a device based on external systems of record or manual verification.
Usage: Trust Attributes can be leveraged to apply differentiated policies based on the trustworthiness of devices. For example, devices with the trust attribute "Known in ServiceNow" can have more lenient access policies compared to "Unverified" devices. Trust attributes are typically leveraged alongside other identifying match criteria, enabling elevated security posture for a subset of devices.
Virtual Edge Node Association
Represents the node within the Virtual Edge infrastructure responsible for policy enforcement to which discovered devices are attached.
Usage: Policies can be defined to apply specifically to devices managed by particular Virtual Edge Nodes. This is beneficial for scenarios where different Virtual Edge Nodes manage devices with distinct security requirements.
VLAN
Virtual Local Area Network identifier for devices gleaned from enhanced endpoint discovery can be used as PG match criteria.
Usage: VLANs are commonly used to segment network traffic statically, using a firewall or some other mechanism to block VLAN to VLAN traffic. Elisity enables administrators to use VLAN assignment in a dynamic fashion in Policy Groups, offering a flexible new approach. For example, if a device moves to a new network segment in a new VLAN and Policy Groups are leveraging VLAN info, the device will be assigned to a new PG dynamically based on the new VLAN assignment information with a new set of microsegmentation policies.
Randomized MAC Address
Elisity Native discovery has the ability to identify devices that have randomized MAC addresses. Opening up an asset view shows an icon next to the MAC address that indicates this type of MAC address.
Devices with randomized MAC addresses are purged from Cloud Control Center after 24 hours of having an "offline" status.
These attributes are also available in the device table view for quick sorting and filtering to quickly find assets with this designation.
Devices discovered with random MAC are typically personal devices such as tablets or phones with minimal identifying attributes, which are not found in any external system of record. These devices often have unique security and policy requirements, and must be isolated from vulnerable assets in the network. For this reason, Elisity gives administrators the ability to use "Random MAC" as Policy Group match Criteria. This attribute can be found in Elisity Native > Randomized MAC.
After creating the Policy Group, random MAC devices will automatically be assigned to the Policy Group you have created and will inherit the set of policies associated with this PG.
Other Elisity Native Attribute Examples: Genre, Class, Vendor, Discovered By, Last Seen, Last Update, Interface. Any of these attributes can be used in Policy Group match criteria.
Practical Applications of Unique Elisity Native Attributes
- Hostname Matching: By using the "contains" logic, you can create policies for devices with a common hostname pattern. For example, all devices with hostnames starting with "Sales-" can be grouped under a Sales policy group.
- Site-Specific Policies: Site Label allows for the creation of policies tailored to the security needs of different sites. For instance, stricter policies can be applied to devices at a data center compared to those at a branch office.
- Network Segmentation: Subnet and VLAN attributes provide a way to enforce network-based segmentation. Devices within a specific subnet or VLAN can be subject to customized access controls and monitoring.
- Trust-Based Policies: Trust Attributes enable the application of different policies based on the trust level of devices. This is crucial for managing access and protecting sensitive resources from potentially compromised devices.
- VE Node Management: Using Virtual Edge Node association, policies can be enforced at specific nodes, allowing for localized security measures that cater to the unique requirements of each node's managed devices.
By leveraging these unique attributes, administrators can achieve fine-grained control over network segmentation and security, ensuring that policies are both flexible and comprehensive in addressing various organizational needs.