>
    Strata Copilot
    Legacy IoT Security
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. IoT Device Vulnerability Detection
    5. Create Compensating Controls
    6. Legacy IoT Security
    Download PDF
    Device Security

    Legacy IoT Security

    Table of Contents

    Legacy IoT Security

    Customize device risk scores by creating compensating controls in Device Security from the Risk Score Configuration page and the Device Details page.
    Under SettingsRisk Score Configuration, you can view, add, and edit compensating controls from the compensating control section. Select the Compensating Control Type tab to view all configured compensating controls and edit user-defined ones. Switch to the Compensating Control Matching tab to see where a compensating control matches to devices and risk (vulnerability or other risk factor), and to customize the compensating control factor for each matching criteria.

    Create a New Compensating Control Type from Risk Score Configuration

    Create a New Compensating Control Type from Risk Score Configuration
    Define a compensating control type when you want to create a broad category for related compensating controls. While compensating control types have a matching rule, you don't directly apply the compensating control type to all devices that match the rule. You need to create a compensating control with that compensating control type to apply the compensating control to matching devices. More commonly, you would narrow the scope of devices that the compensating control applies to by defining an asset scope.
    For example, a system-defined compensating control type is Endpoint Security, and the matching rule is that a device protected with endpoint protection can have a compensating control with type Endpoint Security. There can be multiple compensating control asset scopes that use the Endpoint Security type. You can only create new compensating control types from the Risk Score Configuration page.
    1. Navigate to SettingsRisk Score Configuration and select the Compensating Control Type tab from the compensating controls section.
    2. Click Add Compensating Control Type to bring up the Add Compensating Control Type pop-up.
    3. Configure the following fields.
      • Type: Enter the type of compensating control.
      • Matching Rule: Choose the attributes, operators, and attribute values that identify the compensating control type.
    4. Apply the new compensating control type.
    5. Verify that the new compensating control type appears in the Compensating Control Type table.
      You can now use this compensating control type when applying compensating controls to assets.

    Apply a New Compensating Control from Risk Score Configuration

    Apply a New Compensating Control from Risk Score Configuration
    You can create a new compensating control to apply to multiple matching assets. When defining a new compensating control, you can choose a system-defined type or a user-defined type. After choosing the type of compensating control, you match that type to a specific asset scope and risk (vulnerability or other risk factor).
    For example, you can define an Endpoint Protection compensating control for all devices with internet access. The asset scope for the compensating control would be all assets that have the risk of internet access. Because the compensating control type is Endpoint Protection, the matching criteria would only apply to those assets with internet access that also have endpoint protection. For all assets in scope that match the matching criteria, the compensating control offsets the risk caused by internet access. The compensating control does not offset other risks that those devices might be exposed to.
    1. Navigate to SettingsRisk Score Configuration, and select the Compensating Control Matching tab from the compensating controls section.
    2. Click Apply Compensating Control to bring up the Add Compensating Control pop-up.
    3. Configure the compensating control.
      When you add or edit a compensating control, the Matching Rule field automatically fills in based on the compensating control type that matches the risk that you chose to add the compensating control to.
      • Type: Select the compensating control type. The selected type will also populate the Matching Rule field.
      • Name: Enter a name for the compensating control.
      • Optional Description: Enter a short description.
    4. Define the assets and risks the compensating control applies to.
      1. Configure the following fields:
        • Asset Scope: Enter the criteria for all assets that you want to apply the compensating control to.
        • Risk: Select the risk that the compensating control applies to. You can select either Vulnerability or Other Risk Criteria.
        • Vulnerability Vulnerability Risk Criteria: Define the risk criteria that the compensating control applies to.
        • Other Risk Factors Other Risk Criteria: Select the appropriate risk criteria from the drop-down.
      2. View Matching Devices to verify the devices included in the asset scope.
        The Match Results section displays the count of all devices that match to the defined asset scope. You can click on the count to open the assets inventory in a new tab or window, with a filter to see all devices that match your asset scope.
    5. Enter a Compensating Control Factor, which is how much the compensating control offsets the risk.
    6. Apply the compensating control.
      Compensating controls can take up to 24 hours to take effect, so you might not see an immediate change in the device’s risk score.
    7. Verify that your new compensating control appears in the Compensating Control Matching table.

    Manage Compensating Controls from the Device Details Page

    Manage Compensating Controls from the Device Details Page
    On the Device Details page, you can add compensating controls when viewing the device's risk score. For existing compensating controls, you can adjust the compensating control factor from the Device Details page. To make other changes to an existing compensating control, edit the compensating control under SettingsRisk Score Configuration.
    1. Navigate to AssetsDevices and select the device that you want to add a compensating control for.
    2. On the Device Details page, find the device's risk score under the device's thumbnail, and click See Details.
      This brings up the Risk Score Details side panel for the device.
    3. In the Exposure Score table, review the list of identified risks, and see which risks you can apply a compensating control for.
      Compensating controls apply only to vulnerabilities and other risk factors. When you can add a compensating control, you will see an Edit (pencil) icon in the Compensating Control Name field for that risk.
    4. Select the Edit (pencil) icon in the Compensating Control Name field for the risk that you want to apply a compensating control to.
    5. On the Risk Score DetailsEdit Compensating Controls pop-up page, select + Add New to bring up the Add Compensating Control pop-up.
    6. Configure the compensating control.
      When you add or edit a compensating control, the Matching Rule field automatically fills in based on the compensating control type that matches the risk that you chose to add the compensating control to.
      • Type: Select the compensating control type. The selected type will also populate the Matching Rule field.
      • Name: Enter a name for the compensating control.
      • Optional Description: Enter a short description.
    7. Define the assets and risks the compensating control applies to.
      1. Configure the following fields:
        • Asset Scope: Enter the criteria for all assets that you want to apply the compensating control to. By default, the MAC address of the device you're modifying is part of the Asset Scope.
          The current device must always be within the asset scope, since you're applying the compensating control to the device. If you change the asset scope and it no longer includes the current device, then you won't be able to apply the compensating control.
        • Risk: Select the risk that the compensating control applies to. You can select either Vulnerability or Other Risk Criteria.
        • Vulnerability Vulnerability Risk Criteria: Define the risk criteria that the compensating control applies to.
        • Other Risk Factors Other Risk Criteria: Select the appropriate risk criteria from the drop-down.
      2. View Matching Devices to verify that the current device falls in the asset scope.
        The Match Results section displays the count of all devices that match to the defined asset scope. You can click on the count to open the assets inventory in a new tab or window, with a filter to see all devices that match your asset scope.
    8. Enter a Compensating Control Factor, which is how much the compensating control offsets the risk.
    9. Apply the compensating control.
      Compensating controls can take up to 24 hours to take effect, so you might not see an immediate change in the device’s risk score.
    10. Verify that your new compensating control appears in the Compensating Control Name field for the risk that you added it to.

    © 2026 Palo Alto Networks, Inc. All rights reserved.