Assets, Groups & Networks

Transcription

1 Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved.

2 AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.

3 CONTENTS 1. INTRODUCTION ASSETS MANAGEMENT Assets Asset Discovery GROUPS AND NETWORKS MANAGEMENT Groups Networks Network Groups DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 3 of 75

4 1. INTRODUCTION This document covers all functionality related to asset management, including that which is restricted to administrative users. Asset Discovery is one of the five essential security capabilities offered by AlienVault USM platform. This capability allows users to discover and inventory all the assets in a network and to correlate asset info with threat and vulnerability data. An asset is a thing of value that a company owns such as any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware (e.g. Servers and switches), software (e.g. Mission critical applications and support systems) and confidential information. A proper asset management is necessary in order to make the most of the whole AlienVault USM functionality. 2. ASSETS MANAGEMENT 2.1. ASSETS Navigate to Environment > Assets : DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 4 of 75

5 Figure 1. Detail of Assets Screen The search is evaluated with a logical AND when the filter criteria are different;; and a logical OR when the filter criteria are the same. The system will only show assets meeting all search filters. Search Filters: Alarms. It enables the search for assets with associated alarms. Events. It enables the search for assets with associated events. Vulnerabilities. It enables the search for assets with vulnerabilities. The values are Info, Low, Medium, High, and Critical. Asset Value. It enables the search for assets within a value range. Values can be from 1 to 5 being 1 the lowest value and 5 the highest one. Show Assets Added. It enables the search on the date the asset was added. Last Updated. It enables the search on the date the asset was last updated. MORE FILTERS allows the user to add more filters: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 5 of 75

6 Figure 2. Assets: see the more filters screen (Device Type tab) This screen includes several tabs: Network;; Software;; Sensor;; Device Type;; Ports/Services and Locations. Each tab shows its specific data that can be selected for filter a search. There is a search field located at the top left. This is useful when there are many items in a tab. It allows executing a search between all of them. The icon ( ) is used to delete the written terms. It is possible to navigate between all items through the links located at the bottom of the screen. Use the buttons PREVIOUS and NEXT to go to the previous or to the next page, respectively. Use the button numbers to go to an exact page. Click on APPLY to start the search. Click on CANCEL or on the icon ( addition of filters. ) located at the top right side of the window to finish the DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 6 of 75

7 The current search conditions are shown inside the white rectangle: Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you want to remove only that filter. The number of assets that meet the selected criteria is shown in the Results square: The button ADD ASSETS is explained in Section The button is used to export assets to CSV. If there is no filter, all assets will be exported. If there is a filter, the assets that meet the filter criteria will be exported. See Section for further information. The button is used to delete assets that are being displayed at that moment. When this button is clicked, the following message appears: The button SAVE GROUP is used to save the current set of assets as an asset group. This button is active when at least a filter has been selected and there are results that meet that filter. See Section for further information. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 7 of 75

8 The right side of the assets main window shows a table of all assets that are part of the system: Figure 3. Main window of assets: right side (table) There is an option in the first line of the table that allows the user to configure the number of entries to view between 10, 20 and 50 entries. The fields that appear in the table are the following: Hostname. It is a label that identifies the asset. IP. It refers to the IP assigned to that asset. FQDN/Alias. It is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). Alarms. It indicates if that hostname has associated alarms ( ) or not (dash). Vulnerabilities. It indicates if an asset is vulnerable ( ) or not (dash). Events. It indicates if that hostname has associated events ( ) or not (dash). Details. This button is used to open the specific information of that hostname, see Section VIEW DETAILS OF AN ASSET Click on an asset to expand the details of that asset: Networks. It indicates the associated networks to that asset. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 8 of 75

9 Device Type. It specifies the type of device associated with that host. Description. In this field may appear a short text for describing that asset. This field is not mandatory so it is possible that it does not appear any information. Operating System. It indicates the Operating System that runs in that asset. Asset Value. This is a value assigned to that host. Values can be from 1 to 5 being 1 the lowest value and 5 the highest one. Details. This is a button that opens the specific information of that hostname. Figure 4. Expanded details of an asset Do one of the following to view the specific information of an asset: Click on its Details button ( ). Double click on the line of that asset. Click on Details button ( ). DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 9 of 75

10 Figure 5. Assets : details of an asset This screen displays the following information: Assets link. This button goes back to the assets main window (see Figure 1). If there were filters previously configured, they will remain. Delete button ( ). This button is used to delete that asset. More Details. This option allows the user to expand the assets details. Figure 6. Assets : more details of an asset The EDIT button is used to modify the data of that asset, see Section for further information. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 10 of 75

11 Snapshot side. It displays some of the information that appears at the bottom side of the screen. They actually are buttons used to go to its specific information in the table area. Figure 7. Assets : details of an asset- snapshot Environment Status. At the right side there are 3 links: HIDS. This button refers to the intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle that is next to this field can appear in 3 different colors: Red. It means that none of the IPs associated with the asset are configured in the HIDS. Green. It means that all IPs associated with the asset are configured in the HIDS. Yellow. It means that some IPs associated with the asset are configured in the HIDS. Automatic Asset Discovery. This button indicates if there are or there are not any pending scans for that host. The circle that is next to this field can appear in 3 different colors: Red, meaning that none of IPs associated with that asset are scheduled to be scanned. Green, meaning that all IPs associated with that asset are scheduled to be scanned. Yellow, meaning that some IPs associated with that asset are scheduled to be scanned, but not all of them. Availability Monitoring. This button indicates if the Availability Monitoring box is selected or not (see Section ). The circle that is next to this field can appear in 2 different colors: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 11 of 75

12 Red, meaning that it is not enabled. Green, meaning that it is enabled. Suggestions. This part shows suggestions related to that asset. They can be: Warning messages when an asset, which has sent logs does not send an event in 24 hours. Info messages when an asset is not sending logs to the system. Info messages when an asset is sending logs, but there is no plugin enable parsing the logs. There is a document whose title is System Errors, Warnings and Suggestions that explains what a suggestion is and how a suggestion works inside AlienVault USM TABLE AREA The table area appears at the bottom side of the screen (see Figure 5). This menu includes the following options: GENERAL 1. Software. It indicates if the asset has some software installed. Use the vertical scroll bar if it is necessary to see all rows. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 12 of 75

13 Figure 8. Assets : Table Area (General > Software) The table displays several fields: IP Address, Port, Name, Vulnerable and Available. By clicking on a line it is possible to view more information: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 13 of 75

14 Figure 9. Assets : Table Area (General > Software). Details of software installed on an asset It is possible to toggle the availability monitoring by clicking on the EDIT AVAILABILITY MONITORING button: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 14 of 75

15 Figure 10. Assets : Table Area (General > Services). Edit Availability Monitoring Select a service and then click on the TOGGLE AVAILABILITY MONITORING button to configure the services to be monitored. This option must be enabled in order to configure availability scans. Click on Check All to select all services at the same time; or click on the square next to each service to select that specific service. Click on the icon ( ) located at the top right side of the window to close it. Now, the selected services will have Yes(Ok) in the column Available. 2. Users. This option is not related to the configured users in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on General > Properties (see Figure 13), then click on. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 15 of 75

16 Figure 11. Add users related to a specific asset Figure 12. Assets : Table Area (General > Users) DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 16 of 75

17 Click on Users logged and write the user name in the field Value at the bottom side of the screen. It is possible to specify the domain of a user by writing user@domain. The field Property is locked is used to avoid that user can be modified (Yes) or not modified (No). Click on SAVE to update changes. Click on the icon ( ) located at the top right side of the window to close it. Now, the added users will appear in the table. 3. Properties. It displays a table that relates a property (operating system, username, department, etc.) to its values and date when that property was updated and source are included. Properties are always the same: Figure 13. Assets : Table Area (General > Properties) Click on to modify or add value to properties. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 17 of 75

18 Figure 14. Assets : Edit Properties Click or select the property and write the value in the square blank at the bottom in order to modify it or add it. Click on the SAVE button to update changes. 4. Plugins. It displays a table that relates the vendor, model, version, plugin and sensor. It indicates also if that plugin is receiving data: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 18 of 75

19 Figure 15. Assets : Table Area (General > Plugins) Click on the icon ( ) located at the top right side of the window to close it. Now, the changes will be displayed in the column Value ACTIVITY 1. Alarms. This is a table where there is information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination. At the upper right-hand corner there is a Search field to facilitate searches. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 19 of 75

20 Figure 16. Assets : Table Area (Activity > Alarms) 2. Events. It displays a table which includes information about events related to that asset. The table includes the following fields: Signature;; Data Source;; Date;; Incoming/Outgoing;; SRC/DST (Source;; Destination);; Sensor;; and Risk. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 20 of 75

21 Figure 17. Assets : Table Area (Activity > Events) 3. Netflow. It displays a table which includes information about netflows related to that asset. This table includes the following fields: Date Flow Start;; Duration;; Protocol;; SRC IP:Port;; DST IP:Port;; and Flags. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 21 of 75

22 Figure 18. Assets : Table Area (Activity > Netflow) LOCATION It is possible to set the geographic location of an asset. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 22 of 75

23 Figure 19. Assets : Table Area (Location) Click on EDIT LOCATION. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 23 of 75

24 Figure 20. Assets : Table Area (Edit Location) Write the location of the asset. The written location appears on the map. It is also possible to write a latitude and longitude to locate a place. Click on SAVE to update changes or CANCEL to exit and close this window without updating changes NOTES This option allows the user to add notes to the host. There is a text box where it is allowed to write text. Once the text has been written, click on the Save button. Added notes can be modified and deleted. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 24 of 75

25 EDIT DETAILS OF AN ASSET: VIEW AND MODIFY It is possible to view and modify the details of an asset by clicking on the Edit button (see Figure 6: Figure 21. Assets : edit details This screen includes the following parts: Name. It is a label that identifies the asset. IP Address. This field is used to relate the asset to an IP Address. FQDN/Aliases. It is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 25 of 75

26 Asset value. This is a value assigned to that asset. Values can be from 1 to 5 being 1 the lowest value and 5 the highest one. External Asset. It indicates if this asset is external (publicly facing) (Yes) or internal (No). Sensors. AlienVault sensors monitoring the asset. Description. This field is not mandatory so it is possible that it does not have any information. This field may have a short text. Thresholds C. It refers to the compromise threshold level. It is an integer value. Thresholds A. It refers to the attack threshold level. It is an integer value. Scan options. It allows the user to select or not the Availability Monitoring. Icon. It is possible to associate an image with the asset. The allowed size is 16x16 and must be in png format. Location. Write the location of this asset. The written location appears on the map. It is also possible to write a latitude and longitude to locate a place. Device Types. Select a device type and click on ADD. The SAVE button is used to update changes. The CANCEL button is used to exit this window without saving changes. After clicking on the SAVE button a confirmatory message will appear, indicating the save was successful. You will then have to dismiss the dialog using the X in the upper right corner. Values that are marked with an asterisk (*) are mandatory ADD AN ASSET 1. Navigate to Environment > Assets. 2. Click on ADD ASSETS and, then, on ADD HOST. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 26 of 75

27 Figure 22. Assets : create a new asset 3. Fill out the fields. There is an explanation of each field in Section Click on SAVE to create the new asset IMPORT CSV AlienVault USM allows the user to import assets from a csv file. 1. Go to assets main window (see Figure 1) and click on ADD ASSETS and then, on IMPORT CSV. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 27 of 75

28 Figure 23. Assets : import hosts from a csv file 2. Click on Choose File button and select a csv file. 3. Click on the square next to Ignore invalid characters if you want to ignore them. Have in mind the explanation about allowing formats, examples and notes that appear on this screen. 4. Click on IMPORT. The results of importation are displayed: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 28 of 75

29 Figure 24. Assets : results of importing hosts from a csv file This table shows, firstly, the number of hosts imported and the number of errors and warning that have been occurring during the importation. Next, there is the summary of the import. Show n entries allows the user to configure the number of items to view between 10, 25, 50 and100 flows. The table includes 3 fields: Line, Status and Details. The Status column can be ordered, ascending or descending, by clicking on it. The icon can be displayed on Details column when the status is Warning or Error. Click on this icon to expand more information about that warning or error. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 29 of 75

30 Figure 25. Assets : results of importing host from a csv file with errors The importing host appears now in the assets main window, see Figure Click on NEW IMPORTATION to go to the import hosts from a csv file window (see Figure 23) or close this window by clicking on the icon located at the upper-right side ( ) IMPORT FROM SIEM AlienVault USM allows the user to import hosts from SIEM. 1. Go to assets main window (see Figure 1) and click on ADD ASSETS and then, on IMPORT FROM SIEM. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 30 of 75

31 Figure 26. Assets : import hosts from SIEM events 2. Click on VIEW LOG if you want to display the log file. 3. Click on the IMPORT button to transfer the found hosts. Or click on CANCEL to exit this window without saving changes EXPORT ASSETS AlienVault USM allows the user to export hosts to a csv file. If there is no filter, all assets will be exported. If there is a filter, the assets that meet the filter criteria will be exported. Go to assets main window (see Figure 1) to export assets and click on the icon ( ADD ASSETS button. ) next to A file is created in the download folder location configured in the settings of your web browser. The created file has always the same name structure: All_hosts yyyy-mm-dd.csv Where yyyy refers to the year, mm refers to the month and dd refers to the day CREATING AN ASSET GROUP It is possible to create an asset group by saving the results of a search by following the instructions below: 1. Go to assets main window, see Figure Select the filters to be included in that search. 3. Click on SAVE GROUP button: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 31 of 75

32 Figure 27. Assets : Save an Asset Group 4. Include a name and a description. 5. Click on SAVE button. 6. The saved group appears in the asset groups screen (see Figure 32) ASSET DISCOVERY This option allows the user to scan networks and hosts. The scan is made for adding assets into the AlienVault USM database and that assets are monitored by the system. The asset discovery application provides hosts, host groups, networks and network groups to scan. Navigate to Environment > Assets > Asset Discovery : DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 32 of 75

33 Figure 28. Main window of Asset Discovery 1. Select the asset or assets you want to scan. It is possible to select it through the All Assets tree or to write a specific asset. The selected asset appears in the left blank square. 2. Select a sensor between automatic, local or by selecting a specific sensor. 3. Set the advanced options: Scan type. There are the following possibilities: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 33 of 75

34 Figure 29. Asset Discovery : scan type Ping. This option launches a ping to each above to select asset. Normal. This option scans the most common 1000 ports. Fast Scan. This option scans the most common 100 ports. Full Scan. This option scans all ports, this can be slow. Custom. This option allows the user to define the ports to scan. Timing template. This option refers to the timing policies for conveniently expressing priorities to NMAP. Figure 30. Asset Discovery : timing template Paranoid. This mode scans very slowly. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets. Sneaky is similar to paranoid mode, except it only waits 15 seconds between sending packets. Polite is meant to ease the load on the network and reduce the chances of crashing machines. It serializes the probes and waits at least 0.4 seconds between them. Normal is the default NMAP behavior, which tries to run as quickly as possible without overloading the network or missing hosts/ports. Aggressive mode adds a 5-minute timeout per host and it never waits more than 1.25 seconds for probe responses. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 34 of 75

35 Insane is only suitable for very fast networks or where you do not mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps, though. Auto Detect services and Operating System. Mark this option to detect services and operating system versions. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts. 4. Click on START SCAN. After a few seconds, depending on the selected assets this time could be longer, the results will be displayed just below, in a table: Figure 31. Asset Discovery : scan results 3. GROUPS AND NETWORKS MANAGEMENT 3.1. GROUPS It is possible to gather assets to a group. This option is available through the Primary Menu Environment > Groups & Networks : DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 35 of 75

36 Figure 32. Main window of Asset Groups The rectangle located at the top left side is a Search field. It is useful when there are many items and it allows executing a search by owner or group name between all items. Partial searches are allowed. Enter a term to find asset groups that match with that term. The first line of the table allows the user to configure the number of entries to view between 10, 20 and 50 entries. The fields that appear in the table are the following: Group Name. It is a label that identifies the group. Click on the column name to order the data: ascending or descending. Owner(s). This field identifies the owner of that group. Hosts. It indicates the number of assets that are part of that group. Alarms. It indicates if that hostname has associated alarms ( ) or not (dash). Vulnerabilities. It indicates if an asset is vulnerable ( ) or not (dash). Events. It indicates if that hostname has associated events ( ) or not (dash). Detail. This button is used to open the specific information about that group, see Section VIEW DETAILS OF A GROUP Click on a group to expand the details of that group: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 36 of 75

37 Owner. In this field may appear a short text to indicate the owner of that group. This field is not mandatory so it is possible that it does not appear any information. Description. In this field may appear a short text for describing that group. This field is not mandatory so it is possible that it does not appear any information. Details. This is a button that opens the specific information about that group. Figure 33. Expanded details of a group Do one of the following to view the specific information of a group: Click on its Details button ( ). Double click on the line of that group. Click on Details button ( ). DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 37 of 75

38 Figure 34. Groups : details of a group This screen displays the following information: Groups link. This button goes back to the asset groups main window (see Figure 32). Delete button ( ). This button is used to delete that group. Export button ( ). This button is used to export a group. See Section for further information. More Details. This option allows the user to expand the group details. Figure 35. Groups : more details of a group The EDIT button is used to modify the data of that group, see Section for further information. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 38 of 75

39 Snapshot side. It displays some of the information that appears at the bottom side of the screen. They actually are buttons used to go to its specific information in the table area. Figure 36. Groups : details of a group - snapshot Environment Status. At the right side there are 3 links: HIDS. This button refers to the intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle that is next to this field can appear in 3 different colors: Red. It means that none of the IPs associated with the group are configured in the HIDS. Green. It means that all IPs associated with the group are configured in the HIDS. Yellow. It means that some IPs associated with the group are configured in the HIDS. Automatic Asset Discovery. This button indicates if there are or there are not any pending scans for that group. The circle that is next to this field can appear in 3 different colors: Red, meaning that none of IPs associated with that group are scheduled to be scanned. Green, meaning that all IPs associated with that group are scheduled to be scanned. Yellow, meaning that some IPs associated with that group are scheduled to be scanned, but not all of them. Availability Monitoring. This button indicates if the Availability Monitoring box is selected or not (see Section ). The circle that is next to this field can appear in 2 different colors: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 39 of 75

40 Red, meaning that it is not enabled. Green, meaning that it is enabled. Suggestions. This part shows suggestions related to that asset. They can be: Warning messages when an asset, which has sent logs does not send an event in 24 hours. Info messages when an asset is not sending logs to the system. Info messages when an asset is sending logs, but there is no plugin enable parsing the logs. There is a document whose title is System Errors, Warnings and Suggestions that explains what a suggestion is and how a suggestion works inside AlienVault USM TABLE AREA The table area appears at the bottom side of the screen (see Figure 34). This menu includes the following options: GENERAL 1. Software. It indicates if the group has some software installed. Use the vertical scroll bar if it is necessary to see all rows. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 40 of 75

41 Figure 37. Groups : Table Area (General > Software) The table displays several fields: Host, Port, Name, Vulnerable and Available. By clicking on a line it is possible to view more information: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 41 of 75

42 Figure 38. Groups : Table Area (General > Software). Details of software installed on a group of assets 2. Users. This option is not related to the configured users in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on General > Properties of an asset (see Figure 13) then click on. 3. Properties. It displays a table that relates a property (operating system, username, department, etc.) to its values and date when that property was updated and source are included. Properties are always the same: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 42 of 75

43 Figure 39. Groups : Table Area (General > Properties) ACTIVITY 1. Alarms. This is a table where there is information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination. At the upper right-hand corner there is a Search field to facilitate searches. On the bottom side, there is an indication about the number of alarms in the list. This is indicated as Showing n to n of n alarms and it displays the same information that was explained further up. There also is a navigation bar on the right. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 43 of 75

44 Figure 40. Groups : Table Area (Activity > Alarms) 2. Events. It displays a table which includes information about events related to that group. The table includes the following fields: Signature;; Data Source;; Date;; Incoming/Outgoing;; SRC/DST (Source;; Destination);; Sensor;; and Risk. Search and Showing events from n display the same information that was explained further up. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 44 of 75

45 Figure 41. Groups : Table Area (Activity > Events) 3. Netflow. It displays a table which includes information about netflows related to that group. This table includes the following fields: Date Flow Start;; Duration;; Protocol;; SRC IP:Port;; DST IP:Port;; and Flags. Display n flows, it allows the user to configure the number of items to view between 10, 50, 100 and all flows. Showing n to n of n entries displays the same information that was explained further up. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 45 of 75

46 Figure 42. Groups : Table Area (Activity > Netflow) ASSETS This option allows the user to add assets to the group. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 46 of 75

47 Figure 43. Groups : Table Area (Assets) The table displays several fields: Host Name, IP, FQDN, Device Type and Description. The Host Name column can be ordered, ascending or descending, by clicking on it. The icon is used to delete assets of the group. Search and Showing n to n of n hosts display the same information that was explained further up. There also is a navigation bar on the right. 1. Click on ADD ASSETS button to increase the number of hosts: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 47 of 75

48 Figure 44. Groups : Table Area (Add Assets) 2. Click on the assets you want to add and click on the ADD button. 3. Click on CANCEL button to exit this window HISTORY This option allows the user to view the record of last changes carried out in that group. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 48 of 75

49 Figure 45. Groups : Table Area (History) The table displays several fields: Date, User and Activity. The Date column can be ordered, ascending or descending, by clicking on it. Search and Showing n to n of n history events display the same information that was explained further up. There also is a navigation bar on the right NOTES This option allows the user to add notes to the group. There is a text box where it is allowed to write text. Once the text has been written, click on the SAVE button. Added notes can be modified and deleted EDIT DETAILS OF A GROUP: VIEW AND MODIFY It is possible to view and modify the details of a group by clicking on the EDIT button (see Figure 35: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 49 of 75

50 Figure 46. Groups : edit details This screen includes the following parts: Name. It is a label that identifies the group. Owner. It is a label that identifies the owner of the group. Description. This field is not mandatory so it is possible that it does not appear any information. In this field may appear a short text. Threshold C. It refers to the compromise threshold level. It is an integer value. Threshold A. It refers to the attack threshold level. It is an integer value. The SAVE button is used to update changes. The CANCEL button is used to exit this window without saving changes. Values that are marked with an asterisk (*) are mandatory ADD A GROUP To add an asset, the instructions below must be followed: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 50 of 75

51 1. Go to assets groups main window, see Figure Click on ADD GROUP. 3. The assets window appears. The explanation about this window can be found in Sections 2.1 and EXPORT GROUPS OF ASSETS AlienVault USM allows the user to export groups of assets to a csv file. Go into the details of a group main window (see Figure 34) and click on the icon ( ) to access this option. A file is created in the download folder location configured in the settings of your web browser. The name of the created file has always the same structure: Hosts_from_group_groupID_yyyy-mm-dd.csv Where groupid refers to the ID that identifies that group;; yyyy refers to the year;; mm refers to the month; and dd refers to the day NETWORKS Choose on the Primary Menu Environment > Groups & Networks and then, Networks on the Secondary Menu to manage networks: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 51 of 75

52 Figure 47. Main window of Networks The rectangle located at the top left side is a Search field. It is useful when there are many items and it allows executing a search by owner or network name between all items. Enter a term to find networks that match with that term. The first line of the table allows the user to configure the number of entries to view between 10, 20 and 50 entries. The fields that appear in the table are the following: Network Name. It is a label that identifies the network. The data in this column can be ordered in ascending or descending order by clicking on the column name. Owner(s). This field identifies the owner of that network. CIDR. This is a method for allocating IP addresses and routing Internet Protocol packets. It is a range of IP addresses that define the network. Sensors. It indicates the sensor related to that network. Alarms. It indicates if that network has associated alarms ( ) or not (dash). Vulnerabilities. It indicates if a network has vulnerabilities ( ) or not (dash). Events. It indicates if a network has associated events ( ) or not (dash). Detail. This button is used to open the specific information of that network, see Section DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 52 of 75

53 On the bottom side, there is an indication about the number of networks in the list. This is indicated as Showing n to n of n and it displays the same information that was explained further up. There also is a navigation bar on the right VIEW DETAILS OF A NETWORK Click on a network to expand the details of that network: Owner to identify the owner of that network. CIDR. It indicates the range of IP addresses, which defines the network. Sensors. It indicates the sensor related to that network. Description. In this field may appear a short text for describing that network. This field is not mandatory so it is possible that it does not appear any information. Details. This is a button that opens the specific information of that network. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 53 of 75

54 Figure 48. Expanded details of a network Do one of the following to view the specific information of a network: Click on Details button ( ). Double click on the line of that network. Click on Details button ( ). DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 54 of 75

55 Figure 49. Networks : details of a network This screen displays the following information: Networks link. This button goes back to the networks main window (see Figure 47). Delete button ( ). This button is used to delete that network. Export button ( ). This button is used to export networks. See Section for further information. More Details. This option allows the user to expand the network details. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 55 of 75

56 Figure 50. Networks : more details of a network The EDIT button is used to modify the data of that network, see Section for further information. Snapshot side. It displays some of the information that appears at the bottom side of the screen. They actually are buttons used to go to its specific information in the table area. Figure 51. Networks : details of a network - snapshot Environment Status. At the right side there are 3 links: HIDS. This button refers to the intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle that is next to this field can appear in 3 different colors: Red. It means that none of the IPs associated with the network are configured in the HIDS. Green. It means that all IPs associated with the network are configured in the HIDS. Yellow. It means that some IPs associated with the network are configured in the HIDS. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 56 of 75

57 Automatic Asset Discovery. This button indicates if there are or there are no pending scans for that network. The circle that is next to this field can appear in 3 different colors: Red, meaning that none of IPs associated with that network are scheduled to be scanned. Green, meaning that all IPs associated with that network are scheduled to be scanned. Green, meaning that all IPs of that CIDR are in the inventory. Yellow, meaning that some IPs associated with that network are scheduled to be scanned, but not all of them. Availability Monitoring. This button indicates if the Availability Monitoring box is selected or not (see Section ). The circle that is next to this field can appear in 2 different colors: Red, meaning that it is not enabled. Green, meaning that it is enabled. Suggestions. This part shows suggestions related to that asset. They can be: Warning messages when an asset, which has sent logs does not send an event in 24 hours. Info messages when an asset is not sending logs to the system. Info messages when an asset is sending logs, but there is no plugin enable parsing the logs. There is a document whose title is System Errors, Warnings and Suggestions that explains what a suggestion is and how a suggestion works inside AlienVault USM TABLE AREA The table area appears at the bottom side of the screen (see Figure 49). This menu includes the following options: GENERAL 1. Software. It indicates if the group has some software installed. Use the vertical scroll bar if it is necessary to see all rows. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 57 of 75

58 Figure 52. Networks : Table Area (General > Software) The table displays several fields: Host, Port, Name, Vulnerable and Available. By clicking on a line it is possible to view more information: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 58 of 75

59 Figure 53. Networks : Table Area (General > Software). Details of software installed on a network 2. Users. This option is not related to the configured users in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on General > Properties of an asset (see Figure 13) then click on. 3. Properties. It displays a table that relates a property (operating system, username, department, etc.) to its values and date when that property was updated and source are included. Properties are always the same: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 59 of 75

60 Figure 54. Networks : Table Area (General > Properties) ACTIVITY 1. Alarms. This is a table where there is information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination. At the upper right-hand corner there is a Search field to facilitate searches. On the bottom side, there is an indication about the number of alarms in the list. This is indicated as Showing n to n of n alarms and it displays the same information that was explained further up. There also is a navigation bar on the right. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 60 of 75

61 Figure 55. Networks : Table Area (Activity > Alarms) 2. Events. It displays a table which includes information about events related to that network. The table includes the following fields: Signature;; Data Source;; Date;; Incoming/Outgoing;; Source;; Destination;; Sensor;; and Risk. Search and Showing events from n display the same information that was explained further up. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 61 of 75

62 Figure 56. Networks : Table Area (Activity > Events) 3. Netflow. It displays a table which includes information about netflows related to that network. This table includes the following fields: Date Flow Start;; Duration;; Protocol;; Src IP:Port;; Dst IP:Port;; and Flags. Display n flows, it allows the user to configure the number of items to view between 10, 50, 100 and all flows. Showing n to n of n flows displays the same information that was explained further up. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 62 of 75

63 Figure 57. Networks : Table Area (Activity > Netflow) ASSETS This option displays a table that includes several fields: Host Name, IP, FQDN, Device Type and Description. The Host Name column can be ordered, ascending or descending, by clicking on it. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 63 of 75

64 Figure 58. Networks : Table Area (Assets) NOTES This option allows the user to add notes to the network. There is a text box where it is allowed to write text. Once the text has been written, click on the SAVE button. Added notes can be modified and deleted EDIT DETAILS OF A NETWORK: VIEW AND MODIFY It is possible to view and modify the details of a group by clicking on the EDIT button (see Figure 50: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 64 of 75

65 Figure 59. Networks : edit details This screen includes the following parts: Name. It is a label that identifies the network. CIDRs. This is a method for allocating IP addresses and routing Internet Protocol packets. It is a range of IP addresses that define the network. Owner. It is a label that identifies the owner of the network. Sensors. AlienVault sensors monitoring the networks associated with that sensor. Click to select a sensor. Multiple selections are allowed. Asset value. This is a value assigned to that network. Values can be from 1 to 5 being 1 the lowest value and 5 the highest one. External Asset. It indicates if this network is external (Yes) or internal (No). Icon. It is possible to associate an image with the network. The allowed size is 16x16 and must be in png format. Description. This field is not mandatory so it is possible that it does not appear any information. In this field may appear a short text. Thresholds C. It refers to the compromise threshold level. It is an integer value. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 65 of 75

66 Thresholds A. It refers to the attack threshold level. It is an integer value. Scan options. It allows the user to select or not the Availability Monitoring. The SAVE button is used to update changes. The CANCEL button is used to exit this window without saving changes. Values that are marked with an asterisk (*) are mandatory ADD A NETWORK To create a network, the instructions below must be followed: 1. Go to the main window of Networks (see Figure 47) and click on Add Network and then, on Add Network. Figure 60. Networks : create a new network 2. Fill out the fields. There is an explanation of each field in Section DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 66 of 75

67 3. Click on SAVE to create that new network IMPORT CSV AlienVault USM allows the user to import assets from a csv file. 1. Go to the main window of Networks (see Figure 47) and click on Add Network and then, on Import CSV. Figure 61. Networks : import CSV 2. Click on Choose File button and choose the csv file. 3. Click on the square next to Ignore invalid characters if you want to ignore them. Have in mind the explanation the notes that appear on the screen. 4. Click on IMPORT. The results of importation are displayed: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 67 of 75

68 Figure 62. Networks : results of importing networks from a csv file This table shows, firstly, the number of networks imported and the number of errors and warning that have been occurring during the importation. Next, there is the summary of the import. Show n entries allows the user to configure the number of items to view between 10, 25, 50 and100 flows. The table includes 3 fields: Line, Status and Details. The Status column can be ordered, ascending or descending, by clicking on it. The icon can be displayed on Details column when the status is Warning or Error. Click on this icon to expand more information about that warning or error. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 68 of 75

69 Figure 63. Networks : results of importing host from a csv file with errors The importing networks appear now in the networks main window (see Figure 47). 5. Click on NEW IMPORTATION to go to the import networks window (see Figure 61) or close this window by clicking on the icon located at the upper-right side ( ) EXPORT NETWORKS AlienVault USM allows the user to export networks to a csv file. To do that, go into details of a network main window (see Figure 47) and click on the icon ( ). A file is created in the download folder location configured in the settings of your web browser. The created file has always the same name structure: All_nets_yyyy-mm-dd.csv Where yyyy refers to the year, mm refers to the month and dd refers to the day. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 69 of 75

70 3.3. NETWORK GROUPS This option is used to manage an asset that groups Networks having the same role or being in the same corporation, for instance. Choose Environment > Groups & Networks the Primary Menu and then, Network Groups on the Secondary Menu: Figure 64. Main window of Network Groups This screen shows a table of all network groups that are part of the system. The first line of the table allows the user to configure the number of entries to view between 10, 15, 20, 25, 35 and 50 entries. It is possible to navigate between all items through the links located at the bottom of the screen. The buttons PREVIOUS and NEXT will be activated in case of having several pages and are used to go to the previous or to the next page, respectively. It is possible to hide and show columns by clicking on the right part of the first column: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 70 of 75

71 Figure 65. Network Groups : hide/show columns The fields that can appear are the following: Name. It is a label that identifies the network group. The data in this column can be ordered in ascending or descending order by clicking on the column name. Networks. It displays the networks, which are part of that network group. Thr_C. It refers to the compromise threshold level. It is an integer value. Thr_A. It refers to the attack threshold level. It is an integer value. Description. This field is not mandatory so it is possible that it does not appear any information. In this field may appear a short text for describing the Network Group, for instance. Knowledge DB. This field shows if that network includes a link to a document or to several documents that are part of the knowledge base of solutions to incidents. The number of associated documents appears between brackets next to the Knowledge DB icon. For instance, means that the network has linked KDB documents. Notes. This column indicates if that network group includes notes. Notes are useful to explain facts about that network group. The number of notes appears between brackets next to the notes icon. For instance, means that a network group includes 4 notes CREATE A NETWORK GROUP To create a network group, the instructions below should be followed: DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 71 of 75

72 1. Go to the main window of Network Groups, see Figure Click on NEW. Or click on a line, then click on the secondary mouse button (right button) and, finally, select New Network Group option. Figure 66. Network Groups : create a new network group This screen displays the following information: Name. Name to identify that Network Group. Networks. Select the network to be part of the group. The selected networks appear in the lower part. Filter. This field is used to search a specific network. It is useful when there are a lot of networks. DC Edition 03 Copyright 2014 AlienVault. All rights reserved. Page 72 of 75