Unified Security Management (USM) Asset Management Guide

Transcription

1 AlienVault Unified Security Management (USM) Asset Management Guide

2 USM Asset Management Guide, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners. Revision to This Document Date July 29, 2015 August 17, 2015 October 2, 2015 Revision Description Original document based on the 5.1 release. Updated for the USM release. Added the limitation that each USM Sensor can have up to 100 plugins enabled. Updated the Figure 3. Scan Results sceen. Updated the Deployment Prerequisites chapter. October 2, 2015 USM Asset Management Guide, rev. 2 Page 2 of 60

3 Contents Contents Introduction... 5 About Asset Management... 6 What is an Asset... 6 What is Asset Value... 6 What is Asset Management... 6 Managing Assets... 8 Adding Assets... 8 Adding Assets by Using the Getting Started Wizard... 8 Adding Assets by Scanning for New Assets... 8 Running a Scan for New Assets Manually... 9 Scheduling an Asset Discovery Scan Adding Assets by Using a CSV File Adding Assets by Using SIEM Events Adding Assets Manually Knowing Your Assets Searching / Filtering for Assets Viewing the Status of Your Assets Labeling Your Assets Editing Your Assets Performing Actions on Your Assets Selecting Assets on the Asset List View Running Asset Scan Running Vulnerability Scan Deploying HIDS Agents Deployment Prerequisites Bulk Deployment Constraints Legacy HIDS Agents Enabling Availability Monitoring Disabling Availability Monitoring Creating or Adding to an Asset Group October 2, 2015 USM Asset Management Guide, rev. 2 Page 3 of 60

4 Contents Adding a Note Viewing Asset Details Table Area Environment Status Suggestions Exporting Assets Deleting Assets Managing Asset Groups Creating Asset Groups Knowing Your Assets Groups Performing Actions on Your Asset Groups Viewing Details of Your Asset Groups Managing Networks Creating a Network Creating a Network Manually Creating a Network by Using a CSV File Knowing Your Networks Performing Actions on Your Networks Viewing Details of Your Networks Managing Network Groups Creating Network Groups Managing Network Groups Editing Network Groups Deleting Network Groups October 2, 2015 USM Asset Management Guide, rev. 2 Page 4 of 60

5 What is an Asset Introduction In USM TM version 5.1, AlienVault continues the effort started in USM 5.0 to provide a simplified user interface and workflows, allowing users to fully manage assets, asset groups, and asset-based security controls. This document covers the new functionalities introduced in version 5.1, as well as those available in previous versions: Managing Assets Managing Asset Groups Managing Networks Managing Network Groups For asset management in USM version 4.x, refer to Assets, Groups & Networks. For asset management in USM version 5.0, refer to USM 5.0 Asset Management Guide. October 2, 2015 USM Asset Management Guide, rev. 2 Page 5 of 60

6 What is an Asset About Asset Management Asset management is one of the key functionalities that AlienVault USM provides. It is useful for controlling assets in the company. This control is very important. Managing assets effectively and efficiently allows you to take maximal advantage of the capabilities in AlienVault USM. What is an Asset In AlienVault USM, an asset is a piece of equipment that bears a unique IP address on the company s network. As examples, it can be a server, a router, a firewall, a printer, or an individual PC. An asset is monitored by at least one USM Sensor. What is Asset Value In USM, every asset has an asset value, ranging from 0 to 5, 0 being the least important and 5 the most important. In trying to decide the asset value, the system first sees if a value has been manually assigned. If not, the system checks the network that the asset belongs to, and uses the asset value of the network instead. If the network does not have an asset value, the asset will be assigned the default value of 2. Asset value is used in calculating event risk. In AlienVault USM, a risk value is calculated for every event once it arrives at the USM Server. The system uses the following formula to calculate the risk: risk of the event = Where (asset value event priority event reliability) 25 Asset value is from 0 to 5. Priority is from 0 to 5. Reliability is from 0 to 10. Therefore, the risk value is from 0 to 10. Decimals are always rounded down. For example, if the asset value is 3, the priority is 3, and the reliability is 5, you will get 3 * 3 * 5 / 25 = 1.8. Therefore, the risk of the event is 1. In USM, any event with a risk value greater than or equal to 1 becomes an alarm. What is Asset Management In USM, asset management includes the following aspects: Discovery (see Adding Assets by Scanning for New Assets). This is one of the essential security capabilities offered by AlienVault USM. This capability allows users to discover and inventory all the assets in a network and to correlate asset information with threat and October 2, 2015 USM Asset Management Guide, rev. 2 Page 6 of 60

7 What is Asset Management vulnerability data. This functionality uses active network asset scanning and passive network asset discovery to allow users to scan networks and hosts. The scan is used for discovering assets and adding them into the USM database to be monitored. Vulnerability Scanning. Vulnerability assessment is another essential security capabilities that USM provides. With the asset oriented security approach introduced in USM 5.0, you can schedule vulnerability scans directly from the assets. See Running Vulnerability Scan. HIDS Agent Deployment. In USM 5.1, you can deploy HIDS agents directly while managing the assets. See Deploying HIDS Agents. Categorization. You can categorize your assets in many different ways by using filters and/or labels. Prioritization. You can prioritize your assets by assigning different asset values to them. Monitoring. Availability monitoring in AlienVault USM allows two types of asset monitoring: host monitoring and services monitoring. Host monitoring reports if an asset is up or down, while services monitoring discovers services on an asset and monitors availability those services. Adding/Deleting. In addition to running asset discovery, you can also add or delete assets manually. Analysis is essential to investigate the detected alarms, which may require knowing, for instance, the software installed on an asset; the existing vulnerabilities; the users that have access; or the traffic generated by an asset. Proper asset management is necessary in order to make the most of the whole AlienVault USM functionality. Keep in mind that not all assets have the same significance. Asset management allows you to configure USM according to your needs. October 2, 2015 USM Asset Management Guide, rev. 2 Page 7 of 60

8 Adding Assets Managing Assets Adding Assets There are several ways to add an asset or assets on a USM: Adding Assets by Using the Getting Started Wizard Adding Assets by Scanning for New Assets Adding Assets by Using a CSV File Adding Assets by Using SIEM Events Adding Assets Manually Note: In addition, the USM system inserts new assets automatically if they are identified via passive asset monitoring, vulnerability scans (only when vulnerabilities are found), or through IDM events. Adding Assets by Using the Getting Started Wizard The Getting Started Wizard is available on USM All-in-One during the initial setup. This wizard includes the initial tasks for getting AlienVault USM ready for production. As a result, the wizard collects as much data as possible to analyze and identify threats in your environment. One of these tasks is to discover assets using a network scan through the following methods: By scanning networks configured in a previous step of the Wizard. By scanning networks imported from a CSV file. By scanning networks added manually. By importing assets from a CSV file. By adding assets manually. See Running the Getting Started Wizard for further information. Adding Assets by Scanning for New Assets This option scans the network for unidentified assets and adds them to the USM database so that they can be monitored by the system. You can choose to scan an asset, a few assets, an asset group, a network, or a network group. October 2, 2015 USM Asset Management Guide, rev. 2 Page 8 of 60

9 Adding Assets Running a Scan for New Assets Manually To run a scan for new assets 1. Navigate to Environment > Assets & Groups > Assets, click Add Assets and then Scan For New Assets. Figure 1. Assets: select option Scan for New Assets 2. Select the asset(s) you want to scan: a) Click the + sign to expand the branches in the All Assets tree and click on your selection; b) Alternatively, type the name of a specific asset/network in the search box, then press Enter; The selected asset appears in the text area on the left. 3. Select a sensor between Local (from your framework machine), Automatic (the first available sensor will be selected), or by selecting a specific sensor. 4. Select the advanced options: Table 1. Advanced options for asset scans Advanced Options Sub-options Description Scan Type Ping This option sends a ping to each asset. Fast Scan Normal This option scans the most common 100 ports. This option scans the most common 1000 ports. October 2, 2015 USM Asset Management Guide, rev. 2 Page 9 of 60

10 Adding Assets Advanced Options Sub-options Description Full Scan Custom This option scans all ports. It can be slow. This option allows the user to define the ports to scan. Timing Template Paranoid This option scans very slowly. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets. Autodetect Services and Operating System Enable Reverse DNS Resolution 5. Click Start Scan. Sneaky Polite Normal Aggressive Insane N/A N/A This option is similar to paranoid mode, except it only waits 15 seconds between sending packets. This option is meant to ease the load on the network and reduce the chance of crashing machines. It serializes the probes and waits at least 0.4 seconds in between. This option is the default behavior, which tries to run as quickly as possible without overloading the network or missing hosts/ports. This option adds a 5-minute timeout per host and it never waits more than 1.25 seconds for probe responses This option is only suitable for very fast networks or where you do not mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps. Choose this option to detect services and operating system versions. This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts. October 2, 2015 USM Asset Management Guide, rev. 2 Page 10 of 60

11 Adding Assets Figure 2. Scan for New Assets window Once the scan is completed, the results are displayed in the same screen, just below the Start Scan button: Figure 3. Scan Results 6. Click Update Managed Assets in order to save the results in the database. The following table displays the meaning of each column: October 2, 2015 USM Asset Management Guide, rev. 2 Page 11 of 60

12 Adding Assets Table 2. of the columns in a scan result Column Check box to select items. Host Hostname FQDN Device Types MAC OS Services FQDN as Hostname The IP address that identifies the host. The name that identifies the host. Fully Qualified Domain Name. Type of device that identifies the host. MAC Address assigned to the host. Operating System. The names of the services assigned to that host. Choose this option to use FQDN as the hostname for the discovered assets. If a FQDN contains any dot, only the name before the first dot will be used. Scheduling an Asset Discovery Scan Navigate to Environment > Assets & Groups > Schedule Scan > Asset Discovery Scan. Figure 4. Schedule an Asset Discovery Scan This screen includes the following elements: October 2, 2015 USM Asset Management Guide, rev. 2 Page 12 of 60

13 Adding Assets Table 3. of the columns in the Asset Discovery Scan main window Column Name Sensor Targets Frequency Name given to the scan. The sensor that is watching that network. The network to be scanned. The rate at which that scan is going to happen or is going to be repeated. Enabled Indicates if the scan is enabled ( ) or not ( ). Actions To modify ( ) or delete ( ) a scan. Use this button ( ) to change information about an existing scan. Select the scan to be modified and click the button. A window similar to Figure 5. Schedule a new Asset Scan will appear. Modify the data you need and click Save. Use this button ( ) to remove an existing scan. Select the scan to be deleted and click the button. A confirmation message appears. Click Yes if you want to delete it; or No if you do not want to. The Vulnerability Scans button takes you to the Environment > Vulnerabilities > Scan Jobs page. Use the Schedule New Scan button to schedule a new Asset Discovery Scan. To schedule a new scan 1. Click Schedule New Scan. 2. Enter a name for the new scan. 3. Enter the target network or networks to scan. You can type one unique CIDR (x.x.x.x/xx) or a CIDR list separated by commas (CIDR1, CIDR2, CIDR ). 4. Select a sensor. 5. Select the scan type. See Adding Assets by Scanning for New Assets for further information. 6. Select the timing template. See Adding Assets by Scanning for New Assets for further information. 7. Autodetect services and Operating System. Select this option to detect services and operating system versions. October 2, 2015 USM Asset Management Guide, rev. 2 Page 13 of 60

14 Adding Assets 8. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts. 9. Select the frequency at which the scan is going to happen or is going to be repeated. The options are Hourly, Daily, Weekly or Monthly. 10. Click Save. Figure 5. Schedule a new Asset Scan Note: The results of scheduled asset discovery scans do not appear in the web interface. New assets will be added automatically and existing ones will be updated if new properties are found. Adding Assets by Using a CSV File AlienVault USM allows users to import assets from a CSV file. In version 4.x and 5.x, the allowed formats are the following: IPs(IP1,IP2,...) *; Hostname ; FQDNs(FQDN1,FQDN2,...) ; Description ; Asset Value ; Operating System ; Latitude ; Longitude ; Host ID ; External Asset ; Device Types(Type1,Type2,...) where October 2, 2015 USM Asset Management Guide, rev. 2 Page 14 of 60

15 Adding Assets The IP field is mandatory. The hostname syntax is defined by RFC The FQDN syntax is defined by RFC 1035, RFC 1123 and RFC Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenSD, MacOS, Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or iphone. For device type options, see Table 4. List of accepted device types. Each CSV file must contain a header row: IPs ; Hostname ; FQDNs ; Description ; Asset Value ; Operating System ; Latitude ; Longitude ; Host ID ; External Asset ; Device Type Important: The delimiter of the CSV file is a semicolon. For example, IPs ; Hostname ; FQDNs ; Description ; Asset Value ; Operating System ; Latitude ; Longitude ; Host ID ; External Asset ; Device Type ; Host1 ; ; This is a test server. ; 2 ; Windows ; ; ; 379D45C0BBF22B4458BD2F8EE09ECCC2 ;0; Se rver:mail Server Table 4. List of accepted device types Category Network Device Device Type Network Device:Router Network Device:Switch Network Device:VPN device Network Device:Wireless AP Network Device:Bridge Network Device:Broadband Router Network Device:Remote Management Network Device:Storage Network Device:Hub Network Device:Load Balancer Network Device:Firewall October 2, 2015 USM Asset Management Guide, rev. 2 Page 15 of 60

16 Adding Assets Category Endpoint General Purpose Industrial Device Media Device Mobile Peripheral Security Device Server Device Type n/a n/a Industrial Device:PLC Media Device:Game Console Mobile:Mobile Mobile:Tablet Mobile:PDA Mobile:VoIP Phone Peripheral:Printer Peripheral:Camera Peripheral:Terminal Security Device:Intrusion Detection System Security Device:Intrusion Prevention System Server:HTTP Server Server:Mail Server Server:Domain Controller Server:DNS Server Server:File Server Server:Proxy Server Server:PBX Server:Print Server Server:Terminal Server Server:VoIP Adapter October 2, 2015 USM Asset Management Guide, rev. 2 Page 16 of 60

17 Adding Assets To add assets by using a CSV file 1. Navigate to Environment > Assets & Groups > Assets, click Add Assets and then, Import CSV (see Figure 1. Assets: select option Scan for New Assets). 2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters (Hostnames) if you want to ignore them. Important: The header row and the IP fields are mandatory. When the CSV file does not include a header, the following error appears: Figure 6. Import Assets from CSV: error 3. Click Import. The results of the import display. October 2, 2015 USM Asset Management Guide, rev. 2 Page 17 of 60

18 Adding Assets This table shows the number of assets imported, and the number of errors and warnings that occurred during the import. Next, there is the summary of the import. The table includes three fields: Line, Status and Details. Line indicates the line number in the CSV file. Click the Status column to sort. The icon appears when the status is Warning or Error. Click this icon to read specific information about that warning or error. The imported assets appear in the asset list view, see Figure 9. Asset List View. 4. Click New Importation to import more assets from a CSV file or close the window by clicking on the icon located at the upper-right side ( ). Adding Assets by Using SIEM Events AlienVault USM allows the user to import hosts from SIEM events. This option checks events and networks and it imports automatically all assets that are found. 1. Navigate to Environment > Assets & Groups > Assets. 2. Click Add Assets and then, Import From SIEM. 3. Click View Log if you want to read the log file. 4. Click Import to transfer the assets that were found. Or click Cancel to exit this window. Assets are imported 25,000 at a time. Therefore, when more than 25,000 hosts are found, you will need to repeat step #1 to #3 until all assets have been imported. Figure 7. Assets : import assets from SIEM events (batches of 25,000 assets) Adding Assets Manually Follow the instructions below to add assets manually: 1. Navigate to Environment > Assets & Groups > Assets. October 2, 2015 USM Asset Management Guide, rev. 2 Page 18 of 60

19 Adding Assets 2. Click Add Assets, and then Add Host. The New Asset window displays. Figure 8. Assets : create a new asset 3. Fill out the fields: Table 5. Create a new asset: meaning of the fields Field Name This is a label that identifies the asset. This field is mandatory. October 2, 2015 USM Asset Management Guide, rev. 2 Page 19 of 60

20 Adding Assets Field IP Address Asset value External Asset Sensors This field denotes the IP Address of the assets. This field is mandatory. This is a value assigned to the asset. This field is mandatory. See What is Asset Value for further information. Indicates if this asset is external (publicly facing) (Yes) or internal (No). This field is mandatory. This shows the USM sensor or sensors monitoring this asset. This field is mandatory. There are optional fields. Although it is not compulsory to fill out these fields, it is recommended to do it for filtering, for example threads on Windows Systems. The optional fields are the following: Table 6. Create a new asset: meaning of the optional fields Field FQDN/Aliases Operating System Description Icon Location Model Device Types This field contains the domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). This field specifies the operating system on the asset. This field provides a short description of the asset. This field allows you to associate an image with the asset. The accepted image size is 400x400 and the allowed formats are png, jpg or gif. You can specify the location of this asset. The written location appears on the map. You can also use latitude and longitude to locate the place. This field is used to specify the model that identifies the asset. Select a device type and click Add. Important: While naming an asset in the USM, keep the following rules in mind: An asset name cannot contain any dot (.) An asset name cannot start or end with a dash (-) An asset name cannot contain a space An asset name can start or end with a letter or a number October 2, 2015 USM Asset Management Guide, rev. 2 Page 20 of 60

21 Knowing Your Assets An asset name can be up to 63 characters 4. Click Save. The Asset Details window appears (see Figure 24. Assets : view details of an asset). 5. Alternatively, click (at the right upper corner) to exit this window without saving any changes. Knowing Your Assets AlienVault USM provides a centralized view for your assets on Environment > Assets & Groups > Assets. We call this the Asset List View. In this window the following are available: Adding Assets Deleting Assets Exporting Assets Searching / Filtering for Assets Editing Your Assets Labeling Your Assets Viewing the Status of Your Assets Performing Actions on Your Assets October 2, 2015 USM Asset Management Guide, rev. 2 Page 21 of 60

22 Knowing Your Assets Figure 9. Asset List View Searching / Filtering for Assets You can either search or filter for your assets on the asset list view. Simply type what you are looking for in the search field. The system will search on hostname & FQDN if you enter text, or IP & CIDR if you enter an IP address. Below the search box there are some filters. The search filters are the following: Table 7. Search filters in the asset list view Filter Name Has Alarms Has Events Vulnerabilities Asset Value HIDS Status It allows searching for assets with alarms. It allows searching for assets with events. It allows searching for assets with vulnerabilities. By default, it includes all severity levels: Info, Low, Medium, High and Serious. Slide the bar to exclude one or more levels. It allows searching for assets with a specific asset value or values. By default it includes asset values from 0 to 5. Slide the bar to exclude one or more values. It allows searching for assets with HIDS connected, disconnected or not October 2, 2015 USM Asset Management Guide, rev. 2 Page 22 of 60

23 Knowing Your Assets Filter Name Availability Status Show Assets Added Last Updated deployed. It allows searching for assets that are running (Up), not running (Down) or availability monitoring not configured (Unconfigured). It allows searching for assets based on the date when they are added. It allows searching for assets based on the date when they are last updated. The More Filters button allows the user to add more filters: Figure 10. Assets: Network tab for the MORE FILTERS screen This screen includes several tabs. Each tab shows its specific data that can be used for filtering: Table 8. Search filters in the Assets screen: More filters button Filter Name Network Group Sensor Device Type Service Use this tab to filter assets by network name or network CIDR. Use this tab to filter assets by asset group name. Use this tab to filter assets by the sensor. Use this tab to filter assets by their device types. Use this tab to filter assets by the services running on them. Operating System Use this tab to filter assets by their operating system. Software Use this tab to filter assets by the software running on them. October 2, 2015 USM Asset Management Guide, rev. 2 Page 23 of 60

24 Knowing Your Assets Filter Name Model Label Location Plugin Use this tab to filter assets by their hardware model. Use this tab to filter assets by their label. Use this tab to filter assets by their location. Use this tab to filter assets by the plugin. You can filter by several plugins at the same time or choose the option No Plugin Enabled. There is a search field located at the top left of each tab. This is useful when there are many items in a tab. It allows executing a search among all of them. The icon is used to delete the search term that you entered. Click Apply to start the search. Click Cancel or the icon ( filters. ) located at the top right side of the window to finish the addition of When applying the filters, the search uses a logical AND operator when the filters are different. For example, the following search looks for assets that have alarms and events and were added during the last day: Figure 11. Detail of Assets Screen: Example of the logical AND However, when the filter is of the same type, the Pvt_010 network or the Pvt_172 network in the following example, the logical OR operator is used: Figure 12. Detail of Assets Screen: Example of the logical OR October 2, 2015 USM Asset Management Guide, rev. 2 Page 24 of 60

25 Knowing Your Assets Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you want to remove only that filter. Viewing the Status of Your Assets The result of a search is displayed in the table of assets. In addition, the number of assets that meet the selected filters is indicated. Figure 13. Detail of a search in the asset list view The table of assets includes the following columns: Table 9. Columns in the table of assets Column Used to select assets. It is possible to select assets from multiple pages and apply an action. Hostname IP Device Type Name of the asset. IP associated with the asset. Device type associated with the asset. October 2, 2015 USM Asset Management Guide, rev. 2 Page 25 of 60

26 Knowing Your Assets Column Operating System Asset Value Vuln Scan Scheduled HIDS Status Name of the Operating System associated with the asset. The value that has been set for that asset. This column indicates whether a vulnerability scan has been scheduled and enabled or not. This column indicates the HIDS status for that asset (Connected, Disconnected or Not Deployed). This button opens the details of that asset. Click on an asset to check the status of that asset: Figure 14. Expanded details of an asset Table 10. of the colors in an expanded view of an asset Type Color Vulnerabilities Gray The asset has no vulnerabilities. Green Yellow Red The asset contains Info level vulnerabilities. The asset contains 1 or more 'Low' and/or 'Medium' vulnerabilities. The asset contains 1 or more Serious and/or High vulnerabilities. October 2, 2015 USM Asset Management Guide, rev. 2 Page 26 of 60

27 Knowing Your Assets Type Color Alarms Gray There are no alarms on this asset. Yellow The asset contains alarms with risk between 1 and 5. Red The asset contains alarms with risk greater than 5. Events Gray There are no events on this asset. Yellow Red This asset contains low and/or medium risk events. This asset contains high risk events. Availability Gray The availability status of this asset is not enabled and/or pending status. Green Yellow Red The availability status of this asset is up. The availability status of this asset is unreachable. The availability status of this asset is down. Services Gray Availability monitoring has not been enabled and/or pending status for 1 or more services. Green Yellow Red The availability status is up for % of the ports/services on this asset. 1 or more services on this asset has an unknown status. There is a Critical and/or Warning status on 1 or more services on this asset. Groups Gray Display the number of groups the asset belongs to. Notes Gray Display the number of notes on this asset. Labeling Your Assets Labels are used to manage assets. Select the asset(s) you want to label and click the icon ( ). October 2, 2015 USM Asset Management Guide, rev. 2 Page 27 of 60

28 Knowing Your Assets Figure 15. Assets : labels The symbols that can appear next to a label are the following:. This icon means that the label has been applied to some of the selected assets.. This icon means that the label has been applied to all of selected assets.. This icon means that the label has not been applied to any of the selected assets. The link Manage Labels is used to control labels: Figure 16. Assets : manage labels Select a label, change the name if you want and click Save. Editing Your Assets It is possible to modify a field in multiple assets at the same time: October 2, 2015 USM Asset Management Guide, rev. 2 Page 28 of 60

29 Knowing Your Assets 1. Select the assets you want to modify. 2. Click Actions and then Edit. Figure 17. Assets : edit an asset 3. Modify the fields. 4. Click Save and the field with new information will be modified in the selected assets at the same time. Important: All user-defined property values have higher priority over those detected by other tools used in the USM, such as software inventory, HIDS, passive and/or active asset October 2, 2015 USM Asset Management Guide, rev. 2 Page 29 of 60

30 Performing Actions on Your Assets discovery. The AlienVault systems are recognized as "AlienVault OS". Performing Actions on Your Assets You can perform certain actions, such as running an asset scan or running a vulnerability scan, on one or multiple assets from the asset list view (Environment > Assets & Groups). However, these actions are not enabled until you have selected your asset(s). Selecting Assets on the Asset List View To select a single asset, check the square to the left of the hostname of the asset. To select multiple assets, check the squares one by one. You can navigate to the next page and select more assets. The selection on the previous page is preserved. To select all the assets on the same page, check the square in the first column of the header row. To select all the assets returned from a search, or all the assets in the system, first select all the assets on the page. The text You have selected 20 assets. Select 18,334 assets. appears above the asset table, where xxxxx is the number of assets in the system. Click the Select 18,334 assets. text. This will select all the assets. Figure 18. Assets : select all assets at the same time Once the assets are selected, you can perform one of these actions: Editing Your Assets October 2, 2015 USM Asset Management Guide, rev. 2 Page 30 of 60

31 Performing Actions on Your Assets Deleting Assets Running Asset Scan Running Vulnerability Scan Deploying HIDS Agents Enabling Availability Monitoring Disabling Availability Monitoring Creating or Adding to an Asset Group Adding a Note Figure 19. Assets : actions menu Running Asset Scan This option allows the user to scan assets. When the scan finds new assets they are added to the system automatically. 1. Select the assets. 2. Click Actions > Run Asset Scan. The Asset Scan window appears: October 2, 2015 USM Asset Management Guide, rev. 2 Page 31 of 60

32 Performing Actions on Your Assets Figure 20. Running Assets Scan Window 3. Select an option for Scan type and Timing template and click Autodetect services and Operating System and Timing template if you want to activate these options. There is an explanation of these advanced options in Adding Assets by Scanning for New Assets. Note: There are 3 icons that can appear in the status field:, which means the scan can be started., which means those assets cannot be scanned because the sensor is not connected at that moment., which means the system is busy with other scan jobs. 4. Click Start Scan. 5. A message appears. For example, Asset Scan in progress for 3 assets, or for the number of assets that you selected. 6. If the scan finds new assets, they will be added to the system automatically. October 2, 2015 USM Asset Management Guide, rev. 2 Page 32 of 60

33 Performing Actions on Your Assets Running Vulnerability Scan 1. Select the assets. 2. Click Actions > Run Vulnerability Scan. 3. The Vulnerability Scan window appears. 4. Enter a name to identify the vulnerability scan. 5. Select a sensor. There can be up to 5 concurrent scans per USM Sensor. 6. Select a profile: Table 11. Vulnerability Scan: profile Profile Deep Default Ultimate This is a non-destructive full and fast scan. This scan can be used if the scanned system breaks or crashes when overwhelmed with scanning requests. This is a full and fast scan, including destructive tests. Include dangerous stress tests that can crash the scanned system (for example, filling a network switches memory with random MAC addresses). 7. Select a schedule method: Table 12. Vulnerability Scan: Schedule Method Schedule Method Immediately Run Once Daily Day of the Week Day of the Month Nth weekday of the month The scan job will be done without delay. Schedule a scan job on a specific day and time and just on that time. Schedule a scan job every x days beginning on a specific day. Schedule a scan job on a specific day of the week Schedule a scan job on a specific day of the month Schedule a scan job on a specific day and week of a month. 8. Optionally, extend Advanced to reveal the following options: October 2, 2015 USM Asset Management Guide, rev. 2 Page 33 of 60

34 Performing Actions on Your Assets Table 13. Vulnerability Scan: Advanced Options Advanced Options SSH Credential SMB Credential Timeout Send an notification Checks the parch level and installed software versions on various Linux and UNIX distributions. Checks the patch level of Windows systems. Enter the maximum number of seconds that the scan can run. Click No if you do not want to send an notification; or click Yes to send an notification then select a user or an entity. 9. Select Only scan hosts that are alive to speed up the scanning process. 10. Select Pre-Scan locally if you do not want to pre-scan from a remote sensor. 11. Select Do not resolve names if you do not want to resolve hostnames or FQDN. 12. Click New Job to create the vulnerability scan or Cancel to exit this window. Figure 21. Assets : Run a Vulnerability Scan October 2, 2015 USM Asset Management Guide, rev. 2 Page 34 of 60

35 Performing Actions on Your Assets Deploying HIDS Agents Deployment Prerequisites A Windows system (XP, 7, 8, 10, Server 2003, 2008 or 2012). A user account with administrator privileges on the Windows system. Operating System specific settings: Table 14. Deploying HIDS Agents: Operating System specific settings Operating Systems Windows XP Configuration Steps 1. Go to Control Panel > Folder Options > View. Uncheck Use simple file sharing. 2. Go to Control Panel > Windows Firewall > Exceptions. Check File and Printer Sharing. Windows 7 1. Go to Control Panel > Folder Options > View. Uncheck Use Sharing Wizard (Recommended). 2. Go to Control Panel > System and Security> Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In). 3. Go to Control Panel > User Accounts > Change User Account Control Settings. Move the slider to Never notify. Windows Server 2003, 2008 R2 and 2012 R2 1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In). 2. Allow NTLMv2 security. Execute gpedit.msc. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change: Network Security: Minimum session security for NTLM SPP based (including secure RPC) clients > Require NTLMv2 session security, Require 128-bit encryption. Network Security: Minimum session security for NTLM SPP based (including secure RPC) servers > Require NTLMv2 session security, Require 128-bit encryption. Network Security: LAN Manager Authentication level > Send NTLMv2 response only. Refuse LM & NTLM. October 2, 2015 USM Asset Management Guide, rev. 2 Page 35 of 60

36 Performing Actions on Your Assets Operating Systems Configuration Steps Windows 8 and Go to Control Panel > Folder Options > View. Uncheck Use Sharing Wizard (Recommended). 2. Go to Control Panel > System and Security> Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In). 3. Go to Control Panel > User Accounts > Change User Account Control Settings. Move the slider to Never notify. 4. Set User Account Control: Run all administrators in Admin Approval Mode to Disabled. This option is recommended by Dell, because it is more secure and can be centrally configured using GPO. To find this setting, open the Group Policy (type secpol.msc into the Search programs and files field under the Start menu), then go to Local Policies > Security Options. Restart the device after applying the settings. Important: The HIDS agent status is not shown in real time. It is updated in the background every hour. Bulk Deployment Constraints The selected assets can be accessed via the same credentials. The selected assets are Windows based. If none of the assets are Windows based, the HIDS agents are not deployed. A warning message displays instead. If some of the assets are Windows based, you will have 3 options: Table 15. Bulk Deployment Constraints: Windows based options Advanced Options Cancel View these assets Continue Cancel the deployment and go back to the asset list view. Cancel the deployment and view the non-windows assets in the asset list view. Continue with the deployment on the Windows assets. October 2, 2015 USM Asset Management Guide, rev. 2 Page 36 of 60

37 Performing Actions on Your Assets To deploy HIDS agents 1. Select the assets. 2. Click Actions > Deploy HIDS Agents. Figure 22. Deploy HIDS Agents 3. Fill out the fields. Domain is optional. The user accounts must have administrator privileges. 4. Click Deploy. HIDS agents will be deployed on the selected asset(s). For every deployment attempt, the system will generate a message in the Message Center with the result success or failure. Legacy HIDS Agents If this is an upgrade from a previous version of USM, you may already have some HIDS agents deployed. The system will try to link legacy HIDS agents with an asset. If the IP address of the HIDS agent is not present in the inventory, the system will create a new asset with that IP address. If the system does not have enough information to link the HIDS agent with an asset, a message is shown in the Message Center, and you should link the asset manually. To connect an HIDS agent with an asset 5. Go to Envionment > Detection > HIDS > Agents. The list of HIDS agents displays. 6. Select the HIDS agent without a value in the Asset column, click the link icon ( ). The Connect an Asset to HIDS Agent window pops up. 7. Type in the IP address of the asset or select it from the asset tree. October 2, 2015 USM Asset Management Guide, rev. 2 Page 37 of 60

38 Performing Actions on Your Assets 8. Click Save. A confirmation message displays. 9. Click Yes. Enabling Availability Monitoring 1. Select the assets. 2. Click Actions > Enable Availability Monitoring. Availability monitoring will be enabled on the selected asset or assets. Disabling Availability Monitoring 1. Select the assets. 2. Click Actions > Disable Availability Monitoring. Availability monitoring will be disabled on the selected asset or assets. Creating or Adding to an Asset Group 1. Select the assets. 2. Click Actions > Create / Add to Group. This option allows the user to create an asset group or add select assets to an existing asset group. October 2, 2015 USM Asset Management Guide, rev. 2 Page 38 of 60

39 Viewing Asset Details Figure 23. Assets : create or add to a group The Search field is used to find an existing group. To add assets to an existing group, locate the group and click the (Knowing Your Assets Groups). icon in the Actions column. The box labeled New Group is used to create a new group. Enter a group name and click the icon to create that group (Creating Asset Groups). Adding a Note 1. Select the assets. 2. Click Actions > Add Note. 3. Enter a note for the assets, click Save. Viewing Asset Details Do one of the following to view the specific information of an asset: Click the Details button ( ). October 2, 2015 USM Asset Management Guide, rev. 2 Page 39 of 60

40 Viewing Asset Details Double click on the line of that asset. Figure 24. Assets : view details of an asset This screen displays the following information: Table 16. of the columns in the Asset Details window Field Hostname Label Asset Value Device Type Networks Sensors Model Asset Type The name that identifies the asset. The IP and the MAC address of this asset are displayed underneath. Label or labels applied to this asset (see Labeling Your Assets). This is a value assigned to the asset. See What is Asset Value for further information. Device type of the asset. The network associated with this asset. This shows the USM sensor or sensors monitoring this asset. This field specifies the model that identifies the asset. This field indicates if this asset is external (publicly facing) (Yes) or internal (No). October 2, 2015 USM Asset Management Guide, rev. 2 Page 40 of 60

41 Viewing Asset Details Field Status Summary Description Table Area Actions Asset Location Environment Status Suggestions This field is mandatory. This field displays the status of the asset in a graphical view. Hover your mouse within each circle to see what it means. Clicking on the specific circle will activate the corresponding tab in the table area below, where you can investigate more details. See Table 10. of the colors in an expanded view of an asset. This field provides a short description of the asset. See Table Area for further information. This is a button that allows you to access selected functions (see Performing Actions on Your Assets). Geographical location of this asset. See Environment Status for further information. See Suggestions for further information. Table Area The table area appears at the bottom of the screen. This menu includes the following options: Vulnerabilities. This table displays vulnerabilities related to the asset. The fields are Scan Time, Asset, Vulnerabilities, Vuln ID, Service, and Severity. Alarms. This table displays alarms associated with this asset. The fields are Date, Status, Intent & Strategy, Method, Risk, Source, and Destination. The button brings you to the Alarm Details page. Events. This table displays events related to this asset. The table includes the following fields: Date, Signature, Source, Destination, Sensor, and Risk. The button brings you to the Event Details page. Software. This option indicates if the asset has some software installed. The fields are IP Address, Name, Date, and Source. Use the vertical scroll bar, if necessary, to see all rows. You can use the Edit Software button to add, modify and/or delete software. Services. This option displays a table that shows the services related to the asset. The fields are IP Address, Port, Protocol, Name, Status, and Monitoring. You can use the Edit Services button to add, modify and/or delete services. While in the Edit Services window, if you want to enable or disable availability monitoring for a service, select the service first, and then choose enable or disable from the Availability Monitoring dropdown menu. Plugins. This table displays the plugins that are enabled for this asset. The fields are Asset, Vendor, Model, Version, Sensor, and Receiving Data. The last field indicates if the plugin is October 2, 2015 USM Asset Management Guide, rev. 2 Page 41 of 60

42 Viewing Asset Details receiving data from this asset. The Edit Plugin button is used to select the vendor, model and version of the device. All three fields are required. Once they are selected, the button Add Plugin appears. It is possible to enable multiple plugins in USM 5.1. You can add as many as 10 plugins to a single asset. If the asset is related to multiple sensors, dropdown menu displays for you to choose on which sensor this plugin should be enabled. Note: The Plugin table is not available on the localhost because the default plugins have already been activated. You can enable up to 10 plugins per asset and up to 100 plugins per USM Sensor. Properties. This option displays information relating to the asset properties. The fields are IP Address, Type, Property, Date, and Source. You can use the Edit Properties button to modify or add an entry. To add a property: 1. Choose a type. 2. Enter the property. 3. Click Lock property to avoid it being modified by automatic processes. 4. Click Save. Netflow. This option displays a table which includes information about netflows related to that asset. This table includes the following fields: Date Flow Start, Duration, Protocol, Source, Destination, and Flags. Groups. This option displays the groups to which that asset belongs. The fields are Name, Owner, and Assets. The button goes to the Asset Groups detail page (see Managing Asset Groups) and the Add To Group button is used to add the asset to an asset group. Environment Status At the right side, you ll find the following links: HIDS. This link refers to the intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. Clicking the link takes you to Environment > Detection > HIDS. The circle next to this field can appear in 4 different colors: Table 17. Environment Status: HIDS colors and meanings Field GREEN YELLOW It means that the HIDS agent is deployed with status Active or Active/Local. It means that the HIDS agent is deployed with status Disconnected. October 2, 2015 USM Asset Management Guide, rev. 2 Page 42 of 60

43 Viewing Asset Details Field RED GREY It means that the HIDS agent is deployed with status Never Connected. It means that no HIDS agent is deployed. Automatic Asset Discovery. This link indicates if there are any pending scans for that host. Clicking the link takes you to Environment > Assets & Groups > Schedule Scan. The circle next to this field can appear in 3 different colors: Table 18. Environment Status: Automatic Asset Discovery colors and meanings Field GREEN YELLOW RED It means that all IPs associated with that asset are scheduled to be scanned. It means that some IPs associated with that asset are scheduled to be scanned, but not all of them. It means that none of IPs associated with that asset are scheduled to be scanned. Vuln Scan Scheduled. This link indicates if there are any vulnerability scan scheduled for that host. Clicking the link takes you to Environment > Vulnerabilities > Scan Jobs. The circle next to this field can appear in 2 different colors: Table 19. Environment Status: Vulnerabilities Scan Scheduled colors and meanings Field GREEN RED It means there is a scheduled scan for the asset. It means there is no scheduled scan for the asset. See Network Activity. This link displays the network usage of the IP address associated with this asset. This page can be blank if no activity is detected. October 2, 2015 USM Asset Management Guide, rev. 2 Page 43 of 60

44 Exporting Assets Suggestions This section shows suggestions related to that asset. These suggestions can be informative, warning or error messages. Click the message to see the details. Exporting Assets Navigate to Environment > Assets & Groups > Assets, select the assets you want to export, and click the structure: button on the right side of the screen. The name of the exported file has the following Assets yyyy-mm-dd.csv Deleting Assets Navigate to Environment > Assets & Groups > Assets, select the asset(s) you want to delete, and click Actions > Delete: Figure 25. Assets : select an asset to delete A new window appears confirming the deletion: Figure 26. Assets : confirm the deletion October 2, 2015 USM Asset Management Guide, rev. 2 Page 44 of 60

45 Creating Asset Groups Managing Asset Groups Asset groups are administratively created objects that group similar assets for specific purposes. Assets are grouped based on IP addresses and networks that are monitored by AlienVault. Grouping based on IP addresses allows for easier search and management of assets. For example, you could group all network firewalls, or all servers running a particular operating system. Such groups are useful when performing various tasks, such as vulnerability assessment or asset discovery, or when you are interested only in events coming from specific devices. Grouping of assets is possible based on various properties, including: Asset Value Network Software running on assets Sensor that monitors assets Device type of asset Open port or services running on assets Location of assets Creating Asset Groups There are two ways to create an asset group: Select assets first, and then create the group. See Creating or Adding to an Asset Group. Create the asset group first, and then add assets to it. For the second approach, follow the instructions below: 1. Navigate to Environment > Assets & Groups > Asset Groups. 2. Click Create New Group. Figure 27. Create an Asset Group October 2, 2015 USM Asset Management Guide, rev. 2 Page 45 of 60

46 Creating Asset Groups 3. Enter name for the new group. An asset group name is required. Optionally, enter a description for the group. 4. Click Save. Figure 28. Create an Asset Group: group details 5. Click Add Assets. October 2, 2015 USM Asset Management Guide, rev. 2 Page 46 of 60

47 Knowing Your Assets Groups Figure 29. Create an Asset Group: adding assets 6. Click this button ( ) to add that asset to the group. 7. Close this window and the added asset will appear in the group. Knowing Your Assets Groups AlienVault USM provides a centralized view for managing your asset groups. This view is on Environment > Assets & Groups > Asset Groups. It has the same look and feel as the asset list view. The functionalities available are the same as well. The difference is that in this view, you are managing asset groups instead of assets. October 2, 2015 USM Asset Management Guide, rev. 2 Page 47 of 60

48 Knowing Your Assets Groups Figure 30. Asset Groups List View Click on an asset group to view the status of that group: Figure 31. Expanded details of an asset group October 2, 2015 USM Asset Management Guide, rev. 2 Page 48 of 60

49 Knowing Your Assets Groups Table 20. of the colors in an expanded view of an asset group Type Color Assets Gray Display the number of assets being part of the group. Vulnerabilities Gray Green Yellow Red The asset group has no vulnerabilities. The asset group contains Info level vulnerabilities. The asset group contains 1 or more 'Low' and/or 'Medium' vulnerabilities. The asset group contains 1 or more Serious and/or High vulnerabilities. Alarms Gray There are no alarms on this asset group. Yellow The asset group contains alarms with risk between 1 and 5. Red The asset group contains alarms with risk greater than 5. Events Gray There are no events for this asset group. Yellow Red The asset group contains low and/or medium risk events. The asset group contains high risk events. Availability Gray The availability status of this group is not enabled and/or pending status. Green Yellow Red The availability status is up for % of assets in this group. The availability status is up for 75-95% of assets in this group. The availability status is up for less than 75% of assets in this group. Services Gray The availability monitoring has not been enabled and/or pending status for 1 or more services. Green Yellow Red The availability status is up for % of the ports/services on this group. 1 or more services in this group have an unknown status. There is a Critical and/or Warning status on 1 or more services for this group. Notes Gray Display the number of notes on this group. October 2, 2015 USM Asset Management Guide, rev. 2 Page 49 of 60

50 Performing Actions on Your Asset Groups Performing Actions on Your Asset Groups The actions you can perform on asset groups work as those on assets. The difference is that you perform these actions on asset group(s) instead of assets. See Performing Actions on Your Assets. Figure 32. Asset Groups : actions menu Viewing Details of Your Asset Groups Do one of the following to view the specific information of a group: Click the Details button ( ). Double click on the line of that group. Figure 33. Assets Groups : view details of a group This window includes the same information as the one for assets (see Table 16. of the columns in the Asset Details window) except for the following: The export button ( ), which is used to export assets from a group to a CSV file. The name of the exported file has the following structure: Assets_from_group_groupID yyyy-mmdd.csv October 2, 2015 USM Asset Management Guide, rev. 2 Page 50 of 60

51 Viewing Details of Your Asset Groups Environment Status links. HIDS. Clicking the link takes you to Environment > Detection > HIDS. The circle next to this field can appear in 4 different colors: Table 21. Environment Status: HIDS colors and meanings Field GREEN YELLOW RED GREY It means that all the assets in this group have HIDS agents deployed and all of them are active. It means that some of the assets in this group have HIDS agents deployed but not all of them are active. It means that some of the assets in this group have HIDS agents deployed but they are not connected. It means that none of the assets in this group have HIDS agents deployed. Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups > Schedule Scan. The circle next to this field can appear in 3 different colors: Table 22. Environment Status: Automatic Asset Discovery colors and meanings Field GREEN YELLOW RED It means that all the assets in this group are scheduled to be scanned. It means that some of the assets in this group are scheduled to be scanned. It means that none the assets in this group are scheduled to be scanned. Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities > Scan Jobs. The circle next to this field can appear in 2 different colors: Table 23. Environment Status: Vuln Scan Scheduled colors and meanings Field GREEN RED It means that all the assets in this group have a vulnerability scan scheduled. It means that none of the assets in this group have a vulnerability scan scheduled. October 2, 2015 USM Asset Management Guide, rev. 2 Page 51 of 60

52 Creating a Network Managing Networks Networks are configuration objects that specify which parts of an organization are monitored by AlienVault USM. Networks also specify which assets will be imported during asset discovery. Only assets that correspond to a configured network will be imported into the asset management system. Assets are grouped based on IP addresses and configured networks for easier asset navigation and management. Creating a Network There are two ways to create a network in USM: manually or by importing a CSV file. Creating a Network Manually Follow the instructions below to add a network manually: 1. Navigate to Environment > Assets & Groups > Networks. 2. Click Add Network and then, Add Network. Figure 34. Networks : create a new network 3. Fill out the fields: October 2, 2015 USM Asset Management Guide, rev. 2 Page 52 of 60

53 Creating a Network Table 24. New Network: meaning of the fields Field Name CIDR Sensors Asset value External Asset This is a label that identifies the network. This field is mandatory. This is a method for allocating IP addresses and routing Internet Protocol packets. It is the range of IP addresses that define the network. This field is mandatory. This field indicates the sensor related to that network. This field is mandatory. This is a value assigned to the network. This field is mandatory. See What is Asset Value for further information. This choice indicates if this asset is external (publicly facing) (Yes) or internal (No). This field is mandatory. There are optional fields. Although it is not compulsory to fill out these fields, it is recommended to do it for filtering. The optional fields are the following: Table 25. New Network: meaning of the optional fields Field Owner Icon Description This field identifies the owner of that network.. This field allows you to associate an image with the asset. The accepted image size is 400x400 and the allowed formats are png, jpg or gif. This field provides a short description of the asset. Click Save to add the new network. Alternatively, click changes. (at the right upper corner) to exit this window without saving any 4. If you click Save in the previous step, the Network Details window appears (see Figure 35. Network List View). October 2, 2015 USM Asset Management Guide, rev. 2 Page 53 of 60

54 Knowing Your Networks Creating a Network by Using a CSV File You can also create a network by importing a CSV file. In AlienVault USM version 4.x and 5.x, the allowed formats are the following: "Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description";"Asset Value"*;"Net ID" where The Netname, CIDRs, and Asset Value fields are mandatory. The characters allowed for netname are: A-Z, a-z, 0-9,., :, _ and -. Each CSV file must contain a header row: "Netname";"CIDRs";"Description";"Asset Value";"Net ID" For example, "Netname";"CIDRs";"Description";"Asset Value";"Net ID" "Net_1";" /24, /24";"This is my network";"2";"479d45c0bbf22b4458bd2f8ee09ecac2" Important: The delimiter of the CSV file is a semicolon. To create a network by using a CSV file 1. Navigate to Environment > Assets & Groups > Networks, click Add Network and then, Import CSV. 2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if you want to ignore them. 3. Click Import. The results of the import display. Knowing Your Networks AlienVault USM 5.1 provides a centralized view for managing your networks. This view is on Environment > Assets & Groups > Networks. It has a similar look and feel to the asset list view. The functions available are similar as well, except for the following differences: You cannot edit multiple networks at the same time. You can run asset scans or vulnerability scans on your network(s), but you cannot enable or disable availability monitoring for a network. October 2, 2015 USM Asset Management Guide, rev. 2 Page 54 of 60

55 Performing Actions on Your Networks Figure 35. Network List View Performing Actions on Your Networks The actions you can perform on networks work as those on assets. The difference is that you perform these actions on network(s) instead of assets. See Performing Actions on Your Assets. Figure 36. Networks : actions menu Viewing Details of Your Networks Do one of the following to view the specific information about a network: Click the Details button ( ). Double click on the line of that network. October 2, 2015 USM Asset Management Guide, rev. 2 Page 55 of 60

56 Viewing Details of Your Networks Figure 37. Networks : view details of a network This window includes the same information as the one for assets (see Table 16. of the columns in the Asset Details window) except for the following: The export button ( ), which is used to export assets from a network to a CSV file. The name of the exported file has the following structure: Networks yyyy-mm-dd.csv Environment Status links. HIDS. Clicking the link takes you to Environment > Detection > HIDS. The circle next to this field can appear in 4 different colors: Table 26. Environment Status: HIDS colors Field GREEN YELLOW RED GREY It means that all the assets in this network have HIDS agents deployed and all of them are active. It means that some of the assets in this network have HIDS agents deployed but not all of them are active. It means that some of the assets in this network have HIDS agents deployed but they are not connected. It means that none of the assets in this network have HIDS agents deployed. Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups > Schedule Scan. The circle next to this field can appear in 3 different colors: October 2, 2015 USM Asset Management Guide, rev. 2 Page 56 of 60

57 Viewing Details of Your Networks Table 27. Environment Status: Automatic Asset Discovery colors Field GREEN YELLOW RED It means that all the assets in this network are scheduled to be scanned. It means that some of the assets in this network are scheduled to be scanned. It means that none the assets in this network are scheduled to be scanned. Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities > Scan Jobs. The circle next to this field can appear in 2 different colors: Table 28. Environment Status: HIDS colors Field GREEN RED It means that all the assets in this network have a vulnerability scan scheduled. It means that none of the assets in this network have a vulnerability scan scheduled. October 2, 2015 USM Asset Management Guide, rev. 2 Page 57 of 60

58 Creating Network Groups Managing Network Groups Networks can be grouped into network groups for administrative purposes. Assets are grouped based on IP addresses and configured networks for easier asset navigation and management. Assets are organized into networks based on IP addresses, where networks belong to locations. If required, networks can also be grouped into network groups for various administrative tasks, such as asset discovery or vulnerability assessment. Creating Network Groups Network Groups are created by saving a result of a search filter. To create a network group 1. Navigate to Environment > Assets & Groups > Network Groups. 2. Click New. Figure 38. Creating a Network Group 3. Enter a name for the new group. October 2, 2015 USM Asset Management Guide, rev. 2 Page 58 of 60