
AlienVault Unified Security Management Solution

Complete. Simple. Affordable

Asset Management Reference Guide

AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX,
Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and
OSSIM are trademarks or service marks of AlienVault.

Contents

Introduction

About Asset Management
  What is an Asset
  What is Asset Value
  What is Asset Management

Managing Assets
  Adding Assets
    Adding Assets by Using the Getting Started Wizard
    Adding Assets by Using Asset Discovery
    Adding Assets by Using a CSV File
    Adding Assets by Using SIEM Events
    Adding Assets Manually
  Knowing Your Assets
    Searching / Filtering for Assets
    Viewing the Status of Your Assets
    Labeling Your Assets
    Editing Your Assets
  Performing Actions on Your Assets
    Selecting Assets on the Asset List View
    Running Asset Scan
    Running Vulnerability Scan
    Enabling Availability Monitoring
    Disabling Availability Monitoring
    Creating or Adding to an Asset Group
    Adding a Note
  Viewing Asset Details
    Table Area
    Environment Status
    Suggestions
  Exporting Assets
  Deleting Assets

Managing Asset Groups

Edition 05 Copyright 2015 AlienVault. All rights reserved. Page 2 of 58



  Creating Asset Groups
  Knowing Your Assets Groups
  Performing Actions on Your Asset Groups
  Viewing Details of Your Asset Groups

Managing Networks
  Creating a Network
    Creating a Network Manually
    Creating a Network by Using a CSV File
  Knowing Your Networks
  Performing Actions on Your Networks
  Viewing Details of Your Networks

Managing Network Groups
  Creating Network Groups
  Managing Network Groups
    Editing Network Groups
    Deleting Network Groups


Introduction
In USM™ version 5.0, AlienVault provides a simplified user interface and workflows, allowing users
to fully manage assets, asset groups, and asset-based security controls. This document covers the
new functionalities introduced in version 5.0, as well as those available in previous versions:

Managing Assets

Managing Asset Groups

Managing Networks

Managing Network Groups

For asset management in USM version 4.x, refer to Assets, Groups & Networks

About Asset Management


Asset management is one of the key functionalities that AlienVault USM provides. It is useful for
controlling assets in the company. This control is very important. Managing assets effectively and
efficiently allows you to take maximal advantage of the capabilities in AlienVault USM.

What is an Asset
In AlienVault USM, an asset is a piece of equipment that bears a unique IP address on the
company's network. For example, it can be a server, a router, a firewall, a printer, or an individual
PC. An asset is monitored by at least one USM Sensor.

What is Asset Value


In USM, every asset has an asset value, ranging from 0 to 5, 0 being the least important and 5 the
most important. In trying to decide the asset value, the system first sees if a value has been
manually assigned. If not, the system checks the network that the asset belongs to, and uses the
asset value of the network instead. If the network does not have an asset value, the asset will be
assigned the default value of 2.

Asset value is used in calculating event risk. In AlienVault USM, a risk value is calculated for every
event once it arrives at the USM Server. The system uses the following formula to calculate the
risk:
risk of the event = (asset value × event priority × event reliability) / 25


Where

Asset value is from 0 to 5.

Priority is from 0 to 5.

Reliability is from 0 to 10.

Therefore, the risk value is from 0 to 10. Any event with a risk value greater than or equal to 1
becomes an alarm.
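
The asset value fallback and the risk formula above, worked through as an added example (not AlienVault code). The function names are hypothetical, and the result is left unrounded, which is an assumption; the alarm test is the same either way because risk >= 1 is equivalent to value × priority × reliability >= 25.

```python
DEFAULT_ASSET_VALUE = 2  # used when neither the asset nor its network has a value


def effective_asset_value(manual_value=None, network_value=None):
    """Manually assigned value first, then the network's value, then the default.

    None means "not set". A manually assigned 0 is a real value and wins
    over the network's value.
    """
    for value in (manual_value, network_value):
        if value is not None:
            if not 0 <= value <= 5:
                raise ValueError("asset value must be between 0 and 5")
            return value
    return DEFAULT_ASSET_VALUE


def event_risk(asset_value, priority, reliability):
    """risk = (asset value x event priority x event reliability) / 25."""
    if not 0 <= asset_value <= 5:
        raise ValueError("asset value must be between 0 and 5")
    if not 0 <= priority <= 5:
        raise ValueError("priority must be between 0 and 5")
    if not 0 <= reliability <= 10:
        raise ValueError("reliability must be between 0 and 10")
    # Assumption: no rounding is applied to the result.
    return asset_value * priority * reliability / 25


def is_alarm(risk):
    """An event with risk greater than or equal to 1 becomes an alarm."""
    return risk >= 1


def min_reliability_for_alarm(asset_value, priority):
    """Lowest reliability (0-10) at which an event becomes an alarm, else None."""
    for reliability in range(11):
        if is_alarm(event_risk(asset_value, priority, reliability)):
            return reliability
    return None


if __name__ == "__main__":
    # For an asset left at the default value, show what it takes to raise an alarm.
    value = effective_asset_value()
    for priority in range(6):
        print(f"asset value {value}, priority {priority}: "
              f"alarm from reliability {min_reliability_for_alarm(value, priority)}")
```

With the default asset value of 2, events of priority 0 or 1 can never become alarms, whatever their reliability; raising the asset value is what makes low-priority events on important assets visible.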

What is Asset Management


In USM, asset management includes the following aspects:

Discovery (see Adding Assets by Using Asset Discovery). This is one of the five essential
security capabilities offered by AlienVault USM. This capability allows users to discover and
inventory all the assets in a network and to correlate asset information with threat and
vulnerability data. This functionality uses active network asset scanning and passive network
asset discovery to allow users to scan networks and hosts. The scan is used for discovering
assets and adding them into the USM database to be monitored.

Categorization. You can categorize your assets in many different ways by using filters and/or
labels.

Prioritization. You can prioritize your assets by assigning different asset values to them.

Monitoring. Availability monitoring in AlienVault USM allows two types of asset monitoring:
host monitoring and services monitoring. Host monitoring reports if an asset is up or down,
while services monitoring discovers services on an asset and monitors the availability of those
services.

Adding/Deleting. In addition to running asset discovery, you can also add or delete assets
manually.

Analysis is essential to investigate the detected alarms, which may require knowing, for
instance, the software installed on an asset; the existing vulnerabilities; the users that have
access; or the traffic generated by an asset.

Proper asset management is necessary in order to make the most of the whole AlienVault USM
functionality. Keep in mind that not all assets have the same significance. Asset management
allows you to configure USM according to your needs.


Managing Assets

Adding Assets
There are several ways to add an asset or assets on a USM:

Adding Assets by Using the Getting Started Wizard

Adding Assets by Using Asset Discovery

Adding Assets by Using a CSV File

Adding Assets by Using SIEM Events

Adding Assets Manually

Note: In addition, the USM system inserts new assets automatically if they are identified via
passive asset monitoring, through IDM events, or by adding HIDS agents.

Adding Assets by Using the Getting Started Wizard


The Getting Started Wizard is available on USM All-in-One during the initial setup. This wizard
includes the initial steps for getting AlienVault USM ready for production. The aim of these steps is
to collect as much data as possible to analyze and identify threats in your environment. One of
these steps is to discover assets using a network scan through the following methods:

By scanning the defined networks that have been configured in a previous step of the Wizard.

By adding a new network manually.

By adding new networks from a CSV file.

By adding assets manually.

See the AlienVault USM All-in-One Getting Started Guide document for further information.

Adding Assets by Using Asset Discovery


Asset Discovery Scan scans the network for unidentified assets and adds them to the USM
database so that they can be monitored by the system.

You can choose to scan an asset, a few assets, an asset group, a network, or a network group.


Running Asset Discovery Scan Manually


To run an Asset Discovery Scan:

1. Navigate to Environment > Assets & Groups > Discover New Assets.

Figure 1. Discover New Assets window

1. Select the asset(s) you want to scan:

a) Click the + sign to expand the branches in the All Assets tree and click on your
selection;

b) Alternatively, type the name of a specific asset/network in the search box, then press
Enter;

2. The selected asset appears in the text area on the left.

3. Select a sensor: local (from your framework machine), automatic (the first available
sensor will be selected), or a specific sensor.

4. Select the advanced options:

Scan type. There are the following options:


Ping. This option sends a ping to each asset.
Fast Scan. This option scans the most common 100 ports.
Normal. This option scans the most common 1000 ports.
Full Scan. This option scans all ports. It can be slow.
Custom. This option allows the user to define the ports to scan.

Timing template. Timing policies are pre-built groups of timing options that range from the
nearly invisible "paranoid" mode to the overly-aggressive "insane" mode.

Paranoid mode scans very slowly. It serializes all scans (no parallel scanning) and
generally waits at least 5 minutes between sending packets.

Sneaky mode is similar to paranoid mode, except it only waits 15 seconds between
sending packets.

Polite mode is meant to ease the load on the network and reduce the chance of
crashing machines. It serializes the probes and waits at least 0.4 seconds in between.

Normal mode is the default behavior, which tries to run as quickly as possible without
overloading the network or missing hosts/ports.

Aggressive mode adds a 5-minute timeout per host and it never waits more than 1.25
seconds for probe responses.

Insane mode is only suitable for very fast networks or where you do not mind losing
some information. It times out hosts in 75 seconds and only waits 0.3 seconds for
individual probes. It does allow for very quick network sweeps.

Autodetect services and Operating System. Choose this option to detect services and
operating system versions.


Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.

5. Click START SCAN.

After a few seconds (or longer, depending on the selected assets), the results will be displayed in
the same screen, just below the START SCAN button:

Figure 2. Scan Results

6. Click UPDATE DATABASE VALUES in order to save the results in the database.

The following table displays the meaning of each column:

Table 1. Meaning of the columns in a scan result

Column              Meaning

                    Check box to select items.
Host                The IP address that identifies the host.
Hostname            The name that identifies the host.
FQDN                Fully Qualified Domain Name.
Device Types        Type of device that identifies the host.
MAC                 MAC Address assigned to the host.
OS                  Operating System.
Services            The names of the services assigned to that host.
FQDN as Hostname    Choose this option to use FQDN as the hostname for the discovered assets.
                    If a FQDN contains any dot, only the name before the first dot will be used.

Scheduling an Asset Discovery Scan


To schedule an Asset Discovery Scan, navigate to Environment > Assets & Groups > Schedule
Scan > Asset Discovery Scan.


Figure 3. Schedule an Asset Discovery Scan

This screen includes the following elements:

Table 2. Meaning of the columns in the Asset Discovery Scan main window

Column       Meaning

Name         Name given to the scan.
Sensor       The sensor that is watching that network.
Network      The network to be scanned.
Frequency    The rate at which that scan is going to happen or is going to be repeated.
Enabled      Indicates if the scan is enabled or not.

The VULNERABILITY SCANS button takes you to the Environment > Vulnerabilities > Scan Jobs
page.

Use the MODIFY button to change information about an existing scan. Select the scan to be
modified and click MODIFY. A window similar to Figure 4. Schedule a new Asset Discovery
Scan will appear. Modify the data you need, click SAVE, and then click APPLY CHANGES.

Use the DELETE SELECTED button to remove an existing scan. Select the scan to be deleted and
click DELETE SELECTED. A confirmation message will appear. Click OK if you want to delete it, or
click Cancel if you do not. Then click APPLY CHANGES.

Use the NEW button to schedule a new Asset Discovery Scan.


Figure 4. Schedule a new Asset Discovery Scan

1. Enter a name for the new scan.

2. Select a sensor.

3. Enter the network to scan. You can type one unique CIDR (x.x.x.x/xx) or a CIDR list separated
by commas (CIDR1, CIDR2, CIDR).

4. Select the scan type. See Adding Assets by Using Asset Discovery for further information.

5. Select the timing template. See Adding Assets by Using Asset Discovery for further
information.

6. Autodetect services and Operating System. Select this option to detect services and operating
system versions.

7. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.

8. Select the frequency at which the scan is going to happen or is going to be repeated. The
options are Hourly, Daily, Weekly or Monthly.

9. Enabled. Select between Yes (the scan is enabled) or No (the scan is not enabled).

10. Click SAVE.

11. Click APPLY CHANGES.


Adding Assets by Using a CSV File


AlienVault USM allows users to import assets from a CSV file.

In version 4.x and 5.x, the allowed formats are the following:
IPs(IP1,IP2,...)*;Hostname;FQDNs(FQDN1,FQDN2,...);Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Types(Type1,Type2,...)

The IP field is mandatory.

The hostname syntax is defined by RFC 1123.

The FQDN syntax is defined by RFC 1035, RFC 1123 and RFC 2181.

Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS,
Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or iPhone.

For device type options, see Table 3. List of accepted device types.

Each CSV file must contain a header row:


IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type

Important: The delimiter of the CSV file is a semicolon.

For example,
IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server

Table 3. List of accepted device types

Category             Device Types

Network Device       Network Device:Router
                     Network Device:Switch
                     Network Device:VPN device
                     Network Device:Wireless AP
                     Network Device:Bridge
                     Network Device:Broadband Router
                     Network Device:Remote Management
                     Network Device:Storage
                     Network Device:Hub
                     Network Device:Load Balancer
                     Network Device:Firewall

Endpoint             n/a

General Purpose      n/a

Industrial Device    Industrial Device:PLC

Media Device         Media Device:Game Console

Mobile               Mobile:Mobile
                     Mobile:Tablet
                     Mobile:PDA
                     Mobile:VoIP Phone

Peripheral           Peripheral:Printer
                     Peripheral:Camera
                     Peripheral:Terminal

Security Device      Security Device:Intrusion Detection System
                     Security Device:Intrusion Prevention System

Server               Server:HTTP Server
                     Server:Mail Server
                     Server:Domain Controller
                     Server:DNS Server
                     Server:File Server
                     Server:Proxy Server
                     Server:PBX
                     Server:Print Server
                     Server:Terminal Server
                     Server:VoIP Adapter

To add assets by using a CSV file:

1. Navigate to Environment > Assets & Groups, click ADD ASSETS and then, Import CSV.

Figure 5. Assets: select option Import CSV

2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if
you want to ignore them.

Important: The header row and the IP fields are mandatory.

When the CSV file does not include a header, the following error appears:


Figure 6. Import Assets from CSV: error

3. Click IMPORT.

The results of the import are then displayed.

This table shows the number of assets imported, and the number of errors and warnings that
occurred during the import.

Next, there is the summary of the import. Show n entries allows the user to configure the
number of items to view. Available values are 10, 25, 50 and 100. The table includes three
fields: Line, Status and Details. Line indicates the line number in the CSV file. Click the
Status column to sort. An icon appears when the status is Warning or Error. Click this
icon to read specific information about that warning or error.


Figure 7. Assets: results of importing assets from a CSV file with errors

The imported assets appear in the asset list view, see Figure 10. Asset List View.

4. Click NEW IMPORTATION to import more assets from a CSV file or close the window by
clicking on the icon located at the upper-right side.
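
A pre-import check for the CSV format described in this section, reporting findings as Line, Status and Details like the import summary. This is an added example, not AlienVault code: the function names and the three bad sample rows are constructed, and the rules marked as assumptions in the comments (single-label hostnames, bare names for "n/a" categories) are not stated by the guide.

```python
import csv
import io
import ipaddress
import re

# Header row and field order as given in the guide.
HEADER = ["IPs", "Hostname", "FQDNs", "Description", "Asset Value", "Operating System",
          "Latitude", "Longitude", "Host ID", "External Asset", "Device Type"]
VALID_OS = {"Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS", "Solaris", "Cisco",
            "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS", "SunOS", "Plan9", "iPhone"}
# Table 3 of the guide; an empty list is a category the table lists with "n/a".
DEVICE_TYPES = {
    "Network Device": ["Router", "Switch", "VPN device", "Wireless AP", "Bridge",
                       "Broadband Router", "Remote Management", "Storage", "Hub",
                       "Load Balancer", "Firewall"],
    "Endpoint": [],
    "General Purpose": [],
    "Industrial Device": ["PLC"],
    "Media Device": ["Game Console"],
    "Mobile": ["Mobile", "Tablet", "PDA", "VoIP Phone"],
    "Peripheral": ["Printer", "Camera", "Terminal"],
    "Security Device": ["Intrusion Detection System", "Intrusion Prevention System"],
    "Server": ["HTTP Server", "Mail Server", "Domain Controller", "DNS Server",
               "File Server", "Proxy Server", "PBX", "Print Server", "Terminal Server",
               "VoIP Adapter"],
}
# Assumption: a category listed with "n/a" is written as its bare name.
VALID_DEVICE_TYPES = {f"{cat}:{t}" for cat, types in DEVICE_TYPES.items() for t in types}
VALID_DEVICE_TYPES |= {cat for cat, types in DEVICE_TYPES.items() if not types}
# One RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen, max 63.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def split_list(value):
    """Split a comma-separated sub-list, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_row(fields):
    """Return the problems found in one data row (empty list if none)."""
    if len(fields) != len(HEADER):
        return [f"expected {len(HEADER)} fields, found {len(fields)} "
                "(is the delimiter a semicolon?)"]
    row = dict(zip(HEADER, (f.strip() for f in fields)))
    problems = []
    ips = split_list(row["IPs"])
    if not ips:
        problems.append("IPs is mandatory")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address: {ip}")
    # Assumption: the hostname is a single label, with no dots.
    if row["Hostname"] and not LABEL.fullmatch(row["Hostname"]):
        problems.append(f"invalid hostname: {row['Hostname']}")
    for fqdn in split_list(row["FQDNs"]):
        if len(fqdn) > 253 or not all(LABEL.fullmatch(p) for p in fqdn.split(".")):
            problems.append(f"invalid FQDN: {fqdn}")
    if row["Asset Value"] and row["Asset Value"] not in {"0", "1", "2", "3", "4", "5"}:
        problems.append(f"asset value must be 0 to 5: {row['Asset Value']}")
    if row["Operating System"] and row["Operating System"] not in VALID_OS:
        problems.append(f"unknown operating system: {row['Operating System']}")
    for dtype in split_list(row["Device Type"]):
        if dtype not in VALID_DEVICE_TYPES:
            problems.append(f"unknown device type: {dtype}")
    return problems


def lint_asset_csv(text):
    """Return (line, status, details) tuples, mirroring the import summary."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        return [(1, "Error", "missing or malformed header row")]
    findings = []
    for line_no, fields in enumerate(rows[1:], start=2):
        if any(f.strip() for f in fields):  # skip blank lines
            findings += [(line_no, "Error", p) for p in check_row(fields)]
    return findings


# Constructed sample: the guide's example row followed by three made-up bad rows.
SAMPLE = """\
IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server
;Host2;;No address given;2;Linux;;;;0;Server:DNS Server
192.168.10.5,192.168.10.300;web.dmz;;Bad values;7;Win95;;;;0;Server:Web
192.168.10.6,Host4,,Comma delimited,2,Linux,,,,0,
"""

if __name__ == "__main__":
    for finding in lint_asset_csv(SAMPLE):
        print(*finding, sep=" | ")
```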

Adding Assets by Using SIEM Events


AlienVault USM allows the user to import hosts from SIEM events. This option checks events and
networks and automatically imports all assets that are found.

1. Navigate to Environment > Assets & Groups, click ADD ASSETS and then, Import From
SIEM.

2. Click VIEW LOG if you want to read the log file.

3. Click IMPORT to transfer the assets that were found. Or click CANCEL to exit this window.

Assets are imported 25 000 at a time. Therefore, when more than 25 000 hosts are found, you will
need to repeat steps 1 to 3 until all assets have been imported.


Figure 8. Assets: import assets from SIEM events (batches of 25 000 assets)

Adding Assets Manually


Follow the instructions below to add assets manually:

1. Navigate to Environment > Assets & Groups.

2. Click ADD ASSETS, and then Add Host.

3. The New Asset window displays.


Figure 9. Assets: create a new asset

4. Fill out the fields:

Name. This is a label that identifies the asset. This field is mandatory.


Important: While naming an asset in the USM, keep the following rules in mind:
An asset name cannot contain any dot (.)
An asset name cannot start or end with a dash (-)
An asset name cannot contain a space
An asset name can start or end with a letter or a number

An asset name can be up to 63 characters

IP Address. This field denotes the IP address of the asset. This field is mandatory.

Asset value. This is a value assigned to the asset. This field is mandatory. See What is
Asset Value for further information.

External Asset. Indicates if this asset is external (publicly facing) (Yes) or internal (No).
This field is mandatory.

Sensors. This shows the USM sensor or sensors monitoring this asset. This field is
mandatory.

There are also optional fields. Although it is not compulsory to fill out these fields, it is
recommended to do so for filtering, for example threats on Windows systems. The optional
fields are the following:

FQDN/Aliases. This field contains the domain name that specifies its exact location in
the tree hierarchy of the Domain Name System (DNS).
Operating System. This field specifies the operating system on the asset.
Description. This field provides a short description of the asset.
Icon. This field allows you to associate an image with the asset. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.
Location. You can specify the location of this asset. The written location appears on
the map. You can also use latitude and longitude to locate the place.
Model. This field is used to specify the model that identifies the asset.
Device Types. Select a device type and click ADD.
Click SAVE.

Alternatively, click the icon at the upper-right corner to exit this window without saving any
changes.


5. If you click SAVE in the previous step, the Asset Details window appears (see Figure 24.
Assets: ).

Knowing Your Assets


AlienVault USM provides a centralized view for your assets on Environment > Assets & Groups.
We call this the Asset List View. In this window the following are available:

Adding Assets
Deleting Assets
Exporting Assets
Searching / Filtering for Assets
Editing Your Assets
Labeling Your Assets
Viewing the Status of Your Assets
Performing Actions on Your Assets


Figure 10. Asset List View

Searching / Filtering for Assets


You can either search or filter for your assets on the asset list view. Simply type what you are
looking for in the search field. The system will search on hostname & FQDN if you enter text, or IP
& CIDR if you enter an IP address.

Below the search box there are some filters. The search filters are the following:

Table 4. Search filters in the asset list view

Filter Name            Meaning

Has Alarms             It allows searching for assets with alarms.
Has Events             It allows searching for assets with events.
Vulnerabilities        It allows searching for assets with vulnerabilities. By default, it includes all
                       severity levels: Info, Low, Medium, High and Serious. Slide the bar to
                       exclude one or more levels.
Asset Value            It allows searching for assets with a specific asset value or values. By
                       default it includes asset values from 0 to 5. Slide the bar to exclude one or
                       more values.
Availability Status    It allows searching for assets that are running (Up), not running (Down) or
                       availability monitoring not configured (Unconfigured).
Show Assets Added      It allows searching for assets based on the date when they are added.
Last Updated           It allows searching for assets based on the date when they are last updated.

The MORE FILTERS button allows the user to add more filters:

Figure 11. Assets: see the more filters screen (Network tab)

This screen includes several tabs. Each tab shows its specific data that can be used for filtering:

Table 5. Search filters in the Assets screen: More filters button

Filter Name         Meaning

Network             Use this tab to filter assets by network name or network CIDR.
Group               Use this tab to filter assets by asset group name.
Sensor              Use this tab to filter assets by the sensor.
Device Type         Use this tab to filter assets by their device types.
Service             Use this tab to filter assets by the services running on them.
Operating System    Use this tab to filter assets by their operating system.
Software            Use this tab to filter assets by the software running on them.
Model               Use this tab to filter assets by their hardware model.
Label               Use this tab to filter assets by their label.
Location            Use this tab to filter assets by their location.

There is a search field located at the top left of each tab. This is useful when there are many items
in a tab. It allows executing a search among all of them. The icon is used to delete the written
terms.

Click APPLY to start the search.

Click CANCEL or the icon located at the top right side of the window to finish the addition of
filters.

When applying the filters, the search uses a logical AND operator when the filters are different. For
example, the following search looks for assets that have alarms and events and were added during
the last day:

Figure 12. Detail of Assets Screen: Example of the logical AND

However, when the filters are of the same type, such as the Pvt_010 network and the Pvt_172
network in the following example, the logical OR operator is used:


Figure 13. Detail of Assets Screen: Example of the logical OR
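
The combination rule described above (OR between filters of the same type, AND between different types), written out as an added example that is not AlienVault code. The function names, the asset records and the Pvt_192 network are constructed for illustration; Pvt_010 and Pvt_172 are the networks from the guide's example.

```python
from collections import defaultdict


def group_by_type(filters):
    """Group (filter_type, label, predicate) triples by filter type."""
    groups = defaultdict(list)
    for filter_type, label, predicate in filters:
        groups[filter_type].append((label, predicate))
    return groups


def matches(asset, filters):
    """OR within one filter type, AND across filter types."""
    return all(any(predicate(asset) for _, predicate in group)
               for group in group_by_type(filters).values())


def select(assets, filters):
    """Hostnames of the assets that satisfy the combined filters."""
    return [a["hostname"] for a in assets if matches(a, filters)]


def describe(filters):
    """Render the boolean expression that the selected filters amount to."""
    groups = group_by_type(filters).values()
    return " AND ".join("(" + " OR ".join(label for label, _ in group) + ")"
                        for group in groups)


def network_is(name):
    """Build a Network filter for one network name."""
    return ("network", f"Network: {name}", lambda a: a["network"] == name)


HAS_ALARMS = ("has_alarms", "Has Alarms", lambda a: a["alarms"] > 0)

# Constructed asset records.
ASSETS = [
    {"hostname": "web01", "network": "Pvt_010", "alarms": 2},
    {"hostname": "db01", "network": "Pvt_172", "alarms": 0},
    {"hostname": "hr-pc", "network": "Pvt_192", "alarms": 1},
    {"hostname": "fw01", "network": "Pvt_172", "alarms": 3},
]

# Two filters of the same type plus one of a different type.
FILTERS = [network_is("Pvt_010"), network_is("Pvt_172"), HAS_ALARMS]

if __name__ == "__main__":
    print(describe(FILTERS))
    print(select(ASSETS, FILTERS))
```

Adding a second network widens the result, while adding Has Alarms narrows it, so an empty result after adding a filter points to an AND across types rather than to missing assets.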

Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you
want to remove only that filter.

Viewing the Status of Your Assets


The result of a search is displayed in the table of assets. In addition, the number of assets that
meet the selected filters is indicated.


Figure 14. Detail of a search in the asset list view

The table of assets includes the following columns:

Table 6. Columns in the table of assets

Column                     Meaning

                           Used to select assets. It is possible to select assets from multiple pages and
                           apply an action.
Hostname                   Name of the asset.
IP                         IP associated with the asset.
Device Type                Device type associated with the asset.
Operating System           Name of the Operating System associated with the asset.
Asset Value                The value that has been set for that asset.
Vuln Scan Scheduled        This column indicates whether a vulnerability scan has been scheduled and
                           enabled or not.
Availability Configured    It indicates the availability status for that asset (Up, down or not enabled
                           and/or pending).
                           This button opens the details of that asset.

Click on an asset to check the status of that asset:

Figure 15. Expanded details of an asset

Table 7. Meaning of the colors in an expanded view of an asset

Type             Color   Meaning
Vulnerabilities  Gray    The asset has no vulnerabilities.
Vulnerabilities  Green   The asset contains Info level vulnerabilities.
Vulnerabilities  Yellow  The asset contains 1 or more 'Low' and/or 'Medium' vulnerabilities.
Vulnerabilities  Red     The asset contains 1 or more Serious and/or High vulnerabilities.
Alarms           Gray    There are no alarms on this asset.
Alarms           Yellow  The asset contains alarms with risk between 1 and 5.
Alarms           Red     The asset contains alarms with risk greater than 5.
Events           Gray    There are no events on this asset.
Events           Yellow  This asset contains low and/or medium risk events.
Events           Red     This asset contains high risk events.
Availability     Gray    The availability status of this asset is not enabled and/or pending status.
Availability     Green   The availability status of this asset is up.
Availability     Yellow  The availability status of this asset is unreachable.
Availability     Red     The availability status of this asset is down.
Services         Gray    Availability monitoring has not been enabled and/or pending status for 1 or more services.
Services         Green   The availability status is up for 75-100% of the ports/services on this asset.
Services         Yellow  1 or more services on this asset has an unknown status.
Services         Red     There is a Critical and/or Warning status on 1 or more services on this asset.
Groups           Gray    Displays the number of groups the asset belongs to.
Notes            Gray    Displays the number of notes on this asset.

Labeling Your Assets


Labels are used to manage assets.

Select the asset(s) you want to label and click the icon ( ).


Figure 16. Assets: labels

The symbols that can appear next to a label are the following:

. This icon means that the label has been applied to some of the selected assets.

. This icon means that the label has been applied to all of the selected assets.

. This icon means that the label has not been applied to any of the selected assets.

The link Manage Labels is used to control labels:


Figure 17. Assets: manage labels

Select a label, change the name if you want and click SAVE.

Editing Your Assets


It is possible to modify a field in multiple assets at the same time:

1. Select the assets you want to modify.

2. Click this icon .


Figure 18. Assets: edit an asset

3. Modify the fields.

4. Click SAVE and the field/fields having new information will be modified in the selected assets
at the same time.

Performing Actions on Your Assets


You can perform certain actions, such as running an asset scan or running a vulnerability scan, on
one or multiple assets from the asset list view (Environment > Assets & Groups). However, these
actions are not enabled until you have selected your asset(s).


Selecting Assets on the Asset List View


To select a single asset, check the square to the left of the hostname of the asset.

To select multiple assets, check the squares one by one. You can navigate to the next page and
select more assets. The selection on the previous page is preserved.

To select all the assets on the same page, check the square in the first column of the header row.

To select all the assets returned from a search, or all the assets in the system, first select all the
assets on the page. The text "You have selected 20 assets. Select xxxxx assets." appears above the
asset table, where xxxxx is the number of assets in the system. Click the Select xxxxx assets text.
This will select all the assets.

Figure 19. Assets: select all assets at the same time

Once the assets are selected, you can perform one of these actions:

Running Asset Scan
Running Vulnerability Scan
Enabling Availability Monitoring
Disabling Availability Monitoring
Creating or Adding to an Asset Group
Adding a Note

Figure 20. Assets: actions menu

Running Asset Scan


This option allows the user to scan assets. When the scan finds new assets they are added to the
system automatically.

1. Select the assets.

2. Click Actions > Run Asset Scan.

3. The Asset Scan window appears:


Figure 21. Running Assets Scan Window

4. Select an option for Scan type and Timing template and click Autodetect services and
Operating System and Timing template if you want to activate these options. There is an
explanation of these advanced options in Adding Assets by Using Asset Discovery.

Note:

There are 3 icons that can appear in the status field:

, which means the scan can be started.

, which means those assets cannot be scanned because the sensor is not connected at that
moment.

, which means the system is busy with other scan jobs.

5. Click START SCAN.

6. A message appears: Asset Scan in progress for 1 assets or for the number of assets that you
selected.


7. If the scan finds new assets, they will be added to the system automatically.

Running Vulnerability Scan


1. Select the assets.

2. Click Actions > Run Vulnerability Scan.

3. The Vulnerability Scan window appears.

4. Enter a Job Name to identify the vulnerability scan.

5. Select a sensor.

6. Select a profile:

Deep. This is a non-destructive full and fast scan.
Default. This scan can be used if the scanned system breaks or crashes when
overwhelmed with scanning requests.
Ultimate. This is a full and fast scan, including destructive tests. It includes dangerous stress
tests that can crash the scanned system (for example, filling a network switch's memory
with random MAC addresses).

7. Select a schedule method:

Immediately. The scan job will be done without delay.
Run Once. Schedule a scan job on a specific day and time and just on that time.
Daily. Schedule a scan job every x days beginning on a specific day.
Day of the Week. Schedule a scan job on a specific day of the week.
Day of the Month. Schedule a scan job on a specific day of the month.
Nth weekday of the month. Schedule a scan job on a specific day and week of a month.

8. Optionally, expand the Advanced section to reveal the following options:

a. SSH Credential. Checks the patch level and installed software versions on various Linux
and Unix distributions.

b. SMB Credential. Checks the patch level of Windows systems.

c. Timeout. Enter the maximum number of seconds that the scan can run.


d. Send an email notification. Click No if you do not want to send an email notification; or click
Yes to send an email notification and select a user or an entity.

9. Only scan hosts that are alive. Click this option to speed up the scanning process.

10. Pre-Scan locally. This option does not pre-scan from the scanning sensor.

11. Do not resolve names. Select this option to skip resolving hostnames or FQDNs. It is
recommended not to select this option if the scanned host is outside your DNS zone.

12. Click NEW JOB to create the vulnerability scan or CANCEL to exit this window.


Figure 22. Assets: Run a Vulnerability Scan

Enabling Availability Monitoring


1. Select the assets.

2. Click Actions > Enable Availability Monitoring.

Availability monitoring will be enabled on the selected asset or assets.

Disabling Availability Monitoring


1. Select the assets.

2. Click Actions > Disable Availability Monitoring.


Availability monitoring will be disabled on the selected asset or assets.

Creating or Adding to an Asset Group


1. Select the assets.

2. Click Actions > Create / Add to Group.

This option allows the user to create an asset group or add the selected assets to an existing asset group.

Figure 23. Assets: create or add to a group

The Search field is used to find an existing group.

To add assets to an existing group, locate the group and click the icon in the Actions column
(see Knowing Your Assets Groups).

The box labeled New Group is used to create a new group. Enter a group name and click the
icon to create that group (see Creating Asset Groups).


Adding a Note
1. Select the assets.

2. Click Actions > Add Note.

3. Enter a note for the assets and click SAVE.

Viewing Asset Details


Do one of the following to view the specific information of an asset:

Click the Details button ( ).

Double click on the line of that asset.

Figure 24. Assets: view details of an asset

This screen displays the following information:


Table 8. Meaning of the columns in the Asset Details window

Field               Meaning
Hostname            The name that identifies the asset. The IP and the MAC address of this asset are displayed underneath.
Label               Label or labels applied to this asset (see Labeling Your Assets).
Asset Value         This is a value assigned to the asset. See What is Asset Value for further information.
Device Type         Device type of the asset.
Networks            The network associated with this asset.
Sensors             This shows the USM sensor or sensors monitoring this asset.
Model               This field specifies the model that identifies the asset.
Asset Type          This field indicates if this asset is external (publicly facing) (Yes) or internal (No). This field is mandatory.
Status Summary      This field displays the status of the asset in a graphical view. Hover your mouse within each circle to see what it means. Clicking on the specific circle will activate the corresponding tab in the table area below, where you can investigate more details. See Table 7. Meaning of the colors in an expanded view of an asset.
Description         This field provides a short description of the asset.
Table Area          See Table Area for further information.
Actions             This is a button that allows you to access selected functions (see Performing Actions on Your Assets).
Modify Button ( )   Edit the asset to modify any field (Editing Your Assets).
Delete Button ( )   Delete this asset (See Deleting Assets).
Asset Location      Geographical location of this asset.
Environment Status  See Environment Status for further information.
Suggestions         See Suggestions for further information.

Table Area
The table area appears at the bottom of the screen. This menu includes the following options:


Vulnerabilities. This table displays vulnerabilities related to the asset. The fields are Scan
Time, Asset, Vulnerabilities, Vuln ID, Service, and Severity.

Alarms. This table displays alarms associated with this asset. The fields are Date, Status,
Intent & Strategy, Method, Risk, Source, and Destination. The button brings you to the
Alarm Details page.

Events. This table displays events related to this asset. The table includes the following fields:
Date, Signature, Source, Destination, Sensor, and Risk. The button brings you to the Event
Details page.

Software. This option indicates if the asset has some software installed. The fields are IP
Address, Name, Date, and Source. Use the vertical scroll bar, if necessary, to see all rows. You
can use the EDIT SOFTWARE button to add, modify and/or delete software.

Services. This option displays a table that shows the services related to the asset. The fields
are IP Address, Port, Protocol, Name, Status, and Monitoring. You can use the EDIT
SERVICES button to add, modify and/or delete services. While in the Edit Services window, if
you want to enable or disable availability monitoring for a service, select the service first, and
then choose enable or disable from the AVAILABILITY MONITORING dropdown menu.

Plugin. This table displays the plugins that are enabled for this asset. The fields are Asset,
Vendor, Model, Version, Sensor, and Receiving Data. The last field indicates if the plugin is
receiving data from this asset. The EDIT PLUGIN button is used to select the vendor, model
and version of the device.

Note: The Plugin table is not available on the localhost because the default plugins have
already been activated.

Properties. This option displays information relating to the asset properties. The fields are IP
Address, Type, Property, Date, and Source. You can use the EDIT PROPERTIES button to
modify or add an entry. To add a property:

1. Choose a type.

2. Enter the property.

3. Click Lock property to avoid it being modified by automatic processes.

4. Click SAVE.

Netflow. This option displays a table which includes information about netflows related to that
asset. This table includes the following fields: Date Flow Start, Duration, Protocol, Source,
Destination, and Flags.


Groups. This option displays the groups to which that asset belongs. The fields are Name,
Owner, and Assets. The button goes to the Asset Groups detail page (see Managing
Asset Groups) and the ADD TO GROUP button is used to add the asset to an asset group.

Environment Status
At the right side, you'll find the following links:

HIDS. This link refers to the intrusion detection system that monitors and analyzes the
internals of a computing system as well as (in some cases) the network packets on its network
interfaces. The circle next to this field can appear in 3 different colors:

Green. It means that all IPs associated with the asset are configured in the HIDS.
Yellow. It means that some IPs associated with the asset are configured in the HIDS.
Red. It means that none of the IPs associated with the asset are configured in the HIDS.

Automatic Asset Discovery. This link indicates if there are any pending scans for that host.
The circle next to this field can appear in 3 different colors:

Green. It means that all IPs associated with that asset are scheduled to be scanned.
Yellow. It means that some IPs associated with that asset are scheduled to be scanned,
but not all of them.
Red. It means that none of the IPs associated with that asset are scheduled to be scanned.

Vulnerability Scan Scheduled. This link indicates if there are any vulnerability scans scheduled
for that host. The circle next to this field can appear in 2 different colors:

Green. It means there is a scheduled scan for the asset.
Red. It means there is no scheduled scan for the asset.

See Network Activity. This link displays the network usage of the IP address associated with
this asset. This page can be blank if no activity is detected.

Suggestions
This section shows suggestions related to that asset. These suggestions can be informative,
warning or error messages. Click the message to see the details.


Exporting Assets
Navigate to Environment > Assets & Groups, select the assets you want to export, and click the
button on the right side of the screen. The name of the exported file has the following structure:
Assets__yyyy-mm-dd.csv

Deleting Assets
Navigate to Environment > Assets & Groups, select the asset(s) you want to delete, and click the
Delete button ( ):

Figure 25. Assets: select an asset to delete

A new window appears to confirm the deletion:


Figure 26. Assets: confirm the deletion

Managing Asset Groups


Asset groups are administratively created objects that group similar assets for specific purposes.

Assets are grouped based on IP addresses and networks that are monitored by AlienVault.
Grouping based on IP addresses allows for easier search and management of assets.

For example, you could group all network firewalls, or all servers running a particular operating
system. Such groups are useful when performing various tasks, such as vulnerability assessment
or asset discovery, or when you are interested only in events coming from specific devices.
Grouping of assets is possible based on various properties, including:

Asset Value

Network

Software running on assets

Sensor that monitors assets

Device type of asset

Open port or services running on assets

Location of assets

Creating Asset Groups


There are two ways to create an asset group:

Select assets first, and then create the group. See Creating or Adding to an Asset Group.

Create the asset group first, and then add assets to it.

For the second approach, follow the instructions below:

1. Navigate to Environment > Assets & Groups > Asset Groups.


2. Click CREATE NEW GROUP.

Figure 27. Create an Asset Group

3. Enter a name for the new group. An asset group name is required. Optionally, enter a
description for the group.

4. Click SAVE.


Figure 28. Create an Asset Group: group details

5. Click ADD ASSETS.


Figure 29. Create an Asset Group: adding assets

6. Click this button ( ) to add that asset to the group.

7. Close this window and the added asset will appear in the group.

Knowing Your Assets Groups


AlienVault USM provides a centralized view for managing your asset groups. This view is on
Environment > Assets & Groups > Asset Groups. It has the same look and feel as the asset list
view. The functionalities available are the same as well. The difference is that in this view, you are
managing asset groups instead of assets.


Figure 30. Asset Groups List View

Click on an asset group to view the status of that group:


Figure 31. Expanded details of an asset group

Table 9. Meaning of the colors in an expanded view of an asset group

Type             Color   Meaning
Assets           Gray    Displays the number of assets being part of the group.
Vulnerabilities  Gray    The asset group has no vulnerabilities.
Vulnerabilities  Green   The asset group contains Info level vulnerabilities.
Vulnerabilities  Yellow  The asset group contains 1 or more 'Low' and/or 'Medium' vulnerabilities.
Vulnerabilities  Red     The asset group contains 1 or more Serious and/or High vulnerabilities.
Alarms           Gray    There are no alarms on this asset group.
Alarms           Yellow  The asset group contains alarms with risk between 1 and 5.
Alarms           Red     The asset group contains alarms with risk greater than 5.
Events           Gray    There are no events for this asset group.
Events           Yellow  The asset group contains low and/or medium risk events.
Events           Red     The asset group contains high risk events.
Availability     Gray    The availability status of this group is not enabled and/or pending status.
Availability     Green   The availability status is up for 95-100% of assets in this group.
Availability     Yellow  The availability status is up for 75-95% of assets in this group.
Availability     Red     The availability status is up for less than 75% of assets in this group.
Services         Gray    The availability monitoring has not been enabled and/or pending status for 1 or more services.
Services         Green   The availability status is up for 75-100% of the ports/services on this group.
Services         Yellow  1 or more services in this group have an unknown status.
Services         Red     There is a Critical and/or Warning status on 1 or more services for this group.
Notes            Gray    Displays the number of notes on this group.

Performing Actions on Your Asset Groups


The actions you can perform on asset groups are exactly the same as those on assets. The
difference is that you perform these actions on asset group(s) instead of assets. See Performing
Actions on Your Assets.

Viewing Details of Your Asset Groups


Do one of the following to view the specific information of a group:

Click the Details button ( ).

Double click on the line of that group.


Figure 32. Assets: view details of a group

This window includes the same information as the one for assets (see Table 8. Meaning of the
columns in the Asset Details window) except for the export button ( ), which is used to export
assets from a group to a CSV file. The name of the exported file has the following structure:
Assets_from_group_groupID__yyyy-mm-dd.csv

Managing Networks
Networks are configuration objects that specify which parts of an organization are monitored by
AlienVault USM. Networks also specify which assets will be imported during asset discovery. Only
assets that correspond to a configured network will be imported into the asset management
system. Assets are grouped based on IP addresses and configured networks for easier asset
navigation and management.

Creating a Network
There are two ways to create a network in USM: manually or by importing a CSV file.

Creating a Network Manually


Follow the instructions below to add a network manually:

1. Navigate to Environment > Assets & Groups > Networks.


2. Click ADD NETWORK and then Add Network.

Figure 33. Networks: create a new network

3. Fill out the fields:

Name. This is a label that identifies the network. This field is mandatory.

CIDR. This is a method for allocating IP addresses and routing Internet Protocol packets.
It is the range of IP addresses that defines the network. This field is mandatory.

Sensor. This field indicates the sensor related to that network. This field is mandatory.

Asset value. This is a value assigned to the network. This field is mandatory. See What is
Asset Value for further information.

External Asset. This choice indicates if this asset is external (publicly facing) (Yes) or
internal (No). This field is mandatory.

There are optional fields. Although it is not compulsory to fill out these fields, it is
recommended to do so for filtering. The optional fields are the following:

Owner. This field identifies the owner of that network.

Icon. This field allows you to associate an image with the asset. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.

Description. This field provides a short description of the asset.

Click SAVE to add the new network.

Alternatively, click (at the right upper corner) to exit this window without saving any
changes.

4. If you click SAVE in the previous step, the Network Details window appears (see Figure 35.
Networks: view details of a network).

Creating a Network by Using a CSV File


You can also create a network by importing a CSV file. In AlienVault USM version 4.x and 5.x, the
allowed formats are the following:
"Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description";"Asset Value"*;"Net ID"

where

The Netname, CIDRs, and Asset Value fields are mandatory.

The characters allowed for netname are: A-Z, a-z, 0-9, ., :, _ and -.

Each CSV file must contain a header row:


"Netname";"CIDRs";"Description";"Asset Value";"Net ID"

For example,

"Netname";"CIDRs";"Description";"Asset Value";"Net ID"
"Net_1";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"

Important: The delimiter of the CSV file is a semicolon.
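A file can be checked against these rules before it is imported, and the accepted networks can then be used to see which asset addresses fall inside a configured network, since only those assets are imported during asset discovery. The following is an added example, not AlienVault code; the 0-5 asset value range, the 32-hex-character Net ID shape (taken from the sample above), the rejection of CIDRs with host bits set, and every sample row except the guide's own Net_1 row are assumptions of this example.

```python
import csv
import io
import ipaddress
import re

HEADER = ["Netname", "CIDRs", "Description", "Asset Value", "Net ID"]
NETNAME_RE = re.compile(r"[A-Za-z0-9.:_-]+")  # characters the guide allows
NET_ID_RE = re.compile(r"[0-9A-Fa-f]{32}")    # assumption: shape of the guide's sample
ASSET_VALUES = range(0, 6)                     # assumption: see "What is Asset Value"

# First data row is the guide's example; the remaining rows are constructed.
SAMPLE = '''"Netname";"CIDRs";"Description";"Asset Value";"Net ID"
"Net_1";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"
"DMZ net";"10.0.0.0/24";"space in the name";"2";""
"Lab";"172.16.5.1/24";"host bits set, value out of range";"9";""
"Branch","10.9.0.0/16","comma used as delimiter","2",""
'''


def validate_network_csv(text):
    """Return (networks, errors) for a semicolon-delimited network import file."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    if next(reader, None) != HEADER:
        return [], ["line 1: header row must be " + ";".join(f'"{h}"' for h in HEADER)]
    networks, errors = [], []
    for row in reader:
        line = reader.line_num
        if not row:  # skip blank lines
            continue
        if len(row) != len(HEADER):
            errors.append(f"line {line}: expected {len(HEADER)} fields, got {len(row)}; "
                          "check that the delimiter is a semicolon")
            continue
        name, cidr_field, _description, value, net_id = (f.strip() for f in row)
        problems, cidrs = [], []
        if not NETNAME_RE.fullmatch(name):
            problems.append(f"netname {name!r} is empty or uses characters "
                            "outside A-Z a-z 0-9 . : _ -")
        items = [c.strip() for c in cidr_field.split(",") if c.strip()]
        if not items:
            problems.append("CIDRs is mandatory")
        for item in items:
            try:
                # strict=True rejects a host address written with a network
                # prefix (172.16.5.1/24), where the intended range is ambiguous.
                cidrs.append(ipaddress.ip_network(item, strict=True))
            except ValueError as exc:
                problems.append(f"CIDR {item!r} rejected: {exc}")
        if not (re.fullmatch(r"[0-9]+", value) and int(value) in ASSET_VALUES):
            problems.append(f"asset value {value!r} is missing or out of range")
        if net_id and not NET_ID_RE.fullmatch(net_id):
            problems.append(f"Net ID {net_id!r} is not 32 hexadecimal characters")
        if problems:
            errors.extend(f"line {line}: {p}" for p in problems)
        else:
            networks.append({"name": name, "cidrs": cidrs, "asset_value": int(value)})
    return networks, errors


def network_for(ip, networks):
    """Name of the most specific accepted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in networks:
        for cidr in net["cidrs"]:
            if addr.version == cidr.version and addr in cidr:
                if best is None or cidr.prefixlen > best[1].prefixlen:
                    best = (net["name"], cidr)
    return best[0] if best else None


if __name__ == "__main__":
    nets, errs = validate_network_csv(SAMPLE)
    for err in errs:
        print(err)
    for ip in ("192.168.9.77", "10.0.0.5"):
        print(ip, "->", network_for(ip, nets) or "not in any configured network")
```

An address that maps to no network, such as 10.0.0.5 after the DMZ row is rejected, points to a gap in monitoring scope rather than a formatting problem.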

To create a network by using a CSV file:

1. Navigate to Environment > Assets & Groups > Networks, click ADD NETWORK and then,
Import CSV.


2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if
you want to ignore them.

3. Click IMPORT.

The results of the import are then displayed.

Knowing Your Networks


AlienVault USM 5.0 provides a centralized view for managing your networks. This view is on
Environment > Assets & Groups > Networks. It has a similar look and feel to the asset list view.
The functions available are similar as well, except for the following differences:

You cannot edit multiple networks at the same time.

You can run asset scans or vulnerability scans on your network(s), but you cannot enable or
disable availability monitoring for a network.


Figure 34. Network List View

Performing Actions on Your Networks


The actions you can perform on networks are similar to those on assets, except that you cannot
enable or disable availability monitoring for a network. See Performing Actions on Your Assets.

Viewing Details of Your Networks


Do one of the following to view the specific information about a network:

Click the Details button ( ).

Double click on the line of that network.


Figure 35. Networks: view details of a network

This window includes the same information as the one for assets (see Table 8. Meaning of the
columns in the Asset Details window) except for the export button ( ), which is used to export
assets from a network to a CSV file. The name of the exported file has the following structure:
Networks__yyyy-mm-dd.csv

Managing Network Groups


Networks can be grouped into network groups for administrative purposes. Assets are grouped
based on IP addresses and configured networks for easier asset navigation and management.
Assets are organized into networks based on IP addresses, where networks belong to locations. If
required, networks can also be grouped into network groups for various administrative tasks, such
as asset discovery or vulnerability assessment.

Creating Network Groups


Network Groups are created by saving a result of a search filter. To create a network group, follow
the instructions below:

1. Navigate to Environment > Assets & Groups > Network Groups.

2. Click NEW.


Figure 36. Creating a Network Group

3. Enter a name for the new group.

4. Select the network to be part of the group. Click the + sign to expand the branches in the
Select networks below tree and click on your selection. The selected networks appear in the
lower part. The filter field is used to search for a specific network. It is useful when there are a lot
of networks. The button is used to remove a network from this group.

5. The description field is used to enter any useful information that identifies the network group.

6. Click SAVE.

Managing Network Groups


On Environment > Assets & Groups > Network Groups, you can perform the following tasks:

Creating Network Groups

Editing Network Groups

Deleting Network Groups


Figure 37. Network Groups List View

The table of network groups includes the following columns:

Table 10. Columns in the table of network groups.

Column        Meaning
Name          Name of the network group.
Networks      Networks associated with the group.
Description   Text describing the network group. This field may be empty since it is not mandatory.
Knowledge DB  It is used to add a link to documents related to the network and that are included in the database.
Notes         This column indicates if that network group includes notes. Notes are useful to explain facts about that network group. The number of notes appears between brackets next to the notes icon. For instance, means that a network group includes 4 notes.

Editing Network Groups


1. Select the group you want to modify.

2. Click MODIFY.

3. Modify the values you need to change.

4. Click SAVE.


Deleting Network Groups


Navigate to Environment > Assets & Groups > Network Groups, select the group you want to
delete, and then click DELETE SELECTED.
