AlienVault Asset Management Reference Guide
AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX,
Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and
OSSIM are trademarks or service marks of AlienVault.
AlienVault Unified Security Management Solution
Asset Management Reference Guide
Introduction
In USM version 5.0, AlienVault provides a simplified user interface and workflows that let users
fully manage assets, asset groups, and asset-based security controls. This document covers the
functionality introduced in version 5.0 as well as that available in previous versions:
Managing Assets
Managing Networks
For asset management in USM version 4.x, refer to Assets, Groups & Networks
What is an Asset
In AlienVault USM, an asset is a piece of equipment that bears a unique IP address on the
company's network. For example, it can be a server, a router, a firewall, a printer, or an individual
PC. An asset is monitored by at least one USM Sensor.
Asset value is used in calculating event risk. In AlienVault USM, a risk value is calculated for every
event once it arrives at the USM Server. The system uses the following formula to calculate the
risk:
risk of the event = (asset value × event priority × event reliability) / 25
Where
Asset value is from 0 to 5.
Priority is from 0 to 5.
Reliability is from 0 to 10.
Therefore, the risk value is from 0 to 10. Any event with a risk value greater than or equal to 1
becomes an alarm.
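The formula above, worked through in Python as an added example (this is not code from the guide or from AlienVault). It assumes the ranges stated here (asset value 0 to 5, priority 0 to 5, reliability 0 to 10); whether USM rounds the risk before comparing it with the alarm threshold is not stated on this page, so the exact quotient is used. The useful output is the minimum reliability an event needs to become an alarm for a given asset value and priority, which is what assigning an asset value actually changes.

```python
"""Added example: USM event-risk formula and alarm threshold.

Assumptions (labelled): asset value 0..5, priority 0..5, reliability 0..10,
risk = (asset_value * priority * reliability) / 25, alarm when risk >= 1.
Whether USM rounds the risk before the comparison is not stated on the page;
the exact quotient is used here.
"""
from typing import Optional

ASSET_VALUE_RANGE = range(0, 6)    # 0..5
PRIORITY_RANGE = range(0, 6)       # 0..5
RELIABILITY_RANGE = range(0, 11)   # 0..10
ALARM_THRESHOLD = 1.0


def event_risk(asset_value: int, priority: int, reliability: int) -> float:
    """Risk of one event as computed on the USM Server, on a 0..10 scale."""
    if asset_value not in ASSET_VALUE_RANGE:
        raise ValueError(f"asset value out of range: {asset_value}")
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"priority out of range: {priority}")
    if reliability not in RELIABILITY_RANGE:
        raise ValueError(f"reliability out of range: {reliability}")
    return asset_value * priority * reliability / 25


def is_alarm(asset_value: int, priority: int, reliability: int) -> bool:
    """True when the event's risk reaches the alarm threshold."""
    return event_risk(asset_value, priority, reliability) >= ALARM_THRESHOLD


def min_reliability_for_alarm(asset_value: int, priority: int) -> Optional[int]:
    """Smallest reliability that raises an alarm for this asset value and
    priority, or None if no reliability in range can (e.g. asset value 0)."""
    for reliability in RELIABILITY_RANGE:
        if is_alarm(asset_value, priority, reliability):
            return reliability
    return None


def alarm_threshold_table() -> dict:
    """(asset_value, priority) -> minimum reliability needed for an alarm."""
    return {
        (av, p): min_reliability_for_alarm(av, p)
        for av in ASSET_VALUE_RANGE
        for p in PRIORITY_RANGE
    }


if __name__ == "__main__":
    # A directive with priority 4 and reliability 8 hitting an asset valued 2
    print(event_risk(2, 4, 8))          # 2.56, so this becomes an alarm
    # The same event against an asset valued 0 can never alarm
    print(is_alarm(0, 5, 10))           # False
    table = alarm_threshold_table()
    for p in PRIORITY_RANGE:
        print("priority", p, [table[(av, p)] for av in ASSET_VALUE_RANGE])
```

Reading the table row for priority 3: an asset valued 1 never alarms on such events, an asset valued 2 needs reliability 5, and an asset valued 5 alarms from reliability 2 upward. Lowering the value of a noisy, low-importance asset is therefore a direct way to suppress alarms from it without touching directives.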
Discovery (see Adding Assets by Using Asset Discovery). This is one of the five essential
security capabilities offered by AlienVault USM. This capability allows users to discover and
inventory all the assets in a network and to correlate asset information with threat and
vulnerability data. This functionality uses active network asset scanning and passive network
asset discovery to allow users to scan networks and hosts. The scan is used for discovering
assets and adding them into the USM database to be monitored.
Categorization. You can categorize your assets in many different ways by using filters and/or
labels.
Prioritization. You can prioritize your assets by assigning different asset values to them.
Monitoring. Availability monitoring in AlienVault USM allows two types of asset monitoring:
host monitoring and service monitoring. Host monitoring reports whether an asset is up or down,
while service monitoring discovers the services on an asset and monitors the availability of those
services.
Adding/Deleting. In addition to running asset discovery, you can also add or delete assets
manually.
Analysis. Investigating detected alarms may require knowing, for instance, the software
installed on an asset, its existing vulnerabilities, the users that have access to it, or the traffic
it generates.
Proper asset management is necessary in order to make the most of the whole AlienVault USM
functionality. Keep in mind that not all assets have the same significance. Asset management
allows you to configure USM according to your needs.
Managing Assets
Adding Assets
There are several ways to add one or more assets to USM:
Note: In addition, the USM system inserts new assets automatically if they are identified via
passive asset monitoring, through IDM events, or by adding HIDS agents.
By scanning the networks defined in a previous step of the Wizard. See the AlienVault USM
All-in-One Getting Started Guide for further information.
You can choose to scan an asset, a few assets, an asset group, a network, or a network group.
1. Navigate to Environment > Assets & Groups > Discover New Assets.
a) Click the + sign to expand the branches in the All Assets tree and click on your
selection;
b) Alternatively, type the name of a specific asset/network in the search box, then press
Enter;
3. Select a sensor: local (the USM framework machine), automatic (the first available sensor is
selected), or a specific sensor.
Paranoid mode scans very slowly. It serializes all scans (no parallel scanning) and
generally waits at least 5 minutes between sending packets.
Sneaky mode is similar to paranoid mode, except it only waits 15 seconds between
sending packets.
Polite mode is meant to ease the load on the network and reduce the chance of
crashing machines. It serializes the probes and waits at least 0.4 seconds in between.
Normal mode is the default behavior, which tries to run as quickly as possible without
overloading the network or missing hosts/ports.
Aggressive mode adds a 5-minute timeout per host and it never waits more than 1.25
seconds for probe responses.
Insane mode is only suitable for very fast networks or where you do not mind losing
some information. It times out hosts in 75 seconds and only waits 0.3 seconds for
individual probes. It does allow for very quick network sweeps.
Autodetect services and Operating System. Choose this option to detect services and
operating system versions.
Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.
After a few seconds (or longer, depending on the selected assets), the results are displayed on
the same screen, just below the START SCAN button:
6. Click UPDATE DATABASE VALUES in order to save the results in the database.
Column Meaning
OS Operating System.
FQDN as Hostname Choose this option to use FQDN as the hostname for the discovered assets.
If a FQDN contains any dot, only the name before the first dot will be used.
Table 2. Meaning of the columns in the Asset Discovery Scan main window
Column Meaning
Frequency The rate at which that scan is going to happen or is going to be repeated.
The VULNERABILITY SCANS button takes you to the Environment > Vulnerabilities > Scan Jobs
page.
Use the MODIFY button to change information about an existing scan. Select the scan to be
modified and click MODIFY. A window similar to Figure 4. Schedule a new Asset Discovery
Scan will appear. Modify the data you need and click SAVE. And then click APPLY CHANGES.
Use the DELETE SELECTED button to remove an existing scan. Select the scan to be deleted and
click DELETE SELECTED. A confirmation message will appear. Click OK if you want to delete it; or
click Cancel if you do not want to. And then click APPLY CHANGES.
2. Select a sensor.
3. Enter the network to scan. You can type a single CIDR (x.x.x.x/xx) or a CIDR list separated
by commas (CIDR1,CIDR2,...).
4. Select the scan type. See Adding Assets by Using Asset Discovery for further information.
5. Select the timing template. See Adding Assets by Using Asset Discovery for further
information.
6. Autodetect services and Operating System. Select this option to detect services and operating
system versions.
7. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.
8. Select the frequency at which the scan is going to happen or is going to be repeated. The
options are Hourly, Daily, Weekly or Monthly.
9. Enabled. Select between Yes (the scan is enabled) or No (the scan is not enabled).
In version 4.x and 5.x, the allowed format is the following (the asterisk marks the mandatory field):
IPs(IP1,IP2,...)*;Hostname;FQDNs(FQDN1,FQDN2,...);Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Types(Type1,Type2,...)
The FQDN syntax is defined by RFC 1035, RFC 1123 and RFC 2181.
Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS,
Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or iPhone.
For device type options, see Table 3. List of accepted device types.
For example,
IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server
Endpoint: n/a
Mobile: Mobile:Mobile, Mobile:Tablet, Mobile:PDA, Mobile:VoIP Phone
Peripheral: Peripheral:Printer, Peripheral:Camera, Peripheral:Terminal
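An added example (not AlienVault code) that builds and checks lines in the asset import layout above before they reach USM, so that mistakes are caught in your inventory export rather than in the import summary. It applies the asset name rules from Adding Assets Manually (no dot, no space, no leading or trailing dash), the operating system list above, and the device types listed in this excerpt of Table 3. The following are assumptions, not statements from the guide: optional columns may be left blank, Host ID is a 32-character hexadecimal string when present, the asset value must be an integer from 0 to 5, and a semicolon inside a description is rejected because it is the field separator.

```python
"""Added example: build and validate rows for the USM asset CSV import.

Layout (from the guide; the asterisk marks the mandatory field):
IPs(IP1,IP2,...)*;Hostname;FQDNs(FQDN1,FQDN2,...);Description;Asset Value;
Operating System;Latitude;Longitude;Host ID;External Asset;Device Types(...)

Assumptions, not stated in the guide: optional columns may be blank, Host ID
is a 32-character hex string when present, asset value is an integer 0..5.
"""
import ipaddress
import re

HEADER = ("IPs;Hostname;FQDNs;Description;Asset Value;Operating System;"
          "Latitude;Longitude;Host ID;External Asset;Device Types")

VALID_OS = {"Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS",
            "Solaris", "Cisco", "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS",
            "SunOS", "Plan9", "iPhone"}

# Only the device types visible in this excerpt of Table 3; extend as needed.
VALID_DEVICE_TYPES = {"Endpoint", "Mobile:Mobile", "Mobile:Tablet",
                      "Mobile:PDA", "Mobile:VoIP Phone", "Peripheral:Printer",
                      "Peripheral:Camera", "Peripheral:Terminal",
                      "Server:Mail Server"}

# Asset name rules from the guide: no dot, no space, and it must start and
# end with a letter or digit (so no leading or trailing dash).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[^\s.]*[A-Za-z0-9])?$")
# One DNS label as RFC 1123 allows: 1-63 alphanumerics or hyphens, no edge hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
HOST_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def valid_fqdn(name: str) -> bool:
    """Label-by-label check of a fully qualified domain name."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def validate_asset(row: dict) -> list:
    """Return a list of error strings; an empty list means the row is importable."""
    errors = []
    ips = row.get("ips") or []
    if not ips:
        errors.append("at least one IP is required")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"invalid IP {ip!r}")
    hostname = row.get("hostname") or ""
    if hostname and not HOSTNAME_RE.match(hostname):
        errors.append(f"invalid hostname {hostname!r}: no dots or spaces, "
                      "must start and end with a letter or digit")
    for fqdn in row.get("fqdns") or []:
        if not valid_fqdn(fqdn):
            errors.append(f"invalid FQDN {fqdn!r}")
    value = row.get("asset_value")
    if value is not None and not (isinstance(value, int) and 0 <= value <= 5):
        errors.append(f"asset value {value!r} must be an integer 0..5")
    os_name = row.get("os")
    if os_name and os_name not in VALID_OS:
        errors.append(f"unsupported operating system {os_name!r}")
    host_id = row.get("host_id")
    if host_id and not HOST_ID_RE.match(host_id):
        errors.append("host ID must be 32 hexadecimal characters")
    if row.get("external") not in (None, 0, 1):
        errors.append("external asset must be 0 or 1")
    for dtype in row.get("device_types") or []:
        if dtype not in VALID_DEVICE_TYPES:
            errors.append(f"unknown device type {dtype!r}")
    if ";" in (row.get("description") or ""):
        errors.append("description must not contain ';' (the field separator)")
    return errors


def _field(value) -> str:
    """Blank for a missing optional column, otherwise the value as text."""
    return "" if value is None else str(value)


def asset_line(row: dict) -> str:
    """Serialise one validated row as a line of the semicolon-separated file."""
    errors = validate_asset(row)
    if errors:
        raise ValueError("; ".join(errors))
    return ";".join([
        ",".join(row["ips"]),
        _field(row.get("hostname")),
        ",".join(row.get("fqdns") or []),
        _field(row.get("description")),
        _field(row.get("asset_value")),
        _field(row.get("os")),
        _field(row.get("latitude")),
        _field(row.get("longitude")),
        _field(row.get("host_id")),
        _field(row.get("external")),
        ",".join(row.get("device_types") or []),
    ])


def build_import_file(rows) -> str:
    """Header line (the importer requires one) followed by one line per asset."""
    return "\n".join([HEADER] + [asset_line(r) for r in rows]) + "\n"
```

Feeding the guide's own example row through asset_line reproduces the example line shown above byte for byte; a row whose hostname is "web.prod" or whose operating system is "Ubuntu" is rejected before the file is written, which is where you want to find out.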
1. Navigate to Environment > Assets & Groups, click ADD ASSETS and then, Import CSV.
2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if
you want to ignore them.
If the CSV file does not include a header row, the import reports an error.
3. Click IMPORT.
This table shows the number of assets imported, and the number of errors and warnings that
occurred during the import.
Next, there is the summary of the import. Show n entries allows the user to configure the
number of items to view. Available values are 10, 25, 50 and 100. The table includes three
fields: Line, Status and Details. Line indicates the line number in the CSV file. Click the
Status column to sort. An icon appears when the status is Warning or Error. Click this
icon to read specific information about that warning or error.
Figure 7. Assets: results of importing assets from a CSV file with errors
The imported assets appear in the asset list view, see Figure 10. Asset List View.
4. Click NEW IMPORTATION to import more assets from a CSV file, or close the window by
clicking the close icon at the upper-right corner.
1. Navigate to Environment > Assets & Groups, click ADD ASSETS and then, Import From
SIEM.
3. Click IMPORT to transfer the assets that were found. Or click CANCEL to exit this window.
Assets are imported 25 000 at a time. Therefore, when more than 25 000 hosts are found, you will
need to repeat step #1 to #3 until all assets have been imported.
Figure 8. Assets: import assets from SIEM events (batches of 25 000 assets)
Name. This is a label that identifies the asset. This field is mandatory.
Important: While naming an asset in the USM, keep the following rules in mind:
An asset name cannot contain any dot (.)
An asset name cannot start or end with a dash (-)
An asset name cannot contain a space
An asset name can start or end with a letter or a number
IP Address. This field denotes the IP Address of the assets. This field is mandatory.
Asset value. This is a value assigned to the asset. This field is mandatory. See What is
Asset Value for further information.
External Asset. Indicates if this asset is external (publicly facing) (Yes) or internal (No).
This field is mandatory.
Sensors. This shows the USM sensor or sensors monitoring this asset. This field is
mandatory.
There are optional fields. Although it is not compulsory to fill out these fields, it is
recommended to do so for filtering, for example to find threats on Windows systems. The
optional fields are the following:
FQDN/Aliases. This field contains the domain name that specifies its exact location in
the tree hierarchy of the Domain Name System (DNS).
Operating System. This field specifies the operating system on the asset.
Description. This field provides a short description of the asset.
Icon. This field allows you to associate an image with the asset. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.
Location. You can specify the location of this asset. The written location appears on
the map. You can also use latitude and longitude to locate the place.
Model. This field is used to specify the model that identifies the asset.
Device Types. Select a device type and click ADD.
Click SAVE.
Alternatively, click the close icon at the upper-right corner to exit this window without saving
any changes.
5. If you click SAVE in the previous step, the Asset Details window appears (see Figure 24.
Assets: ).
Adding Assets
Deleting Assets
Exporting Assets
Searching / Filtering for Assets
Editing Your Assets
Labeling Your Assets
Viewing the Status of Your Assets
Performing Actions on Your Assets
Below the search box there are some filters. The search filters are the following:
Vulnerabilities It allows searching for assets with vulnerabilities. By default, it includes all
severity levels: Info, Low, Medium, High and Serious. Slide the bar to
exclude one or more levels.
Asset Value It allows searching for assets with a specific asset value or values. By
default it includes asset values from 0 to 5. Slide the bar to exclude one or
Availability Status It allows searching for assets that are running (Up), not running (Down) or
availability monitoring not configured (Unconfigured).
Show Assets Added It allows searching for assets based on the date when they are added.
Last Updated It allows searching for assets based on the date when they are last updated.
The MORE FILTERS button allows the user to add more filters:
Figure 11. Assets: see the more filters screen (Network tab)
This screen includes several tabs. Each tab shows its specific data that can be used for filtering:
Network Use this tab to filter assets by network name or network CIDR.
Device Type Use this tab to filter assets by their device types.
Service Use this tab to filter assets by the services running on them.
Operating System Use this tab to filter assets by their operating system.
Software Use this tab to filter assets by the software running on them.
There is a search field located at the top left of each tab. This is useful when there are many items
in a tab, as it allows searching among all of them. The clear icon deletes the typed terms.
Click CANCEL or the close icon at the top right of the window to finish adding filters.
When applying the filters, the search uses a logical AND operator between filters of different
types. For example, the following search looks for assets that have alarms and events and were
added during the last day:
However, between values of the same filter type (the Pvt_010 network or the Pvt_172 network in
the following example), the logical OR operator is used:
Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you
want to remove only that filter.
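The AND/OR rule stated above, as an added example in Python (not part of the guide, and not how USM itself evaluates its filters). The asset records, the fixed "today" and the filter names are constructed for the illustration; the two searches at the bottom are the two cases the guide describes.

```python
"""Added example: how the USM asset list combines filters.

Values selected within one filter type are ORed; different filter types are
ANDed. The asset records, the fixed date and the filter names below are
constructed for the example and are not real inventory.
"""
from datetime import date

TODAY = date(2015, 6, 1)  # fixed so the example is reproducible

# Constructed asset records (not real inventory).
ASSETS = [
    {"name": "dc01", "network": "Pvt_010", "os": "Windows",
     "has_alarms": True, "has_events": True, "added": date(2015, 5, 31)},
    {"name": "web01", "network": "Pvt_172", "os": "Linux",
     "has_alarms": False, "has_events": True, "added": date(2015, 5, 31)},
    {"name": "printer", "network": "Pvt_010", "os": "Linux",
     "has_alarms": False, "has_events": False, "added": date(2015, 1, 10)},
    {"name": "fw-edge", "network": "DMZ", "os": "Cisco",
     "has_alarms": True, "has_events": True, "added": date(2015, 5, 31)},
]


def _added_within(days):
    """Predicate: asset was added at most `days` days before TODAY."""
    return lambda asset: (TODAY - asset["added"]).days <= days


# Each filter type maps one selected value to a predicate on a single asset.
FILTER_TYPES = {
    "network": lambda v: (lambda a: a["network"] == v),
    "os": lambda v: (lambda a: a["os"] == v),
    "has_alarms": lambda v: (lambda a: a["has_alarms"] == v),
    "has_events": lambda v: (lambda a: a["has_events"] == v),
    "added_within_days": _added_within,
}


def matches(asset: dict, filters: dict) -> bool:
    """AND across filter types, OR across the values chosen within one type."""
    for ftype, values in filters.items():
        if ftype not in FILTER_TYPES:
            raise KeyError(f"unknown filter type {ftype!r}")
        if not values:
            continue  # an empty selection places no constraint
        predicates = [FILTER_TYPES[ftype](v) for v in values]
        if not any(pred(asset) for pred in predicates):
            return False
    return True


def search_assets(filters: dict, assets=ASSETS) -> list:
    """Names of the assets that satisfy every filter type."""
    return [a["name"] for a in assets if matches(a, filters)]


if __name__ == "__main__":
    # The guide's first case: alarms AND events AND added during the last day
    print(search_assets({"has_alarms": [True], "has_events": [True],
                         "added_within_days": [1]}))
    # The guide's second case: network Pvt_010 OR network Pvt_172
    print(search_assets({"network": ["Pvt_010", "Pvt_172"]}))
```

Combining the two, network Pvt_010 or Pvt_172 together with operating system Linux, yields web01 and printer: the two network values are ORed and the result is ANDed with the operating system value.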
Column Meaning
(Check box) Used to select assets. It is possible to select assets from multiple pages and
apply an action.
Operating System Name of the Operating System associated with the asset.
Asset Value The value that has been set for that asset.
Vuln Scan Scheduled This column indicates whether a vulnerability scan has been scheduled and
enabled or not.
Column Meaning
Availability Configured It indicates the availability status of that asset (Up, Down, or not enabled
and/or pending).
Availability Gray The availability status of this asset is not enabled and/or pending.
Services Gray Availability monitoring has not been enabled and/or is pending for 1
or more services.
Groups Gray Displays the number of groups the asset belongs to.
Select the asset(s) you want to label and click the label icon.
The symbol that appears next to a label indicates whether that label has been applied to some
of the selected assets, to all of the selected assets, or to none of them.
Select a label, change the name if you want and click SAVE.
4. Click SAVE and the field/fields having new information will be modified in the selected assets
at the same time.
To select multiple assets, check the squares one by one. You can navigate to the next page and
select more assets. The selection on the previous page is preserved.
To select all the assets on the same page, check the square in the first column of the header row.
To select all the assets returned from a search, or all the assets in the system, first select all the
assets on the page. The text You have selected 20 assets. Select xxxxx assets. appears above the
asset table, where xxxxx is the number of assets in the system. Click the Select xxxxx assets text.
This will select all the assets.
Once the assets are selected, you can perform one of these actions:
4. Select an option for Scan type and Timing template, and select Autodetect services and
Operating System and Enable reverse DNS Resolution if you want to activate these options.
There is an explanation of these advanced options in Adding Assets by Using Asset Discovery.
Note: An icon next to an asset indicates that the asset cannot be scanned because its sensor is
not connected at that moment.
6. A message appears: Asset Scan in progress for 1 assets or for the number of assets that you
selected.
7. If the scan finds new assets, they will be added to the system automatically.
5. Select a sensor.
6. Select a profile:
a. SSH Credential. Checks the patch level and installed software versions on various Linux
and Unix distributions.
c. Timeout. Enter the maximum number of seconds that the scan can run.
d. Send an email notification. Click No if you do not want to send an email notification; or click
Yes to send an email notification and select a user or an entity.
9. Only scan hosts that are alive. Click this option to speed up the scanning process.
10. Pre-Scan locally. Select this option to avoid running the pre-scan from the scanning sensor.
11. Do not resolve names. Select this option to skip resolving hostnames and FQDNs, for
example when the scanned hosts are outside your DNS zone.
12. Click NEW JOB to create the vulnerability scan or CANCEL to exit this window.
This option allows the user to create an asset group or add the selected assets to an existing
asset group. To add assets to an existing group, locate the group and click the add icon in the
Actions column (see Knowing Your Assets Groups).
The box labeled New Group is used to create a new group. Enter a group name and click the
create icon to create that group (see Creating Asset Groups).
Adding a Note
1. Select the assets.
Field Meaning
Hostname The name that identifies the asset. The IP and the MAC address of this asset
are displayed underneath.
Label Label or labels applied to this asset (see Labeling Your Assets).
Asset Value This is a value assigned to the asset. See What is Asset Value for further
information.
Sensors This shows the USM sensor or sensors monitoring this asset.
Model This field specifies the model that identifies the asset.
Asset Type This field indicates if this asset is external (publicly facing) (Yes) or internal
(No). This field is mandatory.
Status Summary This field displays the status of the asset in a graphical view. Hover your
mouse within each circle to see what it means. Clicking on the specific circle
will activate the corresponding tab in the table area below, where you can
investigate more details. See Table 7. Meaning of the colors in an
expanded view of an asset.
Actions This is a button that allows you to access selected functions (see Performing
Actions on Your Assets).
Modify Button ( ) Edit the asset to modify any field (Editing Your Assets).
Table Area
The table area appears at the bottom of the screen. This menu includes the following options:
Vulnerabilities. This table displays vulnerabilities related to the asset. The fields are Scan
Time, Asset, Vulnerabilities, Vuln ID, Service, and Severity.
Alarms. This table displays alarms associated with this asset. The fields are Date, Status,
Intent & Strategy, Method, Risk, Source, and Destination. The button brings you to the
Alarm Details page.
Events. This table displays events related to this asset. The table includes the following fields:
Date, Signature, Source, Destination, Sensor, and Risk. The button brings you to the Event
Details page.
Software. This option indicates whether the asset has software installed. The fields are IP
Address, Name, Date, and Source. Use the vertical scroll bar, if necessary, to see all rows. You
can use the EDIT SOFTWARE button to add, modify and/or delete software.
Services. This option displays a table that shows the services related to the asset. The fields
are IP Address, Port, Protocol, Name, Status, and Monitoring. You can use the EDIT
SERVICES button to add, modify and/or delete services. While in the Edit Services window, if
you want to enable or disable availability monitoring for a service, select the service first, and
then choose enable or disable from the AVAILABILITY MONITORING dropdown menu.
Plugin. This table displays the plugins that are enabled for this asset. The fields are Asset,
Vendor, Model, Version, Sensor, and Receiving Data. The last field indicates if the plugin is
receiving data from this asset. The EDIT PLUGIN button is used to select the vendor, model
and version of the device.
Note: The Plugin table is not available on the localhost because the default plugins have
already been activated.
Properties. This option displays information relating to the asset properties. The fields are IP
Address, Type, Property, Date, and Source. You can use the EDIT PROPERTIES button to
modify or add an entry. To add a property:
1. Choose a type.
4. Click SAVE.
Netflow. This option displays a table which includes information about netflows related to that
asset. This table includes the following fields: Date Flow Start, Duration, Protocol, Source,
Destination, and Flags.
Groups. This option displays the groups to which that asset belongs. The fields are Name,
Owner, and Assets. The button goes to the Asset Groups detail page (see Managing
Asset Groups) and the ADD TO GROUP button is used to add the asset to an asset group.
Environment Status
At the right side, you'll find the following links:
HIDS. This link refers to the intrusion detection system that monitors and analyzes the
internals of a computing system as well as (in some cases) the network packets on its network
interfaces. The circle next to this field can appear in 3 different colors:
Green. It means that all IPs associated with the asset are configured in the HIDS.
Yellow. It means that some IPs associated with the asset are configured in the HIDS.
Red. It means that none of the IPs associated with the asset are configured in the HIDS.
Automatic Asset Discovery. This link indicates if there are any pending scans for that host.
The circle next to this field can appear in 3 different colors:
Green. It means that all IPs associated with that asset are scheduled to be scanned.
Yellow. It means that some IPs associated with that asset are scheduled to be scanned,
but not all of them.
Red. It means that none of IPs associated with that asset are scheduled to be scanned.
Vulnerability Scan Scheduled. This link indicates if there are any vulnerability scan scheduled
for that host. The circle next to this field can appear in 2 different colors:
Suggestions
This section shows suggestions related to that asset. These suggestions can be informative,
warning or error messages. Click the message to see the details.
Exporting Assets
Navigate to Environment > Assets & Groups, select the assets you want to export, and click the
export button on the right side of the screen. The name of the exported file has the following structure:
Assets__yyyy-mm-dd.csv
Deleting Assets
Navigate to Environment > Assets & Groups, select the asset(s) you want to delete, and click the
Delete button.
Assets are grouped based on IP addresses and networks that are monitored by AlienVault.
Grouping based on IP addresses allows for easier search and management of assets.
For example, you could group all network firewalls, or all servers running a particular operating
system. Such groups are useful when performing various tasks, such as vulnerability assessment
or asset discovery, or when you are interested only in events coming from specific devices.
Grouping of assets is possible based on various properties, including:
Asset Value
Network
Location of assets
Select assets first, and then create the group. See Creating or Adding to an Asset Group.
Create the asset group first, and then add assets to it.
3. Enter name for the new group. An asset group name is required. Optionally, enter a
description for the group.
4. Click SAVE.
7. Close this window and the added asset will appear in the group.
Assets Gray Displays the number of assets in the group.
Yellow The asset group contains 1 or more 'Low' and/or 'Medium' vulnerabilities.
Yellow The asset group contains alarms with risk between 1 and 5.
Red The asset group contains alarms with risk greater than 5.
Yellow The asset group contains low and/or medium risk events.
Availability Gray The availability status of this group is not enabled and/or pending.
Red The availability status is Up for less than 75% of the assets in this group.
Services Gray Availability monitoring has not been enabled and/or is pending for 1 or more
services.
Red There is a Critical and/or Warning status on 1 or more services for this
group.
This window includes the same information as the one for assets (see Table 8. Meaning of the
columns in the Asset Details window) except for the export button ( ), which is used to export
assets from a group to a CSV file. The name of the exported file has the following structure:
Assets_from_group_groupID__yyyy-mm-dd.csv
Managing Networks
Networks are configuration objects that specify which parts of an organization are monitored by
AlienVault USM. Networks also specify which assets will be imported during asset discovery. Only
assets that correspond to a configured network will be imported into the asset management
system. Assets are grouped based on IP addresses and configured networks for easier asset
navigation and management.
Creating a Network
There are two ways to create a network in USM: manually or by importing a CSV file.
Name. This is a label that identifies the network. This field is mandatory.
CIDR. This is a method for allocating IP addresses and routing Internet Protocol packets.
It is the range of IP addresses that define the network. This field is mandatory.
Sensor. This field indicates the sensor related to that network. This field is mandatory.
Asset value. This is a value assigned to the network. This field is mandatory. See What is
Asset Value for further information.
External Asset. This choice indicates if this asset is external (publicly facing) (Yes) or
internal (No). This field is mandatory.
There are optional fields. Although it is not compulsory to fill out these fields, it is
recommended to do it for filtering. The optional fields are the following:
Icon. This field allows you to associate an image with the network. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.
Description. This field provides a short description of the network.
Click SAVE to add the new network.
Alternatively, click the close icon at the upper-right corner to exit this window without saving
any changes.
4. If you click SAVE in the previous step, the Network Details window appears (see Figure 35.
Networks: ).
where
The characters allowed for netname are: A-Z, a-z, 0-9, ., :, _ and -.
For example,
"Netname";"CIDRs";"Description";"Asset Value";"Net ID"
"Net_1";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"
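An added example (not AlienVault code) that validates rows for the network CSV layout shown above. It uses the netname character set stated above and parses CIDRs strictly, so an entry such as 10.0.0.5/24 with host bits set is rejected instead of silently describing a different network. Assumptions not taken from the guide: fields are double-quoted as in the example, the asset value is an integer from 0 to 5, the Net ID is a 32-character hexadecimal string when present, and a blank Net ID is allowed. The overlap check is added because, as Managing Networks explains, assets are imported only when they match a configured network, so it is worth knowing when two configured networks claim the same address space.

```python
"""Added example: validate and write rows of the USM network CSV import.

Columns follow the guide's example:
"Netname";"CIDRs";"Description";"Asset Value";"Net ID"

Assumptions, not stated in the guide: fields are double-quoted, asset value
is an integer 0..5, Net ID is a 32-character hex string when present and
may be blank, and CIDRs must be true network addresses (host bits clear).
"""
import ipaddress
import re

HEADER = '"Netname";"CIDRs";"Description";"Asset Value";"Net ID"'
# Characters allowed for netname per the guide: A-Z a-z 0-9 . : _ -
NETNAME_RE = re.compile(r"^[A-Za-z0-9.:_-]+$")
NET_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_cidrs(cidr_field: str) -> list:
    """Parse a comma-separated CIDR list; strict=True rejects host bits set."""
    nets = []
    for item in cidr_field.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))  # ValueError if bad
    if not nets:
        raise ValueError("at least one CIDR is required")
    return nets


def validate_network(row: dict) -> list:
    """Return a list of error strings; an empty list means the row is importable."""
    errors = []
    name = row.get("netname") or ""
    if not NETNAME_RE.match(name):
        errors.append(f"invalid netname {name!r} (allowed: A-Z a-z 0-9 . : _ -)")
    try:
        nets = parse_cidrs(row.get("cidrs") or "")
    except ValueError as exc:
        errors.append(f"invalid CIDR list: {exc}")
        nets = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"overlapping CIDRs {a} and {b} in the same network")
    value = row.get("asset_value")
    if not (isinstance(value, int) and 0 <= value <= 5):
        errors.append(f"asset value {value!r} must be an integer 0..5")
    net_id = row.get("net_id") or ""
    if net_id and not NET_ID_RE.match(net_id):
        errors.append("net ID must be 32 hexadecimal characters")
    if '"' in (row.get("description") or ""):
        errors.append("description must not contain double quotes")
    return errors


def network_line(row: dict) -> str:
    """Serialise one validated row with every field double-quoted."""
    errors = validate_network(row)
    if errors:
        raise ValueError("; ".join(errors))
    fields = [row["netname"], row["cidrs"], row.get("description") or "",
              str(row["asset_value"]), row.get("net_id") or ""]
    return ";".join(f'"{f}"' for f in fields)


def build_import_file(rows) -> str:
    """Header line followed by one quoted line per network."""
    return "\n".join([HEADER] + [network_line(r) for r in rows]) + "\n"


def overlapping_networks(rows) -> list:
    """Pairs of network names whose CIDRs overlap across rows; an asset in the
    overlap would match more than one configured network."""
    parsed = [(r["netname"], parse_cidrs(r["cidrs"])) for r in rows]
    clashes = []
    for i, (name_a, nets_a) in enumerate(parsed):
        for name_b, nets_b in parsed[i + 1:]:
            if any(a.overlaps(b) for a in nets_a for b in nets_b):
                clashes.append((name_a, name_b))
    return clashes
```

The guide's own row round-trips to exactly the example line above; a second network defined as 192.168.0.0/16 is reported as overlapping Net_1, which is the kind of configuration that makes "which network does this asset belong to" depend on import order.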
1. Navigate to Environment > Assets & Groups > Networks, click ADD NETWORK and then,
Import CSV.
2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if
you want to ignore them.
3. Click IMPORT.
This window includes the same information as the one for assets (see Table 8. Meaning of the
columns in the Asset Details window) except for the export button ( ), which is used to export
assets from a network to a CSV file. The name of the exported file has the following structure:
Networks__yyyy-mm-dd.csv
2. Click NEW.
4. Select the network to be part of the group. Click the + sign to expand the branches in the
Select networks below tree and click on your selection. The selected networks appear in the
lower part. The filter field is used to search a specific network. It is useful when there are a lot
of networks. The button is used to remove a network from this group.
5. The description field is used to enter any useful information that identifies the network group.
6. Click SAVE.
Column Meaning
Description Text describing the network group. This field may be empty since it is not
mandatory.
Knowledge DB It is used to add a link to documents related to the network and that are included in
the database.
Notes This column indicates whether that network group includes notes. Notes are useful to
explain facts about that network group. The number of notes appears in brackets next to
the notes icon; for instance, (4) means that the network group includes 4 notes.
2. Click MODIFY.
4. Click SAVE.