The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM,
AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX
Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and
OSSIM are trademarks or service marks of AlienVault, Inc.
All other registered trademarks, trademarks or service marks are the property of their respective
owners.
October 2, 2015 Added the limitation that each USM Sensor can have up to 100 plugins enabled.
Updated the Figure 3. Scan Results screen.
Updated the Deployment Prerequisites chapter.
Introduction
In USM™ version 5.1, AlienVault continues the effort started in USM 5.0 to provide a simplified user
interface and workflows, allowing users to fully manage assets, asset groups, and asset-based
security controls. This document covers the new functionalities introduced in version 5.1, as well as
those available in previous versions:
Managing Assets
Managing Asset Groups
Managing Networks
Managing Network Groups
For asset management in USM version 4.x, refer to Assets, Groups & Networks.
For asset management in USM version 5.0, refer to USM 5.0 Asset Management Guide.
What is an Asset
In AlienVault USM, an asset is a piece of equipment that bears a unique IP address on the
company's network. For example, it can be a server, a router, a firewall, a printer, or an individual
PC. An asset is monitored by at least one USM Sensor.
vulnerability data. This functionality uses active network asset scanning and passive network
asset discovery to allow users to scan networks and hosts. The scan is used for discovering
assets and adding them into the USM database to be monitored.
Vulnerability Scanning. Vulnerability assessment is another essential security capability that
USM provides. With the asset oriented security approach introduced in USM 5.0, you can
schedule vulnerability scans directly from the assets. See Running Vulnerability Scan.
HIDS Agent Deployment. In USM 5.1, you can deploy HIDS agents directly while managing
the assets. See Deploying HIDS Agents.
Categorization. You can categorize your assets in many different ways by using filters and/or
labels.
Prioritization. You can prioritize your assets by assigning different asset values to them.
Monitoring. Availability monitoring in AlienVault USM allows two types of asset monitoring:
host monitoring and services monitoring. Host monitoring reports if an asset is up or down,
while services monitoring discovers services on an asset and monitors the availability of those
services.
Adding/Deleting. In addition to running asset discovery, you can also add or delete assets
manually.
Analysis is essential to investigate the detected alarms, which may require knowing, for
instance, the software installed on an asset; the existing vulnerabilities; the users that have
access; or the traffic generated by an asset.
Proper asset management is necessary in order to make the most of the whole AlienVault USM
functionality. Keep in mind that not all assets have the same significance. Asset management
allows you to configure USM according to your needs.
Managing Assets
Adding Assets
There are several ways to add an asset or assets on a USM:
Adding Assets by Using the Getting Started Wizard
Adding Assets by Scanning for New Assets
Adding Assets by Using a CSV File
Adding Assets by Using SIEM Events
Adding Assets Manually
Note: In addition, the USM system inserts new assets automatically if they are identified via
passive asset monitoring, vulnerability scans (only when vulnerabilities are found), or
through IDM events.
Fast Scan. This option scans the most common 100 ports.
Custom. This option allows the user to define the ports to scan.
Timing Template:
Paranoid. This option scans very slowly. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets.
Polite. This option is meant to ease the load on the network and reduce the chance of crashing machines. It serializes the probes and waits at least 0.4 seconds in between.
Aggressive. This option adds a 5-minute timeout per host and it never waits more than 1.25 seconds for probe responses.
Insane. This option is only suitable for very fast networks or where you do not mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps.
Autodetect Services and Operating System. Choose this option to detect services and operating system versions.
Enable Reverse DNS Resolution. This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.
Once the scan is completed, the results are displayed in the same screen, just below the Start
Scan button:
6. Click Update Managed Assets in order to save the results in the database.
The following table displays the meaning of each column:
Column Meaning
OS Operating System.
FQDN as Hostname Choose this option to use FQDN as the hostname for the discovered assets. If
a FQDN contains any dot, only the name before the first dot will be used.
Table 3. Meaning of the columns in the Asset Discovery Scan main window
Column Meaning
Frequency The rate at which that scan is going to happen or is going to be repeated.
Use this button ( ) to change information about an existing scan. Select the scan to be modified
and click the button. A window similar to Figure 5. Schedule a new Asset Scan will appear.
Modify the data you need and click Save.
Use this button ( ) to remove an existing scan. Select the scan to be deleted and click the button.
A confirmation message appears. Click Yes if you want to delete it; or No if you do not want to.
The Vulnerability Scans button takes you to the Environment > Vulnerabilities > Scan Jobs page.
Use the Schedule New Scan button to schedule a new Asset Discovery Scan.
3. Enter the target network or networks to scan. You can type one unique CIDR (x.x.x.x/xx) or a
CIDR list separated by commas (CIDR1, CIDR2, CIDR).
4. Select a sensor.
5. Select the scan type. See Adding Assets by Scanning for New Assets for further
information.
6. Select the timing template. See Adding Assets by Scanning for New Assets for further
information.
7. Autodetect services and Operating System. Select this option to detect services and operating
system versions.
8. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.
9. Select the frequency at which the scan is going to happen or is going to be repeated. The
options are Hourly, Daily, Weekly or Monthly.
Note: The results of scheduled asset discovery scans do not appear in the web interface. New
assets will be added automatically and existing ones will be updated if new properties are found.
The FQDN syntax is defined by RFC 1035, RFC 1123 and RFC 2181.
Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS,
Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or iPhone.
For device type options, see Table 4. List of accepted device types.
For example,
IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server
Endpoint n/a
Mobile Mobile:Mobile
Mobile:Tablet
Mobile:PDA
Mobile:VoIP Phone
Peripheral Peripheral:Printer
Peripheral:Camera
Peripheral:Terminal
1. Navigate to Environment > Assets & Groups > Assets, click Add Assets and then, Import
CSV (see Figure 1. Assets: select option Scan for New Assets).
2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters
(Hostnames) if you want to ignore them.
When the CSV file does not include a header, the following error appears:
3. Click Import.
This table shows the number of assets imported, and the number of errors and warnings that
occurred during the import.
Next, there is the summary of the import. The table includes three fields: Line, Status and
Details. Line indicates the line number in the CSV file. Click the Status column to sort. The
icon appears when the status is Warning or Error. Click this icon to read specific
information about that warning or error.
The imported assets appear in the asset list view, see
Figure 9. Asset List View.
4. Click New Importation to import more assets from a CSV file or close the window by clicking
on the icon located at the upper-right side ( ).
4. Click Import to transfer the assets that were found. Or click Cancel to exit this window.
Assets are imported 25,000 at a time. Therefore, when more than 25,000 hosts are found, you will
need to repeat steps #1 to #3 until all assets have been imported.
Figure 7. Assets: import assets from SIEM events (batches of 25,000 assets)
Field Meaning
Name This is a label that identifies the asset. This field is mandatory.
IP Address This field denotes the IP Address of the assets. This field is mandatory.
Asset value This is a value assigned to the asset. This field is mandatory. See What is Asset Value for further information.
External Asset Indicates if this asset is external (publicly facing) (Yes) or internal (No). This field is mandatory.
Sensors This shows the USM sensor or sensors monitoring this asset. This field is mandatory.
There are optional fields. Although it is not compulsory to fill out these fields, doing so is recommended
because they can be used for filtering, for example, threats on Windows systems. The optional fields are the following:
Table 6. Create a new asset: meaning of the optional fields
Field Meaning
FQDN/Aliases This field contains the domain name that specifies its exact location in the tree
hierarchy of the Domain Name System (DNS).
Operating System This field specifies the operating system on the asset.
Icon This field allows you to associate an image with the asset. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.
Location You can specify the location of this asset. The written location appears on the
map. You can also use latitude and longitude to locate the place.
Model This field is used to specify the model that identifies the asset.
Important: While naming an asset in the USM, keep the following rules in mind:
An asset name cannot contain any dot (.)
An asset name cannot start or end with a dash (-)
An asset name cannot contain a space
An asset name can start or end with a letter or a number
4. Click Save.
The Asset Details window appears (see Figure 24. Assets: view details of an asset).
5. Alternatively, click (at the right upper corner) to exit this window without saving any changes.
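The CSV layout and field rules from Adding Assets by Using a CSV File, together with the asset naming rules above, can be checked before a file is uploaded. The following Python validator is an added example, not AlienVault code. Applying the naming rules to the Hostname column, treating every field except IPs as optional, the 0/1 External Asset values and the 32-character Host ID are assumptions drawn from the guide's sample row, and the sample CSV is constructed.

```python
import csv
import io
import ipaddress
import re

# Header and operating system values as listed in the guide's CSV section.
EXPECTED_HEADER = [
    "IPs", "Hostname", "FQDNs", "Description", "Asset Value",
    "Operating System", "Latitude", "Longitude", "Host ID",
    "External Asset", "Device Type",
]
VALID_OS = {
    "Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS", "Solaris", "Cisco",
    "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS", "SunOS", "Plan9", "iPhone",
}
ASSET_VALUES = {str(n) for n in range(6)}  # asset values run from 0 to 5
# Simplified RFC 1123 host label: letters, digits, inner hyphens, 1-63 chars.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
HOST_ID = re.compile(r"[0-9A-Fa-f]{32}")  # assumption: 32 hex chars, as in the sample row


def is_fqdn(name):
    """Check overall length and every dot-separated label."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and all(LABEL.fullmatch(label) for label in labels)


def in_range(text, low, high):
    """True when text parses as a number between low and high."""
    try:
        return low <= float(text) <= high
    except ValueError:
        return False


def check_row(row):
    """Return a list of problems found in one data row (empty list = clean)."""
    problems = []
    ips = [ip.strip() for ip in row["IPs"].split(",") if ip.strip()]
    if not ips:
        problems.append("IPs is empty")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address: {ip}")
    # Asset naming rules from the guide, applied to the Hostname column (assumption).
    name = row["Hostname"]
    if "." in name:
        problems.append("hostname contains a dot")
    if name.startswith("-") or name.endswith("-"):
        problems.append("hostname starts or ends with a dash")
    if " " in name:
        problems.append("hostname contains a space")
    for fqdn in filter(None, (f.strip() for f in row["FQDNs"].split(","))):
        if not is_fqdn(fqdn):
            problems.append(f"invalid FQDN: {fqdn}")
    if row["Asset Value"] and row["Asset Value"] not in ASSET_VALUES:
        problems.append("Asset Value must be an integer from 0 to 5")
    if row["Operating System"] and row["Operating System"] not in VALID_OS:
        problems.append(f"unknown operating system: {row['Operating System']}")
    if row["Latitude"] and not in_range(row["Latitude"], -90, 90):
        problems.append("Latitude out of range")
    if row["Longitude"] and not in_range(row["Longitude"], -180, 180):
        problems.append("Longitude out of range")
    if row["Host ID"] and not HOST_ID.fullmatch(row["Host ID"]):
        problems.append("Host ID is not 32 hexadecimal characters")
    if row["External Asset"] not in ("", "0", "1"):
        problems.append("External Asset must be 0 or 1")
    # Device Type is not checked: the accepted values live in the guide's Table 4.
    return problems


def validate_csv(text):
    """Return (line, status, details) tuples, like the import summary table."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return [(1, "Error", ["header line missing or not in the expected order"])]
    results = []
    for fields in reader:
        line = reader.line_num
        if not any(f.strip() for f in fields):
            continue  # ignore blank lines
        if len(fields) != len(EXPECTED_HEADER):
            results.append((line, "Error", [f"expected {len(EXPECTED_HEADER)} fields, got {len(fields)}"]))
            continue
        row = dict(zip(EXPECTED_HEADER, (f.strip() for f in fields)))
        problems = check_row(row)
        results.append((line, "Error" if problems else "OK", problems))
    return results


# Constructed sample: the guide's example row followed by two faulty rows.
SAMPLE_CSV = """IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server
192.168.10.400;web.dmz;;Bad IP and dotted name;9;OpenVMS;;;;0;
10.0.0.7;-printer;;Leading dash;1;Linux;;;;2;Peripheral:Printer
"""

if __name__ == "__main__":
    for line, status, details in validate_csv(SAMPLE_CSV):
        print(line, status, "; ".join(details))
```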
Vulnerabilities It allows searching for assets with vulnerabilities. By default, it includes all
severity levels: Info, Low, Medium, High and Serious. Slide the bar to exclude
one or more levels.
Asset Value It allows searching for assets with a specific asset value or values. By default it
includes asset values from 0 to 5. Slide the bar to exclude one or more values.
HIDS Status It allows searching for assets with HIDS connected, disconnected or not
Availability Status It allows searching for assets that are running (Up), not running (Down) or
availability monitoring not configured (Unconfigured).
Show Assets Added It allows searching for assets based on the date when they are added.
Last Updated It allows searching for assets based on the date when they are last updated.
The More Filters button allows the user to add more filters:
Figure 10. Assets: Network tab for the MORE FILTERS screen
This screen includes several tabs. Each tab shows its specific data that can be used for filtering:
Table 8. Search filters in the Assets screen: More filters button
Network Use this tab to filter assets by network name or network CIDR.
Device Type Use this tab to filter assets by their device types.
Service Use this tab to filter assets by the services running on them.
Operating System Use this tab to filter assets by their operating system.
Software Use this tab to filter assets by the software running on them.
Plugin Use this tab to filter assets by the plugin. You can filter by several plugins at the
same time or choose the option No Plugin Enabled.
There is a search field located at the top left of each tab. This is useful when there are many items
in a tab. It allows executing a search among all of them. The icon is used to delete the search
term that you entered.
Click Apply to start the search.
Click Cancel or the icon ( ) located at the top right side of the window to finish the addition of
filters.
When applying the filters, the search uses a logical AND operator when the filters are different. For
example, the following search looks for assets that have alarms and events and were added during
the last day:
Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you
want to remove only that filter.
Column Meaning
Used to select assets. It is possible to select assets from multiple pages and
apply an action.
Operating System Name of the Operating System associated with the asset.
Asset Value The value that has been set for that asset.
Vuln Scan Scheduled This column indicates whether a vulnerability scan has been scheduled and
enabled or not.
HIDS Status This column indicates the HIDS status for that asset (Connected,
Disconnected or Not Deployed).
Availability Gray The availability status of this asset is not enabled and/or pending status.
Services Gray Availability monitoring has not been enabled and/or pending status for 1
or more services.
Groups Gray Display the number of groups the asset belongs to.
Select the asset(s) you want to label and click the icon ( ).
The symbols that can appear next to a label are the following:
. This icon means that the label has been applied to some of the selected assets.
. This icon means that the label has been applied to all of the selected assets.
. This icon means that the label has not been applied to any of the selected assets.
Select a label, change the name if you want and click Save.
4. Click Save and the field with new information will be modified in the selected assets at the
same time.
Important: All user-defined property values have higher priority over those detected by
other tools used in the USM, such as software inventory, HIDS, passive and/or active asset
Once the assets are selected, you can perform one of these actions:
Editing Your Assets
Deleting Assets
Running Asset Scan
Running Vulnerability Scan
Deploying HIDS Agents
Enabling Availability Monitoring
Disabling Availability Monitoring
Creating or Adding to an Asset Group
Adding a Note
3. Select an option for Scan type and Timing template and click Autodetect services and
Operating System and Timing template if you want to activate these options. There is an
explanation of these advanced options in Adding Assets by Scanning for New Assets.
Note:
There are 3 icons that can appear in the status field:
, which means the scan can be started.
, which means those assets cannot be scanned because the sensor is not connected at
that moment.
5. A message appears. For example, Asset Scan in progress for 3 assets, or for the number of
assets that you selected.
6. If the scan finds new assets, they will be added to the system automatically.
6. Select a profile:
Profile Meaning
Default This scan can be used if the scanned system breaks or crashes when
overwhelmed with scanning requests.
Ultimate This is a full and fast scan, including destructive tests. It includes dangerous stress tests that can crash the scanned system (for example, filling a network switch's memory with random MAC addresses).
Run Once Schedule a scan job to run once, on a specific day and time.
Day of the Week Schedule a scan job on a specific day of the week
Day of the Month Schedule a scan job on a specific day of the month
Nth weekday of the month Schedule a scan job on a specific day and week of a month.
SSH Credential Checks the patch level and installed software versions on various Linux
and UNIX distributions.
Timeout Enter the maximum number of seconds that the scan can run.
Send an email notification Click No if you do not want to send an email notification; or click Yes to
send an email notification then select a user or an entity.
9. Select Only scan hosts that are alive to speed up the scanning process.
10. Select Pre-Scan locally if you do not want to pre-scan from a remote sensor.
11. Select Do not resolve names if you do not want to resolve hostnames or FQDN.
12. Click New Job to create the vulnerability scan or Cancel to exit this window.
Deployment Prerequisites
A Windows system (XP, 7, 8, 10, Server 2003, 2008 or 2012).
A user account with administrator privileges on the Windows system.
Operating System specific settings:
Windows XP
1. Go to Control Panel > Folder Options > View. Uncheck Use simple file sharing.
2. Go to Control Panel > Windows Firewall > Exceptions. Check File and Printer Sharing.
Windows 7
1. Go to Control Panel > Folder Options > View. Uncheck Use Sharing Wizard (Recommended).
2. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In).
3. Go to Control Panel > User Accounts > Change User Account Control Settings. Move the slider to Never notify.
Windows Server 2003, 2008 R2 and 2012 R2
1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In).
2. Allow NTLMv2 security. Execute gpedit.msc. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change:
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients > Require NTLMv2 session security, Require 128-bit encryption.
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers > Require NTLMv2 session security, Require 128-bit encryption.
Network Security: LAN Manager Authentication level > Send NTLMv2 response only. Refuse LM & NTLM.
Windows 8 and 10
1. Go to Control Panel > Folder Options > View. Uncheck Use Sharing Wizard (Recommended).
2. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules. Allow rule File and Printer Sharing (SMB-In).
3. Go to Control Panel > User Accounts > Change User Account Control Settings. Move the slider to Never notify.
4. Set User Account Control: Run all administrators in Admin Approval Mode to Disabled.
This option is recommended by Dell, because it is more secure and can be centrally configured using GPO.
To find this setting, open the Group Policy (type secpol.msc into the Search programs and files field under the Start menu), then go to Local Policies > Security Options. Restart the device after applying the settings.
Important: The HIDS agent status is not shown in real time. It is updated in the
background every hour.
Cancel Cancel the deployment and go back to the asset list view.
View these assets Cancel the deployment and view the non-Windows assets in the asset
list view.
3. Fill out the fields. Domain is optional. The user accounts must have administrator privileges.
4. Click Deploy.
HIDS agents will be deployed on the selected asset(s). For every deployment attempt, the system
will generate a message in the Message Center with the result (success or failure).
8. Click Save.
A confirmation message displays.
9. Click Yes.
This option allows the user to create an asset group or add selected assets to an existing asset group.
To add assets to an existing group, locate the group and click the icon in the Actions column.
(Knowing Your Assets Groups).
The box labeled New Group is used to create a new group. Enter a group name and click the
icon to create that group (Creating Asset Groups).
Adding a Note
1. Select the assets.
Field Meaning
Hostname The name that identifies the asset. The IP and the MAC address of this asset
are displayed underneath.
Label Label or labels applied to this asset (see Labeling Your Assets).
Asset Value This is a value assigned to the asset. See What is Asset Value for further
information.
Sensors This shows the USM sensor or sensors monitoring this asset.
Model This field specifies the model that identifies the asset.
Asset Type This field indicates if this asset is external (publicly facing) (Yes) or internal (No). This field is mandatory.
Status Summary This field displays the status of the asset in a graphical view. Hover your mouse
within each circle to see what it means. Clicking on the specific circle will
activate the corresponding tab in the table area below, where you can
investigate more details. See Table 10. Meaning of the colors in an expanded
view of an asset.
Actions This is a button that allows you to access selected functions (see Performing
Actions on Your Assets).
Table Area
The table area appears at the bottom of the screen. This menu includes the following options:
Vulnerabilities. This table displays vulnerabilities related to the asset. The fields are Scan
Time, Asset, Vulnerabilities, Vuln ID, Service, and Severity.
Alarms. This table displays alarms associated with this asset. The fields are Date, Status,
Intent & Strategy, Method, Risk, Source, and Destination. The button brings you to the
Alarm Details page.
Events. This table displays events related to this asset. The table includes the following fields:
Date, Signature, Source, Destination, Sensor, and Risk. The button brings you to the Event
Details page.
Software. This option indicates if the asset has some software installed. The fields are IP
Address, Name, Date, and Source. Use the vertical scroll bar, if necessary, to see all rows. You
can use the Edit Software button to add, modify and/or delete software.
Services. This option displays a table that shows the services related to the asset. The fields
are IP Address, Port, Protocol, Name, Status, and Monitoring. You can use the Edit Services
button to add, modify and/or delete services. While in the Edit Services window, if you want to
enable or disable availability monitoring for a service, select the service first, and then choose
enable or disable from the Availability Monitoring dropdown menu.
Plugins. This table displays the plugins that are enabled for this asset. The fields are Asset,
Vendor, Model, Version, Sensor, and Receiving Data. The last field indicates if the plugin is
receiving data from this asset. The Edit Plugin button is used to select the vendor, model and
version of the device. All three fields are required. Once they are selected, the button Add
Plugin appears. It is possible to enable multiple plugins in USM 5.1. You can add as many as
10 plugins to a single asset. If the asset is related to multiple sensors, a dropdown menu is displayed
so that you can choose the sensor on which this plugin should be enabled.
Note: The Plugin table is not available on the localhost because the default plugins have
already been activated.
You can enable up to 10 plugins per asset and up to 100 plugins per USM Sensor.
Properties. This option displays information relating to the asset properties. The fields are IP
Address, Type, Property, Date, and Source. You can use the Edit Properties button to modify
or add an entry. To add a property:
1. Choose a type.
2. Enter the property.
3. Click Lock property to avoid it being modified by automatic processes.
4. Click Save.
Netflow. This option displays a table which includes information about netflows related to that
asset. This table includes the following fields: Date Flow Start, Duration, Protocol, Source,
Destination, and Flags.
Groups. This option displays the groups to which that asset belongs. The fields are Name,
Owner, and Assets. The button goes to the Asset Groups detail page (see Managing
Asset Groups) and the Add To Group button is used to add the asset to an asset group.
Environment Status
At the right side, you'll find the following links:
HIDS. This link refers to the intrusion detection system that monitors and analyzes the
internals of a computing system as well as (in some cases) the network packets on its network
interfaces. Clicking the link takes you to Environment > Detection > HIDS. The circle next to
this field can appear in 4 different colors:
Table 17. Environment Status: HIDS colors and meanings
Field Meaning
GREEN It means that the HIDS agent is deployed with status Active or Active/Local.
YELLOW It means that the HIDS agent is deployed with status Disconnected.
RED It means that the HIDS agent is deployed with status Never Connected.
Automatic Asset Discovery. This link indicates if there are any pending scans for that host.
Clicking the link takes you to Environment > Assets & Groups > Schedule Scan. The circle
next to this field can appear in 3 different colors:
Table 18. Environment Status: Automatic Asset Discovery colors and meanings
Field Meaning
GREEN It means that all IPs associated with that asset are scheduled to be scanned.
YELLOW It means that some IPs associated with that asset are scheduled to be scanned, but not all
of them.
RED It means that none of IPs associated with that asset are scheduled to be scanned.
Vuln Scan Scheduled. This link indicates if there is any vulnerability scan scheduled for that
host. Clicking the link takes you to Environment > Vulnerabilities > Scan Jobs. The circle next
to this field can appear in 2 different colors:
Table 19. Environment Status: Vulnerabilities Scan Scheduled colors and meanings
Field Meaning
See Network Activity. This link displays the network usage of the IP address associated with
this asset. This page can be blank if no activity is detected.
Suggestions
This section shows suggestions related to that asset. These suggestions can be informative,
warning or error messages. Click the message to see the details.
Exporting Assets
Navigate to Environment > Assets & Groups > Assets, select the assets you want to export, and
click the button on the right side of the screen. The name of the exported file has the following
structure:
Assets__yyyy-mm-dd.csv
Deleting Assets
Navigate to Environment > Assets & Groups > Assets, select the asset(s) you want to delete, and
click Actions > Delete:
3. Enter a name for the new group. An asset group name is required. Optionally, enter a
description for the group.
4. Click Save.
7. Close this window and the added asset will appear in the group.
Assets Gray Display the number of assets being part of the group.
Yellow The asset group contains 1 or more 'Low' and/or 'Medium' vulnerabilities.
Red The asset group contains 1 or more Serious and/or High vulnerabilities.
Yellow The asset group contains alarms with risk between 1 and 5.
Red The asset group contains alarms with risk greater than 5.
Yellow The asset group contains low and/or medium risk events.
Availability Gray The availability status of this group is not enabled and/or pending status.
Red The availability status is up for less than 75% of assets in this group.
Services Gray The availability monitoring has not been enabled and/or pending status for
1 or more services.
Red There is a Critical and/or Warning status on 1 or more services for this
group.
This window includes the same information as the one for assets (see Table 16. Meaning of the
columns in the Asset Details window) except for the following:
The export button ( ), which is used to export assets from a group to a CSV file. The name of
the exported file has the following structure: Assets_from_group_groupID__yyyy-mm-dd.csv
Field Meaning
GREEN It means that all the assets in this group have HIDS agents deployed and all of them are
active.
YELLOW It means that some of the assets in this group have HIDS agents deployed but not all of
them are active.
RED It means that some of the assets in this group have HIDS agents deployed but they are not
connected.
GREY It means that none of the assets in this group have HIDS agents deployed.
Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups
> Schedule Scan. The circle next to this field can appear in 3 different colors:
Table 22. Environment Status: Automatic Asset Discovery colors and meanings
Field Meaning
GREEN It means that all the assets in this group are scheduled to be scanned.
YELLOW It means that some of the assets in this group are scheduled to be scanned.
RED It means that none of the assets in this group are scheduled to be scanned.
Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities >
Scan Jobs. The circle next to this field can appear in 2 different colors:
Table 23. Environment Status: Vuln Scan Scheduled colors and meanings
Field Meaning
GREEN It means that all the assets in this group have a vulnerability scan scheduled.
RED It means that none of the assets in this group have a vulnerability scan scheduled.
Managing Networks
Networks are configuration objects that specify which parts of an organization are monitored by
AlienVault USM. Networks also specify which assets will be imported during asset discovery. Only
assets that correspond to a configured network will be imported into the asset management
system. Assets are grouped based on IP addresses and configured networks for easier asset
navigation and management.
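Because only assets inside a configured network are imported, it helps to compare scan targets (typed as a comma-separated CIDR list) and discovered addresses against the configured networks, so that unmonitored ranges are noticed. The Python code below is an added example, not AlienVault code; all ranges and addresses are constructed, and rejecting CIDRs that have host bits set is an assumption about input hygiene, not documented USM behaviour.

```python
import ipaddress


def parse_cidr_list(text):
    """Parse a comma-separated CIDR list; return (networks, rejected_items)."""
    networks, rejected = [], []
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError:
            rejected.append(item)  # bad syntax or host bits set, e.g. 10.0.0.5/24
    return networks, rejected


def classify_targets(targets, configured):
    """Label each scan target as covered, partial or uncovered."""
    labels = {}
    for target in targets:
        same = [n for n in configured if n.version == target.version]
        if any(target.subnet_of(n) for n in same):
            labels[str(target)] = "covered"      # every host found can be imported
        elif any(target.overlaps(n) for n in same):
            labels[str(target)] = "partial"      # some hosts fall outside
        else:
            labels[str(target)] = "uncovered"    # no host would be imported
    return labels


def outside_networks(asset_ips, configured):
    """Return the discovered IPs that match no configured network."""
    missing = []
    for text in asset_ips:
        ip = ipaddress.ip_address(text)
        if not any(ip.version == n.version and ip in n for n in configured):
            missing.append(text)
    return missing


# Constructed sample data: configured networks, scan targets, discovered hosts.
CONFIGURED, _ = parse_cidr_list("192.168.10.0/24, 10.20.0.0/16")
TARGETS, REJECTED = parse_cidr_list(
    "192.168.10.0/25, 10.20.0.0/15, 172.16.5.0/24, 10.0.0.5/24"
)
DISCOVERED = ["192.168.10.3", "10.21.4.9", "172.16.5.20"]

if __name__ == "__main__":
    print("rejected targets:", REJECTED)
    for target, label in classify_targets(TARGETS, CONFIGURED).items():
        print(target, label)
    print("not in any configured network:", outside_networks(DISCOVERED, CONFIGURED))
```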
Creating a Network
There are two ways to create a network in USM: manually or by importing a CSV file.
Field Meaning
Name This is a label that identifies the network. This field is mandatory.
CIDR This is a method for allocating IP addresses and routing Internet Protocol packets. It is
the range of IP addresses that define the network. This field is mandatory.
Sensors This field indicates the sensor related to that network. This field is mandatory.
Asset value This is a value assigned to the network. This field is mandatory. See What is Asset
Value for further information.
External Asset This choice indicates if this asset is external (publicly facing) (Yes) or internal (No).
This field is mandatory.
There are optional fields. Although it is not compulsory to fill out these fields, it is recommended to
do it for filtering. The optional fields are the following:
Field Meaning
Icon This field allows you to associate an image with the asset. The accepted image size is
400x400 and the allowed formats are png, jpg or gif.
4. If you click Save in the previous step, the Network Details window appears (see Figure 35.
Network List View).
1. Navigate to Environment > Assets & Groups > Networks, click Add Network and then, Import
CSV.
2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters if
you want to ignore them.
3. Click Import.
This window includes the same information as the one for assets (see Table 16. Meaning of the
columns in the Asset Details window) except for the following:
The export button ( ), which is used to export assets from a network to a CSV file. The name
of the exported file has the following structure: Networks__yyyy-mm-dd.csv
Environment Status links.
HIDS. Clicking the link takes you to Environment > Detection > HIDS. The circle next to
this field can appear in 4 different colors:
Table 26. Environment Status: HIDS colors
Field Meaning
GREEN It means that all the assets in this network have HIDS agents deployed and all of them are
active.
YELLOW It means that some of the assets in this network have HIDS agents deployed but not all of
them are active.
RED It means that some of the assets in this network have HIDS agents deployed but they are
not connected.
GREY It means that none of the assets in this network have HIDS agents deployed.
Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups
> Schedule Scan. The circle next to this field can appear in 3 different colors:
Field Meaning
GREEN It means that all the assets in this network are scheduled to be scanned.
YELLOW It means that some of the assets in this network are scheduled to be scanned.
RED It means that none of the assets in this network are scheduled to be scanned.
Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities > Scan
Jobs. The circle next to this field can appear in 2 different colors:
Table 28. Environment Status: HIDS colors
Field Meaning
GREEN It means that all the assets in this network have a vulnerability scan scheduled.
RED It means that none of the assets in this network have a vulnerability scan scheduled.
2. Click New.
4. Select the network to be part of the group. Click the + sign to expand the branches in the
Select networks below tree and click on your selection. The selected networks appear in the
lower part. The filter field is used to search for a specific network. It is useful when there are a lot
of networks. The button is used to remove a network from this group.
6. Click Save.
Column Meaning
Description Text describing the network group. This field may be empty since it is not
mandatory.
Knowledge DB It is used to add a link to documents that are related to the network and included in the database.
Notes This column indicates if that network group includes notes. Notes are useful to
explain facts about that network group. The number of notes appears between
brackets next to the notes icon. For instance, means that a network group
includes 4 notes.
2. Click Modify.
4. Click Save.