
AlienVault

Unified Security Management (USM) 5.1-5.2


Asset Management Guide
USM 5.1-5.2 Asset Management Guide, rev. 2
Copyright 2015 AlienVault, Inc. All rights reserved.

The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM,
AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX
Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and
OSSIM are trademarks or service marks of AlienVault, Inc.
All other registered trademarks, trademarks or service marks are the property of their respective
owners.

Revision to This Document

Date Revision Description

July 29, 2015 Original document based on the 5.1 release.

August 17, 2015 Updated for the USM 5.1.1 release.

October 2, 2015 Added the limitation that each USM Sensor can have up to 100 plugins enabled.
Updated the Figure 3. Scan Results screen.
Updated the Deployment Prerequisites chapter.

October 2, 2015 USM 5.1-5.2 Asset Management Guide, rev. 2 Page 2 of 60


Contents

Introduction ..................................................................................................................................... 5

About Asset Management ............................................................................................................... 6


What is an Asset ......................................................................................................................... 6
What is Asset Value .................................................................................................................... 6
What is Asset Management ........................................................................................................ 6

Managing Assets ............................................................................................................................. 8


Adding Assets ............................................................................................................................. 8
Adding Assets by Using the Getting Started Wizard ............................................................... 8
Adding Assets by Scanning for New Assets ........................................................................... 8
Running a Scan for New Assets Manually ......................................................................... 9
Scheduling an Asset Discovery Scan ............................................................................... 12
Adding Assets by Using a CSV File ...................................................................................... 14
Adding Assets by Using SIEM Events .................................................................................. 18
Adding Assets Manually ....................................................................................................... 18
Knowing Your Assets ................................................................................................................ 21
Searching / Filtering for Assets ............................................................................................. 22
Viewing the Status of Your Assets ........................................................................................ 25
Labeling Your Assets ........................................................................................................... 27
Editing Your Assets .............................................................................................................. 28
Performing Actions on Your Assets........................................................................................... 30
Selecting Assets on the Asset List View ............................................................................... 30
Running Asset Scan ............................................................................................................. 31
Running Vulnerability Scan .................................................................................................. 33
Deploying HIDS Agents ........................................................................................................ 35
Deployment Prerequisites ................................................................................................ 35
Bulk Deployment Constraints ........................................................................................... 36
Legacy HIDS Agents........................................................................................................ 37
Enabling Availability Monitoring ............................................................................................ 38
Disabling Availability Monitoring ........................................................................................... 38
Creating or Adding to an Asset Group .................................................................................. 38


Adding a Note ...................................................................................................................... 39


Viewing Asset Details ............................................................................................................... 39
Table Area............................................................................................................................ 41
Environment Status .............................................................................................................. 42
Suggestions ......................................................................................................................... 44
Exporting Assets ....................................................................................................................... 44
Deleting Assets ......................................................................................................................... 44

Managing Asset Groups ................................................................................................................ 45


Creating Asset Groups.............................................................................................................. 45
Knowing Your Assets Groups ................................................................................................... 47
Performing Actions on Your Asset Groups ................................................................................ 50
Viewing Details of Your Asset Groups....................................................................................... 50

Managing Networks ....................................................................................................................... 52


Creating a Network ................................................................................................................... 52
Creating a Network Manually................................................................................................ 52
Creating a Network by Using a CSV File .............................................................................. 54
Knowing Your Networks ............................................................................................................ 54
Performing Actions on Your Networks....................................................................................... 55
Viewing Details of Your Networks ............................................................................................. 55

Managing Network Groups ............................................................................................................ 58


Creating Network Groups.......................................................................................................... 58
Managing Network Groups ....................................................................................................... 59
Editing Network Groups........................................................................................................ 60
Deleting Network Groups ..................................................................................................... 60


Introduction
In USM™ version 5.1, AlienVault continues the effort started in USM 5.0 to provide a simplified user
interface and workflows that allow users to fully manage assets, asset groups, and asset-based
security controls. This document covers the new functionality introduced in version 5.1, as well as
the functionality available in previous versions:

Managing Assets
Managing Asset Groups
Managing Networks
Managing Network Groups

For asset management in USM version 4.x, refer to Assets, Groups & Networks.
For asset management in USM version 5.0, refer to USM 5.0 Asset Management Guide.


About Asset Management


Asset management is one of the key functionalities that AlienVault USM provides. It lets you
control the assets in your company, and that control matters: managing assets effectively and
efficiently allows you to take maximal advantage of the capabilities in AlienVault USM.

What is an Asset
In AlienVault USM, an asset is a piece of equipment that bears a unique IP address on the
company's network. For example, it can be a server, a router, a firewall, a printer, or an individual
PC. An asset is monitored by at least one USM Sensor.

What is Asset Value


In USM, every asset has an asset value, ranging from 0 to 5, 0 being the least important and 5 the
most important. In trying to decide the asset value, the system first sees if a value has been
manually assigned. If not, the system checks the network that the asset belongs to, and uses the
asset value of the network instead. If the network does not have an asset value, the asset will be
assigned the default value of 2.
Asset value is used in calculating event risk. In AlienVault USM, a risk value is calculated for every
event once it arrives at the USM Server. The system uses the following formula to calculate the
risk:
risk of the event = (asset value * event priority * event reliability) / 25
Where
Asset value is from 0 to 5.
Priority is from 0 to 5.
Reliability is from 0 to 10.
Therefore, the risk value is from 0 to 10. Decimals are always rounded down. For example, if the
asset value is 3, the priority is 3, and the reliability is 5, you will get 3 * 3 * 5 / 25 = 1.8. Therefore,
the risk of the event is 1. In USM, any event with a risk value greater than or equal to 1 becomes an
alarm.
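The value-inheritance and risk rules above, worked through in code. This is an added example, not code from the guide or from USM itself; the event records and hostnames are constructed.

```python
DEFAULT_ASSET_VALUE = 2  # used when neither the asset nor its network has a value set
ALARM_THRESHOLD = 1      # an event whose risk is >= 1 becomes an alarm


def resolve_asset_value(asset_value=None, network_value=None):
    """Resolve the asset value in the order the guide gives: a manually assigned value wins,
    otherwise the value of the network the asset belongs to, otherwise the default of 2.
    None means 'not set'; an explicit 0 is a real (lowest) value and must not fall through."""
    for candidate in (asset_value, network_value):
        if candidate is not None:
            if not 0 <= candidate <= 5:
                raise ValueError("asset value must be between 0 and 5")
            return candidate
    return DEFAULT_ASSET_VALUE


def event_risk(asset_value, priority, reliability):
    """risk = (asset value * event priority * event reliability) / 25, decimals rounded down."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value 0-5, priority 0-5, reliability 0-10")
    return (asset_value * priority * reliability) // 25  # floor division rounds down


def is_alarm(risk):
    return risk >= ALARM_THRESHOLD


def score_events(events):
    """Score a batch of events; each dict carries priority, reliability and, optionally,
    the asset's own value and/or its network's value. Returns (host, risk, alarm) tuples."""
    scored = []
    for ev in events:
        value = resolve_asset_value(ev.get("asset_value"), ev.get("network_value"))
        risk = event_risk(value, ev["priority"], ev["reliability"])
        scored.append((ev["host"], risk, is_alarm(risk)))
    return scored


# Constructed events (hostnames and values are made up); the first one is the guide's example.
SAMPLE_EVENTS = [
    {"host": "Host1", "asset_value": 3, "priority": 3, "reliability": 5},     # 45/25 = 1.8 -> 1
    {"host": "Host2", "network_value": 4, "priority": 5, "reliability": 10},  # inherits 4 -> 8
    {"host": "Host3", "priority": 2, "reliability": 3},                       # default 2 -> 0
    {"host": "Host4", "asset_value": 0, "network_value": 5, "priority": 5, "reliability": 10},
]

if __name__ == "__main__":
    for host, risk, alarm in score_events(SAMPLE_EVENTS):
        print("%s risk=%d alarm=%s" % (host, risk, alarm))
```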

What is Asset Management


In USM, asset management includes the following aspects:
Discovery (see Adding Assets by Scanning for New Assets). This is one of the essential
security capabilities offered by AlienVault USM. This capability allows users to discover and
inventory all the assets in a network and to correlate asset information with threat and
vulnerability data. This functionality uses active network asset scanning and passive network
asset discovery to allow users to scan networks and hosts. The scan is used for discovering
assets and adding them into the USM database to be monitored.
Vulnerability Scanning. Vulnerability assessment is another essential security capability that
USM provides. With the asset-oriented security approach introduced in USM 5.0, you can
schedule vulnerability scans directly from the assets. See Running Vulnerability Scan.
HIDS Agent Deployment. In USM 5.1, you can deploy HIDS agents directly while managing
the assets. See Deploying HIDS Agents.
Categorization. You can categorize your assets in many different ways by using filters and/or
labels.
Prioritization. You can prioritize your assets by assigning different asset values to them.
Monitoring. Availability monitoring in AlienVault USM allows two types of asset monitoring:
host monitoring and services monitoring. Host monitoring reports if an asset is up or down,
while services monitoring discovers services on an asset and monitors the availability of those
services.
Adding/Deleting. In addition to running asset discovery, you can also add or delete assets
manually.
Analysis. Analysis is essential to investigate the detected alarms, which may require knowing, for
instance, the software installed on an asset, the existing vulnerabilities, the users that have
access, or the traffic generated by an asset.
Proper asset management is necessary in order to make the most of the whole AlienVault USM
functionality. Keep in mind that not all assets have the same significance. Asset management
allows you to configure USM according to your needs.


Managing Assets

Adding Assets
There are several ways to add an asset or assets on a USM:
Adding Assets by Using the Getting Started Wizard
Adding Assets by Scanning for New Assets
Adding Assets by Using a CSV File
Adding Assets by Using SIEM Events
Adding Assets Manually

Note: In addition, the USM system inserts new assets automatically if they are identified via
passive asset monitoring, vulnerability scans (only when vulnerabilities are found), or
through IDM events.

Adding Assets by Using the Getting Started Wizard


The Getting Started Wizard is available on USM All-in-One during the initial setup. This wizard
includes the initial tasks for getting AlienVault USM ready for production. As a result, the wizard
collects as much data as possible to analyze and identify threats in your environment. One of these
tasks is to discover assets using a network scan through the following methods:
By scanning networks configured in a previous step of the Wizard.
By scanning networks imported from a CSV file.
By scanning networks added manually.
By importing assets from a CSV file.
By adding assets manually.
See Running the Getting Started Wizard for further information.

Adding Assets by Scanning for New Assets


This option scans the network for unidentified assets and adds them to the USM database so that
they can be monitored by the system.
You can choose to scan an asset, a few assets, an asset group, a network, or a network group.


Running a Scan for New Assets Manually


To run a scan for new assets
1. Navigate to Environment > Assets & Groups > Assets, click Add Assets and then Scan For
New Assets.

Figure 1. Assets: select option Scan for New Assets

2. Select the asset(s) you want to scan:


a) Click the + sign to expand the branches in the All Assets tree and click on your selection;
b) Alternatively, type the name of a specific asset/network in the search box, then press
Enter;
The selected asset appears in the text area on the left.
3. Select a sensor: Local (your framework machine), Automatic (the first available sensor is
selected), or a specific sensor.
4. Select the advanced options:
Table 1. Advanced options for asset scans

Advanced Options | Sub-options | Description

Scan Type | Ping | This option sends a ping to each asset.
Scan Type | Fast Scan | This option scans the most common 100 ports.
Scan Type | Normal | This option scans the most common 1000 ports.
Scan Type | Full Scan | This option scans all ports. It can be slow.
Scan Type | Custom | This option allows the user to define the ports to scan.
Timing Template | Paranoid | This option scans very slowly. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets.
Timing Template | Sneaky | This option is similar to paranoid mode, except it only waits 15 seconds between sending packets.
Timing Template | Polite | This option is meant to ease the load on the network and reduce the chance of crashing machines. It serializes the probes and waits at least 0.4 seconds in between.
Timing Template | Normal | This option is the default behavior, which tries to run as quickly as possible without overloading the network or missing hosts/ports.
Timing Template | Aggressive | This option adds a 5-minute timeout per host and it never waits more than 1.25 seconds for probe responses.
Timing Template | Insane | This option is only suitable for very fast networks or where you do not mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps.
Autodetect Services and Operating System | N/A | Choose this option to detect services and operating system versions.
Enable Reverse DNS Resolution | N/A | This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

5. Click Start Scan.


Figure 2. Scan for New Assets window

Once the scan is completed, the results are displayed in the same screen, just below the Start
Scan button:

Figure 3. Scan Results

6. Click Update Managed Assets in order to save the results in the database.
The following table displays the meaning of each column:


Table 2. Meaning of the columns in a scan result

Column Meaning

Check box to select items.

Host The IP address that identifies the host.

Hostname The name that identifies the host.

FQDN Fully Qualified Domain Name.

Device Types Type of device that identifies the host.

MAC MAC Address assigned to the host.

OS Operating System.

Services The names of the services assigned to that host.

FQDN as Hostname Choose this option to use FQDN as the hostname for the discovered assets. If
a FQDN contains any dot, only the name before the first dot will be used.

Scheduling an Asset Discovery Scan


Navigate to Environment > Assets & Groups > Schedule Scan > Asset Discovery Scan.

Figure 4. Schedule an Asset Discovery Scan

This screen includes the following elements:


Table 3. Meaning of the columns in the Asset Discovery Scan main window

Column Meaning

Name Name given to the scan.

Sensor The sensor that is watching that network.

Targets The network to be scanned.

Frequency The rate at which that scan is going to happen or is going to be repeated.

Enabled Indicates if the scan is enabled ( ) or not ( ).

Actions To modify ( ) or delete ( ) a scan.

Use this button ( ) to change information about an existing scan. Select the scan to be modified
and click the button. A window similar to Figure 5. Schedule a new Asset Scan will appear.
Modify the data you need and click Save.
Use this button ( ) to remove an existing scan. Select the scan to be deleted and click the button.
A confirmation message appears. Click Yes if you want to delete it; or No if you do not want to.
The Vulnerability Scans button takes you to the Environment > Vulnerabilities > Scan Jobs page.
Use the Schedule New Scan button to schedule a new Asset Discovery Scan.

To schedule a new scan

1. Click Schedule New Scan.

2. Enter a name for the new scan.

3. Enter the target network or networks to scan. You can type one unique CIDR (x.x.x.x/xx) or a
CIDR list separated by commas (CIDR1, CIDR2, CIDR).

4. Select a sensor.

5. Select the scan type. See Adding Assets by Scanning for New Assets for further
information.

6. Select the timing template. See Adding Assets by Scanning for New Assets for further
information.

7. Autodetect services and Operating System. Select this option to detect services and operating
system versions.


8. Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP
addresses. Normally reverse DNS is only performed against responsive (online) hosts.

9. Select the frequency at which the scan is going to happen or is going to be repeated. The
options are Hourly, Daily, Weekly or Monthly.

10. Click Save.

Figure 5. Schedule a new Asset Scan

Note: The results of scheduled asset discovery scans do not appear in the web interface. New
assets will be added automatically and existing ones will be updated if new properties are found.

Adding Assets by Using a CSV File


AlienVault USM allows users to import assets from a CSV file. In version 4.x and 5.x, the allowed
formats are the following:
IPs(IP1,IP2,...)*;Hostname;FQDNs(FQDN1,FQDN2,...);Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Types(Type1,Type2,...)
where


The IP field is mandatory.

The hostname syntax is defined by RFC 1123.

The FQDN syntax is defined by RFC 1035, RFC 1123 and RFC 2181.

Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS,
Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or iPhone.

For device type options, see Table 4. List of accepted device types.

Each CSV file must contain a header row:


IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type

Important: The delimiter of the CSV file is a semicolon.

For example,
IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;Host ID;External Asset;Device Type
192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server
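An added validator for the import format described above; it is example code, not the guide's or USM's own import logic. It applies the rules the guide states (semicolon delimiter, mandatory header row and IP field, RFC 1123 hostnames, the listed operating systems, the Table 4 device types) plus the Ignore invalid characters (Hostnames) option; treating External Asset as 0/1 follows the sample row and is an assumption, and Host ID, Latitude and Longitude are left unchecked because the guide gives no rules for them.

```python
import csv
import io
import ipaddress
import re

# Column order of the import file described in the guide (semicolon-delimited, header mandatory).
HEADER = ["IPs", "Hostname", "FQDNs", "Description", "Asset Value", "Operating System",
          "Latitude", "Longitude", "Host ID", "External Asset", "Device Type"]
VALID_OS = {"Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS", "Solaris", "Cisco",
            "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS", "SunOS", "Plan9", "iPhone"}
# Device types from Table 4. Endpoint and General Purpose list no sub-type there, so this
# validator accepts no string for them (an assumption).
VALID_DEVICE_TYPES = (
    {"Network Device:" + t for t in ("Router", "Switch", "VPN device", "Wireless AP", "Bridge",
                                     "Broadband Router", "Remote Management", "Storage", "Hub",
                                     "Load Balancer", "Firewall")}
    | {"Industrial Device:PLC", "Media Device:Game Console", "Mobile:Mobile", "Mobile:Tablet",
       "Mobile:PDA", "Mobile:VoIP Phone", "Peripheral:Printer", "Peripheral:Camera",
       "Peripheral:Terminal", "Security Device:Intrusion Detection System",
       "Security Device:Intrusion Prevention System"}
    | {"Server:" + t for t in ("HTTP Server", "Mail Server", "Domain Controller", "DNS Server",
                               "File Server", "Proxy Server", "PBX", "Print Server",
                               "Terminal Server", "VoIP Adapter")}
)
# One RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    return bool(LABEL_RE.match(name))


def valid_fqdn(fqdn):
    # RFC 1035 caps the whole name at 253 characters and each label at 63.
    return 0 < len(fqdn) <= 253 and all(LABEL_RE.match(label) for label in fqdn.split("."))


def validate_row(fields, ignore_invalid_hostname_chars=False):
    """Return the list of errors for one data row; an empty list means the row is valid."""
    if len(fields) != len(HEADER):
        return ["expected %d fields, got %d" % (len(HEADER), len(fields))]
    ips, hostname, fqdns, _desc, value, os_name, _lat, _lon, _hid, external, dtypes = \
        [f.strip() for f in fields]
    errors = []
    if not ips:
        errors.append("IP field is mandatory")
    for ip in filter(None, (i.strip() for i in ips.split(","))):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append("invalid IP %r" % ip)
    if hostname:
        if ignore_invalid_hostname_chars:  # the 'Ignore invalid characters (Hostnames)' option
            hostname = re.sub(r"[^A-Za-z0-9-]", "", hostname)
        if not valid_hostname(hostname):
            errors.append("invalid hostname %r" % hostname)
    for fqdn in filter(None, (f.strip() for f in fqdns.split(","))):
        if not valid_fqdn(fqdn):
            errors.append("invalid FQDN %r" % fqdn)
    if value and not (value.isdigit() and 0 <= int(value) <= 5):
        errors.append("asset value must be an integer from 0 to 5")
    if os_name and os_name not in VALID_OS:
        errors.append("unknown operating system %r" % os_name)
    if external and external not in ("0", "1"):  # 0/1 as in the guide's sample row (assumption)
        errors.append("external asset must be 0 or 1")
    for dtype in filter(None, (d.strip() for d in dtypes.split(","))):
        if dtype not in VALID_DEVICE_TYPES:
            errors.append("unknown device type %r" % dtype)
    return errors


def validate_csv(text, ignore_invalid_hostname_chars=False):
    """Check a whole file; returns (line, status, details) tuples like the import summary."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    if not rows or [f.strip() for f in rows[0]] != HEADER:
        return [(1, "Error", "header row missing or malformed")]
    summary = []
    for line_no, fields in enumerate(rows[1:], start=2):
        if any(f.strip() for f in fields):  # skip blank lines
            errors = validate_row(fields, ignore_invalid_hostname_chars)
            summary.append((line_no, "Error" if errors else "OK", "; ".join(errors)))
    return summary


# Constructed sample: the guide's example row plus one deliberately broken row.
SAMPLE_CSV = (
    "IPs;Hostname;FQDNs;Description;Asset Value;Operating System;Latitude;Longitude;"
    "Host ID;External Asset;Device Type\n"
    "192.168.10.3;Host1;www.example-1.es,www.example-2.es;This is a test server.;2;Windows;"
    "23.78;121.45;379D45C0BBF22B4458BD2F8EE09ECCC2;0;Server:Mail Server\n"
    ";bad host;;;;Ubuntu;;;;;Server:Web\n"
)
```

Running validate_csv(SAMPLE_CSV) reports line 2 as OK and line 3 with four errors, mirroring the Line/Status/Details summary the import screen shows.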

Table 4. List of accepted device types

Category Device Type

Network Device Network Device:Router


Network Device:Switch
Network Device:VPN device
Network Device:Wireless AP
Network Device:Bridge
Network Device:Broadband Router
Network Device:Remote Management
Network Device:Storage
Network Device:Hub
Network Device:Load Balancer
Network Device:Firewall


Endpoint n/a

General Purpose n/a

Industrial Device Industrial Device:PLC

Media Device Media Device:Game Console

Mobile Mobile:Mobile
Mobile:Tablet
Mobile:PDA
Mobile:VoIP Phone

Peripheral Peripheral:Printer
Peripheral:Camera
Peripheral:Terminal

Security Device Security Device:Intrusion Detection System


Security Device:Intrusion Prevention System

Server Server:HTTP Server


Server:Mail Server
Server:Domain Controller
Server:DNS Server
Server:File Server
Server:Proxy Server
Server:PBX
Server:Print Server
Server:Terminal Server
Server:VoIP Adapter


To add assets by using a CSV file

1. Navigate to Environment > Assets & Groups > Assets, click Add Assets and then, Import
CSV (see Figure 1. Assets: select option Scan for New Assets).

2. Click Choose File and select a CSV file. Click the square next to Ignore invalid characters
(Hostnames) if you want to ignore them.

Important: The header row and the IP fields are mandatory.

When the CSV file does not include a header, the following error appears:

Figure 6. Import Assets from CSV: error

3. Click Import.

The import results are displayed.


This table shows the number of assets imported, and the number of errors and warnings that
occurred during the import.
Next, there is the summary of the import. The table includes three fields: Line, Status and
Details. Line indicates the line number in the CSV file. Click the Status column to sort. The
icon appears when the status is Warning or Error. Click this icon to read specific
information about that warning or error.
The imported assets appear in the asset list view, see Figure 9. Asset List View.

4. Click New Importation to import more assets from a CSV file or close the window by clicking
on the icon located at the upper-right side ( ).

Adding Assets by Using SIEM Events


AlienVault USM allows the user to import hosts from SIEM events. This option checks the events
and networks and automatically imports all assets that are found.

1. Navigate to Environment > Assets & Groups > Assets.

2. Click Add Assets and then, Import From SIEM.

3. Click View Log if you want to read the log file.

4. Click Import to transfer the assets that were found. Or click Cancel to exit this window.

Assets are imported 25,000 at a time. Therefore, when more than 25,000 hosts are found, you will
need to repeat step #1 to #3 until all assets have been imported.

Figure 7. Assets: import assets from SIEM events (batches of 25,000 assets)

Adding Assets Manually


Follow the instructions below to add assets manually:

1. Navigate to Environment > Assets & Groups > Assets.


2. Click Add Assets, and then Add Host.

The New Asset window displays.

Figure 8. Assets: create a new asset

3. Fill out the fields:

Table 5. Create a new asset: meaning of the fields

Field Meaning

Name This is a label that identifies the asset. This field is mandatory.


IP Address This field denotes the IP address of the asset. This field is mandatory.

Asset Value This is a value assigned to the asset. This field is mandatory. See What is
Asset Value for further information.

External Asset Indicates if this asset is external (publicly facing) (Yes) or internal (No). This field
is mandatory.

Sensors This shows the USM sensor or sensors monitoring this asset. This field is
mandatory.

There are optional fields. Although it is not compulsory to fill out these fields, it is recommended
that you do so, because they enable filtering, for example for threats on Windows systems. The
optional fields are the following:
Table 6. Create a new asset: meaning of the optional fields

Field Meaning

FQDN/Aliases This field contains the domain name that specifies its exact location in the tree
hierarchy of the Domain Name System (DNS).

Operating System This field specifies the operating system on the asset.

Description This field provides a short description of the asset.

Icon This field allows you to associate an image with the asset. The accepted image
size is 400x400 and the allowed formats are png, jpg or gif.

Location You can specify the location of this asset. The written location appears on the
map. You can also use latitude and longitude to locate the place.

Model This field is used to specify the model that identifies the asset.

Device Types Select a device type and click Add.

Important: While naming an asset in the USM, keep the following rules in mind:
An asset name cannot contain any dot (.)
An asset name cannot start or end with a dash (-)
An asset name cannot contain a space
An asset name can start or end with a letter or a number
An asset name can be up to 63 characters

4. Click Save.

The Asset Details window appears (see Figure 24. Assets: view details of an asset).

5. Alternatively, click (at the right upper corner) to exit this window without saving any changes.

Knowing Your Assets


AlienVault USM provides a centralized view for your assets on Environment > Assets & Groups >
Assets. We call this the Asset List View. In this window the following are available:
Adding Assets
Deleting Assets
Exporting Assets
Searching / Filtering for Assets
Editing Your Assets
Labeling Your Assets
Viewing the Status of Your Assets
Performing Actions on Your Assets


Figure 9. Asset List View

Searching / Filtering for Assets


You can either search or filter for your assets on the asset list view. Simply type what you are
looking for in the search field. The system will search on hostname & FQDN if you enter text, or IP
& CIDR if you enter an IP address.
Below the search box there are some filters. The search filters are the following:
Table 7. Search filters in the asset list view

Filter Name Meaning

Has Alarms It allows searching for assets with alarms.

Has Events It allows searching for assets with events.

Vulnerabilities It allows searching for assets with vulnerabilities. By default, it includes all
severity levels: Info, Low, Medium, High and Serious. Slide the bar to exclude
one or more levels.

Asset Value It allows searching for assets with a specific asset value or values. By default it
includes asset values from 0 to 5. Slide the bar to exclude one or more values.

HIDS Status It allows searching for assets with HIDS connected, disconnected or not
deployed.

Availability Status It allows searching for assets that are running (Up), not running (Down) or
availability monitoring not configured (Unconfigured).

Show Assets Added It allows searching for assets based on the date when they are added.

Last Updated It allows searching for assets based on the date when they are last updated.

The More Filters button allows the user to add more filters:

Figure 10. Assets: Network tab for the MORE FILTERS screen
This screen includes several tabs. Each tab shows its specific data that can be used for filtering:
Table 8. Search filters in the Assets screen: More filters button

Filter Name Meaning

Network Use this tab to filter assets by network name or network CIDR.

Group Use this tab to filter assets by asset group name.

Sensor Use this tab to filter assets by the sensor.

Device Type Use this tab to filter assets by their device types.

Service Use this tab to filter assets by the services running on them.

Operating System Use this tab to filter assets by their operating system.

Software Use this tab to filter assets by the software running on them.


Model Use this tab to filter assets by their hardware model.

Label Use this tab to filter assets by their label.

Location Use this tab to filter assets by their location.

Plugin Use this tab to filter assets by the plugin. You can filter by several plugins at the
same time or choose the option No Plugin Enabled.

There is a search field located at the top left of each tab. This is useful when there are many items
in a tab. It allows executing a search among all of them. The icon is used to delete the search
term that you entered.
Click Apply to start the search.
Click Cancel or the icon ( ) located at the top right side of the window to finish the addition of
filters.
When applying the filters, the search uses a logical AND operator when the filters are different. For
example, the following search looks for assets that have alarms and events and were added during
the last day:

Figure 11. Detail of Assets Screen: Example of the logical AND


However, when the filter is of the same type, the Pvt_010 network or the Pvt_172 network in the
following example, the logical OR operator is used:

Figure 12. Detail of Assets Screen: Example of the logical OR


Use the button Clear All Filters to start a new filter. Or click on the cross icon of each filter if you
want to remove only that filter.
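The search and filter semantics described above (text matches hostname and FQDN, an IP or CIDR matches asset IPs, OR within one filter type and AND across types), as an added Python example; it is not USM code, and the asset inventory, hostnames and network names are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

NOW = datetime(2015, 10, 2, 12, 0)  # fixed "current time" so the example is deterministic

# Constructed inventory (not from the guide): the attributes the search box and filters act on.
ASSETS = [
    {"hostname": "Host1", "fqdn": "mail.example-1.es", "ip": "192.168.10.3", "network": "Pvt_010",
     "has_alarms": True, "has_events": True, "added": NOW - timedelta(hours=3)},
    {"hostname": "Host2", "fqdn": "web.example-1.es", "ip": "192.168.10.7", "network": "Pvt_010",
     "has_alarms": False, "has_events": True, "added": NOW - timedelta(days=10)},
    {"hostname": "fw-edge", "fqdn": "", "ip": "172.16.0.1", "network": "Pvt_172",
     "has_alarms": True, "has_events": True, "added": NOW - timedelta(days=3)},
    {"hostname": "printer", "fqdn": "", "ip": "10.1.1.20", "network": "Pvt_010_b",
     "has_alarms": False, "has_events": False, "added": NOW - timedelta(hours=1)},
]


def search(assets, term):
    """Search box behaviour: an IP or CIDR matches asset IPs; any other text matches
    hostname or FQDN (case-insensitive substring)."""
    try:
        net = ipaddress.ip_network(term, strict=False)  # a bare IP becomes a /32 (or /128)
    except ValueError:
        t = term.lower()
        return [a for a in assets if t in a["hostname"].lower() or t in a["fqdn"].lower()]
    return [a for a in assets if ipaddress.ip_address(a["ip"]) in net]


# One predicate per filter type; v is one selected value of that filter.
PREDICATES = {
    "has_alarms": lambda a, v: a["has_alarms"] == v,
    "has_events": lambda a, v: a["has_events"] == v,
    "network": lambda a, v: a["network"] == v,
    "added_within": lambda a, v: a["added"] >= NOW - timedelta(days=v),  # v = number of days
}


def apply_filters(assets, filters):
    """filters maps a filter type to the list of values selected for it.
    Values of the same type are ORed (any may match); different types are ANDed (all must)."""
    return [a for a in assets
            if all(any(PREDICATES[kind](a, v) for v in values) for kind, values in filters.items())]


def hostnames(assets):
    return sorted(a["hostname"] for a in assets)


if __name__ == "__main__":
    # Figure 11: has alarms AND has events AND added during the last day -> Host1 only
    print(hostnames(apply_filters(ASSETS, {"has_alarms": [True], "has_events": [True],
                                           "added_within": [1]})))
    # Figure 12: network Pvt_010 OR network Pvt_172 -> Host1, Host2, fw-edge
    print(hostnames(apply_filters(ASSETS, {"network": ["Pvt_010", "Pvt_172"]})))
```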

Viewing the Status of Your Assets


The result of a search is displayed in the table of assets. In addition, the number of assets that
meet the selected filters is indicated.

Figure 13. Detail of a search in the asset list view

The table of assets includes the following columns:


Table 9. Columns in the table of assets

Column Meaning

( ) Used to select assets. It is possible to select assets from multiple pages and
apply an action.

Hostname Name of the asset.

IP IP associated with the asset.

Device Type Device type associated with the asset.

Operating System Name of the Operating System associated with the asset.

Asset Value The value that has been set for that asset.

Vuln Scan Scheduled This column indicates whether a vulnerability scan has been scheduled and
enabled or not.

HIDS Status This column indicates the HIDS status for that asset (Connected,
Disconnected or Not Deployed).

( ) This button opens the details of that asset.

Click on an asset to check the status of that asset:

Figure 14. Expanded details of an asset


Table 10. Meaning of the colors in an expanded view of an asset

Type Color Meaning

Vulnerabilities Gray The asset has no vulnerabilities.

Green The asset contains Info level vulnerabilities.

Yellow The asset contains 1 or more 'Low' and/or 'Medium' vulnerabilities.

Red The asset contains 1 or more Serious and/or High vulnerabilities.

Alarms Gray There are no alarms on this asset.

Yellow The asset contains alarms with risk between 1 and 5.

Red The asset contains alarms with risk greater than 5.

Events Gray There are no events on this asset.

Yellow This asset contains low and/or medium risk events.

Red This asset contains high risk events.

Availability Gray The availability status of this asset is not enabled and/or pending status.

Green The availability status of this asset is up.

Yellow The availability status of this asset is unreachable.

Red The availability status of this asset is down.

Services Gray Availability monitoring has not been enabled and/or pending status for 1
or more services.

Green The availability status is up for 75-100% of the ports/services on this asset.

Yellow 1 or more services on this asset have an unknown status.

Red There is a Critical and/or Warning status on 1 or more services on this asset.

Groups Gray Displays the number of groups the asset belongs to.

Notes Gray Displays the number of notes on this asset.

Labeling Your Assets


Labels are used to manage assets.

Select the asset(s) you want to label and click the icon ( ).

Figure 15. Assets: labels

The symbols that can appear next to a label are the following:
( ) This icon means that the label has been applied to some of the selected assets.

( ) This icon means that the label has been applied to all of the selected assets.

( ) This icon means that the label has not been applied to any of the selected assets.

The link Manage Labels is used to control labels:

Figure 16. Assets: manage labels

Select a label, change the name if you want and click Save.

Editing Your Assets


It is possible to modify a field in multiple assets at the same time:

1. Select the assets you want to modify.

2. Click Actions and then Edit.

Figure 17. Assets: edit an asset

3. Modify the fields.

4. Click Save and the field with new information will be modified in the selected assets at the
same time.

Important: All user-defined property values have higher priority over those detected by
other tools used in the USM, such as software inventory, HIDS, passive and/or active asset
discovery. The AlienVault systems are recognized as "AlienVault OS".

Performing Actions on Your Assets


You can perform certain actions, such as running an asset scan or running a vulnerability scan, on
one or multiple assets from the asset list view (Environment > Assets & Groups). However, these
actions are not enabled until you have selected your asset(s).

Selecting Assets on the Asset List View


To select a single asset, check the square to the left of the hostname of the asset.
To select multiple assets, check the squares one by one. You can navigate to the next page and
select more assets. The selection on the previous page is preserved.
To select all the assets on the same page, check the square in the first column of the header row.
To select all the assets returned from a search, or all the assets in the system, first select all the
assets on the page. The text You have selected 20 assets. Select 18,334 assets. appears above
the asset table, where 18,334 stands for the number of assets in the system. Click the Select 18,334
assets. text. This will select all the assets.

Figure 18. Assets: select all assets at the same time

Once the assets are selected, you can perform one of these actions:
Editing Your Assets
Deleting Assets
Running Asset Scan
Running Vulnerability Scan
Deploying HIDS Agents
Enabling Availability Monitoring
Disabling Availability Monitoring
Creating or Adding to an Asset Group
Adding a Note

Figure 19. Assets: actions menu

Running Asset Scan


This option allows the user to scan assets. When the scan finds new assets they are added to the
system automatically.
1. Select the assets.

2. Click Actions > Run Asset Scan.

The Asset Scan window appears:

Figure 20. Running Assets Scan Window

3. Select an option for Scan type and Timing template, and check Autodetect services and
Operating System if you want to activate that option. There is an explanation of these
advanced options in Adding Assets by Scanning for New Assets.

Note:
There are 3 icons that can appear in the status field:
( ), which means the scan can be started.
( ), which means those assets cannot be scanned because the sensor is not connected at
that moment.
( ), which means the system is busy with other scan jobs.

4. Click Start Scan.

5. A message appears. For example, Asset Scan in progress for 3 assets, or for the number of
assets that you selected.

6. If the scan finds new assets, they will be added to the system automatically.

Running Vulnerability Scan


1. Select the assets.

2. Click Actions > Run Vulnerability Scan.

3. The Vulnerability Scan window appears.

4. Enter a name to identify the vulnerability scan.

5. Select a sensor. There can be up to 5 concurrent scans per USM Sensor.

6. Select a profile:

Table 11. Vulnerability Scan: profile

Profile Meaning

Deep This is a non-destructive full and fast scan.

Default This scan can be used if the scanned system breaks or crashes when
overwhelmed with scanning requests.

Ultimate This is a full and fast scan, including destructive tests. It includes dangerous
stress tests that can crash the scanned system (for example, filling a network
switch's memory with random MAC addresses).

7. Select a schedule method:

Table 12. Vulnerability Scan: Schedule Method

Schedule Method Meaning

Immediately The scan job will be done without delay.

Run Once Schedule a scan job on a specific day and time, and run it only once.

Daily Schedule a scan job every x days beginning on a specific day.

Day of the Week Schedule a scan job on a specific day of the week.

Day of the Month Schedule a scan job on a specific day of the month.

Nth weekday of the month Schedule a scan job on a specific day and week of a month.

8. Optionally, extend Advanced to reveal the following options:

Table 13. Vulnerability Scan: Advanced Options

Advanced Options Meaning

SSH Credential Checks the patch level and installed software versions on various Linux
and UNIX distributions.

SMB Credential Checks the patch level of Windows systems.

Timeout Enter the maximum number of seconds that the scan can run.

Send an email notification Click No if you do not want to send an email notification; or click Yes to
send an email notification then select a user or an entity.

9. Select Only scan hosts that are alive to speed up the scanning process.

10. Select Pre-Scan locally if you do not want to pre-scan from a remote sensor.

11. Select Do not resolve names if you do not want to resolve hostnames or FQDN.

12. Click New Job to create the vulnerability scan or Cancel to exit this window.

Figure 21. Assets: Run a Vulnerability Scan

Deploying HIDS Agents

Deployment Prerequisites
A Windows system (XP, 7, 8, 10, Server 2003, 2008 or 2012).
A user account with administrator privileges on the Windows system.
Operating System specific settings:

Table 14. Deploying HIDS Agents: Operating System specific settings

Operating Systems Configuration Steps

Windows XP 1. Go to Control Panel > Folder Options > View. Uncheck Use simple file
sharing.
2. Go to Control Panel > Windows Firewall > Exceptions. Check File and
Printer Sharing.

Windows 7 1. Go to Control Panel > Folder Options > View. Uncheck Use Sharing
Wizard (Recommended).
2. Go to Control Panel > System and Security> Windows Firewall >
Advanced Settings > Inbound Rules. Allow rule File and Printer
Sharing (SMB-In).
3. Go to Control Panel > User Accounts > Change User Account
Control Settings. Move the slider to Never notify.

Windows Server 2003, 2008 R2 and 2012 R2 1. Go to Control Panel > Windows Firewall > Advanced Settings >
Inbound Rules. Allow rule File and Printer Sharing (SMB-In).
2. Allow NTLMv2 security. Execute gpedit.msc. Go to Local Security >
Computer Configuration > Windows Settings > Security Settings > Local
Policies > Security Options and change:
Network Security: Minimum session security for NTLM SSP based
(including secure RPC) clients > Require NTLMv2 session security,
Require 128-bit encryption.
Network Security: Minimum session security for NTLM SSP based
(including secure RPC) servers > Require NTLMv2 session
security, Require 128-bit encryption.
Network Security: LAN Manager Authentication level > Send
NTLMv2 response only. Refuse LM & NTLM.

Windows 8 and 10 1. Go to Control Panel > Folder Options > View. Uncheck Use Sharing
Wizard (Recommended).
2. Go to Control Panel > System and Security> Windows Firewall >
Advanced Settings > Inbound Rules. Allow rule File and Printer
Sharing (SMB-In).
3. Go to Control Panel > User Accounts > Change User Account
Control Settings. Move the slider to Never notify.
4. Set User Account Control: Run all administrators in Admin Approval
Mode to Disabled.
This option is recommended by Dell, because it is more secure and can
be centrally configured using GPO.
To find this setting, open the Group Policy (type secpol.msc into the
Search programs and files field under the Start menu), then go to Local
Policies > Security Options. Restart the device after applying the
settings.

Important: The HIDS agent status is not shown in real time. It is updated in the
background every hour.

Bulk Deployment Constraints


The selected assets can be accessed via the same credentials.
The selected assets are Windows based.
If none of the assets are Windows based, the HIDS agents are not deployed. A warning
message displays instead.
If some of the assets are Windows based, you will have 3 options:
Table 15. Bulk Deployment Constraints: Windows based options

Advanced Options Meaning

Cancel Cancel the deployment and go back to the asset list view.

View these assets Cancel the deployment and view the non-Windows assets in the asset
list view.

Continue Continue with the deployment on the Windows assets.

To deploy HIDS agents


1. Select the assets.

2. Click Actions > Deploy HIDS Agents.

Figure 22. Deploy HIDS Agents

3. Fill out the fields. Domain is optional. The user accounts must have administrator privileges.

4. Click Deploy.

HIDS agents will be deployed on the selected asset(s). For every deployment attempt, the system
will generate a message in the Message Center with the result (success or failure).

Legacy HIDS Agents


If this is an upgrade from a previous version of USM, you may already have some HIDS agents
deployed. The system will try to link legacy HIDS agents with an asset. If the IP address of the
HIDS agent is not present in the inventory, the system will create a new asset with that IP address.
If the system does not have enough information to link the HIDS agent with an asset, a message is
shown in the Message Center, and you should link the asset manually.
To connect an HIDS agent with an asset
1. Go to Environment > Detection > HIDS > Agents.
The list of HIDS agents displays.
2. Select the HIDS agent without a value in the Asset column and click the link icon ( ).
The Connect an Asset to HIDS Agent window pops up.
3. Type in the IP address of the asset or select it from the asset tree.
4. Click Save.
A confirmation message displays.
5. Click Yes.

Enabling Availability Monitoring


1. Select the assets.

2. Click Actions > Enable Availability Monitoring.

Availability monitoring will be enabled on the selected asset or assets.

Disabling Availability Monitoring


1. Select the assets.

2. Click Actions > Disable Availability Monitoring.

Availability monitoring will be disabled on the selected asset or assets.

Creating or Adding to an Asset Group


1. Select the assets.

2. Click Actions > Create / Add to Group.

This option allows the user to create an asset group or add the selected assets to an existing asset group.

Figure 23. Assets: create or add to a group

The Search field is used to find an existing group.

To add assets to an existing group, locate the group and click the icon ( ) in the Actions column
(see Knowing Your Assets Groups).

The box labeled New Group is used to create a new group. Enter a group name and click the
icon ( ) to create that group (see Creating Asset Groups).

Adding a Note
1. Select the assets.

2. Click Actions > Add Note.

3. Enter a note for the assets, click Save.

Viewing Asset Details


Do one of the following to view the specific information of an asset:
Click the Details button ( ).
Double click on the line of that asset.

Figure 24. Assets: view details of an asset

This screen displays the following information:


Table 16. Meaning of the columns in the Asset Details window

Field Meaning

Hostname The name that identifies the asset. The IP and the MAC address of this asset
are displayed underneath.

Label Label or labels applied to this asset (see Labeling Your Assets).

Asset Value This is a value assigned to the asset. See What is Asset Value for further
information.

Device Type Device type of the asset.

Networks The network associated with this asset.

Sensors This shows the USM sensor or sensors monitoring this asset.

Model This field specifies the model that identifies the asset.

Asset Type This field indicates if this asset is external (publicly facing) (Yes) or internal (No).
This field is mandatory.

Status Summary This field displays the status of the asset in a graphical view. Hover your mouse
within each circle to see what it means. Clicking on the specific circle will
activate the corresponding tab in the table area below, where you can
investigate more details. See Table 10. Meaning of the colors in an expanded
view of an asset.

Description This field provides a short description of the asset.

Table Area See Table Area for further information.

Actions This is a button that allows you to access selected functions (see Performing
Actions on Your Assets).

Asset Location Geographical location of this asset.

Environment Status See Environment Status for further information.

Suggestions See Suggestions for further information.

Table Area
The table area appears at the bottom of the screen. This menu includes the following options:
Vulnerabilities. This table displays vulnerabilities related to the asset. The fields are Scan
Time, Asset, Vulnerabilities, Vuln ID, Service, and Severity.
Alarms. This table displays alarms associated with this asset. The fields are Date, Status,
Intent & Strategy, Method, Risk, Source, and Destination. The button brings you to the
Alarm Details page.
Events. This table displays events related to this asset. The table includes the following fields:
Date, Signature, Source, Destination, Sensor, and Risk. The button brings you to the Event
Details page.
Software. This option indicates if the asset has some software installed. The fields are IP
Address, Name, Date, and Source. Use the vertical scroll bar, if necessary, to see all rows. You
can use the Edit Software button to add, modify and/or delete software.
Services. This option displays a table that shows the services related to the asset. The fields
are IP Address, Port, Protocol, Name, Status, and Monitoring. You can use the Edit Services
button to add, modify and/or delete services. While in the Edit Services window, if you want to
enable or disable availability monitoring for a service, select the service first, and then choose
enable or disable from the Availability Monitoring dropdown menu.
Plugins. This table displays the plugins that are enabled for this asset. The fields are Asset,
Vendor, Model, Version, Sensor, and Receiving Data. The last field indicates if the plugin is
receiving data from this asset. The Edit Plugin button is used to select the vendor, model and
version of the device. All three fields are required. Once they are selected, the button Add
Plugin appears. It is possible to enable multiple plugins in USM 5.1. You can add as many as
10 plugins to a single asset. If the asset is related to multiple sensors, a dropdown menu displays
for you to choose on which sensor this plugin should be enabled.

Note: The Plugin table is not available on the localhost because the default plugins have
already been activated.
You can enable up to 10 plugins per asset and up to 100 plugins per USM Sensor.

Properties. This option displays information relating to the asset properties. The fields are IP
Address, Type, Property, Date, and Source. You can use the Edit Properties button to modify
or add an entry. To add a property:
1. Choose a type.
2. Enter the property.
3. Click Lock property to avoid it being modified by automatic processes.
4. Click Save.
Netflow. This option displays a table which includes information about netflows related to that
asset. This table includes the following fields: Date Flow Start, Duration, Protocol, Source,
Destination, and Flags.
Groups. This option displays the groups to which that asset belongs. The fields are Name,
Owner, and Assets. The button goes to the Asset Groups detail page (see Managing
Asset Groups) and the Add To Group button is used to add the asset to an asset group.

Environment Status
At the right side, you'll find the following links:
HIDS. This link refers to the intrusion detection system that monitors and analyzes the
internals of a computing system as well as (in some cases) the network packets on its network
interfaces. Clicking the link takes you to Environment > Detection > HIDS. The circle next to
this field can appear in 4 different colors:
Table 17. Environment Status: HIDS colors and meanings

Field Meaning

GREEN It means that the HIDS agent is deployed with status Active or Active/Local.

YELLOW It means that the HIDS agent is deployed with status Disconnected.

RED It means that the HIDS agent is deployed with status Never Connected.

GREY It means that no HIDS agent is deployed.

Automatic Asset Discovery. This link indicates if there are any pending scans for that host.
Clicking the link takes you to Environment > Assets & Groups > Schedule Scan. The circle
next to this field can appear in 3 different colors:

Table 18. Environment Status: Automatic Asset Discovery colors and meanings

Field Meaning

GREEN It means that all IPs associated with that asset are scheduled to be scanned.

YELLOW It means that some IPs associated with that asset are scheduled to be scanned, but not all
of them.

RED It means that none of the IPs associated with that asset are scheduled to be scanned.

Vuln Scan Scheduled. This link indicates if there is any vulnerability scan scheduled for that
host. Clicking the link takes you to Environment > Vulnerabilities > Scan Jobs. The circle next
to this field can appear in 2 different colors:

Table 19. Environment Status: Vulnerabilities Scan Scheduled colors and meanings

Field Meaning

GREEN It means there is a scheduled scan for the asset.

RED It means there is no scheduled scan for the asset.

See Network Activity. This link displays the network usage of the IP address associated with
this asset. This page can be blank if no activity is detected.

Suggestions
This section shows suggestions related to that asset. These suggestions can be informative,
warning or error messages. Click the message to see the details.

Exporting Assets
Navigate to Environment > Assets & Groups > Assets, select the assets you want to export, and
click the button on the right side of the screen. The name of the exported file has the following
structure:
Assets__yyyy-mm-dd.csv

Deleting Assets
Navigate to Environment > Assets & Groups > Assets, select the asset(s) you want to delete, and
click Actions > Delete:

Figure 25. Assets: select an asset to delete

A new window appears confirming the deletion:

Figure 26. Assets: confirm the deletion

Managing Asset Groups


Asset groups are administratively created objects that group similar assets for specific purposes.
Assets are grouped based on IP addresses and networks that are monitored by AlienVault.
Grouping based on IP addresses allows for easier search and management of assets.
For example, you could group all network firewalls, or all servers running a particular operating
system. Such groups are useful when performing various tasks, such as vulnerability assessment
or asset discovery, or when you are interested only in events coming from specific devices.
Grouping of assets is possible based on various properties, including:
Asset Value
Network
Software running on assets
Sensor that monitors assets
Device type of asset
Open port or services running on assets
Location of assets

Creating Asset Groups


There are two ways to create an asset group:
Select assets first, and then create the group. See Creating or Adding to an Asset Group.
Create the asset group first, and then add assets to it.

For the second approach, follow the instructions below:


1. Navigate to Environment > Assets & Groups > Asset Groups.
2. Click Create New Group.

Figure 27. Create an Asset Group

3. Enter a name for the new group. An asset group name is required. Optionally, enter a
description for the group.

4. Click Save.

Figure 28. Create an Asset Group: group details

5. Click Add Assets.

Figure 29. Create an Asset Group: adding assets

6. Click this button ( ) to add that asset to the group.

7. Close this window and the added asset will appear in the group.

Knowing Your Assets Groups


AlienVault USM provides a centralized view for managing your asset groups. This view is on
Environment > Assets & Groups > Asset Groups. It has the same look and feel as the asset list
view. The functionalities available are the same as well. The difference is that in this view, you are
managing asset groups instead of assets.

Figure 30. Asset Groups List View

Click on an asset group to view the status of that group:

Figure 31. Expanded details of an asset group

Table 20. Meaning of the colors in an expanded view of an asset group

Type Color Meaning

Assets Gray Displays the number of assets that are part of the group.

Vulnerabilities Gray The asset group has no vulnerabilities.

Green The asset group contains Info level vulnerabilities.

Yellow The asset group contains 1 or more 'Low' and/or 'Medium' vulnerabilities.

Red The asset group contains 1 or more Serious and/or High vulnerabilities.

Alarms Gray There are no alarms on this asset group.

Yellow The asset group contains alarms with risk between 1 and 5.

Red The asset group contains alarms with risk greater than 5.

Events Gray There are no events for this asset group.

Yellow The asset group contains low and/or medium risk events.

Red The asset group contains high risk events.

Availability Gray The availability status of this group is not enabled and/or pending status.

Green The availability status is up for 95-100% of assets in this group.

Yellow The availability status is up for 75-95% of assets in this group.

Red The availability status is up for less than 75% of assets in this group.

Services Gray The availability monitoring has not been enabled and/or pending status for
1 or more services.

Green The availability status is up for 75-100% of the ports/services on this group.

Yellow 1 or more services in this group have an unknown status.

Red There is a Critical and/or Warning status on 1 or more services for this
group.

Notes Gray Displays the number of notes on this group.

Performing Actions on Your Asset Groups


The actions you can perform on asset groups work the same way as those on assets. The difference
is that you perform these actions on asset group(s) instead of assets. See Performing Actions on
Your Assets.

Figure 32. Asset Groups: actions menu

Viewing Details of Your Asset Groups


Do one of the following to view the specific information of a group:
Click the Details button ( ).
Double click on the line of that group.

Figure 33. Assets Groups: view details of a group

This window includes the same information as the one for assets (see Table 16. Meaning of the
columns in the Asset Details window) except for the following:

The export button ( ), which is used to export assets from a group to a CSV file. The name of
the exported file has the following structure: Assets_from_group_groupID__yyyy-mm-dd.csv

Environment Status links.


HIDS. Clicking the link takes you to Environment > Detection > HIDS. The circle next to
this field can appear in 4 different colors:
Table 21. Environment Status: HIDS colors and meanings

Field Meaning

GREEN It means that all the assets in this group have HIDS agents deployed and all of them are
active.

YELLOW It means that some of the assets in this group have HIDS agents deployed but not all of
them are active.

RED It means that some of the assets in this group have HIDS agents deployed but they are not
connected.

GREY It means that none of the assets in this group have HIDS agents deployed.

Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups
> Schedule Scan. The circle next to this field can appear in 3 different colors:
Table 22. Environment Status: Automatic Asset Discovery colors and meanings

Field Meaning

GREEN It means that all the assets in this group are scheduled to be scanned.

YELLOW It means that some of the assets in this group are scheduled to be scanned.

RED It means that none of the assets in this group are scheduled to be scanned.

Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities >
Scan Jobs. The circle next to this field can appear in 2 different colors:

Table 23. Environment Status: Vuln Scan Scheduled colors and meanings

Field Meaning

GREEN It means that all the assets in this group have a vulnerability scan scheduled.

RED It means that none of the assets in this group have a vulnerability scan scheduled.

Managing Networks
Networks are configuration objects that specify which parts of an organization are monitored by
AlienVault USM. Networks also specify which assets will be imported during asset discovery. Only
assets that correspond to a configured network will be imported into the asset management
system. Assets are grouped based on IP addresses and configured networks for easier asset
navigation and management.

Creating a Network
There are two ways to create a network in USM: manually or by importing a CSV file.

Creating a Network Manually


Follow the instructions below to add a network manually:

1. Navigate to Environment > Assets & Groups > Networks.

2. Click Add Network and then, Add Network.

Figure 34. Networks: create a new network

3. Fill out the fields:

Table 24. New Network: meaning of the fields

Field Meaning

Name This is a label that identifies the network. This field is mandatory.

CIDR Classless Inter-Domain Routing notation, a method for allocating IP addresses and routing
Internet Protocol packets. Here it is the range of IP addresses that defines the network. This
field is mandatory.

Sensors This field indicates the sensor related to that network. This field is mandatory.

Asset value This is a value assigned to the network. This field is mandatory. See What is Asset
Value for further information.

External Asset This choice indicates if this asset is external (publicly facing) (Yes) or internal (No).
This field is mandatory.

There are optional fields. Although it is not compulsory to fill out these fields, it is recommended to
do it for filtering. The optional fields are the following:

Table 25. New Network: meaning of the optional fields

Field Meaning

Owner This field identifies the owner of that network.

Icon This field allows you to associate an image with the asset. The accepted image size is
400x400 and the allowed formats are png, jpg or gif.

Description This field provides a short description of the asset.

Click Save to add the new network.

Alternatively, click the icon ( ) at the right upper corner to exit this window without saving any
changes.

4. If you click Save in the previous step, the Network Details window appears (see Figure 35.
Network List View).

Creating a Network by Using a CSV File


You can also create a network by importing a CSV file. In AlienVault USM version 4.x and 5.x, the
allowed format is the following:

"Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description";"Asset Value"*;"Net ID"

where

- The fields marked with * (Netname, CIDRs, and Asset Value) are mandatory.
- The characters allowed for Netname are: A-Z, a-z, 0-9, ., :, _ and -.
- Several CIDRs can be listed in the CIDRs field, separated by commas.

Each CSV file must contain a header row:

"Netname";"CIDRs";"Description";"Asset Value";"Net ID"

For example,

"Netname";"CIDRs";"Description";"Asset Value";"Net ID"
"Net_1";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";"479D45C0BBF22B4458BD2F8EE09ECAC2"

Important: The delimiter of the CSV file is a semicolon.

To create a network by using a CSV file

1. Navigate to Environment > Assets & Groups > Networks, click Add Network and then, Import
CSV.

2. Click Choose File and select a CSV file. Select the check box next to Ignore invalid characters if
you want characters outside the allowed set to be ignored rather than rejected.

3. Click Import.

The results of the import display.
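As an added example (not code from this guide or from AlienVault), the following Python script validates a network CSV in the format described above before you import it, so that a malformed file is caught on your workstation instead of at import time: it checks the semicolon delimiter and header row, the mandatory Netname, CIDRs and Asset Value fields, the Netname character set, and every CIDR in the list. The sample rows are constructed for the example. The ignore_invalid_chars switch (modelled on the import dialog's Ignore invalid characters option), the strict CIDR check, the 0-5 Asset Value range and the 32-hex-character Net ID check are assumptions about USM's behaviour, not something this page states.

```python
import csv
import io
import ipaddress
import re

# Header row the USM network CSV import expects (taken from the guide).
EXPECTED_HEADER = ["Netname", "CIDRs", "Description", "Asset Value", "Net ID"]

# Characters the guide allows in Netname: A-Z, a-z, 0-9, ".", ":", "_" and "-".
NETNAME_BAD_CHARS = re.compile(r"[^A-Za-z0-9.:_-]")

# Assumption: Net ID is a 32-character hex string, as in the guide's example row.
NET_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_network_csv(text, ignore_invalid_chars=False):
    """Validate a semicolon-delimited USM network CSV before importing it.

    Returns (networks, errors): networks holds one dict per row that passed
    every check, errors holds "line N: message" strings for rows that did not.
    With ignore_invalid_chars=True, characters outside the allowed Netname set
    are dropped instead of rejecting the row (assumption: this mirrors the
    import dialog's "Ignore invalid characters" check box).
    """
    rows = list(csv.reader(io.StringIO(text), delimiter=";", quotechar='"'))
    networks, errors = [], []

    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        errors.append("line 1: missing or malformed header row")
        return networks, errors

    for lineno, row in enumerate(rows[1:], start=2):
        if all(not c.strip() for c in row):
            continue  # blank line
        if len(row) < 4:
            errors.append(f"line {lineno}: expected at least 4 fields, got {len(row)}")
            continue
        row = row + [""] * (5 - len(row))  # the Net ID column is optional
        netname, cidrs, description, asset_value, net_id = (c.strip() for c in row[:5])
        problems = []

        # Netname: mandatory, restricted character set.
        if NETNAME_BAD_CHARS.search(netname):
            if ignore_invalid_chars:
                netname = NETNAME_BAD_CHARS.sub("", netname)
            else:
                problems.append("Netname contains characters outside A-Z a-z 0-9 . : _ -")
        if not netname:
            problems.append("Netname is mandatory")

        # CIDRs: mandatory, comma-separated list of networks.
        parsed_cidrs = []
        if not cidrs:
            problems.append("CIDRs is mandatory")
        for cidr in filter(None, (c.strip() for c in cidrs.split(","))):
            try:
                # Assumption: host bits must be zero (strict), so a typo such as
                # 10.0.0.5/24 is reported instead of being silently widened.
                parsed_cidrs.append(str(ipaddress.ip_network(cidr, strict=True)))
            except ValueError:
                problems.append(f"invalid CIDR {cidr!r}")

        # Asset Value: mandatory integer. The allowed range is not restated on
        # this page; 0-5 is an assumption about the USM asset value scale.
        if not asset_value:
            problems.append("Asset Value is mandatory")
        elif not asset_value.isdigit() or not 0 <= int(asset_value) <= 5:
            problems.append(f"Asset Value {asset_value!r} is not an integer in 0-5")

        # Net ID: optional; when present it must look like the guide's example.
        if net_id and not NET_ID_RE.match(net_id):
            problems.append("Net ID is not a 32-character hex string")

        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
            continue
        networks.append({
            "netname": netname,
            "cidrs": parsed_cidrs,
            "description": description,
            "asset_value": int(asset_value),
            "net_id": net_id or None,
        })
    return networks, errors


# Constructed sample file: one valid row, then a Netname with a space, a bad
# prefix length, and a missing Asset Value.
SAMPLE_CSV = (
    '"Netname";"CIDRs";"Description";"Asset Value";"Net ID"\n'
    '"Net_1";"192.168.10.0/24,192.168.9.0/24";"This is my network";"2";'
    '"479D45C0BBF22B4458BD2F8EE09ECAC2"\n'
    '"DMZ web";"10.0.5.0/24";"Public web tier";"4";""\n'
    '"Lab";"10.1.0.0/33";"Bad prefix";"1";""\n'
    '"Lab2";"10.2.0.0/16";"Missing asset value";"";""\n'
)

if __name__ == "__main__":
    nets, errs = parse_network_csv(SAMPLE_CSV, ignore_invalid_chars=True)
    for net in nets:
        print("OK  ", net["netname"], ",".join(net["cidrs"]))
    for err in errs:
        print("FAIL", err)
```

Run it against your own file by replacing SAMPLE_CSV with the file's contents; the script reports every problem row with its line number, which is more than the import dialog's summary gives you, and the rows it accepts are exactly the rows the format rules on this page allow.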

Knowing Your Networks


AlienVault USM 5.1 provides a centralized view for managing your networks. This view is on
Environment > Assets & Groups > Networks. It has a similar look and feel to the asset list view.
The functions available are similar as well, except for the following differences:

- You cannot edit multiple networks at the same time.
- You can run asset scans or vulnerability scans on your network(s), but you cannot enable or
  disable availability monitoring for a network.


Figure 35. Network List View

Performing Actions on Your Networks


The actions you can perform on networks work the same way as those on assets; the only difference
is that you apply them to network(s) instead of assets. See Performing Actions on Your Assets.

Figure 36. Networks: actions menu

Viewing Details of Your Networks


Do one of the following to view the specific information about a network:

- Click the Details button ( ).
- Double click on the line of that network.


Figure 37. Networks: view details of a network

This window includes the same information as the one for assets (see Table 16. Meaning of the
columns in the Asset Details window) except for the following:

- The export button ( ), which is used to export the assets of a network to a CSV file. The name
  of the exported file has the following structure: Networks__yyyy-mm-dd.csv
- Environment Status links:

  - HIDS. Clicking the link takes you to Environment > Detection > HIDS. The circle next to
    this field can appear in 4 different colors:

    Table 26. Environment Status: HIDS colors

    Color   Meaning
    GREEN   All the assets in this network have HIDS agents deployed and all of them are active.
    YELLOW  Some of the assets in this network have HIDS agents deployed, but not all of them are
            active.
    RED     Some of the assets in this network have HIDS agents deployed, but they are not connected.
    GREY    None of the assets in this network have HIDS agents deployed.

  - Automatic Asset Discovery. Clicking the link takes you to Environment > Assets & Groups
    > Schedule Scan. The circle next to this field can appear in 3 different colors:

    Table 27. Environment Status: Automatic Asset Discovery colors

    Color   Meaning
    GREEN   All the assets in this network are scheduled to be scanned.
    YELLOW  Some of the assets in this network are scheduled to be scanned.
    RED     None of the assets in this network are scheduled to be scanned.

  - Vuln Scan Scheduled. Clicking the link takes you to Environment > Vulnerabilities > Scan
    Jobs. The circle next to this field can appear in 2 different colors:

    Table 28. Environment Status: Vuln Scan Scheduled colors

    Color   Meaning
    GREEN   All the assets in this network have a vulnerability scan scheduled.
    RED     None of the assets in this network have a vulnerability scan scheduled.


Managing Network Groups


Assets are organized into networks based on their IP addresses and the networks you have
configured, which makes asset navigation and management easier; networks in turn belong to
locations. If required, networks can also be grouped into network groups for administrative tasks
that span several networks, such as asset discovery or vulnerability assessment.

Creating Network Groups


Network Groups are created by saving a result of a search filter.
To create a network group

1. Navigate to Environment > Assets & Groups > Network Groups.

2. Click New.

Figure 38. Creating a Network Group

3. Enter a name for the new group.


4. Select the networks to be part of the group. Click the + sign to expand the branches in the
Select networks below tree and click on your selection. The selected networks appear in the
lower part. Use the filter field to search for a specific network; this is useful when there are a
lot of networks. Use the remove button next to a selected network to remove it from this group.

5. Enter a description that identifies the network group.

6. Click Save.

Managing Network Groups


On Environment > Assets & Groups > Network Groups, you can perform the following tasks:

- Creating Network Groups
- Editing Network Groups
- Deleting Network Groups

Figure 39. Network Groups List View

The table of network groups includes the following columns:


Table 29. Columns in the table of network groups

Column        Meaning
Name          Name of the network group.
Networks      Networks associated with the group.
Description   Text describing the network group. This field may be empty since it is not mandatory.
Knowledge DB  Used to add a link to documents related to the network that are included in the
              database.
Notes         Indicates whether that network group includes notes. Notes are useful to explain facts
              about that network group. The number of notes appears between brackets next to the
              notes icon. For instance, a notes icon followed by (4) means that the network group
              includes 4 notes.

Editing Network Groups


1. Select the group you want to modify.

2. Click Modify.

3. Modify the values you need to change.

4. Click Save.

Deleting Network Groups


Navigate to Environment > Assets & Groups > Network Groups, select the group you want to
delete, and then click Delete Selected.
