The Getting Started Wizard is available on USM All-in-One during initial setup. It walks you through the tasks that get AlienVault USM ready for deployment, and collects as much data as it can about your environment so that USM can analyze it and identify threats. One of these tasks is to discover assets, through the following methods:
l Scanning networks configured in a previous step of the wizard.
l Scanning networks imported from a CSV file.
l Scanning networks added manually.
l Importing assets from a CSV file.
l Adding assets manually.
For more information, see "About the Getting Started Wizard" in the USM v5 Deployment Guide.
Adding Assets by Scanning for New Assets
This option scans the network for unidentified assets, and adds them to the USM database so that USM can monitor them. You can choose to scan an asset, a few assets, an asset group, a network, or a network group.
Running a Scan for New Assets Manually
To run a scan for new assets manually
1. Navigate to Environment > Assets & Groups > Assets.
2. Click Add Assets at the upper right-hand corner, and then Scan For New Assets.
3. Select the assets you want to scan:
l Click the + sign to expand the branches in the All Assets tree and click your selection.
l Alternatively, type the name of a specific asset/network in the search box, then press Enter.
The selected asset appears in the text field on the left.
4. Select a sensor.
l Local means that USM uses the sensor on the All-in-One; Automatic means that USM uses the first sensor available.
l Alternatively, click Select a Specific Sensor to display a list of sensors, and choose one from the list.
5. Select the advanced options according to your network capacity.
Advanced options for asset scans
Scan Type
l Ping: Sends a ping to each asset.
l Fast Scan (Default): Scans the 100 most common ports.
l Normal: Scans the 1000 most common ports.
l Full Scan: Scans all ports. It can be slow.
l Custom: Lets you define the ports to scan.
Timing Template
l Paranoid: Scans very slowly. It serializes all probes (no parallel scanning) and generally waits at least 5 min. between packets.
l Sneaky: Similar to Paranoid, but waits only 15 s between packet transmissions.
l Polite: Eases the network load and reduces the chance of crashing target systems. It serializes the probes and waits at least 0.4 s before sending the next one.
l Normal (Default): Scans at the rate that gives the fastest throughput without overloading the network or missing hosts and ports.
l Aggressive: Adds a 5-min. timeout per host and never waits more than 1.25 s for a probe response.
l Insane: Only suitable for very fast networks, or when you do not mind losing some information. Times out hosts after 75 s, waits only 0.3 s for individual probes, and permits very fast network sweeps.
Autodetect Services and Operating System
l Detects the services running on each host and the operating system version.
Enable Reverse DNS Resolution
l Performs reverse DNS resolution on the target IP addresses, normally for responsive (online) hosts only.
6. Click Start Scan.
After the scan completes, its results appear on the same page, below the Start Scan button.
7. Click Update Managed Assets to save assets.
USM adds new assets and updates the existing ones if some of the properties have changed.
Field descriptions for asset scan results
l (Check box): Check box to select hosts.
l Host: The IP address that identifies the host.
l Hostname: The name that identifies the host.
l FQDN: Fully Qualified Domain Name of the host.
l Device Types: The type of device that identifies the host.
l MAC: MAC address assigned to the host.
l OS: Operating system of the host.
l Services: The names of the services detected on the host.
l FQDN as Hostname: Choose this option to use the FQDN as the hostname for the discovered assets. If the FQDN contains a dot, only the part before the first dot is used.
Scheduling an Asset Discovery Scan
You can schedule a scan to run at a set frequency. This is particularly useful on an active network.
To schedule a new asset scan
1. Navigate to Environment > Assets & Groups > Schedule Scan > Asset Discovery Scan.
2. Click Schedule New Scan towards the right.
3. Type a name for the new scan.
4. Type the target network or networks to scan. You can type a single CIDR (x.x.x.x/xx) or a list of CIDRs separated by commas (CIDR1, CIDR2, CIDR3…).
5. Select a sensor from the list.
6. Select the advanced options according to your network capacity. For a description of these options, see Advanced options for asset scans, on page 75.
7. Select scan frequency. The options are Hourly, Daily, Weekly or Monthly.
The next scan runs an hour, a day, a week, or a month, respectively, after the previous scan has finished.
8. Click Save.
Note: The results of scheduled asset discovery scans do not appear in the web interface. USM adds the new assets automatically and updates existing ones if it identifies any new properties.
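Because a scheduled scan runs unattended and its results never appear in the web interface, it is worth sizing it before clicking Save. The following planner is an added example, not AlienVault's own code: it parses the target list the scheduling form accepts (one CIDR or a comma-separated list), sizes the scan from the advanced options table above, and prints an equivalent Nmap command that you can run by hand from a test host. The Nmap flag mapping is an assumption: the scan types and the timing template names match Nmap's port selections and -T0..-T5 templates, but the page does not say which scanner the sensor runs. The ScanPlan class and its field names are this example's own.

```python
# Dry-run planner for a USM asset discovery scan. Added example, not
# AlienVault code. The mapping of USM options to Nmap switches is an
# assumption (the page does not name the scanner the sensor uses).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports covered by each scan type, per the advanced options table.
SCAN_TYPE_PORTS = {"Ping": 0, "Fast Scan": 100, "Normal": 1000, "Full Scan": 65535}
# Assumed Nmap equivalents of the scan types and timing templates.
SCAN_TYPE_FLAGS = {"Ping": ["-sn"], "Fast Scan": ["-F"], "Normal": [], "Full Scan": ["-p-"]}
TIMING_FLAGS = {"Paranoid": "-T0", "Sneaky": "-T1", "Polite": "-T2",
                "Normal": "-T3", "Aggressive": "-T4", "Insane": "-T5"}
# Serialized templates: minimum wait between probes in seconds, from the table.
SERIAL_WAIT = {"Paranoid": 300.0, "Sneaky": 15.0, "Polite": 0.4}
PERIOD_SECONDS = {"Hourly": 3600, "Daily": 86400, "Weekly": 604800, "Monthly": 2592000}


@dataclass
class ScanPlan:
    targets: str                        # as typed in the form: "10.0.0.0/24, 10.0.1.0/24"
    scan_type: str = "Fast Scan"        # Ping | Fast Scan | Normal | Full Scan | Custom
    custom_ports: Optional[str] = None  # Nmap-style port list, used with "Custom" only
    timing: str = "Normal"              # Paranoid .. Insane
    detect_services_os: bool = False    # Autodetect Services and Operating System
    reverse_dns: bool = False           # Enable Reverse DNS Resolution


def parse_targets(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse 'CIDR1, CIDR2, ...'; a malformed entry fails here, not in the scan."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in target list")
        net = ipaddress.ip_network(item, strict=False)  # 10.0.0.5/24 -> 10.0.0.0/24
        if net.version != 4:
            raise ValueError(f"IPv4 CIDR expected: {item}")
        nets.append(net)
    return nets


def expand_ports(spec: str) -> List[int]:
    """Expand a list such as '22,80,443,8000-8010' into sorted port numbers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def port_count(plan: ScanPlan) -> int:
    if plan.scan_type == "Custom":
        if not plan.custom_ports:
            raise ValueError("Custom scan type needs custom_ports")
        return len(expand_ports(plan.custom_ports))
    return SCAN_TYPE_PORTS[plan.scan_type]


def host_count(plan: ScanPlan) -> int:
    return sum(net.num_addresses for net in parse_targets(plan.targets))


def probe_estimate(plan: ScanPlan) -> int:
    """Upper bound: one probe per host per port, or one ping per host (retries ignored)."""
    return host_count(plan) * max(port_count(plan), 1)


def min_duration_seconds(plan: ScanPlan) -> Optional[float]:
    """Wall-clock floor for the serialized templates; None when probes run in parallel."""
    wait = SERIAL_WAIT.get(plan.timing)
    return None if wait is None else probe_estimate(plan) * wait


def nmap_command(plan: ScanPlan) -> str:
    """Assumed Nmap equivalent of the plan, for reviewing or reproducing the scan."""
    args = ["nmap"]
    if plan.scan_type == "Custom":
        port_count(plan)  # validates the port list before it is used
        args.append("-p" + plan.custom_ports.replace(" ", ""))
    else:
        args += SCAN_TYPE_FLAGS[plan.scan_type]
    args.append(TIMING_FLAGS[plan.timing])
    if plan.detect_services_os and plan.scan_type != "Ping":
        args += ["-sV", "-O"]
    args.append("-R" if plan.reverse_dns else "-n")
    args += [str(net) for net in parse_targets(plan.targets)]
    return " ".join(args)


def review(plan: ScanPlan, frequency: str = "Daily") -> List[str]:
    """Warnings to read before saving the schedule."""
    warnings = []
    hosts, probes = host_count(plan), probe_estimate(plan)
    floor = min_duration_seconds(plan)
    if floor is not None and floor > PERIOD_SECONDS[frequency]:
        warnings.append(f"{plan.timing} timing needs at least {floor / 86400:.1f} days for "
                        f"{probes} probes, longer than the {frequency} interval")
    if plan.timing == "Insane":
        warnings.append("Insane drops hosts after 75 s and may miss ports on slow links")
    if plan.scan_type == "Full Scan" and hosts > 1024:
        warnings.append(f"Full Scan of {hosts} hosts is {probes} probes; try Fast Scan first")
    return warnings
```

A Paranoid Fast Scan of a single /24 is 25,600 serialized probes at 5 minutes each, which the planner reports as roughly 89 days: an Hourly schedule with that template never catches up. The host-count threshold in `review` is this example's own choice, not a USM limit.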
Adding Assets by Importing a CSV File
AlienVault USM allows users to import assets from a CSV file. The allowed formats consist of the following:
'IPs(IP1,IP2,...)'*;'Hostname';'FQDNs(FQDN1,FQDN2,...)';'Description';'Asset Value';'Operating System';'Latitude';'Longitude';'Asset ID';'External Asset';'Device Types(Type1,Type2,...)'
Where:
l Delimiter is a semicolon.
l IPs field is mandatory.
l Hostname syntax is defined by RFC 1123.
l FQDN syntax is defined by RFC 1035, RFC 1123, and RFC 2181.
l Valid operating system values are: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS, Solaris, Cisco, AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9, or iOS.
l Device types follow the syntax Device Category:Device Type. For example, if you are importing a network router, the value of the device type field should be Network Device:Router.
USM accepted device types
Each value is written in the CSV as Device Category:Device Type, for example Network Device:Bridge or Server:Mail Server.
l Network Device: Bridge; Broadband Router; Firewall; Hub; Load Balancer; Remote Management; Router; Switch; Storage; VPN device; VPN Gateway (added in v5.2.2); Wireless AP
l Endpoint: Endpoint (Other) (added in v5.2.2); Laptop (added in v5.2.2); Workstation (added in v5.2.2)
l General Purpose: N/A
l Industrial Device: PLC
l Media Device: Game Console; IoT Device (Other) (added in v5.2.2); Set Top Box (added in v5.2.2); Television (added in v5.2.2)
l Mobile: Mobile; Tablet; PDA; VoIP Phone
l Peripheral: Camera; Environmental Monitoring (added in v5.2.2); IPMI (added in v5.2.2); Peripheral (Other) (added in v5.2.2); Power Distribution Unit (PDU) (added in v5.2.2); Printer; RAID (added in v5.2.2); Terminal; Uninterrupted Power Supply (UPS) (added in v5.2.2)
l Security Device: Antivirus (added in v5.2.2); DDOS Protection (added in v5.2.2); Firewall (added in v5.2.2); Intrusion Detection System; Intrusion Prevention System; Network Defense (Other) (added in v5.2.2); Web Application Firewall (added in v5.2.2)
l Server: Active Directory Server / Domain Controller (added in v5.2.2); Application Server (added in v5.2.2); Database Server (added in v5.2.2); DNS Server; Domain Controller; File Server; HTTP Server; Mail Server; Monitoring Tools Server (added in v5.2.2); Payment Server (ACI in particular) (added in v5.2.2); PBX; Point of Sale Controller (added in v5.2.2); Print Server; Proxy Server; Server (Other) (added in v5.2.2); Terminal Server; Time Server (added in v5.2.2); Virtual Host (added in v5.2.2); VoIP Adapter; Webserver (added in v5.2.2)
Each CSV file must contain a header row:
'IPs';'Hostname';'FQDNs';'Description';'Asset Value';'Operating System';'Latitude';'Longitude';'Asset ID';'External Asset';'Device Type'
For example, with the file below, you add a host with the IP address 192.168.10.3:
'IPs';'Hostname';'FQDNs';'Description';'Asset Value';'Operating System';'Latitude';'Longitude';'Asset ID';'External Asset';'Device Type'
'192.168.10.3';'Host1';'www.example-1.es,www.example-2.es';'This is a test server.';'2';'Windows';'23.78';'121.45';'379D45C0BBF22B4458BD2F8EE09ECCC2';0;'Server:Mail Server'
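The importer reports format errors only after the upload, one line at a time, so for a large file it pays to validate before importing. The following is an added example, not AlienVault code: it renders rows in the semicolon-delimited, single-quoted layout shown above and checks the rules this page states (IPs is mandatory, Hostname is a single RFC 1123 label, which is also the rule USM applies to manually added asset names, FQDNs are well-formed, Operating System is one of the listed values, and Device Type is an accepted Category:Type pair). It also derives a hostname from an FQDN the way the FQDN as Hostname option does. The DEVICE_TYPES table is an abridged subset of the accepted list; the "External Asset must be 0 or 1" check and the EXAMPLE_ROW and BAD_ROW inputs are this example's own constructions.

```python
# Build and validate a USM asset import CSV. Added example, not AlienVault
# code. DEVICE_TYPES is abridged; extend it from the accepted types table.
import ipaddress
import re
from typing import Dict, List

# Header row the importer expects, as shown on this page.
HEADER = ["IPs", "Hostname", "FQDNs", "Description", "Asset Value",
          "Operating System", "Latitude", "Longitude", "Asset ID",
          "External Asset", "Device Type"]
OPERATING_SYSTEMS = {"Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS",
                     "Solaris", "Cisco", "AIX", "HP-UX", "Tru64", "IRIX",
                     "BSD/OS", "SunOS", "Plan9", "iOS"}
DEVICE_TYPES = {  # category -> accepted types (abridged subset)
    "Network Device": {"Bridge", "Firewall", "Router", "Switch", "Wireless AP"},
    "Server": {"DNS Server", "Mail Server", "Database Server", "Webserver"},
    "Endpoint": {"Laptop", "Workstation"},
}
# One RFC 1123 label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters; no dots or spaces, as for asset names.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    return bool(LABEL_RE.match(name))


def valid_fqdn(name: str) -> bool:
    """Dot-separated RFC 1123 labels, at most 253 characters in total."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def hostname_from_fqdn(fqdn: str) -> str:
    """What the FQDN as Hostname option keeps: everything before the first dot."""
    return fqdn.split(".", 1)[0]


def valid_device_type(value: str) -> bool:
    category, sep, dtype = (part.strip() for part in value.partition(":"))
    return bool(sep) and dtype in DEVICE_TYPES.get(category, set())


def _split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_row(row: Dict[str, str]) -> List[str]:
    """Problems the importer would report for one row; empty when the row is clean."""
    errors = []
    for key, value in row.items():  # the format defines no escaping for ' or ;
        if "'" in value or ";" in value:
            errors.append(f"{key}: quote or semicolon not allowed in a field")
    ips = _split_list(row.get("IPs", ""))
    if not ips:
        errors.append("IPs is mandatory")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"IPs: invalid address {ip}")
    if row.get("Hostname") and not valid_hostname(row["Hostname"]):
        errors.append(f"Hostname: not an RFC 1123 label: {row['Hostname']}")
    for fqdn in _split_list(row.get("FQDNs", "")):
        if not valid_fqdn(fqdn):
            errors.append(f"FQDNs: malformed {fqdn}")
    os_name = row.get("Operating System", "")
    if os_name and os_name not in OPERATING_SYSTEMS:
        errors.append(f"Operating System: unknown value {os_name}")
    if row.get("External Asset", "") not in ("", "0", "1"):  # assumed 0/1 flag
        errors.append("External Asset: must be 0 or 1")
    if row.get("Device Type") and not valid_device_type(row["Device Type"]):
        errors.append(f"Device Type: not an accepted Category:Type: {row['Device Type']}")
    return errors


def render_csv(rows: List[Dict[str, str]]) -> str:
    """Header plus one line per row; External Asset is left unquoted, as in the example."""
    lines = [";".join(f"'{h}'" for h in HEADER)]
    for row in rows:
        lines.append(";".join(
            row.get(h, "") if h == "External Asset" else f"'{row.get(h, '')}'"
            for h in HEADER))
    return "\n".join(lines) + "\n"


# The host from the page's example, as a row dict (constructed input).
EXAMPLE_ROW = {
    "IPs": "192.168.10.3", "Hostname": "Host1",
    "FQDNs": "www.example-1.es,www.example-2.es",
    "Description": "This is a test server.", "Asset Value": "2",
    "Operating System": "Windows", "Latitude": "23.78", "Longitude": "121.45",
    "Asset ID": "379D45C0BBF22B4458BD2F8EE09ECCC2", "External Asset": "0",
    "Device Type": "Server:Mail Server",
}
# A row carrying the mistakes the importer would reject (constructed input).
BAD_ROW = {"IPs": "10.0.0.300", "Hostname": "mail.corp", "Operating System": "OpenSD",
           "External Asset": "yes", "Device Type": "Server:Mailserver"}
```

Run `validate_row` over every row and only write the file with `render_csv` when no row reports an error; a hostname such as mail.corp fails because of the dot, which is the same reason it would be rejected on the New Asset page.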
To add assets by using a CSV file
1. Navigate to Environment > Assets & Groups > Assets.
2. Click Add Assets at the upper right-hand corner and then Import CSV.
3. Click Choose File and select a CSV file. If the hostnames contain special characters that you want the importer to ignore, select the Ignore invalid characters (Hostnames) check box.
4. Click Import.
After it finishes, the result page shows the number of assets imported, plus the number of errors and warnings that occurred during the import. You also see an import status summary on every line of the CSV file.
5. To see the details on an error or a warning, click the icon.
6. To import more assets, click New Importation; alternatively, to close the window, click the icon located at the upper right-hand corner.
Adding Assets by Using SIEM Events
Sometimes new hosts appear in the SIEM events that USM collects. You can import these hosts as new assets. This option checks the events against your configured networks and imports all assets that it finds.
To add assets discovered in SIEM events
1. Navigate to Environment > Assets & Groups > Assets.
2. Click Add Assets at the upper right-hand corner and then Import from SIEM.
The Import Assets from SIEM Events message appears. It shows the number of assets found.
3. Click View Log if you want to read the log file.
4. Click Import to transfer the identified assets.
Note: USM can only import 25,000 assets at a time. Therefore, if you have more than 25,000 hosts, repeat the steps until you have imported all assets.
Adding Assets Manually
USM also allows you to add an asset manually. This feature helps when you only have a few assets to add, and when you already know the IP addresses of the assets.
When naming an asset in USM, keep in mind that an asset name:
l Cannot contain a dot (.).
l Cannot start or end with a dash (-).
l Cannot contain a space.
l Must start and end with a letter or a number.
l Can contain no more than 63 characters.
To add assets manually
1. Navigate to Environment > Assets & Groups > Assets.
2. Click Add Assets at the upper right-hand corner, and then Add Host.
3. On the New Asset page, fill out the fields.
4. Click Save.
The Asset Detail page for this asset displays.
Field descriptions for the New Asset and the Asset Details pages
l Name (Required): Name of the asset.
l IP Address (Required): IP address of the asset.
l FQDN/Aliases (Optional): Domain name that specifies the asset's exact location in the tree hierarchy of the Domain Name System (DNS).
l Asset Value (Required): Value assigned to the asset. For further information, see How USM Determines the Asset Value, on page 73.
l External Asset (Required): Whether the asset is on your company network (internal) or not (external). See What Are External Assets?, on page 72.
l Sensors (Required): A list of USM Sensors, with a check mark next to the one monitoring this asset.
l Operating System (Optional): Operating system on the asset.
l Description (Optional): A short description of the asset.
l Icon (Optional): An image for the asset, if desired. The accepted image size is 400 x 400 and the allowed formats are .png, .jpg, and .gif.
l Location (Optional): Location of the asset. The written location appears on the map. You can also use latitude and longitude to locate the place.
l Model (Optional): Model that identifies the asset.
l Device Types (Optional): Device type of the asset. Select an option from the Devices list to review the options in the Types list. The options are the same as in USM accepted device types, on page 78.