
Copyright© 2014 AlienVault. All rights reserved.

AlienVault Unified Security Management™ Solution

Complete. Simple. Affordable

Assets, Groups & Networks


AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.


DC-00109 Edition 03 Copyright© 2014 AlienVault. All rights reserved. Page 3 of 75

CONTENTS

1. INTRODUCTION ... 4

2. ASSETS MANAGEMENT ... 4

2.1. Assets ... 4

2.2. Asset Discovery ... 32

3. GROUPS AND NETWORKS MANAGEMENT ... 35

3.1. Groups ... 35

3.2. Networks ... 51

3.3. Network Groups ... 70


1. INTRODUCTION

This document covers all functionality related to asset management, including that which is restricted to administrative users.

Asset Discovery is one of the five essential security capabilities offered by the AlienVault USM platform. This capability allows users to discover and inventory all the assets in a network and to correlate asset information with threat and vulnerability data.

An asset is a thing of value that a company owns, such as any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and confidential information.

Proper asset management is necessary in order to make the most of the full AlienVault USM functionality.

2. ASSETS MANAGEMENT

2.1. ASSETS

Navigate to “Environment > Assets”:


Figure 1. Detail of ‘Assets’ Screen

The search is evaluated with a logical ‘AND’ when the filter criteria are of different kinds, and with a logical ‘OR’ when the filter criteria are of the same kind. The system will only show assets meeting all search filters.

Search Filters:

“Alarms”. It enables the search for assets with associated alarms.

“Events”. It enables the search for assets with associated events.

“Vulnerabilities”. It enables the search for assets with vulnerabilities. The values are Info, Low, Medium, High and Critical.

“Asset Value”. It enables the search for assets within a value range. Values can be from 1 to 5, where 1 is the lowest value and 5 the highest.

“Show Assets Added”. It enables the search by the date the asset was added.

“Last Updated”. It enables the search by the date the asset was last updated.
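The combination rule above (OR between values of the same filter kind, AND across different kinds) is easy to get wrong when reproducing a USM search outside the console, for example when reconciling an exported asset list. The following is an added example, not AlienVault code: a small evaluator over a constructed inventory that applies the six filters listed above with exactly that rule. The `Asset` class, the `(kind, value)` filter representation and the sample hosts are assumptions made for the example.

```python
"""Added example, not AlienVault code: how the asset search filters described
above combine. Filters of the same kind are ORed together and filters of
different kinds are ANDed, so an asset must satisfy every kind of filter
that has been set, by at least one of the values chosen for that kind.
The Asset class and the sample inventory are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Tuple

SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


@dataclass
class Asset:
    hostname: str
    has_alarms: bool
    has_events: bool
    vulnerabilities: List[str]   # severities present on the asset
    asset_value: int             # 1 (lowest) .. 5 (highest)
    added: date
    last_updated: date

    def __post_init__(self) -> None:
        if not 1 <= self.asset_value <= 5:
            raise ValueError("asset value must be between 1 and 5")
        for sev in self.vulnerabilities:
            if sev not in SEVERITIES:
                raise ValueError(f"unknown severity: {sev}")


# A filter is (kind, value). Kinds mirror the filter names in the document;
# the date and value kinds take an inclusive (low, high) tuple.
Filter = Tuple[str, Any]


def matches_one(asset: Asset, kind: str, value: Any) -> bool:
    """Does the asset satisfy a single filter value of the given kind?"""
    if kind == "Alarms":
        return asset.has_alarms == bool(value)
    if kind == "Events":
        return asset.has_events == bool(value)
    if kind == "Vulnerabilities":
        return value in asset.vulnerabilities
    if kind == "Asset Value":
        low, high = value
        return low <= asset.asset_value <= high
    if kind == "Show Assets Added":
        low, high = value
        return low <= asset.added <= high
    if kind == "Last Updated":
        low, high = value
        return low <= asset.last_updated <= high
    raise ValueError(f"unknown filter kind: {kind}")


def search(assets: List[Asset], filters: List[Filter]) -> List[str]:
    """Return the hostnames matching the filter set (all assets if empty)."""
    by_kind: Dict[str, List[Any]] = {}
    for kind, value in filters:
        by_kind.setdefault(kind, []).append(value)
    return [
        a.hostname
        for a in assets
        if all(                                          # AND across kinds
            any(matches_one(a, kind, v) for v in values)  # OR within a kind
            for kind, values in by_kind.items()
        )
    ]


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("web01", True, True, ["High"], 5, date(2014, 1, 10), date(2014, 3, 1)),
    Asset("db01", False, True, ["Critical", "Low"], 3, date(2014, 2, 2), date(2014, 3, 5)),
    Asset("jump01", False, False, ["Medium"], 5, date(2014, 2, 20), date(2014, 2, 20)),
    Asset("dc01", True, True, [], 4, date(2013, 12, 1), date(2014, 3, 9)),
]

if __name__ == "__main__":
    # (High OR Critical vulnerabilities) AND asset value 4..5
    print(search(SAMPLE_ASSETS, [("Vulnerabilities", "High"),
                                 ("Vulnerabilities", "Critical"),
                                 ("Asset Value", (4, 5))]))
```

With an empty filter list every asset is returned, which is the same behaviour the document describes for the CSV export when no filter is set.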

MORE FILTERS allows the user to add more filters:


Figure 2. Assets: see the more filters screen (Device Type tab)

This screen includes several tabs: Network; Software; Sensor; Device Type; Ports/Services and Locations. Each tab shows its specific data, which can be selected to filter a search.

There is a search field located at the top left. This is useful when there are many items in a tab, since it allows searching across all of them. The icon ( ) is used to delete the written terms.

It is possible to navigate between all items through the links located at the bottom of the screen. Use the buttons PREVIOUS and NEXT to go to the previous or the next page, respectively. Use the numbered buttons to go to an exact page.

Click on APPLY to start the search.

Click on CANCEL or on the icon ( ) located at the top right side of the window to finish adding filters.


The current search conditions are shown inside the white rectangle:

Use the Clear All Filters button to start a new filter, or click on the cross icon of a filter if you want to remove only that filter.

The number of assets that meet the selected criteria is shown in the “Results” square:

The ADD ASSETS button is explained in Section 2.1.2.

The button ( ) is used to export assets to CSV. If there is no filter, all assets will be exported. If there is a filter, only the assets that meet the filter criteria will be exported. See Section 2.1.5 for further information.

The button ( ) is used to delete the assets that are being displayed at that moment. When this button is clicked, the following message appears:

The SAVE GROUP button is used to save the current set of assets as an asset group. This button is active when at least one filter has been selected and there are results that meet that filter. See Section 2.1.6 for further information.


The right side of the assets main window shows a table of all assets that are part of the system:

Figure 3. Main window of assets: right side (table)

An option in the first line of the table allows the user to configure the number of entries to view: 10, 20 or 50 entries.

The fields that appear in the table are the following:

“Hostname”. It is a label that identifies the asset.

“IP”. It refers to the IP assigned to that asset.

“FQDN/Alias”. It is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).

“Alarms”. It indicates if that hostname has associated alarms ( ) or not (dash).

“Vulnerabilities”. It indicates if an asset is vulnerable ( ) or not (dash).

“Events”. It indicates if that hostname has associated events ( ) or not (dash).

“Details”. This button is used to open the specific information of that hostname, see Section 2.1.1.

2.1.1. VIEW DETAILS OF AN ASSET

Click on an asset to expand the details of that asset:

“Networks”. It indicates the networks associated with that asset.


“Device Type”. It specifies the type of device associated with that host.

“Description”. This field may contain a short text describing that asset. This field is not mandatory, so it may be empty.

“Operating System”. It indicates the Operating System that runs on that asset.

“Asset Value”. This is a value assigned to that host. Values can be from 1 to 5, where 1 is the lowest value and 5 the highest.

“Details”. This is a button that opens the specific information of that hostname.

Figure 4. Expanded details of an asset

Do one of the following to view the specific information of an asset:

Click on its Details button ( ).

Double click on the line of that asset.

Click on the Details button ( ).


Figure 5. “Assets”: details of an asset

This screen displays the following information:

Assets link. This button goes back to the assets main window (see Figure 1). If filters were previously configured, they will remain.

Delete button ( ). This button is used to delete that asset.

“More Details”. This option allows the user to expand the asset details.

Figure 6. “Assets”: more details of an asset

The EDIT button is used to modify the data of that asset, see Section 2.1.1.2 for further information.


Snapshot side. It displays some of the information that appears at the bottom side of the screen. These are actually buttons used to go to the corresponding information in the table area.

Figure 7. “Assets”: details of an asset - snapshot

Environment Status. At the right side there are 3 links:

“HIDS”. This button refers to the host-based intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle next to this field can appear in 3 different colors:

Red. It means that none of the IPs associated with the asset are configured in the HIDS.

Green. It means that all IPs associated with the asset are configured in the HIDS.

Yellow. It means that some IPs associated with the asset are configured in the HIDS.

“Automatic Asset Discovery”. This button indicates whether or not there are pending scans for that host. The circle next to this field can appear in 3 different colors:

Red, meaning that none of the IPs associated with that asset are scheduled to be scanned.

Green, meaning that all IPs associated with that asset are scheduled to be scanned.

Yellow, meaning that some IPs associated with that asset are scheduled to be scanned, but not all of them.

“Availability Monitoring”. This button indicates whether the “Availability Monitoring” box is selected or not (see Section 2.1.1.2). The circle next to this field can appear in 2 different colors:


Red, meaning that it is not enabled.

Green, meaning that it is enabled.

Suggestions. This part shows suggestions related to that asset. They can be:

Warning messages when an asset which has sent logs does not send an event in 24 hours.

Info messages when an asset is not sending logs to the system.

Info messages when an asset is sending logs, but there is no plugin enabled to parse the logs.

There is a document titled “System Errors, Warnings and Suggestions” that explains what a suggestion is and how suggestions work inside AlienVault USM.

2.1.1.1. TABLE AREA

The table area appears at the bottom side of the screen (see Figure 5). This menu includes the following options:

2.1.1.1.1. GENERAL

1. “Software”. It indicates if the asset has any software installed. Use the vertical scroll bar if it is necessary to see all rows.


Figure 8. “Assets”: Table Area (General > Software)

The table displays several fields: “IP Address”, “Port”, “Name”, “Vulnerable” and “Available”. By clicking on a line it is possible to view more information:


Figure 9. “Assets”: Table Area (General > Software). Details of software installed on an asset

It is possible to toggle the availability monitoring by clicking on the EDIT AVAILABILITY MONITORING button:


Figure 10. “Assets”: Table Area (General > Services). Edit Availability Monitoring

Select a service and then click on the TOGGLE AVAILABILITY MONITORING button to configure the services to be monitored. This option must be enabled in order to configure availability scans.

Click on Check All to select all services at the same time, or click on the square next to each service to select that specific service. Click on the icon ( ) located at the top right side of the window to close it. Now the selected services will show “Yes(Ok)” in the “Available” column.

2. “Users”. This option is not related to the users configured in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on “General > Properties” (see Figure 13), then click on the icon ( ).


Figure 11. Add users related to a specific asset

Figure 12. “Assets”: Table Area (General > Users)


Click on “Users logged” and write the user name in the “Value” field at the bottom side of the screen. It is possible to specify the domain of a user by writing “user@domain”. The “Property is locked” field is used to prevent that user from being modified (Yes) or to allow it (No).

Click on SAVE to update changes. Click on the icon ( ) located at the top right side of the window to close it. Now the added users will appear in the table.

3. “Properties”. It displays a table that relates a property (operating system, username, department, etc.) to its values; the date when that property was updated and its source are also included. The properties are always the same:

Figure 13. “Assets”: Table Area (General > Properties)

Click on the icon ( ) to modify or add a value to the properties.


Figure 14. “Assets”: Edit Properties

Click on or select the property and write the value in the blank square at the bottom in order to modify or add it. Click on the SAVE button to update changes.

4. “Plugins”. It displays a table that relates the vendor, model, version, plugin and sensor. It also indicates whether that plugin is receiving data:


Figure 15. “Assets”: Table Area (General > Plugins)

Click on the icon ( ) located at the top right side of the window to close it. Now the changes will be displayed in the “Value” column.

2.1.1.1.2. ACTIVITY

1. “Alarms”. This is a table with information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination.

At the upper right-hand corner there is a “Search” field to facilitate searches.


Figure 16. “Assets”: Table Area (Activity > Alarms)

2. “Events”. It displays a table which includes information about events related to that asset. The table includes the following fields: Signature; Data Source; Date; Incoming/Outgoing; SRC/DST (Source; Destination); Sensor; and Risk.


Figure 17. “Assets”: Table Area (Activity > Events)

3. “Netflow”. It displays a table which includes information about netflows related to that asset. This table includes the following fields: Date Flow Start; Duration; Protocol; SRC IP:Port; DST IP:Port; and Flags.


Figure 18. “Assets”: Table Area (Activity > Netflow)

2.1.1.1.3. LOCATION

It is possible to set the geographic location of an asset.


Figure 19. “Assets”: Table Area (Location)

Click on EDIT LOCATION.


Figure 20. “Assets”: Table Area (Edit Location)

Write the location of the asset. The written location appears on the map. It is also possible to write a latitude and longitude to locate a place.

Click on SAVE to update changes or on CANCEL to exit and close this window without updating changes.

2.1.1.1.4. NOTES

This option allows the user to add notes to the host. There is a text box where text can be written. Once the text has been written, click on the Save button. Added notes can be modified and deleted.


2.1.1.2. EDIT DETAILS OF AN ASSET: VIEW AND MODIFY

It is possible to view and modify the details of an asset by clicking on the Edit button (see Figure 6):

Figure 21. “Assets”: edit details

This screen includes the following parts:

“Name”. It is a label that identifies the asset.

“IP Address”. This field is used to relate the asset to an IP Address.

“FQDN/Aliases”. It is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).


“Asset value”. This is a value assigned to that asset. Values can be from 1 to 5, where 1 is the lowest value and 5 the highest.

“External Asset”. It indicates if this asset is external (publicly facing) (Yes) or internal (No).

“Sensors”. The AlienVault sensors monitoring the asset.

“Description”. This field is not mandatory, so it may be empty. It may contain a short text.

“Thresholds C”. It refers to the compromise threshold level. It is an integer value.

“Thresholds A”. It refers to the attack threshold level. It is an integer value.

“Scan options”. It allows the user to select “Availability Monitoring” or not.

“Icon”. It is possible to associate an image with the asset. The allowed size is 16x16 and it must be in png format.

“Location”. Write the location of this asset. The written location appears on the map. It is also possible to write a latitude and longitude to locate a place.

“Device Types”. Select a device type and click on ADD.

The SAVE button is used to update changes.

The CANCEL button is used to exit this window without saving changes.

After clicking on the SAVE button a confirmation message will appear, indicating that the save was successful. You will then have to dismiss the dialog using the ‘X’ in the upper right corner.

Values that are marked with an asterisk (*) are mandatory.

2.1.2. ADD AN ASSET

1. Navigate to “Environment > Assets”.

2. Click on ADD ASSETS and then on ADD HOST.


Figure 22. “Assets”: create a new asset

3. Fill out the fields. There is an explanation of each field in Section 2.1.1.2.

4. Click on SAVE to create the new asset.

2.1.3. IMPORT CSV

AlienVault USM allows the user to import assets from a csv file.

1. Go to the assets main window (see Figure 1) and click on ADD ASSETS and then on IMPORT CSV.


Figure 23. “Assets”: import hosts from a csv file

2. Click on the Choose File button and select a csv file.

3. Click on the square next to “Ignore invalid characters” if you want to ignore them.

Keep in mind the explanation about allowed formats, examples and notes that appears on this screen.

4. Click on IMPORT. The results of the import are displayed:


Figure 24. “Assets”: results of importing hosts from a csv file

This table shows, first, the number of hosts imported and the number of errors and warnings that occurred during the import.

Next, there is the summary of the import. “Show n entries” allows the user to configure the number of items to view: 10, 25, 50 or 100. The table includes 3 fields: “Line”, “Status” and “Details”. The “Status” column can be sorted, ascending or descending, by clicking on it. An icon can be displayed in the “Details” column when the status is “Warning” or “Error”. Click on this icon to expand more information about that warning or error.


Figure 25. “Assets”: results of importing hosts from a csv file with errors

The imported hosts now appear in the assets main window, see Figure 1.

5. Click on NEW IMPORTATION to go to the import hosts from a csv file window (see Figure 23) or close this window by clicking on the icon ( ) located at the upper-right side.

2.1.4. IMPORT FROM SIEM

AlienVault USM allows the user to import hosts from SIEM.

1. Go to the assets main window (see Figure 1) and click on ADD ASSETS and then on IMPORT FROM SIEM.


Figure 26. “Assets”: import hosts from SIEM events

2. Click on VIEW LOG if you want to display the log file.

3. Click on the IMPORT button to transfer the found hosts, or click on CANCEL to exit this window without saving changes.

2.1.5. EXPORT ASSETS

AlienVault USM allows the user to export hosts to a csv file. If there is no filter, all assets will be exported. If there is a filter, only the assets that meet the filter criteria will be exported.

To export assets, go to the assets main window (see Figure 1) and click on the icon ( ) next to the ADD ASSETS button.

A file is created in the download folder location configured in the settings of your web browser. The created file always has the same name structure:

All_hosts__yyyy-mm-dd.csv

where “yyyy” refers to the year, “mm” to the month and “dd” to the day.

2.1.6. CREATING AN ASSET GROUP

It is possible to create an asset group by saving the results of a search, following the instructions below:

1. Go to the assets main window, see Figure 1.

2. Select the filters to be included in that search.

3. Click on the SAVE GROUP button:


Figure 27. “Assets”: Save an Asset Group

4. Include a name and a description.

5. Click on the SAVE button.

6. The saved group appears in the asset groups screen (see Figure 32).

2.2. ASSET DISCOVERY

This option allows the user to scan networks and hosts. The scan is made to add assets into the AlienVault USM database so that those assets are monitored by the system.

The asset discovery application offers hosts, host groups, networks and network groups to scan. Navigate to “Environment > Assets > Asset Discovery”:


Figure 28. Main window of “Asset Discovery”

1. Select the asset or assets you want to scan. It is possible to select them through the “All Assets” tree or to write a specific asset. The selected asset appears in the left blank square.

2. Select a sensor: automatic, local, or a specific sensor.

3. Set the advanced options:

Scan type. There are the following possibilities:


Figure 29. “Asset Discovery”: scan type

Ping. This option sends a ping to each of the selected assets.

Normal. This option scans the most common 1000 ports.

Fast Scan. This option scans the most common 100 ports.

Full Scan. This option scans all ports; this can be slow.

Custom. This option allows the user to define the ports to scan.

Timing template. This option refers to the timing policies for conveniently expressing priorities to NMAP.

Figure 30. “Asset Discovery”: timing template

Paranoid. This mode scans very slowly. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets.

Sneaky is similar to paranoid mode, except it only waits 15 seconds between sending packets.

Polite is meant to ease the load on the network and reduce the chances of crashing machines. It serializes the probes and waits at least 0.4 seconds between them.

Normal is the default NMAP behavior, which tries to run as quickly as possible without overloading the network or missing hosts/ports.

Aggressive mode adds a 5-minute timeout per host and never waits more than 1.25 seconds for probe responses.


Insane is only suitable for very fast networks or where you do not mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps, though.

Auto Detect services and Operating System. Mark this option to detect services and operating system versions.

Enable reverse DNS Resolution. This option does reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

4. Click on START SCAN. After a few seconds (depending on the selected assets this time could be longer), the results will be displayed just below, in a table:

Figure 31. “Asset Discovery”: scan results
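The discovery options in steps 1 to 4 are a thin front end over nmap, and the one control a practitioner usually wants on top of them is a scope check: a discovery scan should only ever touch the networks the USM instance is responsible for. The following is an added example, not AlienVault code and not the sensor's own implementation: it maps the scan types and timing templates listed above to an nmap argument list and refuses any target outside an allowed set of networks. The mapping of each option to a flag (`-sn`, `-F`, `-p-`, `-p`, `-T0`..`-T5`, `-sV -O`, `-R`) is an assumption about how the sensor invokes nmap, and the `allowed` parameter and all sample networks are constructed for the example.

```python
"""Added example, not AlienVault code: turn the Asset Discovery options
described above into an nmap argument list, and refuse targets outside the
networks that are allowed to be scanned. The option-to-flag mapping is an
assumption about how the sensor invokes nmap (the timing descriptions in the
document are nmap's own); the scope check is this example's addition."""
import ipaddress
import re
from typing import List, Optional

# Scan type -> port selection (assumed mapping).
SCAN_TYPES = {
    "Ping": ["-sn"],        # host discovery only, no port scan
    "Normal": [],           # nmap default: the most common 1000 ports
    "Fast Scan": ["-F"],    # the most common 100 ports
    "Full Scan": ["-p-"],   # all ports; slow, as the document warns
}
# Timing template name -> nmap -T level (assumed mapping).
TIMING = {"Paranoid": 0, "Sneaky": 1, "Polite": 2, "Normal": 3, "Aggressive": 4, "Insane": 5}
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


def _valid_port_spec(spec: str) -> bool:
    """Accept '22,80,443' or '1-1024,8080' with every port in 1..65535."""
    if not PORT_SPEC.match(spec):
        return False
    for part in spec.split(","):
        low, _, high = part.partition("-")
        a, b = int(low), int(high or low)
        if not 1 <= a <= b <= 65535:
            return False
    return True


def _in_scope(target: str, allowed: List[str]) -> bool:
    """True when the host or network lies inside one of the allowed networks."""
    net = ipaddress.ip_network(target, strict=False)
    return any(
        net.version == a.version and net.subnet_of(a)
        for a in (ipaddress.ip_network(n) for n in allowed)
    )


def build_nmap_args(targets: List[str], allowed: List[str], scan_type: str = "Normal",
                    custom_ports: Optional[str] = None, timing: str = "Normal",
                    detect_services_os: bool = False, reverse_dns: bool = False) -> List[str]:
    """Build the argument list for one discovery scan, validating every input."""
    if not targets:
        raise ValueError("no targets selected")
    for t in targets:
        if not _in_scope(t, allowed):
            raise ValueError(f"target {t} is outside the allowed scan scope")
    args = ["nmap"]
    if scan_type == "Custom":
        if not custom_ports or not _valid_port_spec(custom_ports):
            raise ValueError("Custom scan needs a valid port list")
        args += ["-p", custom_ports]
    elif scan_type in SCAN_TYPES:
        args += SCAN_TYPES[scan_type]
    else:
        raise ValueError(f"unknown scan type: {scan_type}")
    if timing not in TIMING:
        raise ValueError(f"unknown timing template: {timing}")
    args.append(f"-T{TIMING[timing]}")
    if detect_services_os and scan_type != "Ping":
        args += ["-sV", "-O"]      # service versions and operating system detection
    if reverse_dns:
        args.append("-R")          # resolve every target, not only responsive hosts
    return args + list(targets)


if __name__ == "__main__":
    # Constructed scope: the sensor may only scan 10.0.0.0/8.
    print(" ".join(build_nmap_args(["10.0.1.0/24"], ["10.0.0.0/8"], "Fast Scan",
                                   timing="Polite", detect_services_os=True)))
```

Rejecting out-of-scope targets before the command is assembled keeps a mistyped address in the "write a specific asset" box from turning an inventory scan into traffic against someone else's network.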

3. GROUPS AND NETWORKS MANAGEMENT

3.1. GROUPS

It is possible to gather assets into a group. This option is available through the Primary Menu “Environment > Groups & Networks”:


Figure 32. Main window of “Asset Groups”

The rectangle located at the top left side is a “Search” field. It is useful when there are many items, and it allows executing a search by owner or group name across all items. Partial searches are allowed. Enter a term to find asset groups that match that term.

The first line of the table allows the user to configure the number of entries to view: 10, 20 or 50 entries. The fields that appear in the table are the following:

“Group Name”. It is a label that identifies the group. Click on the column name to sort the data: ascending or descending.

“Owner(s)”. This field identifies the owner of that group.

“Hosts”. It indicates the number of assets that are part of that group.

“Alarms”. It indicates if that group has associated alarms ( ) or not (dash).

“Vulnerabilities”. It indicates if an asset is vulnerable ( ) or not (dash).

“Events”. It indicates if that group has associated events ( ) or not (dash).

“Detail”. This button is used to open the specific information about that group, see Section 3.1.1.

3.1.1. VIEW DETAILS OF A GROUP

Click on a group to expand the details of that group:


“Owner”. This field may contain a short text indicating the owner of that group. This field is not mandatory, so it may be empty.

“Description”. This field may contain a short text describing that group. This field is not mandatory, so it may be empty.

“Details”. This is a button that opens the specific information about that group.

Figure 33. Expanded details of a group

Do one of the following to view the specific information of a group:

Click on its Details button ( ).

Double click on the line of that group.

Click on the Details button ( ).


Figure 34. “Groups”: details of a group

This screen displays the following information:

Groups link. This button goes back to the asset groups’ main window (see Figure 32).

Delete button ( ). This button is used to delete that group.

Export button ( ). This button is used to export a group. See Section 3.1.3 for further information.

“More Details”. This option allows the user to expand the group details.

Figure 35. “Groups”: more details of a group

The EDIT button is used to modify the data of that group, see Section 3.1.1.2 for further information.


Snapshot side. It displays some of the information that appears at the bottom side of the screen. These are actually buttons used to go to the corresponding information in the table area.

Figure 36. “Groups”: details of a group - snapshot

Environment Status. At the right side there are 3 links:

“HIDS”. This button refers to the host-based intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle next to this field can appear in 3 different colors:

Red. It means that none of the IPs associated with the group are configured in the HIDS.

Green. It means that all IPs associated with the group are configured in the HIDS.

Yellow. It means that some IPs associated with the group are configured in the HIDS.

“Automatic Asset Discovery”. This button indicates whether or not there are pending scans for that group. The circle next to this field can appear in 3 different colors:

Red, meaning that none of the IPs associated with that group are scheduled to be scanned.

Green, meaning that all IPs associated with that group are scheduled to be scanned.

Yellow, meaning that some IPs associated with that group are scheduled to be scanned, but not all of them.

“Availability Monitoring”. This button indicates whether the “Availability Monitoring” box is selected or not (see Section 3.1.1.2). The circle next to this field can appear in 2 different colors:


Red, meaning that it is not enabled.

Green, meaning that it is enabled.

Suggestions. This part shows suggestions related to that asset. They can be:

Warning messages when an asset which has sent logs does not send an event in 24 hours.

Info messages when an asset is not sending logs to the system.

Info messages when an asset is sending logs, but there is no plugin enabled to parse the logs.

There is a document titled “System Errors, Warnings and Suggestions” that explains what a suggestion is and how suggestions work inside AlienVault USM.

3.1.1.1. TABLE AREA

The table area appears at the bottom side of the screen (see Figure 34). This menu includes the following options:

3.1.1.1.1. GENERAL

1. “Software”. It indicates whether the group has some software installed. Use the vertical scroll bar if it is necessary to see all rows.


Figure 37. “Groups”: Table Area (General > Software)

The table displays several fields: “Host”, “Port”, “Name”, “Vulnerable” and “Available”. By clicking on a line it is possible to view more information:


Figure 38. “Groups”: Table Area (General > Software). Details of software installed on a group of assets

2. “Users”. This option is not related to the users configured in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on “General > Properties” of an asset (see Figure 13) and then click on the add icon.

3. “Properties”. It displays a table that relates a property (operating system, username, department, etc.) to its values; the date when that property was updated and its source are also included. Properties are always the same:


Figure 39. “Groups”: Table Area (General > Properties)

3.1.1.1.2. ACTIVITY

1. “Alarms”. This is a table with information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination.

At the upper right-hand corner there is a “Search” field to facilitate searches.

On the bottom side, there is an indication about the number of alarms in the list. This is indicated as “Showing n to n of n alarms” and it displays the same information that was explained further up. There also is a navigation bar on the right.


Figure 40. “Groups”: Table Area (Activity > Alarms)

2. “Events”. It displays a table which includes information about events related to that group. The table includes the following fields: Signature; Data Source; Date; Incoming/Outgoing; SRC/DST (Source; Destination); Sensor; and Risk.

“Search” and “Showing events from n” display the same information that was explained further up.


Figure 41. “Groups”: Table Area (Activity > Events)

3. “Netflow”. It displays a table which includes information about netflows related to that group. This table includes the following fields: Date Flow Start; Duration; Protocol; SRC IP:Port; DST IP:Port; and Flags.

“Display n flows” allows the user to configure the number of items to view: 10, 50, 100 or all flows.

“Showing n to n of n entries” displays the same information that was explained further up.


Figure 42. “Groups”: Table Area (Activity > Netflow)

3.1.1.1.3. ASSETS

This option allows the user to add assets to the group.


Figure 43. “Groups”: Table Area (Assets)

The table displays several fields: “Host Name”, “IP”, “FQDN”, “Device Type” and “Description”. The “Host Name” column can be ordered, ascending or descending, by clicking on it. The delete icon is used to remove assets from the group.

“Search” and “Showing n to n of n hosts” display the same information that was explained further up. There also is a navigation bar on the right.

1. Click on the ADD ASSETS button to add hosts to the group:


Figure 44. “Groups”: Table Area (Add Assets)

2. Click on the assets you want to add and click on the ADD button.

3. Click on the CANCEL button to exit this window.

3.1.1.1.4. HISTORY

This option allows the user to view the record of the latest changes carried out in that group.


Figure 45. “Groups”: Table Area (History)

The table displays several fields: “Date”, “User” and “Activity”. The “Date” column can be ordered, ascending or descending, by clicking on it.

“Search” and “Showing n to n of n history events” display the same information that was explained further up. There also is a navigation bar on the right.

3.1.1.1.5. NOTES

This option allows the user to add notes to the group. Enter the text in the text box and then click on the SAVE button. Added notes can be modified and deleted.

3.1.1.2. EDIT DETAILS OF A GROUP: VIEW AND MODIFY

It is possible to view and modify the details of a group by clicking on the EDIT button (see Figure 35):


Figure 46. “Groups”: edit details

This screen includes the following parts:

“Name”. It is a label that identifies the group.

“Owner”. It is a label that identifies the owner of the group.

“Description”. This field is not mandatory, so it may be empty. It can contain a short text describing the group.

“Threshold C”. It refers to the compromise threshold level. It is an integer value.

“Threshold A”. It refers to the attack threshold level. It is an integer value.

The SAVE button is used to update changes.

The CANCEL button is used to exit this window without saving changes.

Values that are marked with an asterisk (*) are mandatory.

3.1.2. ADD A GROUP

To add a group, the instructions below must be followed:


1. Go to the asset groups main window, see Figure 32.

2. Click on ADD GROUP.

3. The assets window appears. The explanation about this window can be found in Sections 2.1 and 2.1.6.

3.1.3. EXPORT GROUPS OF ASSETS

AlienVault USM allows the user to export groups of assets to a csv file. Go into the details of a group main window (see Figure 34) and click on the export icon ( ) to access this option.

A file is created in the download folder location configured in the settings of your web browser. The name of the created file always has the same structure:

Hosts_from_group_groupID_yyyy-mm-dd.csv

Where “groupID” refers to the ID that identifies that group; “yyyy” refers to the year; “mm” refers to the month; and “dd” refers to the day.

3.2. NETWORKS

Choose “Environment > Groups & Networks” on the Primary Menu and then “Networks” on the Secondary Menu to manage networks:


Figure 47. Main window of “Networks”

The rectangle located at the top left side is a “Search” field. It is useful when there are many items, and it allows searching by owner or network name across all items. Enter a term to find networks that match that term.

The first line of the table allows the user to configure the number of entries to view: 10, 20 or 50 entries. The fields that appear in the table are the following:

“Network Name”. It is a label that identifies the network. The data in this column can be ordered in ascending or descending order by clicking on the column name.

“Owner(s)”. This field identifies the owner of that network.

“CIDR”. This is a method for allocating IP addresses and routing Internet Protocol packets. It is a range of IP addresses that defines the network.

“Sensors”. It indicates the sensor related to that network.

“Alarms”. It indicates whether that network has associated alarms ( ) or not (dash).

“Vulnerabilities”. It indicates whether a network has vulnerabilities ( ) or not (dash).

“Events”. It indicates whether a network has associated events ( ) or not (dash).

“Detail”. This button is used to open the specific information of that network, see Section 3.2.1.


On the bottom side, there is an indication about the number of networks in the list. This is indicated as “Showing n to n of n” and it displays the same information that was explained further up. There also is a navigation bar on the right.

3.2.1. VIEW DETAILS OF A NETWORK

Click on a network to expand the details of that network:

“Owner”. It identifies the owner of that network.

“CIDR”. It indicates the range of IP addresses which defines the network.

“Sensors”. It indicates the sensor related to that network.

“Description”. This field may contain a short text describing that network. This field is not mandatory, so it may be empty.

“Details”. This is a button that opens the specific information of that network.


Figure 48. Expanded details of a network

Do one of the following to view the specific information of a network:

Click on the Details button ( ).

Double click on the line of that network.


Figure 49. “Networks”: details of a network

This screen displays the following information:

Networks link. This button goes back to the networks main window (see Figure 47).

Delete button ( ). This button is used to delete that network.

Export button ( ). This button is used to export networks. See Section 3.2.4 for further information.

“More Details”. This option allows the user to expand the network details.


Figure 50. “Networks”: more details of a network

The EDIT button is used to modify the data of that network, see Section 3.2.1.2 for further information.

Snapshot side. It displays some of the information that appears at the bottom side of the screen. These items are actually buttons that jump to the corresponding information in the table area.

Figure 51. “Networks”: details of a network - snapshot

Environment Status. At the right side there are 3 links:

“HIDS”. This button refers to the intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces. The circle next to this field can appear in 3 different colors:

Red. It means that none of the IPs associated with the network are configured in the HIDS.

Green. It means that all IPs associated with the network are configured in the HIDS.

Yellow. It means that some IPs associated with the network are configured in the HIDS.


“Automatic Asset Discovery”. This button indicates whether there are pending scans for that network. The circle next to this field can appear in 3 different colors:

Red, meaning that none of the IPs associated with that network are scheduled to be scanned.

Green, meaning that all IPs associated with that network are scheduled to be scanned.

Green, meaning that all IPs of that CIDR are in the inventory.

Yellow, meaning that some IPs associated with that network are scheduled to be scanned, but not all of them.

“Availability Monitoring”. This button indicates whether the “Availability Monitoring” box is selected (see Section 3.2.1.2). The circle next to this field can appear in 2 different colors:

Red, meaning that it is not enabled.

Green, meaning that it is enabled.
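The red/green/yellow logic behind the “HIDS” and “Automatic Asset Discovery” indicators is the same for groups (Section 3.1.1) and for networks (this section): red when none of the associated IPs are covered, green when all are, yellow when only some are, and a two-state red/green for “Availability Monitoring”. The following Python block is an added example, not AlienVault code, that reproduces that logic so an analyst can reason about coverage gaps outside the web console. It assumes that a group is an explicit list of asset IPs, that a network's associated IPs are the inventoried assets falling inside its CIDR, and that an empty set of associated IPs shows as red; the inventory and configuration sets are constructed sample data.

```python
"""Added example (not AlienVault's code): compute the red/green/yellow
Environment Status indicators for an asset group or a network.

Assumptions (not stated in the manual): a group is a list of asset IPs;
"IPs associated with the network" are the inventoried assets whose
address falls inside the network's CIDR; an empty set shows as red.
"""
import ipaddress
from typing import Dict, Iterable, Set


def coverage_status(associated: Iterable[str], covered: Iterable[str]) -> str:
    """Indicator used by HIDS and Automatic Asset Discovery:
    red = none covered, green = all covered, yellow = some covered."""
    assoc = set(associated)
    hit = assoc & set(covered)
    if not assoc or not hit:
        return "red"
    return "green" if hit == assoc else "yellow"


def enabled_status(enabled: bool) -> str:
    """Availability Monitoring has only two states."""
    return "green" if enabled else "red"


def network_assets(cidr: str, inventory: Iterable[str]) -> Set[str]:
    """Inventoried IPs that belong to the network's CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {ip for ip in inventory if ipaddress.ip_address(ip) in net}


def cidr_fully_inventoried(cidr: str, inventory: Iterable[str]) -> bool:
    """True when every host address of the CIDR is present in the inventory
    (the second green meaning listed for Automatic Asset Discovery)."""
    net = ipaddress.ip_network(cidr, strict=False)
    inv = {ipaddress.ip_address(ip) for ip in inventory}
    return all(host in inv for host in net.hosts())


def environment_status(associated: Iterable[str], hids_configured: Iterable[str],
                       scan_scheduled: Iterable[str], availability: bool) -> Dict[str, str]:
    assoc = list(associated)
    return {
        "HIDS": coverage_status(assoc, hids_configured),
        "Automatic Asset Discovery": coverage_status(assoc, scan_scheduled),
        "Availability Monitoring": enabled_status(availability),
    }


# Constructed sample data (hypothetical addresses, not from the manual).
INVENTORY = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.5", "10.0.3.1", "10.0.3.2"]
HIDS_CONFIGURED = {"10.0.1.10", "10.0.1.11"}
SCAN_SCHEDULED = set(INVENTORY)


def group_example() -> Dict[str, str]:
    """A group of two hosts: one has a HIDS agent, both are scheduled for scans."""
    return environment_status(["10.0.1.10", "10.0.2.5"], HIDS_CONFIGURED, SCAN_SCHEDULED, False)


def network_example() -> Dict[str, str]:
    """A /24 network: three inventoried hosts, two with a HIDS agent."""
    assets = network_assets("10.0.1.0/24", INVENTORY)
    return environment_status(assets, HIDS_CONFIGURED, SCAN_SCHEDULED, True)


if __name__ == "__main__":
    print("group:", group_example())
    print("network:", network_example())
    print("10.0.3.0/30 fully inventoried:", cidr_fully_inventoried("10.0.3.0/30", INVENTORY))
```

A yellow HIDS indicator on a network is the quick way to spot hosts inside a monitored CIDR that have no agent; the `network_assets` result minus `HIDS_CONFIGURED` lists exactly those hosts.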

Suggestions. This part shows suggestions related to that asset. They can be:

Warning messages when an asset that has previously sent logs has not sent an event in 24 hours.

Info messages when an asset is not sending logs to the system.

Info messages when an asset is sending logs, but there is no plugin enabled to parse the logs.

There is a document titled “System Errors, Warnings and Suggestions” that explains what a suggestion is and how a suggestion works inside AlienVault USM.

3.2.1.1. TABLE AREA

The table area appears at the bottom side of the screen (see Figure 49). This menu includes the following options:

3.2.1.1.1. GENERAL

1. “Software”. It indicates whether the group has some software installed. Use the vertical scroll bar if it is necessary to see all rows.


Figure 52. “Networks”: Table Area (General > Software)

The table displays several fields: “Host”, “Port”, “Name”, “Vulnerable” and “Available”. By clicking on a line it is possible to view more information:


Figure 53. “Networks”: Table Area (General > Software). Details of software installed on a network

2. “Users”. This option is not related to the users configured in the system. This field refers to one of the asset properties. To add users related to a specific asset, click on “General > Properties” of an asset (see Figure 13) and then click on the add icon.

3. “Properties”. It displays a table that relates a property (operating system, username, department, etc.) to its values; the date when that property was updated and its source are also included. Properties are always the same:


Figure 54. “Networks”: Table Area (General > Properties)

3.2.1.1.2. ACTIVITY

1. “Alarms”. This is a table with information about the date, alarm status, Intent & Strategy, Method, Risk, Source and Destination.

At the upper right-hand corner there is a “Search” field to facilitate searches.

On the bottom side, there is an indication about the number of alarms in the list. This is indicated as “Showing n to n of n alarms” and it displays the same information that was explained further up. There also is a navigation bar on the right.


Figure 55. “Networks”: Table Area (Activity > Alarms)

2. “Events”. It displays a table which includes information about events related to that network. The table includes the following fields: Signature; Data Source; Date; Incoming/Outgoing; Source; Destination; Sensor; and Risk.

“Search” and “Showing events from n” display the same information that was explained further up.


Figure 56. “Networks”: Table Area (Activity > Events)

3. “Netflow”. It displays a table which includes information about netflows related to that network. This table includes the following fields: Date Flow Start; Duration; Protocol; Src IP:Port; Dst IP:Port; and Flags.

“Display n flows” allows the user to configure the number of items to view: 10, 50, 100 or all flows.

“Showing n to n of n flows” displays the same information that was explained further up.


Figure 57. “Networks”: Table Area (Activity > Netflow)

3.2.1.1.3. ASSETS

This option displays a table that includes several fields: “Host Name”, “IP”, “FQDN”, “Device Type” and “Description”. The “Host Name” column can be ordered, ascending or descending, by clicking on it.


Figure 58. “Networks”: Table Area (Assets)

3.2.1.1.4. NOTES

This option allows the user to add notes to the network. Enter the text in the text box and then click on the SAVE button. Added notes can be modified and deleted.

3.2.1.2. EDIT DETAILS OF A NETWORK: VIEW AND MODIFY

It is possible to view and modify the details of a network by clicking on the EDIT button (see Figure 50):


Figure 59. “Networks”: edit details

This screen includes the following parts:

“Name”. It is a label that identifies the network.

“CIDRs”. This is a method for allocating IP addresses and routing Internet Protocol packets. It is a range of IP addresses that defines the network.

“Owner”. It is a label that identifies the owner of the network.

“Sensors”. The AlienVault sensors that monitor this network. Click to select a sensor. Multiple selections are allowed.

“Asset value”. This is a value assigned to that network. Values range from 1 to 5, where 1 is the lowest value and 5 the highest.

“External Asset”. It indicates whether this network is external (Yes) or internal (No).

“Icon”. It is possible to associate an image with the network. The allowed size is 16x16 and it must be in png format.

“Description”. This field is not mandatory, so it may be empty. It can contain a short text describing the network.

“Thresholds C”. It refers to the compromise threshold level. It is an integer value.


“Thresholds A”. It refers to the attack threshold level. It is an integer value.

“Scan options”. It allows the user to enable or disable “Availability Monitoring”.

The SAVE button is used to update changes.

The CANCEL button is used to exit this window without saving changes.

Values that are marked with an asterisk (*) are mandatory.

3.2.2. ADD A NETWORK

To create a network, the instructions below must be followed:

1. Go to the main window of “Networks” (see Figure 47), click on Add Network and then on Add Network.

Figure 60. “Networks”: create a new network

2. Fill out the fields. There is an explanation of each field in Section 3.2.1.2.


3. Click on SAVE to create that new network.

3.2.3. IMPORT CSV

AlienVault USM allows the user to import assets from a csv file.

1. Go to the main window of “Networks” (see Figure 47), click on Add Network and then on Import CSV.

Figure 61. “Networks”: import CSV

2. Click on the Choose File button and choose the csv file.

3. Click on the square next to “Ignore invalid characters” if you want to ignore them. Keep in mind the notes that appear on the screen.

4. Click on IMPORT. The results of the import are displayed:


Figure 62. “Networks”: results of importing networks from a csv file

This table shows, firstly, the number of networks imported and the number of errors and warnings that occurred during the import.

Next, there is the summary of the import. “Show n entries” allows the user to configure the number of items to view: 10, 25, 50 or 100 entries. The table includes 3 fields: “Line”, “Status” and “Details”. The “Status” column can be ordered, ascending or descending, by clicking on it. An icon can be displayed in the “Details” column when the status is “Warning” or “Error”. Click on this icon to expand more information about that warning or error.
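Rejected lines only surface after the import has run, so it is worth validating a networks csv beforehand and producing the same kind of Line / Status / Details report the import screen shows. The following Python block is an added example, not AlienVault code. The manual does not specify the csv column layout or what counts as an invalid character, so this example assumes one network per line with the columns `name,cidr,owner,description`, several CIDRs in one cell separated by `;`, and invalid characters meaning anything outside printable ASCII; the sample file is constructed for the example.

```python
"""Added example (not AlienVault's code): pre-validate a networks csv and
report per line in the Line / Status / Details form of the import screen.

Assumed layout (not given in the manual): name,cidr,owner,description.
Assumed meaning of "invalid characters": anything outside printable ASCII.
"""
import csv
import io
import ipaddress
from typing import Dict, List

PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def strip_invalid(text: str) -> str:
    """Drop every character outside printable ASCII (assumed definition)."""
    return "".join(ch for ch in text if ch in PRINTABLE_ASCII)


def check_cidrs(value: str) -> str:
    """Return '' when every ';'-separated CIDR is valid, else an error message.
    strict=True rejects host bits set in the prefix (e.g. 10.0.1.5/24), which
    would otherwise be silently widened to 10.0.1.0/24 on import."""
    for cidr in value.split(";"):
        cidr = cidr.strip()
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            return f"invalid CIDR {cidr!r}"
    return ""


def validate_networks_csv(data: str, ignore_invalid_chars: bool = False) -> List[Dict[str, object]]:
    """One report row per non-empty csv line; Status is OK, Warning or Error."""
    report: List[Dict[str, object]] = []
    seen_names = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(data)), start=1):
        if not any(f.strip() for f in row):
            continue  # blank line, nothing to import
        fields = [f.strip() for f in row]
        status, details = "OK", ""
        if any(strip_invalid(f) != f for f in fields):
            if not ignore_invalid_chars:
                report.append({"Line": lineno, "Status": "Error", "Details": "invalid characters present"})
                continue
            fields = [strip_invalid(f) for f in fields]
            status, details = "Warning", "invalid characters removed"
        if len(fields) < 2 or not fields[0] or not fields[1]:
            report.append({"Line": lineno, "Status": "Error", "Details": "name and CIDR are mandatory"})
            continue
        name, cidrs = fields[0], fields[1]
        cidr_error = check_cidrs(cidrs)
        if cidr_error:
            report.append({"Line": lineno, "Status": "Error", "Details": cidr_error})
            continue
        if name.lower() in seen_names:
            status = "Warning"
            details = (details + "; " if details else "") + f"duplicate network name {name!r}"
        seen_names.add(name.lower())
        report.append({"Line": lineno, "Status": status, "Details": details})
    return report


def summarize(report: List[Dict[str, object]]) -> Dict[str, int]:
    """Header counts as shown above the results table: imported, errors, warnings."""
    return {
        "imported": sum(1 for r in report if r["Status"] != "Error"),
        "errors": sum(1 for r in report if r["Status"] == "Error"),
        "warnings": sum(1 for r in report if r["Status"] == "Warning"),
    }


# Constructed sample file: two good lines, one with host bits set, one with a
# non-breaking space in the name, one duplicate name and one missing CIDR.
SAMPLE_CSV = "\n".join([
    "Office LAN,10.0.1.0/24,netops,Floor 1 workstations",
    "DMZ,192.0.2.0/24;198.51.100.0/25,netops,Public-facing services",
    "Lab,10.0.1.5/24,research,host bits set",
    "Guest\u00a0Wifi,10.0.9.0/24,facilities,non-breaking space in the name",
    "office lan,10.0.7.0/24,netops,duplicate name",
    "Empty,,netops,missing CIDR",
])

if __name__ == "__main__":
    for ignore in (False, True):
        rep = validate_networks_csv(SAMPLE_CSV, ignore_invalid_chars=ignore)
        print(f"ignore invalid characters = {ignore}: {summarize(rep)}")
        for r in rep:
            print(f"  line {r['Line']}: {r['Status']:7} {r['Details']}")
```

Running the same file with and without the ignore option shows the difference the checkbox makes: the line with the non-breaking space moves from Error to Warning, and the cleaned name is what would reach the inventory.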
