AlienVault® USM Anywhere™

AlienApp for Forensics and Response Requirements

To use the AlienApp for Forensics and Response for data collection and enforcement functions on remote hosts, the target assets must meet the following requirements:

For information about configuring the host system to support remote management functions, see Host System Configuration for Scans and Functions.

Access Rights for Credentials

USM Anywhere requires privileged access to execute system-level functions for monitored assets. Using an unprivileged account will result in many "unknown" and potentially "error" results. Make sure that you have credentials for the target assets that meet the following requirements:

  • For Windows systems, USM Anywhere uses the WinRM framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is not reachable on a target Windows system with the account credentials, USM Anywhere will be unable to connect.

    Important: Only the members of the Remote Management Users and Administrators groups can log in through WS-Management.

  • For Linux systems, USM Anywhere connects to the target host through SSH to run the supported functions. USM Anywhere supports the definition of credentials with sudo privilege escalation. It also supports logging in as a particular user followed by su privilege escalation, which executes every command as the root user.
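The two requirements above can be checked before a credential set is assigned. The following pre-flight script is an added example written for this page; it is not part of USM Anywhere or its documentation. It assumes PowerShell 7 with the OpenSSH client on PATH, placeholder host names and accounts, and (for the Linux check) a key-based SSH login for the account, with the supplied password used only for sudo escalation; it checks the sudo path, not the su path.

```powershell
# Added pre-flight check (not USM Anywhere code). Host names, accounts and passwords
# below are placeholders; replace them with the asset and credential set you intend to assign.

function Test-WinRmReadiness {
    # Verifies that a Windows asset answers on WinRM (stack 2.0 or higher) and that the
    # account can actually execute commands, which only members of Remote Management
    # Users or Administrators are allowed to do.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $result = [ordered]@{ Asset = $ComputerName; Reachable = $false; StackVersion = $null
                          VersionOk = $false; CanExecute = $false; RunsAs = $null
                          GroupOk = $false; Error = $null }
    try {
        # Unauthenticated identify request: proves the listener answers and reports the stack version.
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $result.Reachable = $true
        if ($id.ProductVersion -match 'Stack:\s*(\d+\.\d+)') {
            $result.StackVersion = [version]$Matches[1]
            $result.VersionOk = $result.StackVersion -ge [version]'2.0'
        }
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    try {
        # Authenticated remote execution is what USM Anywhere does; it fails unless the
        # account is permitted through WS-Management on the target.
        $remote = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
            $me = [Security.Principal.WindowsIdentity]::GetCurrent()
            [pscustomobject]@{ Name = $me.Name; Sids = @($me.Groups | ForEach-Object Value) }
        }
        $result.CanExecute = $true
        $result.RunsAs = $remote.Name
        # S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-580 = BUILTIN\Remote Management Users
        $result.GroupOk = ($remote.Sids -contains 'S-1-5-32-544') -or ($remote.Sids -contains 'S-1-5-32-580')
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Test-SshSudoReadiness {
    # Verifies that a Linux asset accepts the SSH login and that sudo escalates the
    # account to root when the credential password is supplied on stdin.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $user = $Credential.UserName
    $pw   = $Credential.GetNetworkCredential().Password
    # BatchMode refuses interactive prompts, so the SSH login itself must be key-based here;
    # the password is consumed by sudo (-S reads stdin, -p "" suppresses the prompt text).
    $out = $pw | ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new `
                     "$user@$HostName" 'sudo -S -p "" id -u' 2>&1
    $exit = $LASTEXITCODE
    [pscustomobject]@{
        Asset     = $HostName
        Account   = $user
        Connected = ($exit -ne 255)                  # ssh itself exits 255 on connection or login failure
        RootOk    = ($exit -eq 0 -and "$($out | Select-Object -Last 1)" -eq '0')   # id -u printed 0 = root
        Output    = (@($out) -join "`n")
    }
}

# Placeholder targets and credentials (constructed for this example).
$winCred = Get-Credential -UserName 'CORP\usm-scan' -Message 'Windows credential set'
Test-WinRmReadiness -ComputerName 'win-app-01.corp.example' -Credential $winCred | Format-List
$linCred = Get-Credential -UserName 'usm-scan' -Message 'Linux credential set (sudo password)'
Test-SshSudoReadiness -HostName 'web-01.corp.example' -Credential $linCred | Format-List
```

A Windows result with Reachable true but CanExecute false points at group membership or the WinRM permission set rather than at the network path; a Linux result with Connected true but RootOk false means the login works but sudo rejected the password or is not granted to the account, which is the case that produces "unknown" and "error" results in the AlienApp.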

Note: USM Anywhere also supports credentials for Cisco IOS to support authenticated scans on those devices. This credential type is not used by the AlienApp for Forensics and Response.

Manage Credentials for Your Assets

Before you use the AlienApp for Forensics and Response actions to perform collection and enforcement functions for your assets, you should make sure that each of the assets has assigned credentials that are able to connect to the system. In USM Anywhere, you can assign credentials for an individual asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) or for an asset group (an administratively created object that groups similar assets for specific purposes).

Note: Credentials assigned directly to an asset have higher priority than those assigned to an asset group.

When USM Anywhere runs a scan or executes a system-level action, it first uses the credential set assigned directly to the asset, if there is one. If those credentials fail to connect, or the asset has no directly assigned credential set, it falls back to the credential set assigned to the asset group the asset belongs to, if the asset is a member of a group.
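The precedence just described, modelled as an added illustration for this page (it is not USM Anywhere code): the asset's own credential set is tried first, and only when it is missing or fails to connect is the group's credential set tried. The inventory, credential set names and the `$TestConnection` script block that stands in for the product's connection test are all constructed assumptions of this example.

```powershell
# Added illustration of credential precedence (not USM Anywhere code).
function Resolve-AssetCredential {
    param(
        [Parameter(Mandatory)][hashtable]$Asset,             # @{ Name; Credential; Group }
        [Parameter(Mandatory)][hashtable]$GroupCredentials,  # asset group name -> credential set name
        [Parameter(Mandatory)][scriptblock]$TestConnection   # (asset name, credential set) -> $true/$false
    )
    # Order of attempts: direct assignment first, then the group's assignment (if any).
    $candidates = @()
    if ($Asset.Credential) { $candidates += $Asset.Credential }
    if ($Asset.Group -and $GroupCredentials.ContainsKey($Asset.Group)) {
        $candidates += $GroupCredentials[$Asset.Group]
    }
    $attempts = @()
    foreach ($cred in $candidates) {
        $ok = & $TestConnection $Asset.Name $cred
        $attempts += "$cred=$(if ($ok) { 'connected' } else { 'failed' })"
        if ($ok) {
            return [pscustomobject]@{ Asset = $Asset.Name; Used = $cred; Attempts = ($attempts -join ', ') }
        }
    }
    # Nothing connected: the action will produce "unknown"/"error" results for this asset.
    [pscustomobject]@{ Asset = $Asset.Name; Used = $null; Attempts = ($attempts -join ', ') }
}

# Constructed sample inventory: 'linux-cred-old' is a stale direct assignment that no longer connects.
$groupCreds = @{ 'web-servers' = 'linux-cred-2024' }
$assets = @(
    @{ Name = 'web-01'; Credential = 'linux-cred-old'; Group = 'web-servers' }   # direct cred fails -> group cred used
    @{ Name = 'web-02'; Credential = $null;            Group = 'web-servers' }   # no direct cred   -> group cred used
    @{ Name = 'db-01';  Credential = 'linux-cred-old'; Group = $null }           # stale cred, no group -> nothing works
)
# Simulated connection test: only the current credential set connects.
$simulatedTest = { param($name, $cred) $cred -eq 'linux-cred-2024' }

$assets | ForEach-Object {
    Resolve-AssetCredential -Asset $_ -GroupCredentials $groupCreds -TestConnection $simulatedTest
} | Format-Table Asset, Used, Attempts
```

The third asset shows the case to watch for in practice: a stale direct assignment on an asset with no group membership silently loses access, and nothing in the precedence rules substitutes another credential set for it.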

To add a new credential

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click New Credentials.

    Add a new credential set for system-level access to USM Anywhere assets

  3. Enter a name for the credential in the Name field and, if desired, a description to clarify its use in the Description field.
  4. In Credential Type, select the appropriate credential type based on the operating system of the asset (for example Microsoft Windows, Macintosh OS X, UNIX, or Linux).

    This displays the fields that are applicable for that type.

  5. Click Save.

In USM Anywhere, you assign a defined credential set to an individual asset in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on the host. You can assign assets to a credential set on the Credentials page, or you can perform this task from the Assets page.

To assign a credential on the Credentials page

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click the Usage icon in the row of the credential you want to assign.

    Click the Usage icon to manage the asset assignments for the credential set

  3. At the bottom of the dialog, enter part of the asset name in the field.

    This displays the matching items below the field. You can enter more text to filter the list further.

  4. Select the asset to assign to the credential set.

    Enter part of the asset name and select it from the list of matching items

    After you select the asset, the dialog displays the item at the top. If needed, you can enter text for another asset name and select it to assign multiple assets for the credential set.

  5. Next to the displayed asset name, click Test to execute a test connection to the asset using the credentials.

  6. Click the Close icon in the dialog.

To assign a credential on the Assets page

  1. Navigate to ENVIRONMENT > ASSETS and locate the asset.
  2. Click the Menu icon next to the asset name and select Assign Credentials.
  3. In the dialog, click Choose Credentials and select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the asset

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere. Use the information in the earlier procedure to create the new credential set.

  4. Click Test to execute a test connection to the asset using the selected credentials.

  5. Click Save.

In USM Anywhere, you assign a defined credential set to an asset group in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on members of the group. You can assign asset groups to a credential set on the Credentials page, or you can perform this task from the Asset Groups page.

Important: When you assign a credential to an asset group, USM Anywhere will assign the credential to the asset group instead of assigning it to all of its members.

To assign a credential on the Credentials page

  1. Navigate to SETTINGS > CREDENTIALS.
  2. Click the Usage icon in the row of the credential you want to assign.

    Click the Usage icon to manage the asset assignments for the credential set

  3. Click the Asset Groups tab in the dialog.
  4. At the bottom of the dialog, enter part of the asset group name in the field.

    This displays the matching items below the field. You can enter more text to filter the list further.

  5. Select the asset group to assign to the credential set.

    Enter part of the asset group name and select it from the list of matching items

    After you select the asset group, the dialog displays the item at the top. If needed, you can enter text for another asset group name and select it to assign multiple asset groups for the credential set.

  6. Click the Close icon in the dialog.

To assign a credential on the Asset Groups page

  1. Navigate to ENVIRONMENT > ASSET GROUPS.
  2. Click the Menu icon next to the asset group name and select Assign Credentials.
  3. In the dialog, click Choose Credentials and select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the assets in the group

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere.

  4. Click Save.