Today’s topic is regarding Asset and Network groups in AlienVault USM Appliance and AlienVault OSSIM, and how you can use them to create organizational structures that can be used in analysis, reporting, policies, vulnerability scans, and dashboards.
Asset groups are created and accessed in Environment -->Assets & Groups --> Asset Groups.
Network groups are created and accessed in Environment -->Assets & Groups --> Network Groups.
We’ll start with asset groups. Once you’ve done your initial asset scan and all your assets are properly identified, you start off with a flat list of assets. Your workstations are mixed in with your servers, printers, firewalls, switches, etc., which makes sorting through them difficult.
The next step is to plan a strategy that works for you.
Here are some common groupings:
Workstations by department
Firewalls or edge devices
Once you have your plan mapped out, you can use the search function to search for a group of assets. The More Filters button will let you refine your search by any of the asset attributes.
For this exercise, let’s select all of the Windows entries under More Filters --> Operating System.
The resulting search yields four systems:
Select them all by clicking the checkbox next to HOSTNAME, click the now-available ACTIONS button, and choose Create/Add To Group.
As you can see in the screenshot, we have created some groups already, but we are going to add a new one by typing in the New Group field, and clicking the plus sign to the right.
This will immediately create the group, and take you to the group asset view as shown below.
Note that the group asset view has some familiar elements. The list view looks like the default asset list view, while the map, status, and graph views look like the view from a single-asset drill-down, except that they now show an aggregate of all the assets in the group. This is a quick way to assess how a group of assets is doing as a whole. Under the Actions menu, you can initiate vulnerability scans or asset scans, or enable/disable availability monitoring, for every asset in the group at once.
Now that we have a new asset group, what can we do with it? Let’s go into the SIEM view. The new group is now available in the Asset Groups selector, and choosing it shows only events involving those assets, as shown below.
Another area where asset groups can be used is the Dashboard section, where the widget wizard lets you customize a widget to show only specific asset groups. (External addresses that group members communicated with also appear as hosts in this graph.)
Custom report runs can also be scoped to an asset group, in this case the stock asset report:
Lastly, in Policies, you can scope a policy so that it applies only to a specific asset group.
Everywhere you can select an asset group in the options above, you can select a network group as well, with one exception: vulnerability scans. Since a vulnerability scan can target multiple networks directly, there is near parity in practice.
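To make the difference between the two group types concrete, here is an added Python example (not AlienVault code, and not the data the screenshots above were taken from) that models the grouping and filtering steps described in this post: building an asset group from an attribute filter the way the More Filters search does, defining a network group as address ranges rather than explicit hosts, filtering an event stream down to events that involve a group member as the SIEM view does, and collecting the external peers that a group-scoped dashboard widget would also show. The inventory, addresses and events are constructed for the example; real USM events carry many more fields.

```python
import ipaddress

# Constructed sample inventory, standing in for the flat list an initial
# asset scan produces. Hostnames, addresses and OS values are made up.
ASSETS = [
    {"hostname": "ws-acct-01", "ip": "10.1.10.21", "os": "Windows"},
    {"hostname": "ws-acct-02", "ip": "10.1.10.22", "os": "Windows"},
    {"hostname": "fs-01", "ip": "10.1.20.5", "os": "Windows"},
    {"hostname": "dc-01", "ip": "10.1.20.10", "os": "Windows"},
    {"hostname": "fw-edge", "ip": "10.1.0.1", "os": "Linux"},
    {"hostname": "prn-acct", "ip": "10.1.10.200", "os": "Printer"},
]

# Constructed sample events in a minimal (src, dst, signature) shape.
EVENTS = [
    {"src": "10.1.10.21", "dst": "203.0.113.7", "sig": "HTTP request"},
    {"src": "198.51.100.9", "dst": "10.1.20.10", "sig": "Kerberos pre-auth failure"},
    {"src": "10.1.0.1", "dst": "10.1.10.200", "sig": "SNMP poll"},
    {"src": "10.1.0.1", "dst": "203.0.113.7", "sig": "Firewall deny"},
]


def asset_group(assets, **criteria):
    """Build an asset group the way an attribute search does: every asset
    whose attributes match all of the given criteria. Returns the set of
    member IPs, which is what event matching keys on."""
    return {
        a["ip"] for a in assets
        if all(a.get(k) == v for k, v in criteria.items())
    }


def network_group(cidrs):
    """A network group is a list of address ranges, not explicit hosts."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_network_group(ip, nets):
    """True if the address falls inside any range of the network group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def events_for_asset_group(events, members):
    """SIEM view filtered by asset group: keep events where either endpoint
    is an explicit group member."""
    return [e for e in events if e["src"] in members or e["dst"] in members]


def events_for_network_group(events, nets):
    """Same filter keyed on address ranges, so a device on the subnet that
    was never inventoried is still matched."""
    return [
        e for e in events
        if in_network_group(e["src"], nets) or in_network_group(e["dst"], nets)
    ]


def external_peers(events, members):
    """Addresses that group members talked to but are not members themselves;
    these are the extra hosts a group-scoped dashboard graph also shows."""
    peers = set()
    for e in events_for_asset_group(events, members):
        for end in (e["src"], e["dst"]):
            if end not in members:
                peers.add(end)
    return peers


if __name__ == "__main__":
    windows = asset_group(ASSETS, os="Windows")
    print("Windows asset group:", sorted(windows))
    for e in events_for_asset_group(EVENTS, windows):
        print("  asset-group event:", e["sig"])
    print("  external peers:", sorted(external_peers(EVENTS, windows)))

    acct_net = network_group(["10.1.10.0/24"])
    for e in events_for_network_group(EVENTS, acct_net):
        print("  network-group event:", e["sig"])
```

The asset-group filter and the network-group filter disagree on purpose: the printer poll on 10.1.10.200 is picked up by the network group because it sits in the accounting subnet, but not by the Windows asset group, while the domain controller on 10.1.20.10 is the reverse. That is the practical reason to keep both kinds of group rather than treating them as interchangeable.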
An additional feature you get with network groups is the ability to link the group to specific knowledge base entries, either the stock entries provided or your own custom ones.
Grouping assets and networks will keep your AlienVault unified security platform organized and manageable, allow for more granular reporting, and make analysis and alarm triage easier.