
Asset Grouping in AlienVault USM – Tip of the Month July 2017

Today's topic is Asset and Network groups in AlienVault USM Appliance and AlienVault OSSIM, and how you can use them to build organizational structures that feed analysis, reporting, policies, vulnerability scans, and dashboards.

Asset groups are created and accessed in Environment -->Assets & Groups --> Asset Groups.
Network groups are created and accessed in Environment -->Assets & Groups --> Network Groups.

We'll start with asset groups. Once you've run your initial asset scan and all your assets are properly identified, you are left with a flat list of assets. Your workstations are mixed in with your servers, printers, firewalls, switches, etc., which makes sorting through them difficult.

The next step is to plan a strategy that works for you.  

Here are some common groupings:
Windows servers
Workstations
Workstation by department
Firewalls or edge devices
PCI Assets
SOX Assets
HIPAA Assets
Printers
DMZ
Once you have your plan mapped out, use the search function to find the assets that belong in a group. The More Filters button lets you refine the search by any asset attribute (operating system, device type, network, and so on). Note that an asset can belong to more than one group, so a host can be in both "Windows servers" and "PCI Assets".
[Screenshot: tip-7-17_asset-search1]

[Screenshot: tip-7-17_asset-search2]
For this exercise, under More Filters and Operating System, select all of the Windows entries.
The resulting search yields four systems:
[Screenshot: tip-7-17_asset-searchresult1]
Select them all by clicking the checkbox next to HOSTNAME, click the now-available ACTIONS button, and choose Create/Add To Group.

[Screenshot: tip-7-17_addtogroup]
As you can see in the screenshot, some groups already exist, but we are going to add a new one by typing a name in the New Group field and clicking the plus sign to its right.
This creates the group immediately and takes you to the group asset view shown below.

[Screenshot: tip-7-17_asset-result2]
The group asset view has some familiar elements. The list view looks like the default asset list view, while the map, status, and graph views look like the single-asset drill-down view, except that they now aggregate all the assets in the group. This is a quick way to assess how a set of assets is doing. From the Actions menu you can initiate vulnerability scans and asset scans, and enable or disable availability monitoring, for every asset in the group at once.

Now that we have a new asset group, what can we do with it? Let's go into the SIEM view. The new group appears under Asset Groups, and selecting it shows only events that involve those assets, as shown below.

[Screenshot: tip-7-17_asset-siem1]


Another area where asset groups can be used is the Dashboard section, where the widget wizard lets you restrict a custom widget to specific asset groups. (External addresses appear in this graph as the hosts that group members communicate with; they are not members of the group.)

[Screenshot: tip-7-17_asset-widget1]

Vulnerability scans:

[Screenshot: tip-7-17_asset-vuln1]

Custom report runs, in this case the stock asset report:
[Screenshot: tip-7-17_asset-report1]

Lastly, in Policies, to scope a policy to a specific asset group.
[Screenshot: tip-7-17_asset-policy1]

Network groups can be selected in each of the places above where asset groups can, with one exception: vulnerability scans. A vulnerability scan can, however, target multiple networks, so there is near parity.

An additional feature you get with network groups is the ability to link a network group to specific knowledge base entries, either the stock entries or custom ones you have written.
[Screenshot: tip-7-17_asset-kb1]

[Screenshot: tip-7-17_asset-kb2]
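The grouping plan described above, both the attribute-based asset groups and the address-range network groups, as an added Python example. This is not part of the original post and does not call any USM or OSSIM API; it models the same decisions you make in the GUI so you can dry-run a plan before building it. It takes a constructed flat inventory (hypothetical hostnames, addresses, OS strings and field names, standing in for what the initial asset scan produces), applies the same kinds of filters you would set under More Filters, assigns network groups by CIDR membership, and reports every asset that no asset group captured, which is the check worth running before you rely on groups for policies or reports.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: the flat asset list you have after the initial
# asset scan. Field names and values are illustrative, not USM's schema.
ASSETS = [
    {"hostname": "dc01",    "ip": "10.0.1.10",     "os": "Windows Server 2016", "type": "server"},
    {"hostname": "sql01",   "ip": "10.0.1.20",     "os": "Windows Server 2012", "type": "server"},
    {"hostname": "ws-fin1", "ip": "10.0.2.15",     "os": "Windows 10",          "type": "workstation", "dept": "finance"},
    {"hostname": "ws-hr1",  "ip": "10.0.2.16",     "os": "Windows 10",          "type": "workstation", "dept": "hr"},
    {"hostname": "web01",   "ip": "192.168.100.5", "os": "Ubuntu 16.04",        "type": "server"},
    {"hostname": "fw-edge", "ip": "192.168.100.1", "os": "FortiOS",             "type": "firewall"},
    {"hostname": "prn-01",  "ip": "10.0.2.200",    "os": "Printer",             "type": "printer"},
    {"hostname": "nas01",   "ip": "10.0.1.30",     "os": "Synology DSM",        "type": "storage"},
]

# Asset group rules: group name -> predicate over one asset record.
# Each predicate plays the role of a "More Filters" search in the GUI.
# Groups may overlap; a host can be in several at once.
ASSET_GROUP_RULES = {
    "Windows": lambda a: a["os"].startswith("Windows"),
    "Windows servers": lambda a: a["os"].startswith("Windows") and a["type"] == "server",
    "Workstations": lambda a: a["type"] == "workstation",
    "Workstations - finance": lambda a: a["type"] == "workstation" and a.get("dept") == "finance",
    "Firewalls or edge devices": lambda a: a["type"] == "firewall",
    "Printers": lambda a: a["type"] == "printer",
    # Compliance scope is a business decision, not an attribute the scanner
    # discovers, so it is an explicit (hypothetical) host list here.
    "PCI Assets": lambda a: a["hostname"] in {"sql01", "web01"},
}

# Network group rules: group name -> CIDRs (hypothetical address plan).
NETWORK_GROUP_RULES = {
    "Internal": ["10.0.0.0/16"],
    "DMZ": ["192.168.100.0/24"],
}


def build_asset_groups(assets, rules):
    """Return {group name: [hostnames]} for every rule an asset satisfies."""
    groups = defaultdict(list)
    for asset in assets:
        for name, predicate in rules.items():
            if predicate(asset):
                groups[name].append(asset["hostname"])
    return dict(groups)


def build_network_groups(assets, rules):
    """Return {group name: [hostnames]} by CIDR membership of each asset's IP."""
    networks = {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in rules.items()}
    groups = defaultdict(list)
    for asset in assets:
        addr = ipaddress.ip_address(asset["ip"])
        for name, cidrs in networks.items():
            if any(addr in net for net in cidrs):
                groups[name].append(asset["hostname"])
    return dict(groups)


def ungrouped(assets, asset_groups):
    """Hostnames that fell through every asset group rule: the gaps in the plan."""
    grouped = {host for members in asset_groups.values() for host in members}
    return sorted(asset["hostname"] for asset in assets if asset["hostname"] not in grouped)


if __name__ == "__main__":
    asset_groups = build_asset_groups(ASSETS, ASSET_GROUP_RULES)
    for name, members in asset_groups.items():
        print(f"asset group {name!r}: {members}")
    for name, members in build_network_groups(ASSETS, NETWORK_GROUP_RULES).items():
        print(f"network group {name!r}: {members}")
    print("ungrouped:", ungrouped(ASSETS, asset_groups))
```

On this sample the "Windows" rule matches the same four systems the walkthrough found, and `nas01` shows up as ungrouped, which is the kind of asset that silently escapes a group-scoped policy or report unless you add a rule (or a group) for it.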

Grouping assets and networks keeps your AlienVault unified security platform organized and manageable, allows more granular reporting, and makes analysis and alarm triage easier.
