Asset Discovery and software inventory

egeeek
I read with great interest the article:

While I agree with the article, I do not know how USM can be used to achieve the objectives related to software inventory:
 * I do not see how AlienVault can be used to have an exhaustive and reliable software inventory automatically. The only thing I know of that automatically feeds the "software" tab of an asset page is the nmap scan, but this gives only a list of applications that are listening on the network (and not even a reliable list, as nmap can be wrong). Is there a way, for example, for the vulnerability scan to feed the software tab with exhaustive and reliable info about software and versions? Or something else I have missed, other than manually entering the list of software?
 * I do not see how AlienVault can be used to capture unlicensed software. Is there a way to raise an alarm when new software is seen on an asset? Or when a new asset is discovered on the network?

Thanks in advance for your tips regarding these points!
The blog post makes me think I have perhaps missed something.

Regards

Eric
zparker

Comments

  • Greetings Eric,

    I think that is a great idea that should be submitted to support. While Alienvault does not automatically update a program index for software packages in the Asset Details (as seen below), you can track installed/uninstalled applications through HIDS.

    app-detection

    If you go to Analysis > SIEM, filter by data source HIDS, search the Event Name APP and select the GROUPED option, you can see the Alienvault HIDS: Application Installed and Alienvault HIDS: Application Uninstalled groups. Note: if you don't see the events, you may want to remove the Last Day filter. See below.

    app-detection2

    You can double click on the Alienvault HIDS: Application Installed event name to view all events captured in that group, then click the specific event to find out more details about what was installed.

    app-detection3

    You may want to create a policy and action to notify you if a new application is installed. Otherwise you can go to Configuration > Data Source: search for the Data Source ID 7006 and Event Type ID 18147. Here you can change the Priority and Reliability to a higher value to quickly create alarms.

    app-detection4

    Hopefully this helps, Cheers!

    Zach 