How to generate an alert when an asset is discovered

How do I generate an alert when a new asset is discovered? I have nmap running every hour and it does insert assets into the asset list, but I would like to generate an alarm or report of all the new assets discovered - implementing "Metric 1" of "Critical Control 1: Inventory of Authorized and Unauthorized Devices" (CSIS: 20 Critical Security Controls Version 4.0 - http://www.sans.org/critical-security-controls/)

"Control 1 Metric:
The system must be capable of identifying any new unauthorized devices that are connected to the network within 24 hours, and of alerting or sending e-mail notification to a list of enterprise administrative personnel."

Best Answers

  • Answer ✓
    @sdrroppers

    You will have to create a new policy and action. I will create a simple howto in a couple hours.
  • Answer ✓
    Now this will only be a very simple howto to point you in the right direction

    Go to

    Intelligence -> policy and create a new policy

    src any dst any src port any dst port any

    Under Event Types create new DS group

    Name it, go to 'Add by Data source', search for 'arp' and select the 'Arpwatch' datasource (1512). Click 'Add selected', then click 'Accept', close the next window and select the DS group you just created.

    Now go to Policy and create a policy that will generate a new ticket.

    Remember to add arp-watch under Configuration - Sensors.

    It became a bit more than a simple howto, but it should point you in the right direction.
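The policy above fires on Arpwatch events inside OSSIM; for readers who want to see the same Control 1 logic outside the GUI (or to sanity-check what the policy should match), here is an added example that is not from this thread or from AlienVault. It parses arpwatch "new station" syslog lines, checks each MAC against an authorized inventory, and also diffs two hourly nmap host lists. The log line format, the sensor name, the inventory, and the IP/MAC values are all constructed assumptions for illustration.

```python
import re

# Constructed sample of arpwatch syslog lines (format assumed from typical arpwatch
# output; these are not real log lines from the thread or from any real sensor).
SAMPLE_LOG = """\
Jan 14 03:12:07 sensor1 arpwatch: new station 10.0.5.23 0:c:29:4a:1b:9c eth0
Jan 14 03:12:09 sensor1 arpwatch: new station 10.0.5.40 00:50:56:aa:bb:cc eth0
Jan 14 03:15:00 sensor1 arpwatch: changed ethernet address 10.0.5.7 0:1a:2b:3c:4d:5e (0:1a:2b:3c:4d:5f) eth0
Jan 14 03:20:11 sensor1 sshd[412]: Accepted publickey for ops from 10.0.5.40
"""

# Constructed authorized-device inventory keyed by normalized MAC address.
# In a real deployment this would come from the CMDB / OSSIM asset list.
AUTHORIZED = {
    "00:50:56:aa:bb:cc": "vm-web01",
    "00:1a:2b:3c:4d:5e": "printer-floor2",
}

# Matches only the "new station" event; other arpwatch messages are ignored here.
NEW_STATION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) arpwatch: "
    r"new station (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-fA-F:]+)(?: (?P<iface>\S+))?$"
)


def normalize_mac(mac):
    """Zero-pad each octet so '0:c:29:4a:1b:9c' and '00:0c:29:4a:1b:9c' compare equal."""
    octets = mac.lower().split(":")
    if len(octets) != 6:
        raise ValueError("not a 6-octet MAC: %r" % mac)
    return ":".join(o.zfill(2) for o in octets)


def parse_new_stations(log_text):
    """Return one dict per 'new station' event; non-matching syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = NEW_STATION_RE.match(line)
        if not m:
            continue
        events.append({
            "timestamp": m.group("ts"),
            "sensor": m.group("host"),
            "ip": m.group("ip"),
            "mac": normalize_mac(m.group("mac")),
            "iface": m.group("iface") or "",
        })
    return events


def unauthorized_devices(log_text, authorized):
    """Keep only new-station events whose MAC is absent from the authorized inventory."""
    return [e for e in parse_new_stations(log_text) if e["mac"] not in authorized]


def new_hosts(previous_scan, current_scan):
    """Hourly nmap inventory diff: hosts seen now that were not in the previous scan."""
    return sorted(set(current_scan) - set(previous_scan))


def format_alert(event):
    """Render one event as a single-line alert suitable for an e-mail or ticket body."""
    return ("UNAUTHORIZED DEVICE: ip=%s mac=%s iface=%s seen=%s on sensor %s"
            % (event["ip"], event["mac"], event["iface"], event["timestamp"], event["sensor"]))


if __name__ == "__main__":
    for ev in unauthorized_devices(SAMPLE_LOG, AUTHORIZED):
        print(format_alert(ev))
    # Constructed hourly scan results for the nmap-based path.
    print("new hosts since last scan:",
          new_hosts({"10.0.5.7", "10.0.5.40"}, {"10.0.5.7", "10.0.5.40", "10.0.5.23"}))
```

The MAC normalization matters in practice: arpwatch prints octets without leading zeros, while most inventories store them zero-padded, so a naive string comparison would flag every known device as unauthorized. The nmap diff covers the questioner's hourly-scan setup, where a host that answers a scan but was never seen before is the event worth ticketing.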

Answers

  • I really would like an answer too.
  • If you take a look at Policy and Actions, there are 3 event types that should deal with new hosts. I would look in that direction if I were you.
  • OK - I think I may have missed something very basic. When I look at "policy and actions" I do not see any definitions, I only see a screen with two tabs "Policy", "Actions". Under the "Policy" tab I see two groups, but nothing is in either group.

    The actions tab has the label "Actions No Actions", with the options "New", "Modify", and "Delete Selected"

    So I see nothing to select with any sort of "event type".