Role Availability | Read-Only | Investigator | Analyst | Manager |
USM Anywhere supports static and dynamic asset groups. Asset groups are administratively created objects that group similar assets for specific purposes. A static group consists of assets that you manually assign to the group; an asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. A dynamic group is defined using rules that automatically add or remove assets from the group, based on the criteria you have defined.
By default, LevelBlue creates these dynamic asset groups:
- Assets with Agents: Asset group containing assets with agents.
- Assets with Alarms: Asset group containing assets with alarms. Alarms provide notification of an event or sequence of events that require attention or investigation.
- Assets with Vulnerabilities: Asset group containing assets with vulnerabilities.
- Database Servers: Asset group containing database servers.
- HIPAA: Asset group containing Health Insurance Portability and Accountability Act (HIPAA) assets. HIPAA is a standard for protecting sensitive patient data.
- Linux Assets: Asset group containing Linux systems.
- PCI DSS: Asset group containing Payment Card Industry (PCI) assets.
- Web Servers: Asset group containing web servers.
- Windows Assets: Asset group containing Microsoft Windows systems.
USM Anywhere also creates a default asset group for each Amazon Web Services (AWS) Elastic Load Balancing (ELB) instance in your environment. Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud. The AWS Sensor ELB group includes the ELB instance and any AWS Sensor instance connected to the load balancer and registered with the ELB service. USM Anywhere automatically discovers and enables you to collect ELB access logs if you have ELB access logging enabled.
Important: LevelBlue recommends that you limit your asset groups to 1024 or fewer assets. While asset groups can be larger, selecting an asset group for any searching or filtering will only return data for the most recent 1024 assets. To see more data, create multiple asset groups each with 1024 or fewer assets.
Creating a Static Asset Group
USM Anywhere enables you to create a static asset group.
To create a static asset group from the asset groups main window
- Go to Environment > Asset Groups.
- Select Actions > Static.
- Enter the name of the asset group.
  This field is required.
  Note: The valid characters for the asset group name are uppercase letters (A-Z), lowercase letters (a-z), numerical digits (0-9), hyphens (-), underscores (_), and blank spaces. You can enter up to 64 characters.
  Important: You cannot use special characters like forward slash (/), backslash (\) or ampersand (&). When a special character is not valid, the Save button remains inactive.
- (Optional.) Enter a description for identifying this group.
- Locate the assets that you want to add to the group, and click Add Asset or Scan Network.
  If you click Scan Network, enter the name for a network and the Classless Inter-Domain Routing (CIDR) block to specify the subnet's IP address block that you want to scan. CIDR provides a method for allocating IP addresses, routing Internet protocol packets, and subdividing networks; CIDR notation provides a syntax for specifying a range of IP addresses.
- (Optional.) Delete assets from the group by clicking the icon. You can view a specific asset by clicking the icon, and use Cancel to discard the changes.
- Click Save.
Creating a Dynamic Asset Group
USM Anywhere enables you to create a dynamic asset group.
To create a dynamic asset group from the asset groups main window
- Go to Environment > Asset Groups.
- Select Actions > Dynamic.
- Enter the name of the asset group.
  This field is required.
  Note: The valid characters for the asset group name are uppercase letters (A-Z), lowercase letters (a-z), numerical digits (0-9), hyphens (-), underscores (_), and blank spaces. You can enter up to 64 characters.
  Important: You cannot use special characters like forward slash (/), backslash (\) or ampersand (&). When a special character is not valid, the Save button remains inactive.
- (Optional.) Enter a description for identifying this group.
- Add the search criteria for the assets you want to be part of this group:
  - Select a field: You can choose between fields, custom user fields, tags, and sensor apps fields. You can use the same field multiple times in a group. The "Search Criteria to Create a Dynamic Asset Group" table lists the available fields.
  - Select an operator: Depending on the selected field, you can choose different operators. The "Operators to Create a Dynamic Asset Group" table shows the available operators.
  - Enter a search criteria: Enter the value you want to search.
- Click the icon to add your search criteria.
  You click this icon to add several fields. You can use the same field multiple times in a group.
- Click Apply Criteria.
- Click Save.

Search Criteria to Create a Dynamic Asset Group (Field Name: Meaning)
- Alarm Counter: Search asset groups by the number of alarms.
- Asset State: Search asset groups by asset state. Depending on your installed sensor, this state can vary:
  - AWS:
    - Running: Asset (AWS instance) is running.
    - Available: RDS instance is running.
    - Stopped: Asset is not running.
  - VMware / Hyper-V:
    - PoweredOn: Asset is running.
    - PoweredOff: Asset is not running. This state can be used for correlation.
    - Suspended: Asset is not running. This state can be used for correlation.
  - GCP / Azure:
    - Running: Asset is running.
    - Stopped: Asset is not running.
- Asset Type: Search asset groups by asset type.
- Associated Plugin: Search asset groups by the plugin associated to the asset.
- Configuration Issue Counter: Search asset groups by the number of configuration issues.
- Description: Search asset groups by the asset description.
- Event Counter: Search asset groups by the number of events.
- FQDN: Search asset groups by Fully Qualified Domain Name (FQDN).
- HIPAA Asset: Search asset groups by Health Insurance Portability and Accountability Act (HIPAA) Asset, if the asset is included or not in the HIPAA Asset Group. See Asset Group List View for more information.
- Instance Type: Search asset groups by instance type.
- IP/CIDR: Search asset groups by IP and Classless Inter-Domain Routing (CIDR). This is a method for allocating IP addresses and routing IP packets. It is the range of IP addresses that define the network.
- Name: Search asset groups by the name of the asset.
- Operating Service: Search asset groups by operating system.
- PCI Asset: Search asset groups by Payment Card Industry (PCI) Asset, if the asset is included or not in the PCI Data Security Standards (DSS) Asset Group. See Asset Group List View and Working with Assets and PCI DSS for more information.
- Region: Search asset groups by region.
- Sensor: Search asset groups by sensor.
- Service: Search asset groups by service.
- Software: Search asset groups by software.
- UUID: Search asset groups by the universally unique identifier (UUID).
- Vulnerability Counter: Search asset groups by the number of vulnerabilities.
- Custom User Fields: Search asset groups by the fields you have created. If you have not created fields, this filter does not display.
- Tags: (Only for Amazon Web Services [AWS] Sensors). Identify asset groups by the tag assigned to an AWS resource.
- Sensor Apps Fields: (Only for AWS Sensors). Identify asset groups by parameters of the AWS instance.

Note: The result of a search when you use the Alarm Counter filter or the Event Counter filter depends on whether an alarm or an event can identify the source or destination as an asset in the inventory. Your environment can have alarms or events associated with assets both included in the inventory and those not included in the inventory. Assets included in the inventory display their names in blue, and assets not included in the inventory display their names in gray. The alarm and event counter filters only count the identified (blue) assets.
Important: The alarm and event counts are not updated in real time, but are calculated every hour. If the counts look out of date, it can be because new events or alarms arrived in your environment after the last count.

Operators to Create a Dynamic Asset Group (Operator: Meaning)
- >: Greater than
- >=: Greater than or equal to
- <: Less than
- <=: Less than or equal to
- Equal: Equal to
- IP Range: Range of IP addresses
- Like: Search for the specified pattern
- Not Equal: Not equal to
- Not Like: Not true
Note: You can also add a dynamic asset group from the Setup Wizard, by scanning a network.
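The following planning script is an added example, not LevelBlue code and not part of the original page. It applies the 1024-asset recommendation and the group naming rule above to an inventory of asset IP addresses: it halves a CIDR block until each sub-block holds at most 1024 known assets and proposes one IP/CIDR-based dynamic group per sub-block. The `DC1` prefix, the name layout, and the sample inventory are assumptions made for illustration.

```python
import ipaddress
import re

MAX_ASSETS = 1024  # recommended per-group ceiling stated on this page
# Naming rule from this page: letters, digits, hyphen, underscore, space; up to 64 chars.
NAME_RE = re.compile(r"[A-Za-z0-9_\- ]{1,64}")

def valid_group_name(name):
    """True if the name satisfies the documented character and length rule."""
    return NAME_RE.fullmatch(name) is not None

def plan_groups(prefix, cidr, asset_ips, limit=MAX_ASSETS):
    """Halve `cidr` until every block holds at most `limit` known assets.

    Returns [(group_name, cidr_block, asset_count)] ordered by address.
    `prefix` and the name layout are hypothetical conventions for this example.
    """
    root = ipaddress.ip_network(cidr)
    members = sorted(a for a in {ipaddress.ip_address(ip) for ip in asset_ips}
                     if a in root)
    plan, stack = [], [(root, members)]
    while stack:
        net, inside = stack.pop()
        if not inside:
            continue  # empty half: no group needed
        if len(inside) > limit:
            low, high = net.subnets(prefixlen_diff=1)
            stack.append((high, [a for a in inside if a in high]))
            stack.append((low, [a for a in inside if a in low]))
            continue
        # '.', ':' and '/' are not valid in a group name, so encode the block.
        label = re.sub(r"[^A-Za-z0-9]", "-", str(net.network_address))
        name = f"{prefix} {label}_{net.prefixlen}"
        if not valid_group_name(name):
            raise ValueError(f"invalid asset group name: {name!r}")
        plan.append((name, str(net), len(inside)))
    return plan

# Constructed sample inventory: 1500 consecutive addresses in 10.20.0.0/21.
SAMPLE_IPS = [str(ipaddress.ip_address("10.20.0.0") + i) for i in range(1, 1501)]

if __name__ == "__main__":
    for name, block, count in plan_groups("DC1", "10.20.0.0/21", SAMPLE_IPS):
        print(f"{name:<20} {block:<16} {count} assets")
```

Because dynamic groups gain members as new assets appear, rerun the plan against a fresh inventory export when a block approaches the limit.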