Running Asset Groups Scans

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to run a scan against the assets included in an asset group (an administratively created object that groups similar assets for specific purposes). To accomplish this, the scanner sends crafted packets to the target asset group and analyzes the responses. Crafted packets are packets that are constructed manually; they might be used for fuzzing or testing protocols, because you can create exceptional situations that might be useful to evade IDSs or firewalls. They can also be used to fingerprint an asset, for vulnerability analysis, or for scans. This is not an authenticated scan.

Note: If you want to discover new assets, you can run an asset discovery scan. See Running an Asset Discovery for more information.

To run an asset group scan from Asset Groups

  1. Go to Environment > Asset Groups.
    • Next to the asset group name that you want to scan, click the icon, select Full Details, and then select Actions > Asset Group Scan.

      or

    • Next to the asset group name that you want to scan, click the icon and select Asset Group Scan to directly start the asset group scan.
  2. Select the scan profile that you want to run:

  3. Select Set Debug Mode if you want to log the results of the scan or if you have a problem with a scan.

    This option is disabled by default.

    Note: The Set Debug Mode option must be used only for debugging purposes because it needs a large amount of disk space for the file or files that it generates. Only AT&T Cybersecurity Technical Support should review these files. You can contact this department for more information.

  4. Click Scan.
  5. In the Asset Groups details page, click Scan History in the table area to display the results of the scan.

    You can see the status of each scan and the details. USM Anywhere also creates a system event named Asset Scanner Result with the same details.

Note: See Scheduling Asset Group Scans from Asset Groups and Scheduling Asset Groups Scans from the Job Scheduler Page for more information about how to schedule an asset group scan.

Running an Asset Discovery

Asset Discovery finds and provides you visibility into the assets (IP-addressable hosts, including but not limited to network devices, virtual servers, and physical servers) in your environments. You can discover all the IP-enabled devices on your network, determining what software and services are installed on them, how they are configured, and which active threats are being executed against them.

To run an asset discovery from Settings

  1. Go to Data Sources > Sensors to open the Sensors page.
  2. Click the sensor on which you want to run an asset discovery. (Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation.)
  3. Click the Asset Discovery tab to open the Asset Discovery window.
  4. Important: When you use a virtual private network (VPN) that uses a Cisco firewall, make sure that arp-proxy is enabled in the firewall. Otherwise, all the assets will be reported using the same media access control (MAC) address, and USM Anywhere will consider all of them to be different interfaces for the same asset. (A firewall is a virtual or physical device designed to defend against unauthorized access to data, resources, or a private network. Its primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them.)

  5. Click Yes to scan the network.

    This step may be different depending on the sensor you have installed.

    Note: In Amazon Web Services (AWS) Sensors, this option is not available because the instances are automatically set. (AWS is a suite of cloud computing services from Amazon that make up an on-demand platform giving users access to their computing resources.)

  6. Click Scan Another to start a new scan or click Next to continue with the following step.
  7. In the Asset Groups details page, click Scan History in the table area to display the results of the scan.

    You can see the status of each scan and the details. USM Anywhere also creates a system event named Asset Scanner Result with the same details.

  8. Important: If you run Asset Discovery in an environment that discovers assets using a native application (AWS, Google Cloud Platform [GCP], Microsoft Azure, VMware, etc.), or in a Dynamic Host Configuration Protocol (DHCP) network environment, then you could potentially duplicate assets in USM Anywhere. You can configure local DNS nameservers to prevent duplicate assets from being created and to update existing assets with the new and correct IP address. See Defining the DNS nameservers for more information.
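
The shared-MAC symptom described in the arp-proxy warning above can be checked for in any IP-to-MAC listing you can collect from the scanned segment. The following is an added example, not part of the USM Anywhere documentation or product: the two-column input format, the sample data, and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "IP MAC" pairs merged from several sources, so the MAC
# notation is mixed (colon, hyphen, Cisco dotted). Not real data.
SAMPLE_LISTING = """\
10.8.0.11 02:00:00:aa:10:01
10.8.0.12 02-00-00-AA-10-01
10.8.0.13 0200.00aa.1001
10.8.0.14 (incomplete)
192.168.1.20 52:54:00:12:34:56
192.168.1.1 ff:ff:ff:ff:ff:ff
192.168.1.255 ff:ff:ff:ff:ff:ff
"""

def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not one."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def shared_macs(listing, min_ips=2):
    """Map each unicast MAC seen with at least min_ips distinct IPs to those IPs."""
    by_mac = defaultdict(set)
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        mac = normalize_mac(fields[1])
        if mac is None:
            continue  # unresolved or malformed entry
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a host
        by_mac[mac].add(ip)
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in by_mac.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    # A hit is a prompt to review the firewall setting, not proof of a problem:
    # a multi-homed host also shows several IPs behind one MAC.
    for mac, ips in shared_macs(SAMPLE_LISTING).items():
        print(f"{mac} is shared by {len(ips)} addresses: {', '.join(ips)}")
```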