USM Anywhere™

USM Anywhere Scans Best Practices

USM Anywhere provides several kinds of scans that can be done in different ways. This page gives you clearer information about scans, types of scans, the specific ways of doing a scan, the right order for doing scans and avoid asset duplicity, and so on. See USM Anywhere Scheduler Best Practices for more information.

Discovery Methods

The following table shows the types of scans that you can run using USM Anywhere.

Types of Scans in USM Anywhere
Types of Scans Information Collected From Where You Can Do It Sensors References
Active directory (AD) Inventory Information
  • Setup Wizard during your sensor's deployment
  • At any time from the sensor details page
  • Job Scheduler page
Microsoft Azure, Microsoft Hyper-V, and VMware Completing the Azure Sensor Setup, Completing the Hyper-V Sensor Setup, and Completing the VMware Sensor Setup
Asset discovery Discovers assets in your environment, detects changes in assets, and discovers malicious assets in the network
  • Setup Wizard
  • Adding new assets both in a quick and in an advanced way
  • Job Scheduler page
All Completing the Hyper-V Sensor Setup, Completing the VMware Sensor Setup, Adding Assets
Asset group scans Assets
  • Asset groups
  • Job Scheduler page
All Running Asset Groups Scans
Asset scans Assets
  • Assets
  • Job Scheduler page
All Running Asset Scans
Authenticated asset group scans Assets
  • Asset Groups
  • Job Scheduler page
All Running Authenticated Asset Groups Scans
Authenticated asset scans Assets
  • Assets
  • Job Scheduler page
All Running Authenticated Asset Scans
Log collection scans Log files from an external data source Job Scheduler page: log collection jobs are initially preset at installation and can't be modified by a user All USM Anywhere Scheduler
Scheduled AD scan jobs Inventory Information Job Scheduler page Microsoft Azure, Microsoft Hyper-V, and VMware Running Active Directory Scans
Scheduled API scans Assets Job Scheduler page GCP, Microsoft Azure, Microsoft Hyper-V, and VMware USM Anywhere Scheduler
Scheduled asset scans Assets Job Scheduler page All Scheduling Asset Scans from the Job Scheduler Page
Scheduled asset group scans Assets Job Scheduler page All Scheduling Asset Groups Scans from the Job Scheduler Page
Scheduled Authenticated Asset Scans Assets Job Scheduler page All Scheduling Asset Scans from the Job Scheduler Page
Scheduled authenticated asset group scans Assets Job Scheduler page All Scheduling Asset Groups Scans from the Job Scheduler Page
User scans Scheduled user behavior monitoring scan jobs Job Scheduler Page All Scheduling User Discovery Jobs from the Job Scheduler Page

Performance Issues Associated with Scans

When running a scan, keep the following in mind:

  • Run API scans first to avoid duplicates and discover the most assets in your environment, and then run asset discovery/asset (group) scans with the Asset Scanner to update the asset. When an asset is discovered through a network scan, and then that asset is discovered through an APIs method, the asset will be duplicated.
  • After deploying an agent, link it to existing assets.
  • When an AD scan discovers an asset, any asset discovery/asset (group) scan updates the existing asset created by the AD scan.
  • Assets discovered by API methods contain far more information than assets discovered by network scans and greatly reduce the risk of having duplicate assets. For example, assets discovered by API methods can include information such as the asset state (powered on, powered off, terminated, and so on), the resources allocated to the asset, or the asset operating system.
  • If multiple API methods return the same assets, then use only the method that provides the most assets to prevent duplicate assets. The other API methods can be disabled in the Job Scheduler page. See USM Anywhere Scheduler for more information.
  • The following table gives you information about the use of some scan types over other:
  • Scans Differences
    Discovery Type AD Scan VMware Scan AWS Scan Azure Scan GCP Scan Agent Network Scan Manually Created
    API Yes Yes Yes Yes Yes No No No
    Asset OS Yes Yes Yes Yes Yes Yes Depends on information gathered No
    Host resources Yes Yes Yes Yes Yes No No No
    Asset info updates Yes Yes Yes Yes Yes Yes Depends on information gathered Depends on information gathered
    Asset state No Yes Yes Yes Yes No only agent state No No