Applies to Product: USM Appliance™, LevelBlue OSSIM®
It is important for security practitioners to know what assets are connected on the company network and how the devices are configured.
In USM Appliance, an asset is a piece of equipment on the company's network that bears a unique IP address. An asset can be a server, a router, a firewall, a printer, a PC or any other network-enabled device.
An asset is monitored by at least one USM Appliance Sensor.
See Adding Assets or Asset Administration.
In USM Appliance, every asset or network has an asset value, ranging from 0 to 5, 0 being the least important and 5 the most important. To decide the asset value, the system first checks if a value has been manually assigned. If not, the system uses the asset value of the network the asset belongs to instead. If the network does not have an asset value either, USM Appliance assigns the asset the default value of 2. You can replace the default of 2 with any value from 0 to 5.
Important: Keep in mind that raising the value of an asset, which increases the risk of the events, will generate a larger number of false positive alarms, especially when you use the value of 5.
USM Appliance uses asset value to calculate event risk. USM Appliance calculates risk value for every event after it arrives at the USM Appliance Server. The system uses the following formula to calculate the risk:
Risk = (asset value ∗ event priority ∗ event reliability) / 25
Where:
- Asset value is from 0 to 5.
- Event priority is from 0 to 5.
- Event reliability is from 0 to 10.
Therefore, the risk value is from 0 to 10. Decimals are always rounded down. For example, if the asset value is 3, event priority is 3, and event reliability is 5, you will get 3 * 3 * 5 / 25 = 1.8. In this case, the risk for the event is 1.
In USM Appliance, any event with a risk value greater than or equal to 1 generates an alarm.
LevelBlue recommends that you do not change the asset value of the USM Appliance instance, because USM Appliance generates its own events, most of which are informational. Therefore, raising the value of this asset (which increases the risk of those events) will generate a larger number of false positive alarms.
Asset details can be updated by various services in USM Appliance. See the table below for a list of such services. You can also update assets manually by navigating to an asset and selecting Actions > Edit. Manual updates can be locked by going to the Edit Assets > Properties page. The update with the highest priority number takes precedence over the others, so an update created by a Vulnerability Scan (with a priority of 5) won't overwrite the updates made by an Active Asset Scan (with a priority of 7), but the Vulnerability Scan would overwrite a Passive Asset Scan because it has a lower priority of 4.
Service Name | Priority
---|---
Manual — Locked | 10
Availability Monitoring | 8
LDAP | 8
Active Asset Scan | 7
WMI | 7
Vulnerability Scan | 5
HIDS | 5
Passive Asset Scan | 4
Manual | 3
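The following is an added example, not LevelBlue's code: it models the asset-value precedence (manual, then network, then the default of 2), the risk formula with its round-down behaviour and the alarm threshold of 1, and the update-priority rule from the table above. The page does not say what happens when two updates share the same priority; treating an equal priority as allowed to overwrite is an assumption of this example.

```python
# Added example (not LevelBlue's code) modelling the asset rules described on this page.
from typing import Optional

DEFAULT_ASSET_VALUE = 2  # used when neither the asset nor its network has a value

# Priority of each service that can update asset details (from the table above).
UPDATE_PRIORITY = {
    "Manual - Locked": 10, "Availability Monitoring": 8, "LDAP": 8,
    "Active Asset Scan": 7, "WMI": 7, "Vulnerability Scan": 5,
    "HIDS": 5, "Passive Asset Scan": 4, "Manual": 3,
}

def resolve_asset_value(manual: Optional[int], network: Optional[int]) -> int:
    """Manual asset value first, then the network's value, then the default of 2."""
    for value in (manual, network):
        if value is not None:
            if not 0 <= value <= 5:
                raise ValueError("asset value must be between 0 and 5")
            return value
    return DEFAULT_ASSET_VALUE

def event_risk(asset_value: int, priority: int, reliability: int) -> int:
    """Risk = (asset value * event priority * event reliability) / 25, rounded down."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value and priority are 0-5, reliability is 0-10")
    return (asset_value * priority * reliability) // 25  # integer division floors the decimal

def raises_alarm(asset_value: int, priority: int, reliability: int) -> bool:
    """Any event with a risk value of 1 or more generates an alarm."""
    return event_risk(asset_value, priority, reliability) >= 1

def update_wins(existing_source: str, new_source: str) -> bool:
    """True when a new update may overwrite the existing one. The page only states
    that a higher priority wins; letting an equal priority overwrite is an assumption."""
    return UPDATE_PRIORITY[new_source] >= UPDATE_PRIORITY[existing_source]

if __name__ == "__main__":
    # Worked example from the text: 3 * 3 * 5 / 25 = 1.8, so the risk is 1
    print(event_risk(3, 3, 5))
    # The same low-priority event against an asset valued 5 versus the default of 2
    for value in (DEFAULT_ASSET_VALUE, 5):
        print(value, raises_alarm(value, priority=1, reliability=5))
    print(update_wins("Active Asset Scan", "Vulnerability Scan"))   # False
    print(update_wins("Passive Asset Scan", "Vulnerability Scan"))  # True
```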
USM Appliance uses External Assets to provide a way for you to create policies and correlation directives on assets that do not belong to you. For example, if a known malicious IP attacks your network, you can add it as an external asset, then create a policy to send out email alerts if this IP communicates to any devices on your network.
Note: Be aware that if you are using an asset-based license, external assets count toward your asset license limit.
When processing events, the correlation engine views external assets or networks as being outside your home network.
An asset group is an administratively created object that pools similar assets used for specific purposes. You can group assets based on IP addresses and networks monitored by USM Appliance. Grouping based on IP addresses allows for easier search and management of assets.
For example, you could group all network firewalls, or all servers running a particular operating system. Such groups are useful when performing various tasks, such as vulnerability assessment or asset discovery, or when you are interested only in events coming from specific devices.
You can group assets based on a number of attributes, including the following:
- Asset value
- Network
- Software running on the assets
- Sensor monitoring the assets
- Device type of asset
- Open port or services running on assets
- Location of assets
In USM Appliance, a network represents a configuration object that identifies the part of an organization's network that USM Appliance monitors. For example, you can select a network during asset discovery to find all the assets on that particular network.
By default, USM Appliance comes with three networks already specified:
- Pvt_192—192.168.0.0/16
- Pvt_172—172.16.0.0/12
- Pvt_010—10.0.0.0/8
Just like an asset group, a network group pools networks with similar properties for easy access and management.