Creating Vulnerability Scan Jobs

Applies to Product: USM Appliance™, LevelBlue OSSIM®

By default, USM Appliance runs vulnerability scan jobs without any authentication. Unauthenticated scans are less thorough and are most appropriate when you want a bird's-eye overview of your assets.

Note: Before scanning a public network space, see Addendum Notice Regarding Scanning Leased or Public Address Space.

Important: A threat intelligence update will not finish while any vulnerability scan is running, because the update needs to refresh the vulnerability threat database used by the scan.

To create a new vulnerability scan job

  1. Go to Environment > Vulnerabilities > Scan Jobs.
  2. Click New Scan Job.

    Create Scan Job dialog box.

  3. Identify the scan job by typing a name in the Job Name field.
  4. Select a sensor from the Select Sensor list.

    Important: You can only run up to 5 concurrent scans per USM Appliance Sensor.

  5. Select a profile from the Profile list, or create your own scan profile. See Vulnerability Scan Profiles for descriptions.
  6. In Schedule Method, do one of the following:

    • To launch the scan without any delay, keep the default value as "Immediately".
    • To schedule the job to run at a different time, make a selection based on the table below.

      USM Appliance vulnerability scan schedules

      Schedule Method       | Description
      Immediately           | Launch the scan job without any delay.
      Run Once              | Run scan once at the specified date and time.
      Daily                 | Run scan every x days at the specified time beginning on the specified day.
      Day of the Week       | Run scan on the specified day and time of the week.
      Day of the Month      | Run scan on the specified day and time of the month.
      Nth week of the month | Run scan on the specified day and time on the Nth week of the month. A week starts on the first day of the month and lasts 7 days.

  7. (Optional) Click Advanced.

    • For authenticated scans, choose SSH Credential (UNIX/Linux) or SMB Credential (Windows), depending on the operating system of your hosts.

      Note: Skip this step for unauthenticated scans. You need to create the credentials first. For assistance, see Creating Credentials for Vulnerability Scans.

    • Specify the maximum time (in seconds) that the scan should run.

      In USM Appliance version 5.2 and earlier, the default is 28,800 seconds (8 hours).

      In USM Appliance version 5.3 and later, the default is 57,600 seconds (16 hours).

    • To send an email notification after the scan finishes, select Yes, and then select User or Entity as the email recipient.

      Important: Be aware of the following when making the selection:

      • Admins can view all scans.
      • If you are not an admin and you assign the scan to a different user, you can't view this scan yourself.
      • If you are an admin and you don't assign the scan to any user or entity, all non-admin users can't view this scan.
      • If you are an admin and you assign this scan to a non-admin user, both you and the non-admin user can view this scan, but other non-admin users can't.
      • If you assign the scan to an entity, all users who belong to the entity can view the scan.

      See USM Appliance User Accounts for the definition of different user roles.

  8. (Optional, available in USM Appliance version 5.3.2 and later) Specify the port numbers you do not want to scan in Exclude Ports. Use commas to separate the port numbers, with no spaces between them. For example, "1,33,555,26-30,44".

    Note: Using this option slows down the scan because USM Appliance performs additional tasks to exclude the ports you specify.

  9. From the asset structure towards the right, select assets, asset groups, or networks to perform the vulnerability scan.

    Important: Starting from USM Appliance version 5.3, any scan covering more than 3500 hosts is split into multiple scan jobs automatically. For example, if you scan a /16 network that contains 65,536 hosts, the result is 19 jobs (65,536 / 3500, rounded up). Each USM Appliance Sensor can run up to 5 jobs simultaneously. You will see 19 reports after the scan has completed.

  10. Alternatively, start typing the IP address and USM Appliance fills in the rest as you type. If you want to exclude a specific IP address, prefix your selection with an exclamation mark ("!"), which means do not scan that IP address.

    Example:

    !192.168.2.200

  11. (Optional) To speed up the scanning process, click Only scan hosts that are alive.
  12. (Optional) If you do not want to pre-scan from a remote sensor, click Pre-Scan locally.
  13. (Optional) If you do not want to resolve hostnames or FQDNs, click Do not resolve names.
  14. To create the vulnerability scan, click Save.
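
A pre-flight check for the values entered in steps 8 to 10, as an added example that is not part of USM Appliance or its documentation: it validates an Exclude Ports string and estimates how a target list will be split into jobs. The function names, the 1-65535 port bounds, and the "rounds" estimate (jobs running in full batches of 5 on one sensor) are assumptions made for illustration.

```python
import ipaddress
import math
import re

MAX_HOSTS_PER_JOB = 3500       # split threshold stated on this page (v5.3+)
MAX_CONCURRENT_PER_SENSOR = 5  # concurrent-scan limit stated on this page
_PORT_ITEM = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")


def parse_exclude_ports(value):
    """Validate an Exclude Ports string such as "1,33,555,26-30,44".

    Returns a list of (low, high) tuples; raises ValueError on bad input.
    """
    if re.search(r"\s", value):
        raise ValueError("spaces are not allowed between port numbers")
    ranges = []
    for item in value.split(","):
        m = _PORT_ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"not a port or port range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        # Assumption: valid ports are 1-65535 and a range must ascend.
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append((low, high))
    return ranges


def plan_scan(targets):
    """Estimate the job split for targets like ["10.0.0.0/16", "!10.0.2.200"]."""
    included, excluded = [], []
    for t in targets:
        if t.startswith("!"):  # "!" prefix means: do not scan this IP address
            excluded.append(ipaddress.ip_address(t[1:]))
        else:
            included.append(ipaddress.ip_network(t, strict=False))
    # An exclusion that matches nothing in this target list is likely a typo.
    stray = [str(ip) for ip in excluded
             if not any(ip in net for net in included)]
    # Host count follows the page's arithmetic (a /16 counts as 65,536 hosts);
    # exclusions are not subtracted and overlapping networks are not merged.
    hosts = sum(net.num_addresses for net in included)
    jobs = math.ceil(hosts / MAX_HOSTS_PER_JOB)
    return {"hosts": hosts, "jobs": jobs,
            "rounds": math.ceil(jobs / MAX_CONCURRENT_PER_SENSOR),
            "stray_exclusions": stray}
```

For the /16 example in step 9 this reports 19 jobs, which a single sensor needs at least 4 rounds to work through.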