The Assets page automatically displays all assets sending data to the DefenseStorm GRID via IP address, MAC address, and hostnames. If an asset displays as untracked, the Windows Agent has not been installed, and it must be manually listed as tracked. For best results, track/merge or investigate all untracked assets.
Setup, Configuration, and Importation of Assets
Importing your assets is typically done during the DefenseStorm on-boarding process, but there are several other instances where it may be necessary. For example, infrastructure changes such as upgrading hardware, routers, or switches may create the need to import your asset list. If your list of assets becomes unmanageable due to a high number of untracked assets, it may also be best to re-import.
The Assets portion of DefenseStorm GRID was designed to work with your specific network setup. With that in mind, there are different requirements for static, DHCP, or mixed networks. Most networks are considered mixed.
- If your network uses DHCP, DHCP logs should be forwarded to GRID.
- Hostnames include:
  - Machine hostname and FQDN
  - DNS hostname and FQDN
  - Aliases and FQDN
Importing your Asset List
1. Create an Excel file with all assets on your network
   - Mixed Network = Hostnames, IP address, (MAC address required for DHCP host)
   - Static Network = IP, Hostnames, optional MAC address
   - DHCP Network = Hostnames and MAC address
2. Upload Excel list into the DefenseStorm GRID via the UI
3. Turn on auto discovery
4. Clean up the list by making sure all information from step 1 is there for each asset.
5. Additional configurations
   - Insert CIDR ranges for static IP blocks
   - Enable detect Bare MAC Addresses - Only select this option if you are tracking every single MAC address. If you select this option and not all MAC addresses are properly listed, it creates untracked assets for new MAC addresses seen which may result in duplicate assets.
While only a few fields are required to track an asset, we highly recommend answering as many fields as possible to reduce the possibility for duplicate assets. Multiple IP and MAC addresses can be associated with a single asset via a comma-separated list, surrounded by quotes. If using Excel to export to CSV, the extra quotes are added automatically.
The following Asset fields are highly recommended, or required, depending on your network configuration:
- Owner - Always required
- Asset Name
- Asset Importance
- Asset Tag
- Asset Hostname
Only include the ID field if you are importing assets that have previously been exported. The id number is from the export to ensure you are updating the existing asset as part of your import, rather than importing a new asset.
If the import data contains mixed entries (some are only MAC addresses, and some only have IP addresses), null values must be manually inserted into the CSV, as these are read in pairs during import.
Example with three mixed entries:
IP address CSV field: "126.96.36.199,188.8.131.52,,"
MAC address CSV field: ",,de:ad:be:ef"
Use the following line as the first line of a CSV file, then open the file in an editor of your choice to continue entering data. (Note: the row spans multiple lines in this document.)
Name,ID,Owner,Hostname,IP Address,MAC Address,Importance,Description,OS,Product Vendor,Product Name,Product Version,Server Purpose / Notes
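The pairing rule described above can be checked before upload. The following is an added example, not DefenseStorm code: it builds the IP and MAC cells from a list of interfaces so that both cells keep the same number of slots, and writes rows under the header from this page. The `interfaces` key, the function names, and the sample asset are assumptions made for illustration.

```python
import csv
import io

# Header row exactly as given on this page.
HEADER = ("Name,ID,Owner,Hostname,IP Address,MAC Address,Importance,Description,"
          "OS,Product Vendor,Product Name,Product Version,Server Purpose / Notes").split(",")

# Constructed sample asset; addresses come from documentation-reserved ranges.
SAMPLE = [{"Name": "web01", "Owner": "IT Ops", "Hostname": "web01.example.com",
           "interfaces": [("192.0.2.10", None), ("192.0.2.11", None),
                          (None, "00:00:5e:00:53:01")]}]


def paired_fields(interfaces):
    """Build aligned IP and MAC cells; a missing value becomes an empty slot."""
    ips = ",".join(ip or "" for ip, _ in interfaces)
    macs = ",".join(mac or "" for _, mac in interfaces)
    return ips, macs


def check_row(row):
    """Return the problems found in one import row (dict keyed by HEADER)."""
    problems = []
    if not row.get("Owner"):
        problems.append("Owner is required")
    ips = row.get("IP Address", "").split(",")
    macs = row.get("MAC Address", "").split(",")
    if len(ips) != len(macs):
        problems.append(f"{len(ips)} IP slots vs {len(macs)} MAC slots")
    return problems


def build_csv(assets):
    """Render assets as import CSV text; the csv module adds the cell quotes."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, restval="", lineterminator="\n")
    writer.writeheader()
    for asset in assets:
        row = {k: v for k, v in asset.items() if k != "interfaces"}
        row["IP Address"], row["MAC Address"] = paired_fields(asset["interfaces"])
        problems = check_row(row)
        if problems:
            raise ValueError(f"{asset.get('Name')}: {'; '.join(problems)}")
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(build_csv(SAMPLE), end="")
```

`check_row` can also be run over the rows of an existing export (read with `csv.DictReader`) to find cells whose slot counts have drifted apart.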
Organization of the Assets Page
After you have uploaded and ensured all assets are tracked, use the information in this section to keep an up-to-date record of your assets and their activity.
There are eight sortable columns (from left to right):
- Importance: Displays as either none, one, two, or three dots. Knowing the importance level of an asset helps our TRAC Team provide better monitoring by ensuring your critical systems are always attended. If you update the importance, open a connect ticket so custom triggers can be updated.
- Name: When you track your asset, the name entered displays here; this is searchable. If an asset has not been added, it displays as untracked.
- Heartbeat: Last time data was received from the asset. In order to receive heartbeat data, automatic asset detection must be enabled and an IP address must be listed.
  - Grey: Never
  - Green: Within the last 24 hours
  - Yellow: Within the last 7 days, but not the last 24 hours
  - Red: Within the last 30 days, but not the last 7
- Hostname: The hostname you give the asset; this is searchable.
- IP Address: The IP address of the asset; this is searchable.
- MAC Address: The MAC address of the asset; this is searchable.
- Last Seen: This is updated when events are matched to the asset via IP address, MAC address, or hostname. Any untracked assets that have not been seen for 30 or more days are automatically deactivated. This allows the associated MAC and IP addresses to be available for future use.
- Events: Takes you to the Events page and only displays events for the selected asset.
In addition to the ability to sort columns, you have several other options when organizing your assets.
- Asset Settings: Change the number of assets per page, disable auto-detection, and include/exclude CIDR ranges.
- Trashcan: Bulk deletion of depreciated or invalid assets.
- Cloud Download: CSV export of selected assets.
- Cloud Upload: Upload your assets to the UI via CSV file.
- Plus: Add a new asset.
Managing Untracked Assets
An untracked asset means the asset does not have the Windows Agent running, but is still sending data. You have three options with an Untracked Asset:
- Merge into existing asset: This option is good for employees that have more than one asset sending data to the UI or if an asset has multiple interfaces like WiFi and Ethernet. For example, Bob has a laptop, desktop, and a mobile device.
- Track this asset: Make your asset official. Give the asset a name, IP, hostname, and all other known information.
- Create incident from this asset: When an unknown asset displays on your console, create an incident for the TRAC Team to investigate.
To Track an Asset
An asset must be tracked before any changes or updates can be made. Complete the following steps to track your untracked asset.
- Click the dropdown arrow to the right of the Name and then select Track This Asset.
- The Add Tracked Asset window displays. Add as much information as possible.
- After an asset has been added, click on the asset name to display the Asset Details window where you can view, edit, and delete the asset.
CIDR Auto-detecting Untracked Assets
By default, we auto-detect assets from events with hostnames or with MAC addresses. If we receive a DHCP event that links an IP address to a MAC address, we create an untracked asset with both.
If we receive an event that has an IP address, but no MAC address, we will not auto-detect that asset unless the IP falls within an "Included CIDR Range" that has been configured on the Assets page.
To configure the "Included CIDR Range"
- Click the Asset Settings button located at the top right corner of the Assets page.
- Set the Asset Auto-Detection field to 'on'.
- Include the IP addresses in the "Included CIDR Range" field.
- Click 'Add' and 'Save' to apply the changes.
This auto-detects assets from the events coming in from those IP addresses and marks them as "untracked" assets. Later, you can manage the untracked assets based on your needs.
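To see which senders a given "Included CIDR Range" setting would leave out, the rules above can be modelled offline. This is an added example, not DefenseStorm code: the event keys (`hostname`, `ip`, `mac`, `dhcp`), the reason labels, and the sample events are assumptions, and the logic is only a restatement of the rules in this section.

```python
import ipaddress

# Constructed sample events; the dict keys are hypothetical, not GRID's schema.
EVENTS = [
    {"hostname": "ws-014"},
    {"dhcp": True, "ip": "10.20.0.57", "mac": "00:00:5e:00:53:0a"},
    {"ip": "10.10.5.4"},
    {"ip": "172.16.9.9"},
    {"ip": "2001:db8::15"},
]
INCLUDED = ["10.10.0.0/16"]  # assumed "Included CIDR Range" entries


def detection_reason(event, included_cidrs, auto_detection=True):
    """Return why an event would create an untracked asset, or None if it would not."""
    if not auto_detection:
        return None
    ip, mac = event.get("ip"), event.get("mac")
    if event.get("dhcp") and ip and mac:
        return "dhcp-ip-and-mac"        # asset is created with both addresses
    if event.get("hostname") or mac:
        return "hostname-or-mac"        # default auto-detection
    if ip:
        addr = ipaddress.ip_address(ip)
        nets = (ipaddress.ip_network(c, strict=False) for c in included_cidrs)
        if any(addr in net for net in nets):  # IPv4/IPv6 mismatch is simply False
            return "included-cidr"
    return None


def undetected_ips(events, included_cidrs):
    """IP-only senders that would never appear as untracked assets."""
    return sorted({e["ip"] for e in events
                   if e.get("ip") and detection_reason(e, included_cidrs) is None})


if __name__ == "__main__":
    for e in EVENTS:
        print(e, "->", detection_reason(e, INCLUDED))
    print("not auto-detected:", undetected_ips(EVENTS, INCLUDED))
```

Addresses returned by `undetected_ips` are the ones to review when deciding whether a static block is missing from the included ranges.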
Managing your Asset List
After the initial upload of your assets, there are a few best practices to keep your asset list tidy and up to date.
High number of untracked assets
- Upload your updated Asset list to the console as described earlier in this article. This allows your console to receive a fresh start and gives you a strong foundation for future asset management.
- Consider adding a classifier that excludes assets that are not relevant, such as a guest WiFi network or a test network.
Regular Asset Maintenance
- Each week, verify there are no untracked assets. Search via Untracked, and see that none display.
- If you do see untracked assets, investigate and determine whether each one needs to be merged into an existing asset, added as a new tracked asset, or needs TRAC Team attention.
  - If it is a duplicate asset, select to merge the asset.
  - If it is a new asset that has been added to the network since your initial upload, select to track this asset.
  - If it needs investigation, select Create Incident from this Asset, and fill it out as such:
    - Title: Unknown Asset
    - Owner: TRAC
    - Severity: Low
    - Description: What steps you have already taken to figure out what the asset could be, along with your conclusion.
Creating a Filtered CSV Export of Assets
This gives you the ability to filter down your assets to a useful and manageable list to be exported, saved, formatted, and used for reporting.
- Select Assets in the left navigation.
- Filter your assets as desired by using Tracked status, Importance, Filter by Tag, or Searching options.
- Select the cloud icon to generate a CSV of the filtered assets.
- Save as an Excel sheet and format as desired.