Assets


Overview

Assets Overview

The DefenseStorm GRID uses data sent from all assets (devices) on your network and automatically adds them to the Assets page based on your settings and configurations. Because Assets was designed with your specific network setup in mind, there are different requirements for static, DHCP, or mixed networks. Most networks are considered mixed.

 

There are eight sortable columns (from left to right):

  1. Importance: Displays as either none, one, two, or three dots. Knowing the importance level of an asset helps our TRAC Team provide better monitoring by ensuring your critical systems are always attended. If you update the importance, open a connect ticket so custom triggers can be updated.
  2. Name: When you track your asset, the name entered displays here; this is searchable. If an asset has not been added, it displays as untracked.
  3. Heartbeat: Last time data was received from the asset. In order to receive heartbeat data, automatic asset detection must be enabled and an IP address must be listed.
    1. Grey: Never
    2. Green: Within the last 24 hours
    3. Yellow: Within the last 7 days, but not the last 24 hours
    4. Red: Within the last 30 days, but not the last 7 days
  4. Hostname: The hostname you give the asset; this is searchable. (Machine hostname and FQDN, DNS hostname and FQDN, Aliases and FQDN)
  5. IP Address: The IP address of the asset; this is searchable.
  6. MAC Address: The MAC address of the asset; this is searchable.
  7. Last Seen: This is updated when events are matched to the asset via IP address, MAC address, or hostname. Any untracked assets that have not been seen for 30 or more days are automatically deactivated. This allows the associated MAC and IP addresses to be available for future use.
  8. Events: Takes you to the Events page and only displays events for the selected asset.

Import

Importing your Asset List

Importing assets is typically done during the DefenseStorm on-boarding process, but it may also be necessary when infrastructure changes occur, such as upgrading hardware, routers, or switches. If your list of assets becomes unmanageable due to a high number of untracked assets, it is also best to re-import. The following matrix details what information is required, based on your network setup, for a successful asset import.


  1. Create an Excel file of all assets and the information from the matrix above
  2. Upload Excel list to the DefenseStorm GRID via the UI 
  3. Turn on auto discovery
  4. Clean up the list (make sure all information from your Excel sheet transferred)
  5. Additional configurations
    • Insert CIDR ranges = Static IP blocks  
      To ensure your CIDR range is accurate, you can use an online conversion chart such as IPADDRESSGUIDE.

Import Recommendations

While only a few fields are required to track an asset, we highly recommend filling in as many fields as possible to reduce the possibility of duplicate assets. Multiple IP and MAC addresses can be associated with a single asset via a comma-separated list, surrounded by quotes. If using Excel to export to CSV, the extra quotes are added automatically.

The following Asset fields are highly recommended, or required, depending on your network configuration:

  • Owner 
  • Asset Name
  • Asset Importance
  • Asset Tag
  • Asset Hostname

Only include the ID field if you are importing assets that have previously been exported. The ID number comes from the export and ensures that you are updating the existing asset as part of your import, rather than importing a new asset.

Known Limitations

If the import data contains mixed entries (some are only MAC addresses, and some only have IP addresses), null values must be manually inserted into the CSV, as these are read in pairs during import.

Example with three mixed entries:

(11.11.11.11, null)
(22.22.22.23, null)
(null, de:ad:be:ef)

IP address CSV field: “11.11.11.11,22.22.22.23,,”
MAC address CSV field: “,,de:ad:be:ef”

The following line can be used as the first line of a CSV file, then opened in an editor of your choice to continue inputting data.

Name,ID,Owner,Hostname,IP Address,MAC Address,Importance,Description,OS,Product Vendor,Product Name,Product Version,Server Purpose / Notes
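A pre-import check for the duplicate-asset problem described under Import Recommendations. This is an added example, not DefenseStorm code: it reads a CSV that uses the header line above and reports hostnames, IP addresses, or MAC addresses that appear on more than one row, plus IP values that do not parse. The sample rows are constructed, and treating empty slots and a literal "null" as padding is an assumption.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Header line from this page; the four rows below are constructed sample data.
SAMPLE_CSV = """Name,ID,Owner,Hostname,IP Address,MAC Address,Importance,Description,OS,Product Vendor,Product Name,Product Version,Server Purpose / Notes
core-fw,,NetOps,core-fw,"10.0.0.1,10.0.1.1","00:11:22:33:44:55,00:11:22:33:44:56",,,,,,,
bob-laptop,,Bob,bob-lt,10.0.5.20,aa:bb:cc:dd:ee:01,,,,,,,
bob-laptop-wifi,,Bob,BOB-LT,10.0.5.21,AA-BB-CC-DD-EE-01,,,,,,,
printer,,Facilities,prn1,10.0.5.300,aa:bb:cc:dd:ee:02,,,,,,,
"""


def split_multi(cell):
    """Split a multi-value cell; empty slots and a literal 'null' are padding (assumption)."""
    parts = (p.strip() for p in (cell or "").split(","))
    return [p for p in parts if p and p.lower() != "null"]


def audit(csv_text):
    """Return (shared, bad_ips): identifiers used by several rows, and unparsable IPs."""
    seen = defaultdict(set)  # (kind, normalized value) -> names of the rows using it
    bad_ips = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name"]
        host = (row["Hostname"] or "").strip().lower()
        if host:
            seen[("hostname", host)].add(name)
        for ip in split_multi(row["IP Address"]):
            try:
                seen[("ip", str(ipaddress.ip_address(ip)))].add(name)
            except ValueError:
                bad_ips.append((name, ip))
        for mac in split_multi(row["MAC Address"]):
            # Normalize case and separator so AA-BB-.. matches aa:bb:..
            seen[("mac", mac.lower().replace("-", ":"))].add(name)
    shared = {key: sorted(names) for key, names in seen.items() if len(names) > 1}
    return shared, bad_ips


if __name__ == "__main__":
    shared, bad_ips = audit(SAMPLE_CSV)
    for (kind, value), names in shared.items():
        print(f"shared {kind} {value}: {', '.join(names)}")
    for name, ip in bad_ips:
        print(f"invalid IP on {name}: {ip}")
```

Rows that share an identifier are candidates for combining into one asset with a multi-value IP or MAC field before upload.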


Untracked assets

Managing Untracked assets

An untracked asset is one that either has not been listed as tracked or, for Windows machines, does not have the Windows Agent running, but is still sending data through the DVM.

*As a best practice, an organization should regularly review its untracked assets.*

You have three options with an untracked asset:

  • Merge into existing asset: This option is good for employees that have more than one asset sending data to the UI or if an asset has multiple interfaces like WiFi and Ethernet. For example, Bob has a laptop, desktop, and a mobile device.
  • Track this asset: Make your asset official. Give the asset a name, IP, hostname, and all other known information.
  • Create incident from this asset: When a suspicious asset displays on your console, create an incident for the TRAC Team to investigate.

To Track an Asset

An asset must be tracked before any changes or updates can be made. Complete the following steps to track your untracked asset.

  1. Click the dropdown arrow to the right of the Name and then select Track This Asset.
  2. The Add Tracked Asset window displays. Add as much information as possible.
  3. After an asset has been added, click on the asset name to display the Asset Details window where you can view, edit, and delete the asset.

CIDR

CIDR: Auto-detecting Untracked Assets

Including a CIDR range when adding assets lets us know which IP addresses we should expect to see on your network. If you aren't sure what an applicable CIDR range would be, you can use an online converter such as IPADDRESSGUIDE. By default, we auto-detect assets from events with hostnames or with MAC addresses. If we receive a DHCP event that links an IP address to a MAC address, we create an untracked asset with both.

If we receive an event that has an IP address, but no MAC address, we will not auto-detect that asset unless the IP falls within an “Included CIDR Range” that has been configured on the Assets page.

To configure the "Included CIDR Range" 


  1. Click the Asset Settings button located at the top right corner of the Assets page.
  2. Set the Asset Auto-Detection field to 'on' 
  3. Set the Included and/or Excluded CIDR Range fields based on your network
  4. Click 'Add' to save the CIDR range(s).
  5. Click 'Save' to apply all changes to Asset Settings. This auto-detects assets from events coming in from those IP addresses and marks each one as an "untracked" asset. Later, you can manage the untracked assets based on your needs.
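The auto-detection rules in this section, modeled as an added example (not DefenseStorm code) so you can test a planned Included/Excluded configuration against sample events before saving it. The ranges and events are constructed, the function names are hypothetical, and treating an Excluded range as taking precedence over an Included one is an assumption.

```python
import ipaddress


def check_ranges(cidrs):
    """Return one message per CIDR string that is not a clean network address."""
    problems = []
    for cidr in cidrs:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.9.20/24
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
    return problems


def would_autodetect(event, included, excluded=()):
    """Apply the rules described above to one event (dict with optional hostname/mac/ip)."""
    if event.get("hostname") or event.get("mac"):
        return True  # events with a hostname or MAC address are detected by default
    if not event.get("ip"):
        return False

    addr = ipaddress.ip_address(event["ip"])

    def inside(ranges):
        return any(addr in ipaddress.ip_network(c, strict=False) for c in ranges)

    # Assumption: an Excluded range wins over an Included range.
    return inside(included) and not inside(excluded)


# Constructed sample configuration and events.
INCLUDED = ["10.0.5.0/24", "10.0.9.20/24"]
EXCLUDED = ["10.0.5.128/25"]
EVENTS = [
    {"ip": "10.0.5.20"},                                 # static block, included
    {"ip": "10.0.5.200"},                                # falls in the excluded half
    {"ip": "192.168.1.7"},                               # IP-only, outside every range
    {"ip": "192.168.1.8", "mac": "aa:bb:cc:dd:ee:01"},   # MAC present
    {"hostname": "bob-lt"},                              # hostname present
]


def missed(events=EVENTS, included=INCLUDED, excluded=EXCLUDED):
    """IP-only events that would not create an untracked asset."""
    return [e["ip"] for e in events if not would_autodetect(e, included, excluded)]


if __name__ == "__main__":
    print("range problems:", check_ranges(INCLUDED + EXCLUDED))
    print("not auto-detected:", missed())
```

Any address returned by `missed()` belongs to a device that never appears on the Assets page unless it also sends events carrying a hostname or MAC address.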

Asset Management

Managing your Asset List

After the initial upload of your assets, there are a few best practices to keep your asset list tidy and up to date.

High number of untracked assets

  1. Upload your updated Asset list to the console as described earlier in this article. This allows your console to receive a fresh start and gives you a strong foundation for future asset management.
  2. Consider adding a classifier that excludes assets that are not relevant, such as a guest WiFi network or a test network.

Regular Asset Maintenance

The following steps are best performed on a weekly basis to ensure your asset list is up to date and maintained for optimum efficiency. 

  1. Ensure your CIDR range is accurate. (Assets > Settings)
  2. Verify there are no untracked assets. (Search via Untracked, and see that none display.)
  3. If you do see untracked assets, investigate each one and determine whether it needs to be merged into an existing asset, added as a new tracked asset, or referred to the TRAC Team.
  4. If it is a duplicate asset, select to merge the asset.
  5. If it is a new asset that has been added to the network since your initial upload, select to track this asset.
  6. If it needs investigation,
    • Select Create Incident from this Asset, and fill it out as such:
      • Title: Unknown Asset
      • Owner: TRAC 
      • Severity: Low
      • Description: What steps you have already taken to figure out what the asset could be, along with your conclusion.

CSV Export

Creating a Filtered CSV Export of Assets

This gives you the ability to filter down your assets to a useful and manageable list to be exported, saved, formatted, and used for reporting.

  1. Select Assets in the left navigation.
  2. Filter your assets as desired by using Tracked status, Importance, Filter by Tag, or Searching options.
  3. Select the cloud icon to generate a CSV of the filtered assets.
  4. Save as an Excel sheet and format as desired.