Chapter 10: Managing Assets
Managing Assets
Pulse can review discovered assets and create a baseline list of known hosts throughout your organization.
The Assets tab of the Pulse web application shows information about all discovered wired assets, wireless access points, wireless clients, and Bluetooth devices.
You can filter the list of assets either by using the search bar at the top of the page or by selecting attributes in the left-hand toolbar.
Asset Names & Trust Levels
For more detail on managing Asset Names & Trust Levels, see Chapter 06: Creating an Asset Baseline.
Asset Names
When the PwnScan service discovers assets, Pulse automatically displays their host names or SMB Names where available. ‘Friendly Names’ can be added as well.
Trust Levels
Assets can have one of the following trust levels:
- Unknown
- Known Good
- Suspicious
- Known Bad
- Acceptable
Each new asset that a Pulse sensor detects is automatically tagged as Unknown.
You can use Trust levels as follows:
- Manually update trust levels through the Asset list view.
- Leverage trust levels in rules you define for custom alerts.
- Manually tag known assets as Known Good.
- If your organization uses an asset management system, use the Pulse API to automate the tagging process.
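One way to prepare the automated tagging described above, as an added example that is not Pulse's own code: it reconciles an asset-management export against a Pulse asset CSV export and produces the trust-level changes to submit. The column names and sample rows are constructed assumptions, and the Pulse API call itself is left out because this chapter does not document it.

```python
import csv
import io
import re

# Constructed sample of an exported asset list; the column names are assumptions,
# not the documented Pulse export schema.
PULSE_EXPORT = """mac_address,hostname,trust_level
00:1A:2B:3C:4D:5E,fileserver01,Unknown
00-1a-2b-3c-4d-5f,printer-lobby,Unknown
001a.2b3c.4d60,,Unknown
00:1A:2B:3C:4D:61,old-kiosk,Known Bad
"""

# Constructed sample of an asset-management (CMDB) export; columns are assumptions.
CMDB_EXPORT = """mac,owner
001A2B3C4D5E,IT Ops
00:1a:2b:3c:4d:5f,Facilities
00:1A:2B:3C:4D:61,Retail
"""

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def plan_trust_updates(pulse_csv, cmdb_csv):
    """Return (updates, review): assets to tag Known Good, and assets left to an analyst."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(cmdb_csv)):
        mac = normalize_mac(row["mac"])
        if mac:
            inventory[mac] = row["owner"]
    updates, review = [], []
    for row in csv.DictReader(io.StringIO(pulse_csv)):
        mac = normalize_mac(row["mac_address"])
        current = row["trust_level"]
        if mac in inventory and current == "Unknown":
            updates.append({"mac": mac, "trust_level": "Known Good", "owner": inventory[mac]})
        elif mac in inventory:
            # Inventory match, but a level was already set by hand: never overwrite it.
            review.append({"mac": mac, "reason": f"in inventory but tagged {current}"})
        elif current == "Unknown":
            review.append({"mac": mac or row["mac_address"], "reason": "not in inventory"})
    return updates, review

if __name__ == "__main__":
    updates, review = plan_trust_updates(PULSE_EXPORT, CMDB_EXPORT)
    print("tag as Known Good:", updates)
    print("needs analyst review:", review)
```

Only assets still tagged Unknown are promoted; an inventory match on an asset already marked Known Bad or Suspicious is routed to review rather than overwritten.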
Wired Assets
All devices discovered on the LAN by either the PwnScan service or scheduled network scanning tasks have a unique record created within the Network Hosts view on the Assets tab. Once an asset is discovered, each change to that device (IP address change, new port opened, vulnerability detected, and so on) is automatically associated and annotated on that particular asset record.
The Network Hosts view shows an overview of all assets currently online. The asset list includes a high-level view of attributes related to the asset. Click an asset to display a detailed device dashboard that lists all gathered information.
The asset list can be filtered by:
- Vulnerability Level – High, Medium, or Low
- Operating System – for example, Windows, Linux
- Ports – for example, 22, 445, 1337
- Vendor – for example, Apple, IBM, Linksys
- Threats – for example, Wireless-to-Wired Bridge
- Trust Level – Known Good, Unknown, Suspicious, Known Bad
- Discovered on – Date
- Services – for example, Active Directory, Remote Desktop Applications, Web Services
- Status – Online or Offline
Wired Asset Records
Each detected asset record contains detailed information on the device. Clicking on an asset record opens a pop-up containing the current and historical information for that device.
Depending on the record type, each record displays:
- Asset information – MAC address, IP address, Hostname, Vendor, OS Family/Version
- Alerts, Threats, and Vulnerabilities detected
- Timeline of changes
- Open ports and enumerated services
The Timeline of Changes provides a visual representation of how this asset has changed. You can zoom to view different time scales, and each data point is clickable, displaying either what was detected or what has changed. You can also click the small filter icon to filter the timeline for certain types of changes.
The Alerts list includes a summary of all alerts associated with this device.
By default, the Open Port and Vulnerability Count graph shows a 24-hour view of detected open ports/services, vulnerabilities, and associated changes. Data points are set at hourly increments, which you can view by hovering your mouse over the graph. Click on a data point to redraw the Open Port and Vulnerabilities section to match that particular hour.
Wireless Access Points
Pulse discovers all Wi-Fi access points within range of connected sensors. This includes corporate-owned, guest, and neighboring access points. Pulse also sees all device connections observed to those access points.
The Wireless Access Point section, available from the Assets tab, lists all discovered access points.
Each wireless access point record displays these details:
- Current wireless network name (ESSID)
- Corporate Status (corporate, non-corporate, guest)
- BSSID (wireless MAC address)
- Encryption
- The mode in which it operates (Ad-Hoc or Infrastructure)
- How many wireless clients are currently associated
- The associated sensor
- Any detected threats
Wireless access point assets can be further filtered by the following:
- Encryption – such as WPA+TKIP, WPA+AES-CCM, WEP, OPEN
- Type – such as Ad-Hoc, Infrastructure
- Corporate Status – corporate, non-corporate, guest
- Sensor or Group
- Channel – such as 2, 11, 52, 64
- Status – Online or Offline
- Threats
Wireless Access Point Asset Records
Each detected asset record contains detailed information on the device. Clicking on an asset record opens a pop-up containing the current and historical information for that device.
Pulse also tracks the changes to each access point. The Timeline of Changes feature allows constant auditing of any wireless network and alerting on changes in posture. Each wireless client that connects to the AP appears in the Wireless Client Connection History graph.
By default, the graph shows the last 24 hours of wireless client associations. Clicking the day, week, month, or all zoom options expands the scope of the graph. Each data point can be clicked, which updates the Clients Connection sections below to reflect the connected clients at that time.
Wireless Clients
The Wireless Clients section, available through the Assets tab, shows all detected devices that have Wi-Fi enabled, regardless of whether they are currently connected to a wireless network. Each wireless client record displays the MAC Address and associated Vendor, the Corporate Status, the ESSID and BSSID the device is connected to (if any), the number of Probes seen being sent by the device, and its Trust Level.
The Wireless Clients asset list can be filtered by:
- Associated Sensor
- Status - Online/Offline
- Corporate Status - corporate, non-corporate
- Probes
- Trust Level - Known Good, Unknown, Suspicious, Known Bad, Acceptable
- Vendor
- Discovered on - Date
Clicking a wireless client record displays a detailed view of all known information about the device:
- Probes indicate the SSIDs to which the device has previously connected. To see the probes being broadcast by the device, click Show Probe Requests.
- If the device is currently connected to a wireless network, the ESSID and associated information appears under Connected SSIDs.
- The Timeline of Changes can also be used as a means of detecting when a device was introduced into the environment, as well as subsequent connections.
- The Access Point Connection History shows all of the Access Points to which the Wireless Client has connected, within detection range of the sensor. Each connection is listed with ESSID, BSSID, time of connection, disconnection, and connection duration.
Bluetooth Assets
Pulse discovers all Bluetooth assets within sensor range that are in a Bluetooth pairing mode. This includes devices in Bluetooth Classic and Low Energy (BLE, 4.0) modes.
Each asset record shows its MAC address and associated Vendor, Bluetooth Mode, Version, RSSI, TX power and Trust Level.
Additional Asset Views
Additional Asset Views are available to sort and review data records associated with all of the different assets discovered and assessed with Pulse:
- Vulnerabilities: When using OpenVAS for vulnerability scanning (Pwn Pro Sensor), use this view to see, sort and export lists of network host vulnerabilities detected by Pulse.
Note
Vulnerabilities associated with Open Share Drives are discovered by PwnScan (not OpenVAS), and are accessible through the Vulnerabilities asset view.
- Threats: Use this view to see, sort and export a list of all Threats discovered by Pulse.
- Ports: With this view, you can view, sort, filter and export based on a list of each individual port open across all network hosts discovered by Pulse.
Asset Summary Exports
Each Assets section of Pulse can be exported to a CSV file. At the top right of any page in Pulse, click Export CSV to export information on the current screen to a CSV file. After the export process completes, you receive an email, and the Summary file is available on the Downloads tab of the Pulse web application.
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.