Environment Configuration

Asset Settings

Adding Assets Manually

To better track your inventory, you may want to view additional assets that you possess even though OT Security has not yet detected them. You can add these assets to your inventory manually by downloading and editing a CSV file and then uploading the file to the system. You can only upload assets whose IPs are not already in use by an existing asset in the system. If the system detects an asset communicating over the network with the same IP, it uses the information retrieved about the detected asset and overwrites the previously uploaded information. The system begins handling the asset as a regular one when it is detected communicating in the network.

The IP addresses of uploaded assets are counted as part of the system licensing.

Uploaded assets will display a Risk score of 0 until they are detected by the system.

Note: When assets are added manually, Events aren’t detected for those Assets until OT Security detects their communication in the network.

To add assets manually:

  1. Under Local Settings, go to Environment Configuration > Asset Settings.

    The Asset Settings screen is displayed.

  2. In Add Assets Manually, click on the Actions button and select Download CSV template.

  3. The tot_Assets template document is downloaded.

  4. Open the tot_Assets template document.

  5. Edit the tot_Assets template precisely in accordance with the instructions found in the file, leaving only the column headers (Name, Type, etc.) and the values you enter.

  6. Save the edited file.

  7. Return to the Assets Settings screen.

  8. Click on the Actions button, select Upload CSV, and navigate to and open the desired CSV file to upload it.

  9. In Add Assets Manually, click Download Report.

    A CSV file with the report is displayed, showing successes and failures in the Result column. Details of errors are shown in the Error column.

Event Clusters

To facilitate the monitoring of events, multiple events with the same characteristics are grouped into a single cluster. The clustering is based on event type (i.e., events that share the same policy), source and destination assets, etc.

For events to be clustered, they must be generated within the following configured time intervals:

  • Maximum time between consecutive events – sets the maximal time interval between events. If this time passes, the consecutive events will not be clustered.

  • Maximum time between the first and last event – sets the maximal time interval for all events to be shown as a cluster. An event that is generated after this time interval will not be part of the cluster.
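
How the two intervals interact is easiest to see in code. The following is an added illustration, not OT Security's own implementation: it assumes the cluster key is (policy, source, destination), that both limits are inclusive, and it uses constructed events with a hypothetical policy name.

```python
from datetime import datetime, timedelta

def cluster_events(events, max_gap, max_span):
    """Group events that share (policy, source, destination) into clusters.

    An event joins the open cluster for its key only if it is within
    max_gap of that cluster's last event AND within max_span of its first.
    Assumption: both limits are inclusive; the product may differ.
    """
    open_cluster = {}  # key -> the cluster currently accepting events
    clusters = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["policy"], ev["src"], ev["dst"])
        cur = open_cluster.get(key)
        if (cur is not None
                and ev["time"] - cur[-1]["time"] <= max_gap
                and ev["time"] - cur[0]["time"] <= max_span):
            cur.append(ev)
        else:
            cur = [ev]  # first event for this key, or a limit was exceeded
            open_cluster[key] = cur
            clusters.append(cur)
    return clusters

# Constructed sample events (not product output); the policy name is hypothetical.
T0 = datetime(2024, 1, 1, 8, 0)

def _ev(minute, src):
    return {"time": T0 + timedelta(minutes=minute), "policy": "Unauthorized write",
            "src": src, "dst": "10.0.0.20"}

SAMPLE_EVENTS = [_ev(m, "10.0.0.5") for m in (0, 4, 8, 12, 30)] + [_ev(1, "10.0.0.6")]

def cluster_sizes(events, gap_min, span_min):
    found = cluster_events(events, timedelta(minutes=gap_min),
                           timedelta(minutes=span_min))
    return [len(c) for c in found]

if __name__ == "__main__":
    # Gap 5 min, span 10 min: minute 12 exceeds the span, minute 30 exceeds the gap.
    print(cluster_sizes(SAMPLE_EVENTS, 5, 10))
```

With a short span, a steady stream of events is split into several clusters even though no gap between consecutive events is exceeded; widening only the span merges them.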

To enable clustering:

  1. Under Local Settings, go to Environment Configuration > Event Clusters.

    The Event Clusters screen is displayed.

  2. Click on the toggle to enable desired categories for clustering.

  3. To configure the time intervals for a category, click on the Edit button.

    The Edit Configuration window is displayed.

  4. Enter the desired number value in the number field and adjust the unit of time using the drop-down list.

    Note: For more information about clustering and time intervals, click on the button.

  5. Click Save.

PCAP Player

OT Security enables you to upload a PCAP file containing recorded network activity and “play” it on OT Security. When you “play” a PCAP file, OT Security monitors the network traffic and records all information about detected assets, network activity and vulnerabilities as if the traffic had occurred within your network. This feature can be used for simulation purposes or to analyze traffic that occurs outside of the network that is monitored by your OT Security deployment (e.g. remote plants).

Note: The following file types are supported for this feature: .pcap, .pcapng, .pcap.gz, .pcapng.gz. You can use files that were recorded by an instance of OT Security or other network monitoring tools.
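
Because a played PCAP cannot be undone, it is worth confirming before upload that a file's content matches its extension. The following is an added example, not part of OT Security: it identifies the capture format from its leading magic bytes (classic pcap, pcapng, optionally gzip-wrapped) and compares it with the four supported extensions; the sample byte strings and file names are constructed.

```python
import gzip
import io
import struct
import zlib

SUPPORTED = (".pcap", ".pcapng", ".pcap.gz", ".pcapng.gz")
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # microsecond timestamps, either byte order
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # nanosecond timestamps, either byte order
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"             # Section Header Block type

def sniff(data):
    """Return the extension the content corresponds to, or None if unrecognised."""
    gz = data[:2] == b"\x1f\x8b"
    if gz:
        try:  # decompress only the first four bytes of the stream
            head = gzip.GzipFile(fileobj=io.BytesIO(data)).read(4)
        except (OSError, EOFError, zlib.error):
            return None
    else:
        head = data[:4]
    if head in PCAP_MAGICS:
        kind = ".pcap"
    elif head == PCAPNG_MAGIC:
        kind = ".pcapng"
    else:
        return None
    return kind + (".gz" if gz else "")

def check_capture(filename, data):
    """Return (ok, declared, actual) for a candidate upload."""
    declared = next((e for e in SUPPORTED if filename.lower().endswith(e)), None)
    actual = sniff(data)
    return (declared is not None and declared == actual, declared, actual)

# Constructed samples: a 24-byte pcap global header and a minimal pcapng section header.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)

if __name__ == "__main__":
    print(check_capture("plant.pcap", SAMPLE_PCAP))
    print(check_capture("plant.pcapng", SAMPLE_PCAP))  # extension/content mismatch
```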

Uploading a PCAP File

To upload a PCAP file:

  1. Under Local Settings, go to Environment Configuration > PCAP Player.

  2. Click Upload PCAP File.

    The File Explorer opens.

  3. Select the desired PCAP recording.

  4. Click Open.

    The PCAP file is uploaded to the system.

Playing a PCAP File

To play a PCAP file:

  1. Under Local Settings, go to Environment Configuration > PCAP Player.

  2. Select the PCAP recording you would like to play.

  3. Click Actions > Play.

  4. The Play PCAP wizard is displayed.

  5. In the Play Speed field, select from the drop-down list the speed at which you would like the system to play the file.

    Options are: 1X, 2X, 4X, 8X or 16X.

    Note: Playing a PCAP file injects data into the system. This operation cannot be undone or stopped once executed.

  6. Click Play.

    The PCAP file is “played” in the system. All network activity in the PCAP file is registered in the system and assets identified by the system are added to the assets inventory.

    Note: You cannot play another PCAP file while a file is still playing.