Assets

This option lists the available asset lists along with their defined parameters and attributes. Asset lists are dynamically or statically generated lists of assets within the Organization. Asset lists can be shared with one or more users based on local security policy requirements.

Assets are devices (laptops, servers, tablets, phones, etc.) that are grouped together using common search terms within SecurityCenter. For example, a network that assigns a department’s laptops from a defined IP range can create a static asset list using that block of IP addresses. A dynamic asset list can be created based on Plugin ID 21642, Session Initiation Protocol Detection, and Plugin ID 6291, SIP Server Detection. Any device that returns a positive result for these plugin IDs is added to the asset list automatically.

Dynamic Asset Discovery

SecurityCenter can parse the results of Nessus, PVS, or LCE event data to build dynamic lists of assets. For example, a dynamic rule can be created that generates a list of IP addresses that each have ports 25 and 80 open. These rules can be very sophisticated and take into account addressing, open ports, specific vulnerability IDs, and discovered vulnerability content. SecurityCenter ships with a number of example rule templates, and new rules are easily generated with a web-based wizard.

Dynamic asset lists take advantage of the flexible grouping of condition statements to obtain lists of systems on the network that meet those conditions. For example, in the asset above, we are looking for Linux systems listening on TCP port 80 where the number of days since the system was observed is greater than 7.
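The following Python sketch is an added example, not SecurityCenter's own code. It models how grouped condition statements select hosts, using the operators listed under Dynamic Rule Logic. The host records, field names, the "all"/"any" group modes and the function names are assumptions made for illustration.

```python
import re

# Operators from the Dynamic Rule Logic table, modelled as predicates.
OPS = {
    "is equal to": lambda have, want: have == want,
    "is less than": lambda have, want: have < want,
    "is greater than": lambda have, want: have > want,
    "contains the pattern": lambda have, want: want in have,
    # Python's re stands in for a Perl compatible regex engine here.
    "Perl compatible regex": lambda have, want: re.search(want, have) is not None,
}

def matches(host, node):
    """Evaluate one rule, or a nested group of rules, against a host record."""
    if "rules" in node:  # group; "all"/"any" modes are this model's assumption
        combine = all if node["match"] == "all" else any
        return combine(matches(host, child) for child in node["rules"])
    observed = host.get(node["field"])
    if observed is None:
        return False  # no data collected for this field
    values = observed if isinstance(observed, list) else [observed]
    # "not equal to" means no observed value equals the target, so a host with
    # ports 22 and 80 does not satisfy "TCP Port not equal to 80".
    negate = node["op"] == "not equal to"
    test = OPS["is equal to" if negate else node["op"]]
    return any(test(v, node["value"]) for v in values) != negate

def build_asset_list(hosts, definition):
    """Return the sorted IPs of hosts that satisfy the definition."""
    return sorted(h["ip"] for h in hosts if matches(h, definition))

def rule(field, op, value):
    return {"field": field, "op": op, "value": value}

# Constructed scan results, not real data.
HOSTS = [
    {"ip": "10.0.0.5", "os": "Linux Kernel 3.10", "tcp": [22, 80], "days_seen": 12},
    {"ip": "10.0.0.6", "os": "Linux Kernel 4.4", "tcp": [22, 80], "days_seen": 2},
    {"ip": "10.0.0.7", "os": "Microsoft Windows Server 2012", "tcp": [25, 80], "days_seen": 30},
    {"ip": "10.0.0.8", "os": "Linux Kernel 3.10", "tcp": [25, 443], "days_seen": 9},
]
# Linux, listening on TCP port 80, days since observation greater than 7.
STALE_LINUX_WEB = {"match": "all", "rules": [
    rule("os", "contains the pattern", "Linux"),
    rule("tcp", "is equal to", 80),
    rule("days_seen", "is greater than", 7)]}
# Hosts that have ports 25 and 80 open.
MAIL_AND_WEB = {"match": "all", "rules": [
    rule("tcp", "is equal to", 25), rule("tcp", "is equal to", 80)]}
```

Calling `build_asset_list(HOSTS, STALE_LINUX_WEB)` returns only the Linux host on port 80 that was last observed more than 7 days ago.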

Watchlists

A watchlist is an asset list that is used to maintain lists of IPs not in the user’s managed range of IP addresses. IPs from a watchlist can be filtered on regardless of your IP range configuration. This proves to be beneficial when analyzing event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, it could be added to a watchlist called “malicious IPs” and added to a custom query.

Note: Watchlists only use Event data to create the asset list.
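As an added example (not part of the SecurityCenter documentation or Tenable's code), this Python check validates text intended for the IP Addresses field of a Static IP List or Watchlist before it is imported: one address, CIDR block or range per line, within the 20 K character limit. The start-end range syntax, reading 20 K as 20,000 characters, and all function names are assumptions.

```python
import ipaddress

MAX_CHARS = 20_000  # assumption: "20 K character limit" read as 20,000 characters

def parse_entry(line):
    """Return (first, last) for one address, CIDR block or start-end range."""
    if "-" in line:  # assumed range syntax
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("range start is after range end")
        return first, last
    if "/" in line:
        # strict=True flags host bits set (10.0.0.5/24), usually a typo
        net = ipaddress.ip_network(line, strict=True)
        return net[0], net[-1]
    addr = ipaddress.ip_address(line)
    return addr, addr

def check_ip_list(text):
    """Return (spans, errors); spans are (line number, first, last)."""
    spans, errors = [], []
    if len(text) > MAX_CHARS:
        errors.append((0, f"{len(text)} characters exceeds the {MAX_CHARS} limit"))
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            spans.append((lineno, *parse_entry(line)))
        except ValueError as exc:
            errors.append((lineno, f"{line!r}: {exc}"))
    return spans, errors

def overlaps(spans):
    """Return (covering line, covered line) pairs for overlapping entries."""
    found, widest = [], None
    for span in sorted(spans, key=lambda s: (s[1].version, int(s[1]))):
        same = widest is not None and widest[1].version == span[1].version
        if same and span[1] <= widest[2]:
            found.append((widest[0], span[0]))
        if not same or span[2] > widest[2]:
            widest = span
    return found

# Constructed sample input, not taken from a real network.
SAMPLE = "\n".join([
    "192.0.2.10", "198.51.100.0/24", "203.0.113.5-203.0.113.20",
    "203.0.113.50-203.0.113.9", "198.51.100.77", "10.0.0.5/24", "not-an-ip",
])
```

On the sample, lines 4, 6 and 7 are rejected, and line 5 is reported as already covered by the CIDR block on line 2, which is how an entry broader than intended shows up before the list is saved.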

Adding Assets

There are two methods for adding asset lists: selecting from Tenable-provided templates or creating a Custom Asset. Tenable assets are updated via the SecurityCenter feed. They are searchable by using the text search field on the “Add Asset” page or selecting the major category and selecting from the list presented. Once a list of asset templates is displayed, it may be searched by refining the original text query or selecting from the categories. Icons are displayed to indicate which Tenable product(s) are required to present the results defined by the template. Clicking on the asset list displays details of the criteria used to build the asset list. Once added to the list of assets, the entry may be edited to refine the criteria for particular requirements.

The table below outlines available fields for adding a Custom Asset List.

Asset List Fields

Option Description

Static IP List

Name

The asset list name.

Description

Descriptive text for the asset list.

Tag

A logical grouping for created asset objects. This reduces lengthy lists of assets with no logical grouping. Tags can be reused as desired and previously created tags will display in the tag field when subsequent assets are added. Objects shared with new users will retain the tag specified by the creator.

IP Addresses

IP addresses to include within the asset list (20 K character limit). One address, CIDR address, or range can be entered per line.

Selecting the Choose File button will import a list of IP addresses from a saved file.

DNS Name List

Name

The asset list name.

Description

Descriptive text for the asset list.

DNS Names

The DNS hostnames for the asset list to be based upon.

Dynamic

Name

The asset list name.

Description

Descriptive text for the asset list.

Asset Definition

Defines the rules for creating a dynamic asset list. Hovering over an existing rule will give the ability to add, edit, or delete a group or a rule to the definition. The options are explained in the next table for Dynamic Rule Logic.

Combination

Name

The asset list name.

Description

Descriptive text for the asset list.

Combination

This field accepts multiple existing asset lists utilizing the operators “AND”, “OR”, and “NOT”. Using these operators and multiple existing asset lists, new unique asset lists may be created. If the source asset lists change, the Combination asset list will change to match the new conditions.

When this field is initially selected, the options of “NOT” and a list of existing asset lists are displayed. Selecting one of those options followed by a space will display the next valid option for building the asset list, and this continues until the selections are complete. A red border on the combination field indicates a problem in the logic of the query.

Watchlist

Name

The asset list name.

Description

Descriptive text for the asset list.

IP Addresses

IP addresses to include within the asset list (20 K character limit). One address, CIDR address, or range can be entered per line.

Selecting the Choose File button will import a list of IP addresses from a saved file.

LDAP Query

Name

The asset list name.

Description

Descriptive text for the asset list.

Search Base

This is the LDAP search base used as the starting point to search for the user information.

Search String

This string may be modified to create a search based on a location or filter other than the default search base or attribute.

Generate Preview

The preview query is displayed in the Results Preview section after selecting the "Generate Preview" button. The preview lists the LDAP objects that match the defined search string.

Import Asset

Name

The asset list name.

Asset

The “Choose File” button opens a file selection window to choose the asset list that was previously exported for import into SecurityCenter.

The table below describes the logic that can be used when writing a dynamic rule.

Dynamic Rule Logic

Valid Operators Effect

Plugin ID

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

is less than

Field value must be less than the value specified.

is greater than

Field value must be greater than the value specified.

Plugin Text

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., ABCDEF contains ABC).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (example: /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

Operating System

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., ABCDEF contains ABC).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (e.g., /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

IP Address

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

contains the pattern

Field value must contain the text specified (e.g., 1.2.3.124 contains 124).

Posix regex

Any valid Posix regex pattern contained within “/” and “/” (e.g., /.*ABC.*/).

Perl compatible regex

Any valid Perl compatible regex pattern.

Port, TCP Port, UDP Port

is equal to

Field value must be equal to value specified.

not equal to

Field value must be not equal to value specified.

is less than

Field value is less than value specified.

is greater than

Field value is greater than the value specified.

Days Since Discovery, Days Since Observation

is equal to

Field value must be equal to value specified. Scroll arrows are provided to allow for entry selection or the value can be manually entered. Max 365.

not equal to

Field value must be not equal to value specified. Scroll arrows are provided to allow for entry selection or the value can be manually entered. Max 365.

is less than

Field value is less than value specified. Scroll arrows are provided to allow for entry selection or the value can be manually entered. Max 365.

is greater than

Field value is greater than the value specified. Scroll arrows are provided to allow for entry selection or the value can be manually entered. Max 365.

where Plugin ID is

Any valid Plugin ID number. Multiple Plugin IDs may be entered using a range and/or comma separated Plugin IDs (e.g., 3, 10189, 34598, 50000-55000, 800001-800055).

Severity

is equal to

Field value must be equal to value specified (info, low, medium, high, or critical).

not equal to

Field value must be not equal to value specified (info, low, medium, high, or critical).

is less than

Field value must be less than the value specified (info, low, medium, high, or critical).

is greater than

Field value must be greater than the value specified (info, low, medium, high, or critical).

where Plugin ID is

Any valid Plugin ID number. Multiple Plugin IDs may be entered using a range and/or comma separated Plugin IDs (e.g., 3, 10189, 34598, 50000-55000, 800001-800055).

Exploit Available

Is

Select True or False from the drop-down menu.

Exploit Frameworks

is equal to

Field value must be equal to value specified.

Is not equal to

Field value must not be equal to value specified.

contains the pattern

Field value must contain the pattern entered.

XRef

The value entered must be in the XRef field.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.