Assets
The Assets page lets you map assets that are included in a vulnerability scan report to endpoints managed by an endpoint manager such as TrueSight Server Automation, TrueSight Network Automation, or SCCM.
Typically, most assets detected with a vulnerability scan tool can be automatically mapped to endpoints. Mapping is based on a combination of IP addresses and DNS servers (for servers) or IP addresses and device addresses (for network devices). However, the presence of networking gear such as firewalls, load balancers, and proxies can cause mapping discrepancies. As a result, automatic mapping may not always correctly map all hosts.
Anyone who understands the correct mapping between managed endpoints and assets detected in a vulnerability scan can perform manual mapping. In some situations, you may have to override automatic mapping. In other situations a single endpoint may need to be mapped to multiple assets detected in the scan or a single asset in a scan may need to be mapped to multiple endpoints.
The Assets page provides the following capabilities:
Mapping and unmapping assets
To display the Assets page, select TrueSight Vulnerability Management > Assets.
Use the following procedures to map assets to endpoints.
Automatically mapping assets in a vulnerability scan to endpoints
To perform auto-mapping, click Auto-map at top right. If you stay on this page until auto-mapping is complete, a message describes the results.
Assets that are auto-mapped are marked with a icon in the Auto-mapped
column at left.
How auto-mapping works in TrueSight Server Automation and SCCM
Automatic mapping matches the domain name server (DNS) and then the IP address of an asset in a vulnerability scan report to an endpoint with the same information managed by TrueSight Server Automation or SCCM.
How auto-mapping works in TrueSight Network Automation
Automatic mapping matches the device address and then the IP address of an asset in a vulnerability scan report to an endpoint with the same information that is managed by TrueSight Network Automation.
Manually mapping assets in a vulnerability scan to endpoints
After you perform automatic mapping, some assets may remain unmapped. For these, you can perform a manual mapping procedure.
Typically, you map one scanned asset to an endpoint. However, if necessary, you can map one asset in a scan to multiple endpoints, or you can map multiple assets in a scan to one endpoint.
- Select the assets that require mapping.
If necessary, use the filtering capability at the top of each column in the page to find particular assets. For example, if you are looking for assets with names that include the string "aus," enter aus in the filter box at the top of the Scan Host column. - At top right, click the Actions menu and select Map.
The Map Endpoint to Scanned Host(s) page opens. It consists of two tabs: Selected Scanned Hosts and Endpoints. The assets you selected in the previous step are listed on the Selected Scanned Hosts tab. - Use the Map Endpoint to Scanned Host(s) page to perform the following actions:
- On the Selected Scanned Hosts tab, determine which hosts you want to map to an endpoint. To use the full list of hosts, skip this step. To remove a host from the list, click
on the appropriate row.
- Click the Endpoints tab.
- Use the search capabilities described below to find one or more endpoints that you want to map to one or more hosts on the Selected Scanned Hosts tab.
- Enter a text string in the Search text box.
Your text is matched against any text visible on screen except information in the Address column. For example, text could be mapped to part of an endpoint name, description, or OS.
Search strings cannot include spaces or hyphens.
Note that for endpoint searches, you enter data into an elliptical text field. The elliptical shape distinguishes endpoint searches from other types of search. - TrueSight Server Automation only: Optionally, use the filters at left to refine your search. In the example below, notice how the search filtered for the Windows operation system produces 35 results while the search shown above produces 61.
- Take one of the following actions:
- If there are multiple hosts on the Selected Scanned Hosts tab, select one endpoint on the Endpoints tab.
- If there is only one host on the Selected Scanned Hosts tab, select one or more endpoints on the Endpoints tab.
- Click Save.
If you selected one endpoint on the Endpoints tab, it is mapped to the host(s) on the Selected Scanned Hosts tab. If you selected multiple endpoints on the Endpoints tab, they are all mapped to the one host on the Selected Scanned Hosts tab.
- On the Selected Scanned Hosts tab, determine which hosts you want to map to an endpoint. To use the full list of hosts, skip this step. To remove a host from the list, click
Mapping one host in a scan to multiple endpoints
In some situations you may need to map one host in a scan to multiple endpoints.
Examples:
TrueSight Server Automation: When a proxy server or load balancer is enrolled in a vulnerability scan engine and a scan is performed without advanced configuration, the scan may not detect the real servers behind the load balancer or proxy server. In this situation, you must map the proxy server or load balancer that was detected in the scan to multiple endpoints–that is, the managed servers. Those servers are the real servers behind the load balancer or proxy server.
TrueSight Network Automation: A network device such as a NSX Manager can control other devices such as a firewall, a load balancer, and a router. All devices have the same IP address, but only the NSX Manager appears in a scan. If you need to perform remediation on the NSX Manager (for example, by applying a rule that upgrades its operating system), you can map all the other endpoints—that is, the firewall, load balancer, and a router—to the same IP address as the NSX Manager. When the remediation is performed, the same rule applies to all endpoints, and they all have their operating system upgraded.
- Select the host that requires mapping.
- At top right, click the Actions menu and select Map.
The Map Endpoint to Scanned Host(s) page opens. The host you selected in the previous step appears on the Selected Scanned Hosts tab. - Click the Endpoints tab.
- Use the Search capabilities to find endpoints–that is, servers or network devices. Select the endpoints to be mapped.
- Click Save. The endpoints you selected are mapped to the host on the Selected Scanned Hosts tab.
Mapping multiple hosts in a scan to one endpoint
In some situations you may need to map multiple hosts in a scan to one endpoint.
For example, if you are managing a proxy server or load balancer but a vulnerability scan detects the real hosts that are serviced by the proxy server or load balancer, you must map those hosts to a single proxy server or load balancer. Typically this level of detection occurs in a scan when hosts are enrolled in a vulnerability scan engine or advanced configuration in the vulnerability scan engine can reveal real server names or IP addresses.
- Select the hosts that requires mapping.
- At top right, click the Actions menu and select Map.
The Map Endpoint to Scanned Host(s) page opens. The hosts you selected in the previous step appear on the Selected Scanned Hosts tab. - Click the Endpoints tab.
- Use the Search capabilities to find an endpoint and select it.
- Click Save. The endpoint you select on the Endpoints tab is mapped to all the hosts on the Selected Scanned Hosts tab.
Removing mapping
Use this procedure to remove mapping after assets listed on the Assets page have been mapped to endpoints.
- Select assets that have been previously mapped.
- At top right, click the Actions menu and select Remove Mapping.
Clearing all selections
If you are in the process of selecting assets and you want to clear your selections, click the Actions menu at top right and select Clear All Selections.
Managing tags
You can manage tags associated with individual asset. For each asset, you can associate new tag keys, remove existing tag keys, and edit the values assigned to associated keys.
A tag is a key/value pair. Tags provide a means of enriching the data associated with assets. For example, you can use tags to specify asset owners or applications running on assets.
Currently, you can only manage tags for one asset at a time. If you select multiple assets, the Manage Tags capability is not available.
To manage tags
- Select the asset to which you want to add a tag key.
- At top right, click the Actions menu and select Manage Tags.
A dialog shows the list of tag keys assigned to this asset. - Use the following procedures to add, modify, or delete tags.
Adding a tag key to an asset
- Click Add New Tag.
- The Add New Tag dialog opens.
- For Select Key, use the drop-down list to select a tag to add.
You can only select tags that have already been added to the system. - For Add Value, define one or more values for the tag by doing either of the following:
- Click in the text box to display a drop-down list and select from the list.
- Type a new value and press Enter.
- Click OK.
- On the Manage Tags dialog, click Save.
Editing values of an associated tag
- Find the tag you want to modify and click Edit this tag
.
- The Edit Tag dialog opens.
- For Add Value, modify values for the tag by doing any of the following:
- Click in the text box to display a drop-down list and select a value from the list.
- Type a new value and press Enter.
- Delete an existing value by clicking the x next to the value.
- Click OK.
- On the Manage Tags dialog, click Save.
Removing a tag key from an asset
- Find the tag key you want to delete from this asset and click Remove this tag
.
- On the Manage Tags dialog, click Save.
Sorting data in columns
Sort columns of data on this page by clicking on the column header.
Filtering assets
Filters let you limit the data displayed on this page using different criteria, as described in the following sections.
Filtering data in columns
Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.
Filtering by security group
If your user ID is assigned to multiple security groups, you can filter the hosts displayed on the Assets page by selecting an option from the Security Groups filter at the top of the page. The page shows only assets to which that security group has access.
Filtering by mapping status
You can filter the assets displayed on the Assets page with the Mapping Status filter at the top of the page. This filter can limit the assets displayed to those that are mapped to endpoints. You can select Mapped, Not Mapped, or All.
Filtering by tags
If you have imported tags, you can filter assets using any combination of tags or tag values that have been applied to those assets. (A tag is a key/value pair.) The following example filters for both the "SRS" value of the tag called "BU" and the "Maria" value for the tag called "OWNER."
When using the Tags option, the search field lets you search for tag values but not for tag names.
When filtering by tags, you can select the key, which filters for all values of that key, or you can select individual values. Filtering behavior differs depending on whether you select tags, tag values, or both.
- When you select multiple values within a tag, filtering is based on an OR condition. For example, in the Owner tag, you might select Owner1 and Owner2. Filtering shows assets with the Owner1 OR the Owner2 value.
- When you select multiple tags, filtering is based on AND condition. For example, if you select the Owner and the Applications tags, filtering only shows assets with any Owner tag value AND any Applications tag value.
- When you select a combination of tags and tag values, filtering is based on a combination of AND and OR conditions. The AND conditions apply between tags and the OR conditions apply between values for a particular tag. For example, if you select the Application tag and the Owner 1 and Owner2 values of the Owner tag, filtering shows assets that have any Application tag value AND either the Owner1 value or the Owner2 value.
When you set tag filters, they persist when you switch between the Assets page, the Security Dashboard, and the Operator Dashboard.