Assets
An asset is any network endpoint with an IP address, MAC address, host name, or external ID. For network modeling purposes, an asset is any endpoint you consider significant enough to characterize with details that make correlation and reporting more meaningful.
Automatically-Created Assets
The system automatically creates assets to model the network nodes that host ArcSight components (Managers, Consoles, and SmartConnectors). It also automatically creates assets for events received from device endpoints on your network that do not already have assets modeled in ArcSight, and, if applicable, for assets arriving from scan reports sent by vulnerability scanners brought in by scanner SmartConnectors. This auto-asset creation feature could require configuration, depending on the assets reporting to the Manager.
Depending on which method you use, assets are placed in the following locations:
-
Assets that are created through scanners are placed in the Resource tree under
Assets/All Assets/
<Zone Group>
/
<Zone>
. -
Assets that are auto-created by any other type of SmartConnectors are placed under
Assets/All Assets/ArcSight System Administration/Devices
.
As a configuration option, you can also configure it to create assets for devices reporting through SmartConnectors.
Auto-Created Assets for Components
The system automatically creates assets to model the network nodes that host components. These assets do not contain vulnerability information, and are used for system administration.
Component |
|
|
---|---|---|
ArcSight Manager |
|
An asset for the Manager is added (if needed) every time the Manager service starts. |
Consoles |
|
An asset is added for each Console the first time it connects with the Manager. |
SmartConnectors |
|
An asset is created for SmartConnectors only when the SmartConnector begins reporting base events from the device it represents. A Connector can be successfully added to the Manager, but until it starts reporting events from the device it represents, an asset cannot be created for it in the Asset Model. It creates assets differently for SmartConnectors in static zones and those in dynamic zones. For more about static and dynamic zones, see Zones. For details about creating assets for SmartConnectors, see Creating Assets for SmartConnectors. |
Devices Discovered by a Vulnerability Scanner
The system also imports asset and vulnerability information from vulnerability scanner reports generated by products such as Nessus, FoundStone, and ISS Internet Scanner. Asset information is passed to the Manager via the scanner SmartConnector appropriate for your vulnerability scanner product based on IP address, MAC address, and host name.
Updated vulnerability information is added to existing assets with matching identifiers. If a matching asset does not already exist, the system creates one.
The system creates assets from vulnerability scan reports differently for dynamic and static zones. For more about dynamic and static zones, see Zones.
For details about how the system creates assets from vulnerability scans, see Creating Assets from a Vulnerability Scan Report for Dynamic Zones.
Tip: Scanner reports list only information received through the scanner, whereas Asset Editors include the full list of both scanner data and vulnerability mappings stored in the system. Therefore, the Editors might show more or different information than the information from scanner reports.
Devices Reporting Through SmartConnectors
The administrator can configure asset creation for each device that reports to that SmartConnector based on IP address, MAC address, and host name when the Manager receives events from SmartConnectors.
This feature makes it possible to add assets to the network model that may not be part of a regular asset scanning report without having to create them individually. Assets created using this method do not contain vulnerability information, although once they are added to the network model, they can be supplemented with matching data that arrives from a scanner report or that you add individually using the Console.
Administrators can enable the option to create assets for network devices in the Manager Configuration Wizard. See the topic “Running the Manager Configuration Wizard” in the Administrator’s Guide.
The system creates assets differently for devices in static zones and those in dynamic zones. For more about static and dynamic zones, see Zones.
For details about how the system creates assets for devices reporting through SmartConnectors, see Creating Assets for Network Devices.
For more about how to tune asset auto creation from the Console, see the ArcSight System and ArcSight Administration Standard Content Guide. For information about an optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation.
You can customize how the asset auto-creation function works by modifying settings in the server.properties
file. For addtional details, see Creating Assets from a Vulnerability Scan Report for Dynamic Zones. For more about working with properties files, see the topic “Managing and Changing Properties File Settings” in the Administrator’s Guide.
For an overview of the ways by which the network model can be populated with assets, see Populating the Network Model with Assets.
Asset Aging and Model Confidence
Note: Only the assets belonging to the following categories are considered for aging:
-
/All Asset Categories/Site Asset Categories/Scanned/Open Ports
-
/All Asset Categories/Site Asset Categories/Scanned Vulnerabilities
The asset aging function keeps track of the last time an asset was scanned, and incrementally diminishes an asset’s model confidence in the priority formula over time to zero if it hasn’t been scanned in more than 120 days. (You can configure the time range.)
An asset’s age is tracked by default. You can opt to automatically disable an asset that exceeds the configured age limit. This process is described in “Asset Aging” in the Administrator’s Guide.
Note: Resolving zone information on disabled assets
To ensure that events get sorted properly, the system continues to resolve an asset’s zone information and add it to the event, even when the asset is inactive (disabled).
To see why an asset was disabled:
-
In the Navigator panel, go to the Assets tab in the Assets tree. The disabled asset appears with a grey icon.
-
Right-click the disabled asset and select Show Disabled Reason. The message displayed indicates how many days it has been since the asset’s last scan.
To re-enable a disabled asset:
If an asset has been automatically disabled, you can manually re-enable it. In the Navigator panel in the Assets tab of the Assets tree, right-click the disabled icon and select Enable.