Assets
The assets dashboard displays an overview of the network assets currently tracked by Threat Defender.
If automatic asset tracking is enabled, Threat Defender automatically learns the MAC addresses of the devices in the network and creates individual assets for them in the database. If your network contains devices with multiple MAC addresses, Threat Defender creates an individual entry for each MAC address. You have to consolidate them manually (see Creating a Network Inventory).
To manually add a new asset to be tracked by Threat Defender, e.g. for devices that are located in subnets, click the Add button above the overview panels (see Asset Settings).
Click Create Report if you wish to create a downloadable PDF report on the asset database. The report contains the entire assets table.
The overview panels show the total number of assets by category:
Current - the total number of assets currently stored in the database of Threat Defender.
Created - the number of assets created in the past day.
Updated - the number of assets updated in the past day.
Seen - the number of assets that were active in the network in the past day.
The table displays the assets in the network. To manage multiple assets at once, mark their checkboxes in the first table column. You can then perform the following List Actions:
Operations: Add tags to the selected assets or remove tags from them. You can also merge several assets into one Primary Asset.
Reset Last Seen: Delete the metadata currently stored in the Last Seen section of the selected assets.
The Last Seen column of the table shows the metadata collected for the asset when Threat Defender last saw it in the network. This means it will be empty if there is no outgoing traffic from this asset. Click the corresponding icons to show additional information or to show less information. The icons in the last table column allow you to directly access the reporting section under Analytics for the outbound and inbound traffic of the asset. You can also view the asset details and edit the asset settings or delete the asset.
Asset Details
To see further details on an asset, click the respective icon in the overview table or double-click its row. The details page displays the available information on the asset in several tabs.
The buttons at the top of the page allow you to edit or delete the asset. Click Create Full Report or Create Summary Report if you wish to create a downloadable PDF report on the asset. The full report contains all information displayed in the details page, including the charts. The summary report contains only the data tables.
Asset
The Asset tab displays the configuration of the asset:
Last Seen
The Last Seen tab displays all information collected on the asset when it was last active in the network. If Threat Defender did not see any outgoing traffic from this asset, this tab will be empty.
Field | Description |
---|---|
Seen | The date when Threat Defender last saw the asset in the network. |
VLAN | The VLAN the asset belongs to. |
IPv4 Addresses | The IPv4 addresses last used by the asset. |
IPv6 Addresses | The IPv6 addresses last used by the asset. |
MAC Vendors | The vendor and/or manufacturer of the asset. |
DHCP Request Name | Hostname requested via DHCP. |
DHCP Offer Name | Hostname offered via DHCP. |
Bridge | The name of the bridge via which the asset communicates. |
Interface | The interface of Threat Defender that sees the asset. |
User | The user who was last mapped to the asset. |
Click RESET DATA to reset the tracking information Threat Defender gathered dynamically for this asset.
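The Last Seen fields can help find the separate entries that belong to one device with multiple MAC addresses and have to be consolidated manually. The following is an added example, not part of the Threat Defender documentation or product: it assumes the asset data has been transcribed by hand into records, and the key names (name, mac, vlan, dhcp_request_name) and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, transcribed by hand from the Last Seen fields.
# The key names are assumptions of this example, not a Threat Defender export format.
ASSETS = [
    {"name": "asset-1", "mac": "3c:52:82:11:22:33", "vlan": 10, "dhcp_request_name": "LAPTOP-042"},
    {"name": "asset-2", "mac": "a4:5e:60:aa:bb:cc", "vlan": 10, "dhcp_request_name": "laptop-042"},
    {"name": "asset-3", "mac": "da:a1:19:00:11:22", "vlan": 20, "dhcp_request_name": "phone-7"},
    {"name": "asset-4", "mac": "f2:0c:44:33:44:55", "vlan": 20, "dhcp_request_name": "phone-7"},
    {"name": "asset-5", "mac": "00:1b:21:de:ad:01", "vlan": 10, "dhcp_request_name": "printer-1"},
    {"name": "asset-6", "mac": "00:1b:21:de:ad:02", "vlan": 30, "dhcp_request_name": ""},
]


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set: no vendor OUI,
    typical for randomized or virtual MAC addresses."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def merge_candidates(assets):
    """Group assets that requested the same DHCP hostname in the same VLAN."""
    groups = defaultdict(list)
    for asset in assets:
        hostname = asset["dhcp_request_name"].strip().lower()
        if hostname:  # assets without a DHCP name cannot be matched this way
            groups[(asset["vlan"], hostname)].append(asset)
    candidates = []
    for (vlan, hostname), members in sorted(groups.items()):
        if len({m["mac"].lower() for m in members}) < 2:
            continue  # only one MAC address: nothing to consolidate
        candidates.append({
            "vlan": vlan,
            "hostname": hostname,
            "assets": [m["name"] for m in members],
            "randomized_macs": [m["mac"] for m in members
                                if is_locally_administered(m["mac"])],
        })
    return candidates


if __name__ == "__main__":
    # The DHCP hostname is client-supplied, so verify each group before merging.
    for candidate in merge_candidates(ASSETS):
        print(candidate)
```

Each group it reports is only a candidate for merging into one Primary Asset: two different devices can request the same hostname, so check the group against the physical inventory first.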
Incidents
The Incidents tab displays an extract from the threat intelligence incident log that contains the incidents involving the asset:
Field | Description |
---|---|
Created At | The date and time the incident was created in Threat Defender. |
Severity | The severity logged for the incident. |
Action | The rule action logged for the incident. Actions are |
Type | The type of the reported incident; |
Indicator | The detected threat intelligence indicator. |
Classification | The applications and/or protocols involved in the event. |
Assets | The source and destination assets involved in the incident. |
IP Addresses | The source and destination IP addresses involved in the incident. |
Ports | The source and destination ports involved in the incident. |
Countries | The source and destination countries of the flow involved in the incident. If a private IP range is used, the country is displayed as |
Click the icon in the last table column to go to the log entry under Threats > Incident Logs.
Events
The Events tab displays log events involving the asset and asset users:
Field | Description |
---|---|
Created At | The date and time the event was created in Threat Defender. |
State | The state of the logged event, i.e. whether it was successful or failed. |
Tag | The tag assigns the event to a certain log. |
Action | The action logged for the asset. |
Message | A message describing the event. |
Username | The login name of the user involved in the event. |
User IP Address | The IP address of the user involved in the event. |
Click the icon in the last table column to go to the log entry of the respective event.
Analytics
The Analytics tab shows charts that visualize the traffic information available for the asset. They are grouped in tabs by reporting period (last day, last week, last month).
Asset Settings
When you manually add a new asset to be tracked or edit an existing one, the settings screen is displayed with the following options:
The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).
Note
Any changes to the asset settings will only be applied to future logging data. Any existing datasets in the database remain unchanged.