How to generate an alert when an asset is discovered

srdroppers

How do I generate an alert when a new asset is discovered? I have nmap running every hour and it does insert assets into the asset list, but I would like to generate an alarm or report of all the new assets discovered - implementing "Metric 1" of "Critical Control 1: Inventory of Authorized and Unauthorized Devices" (CSIS: 20 Critical Security Controls Version 4.0 - http://www.sans.org/critical-security-controls/)

"Control 1 Metric:

The system must be capable of identifying any new unauthorized devices that are connected to the network within 24 hours, and of alerting or sending e-mail notification to a list of enterprise administrative personnel."

marcmunk

@sdrroppers

You will have to create a new policy and action. I will create a simple howto in a couple hours.

marcmunk

Now this will only be a very simple howto to point you in the right direction

Go to

Intelligence -> policy and create a new policy

src any dst any src port any dst port any

Under Event Types create new DS group


Name it and go to Add by Data source search for 'arp' and select 'Arpwatch' datasource 1512 Click add selected and then click accept close the next window and select the ds group you just created.

Now to go policy and create a policy that wil generate a new ticket

Remember to add arp-watch under Configuration - Sensors

It became a bit more then a simple howto but it should point you in the right direction.

machaith

I really would an answer too

marcmunk

If you go a look at policy and actions there are 3 event types that should deal with new hosts. I would look in that direction if i were you.

srdroppers

OK - I think I may have missed something very basic. When I look at "policy and actions" I do not see any definitions, I only see a screen with two tabs "Policy", "Actions". Under the "Policy" tab I see two groups, but nothing is in either group.

The actions tab has the label "Actions No Actions", with the options "New", "Modify", and "Delete Selected"

So I see nothing to select with any sort of "event type".