Risk Dashboard Direct link to this section

The Risk Dashboard is an interactive dashboard that lets you identify, monitor, and acknowledge risks within your network. It includes the following pages:

The Risk Dashboard also includes a variety of tools. For example, documentation, and a downloads area where you can download virtual machine images.

See Tools section for more information.

Requirements Direct link to this section

• Google Chrome (latest version)

Access the Risk Dashboard Direct link to this section

1. Go to https://risk.arcticwolf.com.
2. Sign in using your access credentials.

Routine Risk Dashboard tasks Direct link to this section

The following table describes Risk Dashboard tasks that you should complete on a semi-regular basis:

*Varies depending on the frequency of scans and how large or diverse the environment is. New and mitigated risks might be found frequently because Internal Vulnerability Assessment (IVA) scans can be configured to run continuously and, Agent scans are scheduled daily.

Overview page Direct link to this section

The Overview page of the Risk Dashboard provides an overview of your network including risk score and asset health. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Downloading an Executive Summary, and Downloading a Risk Assessment for more information.

• Current Risk Score — Provides your current risk score. This score automatically updates. The score duplicates the risk metric information, but it includes a visual chart.

• Industry Risk Score — Displays your risk score compared to other Arctic Wolf customers in the same industry. This score is updated daily. The score duplicates the risk metric information, but it includes a visual chart.

• Unresolved Risks — Displays the current number of active medium to critical severity vulnerabilities in your network. This number automatically updates. The score duplicates the risk metric information, but it includes a visual chart.

• Risk Score Trends — Displays how your individual and industry risk scores have changed over time, up to one year.

  See Downloading Risk Score Trends for more information.

• Asset Class Health — Displays the health of all your assets divided by category, based on risk score and number of vulnerabilities. Assets that are closer to zero are healthier.

  See Downloading Asset Class Health for more information.

• Asset Health — Displays a heatmap of the assets in your network, based on risk score, where low is a better score.

  See Downloading Asset Health for more information.

View risk metrics Direct link to this section

Risk metrics are located at the top of all Risk Dashboard pages except for the Scanner Console page. The following metrics are provided:

• Current Risk Score — Provides your current risk score. The score automatically updates. Click Information to open the Risk Score page, which displays information about how the risk score was calculated. See Evaluating the Current Risk Score for more information.
• Industry Risk Score — Displays your risk score compared to other Arctic Wolf customers in the same industry. This risk score is updated daily.
• Unresolved Risks — Displays the current number of active medium to critical severity vulnerabilities in your network. This number automatically updates.
• New Risks — Displays the number of risks in your network that were discovered within the last 30 days. New risks are those that you have not yet acknowledged, and include vulnerabilities discovered during scans. If a risk is no longer found in your network, for example because a device was removed from the network, but that risk is found again at a later time, it is considered new at that point.
• Mitigated Risks — Displays the number of risks in your network that were resolved within the last 90 days.
• Accepted Risks — Displays the number of risks that you have acknowledged and are no longer included in your Current Risk Score.

Current Risk score Direct link to this section

Arctic Wolf calculates your current risk score based on the Common Vulnerability Scoring System version 2 (CVSSv2) and is the weighted average of all vulnerabilities found on your network. The CVSSv2 provides an open framework for communicating the network vulnerabilities impacts. Specifically, the CVSSv2 score provides an objective metric that Arctic Wolf uses to prioritize vulnerabilities so that the highest risk vulnerabilities are remediated first.

Your risk score automatically updates when a change occurs. For example, when a new risk is found in your network, or if you change the Status of an existing risk.

Target score Direct link to this section

The Overview page displays trends of your risk score over time in comparison to others in the industry and provides a target risk score for a low risk network.

Risk is something that can never be completely eliminated, only reduced. To ensure resources are spent effectively, you should mitigate the highest risk vulnerabilities first, followed by medium, and then the highest internal vulnerabilities. Mitigate the lower risk vulnerabilities last.

The CVSSv2 specification includes a high-level categorization into three severities:

• Low — Less than 3.9
• Medium — From 4 to 6.9
• High — From 7 to 10

Industry studies show a high correlation between the time to exploit and incidents of exploitation with high severity CVEs. Therefore, an effective mitigation and prioritization strategy addresses all high severity CVEs with the highest possible urgency.

Network health Direct link to this section

Your network health is based on risk score and number of vulnerabilities. A low risk network is a healthier network.

Vulnerabilities Direct link to this section

A vulnerability is an issue within the software, operating system, or service that is exploitable. Managed Risk scanners can identify, quantify, and prioritize or rank the vulnerabilities in a system. Vulnerabilities are classified as issues.

A zero-day vulnerability is a vulnerability that bad actors or third-parties exploit before the vendor determines a solution to the problem.

View Risk Score Trends Direct link to this section

1. In the Risk Dashboard navigation pane, click Overview.

2. (Optional) In the Risk Score Trends section, change the risk timeline:

   • Click Monthly to view the data on a monthly timeline.
   • Click Daily to view the data on a daily timeline.

3. (Optional) Change the chart format:

   • Click Bar to view the data as a bar chart.
   • Click Line to view the data as a line chart.

   Tip: Click Restore to restore the chart to the default settings.

4. (Optional) Hover over the chart to see the numerical value of your risk score, industry risk score, and target.

Evaluate the Current Risk Score Direct link to this section

The Current Risk Score is an overall risk score that represents the entire environment of risk in your network. It includes external, internal, host, and cloud risks. On a monthly or quarterly basis, evaluate your risk score, and recognize the risk types that impact your risk score the most. Risks with a high vulnerability score affect your Current Risk Score more than risks with a low vulnerability score. This means that addressing risks that have a low vulnerability score may not appear to affect the risk score.

1. In the Risk Dashboard navigation pane, click to open any page except Scanner Console.

2. For the Current Risk Score, located in the upper-left, click Information.

   The Risk Score screen appears.

3. Review each risk score Category to see the overall score of that particular type of risk, and take note of the Category names. The highest scoring Category should match the overall published risk. Review Severities with a High rating because they have the highest impact on the risk score.

4. In the navigation pane, click Risks.

5. In the Filters section, enter a Category name in the Search field to review the risks for that category.

   Tip: The search is a full-text search, so it might find risks from a different Category that have the search words in the description. You can export the list as a CSV file, to view the Category of each.

See Quantifying Cyber Risk: Calculating the Arctic Wolf Managed Risk Score for more information about the risk score algorithm.

Download Risk Score Trends Direct link to this section

1. In the Risk Dashboard navigation pane, click Overview.

2. In the Risk Score Trends section, click CSV.

   A CSV file downloads to your device.

Download Asset Class Health Direct link to this section

1. In the Risk Dashboard navigation pane, click Overview.

2. In the Asset Class Health section, click CSV.

   A CSV file downloads to your device.

Download Asset Health Direct link to this section

1. In the Risk Dashboard navigation pane, click Overview.

2. In the Asset Health section, click CSV.

   A CSV file downloads to your device.

Download an Executive Summary Direct link to this section

The Executive Summary PDF report includes all of your scan summary data and details about any risks with a score of 9 or higher.

1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

2. Click Executive Summary.

   The Executive Summary dialog appears.

3. (Optional) Enter a name in the Prepared For text box.

4. Select the checkboxes of the items that you want to include in the Executive Summary report:

   Note: If you refresh the page, or navigate elsewhere, your selections reset.

   • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
   • Risk Severity Summary — A summary of your risks categorized by severity.
   • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
   • Identified Risks — A list of the active risks in your network.
   • Risk Score Trends — Your risk score history as it appears on the Overview page.
   • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
   • Network Risk Overview — A heat map of your asset health.
   • Accepted Risks — A list of the risks that you have acknowledged.

5. Click Download PDF.

   The PDF file downloads to your device.

Download a Risk Assessment Direct link to this section

The Risk Assessment PDF report includes all of the summary data plus details on all risks with a score of 5 or higher.

1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

2. Click Risk Assessment.

   The Risk Assessment dialog appears.

3. (Optional) Enter a name in the Prepared For text box.

4. Select the checkboxes of the items that you want to include in the Risk Assessment report:

   Note: If you refresh the page, or navigate elsewhere, your selections reset.

   • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
   • Risk Severity Summary — A summary of your risks categorized by severity.
   • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
   • Identified Risks — A list of the active risks in your network.
   • Risk Score Trends — Your risk score history as it appears on the Overview page.
   • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
   • Network Risk Overview — A heatmap of your asset health.
   • Accepted Risks — A list of the risks that you have acknowledged.

5. Click Download PDF.

   The PDF file downloads to your device. This report is only available in PDF format.

Management Plan page Direct link to this section

The Management Plan page shows all of the risks in your network and any of their associated plans. On this page, you can create plans, and see risks that are not currently assigned to plans. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.

• Plan — Allows you to view, create, and close plans.

  See Plan section, View a plan, View unassigned risks, Create a plan, Move a risk between plans, and Close a plan for more information.

• Filters — Allows you to filter the risks that appear in the Unassigned Risks table.

  See Filters section for more information.

• Unassigned Risks — Displays risks that are not currently assigned to a plan.

  See Risks and Unassigned Risks sections, Download the Unassigned Risks table data, and Download Remediation report for more information.

Plan section Direct link to this section

The Plan section is located on the Management Plan page. It allows you to view, create, and close plans.

A plan is a collection of risks that match certain criteria as defined in system rules. Information is displayed in a format similar to a Gantt chart. A timeline shows the estimated completion date for each plan, and colour is used to indicate the following:

• Blue — Represents the estimated time to completion, based on the plan due date. This is the cumulative time to completion of all risks associated with the plan.
• Red — Represents when a critical risk is estimated to complete.
• Orange — Represents when a medium risk is estimated to complete.
• Green — Represents when a low risk is estimated to complete. You can use plans to keep track of risks and to mitigate them.

See View a plan, Create a plan, and Close a plan for more information.

View a plan Direct link to this section

1. In the Risk Dashboard navigation pane, click Management Plan.

2. In the Plan section, choose the Week, Month, or Quarter option, to specify the timeline scale.

3. (Optional) You can use the following plan filters to refine the items that appear in the Plan chart:

   Filter	Description
   Users	Select a user to see the plans that are associated with that user.
   Risk Score	Use these filters to view the plans that include risks with risk scores within the value range that you specify.
   Risk State	Select a state to view the plans that include risks in that state. See Risk states for more information.
   Created Before	Select a calendar date to view all of the plans that were created before that date.

   Click Clear All at any time to remove all filters.

4. (Optional) In the Plan section, click + beside the name of the plan that you want to view, to view plan details.

   The row expands to display the risks contained in the plan and the associated timeline for each.

Change the timeline scale for plans Direct link to this section

The Plan timeline displays the estimated completion date for each plan. You can adjust the timeline scale to be weekly, monthly, or quarterly. Custom timeline scales are not supported.

1. In the Risk Dashboard navigation pane, click Management Plan.
2. In the Plan section, choose the Week, Month, or Quarter option.

View unassigned risks Direct link to this section

Unassigned risks are risks that are not currently assigned to a plan.

1. In the Risk Dashboard navigation pane, click Management Plan.

2. Scroll down to the Unassigned Risks table.

   See Risks and Unassigned Risks sections for more information about the table columns.

Create a plan Direct link to this section

1. In the Risk Dashboard navigation pane, click Management Plan.

2. Click Create Plan.

   The Create Plan dialog appears.

3. Enter a title and description for the plan.

4. (Optional) To create a plan that only includes risks of that severity, select a Severity value from the dropdown list.

   Tip: Risk severity is based on risk score.

5. Click Create Plan.

6. Add risks to your new plan.

   See Assign a single risk to a plan and Assign multiple risks to a plan for more information.

Assign a single risk to a plan Direct link to this section

1. In the Risk Dashboard navigation pane, click Risks.

2. (Optional) Use Filters to narrow the list of risks that appear on the page.

   See Filters section for more information.

3. In the Risks table, click the required risk.

4. In the information panel, scroll down to Plan, and then select the required plan title from the list.

   Your changes are automatically saved.

Assign multiple risks to a plan Direct link to this section

1. In the Risk Dashboard navigation pane, click Risks.

2. (Optional) Use Filters to narrow the list of risks that appear on the page.

   See Filters section for more information.

3. In the Risks table, select the checkbox next to each risk you want to update.

4. Click Update Selected.

   The Bulk Update dialog appears.

5. Select the required plan title from the Plan list.

Move a risk between plans Direct link to this section

To change the plan that a risk belongs to:

• See Assign a single risk to a plan and Assign multiple risks to a plan for more information.

Close a plan Direct link to this section

1. In the Risk Dashboard navigation pane, click Management Plan.

2. Click Close Plan.

   The Close Plan dialog appears.

3. Select a plan from the list that you would like to close.

4. Click Close Plan.

Download the Unassigned Risks table data Direct link to this section

1. In the Risk Dashboard navigation pane, click Management Plan.

2. (Optional) Use Filters to narrow the list of risks that appear on the page.

   See Filters section for more information.

3. In the Unassigned Risks section, click Download CSV.

   A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

   Note: Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.

Risks page Direct link to this section

The Risks page lists all risks that a Managed Risk source identified in the network, sorted by risk score. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.

• Filters — Allows you to filter the risks that appear in the Risks table.

  See Filters section, and Default Risk filters for more information.

• Risks — Allows you to view the risks that were identified in your network.

  See Risks and Unassigned Risks sections, Routine Risk Dashboard tasks, Rescan risks, Rescan IVA assets, View risks based on an assigned due date, Assign a user and a due date to a risk, Unassign a user and a due date from a risk, Change the state of inactive risks, Edit risks, Download a remediation report, Download Risks table data for more information.

Risks and Unassigned Risks sections Direct link to this section

The Risks section is located on the Risks page. It includes a table with details about each risk that was identified in the network. The Unassigned Risks section is located on the Management Plan page. It includes a table with risks that are not currently assigned to a plan. Both tables have the same columns.

You can change how the information displays in the tables:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To add or remove table columns, click Columns, and then select checkboxes of the columns you want to show.
• To sort data by a specific column, click the column heading.
• To configure the risks that appear in the table, change the filters. See Filters for more information.

Both tables have the following information:

Filters section Direct link to this section

A Filters section for risks is located on the Management Plan and Risks pages. You can use the following filters to refine the items that appear in the Unassigned Risks, or Risks tables:

Click Clear Filters at any time to remove all filters.

Default Risk filters Direct link to this section

By default, the Risks page loads with the following filters applied:

See Filters section for more information.

Risk states Direct link to this section

All detected risks within your network have a State value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. You can manually change the State of a risk. Changing this value does not impact whether the Risk Scanner detects, or is capable of detecting, any risk on the host machine. If you do not make changes, the default state of a risk is Open.

The risk State values that you can select are:

Risk statuses Direct link to this section

All detected risks within your network have a Status value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. This value is automatically assigned.

Risk information pane Direct link to this section

When you select a risk in the Risks table, an information pane opens for that risk. You can make changes to some fields in the information pane. Changes are reflected immediately.

The risk information pane has the following fields:

To initiate a new scan, click Rescan. This only works with IVA and Agent risks.

Risk State and Status lifecycles Direct link to this section

To effectively review risks and maintain an accurate risk score in your Risk Dashboard, it is important to understand risk states and statuses and their lifecycle.

Generally, the risk State is manually set by the Risk Dashboard administrator, and the risk Status is automatically set by the system based on certain conditions. The one exception is the risk State of Unsuccessful Validation, which is automatically set by the system if the State was previously Fixed, Waiting Validation, but the risk was detected again during the next scan.

The lifecycle of the risk State and Status is different depending on the Source that discovered the risk:

• Agent (Arctic Wolf Agent)

  See Risks discovered using Arctic Wolf Agent.

• EVA (External Vulnerability Assessment)

  See Risks discovered using EVA scanning.

• IVA (Internal Vulnerability Assessment)

  See Risks discovered using IVA scanning.

For all three Sources, changing the State to Accepted or False Positive removes the risk from the list of actionable risks and from the risk calculation.

See Risk States and Risk Statuses for additional information.

Risks discovered using Arctic Wolf Agent Direct link to this section

When a risk is discovered using Arctic Wolf Agent, the risk Source is Agent. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan:

• If the risk is not found, the Status automatically changes to Mitigated. The State remains as Open, even though the risk is mitigated, because this value is manually set.

• If the risk is found, the Status automatically changes to Active. The State remains as Open.

• If the next scan does not occur for 45 days, the Status automatically changes to Obsolete and the risk is removed from the list of actionable risks and from the risk calculation.

  Note: After 10 days, Obsolete risks are deleted.

Risks discovered using EVA scanning Direct link to this section

When a risk is discovered using EVA (External Vulnerability Assessment) scanning, the risk Source is EVA. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan, if the risk is no longer found, the Status automatically changes to Mitigated. The State remains as Open, even though the risk is mitigated, because this value is manually set.

Risks discovered using IVA scanning Direct link to this section

When a risk is discovered using IVA scanning, the risk Source is IVA. Each newly discovered risk has a Status of either:

• Active — The risk was detected in the previous scan and is online.

• Inactive — The risk was not detected during the previous scan, or the risk exists on an asset that is considered to be offline because it has not been detected for 24 hours. The risk remains as Inactive for 90 days unless the risk is detected again, or the device comes back online. After 90 days, if the risk is not detected, the Status automatically changes to Mitigated. If it’s been 90 days since the asset was last seen online, the risk Status automatically changes to Obsolete. In both cases, the risk is removed from the default actionable risk view and from the risk score calculation.

  Notes:

  • The Inactive is a Status used only for IVA risks.
  • After 10 days, Obsolete risks are deleted.

  The following diagram illustrates the lifecycle of mitigated risks that were discovered by an IVA:

  

  The following diagram illustrates the lifecycle of offline assets that were discovered by an IVA:

  

Rescan risks Direct link to this section

You can rescan an individual risk or rescan multiple risks at the same time.

1. In the Risk Dashboard navigation pane, click Risks.
2. In the Risks table, select the checkbox of each risk to rescan.
3. Click Rescan to add the risk to the scan queue.
4. Click Rescan to confirm.

   Note: The Rescan button appears dimmed if you select a risk with EVA as the Source because rescans are currently unavailable for EVA.

Rescan IVA assets Direct link to this section

You can rescan IVA assets to view internal network risks. This procedure is commonly used to verify that a risk is mitigated.

1. In the Risk Dashboard navigation pane, click Risks.

2. Go to https://risk.arcticwolf.com/risks?assetID=<asset_ID>, where <asset_ID> is the asset ID.

   Tip: You can obtain the asset ID from the Risk information pane.

3. In the Filters section, clear the EVA and Agent checkboxes.

4. In the Risks table, select the checkbox of each risk with a State of Mitigated that you want to rescan.

5. Click Update Selected.

   The Bulk Update dialog box appears.

6. In the State list, select Fixed, Waiting Validation.

   This setting allows you to see the State change to Unsuccessful Validation if the risk is still detected, or the Status change to Mitigated if the risk was successfully fixed.

7. Click Update.

8. Clear the checkbox of each risk that you do not want to rescan.

9. Click Rescan.

   The Rescan Risks dialog box appears.

10. Click Rescan.

Review active risks Direct link to this section

On a weekly or monthly basis, review active risks.

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Filters section, click Clear Filters, and then do the following:

   • State — Add the following filters:

     • Open
     • Acknowledged, In-Planning
     • Mitigation/Fix in Progress
     • Fixed, Waiting Validation
     • Unsuccessful Validation

   • Status — Add the Active filter.

   • Discovery Date Range — Enter a date range as appropriate to view the newly discovered active risks.

   The Risks section displays active risks that occur within the specified date range.

See Risk Statuses for more information.

Review inactive risks Direct link to this section

On a weekly or monthly basis, review and update inactive risks. Inactive risks are included in default views and reports, and they count toward your risk score. Reviewing inactive risks helps to maintain an accurate risk score.

See Risk Statuses for more information.

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Filters section, click Clear Filters, and then do the following:

   • State — Add the following filters:

     • Open
     • Acknowledged, In-Planning
     • Mitigation/Fix in Progress
     • Fixed, Waiting Validation
     • Unsuccessful Validation

   • Status — Add the Inactive filter.

3. Review the inactive risks, and then do one of the following:

   • Change the State of all Inactive risks.

     See Change the State of Inactive risks for more information.

   • Manually review an individual Inactive risk, and then update it with the appropriate State.

     See Change the State of Inactive risks for more information.

   • Do nothing. 90 days after the risk was last detected, the Status automatically changes to Obsolete if the device is offline or Mitigated if the device is no longer detected. Obsolete and Mitigated risks are removed from the default view (which only includes Active and Inactive risks), and are removed from the risk score calculation.

Review mitigated risks Direct link to this section

On a monthly or quarterly basis, review mitigated risks to verify that the risks were resolved as expected.

1. In the Risk Dashboard navigation pane, click Risks.

2. Change the State of Inactive risks that are fixed to Mitigated.

   See Change the State of Inactive risks that are fixed to Mitigated for instructions.

3. (Optional) Verify that a Mitigated risk is resolved.

   See Verify that a Mitigated risk is resolved for instructions.

See Risk States for more information.

Change the State of Inactive risks that are fixed to Mitigated Direct link to this section

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Filters section, click Clear Filters, and then do the following:

   • State — Add the following filters:

     • Open
     • Acknowledged, In-Planning
     • Mitigation/Fix in Progress
     • Fixed, Waiting Validation
     • Unsuccessful Validation

   • Status — Add the Inactive filter.

3. In the Risks section, review the risks. These are risks that were not detected in the last scan, or that are related to offline assets. If you expect any of these risks to be fixed, change the State to Mitigated.

   See Review inactive risks for more information.

4. In the Filters section, set the following filters:

   • Status — Add Mitigated and Obsolete and remove Inactive.
   • Resolved Date Range — Enter a date range as appropriate to view mitigated risks that occurred after fixes or patches were installed.

5. In the Risks section, review the risks you updated earlier. Verify that mitigation occurred as expected.

   Tip: View the Status of the risk to determine if it is resolved. The State is user-assigned, so it retains the value it had prior to being confirmed as mitigated (including Unsuccessful Validation).

6. (Optional) Verify that the mitigated risk is resolved.

   See Verify that a Mitigated risk is resolved for more information.

Verify that a Mitigated risk is resolved Direct link to this section

After you change the status of an inactive IVA risk to Mitigated, you can rescan the asset to confirm that the risk is resolved.

1. Change the State of Inactive risks that are fixed to Mitigated.

   See Change the State of Inactive risks that are fixed to Mitigated for more information.

2. In the Risks section, verify that the Source and State columns are visible. If required, click Columns, and then select the Source and State checkboxes to view these columns.

3. In the Source column, click an IVA or Agent risk.

4. In the details panel, change the State to Fixed, Waiting Validation.

5. Take note of the Scanner ID and Host values.

6. Scroll to the bottom of the panel, and then click Rescan.

   The Rescan Options dialog appears.

7. Select the Scan Now option.

8. Click Save.

   The asset scan begins. A full suite of tests are performed, including risk validation. Depending on the type of asset, this can take between 15 minutes and 1.5 hours.

9. In the navigation pane, click Config > Scanner Config.

10. In the Scanner Configuration section, for Scanner ID, click Details.

    The Scanner Select dialog appears.

11. In the Search field, enter the Scanner ID value, and then click the matching ID in the table.

12. In the Scanning Queue section, complete one of the following:

    • Click the Status column heading to sort the scan queue by status and view the risks with a Status of Running at the top.
    • In the Search field, enter the Host value.

    Tip: It can take several minutes for the scan to display active scanning data in the queue. If an asset is not scanned, wait several minutes and then refresh your browser.

Review risks that failed validation Direct link to this section

On a weekly or monthly basis, review risks that failed validation. This helps you to recognize and prevent future security vulnerabilities.

Risks that had a State of Fixed, Waiting Validation and later failed validation, now have a State of Unsuccessful Validation. Take, for example, a device that was offline for a period of time. The risk State was manually updated to Fixed, Waiting Validation because it was Inactive. When that device is online again, the risk is found again, so the State changes to Unsuccessful Validation.

See Risk States for more information.

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Filters section, click Clear Filters, and then do the following:

   • State — Add the Unsuccessful Validation filter.
   • Status — Add the following filters:
     • Active
     • Inactive

3. In the Risks section, review the risks that failed validation. These are risks that previously had a State of Fixed, Waiting Validation but were rescanned and the risk is still being found. If you believe that the risk is resolved, complete the following to find more information about why the risk is still being found:

   • In the Risks section, click a risk you believe is resolved. Scroll to Additional Details, and then click Details. For IVA and EVA risks, this often provides additional details about what was found and why it was flagged as a risk.

   • For Agent risks, complete a vulnerabilities debug scan. This provides details about what exactly was found on the asset to trigger the vulnerability.

     See Interpreting Arctic Wolf Agent Vulnerability Debug Scans for more information.

Contact your Concierge Security® Team (CST) at security@arcticwolf.com, and request assistance with the investigation.

View risks based on an assigned due date Direct link to this section

You can view risks based on the assigned due date. This is useful if you want to see unmitigated risks with past due dates.

• In the Risk Dashboard, go to https://risk.arcticwolf.com/risks?assignmentDueDateBefore=<unix_timestamp>, where <unix_timestamp> is the assigned due date in a 10-digit Unix timestamp format.

  For example:

  https://risk.arcticwolf.com/risks?assignmentDueDateBefore=1657655263

See Unix Time Stamp - Epoch Converter to convert a date to a 10-digit Unix timestamp format.

Interpret Arctic Wolf Agent Vulnerability Debug Scans Direct link to this section

Arctic Wolf Agent Vulnerability Debug Scans produce a detailed HTML debug report that describes how a vulnerability was detected on a device. It includes the file or registry settings, and the logic that triggered the risk. Use this procedure to help you interpret the HTML debug report. You can also send your HTML debug reports to your CST for analysis.

1. Create an HTML debug report.

   See Performing Arctic Wolf Agent Vulnerability Debug Scans for instructions.

2. Open the HTML debug report in a browser.

   Tip: It may take some time to completely load the report. When the pie chart at the top of the page is fully rendered, the loading is complete.

3. In the Rule Results Summary section, click the FAIL filter to view only the failed tests.

4. Click the applicable vulnerability to see additional details.

5. Review the Result Component Logic. Look for logic conditions that are green (true). This indicates that the conditions matched the logic Arctic Wolf uses to determine if a vulnerability exists.

   

6. Click OVAL TEST to view additional details. The file value or registry value and logic displays.

   

7. If the vulnerability is for a File State, click show untested values.

   Information displays about the file that triggered the vulnerability detection.

   

Change the State of Inactive risks Direct link to this section

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Risks section, do one of the following:

   • To select a single inactive risk, select the checkbox next to the risk you want to update.

   • To select all inactive risks:

     1. Select All from the Show Entries list.

     2. Select the checkbox at the top of the table.

        All risks are selected.

3. Click Update Selected.

   The Bulk Update dialog appears.

4. Select one of the following from the State list:

   • Mitigated — Changes the Status to Mitigated for all selected risks, immediately removes the risks from the default view (which only includes Active and Inactive risks), and removes the risks from the risk score calculation. If any of these risks are discovered again, the risk reappears on the list with a State of Open, Status of Active, and Age reflecting the date that the risk was first discovered.

     Tip: If the majority of the assets in your environment are online most of the time, it is a common approach to change the State to Mitigated. This is a reasonable choice because a State of Inactive typically indicates that the risk has been mitigated.

   • Fixed, Waiting Validation — Maintains the Status of Inactive for all selected risks, and all risks remain in the risk score calculation. If any of these risks are not detected the next time the asset is scanned, the risk Status changes to Mitigated, and the risk is removed from the default view (which only includes Active and Inactive risks) and risk score calculation.

     Tip: If you have a dynamic environment, a State of Inactive could mean that the asset is offline and the risk can be verified when it is back online. In this situation, a State of Fixed, Waiting Validation may make more sense.

5. Click Update.

Edit risks Direct link to this section

You can edit one or more risks at the same time. For example, you can assign a due date, or change the risk State of more than one risk at the same time.

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Risks table, select the row for every risk that you want to edit as part of a group. You can review more pages and continue making your selections.

   Tip: The number of risks currently selected is displayed, along with options to update or clear your selections.

3. Click Update Selected.

   The Bulk Update dialog appears.

4. Edit one or more of the following fields:

   • State
   • Assign To
   • Plan
   • Due Date

5. Click Update.

6. (Optional) Click Clear All Selected to clear all selected risks.

Accept a vulnerability Direct link to this section

You can choose to accept an identified risk rather than fixing or mitigating the vulnerability. Changing the state of a risk to Accepted removes that risk from the Risk Score calculation. The risk remains in the Risks table for as long as it is detected on the network.

We recommend that you mitigate or fix risks to improve your security posture, instead of accepting them. Accepting a risk does not make the risk go away, so bad actors could still take advantage of the vulnerability.

If the risk is a false positive, you should apply the False Positive state to the risk, which then removes the risk from the Risk Score calculation.

1. In the Risk Dashboard navigation pane, click Risks.

2. In the Risks table, click the risk that you want to update.

   The information pane opens.

   Tip: Use the search field to narrow the results.

3. In the information pane, select Accepted from the State dropdown list.

4. In the prompt, enter a detailed justification description.

5. Click Accept to save your changes.

   Your changes are automatically saved.

Assign a user and a due date to a risk Direct link to this section

To track the resolution of a risk, you can assign risks to specific users within your organization and assign a due date.

1. In the Risk Dashboard navigation pane, do one of the following:

   • To view the Risks table, click Risks.
   • To view the Unassigned Risks table, click Management Plan.

2. In the Risks or Unassigned Risks table, click the risk you want to assign a user and due date to.

   The information pane opens.

3. (Optional) In the information pane, select an email address from the Assigned To dropdown list.

   Tip: To remove user and due date assignments, select the blank field from the Assigned to menu.

4. (Optional) In the information pane, click the Due Date field, and then select a date on the calendar by which the risk should enter the Fixed, Waiting Validation state. This date must be at least one day in the future. The present day is highlighted in blue.

   The Due Date field populates with a date based on the selection, following the format MM/DD/YYYY, such as 02/20/2020.

5. Click Update to save your changes.

Unassign a user and a due date from a risk Direct link to this section

You cannot unassign a user from a risk, but you can assign the risk to another email from the list in the Assigned To field.

1. In the Risk Dashboard navigation pane, do one of the following:

   • Click Risks, to view the Risks table.
   • Click Management Plan, to view the Unassigned Risks table.

2. In the Risks or Unassigned Risks table, click the risk you want to unassign a user and due date from.

   The information pane opens.

3. (Optional) In the information pane, select the blank field from the Assigned to menu.

4. Click anywhere outside of the information panel to close the panel.

   Your changes are automatically saved.

Download a remediation report Direct link to this section

You can download a remediation report that includes:

• A list of all risks that you selected to include in the report.

• The Common Vulnerabilities and Exposures (CVEs) for all risks.

  Tip: Each unique CVE and associated risk appear on a single line of the report. Therefore, if a risk has multiple CVEs, the risk repeats on multiple lines for each associated CVE.

• The remediation steps for the CVE associated with the risk.

• Each CVE has an associated CVE risk score, which is the Common Vulnerability Scoring System (CVSS) for the CVE.

  Tip: These CVE risk scores are not the same as your overall Risk Score.

• If available, references links to CVE remediation steps.

To download a remediation report:

1. In the Risk Dashboard navigation pane, click Risks.

2. (Optional) Use Filters to narrow the list of risks that appear on the page.

   See Filters section for more information.

3. In the Risks section, click Remediation Export.

   A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

   Notes:

   • Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
   • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.

Download Risks table data Direct link to this section

1. In the Risk Dashboard navigation pane, click Risks.

2. (Optional) Use Filters to narrow the list of risks that appear on the page.

   See Filters section for more information.

3. In the Risks section, click Download CSV.

   A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

   Notes:

   • Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
   • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.

Assets page Direct link to this section

The Assets page includes all information relevant to the assets in your network. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Downloading an Executive Summary, and Downloading a Risk Assessment for more information.

• Filters — Allows you to filter the risks that appear in the Asset Catalog table.

  See Asset filters section for more information.

• Asset Catalog — Allows you to view, edit, rescan, and delete your assets.

  See Asset Catalog section, View an Asset Profile, Adding a note to an Asset Profile, Editing multiple assets, Review assets, Editing asset classification values, Rescan assets, Deleting and asset, and Downloading Asset Catalog data for more information.

Asset Catalog section Direct link to this section

The Asset Catalog section is located on the Assets page. It includes a table with all of your assets, sorted by risk score. You can change how the information displays in the table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To add or remove table columns, click Columns, and then select checkboxes of the columns you want to show.
• To sort data by a specific column, click the column heading.
• To configure the assets that appear in the table, change the filters. See Asset filters section for more information.

The Asset Catalog table has the following columns:

Asset filters section Direct link to this section

The Filters section for assets is located on the Assets page. Use it to narrow the assets that appear in the Asset Catalog table. These are the available filter options:

Click Clear Filters at any time to remove all filters.

Review assets Direct link to this section

On a monthly or quarterly basis, review your assets. As assets are removed or decommissioned from the environment, it is good practice to remove them from the Asset Catalog. It does not cause harm to keep them, but they create clutter and affect your metrics for a period of time.

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Filters section, click Clear Filters.

3. For the Source filter, clear the EVA checkbox.

4. Do one of the following:

   • Review your assets in the Asset Catalog section of the Risk Dashboard.
   • Export your asset information, and then review the assets in a spreadsheet:

     1. In the Asset Catalog section, click Download CSV.

        The Asset Catalog.csv file downloads to your device.

     2. Open the Asset Catalog.csv file, and review the information in Microsoft Excel or other application of choice.

5. Sort the assets by the Last Seen value.

   Tip: External assets have a Last Seen value of Unknown. Review public-facing IP addresses and domains with your CST on a regular basis. Submit a ticket to security@arcticwolf.com to immediately communicate any new systems or changes to them.

6. Review the assets, and then complete the appropriate task:

   • The asset was decommissioned and can be removed — Click Delete to delete it. All risks associated with the asset are also deleted.

   • The asset is present and active, but no longer seen by the IVA scanner or Agent — Verify that the IP is still part of the IVA scan schedule or that no firewall rules are preventing the agent from checking in.

     See Arctic Wolf IP Addresses for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

View an Asset Profile Direct link to this section

An Asset Profile provides additional details about an asset.

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog section, go to the Source column, and then click any source.

   The Asset Profile information is organized into the following sections:

   • Details — See Details section and Edit Details in an Asset Profile for more information.
   • Location — See Location section for more information.
   • Host Identification — See Host Identification section for more information.
   • Advanced Identification — See Advanced Identification section for more information.
   • Profile Activity — See Profile Activity section for more information.
   • Add Note — See Add Note section, Add a note to an Asset Profile, and Delete a note from an Asset Profile for more information.
   • Asset Profile History — See Asset Profile History section for more information.

Details section Direct link to this section

The Details section of the Asset Profile includes the following information about the selected asset:

• Source — The scan that discovered the asset.
• Category — The asset category.
• Device Name — The name of the asset.
• OS — The operating system, if known.
• Found By — The scan that discovered the asset.
• Manufacturer — The manufacturer, if known.
• Criticality — The criticality of the asset.
• Tags — The tags applied to the asset.

See View an Asset Profile and Edit Details in an Asset Profile for more information.

Location section Direct link to this section

The Location section of the Asset Profile includes the following information about the selected asset:

• Longitude — The location of the asset, in decimal degrees, east or west of the prime meridian.
• Latitude — The location of the asset, in decimal degrees, north or south of the equator.
• City — The city where the asset was last discovered, if known.
• Country — The country where the asset was last discovered, if known.

See View an Asset Profile for more information.

Host Identification section Direct link to this section

The Host Identification section of the Asset Profile includes the following information about the selected asset:

• DNS Hostname — The DNS hostname of the asset.
• NetBIOS Name — The NetBIOS name of the asset.
• IPv4 Address — The IP address of the asset.
• Asset ID — The ID of the asset.

See View an Asset Profile for more information.

Advanced Identification section Direct link to this section

The Advanced Identification section of the Asset Profile includes the following information about the selected asset:

• Latest Username — The latest username.
• System Model — The system model.
• System Boot Time — The date and time when the system was last booted.
• External IP Address — The external IP address.
• Last Verified IP — The date and time that the IP address was last verified.
• Client ID — The client identification.

See View an Asset Profile for more information.

Profile Activity section Direct link to this section

The Profile Activity section of the Asset Profile includes the following information about the selected asset:

• Profile Created — The date and time when the asset profile was created.
• Profile Last Updated — The date and time when the asset profile was last updated.
• Country — The country where the asset was last discovered, if known.
• City — The city where the asset was last discovered, if known.

See View an Asset Profile for more information.

Add Note section Direct link to this section

The Add Note section of the Asset Profile allows you to add a note to the asset. The Previous Notes section allows you view existing notes to the asset. It includes the following information:

• Note — The content of the note.
• Who — The email address of the user who added the note.
• When — The date and time that the note was added.

See View an Asset Profile, Add a note to an asset profile, and Delete a note from an asset profile for more information.

Asset Profile History section Direct link to this section

The Asset Profile History section of the Asset Profile provides asset profile change history information. When a scan identifies an asset, an asset profile is created or the existing asset profile is updated. The Asset Profile History table shows asset profile changes over time as a result of scans from the selected source. It does not include a history of asset Tags or Asset Criticality. You can change how the information displays in the table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To add or remove table columns, click Columns, and then select checkboxes of the columns you want to show.
• To sort data by a specific column, click the column heading.

The Asset Profile History table has the following columns:

See View an Asset Profile for more information.

Add a note to an Asset Profile Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.
2. In the Asset Catalog section, go to the Source column, and then click any source.
3. In the Add Note section, enter a note in the Add notes here text box.
4. Click Add Note.

Edit multiple assets Direct link to this section

You can use the following methods to edit multiple assets:

• Edit multiple assets in the Asset Catalog table
• Edit multiple assets in a CSV file

Edit multiple assets in the Asset Catalog table Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. (Optional) Use Filters to narrow the list of assets that appear on the page.

   See Asset Filters section for more information.

3. In the Asset Catalog table, select the row for every asset that you want to edit as part of a group. You can review more pages and continue making your selections.

   Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

4. Click Update Selected.

   The Bulk Update dialog appears.

5. Edit one or more of the following fields:

   • Asset Criticality
   • Category
   • Device Name
   • Tags

     Note: You must select desired tags with a checkmark to add or remove them from an asset. Tags selected with a dash are not applied or removed.

6. Click Update to save your changes.

7. (Optional) Click Deselect All to clear all selected assets.

Edit multiple assets in a CSV file Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. (Optional) Use Filters to narrow the list of assets that appear on the page.

   See Asset Filters section for more information.

   Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

3. In the Asset Catalog section, click Export Assets.

   A CSV file with the following fields downloads to your device:

   • Device ID
   • Asset IP
   • Device Name
   • Category

4. Open the CSV file.

5. Locate the required Asset IP, and then edit the corresponding Device Name and Category columns as desired.

   Notes:

   • Do not edit the Device ID column. Editing a Device ID values results in an unsuccessful CSV file import.
   • To reset the Device Name or Category of an asset to the value from the default sensor, leave the cell empty.
   • To exclude a device from the bulk edit, either leave the Device Name or Category values unchanged or delete the row from the CSV file.

6. Save the CSV file.

7. In the Risk Dashboard, click Import Assets.

8. Locate the modified CSV file, and then click Open.

   The Confirm Upload dialog appears.

9. Click Upload.

   A message appears to confirm whether the import was successful or unsuccessful.

Edit asset classification values Direct link to this section

It is important to add Category, Asset Criticality, and Asset Tags classification values to assets when they are initially deployed so you have a baseline. After that, on a monthly or quarterly basis, review and update your asset classification values because environments change over time. Classification values help to provide asset context.

1. In the Risk Dashboard navigation pane, click Assets.

2. For Discovery Date Range, enter a date range that allows you to view assets that were added since the previous asset updates.

3. Update the asset classification values.

   See Edit multiple assets in the Asset Catalog table for more information.

   Tip: To filter assets, you can enter a comma-separated list of values in the Search field. For example, you can enter a distinct list of IP addresses or device names for bulk editing.

Edit Asset Criticality Direct link to this section

You can associate an asset with a pre-defined Asset Criticality value. This value is optional. The value displays for any risks that are discovered on the device, which can assist you with risk mitigation planning.

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog, select the checkbox next to each asset you want to update.

3. Click Update Selected.

   The Update Selected Assets dialog appears.

4. In the Asset Criticality dropdown list, select the required Asset Criticality:

   • Unassigned — The default value for all devices.
   • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
   • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
   • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
   • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
   • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.

5. Click Update Asset(s).

Edit Asset Tags Direct link to this section

Tags are an optional value that you can apply to assets. The values are then included on any risks that are discovered on the device to assist with risk mitigation planning.

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog section, select the checkbox next to each asset you want to update.

3. Click Update Selected.

   The Update Selected Assets dialog appears.

4. In the Asset Tags search field, enter the required asset tag:

   • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
   • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
   • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
   • internet_facing — Any asset that can be reached through the public internet.
   • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
   • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
   • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
   • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.

5. Click Update Asset(s).

See Edit asset details in the Asset Catalog for more information.

Edit Details in an Asset Profile Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog table, click the required Source.

3. In the Details pane, click Edit Details.

   The Edit Asset Details dialog appears.

4. Edit the required asset details:

   • Category — Select the required category from the list. If the desired category does not already exist, you can create it. Enter the category in the Add Category field, and then click Add.
   • Device Name — Edit the name of the asset. This is the name that appears in the Risk Dashboard.

     Note: You can edit the Tags or Asset Criticality values from the Asset Catalog table. See Edit asset details in the catalog.

5. Click Update.

Edit asset details in the Asset Catalog Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog table, select the checkbox of the risk to edit.

   Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

3. Click Update Selected.

   The Update Selected Assets dialog appears.

4. Edit one or more of the following fields:

   • Category

   • Asset Criticality

     See Edit Asset Criticality for more information.

   • Asset Tags

     See Edit asset tags for more information.

   • Device Name

5. Click Update Asset(s).

Rescan assets Direct link to this section

You can rescan an individual asset or multiple assets at the same time.

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog table, select the checkbox of each risk to rescan.

3. Click Rescan to add the asset to the scan queue.

   Tip: The Rescan button appears dimmed if you select an EVA source as it is currently unavailable.

4. Click Rescan to confirm.

Delete an asset Direct link to this section

You can delete an asset if you no longer require it.

To delete an asset:

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog table, locate the asset you want to delete, and then click Delete.

   The Confirm Delete dialog appears.

3. Click Delete.

Delete a note from an Asset Profile Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog section, go to the Source column, and then click any source.

3. In the Previous Notes section, locate the note to delete, and then click Delete.

   The Delete Note dialog appears.

4. Click Delete.

Download Asset Catalog data Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. (Optional) Use Filters to narrow the list of assets that appear on the page.

   See Asset Filters section for more information.

   Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

3. Click Download CSV.

   The CSV file downloads to your device.

Agent page Direct link to this section

The Agent page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Download an Executive Summary, and Downloading a Risk Assessment for more information.

• Risk charts — Illustrates the percentage of risks in various categories.

  See View risk charts for more information.

• Target Group Overview — Provides a summary of the target groups and scanning schedules.

  See Target Group Overview section, Enable an agent scan schedule, and Stopping active and scheduled agent scans for more information.

• Agent Risks — Allows you to view, edit, rescan, and delete your assets.

  See View Agent Risks for more information.

• Agent Scan Details — Allows you to view, edit, rescan, and delete your assets.

  See View Agent Scan Details for more information.

You can change how the information displays on the page:

• Click Close to remove a section from the page.
• Click Collapse to collapse a section on the page.

All sections display when the page refreshes.

View risk charts Direct link to this section

Risk charts illustrate the percentage of risks in various categories.

1. In the Risk Dashboard navigation pane, click Agent.

   The Agent page contains three risk charts:

   • Risks by OS
   • Risks by Category
   • Risks by Severity

2. (Optional) Hover over a section of the chart to see the percentage. Use the legend, above each chart, for information about the chart colors. Click the arrows to scroll through the legend.

Target Group Overview section Direct link to this section

The Target Group Overview section is located on the Agent page. It includes a table that provides a summary of the target groups and scanning schedules. You can change how the information displays in the table:

• To set the number of rows that appear on a page, select a value from the Show <x> entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific information, enter search terms in the Search field.

The Target Group Overview table has the following columns:

Click CSV to download a CSV file containing all target groups for the deployment.

The Edit and X icons are used by Arctic Wolf employees to edit and delete target groups. They are not functional for customers.

View Agent Risks Direct link to this section

The Agent Risks section provides a link to the Risks page, so you can view risks with Agent as the Source.

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Agent Risks section, click here.

   The Risks page appears. The risk table is filtered to display risks with Agent as the Source.

View Agent Scan Details Direct link to this section

The Agent Scan Details section displays information about scans that overlap with or start within the specified date and time.

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Agent Scan Details section, select the start date and time for the scan results that you want to view.

3. Click Get Data.

   The table displays all target group scans that occurred after your selected start date and time.

The Agent Scan Details table has the following columns:

Click Details next to a scan in the table to view details for a specific scan. The sub-table has the following columns:

View Agent Audits Direct link to this section

1. In the Risk Dashboard navigation pane, click Assets.

2. In the Asset Catalog section, go to the Source column, and then click any Agent.

   If Agent discovered the asset and the asset information is available, it is provided in the appropriate section:

   • Task List table
   • Wireless Networks table
   • USB Devices table
   • Software Packages table

Task List table Direct link to this section

The Task List table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

See View Agent Audits for more information.

Wireless Networks table Direct link to this section

The Wireless Networks table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

See View Agent Audits for more information.

USB Devices table Direct link to this section

The USB Devices table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

See View Agent Audits for more information.

Software Packages table Direct link to this section

The Software Packages table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

See View Agent Audits for more information.

Enable an agent scan schedule Direct link to this section

You can enable individual agent scan schedules.

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Target Group Overview section, locate the agent scan schedule you want to turn on.

3. In the Scheduled Enable column, turn on the toggle.

   Note: If the toggle appears dimmed, the scan is currently disabled.

   In the Scanning column, the agent status changes to Enabled.

Stop active and scheduled agent scans Direct link to this section

Active scans and scheduled scans can be stopped individually or in bulk:

• Stop an agent scan schedule
• Stop all agent scan schedules

Stop an agent scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Target Group Overview section, locate the agent scan schedule you want to turn off.

3. In the Schedule Enabled column, turn off the toggle.

   Note: If the toggle appears dimmed, the scan is currently disabled.

   In the Scanning column, the agent status changes to Disabled.

Stop all agent scan schedules Direct link to this section

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Target Group Overview section, click Stop All Scan Schedules.

3. Click Stop All Scan Schedules to confirm.

   In the Scanning column, all agent statuses change to Disabled.

EVA page Direct link to this section

The EVA page displays information gathered from External Vulnerability Assessment (EVA) scans, specifically target scan groups and the associated risks for these groups. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.

• Target Group to Risk Severity — Displays target score information for each target group and its targets.

  See Target Group to Risk Severity section, Target Group to Risk Severity filters, Download a Target Group to Risk Severity chart, and Filter target groups by tags for more information.

• Target Group Overview — Displays information about target group scans.

  See Target Group Overview section for more information.

• Risks by Target Group — Displays risk information for target groups.

  See Risks by Target Group section for more information.

Target Group to Risk Severity section Direct link to this section

The Target Group to Risk Severity section is located on the EVA page. It displays target score information for each target group and its targets. The chart legend lists each target group, all targets within a group, and the color corresponding to the chart.

The chart visualizes the target score associated with each target and target group. The chart has three layers, where the innermost layer represents the target group, the second layer represents each target within that group, and the third layer represents the target score associated with each target. Each target group and associated targets are one unique color. Low target scores are not visible, medium target scores are yellow sectors, and high target scores are red sectors. If a target group scan did not discover a host, then it is not displayed on the chart.

Target Group to Risk Severity filters Direct link to this section

The Target Group to Risk Severity section is located on the EVA page. It includes the following filters that you can use to change the chart data:

Target Group Overview section Direct link to this section

The Target Group Overview section is located on the EVA page. You can change how the information displays in the Target Group Overview table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific information, enter search terms in the Search field.
• To limit the table to target groups with the relevant tags, see Filter target groups by tags for more information.

The Target Group Overview table has the following columns:

Risks by Target Group section Direct link to this section

The Risks by Target Group section is located on the EVA page. You can change how the information displays in the Risks by Target Group table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific information, enter search terms in the Search field.
• To limit the table to target groups with the relevant tags, see Filter target groups by tags for more information.

The Risks by Target Group table has the following columns:

Click Details at the left of each entry to display additional risk information. Details vary, depending on the risk. Not all information is present for each entry:

• Domains to resolve this address — Links or IP addresses used to access the risk.
• Observations — General notes about the risk.
• References — Links relating to further information about the risk type and potential mitigation steps.

Filter target groups by tags Direct link to this section

1. In the Risk Dashboard navigation pane, click EVA.
2. In the Target Group to Risk Severity section, enter the tags you want to filter by in the Tags text box.
3. Click Update Control Data.

   Note: It may take a few seconds for the updates to complete.

Download a Target Group to Risk Severity Chart Direct link to this section

1. In the Risk Dashboard navigation pane, click EVA.

2. (Optional) Use filters to narrow the information that appears in the chart.

   See Target Group to Risk Severity filters for more information.

3. Click Save image.

   An image of the chart downloads to your device. It does not save the legend.

Stop active and scheduled EVA scans Direct link to this section

Active scans and scheduled scans can be stopped individually or in bulk:

• Stop an EVA scan schedule
• Stop all EVA scan schedules

Stop an EVA scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click EVA.

2. In the Target Group Overview section, locate the EVA scan schedule you want to turn off.

3. In the Schedule Enabled column, turn off the toggle.

   Note: If the toggle appears dimmed, the scan is currently disabled.

   In the Scanning column, the status changes to Disabled.

Stop all EVA scan schedules Direct link to this section

1. In the Risk Dashboard navigation pane, click EVA.

2. In the Target Group Overview section, click Stop All Scan Schedules.

3. Click Stop All Scan Schedules to confirm.

   In the Scanning column, all EVA statuses change to Disabled.

User Config page Direct link to this section

The User Config page is no longer available. Previously, it allowed you to manage users who could access your Risk Dashboard. If you need to make user management changes now, contact your CST.

Scanner Config page Direct link to this section

The Scanner Config page lets you make changes to your scanning configuration and scanning schedules. The page includes the following sections:

• Risk metrics — Provides risk score information.

  See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.

• Scanner Configuration — Displays configuration details about the selected scanner.

  See Scanner Configuration section, View the configuration of a scanner, Delete a scan schedule, and Disable a scan for more information.

• Scanning Schedule — Displays scans that are scheduled for a selected scanner.

  See Scanning Schedule section, and Check IVA Scanner connectivity for more information.

• Credentialed Scanning — Lists all the scans that have credentialed scanning enabled.

  See Credentialed Scanning section, and Add new scan credentials for more information.

• Scanning Queue — Displays all running and scheduled scans for the selected scanner. This section is only visible if you are viewing information for a scanner that has scans queued

  See Scanning Queue section, and View the scan queue for more information.

By default, the scanner scans all devices on the same network subnet as the IP or mask that is provisioned. If desired, you can add additional devices, if they are reachable through a gateway, for scanning.

The scanner virtual machine (VM) is designed for rapid and continuous scanning to process all the network hosts as quickly as possible. As such, it is normal for the scanner to consume all of the virtual CPU (vCPU) allocated to it. This may not be desirable in a highly overloaded ESXi environment, and allocating more resources may be difficult in the short term. In this situation, we recommend using the minimum system requirements as described in the Managed Risk Scanner Installation Guide for your environment. If CPU consumption is an issue, try deploying a physical scanner. However, we only recommend this approach if the ESXi environment is unable to manage the scanner resource requirements.

By design, company identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer to GUID mapping is stored within the Arctic Wolf secure network.

Scan frequency for a given host depends on a number of factors including:

• The uptime of the host
• The number of hosts in the scan
• Host uptime on the network
• The scanner hardware

We recommend that each host on the network is scanned at a minimum once every 10-14 days. You may require additional scanners based on your network size and complexity.

The Risk Scanner operates in stages when determining what hosts to scan next. Scans begin five minutes after the previous scan completes. During this process, the Risk Scanner:

• Builds a list of active hosts based on the most recently completed Nmap scan.
• Uses the OpenVAS history to sort the list of active hosts according to the least recently scanned interval, with the least recently scanned host at the top of the list, and the most recently scanned host at the bottom.
• Determines if each host is eligible to be scanned based on whether the current time falls within the applicable scan schedule window.
• Determines the system capacity to manage simultaneous scans based on the current CPU load. It begins with one scan and increases by one additional scan every cycle until all CPU resources are used. If the CPU load exceeds the threshold, the number of parallel scans is reduced by one for the next scan cycle.
• Runs the new scan, starting with the least recently scanned host that is available to be scanned at that moment. The scanner then polls for the next least recently scanned host until the scanning capacity is reached.

Scanner Configuration section Direct link to this section

The Scanner Configuration section is located on the Scanner Config page. It displays configuration details for the selected scanner.

The Scanner Configuration section has the following information:

Scanning Schedule section Direct link to this section

The Scanning Schedule section is located on the Scanner Config page. It displays scans that are scheduled for a selected scanner. You can change how the information displays in the Scanning Schedule table:

• To set the number of schedules that appear on a page, select a value from the Show <x> Entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific schedules, enter search terms in the Search field.

The Scanning Schedule table has the following columns:

Credentialed Scanning section Direct link to this section

The Credentialed Scanning section is located on the Scanner Config page. Credentialed scanning requires entering known credentials for a target host or group of hosts to allow the scanner to run network vulnerability tests and security checks.

During authentication, the scanner enumerates different protocols, some of which may be insecure; for example, server message block (SMB). Once connected, the scanner receives a list of installed software. The scanner then runs and checks all version check Network Vulnerability Tests (NVTs) that use OpenVAS, based the list of software installed on the host. Scan results are limited if the scanner is unable to log in to the target.

Scanning a Windows target uses NTLMv2 over SMB for authentication.

You can change how the information displays in the Credentialed Scanning table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific information, enter search terms in the Search field.

The Credentialed Scanning table has the following columns:

Scanning Queue table Direct link to this section

The Scanning Queue section is located on the Scanner Config page. It is only visible if you are viewing information for a scanner that has scans queued. The table displays all of the running and scheduled scans for the selected scanner. You can change how the information displays in the Scanning Queue table:

• To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
• To sort data by a specific column, click the column heading.
• To view specific information, enter search terms in the Search field.

The Scanning Queue table has the following columns:

View the configuration of a scanner Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, next to Scanner ID, click Details.

   The Scanner Select dialog appears.

3. Do one of the following:

   • Enter the required scanner ID in the search field.
   • Locate the required scanner ID in the table. Scroll through the pages if required.

4. Click the scanner ID in the list.

   The dialog automatically closes and the configuration information appears in the Scanner Configuration section.

View the scan queue Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Queue section, view the data in the Last Scan column for the time that the host was last scanned.

   Note: The Scanning Queue section is only visible if you are viewing information for a scanner that has scans queued.

Add new scan credentials Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Credentialed Scanning section, click Add new scan credentials.

   The Configure Credentials for Target Hosts dialog appears.

3. Enter the following information in the dialog:

   • Name — Enter a name for the credential.

   • Description — (Optional) Enter a description for the credential.

   • Hosts — Enter the IP addresses of the target hosts in a comma-separated list.

     Tip: This field also accepts IP ranges using a hyphen, such as 10.0.0.1-3.

   • Type — Select the type of credential:

     • Username/Password — You will provide the username and password of the target hosts.
     • Username/SSH Key — You will provide the username and SSH key of the target hosts.

   • Username — Enter the appropriate credential.

   • Password — Enter the appropriate password.

   • Passphase (Optional) — Enter the appropriate password phrase.

   • SSH Key — Enter the appropriate SSH key.

4. Click Configure.

Manage Risk Scanner configuration Direct link to this section

To add an IP address or IP address range to the:

• Scheduled scan configuration — See Add a new scan scheduled.
• DenyList — See Add an IP address or range to a DenyList.
• AllowList — See Add an IP address or range to an AllowList.

Add a new scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, click Add a new scan schedule.

   Tip: Click Cancel or press ESC to close this dialog box.

   The Configure Scanner Schedule dialog appears.

3. In the Targets field, enter IP addresses or networks, in a comma-separated list in CIDR format, of the targets you want scanned.

   Note: Only entries with the CIDR format X.X.X.X/Y are accepted in this field. If you only want to add a single host, enter the host as X.X.X.X/32.

   We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue.

   See Managed Risk Scanner FAQ for more information about subnet scan ranges.

4. In the Type dropdown list, select one of the following:

   • Continuous — The scan runs continuously.
   • Daily — The scan runs once a day. When selected, these options appear:
     • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
     • Scan Window (Hours) — Select the scan window. The default value is 8.
   • Weekly — The scan runs once a week. When selected, these options appear:
     • Weekday checkboxes — Select the applicable days of the week to run the scan.
     • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
     • Scan Window (Hours) — Select the scan window. The default value is 8.
   • Monthly — The scan runs once a month. When selected, these options appear:
     • Date & Time — Enter a date and time that you want the scan to start. The time is set using a 24-hour clock.
     • Scan Window (Hours) — Select the scan window. The default value is 8.

5. In the Priority dropdown list, select one of the following:

   • Low — This scan runs last, after all other scans are complete.
   • Medium — This scan runs after High priority scans but before Low priority scans.
   • High — This scan completes first before all other scans.

     Note: If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.

6. Click Configure to save your changes.

Add an IP address or IP address range to the AllowList Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, click Add a new scan schedule.

   The Configure Scanner Schedule dialog appears.

3. Configure the following:

   • Targets — Enter a private IP address or private IP address range to AllowList.
   • Type — Select Continuous.
   • Priority — Select a scan priority. This determines the order that a scan performs in when there are multiple items in the Scanning Queue.

4. Click Configure to save your configuration.

Add an IP address or IP address range to the DenyList Direct link to this section

A DenyList is a list of IP addresses that you specifically do not want the scanner to scan, such as devices with non-optimally designed or implemented embedded network stacks that may behave unexpectedly if scanned. For example, printers or consumer-grade WiFi access points may print unexpected output or reboot if scanned. Because of the inconvenience this may cause, you can choose not to scan these devices.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, enter IP addresses or networks in the DenyList IP/Networks field.

   The format of this field is a comma-separated list in classless inter-domain routing (CIDR) format. The DenyList IP/Networks field accepts individual hosts without the /32 specification or networks in the same CIDR X.X.X.X/Y.

   Tip: You can specify multiple IP addresses using a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.

Edit an existing scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, locate the desired schedule, and then click Edit.

   Tip: Use the Search bar to search for a specific schedule.

   The Configure Scanner Schedule dialog appears.

3. Modify the schedule as desired. For example, to:

   • Raise the priority of an existing scan schedule — Set the Type or Priority values to the desired cadence. This is often used when a scan needs to be rerun to confirm a high-risk vulnerability remediation throughout the organization.
   • Change the frequency of the scan — Change the Type value to your desired frequency.

4. Click Configure to save your changes.

Brute force scanning username checks Direct link to this section

The Risk Scanner performs brute force scanning checks on the following non-exhaustive list of usernames:

• acc
• adfexc
• adm
• admin
• Admin
• administrator
• Administrator
• adminttd
• ADVMAIL
• alex
• anonymous
• Anonymous
• apc
• asus
• at4400
• backup
• bbsd-client
• boss
• buh
• cellit
• cgadmin
• cisco
• Cisco
• client
• cmaker
• comsco
• craft
• customer
• davox
• debug
• device
• dhs3mt
• dhs3pms
• diag
• D-Link
• DTA
• FIELD
• foo
• ftp
• ftpadmin
• ftpuser
• guest
• Guest
• halt
• HELLO
• hscroot
• install
• intel
• IntraStack
• IntraSwitch
• kermit
• login
• MAIL
• manager
• Manager
• manuf
• MDaemon
• mediator
• MGR
• mobile
• monitor
• msfadmin
• mtch
• mtcl
• nas
• nasadmin
• nasuser
• NETOP
• netrangr
• NETWORK
• NICONEX
• operator
• OPERATOR
• patrol
• PBX
• PCUSER
• PFCUser
• pi
• public
• rdp
• rdpamin
• rdpuser
• readonly
• recovery
• root
• Root
• RSBCMON
• rwa
• sa
• security
• setup
• skyboxview
• SPOOLMAN
• storwatch
• super
• superadmin
• superuser
• supervisor
• support
• sysadm
• SYSDBA
• TANDBERG
• tech
• Test
• user
• User
• user-1
• User1
• volition
• vt100
• work
• WP

Enable brute force scanning Direct link to this section

The Risk Scanner performs brute force scanning checks for default, known, or common usernames and passwords for various services and devices.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, click Troubleshooting Settings.

   The Troubleshooting settings dialog appears.

3. Turn on the Brute force checks toggle.

4. Click Close.

   Your changes are automatically saved.

See Brute force scanning username checks for a non-exhaustive list of brute force scanning username checks.

Enable CGI scanning Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, click Troubleshooting Settings.

   The Troubleshooting settings dialog appears.

3. Turn on the CGI scanning toggle.

4. Click Close.

   Your changes are automatically saved.

Enable a scan schedule Direct link to this section

A scan schedule can be enabled individually.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
2. In the Scanning Schedule section, located the desired schedule, and then turn on the Scheduled Enabled toggle.

   Note: If the button appears dimmed, the scan is currently disabled.

Stop active and scheduled scans Direct link to this section

Active scans and scheduled scans can be stopped in bulk or individually.

Stop a scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, located the desired schedule, and then turn off the Scheduled Enabled toggle.

   Note: If the button appears dimmed, the scan is currently disabled.

   The Disable Scan Schedule dialog appears.

3. Click Stop Scan Schedule.

Stop all scan schedules Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, click Stop All Scan Schedules.

   The Stop All Scan Schedules dialog appears.

3. Click Stop All Scan Schedules to confirm.

Disable a scan Direct link to this section

Host Identification Scans and Vulnerability Scanning is required for normal operation, but if needed you can disable one or both of these types of scans.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
2. In the Scanner Configuration section, do one or both of the following:
   • To temporarily disable IVA scanning, turn on the Vulnerability Scanning toggle. No new scans will run until you turn on the toggle again.
   • To disable host identification scans, turn off the Host Identification Scans toggle.

Disable brute force scanning Direct link to this section

Brute force scanning can lead to active directory or standard account lockouts if you have devices on your network that use the default or known usernames. We recommend that you update the device username from the known or default values to both enhance your security posture and avoid account lockouts during scanning. If that is not possible, you can disable the brute force scanning checks.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, click Troubleshooting Settings.

   The Troubleshooting settings dialog appears.

3. Turn off the Brute force checks toggle.

4. Click Close.

   Your changes are automatically saved

Disable CGI scanning Direct link to this section

Webmin applications often use the Common Gateway Interface (CGI) language, so disabling these scans removes a lot of the Webmin checks that the Risk Scanner performs. CGI is a legacy feature for web-based Active Directory sign-in pages that consistently experienced false-positive account lockouts. Disabling the CGI scanning prevents the lockouts from Risk Scanner scans but does not mitigate the risk to the customer.

For example, if a typical Webmin page using CGI has a vulnerability, the CGI scanning presumably discovers this vulnerability. If the discovered vulnerability involves bad actors using known or default credentials to sign in to the system, there is a risk of account lockout. Disabling the CGI scanning can limit the negative customer impact of account lockouts while the customer performs any remediation steps that are required to address the vulnerability.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, click Troubleshooting Settings.

   The Troubleshooting settings dialog appears.

3. Turn off the CGI scanning toggle.

4. Click Close.

   Your changes are automatically saved

Delete a scan schedule Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanning Schedule section, locate the scan to delete, and then click Delete.

   The Delete Schedule dialog appears.

3. Click Delete Schedule.

Verify that an IVA re-scan is running Direct link to this section

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
2. Locate the IP address of the host that you want to confirm is being scanned.
3. Verify that the Status of the IP address is Running or Scheduled.

Verify scanner health Direct link to this section

On a monthly or quarterly basis, do the following to review IVA Scanner and Arctic Wolf Agent scanning health:

• Check IVA Scanner connectivity.
• Check the IVA Scanner rate.
• Check the Agent scanning health.

Check IVA Scanner connectivity Direct link to this section

Arctic Wolf alerts you if IVA Scanners go offline, but it is also good practice to verify that online IVA Scanners are working as expected and that assets are scanned in a timely fashion.

1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

2. In the Scanner Configuration section, for Scanner ID, click Details.

   The Scanner Select dialog appears.

3. In the Search field, click a scanner ID.

4. In the Scanner Configuration section, verify that the Connection Status is Connected and that the Scanning Status is Scanning.

   • If the Connection Status is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication.

     See Arctic Wolf Portal IP Addresses page for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

   • If the Scanning Status is Degraded — restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.

5. Repeat steps 2 to 4 for additional scanners as needed.

Check the IVA Scanner rate Direct link to this section

Make sure assets are scanned with an appropriate interval. In general, a scanner scans ~150-250 assets in an 8 hour period. This number changes based on the type of system and environment. For example, if several large subnets of assets are only given a weekly scan for an 8 hour scan window, it might take more than a month to complete a full cycle of scanning. If you have concern about your environment not being scanned in a timely manner, consult with your CST to review the scheduling.

To optimize scanning without increasing the scan window time, you can deploy additional physical scanners. This would allow you to scan multiple subnets in parallel. Adding resources to virtual scanners would not result in any meaningful increase in scan throughput because they would consume additional resources.

See Managed Risk Scanner FAQ for more information.

Check Agent scanning health Direct link to this section

Agent scans are set and managed by your CST, but you can view the results of Agent scans and identify assets that were scanned or missed.

1. In the Risk Dashboard navigation pane, click Agent.

2. In the Agent Scan Details section, enter a date that is prior to the scan date you want to verify, and then click Apply.

3. Click Get Data.

4. Review the Status of each scan, to identify if the scan was successful or not.

   See View Agent Scan Details for more information. If an asset with the Agent is not being scanned correctly or if assets are missing from the scan schedule, contact your CST at security@arcticwolf.com.

   Tip: You can copy the information from the Agent Scan Details section and paste it into a Microsoft Excel spreadsheet. The table structure is maintained for easier analysis.

5. (Optional) In the Scans Detail column, click Details, to view additional details for a scan.

Scanner Console page Direct link to this section

The Scanner Console page displays scanner information, connection status, and scanning status for each sensor ID.

Add scanner labels Direct link to this section

To easily identify your scanners, you can add scanner labels to each sensor ID.

1. In Scanner Console, under Label, click click to add label.
2. In Enter Sensor Name, enter a sensor description.
3. Click Submit.

Tools Direct link to this section

To access Arctic Wolf tools, in the Risk Dashboard navigation pane, click one of the following:

• Resources:

  • Documents — Opens the Arctic Wolf Documentation in a new browser tab.
  • Support — Opens the Contact Us page in a new browser tab.

• Downloads — Opens the Downloads page, where you can download virtual machine images.

• Analytics — Opens Arctic Wolf Analytics in a new browser tab, so you can view analytical data for your Managed Risk products, including Agent. See the Risk Analytics User Guide for more information.

  Note: If you receive an error similar to An error occurred when clicking this link, disable any ad blocker extensions and refresh the page.

FAQ Direct link to this section

These are some frequently asked questions about the Risk Dashboard.

Q: My Risk Dashboard is doing something weird, how can I fix it? Direct link to this section

A: Performing a hard page refresh usually corrects any unexpected behavior. The keyboard shortcuts for a hard refresh are:

• Windows — Press Shift + F5 to perform a hard page refresh.
• MacOS — Press Command + Shift + r to perform a hard page refresh.

Q: Why did the state of a risk change to "Unsuccessful Validation"? Direct link to this section

A: When you set the state of a risk to Fixed, Waiting Validation and a subsequent scan of that host still detects the same issue, the system moves the state of that issue to Unsuccessful Validation. This lets you know that your changes were not successful in mitigating a specific vulnerability.

Q: What does "The risk is confirmed resolved by the user" status reason mean? Direct link to this section

A: If the Status Reason value is The risk is confirmed resolved by the user, the risk became inactive and was no longer scanned after you changed the State value of the risk to Mitigated.

See Risk statuses for more information about inactive risks, and Risk states for more information about the Mitigated risk state.

Q: What does the "Degraded" scanner status mean? Direct link to this section

A: The Degraded Scanner Status means that a scan was not completed within a specific number of days. This usually occurs if the scanner is not upgraded to the latest version, or if a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is continually blocking traffic to or from the device.

Other Scanner Status values are Not Configured and Scanning.

See Scanner Configuration section for more information about these values.

Q: What should I do if a scanner has the "Degraded" status? Direct link to this section

A: When a scan runs, the scanner status automatically updates. If:

• The next scheduled scan window is in the future, then the scan schedule may not have activated. The scanner status automatically updates when the next scan runs. No user action is required.

• It is currently within the scan window, ensure that:

  • The scanner can reach all of the subnets that you want the scanner to scan.
  • The firewall and switch access-controls lists (ACLs) do not prevent scanners from reaching the subnets that you want scanned.
  • All of the required IP addresses and domain names are AllowListed. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If you are a Managed Risk (MR) customer.
  • The scanner virtual machine (VM) meets the minimum resource requirements. You may need to work with your CST to increase the system resources.
  • Host Identification Scans and Vulnerability Scanning are enabled under Config > Scanner Config.
  • If you are using credentialed scanning, proper credentials have been added under Credentialed Scanning, or that you've provided a proper private SSH key.

If your scanner is still marked as Degraded or if you have any questions, contact your CST.

Q: Why does the scan take longer than the designated time window in the scanning schedule? Direct link to this section

A: The time specified in the Scanning Schedule table for a scan is relative to the length of time that a scan actually takes. Also, the scanning window defines the start time for the scan. Some scans take up to two hours longer than their scheduled scanning window. Scan times are dependant on the following:

• The target type

• The target processor and bandwidth resource availability

• If the target is online

  The target will not be scanned during the scan window if it is not online.

Q: Which subnet ranges should I configure for scanning? Direct link to this section

A: We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue.

See Managed Risk Scanner FAQ for more information about subnet scan ranges.

Q: How is the rescan request placed in the queued? Direct link to this section

A: When a target host is selected for rescanning, the target host is placed at the top of the least recently scanned list, allowing it to be scanned next as capacity increases. Selecting Rescan does not immediately start a new scan.

See also Direct link to this section

Managed Risk Scanner FAQ