Risk Dashboard User Guide

Risk Dashboard

The Risk Dashboard is an interactive dashboard that lets you monitor and acknowledge risks within your network. It includes the following pages:

Overview: Provides an overview of your network, including risk score and asset health. See Overview for more information.
Management Plan: Displays all risks that a Managed Risk source identified in your network. See Management Plan for more information.
Risks: Displays all of the risks in your network and any of their associated plans. See Risks for more information.
Assets: Provides information about the assets in your network. See Assets for more information.
Agent: Displays risk and asset data discovered during Agent scans. See Agent for more information.
EVA: Displays risk data discovered during External Vulnerability Assessment (EVA) scans. See EVA for more information.
Config > Scanner Config: Allows you to configure your scan schedules. See Scanner Config for more information.
Scanner Console: Displays connection status and scanning status information for sensor IDs. See Scanner Console for more information.

The Risk Dashboard also includes a variety of tools, such as documentation and a downloads area where you can download virtual machine images.

See Tools for more information.

Supported browser

Accessing the Risk Dashboard

To access the Risk Dashboard:

  1. Go to https://risk.arcticwolf.com.
  2. Sign in using your access credentials.

Routine Risk Dashboard tasks

The following table describes tasks that you should complete within the Risk Dashboard on a semi-regular basis:

Review active risks: Weekly or monthly*
Review inactive risks: Weekly or monthly*
Review risks that failed validation: Weekly or monthly*
Review mitigated risks: Monthly or quarterly
Review assets: Monthly or quarterly
Verify scanner health: Monthly or quarterly
Edit asset classification values: Monthly or quarterly
Evaluate the risk score: Monthly or quarterly

*Varies depending on the frequency of scans and on how large or diverse the environment is. New and mitigated risks might be found frequently because Internal Vulnerability Assessment (IVA) scans can be configured to run continuously, and Agent scans are scheduled daily.

Overview

The Overview page of the Risk Dashboard provides an overview of your network, including risk score and asset health. The page includes the following sections:

Risk metrics

The following risk metrics are located on all Risk Dashboard pages except for the Scanner Console page:

Tips:

Risk score

Arctic Wolf calculates your risk score based on the Common Vulnerability Scoring System version 2 (CVSSv2). CVSSv2 provides an open framework for communicating the impact of network vulnerabilities. Specifically, the CVSSv2 score provides an objective metric that Arctic Wolf uses to prioritize vulnerabilities so that the highest-risk vulnerabilities are remediated first.

Tip: The National Institute of Standards and Technology (NIST) provides the National Vulnerability Database (NVD), which the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) that are updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.

Your risk score updates automatically when a change occurs, for example when a new risk is found in your network or when you change the Status of an existing risk.

Note: When an internal network scan no longer detects a vulnerability, the reports promptly clear the device of that vulnerability when one of the following occurs:

Target score

The Overview page also shows the trend of your risk score over time in comparison to others in your industry, and provides a target risk score for a low-risk network.

Risk is something that can never be completely eliminated, only reduced. To ensure resources are spent effectively, you should mitigate the highest risk vulnerabilities first and mitigate the lower risk vulnerabilities last.

The CVSSv2 specification includes a high-level categorization into three severities:

Industry studies show that high-severity CVEs are strongly correlated with both a short time to exploit and a high incidence of exploitation. Therefore, an effective mitigation and prioritization strategy addresses all high-severity CVEs with the highest possible urgency.

Network health

Your network health is based on your risk score and the number of vulnerabilities. A low-risk network is a healthier network.

Vulnerabilities

A vulnerability is an issue within the software, operating system, or service that is exploitable. Managed Risk scanners can identify, quantify, and prioritize or rank the vulnerabilities in a system.

A zero-day vulnerability is a vulnerability that bad actors or third parties exploit before the vendor has a solution to the problem.

To view Risk Score Trends:

  1. In the Risk Dashboard navigation pane, click Overview.

  2. (Optional) In the Risk Score Trends section, change the risk timeline:

    • Click the Monthly icon to view the data on a monthly timeline.
    • Click the Daily icon to view the data on a daily timeline.
  3. (Optional) Change the chart format:

    • Click the Bar icon to view the data as a bar chart.
    • Click the Line icon to view the data as a line chart.

    Tip: Click the Restore icon to restore the chart to the default settings.

  4. (Optional) Hover over the chart to see the numerical value of your risk score, industry risk score, and target.

Evaluating the Current Risk Score

The Current Risk Score is an overall risk score that represents the entire environment of risk in your network. It includes external, internal, host, and cloud risks. On a monthly or quarterly basis, evaluate your risk score, and recognize the risk types that impact your risk score the most. Risks with a high vulnerability score affect your Current Risk Score more than risks with a low vulnerability score. This means that addressing risks that have a low vulnerability score may not appear to affect the risk score.

To evaluate your Current Risk Score:

  1. In the Risk Dashboard navigation pane, click to open any page except Scanner Console.

  2. For the Current Risk Score, located in the upper-left, click the Information icon.

    The Risk Score screen appears.

  3. Review each risk score Category to see the overall score of that particular type of risk, and take note of the Category names. The highest scoring Category should match the overall published risk. Review Severities with a High rating because they have the highest impact on the risk score.

  4. In the navigation pane, click Risks.

  5. In the Filters section, enter a Category name in the Search field to review the risks for that category.

    Tip: The search is a full-text search, so it might also find risks from a different Category that have the search words in their description. You can export the list as a CSV file to view the Category of each risk.

See Quantifying Cyber Risk: Calculating the Arctic Wolf Managed Risk Score for more information about the risk score algorithm.

To download Risk Score Trends data:

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Risk Score Trends section, click the CSV download icon.

    A CSV file downloads to your device.

Downloading Asset Class Health

To download Asset Class Health data:

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Asset Class Health section, click the CSV download icon.

    A CSV file downloads to your device.

Downloading Asset Health

To download Asset Health data:

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Asset Health section, click the CSV download icon.

    A CSV file downloads to your device.

Downloading an Executive Summary

The Executive Summary PDF report includes all of your scan summary data and details about any risks with a score of 9 or higher.

To download your Executive Summary:

  1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

  2. Click the Executive Summary download icon.

    The Executive Summary dialog appears.

  3. (Optional) Enter a name in the Prepared For text box.

  4. Select the checkboxes of the items that you want to include in the Executive Summary report:

    Note: If you refresh the page, or navigate elsewhere, your selections reset.

    • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
    • Risk Severity Summary — A summary of your risks categorized by severity.
    • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
    • Identified Risks — A list of the active risks in your network.
    • Risk Score Trends — Your risk score history as it appears on the Overview page.
    • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
    • Network Risk Overview — A heatmap of your asset health.
    • Accepted Risks — A list of the risks that you have acknowledged.
  5. Click Download PDF.

    The PDF file downloads to your device.

Downloading a Risk Assessment

The Risk Assessment PDF report includes all of the summary data plus details on all risks with a score of 5 or higher.

To download your Risk Assessment:

  1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

  2. Click the Risk Assessment download icon.

    The Risk Assessment dialog appears.

  3. (Optional) Enter a name in the Prepared For text box.

  4. Select the checkboxes of the items that you want to include in the Risk Assessment report:

    Note: If you refresh the page, or navigate elsewhere, your selections reset.

    • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
    • Risk Severity Summary — A summary of your risks categorized by severity.
    • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
    • Identified Risks — A list of the active risks in your network.
    • Risk Score Trends — Your risk score history as it appears on the Overview page.
    • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
    • Network Risk Overview — A heatmap of your asset health.
    • Accepted Risks — A list of the risks that you have acknowledged.
  5. Click Download PDF.

    The PDF file downloads to your device.

Management Plan

The Management Plan page shows all of the risks in your network and any of their associated plans. On this page, you can create plans, and see risks that are not currently assigned to plans. The page includes the following sections:

Plan

The Plan section is located on the Management Plan page. It allows you to view, create, and close plans.

A plan is a collection of risks that match certain criteria as defined in system rules. Information is displayed in a format similar to a Gantt chart. A timeline shows the estimated completion date for each plan, and colour is used to indicate the following:

See Viewing a plan, Creating a plan, and Closing a plan for more information.

Viewing a plan

To view plans:

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. (Optional) Use Plan filters to narrow the list of plans that appear on the page.

    See Plan filters for more information.

  3. (Optional) In the Plan table, click + beside the name of the plan that you want to view, to view plan details.

    The row expands to display the risks contained in the plan and the associated timeline for each.

Plan filters

You can use the following filters to refine the items that appear in the Plan chart:

Users: Select a user to see the plans that are associated with that user.
Risk Score: Use these filters to view the plans that include risks with risk scores within the value range that you specify.
Risk State: Select a state to view the plans that include risks in that state. See Risk states for more information.
Created Before: Select a calendar date to view all of the plans that were created before that date.

Click Clear All at any time to remove all filters.

Changing the timeline scale for plans

The Plan timeline displays the estimated completion date for each plan. You can adjust the timeline scale to be weekly, monthly, or quarterly. Custom timeline scales are not supported.

To change the timeline scale for plans:

  1. In the Risk Dashboard navigation pane, click Management Plan.
  2. In the Plan section, choose the Week, Month, or Quarter option.

Viewing unassigned risks

Unassigned risks are risks that are not currently assigned to a plan.

To view unassigned risks:

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Scroll down to the Unassigned Risks table.

    See Risks for more information about the table columns.

Creating a plan

To create a plan:

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Click Create Plan.

    The Create Plan dialog appears.

  3. Enter a title and description for the plan.

  4. (Optional) Select a Severity value from the dropdown list to create a plan that only includes risks of that severity.

    Tip: Risk severity is based on risk score.

  5. Click Create Plan.

  6. Add risks to your new plan.

    See Assign a single risk to a plan and Assign multiple risks to a plan for more information.

Assigning a single risk to a plan

To assign a single risk to a plan:

  1. In the Risk Dashboard navigation pane, click Risks.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters for more information.

  3. In the Risks table, click the required risk.

  4. In the information panel, scroll down to Plan, and then select the required plan title from the list.

    Your changes are automatically saved.

Assigning multiple risks to a plan

To assign multiple risks to a plan:

  1. In the Risk Dashboard navigation pane, click Risks.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters for more information.

  3. In the Risks table, select the checkbox next to each risk you want to update.

  4. Click Update Selected.

    The Bulk Update dialog appears.

  5. Select the required plan title from the Plan list.

Moving a risk between plans

To change the plan that a risk belongs to:

Closing a plan

Note: We recommend mitigating all risks in a plan before closing it. If any risks are not mitigated, the plan reopens when those risks are rediscovered during the next scan.

To close a plan:

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Click Close Plan.

    The Close Plan dialog appears.

  3. Select a plan from the list that you would like to close.

  4. Click Close Plan.

Downloading the Unassigned Risks table data

To download the Unassigned Risks table data:

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters for more information.

  3. In the Unassigned Risks section, click Download CSV.

    A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

    Note: Download times vary depending on the size of the CSV file, which depends on the number of CVEs and remediations for each risk.

Risks

The Risks page lists all risks that a Managed Risk source identified in the network, sorted by risk score. The page includes the following sections:

Risks and Unassigned Risks

The Risks section is located on the Risks page. It includes a table with details about each risk that was identified in the network. The Unassigned Risks section is located on the Management Plan page. It includes a table with risks that are not currently assigned to a plan. Both tables have the same columns.

You can change how the information displays in the tables:

Both tables have the following columns:

Source: The source that discovered the risk, such as a scan or Arctic Wolf Agent.
Host: The host where the risk was discovered.
Issue: The risk title or issue name.
Risk Score: The risk rating. The higher the risk score, the more severe the risk.
Asset Criticality: The criticality value of the asset where the risk was discovered. See Editing Asset Criticality for more information.
Action: The action that is required to mitigate the risk.
State: The state of the risk, which is one of:
  • Open
  • False Positive
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Fixed, Waiting Validation
  • Accepted
  • Unsuccessful Validation
  • Mitigated
  See Risk states for more information.
Status: The status of the risk, which is one of:
  • Active
  • Inactive
  • Obsolete
  • Mitigated
  See Risk statuses for more information.
Resolution Date: The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Age: The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved.
Days to Resolution: The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Asset Tags: The tags that apply to the asset where the vulnerability was discovered.

Filters

A Filters section is located on the Management Plan and Risks pages. You can use the following filters to refine the items that appear in the Unassigned Risks or Risks tables:

Risk Score: Use these options to narrow the risk table based on severity:
  • Select Low, Medium, High, or Critical to view only the vulnerabilities with corresponding risk scores.
  • Use the numerical filters to see the vulnerabilities that have risk scores within the value range that you specify.
Users: Select a username to see the risks that are assigned to that user. You can select multiple usernames.
Resolved Date Range: Enter a date range to view the risks that were resolved within that time period.
  Tip: Also apply these filters to isolate resolved risks:
  • False Positive
  • Accepted
  • Mitigated
State: Select a state to view the risks that are currently in that state. You can select multiple states. See Risk states for more information.
Status: Select a status to view the risks that currently have that status. You can select more than one status. See Risk statuses for more information.
  Tip: To view mitigated risks, set the Status filter to Mitigated. To view obsolete risks, set the Status filter to Obsolete. You can also select a metric value to apply the filters that make up that metric.
Search: Enter a search term to automatically filter entries in the Risks table. Filter results are based on search term matches in any column.
Source: Select or deselect these options to show or hide the risks that these scan types identified:
  • IVA — Show or hide the risks that an IVA scan discovered.
  • EVA — Show or hide the risks that an External Vulnerability Assessment (EVA) scan discovered, based on scan group configuration.
  • Agent — Show or hide the risks that an Agent scan discovered.
Asset Tags: Select one or more of these options to show the discovered assets with the selected tags. See Editing asset tags for more information.
Asset Criticality: Select a criticality value to show risks that were discovered on assets with the selected criticality. See Editing Asset Criticality for more information.
Discovery Date Range: Enter a date range to view the risks that were discovered within that time period.

Click Clear Filters at any time to remove all filters.

Default Risk filters

By default, the Risks page loads with the following filters applied:

Tip: Click a different page in the Risk Dashboard, and then return to the Risks page, to reset the Risk filters to the default values.

Risk Score: 4 to 10
State:
  • Open
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Unsuccessful Validation
Status:
  • Active
  • Inactive

See Filters for more information.

Risk states

All detected risks within your network have a State value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. You can manually change the State of a risk. Changing this value does not affect whether the Risk Scanner detects, or is capable of detecting, any risk on the host machine. If you do not make changes, the default state of a risk is Open.

Notes:

The risk State values that you can select, and when to select each, are:

Open: You are not currently taking any actions for this risk.
False Positive: You mitigated a risk in a way that the Risk Scanner does not account for.
Acknowledged, In-Planning: You plan to address the risk through direct resolution, or by taking recommended or other mitigation steps.
Mitigation/Fix in Progress: You are addressing the risk through mitigation actions.
Fixed, Waiting Validation: You believe the risk is mitigated.
  Note: The next scan validates whether the vulnerability still exists. If the vulnerability:
  • Still exists — The state changes to Unsuccessful Validation.
  • Was not detected — The state does not change. The status changes to Mitigated.
Accepted: You choose to accept the risk. See Accepting a vulnerability for more information.
Mitigated: You successfully mitigated the risk.
  Note: This option is only available if the status of the risk is Inactive.

Risk statuses

All detected risks within your network have a Status value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. This value is assigned automatically.

Active: A risk that a recent IVA scan identified on a device that is currently online.
Inactive: A risk that a recent IVA scan identified on a device that is either:
  • Currently offline.
  • Not identified in the most recent scan, but still in an actionable state.
  The reason that the risk is marked as inactive is displayed under the Status Reason field in the risk details.
  Note: If a device that is subject to IVA scanning goes offline, we cannot confirm whether the risk is mitigated, and the risk is marked Inactive. This is usually due to a network connectivity issue.
Obsolete: A risk that has not appeared in vulnerability scanning results for a set number of days: 45 days for risks that Agent discovered, and 90 days for risks that EVA or IVA scanning discovered. Risks that are marked as Obsolete are removed from the Risks table after seven days.
Mitigated: A risk that was mitigated.
  Note: Risks can have a Status of Mitigated but retain a State of Fixed, Waiting Validation.
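The State and Status rules from the Risk states and Risk statuses sections, worked through as a small model. This is an added example, not Arctic Wolf code: the transitions are the ones the guide states, while the Risk class, its field names, and the scan-event shape (scan date, host online, detected) are assumptions made for illustration.

```python
"""Model of the risk State/Status lifecycle that the Risk states and Risk statuses
sections describe. Added example, not Arctic Wolf code: the transition rules are the
ones the guide states; the class, field names and scan-event shape are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Days without a detection before the Status becomes Obsolete, keyed by Source value
# (45 for Agent, 90 for EVA/IVA), and days an Obsolete risk stays in the Risks table.
OBSOLETE_AFTER = {"agent": 45, "external": 90, "scanner": 90}
OBSOLETE_RETENTION_DAYS = 7
# States for which Resolution Date and Days to Resolution are not N/A.
RESOLVED_STATES = {"Mitigated", "False Positive", "Accepted"}


@dataclass
class Risk:
    issue_id: str
    source: str                  # "scanner" (IVA), "external" (EVA) or "agent"
    first_detected: date
    last_detected: date
    state: str = "Open"          # manual field; the default is Open
    status: str = "Active"       # assigned automatically
    resolution_date: Optional[date] = None

    def set_state(self, new_state: str, today: date) -> None:
        """Manual State change. Mitigated is only offered while the Status is Inactive."""
        if new_state == "Mitigated" and self.status != "Inactive":
            raise ValueError("Mitigated can only be selected when the Status is Inactive")
        self.state = new_state
        self.resolution_date = today if new_state in RESOLVED_STATES else None

    def apply_scan(self, scan_date: date, host_online: bool, detected: bool) -> None:
        """Automatic Status update after the next scan of this risk's host."""
        if not host_online:
            self.status = "Inactive"           # mitigation cannot be confirmed offline
            return
        if detected:
            self.last_detected = scan_date
            self.status = "Active"
            if self.state == "Fixed, Waiting Validation":
                self.state = "Unsuccessful Validation"
        elif self.state == "Fixed, Waiting Validation":
            self.status = "Mitigated"          # State is kept, Status becomes Mitigated
        else:
            self.status = "Inactive"           # not seen, but still actionable

    def age_out(self, today: date) -> bool:
        """Mark the risk Obsolete after the per-source quiet period. Returns True once it
        should have dropped out of the Risks table (seven days after becoming Obsolete)."""
        quiet_days = (today - self.last_detected).days
        limit = OBSOLETE_AFTER[self.source]
        if self.status in ("Active", "Inactive") and quiet_days >= limit:
            self.status = "Obsolete"
        return self.status == "Obsolete" and quiet_days >= limit + OBSOLETE_RETENTION_DAYS

    def counts_toward_score(self) -> bool:
        """Active and Inactive risks count toward the risk score; Obsolete and Mitigated do not."""
        return self.status in ("Active", "Inactive")

    def days_to_resolution(self) -> Optional[int]:
        """None stands for the dashboard's N/A."""
        if self.resolution_date is None:
            return None
        return (self.resolution_date - self.first_detected).days


def validation_walkthrough() -> List[Tuple[str, str]]:
    """Constructed scenario: a fix fails validation once, then succeeds."""
    r = Risk("ISSUE-1", "scanner", date(2024, 1, 1), date(2024, 1, 1))
    trail = [(r.state, r.status)]
    r.set_state("Fixed, Waiting Validation", date(2024, 1, 5))
    r.apply_scan(date(2024, 1, 6), host_online=True, detected=True)
    trail.append((r.state, r.status))      # still detected: Unsuccessful Validation
    r.set_state("Fixed, Waiting Validation", date(2024, 1, 8))
    r.apply_scan(date(2024, 1, 9), host_online=True, detected=False)
    trail.append((r.state, r.status))      # not detected: Status Mitigated, State kept
    return trail


def obsolescence_walkthrough() -> List[Tuple[int, str, bool]]:
    """Constructed scenario: an Agent risk that stops appearing in scan results."""
    r = Risk("ISSUE-2", "agent", date(2024, 1, 1), date(2024, 1, 1))
    out = []
    for quiet in (44, 45, 52):
        removed = r.age_out(date(2024, 1, 1) + timedelta(days=quiet))
        out.append((quiet, r.status, removed))
    return out


def offline_mitigation_walkthrough() -> Tuple[str, str, bool, Optional[int]]:
    """Constructed scenario: the host goes offline, then the risk is marked Mitigated by hand."""
    r = Risk("ISSUE-3", "scanner", date(2024, 1, 1), date(2024, 1, 1))
    r.apply_scan(date(2024, 1, 3), host_online=False, detected=False)
    r.set_state("Mitigated", date(2024, 1, 4))
    return r.state, r.status, r.counts_toward_score(), r.days_to_resolution()
```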

Risk information pane

When you select a risk in the Risks table, an information pane opens for that risk. You can change some fields in the information pane. Changes are reflected immediately.

Note: If a field is irrelevant to the source that discovered the risk, or if the field has no value, it is set to N/A.

The risk information pane has the following fields:

Resolution Date: The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Age: The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved.
Days to Resolution: The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Action: The action that is required to mitigate the risk.
Risk Score: The risk rating. The higher the risk score, the more severe the risk.
Issue Description: A description of the risk.
Additional Details: Click the Details icon to view additional information that the scanner has identified about the risk.
Remediation: The recommended actions to mitigate this risk.
First Detected: The date and time when this risk was first seen.
Most Recent Detected: The date and time when this risk was last seen.
Status: The status of the risk. See Risk statuses for more information.
State: The state of the risk. Select an option to change the state of the risk. See Risk states for more information.
Assigned To: The email of the user who is assigned to manage the risk. Select an option to change the assignment.
Due Date: The date by which this risk should enter the Fixed, Waiting Validation state. Select the date by which remediation actions should be completed.
Plan: The plan that this risk is assigned to. Select an option to change the assignment.
Host: The hostname of the host on which the Agent or scanner identified the risk.
Source: The source that discovered the risk. Possible values include:
  • external — This indicates an EVA scan.
  • scanner — This indicates an IVA scan.
  • agent — This indicates an Agent scan.
Issue Category: The category of the issue. Possible values include:
  • Hardware
  • Configuration
  • SMB
  • Dictionary
  • Patch Exploits
  • Data Leak
  • Webcrawler
CVEs: Any known CVEs that this risk is part of.
References: A link to documentation that outlines the steps recommended in Remediation.
Last Updated By: The user who last updated the fields in this information pane for this risk.
Comments: Any current comments about this risk that other users have left. Click the Comments icon to open the Comments dialog, where you can leave your own comments.
Asset ID: The ID of the asset that has the vulnerability.
Issue ID: The unique identifier of the risk.
Scanner ID: The ID of the scanner that performed the IVA scan, if applicable.
Deployment ID: If this risk was identified during:
  • An IVA scan — This field displays the deployment ID of the scanner.
  • An EVA scan — This field displays the deployment ID of the target risk.
  • An Agent scan — This field displays the organization ID.
Host Annotations: Any host alias or annotations that were discovered during EVA scanning, if applicable.
Status Reason: An explanation of the risk status that results from IVA scanning, if applicable.
Issue Impact: The potential impact to the organization if a bad actor exploits this vulnerability. Possible values include:
  • Data Theft — A bad actor can read and potentially modify unauthorized data that is stored on this host.
  • Denial of Service — A bad actor can intentionally disrupt one or more key services running on this host. Depending on the criticality of the service, this may disrupt daily employee tasks.
  • Session Hijack — A bad actor can take control of an open browser session. For example, an online banking session or Microsoft 365 session.
  • Account Theft — A bad actor can take over the account of a user or administrator. This lets the bad actor access any authorized service or data normally available to the compromised account. For example, reading or writing to a database or file storage to steal or modify data, stopping critical services, or, if this is an administrator account, installing malware such as backdoors, key loggers, or rootkits that compromise the host entirely.
  • Insecure Obsolete Software — The software is no longer supported and does not receive any security patches. Therefore the software likely contains many open and unidentified security vulnerabilities that a bad actor could easily take advantage of.
  • Active Breach Indicator — There are indicators that this host was or is currently breached. Immediate investigation should occur to determine if any mitigation steps are required.
  • Host Breach — This host is vulnerable to a bad actor taking over this host entirely, stealing or modifying data, denying services, or installing malware such as backdoors, key loggers, or rootkits.
  • Company Reputation — A bad actor can use open services on this host to attack other internet-connected devices. For example, a bad actor could use a misconfigured network time protocol (NTP) server for a reflection distributed denial-of-service (DDoS) attack, or use an open email relay server to send spam. This could result in your resources being publicly blocked or otherwise negatively affect the reputation of your organization.

To initiate a new scan, click Rescan. This only works for IVA and Agent risks.

Rescanning risks

You can rescan an individual risk or rescan multiple risks at the same time.

To rescan risks:

  1. In the Risk Dashboard navigation pane, click Risks.
  2. In the Risks table, select the checkbox of each risk to rescan.
  3. Click Rescan to add the risk to the scan queue.
  4. Click Rescan to confirm.

    Note: The Rescan button appears dimmed if you select a risk with EVA as the Source, because rescans are currently unavailable for EVA.

Rescanning IVA assets

You can rescan IVA assets to view internal network risks. This procedure is commonly used to verify that a risk is mitigated.

To rescan IVA assets:

  1. In the Risk Dashboard navigation pane, click Risks.

  2. Go to https://risk.arcticwolf.com/risks?assetID=<asset_ID>, where <asset_ID> is the asset ID.

    Tip: You can obtain the asset ID from the Risk information pane.

  3. In the Filters section, clear the EVA and Agent checkboxes.

  4. In the Risks table, select the checkbox of each risk with a State of Mitigated that you want to rescan.

  5. Click Update Selected.

    The Bulk Update dialog box appears.

  6. In the State list, select Fixed, Waiting Validation.

    This setting allows you to see the State change to Unsuccessful Validation if the risk is still detected, or the Status change to Mitigated if the risk was successfully fixed.

  7. Click Update.

  8. Clear the checkbox of each risk that you do not want to rescan.

  9. Click Rescan.

    The Rescan Risks dialog box appears.

  10. Click Rescan.

    Reviewing active risks Direct link to this section

    On a weekly or monthly basis, review active risks.

    To view risks that have been discovered in the environment since the previous review:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Active filter.

      • Discovery Date Range — Enter a date range as appropriate to view the newly discovered active risks.

      The Risks section displays active risks that occur within the specified date range.

    See Risk Statuses for more information.

    Reviewing inactive risks

    On a weekly or monthly basis, review and update inactive risks. Inactive risks are included in default views and reports, and they count toward your risk score. Reviewing inactive risks helps to maintain an accurate risk score.

    See Risk Statuses for more information.

    To review inactive risks:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Inactive filter.

    3. Review the inactive risks, and then do one of the following:

      • Change the State of all Inactive risks.

        See Changing the State of Inactive risks for more information.

      • Manually review an individual Inactive risk, and then update it with the appropriate State.

        See Changing the State of Inactive risks for more information.

      • Do nothing. 90 days after the risk was last detected, the Status automatically changes to Obsolete if the device is offline, or to Mitigated if the device is still scanned but the risk is no longer detected. Obsolete and Mitigated risks are removed from the default view (which only includes Active and Inactive risks) and from the risk score calculation.

    Reviewing mitigated risks

    On a monthly or quarterly basis, review mitigated risks to verify that the risks were resolved as expected.

    To review Mitigated risks:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. Change the State of Inactive risks that are fixed to Mitigated.

      See Changing the State of Inactive risks that are fixed to Mitigated for instructions.

    3. (Optional) Verify that a Mitigated risk is resolved.

      See Verifying that a Mitigated risk is resolved for instructions.

    See Risk States for more information.

    Changing the State of Inactive risks that are fixed to Mitigated

    Note: Before you start this procedure, review mitigated risks. See Reviewing mitigated risks.

    To change the State of Inactive risks that are fixed to Mitigated:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Inactive filter.

    3. In the Risks section, review the risks. These are risks that were not detected in the last scan, or that are related to offline assets. If you expect any of these risks to be fixed, change the State to Mitigated.

      See Reviewing inactive risks for more information.

    4. In the Filters section, set the following filters:

      • Status — Add Mitigated and Obsolete and remove Inactive.
      • Resolved Date Range — Enter a date range as appropriate to view mitigated risks that occurred after fixes or patches were installed.
    5. In the Risks section, review the risks you updated earlier. Verify that mitigation occurred as expected.

      Tip: View the Status of the risk to determine if it is resolved. The State is user-assigned, so it retains the value it had prior to being confirmed as mitigated (including Unsuccessful Validation).

    6. (Optional) Verify that the mitigated risk is resolved.

      See Verifying that a Mitigated risk is resolved for more information.

    Verifying that a Mitigated risk is resolved

    After you change the State of an inactive IVA risk to Mitigated, you can rescan the asset to confirm that the risk is resolved.

    Tip: This asset rescan applies only to IVA risks, not to Agent or EVA risks. For Agent risks, use a vulnerability debug scan instead. See Interpreting Arctic Wolf Agent Vulnerability Debug Scans.

    To verify that a Mitigated risk is resolved:

    1. Change the State of Inactive risks that are fixed to Mitigated.

      See Changing the State of Inactive risks that are fixed to Mitigated for more information.

    2. In the Risks section, verify that the Source and State columns are visible. If required, click Columns, and then select the Source and State checkboxes to view these columns.

    3. In the Source column, click an IVA risk.

    4. In the details panel, change the State to Fixed, Waiting Validation.

    5. Take note of the Scanner ID and Host values.

    6. Scroll to the bottom of the panel, and then click Rescan.

      The Rescan Options dialog appears.

    7. Select the Scan Now option.

    8. Click Save.

      The asset scan begins. A full suite of tests is performed, including risk validation. Depending on the type of asset, this can take between 15 minutes and 1.5 hours.

    9. In the navigation pane, click Config > Scanner Config.

    10. In the Scanner Configuration section, for Scanner ID, click the magnifying glass icon.

      The Scanner Select dialog appears.

    11. In the Search field, enter the Scanner ID value, and then click the matching ID in the table.

    12. In the Scanning Queue section, complete one of the following:

      • Click the Status column heading to sort the scan queue by status and view the risks with a Status of Running at the top.
      • In the Search field, enter the Host value.

      Tip: It can take several minutes for the scan to display active scanning data in the queue. If an asset is not scanned, wait several minutes and then refresh your browser.

    Reviewing risks that failed validation

    On a weekly or monthly basis, review risks that failed validation. A failed validation means that a fix you recorded did not take effect, so the vulnerability is still present on the asset and still exploitable.

    Risks that had a State of Fixed, Waiting Validation and later failed validation, now have a State of Unsuccessful Validation. Take, for example, a device that was offline for a period of time. The risk State was manually updated to Fixed, Waiting Validation because it was Inactive. When that device is online again, the risk is found again, so the State changes to Unsuccessful Validation.

    See Risk States for more information.

    To review risks that failed validation:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the Unsuccessful Validation filter.
      • Status — Add the following filters:
        • Active
        • Inactive
    3. In the Risks section, review the risks that failed validation. These are risks that previously had a State of Fixed, Waiting Validation but were rescanned and the risk is still being found. If you believe that the risk is resolved, complete the following to find more information about why the risk is still being found:

      • In the Risks section, click a risk you believe is resolved. Scroll to Additional Details, and then click Details. For IVA and EVA risks, this often provides additional details about what was found and why it was flagged as a risk.

      • For Agent risks, complete a vulnerabilities debug scan. This provides details about what exactly was found on the asset to trigger the vulnerability.

        See Interpreting Arctic Wolf Agent Vulnerability Debug Scans for more information.

      If you still cannot determine why the risk is being found, contact your Concierge Security® Team (CST) at security@arcticwolf.com and request assistance with the investigation.

    Viewing risks based on an assigned due date

    You can view risks based on the assigned due date. This is useful if you want to see unmitigated risks with past due dates.

    Note: This replicates the functionality of the deprecated Past Due filter.

    To view risks based on an assigned due date:

    See Unix Time Stamp - Epoch Converter to convert a date to a 10-digit Unix timestamp format.

    Interpreting Arctic Wolf Agent Vulnerability Debug Scans

    Arctic Wolf Agent Vulnerability Debug Scans produce a detailed HTML debug report that describes how a vulnerability was detected on a device. It includes the file or registry settings, and the logic that triggered the risk. Use this procedure to help you interpret the HTML debug report. You can also send your HTML debug reports to your CST for analysis.

    To interpret Arctic Wolf Agent Vulnerability Debug Scans:

    1. Create an HTML debug report.

      See Performing Arctic Wolf Agent Vulnerability Debug Scans for instructions.

    2. Open the HTML debug report in a browser.

      Tip: It may take some time to completely load the report. When the pie chart at the top of the page is fully rendered, the loading is complete.

    3. In the Rule Results Summary section, click the FAIL filter to view only the failed tests.

    4. Click the applicable vulnerability to see additional details.

    5. Review the Result Component Logic. Look for logic conditions that are green (true). This indicates that the conditions matched the logic Arctic Wolf uses to determine if a vulnerability exists.

      Result Component Logic

    6. Click OVAL TEST to view additional details. The file value or registry value and logic displays.

      OVAL TEST details

    7. If the vulnerability is for a File State, click show untested values.

      Information displays about the file that triggered the vulnerability detection.

      File state information

    Changing the State of Inactive risks

    Note: Before you start this procedure, review inactive risks. See Reviewing inactive risks.

    To change the State of Inactive risks:

    1. In the Risks section, do one of the following:

      • To select a single inactive risk, select the checkbox next to the risk you want to update.

      • To select all inactive risks:

        1. Select All from the Show Entries list.

        2. Select the checkbox at the top of the table.

          All risks are selected.

    2. Click Update Selected.

      The Bulk Update dialog appears.

    3. Select one of the following from the State list:

      • Mitigated — Changes the Status to Mitigated for all selected risks, immediately removes the risks from the default view (which only includes Active and Inactive risks), and removes the risks from the risk score calculation. If any of these risks are discovered again, the risk reappears on the list with a State of Open, Status of Active, and Age reflecting the date that the risk was first discovered.

        Tip: If the majority of the assets in your environment are online most of the time, it is a common approach to change the State to Mitigated. This is a reasonable choice because a State of Inactive typically indicates that the risk has been mitigated.

      • Fixed, Waiting Validation — Maintains the Status of Inactive for all selected risks, and all risks remain in the risk score calculation. If any of these risks are not detected the next time the asset is scanned, the risk Status changes to Mitigated, and the risk is removed from the default view (which only includes Active and Inactive risks) and risk score calculation.

        Tip: If you have a dynamic environment, a State of Inactive could mean that the asset is offline and the risk can be verified when it is back online. In this situation, a State of Fixed, Waiting Validation may make more sense.

    4. Click Update.

    Editing risks

    You can edit one or more risks at the same time. For example, you can assign a due date, or change the risk State of more than one risk at the same time.

    Notes:

    To edit risks:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Risks table, select the row for every risk that you want to edit as part of a group. You can review more pages and continue making your selections.

      Tip: The number of risks currently selected is displayed, along with options to update or clear your selections.

    3. Click Update Selected.

      The Bulk Update dialog appears.

    4. Edit one or more of the following fields:

      • State
      • Assign To
      • Plan
      • Due Date
    5. Click Update.

    6. (Optional) Click Clear All Selected to clear all selected risks.

    Accepting a vulnerability

    You can choose to accept an identified risk rather than fixing or mitigating the vulnerability. Changing the State of a risk to Accepted removes that risk from the Risk Score calculation. The risk remains in the Risks table for as long as it is detected on the network.

    We recommend that you mitigate or fix risks to improve your security posture, instead of accepting them. Accepting a risk does not remove the vulnerability; an attacker can still exploit it.

    If the risk is a false positive, you should apply the False Positive state to the risk, which then removes the risk from the Risk Score calculation.

    Note: The Risk Score is not updated immediately when a risk is marked as Accepted or as False Positive. It takes about an hour for the system to process and display the changes.

    To accept a vulnerability risk:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Risks table, click the risk that you want to update.

      The information pane opens.

      Tip: Use the search field to narrow the results.

    3. In the information pane, select Accepted from the State dropdown list.

    4. Click anywhere outside of the information pane to close it.

      Your changes are automatically saved.

    Assigning a user and a due date to a risk

    To track the resolution of a risk, you can assign risks to specific users within your organization and assign a due date.

    Tip: This task is optional.

    To assign a user and a due date to a risk:

    1. In the Risk Dashboard navigation pane, do one of the following:

      • To view the Risks table, click Risks.
      • To view the Unassigned Risks table, click Management Plan.
    2. In the Risks or Unassigned Risks table, click the risk you want to assign a user and due date to.

      The information pane opens.

    3. (Optional) In the information pane, select an email address from the Assigned To dropdown list.

      Tip: To remove user and due date assignments, select the blank field from the Assigned to menu.

    4. (Optional) In the information pane, click the Due Date field, and then select a date on the calendar by which the risk should enter the Fixed, Waiting Validation state. This date must be at least one day in the future. The present day is highlighted in blue.

      The Due Date field populates with a date based on the selection, following the format MM/DD/YYYY, such as 02/20/2020.

    5. Click anywhere outside of the information panel to close the panel.

      Your changes are automatically saved.

    Unassigning a user and a due date from a risk

    To clear an assignment, select the blank entry in the Assigned To list; this also clears the due date. Alternatively, reassign the risk to another email address from the list.

    To unassign a user and a due date from a risk:

    1. In the Risk Dashboard navigation pane, do one of the following:

      • Click Risks to view the Risks table.
      • Click Management Plan to view the Unassigned Risks table.
    2. In the Risks or Unassigned Risks table, click the risk you want to unassign a user and due date from.

      The information pane opens.

    3. (Optional) In the information pane, select the blank field from the Assigned to menu.

    4. Click anywhere outside of the information panel to close the panel.

      Your changes are automatically saved.

    Downloading a remediation report

    You can download a remediation report that includes:

    To download a remediation report:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. (Optional) Use Filters to narrow the list of risks that appear on the page.

      See Filters for more information.

    3. In the Risks section, click Remediation Export.

      A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

      Notes:

      • Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
      • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.

    Downloading Risks table data

    To download risks table data:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. (Optional) Use Filters to narrow the list of risks that appear on the page.

      See Filters for more information.

    3. In the Risks section, click Download CSV.

      A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

      Notes:

      • Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
      • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.
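    The two exports above, and the due-date review described under Viewing risks based on an assigned due date, are usually worked through in a spreadsheet. The following script is an added example, not part of the Risk Dashboard or its documentation: it triages an exported risks CSV offline, listing unmitigated risks whose due date has passed, risks with no Remediation Steps (the ones to raise with your CST), and a count per State and Status, and it converts a review date to the 10-digit Unix timestamp the due-date filter expects. The column names (Host, Source, State, Status, Assigned To, Due Date, Remediation Steps), the MM/DD/YYYY due-date format, and the use of UTC midnight for the timestamp are assumptions; the sample rows are constructed.

```python
"""Triage an exported Risks CSV from the Risk Dashboard.

Added example. The dashboard does not document the CSV header, so the
column names below (State, Status, Assigned To, Due Date, Remediation
Steps) are assumptions taken from the fields the guide describes.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime, timezone

# Constructed sample export; hosts, people and values are made up.
SAMPLE_CSV = """\
Host,Source,State,Status,Assigned To,Due Date,Remediation Steps
10.0.0.5,IVA,Open,Active,alice@example.com,01/15/2024,Apply the vendor patch
10.0.0.7,Agent,"Fixed, Waiting Validation",Inactive,bob@example.com,02/01/2024,
10.0.0.9,EVA,Mitigation/Fix in Progress,Active,,04/30/2024,Disable TLS 1.0
10.0.0.5,IVA,Mitigated,Mitigated,alice@example.com,01/10/2024,Apply the vendor patch
10.0.0.11,Agent,Accepted,Active,,,
"""

# Statuses that still count as unmitigated (Mitigated and Obsolete do not).
UNMITIGATED_STATUSES = {"Active", "Inactive"}


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_due_date(text):
    """Parse the dashboard's MM/DD/YYYY due date; blank means no due date."""
    text = (text or "").strip()
    if not text:
        return None
    return datetime.strptime(text, "%m/%d/%Y").date()


def to_unix_timestamp(iso_day):
    """Return the 10-digit Unix timestamp (seconds at UTC midnight) for YYYY-MM-DD.

    Seconds, not milliseconds: a 13-digit value is a different date entirely.
    UTC is an assumption; use the zone the dashboard documents if it does.
    """
    day = date.fromisoformat(iso_day)
    return int(datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp())


def triage(rows, today):
    """Split risks into past-due, missing-remediation, and (State, Status) counts.

    today is a YYYY-MM-DD string so the review date is explicit and repeatable.
    """
    review_day = date.fromisoformat(today)
    past_due, missing, counts = [], [], Counter()
    for row in rows:
        counts[(row["State"], row["Status"])] += 1
        due = parse_due_date(row.get("Due Date"))
        # Past due = still unmitigated and the assigned due date has passed.
        if row["Status"] in UNMITIGATED_STATUSES and due is not None and due < review_day:
            past_due.append(row)
        # No remediation steps: the guide says to raise these with your CST.
        if not (row.get("Remediation Steps") or "").strip():
            missing.append(row)
    return {"past_due": past_due, "missing_remediation": missing, "counts": counts}


if __name__ == "__main__":
    report = triage(load_rows(SAMPLE_CSV), today="2024-03-01")
    for (state, status), n in sorted(report["counts"].items()):
        print(f"{n:3d}  {state} / {status}")
    for row in report["past_due"]:
        print("past due:", row["Host"], row["State"], row["Due Date"], row["Assigned To"] or "(unassigned)")
    for row in report["missing_remediation"]:
        print("no remediation steps:", row["Host"], row["Source"])
    print("due date filter value for 2024-03-01:", to_unix_timestamp("2024-03-01"))
```

To run it against a real export, replace SAMPLE_CSV with the file contents and check the header names first; a risk with Status Mitigated or Obsolete is never reported as past due even if its due date has passed, because the score no longer counts it.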

    Assets

    The Assets page includes all information relevant to the assets in your network. The page includes the following sections:

    Asset Catalog

    The Asset Catalog section is located on the Assets page. It includes a table with all of your assets, sorted by risk score. You can change how the information displays in the table:

    The Asset Catalog table has the following columns:

    Column Description
    Source The source that discovered the asset: Agent, EVA, or IVA.
    IP The IP address of the asset.
    Device Name The name of the asset as it appears on the device or in the Risk Dashboard.
    MAC The MAC address of the asset.
    OS The operating system (OS) of the asset.
    Category The category of the asset, including Desktop or Server.

    Note: If there is not enough information to classify an asset, the asset appears in the Unknown category.

    Last Seen The date and time that the IP address for this asset was last verified.

    Note: This value is not the last time that the asset was online.

    Manufacturer The manufacturer of the asset.

    Note: This information is only available for the assets that Agent discovers.

    Risk Score The highest risk score of all active risks for the asset.
    Asset Criticality The criticality of the asset.

    See Editing Asset Criticality for more information.

    Vulnerabilities The number of current vulnerabilities for the asset.
    Asset Tags The classification tags that apply to the asset.

    See Editing asset tags for more information.

    Asset filters

    The Asset filters section is located on the Assets page. Use it to narrow the assets that appear in the Asset Catalog table. These are the available filter options:

    Filter Description
    Risk Score Use these filters to view assets that have vulnerabilities with risk scores in the specified range.
    Search Enter one or more search terms, separated by commas, and click Create to filter entries in the Asset Catalog table. Results are based on search term matches in any column. You can include up to 100 search terms. Each search term that you enter can be removed by clicking the X next to it.
    Source Select or deselect these options to show or hide the assets that these scan types identified:
    • IVA — Show or hide assets that an IVA scan discovered.
    • EVA — Show or hide assets that an EVA scan discovered, based on scan group configuration.
    • Agent — Show or hide assets that an Agent scan discovered.
    Asset Tags Select one or more of these options to show assets with all selected tags.
    Asset Criticality Select one or more of these options to show assets with any of the selected criticality values.
    Asset Category Select a category to view the assets that belong to that category.

    You can select multiple categories.

    Discovery Date Range Enter a date range to view the assets that were discovered within that time period.

    Click Clear Filters at any time to remove all filters.

    Reviewing assets

    On a monthly or quarterly basis, review your assets. As assets are removed or decommissioned from the environment, it is good practice to remove them from the Asset Catalog. It does not cause harm to keep them, but they create clutter and affect your metrics for a period of time.

    To review assets:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Filters section, click Clear Filters.

    3. For the Source filter, clear the EVA checkbox.

    4. Do one of the following:

      • Review your assets in the Asset Catalog section of the Risk Dashboard.
      • Export your asset information, and then review the assets in a spreadsheet:
        1. In the Asset Catalog section, click Download CSV.

          The Asset Catalog.csv file downloads to your device.

        2. Open the Asset Catalog.csv file, and review the information in Microsoft Excel or other application of choice.

    5. Sort the assets by the Last Seen value.

      Tip: External assets have a Last Seen value of Unknown. Review public-facing IP addresses and domains with your CST on a regular basis. Submit a ticket to security@arcticwolf.com to immediately communicate any new systems or changes to them.

    6. Review the assets, and then complete the appropriate task:

      • The asset was decommissioned and can be removed — Click Delete to delete it. All risks associated with the asset are also deleted.

      • The asset is present and active, but no longer seen by the IVA scanner or Agent — verify that the IP is still part of the IVA scan schedule or that no firewall rules are preventing the agent from checking in.

        See Arctic Wolf IP Addresses for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.
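    When the catalog is large, the sort-by-Last-Seen step is easier to do on the exported Asset Catalog.csv. The script below is an added example, not code from the Risk Dashboard, that applies the review above offline: it skips EVA assets (whose Last Seen is Unknown), ignores any other Unknown or blank Last Seen value, and lists internal assets whose IP has not been verified by a scan within a chosen number of days, oldest first. It assumes the CSV header matches the Asset Catalog columns listed earlier and that Last Seen is written as YYYY-MM-DD HH:MM; neither is documented by the page, so check a real export before relying on it. The sample rows are constructed.

```python
"""Find stale assets in an Asset Catalog.csv export from the Risk Dashboard.

Added example. It assumes the CSV header matches the Asset Catalog columns
the guide lists and that Last Seen is written as YYYY-MM-DD HH:MM (the guide
does not document the export format). External (EVA) assets show Unknown and
are skipped, as the review procedure clears the EVA source.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; addresses, names and values are made up.
SAMPLE_CATALOG = """\
Source,IP,Device Name,MAC,OS,Category,Last Seen,Manufacturer,Risk Score,Asset Criticality,Vulnerabilities,Asset Tags
IVA,10.0.0.5,fileserver01,00:11:22:33:44:55,Windows Server 2019,Server,2024-02-28 14:05,,8.1,High,12,backup_recovery
Agent,10.0.0.7,laptop-bob,00:11:22:33:44:66,Windows 11,Desktop,2023-10-01 09:30,ExampleCorp,5.3,Medium,3,
EVA,203.0.113.10,www.example.com,,,Unknown,Unknown,,7.5,Critical,2,internet_facing
IVA,10.0.0.9,,00:11:22:33:44:77,,Unknown,2023-11-15 02:00,,0,Unassigned,0,
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_last_seen(text):
    """Return the Last Seen day, or None for Unknown/blank (external assets)."""
    text = (text or "").strip()
    if not text or text.lower() == "unknown":
        return None
    return datetime.strptime(text, "%Y-%m-%d %H:%M").date()


def find_stale_assets(rows, today, max_age_days=90):
    """List internal assets whose IP was last verified more than max_age_days ago.

    Last Seen is when a scan last verified the IP, not when the host was last
    online, so a stale entry means "not reached by IVA or Agent": either a
    decommissioned device to delete or a scan-schedule / check-in gap to fix.
    """
    review_day = date.fromisoformat(today)
    cutoff = review_day - timedelta(days=max_age_days)
    stale = []
    for row in rows:
        if row["Source"] == "EVA":
            continue  # external assets have no usable Last Seen
        seen = parse_last_seen(row["Last Seen"])
        if seen is None or seen >= cutoff:
            continue
        stale.append({
            "IP": row["IP"],
            "Device Name": row["Device Name"] or "(no name)",
            "Source": row["Source"],
            "Risk Score": row["Risk Score"],
            "days_since_seen": (review_day - seen).days,
        })
    stale.sort(key=lambda a: a["days_since_seen"], reverse=True)
    return stale


if __name__ == "__main__":
    for asset in find_stale_assets(load_rows(SAMPLE_CATALOG), today="2024-03-01"):
        print(f'{asset["days_since_seen"]:4d} days  {asset["Source"]:5s} {asset["IP"]:15s} {asset["Device Name"]}')
```

Each asset the script lists still needs the decision in step 6 above: delete it if it was decommissioned, or check the IVA scan schedule and the Agent's outbound connectivity if it is still in service.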

    Viewing an Asset Profile

    An Asset Profile provides additional details about an asset.

    Note: The Location and Advanced Identification sections are only available when Agent is the Source.

    To view an Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any source.

      The Asset Profile information is organized into the following sections:

    Details

    The Details section of the Asset Profile includes the following information about the selected asset:

    See Viewing an Asset Profile and Editing Details in an Asset Profile for more information.

    Location

    The Location section of the Asset Profile includes the following information about the selected asset:

    Note: This information is only available when Agent is the Source.

    See Viewing an Asset Profile for more information.

    Host Identification

    The Host Identification section of the Asset Profile includes the following information about the selected asset:

    See Viewing an Asset Profile for more information.

    Advanced Identification

    The Advanced Identification section of the Asset Profile includes the following information about the selected asset:

    Note: This information is only available when Agent is the Source.

    See Viewing an Asset Profile for more information.

    Profile Activity

    The Profile Activity section of the Asset Profile includes the following information about the selected asset:

    See Viewing an Asset Profile for more information.

    Add Note

    The Add Note section of the Asset Profile allows you to add a note to the asset. The Previous Notes section allows you to view the existing notes on the asset. It includes the following information:

    See Viewing an Asset Profile, Adding a note to an asset profile, and Deleting a note from an asset profile for more information.

    Asset Profile History

    The Asset Profile History section of the Asset Profile provides asset profile change history information. When a scan identifies an asset, an asset profile is created or the existing asset profile is updated. The Asset Profile History table shows asset profile changes over time as a result of scans from the selected source. It does not include a history of asset Tags or Asset Criticality. You can change how the information displays in the table:

    The Asset Profile History table has the following columns:

    Column Description
    IP The IP address of the asset.
    Device Name The name of the asset.
    OS The operating system of the asset.
    MAC The MAC address of the asset.
    When The date and time when the asset profile changed.
    Type The type of change to the asset profile. For example, OS refers to a change in the operating system.
    Event The change to the asset profile. For example, an operating system update.
    Raw Log An Arctic Wolf-specific field that the system generates for each asset profile change as a result of a scan.

    See Viewing an Asset Profile for more information.

    Adding a note to an Asset Profile

    To add a note to an Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.
    2. In the Asset Catalog section, go to the Source column, and then click any source.
    3. In the Add Note section, enter a note in the Add notes here text box.
    4. Click Add Note.

    Editing multiple assets

    You can use the following methods to edit multiple assets:

    Editing multiple assets in the Asset Catalog table

    To edit multiple assets in the Asset Catalog table:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters for more information.

    3. In the Asset Catalog table, select the row for every asset that you want to edit as part of a group. You can review more pages and continue making your selections.

      Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

    4. Click Update Selected.

      The Bulk Update dialog appears.

    5. Edit one or more of the following fields:

      • Asset Criticality
      • Category
      • Device Name
      • Tags

        Note: A tag is added to or removed from the selected assets only when its checkbox shows a checkmark. A checkbox showing a dash (the tag applies to only some of the selected assets) leaves that tag unchanged.

    6. Click Update to save your changes.

    7. (Optional) Click Deselect All to clear all selected assets.

    Editing multiple assets in a CSV file

    Note: You cannot bulk edit asset criticality or tags with this workflow. See Editing multiple assets in the Asset Catalog table for instructions.

    To edit multiple assets in a CSV file:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters for more information.

      Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

    3. In the Asset Catalog section, click Export Assets.

      A CSV file with the following fields downloads to your device:

      • Device ID
      • Asset IP
      • Device Name
      • Category
    4. Open the CSV file.

    5. Locate the required Asset IP, and then edit the corresponding Device Name and Category columns as desired.

      Notes:

      • Do not edit the Device ID column. Changing a Device ID value causes the CSV file import to fail.
      • To reset the Device Name or Category of an asset to the value from the default sensor, leave the cell empty.
      • To exclude a device from the bulk edit, either leave the Device Name or Category values unchanged or delete the row from the CSV file.
    6. Save the CSV file.

    7. In the Risk Dashboard, click Import Assets.

    8. Locate the modified CSV file, and then click Open.

      The Confirm Upload dialog appears.

    9. Click Upload.

      A message appears to confirm whether the import was successful or unsuccessful.
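    The failure mode in the notes above (an edited Device ID rejects the whole import) is easy to trigger by accident in a spreadsheet, for example by sorting one column without the others. The script below is an added example, not part of the Risk Dashboard, that produces the import file from the export programmatically and checks it before upload: edits are keyed by Asset IP, Device ID is copied verbatim, an explicit empty value resets a field to the sensor default, rows with no change are dropped (which the guide allows as a way to exclude a device), and a verification pass confirms that every Device ID in the import file exists in the original export and is still paired with the same Asset IP. The header (Device ID, Asset IP, Device Name, Category) is the one the guide lists; the Device ID values and hosts are constructed.

```python
"""Prepare and sanity-check a bulk-edit CSV for the Import Assets step.

Added example. The export header (Device ID, Asset IP, Device Name, Category)
is the one the guide lists; the Device ID values and hosts below are made up.
"""
import csv
import io

EXPECTED_HEADER = ["Device ID", "Asset IP", "Device Name", "Category"]
EDITABLE = ["Device Name", "Category"]  # criticality and tags are not CSV-editable

# Constructed sample of what Export Assets produces.
SAMPLE_EXPORT = """\
Device ID,Asset IP,Device Name,Category
d-1001,10.0.0.5,fileserver01,Server
d-1002,10.0.0.7,laptop-bob,Desktop
d-1003,10.0.0.9,,Unknown
"""

# Desired edits keyed by Asset IP. An explicit "" resets the field to the
# sensor's default value; a field that is absent is left unchanged.
EDITS = {
    "10.0.0.9": {"Device Name": "printer-3f"},
    "10.0.0.7": {"Category": ""},
}


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def apply_edits(export_text, edits):
    """Return CSV text holding only the rows that change; Device ID is copied verbatim."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=EXPECTED_HEADER, lineterminator="\n")
    writer.writeheader()
    for row in load_rows(export_text):
        wanted = edits.get(row["Asset IP"])
        if not wanted:
            continue
        new_row = dict(row)
        for field, value in wanted.items():
            if field not in EDITABLE:
                raise ValueError(f"{field} is not editable through the CSV workflow")
            new_row[field] = value
        if new_row != row:  # unchanged rows are excluded from the bulk edit
            writer.writerow(new_row)
    return out.getvalue()


def verify_import_file(export_text, import_text):
    """Check an edited file against the original export before uploading.

    Returns a list of problems (empty means safe to import): a changed header,
    Device IDs that were edited or invented, or an ID now paired with another IP.
    """
    problems = []
    header = list(csv.reader(io.StringIO(import_text)))[0] if import_text else []
    if header != EXPECTED_HEADER:
        problems.append(f"header changed: {header}")
    original = {r["Device ID"]: r for r in load_rows(export_text)}
    for row in load_rows(import_text):
        device_id = row.get("Device ID", "")
        if device_id not in original:
            problems.append(f"unknown Device ID {device_id!r} (edited or invented)")
        elif original[device_id]["Asset IP"] != row.get("Asset IP"):
            problems.append(f"Device ID {device_id} now paired with a different Asset IP")
    return problems


if __name__ == "__main__":
    import_csv = apply_edits(SAMPLE_EXPORT, EDITS)
    print(import_csv)
    print("problems:", verify_import_file(SAMPLE_EXPORT, import_csv) or "none")
    tampered = import_csv.replace("d-1003", "d-9999")
    print("problems after editing a Device ID:", verify_import_file(SAMPLE_EXPORT, tampered))
```

Run verify_import_file against the file you are about to upload, not the one you generated; the check is there to catch what happened to the file in between.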

    Editing asset classification values

    It is important to add Category, Asset Criticality, and Asset Tags classification values to assets when they are initially deployed so you have a baseline. After that, on a monthly or quarterly basis, review and update your asset classification values because environments change over time. Classification values help to provide asset context.

    To edit asset classification values:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. For Discovery Date Range, enter a date range that allows you to view assets that were added since the previous asset updates.

    3. Update the asset classification values.

      See Editing multiple assets in the Asset Catalog table for more information.

      Tip: To filter assets, you can enter a comma-separated list of values in the Search field. For example, you can enter a distinct list of IP addresses or device names for bulk editing.

    Editing Asset Criticality

    You can associate an asset with a pre-defined Asset Criticality value. This value is optional. The value displays for any risks that are discovered on the device, which can assist you with risk mitigation planning.

    To edit Asset Criticality in the Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog, select the checkbox next to each asset you want to update.

    3. Click Update Selected.

      The Update Selected Assets dialog appears.

    4. In the Asset Criticality dropdown list, select the required Asset Criticality:

      • Unassigned — The default value for all devices.
      • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
      • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
      • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
      • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
      • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
    5. Click Update Asset(s).

    Tip: You can edit asset criticality for multiple assets simultaneously. See Editing multiple assets for instructions.

    Editing Asset Tags Direct link to this section

    Tags are an optional value that you can apply to assets. The values are then included on any risks that are discovered on the device to assist with risk mitigation planning.

    Tip: You can ask your CST to create custom tags for you.

    To edit Asset Tags in the Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog, select the checkbox next to each asset you want to update.

    3. Click the update icon Update Selected.

      The Update Selected Assets dialog appears.

    4. In the Asset Tags search field, enter the required asset tag:

      • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
      • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
      • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
      • internet_facing — Any asset that can be reached through the public internet.
      • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
      • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
      • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
      • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.
    5. Click Update Asset(s). See Editing asset details in the Asset Catalog for more information.

    Editing Details in an Asset Profile Direct link to this section

    To edit asset details in the Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, click the required Source.

    3. In the Details pane, click Edit Details.

      The Edit Asset Details dialog appears.

    4. Edit the required asset details:

      • Category — Select the required category from the list. If the desired category does not already exist, you can create it. Enter the category in the Add Category field, and then click Add.
      • Device Name — Edit the name of the asset. This is the name that appears in the Risk Dashboard.

        Note: You can edit the Tags or Asset Criticality values from the Asset Catalog table. See Editing asset details in the catalog.

    5. Click Update.

    Tips:

    Editing asset details in the Asset Catalog Direct link to this section

    To edit asset details in the Asset Catalog:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, select the checkbox of the asset to edit.

      Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

    3. Click the update icon Update Selected.

      The Update Selected Assets dialog appears.

    4. Edit one or more of the following fields:

    5. Click Update Asset(s).

    Tip: You can edit multiple assets simultaneously. See Editing multiple assets in the Asset Catalog table for instructions.

    Rescanning assets Direct link to this section

    You can rescan an individual asset or multiple assets at the same time.

    To rescan assets:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, select the checkbox of each asset to rescan.

    3. Click Rescan to add the asset to the scan queue.

      Tip: The Rescan button appears dimmed if you select an EVA source, because rescanning EVA sources is currently unavailable.

    4. Click Rescan to confirm.

    Deleting an asset Direct link to this section

    You can delete an asset if you no longer require it.

    Notes:

    To delete an asset:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, locate the asset you want to delete, and then click the delete icon Delete.

      The Confirm Delete dialog appears.

    3. Click Delete.

    Deleting a note from an Asset Profile Direct link to this section

    To delete a note from an Asset Profile:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any source.

    3. In the Previous Notes section, locate the note to delete, and then click the delete icon Delete.

      The Delete Note dialog appears.

    4. Click Delete.

    Downloading Asset Catalog data Direct link to this section

    To download Asset Catalog data to a CSV file:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters for more information.

      Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

    3. Click the download CSV icon Download CSV.

      The CSV file downloads to your device.

    Agent Direct link to this section

    The Agent page includes the following sections:

    You can change how the information displays on the page:

    All sections display when the page refreshes.

    Viewing risk charts Direct link to this section

    Risk charts illustrate the percentage of risks in various categories.

    To view the risk charts:

    1. In the Risk Dashboard navigation pane, click Agent.

      The Agent page contains three risk charts:

      • Risks by OS
      • Risks by Category
      • Risks by Severity
    2. (Optional) Hover over a section of the chart to see the percentage. Use the legend, above each chart, for information about the chart colors. Click the arrows to scroll through the legend.

    Target Group Overview Direct link to this section

    The Target Group Overview section is located on the Agent page. It includes a table that provides a summary of the target groups and scanning schedules. You can change how the information displays in the table:

    The Target Group Overview table has the following columns:

    Column Description
    Name The name of the target group.
    Description A description of the target group.
    Targets The number of targets in the target group.
    Scanning The state of the target group. This can be one of the following:
  • Enabled — The target group is allowed to be scanned.
  • Disabled — The target group is not allowed to be scanned.
  • Running — The target group is currently being scanned.
    Schedule The intended times for a scan to repeat itself. This can be one of the following:
  • Once
  • Daily
  • Weekly
  • Monthly
    Created The date and time that the target group was created.
    Last Scan The date and time of the previous scan on the target group.
    Next Scan The date and time of the next scheduled scan on the target group.

    Click the download icon CSV to download a CSV file containing all target groups for the deployment.

    The Edit and X icons are used by Arctic Wolf employees to edit and delete target groups. They are not functional for customers.

    Viewing Agent Risks Direct link to this section

    The Agent Risks section provides a link to the Risks page, so you can view risks with the agent icon Agent as the Source.

    To view Agent Risks:

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Risks section, click here.

      The Risks page appears. The risk table is filtered to display risks with the agent icon Agent as the Source.

    Viewing Agent Scan Details Direct link to this section

    The Agent Scan Details section displays information about scans that overlap with or start within the specified date and time.

    To view Agent Scan Details:

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Scan Details section, select the start date and time for the scan results that you want to view.

    3. Click Get Data.

      The table displays all target group scans that occurred after your selected start date and time.

    The Agent Scan Details table has the following columns:

    Column Description
    Scans Detail Click the details icon Details next to a scan in the table to view details for a specific scan.
    ID The unique identifier representing the scan.
    Name The name of the scanned target group.
    Scheduled Window Minutes Duration of the scan in minutes.
    Status Whether or not the scan was completed.
    Scan Reason The reason for the scan.
    Start Time The date and time of the start of the scan.
    End Time The date and time of the end of the scan.

    Click the details icon Details next to a scan in the table to view details for a specific scan. The sub-table has the following columns:

    Column Description
    Client UUID A universally unique identifier (UUID) for the device.
    Hostname The hostname of the device.
    ID The ID of the device.
    Status The status of the scan. The statuses can be one of the following:
  • Pending — The scan is scheduled to run at a further point in time.
  • Running — The scan is currently running.
  • Success — The scan completed.
  • Closed — The scan was cancelled before it started running.
  • Failure — The scan did not finish. This generates an audit report.
  • Cancelled — The scan was cancelled while it was running.
  • Unsupported — The scan attempted to start on an unsupported OS or architecture.
    Start Time The time the agent began scanning the device.
    End Time The time the agent ended scanning the device.
    Create Time The time that the scan was created.
    Audit Provides the audit report if an audit was performed. Click the download icon Download to download the audit report as an HTML file.
    Vulnerability Report Provides the vulnerability report if a vulnerability scan was performed. Click the download icon Download to download the vulnerability report as an HTML file.
    Benchmark Report Provides the benchmark report if a benchmark scan was performed. Click the download icon Download to download the benchmark report as an HTML file.

    Viewing Agent Audits Direct link to this section

    To view Agent Audits:

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any Agent source.

      If Agent discovered the asset and the asset information is available, it is provided in the appropriate section:

    Task List Direct link to this section

    The Task List table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Command The command associated with the task.
    Handle Count The number of object handles in the object table of the task.
    Name The name of the task.
    PCPU The percent of central processing unit (CPU) that is used.
    PID The process identifier (PID) associated with the process.
    PMEM The percentage of physical memory (MEM) that the process’s RSS occupies.
    PPID The parent process identifier (PPID).
    Priority The priority of the task.
    Process ID The process ID of the task.
    RSS The resident set size (RSS) or portion of random access memory (RAM) that the process uses.
    Session ID The session ID that the task is using.
    STAT The current status (STAT) of the process.
    Thread Count The number of threads working on the task.
    Time The time since the process started.
    TT The task type (TT).
    VSZ The virtual memory size (VSZ) or the size of memory allocated to a process, even if it does not use it.
    Working Set Size The amount of memory that the task needs to function.

    See Viewing Agent Audits for more information.

    Wireless Networks Direct link to this section

    The Wireless Networks table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Authentication The authentication type of the network.
    BSSID The basic service set identifier (BSSID) that uniquely identifies the radio of the access point using a media access control (MAC) address.
    Channel The small band within a larger frequency band that the wireless network uses to transmit wireless signals.
    Country The country code of the wireless device.
    Encryption The encryption type of the network.
    IsCurrent Whether the network is currently connected to the machine (True) or not (False).
    MCS Index The modulation coding scheme (MCS) index that is supported.
    Message The number of available networks. For example, There are 3 networks currently visible.
    Mode The wireless mode.
    Name The name of the network.
    Network Type The type of network.
    Network The network name.
    Noise The signal in decibels (-dBm) that is not WiFi traffic. The closer to 0, the greater the noise.
    Security The wireless security protocol provided by the wireless network.
    Signal The current signal strength in (-dBm). The closer to 0, the better the signal.
    SSID Name The service set identifier (SSID) that uniquely names the wireless local area network (WLAN) that devices connect to.
    Transit Rate The throughput capability of wireless devices connected to the network.

    See Viewing Agent Audits for more information.

    USB Devices Direct link to this section

    The USB Devices table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Bus The universal serial bus (USB) identifier.
    Device ID The unique ID of the USB device.
    Device The device name.
    Manufacturer The manufacturer of the USB device.
    Name The name of the USB device.
    Product ID The product identification number.
    Serial Number The serial number of the USB, if available.
    Speed The speed of the USB in Mb/s.
    Status The status of the USB device.
    Vendor ID The identification number of the vendor.
    Version The software version on the USB device.

    See Viewing Agent Audits for more information.

    Software Packages Direct link to this section

    The Software Packages table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Arch The hardware architecture.
    Install Location The location that the software package is installed on the device.
    Install Source The location of the file that the software package was installed from.
    Installed The date that the software package was installed, formatted as YYYYMMDD.
    Intel 64bit Whether the software can run on Intel 64bit CPUs.
    Kind The type of software package.
    Last Modified The date and time that the software package was last modified.
    Location The file path of the software.
    Name The name of the software package.
    Obtained From The source of the software package.
    Signed By The signing authority of the software package.
    Summary A description of the software.
    Vendor The vendor of the software package.
    Version The version number of the software package.

    See Viewing Agent Audits for more information.

    Enabling an agent scan schedule Direct link to this section

    You can enable individual agent scan schedules.

    To enable an agent scan schedule:

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, locate the agent scan schedule you want to turn on.

    3. In the Scheduled Enable column, turn on the toggle.

      Note: If the toggle appears dimmed, the scan is currently disabled.

      In the Scanning column, the agent status changes to Enabled.

    Stopping active and scheduled agent scans Direct link to this section

    All active scans and scheduled scans can be stopped individually or in bulk:

    Stopping an agent scan schedule Direct link to this section

    To stop an agent scan schedule:

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, locate the agent scan schedule you want to turn off.

    3. In the Scheduled Enable column, turn off the toggle.

      Note: If the toggle appears dimmed, the scan is currently disabled.

      In the Scanning column, the agent status changes to Disabled.

    Stopping all agent scan schedules Direct link to this section

    To stop all active and scheduled agent scans:

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, click Stop All Scan Schedules.

    3. Click Stop All Scan Schedules to confirm.

      In the Scanning column, all agent statuses change to Disabled.

    EVA Direct link to this section

    The EVA page displays information gathered from External Vulnerability Assessment (EVA) scans, specifically target scan groups and the associated risks for these groups. The page includes the following sections:

    Target Group to Risk Severity Direct link to this section

    The Target Group to Risk Severity section is located on the EVA page. It displays target score information for each target group and its targets. The chart legend lists each target group, all targets within a group, and the color corresponding to the chart.

    Note: You cannot take actions on target groups that have discovered a host in scanning.


    Tip: See target score for more information on target scores.

    The chart visualizes the target score associated with each target and target group. The chart has three layers, where the innermost layer represents the target group, the second layer represents each target within that group, and the third layer represents the target score associated with each target. Each target group and associated targets are one unique color. Low target scores are not visible, medium target scores are yellow sectors, and high target scores are red sectors. If a target group scan did not discover a host, then it is not displayed on the chart.

    Target Group to Risk Severity filters Direct link to this section

    The Target Group to Risk Severity section is located on the EVA page. It includes the following filters that you can use to change the chart data:

    Filter Description
    Target group Click a target group on the chart. This limits the chart to only display the relevant information for that target group.

    Select the gray circle in the center of the chart titled undefined.

    Location Filters the target group by location. Select one of the following options: All, Corporate, or Third Party.
    Tags Filters the target by Tag. Click the Tags field, select a tag from the dropdown list, and then click Update Control Data. See Filtering target groups by tags for more information.

    Target Group Overview Direct link to this section

    The Target Group Overview section is located on the EVA page. You can change how the information displays in the Target Group Overview table:

    Tip: Click the download icon CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.


    The Target Group Overview table has the following columns:

    Column Description
    Name Name of the target group.
    Description Description of the target group.
    Targets All targets within the target group.
    Scanning If scanning is enabled or disabled for the target group.
    Schedule Whether the scan on the target group runs once, weekly, or monthly.
    Created The date that the target group was created.
    Last scan The date of the previous scan on the target group.
    Next scan The date of the next scheduled scan on the target group. If there is no next scan, the entry is empty.

    Risks by Target Group Direct link to this section

    The Risks by Target Group section is located on the EVA page. You can change how the information displays in the Risks by Target Group table:

    Tip: Click the download icon CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.


    The Risks by Target Group table has the following columns:

    Column Description
    Level Target score of the target.
    Target IP address or domain name of the target.
    Name Name of the target.
    Description Description of the target.
    Recommendations Steps to mitigate the risk of the target.
    Created Date the target was created.

    Click the details icon Details at the left of each entry to display additional risk information. Details vary, depending on the risk. Not all information is present for each entry:

    Filtering target groups by tags Direct link to this section

    To filter target groups by tags:

    1. In the Risk Dashboard navigation pane, click EVA.
    2. In the Target Group to Risk Severity section, enter the tags you want to filter by in the Tags text box.
    3. Click Update Control Data.

      Note: It may take a few seconds for the updates to complete.

    Downloading a Target Group to Risk Severity Chart Direct link to this section

    To download a Target Group to Risk Severity chart:

    1. In the Risk Dashboard navigation pane, click EVA.

    2. (Optional) Use filters to narrow the information that appears in the chart.

      See Target Group to Risk Severity filters for more information.

    3. Click the download icon Save image.

      An image of the chart downloads to your device. It does not save the legend.

    User Config Direct link to this section

    The User Config page is no longer available. Previously, it allowed you to manage users who could access your Risk Dashboard. If you need to make user management changes now, contact your CST.

    Scanner Config Direct link to this section

    The Scanner Config page lets you make changes to your scanning configuration and scanning schedules. The page includes the following sections:

    By default, the scanner scans all devices on the same network subnet as the IP or mask that is provisioned. If desired, you can add additional devices, if they are reachable through a gateway, for scanning.

    The scanner virtual machine (VM) is designed for rapid and continuous scanning to process all the network hosts as quickly as possible. As such, it is normal for the scanner to consume all of the virtual CPU (vCPU) allocated to it. This may not be desirable in a highly overloaded ESXi environment, and allocating more resources may be difficult in the short term. In this situation, we recommend using the minimum system requirements as described in Managed Risk Virtual Scanner Installation. If CPU consumption is an issue, try deploying a physical scanner. However, we only recommend this approach if the ESXi environment is unable to manage the scanner resource requirements.

    By design, company identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer to GUID mapping is stored within the Arctic Wolf secure network.

    Scan frequency for a given host depends on a number of factors including:

    We recommend that each host on the network is scanned at a minimum once every 10-14 days. You may require additional scanners based on your network size and complexity.

    Note: EVA scans run monthly. We do not recommend scanning too frequently, as this could conflict with firewall rules or generate too much noise.

    The Risk Scanner operates in stages when determining what hosts to scan next. Every five minutes, the Risk Scanner:

    Scanner Configuration Direct link to this section

    The Scanner Configuration section is located on the Scanner Config page. It displays configuration details for the selected scanner.

    The Scanner Configuration section has the following information:

    Detail Description
    Scanner ID The ID of the scanner.

    Click the details icon Details at the end of the ID to choose a different scanner.

    Scanner IP Address The IP address of the scanner.
    Netmask The netmask of the scanner.
    Connection Status The connection status of the scanner, including:
    • Connected — The scanner is online.
    • Disconnected — The scanner is offline.
    Scanning Status The scanning status of the scanner, including:
    • Scanning — The scanner is actively scanning.
    • Not Scanning — The scanner is not actively scanning.
    • Not Configured — The scanner is not scanning because it is not configured.
    • Degraded — The scanner encountered an issue while scanning.
    Host Identification Scans A toggle that enables or disables host identification scans. Vulnerability Scans must also be enabled for host identification scans to work. When this toggle is disabled, Vulnerability Scanning is also disabled.
    Vulnerability Scanning A toggle that enables or disables IVA scans.
    Troubleshooting Settings A button that opens the Troubleshooting settings dialog. The dialog includes these troubleshooting settings:
    • Brute force checks — Toggles whether the scanner checks for brute force attempts in your network or not.
    • CGI scanning — Toggles whether the scanner acts as a Common Gateway Interface (CGI) or not. When turned on, it searches for well-known web vulnerabilities in web servers and similar software.
    • Only ping the target — Toggles whether the scanner only scans hosts that respond to pings or not.
    • Stop All Scanning Now — Click to disable all future scanning and stop any existing scanning processes.

    Caution: Arctic Wolf does not recommend using this option outside of an emergency since it may cause scan restart issues.

    DenyList IP/Networks IP addresses or networks that are part of the DenyList. These items are not scanned.
    See Adding an IP address or IP address range to the denylist for more information.
    Host Collection DNS Servers The DNS server that you have configured.

    Note: If this field is blank, we attempt to auto-discover the server name.

    Scanning Schedule Direct link to this section

    The Scanning Schedule section is located on the Scanner Config page. It displays scans that are scheduled for a selected scanner. You can change how the information displays in the Scanning Schedule table:

    The Scanning Schedule table has the following columns:

    Column Description
    Target The targets that the scan is configured to scan.
    Next Scan Time The next time that this scan is configured to run.
    Schedule The type of schedule for this scan:
  • Continuous — The scan runs continuously.
  • Daily — The scan runs once a day, based on the time that you configure.
  • Weekly — The scan runs once a week, based on the day and time that you configure.
  • Monthly — The scan runs once a month, based on the day and time that you configure.
    Window (hours) The window that the scan can run within, in hours. For example, 12 am to 8 am.

    Notes:

  • If you schedule a large scan in a small window, the scan may never complete.
  • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
    Priority The priority of the scan:
  • Low — This scan runs last, after all other scans are complete.
  • Medium — This scan runs after High priority scans but before Low priority scans.
  • High — This scan completes first before all other scans.

    Notes:

  • If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.
  • If you start a new High priority scan when a Low priority scan is in progress, the Low priority scan will run after the current scan finishes. Any in-progress scan will complete before the new scan starts.
  • The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority would go first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in alphabetical order.

    Modify Use this column to modify your scan schedule:
  • Click the edit icon Edit to edit the schedule.
  • Click the delete icon Delete to delete the schedule.

    Tip: If the Scanning Schedule table is empty, the sensor scans all hosts on the network that it currently has an IP address on.
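The Priority and Window (hours) rules above interact in ways that are easier to see by running them. The following Python model is an added illustration written for this guide; it is not Arctic Wolf's scanner code. It assumes that every host costs the same number of minutes to scan, that a schedule walks its targets in list order, and that the documented "alphabetical order" tie-break is on schedule name and then target (the guide does not say which). Timestamps in last_scanned are constructed sample values.

```python
"""Toy model of the Scanning Schedule rules: priority, tie-breaks and windows.

Added illustration, not Arctic Wolf scanner code. Assumptions: every host
costs the same number of minutes, a schedule walks its targets in list
order, and the alphabetical tie-break is on schedule name, then target.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Schedule:
    name: str
    priority: str        # "High", "Medium" or "Low", as in the Priority column
    targets: list        # hosts, in the order the scan walks them
    cursor: int = 0      # next target to scan; kept across windows so a scan resumes


def order_candidates(candidates, last_scanned):
    """Order (schedule, target) pairs that are due at the same moment.

    Documented rules: higher priority first; same priority -> the least
    recently scanned target (never scanned counts as oldest); still tied ->
    alphabetical order (assumed: schedule name, then target).
    last_scanned maps target -> comparable timestamp such as "2024-01-02".
    """
    def key(pair):
        sched, target = pair
        last = last_scanned.get(target)
        # (False, None) sorts before (True, <timestamp>), so never-scanned wins
        return (PRIORITY_RANK[sched.priority], last is not None, last,
                sched.name, target)
    return sorted(candidates, key=key)


def run_window(schedules, window_hours, minutes_per_host):
    """Simulate one scan window; returns [(schedule name, host), ...] in scan order.

    Schedules are served strictly by priority. A schedule that runs out of
    window keeps its cursor and resumes there next window; as the guide warns,
    a High schedule that never finishes means Medium/Low schedules never run.
    """
    budget = window_hours * 60
    scanned = []
    for sched in sorted(schedules, key=lambda s: (PRIORITY_RANK[s.priority], s.name)):
        while sched.cursor < len(sched.targets) and budget >= minutes_per_host:
            scanned.append((sched.name, sched.targets[sched.cursor]))
            sched.cursor += 1
            budget -= minutes_per_host
        if sched.cursor < len(sched.targets):
            break            # window exhausted mid-schedule: everything below starves
        sched.cursor = 0     # finished: next window starts this schedule from the top
    return scanned


def windows_until_low_runs(high_targets, low_targets, window_hours, minutes_per_host):
    """Number of windows (1-based) before a Low schedule behind a High one scans
    anything, or None if it has not run after 100 windows (starvation)."""
    high = Schedule("high", "High", list(high_targets))
    low = Schedule("low", "Low", list(low_targets))
    for n in range(1, 101):
        if any(name == "low" for name, _ in run_window([high, low], window_hours, minutes_per_host)):
            return n
    return None


if __name__ == "__main__":
    # Constructed sample: ten High hosts at 30 min each in a 2-hour window.
    print(windows_until_low_runs([f"10.9.0.{i}" for i in range(1, 11)], ["10.9.1.1"], 2, 30))
    # A host that cannot be scanned inside the window at all: Low never runs.
    print(windows_until_low_runs(["10.9.0.1"], ["10.9.1.1"], 1, 90))
```

Run against the constructed inputs in the demo, the model reaches the Low schedule only in the third window, and never reaches it when a single host costs more than the whole window, which is the "may never complete" case the notes describe. Widening the window or lowering the High schedule's priority is what changes the outcome, not adding more Low schedules.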

    Credentialed Scanning Direct link to this section

    The Credentialed Scanning section is located on the Scanner Config page. The table provides host credentials that the scanner uses to authenticate to devices on your network. During authentication, the scanner uses different protocols, some of which might be insecure; for example, server message block (SMB). Once connected, the scanner receives a list of installed software. The scanner then runs and checks all version check Network Vulnerability Tests (NVTs) that use OpenVAS, based on the list of software installed on the host.

    Tip: This scan also finds vulnerabilities that are not remotely exploitable, such as an Adobe Acrobat vulnerability.

    You can change how the information displays in the Credentialed Scanning table:

    The Credentialed Scanning table has the following columns:

    Column Description
    Name The name of credential that you configured.
    Type The type of credential:
  • Username/Password — You will provide the username and password of the target host(s).
  • Username/SSH Key — You will provide the username and SSH key of the target host(s).
    Hosts The hosts that apply to this credentialed scan.
    Description The description that you configure, such as SSH key pair to host A.
    Modify Use this column to modify your credentialed scan:
  • Click the edit icon Edit to edit the credentialed scan.
  • Click the delete icon Delete to delete the credentialed scan.
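The Hosts value of a credential is entered as a comma-separated list of IP addresses, optionally with a hyphenated range such as 10.0.0.1-3 (see Adding new scan credentials below), and anything on the DenyList IP/Networks list in Scanner Configuration is never scanned. The following Python helper, added for this guide and not part of Arctic Wolf's software, expands a Hosts value and removes DenyList entries so you can check which hosts a credential will actually be used against. It assumes the only range form is a hyphen over the last octet; any other form is rejected rather than guessed. The host and DenyList values in the demo are constructed samples.

```python
"""Expand the Hosts value of a scan credential and drop DenyList entries.

Added illustration, not Arctic Wolf code. Assumes the documented syntax:
comma-separated IPv4 addresses, optionally with a hyphenated range over
the last octet (10.0.0.1-3). Anything else is rejected rather than guessed.
"""
import ipaddress


def expand_hosts(spec):
    """Return the ordered, de-duplicated list of addresses a Hosts value covers.

    Raises ValueError for malformed addresses, non-numeric or out-of-range
    range ends, and ranges that run backwards (10.0.0.5-3).
    """
    hosts = []
    seen = set()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate a trailing or doubled comma
        if "-" in entry:
            start_s, end_s = entry.split("-", 1)
            start = ipaddress.IPv4Address(start_s)   # ValueError if malformed
            if not end_s.isdigit() or int(end_s) > 255:
                raise ValueError(f"range end must be a last octet 0-255: {entry!r}")
            first, last = int(start) & 0xFF, int(end_s)
            if last < first:
                raise ValueError(f"range runs backwards: {entry!r}")
            network_part = int(start) - first
            addrs = [ipaddress.IPv4Address(network_part + o) for o in range(first, last + 1)]
        else:
            addrs = [ipaddress.IPv4Address(entry)]
        for addr in addrs:
            if addr not in seen:
                seen.add(addr)
                hosts.append(str(addr))
    return hosts


def scannable_hosts(spec, denylist):
    """Hosts from spec that are not covered by any DenyList IP or network.

    denylist entries are strings such as "10.0.0.2" or "10.0.1.0/24"; a bare
    address is treated as a /32, so it blocks exactly that host.
    """
    blocked = [ipaddress.ip_network(d.strip(), strict=False) for d in denylist if d.strip()]
    return [h for h in expand_hosts(spec)
            if not any(ipaddress.ip_address(h) in net for net in blocked)]


if __name__ == "__main__":
    # Constructed sample: a three-host range plus one host in a denylisted subnet.
    print(scannable_hosts("10.0.0.1-3, 10.0.1.7", ["10.0.0.2", "10.0.1.0/24"]))
```

Because credentials are sent to every host the value expands to, a quick expansion like this before clicking Update is a cheap way to confirm that a range does not spill onto hosts you did not intend to authenticate to.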

    Scanning Queue Direct link to this section

    The Scanning Queue section is located on the Scanner Config page. It is only visible if you are viewing information for a scanner that has scans queued. The table displays all of the running and scheduled scans for the selected scanner. You can change how the information displays in the Scanning Queue table:

    The Scanning Queue table has the following columns:

    Column Description
    Host The host that the scan will scan.
    Status The status of the scan:
  • Running — The scan is in progress.
  • Scheduled — The scan is scheduled to run at a specified date and time.
    Last Scan The date and time of the last completed scan.
    Scan Schedule The schedule of this scan, including the target and type.

    Viewing the configuration of a scanner

    To view the configuration of a scanner:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, next to Scanner ID, click the details icon Details.

      The Scanner Select dialog appears.

    3. Do one of the following:

      • Enter the required scanner ID in the search field.
      • Locate the required scanner ID in the table. Scroll through the pages if required.
    4. Click the scanner ID in the list.

      The dialog automatically closes and the configuration information appears in the Scanner Configuration section.

    Viewing the scan queue

    To view the scan queue:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Queue section, view the data in the Last Scan column for the time that the host was last scanned.

      Note: The Scanning Queue section is only visible if you are viewing information for a scanner that has scans queued.

    Adding new scan credentials

    To add new scan credentials:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Credentialed Scanning section, click Add new scan credentials.

      The Configure Credentials for Target Hosts dialog appears.

    3. Enter the following information in the dialog:

      • Name — Enter a name for the credential.

      • Description — (Optional) Enter a description for the credential.

      • Hosts — Enter the IP addresses of the target hosts in a comma-separated list.

        Tip: This field also accepts IP ranges using a hyphen, such as 10.0.0.1-3.

      • Type — Select the type of credential:

        • Username/Password — You will provide the username and password of the target hosts.
        • Username/SSH Key — You will provide the username and SSH key of the target hosts.
      • Username — Enter the appropriate credential.

      • Password — Enter the appropriate password.

      • Passphrase — (Optional) Enter the appropriate passphrase.

      • SSH Key — Enter the appropriate SSH key.

    4. Click Configure.

    Managing Risk Scanner configuration

    To add an IP address or IP address range to the:

    Adding a new scan schedule

    To add a new scan schedule:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Add a new scan schedule.

      Tip: Click Cancel or press ESC to close this dialog box.

      The Configure Scanner Schedule dialog appears.

    3. In the Targets field, enter IP addresses or networks, in a comma-separated list in CIDR format, of the targets you want scanned.

      Note: Only entries with the CIDR format X.X.X.X/Y are accepted in this field. If you only want to add a single host, enter the host as X.X.X.X/32.

      We recommend scanning subnet ranges of /24 or smaller; avoid /8, /16, or /20 ranges, because scanning such large ranges is likely to cause a timeout.

      See Managed Risk Scanner FAQ for more information about subnet scan ranges.

    4. In the Type dropdown list, select one of the following:

      • Continuous — The scan runs continuously.
      • Daily — The scan runs once a day. When selected, these options appear:
        • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
      • Weekly — The scan runs once a week. When selected, these options appear:
        • Weekday checkboxes — Select the applicable days of the week to run the scan.
        • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
      • Monthly — The scan runs once a month. When selected, these options appear:
        • Date & Time — Enter a date and time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
    5. In the Priority dropdown list, select one of the following:

      • Low — This scan runs last, after all other scans are complete.
      • Medium — This scan runs after High priority scans but before Low priority scans.
      • High — This scan completes first before all other scans.

        Note: If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.

    6. Click Configure to save your changes.

    Note: Hosts that match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

    Adding an IP address or IP address range to the AllowList

    To add an IP address or IP address range to an AllowList:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Add a new scan schedule.

      The Configure Scanner Schedule dialog appears.

    3. Configure the following:

      • Targets — Enter the private IP address or private IP address range to add to the AllowList.
      • Type — Select Continuous.
      • Priority — Select a scan priority. This determines the order in which scans run when there are multiple items in the Scanning Queue.
    4. Click Configure to save your configuration.

    Adding an IP address or IP address range to the DenyList

    A DenyList is a list of IP addresses that you specifically do not want the scanner to scan, such as devices with non-optimally designed or implemented embedded network stacks that may behave unexpectedly if scanned. For example, printers or consumer-grade WiFi access points may print unexpected output or reboot if scanned.

    Because of the inconvenience this may cause, you can choose not to scan these devices.

    Tip: Your CST works with you to reduce the number of devices on your DenyList, as a bad actor could use the same vulnerabilities to further compromise your network.

    To manage the DenyList:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, enter IP addresses or networks in the DenyList IP/Networks field.

      The format of this field is a comma-separated list in classless inter-domain routing (CIDR) format. The DenyList IP/Networks field accepts individual hosts without the /32 suffix, or networks in the CIDR format X.X.X.X/Y.

      Tip: You can specify multiple IP addresses using a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
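      The two target formats described in this guide, the CIDR-only Targets field of a scan schedule (single hosts as X.X.X.X/32, ranges larger than /24 discouraged) and the DenyList IP/Networks field (bare hosts, CIDR networks, or a hyphen range in one octet such as 10.0.0.1-3), can be checked before you paste them into the dialog. The following parser is an added example, not Arctic Wolf code; the function names, the warning text and the /24 threshold constant are assumptions taken from the recommendations above.

```python
"""Parse and validate Risk Scanner target entries (added example, not Arctic
Wolf code). Rules from the guide: the schedule Targets field accepts only
CIDR entries X.X.X.X/Y (a single host is X.X.X.X/32); the DenyList field also
accepts bare hosts and a hyphen range in one octet (10.0.0.1-3 expands to
10.0.0.1, 10.0.0.2, 10.0.0.3); ranges larger than /24 are flagged."""
import ipaddress
from typing import List, Tuple

# /24 is the largest recommended range; a shorter prefix length is larger.
SMALLEST_RECOMMENDED_PREFIXLEN = 24


def expand_octet_range(entry: str) -> List[str]:
    """Expand a hyphen range in one octet (10.0.0.1-3 -> three hosts)."""
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {entry!r}")
    ranged = [i for i, octet in enumerate(octets) if "-" in octet]
    if not ranged:
        return [entry]  # plain host, nothing to expand
    if len(ranged) > 1:
        raise ValueError(f"only one octet may carry a range: {entry!r}")
    pos = ranged[0]
    low, high = (int(part) for part in octets[pos].split("-", 1))
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range: {entry!r}")
    return [".".join(octets[:pos] + [str(v)] + octets[pos + 1:])
            for v in range(low, high + 1)]


def parse_targets(field: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse the schedule Targets field (CIDR only); return (networks, problems).

    A non-CIDR entry is an error (with the /32 form to use instead); a range
    larger than /24 is a warning, per the guide's sizing recommendation."""
    networks, problems = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            problems.append(f"error: {entry} is not CIDR; use {entry}/32 for a host")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            problems.append(f"error: {entry}: {exc}")
            continue
        if net.prefixlen < SMALLEST_RECOMMENDED_PREFIXLEN:
            problems.append(f"warning: {net} is larger than /24 and may time out")
        networks.append(net)
    return networks, problems


def parse_denylist(field: str) -> List[ipaddress.IPv4Network]:
    """Parse the DenyList IP/Networks field: CIDR networks, bare hosts, or
    single-octet hyphen ranges, comma-separated. Hosts become /32 networks."""
    networks = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
        else:
            for host in expand_octet_range(entry):
                networks.append(ipaddress.ip_network(f"{host}/32"))
    return networks
```

Entries that the Targets field would reject are reported rather than silently dropped, so a schedule can be corrected before it is saved.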

    Editing an existing scan schedule

    To edit an existing scan schedule:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the desired schedule, and then click the edit icon Edit.

      Tip: Use the Search bar to search for a specific schedule.

      The Configure Scanner Schedule dialog appears.

    3. Modify the schedule as desired. For example, to:

      • Raise the priority of an existing scan schedule — Set the Type or Priority values to the desired cadence. This is often used when a scan needs to be rerun to confirm a high-risk vulnerability remediation throughout the organization.
      • Change the frequency of the scan — Change the Type value to your desired frequency.
    4. Click Configure to save your changes.

    Brute force scanning username checks

    The Risk Scanner performs brute force scanning checks on the following non-exhaustive list of usernames:

    Note: In addition to these username checks, the Risk Scanner uses known default usernames of different devices to validate Common Vulnerabilities and Exposures (CVE).

    Enabling brute force scanning

    The Risk Scanner performs brute force scanning checks for default, known, or common usernames and passwords for various services and devices.

    Note: Arctic Wolf recommends only using these settings for troubleshooting or emergency situations.

    See Brute force scanning username checks for a non-exhaustive list of brute force scanning username checks.

    To enable brute-force scanning:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn on the Brute force checks toggle.

    4. Click Close.

      Your changes are automatically saved.

    Enabling CGI scanning

    To enable CGI scanning:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn on the CGI scanning toggle.

    4. Click Close.

      Your changes are automatically saved.

    Enabling a scan schedule

    A scan schedule can be enabled individually.

    To enable a scan schedule:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. In the Scanning Schedule section, locate the desired schedule, and then turn on the Scheduled Enabled toggle.

      Note: If the button appears dimmed, the scan is currently disabled.

    Stopping active and scheduled scans

    Active scans and scheduled scans can be stopped in bulk or individually.

    Stopping a scan schedule

    To stop a scan schedule:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the desired schedule, and then turn off the Scheduled Enabled toggle.

      Note: If the button appears dimmed, the scan is currently disabled.

      The Disable Scan Schedule dialog appears.

    3. Click Stop Scan Schedule.

    Stopping all scan schedules

    To stop all active and scheduled scans:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Stop All Scan Schedules.

      The Stop All Scan Schedules dialog appears.

    3. Click Stop All Scan Schedules to confirm.

    Disabling a scan

    Host Identification Scans and Vulnerability Scanning are required for normal operation, but if needed you can disable one or both of these types of scans.

    Notes:

    To disable a scan:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. In the Scanner Configuration section, do one or both of the following:
      • To temporarily disable IVA scanning, turn off the Vulnerability Scanning toggle. No new scans will run until you turn on the toggle again.
      • To disable host identification scans, turn off the Host Identification Scans toggle.

    Disabling brute force scanning

    Brute force scanning can lead to account lockouts if you have devices on your network that use the default or known usernames. We recommend that you update the device username from the known or default values to both enhance your security posture and avoid account lockouts during scanning. If that is not possible, you can disable the brute force scanning checks.

    To disable brute force scanning:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn off the Brute force checks toggle.

    4. Click Close.

      Your changes are automatically saved.

    Disabling CGI scanning

    Webmin applications often use the Common Gateway Interface (CGI), so disabling these scans removes many of the Webmin checks that the Risk Scanner performs. CGI is a legacy feature for web-based Active Directory sign-in pages that consistently experienced false-positive account lockouts. Disabling CGI scanning prevents the lockouts caused by Risk Scanner scans but does not mitigate the risk to the customer.

    For example, if a typical Webmin page using CGI has a vulnerability, the CGI scanning presumably discovers this vulnerability. If the discovered vulnerability involves bad actors using known or default credentials to sign in to the system, there is a risk of account lockout. Disabling the CGI scanning can limit the negative customer impact of account lockouts while the customer performs any remediation steps that are required to address the vulnerability.

    To disable CGI scanning:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn off the CGI scanning toggle.

    4. Click Close.

      Your changes are automatically saved.

    Deleting a scan schedule

    To delete a scan schedule:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the scan to delete, and then click the delete icon Delete.

      The Delete Schedule dialog appears.

    3. Click Delete Schedule.

    Verifying that an IVA re-scan is running

    To verify that an IVA re-scan is running:

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. Locate the IP address of the host that you want to confirm is being scanned.
    3. Verify that the Status of the IP address is Running or Scheduled.

    Verifying scanner health

    On a monthly or quarterly basis, do the following to review IVA Scanner and Arctic Wolf Agent scanning health:

    Checking IVA Scanner connectivity

    Arctic Wolf alerts you if IVA Scanners go offline, but it is also good practice to verify that online IVA Scanners are working as expected and that assets are scanned in a timely fashion.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, for Scanner ID, click the details icon Details.

      The Scanner Select dialog appears.

    3. In the Search field, click a scanner ID.

    4. In the Scanner Configuration section, verify that the Connection Status is Connected and that the Scanning Status is Scanning.

      • If the Connection Status is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication.

        See Arctic Wolf Portal IP Addresses page for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

      • If the Scanning Status is Degraded — Restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.

    5. Repeat steps 2 to 4 for additional scanners as needed.

    Checking the IVA Scanner rate

    Make sure assets are scanned at an appropriate interval. In general, a scanner scans ~150-250 assets in an 8 hour period. This number changes based on the type of system and environment. For example, if several large subnets of assets are only given a weekly scan with an 8 hour scan window, it might take more than a month to complete a full cycle of scanning. If you are concerned that your environment is not being scanned in a timely manner, consult with your CST to review the scheduling.

    To optimize scanning without increasing the scan window time, you can deploy additional physical scanners. This would allow you to scan multiple subnets in parallel. Adding resources to virtual scanners would not result in any meaningful increase in scan throughput because they would consume additional resources.
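    The cycle-time reasoning above can be made concrete. The estimator below is an added example, not Arctic Wolf code: it takes the guide's ~150-250 assets per 8-hour window as the scanner rate, counts the addresses in a schedule's CIDR targets (an upper bound, since only live hosts are actually scanned), and shows how the window length, the number of weekly windows and the number of parallel physical scanners change the time for one full cycle. The function names and the sample subnets are assumptions.

```python
"""Estimate how long a scan schedule needs to cover all of its targets once
(added example, not Arctic Wolf code). It applies the guide's rule of thumb of
roughly 150-250 assets per scanner per 8-hour window, so a weekly 8-hour
schedule over several large subnets can take more than a month per cycle.
Address counts from CIDR are an upper bound: only live hosts are scanned."""
import ipaddress
import math
from typing import Iterable, Tuple

ASSETS_PER_8H_LOW, ASSETS_PER_8H_HIGH = 150, 250  # scanner rate from the guide


def address_count(targets: Iterable[str]) -> int:
    """Total addresses in the schedule's CIDR targets (an upper bound on assets)."""
    return sum(ipaddress.ip_network(t, strict=False).num_addresses for t in targets)


def windows_needed(targets: Iterable[str], window_hours: int = 8,
                   scanners: int = 1) -> Tuple[int, int]:
    """Return (best_case, worst_case) scan windows to cover every address once.

    Throughput scales with the window length and, per the guide, with the
    number of physical scanners working subnets in parallel."""
    assets = address_count(targets)
    scale = window_hours / 8 * scanners
    best = math.ceil(assets / (ASSETS_PER_8H_HIGH * scale))
    worst = math.ceil(assets / (ASSETS_PER_8H_LOW * scale))
    return best, worst


def cycle_weeks(targets: Iterable[str], window_hours: int = 8,
                windows_per_week: int = 1, scanners: int = 1) -> Tuple[int, int]:
    """Weeks for one full cycle: a Weekly schedule gives one window per
    checked weekday; a Daily schedule gives seven."""
    best, worst = windows_needed(targets, window_hours, scanners)
    return math.ceil(best / windows_per_week), math.ceil(worst / windows_per_week)


if __name__ == "__main__":
    # Constructed schedule: three /22 subnets, Weekly, one weekday, 8-hour window.
    subnets = ["10.10.0.0/22", "10.20.0.0/22", "10.30.0.0/22"]
    print("windows:", windows_needed(subnets))                    # (13, 21)
    print("weeks, 1 scanner:", cycle_weeks(subnets))              # (13, 21)
    print("weeks, 2 scanners:", cycle_weeks(subnets, scanners=2))  # (7, 11)
```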

    See Managed Risk Scanner FAQ for more information.

    Checking Agent scanning health

    Agent scans are set and managed by your CST, but you can view the results of Agent scans and identify assets that were scanned or missed.

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Scan Details section, enter a date that is prior to the scan date you want to verify, and then click Apply.

    3. Click Get Data.

    4. Review the Status of each scan, to identify if the scan was successful or not.

      See Viewing Agent Scan Details for more information. If an asset with the Agent is not being scanned correctly or if assets are missing from the scan schedule, contact your CST at security@arcticwolf.com.

      Tip: You can copy the information from the Agent Scan Details section and paste it into a Microsoft Excel spreadsheet. The table structure is maintained for easier analysis.

    5. (Optional) In the Scans Detail column, click the details icon Details, to view additional details for a scan.

    Scanner Console

    The Scanner Console page displays connection status and scanning status information for each sensor ID.

    Tools

    The Tools section of the Risk Dashboard includes links to a variety of Arctic Wolf tools, including:

    FAQ

    These are some frequently asked questions about the Risk Dashboard.

    Q: What browsers support the Managed Risk Dashboard?

    A: Only the latest version of Google Chrome is supported to view the Managed Risk dashboard. While other browsers may work without issue, Arctic Wolf is unable to support any issues arising from using an unsupported browser.

    Q: My Risk Dashboard is doing something weird, how can I fix it?

    A: Performing a hard page refresh usually corrects any unexpected behavior. The keyboard shortcuts for a hard refresh are:

    Q: Why did the state of a risk change to "Unsuccessful Validation"?

    A: When you set the state of a risk to Fixed, Waiting Validation, and a subsequent scan of that host still detects the same issue, the system moves the state of that risk to Unsuccessful Validation. This lets you know that your changes did not successfully mitigate that specific vulnerability.

    Q: What does "The risk is confirmed resolved by the user" status reason mean?

    A: If the Status Reason value is The risk is confirmed resolved by the user, the risk became inactive and was no longer scanned after you changed the State value of the risk to Mitigated.

    See Risk statuses for more information about inactive risks, and Risk states for more information about the Mitigated risk state.

    Q: What does the "Degraded" scanner status mean?

    A: The Degraded Scanner Status means that a scan was not completed within a specific number of days. This usually occurs if the scanner is not upgraded to the latest version, or if a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is continually blocking traffic to or from the device.

    Other Scanner Status values are Not Configured and Scanning.

    See Scanner Configuration for more information about these values.

    Q: What should I do if a scanner has the "Degraded" status?

    A: When a scan runs, the scanner status automatically updates. If:

    If your scanner is still marked as Degraded or if you have any questions, contact your CST.

    Q: Why does the scan take longer than the designated time window in the scanning schedule?

    A: The time specified in the Scanning Schedule table for a scan is not the length of time that the scan actually takes. The scanning window defines the start time for the scan, and some scans take up to two hours longer than their scheduled scanning window.

    Q: Which subnet ranges should I configure for scanning?

    A: We recommend scanning subnet ranges of /24 or smaller; avoid /8, /16, or /20 ranges, because scanning such large ranges is likely to cause a timeout.

    See Managed Risk Scanner FAQ for more information about subnet scan ranges.

    Q: How is the rescan request placed in the queue?

    A: When a target host is selected for rescanning, the target host is placed at the top of the least recently scanned list, allowing it to be scanned next as capacity increases. Selecting Rescan does not immediately start a new scan.

    Note: If the target host identified for rescan is offline at the time of the rescan request, the Risk Scanner attempts to rescan the host. This scenario can happen because risks are not removed from the Risks table until the target host has been offline for more than 24 hours.

    See also

    Managed Risk Scanner FAQ