Risk Dashboard

Updated Sep 25, 2023

The Risk Dashboard is an interactive dashboard that lets you identify, monitor, and acknowledge risks within your network. It includes the following pages:

Page: Description

Overview: Provides an overview of your network, including risk score and asset health. See Overview page for more information.
Management Plan: Displays risks and the plans they are assigned to, lets you create plans, and lists risks that are not assigned to any plan. See Management Plan page for more information.
Risks: Lists all risks that a Managed Risk source identified in your network, sorted by risk score. See Risks page for more information.
Assets: Provides information about the assets in your network. See Assets page for more information.
Agent: Displays risk, asset, and Center for Internet Security (CIS) benchmark data discovered during Agent scans. See Agent page for more information.
EVA: Displays risk data discovered during External Vulnerability Assessment (EVA) scans. See EVA page for more information.
Config > Scanner Config: Allows you to configure your Internal Vulnerability Assessment (IVA) and Credentialed Scanning schedules. See Scanner Config page for more information.
Scanner Console: Displays connection status and scanning status for each sensor ID. See Scanner Console page for more information.

The Risk Dashboard also includes a variety of tools, such as documentation and a downloads area where you can download virtual machine images.

See Tools for more information.

Requirements

Access the Risk Dashboard

  1. Go to https://risk.arcticwolf.com.
  2. Sign in using your access credentials.

Routine Risk Dashboard tasks

The following table describes Risk Dashboard tasks that you should complete on a regular basis:

Task: Recommended frequency

Review active risks: Weekly or monthly*
Review inactive risks: Weekly or monthly*
Review risks that failed validation: Weekly or monthly*
Review mitigated risks: Monthly or quarterly
Review assets: Monthly or quarterly
Verify scanner health: Monthly or quarterly
Edit an asset category: Monthly or quarterly
Edit asset criticality: Monthly or quarterly
Edit asset tags: Monthly or quarterly
Evaluate the risk score: Monthly or quarterly

*Varies depending on the frequency of scans and on how large or diverse the environment is. New and mitigated risks might be found frequently, because Internal Vulnerability Assessment (IVA) scans can be configured to run continuously and Agent scans are scheduled daily.

Overview page

The Overview page of the Risk Dashboard provides an overview of your network including risk score and asset health. The page includes the following sections:

View risk metrics

Risk metrics are located at the top of all Risk Dashboard pages except for the Scanner Console page. The following metrics are provided:

Tips:

  • Click a metric value to view the vulnerabilities that make up that metric on the Risks page.
  • Each metric has a tooltip that provides information about the metric.

Current Risk score

Arctic Wolf calculates your current risk score from Common Vulnerability Scoring System (CVSS) scores, using both CVSS version 2 (CVSSv2) and CVSS version 3 (CVSSv3). The score is a weighted average across all vulnerabilities found on your network. CVSS provides an open framework for communicating the severity of information security vulnerabilities. Specifically, the CVSS score provides an objective metric that Arctic Wolf uses to prioritize vulnerabilities so that the highest risk vulnerabilities are remediated first.

Tip: NIST maintains the National Vulnerability Database (NVD), which the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) that are updated in real time. Each CVE provides details about a known information security vulnerability, including a CVSS score. For additional information, see the NIST CVSSv2 calculator and the NIST CVSSv3 calculator.

Your risk score updates automatically when a change occurs, for example when a new risk is found in your network or when you change the State of an existing risk.

Note: When an internal network scan no longer detects a vulnerability, the device is promptly cleared of that vulnerability if either of the following is true:

  • The risk state is Fixed, Waiting Validation.
  • No manual changes are made to the state within 45 days.

Target score

The Overview page displays trends of your risk score over time in comparison to others in the industry.

Risk can never be completely eliminated, only reduced. To use resources effectively, mitigate the highest risk vulnerabilities first, followed by medium risk vulnerabilities, and then the highest risk internal vulnerabilities. Mitigate the lower risk vulnerabilities last.

Industry studies show a strong correlation between high severity CVEs and both short time to exploit and frequency of exploitation. Therefore, an effective mitigation and prioritization strategy addresses all high severity CVEs with the highest urgency.

Network health

Your network health is based on risk score and number of vulnerabilities. A low risk network is a healthier network.

Vulnerabilities

A vulnerability is a weakness in software, an operating system, or a service that can be exploited. Managed Risk scanners identify, quantify, and prioritize or rank the vulnerabilities in a system. Vulnerabilities are classified as issues.

A zero-day vulnerability is a vulnerability that bad actors or third parties exploit before the vendor has released a fix for it.

View risk score trends

  1. In the Risk Dashboard navigation pane, click Overview.

  2. (Optional) In the Risk Score Trends section, change the risk timeline:

    • Click Monthly to view the data on a monthly timeline.
    • Click Daily to view the data on a daily timeline.
  3. (Optional) Change the chart format:

    • Click Bar to view the data as a bar chart.
    • Click Line to view the data as a line chart.

    Tip: Click Restore to restore the chart to the default settings.

  4. (Optional) Hover over the chart to see the numerical value of your risk score, industry risk score, and target.

Evaluate the Current Risk Score

The Current Risk Score is an overall risk score that represents the entire risk environment of your network. It includes external, internal, host, and cloud risks. On a monthly or quarterly basis, evaluate your risk score and identify the risk types that affect it the most. Risks with a high vulnerability score affect your Current Risk Score more than risks with a low vulnerability score, so addressing low-scoring risks may not visibly change the risk score.

  1. In the Risk Dashboard navigation pane, click to open any page except Scanner Console.

  2. For the Current Risk Score, located in the upper-left, click Information.

    The Risk Score screen appears.

  3. Review each risk score Category to see the overall score of that particular type of risk, and take note of the Category names. The highest scoring Category should match the overall published risk. Review Severities with a High rating because they have the highest impact on the risk score.

  4. In the navigation pane, click Risks.

  5. In the Filters section, enter a Category name in the Search field to review the risks for that category.

    Tip: The search is a full-text search, so it might find risks from a different Category that have the search words in the description. You can export the list as a CSV file, to view the Category of each.

See Quantifying Cyber Risk: Calculating the Arctic Wolf Managed Risk Score for more information about the risk score algorithm.

Download Risk Score Trends

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Risk Score Trends section, click CSV.

    A CSV file downloads to your device.

Download Asset Class Health

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Asset Class Health section, click CSV.

    A CSV file downloads to your device.

Download Asset Health

  1. In the Risk Dashboard navigation pane, click Overview.

  2. In the Asset Health section, click CSV.

    A CSV file downloads to your device.

Download an Executive Summary

The Executive Summary PDF report includes all of your scan summary data and details about any risks with a score of 9 or higher.

  1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

  2. Click Executive Summary.

    The Executive Summary dialog appears.

  3. (Optional) Enter a name in the Prepared For field.

  4. Select the checkboxes of the items that you want to include in the Executive Summary report:

    Note: If you refresh the page, or navigate elsewhere, your selections reset.

    • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
    • Risk Severity Summary — A summary of your risks categorized by severity.
    • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
    • Identified Risks — A list of the active risks in your network.
    • Risk Score Trends — Your risk score history as it appears on the Overview page.
    • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
    • Network Risk Overview — A heat map of your asset health.
    • Accepted Risks — A list of the risks that you have acknowledged.
  5. Click Download PDF.

    The PDF file downloads to your device.

Download a Risk Assessment

The Risk Assessment PDF report includes all of the summary data plus details on all risks with a score of 5 or higher.

  1. In the Risk Dashboard navigation pane, click any page except Scanner Console.

  2. Click Risk Assessment.

    The Risk Assessment dialog appears.

  3. Enter the following:

    1. (Optional) In the Prepared For field, enter a name for the report.
    2. In the Min Score dropdown, select the minimum risk score for the report. All matching risks with a score greater than or equal to that value will be included in the report.
  4. Select the checkboxes of the items that you want to include in the Risk Assessment report:

    Note: If you refresh the page, or navigate elsewhere, your selections reset.

    • Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
    • Risk Severity Summary — A summary of your risks categorized by severity.
    • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
    • Identified Risks — A list of the active risks in your network.
    • Risk Score Trends — Your risk score history as it appears on the Overview page.
    • Risk Classification Summary — A summary of your risks categorized by their remediation actions.
    • Network Risk Overview — A heat map of your asset health.
    • Accepted Risks — A list of the risks that you have acknowledged.
  5. Click Download PDF.

    The PDF file downloads to your device. This report is only available in PDF format.

Management Plan page

The Management Plan page shows the risks in your network and the plans they are assigned to. On this page, you can create plans and see risks that are not currently assigned to any plan. The page includes the following sections:

Plan section

The Plan section is located on the Management Plan page. It allows you to view, create, and close plans.

A plan is a collection of risks that match certain criteria as defined in system rules. Information is displayed in a format similar to a Gantt chart. A timeline shows the estimated completion date for each plan, and color is used to indicate the following:

Note: Risk severity colors appear when you expand a plan to view the risks that are mapped to it.

See View a plan, Create a plan, and Close a plan for more information.

View a plan

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. In the Plan section, choose the Week, Month, or Quarter option, to specify the timeline scale.

  3. (Optional) You can use the following plan filters to refine the items that appear in the Plan chart:

    Filter: Description

    Users: Select a user to see the plans that are associated with that user.
    Risk Score: Use these filters to view the plans that include risks with risk scores within the value range that you specify.
    Risk State: Select a state to view the plans that include risks in that state. See Risk states for more information.
    Created Before: Select a calendar date to view all of the plans that were created before that date.

    Click Clear All at any time to remove all filters.

  4. (Optional) In the Plan section, click + beside the name of the plan that you want to view, to view plan details.

    The row expands to display the risks contained in the plan and the associated timeline for each.

Change the timeline scale for plans

The Plan timeline displays the estimated completion date for each plan. You can adjust the timeline scale to be weekly, monthly, or quarterly. Custom timeline scales are not supported.

  1. In the Risk Dashboard navigation pane, click Management Plan.
  2. In the Plan section, choose the Week, Month, or Quarter option.

View unassigned risks

Unassigned risks are risks that are not currently assigned to a plan.

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Scroll down to the Unassigned Risks table.

    See Risks and Unassigned Risks sections for more information about the table columns.

Create a plan

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Click Create Plan.

    The Create Plan dialog appears.

  3. Enter a title and description for the plan.

  4. (Optional) Select a Severity value from the dropdown list to create a plan that only includes risks of that severity.

    Tip: Risk severity is based on risk score.

  5. Click Create Plan.

  6. Add risks to your new plan.

    See Assign a single risk to a plan and Assign multiple risks to a plan for more information.

Assign a single risk to a plan

  1. In the Risk Dashboard navigation pane, click Risks.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters section for more information.

  3. In the Risks table, click the required risk.

  4. In the information panel, scroll down to Plan, and then select the required plan title from the list.

    Your changes are automatically saved.

Assign multiple risks to a plan

  1. In the Risk Dashboard navigation pane, click Risks.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters section for more information.

  3. In the Risks table, select the checkbox next to each risk you want to update.

  4. Click Update Selected.

    The Bulk Update dialog appears.

  5. Select the required plan title from the Plan list.

  6. Click Update.

Move a risk between plans

To change the plan that a risk belongs to:

Close a plan

Note: We recommend mitigating all risks in a plan before closing it. If any risks are not mitigated, the plan reopens when those risks are rediscovered during the next scan.

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. Click Close Plan.

    The Close Plan dialog appears.

  3. Select a plan from the list that you would like to close.

  4. Click Close Plan.

Download the Unassigned Risks table data

  1. In the Risk Dashboard navigation pane, click Management Plan.

  2. (Optional) Use Filters to narrow the list of risks that appear on the page.

    See Filters section for more information.

  3. In the Unassigned Risks section, click Download CSV.

    A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risks table.

    Note: Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.

Risks page

The Risks page lists all risks that a Managed Risk source identified in the network, sorted by risk score. The page includes the following sections:

Risks and Unassigned Risks sections

The Risks section is located on the Risks page. It includes a table with details about each risk that was identified in the network. The Unassigned Risks section is located on the Management Plan page. It includes a table with risks that are not currently assigned to a plan. Both tables have the same columns.

You can change how the information displays in the tables:

Both tables have the following columns:

Column: Description

Source: The source that discovered the risk, such as a scan or Arctic Wolf Agent.
Host: The host where the risk was discovered.
Issue: The risk title or issue name.
Risk Score: The risk rating. The higher the risk score, the more severe the risk.
Asset Criticality: The criticality value of the asset where the risk was discovered. See Edit Asset Criticality for more information.
Action: The action that is required to mitigate the risk.
State: The state of the risk, which is one of:
  • Open
  • False Positive
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Fixed, Waiting Validation
  • Accepted
  • Unsuccessful Validation
  • Mitigated
  See Risk states for more information.
Status: The status of the risk, which is one of:
  • Active
  • Inactive
  • Obsolete
  • Mitigated
  See Risk statuses for more information.
Resolution Date: The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Age: The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not.
Days to Resolution: The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Asset Tags: The tags that apply to the asset where the vulnerability was discovered.

Filters section

A Filters section for risks is located on the Management Plan and Risks pages. You can use the following filters to refine the items that appear in the Unassigned Risks or Risks tables:

Filter: Description

Risk Score: Use these options to narrow the risk table based on severity:
  • Click Low, Medium, High, or Critical to view only the vulnerabilities with corresponding risk scores.
  • Use the numerical filters to see the vulnerabilities that have risk scores within the value range that you specify.
Users: Select a username to see the risks that are assigned to that user. You can select multiple usernames.
Resolved Date Range: Enter a date range to view the risks that were resolved within that time period.
  Tip: Combine this filter with the State filter values False Positive, Accepted, and Mitigated to isolate resolved risks.
State: Select a state to view the risks that are currently in that state. You can select multiple states. See Risk states for more information.
Status: Select a status to view the risks that currently have that status. You can select more than one status. See Risk statuses for more information.
  Tip: To view mitigated risks, set the Status filter to Mitigated. To view obsolete risks, set the Status filter to Obsolete. You can also click a metric value to apply the filters that make up that metric.
Search: Enter a search term to automatically filter entries in the Risks table. Filter results are based on search term matches in any column.
Source: Select or deselect these options to show or hide the risks that these scan types identified:
  • IVA — Show or hide the risks that an IVA scan discovered.
  • EVA — Show or hide the risks that an External Vulnerability Assessment (EVA) scan discovered, based on scan group configuration.
  • Agent — Show or hide the risks that an Agent scan discovered.
Asset Tags: Select one or more of these options to show the discovered assets with the selected tags. See Edit asset tags for more information.
Asset Criticality: Select a criticality value to show risks that were discovered on assets with the selected criticality. See Edit Asset Criticality for more information.
Discovery Date Range: Enter a date range to view the risks that were discovered within that time period.

Click Clear Filters at any time to remove all filters.

Default Risk filters

By default, the Risks page loads with the following filters applied:

Filter: Default value(s)

Risk Score: 4 to 10
State:
  • Open
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Unsuccessful Validation
Status:
  • Active
  • Inactive

Tip: Click a different page in the Risk Dashboard, and then return to the Risks page, to reset the Risk filters to the default values.

See Filters section for more information.

Risk states

All detected risks within your network have a State value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. You can manually change the State of a risk. Changing this value does not affect whether the Risk Scanner detects, or is capable of detecting, the risk on the host machine. If you do not make changes, the default state of a risk is Open.

Notes:

  • Accepted and False Positive risks do not contribute toward the Risk Score calculation.
  • Unsuccessful Validation is a system-assigned state for any risk that was previously marked as Fixed, Waiting Validation but was detected again in a subsequent vulnerability scan.

The risk State values that you can select are:

State: Select this option when

Open: You are not currently taking any actions for this risk.
False Positive: You mitigated the risk in a way that the Risk Scanner does not account for.
Acknowledged, In-Planning: You plan to address the risk through direct resolution, or by taking recommended or other mitigation steps.
Mitigation/Fix in Progress: You are currently addressing the risk through mitigation actions.
Fixed, Waiting Validation: You believe the risk is mitigated.
  Note: The next scan validates whether the vulnerability still exists. If the vulnerability:
  • Still exists — The state changes to Unsuccessful Validation.
  • Could not be checked — The state does not change.
  • Was not detected — The state does not change. The status changes to Mitigated.
Accepted: You choose to accept the risk. See Accept a vulnerability for more information.
Mitigated: You successfully mitigated the risk.
  Note: This option is only available if the status of the risk is Inactive.

Risk statuses

All detected risks within your network have a Status value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. The system assigns this value automatically.

Status: Description

Active: A risk that a recent IVA scan identified on a device that is currently online.
Inactive: A risk that a recent IVA scan identified on a device that is either:
  • Currently offline.
  • Not identified in the most recent scan, but still in an actionable state. The reason that the risk is marked as inactive is displayed in the Status Reason field in the risk details.
  Note: If a device that is subject to IVA scanning goes offline, we cannot confirm whether the risk is mitigated, and the risk is marked Inactive. This is usually due to a network connectivity issue.
Obsolete: A risk that has not appeared in vulnerability scanning results for a set number of days:
  • For risks that Agent discovers, the number of days is 45.
  • For risks that EVA scans or IVA scans discover, the number of days is 90.
  Risks that are marked as Obsolete are removed from the Risks table after seven days.
Mitigated: A risk that was mitigated. Mitigated risks are automatically removed 90 days after entering the Mitigated status.
  Note: Risks can have a Status of Mitigated but retain a State of Fixed, Waiting Validation.
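The State and Status rules above interact in ways that are easy to get wrong when you reconcile the dashboard with your own ticketing data, so here is a small Python model of them. It is an added example written for this page, not Arctic Wolf code, and it encodes only what the Risk states and Risk statuses tables say: validation of a Fixed, Waiting Validation risk on the next scan, the Inactive status for an IVA target that was offline or not seen, the Obsolete thresholds (45 days for Agent, 90 for IVA and EVA) and the seven-day and 90-day removal rules, and the exclusion of Accepted and False Positive risks from the score. The Risk record, the detected=None convention for a host that could not be checked, and the treatment of an Agent finding that simply stops appearing (it keeps its Status until it ages to Obsolete, because the page's Agent lifecycle text is incomplete) are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# State values. Users set these, except Unsuccessful Validation, which the system sets.
OPEN = "Open"
FALSE_POSITIVE = "False Positive"
FIXED_WAITING = "Fixed, Waiting Validation"
ACCEPTED = "Accepted"
UNSUCCESSFUL = "Unsuccessful Validation"
# Status values. The system always sets these.
ACTIVE, INACTIVE, OBSOLETE, MITIGATED = "Active", "Inactive", "Obsolete", "Mitigated"

# Days without a detection before a risk becomes Obsolete, keyed by Source value.
OBSOLETE_AFTER = {"agent": 45, "scanner": 90, "external": 90}
OBSOLETE_REMOVE_AFTER = 7    # Obsolete risks leave the Risks table after seven days
MITIGATED_REMOVE_AFTER = 90  # Mitigated risks are removed 90 days after mitigation


@dataclass
class Risk:
    """Assumed minimal record; the real risk carries many more fields."""
    issue_id: str
    source: str                # "agent", "scanner" (IVA) or "external" (EVA)
    last_detected: date
    state: str = OPEN
    status: str = ACTIVE
    status_since: Optional[date] = None
    removed: bool = False      # True once the risk has left the Risks table

    def counts_toward_score(self) -> bool:
        # Accepted and False Positive risks do not contribute to the risk score.
        return not self.removed and self.state not in (ACCEPTED, FALSE_POSITIVE)


def _set_status(risk: Risk, status: str, when: date) -> None:
    if risk.status != status:
        risk.status, risk.status_since = status, when


def apply_scan(risk: Risk, scan_date: date, detected: Optional[bool]) -> Risk:
    """Apply one scan result. detected is True (still present), False (not
    detected) or None (the host could not be checked, e.g. an IVA target that
    was offline; the None convention is this example's, not the product's)."""
    if risk.removed:
        return risk
    if detected is None:
        # Nothing can be confirmed. An IVA target that is offline is marked Inactive.
        if risk.source == "scanner":
            _set_status(risk, INACTIVE, scan_date)
        return risk
    if detected:
        risk.last_detected = scan_date
        if risk.state == FIXED_WAITING:
            risk.state = UNSUCCESSFUL          # system-assigned when validation fails
        _set_status(risk, ACTIVE, scan_date)   # a rediscovered risk is Active again
        return risk
    # Not detected. A fix awaiting validation is confirmed, and an EVA finding that
    # disappears is Mitigated even though its State stays as the user set it.
    if risk.state == FIXED_WAITING or risk.source == "external":
        _set_status(risk, MITIGATED, scan_date)
    elif risk.source == "scanner":
        # Still actionable but absent from the latest IVA results: Inactive.
        _set_status(risk, INACTIVE, scan_date)
    # Assumption: an Agent finding that stops appearing keeps its Status until it
    # ages out in age_out(), since the page's Agent lifecycle text is cut off.
    return risk


def age_out(risk: Risk, today: date) -> Risk:
    """Apply the time-based rules: Obsolete after the per-source number of unseen
    days, removal seven days after that, and removal 90 days after mitigation."""
    if risk.removed:
        return risk
    if risk.status == MITIGATED:
        if risk.status_since and (today - risk.status_since).days >= MITIGATED_REMOVE_AFTER:
            risk.removed = True
        return risk
    threshold = OBSOLETE_AFTER[risk.source]
    if risk.status != OBSOLETE and (today - risk.last_detected).days >= threshold:
        # Date the Obsolete status from the day the threshold was crossed, not from today.
        _set_status(risk, OBSOLETE, risk.last_detected + timedelta(days=threshold))
    if (risk.status == OBSOLETE and risk.status_since
            and (today - risk.status_since).days >= OBSOLETE_REMOVE_AFTER):
        risk.removed = True
    return risk


if __name__ == "__main__":
    r = Risk("issue-1", "scanner", date(2023, 9, 1), state=FIXED_WAITING)
    apply_scan(r, date(2023, 9, 8), False)   # fix confirmed by the next IVA scan
    print(r.state, r.status)                 # State unchanged, Status Mitigated
```

Two details worth noticing when you run it: the State of a confirmed fix never changes on its own (only the Status does, which is why the dashboard can show Mitigated alongside Fixed, Waiting Validation), and the Obsolete clock is anchored to the last detection rather than to whenever the rule happens to be evaluated, so a risk that ages out is removed exactly seven days after crossing its threshold.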

Risk information pane

When you select a risk in the Risks table, an information pane opens for that risk. You can change some fields in the information pane. Changes are reflected immediately.

Note: If a field is irrelevant to the source that discovered the risk, or if the field has no value, it is set to N/A.

The risk information pane has the following fields:

Field: Description

Resolution Date: The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Age: The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not.
Days to Resolution: The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Action: The action that is required to mitigate the risk.
Risk Score: The risk rating. The higher the risk score, the more severe the risk.
Issue Description: A description of the risk.
Additional Details: Click Details to view additional information that the scanner identified about the risk.
Remediation: The recommended actions to mitigate this risk.
First Detected: The date and time when this risk was first seen.
Most Recent Detected: The date and time when this risk was last seen.
Status: The status of the risk. See Risk statuses for more information.
State: The state of the risk. Select an option to change the state of a risk. See Risk states for more information.
Assigned To: The email of the user who is assigned to manage the risk. Select an option to change the assignment.
Due Date: The date by which this risk should enter the Fixed, Waiting Validation state. Select the date by which remediation actions should be completed.
Plan: The plan that this risk is assigned to. Select an option to change the assignment.
Host: The hostname of the asset on which the Agent or scanner identified the risk.
Source: The source that discovered the risk. Possible values include:
  • external — This indicates an EVA scan.
  • scanner — This indicates an IVA scan.
  • agent — This indicates an Agent scan.
Issue Category: The category of the issue. Possible values include:
  • Hardware
  • Configuration
  • SMB
  • Dictionary
  • Patch Exploits
  • Data Leak
  • Webcrawler
CVEs: Any known CVEs that this risk is part of.
References: A link to documentation that outlines the steps recommended in Remediation.
Last Updated By: The user who last updated the fields in this information pane for this risk.
Comments: Any current comments about this risk that other users have left. Click Comments to open the Comments dialog, where you can leave your own comments.
Asset ID: The ID of the asset that has the vulnerability.
Issue ID: The unique identifier of the risk.
Scanner ID: The ID of the scanner that performed the IVA scan, if applicable.
Deployment ID: If this risk was identified during:
  • An IVA scan — This field displays the deployment ID of the scanner.
  • An EVA scan — This field displays the deployment ID of the target risk.
  • An Agent scan — This field displays the organization ID.
Host Annotations: Any host alias or annotations that were discovered during EVA scanning, if applicable.
Status Reason: An explanation of the risk status that results from IVA scanning, if applicable.
Issue Impact: The potential impact to the organization if a bad actor exploits this vulnerability. Possible values include:
  • Data Theft — A bad actor can read and potentially modify unauthorized data that is stored on this host.
  • Denial of Service — A bad actor can intentionally disrupt one or more key services running on this host. Depending on the criticality of the service, this may disrupt daily employee tasks.
  • Session Hijack — A bad actor can take control of an open browser session, for example an online banking session or a Microsoft 365 session.
  • Account Theft — A bad actor can take over the account of a user or administrator. This lets the bad actor access any authorized service or data normally available to the compromised account, for example reading or writing to a database or file storage to steal or modify data, stopping critical services, or, if this is an administrator account, installing malware such as backdoors, key loggers, or rootkits that compromise the host entirely.
  • Insecure Obsolete Software — The software is no longer supported and does not receive any security patches. Therefore the software likely contains many open and unidentified security vulnerabilities that a bad actor could easily take advantage of.
  • Active Breach Indicator — There are indicators that this host was or is currently breached. Investigate immediately to determine whether any mitigation steps are required.
  • Host Breach — This host is vulnerable to a bad actor taking over the host entirely, stealing or modifying data, denying services, or installing malware such as backdoors, key loggers, or rootkits.
  • Company Reputation — A bad actor can use open services on this host to attack other internet-connected devices. For example, a bad actor could use a misconfigured Network Time Protocol (NTP) server for a reflection distributed denial-of-service (DDoS) attack, or use an open email relay to send spam. This could result in your resources being publicly blocked or otherwise negatively affect the reputation of your organization.

To initiate a new scan, click Rescan. This only works with IVA and Agent risks.

Risk State and Status lifecycles

To effectively review risks and maintain an accurate risk score in your Risk Dashboard, it is important to understand risk states and statuses and their lifecycle.

Generally, the risk State is set manually by the Risk Dashboard administrator, and the risk Status is set automatically by the system based on certain conditions. The one exception is the risk State of Unsuccessful Validation, which the system sets automatically if the State was previously Fixed, Waiting Validation but the risk was detected again during the next scan.

The lifecycle of the risk State and Status differs depending on the Source that discovered the risk:

For all three Sources, changing the State to Accepted or False Positive removes the risk from the list of actionable risks and from the risk calculation.

See Risk states and Risk statuses for additional information.

Risks discovered using Arctic Wolf Agent

When a risk is discovered using Arctic Wolf Agent, the risk Source is Agent. Each newly discovered risk has a State of Open and a Status of Active. During the next scan:

Risks discovered using EVA scanning

When a risk is discovered using External Vulnerability Assessment (EVA) scanning, the risk Source is EVA. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan, if the risk is no longer found, the Status automatically changes to Mitigated. The State remains Open, even though the risk is mitigated, because that value is set manually.

Risks discovered using IVA scanning

When a risk is discovered using IVA scanning, the risk Source is IVA. Each newly discovered risk has a Status of either:

Rescan assets with risks

From the Risks page, you can select one or more risks to rescan the assets that those risks belong to. The assets are rescanned for all risks.

Note: You cannot rescan assets that were discovered through an EVA scan.

  1. In the Risk Dashboard navigation pane, click Risks.
  2. In the Risks table, select each risk to rescan.
  3. Click Rescan to add the risk to the scan queue.
  4. Click Rescan to confirm.

    Rescan IVA assets

    You can rescan IVA assets to view internal network risks. This procedure is commonly used to verify that a risk is mitigated.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. Go to https://risk.arcticwolf.com/risks?assetID=<asset_ID>, where <asset_ID> is the asset ID.

      Tip: You can obtain the asset ID from the Risk information pane.

    3. In the Filters section, clear the EVA and Agent checkboxes.

    4. In the Risks table, select the checkbox of each risk with a State of Mitigated that you want to rescan.

    5. Click Update Selected.

      The Bulk Update dialog appears.

    6. In the State list, select Fixed, Waiting Validation.

      This setting allows you to see the State change to Unsuccessful Validation if the risk is still detected, or the Status change to Mitigated if the risk was successfully fixed.

    7. Click Update.

    8. Clear the checkbox of each risk that you do not want to rescan.

    9. Click Rescan.

      The Rescan Risks dialog appears.

    10. Click Rescan.

    Review active risks

    On a weekly or monthly basis, review active risks.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Active filter.

      • Discovery Date Range — Enter a date range as appropriate to view the newly discovered active risks.

      The Risks section displays active risks that occur within the specified date range.

    See Risk Statuses for more information.

    Review inactive risks

    On a weekly or monthly basis, review and update inactive risks. Inactive risks are included in default views and reports, and they count toward your risk score. Reviewing inactive risks helps to maintain an accurate risk score.

    See Risk Statuses for more information.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Inactive filter.

    3. Review the inactive risks, and then do one of the following:

      • Change the State of all Inactive risks.

        See Change the State of Inactive risks for more information.

      • Manually review an individual Inactive risk, and then update it with the appropriate State.

        See Change the State of Inactive risks for more information.

      • Do nothing. 90 days after the risk was last detected, the Status automatically changes to Obsolete if the device is offline or Mitigated if the device is no longer detected. Obsolete and Mitigated risks are removed from the default view (which only includes Active and Inactive risks), and are removed from the risk score calculation.

    Review mitigated risks

    On a monthly or quarterly basis, review mitigated risks to verify that the risks were resolved as expected.

    Note: Mitigated risks are automatically removed after 90 days.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. Change the State of Inactive risks that are fixed to Mitigated.

      See Change the State of Inactive risks that are fixed to Mitigated for instructions.

    3. (Optional) Verify that a Mitigated risk is resolved.

      See Verify that a Mitigated risk is resolved for instructions.

    See Risk States for more information.

    Change the State of Inactive risks that are fixed to Mitigated

    Note: Before you start this procedure, review mitigated risks. See Review mitigated risks.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the following filters:

        • Open
        • Acknowledged, In-Planning
        • Mitigation/Fix in Progress
        • Fixed, Waiting Validation
        • Unsuccessful Validation
      • Status — Add the Inactive filter.

    3. In the Risks section, review the risks. These are risks that were not detected in the last scan, or that are related to offline assets. If you expect any of these risks to be fixed, change the State to Mitigated.

      See Review inactive risks for more information.

    4. In the Filters section, set the following filters:

      • Status — Add Mitigated and Obsolete and remove Inactive.
      • Resolved Date Range — Enter a date range as appropriate to view mitigated risks that occurred after fixes or patches were installed.
    5. In the Risks section, review the risks you updated earlier. Verify that mitigation occurred as expected.

      Tip: View the Status of the risk to determine if it is resolved. The State is user-assigned, so it retains the value it had prior to being confirmed as mitigated (including Unsuccessful Validation).

    6. (Optional) Verify that the mitigated risk is resolved.

      See Verify that a Mitigated risk is resolved for more information.

    Verify that a Mitigated risk is resolved

    After you change the State of an inactive IVA risk to Mitigated, you can rescan the asset to confirm that the risk is resolved.

    Tip: You can only rescan IVA and Agent risks. You cannot rescan an EVA risk.

    Note: Mitigated risks are automatically removed after 90 days.

    1. Change the State of Inactive risks that are fixed to Mitigated.

      See Change the State of Inactive risks that are fixed to Mitigated for more information.

    2. In the Risks section, verify that the Source and State columns are visible. If required, click Columns, and then select the Source and State checkboxes to view these columns.

    3. In the Source column, click an IVA or Agent risk.

    4. In the details panel, change the State to Fixed, Waiting Validation.

    5. Take note of the Scanner ID and Host values.

    6. Scroll to the bottom of the panel, and then click Rescan.

      The Rescan Options dialog appears.

    7. Select the Scan Now option.

    8. Click Save.

      The asset scan begins. A full suite of tests is performed, including risk validation. Depending on the type of asset, this can take between 15 minutes and 1.5 hours.

    9. In the navigation pane, click Config > Scanner Config.

    10. In the Scanner Configuration section, for Scanner ID, click Details.

      The Scanner Select dialog appears.

    11. In the Search field, enter the Scanner ID value, and then click the matching ID in the table.

    12. In the Scanning Queue section, complete one of the following:

      • Click the Status column heading to sort the scan queue by status and view the risks with a Status of Running at the top.
      • In the Search field, enter the Host value.

      Tip: It can take several minutes for the scan to display active scanning data in the queue. If an asset is not scanned, wait several minutes and then refresh your browser.

    Review risks that failed validation

    On a weekly or monthly basis, review risks that failed validation. This helps you to recognize and prevent future security vulnerabilities.

    Risks that had a State of Fixed, Waiting Validation and later failed validation now have a State of Unsuccessful Validation. Take, for example, a device that was offline for a period of time. The risk State was manually updated to Fixed, Waiting Validation because the risk was Inactive. When that device is online again, the risk is found again, so the State changes to Unsuccessful Validation.

    See Risk States for more information.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Filters section, click Clear Filters, and then do the following:

      • State — Add the Unsuccessful Validation filter.
      • Status — Add the following filters:
        • Active
        • Inactive
    3. In the Risks section, review the risks that failed validation. These are risks that previously had a State of Fixed, Waiting Validation but were rescanned and are still being found. If you believe that a risk is resolved, complete the following to find more information about why it is still being found:

      • In the Risks section, click a risk you believe is resolved. Scroll to Additional Details, and then click Details. For IVA and EVA risks, this often provides additional details about what was found and why it was flagged as a risk.

      • For Agent risks, complete a vulnerabilities debug scan. This provides details about what exactly was found on the asset to trigger the vulnerability.

        See Interpret Arctic Wolf Agent Vulnerability Debug Scans for more information.

    Contact your Concierge Security® Team (CST) at security@arcticwolf.com, and request assistance with the investigation.

    View risks based on an assigned due date

    You can view risks based on the assigned due date. This is useful if you want to see unmitigated risks with past due dates.

    Note: This replicates the functionality of the deprecated Past Due filter.

    See Unix Time Stamp - Epoch Converter to convert a date to a 10-digit Unix timestamp format.

    Interpret Arctic Wolf Agent Vulnerability Debug Scans

    Arctic Wolf Agent Vulnerability Debug Scans produce a detailed HTML debug report that describes how a vulnerability was detected on a device. It includes the file or registry settings, and the logic that triggered the risk. Use this procedure to help you interpret the HTML debug report. You can also send your HTML debug reports to your CST for analysis.

    1. Create an HTML debug report.

      See Performing Arctic Wolf Agent Vulnerability Debug Scans for instructions.

    2. Open the HTML debug report in a browser.

      Tip: It may take some time to completely load the report. When the pie chart at the top of the page is fully rendered, the loading is complete.

    3. In the Rule Results Summary section, click the FAIL filter to view only the failed tests.

    4. Click the applicable vulnerability to see additional details.

    5. Review the Result Component Logic. Look for logic conditions that are green (true). This indicates that the conditions matched the logic Arctic Wolf uses to determine if a vulnerability exists.

      Result Component Logic

    6. Click OVAL TEST to view additional details. The file or registry value and the logic that evaluated it are displayed.

      OVAL TEST details

    7. If the vulnerability is for a File State, click show untested values.

      Information displays about the file that triggered the vulnerability detection.

      File state information

    Change the State of Inactive risks

    Note: Before you start this procedure, review inactive risks. See Review inactive risks.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Risks section, do one of the following:

      • To select a single inactive risk, select the checkbox next to the risk you want to update.

      • To select all inactive risks:

        1. Select All from the Show Entries list.

        2. Select the checkbox at the top of the table.

          All risks are selected.

    3. Click Update Selected.

      The Bulk Update dialog appears.

    4. Select one of the following from the State list:

      • Mitigated — Changes the Status to Mitigated for all selected risks, immediately removes the risks from the default view (which only includes Active and Inactive risks), and removes the risks from the risk score calculation. If any of these risks are discovered again, the risk reappears on the list with a State of Open, Status of Active, and Age reflecting the date that the risk was first discovered.

        Tip: If the majority of the assets in your environment are online most of the time, it is a common approach to change the State to Mitigated. This is a reasonable choice because a Status of Inactive typically indicates that the risk has been mitigated.

      • Fixed, Waiting Validation — Maintains the Status of Inactive for all selected risks, and all risks remain in the risk score calculation. If any of these risks are not detected the next time the asset is scanned, the risk Status changes to Mitigated, and the risk is removed from the default view (which only includes Active and Inactive risks) and risk score calculation.

        Tip: If you have a dynamic environment, a Status of Inactive could mean that the asset is offline and the risk can be verified when it is back online. In this situation, a State of Fixed, Waiting Validation may make more sense.

    5. Click Update.
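    The State and Status lifecycle described on this page (State set by the administrator and Status by the system, the Fixed, Waiting Validation and Mitigated outcomes above, the 90-day rule under Review inactive risks, and the EVA and Agent next-scan behaviour) written out as a small Python model. This is an added illustration, not Arctic Wolf code; where the page is silent (an IVA risk missing from the last scan becoming Inactive, and how days since last detection are counted) the behaviour is an assumption.

```python
from dataclasses import dataclass

# State values used on this page. State is administrator-set, except
# Unsuccessful Validation, which only the system assigns; Status is system-set.
MANUAL_STATES = {"Open", "Acknowledged, In-Planning", "Mitigation/Fix in Progress",
                 "Fixed, Waiting Validation", "Mitigated", "Accepted", "False Positive"}
SCORE_EXCLUDED_STATES = {"Accepted", "False Positive"}


@dataclass
class Risk:
    source: str                   # "IVA", "EVA" or "Agent"
    state: str = "Open"           # a newly discovered risk is Open / Active
    status: str = "Active"
    days_since_detected: int = 0  # assumed bookkeeping for the 90-day rule


def set_state(risk: Risk, new_state: str) -> Risk:
    """Administrator changes the State (for example in the Bulk Update dialog)."""
    if new_state not in MANUAL_STATES:
        raise ValueError(f"State {new_state!r} cannot be set manually")
    risk.state = new_state
    if new_state == "Mitigated":
        # Page: choosing Mitigated also sets the Status to Mitigated immediately.
        risk.status = "Mitigated"
    return risk


def apply_scan(risk: Risk, detected: bool) -> Risk:
    """Apply the result of the next scan of the asset the risk belongs to."""
    if detected:
        if risk.state == "Fixed, Waiting Validation":
            risk.state = "Unsuccessful Validation"  # validation failed
        elif risk.state == "Mitigated":
            risk.state = "Open"  # rediscovered after a manual Mitigated
        risk.status = "Active"
        risk.days_since_detected = 0
        return risk
    # Not detected.
    if risk.state == "Fixed, Waiting Validation" or risk.source in ("EVA", "Agent"):
        # Successful validation, or an EVA/Agent risk missing from the next
        # monthly scan: Status becomes Mitigated, State is left as it was set.
        risk.status = "Mitigated"
    elif risk.status == "Active":
        risk.status = "Inactive"  # assumed: IVA risk not detected in the last scan
    return risk


def age(risk: Risk, days: int, asset_offline: bool) -> Risk:
    """Advance time. 90 days after the last detection an Inactive risk becomes
    Obsolete (asset offline) or Mitigated (asset no longer detected)."""
    risk.days_since_detected += days
    if risk.status == "Inactive" and risk.days_since_detected >= 90:
        risk.status = "Obsolete" if asset_offline else "Mitigated"
    return risk


def in_default_view(risk: Risk) -> bool:
    """The default Risks view only includes Active and Inactive risks."""
    return risk.status in ("Active", "Inactive")


def in_risk_score(risk: Risk) -> bool:
    """Active and Inactive risks count, unless Accepted or False Positive."""
    return in_default_view(risk) and risk.state not in SCORE_EXCLUDED_STATES
```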

    Edit risks

    You can edit one or more risks at the same time. For example, you can assign a due date, or change the risk State of more than one risk at the same time.

    Notes:

    • You must update the asset in the Asset Catalog to modify the Asset Criticality value. See Edit Asset Criticality for more information.
    • Agent marks risks as Obsolete in the Risk Dashboard after 45 days. You cannot make changes to these risks, such as changing the State or assigning a user.
    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Risks table, select the row for every risk that you want to edit as part of a group. You can review more pages and continue making your selections.

      Tip: The number of risks currently selected is displayed, along with options to update or clear your selections.

    3. Click Update Selected.

      The Bulk Update dialog appears.

    4. Edit one or more of the following fields:

      • State
      • Assign To
      • Plan
      • Due Date
    5. Click Update.

    6. (Optional) Click Clear All Selected to clear all selected risks.

    Accept a vulnerability

    You can choose to accept an identified risk rather than fixing or mitigating the vulnerability. Changing the state of a risk to Accepted removes that risk from the Risk Score calculation. The risk remains in the Risks table for as long as it is detected on the network.

    We recommend that you mitigate or fix risks to improve your security posture, instead of accepting them. Accepting a risk does not make the risk go away, so bad actors could still take advantage of the vulnerability.

    If the risk is a false positive, you should apply the False Positive state to the risk, which then removes the risk from the Risk Score calculation.

    Note: The Risk Score is not updated immediately when a risk is marked as Accepted or as False Positive. It takes about an hour for the system to process and display the changes.

    1. In the Risk Dashboard navigation pane, click Risks.

    2. In the Risks table, click the risk that you want to update.

      The information pane opens.

      Tip: Use the search field to narrow the results.

    3. In the information pane, select Accepted from the State dropdown list.

    4. In the prompt, enter a detailed justification description.

    5. Click Accept to save your changes.

      Your changes are automatically saved.

    Assign a user and a due date to a risk

    To track the resolution of a risk, you can assign risks to specific users within your organization and assign a due date.

    Tip: This task is optional.

    1. In the Risk Dashboard navigation pane, do one of the following:

      • To view the Risks table, click Risks.
      • To view the Unassigned Risks table, click Management Plan.
    2. In the Risks or Unassigned Risks table, click the risk you want to assign a user and due date to.

      The information pane opens.

    3. (Optional) In the information pane, select an email address from the Assigned To dropdown list.

      Tip: To remove user and due date assignments, select the blank field from the Assigned to menu.

    4. (Optional) In the information pane, click the Due Date field, and then select a date on the calendar by which the risk should enter the Fixed, Waiting Validation state. This date must be at least one day in the future. The present day is highlighted in blue.

      The Due Date field populates with a date based on the selection, following the format MM/DD/YYYY, such as 02/20/2020.

    5. Click Update to save your changes.

    Unassign a user and a due date from a risk

    You cannot unassign a user from a risk, but you can assign the risk to another email from the list in the Assigned To field.

    1. In the Risk Dashboard navigation pane, do one of the following:

      • Click Risks to view the Risks table.
      • Click Management Plan to view the Unassigned Risks table.
    2. In the Risks or Unassigned Risks table, click the risk you want to unassign a user and due date from.

      The information pane opens.

    3. (Optional) In the information pane, select the blank field from the Assigned to menu.

    4. Click anywhere outside of the information pane to close it.

      Your changes are automatically saved.

    Download a remediation report

    You can download a remediation report that includes:

    To download a remediation report:

    1. In the Risk Dashboard navigation pane, click Risks.

    2. (Optional) Use Filters to narrow the list of risks that appear on the page.

      See Filters section for more information.

    3. In the Risks section, click Remediation Export.

      A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

      Notes:

      • Download times vary with the size of the CSV file, which depends on the number of CVEs and remediations for each risk.
      • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.

    Download Risks table data

    1. In the Risk Dashboard navigation pane, click Risks.

    2. (Optional) Use Filters to narrow the list of risks that appear on the page.

      See Filters section for more information.

    3. In the Risks section, click Download CSV.

      A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.

      Notes:

      • Download times vary with the size of the CSV file, which depends on the number of CVEs and remediations for each risk.
      • If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.

    Assets page

    The Assets page includes all information relevant to the assets in your network. The page includes the following sections:

    Asset Catalog section

    The Asset Catalog section is located on the Assets page. It includes a table with all of your assets, sorted by risk score. You can change how the information displays in the table:

    The Asset Catalog table has the following columns:

    Column Description
    Source The source that discovered the asset: Agent, EVA, or IVA.
    IP The IP address of the asset.
    Device Name The name of the asset as it appears on the device or in the Risk Dashboard.
    MAC The MAC address of the asset.
    OS The operating system (OS) of the asset.
    Category The category of the asset, for example Desktop or Server.

    Note: If there is not enough information to classify an asset, the asset appears in the Unknown category.

    Last Seen The date and time in UTC that the IP address for this asset was last verified.

    Note: This value is not the last time that the asset was online.

    Last Successful Scan The date and time in UTC of the last complete scan of this asset.

    Note: Currently, this information is only available for IVA and Agent assets. EVA assets display a status of Unsupported until this feature is available.

    Manufacturer The manufacturer of the asset.

    Note: This information is only available for the assets that Agent discovers.

    Risk Score The highest risk score of all active risks for the asset.
    Asset Criticality The criticality of the asset.

    See Edit Asset Criticality for more information.

    Vulnerabilities The number of current vulnerabilities for the asset.
    Asset Tags The classification tags that apply to the asset.

    See Edit asset tags for more information.

    Asset filters section

    The Filters section for assets is located on the Assets page. Use it to narrow the assets that appear in the Asset Catalog table. These are the available filter options:

    Filter Description
    Risk Score Use these filters to view assets that have vulnerabilities with risk scores in the specified range.
    Search Enter one or more search terms, separated by commas, and click Create to filter entries in the Asset Catalog table. Results are based on search term matches in any column. You can include up to 100 search terms. Each search term that you enter can be removed by clicking the X next to it.
    Source Select or deselect these options to show or hide the assets that these scan types identified:
    • IVA — Show or hide assets that an IVA scan discovered.
    • EVA — Show or hide assets that an EVA scan discovered, based on scan group configuration.
    • Agent — Show or hide assets that an Agent scan discovered.
    Asset Tags Select one or more of these options to show assets with all selected tags.
    Asset Criticality Select one or more of these options to show assets with any of the selected criticality values.
    Asset Category Select a category to view the assets that belong to that category.

    You can select multiple categories.

    Discovery Date Range Enter a date range to view the assets that were discovered within that time period.

    Click Clear Filters at any time to remove all filters.

    Review assets

    On a monthly or quarterly basis, review your assets. As assets are removed or decommissioned from the environment, it is good practice to remove them from the Asset Catalog. Keeping them does no harm, but they add clutter and skew your metrics for a period of time.

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Filters section, click Clear Filters.

    3. For the Source filter, clear the EVA checkbox.

    4. Do one of the following:

      • Review your assets in the Asset Catalog section of the Risk Dashboard.
      • Export your asset information, and then review the assets in a spreadsheet:
        1. In the Asset Catalog section, click Download CSV.

          The Asset Catalog.csv file downloads to your device.

        2. Open the Asset Catalog.csv file, and review the information in Microsoft Excel or another application of your choice.

    5. Sort the assets by the Last Seen value.

      Tip: External assets have a Last Seen value of Unknown. Review public-facing IP addresses and domains with your CST on a regular basis. Submit a ticket to security@arcticwolf.com to immediately communicate any new systems or changes to them.

    6. Review the assets, and then complete the appropriate task:

      • The asset was decommissioned and can be removed — Click Delete to delete it. All risks associated with the asset are also deleted.

      • The asset is present and active, but no longer seen by the IVA scanner or Agent — Verify that the IP is still part of the IVA scan schedule or that no firewall rules are preventing the agent from checking in.

        See Arctic Wolf IP Addresses for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

    View an Asset Profile

    An Asset Profile provides additional details about an asset.

    Note: The Location and Advanced Identification sections are only available when Agent is the Source.

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any source.

      The Asset Profile information is organized into the following sections:

    Details section

    The Details section of the Asset Profile includes the following information about the selected asset:

    See View an Asset Profile for more information.

    Location section

    The Location section of the Asset Profile includes the following information about the selected asset:

    Note: This information is only available when Agent is the Source.

    See View an Asset Profile for more information.

    Host Identification section

    The Host Identification section of the Asset Profile includes the following information about the selected asset:

    See View an Asset Profile for more information.

    Advanced Identification section

    The Advanced Identification section of the Asset Profile includes the following information about the selected asset:

    Note: This information is only available when Agent is the Source.

    See View an Asset Profile for more information.

    Profile Activity section

    The Profile Activity section of the Asset Profile includes the following information about the selected asset:

    See View an Asset Profile for more information.

    Add Note section

    The Add Note section of the Asset Profile allows you to add a note to the asset. The Previous Notes section allows you to view the existing notes on the asset. It includes the following information:

    See View an Asset Profile, Add a note to an asset profile, and Delete a note from an asset profile for more information.

    Asset Profile History section

    The Asset Profile History section of the Asset Profile provides asset profile change history information. When a scan identifies an asset, an asset profile is created or the existing asset profile is updated. The Asset Profile History table shows asset profile changes over time as a result of scans from the selected source. It does not include a history of asset Tags or Asset Criticality. You can change how the information displays in the table:

    The Asset Profile History table has the following columns:

    Column Description
    IP The IP address of the asset.
    Device Name The name of the asset.
    OS The operating system of the asset.
    MAC The MAC address of the asset.
    When The date and time when the asset profile changed.
    Type The type of change to the asset profile. For example, OS refers to a change in the operating system.
    Event The change to the asset profile. For example, an operating system update.
    Raw Log An Arctic Wolf-specific field that the system generates for each asset profile change as a result of a scan.

    See View an Asset Profile for more information.

    Add a note to an Asset Profile

    1. In the Risk Dashboard navigation pane, click Assets.
    2. In the Asset Catalog section, go to the Source column, and then click any source.
    3. In the Add Note section, enter a note in the Add notes here field.
    4. Click Add Note.

    Edit assets

    It is important to add Category, Asset Criticality, and Asset Tags classification values to assets when they are initially deployed so you have a baseline. After that, on a monthly or quarterly basis, review and update your asset classification values because environments change over time. Classification values help to provide asset context.

    Tip: To filter assets, you can enter a comma-separated list of values in the Search field. For example, you can enter a distinct list of IP addresses or device names for bulk editing.

    Edit multiple assets

    You can use the following methods to edit multiple assets:

    Edit multiple assets in the Asset Catalog table

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog table, select the row for every asset that you want to edit as part of a group. You can review more pages and continue making your selections.

      Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

    4. Click Update Selected.

      The Bulk Update dialog appears.

    5. Edit fields as required.

    6. Click Update to save your changes.

    7. (Optional) Click Deselect All to clear all selected assets.

    Edit multiple assets in a CSV file

    Notes:

    • You cannot bulk edit asset criticality with this workflow. See Edit multiple assets in the Asset Catalog table for instructions.
    • If you are editing asset tags, verify that the tag exists in the Risk Dashboard. You can ask your CST to create custom tags for you.
    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

      Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

    3. In the Asset Catalog section, click Export Assets.

      A CSV file with the following fields downloads to your device:

      • Device ID
      • Asset IP
      • Device Name
      • Category
      • Asset Tags
    4. Open the CSV file.

    5. Locate the required Asset IP, and then edit the corresponding Device Name, Category, and Asset Tags columns as desired.

      Notes:

      • Do not edit the Device ID column. Editing a Device ID value results in an unsuccessful CSV file import.
      • To reset the Device Name or Category of an asset to the value from the default sensor, leave the cell empty.
      • To exclude a device from the bulk edit, either leave the Device Name or Category values unchanged or delete the row from the CSV file.
      • Ensure that asset tags match those available in the Risk Dashboard. Entering invalid asset tags results in an unsuccessful CSV file import.
    6. Save the CSV file.

    7. In the Risk Dashboard, click Import Assets.

    8. Locate the modified CSV file, and then click Open.

      The Confirm Upload dialog appears.

    9. Click Upload.

      A message appears to confirm whether the import was successful or unsuccessful.
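    A pre-flight check that applies the notes above to an edited export before you click Import Assets, as an added example rather than Arctic Wolf tooling: every Device ID must still be one from the export, tags must exist in the Risk Dashboard, and each row is classified as unchanged (excluded from the bulk edit), reset (empty Device Name or Category) or changed. The sample export, the edited copy and the tag list are constructed, and comma separation of tags inside the Asset Tags cell is an assumption.

```python
import csv
import io

# Header fields of the Export Assets CSV, as listed on this page.
EXPECTED_FIELDS = ["Device ID", "Asset IP", "Device Name", "Category", "Asset Tags"]

# Constructed sample export and an edited copy of it.
ORIGINAL_EXPORT = """Device ID,Asset IP,Device Name,Category,Asset Tags
1001,10.0.0.5,srv-db-01,Server,
1002,10.0.0.6,ws-042,Desktop,finance
1003,10.0.0.7,printer-3,Unknown,
"""
EDITED_EXPORT = """Device ID,Asset IP,Device Name,Category,Asset Tags
1001,10.0.0.5,srv-db-01,Server,"finance,pci"
1002,10.0.0.6,,Desktop,finance
1004,10.0.0.7,printer-3,Printer,hr
"""
# Tags that exist in the Risk Dashboard (constructed; your CST knows the real list).
KNOWN_TAGS = {"finance", "pci", "dmz"}


def split_tags(cell: str) -> list[str]:
    """Assumed: tags inside the Asset Tags cell are comma-separated."""
    return [t.strip() for t in cell.split(",") if t.strip()]


def classify_row(original: dict, edited: dict) -> str:
    """Unchanged rows are excluded from the bulk edit; an emptied Device Name
    or Category cell resets that value to the sensor default."""
    if edited == original:
        return "unchanged"
    if (edited["Device Name"] == "" and original["Device Name"] != "") or \
       (edited["Category"] == "" and original["Category"] != ""):
        return "reset"
    return "changed"


def validate_import(original_csv: str, edited_csv: str,
                    known_tags: set[str]) -> tuple[list[str], dict[str, str]]:
    """Return (problems, outcome per Device ID). An empty problems list means
    the edited file should not trip the import rules described on the page."""
    problems: list[str] = []
    outcomes: dict[str, str] = {}
    original = {r["Device ID"]: r for r in csv.DictReader(io.StringIO(original_csv))}
    edited = csv.DictReader(io.StringIO(edited_csv))
    if edited.fieldnames != EXPECTED_FIELDS:
        problems.append(f"header {edited.fieldnames} does not match the export format")
        return problems, outcomes
    for line_no, row in enumerate(edited, start=2):  # line 1 is the header
        for tag in split_tags(row["Asset Tags"]):
            if tag not in known_tags:
                problems.append(f"line {line_no}: unknown asset tag {tag!r}")
        dev_id = row["Device ID"]
        if dev_id not in original:
            problems.append(f"line {line_no}: Device ID {dev_id!r} is not in the export; "
                            "Device ID cells must not be edited")
            continue
        if row["Asset IP"] != original[dev_id]["Asset IP"]:
            problems.append(f"line {line_no}: Asset IP differs from the export for "
                            f"Device ID {dev_id} (not one of the editable columns)")
        outcomes[dev_id] = classify_row(original[dev_id], row)
    return problems, outcomes
```

A row deleted from the edited file (Device ID 1003 in the sample) simply has no outcome, matching the page's note that deleting a row excludes that device from the bulk edit.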

    Edit an asset category

    Note: These steps describe how to apply an existing asset category. If you want to add a new category, see Add an asset category.

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog, select the checkbox next to each asset you want to update.

    4. Click Update Selected.

      The Update Selected Assets dialog appears.

    5. In the Asset Category dropdown list, select the appropriate value.

    6. Click Update Asset(s).

    Add an asset category

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog table, click the Source of an asset that you want to assign the asset category to.

    4. In the Details pane, click Edit Details.

      The Edit Asset Details dialog appears.

    5. In the Add Category field, enter a name for the category.

    6. Click Add.

      Note: An asset category must be assigned to at least one asset for it to appear as an option when assigning asset categories. As a result, you cannot add multiple asset categories at once using this method.

    7. Click Update.

    Edit asset criticality

    You can associate an asset with a pre-defined Asset Criticality value. This value is optional. The value displays for any risks that are discovered on the device, which can assist you with risk mitigation planning.

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog, select the checkbox next to each asset you want to update.

    4. Click Update Selected.

      The Update Selected Assets dialog appears.

    5. In the Asset Criticality dropdown list, select the required Asset Criticality:

      • Unassigned — The default value for all devices.
      • None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
      • Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
      • Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
      • High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
      • Critical — Remediate risks immediately. These assets are likely targets for malicious activity.

    6. Click Update Asset(s).

    Tip: You can edit asset criticality for multiple assets simultaneously. See Edit multiple assets for instructions.

    Edit asset tags

    Tags are an optional value that you can apply to assets. The values are then included on any risks that are discovered on the device to assist with risk mitigation planning.

    Tips:

    • You can ask your CST to create custom tags for you.
    • You can edit asset tags for multiple assets simultaneously. See Edit multiple assets for instructions.
    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog section, select the checkbox next to each asset you want to update.

    4. Click Update Selected.

      The Update Selected Assets dialog appears.

    5. In the Asset Tags search field, search for and select the required asset tag:

      • backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
      • gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
      • iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles as policies.
      • internet_facing — Any asset that can be reached through the public internet.
      • network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
      • pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
      • pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
      • remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.

    6. Click Update Asset(s).
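    Because an invalid tag makes the whole CSV import fail (see the CSV import steps under Edit multiple assets above) and criticality values must match the list in Edit asset criticality, it is worth checking a bulk-edit file before uploading it. The following Python script is an added example, not part of the Risk Dashboard or its documentation: it validates the tag and criticality columns of an export against the vocabularies on this page and suggests the closest valid value for anything it rejects. The Device Name and Category headers come from the import steps; the Criticality and Tags headers, the semicolon tag separator, and the sample rows are assumptions for the example, so confirm the headers against a CSV downloaded from the Asset Catalog.

```python
import csv
import difflib
import io

# Vocabularies copied from the Edit asset criticality and Edit asset tags
# procedures on this page. "Device Name" and "Category" come from the CSV
# import steps; the remaining headers and the multi-tag separator are
# assumptions for this example and should be checked against a CSV
# downloaded from the Asset Catalog.
VALID_CRITICALITY = {"Unassigned", "None", "Low", "Medium", "High", "Critical"}
VALID_TAGS = {
    "backup_recovery", "gdpr", "iam", "internet_facing",
    "network_infra", "pci", "pii", "remote_access",
}
REQUIRED_COLUMNS = ("Device Name", "Category")
CRITICALITY_COLUMN = "Criticality"  # assumed header
TAG_COLUMN = "Tags"                 # assumed header
TAG_SEPARATOR = ";"                 # assumed separator for several tags in one cell

# Constructed sample: one clean row, one row with a mis-cased tag, and one
# row with a misspelled criticality value.
SAMPLE_CSV = """Device Name,Category,Criticality,Tags
web-01,Web Servers,High,internet_facing;pii
db-01,Databases,Critical,PII;pci
printer-03,Printers,Lo,
"""


def _suggest(value, vocabulary):
    """Case-insensitive fuzzy match of value against vocabulary, or None."""
    by_lower = {v.lower(): v for v in vocabulary}
    hits = difflib.get_close_matches(value.lower(), list(by_lower), n=1)
    return by_lower[hits[0]] if hits else None


def _describe(kind, value, vocabulary):
    suggestion = _suggest(value, vocabulary)
    hint = f" (did you mean {suggestion!r}?)" if suggestion else ""
    return f"unknown {kind} {value!r}{hint}"


def validate_asset_csv(text):
    """Return a list of (row_number, message) for every value the import
    would reject. Row 1 is the header, so data rows start at 2. An empty
    list means all tags and criticality values are recognised."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    problems = [(1, f"missing required column {col!r}")
                for col in REQUIRED_COLUMNS if col not in fields]
    for row_number, row in enumerate(reader, start=2):
        criticality = (row.get(CRITICALITY_COLUMN) or "").strip()
        if criticality and criticality not in VALID_CRITICALITY:
            problems.append((row_number,
                             _describe("criticality", criticality, VALID_CRITICALITY)))
        for tag in (row.get(TAG_COLUMN) or "").split(TAG_SEPARATOR):
            tag = tag.strip()
            if tag and tag not in VALID_TAGS:
                problems.append((row_number, _describe("tag", tag, VALID_TAGS)))
    return problems


if __name__ == "__main__":
    for row_number, message in validate_asset_csv(SAMPLE_CSV):
        print(f"row {row_number}: {message}")
```

    Run it against the sample and it reports row 3 (tag PII, suggesting pii) and row 4 (criticality Lo, suggesting Low); fix those cells before clicking Import Assets so the upload does not fail part way through a large edit.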

    Edit a device name

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog section, select the checkbox next to each asset you want to update.

    4. Click Update Selected.

      The Update Selected Assets dialog appears.

    5. In the Device Name field, enter a name for the asset. This is the name that appears in the Risk Dashboard.

    6. Click Update Asset(s).

    Reset sensor details

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

    3. In the Asset Catalog table, click the required Source.

    4. Click Reset to Sensor Defaults to revert the asset details to the default settings that the scanner created for this asset.

    5. Click Confirm.

    Rescan assets

    You can rescan an individual asset or multiple assets at the same time.

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, select the checkbox next to each asset that you want to rescan.

    3. Click Rescan to add the asset to the scan queue.

      Tip: The Rescan button appears dimmed if you select an EVA source as it is currently unavailable.

    4. Click Rescan to confirm.

    Delete an asset

    You can delete an IVA or Agent asset from the Assets page if you no longer require it. To delete an EVA asset, update the appropriate scan configuration. See Scanner Configuration section for more information.

    If a deleted asset is rediscovered during a future scan, it is given a new asset ID and re-added to the catalog.

    You cannot delete:

    Note: Deleted Agent assets are automatically removed from scan schedules.

    Delete a single asset

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, click Delete next to the asset that you want to delete.

      The Confirm Delete dialog appears.

    3. Click Delete.

    Delete multiple assets

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog table, select the checkboxes next to the assets that you want to delete, and then click Delete Selected.

    3. Click Delete Selected.

      The Confirm Delete dialog appears.

    4. Click Delete.

    Delete a note from an Asset Profile

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any source.

    3. In the Previous Notes section, locate the note to delete, and then click Delete.

      The Delete Note dialog appears.

    4. Click Delete.

    Download Asset Catalog data

    1. In the Risk Dashboard navigation pane, click Assets.

    2. (Optional) Use Filters to narrow the list of assets that appear on the page.

      See Asset Filters section for more information.

      Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.

    3. Click Download CSV.

      The CSV file downloads to your device.

    Agent page

    The Agent page includes the following sections:

    You can change how the information displays on the page:

    All sections display when the page refreshes.

    View risk charts

    Risk charts illustrate the percentage of risks in various categories.

    1. In the Risk Dashboard navigation pane, click Agent.

      The Agent page contains three risk charts:

      • Risks by OS
      • Risks by Category
      • Risks by Severity
    2. (Optional) Hover over a section of the chart to see the percentage. Use the legend, above each chart, for information about the chart colors. Click the arrows to scroll through the legend.

    Target Group Overview section

    The Target Group Overview section is located on the Agent page. It includes a table that provides a summary of the target groups and scanning schedules. You can change how the information displays in the table:

    The Target Group Overview table has the following columns:

    Column Description
    Name The name of the target group.
    Description A description of the target group.
    Targets The number of targets in the target group.
    Scanning The state of the target group. This can be one of the following:
  • Enabled — The target group is allowed to be scanned.
  • Disabled — The target group is not allowed to be scanned.
  • Running — The target group is currently being scanned.
    Schedule The intended times for a scan to repeat itself. This can be one of the following:
  • Once
  • Daily
  • Weekly
  • Monthly

    Note: Agent stores schedules based on cron patterns. When scheduling a monthly scan, select a date between 1 and 28 to ensure monthly recurrence; a month that does not contain the selected day (29, 30, or 31) produces no run. See Cron job schedules in the Google documentation for more information on cron scheduling.
    Created The date and time that the target group was created.
    Last Scan The date and time of the previous scan on the target group.
    Next Scan The date and time of the next scheduled scan on the target group.

    Click CSV to download a CSV file containing all target groups for the deployment.

    The Edit and X icons are used by Arctic Wolf employees to edit and delete target groups. They are not functional for customers.
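    To see why the note on monthly schedules recommends days 1 to 28, the following Python script (an added example, not part of the Agent or its documentation) computes the runs that a monthly day-of-month schedule produces over a year under standard cron semantics, in which a month that lacks the chosen day fires nothing. That cron behaviour and the 02:00 run time are assumptions; the page only states that Agent stores schedules as cron patterns.

```python
import calendar
from datetime import datetime, timedelta

# Assumption for this example: the schedule fires on the given day-of-month
# with standard cron semantics, so a month without that day produces no run.
# The exact pattern Agent stores is not shown on the page.
MONTH_NAMES = list(calendar.month_name)  # index 1..12


def next_monthly_run(after, day_of_month, hour=0, minute=0):
    """First run strictly after `after` for a schedule that fires on
    `day_of_month` every month. Months lacking that day are skipped."""
    if not 1 <= day_of_month <= 31:
        raise ValueError(f"day_of_month {day_of_month} is not a calendar day")
    year, month = after.year, after.month
    for _ in range(24):  # day 31 recurs at least every two months
        last_day = calendar.monthrange(year, month)[1]
        if day_of_month <= last_day:
            candidate = datetime(year, month, day_of_month, hour, minute)
            if candidate > after:
                return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1
    raise ValueError(f"no month has day {day_of_month}")


def runs_in_year(year, day_of_month, hour=2, minute=0):
    """ISO dates of every run the schedule produces during `year`."""
    runs = []
    cursor = datetime(year, 1, 1) - timedelta(microseconds=1)
    end = datetime(year + 1, 1, 1)
    while True:
        run = next_monthly_run(cursor, day_of_month, hour, minute)
        if run >= end:
            return [r.strftime("%Y-%m-%d") for r in runs]
        runs.append(run)
        cursor = run


def skipped_months(year, day_of_month):
    """Names of the months in `year` in which the schedule never fires."""
    return [MONTH_NAMES[m] for m in range(1, 13)
            if calendar.monthrange(year, m)[1] < day_of_month]


if __name__ == "__main__":
    for day in (28, 29, 31):
        print(f"day {day}: {len(runs_in_year(2023, day))} runs in 2023,"
              f" skipped {skipped_months(2023, day) or 'none'}")
```

    For 2023 a schedule on day 31 fires only seven times and day 29 skips February; day 28 fires every month, which is the recurrence a monthly vulnerability scan is meant to have.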

    View Agent Risks

    The Agent Risks section provides a link to the Risks page, so you can view risks with Agent as the Source.

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Risks section, click here.

      The Risks page appears. The risk table is filtered to display risks with Agent as the Source.

    View Agent Scan Details

    The Agent Scan Details section displays information about scans that overlap with or start within the specified date and time.

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Scan Details section, select the start date and time for the scan results that you want to view.

    3. Click Get Data.

      The table displays all target group scans that started after, or were still running at, your selected start date and time.

    The Agent Scan Details table has the following columns:

    Column Description
    Scans Detail Click Details next to a scan in the table to view details for a specific scan.
    ID The unique identifier representing the scan.
    Name The name of the scanned target group.
    Scheduled Window Minutes Duration of the scan in minutes.
    Status Whether or not the scan was completed.
    Scan Reason The reason for the scan.
    Start Time The date and time of the start of the scan.
    End Time The date and time of the end of the scan.

    Click Details next to a scan in the table to view details for a specific scan. The sub-table has the following columns:

    Column Description
    Client UUID A universally unique identifier (UUID) for the device.
    Hostname The hostname of the device.
    ID The ID of the device.
    Status The status of the scan. The statuses can be one of the following:
  • Pending — The scan is scheduled to run at a further point in time.
  • Running — The scan is currently running.
  • Success — The scan completed.
  • Closed — The scan was cancelled before it started running.
  • Failure — The scan did not finish. This generates an audit report.
  • Cancelled — The scan was cancelled while it was running.
  • Unsupported — The scan attempted to start on an unsupported OS or architecture.
    Start Time The time the agent began scanning the device.
    End Time The time the agent ended scanning the device.
    Create Time The time that the scan was created.
    Audit Provides the audit report if an audit was performed. Click Download to download the audit report as an HTML file.
    Vulnerability Report Provides the vulnerability report if a vulnerability scan was performed. Click Download to download the vulnerability report as an HTML file.
    Benchmark Report Provides the benchmark report if a benchmark scan was performed. Click Download to download the benchmark report as an HTML file.

    View Agent Audits

    1. In the Risk Dashboard navigation pane, click Assets.

    2. In the Asset Catalog section, go to the Source column, and then click any Agent.

      If Agent discovered the asset and the asset information is available, it is provided in the appropriate section:

    Task List table

    The Task List table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Command The command associated with the task.
    Handle Count The number of object handles in the object table of the task.
    Name The name of the task.
    PCPU The percent of central processing unit (CPU) that is used.
    PID The process identifier (PID) associated with the process.
    PMEM The percentage of physical memory (MEM) that the process's resident set size occupies.
    PPID The parent process identifier (PPID).
    Priority The priority of the task.
    Process ID The process ID of the task.
    RSS The resident set size (RSS) or portion of random access memory (RAM) that the process uses.
    Session ID The session ID that the task is using.
    STAT The current status (STAT) of the process.
    Thread Count The number of threads working on the task.
    Time The time since the process started.
    TT The controlling terminal (TT) of the process, if any.
    VSZ The virtual memory size (VSZ) or the size of memory allocated to a process, even if it does not use it.
    Working Set Size The amount of memory that the task needs to function.

    See View Agent Audits for more information.

    Wireless Networks table

    The Wireless Networks table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Authentication The authentication type of the network.
    BSSID The basic service set identifier (BSSID) that uniquely identifies the radio of the access point using a media access control (MAC) address.
    Channel The small band within a larger frequency band, that the wireless network uses to transmit wireless signals.
    Country The country code of the wireless device.
    Encryption The encryption type of the network.
    IsCurrent Whether the network is currently connected to the machine (True) or not (False).
    MCS Index The modulation coding scheme (MCS) index that is supported.
    Message The number of available networks. For example, There are 3 networks currently visible.
    Mode The wireless mode.
    Name The name of the network.
    Network Type The type of network.
    Network The network name.
    Noise The signal in decibels (-dBm) that is not WiFi traffic. The closer to 0, the greater the noise.
    Security The wireless security protocol provided by the wireless network.
    Signal The current signal strength in (-dBm). The closer to 0, the better the signal.
    SSID Name The service set identifier (SSID) that uniquely names the wireless local area network (WLAN) that devices connect to.
    Transit Rate The throughput capability of wireless devices connected to the network.

    See View Agent Audits for more information.

    USB Devices table

    The USB Devices table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Bus The universal serial bus (BUS) identifier.
    Device ID The unique ID of the USB device.
    Device The device name.
    Manufacturer The manufacturer of the USB device.
    Name The name of the USB device.
    Product ID The product identification number.
    Serial Number The serial number of the USB, if available.
    Speed The speed of the USB device in Mb/s.
    Status The status of the USB device.
    Vendor ID The identification number of the vendor.
    Version The software version on the USB device.

    See View Agent Audits for more information.

    Software Packages table

    The Software Packages table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:

    Column Description
    Arch The hardware architecture.
    Install Location The location that the software package is installed on the device.
    Install Source The location of the file that the software package was installed from.
    Installed The date that the software package was installed, formatted as YYYYMMDD.
    Intel 64bit Whether the software can run on Intel 64bit CPUs.
    Kind The type of software package.
    Last Modified The date and time that the software package was last modified.
    Location The file path of the software.
    Name The name of the software package.
    Obtained From The source of the software package.
    Signed By The signing authority of the software package.
    Summary A description of the software.
    Vendor The vendor of the software package.
    Version The version number of the software package.

    See View Agent Audits for more information.

    Enable an agent scan schedule

    You can enable individual agent scan schedules.

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, locate the agent scan schedule you want to turn on.

    3. In the Schedule Enabled column, turn on the toggle.

      Note: If the toggle appears dimmed, the scan is currently disabled.

      In the Scanning column, the agent status changes to Enabled.

    Stop active and scheduled agent scans

    Active scans and scheduled scans can be stopped individually or in bulk:

    Stop an agent scan schedule

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, locate the agent scan schedule you want to turn off.

    3. In the Schedule Enabled column, turn off the toggle.

      Note: If the toggle appears dimmed, the scan is currently disabled.

      In the Scanning column, the agent status changes to Disabled.

    Stop all agent scan schedules

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Target Group Overview section, click Stop All Scan Schedules.

    3. Click Stop All Scan Schedules to confirm.

      In the Scanning column, all agent statuses change to Disabled.

    EVA page

    The EVA page displays information gathered from External Vulnerability Assessment (EVA) scans, specifically target scan groups and the associated risks for these groups. The page includes the following sections:

    Target Group to Risk Severity section

    The Target Group to Risk Severity section is located on the EVA page. It displays target score information for each target group and its targets. The chart legend lists each target group, all targets within a group, and the color corresponding to the chart.

    Note: You cannot take actions on target groups that have discovered a host in scanning.


    Tip: See target score for more information on target scores.

    The chart visualizes the target score associated with each target and target group. The chart has three layers, where the innermost layer represents the target group, the second layer represents each target within that group, and the third layer represents the target score associated with each target. Each target group and associated targets are one unique color. Low target scores are not visible, medium target scores are yellow sectors, and high target scores are red sectors. If a target group scan did not discover a host, then it is not displayed on the chart.

    Target Group to Risk Severity filters

    The Target Group to Risk Severity section is located on the EVA page. It includes the following filters that you can use to change the chart data:

    Filter Description
    Target group Click a target group on the chart. This limits the chart to only display the relevant information for that target group. To clear the filter, click the gray circle in the center of the chart (it is labeled undefined).

    Location Filters the target group by location. Select one of the following options: All, Corporate, or Third Party.
    Tags Filters the target by Tag. Click the Tags field, select a tag from the dropdown list, and then click Update Control Data. See Filter target groups by tags for more information.

    Target Group Overview section

    The Target Group Overview section is located on the EVA page. You can change how the information displays in the Target Group Overview table:

    Tip: Click CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.


    The Target Group Overview table has the following columns:

    Column Description
    Name Name of the target group.
    Description Description of the target group.
    Targets All targets within the target group.
    Scanning If scanning is enabled or disabled for the target group.
    Schedule Whether the scan on the target group runs once, weekly, or monthly.
    Created The date that the target group was created.
    Last scan The date of the previous scan on the target group.
    Next scan The date of the next scheduled scan on the target group. If there is no next scan, the entry is empty.

    Risks by Target Group section

    The Risks by Target Group section is located on the EVA page. You can change how the information displays in the Risks by Target Group table:

    Tip: Click CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.


    The Risks by Target Group table has the following columns:

    Column Description
    Level Target score of the target.
    Target IP address or domain name of the target.
    Name Name of the target.
    Description Description of the target.
    Recommendations Steps to mitigate the risk of the target.
    Created Date the target was created.

    Click Details at the left of each entry to display additional risk information. Details vary, depending on the risk. Not all information is present for each entry:

    Filter target groups by tags

    1. In the Risk Dashboard navigation pane, click EVA.
    2. In the Target Group to Risk Severity section, enter the tags you want to filter by in the Tags field.
    3. Click Update Control Data.

      Note: It may take a few seconds for the updates to complete.

    Download a Target Group to Risk Severity Chart

    1. In the Risk Dashboard navigation pane, click EVA.

    2. (Optional) Use filters to narrow the information that appears in the chart.

      See Target Group to Risk Severity filters for more information.

    3. Click Save image.

      An image of the chart downloads to your device. It does not save the legend.

    Stop active and scheduled EVA scans

    Active scans and scheduled scans can be stopped individually or in bulk:

    Stop an EVA scan schedule

    1. In the Risk Dashboard navigation pane, click EVA.

    2. In the Target Group Overview section, locate the EVA scan schedule you want to turn off.

    3. In the Schedule Enabled column, turn off the toggle.

      Note: If the toggle appears dimmed, the scan is currently disabled.

      In the Scanning column, the status changes to Disabled.

    Stop all EVA scan schedules

    1. In the Risk Dashboard navigation pane, click EVA.

    2. In the Target Group Overview section, click Stop All Scan Schedules.

    3. Click Stop All Scan Schedules to confirm.

      In the Scanning column, all EVA statuses change to Disabled.

    User Config page

    The User Config page is no longer available. Previously, it allowed you to manage users who could access your Risk Dashboard. If you need to make user management changes now, contact your CST.

    Scanner Config page

    The Scanner Config page lets you make changes to your scanning configuration and scanning schedules. The page includes the following sections:

    By default, the scanner scans all devices on the same network subnet as the IP address and netmask that are provisioned. If desired, you can add devices on other networks for scanning, provided they are reachable through a gateway.

    The scanner virtual machine (VM) is designed for rapid and continuous scanning to process all the network hosts as quickly as possible. As such, it is normal for the scanner to consume all of the virtual CPU (vCPU) allocated to it. This may not be desirable in a highly overloaded ESXi environment, and allocating more resources may be difficult in the short term. In this situation, we recommend using the minimum system requirements as described in the Managed Risk Scanner Installation Guide for your environment. If CPU consumption is an issue, try deploying a physical scanner. However, we only recommend this approach if the ESXi environment is unable to manage the scanner resource requirements.

    By design, company identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer to GUID mapping is stored within the Arctic Wolf secure network.

    Scan frequency for a given host depends on a number of factors including:

    We recommend that each host on the network is scanned at a minimum once every 10-14 days. You may require additional scanners based on your network size and complexity.

    Note: EVA scans run monthly. We do not recommend scanning too frequently, as this could conflict with firewall rules or generate too much noise.

    The Risk Scanner operates in stages when determining what hosts to scan next. Scans begin five minutes after the previous scan completes. During this process, the Risk Scanner:

    Scanner Configuration section

    The Scanner Configuration section is located on the Scanner Config page. It displays configuration details for the selected scanner.

    The Scanner Configuration section has the following information:

    Detail Description
    Scanner ID The ID of the scanner.

    Click Details at the end of the ID to choose a different scanner.

    Scanner IP Address The IP address of the scanner.
    Netmask The netmask of the scanner.
    Connection Status The connection status of the scanner, including:
    • Connected — The scanner is online.
    • Disconnected — The scanner is offline.
    Scanning Status The scanning status of the scanner, including:
    • Scanning — The scanner is actively scanning.
    • Not Scanning — The scanner is not actively scanning.
    • Not Configured — The scanner is not scanning because it is not configured.
    • Misconfigured — There is an issue with the scanner configuration.
    • Disabled — Scanning is not enabled.
    • Degraded — The scanner encountered an issue while scanning.

    Tip: See Troubleshoot scanning statuses for help resolving scanning statuses.

    Host Identification Scans A toggle that enables or disables host identification scans. Vulnerability Scans must also be enabled for host identification scans to work. When this toggle is disabled, Vulnerability Scanning is also disabled.
    Vulnerability Scanning A toggle that enables or disables IVA scans.
    Troubleshooting Settings A button that opens the Troubleshooting settings dialog. The dialog includes these troubleshooting settings:
    • Brute force checks — Toggles whether the scanner runs brute force checks, which attempt to log in to discovered services with default or common credentials.
    • CGI scanning — Toggles whether the scanner runs Common Gateway Interface (CGI) checks. When turned on, it searches for well-known web vulnerabilities in web servers and similar software.
    • Only ping the target — Toggles whether the scanner only scans hosts that respond to pings or not. For more information, see Only ping the target toggle.
    • Stop All Scanning Now — Click to disable all future scanning and stop any existing scanning processes.

    Caution: Arctic Wolf does not recommend using the Stop All Scanning Now setting outside of an emergency since it may cause scan restart issues.

    DenyList IP/Networks IP addresses or networks that are part of the DenyList. These items are not scanned.
    See Add an IP address or IP address range to the denylist for more information.
    Host Collection DNS Servers The DNS server that you have configured.

    Note: If this field is blank, we attempt to auto-discover the server name.
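    Before enabling scanning, it helps to know exactly which addresses fall inside the provisioned subnet, which extra targets are only reachable through a gateway, and which hosts the DenyList removes. The following Python script is an added planning aid, not the scanner's own logic or part of the documentation; it applies the scoping rules stated above to constructed values (a /24 scanner subnet, one extra /29 and a single host beyond a gateway, and three denied addresses). The scanner's real target selection also depends on the schedules and scanning stages described on this page, which the example does not model.

```python
import ipaddress

# Added illustration of the scoping rules on this page; the scanner's own
# target-selection code is not published here, so treat this as a planning
# aid rather than its exact behaviour.


def _expand(target):
    """Yield the host addresses a target entry covers. A bare address or /32
    is one host; a CIDR block contributes its usable host addresses."""
    net = ipaddress.ip_network(target, strict=False)
    if net.prefixlen == net.max_prefixlen:
        yield net.network_address
    else:
        yield from net.hosts()


def plan_scan_scope(scanner_ip, netmask, extra_targets=(), denylist=()):
    """Split everything the scanner would consider into three sorted lists of
    address strings: hosts on the provisioned subnet ("local"), hosts only
    reachable through a gateway ("via_gateway"), and hosts the DenyList
    removes ("denied"). DenyList entries may be addresses or CIDR networks."""
    base = ipaddress.ip_network(f"{scanner_ip}/{netmask}", strict=False)
    denied_nets = [ipaddress.ip_network(d, strict=False) for d in denylist]

    def is_denied(addr):
        return any(addr in net for net in denied_nets)

    local, remote, denied = set(), set(), set()
    for addr in base.hosts():
        (denied if is_denied(addr) else local).add(addr)
    for target in extra_targets:
        for addr in _expand(target):
            if addr in base:
                continue  # already covered by the provisioned subnet
            (denied if is_denied(addr) else remote).add(addr)
    return {
        "local": [str(a) for a in sorted(local)],
        "via_gateway": [str(a) for a in sorted(remote)],
        "denied": [str(a) for a in sorted(denied)],
    }


# Constructed values for the example: a /24 scanner subnet, one extra /29
# plus a single host behind a gateway, and a DenyList protecting two
# addresses on the local subnet and one on the extra range.
EXAMPLE_PLAN = plan_scan_scope(
    "10.10.20.5", "255.255.255.0",
    extra_targets=["10.10.30.0/29", "192.168.1.10"],
    denylist=["10.10.20.250/31", "10.10.30.3"],
)

if __name__ == "__main__":
    for bucket, hosts in EXAMPLE_PLAN.items():
        print(f"{bucket}: {len(hosts)} hosts")
```

    With these inputs the plan lists 252 local hosts, 6 hosts behind a gateway, and 3 denied addresses. Anything that shows up under via_gateway needs a working route from the scanner before it will be reached, and anything sensitive that does not show up under denied should be added to DenyList IP/Networks before Vulnerability Scanning is turned on.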

    Only ping the target toggle

    Under Troubleshooting Settings, if the Only ping the target toggle (normally turned off) is enabled, the scanner sends an ICMP echo request to each host. If the host returns an ICMP echo reply, the scanner determines that the host is online and can be scanned. Some networks and devices are configured not to reply to ICMP echo requests; with this toggle enabled, those hosts are excluded from identification scans even though they are online.

    While you can use this setting for troubleshooting, enabling the Only ping the target toggle can also be helpful if Host Identification Scans, also known as NMAP scans, are producing a lot of traffic or if you want to reduce the NMAP load.

    We recommend that you enable the Only ping the target toggle for a scanner if scanning through a stateful firewall.

    The Only ping the target toggle does not affect what information is scanned, like device name, operating system, or MAC address. This toggle also does not affect vulnerability scans.

    Scanning Schedule section

    The Scanning Schedule section is located on the Scanner Config page. It displays scans that are scheduled for a selected scanner. You can change how the information displays in the Scanning Schedule table:

    The Scanning Schedule table has the following columns:

    Column Description
    Target The targets that the scan is configured to scan.
    Next Scan Time The next time that this scan is configured to run.
    Schedule The type of schedule for this scan:
  • Continuous — The scan runs continuously.
  • Daily — The scan runs once a day, based on the time that you configure.
  • Weekly — The scan runs once a week, based on the day and time that you configure.
  • Monthly — The scan runs once a month, based on the day and time that you configure.
    Window (hours) The window that the scan can run within, in hours. For example, 12 am to 8 am.

    Notes:

  • If you schedule a large scan in a small window, the scan may never complete.
  • If a scan cannot complete within a scheduled window, the scan resumes where the previous scan stopped the next time the schedule runs.
    Priority The priority of the scan:
  • Low — This scan runs last, after all other scans are complete.
  • Medium — This scan runs after High priority scans but before Low priority scans.
  • High — This scan completes first, before all other scans.

    Notes:

  • If a High priority scan does not complete within the scanning window, any Low or Medium priority scans never run.
  • If you start a new High priority scan while a Low priority scan is in progress, the in-progress Low priority scan completes first, and then the High priority scan starts.
  • The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority would go first. If the priority is the same value, the least recently scanned target is selected. If both schedules are equally least recently scanned, the scans are performed in alphabetical order.

    Modify Use this column to modify your scan schedule:
  • Click Edit to edit the schedule.
  • Click Delete to delete the schedule.

    Tip: If the Scanning Schedule table is empty, the sensor scans all hosts on the network that it currently has an IP address on.
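    The Priority and Window notes above define an ordering: highest priority first, then the least recently scanned target, then alphabetical order, with a scan that overruns its window starving everything below it. The following Python simulation is an added example, not Arctic Wolf's scheduler code or part of the documentation. It applies those rules to constructed schedules and scan history and shows how a two-hour window lets the High priority targets run but leaves the Low priority target unscanned, while a four-hour window reaches everything. The fixed 30 minutes per host, the final tie-break on schedule name, and the omission of resume-where-it-stopped behaviour are assumptions of the example.

```python
from datetime import datetime, timedelta

# Added simulation of the selection rules in the Priority and Window notes
# on this page. Per-host scan duration and the tie-break between two
# schedules listing the same target with equal priority and age are
# assumptions; resuming a partially completed scan is not modelled.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Constructed schedules and scan history for the example.
SCHEDULES = [
    {"name": "servers-daily", "priority": "High",
     "targets": ["srv-01", "srv-02", "srv-03"]},
    {"name": "workstations-weekly", "priority": "Medium",
     "targets": ["ws-01", "ws-02"]},
    {"name": "lab-weekly", "priority": "Low", "targets": ["lab-01"]},
]
SAMPLE_LAST_SCANNED = {
    "ws-01": datetime(2023, 9, 1, 2, 0),
    "ws-02": datetime(2023, 8, 20, 2, 0),
}
WINDOW_START = datetime(2023, 9, 25, 0, 0)


def pick_next(schedules, last_scanned, exclude=frozenset()):
    """Return (schedule name, target) to scan next: highest priority first,
    then the least recently scanned target (never scanned counts as oldest),
    then alphabetical order. Targets in `exclude` are skipped."""
    best = None
    for sched in schedules:
        for target in sched["targets"]:
            if target in exclude:
                continue
            key = (
                PRIORITY_RANK[sched["priority"]],
                last_scanned.get(target, datetime.min),
                target,
                sched["name"],  # assumed final tie-break
            )
            if best is None or key < best[0]:
                best = (key, sched["name"], target)
    return None if best is None else (best[1], best[2])


def simulate_window(schedules, last_scanned, start, window_hours, minutes_per_host):
    """Targets scanned, in order, during one window of `window_hours` when
    every host takes `minutes_per_host`. Stops when the next scan would not
    finish inside the window, which is how lower priorities get starved."""
    history = dict(last_scanned)
    clock, end = start, start + timedelta(hours=window_hours)
    scanned = []
    while True:
        choice = pick_next(schedules, history, exclude=frozenset(scanned))
        if choice is None or clock + timedelta(minutes=minutes_per_host) > end:
            return scanned
        _, target = choice
        clock += timedelta(minutes=minutes_per_host)
        history[target] = clock
        scanned.append(target)


if __name__ == "__main__":
    for hours in (2, 4):
        order = simulate_window(SCHEDULES, SAMPLE_LAST_SCANNED, WINDOW_START, hours, 30)
        print(f"{hours}h window: {order}")
```

    In the two-hour run the three servers and ws-02 (scanned least recently) fit, and lab-01 never runs; sizing the window to the number of hosts and their scan time, or splitting large target sets across schedules, is what keeps the Low priority schedule from being starved indefinitely.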

    Credentialed Scanning section

    The Credentialed Scanning section is located on the Scanner Config page. Credentialed scanning requires entering known credentials for a target host or group of hosts to allow the scanner to run network vulnerability tests and security checks.

    During authentication, the scanner enumerates different protocols, some of which may be insecure, for example Server Message Block (SMB). Once connected, the scanner retrieves the list of installed software. The scanner then runs all of the OpenVAS version-check Network Vulnerability Tests (NVTs) that apply to the software installed on the host. Scan results are limited if the scanner is unable to log in to the target.

    Scanning a Windows target uses NTLMv2 over SMB for authentication.

    Tip: This scan also finds vulnerabilities that are not remotely exploitable, such as an Adobe Acrobat vulnerability.

    You can change how the information displays in the Credentialed Scanning table:

    The Credentialed Scanning table has the following columns:

    Column Description
    Name The name of credential that you configured.
    Type The type of credential:
  • Username/Password — You will provide the username and password of the target host(s). Windows requires the username in the format domain\username.
  • Username/SSH Key — You will provide the username and SSH key of the target host(s). SSH key authentication is only supported for Linux targets.
    Hosts The hosts that apply to this credentialed scan.
    Description The description that you configure, such as SSH key pair to host A.
    Modify Use this column to modify your credentialed scan:
  • Click Edit to edit the credentialed scan.
  • Click Delete to delete the credentialed scan.
    Scanning Queue table

    The Scanning Queue section is located on the Scanner Config page. It is only visible if you are viewing information for a scanner that has scans queued. The table displays all of the running and scheduled scans for the selected scanner. You can change how the information displays in the Scanning Queue table:

    The Scanning Queue table has the following columns:

    Column Description
    Host The host that the scan targets.
    Status The status of the scan:
  • Running — The scan is in progress.
  • Scheduled — The scan is scheduled to run at a specified date and time.
    Last Scan The date and time of the last completed scan.
    Scan Schedule The schedule of this scan, including the target and type.

    View the configuration of a scanner

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, next to Scanner ID, click Details.

      The Scanner Select dialog appears.

    3. Do one of the following:

      • Enter the required scanner ID in the search field.
      • Locate the required scanner ID in the table. Scroll through the pages if required.
    4. Click the scanner ID in the list.

      The dialog automatically closes and the configuration information appears in the Scanner Configuration section.

    View the scan queue

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Queue section, view the data in the Last Scan column for the time that the host was last scanned.

      Note: The Scanning Queue section is only visible if you are viewing information for a scanner that has scans queued.

    Add new scan credentials

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Credentialed Scanning section, click Add new scan credentials.

      The Configure Credentials for Target Hosts dialog appears.

    3. Enter the following information in the dialog:

      • Name — Enter a name for the credential.

      • Description — (Optional) Enter a description for the credential.

      • Hosts — Enter the IP addresses of the target hosts in a comma-separated list.

        Tip: This field also accepts IP ranges using a hyphen, such as 10.0.0.1-3.

      • Type — Select the type of credential:

        • Username/Password — You will provide the username and password of the target hosts.
        • Username/SSH Key — You will provide the username and SSH key of the target hosts.
      • Username — Enter the username for the target hosts.

      • Password — Enter the appropriate password.

      • Passphrase — (Optional) Enter the appropriate passphrase.

      • SSH Key — Enter the appropriate SSH key.

    4. Click Configure.

    Manage Risk Scanner configuration

    To add an IP address or IP address range to the:

    Add a new scan schedule

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Add a new scan schedule.

      The Configure Scanner Schedule dialog appears.

      Tip: Click Cancel or press ESC to close this dialog.

    3. In the Targets field, enter the IP addresses or networks that you want scanned, as a comma-separated list.

      See Managed Risk Scanner FAQ for scanning subnet range recommendations and estimated time to complete a scan.

      You can use the following formats:

      Target          IP Address           CIDR
      Single host     X.X.X.X              X.X.X.X/32
      Subnet range    X.X.X.X-X.X.X.X      X.X.X.X/Y
    4. In the Type dropdown list, select one of the following:

      • Continuous — The scan runs continuously.
      • Daily — The scan runs once a day. When selected, these options appear:
        • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
      • Weekly — The scan runs once a week. When selected, these options appear:
        • Weekday checkboxes — Select the applicable days of the week to run the scan.
        • Start Time — Select the time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
      • Monthly — The scan runs once a month. When selected, these options appear:
        • Date & Time — Enter a date and time that you want the scan to start. The time is set using a 24-hour clock.
        • Scan Window (Hours) — Select the scan window. The default value is 8.
    5. In the Priority dropdown list, select one of the following:

      • Low — This scan runs last, after all other scans are complete.
      • Medium — This scan runs after High priority scans but before Low priority scans.
      • High — This scan completes first before all other scans.

        Note: If there is a High priority scan that does not complete in the scanning time window, any Low or Medium priority scans never run.

    6. Click Configure to save your changes.

    Note: Hosts that match a scheduled target are only scanned at the scheduled time. The scanner does not scan them as part of its regular scanning queue.

    Add an IP address or IP address range to the AllowList

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Add a new scan schedule.

      The Configure Scanner Schedule dialog appears.

    3. Configure the following:

      • Targets — Enter the private IP address or private IP address range to add to the AllowList.
      • Type — Select the desired scan schedule.
      • Priority — Select a scan priority. This determines the order in which scans run when there are multiple items in the Scanning Queue.
    4. Click Configure to save your configuration.

    Add an IP address or IP address range to the DenyList

    A DenyList is a list of IP addresses that you specifically do not want the scanner to scan, such as devices with poorly designed or implemented embedded network stacks that may behave unexpectedly if scanned. For example, printers or consumer-grade Wi-Fi access points may print unexpected output or reboot if scanned. Because of the inconvenience this may cause, you can choose not to scan these devices.

    Tip: Your CST works with you to reduce the number of devices on your DenyList, as a bad actor could use the same vulnerabilities to further compromise your network.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, enter IP addresses or networks in the DenyList IP/Networks field.

      The field accepts a comma-separated list in classless inter-domain routing (CIDR) format: individual hosts without the /32 suffix, or networks in the form X.X.X.X/Y.

      Tip: You can specify multiple IP addresses using a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
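An added example (not Arctic Wolf's own code) that parses the target formats the Targets and DenyList IP/Networks fields accept: a bare host, X.X.X.X/Y, X.X.X.X-X.X.X.X, and the 10.0.0.1-3 shorthand with a dash inside one octet. It also counts the hosts a list covers, checks whether an address is on a DenyList, and flags networks larger than the /24 the FAQ recommends; supporting a dashed octet other than the last one is an assumption generalising the page's example.

```python
import ipaddress
from typing import Iterator, List


def _expand_octet_range(token: str) -> Iterator[str]:
    """Expand the shorthand 10.0.0.1-3 (a dash inside one octet) to full addresses.
    A dash in a non-final octet (10.0.1-2.7) is handled the same way; that is an
    assumption beyond the page's example."""
    octets = token.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {token!r}")
    dashed = [i for i, octet in enumerate(octets) if "-" in octet]
    if len(dashed) != 1:
        raise ValueError(f"exactly one octet may carry a range: {token!r}")
    index = dashed[0]
    low, high = (int(part) for part in octets[index].split("-", 1))
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range in {token!r}")
    for value in range(low, high + 1):
        octets[index] = str(value)
        yield ".".join(octets)


def parse_target(token: str) -> List[ipaddress.IPv4Network]:
    """Turn one comma-separated item into a list of IPv4 networks (/32 for hosts)."""
    token = token.strip()
    if not token:
        raise ValueError("empty target")
    if "/" in token:                                   # CIDR: X.X.X.X/Y
        return [ipaddress.IPv4Network(token, strict=False)]
    if "-" in token:
        left, right = token.split("-", 1)
        if right.count(".") == 3:                      # full range: X.X.X.X-X.X.X.X
            first = ipaddress.IPv4Address(left)
            last = ipaddress.IPv4Address(right)
            if last < first:
                raise ValueError(f"range end before start: {token!r}")
            return list(ipaddress.summarize_address_range(first, last))
        return [ipaddress.IPv4Network(a) for a in _expand_octet_range(token)]
    return [ipaddress.IPv4Network(token)]              # bare host, same as /32


def parse_target_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the whole comma-separated field value."""
    networks: List[ipaddress.IPv4Network] = []
    for item in text.split(","):
        if item.strip():
            networks.extend(parse_target(item))
    return networks


def count_targets(text: str) -> int:
    """Number of addresses the field covers (useful against the ~150-250 hosts
    per 8-hour window the page quotes for a scanner)."""
    return sum(net.num_addresses for net in parse_target_list(text))


def is_denied(address: str, denylist: str) -> bool:
    """True if the address falls inside any DenyList entry."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in parse_target_list(denylist))


def oversized_targets(text: str, largest_prefix: int = 24) -> List[str]:
    """Networks larger than the recommended /24 (for example a /16), which the
    FAQ warns are likely to time out."""
    return [str(net) for net in parse_target_list(text) if net.prefixlen < largest_prefix]


if __name__ == "__main__":
    # Constructed sample field values.
    print(count_targets("10.0.0.1-3, 192.168.1.0/24"))          # 259
    print(is_denied("10.0.0.2", "10.0.0.1-3, 192.168.50.0/24")) # True
    print(oversized_targets("10.0.0.0/16, 192.168.1.0/24"))     # ['10.0.0.0/16']
```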

    Edit an existing scan schedule

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the desired schedule, and then click Edit.

      Tip: Use the Search bar to search for a specific schedule.

      The Configure Scanner Schedule dialog appears.

    3. Modify the schedule as desired. For example, to:

      • Raise the priority of an existing scan schedule — Set the Type or Priority values to the desired cadence. This is often used when a scan needs to be rerun to confirm a high-risk vulnerability remediation throughout the organization.
      • Change the frequency of the scan — Change the Type value to your desired frequency.
    4. Click Configure to save your changes.

    Brute force scanning username checks

    The Risk Scanner performs brute force scanning checks on the following non-exhaustive list of usernames:

    Note: In addition to these username checks, the Risk Scanner uses known default usernames of different devices to validate Common Vulnerabilities and Exposures (CVE).

    Enable brute force scanning

    The Risk Scanner performs brute force scanning checks for default, known, or common usernames and passwords for various services and devices.

    Notes:

    • Arctic Wolf recommends only using these settings for troubleshooting or emergency situations.
    • Brute force scanning is separate from OpenVAS scanning. OpenVAS scanning performs regular vulnerability checks, such as for default usernames and passwords, regardless of whether brute force scanning is enabled or not.
    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn on the Brute force checks toggle.

    4. Click Close.

      Your changes are automatically saved.

    See Brute force scanning username checks for a non-exhaustive list of brute force scanning username checks.

    Enable CGI scanning

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn on the CGI scanning toggle.

    4. Click Close.

      Your changes are automatically saved.

    Enable a scan schedule

    A scan schedule can be enabled individually.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. In the Scanning Schedule section, locate the desired schedule, and then turn on the Scheduled Enabled toggle.

      Note: If the button appears dimmed, the scan is currently disabled.

    Stop active and scheduled scans

    Active scans and scheduled scans can be stopped in bulk or individually.

    Stop a scan schedule

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the desired schedule, and then turn off the Scheduled Enabled toggle.

      Note: If the button appears dimmed, the scan is currently disabled.

      The Disable Scan Schedule dialog appears.

    3. Click Stop Scan Schedule.

    Stop all scan schedules

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, click Stop All Scan Schedules.

      The Stop All Scan Schedules dialog appears.

    3. Click Stop All Scan Schedules to confirm.

    Disable a scan

    Host Identification Scans and Vulnerability Scanning are required for normal operation, but if needed you can disable one or both of these types of scans.

    Notes:

    • This causes dashboard reporting errors after 24 hours.
    • IVA scans do not run if the Host Identification Scans checkbox is unchecked.
    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. In the Scanner Configuration section, do one or both of the following:
      • To temporarily disable IVA scanning, turn off the Vulnerability Scanning toggle. No new scans will run until you turn on the toggle again.
      • To disable host identification scans, turn off the Host Identification Scans toggle.

    Disable brute force scanning

    Brute force scanning can lead to Active Directory or standard account lockouts if you have devices on your network that use the default or known usernames. We recommend that you change the device username from the known or default value, both to enhance your security posture and to avoid account lockouts during scanning. If that is not possible, you can disable the brute force scanning checks.

    Note: Brute force scanning is separate from OpenVAS scanning. OpenVAS scanning performs regular vulnerability checks, such as for default usernames and passwords, regardless of whether brute force scanning is enabled or not.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn off the Brute force checks toggle.

    4. Click Close.

      Your changes are automatically saved.

    Disable CGI scanning

    Webmin applications often use Common Gateway Interface (CGI) scripts, so disabling these scans removes many of the Webmin checks that the Risk Scanner performs. CGI is a legacy feature used by web-based Active Directory sign-in pages, which consistently experienced false-positive account lockouts. Disabling CGI scanning prevents the lockouts caused by Risk Scanner scans but does not mitigate the underlying risk to the customer.

    For example, if a typical Webmin page using CGI has a vulnerability, the CGI scanning presumably discovers this vulnerability. If the discovered vulnerability involves bad actors using known or default credentials to sign in to the system, there is a risk of account lockout. Disabling the CGI scanning can limit the negative customer impact of account lockouts while the customer performs any remediation steps that are required to address the vulnerability.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, click Troubleshooting Settings.

      The Troubleshooting settings dialog appears.

    3. Turn off the CGI scanning toggle.

    4. Click Close.

      Your changes are automatically saved.

    Delete a scan schedule

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanning Schedule section, locate the scan to delete, and then click Delete.

      The Delete Schedule dialog appears.

    3. Click Delete Schedule.

    Verify that an IVA re-scan is running

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.
    2. Locate the IP address of the host that you want to confirm is being scanned.
    3. Verify that the Status of the IP address is Running or Scheduled.

    Verify scanner health

    On a monthly or quarterly basis, do the following to review IVA Scanner and Arctic Wolf Agent scanning health:

    Check IVA Scanner connectivity

    Arctic Wolf alerts you if IVA Scanners go offline, but it is also good practice to verify that online IVA Scanners are working as expected and that assets are scanned in a timely fashion.

    1. In the Risk Dashboard navigation pane, click Config > Scanner Config.

    2. In the Scanner Configuration section, for Scanner ID, click Details.

      The Scanner Select dialog appears.

    3. Enter the scanner ID in the Search field, and then click it in the list.

    4. In the Scanner Configuration section, verify that the Connection Status is Connected and that the Scanning Status is Scanning.

      • If the Connection Status is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication.

        See Arctic Wolf Portal IP Addresses page for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.

      • If the Scanning Status is Degraded — restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.

    5. Repeat steps 2 to 4 for additional scanners as needed.

    Check the IVA Scanner rate

    Make sure assets are scanned at an appropriate interval. In general, a scanner scans approximately 150-250 assets in an 8-hour period. This number varies with the type of system and environment. For example, if several large subnets of assets are only given a weekly scan with an 8-hour scan window, it might take more than a month to complete a full cycle of scanning. If you are concerned that your environment is not being scanned in a timely manner, consult with your CST to review the scheduling.

    To optimize scanning without increasing the scan window time, you can deploy additional physical scanners. This would allow you to scan multiple subnets in parallel. Adding resources to virtual scanners would not result in any meaningful increase in scan throughput because they would consume additional resources.

    See Managed Risk Scanner FAQ for more information.

    Check Agent scanning health

    Agent scans are set and managed by your CST, but you can view the results of Agent scans and identify assets that were scanned or missed.

    1. In the Risk Dashboard navigation pane, click Agent.

    2. In the Agent Scan Details section, enter a date that is prior to the scan date you want to verify, and then click Apply.

    3. Click Get Data.

    4. Review the Status of each scan, to identify if the scan was successful or not.

      See View Agent Scan Details for more information. If an asset with the Agent is not being scanned correctly or if assets are missing from the scan schedule, contact your CST at security@arcticwolf.com.

      Tip: You can copy the information from the Agent Scan Details section and paste it into a Microsoft Excel spreadsheet. The table structure is maintained for easier analysis.

    5. (Optional) In the Scans Detail column, click Details, to view additional details for a scan.

    Troubleshoot scanning statuses

    This information provides solutions to resolve various scanning statuses in the Risk Dashboard. See Scanner Configuration section for more information about these values.

    Scanning status is degraded

    Possible cause: A scanner status changes to Degraded if it did not complete a scan within 24 hours. This might be because a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is blocking traffic to or from the device.

    Resolution:

    Scanning status is misconfigured

    Possible cause:

    Resolution: Reconfigure the scanner to address the possible causes.

    Scanning status is disabled

    Possible cause: Host identification scans and vulnerability scans are disabled.

    Resolution: Enable host identification scans and vulnerability scans for the scanner. See Scanner configuration section for more information on enabling scans.

    Scanner Console page

    The Scanner Console page displays scanner information, connection status, and scanning status for each sensor ID.

    Add scanner labels

    To easily identify your scanners, you can add scanner labels to each sensor ID.

    1. In Scanner Console, under Label, click Click to add label.
    2. In Enter Sensor Name, enter a sensor description.
    3. Click Submit.

    Tools

    To access Arctic Wolf tools, in the Risk Dashboard navigation pane, click one of the following:

    FAQ

    These are some frequently asked questions about the Risk Dashboard.

    Q: My Risk Dashboard is doing something weird, how can I fix it?

    A: Performing a hard page refresh usually corrects any unexpected behavior. The keyboard shortcuts for a hard refresh are:

    Q: Why did the state of a risk change to "Unsuccessful Validation"?

    A: When you set the state of a risk to Fixed, Waiting Validation and a subsequent scan of that host still detects the same issue, the system moves the state of that issue to Unsuccessful Validation. This lets you know that your changes were not successful in mitigating a specific vulnerability.

    Q: What does "The risk is confirmed resolved by the user" status reason mean?

    A: If the Status Reason value is The risk is confirmed resolved by the user, the risk became inactive and was no longer scanned after you changed the State value of the risk to Mitigated.

    See Risk statuses for more information about inactive risks, and Risk states for more information about the Mitigated risk state.

    Q: Why does the scan take longer than the designated time window in the scanning schedule?

    A: The time specified in the Scanning Schedule table for a scan is relative to the length of time that a scan actually takes. Also, the scanning window defines the start time for the scan. Some scans take up to two hours longer than their scheduled scanning window. Scan times depend on the following:

    Q: Which subnet ranges should I configure for scanning?

    A: We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue.

    See Managed Risk Scanner FAQ for more information about subnet scan ranges.

    Q: How is the rescan request placed in the queue?

    A: When a target host is selected for rescanning, the target host is placed at the top of the least recently scanned list, allowing it to be scanned next as capacity increases. Clicking Rescan does not immediately start a new scan.

    Note: If the target host identified for rescan is offline at the time of the rescan request, the Risk Scanner attempts to rescan the host. This scenario can happen because risks are not removed from the Risks table until the target host has been offline for more than 24 hours.

    See also

    Managed Risk Scanner FAQ