Risk Dashboard User Guide

Risk Dashboard

The Risk Dashboard is an interactive dashboard that lets you monitor and acknowledge risks within your network.

Risk metrics

These metrics appear on most Risk Dashboard pages:

Each metric has a tooltip that provides information about the metric.

Tip: Select a metric value to view the vulnerabilities that comprise that metric on the Risks page.

Downloads

Click Executive Summary or Risk Assessment on any Risk Dashboard page to download the corresponding PDF report.

You can also click CSV beside any chart or table within the Risk Dashboard to download a CSV file.

Executive Summary

The PDF Executive Summary report includes all of the scan summary data plus details on any risks with a score of 9 or higher.

Risk Assessment

The PDF Risk Assessment report includes all of the summary data plus details on all risks with a score of 5 or higher.

Changing report settings

To change report settings on any page:

  1. Click the Settings button to open a selection menu.

  2. (Optional) If desired, enter a name in the Prepared For text box.

  3. Under Section Select, choose the items that you want to include in the Executive Summary or Risk Assessment reports for the Assets page:

    Tip: If you refresh the page, or navigate elsewhere, your selections reset.

    • Network Risk Summary — Overview of your current risk score, industry score, and unresolved risks.

    • Risk Score Trends — Your risk score history as it appears on the Overview page.

    • Risk Severity Summary — A summary of your risks categorized by severity.

    • Risk Classification Summary — A summary of your risks categorized by their remediation action(s).

    • 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.

    • Network Risk Overview — A heatmap of your asset health.

    • Identified Risks — A list of the active risks in your network.

    • Accepted Risks — A list of the risks that you have acknowledged.

  4. Click on either Executive Summary or Risk Assessment to download a report with your selected settings.

Overview

The Overview page of the Risk Dashboard provides an overview of your network including risk score and asset health.

Risk score

Arctic Wolf calculates your risk score based on the Common Vulnerability Scoring System version 2 (CVSSv2). The CVSSv2 provides an open framework for communicating the impacts of network vulnerabilities. Specifically, the CVSSv2 score provides an objective metric that Arctic Wolf uses to prioritize vulnerabilities so that the highest risk vulnerabilities are remediated first.

Tip: The National Institute of Standards and Technology (NIST) provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real-time. Each CVE provides details about a known network vulnerability, including a CVSSv2 score.

Your risk score is updated automatically whenever there is a change, such as a new risk in your network or if you mitigate an existing risk.

Note: If the scanner scans a host and a vulnerability is no longer detected, the report(s) clear the device of that vulnerability.

Target score

The Overview page also showcases the trends of your risk score over time in comparison to others in the industry and provides a target risk score for a low risk network.

Risk is something that can never be completely eliminated, only reduced. To ensure resources are spent effectively, you should mitigate the highest risk vulnerabilities first and mitigate the lower risk vulnerabilities last.

The CVSSv2 specification includes a high-level categorization into three severities:

Industry studies show a high correlation between the time to exploit and incidents of exploitation with high severity CVEs. Therefore, an effective mitigation and prioritization strategy addresses all high severity CVEs with the highest possible urgency.

New risks

New risks are risks discovered in your network in the last 30 days. These risks are automatically added to the Overview page when they are discovered on your network. New risks are those that you have not yet acknowledged, and include vulnerabilities discovered during scans.

Note: If a risk is no longer found in your network, for example because a device was removed from the network, but we find that risk again at a later time, it is considered new at that point.

Network health

Your network health is based on risk score and number of vulnerabilities. A low risk network is a healthier network.

Vulnerabilities

A vulnerability is an issue within the software, operating system, or service that is exploitable. Managed Risk scanners can identify, quantify, and prioritize or rank the vulnerabilities in a system.

A zero-day vulnerability is a vulnerability that bad actors or third parties exploit before the vendor determines a solution to the problem.

Management plan

The Management Plan page shows all of the risks in your network and any of their associated plans. On this page, you can create plans and also see risks that are not currently assigned to plans.

Plans

Plans are a collection of risks that match certain criteria as defined in system rules. You can use plans to keep track of risks to mitigate them.

Plans are displayed on a timeline, similar to a Gantt chart, that shows the estimated completion date for each plan. Plans are color-coded with these colors:

You can search for the tags of specific plans using the Search bar. Select Clear All to remove all list filters.

Viewing the contents of a plan

To view the contents of a plan, click + beside the name of the plan that you want to view. The row expands to display each risk contained in the plan and the associated timeline for each risk in the plan.

Changing the timeline time scale

To change the scale of the Risk Management timeline, select Week, Month, or Quarter from the list. Custom time ranges are not supported.

Plan filters

Use these plan filter options to narrow the risks that appear in the Plan chart:

Filter Description
Created Before Select a calendar date to view all of the plans that were created before that date.
Users Select a user to see the plans that are associated with that user.
Risk State Select a state to view the plans that include risks in that state.

Tip: See Risk states for the meaning of each state.

Risk Score Use these filters to view the plans that include risks with risk scores within the value range that you specify.
Clear All Select this option to clear any applied filters.

Creating plans

To create a plan:

  1. Select Create Plan to open the dialog box.

  2. Enter a title and description for the plan in the dialog box.

  3. (Optional) Select a value in the Severity menu. This creates a plan that has risks of that severity.

    Tip: Risk severity is based on risk score.

  4. Click Create Plan.

  5. Select Risks in the navigation pane.

  6. Select one or multiple risks from the Risks table.

    Tip: You can use the Filters to narrow the list of risks appearing on the page. See Risk filters for more information.

  7. In the information panel for the risk(s), select a plan title from the Plan menu. Your changes are saved automatically.

  8. Return to the Management Plan page to view the risks within the new plan.

Closing plans

Note: We recommend mitigating all risks in a plan before closing it. If any risks are not mitigated, the plan reopens when those risks are rediscovered during the next scan.

To close a plan:

  1. Select Close Plan to open the dialog box.

  2. Select a plan that you would like to close from the menu.

  3. Click Close Plan.

Moving a risk between plans

To change the plan that a risk belongs to:

  1. In the navigation pane, select Risks.

  2. Select one or multiple risks from the Risks table.

    Tip: You can use the Filters to narrow the list of risks appearing on the page. See Risk filters for more information.

  3. In the information panel for the risk(s), select a plan title from the Plan menu. Your changes are saved automatically.

  4. Click anywhere outside of the information panel to close the panel and return to the Management Plan page.

Unassigned Risks

The Unassigned Risks table shows all of the risks that are not currently assigned to a plan. See Risks for display options, field descriptions, and information about the Risk Information Pane.

Risks

The Risks page lists all risks that a Managed Risk source identified in the network, sorted by risk score.

Tip: You can select any of the columns to sort by that column.

Use the Risks Per Page option to select the number of entries that appear on one page. Use the Columns display option to hide or show specific columns.

The Risks table has these columns:

Column Description
Source The source that discovered the risk, such as a scan or Arctic Wolf Agent.
Host The host where the risk was discovered.
Issue The risk title or issue name.
Risk Score The risk rating. The higher the risk score, the more severe the risk.
Action The action that is required to mitigate the risk.
State The state of the risk, which is one of:
  • Open
  • False Positive
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Fixed, Waiting Validation
  • Accepted
  • Unsuccessful Validation
  • Mitigated

Tip: See Risk states for the meaning of each state.

Status The status of the risk, which is one of:
  • Active
  • Inactive
  • Obsolete
  • Mitigated

Tip: See Risk statuses for the meaning of each status.

Resolution Date The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
Age The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not.
Days to Resolution The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.

By default, the Risks page loads with these filters applied:

Filter Default value(s)
Risk Score 4 to 10
State
  • Open
  • Acknowledged, In-Planning
  • Mitigation/Fix in Progress
  • Unsuccessful Validation
Status
  • Active
  • Inactive

You can change any of the applied filters to limit the risks that appear in the table. See Risk filters for all risk filtering options.

Risk filters

Use the Filters section to narrow the risks that appear in the Risks table. These are the available filter options:

Filter Description
Risk Score Use these options to narrow the risk table based on severity:
  • Select Low, Medium, High, or Critical to view only the vulnerabilities with corresponding risk scores.
  • Use the numerical filters to see the vulnerabilities that have risk scores within the value range that you specify.

    Users Select a username to see the risks that are assigned to that user.

    You can select multiple usernames.

    Resolved Date Range

    Enter a date range to view the risks that were resolved within that time period.

    Tip: Also apply these filters to isolate resolved risks:
    • False Positive
    • Accepted
    • Mitigated
    State Select a state to view the risks that are currently in that state.

    You can select multiple states.

    Tip: See Risk states for the meaning of each state.

    Status Select a status to view the risks that currently have that status.

    You can select more than one status.

    Tip: See Risk statuses for the meaning of each status.

    Search Enter a search term to automatically filter entries in the Risks table. Filter results are based on search term matches in any column.
    Source Select or deselect these options to show or hide the risks that these scan types identified:
    • iVA — Show or hide the risks that an Internal Vulnerability Assessment (iVA) scan discovered.
    • EVA — Show or hide the risks that an External Vulnerability Assessment (EVA) scan discovered based on scan group configuration.
    • Agent — Show or hide the risks that an Agent scan discovered.
    Deployment ID

    Select a deployment ID to view the risks associated with that deployment.

    The value of this field depends on the type of scan that identified the risk. If this risk was identified during:
    • An iVA scan — This field displays the deployment ID of the scanner.
    • An EVA scan — This field displays the deployment ID of the target risk.
    • An Agent scan — This field displays the organization ID.
    Action Select an action to view the risks that must be addressed by completing that action.

    You can select multiple actions.

    Discovery Date Range Enter a date range to view the risks that were discovered within that time period.
    Clear Filters Select this option to clear any applied filters.

    Tip: To view mitigated risks, set the Status filter to Mitigated. To view obsolete risks, set the Status filter to Obsolete. You can also select a metric value to apply the filters that comprise that metric.

    Risk states

    All detected risks within your network have a State value that appears in several Risk Dashboard tables, such as Risks. You can optionally change the state of a risk manually. Changing this value does not impact whether the Risk Scanner detects, or is capable of detecting, any risk on the host machine. If you do not make changes, the default state of a risk is Open.

    The risk State values that you can select are:

    State Select this option when
    Open You are not currently taking any actions for this risk.
    False Positive You mitigated a risk in a way that the Risk Scanner does not account for.
    Acknowledged, In-Planning You plan to address the risk through direct resolution, or taking recommended or other mitigation steps.
    Mitigation/Fix in Progress You addressed the risk through mitigation actions.
    Fixed, Waiting Validation You believe the risk is mitigated.

    Note: The next scan validates if the vulnerability still exists. If the vulnerability:

    • Still exists — The state changes to Unsuccessful Validation.
    • Was not detected — The state does not change. The status changes to Mitigated.
    Accepted You choose to accept the risk.

    Note: See Accepting a vulnerability for more information.

    Mitigated You successfully mitigated the risk.

    Note: This is only available if the status of the risk is Inactive.

    Notes:

    Risk statuses

    All detected risks within a customer network have a Status value that appears in several Risk Dashboard tables, such as Risks. This value is automatically assigned.

    Status Description
    Active A risk that a recent iVA scan identified on a device that is currently online.
    Inactive A risk that a recent iVA scan identified on a device that is either:
    • Currently offline.
    • Not identified in the most recent scan, but is still in an actionable state.

    The reason that the risk is marked as inactive is displayed under the Status Reason field in the risk details.

    Note: If a device that is subject to iVA scanning goes offline, we cannot confirm if the risk is mitigated or not, and the risk is marked Inactive. This is usually due to a network connectivity issue.

    Obsolete A risk that has not appeared in vulnerability scanning results for a set number of days: 45 days for risks that Agent discovered and 90 days for risks that EVA or iVA scanning discovered.
    Mitigated A risk that was mitigated.

    Note: Risks can have a status of Mitigated but retain a state of Fixed, Waiting Validation.

    Risk information pane

    You can make changes to some fields in the information pane. Changes are reflected immediately.

    When you select a specific risk in the Risks table, an information pane opens for that risk with the following fields:

    Note: If a field is irrelevant to the source that discovered the risk, or if the field has no value, it is set to N/A.

    Field Description
    Resolution Date The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
    Age The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not.
    Days to Resolution The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted.
    Action The action that is required to mitigate the risk.
    Risk Score The risk rating. The higher the risk score, the more severe the risk.
    Issue Description A description of the risk.
    Additional Details Click the magnifying glass to view additional information that the scanner has identified about the risk.
    Remediation The recommended actions to mitigate this risk.
    First Detected The date and time when this risk was first seen.
    Most Recent Detected The date and time when this risk was last seen.
    Status The status of the risk.

    Tip: See Risk statuses for the meaning of each status.

    State The state of the risk. Select an option to change the state of a risk.

    Tip: See Risk states for the meaning of each state.

    Assigned To The email of the user who is assigned to manage the risk. Select an option to change the assignment.
    Due Date The date by which this risk should enter the Fixed, Waiting Validation state. Select the date by which remediation actions should be completed.
    Plan The plan that this risk is assigned to. Select an option to change the assignment.
    Host The hostname of the risk that the Agent or scanner identified.
    Source The source that discovered the risk. Possible values include:
    • external — This indicates an EVA scan.
    • scanner — This indicates an iVA scan.
    • agent — This indicates an Agent scan.
    Issue Category The category of the issue. Possible values include:
    • Hardware
    • Configuration
    • SMB
    • Dictionary
    • Patch Exploits
    • Data Leak
    • Webcrawler
    CVEs Any known CVEs that this risk is part of.
    References A link to documentation that outlines the steps recommended in Remediation.
    Last Updated By The user who last updated the fields in this information panel for this risk.
    Comments Any current comments about this risk that other users have left. Clicking on the chat bubble opens the comment box, where you can leave your own comments.
    Asset ID The ID of the asset that has the vulnerability.
    Issue ID The unique identifier of the risk.
    Scanner ID The ID of the scanner that performed the iVA scan, if applicable.
    Deployment ID If this risk was identified during:
    • An iVA scan — This field displays the deployment ID of the scanner.
    • An EVA scan — This field displays the deployment ID of the target risk.
    • An Agent scan — This field displays the organization ID.
    Host Annotations Any host alias or annotations which were discovered during EVA scanning, if applicable.
    Status Reason An explanation of the risk status that results from iVA scanning, if applicable.
    Issue Impact The potential impact to the organization if a bad actor exploits this vulnerability. Possible values include:
    • Data Theft — A bad actor can read and potentially modify unauthorized data that is stored on this host.
    • Denial of Service — A bad actor can intentionally disrupt one or more key services running on this host. Depending on the criticality of the service, this may disrupt daily employee tasks.
    • Session Hijack — A bad actor can take control of an open browser session. For example, an online banking session or Microsoft 365 session.
    • Account Theft — A bad actor can take over the account of a user or administrator. This lets the bad actor access any authorized service or data normally available to the compromised account. For example, reading or writing to a database or file storage to steal or modify data, stopping critical services, or, if this is an administrator account, installing malware such as backdoors, key loggers, or rootkits that compromise the host entirely.
    • Insecure Obsolete Software — The software is no longer supported and does not receive any security patches. Therefore the software likely contains many open and unidentified security vulnerabilities that a bad actor could easily take advantage of.
    • Active Breach Indicator — There are indicators that this host was or is currently breached. Immediate investigation should occur to determine if any mitigation steps are required.
    • Host Breach — This host is vulnerable to a bad actor taking over this host entirely, stealing or modifying data, denying services, or installing malware such as backdoors, key loggers, or rootkits.
    • Company Reputation — A bad actor can use open services on this host to attack other internet-connected devices. For example, a bad actor could use a misconfigured network time protocol (NTP) server for a reflection distributed denial-of-service (DDoS) attack, or use an open email relay server to send spam. This could result in your resources being publicly blocked or otherwise negatively affect the reputation of your organization.
    Rescan Click rescan to manually initiate a new scan. This only works with iVA risks.

    Assigning a user and a due date to a risk

    You can assign a user and a due date to a risk to track the resolution of that risk.

    Tip: This task is optional.

    To assign a user and a due date to a risk:

    1. Click Risks in the navigation pane to view the Risks table. Alternatively, click Management Plan in the navigation pane to view the Unassigned Risks table.

    2. Click a populated field for the risk that you want to update. This opens the information pane.

    3. (Optional) Select the Assigned To menu, and then select an email address from the list. The Assigned To field updates with your selection.

    4. (Optional) Select the Due Date field, and then select a date on the calendar at least one day in the future.

      Tip: The present date is highlighted in blue.

      The Due Date field populates with a date based on the selection, following the format MM/DD/YYYY, such as 02/20/2020.

    Tip: To remove user and due date assignments, select the blank field from the Assigned to menu.

    Bulk editing risks

    You may make changes to several risks at once rather than making identical edits to risks individually, such as assigning a due date or changing the state.

    To simultaneously edit multiple risks:

    1. Click Risks in the navigation pane.

    2. In the Risks table, select the row for every risk that you want to edit as part of a group. You may page through results and continue making your selections.

      Tip: The number of risks currently selected is displayed, along with options to update or clear your selections.

    3. Once all desired risks are selected, click Update Selected in the Filters section to open the bulk update dialog box.

    4. In the dialog box, make the desired edits to one or more of the following fields:

      • State
      • Assign To
      • Plan
      • Due Date
    5. Click Update to save your changes.

    6. (Optional) Click Clear All Selected to clear all selected risks.

    Accepting a vulnerability

    You may choose to accept an identified risk rather than fixing or mitigating the vulnerability. Changing the state of a risk to Accepted removes that risk from the Risk Score calculation. The risk remains in the Risks table for as long as it is detected on the network.

    We recommend that you mitigate or fix risks to improve your security posture, instead of accepting them. Accepting a risk does not make the risk go away, so bad actors could still take advantage of the vulnerability.

    If the risk is a false positive, you should apply the False Positive state to the risk, which then removes the risk from the Risk Score calculation.

    Note: The Risk Score is not updated immediately when a risk is marked as Accepted or as False Positive. It takes about an hour for the system to process and display the changes.

    To accept a vulnerability risk:

    1. Click Risks in the navigation pane.

    2. In the Risks table, select the risk that you want to update. This opens the information pane.

      Tip: Use the search field to narrow the results.

    3. In the information pane, locate the State list and select Accepted. Changes are saved automatically.

    4. Click anywhere outside of the information panel to close the panel and return to the Management Plan page.
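
An added example, not part of the original guide: because Accepted and False Positive risks are removed from the Risk Score calculation, this Python script reads a Risk Export CSV and lists hosts whose worst unresolved risk is one of those excluded risks. The CSV header names are assumed to match the Risks table columns, and the sample rows and function name are constructed for illustration.

```python
import csv
import io

# States that the guide says remove a risk from the Risk Score calculation.
UNSCORED_STATES = {"Accepted", "False Positive"}
# Statuses of risks that are not yet Mitigated or Obsolete.
OPEN_STATUSES = {"Active", "Inactive"}

# Constructed sample. Header names are an assumption based on the Risks table
# columns. Note the quoted State value that contains a comma.
SAMPLE_RISK_EXPORT = """Source,Host,Issue,Risk Score,State,Status
scanner,10.0.0.5,Unsupported OS version,10.0,Accepted,Active
scanner,10.0.0.5,Weak TLS configuration,5.0,"Acknowledged, In-Planning",Active
agent,hr-laptop-01,Outdated browser,9.3,Open,Active
agent,hr-laptop-01,Self-signed certificate,4.3,False Positive,Active
external,203.0.113.10,Open SMTP relay,7.5,Accepted,Mitigated
"""


def hidden_exposure(export_csv, min_score=0.0):
    """Find hosts whose worst unresolved risk is excluded from the Risk Score.

    For each host, compare the highest score among risks that still count
    toward the Risk Score with the highest score among Accepted or
    False Positive risks. A host is reported when the excluded maximum is
    higher than the counted maximum and at least min_score.
    """
    hosts = {}
    # csv.DictReader handles quoted fields such as "Acknowledged, In-Planning".
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["Status"] not in OPEN_STATUSES:
            continue  # Mitigated and Obsolete risks are out of scope here.
        score = float(row["Risk Score"])
        entry = hosts.setdefault(
            row["Host"], {"counted": 0.0, "excluded": 0.0, "issues": []}
        )
        if row["State"] in UNSCORED_STATES:
            entry["excluded"] = max(entry["excluded"], score)
            entry["issues"].append((score, row["State"], row["Issue"]))
        else:
            entry["counted"] = max(entry["counted"], score)

    findings = []
    for host, entry in hosts.items():
        if entry["excluded"] > entry["counted"] and entry["excluded"] >= min_score:
            findings.append({
                "host": host,
                "excluded_max": entry["excluded"],
                "counted_max": entry["counted"],
                "issues": sorted(entry["issues"], reverse=True),
            })
    # Highest excluded score first, then host name for a stable order.
    return sorted(findings, key=lambda f: (-f["excluded_max"], f["host"]))


if __name__ == "__main__":
    for finding in hidden_exposure(SAMPLE_RISK_EXPORT):
        print(
            f'{finding["host"]}: excluded max {finding["excluded_max"]} '
            f'vs counted max {finding["counted_max"]}'
        )
        for score, state, issue in finding["issues"]:
            print(f"  {score:>4}  {state:<14}  {issue}")
```
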

    Remediation Export

    The Risks table includes a Remediation Export option that you can click to download and review the remediation report for various risks in the Risks table. This report provides:

    Downloading the Risks table or downloading the remediation report

    To download the Risks table or download the remediation report:

    1. (Optional) On the Risks page, use the Filters section to narrow the risks that appear in the Risks table, as desired.

      Tip: All risks that match the filter criteria are included in the CSV, even if they are not currently displayed due to pagination settings.

    2. Click Risk Export or Remediation Export as desired to download the CSV file to your device.

      Notes:

      • Download times vary depending on the size of the CSV, due to the number of CVEs and remediations for each.
      • If any risks do not have Remediation Steps, contact your Concierge Security Team (CST)® and they will help determine remediation steps for these risks.

    Assets

    The Assets page includes all information relevant to the assets in your network.

    Asset Catalog

    The Asset Catalog table includes all of your assets, sorted by risk score.

    Tip: Select any column to sort by that column.

    Use the Show <x> Entries menu to change the number of entries that appear on one page. Use the Columns display option to hide or show specific columns.

    These columns appear in the Asset Catalog table:

    Column Description
    IP The IP address of the asset.
    Source The source that discovered the asset, such as a scan or Agent.
    Deployment ID The value of this field depends on the type of scan that identified the asset. If this asset was identified during:
    • An iVA scan — This field displays the deployment ID of the scanner.
    • An EVA scan — This field displays the deployment ID of the target asset.
    • An Agent scan — This field displays the organization ID.
    Device Name The name of the asset, as it appears on the device or in the Risk Dashboard.
    MAC The MAC address of the asset.
    OS The operating system (OS) of the asset.
    Category The category of the asset, including Desktop or Server.

    Note: If there is not enough information to classify an asset, the asset appears in the Unknown category.

    Risk The highest risk of any active risks for the asset.
    Vulnerabilities The number of current vulnerabilities for the asset.
    Manufacturer The manufacturer of the asset.

    Note: This information is only available for the assets that Agent discovers.

    Last Seen The last time that the IP address for this asset was verified.

    Note: This value is not the last time that the asset was online.

    Asset filters

    Use the Filters section to narrow the assets that appear in the Asset Catalog table. These are the available filter options:

    Filter Description
    Risk Score Use these filters to view the assets with vulnerabilities that have risk scores within the value range that you specify.
    Search Enter a search term to automatically filter entries in the Asset Catalog table. Filter results are based on search term matches in any column.
    Source Select or deselect these options to show or hide the assets that these scan types identified:
    • iVA — Show or hide the assets that an iVA scan discovered.
    • EVA — Show or hide the assets that an EVA scan discovered based on scan group configuration.
    • Agent — Show or hide the assets that an Agent scan discovered.
    Deployment ID

    Select a deployment ID to view the asset associated with that ID.

    The value of this field depends on the type of scan that identified the asset. If this asset was identified during:
    • An iVA scan — This field displays the deployment ID of the scanner.
    • An EVA scan — This field displays the deployment ID of the target asset.
    • An Agent scan — This field displays the organization ID.
    Asset Category Select a category to view the assets that belong to that category.

    You can select multiple categories.

    Discovery Date Range Enter a date range to view the assets that were discovered within that time period.
    Clear Filters Select this option to clear any applied filters.

    Asset details

    Click the scan source for any asset in the Asset Catalog table to open the details for that asset.

    Asset profile

    The asset profile includes these details about the asset:

    Editing asset details

    Select Edit Details to change these details about the asset:

    Tips:

    Creating notes for the asset

    To create a note for the asset:

    1. In the Notes text box, enter your note.

    2. Click +Add Note to add this note to the table.

    Asset profile history

    Whenever a scan identifies an asset, a profile is created or an existing profile for that asset is updated. This table shows asset profile changes over time as a result of scans from the selected source.

    By default, entries are sorted in ascending order based on the timestamp of the scan that identified the asset.

    Tip: Select any column to sort by that column.

    Use the Show <x> entries list to change the number of entries that appear on one page. Use the Columns display option to hide or show specific columns.

    These columns appear in the Asset Profile History page:

    Column Description
    IP The IP address of the asset.
    Device Name The name of the asset.
    OS The operating system of the asset.
    MAC The MAC address of the asset.
    When The date and time when the asset profile changed.
    Type The type of change to the asset profile. For example, OS refers to a change in the operating system.
    Event The change to the asset profile, for example, an operating system update.
    Raw Log An Arctic Wolf specific field that the system generates for each asset profile change as a result of a scan.

    Agent audits

    If Agent discovered this asset, this section appears and includes information about the asset that Agent discovered.

    Downloading the Asset Catalog table

    To download the Asset Catalog table as a CSV file:

    1. (Optional) On the Assets page, use the Filters section to narrow the assets that appear in the Asset Catalog table, as desired.

      Tip: All assets that match the filter criteria are included in the CSV, even if they are not currently displayed due to pagination settings.

    2. Click the CSV icon to download the CSV file to your device.

    Bulk editing assets

    You can bulk edit multiple assets in these ways:

    Bulk editing assets within the Asset Catalog table

    To bulk edit assets within the Asset Catalog table:

    1. Click Assets in the navigation pane.

    2. In the Asset Catalog table, select the row for every asset that you want to edit as part of a group. You may page through results and continue making your selections.

      Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.

    3. Once all desired assets are selected, click Update Selected to open the bulk update dialog box.

    4. In the dialog box, make the desired edits to one or more of the following fields:

      • Category
      • Device Name
    5. Click Update to save your changes.

    6. (Optional) Click Deselected All to clear all selected assets.

    Bulk editing assets using CSV files

    To bulk edit assets using CSV files:

    1. (Optional) On the Assets page, use the Filters section to narrow the assets that appear in the Asset Catalog table, as desired.

      Tip: All assets that match the filter criteria are included in the CSV, even if they are not currently displayed due to pagination settings.

    2. Select Export Assets to download the list of assets as a CSV file in the format required for bulk edits to the Asset Catalog table. The CSV file has these fields:

      • Device ID
      • Asset IP
      • Device Name
      • Category
    3. Using the Asset IP value to identify assets, edit the corresponding Device Name and Category columns as desired.

      Notes:

      • To reset the Device Name or Category of an asset to the value from the default sensor, leave the cell empty.
      • Do not edit the Device ID column. Editing a Device ID value results in an unsuccessful CSV import.
      • To exclude a device from the bulk edit, either leave the Device Name or Category values unchanged or delete the row from the CSV.
    4. In the Risk Dashboard, select Import Assets and open the modified CSV file. You are prompted to confirm that you want to upload the CSV file. A message appears that confirms whether the import was successful or unsuccessful.
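
    A check you can run on the edited file before step 4, shown as an added example that is not part of the product or its documentation. The header text, the function name, and the sample IDs, names and categories are assumptions made for illustration.

```python
import csv
import io

# Field names come from the guide; the exact header text of the export is assumed.
FIELDS = ["Device ID", "Asset IP", "Device Name", "Category"]
EDITABLE = ("Device Name", "Category")

def check_import(exported_csv, edited_csv):
    """Compare an edited CSV with the original export.

    Returns (errors, changes): errors lists rows that no longer match the
    export (for example an edited Device ID); changes lists the edits found.
    """
    original = {(r["Device ID"], r["Asset IP"]): r
                for r in csv.DictReader(io.StringIO(exported_csv))}
    reader = csv.DictReader(io.StringIO(edited_csv))
    errors, changes = [], []
    if reader.fieldnames != FIELDS:
        return [f"header changed: {reader.fieldnames}"], changes
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        before = original.get((row["Device ID"], row["Asset IP"]))
        if before is None:
            # An edited Device ID or an added row has no match in the export.
            errors.append(f"line {line_no}: Device ID/Asset IP pair not in export")
            continue
        for field in EDITABLE:
            old, new = before[field], (row[field] or "").strip()
            if new == old:
                continue  # unchanged cell: nothing to apply
            action = "reset to sensor default" if new == "" else f"{old!r} -> {new!r}"
            changes.append((row["Asset IP"], field, action))
    return errors, changes

# Constructed sample data (hypothetical IDs, names and categories).
EXPORTED = """Device ID,Asset IP,Device Name,Category
d-001,10.0.0.5,web01,Server
d-002,10.0.0.6,printer-2f,Printer
d-003,10.0.0.7,,Workstation
"""
EDITED = """Device ID,Asset IP,Device Name,Category
d-001,10.0.0.5,web01-prod,Server
d-002,10.0.0.6,,Printer
d-0O3,10.0.0.7,kiosk,Workstation
"""

if __name__ == "__main__":
    errs, chg = check_import(EXPORTED, EDITED)
    print("errors:", errs)
    print("changes:", chg)
```

    Rows deleted from the edited file are not reported, because deleting a row is how a device is excluded from the bulk edit.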

    Deleting an asset

    Select the garbage can, located to the right of the table entry, to delete this asset from the catalog. You are prompted to confirm that you want to delete an asset.

    Note: You cannot delete an asset with risks that were identified within the last 48 hours. Also, if a deleted asset is rediscovered during a future scan, it is given a new asset ID and re-added to the catalog.

    User Config

    Previously, the User Config page let you manage users who can access your Risk Dashboard. If you need to make user management changes now, contact your CST.

    Scanner Config

    The Scanner Config page lets you make changes to your scanning configuration and scanning schedules.

    Note: Information appears on this page only after you select the magnifying glass and choose a scanner.

    By default, the scanner scans all devices on the same network subnet as the IP or mask that is provisioned. If desired, you can add additional devices for scanning, provided that they are reachable through a gateway.

    By design, company identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer to GUID mapping is stored within the Arctic Wolf secure network.

    Scan frequency for a given host depends on a number of factors including:

    We recommend that each host on the network is scanned at a minimum once every 10-14 days. You may require additional scanners based on your network size and complexity.

    Note: EVA scans run monthly. We do not recommend scanning too frequently, as this could conflict with firewall rules or generate too much noise.

    Scanner Configuration

    The Scanner Configuration section of the Scanner Config page lists configuration details for the scanner that you select, including:

    Detail Description
    Scanner ID The ID of the scanner.

    Tip: Select the magnifying glass at the end of the ID to choose a different scanner.

    Scanner IP Address The IP address of the scanner.
    Netmask The netmask of the scanner.
    Connection Status The connection status of the scanner, including:
    • Connected — The scanner is online.
    • Disconnected — The scanner is offline.
    Scanning Status The scanning status of the scanner, including:
    • Scanning — The scanner is actively scanning.
    • Not Scanning — The scanner is not actively scanning.
    • Not Configured — The scanner is not scanning because it is not configured.
    • Degraded — The scanner encountered an issue while scanning.
    Host Identification Scans A toggle that enables or disables host identification scans. Vulnerability Scans must also be enabled for host identification scans to work. When this toggle is disabled, Vulnerability Scanning is also disabled.
    Vulnerability Scanning A toggle that enables or disables iVA scans.
    Troubleshooting Settings A toggle that allows you to select these options:
    • Brute force checks — Whether the scanner checks for brute force attempts in your network.
    • CGI scanning — Whether the scanner acts as a Common Gateway Interface (CGI), searching for well-known web vulnerabilities in web servers and similar software.
    • Only ping the target — Whether the scanner only scans hosts that respond to pings.
    • Stop All Scanning Now — Disable all future scanning and stop any existing scanning processes.

      Note: Arctic Wolf does not recommend using this option outside of an emergency since it may cause scan restart issues.

    DenyList IP/Networks IP addresses or networks which are part of the DenyList. These items are not scanned.
    Host Collection DNS Servers The DNS server that you have configured.

    Note: If this field is blank, we attempt to auto-discover the server name.

    Managing the DenyList

    A DenyList is a list of IP addresses that you specifically do not want the scanners to scan. Some devices with non-optimally designed or implemented embedded network stacks, such as printers or consumer-grade WiFi access points, may behave in unexpected ways, such as printing unexpected output or rebooting, when the scanner runs against that host.

    Because of the inconvenience this may cause, you can optionally choose not to scan these devices.

    Tip: Your CST works with you to reduce the number of devices on your DenyList, as a bad actor could use the same vulnerabilities to further compromise your network.

    You can add IP addresses or networks in the DenyList IP/Networks field. The format of this field is a comma-separated list in classless inter-domain routing (CIDR) format. The field accepts individual hosts without the /32 specification, or networks in the CIDR format X.X.X.X/Y.

    Tip: You can specify multiple IP addresses using a - separator in one of the IP octets. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.

    Scanning Queue

    This table shows all of the running and scheduled scans for the scanner that you selected.

    Use the Show <x> entries list to choose how many rows appear on this page. Use the Search bar to search for a specific scan in the queue.

    These columns appear in the Scanning Queue table:

    Column Description
    Host The host which the scan will scan.
    Status The status of the scan:
    • Running — The scan is in progress.
    • Scheduled — The scan is scheduled to run at a specified date and time.
    Last Scan The date and time of the last completed scan.
    Scan Schedule The schedule of this scan, including the target and type.

    Scanning Schedule

    This table shows the scans that you have scheduled for the scanner that you selected.

    Use the Show <x> entries list to choose how many rows appear on this page. Use the Search bar to search for a specific schedule.

    These columns appear in the Scanning Schedule table:

    Column Description
    Target The targets which the scan is configured to scan.
    Next Scan Time The next time that this scan is configured to run.
    Schedule The type of schedule for this scan:
    • Continuous — The scan runs continuously.
    • Daily — The scan runs once a day, based on the time that you configure.
    • Weekly — The scan runs once a week, based on the day and time that you configure.
    • Monthly — The scan runs once a month, based on the day and time that you configure.
    Window (hours) The window that the scan can run within, in hours. For example, 12 am to 8 am.

    Note: If you schedule a large scan in a small window, the scan may never complete.

    Priority The priority of the scan:
    • Low — This scan runs last, after all other scans are complete.
    • Medium — This scan runs after High priority scans but before Low priority scans.
    • High — This scan completes first before all other scans.

    Note: If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.

    Modify Use this column to modify your scan schedule:
    • Select pencil to edit the schedule.
    • Select garbage can to delete the schedule.

    Note: If the Scanning Schedule table is empty, the sensor scans all hosts on the network that it currently has an IP address on.

    Adding a new scan schedule

    To add a new scan schedule:

    1. Click Add a new scan schedule to open the dialog box.

      Tip: Click Cancel or press ESC to close this dialog box.

    2. Under Targets, enter the IP address(es) or network(s) that you want scanned as a comma-separated list in CIDR format.

      Note: Only entries with the CIDR format X.X.X.X/Y are accepted in this field. If you only want to add a single host, enter the host as X.X.X.X/32.

      We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue. See Managed Risk Scanner FAQ for more information about subnet scan ranges.

    3. Under Type, select one of these options:

      • Continuous — The scan runs continuously.

      • Daily — The scan runs once a day.

      • Weekly — The scan runs once a week.

      • Monthly — The scan runs once a month.

    4. Under Priority, select one of these options:

      • Low — This scan runs last, after all other scans are complete.

      • Medium — This scan runs after High priority scans but before Low priority scans.

      • High — This scan completes first before all other scans.

        Note: If there is a high priority scan that does not complete in the scanning time window, any low or medium scans never run.

    5. Click Configure.

    Note: Hosts which match a scheduled target are only run at the scheduled time. The scanner does not scan them as part of its regular scanning queue.
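
    The two field formats described above, the DenyList IP/Networks field (bare hosts, CIDR networks, and a - range in one octet) and the schedule Targets field (X.X.X.X/Y only), checked together in an added example that is not Arctic Wolf code. The function names and sample addresses are assumptions; the example flags targets larger than /24 and targets that overlap DenyList entries, which are not scanned.

```python
import ipaddress

def expand_entry(entry, require_cidr=False):
    """Expand one comma-separated entry into a list of IPv4Network objects."""
    entry = entry.strip()
    if "/" in entry:
        # strict=False masks off host bits; the page does not say how the
        # dashboard treats an entry such as 10.0.0.5/24.
        return [ipaddress.IPv4Network(entry, strict=False)]
    if require_cidr:
        raise ValueError(f"{entry!r}: Targets needs X.X.X.X/Y (/32 for one host)")
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"{entry!r}: not an IPv4 address")
    ranged = [i for i, octet in enumerate(octets) if "-" in octet]
    if not ranged:
        return [ipaddress.IPv4Network(entry + "/32")]
    if len(ranged) > 1:
        raise ValueError(f"{entry!r}: a range is allowed in one octet only")
    pos = ranged[0]
    low, high = (int(part) for part in octets[pos].split("-"))
    if low > high:
        raise ValueError(f"{entry!r}: range start is above range end")
    hosts = []
    for value in range(low, high + 1):
        octets[pos] = str(value)
        hosts.append(ipaddress.IPv4Network(".".join(octets) + "/32"))
    return hosts

def parse_field(text, require_cidr=False):
    """Parse a whole DenyList or Targets field value."""
    networks = []
    for entry in text.split(","):
        if entry.strip():
            networks.extend(expand_entry(entry, require_cidr))
    return networks

def review_targets(targets, denylist):
    """Flag targets larger than /24 and targets that the DenyList overlaps."""
    deny = parse_field(denylist)
    return [
        {
            "target": str(net),
            "larger_than_24": net.prefixlen < 24,
            "denylisted": [str(d) for d in deny if d.overlaps(net)],
        }
        for net in parse_field(targets, require_cidr=True)
    ]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    for row in review_targets("10.0.0.0/24, 172.16.0.0/20, 192.168.5.7/32",
                              "10.0.0.1-3, 192.168.5.0/24"):
        print(row)
```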

    Modifying an existing scan schedule

    To modify an existing scan schedule:

    1. In the navigation pane, select Config > Scanner Config.
    2. In the Scanning Schedule section, select pencil for the desired schedule to open the edit dialog box.

      Tip: Use the Search bar to search for a specific schedule.

    3. Modify the schedule as desired, and then click Configure to save your changes.

    Stopping all scanning

    See Disabling a scan to learn how to disable scans.

    Note: In an emergency, you can disable all future scanning and stop any existing scanning processes. Arctic Wolf does not recommend this approach since it may cause scan restart issues.

    To stop scanning in an emergency, under the Scanner Configuration section, select Troubleshooting, and then select Stop All Scanning Now.

    Disabling a scan

    To disable a scan:

    1. Under the Scanner Configuration section, look at the Host Identification Scans and Vulnerability Scanning checkboxes. Both of these scans are required for normal operation.

    2. To temporarily disable iVA scanning, uncheck Vulnerability Scanning and no new scans will run until you re-enable it.

    3. Additionally, to disable host identification scans, uncheck Host Identification Scans.

      Notes:

      • This causes dashboard reporting errors after 24 hours.
      • iVA scans do not run if the Host Identification Scans checkbox is unchecked.

    Brute-force scanning

    The Risk Scanner performs brute-force scanning checks for default, known, or common usernames and passwords for various services and devices.

    Note: Arctic Wolf recommends only using these settings for troubleshooting or emergency situations.

    Credentialed Scanning

    This table lists all of the scans which have credentialed scanning enabled.

    Use the Show <x> entries list to choose how many rows appear on this page. Use the Search bar to search for a specific schedule.

    These columns appear in the Credentialed Scanning table:

    Column Description
    Name The name of the credential that you configured.
    Type The type of credential:
    • Username/Password — You will provide the username and password of the target host(s).
    • Username/SSH Key — You will provide the username and SSH key of the target host(s).
    Hosts The hosts which apply to this credentialed scan.
    Description The description that you configure, such as SSH key pair to host A.
    Modify Use this column to modify your credentialed scan:
    • Select pencil to edit the credentialed scan.
    • Select garbage can to delete the credentialed scan.

    Adding new scan credentials

    To add new scan credentials:

    1. Click Add new scan credentials to open the dialog box.

    2. Fill in the fields:

      1. Under Type, select one of these options as the type of credential:

        • Username/Password — You will provide the username and password of the target host(s).

        • Username/SSH Key — You will provide the username and SSH key of the target host(s).

      2. Under Name, enter a name for the credential.

      3. Under Description, enter a description for the credential.

      4. Under Username and Password, or Username and SSH Key, enter the appropriate credentials.

      5. Under Hosts, enter the IP addresses of the target host(s) in a comma-separated list.

        Tip: This field also accepts IP ranges using a hyphen, such as 10.0.0.1-3.

    3. Click Configure.

    Tools

    The Tools section of the Risk Dashboard includes links to a variety of Arctic Wolf tools, including:

    FAQ

    These are some frequently asked questions about the Risk Dashboard.

    Q: What browsers support the Managed Risk Dashboard?

    A: Only the latest version of Google Chrome is supported to view the Managed Risk dashboard. While other browsers may work without issue, Arctic Wolf is unable to support any issues arising from using an unsupported browser.

    Q: Why did the state of a risk change to Unsuccessful Validation?

    A: When you set the state of a risk to Fixed, Waiting Validation and a subsequent scan of that host still detects the same issue, the system moves the state of that issue to Validation Unsuccessful. This lets you know that your changes were not successful in mitigating a specific vulnerability.

    Q: What does the "Degraded" scanner status mean?

    A: The Degraded Scanner Status means that a scan was not completed within a specific number of days. This usually occurs if the scanner is not upgraded to the latest version, or if a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is continually blocking traffic to or from the device.

    Other Scanner Status values are Not Configured and Scanning. See Scanner Configuration for more information about these values.

    Q: What should I do if a scanner has the "Degraded" status?

    A: When a scan runs, the scanner status automatically updates. If:

    If your scanner is still marked as Degraded or if you have any questions, contact your CST.

    Q: Why does the scan take longer than the designated time window in the scanning schedule?

    A: The time specified in the Scanning Schedule table for a scan is relative to the length of time that a scan actually takes. Also, the scanning window defines the start time for the scan. Some scans take up to two hours longer than their scheduled scanning window.

    Q: Which subnet ranges should I configure for scanning?

    A: We recommend scanning subnet ranges /24 and smaller, excluding /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue. See Managed Risk Scanner FAQ for more information about subnet scan ranges.

    Q: I have an idea for a product or feature enhancement. Where do I submit it?

    A: The Arctic Wolf product team is always on the hunt for new ideas, and ways to create an amazing experience for our customers. If you have an idea or product enhancement that you would like to share, submit it through the Feature Request Portal. Access this portal in the navigation pane under Tools > Resources.

    See also

    Managed Risk Scanner FAQ