Risk Dashboard
Updated Sep 25, 2023
The Risk Dashboard is an interactive dashboard that lets you identify, monitor, and acknowledge risks within your network. It includes the following pages:
Page | Description |
---|---|
Overview | Provides an overview of your network including risk score and asset health. See Overview page for more information. |
Management Plan | Displays all risks that a Managed Risk source identified in your network. See Management Plan page for more information. |
Risks | Displays all of the risks in your network and any of their associated plans. See Risks page for more information. |
Assets | Provides information about the assets in your network. See Assets page for more information. |
Agent | Displays risks, asset, and Center for Internet Security (CIS) benchmark data discovered during Agent scans. See Agent page for more information. |
EVA | Displays risk data discovered during External Vulnerability Assessment (EVA) scans. See EVA page for more information. |
Config > Scanner Config | Allows you to configure your Internal Vulnerability Assessment (IVA) and Credentialed Scanning schedules. See Scanner Config page for more information. |
Scanner Console | Displays connection status and scanning status information for sensor IDs. See Scanner Console page for more information. |
The Risk Dashboard also includes a variety of tools, for example documentation and a downloads area where you can download virtual machine images. See Tools for more information.
Requirements
- Google Chrome (latest version)
Access the Risk Dashboard
- Go to https://risk.arcticwolf.com.
- Sign in using your access credentials.
Routine Risk Dashboard tasks
The following table describes Risk Dashboard tasks that you should complete on a semi-regular basis:
Task | Recommended frequency |
---|---|
Review active risks. | Weekly or monthly* |
Review inactive risks. | Weekly or monthly* |
Review risks that failed validation. | Weekly or monthly* |
Review mitigated risks. | Monthly or quarterly |
Review assets. | Monthly or quarterly |
Verify scanner health. | Monthly or quarterly |
Edit an asset category. | Monthly or quarterly |
Edit asset criticality. | Monthly or quarterly |
Edit asset tags. | Monthly or quarterly |
Evaluate the risk score. | Monthly or quarterly |
*Varies depending on the frequency of scans and how large or diverse the environment is. New and mitigated risks might be found frequently because Internal Vulnerability Assessment (IVA) scans can be configured to run continuously, and Agent scans are scheduled daily.
Overview page
The Overview page of the Risk Dashboard provides an overview of your network including risk score and asset health. The page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Current Risk Score — Provides your current risk score. This score automatically updates. The score duplicates the risk metric information, but it includes a visual chart.
- Industry Risk Score — Displays your risk score compared to other Arctic Wolf customers in the same industry. This score is updated daily. The score duplicates the risk metric information, but it includes a visual chart.
- Unresolved Risks — Displays the current number of active medium to critical severity vulnerabilities in your network. This number automatically updates. The score duplicates the risk metric information, but it includes a visual chart.
- Risk Score Trends — Displays how your individual and industry risk scores have changed over time, up to one year. See Download Risk Score Trends for more information.
- Asset Class Health — Displays the health of all your assets divided by category, based on risk score and number of vulnerabilities. Assets that are closer to zero are healthier. See Download Asset Class Health for more information.
- Asset Health — Displays a heatmap of the assets in your network, based on risk score, where low is a better score. See Download Asset Health for more information.
View risk metrics
Risk metrics are located at the top of all Risk Dashboard pages except for the Scanner Console page. The following metrics are provided:
- Current Risk Score — Provides your current risk score. The score automatically updates. Click Information to open the Risk Score page, which displays information about how the risk score was calculated. See Evaluate the Current Risk Score for more information.
- Industry Risk Score — Displays your risk score compared to other Arctic Wolf customers in the same industry. This risk score is updated daily.
- Unresolved Risks — Displays the current number of active medium to critical severity vulnerabilities in your network. This number automatically updates.
- New Risks — Displays the number of risks in your network that were discovered within the last 30 days. New risks are those that you have not yet acknowledged, and include vulnerabilities discovered during scans. If a risk is no longer found in your network, for example because a device was removed from the network, but that risk is found again at a later time, it is considered new at that point.
- Mitigated Risks — Displays the number of risks in your network that were resolved within the last 90 days.
- Accepted Risks — Displays the number of risks that you have acknowledged and are no longer included in your Current Risk Score.
Tips:
- Click a metric value to view the vulnerabilities that make up that metric on the Risks page.
- Each metric has a tooltip that provides information about the metric.
Current Risk score
Arctic Wolf calculates your current risk score based on the Common Vulnerability Scoring System (CVSS), using CVSS version 2 (CVSSv2) and CVSS version 3 (CVSSv3); the score is the weighted average of all vulnerabilities found on your network. The CVSS provides an open framework for communicating the severity of information security vulnerabilities. Specifically, the CVSS score provides an objective metric that Arctic Wolf uses to prioritize vulnerabilities so that the highest risk vulnerabilities are remediated first.
Tip: NIST provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known information security vulnerability, including a CVSS score. For additional information, see the NIST CVSSv2 calculator and the NIST CVSSv3 calculator.
Your risk score automatically updates when a change occurs. For example, when a new risk is found in your network, or if you change the Status of an existing risk.
Note: When an internal network scan no longer detects a vulnerability, the scan promptly clears the device of that vulnerability when one of the following occurs:
- The risk state is Fixed, Waiting Validation.
- No manual changes are made to the state within 45 days.
Target score
The Overview page displays trends of your risk score over time in comparison to others in the industry.
Risk is something that can never be completely eliminated, only reduced. To ensure resources are used effectively, you should mitigate the highest risk vulnerabilities first, followed by medium, and then the highest internal vulnerabilities. Mitigate the lower risk vulnerabilities last.
Industry studies show a high correlation between the time to exploit and incidents of exploitation with high severity CVEs. Therefore, an effective mitigation and prioritization strategy addresses all high severity CVEs with the highest possible urgency.
Network health
Your network health is based on risk score and number of vulnerabilities. A low risk network is a healthier network.
Vulnerabilities
A vulnerability is an issue within the software, operating system, or service that is exploitable. Managed Risk scanners can identify, quantify, and prioritize or rank the vulnerabilities in a system. Vulnerabilities are classified as issues.
A zero-day vulnerability is a vulnerability that bad actors or third parties exploit before the vendor determines a solution to the problem.
View Risk Score Trends
- In the Risk Dashboard navigation pane, click Overview.
- (Optional) In the Risk Score Trends section, change the risk timeline:
  - Click Monthly to view the data on a monthly timeline.
  - Click Daily to view the data on a daily timeline.
- (Optional) Change the chart format:
  - Click Bar to view the data as a bar chart.
  - Click Line to view the data as a line chart.
  Tip: Click Restore to restore the chart to the default settings.
- (Optional) Hover over the chart to see the numerical value of your risk score, industry risk score, and target.
Evaluate the Current Risk Score
The Current Risk Score is an overall risk score that represents the entire environment of risk in your network. It includes external, internal, host, and cloud risks. On a monthly or quarterly basis, evaluate your risk score, and recognize the risk types that impact your risk score the most. Risks with a high vulnerability score affect your Current Risk Score more than risks with a low vulnerability score. This means that addressing risks that have a low vulnerability score may not appear to affect the risk score.
- In the Risk Dashboard navigation pane, click to open any page except Scanner Console.
- For the Current Risk Score, located in the upper-left, click Information. The Risk Score screen appears.
- Review each risk score Category to see the overall score of that particular type of risk, and take note of the Category names. The highest scoring Category should match the overall published risk. Review Severities with a High rating because they have the highest impact on the risk score.
- In the navigation pane, click Risks.
- In the Filters section, enter a Category name in the Search field to review the risks for that category.
  Tip: The search is a full-text search, so it might find risks from a different Category that have the search words in the description. You can export the list as a CSV file to view the Category of each.
See Quantifying Cyber Risk: Calculating the Arctic Wolf Managed Risk Score for more information about the risk score algorithm.
Download Risk Score Trends
- In the Risk Dashboard navigation pane, click Overview.
- In the Risk Score Trends section, click CSV. A CSV file downloads to your device.
Download Asset Class Health
- In the Risk Dashboard navigation pane, click Overview.
- In the Asset Class Health section, click CSV. A CSV file downloads to your device.
Download Asset Health
- In the Risk Dashboard navigation pane, click Overview.
- In the Asset Health section, click CSV. A CSV file downloads to your device.
Download an Executive Summary
The Executive Summary PDF report includes all of your scan summary data and details about any risks with a score of 9 or higher.
- In the Risk Dashboard navigation pane, click any page except Scanner Console.
- Click Executive Summary. The Executive Summary dialog appears.
- (Optional) Enter a name in the Prepared For field.
- Select the checkboxes of the items that you want to include in the Executive Summary report:
  Note: If you refresh the page, or navigate elsewhere, your selections reset.
  - Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
  - Risk Severity Summary — A summary of your risks categorized by severity.
  - 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
  - Identified Risks — A list of the active risks in your network.
  - Risk Score Trends — Your risk score history as it appears on the Overview page.
  - Risk Classification Summary — A summary of your risks categorized by their remediation actions.
  - Network Risk Overview — A heat map of your asset health.
  - Accepted Risks — A list of the risks that you have acknowledged.
- Click Download PDF. The PDF file downloads to your device.
Download a Risk Assessment
The Risk Assessment PDF report includes all of the summary data plus details on all risks with a score of 5 or higher.
- In the Risk Dashboard navigation pane, click any page except Scanner Console.
- Click Risk Assessment. The Risk Assessment dialog appears.
- Enter the following:
  - (Optional) In the Prepared For field, enter a name for the report.
  - In the Min Score dropdown, select the minimum risk score for the report. All matching risks with a score greater than or equal to that value are included in the report.
- Select the checkboxes of the items that you want to include in the Risk Assessment report:
  Note: If you refresh the page, or navigate elsewhere, your selections reset.
  - Network Risk Summary — An overview of your current risk score, industry score, and unresolved risks.
  - Risk Severity Summary — A summary of your risks categorized by severity.
  - 30 Days Summary — A summary of the risks that were identified, new, and ticketed in the last 30 days.
  - Identified Risks — A list of the active risks in your network.
  - Risk Score Trends — Your risk score history as it appears on the Overview page.
  - Risk Classification Summary — A summary of your risks categorized by their remediation actions.
  - Network Risk Overview — A heatmap of your asset health.
  - Accepted Risks — A list of the risks that you have acknowledged.
- Click Download PDF. The PDF file downloads to your device. This report is only available in PDF format.
Management Plan page
The Management Plan page shows all of the risks in your network and any of their associated plans. On this page, you can create plans, and see risks that are not currently assigned to plans. The page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Plan — Allows you to view, create, and close plans. See Plan section, View a plan, View unassigned risks, Create a plan, Move a risk between plans, and Close a plan for more information.
- Filters — Allows you to filter the risks that appear in the Unassigned Risks table. See Filters section for more information.
- Unassigned Risks — Displays risks that are not currently assigned to a plan. See Risks and Unassigned Risks sections, Download the Unassigned Risks table data, and Download Remediation report for more information.
Plan section
The Plan section is located on the Management Plan page. It allows you to view, create, and close plans.
A plan is a collection of risks that match certain criteria as defined in system rules. Information is displayed in a format similar to a Gantt chart. A timeline shows the estimated completion date for each plan, and color is used to indicate the following:
- Blue — Represents the estimated time to completion, based on the plan due date. This is the cumulative time to completion of all risks associated with the plan.
- Red — Represents when a critical risk is estimated to complete.
- Orange — Represents when a medium risk is estimated to complete.
- Green — Represents when a low risk is estimated to complete.
You can use plans to keep track of risks and to mitigate them.
Note: Risk severity colors are shown when viewing the risks associated with the Management Plan that the risks are mapped to.
See View a plan, Create a plan, and Close a plan for more information.
View a plan
- In the Risk Dashboard navigation pane, click Management Plan.
- In the Plan section, choose the Week, Month, or Quarter option to specify the timeline scale.
- (Optional) Use the following plan filters to refine the items that appear in the Plan chart:
Filter | Description |
---|---|
Users | Select a user to see the plans that are associated with that user. |
Risk Score | Use these filters to view the plans that include risks with risk scores within the value range that you specify. |
Risk State | Select a state to view the plans that include risks in that state. See Risk states for more information. |
Created Before | Select a calendar date to view all of the plans that were created before that date. |
Click Clear All at any time to remove all filters.
- (Optional) In the Plan section, click + beside the name of the plan that you want to view. The row expands to display the risks contained in the plan and the associated timeline for each.
Change the timeline scale for plans
The Plan timeline displays the estimated completion date for each plan. You can adjust the timeline scale to be weekly, monthly, or quarterly. Custom timeline scales are not supported.
- In the Risk Dashboard navigation pane, click Management Plan.
- In the Plan section, choose the Week, Month, or Quarter option.
View unassigned risks
Unassigned risks are risks that are not currently assigned to a plan.
- In the Risk Dashboard navigation pane, click Management Plan.
- Scroll down to the Unassigned Risks table. See Risks and Unassigned Risks sections for more information about the table columns.
Create a plan
- In the Risk Dashboard navigation pane, click Management Plan.
- Click Create Plan. The Create Plan dialog appears.
- Enter a title and description for the plan.
- (Optional) To create a plan that only includes risks of a given severity, select a Severity value from the dropdown list.
  Tip: Risk severity is based on risk score.
- Click Create Plan.
- Add risks to your new plan. See Assign a single risk to a plan and Assign multiple risks to a plan for more information.
Assign a single risk to a plan
- In the Risk Dashboard navigation pane, click Risks.
- (Optional) Use Filters to narrow the list of risks that appear on the page. See Filters section for more information.
- In the Risks table, click the required risk.
- In the information panel, scroll down to Plan, and then select the required plan title from the list. Your changes are automatically saved.
Assign multiple risks to a plan
- In the Risk Dashboard navigation pane, click Risks.
- (Optional) Use Filters to narrow the list of risks that appear on the page. See Filters section for more information.
- In the Risks table, select the checkbox next to each risk you want to update.
- Click Update Selected. The Bulk Update dialog appears.
- Select the required plan title from the Plan list.
Move a risk between plans
To change the plan that a risk belongs to:
- See Assign a single risk to a plan and Assign multiple risks to a plan for more information.
Close a plan
Note: We recommend mitigating all risks in a plan before closing it. If any risks are not mitigated, the plan reopens when those risks are rediscovered during the next scan.
- In the Risk Dashboard navigation pane, click Management Plan.
- Click Close Plan. The Close Plan dialog appears.
- Select the plan that you want to close from the list.
- Click Close Plan.
Download the Unassigned Risks table data
- In the Risk Dashboard navigation pane, click Management Plan.
- (Optional) Use Filters to narrow the list of risks that appear on the page. See Filters section for more information.
- In the Unassigned Risks section, click Download CSV. A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.
Note: Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
Risks page
The Risks page lists all risks that a Managed Risk source identified in the network, sorted by risk score. The page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Filters — Allows you to filter the risks that appear in the Risks table. See Filters section and Default Risk filters for more information.
- Risks — Allows you to view the risks that were identified in your network. See Risks and Unassigned Risks sections, Routine Risk Dashboard tasks, Rescan assets with risks, Rescan IVA assets, View risks based on an assigned due date, Assign a user and a due date to a risk, Unassign a user and a due date from a risk, Change the state of inactive risks, Edit risks, Download a remediation report, and Download Risks table data for more information.
Risks and Unassigned Risks sections
The Risks section is located on the Risks page. It includes a table with details about each risk that was identified in the network. The Unassigned Risks section is located on the Management Plan page. It includes a table with risks that are not currently assigned to a plan. Both tables have the same columns.
You can change how the information displays in the tables:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To add or remove table columns, click Columns, and then select the checkboxes of the columns you want to show.
- To sort data by a specific column, click the column heading.
- To configure the risks that appear in the table, change the filters. See Filters section for more information.
Both tables have the following information:
Column | Description |
---|---|
Source | The source that discovered the risk, such as a scan or Arctic Wolf Agent. |
Host | The host where the risk was discovered. |
Issue | The risk title or issue name. |
Risk Score | The risk rating. The higher the risk score, the more severe the risk. |
Asset Criticality | The criticality value of the asset where the risk was discovered. See Edit Asset Criticality for more information. |
Action | The action that is required to mitigate the risk. |
State | The state of the risk. See Risk states for the possible values. |
Status | The status of the risk. See Risk statuses for the possible values. |
Resolution Date | The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted. |
Age | The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not. |
Days to Resolution | The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted. |
Asset Tags | The tags that apply to the asset where the vulnerability was discovered. |
Filters section
A Filters section for risks is located on the Management Plan and Risks pages. You can use the following filters to refine the items that appear in the Unassigned Risks, or Risks tables:
Filter | Description |
---|---|
Risk Score | Use these options to narrow the risk table based on severity. |
Users | Select a username to see the risks that are assigned to that user. You can select multiple usernames. |
Resolved Date Range | Enter a date range to view the risks that were resolved within that time period. Tip: Also apply the State and Status filters to isolate resolved risks. |
State | Select a state to view the risks that are currently in that state. You can select multiple states. See Risk states for more information. |
Status | Select a status to view the risks that currently have that status. You can select more than one status. Tip: To view mitigated risks, set the Status filter to Mitigated. To view obsolete risks, set the Status filter to Obsolete. You can also click a metric value to apply the filters that make up that metric. See Risk statuses for more information. |
Search | Enter a search term to automatically filter entries in the Risks table. Filter results are based on search term matches in any column. |
Source | Select or deselect these options to show or hide the risks that the corresponding scan types identified. |
Asset Tags | Select one or more of these options to show the discovered assets with the selected tags. See Edit asset tags for more information. |
Asset Criticality | Select a criticality value to show risks that were discovered on assets with the selected criticality. See Edit Asset Criticality for more information. |
Discovery Date Range | Enter a date range to view the risks that were discovered within that time period. |
Click Clear Filters at any time to remove all filters.
Default Risk filters
By default, the Risks page loads with the following filters applied:
Tip: Click a different page in the Risk Dashboard, and then return to the Risk page, to reset the Risk filters to the default values.
Filter | Default value(s) |
---|---|
Risk Score | 4 to 10 |
State | |
Status | |
See Filters section for more information.
Risk states
All detected risks within your network have a State value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. You can manually change the State of a risk. Changing this value does not impact whether the Risk Scanner detects, or is capable of detecting, any risk on the host machine. If you do not make changes, the default state of a risk is Open.
Notes:
- Accepted and False Positive risks do not contribute toward the Risk Score calculation.
- Unsuccessful Validation is a system-assigned state for any risk that was previously marked as Fixed, Waiting Validation but was detected in a subsequent vulnerability scan.
The risk State values that you can select are:
State | Select this option when |
---|---|
Open | You are not currently taking any actions for this risk. |
False Positive | You mitigated a risk in a way that the Risk Scanner does not account for. |
Acknowledged, In-Planning | You plan to address the risk through direct resolution, or taking recommended or other mitigation steps. |
Mitigation/Fix in Progress | You addressed the risk through mitigation actions. |
Fixed, Waiting Validation | You believe the risk is mitigated. Note: The next scan validates whether the vulnerability still exists. |
Accepted | You choose to accept the risk. See Accept a vulnerability for more information. |
Mitigated | You successfully mitigated the risk. Note: This is only available if the status of the risk is Inactive. |
Risk statuses
All detected risks within your network have a Status value associated with them. This information appears in several Risk Dashboard tables, such as the Risks table. This value is automatically assigned.
Status | Description |
---|---|
Active | A risk that a recent IVA scan identified on a device that is currently online. |
Inactive | A risk that a recent IVA scan identified on a device that is not currently online. Note: If a device that is subject to IVA scanning goes offline, we cannot confirm whether the risk is mitigated or not, and the risk is marked Inactive. This is usually due to a network connectivity issue. |
Obsolete | A risk that has not appeared in vulnerability scanning results for a set number of days. Risks that are marked as Obsolete are removed from the Risks table after seven days. |
Mitigated | A risk that was mitigated. Mitigated risks are automatically removed 90 days after entering the mitigated state. Note: Risks can have a Status of Mitigated but retain a State of Fixed, Waiting Validation. |
Risk information pane
When you select a risk in the Risks table, an information pane opens for that risk. You can make changes to some fields in the information pane. Changes are reflected immediately.
Note: If a field is irrelevant to the source that discovered the risk, or if the field has no value, it is set to N/A.
The risk information pane has the following fields:
Field | Description |
---|---|
Resolution Date | The date when the risk was resolved. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted. |
Age | The number of days since the risk was first discovered. A risk in the Risks table continues to age regardless of whether the risk is resolved or not. |
Days to Resolution | The number of days between the discovery and resolution of the risk. This field is set to N/A if the state of the risk is not Mitigated, False Positive, or Accepted. |
Action | The action that is required to mitigate the risk. |
Risk Score | The risk rating. The higher the risk score, the more severe the risk. |
Issue Description | A description of the risk. |
Additional Details | Click Details to view additional information that the scanner has identified about the risk. |
Remediation | The recommended actions to mitigate this risk. |
First Detected | The date and time when this risk was first seen. |
Most Recent Detected | The date and time when this risk was last seen. |
Status | The status of the risk. See Risk statuses for more information. |
State | The state of the risk. Select an option to change the state of a risk. See Risk states for more information. |
Assigned To | The email of the user who is assigned to manage the risk. Select an option to change the assignment. |
Due Date | The date by which this risk should enter the Fixed, Waiting Validation state. Select the date when remediation actions should be completed by. |
Plan | The plan that this risk is assigned to. Select an option to change the assignment. |
Host | The hostname of the risk that the Agent or scanner identified. |
Source | The source that discovered the risk: Agent, EVA, or IVA. |
Issue Category | The category of the issue. |
CVEs | Any known CVEs that this risk is part of. |
References | A link to documentation that outlines the steps recommended in Remediation. |
Last Updated By | The user who last updated the fields in this information panel for this risk. |
Comments | Any current comments about this risk that other users have left. Click Comments to open the Comments dialog, where you can leave your own comments. |
Asset ID | The ID of the asset that has the vulnerability. |
Issue ID | The unique identifier of the risk. |
Scanner ID | The ID of the scanner that performed the IVA scan, if applicable. |
Deployment ID | The ID of the deployment during which this risk was identified, if applicable. |
Host Annotations | Any host alias or annotations that were discovered during EVA scanning, if applicable. |
Status Reason | An explanation of the risk status that results from IVA scanning, if applicable. |
Issue Impact | The potential impact to the organization if a bad actor exploits this vulnerability. Possible values include: |
To initiate a new scan, click Rescan. This only works with IVA and Agent risks.
Risk State and Status lifecycles
To effectively review risks and maintain an accurate risk score in your Risk Dashboard, it is important to understand risk states and statuses and their lifecycle.
Generally, the risk State is manually set by the Risk Dashboard administrator, and the risk Status is automatically set by the system based on certain conditions. The one exception is the risk State of Unsuccessful Validation, which is automatically set by the system if the State was previously Fixed, Waiting Validation, but the risk was detected again during the next scan.
The lifecycle of the risk State and Status is different depending on the Source that discovered the risk:
- Agent (Arctic Wolf Agent)
- EVA (External Vulnerability Assessment)
- IVA (Internal Vulnerability Assessment)
For all three Sources, changing the State to Accepted or False Positive removes the risk from the list of actionable risks and from the risk calculation.
See Risk States and Risk Statuses for additional information.
Risks discovered using Arctic Wolf Agent
When a risk is discovered using Arctic Wolf Agent, the risk Source is Agent. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan:
- If the risk is not found, the Status automatically changes to Mitigated. The State remains as Open, even though the risk is mitigated, because this value is manually set.
- If the risk is found, the Status automatically changes to Active. The State remains as Open.
- If the next scan does not occur for 45 days, the Status automatically changes to Obsolete and the risk is removed from the list of actionable risks and from the risk calculation.
  Note: After seven days, Obsolete risks are deleted.
Risks discovered using EVA scanning
When a risk is discovered using EVA (External Vulnerability Assessment) scanning, the risk Source is EVA. Each newly discovered risk has a State of Open and a Status of Active. During the next monthly scan, if the risk is no longer found, the Status automatically changes to Mitigated. The State remains as Open, even though the risk is mitigated, because this value is manually set.
Risks discovered using IVA scanning
When a risk is discovered using IVA scanning, the risk Source is IVA. Each newly discovered risk has a Status of either:
- Active — The risk was detected in the previous scan and is online.
- Inactive — The risk was not detected during the previous scan, or the risk exists on an asset that is considered to be offline because it has not been detected for 24 hours. The risk remains as Inactive for 90 days unless the risk is detected again, or the device comes back online. After 90 days, if the risk is not detected, the Status automatically changes to Mitigated. If it has been 90 days since the asset was last seen online, the risk Status automatically changes to Obsolete. In both cases, the risk is removed from the default actionable risk view and from the risk score calculation.
Notes:
- Inactive is a Status used only for IVA risks.
- After seven days, Obsolete risks are deleted.
The following diagram illustrates the lifecycle of mitigated risks that were discovered by an IVA:
The following diagram illustrates the lifecycle of offline assets that were discovered by an IVA:
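The State and Status rules described above for all three Sources, written out as a small Python model so the transitions can be stepped through and checked. This is an added illustration, not Arctic Wolf code: the value names and the thresholds (24 hours, 45 days, 90 days, 7 days) come from this page, while the function names, the fields that track the last scan and last-seen times, treating a redetected Obsolete risk the same way the page describes a redetected Mitigated one, and checking the asset-offline rule before the risk-unseen rule when both 90-day windows have elapsed are this example's assumptions.

```python
"""Model of the Risk Dashboard State/Status lifecycle (added example, not Arctic Wolf code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# State values are set by the user, except Unsuccessful Validation; Status values by the system.
OPEN, FIXED_WAITING, UNSUCCESSFUL = "Open", "Fixed, Waiting Validation", "Unsuccessful Validation"
ACCEPTED, FALSE_POSITIVE = "Accepted", "False Positive"
ACTIVE, INACTIVE, MITIGATED, OBSOLETE = "Active", "Inactive", "Mitigated", "Obsolete"

AGENT_OBSOLETE_AFTER = timedelta(days=45)   # Agent: no scan for 45 days -> Obsolete
IVA_OFFLINE_AFTER = timedelta(hours=24)     # IVA: asset unseen for 24 hours -> Inactive
IVA_RESOLVE_AFTER = timedelta(days=90)      # IVA: 90 days Inactive -> Mitigated or Obsolete
OBSOLETE_RETENTION = timedelta(days=7)      # Obsolete risks are deleted after 7 days


@dataclass
class Risk:
    source: str                  # "Agent", "EVA" or "IVA"
    last_scan: datetime          # when the asset was last scanned (assumed tracking field)
    last_detected: datetime      # when this risk was last found
    asset_last_online: datetime  # when the asset itself was last seen
    state: str = OPEN
    status: str = ACTIVE
    obsolete_since: Optional[datetime] = None
    deleted: bool = False

    def counts_toward_score(self) -> bool:
        """Actionable risks are Active or Inactive and not Accepted or False Positive."""
        return (not self.deleted and self.state not in (ACCEPTED, FALSE_POSITIVE)
                and self.status in (ACTIVE, INACTIVE))


def apply_scan(risk: Risk, when: datetime, detected: bool, asset_online: bool = True) -> Risk:
    """Record one scan of the risk's asset; asset_online only matters for IVA."""
    if risk.deleted:
        return risk
    risk.last_scan = when
    if detected:
        risk.last_detected = risk.asset_last_online = when
        if risk.status in (MITIGATED, OBSOLETE):
            risk.state = OPEN           # rediscovered: reappears as Open / Active
        elif risk.state == FIXED_WAITING:
            risk.state = UNSUCCESSFUL   # the one State the system sets itself
        risk.status, risk.obsolete_since = ACTIVE, None
        return risk
    if asset_online:
        risk.asset_last_online = when
    # IVA goes Inactive; Agent and EVA go straight to Mitigated with the State untouched.
    risk.status = INACTIVE if risk.source == "IVA" else MITIGATED
    return risk


def age(risk: Risk, now: datetime) -> Risk:
    """Apply the time-based transitions that happen without a new scan."""
    if risk.deleted:
        return risk
    if risk.status == OBSOLETE:
        risk.deleted = now - risk.obsolete_since >= OBSOLETE_RETENTION
    elif risk.source == "Agent" and now - risk.last_scan >= AGENT_OBSOLETE_AFTER:
        risk.status, risk.obsolete_since = OBSOLETE, now
    elif risk.source == "IVA" and risk.status in (ACTIVE, INACTIVE):
        if now - risk.asset_last_online >= IVA_RESOLVE_AFTER:
            risk.status, risk.obsolete_since = OBSOLETE, now   # asset offline for 90 days
        elif now - risk.last_detected >= IVA_RESOLVE_AFTER:
            risk.status = MITIGATED                            # risk unseen for 90 days
        elif now - risk.asset_last_online >= IVA_OFFLINE_AFTER:
            risk.status = INACTIVE                             # asset considered offline
    return risk


def run_scenario() -> dict:
    """Walk an IVA, an Agent and an EVA risk through the rules on a constructed timeline."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    seen = {}
    iva = Risk("IVA", t0, t0, t0)
    age(iva, day(2))                                      # asset unseen for more than 24h
    seen["iva_offline_1_day"] = iva.status
    iva.state = FIXED_WAITING                             # user marks it fixed
    apply_scan(iva, day(3), detected=True)                # still there: validation fails
    seen["iva_redetected"] = (iva.state, iva.status)
    apply_scan(iva, day(4), detected=False)               # asset online, risk gone
    apply_scan(iva, day(60), detected=False)
    age(iva, day(95))                                     # 92 days since last detected
    seen["iva_after_90_days"] = (iva.status, iva.counts_toward_score())
    apply_scan(iva, day(100), detected=True)              # rediscovered
    seen["iva_rediscovered"] = (iva.state, iva.status)
    agent = Risk("Agent", t0, t0, t0)
    apply_scan(agent, day(30), detected=False)
    seen["agent_not_found"] = (agent.state, agent.status)
    age(agent, day(75))                                   # no scan for 45 days
    seen["agent_no_scan_45_days"] = agent.status
    age(agent, day(83))                                   # Obsolete for 8 days
    seen["agent_obsolete_deleted"] = agent.deleted
    eva = Risk("EVA", t0, t0, t0)
    eva.state = ACCEPTED
    seen["eva_accepted_counts"] = eva.counts_toward_score()
    return seen
```

run_scenario() shows the two points that most often confuse reviewers: an Agent or EVA risk that disappears keeps its user-set State of Open while its Status becomes Mitigated, and an IVA risk that is marked Fixed, Waiting Validation and then found again flips to Unsuccessful Validation automatically.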
Rescan assets with risks
From the Risks page, you can select one or more risks to rescan the assets that those risks belong to. The assets are rescanned for all risks.
Note: You cannot rescan assets that were discovered through an EVA scan.
- In the Risk Dashboard navigation pane, click Risks.
- In the Risks table, select each risk to rescan.
- Click Rescan to add the risk to the scan queue.
- Click Rescan to confirm.
Rescan IVA assets
You can rescan IVA assets to view internal network risks. This procedure is commonly used to verify that a risk is mitigated.
- In the Risk Dashboard navigation pane, click Risks.
- Go to https://risk.arcticwolf.com/risks?assetID=<asset_ID>, where <asset_ID> is the asset ID.
  Tip: You can obtain the asset ID from the Risk information pane.
- In the Filters section, clear the EVA and Agent checkboxes.
- In the Risks table, select the checkbox of each risk with a State of Mitigated that you want to rescan.
- Click Update Selected.
  The Bulk Update dialog appears.
- In the State list, select Fixed, Waiting Validation.
  This setting allows you to see the State change to Unsuccessful Validation if the risk is still detected, or the Status change to Mitigated if the risk was successfully fixed.
- Click Update.
- Clear the checkbox of each risk that you do not want to rescan.
- Click Rescan.
  The Rescan Risks dialog appears.
- Click Rescan.
Review active risks
On a weekly or monthly basis, review active risks.
- In the Risk Dashboard navigation pane, click Risks.
- In the Filters section, click Clear Filters, and then do the following:
  - State — Add the following filters:
    - Open
    - Acknowledged, In-Planning
    - Mitigation/Fix in Progress
    - Fixed, Waiting Validation
    - Unsuccessful Validation
  - Status — Add the Active filter.
  - Discovery Date Range — Enter a date range as appropriate to view the newly discovered active risks.
  The Risks section displays active risks that occur within the specified date range.
See Risk Statuses for more information.
Review inactive risks
On a weekly or monthly basis, review and update inactive risks. Inactive risks are included in default views and reports, and they count toward your risk score. Reviewing inactive risks helps to maintain an accurate risk score.
See Risk Statuses for more information.
- In the Risk Dashboard navigation pane, click Risks.
- In the Filters section, click Clear Filters, and then do the following:
  - State — Add the following filters:
    - Open
    - Acknowledged, In-Planning
    - Mitigation/Fix in Progress
    - Fixed, Waiting Validation
    - Unsuccessful Validation
  - Status — Add the Inactive filter.
- Review the inactive risks, and then do one of the following:
  - Change the State of all Inactive risks.
    See Change the State of Inactive risks for more information.
  - Manually review an individual Inactive risk, and then update it with the appropriate State.
    See Change the State of Inactive risks for more information.
  - Do nothing. 90 days after the risk was last detected, the Status automatically changes to Obsolete if the device is offline or Mitigated if the device is no longer detected. Obsolete and Mitigated risks are removed from the default view (which only includes Active and Inactive risks), and are removed from the risk score calculation.
Review mitigated risks
On a monthly or quarterly basis, review mitigated risks to verify that the risks were resolved as expected.
Note: Mitigated risks are automatically removed after 90 days.
- In the Risk Dashboard navigation pane, click Risks.
- Change the State of Inactive risks that are fixed to Mitigated.
  See Change the State of Inactive risks that are fixed to Mitigated for instructions.
- (Optional) Verify that a Mitigated risk is resolved.
  See Verify that a Mitigated risk is resolved for instructions.
See Risk States for more information.
Change the State of Inactive risks that are fixed to Mitigated
Note: Before you start this procedure, review mitigated risks. See Review mitigated risks.
- In the Risk Dashboard navigation pane, click Risks.
- In the Filters section, click Clear Filters, and then do the following:
  - State — Add the following filters:
    - Open
    - Acknowledged, In-Planning
    - Mitigation/Fix in Progress
    - Fixed, Waiting Validation
    - Unsuccessful Validation
  - Status — Add the Inactive filter.
- In the Risks section, review the risks. These are risks that were not detected in the last scan, or that are related to offline assets. If you expect any of these risks to be fixed, change the State to Mitigated.
  See Review inactive risks for more information.
- In the Filters section, set the following filters:
  - Status — Add Mitigated and Obsolete and remove Inactive.
  - Resolved Date Range — Enter a date range as appropriate to view mitigated risks that occurred after fixes or patches were installed.
- In the Risks section, review the risks you updated earlier. Verify that mitigation occurred as expected.
  Tip: View the Status of the risk to determine if it is resolved. The State is user-assigned, so it retains the value it had prior to being confirmed as mitigated (including Unsuccessful Validation).
- (Optional) Verify that the mitigated risk is resolved.
  See Verify that a Mitigated risk is resolved for more information.
Verify that a Mitigated risk is resolved
After you change the status of an inactive IVA risk to Mitigated, you can rescan the asset to confirm that the risk is resolved.
Tip: You can only rescan IVA and Agent risks. You cannot rescan an EVA risk.
Note: Mitigated risks are automatically removed after 90 days.
- Change the State of Inactive risks that are fixed to Mitigated.
  See Change the State of Inactive risks that are fixed to Mitigated for more information.
- In the Risks section, verify that the Source and State columns are visible. If required, click Columns, and then select the Source and State checkboxes to view these columns.
- In the Source column, click an IVA or Agent risk.
- In the details panel, change the State to Fixed, Waiting Validation.
- Take note of the Scanner ID and Host values.
- Scroll to the bottom of the panel, and then click Rescan.
  The Rescan Options dialog appears.
- Select the Scan Now option.
- Click Save.
  The asset scan begins. A full suite of tests is performed, including risk validation. Depending on the type of asset, this can take between 15 minutes and 1.5 hours.
- In the navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, for Scanner ID, click Details.
  The Scanner Select dialog appears.
- In the Search field, enter the Scanner ID value, and then click the matching ID in the table.
- In the Scanning Queue section, complete one of the following:
  - Click the Status column heading to sort the scan queue by status and view the risks with a Status of Running at the top.
  - In the Search field, enter the Host value.
  Tip: It can take several minutes for the scan to display active scanning data in the queue. If an asset is not scanned, wait several minutes and then refresh your browser.
Review risks that failed validation
On a weekly or monthly basis, review risks that failed validation. This helps you to recognize and prevent future security vulnerabilities.
Risks that had a State of Fixed, Waiting Validation and later failed validation now have a State of Unsuccessful Validation. Take, for example, a device that was offline for a period of time. The risk State was manually updated to Fixed, Waiting Validation because it was Inactive. When that device is online again, the risk is found again, so the State changes to Unsuccessful Validation.
See Risk States for more information.
- In the Risk Dashboard navigation pane, click Risks.
- In the Filters section, click Clear Filters, and then do the following:
  - State — Add the Unsuccessful Validation filter.
  - Status — Add the following filters:
    - Active
    - Inactive
- In the Risks section, review the risks that failed validation. These are risks that previously had a State of Fixed, Waiting Validation but were rescanned and the risk is still being found. If you believe that the risk is resolved, complete the following to find more information about why the risk is still being found:
  - In the Risks section, click a risk you believe is resolved. Scroll to Additional Details, and then click Details. For IVA and EVA risks, this often provides additional details about what was found and why it was flagged as a risk.
  - For Agent risks, complete a vulnerabilities debug scan. This provides details about what exactly was found on the asset to trigger the vulnerability.
    See Interpret Arctic Wolf Agent Vulnerability Debug Scans for more information.
  - Contact your Concierge Security® Team (CST) at security@arcticwolf.com, and request assistance with the investigation.
View risks based on an assigned due date
You can view risks based on the assigned due date. This is useful if you want to see unmitigated risks with past due dates.
Note: This replicates the functionality of the deprecated Past Due filter.
- In the Risk Dashboard, go to https://risk.arcticwolf.com/risks?assignmentDueDateBefore=<unix_timestamp>, where <unix_timestamp> is the assigned due date in a 10-digit Unix timestamp format. For example:
  https://risk.arcticwolf.com/risks?assignmentDueDateBefore=1657655263
  See Unix Time Stamp - Epoch Converter to convert a date to a 10-digit Unix timestamp format.
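Building these filter URLs by hand is where mistakes creep in (local time instead of UTC, milliseconds instead of seconds). The Python helpers below do the conversion described above and build both the assignmentDueDateBefore URL and the assetID URL from the Rescan IVA assets procedure. This is an added example, not Arctic Wolf code: the host and the two query parameter names come from this page; the function names and the choice to treat a bare date or a naive datetime as UTC are this example's assumptions.

```python
"""Build Risk Dashboard filter URLs (added example, not Arctic Wolf code)."""
from datetime import date, datetime, time, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

RISKS_URL = "https://risk.arcticwolf.com/risks"   # base URL from the page


def to_unix_timestamp(moment) -> int:
    """Return the 10-digit Unix timestamp (whole seconds since 1970-01-01 00:00:00 UTC).

    A bare date is taken as midnight UTC and a naive datetime is assumed to be UTC,
    so the result does not depend on the machine's local time zone.
    """
    if isinstance(moment, date) and not isinstance(moment, datetime):
        moment = datetime.combine(moment, time.min)
    if moment.tzinfo is None:
        moment = moment.replace(tzinfo=timezone.utc)
    ts = int(moment.timestamp())
    if not 1_000_000_000 <= ts <= 9_999_999_999:   # guard against ms values or far-off dates
        raise ValueError(f"not a 10-digit Unix timestamp: {ts}")
    return ts


def risks_due_before_url(moment) -> str:
    """URL for risks whose assigned due date is before the given moment."""
    return RISKS_URL + "?" + urlencode({"assignmentDueDateBefore": to_unix_timestamp(moment)})


def risks_for_asset_url(asset_id: str) -> str:
    """URL for the risks on one asset (asset ID is shown in the Risk information pane)."""
    return RISKS_URL + "?" + urlencode({"assetID": asset_id})


def due_date_from_url(url: str) -> datetime:
    """Inverse helper: read the cut-off back out of a shared link, as an aware UTC datetime."""
    query = parse_qs(urlsplit(url).query)
    return datetime.fromtimestamp(int(query["assignmentDueDateBefore"][0]), tz=timezone.utc)


if __name__ == "__main__":
    # Worked example using the timestamp from the page
    link = "https://risk.arcticwolf.com/risks?assignmentDueDateBefore=1657655263"
    print(due_date_from_url(link).isoformat())          # the cut-off that link filters on
    print(risks_due_before_url(datetime.now(timezone.utc)))  # every risk already past due
```

Passing datetime.now(timezone.utc) to risks_due_before_url gives the link for everything that is already past due, which is the case the deprecated Past Due filter covered.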
Interpret Arctic Wolf Agent Vulnerability Debug Scans
Arctic Wolf Agent Vulnerability Debug Scans produce a detailed HTML debug report that describes how a vulnerability was detected on a device. It includes the file or registry settings, and the logic that triggered the risk. Use this procedure to help you interpret the HTML debug report. You can also send your HTML debug reports to your CST for analysis.
- Create an HTML debug report.
  See Performing Arctic Wolf Agent Vulnerability Debug Scans for instructions.
- Open the HTML debug report in a browser.
  Tip: It may take some time to completely load the report. When the pie chart at the top of the page is fully rendered, the loading is complete.
- In the Rule Results Summary section, click the FAIL filter to view only the failed tests.
- Click the applicable vulnerability to see additional details.
- Review the Result Component Logic. Look for logic conditions that are green (true). This indicates that the conditions matched the logic Arctic Wolf uses to determine if a vulnerability exists.
- Click OVAL TEST to view additional details. The file or registry value and the logic that evaluated it are displayed.
- If the vulnerability is for a File State, click show untested values.
  Information displays about the file that triggered the vulnerability detection.
Change the State of Inactive risks
Note: Before you start this procedure, review inactive risks. See Review inactive risks.
- In the Risk Dashboard navigation pane, click Risks.
- In the Risks section, do one of the following:
  - To select a single inactive risk, select the checkbox next to the risk you want to update.
  - To select all inactive risks:
    - Select All from the Show Entries list.
    - Select the checkbox at the top of the table.
      All risks are selected.
- Click Update Selected.
  The Bulk Update dialog appears.
- Select one of the following from the State list:
  - Mitigated — Changes the Status to Mitigated for all selected risks, immediately removes the risks from the default view (which only includes Active and Inactive risks), and removes the risks from the risk score calculation. If any of these risks are discovered again, the risk reappears on the list with a State of Open, Status of Active, and Age reflecting the date that the risk was first discovered.
    Tip: If the majority of the assets in your environment are online most of the time, it is a common approach to change the State to Mitigated. This is a reasonable choice because a State of Inactive typically indicates that the risk has been mitigated.
  - Fixed, Waiting Validation — Maintains the Status of Inactive for all selected risks, and all risks remain in the risk score calculation. If any of these risks are not detected the next time the asset is scanned, the risk Status changes to Mitigated, and the risk is removed from the default view (which only includes Active and Inactive risks) and risk score calculation.
    Tip: If you have a dynamic environment, a State of Inactive could mean that the asset is offline and the risk can be verified when it is back online. In this situation, a State of Fixed, Waiting Validation may make more sense.
- Click Update.
Edit risks
You can edit one or more risks at the same time. For example, you can assign a due date, or change the risk State of more than one risk at the same time.
Notes:
- You must update the asset in the Asset Catalog to modify the Asset Criticality value. See Edit Asset Criticality for more information.
- Agent marks risks as Obsolete in the Risk Dashboard after 45 days. You cannot make any changes to these risks, such as changing the status or assigning a user.
- In the Risk Dashboard navigation pane, click Risks.
- In the Risks table, select the row for every risk that you want to edit as part of a group. You can review more pages and continue making your selections.
  Tip: The number of risks currently selected is displayed, along with options to update or clear your selections.
- Click Update Selected.
  The Bulk Update dialog appears.
- Edit one or more of the following fields:
  - State
  - Assign To
  - Plan
  - Due Date
- Click Update.
- (Optional) Click Clear All Selected to clear all selected risks.
Accept a vulnerability
You can choose to accept an identified risk rather than fixing or mitigating the vulnerability. Changing the state of a risk to Accepted removes that risk from the Risk Score calculation. The risk remains in the Risks table for as long as it is detected on the network.
We recommend that you mitigate or fix risks to improve your security posture, instead of accepting them. Accepting a risk does not make the risk go away, so bad actors could still take advantage of the vulnerability.
If the risk is a false positive, you should apply the False Positive state to the risk, which then removes the risk from the Risk Score calculation.
Note: The Risk Score is not updated immediately when a risk is marked as Accepted or as False Positive. It takes about an hour for the system to process and display the changes.
- In the Risk Dashboard navigation pane, click Risks.
- In the Risks table, click the risk that you want to update.
  The information pane opens.
  Tip: Use the search field to narrow the results.
- In the information pane, select Accepted from the State dropdown list.
- In the prompt, enter a detailed justification description.
- Click Accept to save your changes.
  Your changes are automatically saved.
Assign a user and a due date to a risk
To track the resolution of a risk, you can assign risks to specific users within your organization and assign a due date.
Tip: This task is optional.
- In the Risk Dashboard navigation pane, do one of the following:
  - To view the Risks table, click Risks.
  - To view the Unassigned Risks table, click Management Plan.
- In the Risks or Unassigned Risks table, click the risk you want to assign a user and due date to.
  The information pane opens.
- (Optional) In the information pane, select an email address from the Assigned To dropdown list.
  Tip: To remove user and due date assignments, select the blank field from the Assigned to menu.
- (Optional) In the information pane, click the Due Date field, and then select a date on the calendar by which the risk should enter the Fixed, Waiting Validation state. This date must be at least one day in the future. The present day is highlighted in blue.
  The Due Date field populates with a date based on the selection, following the format MM/DD/YYYY, such as 02/20/2020.
- Click Update to save your changes.
Unassign a user and a due date from a risk
You cannot unassign a user from a risk, but you can assign the risk to another email from the list in the Assigned To field.
- In the Risk Dashboard navigation pane, do one of the following:
  - Click Risks to view the Risks table.
  - Click Management Plan to view the Unassigned Risks table.
- In the Risks or Unassigned Risks table, click the risk you want to unassign a user and due date from.
  The information pane opens.
- (Optional) In the information pane, select the blank field from the Assigned to menu.
- Click anywhere outside of the information panel to close the panel.
  Your changes are automatically saved.
Download a remediation report
You can download a remediation report that includes:
- A list of all risks that you selected to include in the report.
- The Common Vulnerabilities and Exposures (CVEs) for all risks.
  Tip: Each unique CVE and associated risk appear on a single line of the report. Therefore, if a risk has multiple CVEs, the risk repeats on one line per associated CVE.
- The remediation steps for the CVE associated with the risk.
- The CVE risk score for each CVE, which is its Common Vulnerability Scoring System (CVSS) score.
  Tip: These CVE risk scores are not the same as your overall Risk Score.
- If available, reference links to CVE remediation steps.
To download a remediation report:
- In the Risk Dashboard navigation pane, click Risks.
- (Optional) Use Filters to narrow the list of risks that appear on the page.
  See Filters section for more information.
- In the Risks section, click Remediation Export.
  A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.
Notes:
- Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
- If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.
Download Risks table data
- In the Risk Dashboard navigation pane, click Risks.
- (Optional) Use Filters to narrow the list of risks that appear on the page.
  See Filters section for more information.
- In the Risks section, click Download CSV.
  A CSV file downloads to your device. The CSV file includes all risks that match your filter criteria, even if the risks are not currently displayed in the Risk table.
Notes:
- Download times vary depending on the size of the CSV file, due to the number of CVEs and remediations for each.
- If any risks do not have Remediation Steps, contact your CST and they will help determine remediation steps for these risks.
Assets page
The Assets page includes all information relevant to the assets in your network. The page includes the following sections:
- Risk metrics — Provides risk score information.
  See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Filters — Allows you to filter the assets that appear in the Asset Catalog table.
  See Asset filters section for more information.
- Asset Catalog — Allows you to view, edit, rescan, and delete your assets.
  See Asset Catalog section, View an Asset Profile, Add a note to an Asset Profile, Review assets, Edit assets, Rescan assets, Delete an asset, and Download Asset Catalog data for more information.
Asset Catalog section
The Asset Catalog section is located on the Assets page. It includes a table with all of your assets, sorted by risk score. You can change how the information displays in the table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To add or remove table columns, click Columns, and then select the checkboxes of the columns you want to show.
- To sort data by a specific column, click the column heading.
- To configure the assets that appear in the table, change the filters. See Asset filters section for more information.
The Asset Catalog table has the following columns:
Column | Description |
---|---|
Source | The source that discovered the asset: Agent, EVA, or IVA. |
IP | The IP address of the asset. |
Device Name | The name of the asset as it appears on the device or in the Risk Dashboard. |
MAC | The MAC address of the asset. |
OS | The operating system (OS) of the asset. |
Category | The category of the asset, including Desktop or Server. Note: If there is not enough information to classify an asset, the asset appears in the Unknown category. |
Last Seen | The date and time in UTC that the IP address for this asset was last verified. Note: This value is not the last time that the asset was online. |
Last Successful Scan | The date and time in UTC of the last complete scan of this asset. Note: Currently, this information is only available for IVA and Agent assets. EVA assets display a status of Unsupported until this feature is available. |
Manufacturer | The manufacturer of the asset. Note: This information is only available for the assets that Agent discovers. |
Risk Score | The highest risk score of all active risks for the asset. |
Asset Criticality | The criticality of the asset. See Edit Asset Criticality for more information. |
Vulnerabilities | The number of current vulnerabilities for the asset. |
Asset Tags | The classification tags that apply to the asset. See Edit asset tags for more information. |
Asset filters section
The Filters section for assets is located on the Assets page. Use it to narrow the assets that appear in the Asset Catalog table. These are the available filter options:
Filter | Description |
---|---|
Risk Score | Use these filters to view assets that have vulnerabilities with risk scores in the specified range. |
Search | Enter one or more search terms, separated by commas, and click Create to filter entries in the Asset Catalog table. Results are based on search term matches in any column. You can include up to 100 search terms. Each search term that you enter can be removed by clicking the X next to it. |
Source | Select or deselect these options to show or hide the assets that these scan types identified: Agent, EVA, or IVA. |
Asset Tags | Select one or more of these options to show assets with all selected tags. |
Asset Criticality | Select one or more of these options to show assets with any of the selected criticality values. |
Asset Category | Select a category to view the assets that belong to that category. You can select multiple categories. |
Discovery Date Range | Enter a date range to view the assets that were discovered within that time period. |
Click Clear Filters at any time to remove all filters.
Review assets
On a monthly or quarterly basis, review your assets. As assets are removed or decommissioned from the environment, it is good practice to remove them from the Asset Catalog. It does not cause harm to keep them, but they create clutter and affect your metrics for a period of time.
- In the Risk Dashboard navigation pane, click Assets.
- In the Filters section, click Clear Filters.
- For the Source filter, clear the EVA checkbox.
- Do one of the following:
  - Review your assets in the Asset Catalog section of the Risk Dashboard.
  - Export your asset information, and then review the assets in a spreadsheet:
    - In the Asset Catalog section, click Download CSV.
      The Asset Catalog.csv file downloads to your device.
    - Open the Asset Catalog.csv file, and review the information in Microsoft Excel or another application of your choice.
- Sort the assets by the Last Seen value.
  Tip: External assets have a Last Seen value of Unknown. Review public-facing IP addresses and domains with your CST on a regular basis. Submit a ticket to security@arcticwolf.com to immediately communicate any new systems or changes to them.
- Review the assets, and then complete the appropriate task:
  - The asset was decommissioned and can be removed — Click Delete to delete it. All risks associated with the asset are also deleted.
  - The asset is present and active, but no longer seen by the IVA scanner or Agent — Verify that the IP is still part of the IVA scan schedule or that no firewall rules are preventing the agent from checking in.
    See Arctic Wolf IP Addresses for a list of IP Addresses and Ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.
View an Asset Profile
An Asset Profile provides additional details about an asset.
Note: The Location and Advanced Identification sections are only available when Agent is the Source.
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog section, go to the Source column, and then click any source.
The Asset Profile information is organized into the following sections:
- Details — See Details section and Edit assets for more information.
- Location — See Location section for more information.
- Host Identification — See Host Identification section for more information.
- Advanced Identification — See Advanced Identification section for more information.
- Profile Activity — See Profile Activity section for more information.
- Add Note — See Add Note section, Add a note to an Asset Profile, and Delete a note from an Asset Profile for more information.
- Asset Profile History — See Asset Profile History section for more information.
Details section
The Details section of the Asset Profile includes the following information about the selected asset:
- Source — The scan that discovered the asset.
- Category — The asset category.
- Device Name — The name of the asset.
- OS — The operating system, if known.
- Found By — The scan that discovered the asset.
- Manufacturer — The manufacturer, if known.
- Criticality — The criticality of the asset.
- Tags — The tags applied to the asset.
See View an Asset Profile for more information.
Location section
The Location section of the Asset Profile includes the following information about the selected asset:
Note: This information is only available when Agent is the Source.
- Longitude — The location of the asset, in decimal degrees, east or west of the prime meridian.
- Latitude — The location of the asset, in decimal degrees, north or south of the equator.
- City — The city where the asset was last discovered, if known.
- Country — The country where the asset was last discovered, if known.
See View an Asset Profile for more information.
Host Identification section
The Host Identification section of the Asset Profile includes the following information about the selected asset:
- DNS Hostname — The DNS hostname of the asset.
- NetBIOS Name — The NetBIOS name of the asset.
- IPv4 Address — The IP address of the asset.
- Asset ID — The ID of the asset.
See View an Asset Profile for more information.
Advanced Identification section
The Advanced Identification section of the Asset Profile includes the following information about the selected asset:
Note: This information is only available when Agent is the Source.
- Latest Username — The latest username.
- System Model — The system model.
- System Boot Time — The date and time when the system was last booted.
- External IP Address — The external IP address.
- Last Verified IP — The date and time that the IP address was last verified.
- Client ID — The client identification.
See View an Asset Profile for more information.
Profile Activity section
The Profile Activity section of the Asset Profile includes the following information about the selected asset:
- Profile Created — The date and time when the asset profile was created.
- Profile Last Updated — The date and time when the asset profile was last updated.
- Country — The country where the asset was last discovered, if known.
- City — The city where the asset was last discovered, if known.
See View an Asset Profile for more information.
Add Note section
The Add Note section of the Asset Profile allows you to add a note to the asset. The Previous Notes section allows you to view the existing notes on the asset. It includes the following information:
- Note — The content of the note.
- Who — The email address of the user who added the note.
- When — The date and time that the note was added.
See View an Asset Profile, Add a note to an asset profile, and Delete a note from an asset profile for more information.
Asset Profile History section
The Asset Profile History section of the Asset Profile provides asset profile change history information. When a scan identifies an asset, an asset profile is created or the existing asset profile is updated. The Asset Profile History table shows asset profile changes over time as a result of scans from the selected source. It does not include a history of asset Tags or Asset Criticality. You can change how the information displays in the table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To add or remove table columns, click Columns, and then select checkboxes of the columns you want to show.
- To sort data by a specific column, click the column heading.
The Asset Profile History table has the following columns:
Column | Description |
---|---|
IP | The IP address of the asset. |
Device Name | The name of the asset. |
OS | The operating system of the asset. |
MAC | The MAC address of the asset. |
When | The date and time when the asset profile changed. |
Type | The type of change to the asset profile. For example, OS refers to a change in the operating system. |
Event | The change to the asset profile. For example, an operating system update. |
Raw Log | An Arctic Wolf-specific field that the system generates for each asset profile change as a result of a scan. |
See View an Asset Profile for more information.
Add a note to an Asset Profile
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog section, go to the Source column, and then click any source.
- In the Add Note section, enter a note in the Add notes here field.
- Click Add Note.
Edit assets
It is important to add Category, Asset Criticality, and Asset Tags classification values to assets when they are initially deployed so you have a baseline. After that, on a monthly or quarterly basis, review and update your asset classification values because environments change over time. Classification values help to provide asset context.
Tip: To filter assets, you can enter a comma-separated list of values in the Search field. For example, you can enter a distinct list of IP addresses or device names for bulk editing.
Edit multiple assets
You can use the following methods to edit multiple assets:
Edit multiple assets in the Asset Catalog table
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog table, select the row for every asset that you want to edit as part of a group. You can review more pages and continue making your selections.
  Tip: The number of assets currently selected is displayed, along with options to update or clear your selections.
- Click Update Selected. The Bulk Update dialog appears.
- Edit fields as required.
- Click Update to save your changes.
- (Optional) Click Deselect All to clear all selected assets.
Edit multiple assets in a CSV file
Notes:
- You cannot bulk edit asset criticality with this workflow. See Edit multiple assets in the Asset Catalog table for instructions.
- If you are editing asset tags, verify that the tag exists in the Risk Dashboard. You can ask your CST to create custom tags for you.
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
  Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.
- In the Asset Catalog section, click Export Assets. A CSV file with the following fields downloads to your device:
  - Device ID
  - Asset IP
  - Device Name
  - Category
  - Asset Tags
- Open the CSV file.
- Locate the required Asset IP, and then edit the corresponding Device Name, Category, and Asset Tags columns as desired.
  Notes:
  - Do not edit the Device ID column. Editing a Device ID value results in an unsuccessful CSV file import.
  - To reset the Device Name or Category of an asset to the value from the default sensor, leave the cell empty.
  - To exclude a device from the bulk edit, either leave the Device Name or Category values unchanged or delete the row from the CSV file.
  - Ensure that asset tags match those available in the Risk Dashboard. Entering invalid asset tags results in an unsuccessful CSV file import.
- Save the CSV file.
- In the Risk Dashboard, click Import Assets.
- Locate the modified CSV file, and then click Open. The Confirm Upload dialog appears.
- Click Upload. A message appears to confirm whether the import was successful or unsuccessful.
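A dry-run check of an edited CSV against the original export, written as an added example (not Arctic Wolf code), that applies the rules above before you click Import Assets: unchanged Device IDs, empty cells meaning "reset to sensor default", unchanged rows being excluded, and tags restricted to the ones documented on this page. The comma separator inside the Asset Tags cell and the sample rows are assumptions made for the example.

```python
"""Dry-run checker for a Risk Dashboard bulk-edit CSV before clicking Import Assets.

Added example, not Arctic Wolf code. It encodes the rules stated on this page:
the Device ID column must not change, an empty Device Name or Category cell
means "reset to the sensor default", unchanged rows are excluded, and every
asset tag must already exist in the Risk Dashboard.
"""
import csv
import io

# Column order of the exported file, as listed on this page.
EXPORT_FIELDS = ["Device ID", "Asset IP", "Device Name", "Category", "Asset Tags"]

# Tags documented on this page. Custom tags created by your CST would be added here.
KNOWN_TAGS = {
    "backup_recovery", "gdpr", "iam", "internet_facing",
    "network_infra", "pci", "pii", "remote_access",
}


def parse_tags(cell):
    """Split an Asset Tags cell. Assumption: tags are comma-separated inside the cell."""
    return [t.strip() for t in cell.split(",") if t.strip()]


def check_bulk_edit(exported_text, edited_text, known_tags=KNOWN_TAGS):
    """Return (errors, plan).

    errors: problems that would make the import fail.
    plan:   Device ID -> {column: planned change} for rows the import would touch.
    """
    original = {r["Device ID"]: r for r in csv.DictReader(io.StringIO(exported_text))}
    reader = csv.DictReader(io.StringIO(edited_text))
    errors, plan = [], {}

    if reader.fieldnames != EXPORT_FIELDS:
        errors.append(f"header mismatch: expected {EXPORT_FIELDS}, got {reader.fieldnames}")
        return errors, plan

    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        dev = row["Device ID"]
        base = original.get(dev)
        if base is None:
            # A Device ID that is not in the export was edited or invented; the import would fail.
            errors.append(f"line {lineno}: Device ID {dev!r} is not in the export")
            continue

        changes = {}
        for field in ("Device Name", "Category"):
            new = row[field]
            if new != base[field]:
                changes[field] = "reset to sensor default" if new == "" else f"set to {new!r}"

        tags = parse_tags(row["Asset Tags"])
        unknown = [t for t in tags if t not in known_tags]
        if unknown:
            errors.append(f"line {lineno}: unknown asset tag(s) {unknown}")
        elif tags != parse_tags(base["Asset Tags"]):
            changes["Asset Tags"] = f"set to {tags}"

        if changes:  # rows with no edits are excluded from the bulk edit
            plan[dev] = changes
    # Rows deleted from the CSV never reach the plan: deleting a row excludes the device.
    return errors, plan


# Constructed sample data (not a real export).
SAMPLE_EXPORT = """Device ID,Asset IP,Device Name,Category,Asset Tags
d-001,10.0.0.5,fileserver01,Server,backup_recovery
d-002,10.0.0.6,,Workstation,
d-003,10.0.0.7,vpn-gw,Network,"remote_access,internet_facing"
d-004,10.0.0.8,printer01,Printer,
d-005,10.0.0.9,dbserver01,Server,pii
d-006,10.0.0.10,kiosk01,Workstation,
"""

# The same file after editing: a rename, a name plus tag, a Category reset,
# an unknown tag, an altered Device ID, and one row deleted (d-006).
SAMPLE_EDITED = """Device ID,Asset IP,Device Name,Category,Asset Tags
d-001,10.0.0.5,fileserver-01,Server,backup_recovery
d-002,10.0.0.6,hr-laptop-12,Workstation,gdpr
d-003,10.0.0.7,vpn-gw,Network,"remote_access,internet_facing"
d-004,10.0.0.8,printer01,,
d-005,10.0.0.9,dbserver01,Server,payroll
d-999,10.0.0.11,misc,Server,
"""

if __name__ == "__main__":
    errs, plan = check_bulk_edit(SAMPLE_EXPORT, SAMPLE_EDITED)
    for e in errs:
        print("ERROR:", e)
    for dev, ch in plan.items():
        print(dev, ch)
```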
Edit an asset category
Note: These steps describe how to apply an existing asset category. If you want to add a new category, see Add an asset category.
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog, select the checkbox next to each asset you want to update.
- Click Update Selected. The Update Selected Assets dialog appears.
- In the Asset Category dropdown list, select the appropriate value.
- Click Update Asset(s).
Add an asset category
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog table, click the Source of an asset that you want to assign the asset category to.
- In the Details pane, click Edit Details. The Edit Asset Details dialog appears.
- In the Add Category field, enter a name for the category.
- Click Add.
  Note: An asset category must be assigned to at least one asset for it to appear as an option when assigning asset categories. As a result, you cannot add multiple asset categories at once using this method.
- Click Update.
Edit asset criticality
You can associate an asset with a pre-defined Asset Criticality value. This value is optional. The value displays for any risks that are discovered on the device, which can assist you with risk mitigation planning.
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog, select the checkbox next to each asset you want to update.
- Click Update Selected. The Update Selected Assets dialog appears.
- In the Asset Criticality dropdown list, select the required Asset Criticality:
  - Unassigned — The default value for all devices.
  - None — Defer risk remediation, for example, because these assets are not interconnected with business systems.
  - Low — Defer risk remediation until higher-priority tasks are completed. These assets are unlikely targets for malicious activity, or have negligible negative impact, if compromised.
  - Medium — Monitor for risk escalation. These assets have moderate negative impact, if compromised.
  - High — Isolate and limit asset use until remediation. These assets have short-term compensating controls available, or are interconnected with external systems.
  - Critical — Remediate risks immediately. These assets are likely targets for malicious activity.
- Click Update Asset(s).
Tip: You can edit asset criticality for multiple assets simultaneously. See Edit multiple assets for instructions.
Edit asset tags
Tags are an optional value that you can apply to assets. The values are then included on any risks that are discovered on the device to assist with risk mitigation planning.
Tips:
- You can ask your CST to create custom tags for you.
- You can edit asset tags for multiple assets simultaneously. See Edit multiple assets for instructions.
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog section, select the checkbox next to each asset you want to update.
- Click Update Selected. The Update Selected Assets dialog appears.
- In the Asset Tags search field, search for and select the required asset tag:
  - backup_recovery — An asset that directly or indirectly engages in the preservation of data for the purposes of recovery.
  - gdpr — Any asset that, if compromised, would render a business or organization in violation of their GDPR legal responsibilities, as the European Union mandates.
  - iam — An Identity and Access Management (IAM) system that provides users access to resources based on defined roles and policies.
  - internet_facing — Any asset that can be reached through the public internet.
  - network_infra — Any asset that makes communication between endpoints possible, including routers, switches, and firewalls.
  - pci — Any asset that engages in the handling of credit card data, as part of the payment card industry (PCI) data security standards compliance.
  - pii — Any asset that engages in the storage, retrieval, and/or processing of data that relates to an identified or identifiable natural person.
  - remote_access — Any asset that is configured for remote access, including VPN gateways, and sign-in services such as RDP and SSH.
- Click Update Asset(s).
Edit a device name
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog section, select the checkbox next to each asset you want to update.
- Click Update Selected. The Update Selected Assets dialog appears.
- In the Device Name field, enter a name for the asset. This is the name that appears in the Risk Dashboard.
- Click Update Asset(s).
Reset sensor details
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
- In the Asset Catalog table, click the required Source.
- Click Reset to Sensor Defaults to revert the asset details to the default settings that the scanner created for this asset.
- Click Confirm.
Rescan assets
You can rescan an individual asset or multiple assets at the same time.
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog table, select the checkbox of each asset to rescan.
- Click Rescan to add the asset to the scan queue.
  Tip: The Rescan button appears dimmed if you select an EVA source, as rescanning is currently unavailable for EVA assets.
- Click Rescan to confirm.
Delete an asset
You can delete an IVA or Agent asset from the Assets page if you no longer require it. To delete an EVA asset, update the appropriate scan configuration. See Scanner Configuration section for more information.
If a deleted asset is rediscovered during a future scan, it is given a new asset ID and re-added to the catalog.
You cannot delete:
- Assets associated with risks that were identified within the last 24 hours.
- Agent assets identified in the last 48 hours.
Note: Deleted Agent assets are automatically removed from scan schedules.
Delete a single asset
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog table, click Delete next to the asset that you want to delete. The Confirm Delete dialog appears.
- Click Delete.
Delete multiple assets
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog table, select the checkboxes next to the assets that you want to delete.
- Click Delete Selected. The Confirm Delete dialog appears.
- Click Delete.
Delete a note from an Asset Profile
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog section, go to the Source column, and then click any source.
- In the Previous Notes section, locate the note to delete, and then click Delete. The Delete Note dialog appears.
- Click Delete.
Download Asset Catalog data
- In the Risk Dashboard navigation pane, click Assets.
- (Optional) Use Filters to narrow the list of assets that appear on the page. See Asset Filters section for more information.
  Tip: All assets that match the filter criteria are included in the CSV file, even if they are not currently displayed due to pagination settings.
- Click Download CSV. The CSV file downloads to your device.
Agent page
The Agent page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Risk charts — Illustrates the percentage of risks in various categories. See View risk charts for more information.
- Target Group Overview — Provides a summary of the target groups and scanning schedules. See Target Group Overview section, Enable an agent scan schedule, and Stop active and scheduled agent scans for more information.
- Agent Risks — Provides a link to the Risks page, filtered to risks with Agent as the Source. See View Agent Risks for more information.
- Agent Scan Details — Displays information about scans that overlap with or start within a specified date and time. See View Agent Scan Details for more information.
You can change how the information displays on the page:
- Click Close to remove a section from the page.
- Click Collapse to collapse a section on the page.
All sections display when the page refreshes.
View risk charts
Risk charts illustrate the percentage of risks in various categories.
- In the Risk Dashboard navigation pane, click Agent. The Agent page contains three risk charts:
  - Risks by OS
  - Risks by Category
  - Risks by Severity
- (Optional) Hover over a section of the chart to see the percentage. Use the legend, above each chart, for information about the chart colors. Click the arrows to scroll through the legend.
Target Group Overview section
The Target Group Overview section is located on the Agent page. It includes a table that provides a summary of the target groups and scanning schedules. You can change how the information displays in the table:
- To set the number of rows that appear on a page, select a value from the Show <x> entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific information, enter search terms in the Search field.
The Target Group Overview table has the following columns:
Column | Description |
---|---|
Name | The name of the target group. |
Description | A description of the target group. |
Targets | The number of targets in the target group. |
Scanning | The state of the target group. This can be one of the following: |
Schedule | The intended times for a scan to repeat itself. This can be one of the following: |
Created | The date and time that the target group was created. |
Last Scan | The date and time of the previous scan on the target group. |
Next Scan | The date and time of the next scheduled scan on the target group. |
Click CSV to download a CSV file containing all target groups for the deployment.
The Edit and X icons are used by Arctic Wolf employees to edit and delete target groups. They are not functional for customers.
View Agent Risks
The Agent Risks section provides a link to the Risks page, so you can view risks with Agent as the Source.
- In the Risk Dashboard navigation pane, click Agent.
- In the Agent Risks section, click here. The Risks page appears. The risk table is filtered to display risks with Agent as the Source.
View Agent Scan Details
The Agent Scan Details section displays information about scans that overlap with or start within the specified date and time.
- In the Risk Dashboard navigation pane, click Agent.
- In the Agent Scan Details section, select the start date and time for the scan results that you want to view.
- Click Get Data. The table displays all target group scans that occurred after your selected start date and time.
The Agent Scan Details table has the following columns:
Column | Description |
---|---|
Scans Detail | Click Details next to a scan in the table to view details for a specific scan. |
ID | The unique identifier representing the scan. |
Name | The name of the scanned target group. |
Scheduled Window Minutes | Duration of the scan in minutes. |
Status | Whether or not the scan was completed. |
Scan Reason | The reason for the scan. |
Start Time | The date and time of the start of the scan. |
End Time | The date and time of the end of the scan. |
Click Details next to a scan in the table to view details for a specific scan. The sub-table has the following columns:
Column | Description |
---|---|
Client UUID | A universally unique identifier (UUID) for the device. |
Hostname | The hostname of the device. |
ID | The ID of the device. |
Status | The status of the scan. The statuses can be one of the following: |
Start Time | The time the agent began scanning the device. |
End Time | The time the agent ended scanning the device. |
Create Time | The time that the scan was created. |
Audit | Provides the audit report if an audit was performed. Click Download to download the audit report as an HTML file. |
Vulnerability Report | Provides the vulnerability report if a vulnerability scan was performed. Click Download to download the vulnerability report as an HTML file. |
Benchmark Report | Provides the benchmark report if a benchmark scan was performed. Click Download to download the benchmark report as an HTML file. |
View Agent Audits
- In the Risk Dashboard navigation pane, click Assets.
- In the Asset Catalog section, go to the Source column, and then click any Agent. If Agent discovered the asset and the asset information is available, it is provided in the appropriate section:
Task List table
The Task List table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:
Column | Description |
---|---|
Command | The command associated with the task. |
Handle Count | The number of object handles in the object table of the task. |
Name | The name of the task. |
PCPU | The percent of central processing unit (CPU) that is used. |
PID | The process identifier (PID) associated with the process. |
PMEM | The percent of the process’s RSS to physical memory (MEM) that is used. |
PPID | The parent process identifier (PPID). |
Priority | The priority of the task. |
Process ID | The process ID of the task. |
RSS | The resident set size (RSS) or portion of random access memory (RAM) that the process uses. |
Session ID | The session ID that the task is using. |
STAT | The current status (STAT) of the process. |
Thread Count | The number of threads working on the task. |
Time | The time since the process started. |
TT | The task type (TT). |
VSZ | The virtual memory size (VSZ) or the size of memory allocated to a process, even if it does not use it. |
Working Set Size | The amount of memory that the task needs to function. |
See View Agent Audits for more information.
Wireless Networks table
The Wireless Networks table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:
Column | Description |
---|---|
Authentication | The authentication type of the network. |
BSSID | The basic service set identifier (BSSID) that uniquely identifies the radio of the access point using a media access control (MAC) address. |
Channel | The small band within a larger frequency band, that the wireless network uses to transmit wireless signals. |
Country | The country code of the wireless device. |
Encryption | The encryption type of the network. |
IsCurrent | Whether the network is currently connected to the machine (True) or not (False). |
MCS Index | The modulation coding scheme (MCS) index that is supported. |
Message | The number of available networks. For example, "There are 3 networks currently visible". |
Mode | The wireless mode. |
Name | The name of the network. |
Network Type | The type of network. |
Network | The network name. |
Noise | The signal in decibels (-dBm) that is not WiFi traffic. The closer to 0, the greater the noise. |
Security | The wireless security protocol provided by the wireless network. |
Signal | The current signal strength in (-dBm). The closer to 0, the better the signal. |
SSID Name | The service set identifier (SSID) that uniquely names the wireless local area network (WLAN) that devices connect to. |
Transit Rate | The throughput capability of wireless devices connected to the network. |
See View Agent Audits for more information.
USB Devices table
The USB Devices table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:
Column | Description |
---|---|
Bus | The universal serial bus (BUS) identifier. |
Device ID | The unique ID of the USB device. |
Device | The device name. |
Manufacturer | The manufacturer of the USB device. |
Name | The name of the USB device. |
Product ID | The product identification number. |
Serial Number | The serial number of the USB, if available. |
Speed | The speed of the USB in Mb/s. |
Status | The status of the USB device. |
Vendor ID | The identification number of the vendor. |
Version | The software version on the USB device. |
See View Agent Audits for more information.
Software Packages table
The Software Packages table displays when you view Agent Audits and the asset information is available. The table columns are different, depending on the operating system (OS) that is scanned. The table can have the following columns:
Column | Description |
---|---|
Arch | The hardware architecture. |
Install Location | The location that the software package is installed on the device. |
Install Source | The location of the file that the software package was installed from. |
Installed | The date that the software package was installed, formatted as YYYYMMDD. |
Intel 64bit | Whether the software can run on Intel 64bit CPUs. |
Kind | The type of software package. |
Last Modified | The date and time that the software package was last modified. |
Location | The file path of the software. |
Name | The name of the software package. |
Obtained From | The source of the software package. |
Signed By | The signing authority of the software package. |
Summary | A description of the software. |
Vendor | The vendor of the software package. |
Version | The version number of the software package. |
See View Agent Audits for more information.
Enable an agent scan schedule
You can enable individual agent scan schedules.
- In the Risk Dashboard navigation pane, click Agent.
- In the Target Group Overview section, locate the agent scan schedule you want to turn on.
- In the Schedule Enabled column, turn on the toggle.
  Note: If the toggle appears dimmed, the scan is currently disabled.
  In the Scanning column, the agent status changes to Enabled.
Stop active and scheduled agent scans
Active scans and scheduled scans can be stopped individually or in bulk:
Stop an agent scan schedule
- In the Risk Dashboard navigation pane, click Agent.
- In the Target Group Overview section, locate the agent scan schedule you want to turn off.
- In the Schedule Enabled column, turn off the toggle.
  Note: If the toggle appears dimmed, the scan is currently disabled.
  In the Scanning column, the agent status changes to Disabled.
Stop all agent scan schedules
- In the Risk Dashboard navigation pane, click Agent.
- In the Target Group Overview section, click Stop All Scan Schedules.
- Click Stop All Scan Schedules to confirm. In the Scanning column, all agent statuses change to Disabled.
EVA page
The EVA page displays information gathered from External Vulnerability Assessment (EVA) scans, specifically target scan groups and the associated risks for these groups. The page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Target Group to Risk Severity — Displays target score information for each target group and its targets. See Target Group to Risk Severity section, Target Group to Risk Severity filters, Download a Target Group to Risk Severity chart, and Filter target groups by tags for more information.
- Target Group Overview — Displays information about target group scans. See Target Group Overview section for more information.
- Risks by Target Group — Displays risk information for target groups. See Risks by Target Group section for more information.
Target Group to Risk Severity section
The Target Group to Risk Severity section is located on the EVA page. It displays target score information for each target group and its targets. The chart legend lists each target group, all targets within a group, and the color corresponding to the chart.
Note: You cannot take actions on target groups that have discovered a host in scanning.
Tip: See target score for more information on target scores.
The chart visualizes the target score associated with each target and target group. The chart has three layers, where the innermost layer represents the target group, the second layer represents each target within that group, and the third layer represents the target score associated with each target. Each target group and associated targets are one unique color. Low target scores are not visible, medium target scores are yellow sectors, and high target scores are red sectors. If a target group scan did not discover a host, then it is not displayed on the chart.
Target Group to Risk Severity filters
The Target Group to Risk Severity section is located on the EVA page. It includes the following filters that you can use to change the chart data:
Filter | Description |
---|---|
Target group | Click a target group on the chart. This limits the chart to only display the relevant information for that target group. Click the gray circle in the center of the chart titled undefined. |
Location | Filters the target group by location. Select one of the following options: All, Corporate, or Third Party. |
Tags | Filters the target by Tag. Click the Tags field, select a tag from the dropdown list, and then click Update Control Data. See Filter target groups by tags for more information. |
Target Group Overview section
The Target Group Overview section is located on the EVA page. You can change how the information displays in the Target Group Overview table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific information, enter search terms in the Search field.
- To limit the table to target groups with the relevant tags, see Filter target groups by tags for more information.
Tip: Click CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.
The Target Group Overview table has the following columns:
Column | Description |
---|---|
Name | Name of the target group. |
Description | Description of the target group. |
Targets | All targets within the target group. |
Scanning | If scanning is enabled or disabled for the target group. |
Schedule | Whether the scan on the target group runs once, weekly, or monthly. |
Created | The date that the target group was created. |
Last scan | The date of the previous scan on the target group. |
Next scan | The date of the next scheduled scan on the target group. If there is no next scan, the entry is empty. |
Risks by Target Group section
The Risks by Target Group section is located on the EVA page. You can change how the information displays in the Risks by Target Group table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific information, enter search terms in the Search field.
- To limit the table to target groups with the relevant tags, see Filter target groups by tags for more information.
Tip: Click CSV to download the table data to your device. This download includes target group filters, but ignores the search filter.
The Risks by Target Group table has the following columns:
Column | Description |
---|---|
Level | Target score of the target. |
Target | IP address or domain name of the target. |
Name | Name of the target. |
Description | Description of the target. |
Recommendations | Steps to mitigate the risk of the target. |
Created | Date the target was created. |
Click Details at the left of each entry to display additional risk information. Details vary, depending on the risk. Not all information is present for each entry:
- Domains to resolve this address — Links or IP addresses used to access the risk.
- Observations — General notes about the risk.
- References — Links relating to further information about the risk type and potential mitigation steps.
Filter target groups by tags
- In the Risk Dashboard navigation pane, click EVA.
- In the Target Group to Risk Severity section, enter the tags you want to filter by in the Tags field.
- Click Update Control Data.
Note: It may take a few seconds for the updates to complete.
Download a Target Group to Risk Severity Chart
- In the Risk Dashboard navigation pane, click EVA.
- (Optional) Use filters to narrow the information that appears in the chart. See Target Group to Risk Severity filters for more information.
- Click Save image. An image of the chart downloads to your device. It does not save the legend.
Stop active and scheduled EVA scans
Active scans and scheduled scans can be stopped individually or in bulk:
Stop an EVA scan schedule
- In the Risk Dashboard navigation pane, click EVA.
- In the Target Group Overview section, locate the EVA scan schedule you want to turn off.
- In the Schedule Enabled column, turn off the toggle.
  Note: If the toggle appears dimmed, the scan is currently disabled.
  In the Scanning column, the status changes to Disabled.
Stop all EVA scan schedules
- In the Risk Dashboard navigation pane, click EVA.
- In the Target Group Overview section, click Stop All Scan Schedules.
- Click Stop All Scan Schedules to confirm. In the Scanning column, all EVA statuses change to Disabled.
User Config page
The User Config page is no longer available. Previously, it allowed you to manage users who could access your Risk Dashboard. If you need to make user management changes now, contact your CST.
Scanner Config page
The Scanner Config page lets you make changes to your scanning configuration and scanning schedules. The page includes the following sections:
- Risk metrics — Provides risk score information. See View risk metrics, Download an Executive Summary, and Download a Risk Assessment for more information.
- Scanner Configuration — Displays configuration details about the selected scanner. See Scanner Configuration section, View the configuration of a scanner, Delete a scan schedule, and Disable a scan for more information.
- Scanning Schedule — Displays scans that are scheduled for a selected scanner. See Scanning Schedule section, and Check IVA Scanner connectivity for more information.
- Credentialed Scanning — Lists all the scans that have credentialed scanning enabled. See Credentialed Scanning section, and Add new scan credentials for more information.
- Scanning Queue — Displays all running and scheduled scans for the selected scanner. This section is only visible if you are viewing information for a scanner that has scans queued. See Scanning Queue table, and View the scan queue for more information.
By default, the scanner scans all devices on the same network subnet as the IP or mask that is provisioned. If desired, you can add additional devices, if they are reachable through a gateway, for scanning.
The scanner virtual machine (VM) is designed for rapid and continuous scanning to process all the network hosts as quickly as possible. As such, it is normal for the scanner to consume all of the virtual CPU (vCPU) allocated to it. This may not be desirable in a highly overloaded ESXi environment, and allocating more resources may be difficult in the short term. In this situation, we recommend using the minimum system requirements as described in the Managed Risk Scanner Installation Guide for your environment. If CPU consumption is an issue, try deploying a physical scanner. However, we only recommend this approach if the ESXi environment is unable to manage the scanner resource requirements.
By design, company identifying information is not sent out of your network. Each scanner is provisioned with a globally unique identifier (GUID). The customer to GUID mapping is stored within the Arctic Wolf secure network.
Scan frequency for a given host depends on a number of factors, including:
- The uptime of the host on the network (a host that is offline during its scan window is not scanned)
- The number of hosts in the scan
- The scanner hardware
We recommend that each host on the network is scanned at a minimum once every 10-14 days. You may require additional scanners based on your network size and complexity.
Note: EVA scans run monthly. We do not recommend scanning too frequently, as this could conflict with firewall rules or generate too much noise.
The Risk Scanner operates in stages when determining what hosts to scan next. Scans begin five minutes after the previous scan completes. During this process, the Risk Scanner:
- Builds a list of active hosts based on the most recently completed Nmap scan.
- Uses the OpenVAS history to sort the active hosts by the time since their last vulnerability scan, with the least recently scanned host at the top of the list and the most recently scanned host at the bottom.
- Determines whether each host is eligible to be scanned, based on whether the current time falls within the window of the scan schedule that applies to it.
- Determines how many simultaneous scans the system can manage, based on the current CPU load. It begins with one scan and adds one more parallel scan each cycle while CPU capacity remains. If the CPU load exceeds the threshold, the number of parallel scans is reduced by one for the next cycle.
- Runs the new scan, starting with the least recently scanned host that is available to be scanned at that moment. The scanner then polls for the next least recently scanned host until the scanning capacity is reached.
Scanner Configuration section
The Scanner Configuration section is located on the Scanner Config page. It displays configuration details for the selected scanner.
The Scanner Configuration section has the following information:
Detail | Description |
---|---|
Scanner ID | The ID of the scanner. Click Details at the end of the ID to choose a different scanner. |
Scanner IP Address | The IP address of the scanner. |
Netmask | The netmask of the scanner. |
Connection Status | The connection status of the scanner: Connected or Disconnected. |
Scanning Status | The scanning status of the scanner: Scanning, Degraded, Misconfigured, or Disabled. Tip: See Troubleshoot scanning statuses for help resolving scanning statuses. |
Host Identification Scans | A toggle that enables or disables host identification scans. Vulnerability Scans must also be enabled for host identification scans to work. When this toggle is disabled, Vulnerability Scanning is also disabled. |
Vulnerability Scanning | A toggle that enables or disables IVA scans. |
Troubleshooting Settings | A button that opens the Troubleshooting settings dialog. The dialog includes the Only ping the target, Brute force checks, CGI scanning, and Stop All Scanning Now settings. Caution: Arctic Wolf does not recommend using the Stop All Scanning Now setting outside of an emergency, since it may cause scan restart issues. |
DenyList IP/Networks | IP addresses or networks that are part of the DenyList. These items are not scanned. See Add an IP address or IP address range to the DenyList for more information. |
Host Collection DNS Servers | The DNS server that you have configured. Note: If this field is blank, the scanner attempts to auto-discover the server name. |
Only ping the target toggle
Under Troubleshooting Settings, if the Only ping the target (normally turned off) toggle is enabled, the scanner sends an ICMP echo request to each host. If the host returns an ICMP echo reply, the scanner determines that the host is online and can be scanned. Some networks and devices are configured not to reply to ICMP echo requests; with this toggle on, such hosts are excluded from host identification scans, and a host that is never identified never enters the active host list that vulnerability scans are drawn from.
While you can use this setting for troubleshooting, enabling the Only ping the target toggle is also helpful if Host Identification Scans, also known as Nmap scans, are producing a lot of traffic, or if you want to reduce the Nmap load.
We recommend that you enable the Only ping the target toggle for a scanner that scans through a stateful firewall.
The Only ping the target toggle does not change what information a host identification scan collects, such as device name, operating system, or MAC address, and it does not change how vulnerability scans run against the hosts that were identified.
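To make the effect of ICMP-only host identification concrete, here is an added example written for this page; it is not Arctic Wolf code. It parses two constructed Nmap ping-scan XML outputs (the shape that nmap -sn -oX produces) for the same small segment, one from default discovery and one from ICMP echo only (nmap -sn -PE --disable-arp-ping is the closest stand-alone Nmap equivalent; that the toggle maps to exactly this is an assumption), builds the active host list that later vulnerability scans draw from, and reports which hosts the ICMP-only run silently drops. The addresses and the function names are constructed for the example.

```python
"""Build the active-host list from Nmap host-identification output and show which
hosts an ICMP-echo-only discovery drops. Added example, not Arctic Wolf code.
The XML below is constructed in the shape of `nmap -sn -oX -` output."""
import xml.etree.ElementTree as ET

# Constructed: default discovery. On a local segment Nmap discovers hosts with ARP,
# so a host that silently drops ICMP still shows up with reason="arp-response".
DEFAULT_DISCOVERY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 10.0.0.0/29">
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed: the same segment with "Only ping the target" on, i.e. ICMP echo only.
# 10.0.0.2 is up but drops ICMP echo requests, so it is reported as down.
ICMP_ONLY_DISCOVERY = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PE --disable-arp-ping -oX - 10.0.0.0/29">
  <host><status state="up" reason="echo-reply"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>
"""


def active_hosts(nmap_xml: str) -> dict:
    """Map IPv4 address -> discovery reason for every host Nmap reports as up.
    This is the list the vulnerability-scan cycle is built from."""
    root = ET.fromstring(nmap_xml)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is not None and addr is not None and status.get("state") == "up":
            result[addr.get("addr")] = status.get("reason")
    return result


def dropped_by_icmp_only(full_xml: str, icmp_xml: str) -> list:
    """Hosts that are up under default discovery but invisible to ICMP-echo-only discovery.
    These hosts are never identified, so they are never vulnerability scanned."""
    return sorted(set(active_hosts(full_xml)) - set(active_hosts(icmp_xml)))


if __name__ == "__main__":
    print("default discovery :", active_hosts(DEFAULT_DISCOVERY))
    print("ICMP echo only    :", active_hosts(ICMP_ONLY_DISCOVERY))
    print("dropped by ICMP-only:", dropped_by_icmp_only(DEFAULT_DISCOVERY, ICMP_ONLY_DISCOVERY))
```

Running the same comparison against real output from the scanner's own segment is a quick way to decide whether turning the toggle on is acceptable: every address in the dropped list is a device that will stay unassessed until it either answers ICMP or is moved to a scanner that can reach it without the firewall in between.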
Scanning Schedule section
The Scanning Schedule section is located on the Scanner Config page. It displays scans that are scheduled for a selected scanner. You can change how the information displays in the Scanning Schedule table:
- To set the number of schedules that appear on a page, select a value from the Show <x> Entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific schedules, enter search terms in the Search field.
The Scanning Schedule table has the following columns:
Column | Description |
---|---|
Target | The targets that the scan is configured to scan. |
Next Scan Time | The next time that this scan is configured to run. |
Schedule | The type of schedule for this scan: Continuous, Daily, Weekly, or Monthly. |
Window (hours) | The window that the scan can run within, in hours. For example, 12 am to 8 am. |
Priority | The priority of the scan: High, Medium, or Low. Note: The priority of a scan is used when there are conflicting scan schedules, to determine which scan schedule should be applied. For example, if a target is covered under a daily and a weekly scan, the one with the higher priority goes first. If the priority is the same, the least recently scanned target is selected. If both are equally least recently scanned, the scans are performed in alphabetical order. |
Modify | Use this column to modify your scan schedule: Edit, Delete, or turn the Scheduled Enabled toggle on or off. |
Tip: If the Scanning Schedule table is empty, the scanner scans all hosts on the network that it currently has an IP address on.
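The selection rules described on this page (the staged host-selection cycle that starts five minutes after the previous scan, the Priority tie-breaking in the Scanning Schedule table above, and the way a Rescan request is placed at the top of the least recently scanned list, as explained in the FAQ) fit in one small model. The following is an added illustration written for this page, not Arctic Wolf's scheduler code: the class names, the CPU threshold of 0.85, the sample hosts, and the assumption that each host has exactly one applicable schedule are all constructed. It reproduces the behaviours the page calls out: a host that Nmap reported as down is skipped, nothing is picked outside a schedule window, a Rescan request jumps the queue, and a High priority schedule that does not finish inside its window starves the Low priority one.

```python
"""Model of the Risk Scanner's host-selection cycle as described on this page.
Added example, not Arctic Wolf code. Class names, the CPU threshold, and the sample
hosts below are constructed assumptions used to illustrate the described ordering."""
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import List, Optional

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}   # lower rank is scanned first


@dataclass
class Schedule:
    name: str
    priority: str          # "High", "Medium" or "Low"
    start: time            # Start Time (24-hour clock)
    window_hours: int      # Scan Window (Hours)

    def is_open(self, now: datetime) -> bool:
        """True if `now` falls inside the current window (the window may cross midnight)."""
        start = datetime.combine(now.date(), self.start)
        if now < start:                      # still inside yesterday's window?
            start -= timedelta(days=1)
        return start <= now < start + timedelta(hours=self.window_hours)


@dataclass
class Host:
    ip: str
    up: bool                          # result of the latest Nmap host-identification scan
    last_scanned: Optional[datetime]  # from OpenVAS history; None = never scanned
    schedule: Schedule                # assumption: one applicable schedule per host
    rescan_requested: bool = False    # a user clicked Rescan for this host


def order_candidates(hosts: List[Host], now: datetime) -> List[Host]:
    """Least-recently-scanned list of hosts that are up and inside an open window.
    Rescan requests go to the top; then Priority, then oldest last scan, then IP."""
    active = [h for h in hosts if h.up and h.schedule.is_open(now)]
    return sorted(active, key=lambda h: (not h.rescan_requested,
                                         PRIORITY_RANK[h.schedule.priority],
                                         h.last_scanned or datetime.min,
                                         h.ip))


def next_capacity(current: int, cpu_load: float, threshold: float = 0.85) -> int:
    """Parallel-scan capacity for the next cycle: +1 while CPU is under the
    threshold, -1 (never below one scan) once the load exceeds it."""
    return max(1, current - 1) if cpu_load > threshold else current + 1


def pick_batch(hosts: List[Host], now: datetime, capacity: int) -> List[str]:
    """IPs that start scanning this cycle: top of the ordered list, up to capacity."""
    return [h.ip for h in order_candidates(hosts, now)[:capacity]]


def sample_hosts() -> List[Host]:
    """Constructed inventory: a High-priority and a Low-priority 00:00-08:00 window."""
    servers = Schedule("servers", "High", time(0, 0), 8)
    clients = Schedule("clients", "Low", time(0, 0), 8)
    return [
        Host("10.0.0.30", True, datetime(2023, 9, 1), clients),        # oldest scan, but Low
        Host("10.0.0.10", True, datetime(2023, 9, 20), servers),
        Host("10.0.0.11", True, None, servers),                        # never scanned
        Host("10.0.0.12", False, None, servers),                       # down in Nmap: skipped
        Host("10.0.0.20", True, datetime(2023, 9, 15), servers, rescan_requested=True),
    ]


def demo(hour: int = 2, capacity: int = 3) -> List[str]:
    """Hosts chosen at 2023-09-25 <hour>:00 with the given parallel capacity."""
    return pick_batch(sample_hosts(), datetime(2023, 9, 25, hour, 0), capacity)


if __name__ == "__main__":
    cap = 1
    for cpu in (0.3, 0.5, 0.9):          # constructed CPU readings for three cycles
        print(f"capacity {cap}: {demo(capacity=cap)}")
        cap = next_capacity(cap, cpu)
```

With a capacity of three at 02:00, the batch is the rescan request, the never-scanned host, and the most stale High priority host; the Low priority host with the oldest scan of all only gets a slot once every eligible High priority host has one, which is the starvation the Priority note warns about. At 10:00 both windows are closed and nothing is picked.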
Credentialed Scanning section
The Credentialed Scanning section is located on the Scanner Config page. Credentialed scanning requires entering known credentials for a target host or group of hosts to allow the scanner to run network vulnerability tests and security checks.
During authentication, the scanner enumerates different protocols, some of which may be insecure; for example, server message block (SMB). Once connected, the scanner retrieves the list of installed software. The scanner then runs the OpenVAS version-check Network Vulnerability Tests (NVTs) that apply to the software installed on the host. Scan results are limited if the scanner is unable to log in to the target.
Scanning a Windows target uses NTLMv2 over SMB for authentication.
Tip: Because it sees the installed software, this scan also finds vulnerabilities that are not remotely exploitable, such as a vulnerability in a locally installed copy of Adobe Acrobat.
You can change how the information displays in the Credentialed Scanning table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific information, enter search terms in the Search field.
The Credentialed Scanning table has the following columns:
Column | Description |
---|---|
Name | The name of the credential that you configured. |
Type | The type of credential: Username/Password or Username/SSH Key. A Windows username can be entered as domain\username. |
Hosts | The hosts that this credential applies to. |
Description | The description that you configured, such as SSH key pair to host A. |
Modify | Use this column to modify your credentialed scan configuration. |
Scanning Queue table
The Scanning Queue section is located on the Scanner Config page. It is only visible if you are viewing information for a scanner that has scans queued. The table displays all of the running and scheduled scans for the selected scanner. You can change how the information displays in the Scanning Queue table:
- To set the number of rows that appear on a page, select a value from the Show <x> Entries dropdown list.
- To sort data by a specific column, click the column heading.
- To view specific information, enter search terms in the Search field.
The Scanning Queue table has the following columns:
Column | Description |
---|---|
Host | The host that the scan targets. |
Status | The status of the scan: Running or Scheduled. |
Last Scan | The date and time of the last completed scan. |
Scan Schedule | The schedule of this scan, including the target and type. |
View the configuration of a scanner
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, next to Scanner ID, click Details. The Scanner Select dialog appears.
- Do one of the following:
  - Enter the required scanner ID in the search field.
  - Locate the required scanner ID in the table. Scroll through the pages if required.
- Click the scanner ID in the list. The dialog automatically closes and the configuration information appears in the Scanner Configuration section.
View the scan queue
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Queue section, view the Last Scan column for the time that each host was last scanned.
Note: The Scanning Queue section is only visible if you are viewing information for a scanner that has scans queued.
Add new scan credentials
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Credentialed Scanning section, click Add new scan credentials. The Configure Credentials for Target Hosts dialog appears.
- Enter the following information in the dialog:
  - Name — Enter a name for the credential.
  - Description — (Optional) Enter a description for the credential.
  - Hosts — Enter the IP addresses of the target hosts in a comma-separated list. Tip: This field also accepts IP ranges using a hyphen, such as 10.0.0.1-3.
  - Type — Select the type of credential:
    - Username/Password — You will provide the username and password of the target hosts.
    - Username/SSH Key — You will provide the username and SSH key of the target hosts.
  - Username — Enter the username for the target hosts.
  - Password — (Username/Password) Enter the password.
  - Passphrase — (Username/SSH Key, optional) Enter the passphrase that protects the SSH private key, if it has one.
  - SSH Key — (Username/SSH Key) Enter the SSH private key.
- Click Configure.
Note: The scanner can only do with these credentials what the account allows, and so can anyone who obtains them. Use a dedicated scanning account with the least privilege the checks need rather than a domain administrator account.
Manage Risk Scanner configuration
To add an IP address or IP address range to the:
- Scheduled scan configuration — See Add a new scan schedule.
- DenyList — See Add an IP address or IP address range to the DenyList.
- AllowList — See Add an IP address or IP address range to the AllowList.
Add a new scan schedule
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, click Add a new scan schedule. The Configure Scanner Schedule dialog appears. Tip: Click Cancel or press ESC to close this dialog.
- In the Targets field, enter the IP addresses or networks that you want scanned, as a comma-separated list. See Managed Risk Scanner FAQ for scanning subnet range recommendations and the estimated time to complete a scan. You can use the following formats:
Target | IP address | CIDR |
---|---|---|
Single host | X.X.X.X | X.X.X.X/32 |
Subnet range | X.X.X.X-X.X.X.X | X.X.X.X/Y |
- In the Type dropdown list, select one of the following:
  - Continuous — The scan runs continuously.
  - Daily — The scan runs once a day. When selected, these options appear:
    - Start Time — Select the time that you want the scan to start, using a 24-hour clock.
    - Scan Window (Hours) — Select the scan window. The default value is 8.
  - Weekly — The scan runs once a week. When selected, these options appear:
    - Weekday checkboxes — Select the days of the week on which to run the scan.
    - Start Time — Select the time that you want the scan to start, using a 24-hour clock.
    - Scan Window (Hours) — Select the scan window. The default value is 8.
  - Monthly — The scan runs once a month. When selected, these options appear:
    - Date & Time — Enter the date and time that you want the scan to start, using a 24-hour clock.
    - Scan Window (Hours) — Select the scan window. The default value is 8.
- In the Priority dropdown list, select one of the following:
  - Low — This scan runs last, after all other scans are complete.
  - Medium — This scan runs after High priority scans but before Low priority scans.
  - High — This scan runs before all other scans.
  Note: If a High priority scan does not complete within its scanning time window, the Medium and Low priority scans that share that window never get to run.
- Click Configure to save your changes.
Note: Hosts that match a scheduled target are only scanned at the scheduled time. The scanner does not scan them as part of its regular scanning queue.
Add an IP address or IP address range to the AllowList
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, click Add a new scan schedule. The Configure Scanner Schedule dialog appears.
- Configure the following:
  - Targets — Enter the private IP address or private IP address range to AllowList.
  - Type — Select the desired scan schedule.
  - Priority — Select a scan priority. This determines the order in which scans run when there are multiple items in the Scanning Queue.
- Click Configure to save your configuration.
Add an IP address or IP address range to the DenyList
A DenyList is a list of IP addresses that you specifically do not want the scanner to scan, such as devices with poorly designed or implemented embedded network stacks that may behave unexpectedly if scanned. For example, printers or consumer-grade WiFi access points may print unexpected output or reboot if scanned. Because of the inconvenience this may cause, you can choose not to scan these devices.
Tip: Your CST works with you to keep the DenyList as short as possible, because a bad actor could exploit the same weaknesses that make these devices fragile to scanning, and a device that is never scanned is never assessed for vulnerabilities.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, enter IP addresses or networks in the DenyList IP/Networks field. The field accepts a comma-separated list in classless inter-domain routing (CIDR) notation: individual hosts can be entered without the /32 suffix, and networks as X.X.X.X/Y. Tip: You can specify multiple addresses by using a hyphen (-) range in one octet. For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
Edit an existing scan schedule
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, locate the desired schedule, and then click Edit. Tip: Use the Search bar to search for a specific schedule. The Configure Scanner Schedule dialog appears.
- Modify the schedule as desired. For example:
  - To raise the priority of an existing scan schedule, set Priority to a higher value and, if needed, set Type to a more frequent cadence. This is often done when a scan must be rerun to confirm that a high-risk vulnerability was remediated throughout the organization.
  - To change the frequency of the scan, change the Type value to your desired frequency.
- Click Configure to save your changes.
Brute force scanning username checks
The Risk Scanner performs brute force scanning checks on the following non-exhaustive list of usernames:
Note: In addition to these username checks, the Risk Scanner uses the known default usernames of different devices to validate checks for Common Vulnerabilities and Exposures (CVEs).
- acc
- adfexc
- adm
- admin
- Admin
- administrator
- Administrator
- adminttd
- ADVMAIL
- alex
- anonymous
- Anonymous
- apc
- asus
- at4400
- backup
- bbsd-client
- boss
- buh
- cellit
- cgadmin
- cisco
- Cisco
- client
- cmaker
- comsco
- craft
- customer
- davox
- debug
- device
- dhs3mt
- dhs3pms
- diag
- D-Link
- DTA
- FIELD
- foo
- ftp
- ftpadmin
- ftpuser
- guest
- Guest
- halt
- HELLO
- hscroot
- install
- intel
- IntraStack
- IntraSwitch
- kermit
- login
- manager
- Manager
- manuf
- MDaemon
- mediator
- MGR
- mobile
- monitor
- msfadmin
- mtch
- mtcl
- nas
- nasadmin
- nasuser
- NETOP
- netrangr
- NETWORK
- NICONEX
- operator
- OPERATOR
- patrol
- PBX
- PCUSER
- PFCUser
- pi
- public
- rdp
- rdpamin
- rdpuser
- readonly
- recovery
- root
- Root
- RSBCMON
- rwa
- sa
- security
- setup
- skyboxview
- SPOOLMAN
- storwatch
- super
- superadmin
- superuser
- supervisor
- support
- sysadm
- SYSDBA
- TANDBERG
- tech
- Test
- user
- User
- user-1
- User1
- volition
- vt100
- work
- WP
Enable brute force scanning
The Risk Scanner can perform brute force scanning checks for default, known, or common usernames and passwords on various services and devices.
Notes:
- Arctic Wolf recommends only using this setting for troubleshooting or emergency situations.
- Brute force scanning is separate from OpenVAS scanning. OpenVAS scanning performs regular vulnerability checks, such as for default usernames and passwords, regardless of whether brute force scanning is enabled.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, click Troubleshooting Settings. The Troubleshooting settings dialog appears.
- Turn on the Brute force checks toggle.
- Click Close. Your changes are automatically saved.
See Brute force scanning username checks for a non-exhaustive list of the usernames that brute force scanning checks.
Enable CGI scanning
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, click Troubleshooting Settings. The Troubleshooting settings dialog appears.
- Turn on the CGI scanning toggle.
- Click Close. Your changes are automatically saved.
Enable a scan schedule
A scan schedule can be enabled individually.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, locate the desired schedule, and then turn on the Scheduled Enabled toggle.
Note: If the toggle appears dimmed, the scan is currently disabled.
Stop active and scheduled scans
Active scans and scheduled scans can be stopped in bulk or individually.
Stop a scan schedule
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, locate the desired schedule, and then turn off the Scheduled Enabled toggle. The Disable Scan Schedule dialog appears. Note: If the toggle appears dimmed, the scan is already disabled.
- Click Stop Scan Schedule.
Stop all scan schedules
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, click Stop All Scan Schedules. The Stop All Scan Schedules dialog appears.
- Click Stop All Scan Schedules to confirm.
Disable a scan
Host Identification Scans and Vulnerability Scanning are both required for normal operation, but if needed you can disable one or both of these types of scans.
Notes:
- Disabling either scan type causes dashboard reporting errors after 24 hours.
- IVA scans do not run if the Host Identification Scans toggle is turned off.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, do one or both of the following:
  - To temporarily disable IVA scanning, turn off the Vulnerability Scanning toggle. No new scans run until you turn the toggle on again.
  - To disable host identification scans, turn off the Host Identification Scans toggle.
Disable brute force scanning
Brute force scanning can lead to Active Directory or standard account lockouts if devices on your network use default or known usernames, because every password guess against such a username counts as a failed logon for that account. We recommend that you change the device username from the known or default value, which both improves your security posture and avoids account lockouts during scanning. If that is not possible, you can disable the brute force scanning checks.
Note: Brute force scanning is separate from OpenVAS scanning. OpenVAS scanning performs regular vulnerability checks, such as for default usernames and passwords, regardless of whether brute force scanning is enabled.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, click Troubleshooting Settings. The Troubleshooting settings dialog appears.
- Turn off the Brute force checks toggle.
- Click Close. Your changes are automatically saved.
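Before disabling the checks, it helps to confirm which lockouts actually come from the scanner and which do not, because a real password spray looks the same to a domain controller. The following is an added example written for this page, not Arctic Wolf code. It triages a few constructed Windows Security records (failed logons, event 4625, and account lockouts, event 4740, flattened to one line each in a constructed format rather than the real event text), groups failures per source and account inside the lockout observation window, and labels bursts from the scanner's address as scanner-induced while everything else is left for investigation. The scanner address 10.0.0.50, the lockout threshold of 5 and the 30-minute window are assumptions; the usernames admin and backup come from the brute force username list on this page.

```python
"""Triage logon failures that may come from the Risk Scanner's brute force checks.
Added example, not Arctic Wolf code. The log lines are constructed; the scanner IP,
the thresholds and the one-line record format are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCANNER_IPS = {"10.0.0.50"}                  # assumption: the provisioned scanner address
LOCKOUT_THRESHOLD = 5                        # assumption: AD "Account lockout threshold"
OBSERVATION_WINDOW = timedelta(minutes=30)   # assumption: "Reset account lockout counter after"

# Constructed sample. 0xC000006D = logon failure, 0xC0000234 = account already locked out.
# The admin burst comes from the scanner; the jsmith burst comes from a workstation.
SAMPLE_LOG = """\
2023-09-25T02:14:01Z id=4625 user=admin src=10.0.0.50 status=0xC000006D
2023-09-25T02:14:02Z id=4625 user=admin src=10.0.0.50 status=0xC000006D
2023-09-25T02:14:03Z id=4625 user=admin src=10.0.0.50 status=0xC000006D
2023-09-25T02:14:04Z id=4625 user=admin src=10.0.0.50 status=0xC000006D
2023-09-25T02:14:05Z id=4625 user=admin src=10.0.0.50 status=0xC000006D
2023-09-25T02:14:06Z id=4740 user=admin src=10.0.0.50 status=-
2023-09-25T02:20:00Z id=4625 user=jsmith src=172.16.9.9 status=0xC000006D
2023-09-25T02:20:01Z id=4625 user=jsmith src=172.16.9.9 status=0xC000006D
2023-09-25T02:20:02Z id=4625 user=jsmith src=172.16.9.9 status=0xC000006D
2023-09-25T02:20:03Z id=4625 user=jsmith src=172.16.9.9 status=0xC000006D
2023-09-25T02:20:04Z id=4625 user=jsmith src=172.16.9.9 status=0xC000006D
2023-09-25T02:20:05Z id=4625 user=jsmith src=172.16.9.9 status=0xC0000234
2023-09-25T03:10:00Z id=4625 user=backup src=10.0.0.50 status=0xC000006D
"""

LINE_RE = re.compile(r"(?P<ts>\S+) id=(?P<id>\d+) user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)")


def parse(log: str):
    """Yield one dict per parsable record, with ts as datetime and id as int."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["id"] = int(rec["id"])
            yield rec


def lockout_risks(log: str):
    """(user, src, peak_failures, classification) for every source whose failed logons
    against one account reach the lockout threshold inside the observation window."""
    buckets = defaultdict(list)              # (user, src) -> timestamps of 4625 events
    for ev in parse(log):
        if ev["id"] == 4625:
            buckets[(ev["user"], ev["src"])].append(ev["ts"])
    findings = []
    for (user, src), times in buckets.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > OBSERVATION_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= LOCKOUT_THRESHOLD:
            kind = "scanner-induced (default username)" if src in SCANNER_IPS else "investigate"
            findings.append((user, src, peak, kind))
    return sorted(findings)


def locked_accounts(log: str):
    """Accounts that actually locked: a 4740 event or a 0xC0000234 logon failure."""
    return sorted({ev["user"] for ev in parse(log)
                   if ev["id"] == 4740 or ev["status"] == "0xC0000234"})


if __name__ == "__main__":
    for finding in lockout_risks(SAMPLE_LOG):
        print(finding)
    print("locked:", locked_accounts(SAMPLE_LOG))
```

The scanner-induced finding is the one this page's guidance addresses (rename the default account, or turn the brute force checks off); the second finding has the same shape but comes from an ordinary workstation and should be treated as a possible attack, which is exactly why the scanner's address must be known before its noise is filtered out.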
Disable CGI scanning
Webmin and similar web administration applications are often built on the Common Gateway Interface (CGI), so disabling CGI scanning removes many of the Webmin checks that the Risk Scanner performs. The CGI checks also include legacy tests against web-based Active Directory sign-in pages that have consistently caused account lockouts that were not real attacks. Disabling CGI scanning prevents those lockouts from Risk Scanner scans, but it does not mitigate the underlying risk.
For example, if a typical CGI-based Webmin page has a vulnerability, CGI scanning presumably discovers it. If the discovered vulnerability involves bad actors using known or default credentials to sign in to the system, the check itself carries a risk of account lockout. Disabling CGI scanning limits the impact of account lockouts while you perform the remediation steps required to address the vulnerability.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, click Troubleshooting Settings. The Troubleshooting settings dialog appears.
- Turn off the CGI scanning toggle.
- Click Close. Your changes are automatically saved.
Delete a scan schedule
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Schedule section, locate the scan to delete, and then click Delete. The Delete Schedule dialog appears.
- Click Delete Schedule.
Verify that an IVA re-scan is running
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanning Queue section, locate the IP address of the host that you want to confirm is being scanned.
- Verify that the Status of the IP address is Running or Scheduled.
Verify scanner health
On a monthly or quarterly basis, do the following to review IVA Scanner and Arctic Wolf Agent scanning health.
Check IVA Scanner connectivity
Arctic Wolf alerts you if IVA Scanners go offline, but it is also good practice to verify that online IVA Scanners are working as expected and that assets are scanned in a timely fashion.
- In the Risk Dashboard navigation pane, click Config > Scanner Config.
- In the Scanner Configuration section, for Scanner ID, click Details. The Scanner Select dialog appears.
- Search for or locate the scanner ID, and then click it.
- In the Scanner Configuration section, verify that the Connection Status is Connected and that the Scanning Status is Scanning.
  - If the Connection Status is Disconnected — Make sure the network scanner is online and that nothing, such as a firewall, is blocking the network communication. See the Arctic Wolf Portal IP Addresses page for the list of IP addresses and ports that Arctic Wolf requires on an AllowList. If you require additional troubleshooting, contact your CST at security@arcticwolf.com.
  - If the Scanning Status is Degraded — Restart the network scanning appliance. If it comes back online and is still Degraded, contact your CST at security@arcticwolf.com.
- Repeat steps 2 to 4 for additional scanners as needed.
Check the IVA Scanner rate
Make sure assets are scanned at an appropriate interval. In general, a scanner scans roughly 150-250 assets in an 8 hour window; the number varies with the type of system and environment. For example, if several large subnets are each given only a weekly scan with an 8 hour window, it can take more than a month to complete a full scanning cycle, well beyond the recommended 10-14 days per host. If you are concerned about your environment not being scanned in a timely manner, consult with your CST to review the scheduling.
To increase scanning throughput without lengthening the scan window, deploy additional physical scanners so that multiple subnets are scanned in parallel. Adding resources to an existing virtual scanner does not meaningfully increase its scan throughput.
See Managed Risk Scanner FAQ for more information.
Check Agent scanning health
Agent scans are set and managed by your CST, but you can view the results of Agent scans and identify assets that were scanned or missed.
- In the Risk Dashboard navigation pane, click Agent.
- In the Agent Scan Details section, enter a date that is prior to the scan date you want to verify, and then click Apply.
- Click Get Data.
- Review the Status of each scan to identify whether the scan was successful. See View Agent Scan Details for more information. If an asset with the Agent is not being scanned correctly, or if assets are missing from the scan schedule, contact your CST at security@arcticwolf.com. Tip: You can copy the information from the Agent Scan Details section and paste it into a Microsoft Excel spreadsheet. The table structure is maintained for easier analysis.
- (Optional) In the Scans Detail column, click Details to view additional details for a scan.
Troubleshoot scanning statuses
This information provides solutions to resolve various scanning statuses in the Risk Dashboard. See Scanner Configuration section for more information about these values.
Scanning status is Degraded
Possible cause: A scanner status changes to Degraded if it did not complete a scan within 24 hours. This might be because a firewall, an intrusion detection system (IDS), or an intrusion prevention system (IPS) is blocking traffic to or from the device.
Resolution:
- Remove any traffic blocks.
- Make sure that:
  - The scanner can reach all of the subnets that you want the scanner to scan.
  - The firewall and switch access control lists (ACLs) do not prevent the scanner from reaching the subnets that you want to scan.
  - All of the required IP addresses and domain names are allowlisted. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Scanners.
  - The scanner VM meets the minimum resource requirements. You may need to work with your CST to increase the system resources.
- If you are using credentialed scanning, make sure that you have added the proper credentials under Credentialed Scanning, or that you provided the proper private SSH key. See Credentialed Scanning section for more information.
- If a scan is scheduled to run in the near future, wait until the next scan runs. If the scanner is no longer degraded, the status updates when that scan completes.
Scanning status is Misconfigured
Possible cause:
- There is a misconfigured scan schedule.
- There are no hosts in the configured subnets, or there are hosts that the scanner cannot reach.
- Vulnerability scans are disabled.
- The configured subnets are excluded by the DenyList.
- A scan schedule has a window length of zero.
- The scan is targeting too many hosts, for example, 10.0.0.0/8.
Resolution: Reconfigure the scanner to address the possible causes.
Scanning status is Disabled
Possible cause: Host identification scans and vulnerability scans are disabled.
Resolution: Enable host identification scans and vulnerability scans for the scanner. See Scanner Configuration section for more information on enabling scans.
Scanner Console page
The Scanner Console page displays scanner information, connection status, and scanning status for each sensor ID.
Add scanner labels
To easily identify your scanners, you can add scanner labels to each sensor ID.
- In Scanner Console, under Label, click the click to add label link.
- In Enter Sensor Name, enter a sensor description.
- Click Submit.
Tools
To access Arctic Wolf tools, in the Risk Dashboard navigation pane, click one of the following:
- Resources:
  - Documents — Opens the Arctic Wolf Documentation in a new browser tab.
  - Support — Opens the Contact Us page in a new browser tab.
- Downloads — Opens the Downloads page, where you can download virtual machine images.
- Analytics — Opens Arctic Wolf Analytics in a new browser tab, so you can view analytical data for your Managed Risk products, including Agent. See the Risk Analytics User Guide for more information. Note: If you receive an error similar to "An error occurred" when clicking this link, disable any ad blocker extensions and refresh the page.
FAQ
These are some frequently asked questions about the Risk Dashboard.
Q: My Risk Dashboard is doing something weird, how can I fix it?
A: Performing a hard page refresh usually corrects any unexpected behavior. The keyboard shortcuts for a hard refresh are:
- Windows — Press Shift + F5 to perform a hard page refresh.
- MacOS — Press Command + Shift + r to perform a hard page refresh.
Q: Why did the state of a risk change to "Unsuccessful Validation"?
A: When you set the state of a risk to Fixed, Waiting Validation and a subsequent scan of that host still detects the same issue, the system moves the state of that issue to Unsuccessful Validation. This lets you know that your changes were not successful in mitigating a specific vulnerability.
Q: What does "The risk is confirmed resolved by the user" status reason mean?
A: If the Status Reason value is The risk is confirmed resolved by the user, the risk became inactive and was no longer scanned after you changed the State value of the risk to Mitigated.
See Risk statuses for more information about inactive risks, and Risk states for more information about the Mitigated risk state.
Q: Why does the scan take longer than the designated time window in the scanning schedule?
A: The scan window in the Scanning Schedule table controls when scans of the targets may start; it is not a hard limit on how long an individual scan takes. A scan that starts late in the window can run past the end of it, and some scans take up to two hours longer than their scheduled window. Scan times depend on the following:
- The target type
- The processor and bandwidth resources available on the target
- Whether the target is online. A target that is offline during the scan window is not scanned.
Q: Which subnet ranges should I configure for scanning?
A: We recommend scanning subnet ranges of /24 and smaller, and not /8, /16, or /20. Scanning these large subnet ranges would likely cause a timeout issue.
See Managed Risk Scanner FAQ for more information about subnet scan ranges.
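The target formats accepted by the Targets field in Add a new scan schedule, the Hosts field in Add new scan credentials, and the DenyList IP/Networks field (single hosts with or without /32, X.X.X.X/Y networks, full X.X.X.X-X.X.X.X ranges, and the single-octet 10.0.0.1-3 shorthand) can all be normalized to the same representation, which makes it easy to apply the size recommendation from this FAQ answer and the 150-250 assets per 8 hour window figure from Check the IVA Scanner rate before a schedule is saved. The following is an added example written for this page, not Arctic Wolf code; the dashboard's own validation is not visible here, so the function names and the exact rejection behaviour are assumptions. The host count includes network and broadcast addresses, so it is an upper bound.

```python
"""Normalize the target and DenyList formats accepted on the Scanner Config page and
apply the page's size and throughput guidance. Added example, not Arctic Wolf code.
The limit and rate constants come from this page; the functions are assumptions."""
import ipaddress
import re
from typing import List

MAX_PREFIX_RECOMMENDED = 24       # the page recommends /24 and smaller
RATE_PER_8H_WINDOW = (150, 250)   # assets per 8-hour window, from the scanner-rate guidance


def _expand_octet_range(token: str) -> List[str]:
    """'10.0.0.1-3' -> ['10.0.0.1', '10.0.0.2', '10.0.0.3'] (hyphen inside the last octet)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", token)
    if not m:
        return [token]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range: {token}")
    return [f"{prefix}{i}" for i in range(lo, hi + 1)]


def parse_targets(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated target list into networks; single hosts become /32.
    Accepts X.X.X.X, X.X.X.X/32, X.X.X.X/Y, X.X.X.X-X.X.X.X and 10.0.0.1-3 style ranges."""
    nets = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if "/" in token:                               # CIDR network (host bits tolerated)
            nets.append(ipaddress.ip_network(token, strict=False))
        elif "-" in token:
            lo_s, hi_s = token.split("-", 1)
            if "." in hi_s:                            # full-address range X.X.X.X-X.X.X.X
                lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
                if hi < lo:
                    raise ValueError(f"range end before start: {token}")
                nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:                                      # octet shorthand X.X.X.lo-hi
                nets.extend(ipaddress.ip_network(a) for a in _expand_octet_range(token))
        else:
            nets.append(ipaddress.ip_network(token))   # single host -> /32
    return nets


def host_count(nets) -> int:
    return sum(n.num_addresses for n in nets)


def check_scan_target(spec: str) -> dict:
    """Normalized networks, address count, oversized entries, and the number of 8-hour
    windows one scanner needs for a full pass at the page's 150-250 assets per window."""
    nets = parse_targets(spec)
    hosts = host_count(nets)
    slow, fast = RATE_PER_8H_WINDOW
    return {
        "networks": [str(n) for n in nets],
        "hosts": hosts,
        "too_large": [str(n) for n in nets if n.prefixlen < MAX_PREFIX_RECOMMENDED],
        "windows_8h_min": -(-hosts // fast),            # ceiling division
        "windows_8h_max": -(-hosts // slow),
    }


def denylisted(ip: str, denylist_spec: str) -> bool:
    """True if `ip` falls inside any entry of a DenyList IP/Networks value."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in parse_targets(denylist_spec))


if __name__ == "__main__":
    print(check_scan_target("10.0.0.1, 10.0.1.0/24, 10.0.2.1-3, 10.0.3.0-10.0.3.255"))
    print(check_scan_target("10.0.0.0/16"))
    print(denylisted("10.0.2.2", "10.0.2.1-3, 192.168.0.0/24"))
```

A /16 target is flagged as too large here for the same reason the FAQ advises against it: at the page's throughput figure it needs on the order of hundreds of 8 hour windows per scanner, so a weekly schedule would never finish a cycle within the 10-14 day target.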
Q: How is a rescan request placed in the queue?
A: When a target host is selected for rescanning, the target host is placed at the top of the least recently scanned list, allowing it to be scanned next as capacity increases. Clicking Rescan does not immediately start a new scan.
Note: If the target host identified for rescan is offline at the time of the rescan request, the Risk Scanner attempts to rescan the host. This scenario can happen because risks are not removed from the Risks table until the target host has been offline for more than 24 hours.