Manage assets in Xshield

In Xshield, an Asset can be a bare metal server, an end user computer, or a cloud-hosted virtual machine or instance. To bring assets under management from an Xshield instance, you must either register them or add the third-party cloud accounts to Xshield. Registration involves downloading Xshield agents from the instance and installing them on the assets, and these assets are 'managed assets' in Xshield. 

See Asset categories for more details about 'managed' and 'monitored' assets in Xshield.

Currently, you cannot use all Xshield features for the assets in the third-party cloud accounts. You can collect inventory details, remediate alerts, and visualize traffic flows in the accounts using Visualizer and Flow Explorer. You cannot use workload protection features, such as Workload status alert and policy tamper auto-revert, or risk assessment features, such as vulnerability scanning and exposure detection using probes. Also, you cannot enforce Xshield policies or use the associated policy management features.


Assets page

All assets that are successfully registered with Xshield are listed on the Assets page. By design, you land on the Assets page when you launch an Xshield app instance in ColorTokens Spectrum. 

  • To go to the Assets page, click Assets (in the left navigation panel).


Asset details

You can see several details of the assets on the Assets page. Some of the details include inventory, Common Vulnerabilities and Exposures (CVE) vulnerabilities, policy tamper attempts on assets, and resource utilization by the agents on the assets. 

The details of the assets are listed as columns. Some of the columns on the Assets page are hidden, and you can hide some of the columns displayed by default.

Add or hide columns so that the Assets page shows the attributes you want to see. For example, add the CPU Usage and Memory Usage columns to see the resource utilization by the agents.

  • To add or hide columns, click + (located in the top-right corner) and select the required columns.

See Asset inventory and other details for a list of the assets' details that are displayed on the Assets page.


Asset categories

Two categories of assets are listed on the Assets page - Managed and Monitored. The Type column on the Assets page indicates the category of the asset. See Asset inventory and other details for a list of the assets' details displayed on the Assets page.

  • Managed assets - assets on which you have installed the Xshield Microsegmentation or User Access type agents. To manage assets from an Xshield instance, you must download the Xshield agent from the instance and install the agent on the assets. The input parameters to install the Xshield agent are the name, Fully Qualified Domain Name (FQDN), and the installer key for your instance.

    If you meet all the prerequisites to install the agent, the agent sends its first heartbeat to the instance and is registered with the instance. The agent sends the asset's inventory data (hardware and software) and keeps this updated in Xshield. The agent also sends traffic flow and other telemetry data in near real-time to Xshield.

    See Agent management for more details about how to install agents and register assets with Xshield.

  • Monitored assets - AWS EC2 instances and S3 buckets, and Azure VMs and Storage accounts monitored from Xshield without using Xshield agents. You must add the relevant AWS customer accounts and Azure subscriptions to Xshield to monitor the assets.

    Xshield fetches the inventory of the cloud assets using the Amazon Resource Name (ARN) of the AWS customer account and the tenant ID and client ID of the Azure subscription. Xshield fetches the traffic flow data from the AWS CloudTrail and CloudWatch logs of the AWS accounts and the Network Security Group (NSG) Flow logs of the Azure subscriptions. You can see the details of these traffic flows in Xshield.


Asset licenses

The total number of assets managed from an Xshield instance equals the count of the active licenses you see for the instance on the Launchpad > Licenses page in Spectrum.


Asset management operations

The Assets page provides the tools to manage assets through their management life cycle on Xshield. See Asset operations from the Assets page for more details.


Asset inventory and other details

You will see the following details of the 'managed' and 'monitored' assets.

Managed assets
  • Type of asset - workload (Microsegmentation agent) or an end user computer (User Access agent).

  • OS on the asset - see Supported OSes and prerequisites for a list of OSes on which the Xshield agent can be installed.

  • Hostname and the details of the network interfaces on the asset

  • The version of the Xshield agent on the asset

  • Management status of the asset - the date and time when the asset was registered with the Xshield instance and Xshield tags associated with the asset.

  • Key indicators of the assets, such as CPU and memory used by the Xshield agent, connectivity status of the asset with Xshield, CVE vulnerabilities found on the assets, and the enforcement status and 'tamper' status of the Xshield policies on the asset. See Key indicators on the Assets page for more details.

Monitored assets
  • Type of asset - hosted in the AWS cloud or the Azure cloud

  • OS on the asset - OS on the AWS EC2 instances or Azure VMs

  • Hostname and the details of the network interfaces on the asset

  • AWS customer account ID, the name and ID of AWS EC2 instance, and type of service (EC2 or S3)

  • Subscription ID, subscription name, and the type of access to Azure VM or Storage account - Public or Restricted

  • Management details of the asset as on the AWS or Azure cloud - the date and time from when the assets in the AWS customer account or Azure subscription were monitored, AWS or Azure tags, and other essential operational details such as sizing, grouping details, and regions on the AWS or Azure cloud.

  • Key indicators of the assets, such as the connectivity status of the asset with Xshield. See Key indicators on the Assets page for more details.


Asset dashboard

The Assets dashboard provides a quick overview of all asset-related information, such as the subnets for a tenant, vulnerabilities, and the list of OSes that are part of the tenant. You can view the number of subnets and assets associated with a host by clicking a location on the globe.

You can search and view assets with Flexible Query Language (FQL), which allows you to quickly and precisely locate and process information on the Assets page. You can write an FQL query using the defined asset keywords and FQL operators to retrieve asset information that satisfies the given conditions.

You will see the following tabs on the Assets page.

  1. Hosts – view details of hosts
  2. Users – view details of users

  • Click on any of the elements you see on the dashboard to view additional details. This is applicable to both hosts and users.

Right-click a host to view options that allow you to tag, update the agent, decommission, quarantine, and download CSVs. You can also access these options by clicking the 3-dot menu.

In addition, you can switch tabs to view the pending and pre-approved hosts.

Pre-approved hosts are assets listed on the Assets page, but they are not active for management from Xshield. The inventory details of these assets are listed in the Pending for Approval tab. You can download a template, enter details in the specified format, and upload the CSV. See Pre-approved Assets for more details.

  • Click a host to see the summary and security details.

Summary 

The Summary view allows you to add tags and update the agent. The additional details listed here are the status of the asset, agent version, tags assigned to the asset, serial number of the asset, scope, group and policy details, hardware details, the CPU and memory usage trend, and the, and 

Security

Vulnerability

For managed assets

  • If you have integrated a Nessus vulnerability scanner with your Xshield instance, you will see a list of CVE vulnerabilities fetched from the Nessus setup for all assets of all supported OSes in Xshield.
  • If you are using the ColorTokens vulnerability scanner, you will see the list of CVE vulnerabilities only for Windows assets. This is because the ColorTokens scanner can currently be used only for Windows assets.

For monitored assets

See the Network Access Control Lists (ACL) and Resource ACLs for AWS assets and Network Security Groups (NSG) for Azure assets.

Exposure (only for managed assets)

See the time and date when the last probing schedule was run for managed assets, the open ports, and the processes running on the open ports.

  • Click Probe to see the open ports on the asset. See Probes for more details.

Policy tampering (only for managed workloads)

See the logs for the last 10 attempts to tamper with the Xshield policies on the workload. See the tamper attempts by the inbound and outbound rules that were modified.


Asset filters

The Assets page is filterable by the attributes of the assets and the CVSS vulnerabilities found on them during vulnerability scans. Asset filters are available on the Assets, Visualizer, and Flow Explorer pages in the Xshield UI.


Asset operations from the Assets page

You can perform the following operations on the assets from the Assets page:

  • Sort and filter the Assets page. Currently, you can sort the Assets page only by the hostname of the assets. See Asset filters for more details about how to filter the Assets page.

  • Download the assets' details listed on the Assets page in CSV format.

  • Tag assets with Xshield tags. See Tag assets for more details.

  • Download the list and the details of the vulnerabilities found on the assets in CSV format.

  • Quarantine workloads that exhibit suspicious activities or assets that are highly prone to exploitation of their vulnerabilities. See Quarantine assets for more details.

  • Download the log files from the assets.

  • Upgrade the agents on the assets. See Upgrade agents for more details.

  • Uninstall the agents and decommission assets, and move them out of management from Xshield. See Uninstall agents from assets for more details.
