Configure Assets

Network Passive Sensors can detect traffic flows between two types of IP addresses. These IP addresses can be internal (within your network) or external (outside your network).

You can configure how you want to categorize your assets discovered by the sensors while monitoring traffic flow. All these assets are listed in the Assets tab of Global AssetView/CyberSecurity Asset Management.

Assets can be defined as Internal Assets, Excluded Assets, and External Assets.

The Configuration tab consists of the Internal Assets, Excluded Assets, Monitor Excluded Assets, and General Settings tabs.

Internal Assets

Define Internal IP ranges that you want to monitor.  IP addresses in these internal ranges are individually tracked for traffic analysis and inventoried in detail.

When registering a sensor, you can add IP ranges within your network to monitor in the Define Internal Assets step. The assets discovered for these IP addresses will be individually inventoried and tracked for traffic analysis. You can select IP ranges from the default list or create custom IP ranges.

Alternatively, to add internal assets, go to Configuration > Internal Assets > Add.

In this step, you define the IP ranges within your network you want to monitor. The assets discovered for these IP addresses are individually inventoried and tracked for traffic analysis. You can use default IP ranges, IP range tags, or customized IP range options to define the range of internal assets. By default, assets are added to inventory. Select No if you want to just monitor the traffic flows to/from the configured IP ranges but do not want to track them in asset inventory. You can always edit the sensor configuration later to add assets for the IP ranges to the inventory if you have selected No while registering virtual and physical sensors.

To complete the sensor setup and to start sensing assets you must define Internal Asset ranges. The passive sensor senses all the traffic that you have mirrored. However, by defining internal asset ranges, you choose the assets you want to monitor and report on.

1 - Default IP Ranges

This option defines internal assets discovered within default internal ranges for your network. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets.

2 - IP Range Tags

This option defines internal assets discovered with IP range tags. These are the dynamic tags created with the IP Address In Range(s) rule engine. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets. Click Select IP Ranges to select IP tags from the list of tags for which you want to define internal assets.

3 - Custom IP Ranges

This option defines internal assets discovered with custom IP ranges. You can provide IP ranges for monitoring. Click Select Sensors to select a sensor from the list of sensors for which you want to define internal assets.

How to edit the Internal Asset Groups with the Network + IP range tags?

Once you have added the Internal Asset Groups with the Network and IP range tags, you can edit these configuration settings by going to the Sensor Details tab and editing the configuration.

Excluded Assets

Define the assets you want to exclude from the inventory. The assets discovered for these addresses are masked as Excluded in the traffic summary.

To add excluded assets, go to Configuration > Excluded Assets > Add.

Monitor External Assets

Define the external sites you want to monitor. These sites are reported individually in the traffic summary; however, they are not inventoried like the internal assets.

To add external assets, simply go to Configuration > Monitor External Asset Group > Add.
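
The three asset categories described above can be modeled offline to check a planned set of ranges before entering it in the Configuration tab. This is an added example, not Qualys code: the ranges, flows, and function names are constructed, and the rule that an exclusion overrides an overlapping internal range is an assumption the page does not state.

```python
import ipaddress
from collections import Counter

# Constructed sample configuration (hypothetical values, not Qualys defaults).
INTERNAL = [                       # (range, add to inventory?)
    ("10.20.0.0/16", True),
    ("192.168.50.0/24", False),    # "No": monitor traffic flows only
]
EXCLUDED = ["10.20.99.0/24"]
MONITORED_EXTERNAL = ["203.0.113.0/24"]   # RFC 5737 documentation range

# Constructed sample flows as (source, destination) pairs.
FLOWS = [
    ("10.20.1.5", "203.0.113.9"),
    ("10.20.99.7", "198.51.100.1"),
    ("192.168.50.10", "10.20.1.5"),
]


def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def categorize(ip):
    """Return the category an address falls into under this model."""
    addr = ipaddress.ip_address(ip)
    # Assumption: an exclusion wins over an overlapping internal range.
    if _in_any(addr, EXCLUDED):
        return "excluded"
    for cidr, inventory in INTERNAL:
        if addr in ipaddress.ip_network(cidr):
            return "internal-inventoried" if inventory else "internal-traffic-only"
    if _in_any(addr, MONITORED_EXTERNAL):
        return "external-monitored"
    return "external-other"


def config_overlaps():
    """List (internal, excluded) range pairs that overlap, for review."""
    return [(i, e) for i, _ in INTERNAL for e in EXCLUDED
            if ipaddress.ip_network(i).overlaps(ipaddress.ip_network(e))]


def summarize(flows):
    """Count flows by (source category, destination category)."""
    return Counter((categorize(s), categorize(d)) for s, d in flows)


if __name__ == "__main__":
    print(config_overlaps())
    for pair, count in summarize(FLOWS).items():
        print(pair, count)
```

Any pair returned by `config_overlaps()` marks addresses whose category depends on precedence, so those ranges are worth confirming in the sensor configuration after saving.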

How does it work?

All these discovered assets are reported to Qualys Asset Inventory where you can see detailed information about them as well as traffic summary, etc.

If an asset discovered by Passive Sensor is already known by active scans or by cloud agents, then it is considered a managed asset and the asset data is correlated and merged. If the asset is previously unknown, then it is placed in the unmanaged list of assets.

In the Inventory column of Asset Inventory, the asset source is marked as Passive Sensor to indicate that the asset was discovered by a passive sensor.

Manually Activate Assets for VM/PC scans

Now you can add IP addresses of unmanaged assets into an IP range which can be scanned for VM and PC. The scans themselves have to be triggered via the respective VM or PC modules. You can choose one or more assets whose active IP (by default) is selected. You may then choose to add the selected IP(s) or the IP of a different interface to be activated for scan. If your account has a Network subscription, then you can choose from a list of Networks that the user has admin rights to, for adding the IPs. While adding a single IP, the Network associated with the sensor appliance that reported the asset is chosen as the default network to add the IP to.

The following screen shows how to activate assets in the Manager Role.

General Settings

General Settings tab is divided into 

General Configuration

Qualys NPS service utilizes the data gathered from traffic flows to predict the OS and hardware. NPS does not collect any user-specific sensitive data. It collects the protocol-specific data gathered from packet headers, which are transparently displayed to the customer in the asset's Raw Discovery Data (in the CSAM/GAV > Asset Details > System Information > View Raw Information Data section).

NPS service identifies patterns in this data to predict OS and device models. There is always scope for improving pattern recognition to detect more OS and device models. Once consent is given, Qualys can collect the asset's metadata and utilize it to enhance predictions of OS and device models in future releases.

Follow these steps to configure the general settings.

Fingerprints do not include any sensitive data. They consist of metadata related to the assets, which can be viewed in the CSAM/GAV > Asset Details > System Information > View Raw Information section.

Exclusion

You can configure hostnames that need to be excluded while merging unmanaged assets or merging unmanaged assets into managed assets.

The hostnames provided here are case-insensitive. When a new hostname is added to the exclusion list, make sure to first purge the asset created for that hostname. Refer to the following screenshot for configuring excluded hostnames.

Contact Qualys Customer Support to get them deleted to avoid deduplication in the future.