Asset Investigation

Use Asset Investigation to view changes in the values of fields over a set period of time. The investigation data allows you to monitor the fields so you can identify abnormal behavior in the asset.

Events Table

The Events table shows changes in the values of fields on the assets selected.
Each row on the table represents a changed event on the asset and the time at which it happened. The changes are displayed for each adapter source, and not on the aggregated value. Events are displayed sorted by time with the newest events on the top. The first time you open this page, the Values Added column is populated with the first value identified by Axonius, which is the value from which added/removed values will be calculated. These values are marked by an i icon.

The Events table shows the following information:
Date – The date and the time stamp of the changed event in UTC.
Field Name – The name of the field, an adapter icon shows on which adapter the field is.
Values Added - Lists all the values added to the field. If more than 2 values were added, mouse over to see all the values, the first 50 are displayed and can be scrolled through.
Value Removed - Lists all the values removed from the field. If more than 2 values were removed, mouse over to see all the values.

Asset Investigation Fields

Asset Investigation is supported for the following fields:
Devices

• Public IPs
• Asset Name
• Host Name
• Network Interfaces: IPs
• Network Interfaces: MAC
• Total Physical Processors
• Total Cores
• Device Disabled
• OS: Distribution
• Open Ports: Port Number
• Agent Versions: Version
• Agent Versions: Status
• Last Used Users
• Power State
• Local Admins: Name of user or group
• Adapter Tags: Tag Value

Contact Axonius support to track the following Devices fields:

• Vulnerable Software: CVE ID
• Installed Software: Software Name
• AD memberOf

Users

• User Name
• Last Password Change
• Account Disabled
• Password Is Not Required
• Is Locked
• Password Never Expires
• Is Local
• Is Admin
• Domain
• User Status
• Last Logon Date
• Account Expiration Date
• Last Bad Logon Date
• User Manager Username

Contact Axonius support to track the following Users field:

• AD memberOf

Filtering Asset Investigation Tab Display

You can filter on the values to be displayed on the table. The following filters are available:

• Field Names - The fields for which the timeline will display changes in the selected time range.

• Adapter Connections - The adapter connections for which you want to display events.

• Time Range - You can filter for specific assets by date with the date range picker or by a specified last number of days, weeks, months, or years.

  To filter by date range:

  1. From the Time Range dropdown, select In range.
  2. Select Start date and End date to indicate the date range to display results. 
  3. To filter results only for a specific date, select the same date twice.
  4. If you want to include specific times in the date range, click Select Time in the date range picker.
  5. Click OK to set the Time Range filter.

  
  

  

  To filter by the last number of days, weeks, months, or years:

  1. From the Time Range dropdown, select Last and specify a value in the field next to Last.
  2. By default, the value is the number of days. If you want to filter by weeks/months/years, select the relevant option from the days dropdown.

  

  
  

  
  

• Use 'Clear all' to clear all of your selections in a specific filter.

Search
Use free text to enter a value to search for a value added or removed.

• Click 'Reset' to clear all filters or the search and reset the display.

• Click Comparison Report to open the Comparison Report dialog. The comparison report opens with the current device selected.

• Choose Export CSV to export the table to a CSV file.