- 20 Aug 2023
- 9 Minutes to read
Asset Profile Page - Complex Fields
- Updated on 20 Aug 2023
- 9 Minutes to read
The Tables section shows fields that can be presented in a table view. These are also known as complex fields.
You can see all of the complex fields in the Tables section.
The complex fields which are displayed depend on the data fetched by your system. A set of predefined fields are displayed.
Click on a complex field to display its table. If a complex field is brought only from a specific adapter connection, it is not displayed by default. You can add new complex fields to this left pane, even if they are fetched by one specific adapter.
Displaying Complex Fields
Fields which are made up of a number of different parameters are displayed in blue in the All Fields table. Click any of those fields to display them as a table under Tables.
Each Complex Field is displayed as a table. The column on the right hand side displays the Adapter Connections column which lets you identify the source for each row. Each table consist of the following elements, in addition to the data displayed:
Search bar - Free text search on the table results.
Adapter Connections - Filter the display by specific adapter connections.
Total - The total number of displayed results is displayed on the top left side of the table.
Reset - Clear all search and filters of the display.
Export CSV - Export the table to a CSV file.
Navigation and pagination - By default, 20 results are displayed in each of the tables page. You can change the number of results per page and choose between 20, 50, or 100, by clicking the appropriate icon on the bottom left side of the table.
Use the pagination bar on the bottom right side of the table to move between the pages of the table.
Managing the Complex Fields
You can manage the list of complex fields that are displayed in order to only see fields that interest you.
Any complex field can be shown as a table (including fields that were fetched from a specific adapter connection). Click on a field shown in blue in the main table to display this as a table, and display its link in Tables in the side panel. Any asset that belongs to that complex field is then displayed on the table. You can choose Pin to list to save the complex field table to your display.
Once you pin a complex field, this display is saved for you. Next time you open the system, these fields are displayed. Note pinned fields are only displayed if they contain data for the asset that you selected. If you do not want to see that complex field any more, click unpin to remove the field from the display. Default Complex Field tables are also part of the display. You can also unpin these tables if you are not interested in seeing them.
Pinning and unpinning Complex Field tables only affects assets for your user account, and not for other people using the system.
Pinned and unpinned Complex Fields affect all of the assets on your system, not only this specific asset.
Exporting Complex Field Tables
You can export Complex Field Tables to a CSV file.
To export the results displayed, select Export CSV. A CSV file is created and downloaded to your system.
The CSV file is named according to the table, with the current date in UTC.
Complex Fields Available
This page details some of the complex fields that are displayed on the Asset Profile page. The complex fields which are displayed depend on the data fetched by your system. In addition, you can select a complex field in the Asset Profile table and click on it to display it in the list of complex fields. Refer to Managing the Complex Fields for information.
The following tables may be displayed, depending on the collected data.
The Associated Devices table lists the devices associated with that user.
Each row shows information about the device including: Device Name, Device Serial, Device Status, Device Unique ID, and Device Labels.
Click on a device to open it on the Devices page.
The Agent Versions table lists the agents installed on the device.
Information displayed for each agent includes its Name, Version, and Status.
The Connected Hardware table lists registry logged connected hardware.
The Firewall Rules table lists firewall rules that define allowed or denied traffic to and from virtual machines.
Each rule consists of the following information:
- Name and Source - For example, AWS security group or GCP firewall rule.
- Allow / Deny - Action is either allow or deny access.
- Direction - Incoming (INGRESS) or outgoing (EGRESS) traffic, not both.
- Target – Target subnet. Firewall rule that applies to any IP address is displayed as “0.0.0.0/0” for IPv4 and as “::/0” for IPv6.
- Target Subnet Count
- Protocol – Internet protocol for which the rule applies. If protocol value is ‘Any’, the firewall rule applies for all protocols.
- From Port, To Port – Range of ports for which the rule applies. If port values are not specified, the firewall rule applies for all ports.
- ‘Rule 1’ allows outgoing traffic to any IP address using any protocol.
- ‘Rule 2’ denies incoming traffic from a specific subnet (126.96.36.199/18) using TCP port 443.
|Name||Source||Allow/Deny||Direction||Target||Protocol||From Port||To Port|
|Rule 1||AWS Instance Security Group||Allow||EGRESS||0.0.0.0/0||Any|
|Rule 2||AWS Instance Security Group||Deny||INGRESS||188.8.131.52/18||TCP||443||443|
The Hard Drives table lists hard drives installed on the device, including their file system, total, and free sizes.
The Installed Software table lists installed software on the device, including its version and vendor.
The Linked Tickets table lists tickets associated with the asset that were created in third-party ticketing systems (for instance, ServiceNow) using Enforcement Actions (see Create Incident Category), and enables you to track their progress. Each linked ticket includes, by default, the following fields: Ticket Vendor, Ticket ID, Key (Display ID), Status, Summary, Created, Updated (the date and time that the ticket was created and updated), and Adapter Connections.
You can also view ticket information in the Tickets Tab on the Asset Profile page.
The Local Admins table lists admin users identities logged on to this device.
The Network Interfaces table lists network interfaces collected by the different adapters, including MAC addresses, IP addresses, and subnet addresses.
The Open Ports table lists ports open to the world, including the access protocol and service name.
OS Installed Security Patches
The OS Installed Security Patches table lists security patches installed on Windows devices.
OS Available Security Patches
The OS Available Security Patches table lists security patches available for Windows devices.
The Qualys Vulnerabilities table lists vulnerabilities fetched from Qualys Cloud Platform adapter connections.
The Rapid7 Vulnerabilities table lists vulnerabilities fetched from Rapid7 Nexpose and InsightVM adapter connections.
The Running Processes table lists running processes collected from the device.
The Services table lists running and stopped services collected from the device.
The Shares table lists shared folders on the device, including the name, description, and path.
The Normalization Reasons table displays indicators that use the holistic data available in Axonius to hint why a record didn't correlate with others.
Normalizations Reason: Here are examples of some of the reasons that can be displayed:
- Bad Hostnames By Cloud ID - Used to indicate that this hostname might be overlapping between two or more cloud machines. A Cloud ID should represent a single machine, a hostname seen with two or more Cloud IDs is suspected to be overlapping.
- Bad Hostnames By Cloud Provider - Used to indicate that this hostname might be overlapping between 2 or more cloud providers. A hostname seen with two or more Cloud providers is suspected to be overlapping.
- Bad Hostname By Serial - Used to indicate that this hostname might be overlapping between different devices. A Device Serial normally is a hardware identifier that represent the BIOS serial and therefore should be unique. A Hostname that is related to multiple serial numbers is suspected to be overlapping.
- Bad Hostnames By OS types - Used to indicate that this hostname might be overlapping between 2 or more OS types. A hostname seen with 2 or more OS types is suspected to be overlapping.
- Bad Serials By Hostnames - Used to indicate that this serial might be considered as not unique since it related to many hostnames. A Device Serial normally is a hardware identifier that represent the BIOS serial and therefore should be unique.
- Bad Hostname By MachineID - Used to indicate that this Microsoft Defender hostname might be overlapping between 2 or more machine ids. A Machine ID should represent a single machine, a hostname seen with 2 or more Machine IDs is suspected to be overlapping.
The details displayed include:
- Field name - The name of the field that is being correlated
- Field Value - The value of the field
- Calculated time - The time in the discovery cycle at which this was found
- Adapter connections - The adapters on which the field was found
The Users table lists user identities logged on to this device, including SID, Username, Last Use Time, and indications whether the user is a local and/or active user.
The Vulnerable Software table lists vulnerable software and vulnerability details, including:
- CVE ID - Link to the CVE details in the NIST National Vulnerability Database (NVD).
- Software Name and Software Vendor - If the CVE is applicable for multiple software, these fields are populated as "Multiple Software" and "Multiple Vendors".
- Common Vulnerability Scoring System (CVSS) - With a v2.0 or v3.0 rating as was fetched from source.
- CVE severity - LOW/MEDIUM/HIGH/CRITICAL value which is based on the CVSS rating.
- CVE description, synopsis, and reference
- CVE Vector information
- Risk Score - Axonius calculated field per vulnerability per device - This column is displayed in the table only when the Axonius - Calculate Risk Score Enforcement Action is used to calculate the risk score of each vulnerability on each device that matches the Device query defined for the Enforcement Set. Learn how to view Risk Scores in the Vulnerable Software table.
CISA Known Exploited Vulnerabilities
The CISA Known Exploited Vulnerabilities table displays additional details from the CISA catalog of existing CVEs of vulnerabilities detected in your software.
The details include:
- CVE ID - Link to the CVE details in the NIST National Vulnerability Database (NVD).
- Vendor and Product - The vendor name and product name. If the CVE is applicable for multiple software, these fields are populated as "Multiple Software" and "Multiple Vendors".
- Action - Describes the recommended action to mitigate the vulnerability.