Axonius 4.6 Adapter and Enforcement Action Updates
- Updated on 16 Aug 2022
The following presents recent updates to Adapters and Enforcement Actions.
View full information about new and updated features in Axonius 4.6
Axonius adds and updates adapters and enforcement actions all the time. Follow updates to adapters and enforcement actions in Axonius 4.6.
Updated Terminology
In any adapters or actions where the terms blacklist or whitelist were used in Axonius configuration, they were replaced with Include list and Exclude list.
Updated Adapters
The following adapters were enhanced:
- Added the capability to specify the maximum number of devices to fetch per paginated API request.
- Added the capability to specify the maximum number of applications to fetch per paginated API request.
- Added the capability to specify the number of days to fetch data about events.
- Added the capability to fetch users managed by the system from Users Inventory, in addition to system users and user activities.
- Added the capability to designate the account as a Parent account in which the devices of each child account belonging to the Parent account are fetched.
- Added the capability to not fetch any devices that only have a MAC address, but are missing the asset name and IP address.
- Added the capability to fetch by view name.
- Added the capability to exclude devices without an IP address from the fetch.
- Added support for additional regions, and for custom regions.
- Added option to select multiple device types to fetch, including wired and wireless clients.
- Added the capability to select whether to fetch security findings from the AWS Inspector service. When enabled it gets security findings about ec2 instances directly from AWS Inspector.
- You can now fetch AWS services accessed by IAM Roles as well as by IAM users.
- Added the capability to fetch IAM groups and create a user for each IAM group fetched.
- Added the capability to fetch policies and create a user for each policy fetched.
- Added the capability to specify multiple regions to connect in the Region Names parameter.
- Added the capability to fetch and process data-intensive parts in parallel, using distribution. This option accelerates the processing stages during the fetch.
- Added the option to specify the number of workers (independent processes that run in parallel) that process data.
- Added the capability to select whether the public DNS, private DNS, or both use the Axonius host name.
- Added the capability to specify the number of distributed workers (processes) to fetch data during the users fetch phase.
- Added the capability to add information about Amazon GuardDuty findings to assets.
- Added the capability to fetch information obtained by Amazon Macie about S3 buckets.
Atlassian Jira Service Desk - added support for Cloud-based installations of Jira Service Desk with Jira Insight.
- Added possibility to not populate the "Cloud Provider Account Name" aggregated field for devices for Azure AD.
- Added capability to select to fetch data from the users authentication_methods endpoint.
BeyondTrust Privilege Management for Windows - added option to fetch only the latest record for each host.
BeyondTrust Remote Support (Bomgar) - added the capability to specify the maximum days of history to fetch clients.
Bitdefender GravityZone Business Security - added the option to exclude devices defined as Organizational Units.
BlackBerry Unified Endpoint Management (UEM)
- Added the capability to fetch external data for each device and simple user information for each device.
- Added the capability to fetch user IT policies for each device.
- Added the capability for the API Source to use the AR System server (arsys)
- Added an allow list to limit fields fetched.
Centrify Identity Services - This adapter now fetches devices in addition to users.
Cherwell IT Service Management (SQL) - added the capability to fetch devices by specified statuses.
Cisco Identity Services Engine (ISE) - added support for Cisco ISE versions 2.4 and 2.7
Cisco Prime - added capability to fetch data about access point devices and create new devices for each access point.
Cisco Unified Communications Manager - added support of API version 10.5
Citrix ShareFile - added the capability to fetch folder data.
CloudHealth - added the capability to consider AWS Account tags as adapter tags.
Code42 - added the capability to authenticate via client credentials.
- Added the capability to fetch users.
- Added the capability to specify the maximum number of results fetched per page.
- Added the option to ignore devices that have not been seen by an existing adapter connection in the last specified number of hours.
- Added the option to avoid returning duplicate AWS machines when using the scroll API.
- Added the capability to specify a comma-separated list of product_type_desc parameters in Crowdstrike to fetch.
CSV - added the capability to set the time zone of date fields fetched with this adapter.
CylancePROTECT - added the capability to exclude specific zones from the fetch.
- Added the capability to offset the timestamp of the Axonius client in order to synchronize with the timestamp value of the server.
- Added the option to exclude fetching devices without a hostname.
- Added the option to only fetch devices with a MAC address and hostname.
Dell iDRAC - added the capability to specify multiple hostnames/IP addresses of the Dell iDRAC server.
Dragos Platform - added the capability to only fetch devices where the "internal" flag is set to 'True', and therefore not fetch devices with an external IP address.
Druva Cloud Platform - added the capability to fetch the last successful backup for each device.
Duo Beyond - added the option to fetch admin user details.
Dynatrace - added support for Dynatrace API version 2.
F5 BIG-IQ Centralized Management - added the option to fetch pool members of Virtual IPs.
FireMon Security Manager - added the option to fetch NAT information for the devices.
- Added the capability to specify an Inventory Database to fetch additional information.
- Added the option to avoid fetching devices with the same host name multiple times.
- Added the option for the Status field to fetch the value associated with the AssetStatusID in the Asset table.
- Added the capability to specify which device types to include in the fetch.
- Added the capability to specify which types of inventory status to exclude from the fetch.
- Added the capability to specify the maximum number of results fetched per page.
- Added the capability to fetch software assets.
FortiClient EMS - added the capability to fetch software information together with the devices.
Forward Networks - added the option to use the Network Query Engine endpoint to fetch additional devices.
GitHub - added the option to authenticate using “github app”.
GreyNoise - added a new parameter to limit fetch to specified subnets.
- Added the option to fetch multiple types of devices, including wired and wireless clients.
- Added the option to fetch devices with one or more of the following lease states: 'ABANDONED', 'BACKUP', 'EXPIRED', 'FREE', 'RELEASED'.
- Added the capability to fetch chassis serial numbers when the selected API version is 2.10.5 or greater.
Infoblox NetMRI - added the option to fetch the discovery status of each device.
Ivanti Security Controls - Previously, server-side (third-party) issues caused some fetches to fail without being logged correctly. This is now fixed. If the fetch is erroneous, there is a clear error log and clear fetch machines to clear the error.
Jamf Pro - added the option to exclude one or more of the following items from the fetch: accounts, attachments, fonts, local user, plugins, services.
Lacework - added the option to exclude devices with a machine status of Offline.
LastPass - enabled API integration for LastPass Business accounts.
LogRhythm - added the option to fetch data from the 'agent' endpoint.
Lookout Mobile Endpoint Security
- Added the Application Token parameter, which is now required for fetching data.
- Added the capability to specify the threat data time limit, in hours.
ManageEngine Desktop Central and Patch Manager - added the option to set a Domain Authorization Token.
McAfee ePolicy Orchestrator (ePO)
- Added the option to set Non-Compliant Devices Query ID.
- Added the option to specify the Events Management Query ID to fetch threat events.
- Added the option to specify the Benchmark Query ID to query audit logs.
- Added the option to specify the OAM Query ID to fetch additional information.
Medigate - added the capability to exclude CIDR ranges of assets from the fetch.
Microsoft Active Directory (AD)
- Added the capability to select whether to fetch and calculate a password expiration date for systems that manage passwords using Specops.
- Added the option to consider group Managed Service Accounts as users instead of devices.
Microsoft Azure - Documentation for Microsoft Azure, Microsoft Azure Active Directory (Azure AD), and Microsoft Intune was previously combined into a single topic. Documentation for Microsoft Azure is now separated from the documentation of Microsoft Azure Active Directory (Azure AD) and Microsoft Intune.
- Added the option to fetch security assessments (such as Qualys vulnerabilities) for devices.
- Added the capability to fetch security alerts from Azure Security Center service as devices.
- Added the capability to use Cloud ID for tracking support data as a manufacturer serial number.
- Added the capability to fetch data from multiple Subscription ID access control roles in IAM.
Microsoft Azure Active Directory (Azure AD) and Microsoft Intune - added the option to exclude disabled devices from the fetch.
Microsoft Defender for Endpoint (Microsoft Defender ATP) - added the option to ignore devices that have an inactive status.
Microsoft System Center Configuration Manager (SCCM)
- Added the option to only include devices when the ClientInstalled option in SCCM is 'True'.
- Added the capability to limit fetching by the specified number of days that the installed software was in use.
- Added the capability to specify the number of minutes that elapse before the MSSQL connection times out.
- Added the option to exclude devices by registration states.
- Added the option to select whether to use the default URL base path.
NetApp - Added the capability to fetch information about the physical storage disks.
- Added the capability to fetch by specified roles.
- Added the capability to include virtual machines in the fetch.
- Added the capability to specify the number of parallel processes to fetch devices from NetBrain.
- Added the capability to specify the number of requests per instance to send at once to OneIP.
Netskope - added the capability to fetch alerts created in a defined number of days.
- Added the capability to select whether groups of local users, domain users, system users, and unknown users are excluded from a fetch.
- Added the option to include installed software in the fetch.
Nozomi Guardian and CMC - added the option to not populate hostnames and asset names with MAC addresses.
OneLogin - added the option to fetch users who are enrolled in a multi-factor authentication policy.
openDCIM - added the option to populate the device Hostname with the value specified in the Label field in Advanced View.
- Added the capability to fetch by multiple object classes of users.
- Added the capability to fetch by multiple object classes of devices.
- Added the option to not fetch devices that have the 'Disconnected' status.
- Added the capability to fetch information about installed software
Palo Alto Networks Expanse Expander - added the Client ID and Client Secret fields, which can be used instead of the API key.
Palo Alto Networks Prisma Cloud - added the option to fetch only active users.
Palo Alto Traps Endpoint Security Manager - added the option to not fetch devices where the value in the Is On field is 'No'.
PDQ Inventory - added the option to avoid fetching devices that lack MAC address information.
Preempt - added the capability to connect to Preempt using CrowdStrike credentials. The name of this adapter was updated to CrowdStrike Falcon Identity Protection.
Proofpoint's ObserveIT Insider Threat Management Platform - added the capability to use the alias field as hostname if the macOS is OS X.
Puppet - added the capability to exclude any loopback addresses from fetching devices.
Added the capability to fetch certificates as devices.
Added the capability to specify the maximum number of days to fetch from VM detection only assets that have a Fixed vulnerability status.
Inventory API is supported. When using Inventory API the following advanced settings also fetch devices:
- Fetch VM detections
- Fetch policy compliance
- Fetch policy posture information
- Fetch policy posture actual settings
- Add STIG rules to policy posture
- Fetch affect exploitable config from VM detection
- Fetch affect running service from VM detection
- Fetch affect running kernel from VM detection.
Quest KACE Endpoint Systems Management Appliances - added the capability to fetch the drive encryption status for all devices.
- Added the capability to fetch target information, such as Perspective Name data.
- Added the capability to fetch implant information from the device.
Rapid7 InsightIDR - added the capability to exclude assets with an Agent Status of "Stale" or "Offline" from being fetched into Axonius.
- Added the capability to exclude devices in which Last Seen or hostname information is unavailable.
- Added the capability to exclude devices without MAC address or hostname information from the fetch.
Rapid7 Nexpose and InsightVM - Added the capability to calculate the last seen field using agent and scan data.
- Red Hat Satellite
- Added the capability to fetch the subscriptions fields from Red Hat Satellite.
- Added the capability to fetch the host collections fields from Red Hat Satellite.
- Red Hat Satellite
- Added the capability to specify the directory path used to access the API.
- Added the capability to enter a custom name of the URL endpoint for devices.
Rumble Network Discovery - Added the option to not fetch devices that aren't alive.
The name of the SaltStack Enterprise adapter was changed to vRealize Automation SaltStack Config.
Secureworks Taegis XDR (Red Cloak TDR) - added the capability to only add IP addresses if they were last seen in the last 24 hours. If there are no IP addresses seen in the last 24 hours, the single latest IP will be added, even if the last seen is older than 24 hours.
- Added the capability to set a specific date format for timestamps in ServiceNow in cases where the identification of the date format is ambiguous.
- Added the capability for the Device Manufacturer Serial to parse data even if it contains exclusion keywords.
- Added the capability to exclude metadata from ServiceNow serial numbers.
- Added the capability to fetch information from the 'cmdb_ci_appl' table about applications related to a device.
- Added the capability to fetch information from the 'service_offering' table.
- Removed the Do not ORDERBY the results from the following tables option from Advanced Settings, as this option is now redundant.
- Added the option to fetch Application Services extended information from the cmdb_ci_service_auto table and additional fields from the cmdb_ci_service_discovered table not fetched by the Fetch upstream related Application Services information parameter.
- Added the capability to fetch additional PC attribute data.
SolarWinds Network Performance Monitor - added the option to only fetch IPAM devices with a "Used" status.
Symantec DLP - added the option to exclude deleted devices from the fetch.
Symantec Endpoint Management Suite (Altiris) - added the capability for the BIOS Serial to also populate the Device Manufacturer Serial field.
- Added the capability to not fetch entities that were not seen for a set number of hours.
- Added the capability to delete entities that were not seen for a set number of hours.
- Added the capability to use a custom character set (encoding) for connections to MySQL databases.
- Added the capability to set a custom timeout for MSSQL connections.
- Added the option to duplicate each date field appearing in the MSSQL database as a text value. The name of the new field is appended with the ‘_raw’ suffix.
- Added the capability to fetch vulnerabilities in the background and not as part of a fetch.
- Added the capability to omit dashes from values retrieved from the Agent UUID field of Tenable.io agent devices.
- Added the option to not include fully qualified domain names (FQDNs) as asset names.
- Added the option to fetch scan exclusion status for Tenable.io devices.
- Added the capability to fetch mitigated vulnerabilities appearing in the Tenable.sc Mitigated table.
- Added the capability to fetch all plugin IDs equal or greater than 1 million.
- Added the capability to parse certificate information from plugin ID number 10863.
- Added the capability to enable Axonius to send requests using client side certificates to allow Mutual TLS configuration.
- Added the option to only fetch devices with either a MAC address or hostname.
- Added the option to avoid returning duplicate hostname fetches.
- Added the option to not fetch devices when the Status field is set to 'inactive'.
Ubiquiti Networks UniFi Controller - added the capability to select the Ubiquiti Networks UniFi Controller version.
UKG Pro (Ultimate Software UltiPro) - added the capability to exclude one or more fields from the Basic and Advanced views.
Vectra AI - added the capability to fetch extra data about each host/device, including an asset with a low risk status.
VMware Carbon Black Cloud (Carbon Black CB Defense)
- Added the capability to specify the number of entities returned per page request.
- Added the capability to fetch vulnerabilities on devices.
- Added the capability to only include active devices in the fetch.
VMware ESXi and vSphere - added the capability to fill the 'device_manufacturer_serial' field with the value of the UUID.
VMware vRealize Operations (vROps)
- Added the capability to specify the name of the authentication parameter that is sent to the API.
- Added the option to specify the type of serial number to fetch.
VMware Workspace ONE (AirWatch) - added option to include only installed software in the fetch.
- Added the capability to ignore devices from specified subnets or address pools.
- Added option to specify encoding for legacy PowerShell versions.
Windows Server Update Services (WSUS)
- Added the capability to specify which port to connect.
- Added the capability to select whether to use SSL for the PowerShell connection to the WSUS server.
- Added the capability to specify a custom share and directory instead of requiring full local administrator permissions to fetch data.
- Added the capability to not fetch devices with an 'off' power state.
- Added the capability to fetch vulnerability information.
- Added the capability to connect the adapter to a proxy instead of directly connecting it to the domain.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Updated Enforcement Actions
The following Enforcement Actions were updated:
Send CSV to SharePoint - Added the capability to select an Authentication method, either User Credentials or Client Credentials, and renamed the last parameter to Create CSV even if no data is returned in the query.
Send CSV to Share - Renamed the last parameter to Create CSV even if no data is returned in the query.
Send Email - Renamed the last parameter to Send email even if no data is returned in the query.
Add Custom Data - Added the capability to add the current date or any date in the past or future, then use this custom data in new queries you create.
- Added the capability to set the number of times the action is retried on each device if it fails.
- Added support of OAuth authentication.
Create Cherwell Incident per Entity - Added mapping of Axonius fields to Cherwell fields
Add Tag to Amazon Resource - Added the capability to add tags to many asset types and to select the asset types to which tags will be added. Additionally, the name was changed from Add Tag to Amazon EC2 Instance to Add Tag to Amazon Resource to reflect the wider application of the Enforcement Action.
Remove Tag from Amazon Resource - Added the capability to remove tags from many asset types and to select the asset types from which tags will be removed. Additionally, the name was changed from Remove Tag from Amazon EC2 Instance to Remove Tag from Amazon Resource to reflect the wider application of the Enforcement Action.
Run KACE Scripts - Updated the link to the KACE Systems Management Appliance (SMA) API.
Send to SQL Table - Added the capability to select the type of database the Enforcement Action is connecting to.
- Added the capability to prevent mapping of default Axonius fields.
- Added support of OAuth authentication.
Send Microsoft Teams Message and Create Zendesk Ticket - Added the Send message even if no data is returned in the query option. This new option allows you to select whether to send a message even if no data is returned in the query. Selecting this option prevents messages from being sent when no new entities have been discovered.
Create Jira Issue - Added the {{LABELS}} tag to the Summary and Description fields.
Manage Microsoft Active Directory (AD) Services - The name of the action category was changed to Manage Users and User Groups
The names of the following Enforcement Actions were changed:
- Enable and Disable Users or Devices was changed to Enable and Disable Users or Devices in Microsoft Active Directory (AD) Services
- Add or Update LDAP Attributes of Users or Devices was changed to Add or Update LDAP Attributes of Users or Devices in Microsoft Active Directory (AD) Services
- Add Users or Devices to Group was changed to Add Users or Devices to Microsoft Active Directory (AD) Group
- Remove Users or Devices from Group was changed to Remove Users or Devices from Microsoft Active Directory (AD) Group
- Reset Users' Password was changed to Reset Users' Passwords in Microsoft Active Directory (AD) Services
- Tag Rapid7 InsightVM Assets was changed to Tag Rapid7 Nexpose InsightVM Assets.
- See the complete Enforcement Action Library.