Global Settings
  • 16 minutes to read
  • Print
  • Share
  • Dark
    Light

Global Settings

  • Print
  • Share
  • Dark
    Light

Global Settings include options that have impact system-wide.

To open the Global Settings, from the top right corner of any page, click image.png . The System Settings page opens. Then click the Global Settings tab.

The Global Settings consist of the following options, none of which are selected by default:

GUI SSL Settings

  • Configure custom SSL certificate (required, default: False) - Check this checkbox in order to replace the default self-signed SSL certificate presented when accessing the Axonius GUI.

    Once enabled, configure the following parameters:

    • Site hostname (required) - The hostname of the certificate. This must match a value defined in the certificates Common Name or Subject Alternative Name.
    • Certificate file (required) - The public certificate (PEM format)
    • Private key file (required) - The private key certificate (PEM format)
    • Private key passphrase (optional, default: empty) - The password for the Private key file, if it is password-protected.

    image.png

SSL Trust & CA Settings

  • Use Custom CA certificate (required, default: False) - Check this checkbox to be able to upload Certificate Authority (CA) certificates files that will be used when Verify SSL is enabled for an adapter connection. The CA certificates provided here will be used in combination with the Mozilla CA Certificate List to verify that the certificate presented by the host defined in the adapters connection is valid.

    image.png

Proxy Settings

  • Proxy enabled (required, default: False) - Check this checkbox to use a proxy for the Axonius machine, if a proxy service exists in your environment.

    • Once enabled, you need to configure the proxy address and port (default is 8080), and user name and password as optional fields for proxy services, if required.
    • Choose whether to verify the SSL certificate of the server. By default, the Verify SSL checkbox is selected.

    image.png

Password Policy Settings

  • Enforce password complexity (required, default: False) - Check this checkbox to configure and to enforce password complexity for new/changed Axonius user accounts defined passwords.

    Once enabled, specify the following parameters:

    • Minimum password length (required, default: 10) - Specify the minimum password length for a defined password. The specified value must be equals or greater to the sum of the rest of the fields.
    • Minimum lowercase letters required (optional, default: 1) - Specify the minimum lowercase letters required for a defined password.
      • If supplied, new/changed Axonius user accounts defined passwords must include at least the specified numbers of lowercase letters.
      • If not suppled, new/changed Axonius user accounts defined passwords do not have to include any lowercase letter.
    • Minimum uppercase letters required (optional, default: 1) - Specify the minimum uppercase letters required for a defined password.
      • If supplied, new/changed Axonius user accounts defined passwords must include at least the specified numbers of uppercase letters.
      • If not suppled, new/changed Axonius user accounts defined passwords do not have to include any uppercase letter.
    • Minimum numbers required (optional, default: 1) - Specify the minimum numbers required for a defined password.
      • If supplied, new/changed Axonius user accounts defined passwords must include at least the specified amount of numbers.
      • If not suppled, new/changed Axonius user accounts defined passwords do not have to include any number.
    • Minimum special characters required (optional, default: 0) - Specify the minimum special characters required for a defined password.
      • If supplied, new/changed Axonius user accounts defined passwords must include at least the specified amount of special characters.
      • If not suppled, new/changed Axonius user accounts defined passwords do not have to include any special character.
      • Special characters refer to the following list: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/

image.png

Password Reset Settings

  • Reset password link expiration (hours) (required, default: 48) - The number of hours which the reset password link will be valid until it expires.
    image.png

Password Brute Force Settings

  • Enable Brute force protection (required, default: False) - Check this checkbox to enable and to configure the rate limit on user login and on Changing user account password.


    Axonius uses fixed window with elastic expiry strategy for rate limiting. This strategy helps circumvent bursts.
    Example - 10/minute rate limit is configured:

    • If the user login is attacked at the rate of 10 hits for 1 minute - the attacker will be locked out of the resource for 1 minute after the last hit.
    • If the user login is attacked at the rate of 1 hit per second for 1 minute (total of 60 hits) - after passing the first 10 hits (after 10 seconds), the attacker will be locked out of the resource for 1 minute. Since the attacker continues with additional attempts, each attempt after the rate limit is exceeded, will increase the lock out by the relative impact of a single hit on the defined window size. In the example, each hit increases the lock out by additional 6 seconds (60 seconds / 10 hits = 6 seconds per hit).

    Once enabled, specify the following parameters:

    • Maximum attempts (required, default: 20) - Specify the maximum number of attempts allowed.
      NOTE

      both GET and POST requests are considered as attempts.

    • Window size in minutes (required, default: 5) - Specify the number of minutes to define a window size for the attempts allowed.
    • Lock Type (required, default: IP address) - Select between IP Address or User name.
      • User login rate limit is always done per IP Address
      • Changing user account password rate limiting can be done by either IP address or by the user name.
      NOTE

      When a specific user name will be locked, Axonius will also lock the IP address associated with the session of the user name.

image.png

Enterprise Password Management Settings

  • Use Password Manager - Check this checkbox to enable a password manager integration and allow Axonius to securely pull privileged credentials from the password manager defined.
    • Password Manager (required, default: CyberArk Vault) - Select the password Manager for the intergration.

      • If CyberArk Vault is selected, Axonius uses CyberArk’s Application Access Manager (AAM) to pull credentials from the CyberArk Vault. Please follow CyberArk integration configuration guidelines, and specify the following parameters:
      • CyberArk Domain (required) - The base URL of the Central Credential Provider (CCP).
      • Port (required) - The port the Central Credential Provider (CCP) is listening to.
      • Application ID (required) - The Application ID which identifies the Axonius application created in CyberArk.
      • Certificate key (required) - The certificate which will be authenticated against the Certificate Serial Number defined on the Application.
        image.png
    • If Thycotic Secret Server is selected, please follow Thycotic Integation configuration guidelines and specify the following parameters:

      • Thycotic Secret Server URL (required)
        • For on-prem Thycotic Secret Server, needs to be in the following format: https://<hostname>/SecretServer (e.g. https://demo-server/SecretServer)
        • For cloud Thycotic Secret Server, needs to be in the following format: https://<tenant>.secretservercloud.com (e.g https://mycompany.secretservercloud.com)
      • Username and Password (required) - The credentials of a local Thycotic user with read-only permissions for the secrets.
      • Port (optional, default: 443)
        • If supplied, the port specified will be used for the connection.
        • If not supplied, default 443 for https URL or if http/https not supplied in URL, default 80 for http URL.
      • Verify SSL (required, default: False) - Verify the SSL certificate offered by the value supplied in Thycotic Secret Server URL. For more details, see SSL Trust & CA Settings.
        • If enabled, the SSL certificate offered by the value supplied in Thycotic Secret Server URL will be verified against the CA database inside of Axonius. If the SSL certificate can not be validated against the CA database inside of Axonius, the connection will fail with an error.
        • If disabled, the SSL certificate offered by the value supplied in Thycotic Secret Server URL will not be verified against the CA database inside of Axonius.
          image.png

Email Settings

  • Send emails (required, default: False) - Check this checkbox to use an Email server. A configured Email server is a prerequisite before you can configure an email notification as part of a configured Enforcement Set or configuring a report to be sent via mail.

    • Once enabled, you need to define the Email host name and Port. User name and Password are optional.
    • Configure if the connection will be unencrypted, verified or unverified. If you select the Verified or Unverified options, you need to provide the SSL CA, certificate and private key files.
    • Define the Sender Address for all mails sent by Axonius.

    image.png

Syslog Settings

  • Use Syslog (required, default: False) - Check this checkbox to use a Syslog server.
    Once enabled, define Syslog Host name and Port (optional) and you can use an SSL connection and certificates.

    image.png

This setting must be enabled in order to utilize the Send to Syslog System action.

If this setting is enabled, the following log entries are sent to the configured Syslog server:

  • Login
    • Sent on success or failure of each login attempt.
    • Entries will include the supplied user name and the result.
  • Discovery cycle phase
    Sent on the beginning and ending of each discovery cycle phase.
  • Adapter connection failures
    • Sent when an adapter connection fails to connect using the supplied configuration.
    • Entries will include the adapter name, ID of the node running the adapter, and connection error.
  • Adapter connection fetches
    • Sent when a fetch is finished if the "Notify on Adapters" setting is enabled.
    • Entries will include the number of assets fetched and how long the fetch took.
  • Adapter connection asset cleanup
    • Sent when an adapter decides to remove assets due to the configuration defined in Advanced Settings.
    • Entries will include the number of assets removed.
    • For more details see: Adapter Advanced Settings.

HTTPS Logs Settings

  • Use HTTPS logs (required, default: False) - Check this checkbox to use an HTTPS logs server,
    Once enabled, define HTTPS logs host, Port (optional) and the HTTPs proxy (optional).

    image.png

This setting must be enabled in order to utilize the Send to HTTPS Log System action.

If this setting is enabled, the log entries described in the Syslog Settings are sent to the configured HTTPS logs system.

Atlassian Opsgenie Settings

  • Use Atlassian Opsgenie *(required, default: False) - Check this checkbox to configure and to use Atlassian Opsgenie server. This is a prerequisite to configure an Enforcement Set with a Create Atlassian Opsgenie Alert enforcement action.

Once enabled, specify the following:

  • Opsgenie API domain (required, default: https://api.opsgenie.com/) - Specify the Opsgenie API URL. If using the EU instance of Opsgenie, the URL needs to be https://api.eu.opsgenie.com for requests to be executed.
  • API key (required) - API key generated from the Opsgenie console.
    To add an API key:
    1. Navigate to Settings page >> App Settings >> API Key Management.
      image.png

    2. Click Add New API Key.

    3. Enter a name for the API key and select the following access rights to give to this API key:

      • Read - Can read the alerts, incidents, and configurations.
      • Create/Update - Can create new alerts, configurations and incidents, and update them.
        image.png
    4. Click Add API Key to save the new API key.
      For more details, see Atlassian Opsgenie - API Key Management.

  • Verify SSL (required, default: False) - Verify the SSL certificate offered by the value supplied in Opsgenie API domain. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the value supplied in Opsgenie API domain will be verified against the CA database inside of Axonius. If the SSL certificate can not be validated against the CA database inside of Axonius, the connection will fail with an error.
    • If disabled, the SSL certificate offered by the value supplied in Opsgenie API domain will not be verified against the CA database inside of Axonius.
  • HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the value supplied in Opsgenie API domain.
    • If supplied, Axonius will utilize the proxy when connecting to the value supplied in Opsgenie API domain.
    • If not supplied, Axonius will connect directly to the value supplied in Opsgenie API domain.
      image.png

Jira Settings

  • Use Jira (required, default: False) - Check this checkbox to use a Jira server. This is a prerequisite to configure an Enforcement Set with a Create Jira Issue and Create Jira Issue Per Entity enforcement actions.


    To integrate Axonius with Jira, you need to do the following :

    1. Create a user in your Atlassian site with access to Jira. The user should be part of the most basic group which is jira-software-users.

    image.png

    1. Log in to Jira using the created user and generate an API token.
      For cloud based Atlassian sites, use the following URL to generate an API token: https://id.atlassian.com/manage/api-tokens#

    image.png

    1. Under the Global Settings, specify the Jira domain, User Name and API Key.
      Choose whether to verify the SSL certificate of the server. By default, the Verify SSL checkbox is unselected.

    image.png

Notifications Settings

  • Notify On adapters fetch (required, default: False) - Check this checkbox to generate a system notification, notify Syslog (if enabled) or notify HTTPS Log System (if enabled) every time a discovery cycle for specific adapter starts and when it ends.
  • Adapters errors mail address (optional, default: empty) - Configure a comma-separated list of email addresses to receive an email:
    • When there is a connection issue with any of the adapter connections.
    • When a node has not communicated for over 3 hours.
  • Adapters errors webhook address (optional, default: empty) - Configure webhook URL to receive a message when there is a connection issue with any of the adapter connections. The message sent is as same as the message included in the email.

image.png

Correlation Settings

  • Correlate users by email prefix (required, default: False) - Axonius correlates users based on several criteria, including the user name and email address.
    • If enabled, Axonius correlates users by email prefix only, instead of correlating users by the entire email address. For example, in the email address JohnDoe@CompanyDomain.com, “JohnDoe” is the email prefix.
    • If disabled, Axonius correlates users by the entire email address.
  • Correlate users by AD display name (required, default: True)
    • If enabled, Axonius correlates users also by Microsoft Active Directory (AD) display name.
    • If disabled, Axonius users correlation logic ignores Microsoft Active Directory (AD) display name.
  • Correlate users by user name and domain only (required, default: False) -
    • If enabled, Axonius correlates users by user name and domain only.
    • If disabled, Axonius use its default correlation logic to correlate users.
  • Correlate Microsoft Active Directory (AD) and Microsoft SCCM data based on Distinguished Names (required, default: False)
    • If enabled, Axonius only correlates devices from a Microsoft Active Directory (AD) or a from Microsoft SCCM adapter connection by the LDAP object distinguished name only.
    • If disabled, Axonius correlates devices from connections for those adapters based on hostname, serial number, MAC address, IP address and more.
  • Correlate devices by exact hostnames when no MAC and no IPs (required, default: False)
    • If enabled, Axonius only correlates devices based on the exact hostnames, if the device entity does not have any MAC or IP address.
    • If disabled, the Axonius does not correlate devices, if the device entity does not have any MAC or IP address.
  • Correlate ServiceNow adapter based on MAC address only (required, default: False)
    • If enabled, Axonius only correlates assets from ServiceNow adapter connection based on MAC address.
    • If disabled, Axonius correlates assets from ServiceNow adapter connection based on MAC address, hostname and others.
  • Correlate Microsoft Azure AD based on asset name only (required, default: False)
    • If enabled, Axonius only correlates assets from Microsoft Azure AD adapter connection based on asset name.
    • If disabled, Axonius correlates assets from Microsoft Azure AD adapter connection based on several parameters such as MAC address, hostname and others.
NOTE

For more details on those settings, Please contact Axonius Support.

Correlation Schedule

  • Enable Correlation Schedule (required, default: False)
    • If enabled, define the hour gap between each correlation run. Only one correlation can be run at once, meaning, correlation will run as part of each discovery cycle and based on the configured scheduling.
    • If disabled, correlation will continue to be a part of the discovery cycle.

image.png

Static Analysis Settings

  • Fetch software vulnerabilities even when the vendor name is unknown (required, default: False)
    • If enabled, Axonius fetches vulnerabilities even if the software vendor name is unknown.
    • If disabled, Axonius fetches vulnerabilities only if they include both software and vendor names.

image.png

Aggregation Settings

  • Maximum adapters to execute asynchronously (required, default: 20) - Define the number of adapters that - as part of discovery cycle - will be executed to fetch asset information in parallel.
  • Socket read-timeout in seconds (required, default: 5 seconds) - Define the number of seconds to wait for any initial or existing connection response before reporting a connection timeout. Default value is 5 seconds.
  • Convert all hostnames to uppercase (required, default: False)
    • If enabled, starting the next data fetch, Axonius will convert all fetched hostnames to uppercase.
    • If disabled, Axonius will persist fetched hostnames in the format received from each adapter connection.
  • Update adapters connections status periodically (every 1:30 hours) (required, default: False)
    • If enabled, Axonius will update the status of all the adapter connections every 1:30 hours.
    • If disabled, Axonius will update the status of all the adapter connections as part of a discovery cycle.

image.png

Getting Started with Axonius Settings

Amazon S3 Settings / SMB Settings

For details on those settings, please contact your Axonius account representative.

API Settings

  • Enable advanced API settings (required, default: False) - Check this checkbox to control and configure the REST API.
  • Enable API destroy endpoints (required, default: False) - Control access to the /users/destroy and /devices/destroy endpoints that allow deleting all assets.
    • If enabled, allow access to the destroy endpoints.
    • If disabled, do not allow access to the destroy endpoints.

Advanced Settings

  • Remote Support (required, default: True) - Allow Axonius to remotely connect to the instance using a Chef agent. Remote support is required to provide continuous updates, maintenance, and troubleshooting. It is strongly recommended to keep this enabled to have the best customer experience.
    If you turn remove support off, you can still allow Axonius to remotely connect to the instance for a predefined number of hours.
  • Anonymized Analytics (required, default: True) - Anonymized analytics data will be sent to Axonius. This kind of data consists of errors and exceptions, usage alerts, and more. It is strongly recommended to keep this enabled to have the best customer experience.
  • Remote Access (required, default: True) - Remote Access allows Axonius to keep the system updated by providing continuous updates and to speed-up issue resolution time.

image.png

Was this article helpful?