Advanced Asset Investigation
  • 28 May 2023
  • 4 Minutes to read


Article Summary

The Asset Investigation page in Axonius enables users to view changes over time for all devices or users in the system. It allows them to compare groupings of assets, accelerate incident response and alert triage, track changes amongst assets, and identify unusual or risky patterns. Filters can be used to set a time period, adapter connections and fields to investigate. Results can be saved as queries for later use and exported as a CSV file.

The Asset Investigation page shows the changes over time for all the devices or users in the system. When a security event happens in the organization, it often causes anomalies on more than one device. The Asset Investigation page enables you to see all changes on all assets in the system. You can use Advanced Asset Investigation to:

  • Compare groupings of assets more easily, from one central console
  • Accelerate incident response and alert triage
  • Track changes amongst assets
  • Identify unusual or risky patterns

From the Devices or Users page select Asset Investigation.
AdvAssetInvestigation

The Asset Investigation page opens and shows all the assets on the system.
Use the filters to set a time period, adapter connections and fields to investigate.

AdAssetInvestigatoinScreenNew

Events Table

The Events table shows changes in the values of fields on all the assets displayed. Each row in the table represents a change event on an asset and the time at which it happened. Changes are displayed per adapter source, not on the aggregated value, so the same field can appear in several rows for the same asset, one per adapter. Events are sorted by time with the newest events on top. The first time you open this page, the Values Added column is populated with the first value identified by Axonius; this is the baseline from which later added/removed values are calculated. These baseline values are marked with an i icon.

The Events table shows the following information:

  • Date - The date and time stamp (in UTC) of the change event.
  • Asset - The name of the asset entity where a change happened. Click the asset entity to open the Asset Profile page and see more information about this asset.
  • Field Name - The name of the field where a change happened. An adapter icon shows which adapter the field belongs to.
  • Values Added - Lists all the values added to the field. If more than 2 values were added, mouse over the cell to see all the values; the first 50 are displayed and can be scrolled through.
  • Values Removed - Lists all the values removed from the field. If more than 2 values were removed, mouse over the cell to see all the values.

Filtering

You can filter the values displayed in the table. You can then use the filters to create queries, and also save them as queries for later use. Read more about queries based on filters.

AssetInvestQueries

Search - Enter free text to search for a value that was added or removed, or for an asset.

  • The following filters are available:

    • Adapter Connections - Show assets from specific adapter connections. Click the arrow next to the adapter name to show the connections on the adapter.

    • Field Names - Show all assets containing a specific field.

    • Time Range - Filter events by date with the date range picker, by a specified number of last days, weeks, months, or years, or for events prior to a set number of days.

    To filter by date range:

    1. From the Time Range dropdown, select In range.
    2. Select Start date and End date to indicate the date range for which to display results.
    3. To filter results for a single date, select the same date twice.
    4. If you want to include specific times in the date range, click Select Time in the date range picker.
    5. Click OK to set the Time Range filter.


    DateRange

    To filter by the last number of days, weeks, months, or years:

    1. From the Time Range dropdown, select Last and specify a value in the field next to Last.
    2. By default, the value is the number of days. If you want to filter by weeks/months/years, select the relevant option from the days dropdown.

    TimeRange


    To filter by the number of days ago:

    You can set a Time Range to show only events that occurred before the specified number of days, weeks, months, or years.

    1. From the Time Range dropdown, select Prior to.
    2. In the number field, enter a value or use the arrows to select the value you want.
    • By default, the value is the number of days. If you want to filter by weeks/months/years, select the relevant option from the days dropdown.

    DurationPrior


  • Click Clear All to clear all selections in a specific filter.

  • Click Reset to clear all filters and reset the display.

After you filter on an asset, you can open it on the relevant asset profile (Devices or Users) page and then track changes on its Asset Investigation tab.

Use Case Example

For instance, to check which assets were updated to a new agent version during the last week:

  • Set the Time Range filter to the last 7 days.
  • Set the Field Name filter to Agent Version.
  • If you see changes of interest, click the Asset link to open the asset on the Devices page.
  • For further investigation, click the Asset Investigation tab on the Device Profile page.
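The Events table and the filters above amount to a simple diff-and-filter procedure: per-adapter field values fetched over time are diffed into change events, and the Search, Adapter Connections, Field Names and Time Range filters narrow the rows. The following Python script is an added illustration of that procedure, not code from Axonius or from this article. The snapshot data, asset names (host-a, host-b, host-c), adapter names (edr_adapter, cloud_adapter) and the IP Addresses field are constructed for the example; only Agent Version is a field named on the page. It finishes with the use case above, agent-version changes in the last 7 days.

```python
"""Toy model of an asset-investigation Events table (constructed example, not
Axonius code): per-adapter field snapshots are diffed into change events, which
are then filtered the way the page describes (search, adapter, field, time range)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One fetched value set for a field, as seen through one adapter connection."""
    date: datetime            # fetch time, UTC
    asset: str
    adapter: str
    field: str
    values: FrozenSet[str]


@dataclass(frozen=True)
class ChangeEvent:
    """One row of the Events table."""
    date: datetime
    asset: str
    adapter: str
    field: str
    values_added: FrozenSet[str]
    values_removed: FrozenSet[str]
    baseline: bool            # first value seen (the rows marked with the i icon)


def build_events(snapshots: Iterable[Snapshot]) -> List[ChangeEvent]:
    """Diff consecutive snapshots per (asset, adapter, field), never across adapters,
    so changes are reported per adapter source rather than on an aggregated value."""
    series: Dict[Tuple[str, str, str], List[Snapshot]] = defaultdict(list)
    for snap in snapshots:
        series[(snap.asset, snap.adapter, snap.field)].append(snap)

    events: List[ChangeEvent] = []
    for (asset, adapter, field), snaps in series.items():
        previous: Optional[FrozenSet[str]] = None
        for snap in sorted(snaps, key=lambda s: s.date):
            if previous is None:
                # First value identified: shown under Values Added as the baseline
                # from which later additions and removals are calculated.
                events.append(ChangeEvent(snap.date, asset, adapter, field,
                                          snap.values, frozenset(), baseline=True))
            else:
                added, removed = snap.values - previous, previous - snap.values
                if added or removed:          # an unchanged fetch produces no row
                    events.append(ChangeEvent(snap.date, asset, adapter, field,
                                              added, removed, baseline=False))
            previous = snap.values
    # Newest events on top, as in the table.
    return sorted(events, key=lambda e: e.date, reverse=True)


def filter_events(events: Iterable[ChangeEvent], *,
                  search: Optional[str] = None,
                  adapters: Optional[Set[str]] = None,
                  field_names: Optional[Set[str]] = None,
                  in_range: Optional[Tuple[datetime, datetime]] = None,
                  last_days: Optional[int] = None,
                  prior_to_days: Optional[int] = None,
                  now: Optional[datetime] = None) -> List[ChangeEvent]:
    """Apply the page's filters. Time Range modes: In range (inclusive start/end),
    Last N days (events on or after now - N days), Prior to N days (events before it)."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for e in events:
        if adapters is not None and e.adapter not in adapters:
            continue
        if field_names is not None and e.field not in field_names:
            continue
        if in_range is not None and not (in_range[0] <= e.date <= in_range[1]):
            continue
        if last_days is not None and e.date < now - timedelta(days=last_days):
            continue
        if prior_to_days is not None and e.date >= now - timedelta(days=prior_to_days):
            continue
        if search is not None:
            haystack = [e.asset, *e.values_added, *e.values_removed]
            if not any(search.lower() in h.lower() for h in haystack):
                continue
        kept.append(e)
    return kept


# --- Constructed sample data (not from the article) -------------------------
NOW = datetime(2023, 5, 28, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SNAPSHOTS = [
    Snapshot(days_ago(20), "host-a", "edr_adapter", "Agent Version", frozenset({"6.40"})),
    Snapshot(days_ago(3),  "host-a", "edr_adapter", "Agent Version", frozenset({"6.45"})),
    Snapshot(days_ago(20), "host-b", "edr_adapter", "Agent Version", frozenset({"6.40"})),
    Snapshot(days_ago(10), "host-b", "edr_adapter", "Agent Version", frozenset({"6.42"})),
    Snapshot(days_ago(2),  "host-b", "edr_adapter", "Agent Version", frozenset({"6.45"})),
    Snapshot(days_ago(20), "host-a", "edr_adapter", "IP Addresses", frozenset({"10.0.0.5"})),
    Snapshot(days_ago(1),  "host-a", "edr_adapter", "IP Addresses", frozenset({"10.0.0.5", "10.0.0.9"})),
    Snapshot(days_ago(20), "host-c", "cloud_adapter", "Agent Version", frozenset({"6.40"})),
]
EVENTS = build_events(SNAPSHOTS)


def agent_updates_last_week() -> List[ChangeEvent]:
    """The use case from the article: Time Range = last 7 days, Field Name = Agent Version."""
    return filter_events(EVENTS, field_names={"Agent Version"}, last_days=7, now=NOW)


if __name__ == "__main__":
    for e in agent_updates_last_week():
        print(e.date.date(), e.asset, e.field, "added", set(e.values_added),
              "removed", set(e.values_removed))
```

Running the script lists host-b (6.42 to 6.45) and host-a (6.40 to 6.45), newest first; the host-c baseline and the host-b change ten days ago fall outside the Last 7 days window and would instead be matched by Prior to 7 days.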

Saving Filters and Searches

You can save the filters and searches you configure on this page as queries. Refer to Creating Queries Using Filters for full details. Once you save a query, it appears on the Queries page.
Use:

  • Save As - to save the filters/search as a Query
  • Reset - to reset the display

Choose Export CSV to export the table to a CSV file.
