F-Secure Elements Vulnerability Management has a built-in mechanism to bind assets coming from different sources to network vulnerability scans inside a specific scan group and to keep them in sync.
When a new asset appears in a given asset source, a corresponding network vulnerability scan (web scan or system scan) is created inside the scan group; when the asset disappears from the source, the scan can be removed again (see the RemoveSystemScanWhenUndiscovered and RemoveWebScanWhenUndiscovered settings below). Currently, the supported built-in asset sources are discovery scans and internet discovery, both of which are available via the API and the user interface. A custom asset source, whose assets you upload yourself, is also supported, but only via the API.
- List the currently configured custom asset sources:
curl -X POST https://api.radar.f-secure.com/api/integration/assetMonitoring/withStartIndex/0/andPageSize/250 \
  -H 'Content-Type: application/json' \
  -H 'ApiAccessKey: {ApiAccessKey}' \
  -H 'ApiSecretKey: {ApiSecretKey}' \
  -d '{"AssetSourceType": "Custom"}'
- Create a new custom asset source:
Replace the parameters marked with {} with your own values. The ScanGroupId is the scan group in which the tracked scans are created; the port range settings define which discovered HTTP/HTTPS ports result in a web scan.
curl -X POST https://api.radar.f-secure.com/api/integration/assetmonitoring/custom \
  -H 'Content-Type: application/json' \
  -H 'ApiAccessKey: {ApiAccessKey}' \
  -H 'ApiSecretKey: {ApiSecretKey}' \
  -d '{
    "ScanGroupId": "{ScanGroupId}",
    "TrackSystemScans": true,
    "TrackWebScans": true,
    "AlwaysAddNewSystemScans": false,
    "AlwaysAddNewWebScans": false,
    "RemoveSystemScanWhenUndiscovered": true,
    "RemoveWebScanWhenUndiscovered": true,
    "AssetSourceType": "Custom",
    "TrackedHttpPortRangeForWebScan": "80",
    "TrackedHttpsPortRangeForWebScan": "443",
    "RunSystemScanImmediatelyAfterAdd": false,
    "RunWebScanImmediatelyAfterAdd": false,
    "ScheduleId": null,
    "RunSystemScanImmediatelyIfNewServicesDiscovered": false
  }'
The response returns the unique identifier of the new asset source configuration; this is the {AssetSourceId} used when uploading assets in the following steps.
- Retrieve the list of machines from Active Directory, for example with the ldapsearch command on Linux (querying computer objects and their DNS host names), and convert it to the JSON format expected by the upload endpoint.
- Upload the list of machines that should use the custom asset source update configuration and verify that the scans have been created inside the defined scan group:
curl -X POST https://api.radar.f-secure.com/api/integration/assetmonitoring/custom/{AssetSourceId}/assets \
  -H 'Content-Type: application/json' \
  -H 'ApiAccessKey: {ApiAccessKey}' \
  -H 'ApiSecretKey: {ApiSecretKey}' \
  -d '[
    {
      "IPAddress": "192.168.1.1"
    },
    {
      "IPAddress": "192.168.1.2",
      "HostName": "domain2.com"
    },
    {
      "IPAddress": "192.168.1.3",
      "HostName": "domain3.com",
      "DiscoveredAssetPorts": [
        {
          "Port": "80",
          "Protocol": "TCP",
          "Service": "https"
        }
      ]
    }
  ]'
The upload only adds a scan definition for assets that have not been uploaded before. The operation is therefore idempotent: uploading the same list again does not change the set of network vulnerability scans within the defined scan group, so it is safe to run the upload on a schedule.
- Create a Windows Scheduled Task to run the F-Secure Elements Vulnerability Management asset monitoring script.
Typically, you should set the task to be triggered at an interval of several hours. For more information on scheduling a task, see: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748993(v=ws.11).
Note: Make sure that the task runs the script under an account with sufficient rights to write its log files and to reach the F-Secure Elements Vulnerability Management API, but no more than that. Because the task needs the API access and secret keys, store them in a file readable only by that account rather than passing them as command-line arguments, which are visible in the task definition and in process listings.
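The following script ties the steps above together: it parses the LDIF that ldapsearch prints for Active Directory computer objects, turns it into the asset list the upload endpoint expects, and builds the POST request with the same headers and URL shown above. It is an added example, not F-Secure's own asset monitoring script. The LDIF below is a constructed sample, the ldapsearch invocation in the comment is an assumed one, and host-to-IP resolution is pluggable so the example runs offline with a stub resolver; only the endpoint path and header names come from the page.

```python
"""Build the custom-asset upload payload from `ldapsearch` LDIF output.

Added example, not the vendor's script. Assumed ldapsearch invocation:
  ldapsearch -LLL -H ldap://dc.example.com -D 'svc@example.com' -W \
      -b 'DC=example,DC=com' '(objectClass=computer)' dNSHostName
"""
import base64
import json
import os
import socket
import sys
import urllib.request

API_BASE = "https://api.radar.f-secure.com/api/integration"

# Constructed sample of what the ldapsearch command above prints.
# Entry 2 shows LDIF line folding, entry 3 a base64 ('::') value,
# entry 4 a stale record that no longer resolves, entry 5 no dNSHostName.
SAMPLE_LDIF = """\
dn: CN=SRV01,OU=Servers,DC=example,DC=com
objectClass: computer
dNSHostName: srv01.example.com

dn: CN=WS-LONG-NAME,OU=Workstations,DC=example,DC=com
objectClass: computer
dNSHostName: ws-long-name
 .example.com

dn: CN=SRV02,OU=Servers,DC=example,DC=com
objectClass: computer
description:: U2VydmVy
dNSHostName: srv02.example.com

dn: CN=STALE,OU=Servers,DC=example,DC=com
objectClass: computer
dNSHostName: stale.example.com

dn: CN=NOFQDN,OU=Servers,DC=example,DC=com
objectClass: computer
"""

# Stub resolver standing in for DNS so the example runs offline.
STUB_DNS = {
    "srv01.example.com": "192.168.1.10",
    "ws-long-name.example.com": "192.168.1.11",
    "srv02.example.com": "192.168.1.10",  # same IP as SRV01: deduplicated
}


def stub_resolve(name):
    try:
        return STUB_DNS[name]
    except KeyError:
        raise socket.gaierror(f"unresolvable: {name}")


def parse_ldif(ldif_text):
    """Parse LDIF into a list of entries mapping lower-cased attribute
    names to value lists. Folded lines (leading space) are joined and
    base64 values ('attr:: ...') are decoded; comments are ignored."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def build_assets(ldif_text, resolve=socket.gethostbyname):
    """Convert AD computer objects into upload objects with IPAddress and
    HostName. Objects without dNSHostName or that do not resolve are
    skipped and duplicate IPs collapsed, so a stale AD record never turns
    into a bogus scan target."""
    assets, seen = [], set()
    for entry in parse_ldif(ldif_text):
        if "computer" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        fqdn = (entry.get("dnshostname") or [None])[0]
        if not fqdn:
            continue
        try:
            ip = resolve(fqdn)
        except OSError:
            continue
        if ip in seen:
            continue
        seen.add(ip)
        assets.append({"IPAddress": ip, "HostName": fqdn})
    return assets


def build_upload(asset_source_id, assets, access_key, secret_key):
    """Return (url, headers, body) for the assets endpoint from the page."""
    url = f"{API_BASE}/assetmonitoring/custom/{asset_source_id}/assets"
    headers = {
        "Content-Type": "application/json",
        "ApiAccessKey": access_key,
        "ApiSecretKey": secret_key,
    }
    return url, headers, json.dumps(assets).encode("utf-8")


def upload(asset_source_id, assets, access_key, secret_key, timeout=30):
    """POST the asset list; safe to repeat because unchanged assets are ignored."""
    url, headers, body = build_upload(asset_source_id, assets, access_key, secret_key)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Read real LDIF from stdin if piped, else use the constructed sample.
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    resolver = socket.gethostbyname if ldif is not SAMPLE_LDIF else stub_resolve
    payload = build_assets(ldif, resolver)
    # Keys are read from the environment (hypothetical variable names).
    ak, sk, src = (os.environ.get(k) for k in ("RADAR_ACCESS_KEY", "RADAR_SECRET_KEY", "RADAR_ASSET_SOURCE_ID"))
    if ak and sk and src:
        print(upload(src, payload, ak, sk))
    else:
        print(json.dumps(payload, indent=2))  # dry run: show what would be sent
```

Pipe the real ldapsearch output into the script on the scheduled host and set the three environment variables from a file with restricted permissions; without them the script only prints the payload, which is a convenient way to review what would be uploaded before enabling the schedule.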