Inventory Rules
2. Inventory
Rule Definition
To define Inventory
Rule navigate to Inventory ManagementàInventory Rules. NetCyte Comes with 15 predefined policy with the state
is disabled. You can add your Rules
easily by clicking button on the up-right corner.
Figure 1 Inventory Rules
a.
Rule Definitions and Executions
Rule definition interface consists of two parts; Rule Type selection and Settings. There are 96 different rule types of checks available. While executing Inventory Rules, NetCyte NAC system checks every condition in a rule. If the result is returned “True” or positive, then the system takes action defined in the Advanced settings.
Rule Types: Rule Types are the predefined check which
is applied to Target Devices during the execution and has own individual
setting Rule Type can be general-purpose,
like MAC Spoofing Detection, or System Specific, like Windows Update Check. You
can use single Rule Type in an only Inventory Rule, or you can create compound
Rule Typeset by applying AND or OR conjunction. The first step in Inventory
Rule Definition is defining Rule Types.
Rule Settings:
There are two levels of settings; Basic and advanced. The
second stage is to define basic parameters of your rule-based on below
definitions. Name, Execution Interval and
Tag Query must be set for a rule. Other settings are optional and
defined based on your needs.
Basic Settings:
Basic Settings define minimum parameters to execute
Inventory Rule. Basic settings do not specify any blocking or remediation
actions.
Basic
Setting Parameters:
|
Settings Name |
Explanation |
|
Name |
Name of your Inventory Rule. |
|
Execution Interval |
How often your Rule will be executed. If the time gap between the current
time and the Last execution time is higher than this value rule is triggered
for execution. |
|
Last Execution Time |
The time when the Rule is last executed. |
|
Tag Query Mapping |
Tag Queries for selecting Target Devices. Inventory Rule Type checks
executed on Devices which is the result set of Tag Query. |
|
Execution Time |
If you define, this field rule will be executed only this time. |
|
Exclusion Time |
The Rule executed all time except for this time. |
|
Category |
Inventory Rules can be labelled for later
using in your reports or dashboards. There are three types of built-in
categories, but you can define the custom category under Inventory ManagementàInventory
Settings à
Inventory Rule Categories. |
|
Status |
Enable/Disable Rule. |
Table 1 Inventory Rule - Basic
Settings Definition
Advanced Settings:
The basic setting is enough for the execution of a rule. With basic
settings, you can collect information from devices, analyse and report them,
but you can not take any action for removing anomalies are found.
Advanced Setting of an Inventory
Rule is used for defining remediation actions for any abnormalities found in
your environment.
Figure 3 Inventory Rule - Advanced
Settings
Advanced Setting Parameters:
|
Setting |
Explanations |
|
Service |
NAC server which is responsible for executing this Rule. |
|
Automation Job |
Automation job will be executed on a noncompliant
host which is the Rule Type checks
return true. |
|
Program/Script Name |
Programs or Scripts will be executed
on a noncompliant host which is the
Rule Type checks return true. |
|
Alert (1,2,3) |
Alert will be shown to the user on the host,
which is the Rule Type checks return true. |
|
Agent Execution Interval |
How often this Rule executed by Agent
If Agent installed machine is in the set of Tag Query Result. |
|
Block Immediately |
Trigger Blocking Immediately without
waiting for a response from the user. |
|
Block Type |
Which Blocking will be applied to the host,
which is the Rule Type checks return true. |
|
VLAN/ACL Name |
Blocking Parameter according to Block Type. |
|
Trace Level |
Debug options for execution of the Rule.
Debug files can be found on the NacServer under the C:\Program Files\NETCYTE\NAC\Server\log\
directory. Debug file name ends with Rule Name. |
|
Enable Lag Collection |
Enables Lag collection. If you are executing
your Rule only specific times and some of your hosts could not be available at
that time, you may need to enable Lag Collection. Lag collection re-execute
Inventory rule on the host, which is not accessible on regular execution
time, at Lag Collection Interval. |
|
Lag Data Collection Interval |
Time LAG collection is executed. |
|
Acceptable Lag Interval |
How often LAG Collection process
executed. |
|
Last Lag Collection |
Last Lag execution Time. |
|
Collect On Enumeration |
Execute Inventory rule just after the enumeration
process, and even execution time does not elapse. If a new host matches tag query, inventory rule is
applied immediately. |
|
Block Device On Access Failure |
Block device if it is not accessible
during Inventory Rule execution. |
|
Show Compliance Analysis Dashboard |
Add rule result to Compliance analysis dashboard. |
|
Enable Device Exclusion |
You can add
another TAG Query to exclude some computers. |
Table 2 Advanced Setting Options
Once you finished your settings, click save button to activate
your Rule. If you want to execute Rule immediately, please ensure that time
difference between the current time and last execution time is greater than the
execution interval.
b.
Analyse Inventory Information
After execution Inventory Rules, information about your devices will be stored designated tables in the Database. To view collected information by Inventory Rules, go to Inventory Managementà Inventory Information. Log Types classified by Rule Type in your Inventory rule.
c.
View Active non-compliant Client
Active non-compliant devices which do not fit your Inventory
Rules are listed under Inventory ManagementàInventory
RulesàRule-Based
Active Alerts menu.
This list is dynamically managed by the system. If the
reason for non-compliance removed on the client system automatically removes the
entry in this screen. For example, if you are checking windows update service
and one of your client device is outdated. The system automatically creates
violation entry in his list. Once you update your client, the system
automatically removes entry here. Because in every 2-minute system
automatically checks if the violation persists or not. If not it is deleted automatically
from this list.
To view historical violation to your inventory Rules,
navigate to Visualisation and Analysis à
Compliance Analysis. Please note that the Inventory rules, whose “Show Compliance Analysis Dashboard” is not enabled will not be shown
here.
3.
Sample Rule Definition
In this section, We create Inventory Rule for Checking
Windows Defender Update status older than ten days, or windows Defender service
is not working.
Create Rule: Find the Rule Type Windows Defender Analysis and add to the Rule Type list. If rule type requires some conditions systems ask for a fill-up required Parameter. As below we define difference days as ten days, and we do not check any version information.
After defining condition, you need to set Rule settings. You need to define, Name, Execution interval and Tag Query for the Rule and save it.
Figure 8 Sample Rule Settings
After saving your Rule, your Rule is executed based on your execution interval and last execution time definitions. Once your Rule is run, you can find inventory information under Inventory ManagementàInventory Informationà Antivirus Analysisà MS Defender Av Status
Figure 9 Sample AV Check Result
As you see from the list, some of our clients are in a healthy
state; some of them is not.
Related Articles
Classification Rules
1. Introduction Classification rules enable automatic action on devices that meet specific criteria.These criteria are defined by using Tag Queries. 2. Classification Rule Definition To define Classification Rule navigate to All Hosts and ...Tag Queries
1. Introduction Tag Queries are SQL Queries to select target hosts or Client IP Addresses from different tables according to requirements. Tag Queries is executed on Database, and the result set is used as target devices. Tag Queries are used in ...NetCyte Quick Deployment Guide
NetCyte Quick Deployment Document 1. Summary This document is a summary of quick deployment of netCyte NAC solution from preconfigured virtual appliances 2. Objective The objective of the quick deployment is to demonstrate discovery and ...NetCyte DNS Security Quick Deployment Guide
Captive Portal Quick Deployment Guide 1. Summary This document is a summary of the quick deployment of the Captive Portal component of NetCyte NAC solution from pre-configured virtual appliances. 2. Objective The objective of the ...Trust Lists
1. Introduction Most of the malware uses similar methods to infect computers. Most commons are, creating service, creating schedule task, creating autorun entry to start with system startup, creating process, opening unusual/unexpected TCP ports ...