Inventory Rules

Although granting network access only to authenticated and legitimate devices is of utmost importance, keeping the security posture at a high level is also necessary. Inventory Rules are used to check your infrastructure continuously for anomalies. These anomalies can be at the network level or at the host level. NetCyte provides a rich set of rules for security checks on host devices or on the infrastructure.

2.      Inventory Rule Definition

To define an Inventory Rule, navigate to Inventory Management → Inventory Rules. NetCyte comes with 15 predefined rules, all in the disabled state. You can add your own rules easily by clicking the button in the upper-right corner.


Figure 1 Inventory Rules

a.      Rule Definitions and Executions

The rule definition interface consists of two parts: Rule Type selection and Settings. There are 96 different rule types (checks) available. While executing an Inventory Rule, the NetCyte NAC system checks every condition in the rule. If the result is "True" (positive), the system takes the action defined in the Advanced settings.


Figure 2 Inventory Rule Definition

Rule Types: Rule Types are the predefined checks applied to Target Devices during execution; each has its own individual settings. A Rule Type can be general-purpose, like MAC Spoofing Detection, or system-specific, like Windows Update Check. You can use a single Rule Type in an Inventory Rule, or you can create a compound Rule Type set by combining Rule Types with an AND or OR conjunction. The first step in Inventory Rule Definition is defining the Rule Types.

Rule Settings:

There are two levels of settings: Basic and Advanced. The second stage is to define the basic parameters of your rule based on the definitions below. Name, Execution Interval and Tag Query must be set for a rule. The other settings are optional and are defined based on your needs.

Basic Settings:

Basic Settings define the minimum parameters needed to execute an Inventory Rule. Basic settings do not specify any blocking or remediation actions.

Basic Setting Parameters:

| Setting Name | Explanation |
| --- | --- |
| Name | Name of your Inventory Rule. |
| Execution Interval | How often your Rule will be executed. If the time gap between the current time and the Last Execution Time is greater than this value, the Rule is triggered for execution. |
| Last Execution Time | The time when the Rule was last executed. |
| Tag Query Mapping | Tag Queries for selecting Target Devices. The Rule Type checks are executed on the devices in the result set of the Tag Query. |
| Execution Time | If defined, the Rule is executed only at this time. |
| Exclusion Time | The Rule is executed at all times except this time. |
| Category | Inventory Rules can be labelled for later use in your reports or dashboards. There are three built-in categories, but you can define custom categories under Inventory Management → Inventory Settings → Inventory Rule Categories. |
| Status | Enable/Disable the Rule. |

Table 1 Inventory Rule - Basic Settings Definition

Advanced Settings:

The basic settings are enough to execute a rule. With basic settings you can collect information from devices, analyse it and report on it, but you cannot take any action to remediate the anomalies that are found.

The Advanced Settings of an Inventory Rule are used to define remediation actions for any abnormalities found in your environment.


Figure 3 Inventory Rule - Advanced Settings

Advanced Setting Parameters:

| Setting | Explanation |
| --- | --- |
| Service | The NAC server responsible for executing this Rule. |
| Automation Job | The automation job executed on a non-compliant host, i.e. a host for which the Rule Type checks return True. |
| Program/Script Name | Programs or scripts executed on a non-compliant host for which the Rule Type checks return True. |
| Alert (1,2,3) | The alert shown to the user on a host for which the Rule Type checks return True. |
| Agent Execution Interval | How often this Rule is executed by the Agent, if a machine with the Agent installed is in the Tag Query result set. |
| Block Immediately | Trigger blocking immediately without waiting for a response from the user. |
| Block Type | Which blocking is applied to a host for which the Rule Type checks return True. |
| VLAN/ACL Name | Blocking parameter according to the Block Type. |
| Trace Level | Debug options for the execution of the Rule. Debug files can be found on the NAC server under the C:\Program Files\NETCYTE\NAC\Server\log\ directory. The debug file name ends with the Rule Name. |
| Enable Lag Collection | Enables Lag collection. If you execute your Rule only at specific times and some of your hosts may not be available at that time, you may need to enable Lag Collection. Lag collection re-executes the Inventory Rule, at the Lag Collection Interval, on hosts that were not accessible at the regular execution time. |
| Lag Data Collection Interval | The time at which Lag collection is executed. |
| Acceptable Lag Interval | How often the Lag Collection process is executed. |
| Last Lag Collection | Last Lag execution time. |
| Collect On Enumeration | Execute the Inventory Rule right after the enumeration process, even if the execution interval has not elapsed. If a new host matches the Tag Query, the Inventory Rule is applied to it immediately. |
| Block Device On Access Failure | Block the device if it is not accessible during Inventory Rule execution. |
| Show Compliance Analysis Dashboard | Add the Rule result to the Compliance Analysis dashboard. |
| Enable Device Exclusion | You can add another Tag Query to exclude some computers. |

Table 2 Advanced Setting Options

Once you have finished your settings, click the Save button to activate your Rule. If you want the Rule to execute immediately, ensure that the time difference between the current time and the Last Execution Time is greater than the Execution Interval.
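The scheduling fields above (Execution Interval, Last Execution Time, Execution Time, Exclusion Time and Collect On Enumeration) interact, and it helps to see the trigger decision written out. The following is an added illustrative model, not NetCyte's code; it assumes Execution Time and Exclusion Time are time-of-day windows and that an Exclusion Time always overrides the other settings.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

Window = Tuple[time, time]  # assumed shape of Execution Time / Exclusion Time: a start/end time of day

@dataclass
class RuleSchedule:
    """Hypothetical model of the scheduling fields in Table 1 and Table 2 (not NetCyte's code)."""
    execution_interval: timedelta
    last_execution: Optional[datetime] = None
    execution_time: Optional[Window] = None   # if set, the rule runs only inside this window
    exclusion_time: Optional[Window] = None   # the rule never runs inside this window
    collect_on_enumeration: bool = False

def _inside(now: datetime, window: Optional[Window]) -> bool:
    return window is not None and window[0] <= now.time() <= window[1]

def should_execute(s: RuleSchedule, now: datetime, new_host_enumerated: bool = False):
    """Decide whether the rule is triggered at `now`; returns (run, reason)."""
    if _inside(now, s.exclusion_time):                    # Exclusion Time always wins (assumption)
        return False, "inside exclusion time"
    if new_host_enumerated and s.collect_on_enumeration:  # Collect On Enumeration ignores the interval
        return True, "collect on enumeration"
    if s.execution_time is not None and not _inside(now, s.execution_time):
        return False, "outside execution time"
    if s.last_execution is None:
        return True, "never executed"
    if now - s.last_execution > s.execution_interval:     # the Execution Interval condition from Table 1
        return True, "execution interval elapsed"
    return False, "execution interval not elapsed"

def demo() -> dict:
    """Constructed scenario: hourly rule, last run 10:00, only between 08:00 and 18:00, never 12:00-13:00."""
    s = RuleSchedule(execution_interval=timedelta(hours=1),
                     last_execution=datetime(2024, 6, 3, 10, 0),
                     execution_time=(time(8, 0), time(18, 0)),
                     exclusion_time=(time(12, 0), time(13, 0)),
                     collect_on_enumeration=True)
    return {
        "too_early": should_execute(s, datetime(2024, 6, 3, 10, 30)),
        "due":       should_execute(s, datetime(2024, 6, 3, 11, 1)),
        "excluded":  should_execute(s, datetime(2024, 6, 3, 12, 30)),
        "night":     should_execute(s, datetime(2024, 6, 3, 22, 0)),
        "new_host":  should_execute(s, datetime(2024, 6, 3, 10, 30), new_host_enumerated=True),
    }
```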

b.      Analyse Inventory Information

After the Inventory Rules are executed, information about your devices is stored in designated tables in the database. To view the information collected by Inventory Rules, go to Inventory Management → Inventory Information. Log types are classified by the Rule Type in your Inventory Rule.


Figure 4 Sample Inventory Information View


c.       View Active non-compliant Client

Active non-compliant devices, i.e. devices that do not satisfy your Inventory Rules, are listed under the Inventory Management → Inventory Rules → Rule-Based Active Alerts menu.


Figure 5 Active non-compliant Device List

This list is managed dynamically by the system. If the reason for non-compliance is removed on the client, the system automatically removes the entry from this screen. For example, suppose you are checking the Windows Update service and one of your client devices is outdated: the system automatically creates a violation entry in this list. Once you update the client, the system automatically removes the entry, because every 2 minutes the system checks whether the violation persists; if it does not, the entry is deleted automatically from this list.

To view historical violations of your Inventory Rules, navigate to Visualisation and Analysis → Compliance Analysis. Please note that Inventory Rules for which "Show Compliance Analysis Dashboard" is not enabled will not be shown here.


Figure 6 Compliance Analysis


3.      Sample Rule Definition

In this section, we create an Inventory Rule that checks whether the Windows Defender update status is older than ten days, or whether the Windows Defender service is not running.

Create Rule: Find the Rule Type Windows Defender Analysis and add it to the Rule Type list. If the Rule Type requires conditions, the system asks you to fill in the required parameters. Below, we define the difference in days as ten days, and we do not check any version information.


Figure 7 Define Rule Condition

After defining the condition, you need to set the Rule settings. You need to define the Name, Execution Interval and Tag Query for the Rule and save it.


Figure 8 Sample Rule Settings

After saving your Rule, it is executed based on your Execution Interval and Last Execution Time settings. Once your Rule has run, you can find the inventory information under Inventory Management → Inventory Information → Antivirus Analysis → MS Defender AV Status.


Figure 9 Sample AV Check Result

As you can see from the list, some of our clients are in a healthy state and some are not.
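To make the sample rule's logic concrete, here is an added model (not NetCyte's code) of how a compound Rule Type (OR of two checks, as in section 3) is evaluated over collected inventory records, and how the Rule-Based Active Alerts list from section b changes after the periodic re-check. The record fields, the reading of "difference days" as signature age, and the host names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Set

@dataclass
class DefenderRecord:
    """Constructed inventory record: fields assumed to be collected per host by Windows Defender Analysis."""
    host: str
    signatures_updated: datetime
    service_running: bool

# A check returns True when the host is NON-compliant (the positive result that triggers an action).
Check = Callable[[DefenderRecord, datetime], bool]

def signatures_older_than(days: int) -> Check:
    """The sample rule's 'difference days' parameter, assumed to mean signature age in days."""
    return lambda rec, now: now - rec.signatures_updated > timedelta(days=days)

def service_not_running(rec: DefenderRecord, now: datetime) -> bool:
    return not rec.service_running

def any_of(*checks: Check) -> Check:   # OR conjunction of Rule Types
    return lambda rec, now: any(c(rec, now) for c in checks)

def all_of(*checks: Check) -> Check:   # AND conjunction of Rule Types
    return lambda rec, now: all(c(rec, now) for c in checks)

# The sample rule of section 3: signatures older than ten days OR the Defender service not working.
SAMPLE_RULE = any_of(signatures_older_than(10), service_not_running)

def evaluate(rule: Check, records: Iterable[DefenderRecord], now: datetime) -> List[str]:
    """Hosts for which the (compound) Rule Type returned True, i.e. the non-compliant hosts."""
    return sorted(r.host for r in records if rule(r, now))

def refresh_active_alerts(active: Set[str], noncompliant_now: Iterable[str]):
    """Model of the Rule-Based Active Alerts list after one re-check: (new list, added, cleared)."""
    current = set(noncompliant_now)
    return current, current - active, active - current

def demo():
    now = datetime(2024, 6, 3, 12, 0)
    hosts = [  # constructed sample data
        DefenderRecord("pc-01", now - timedelta(days=2), True),    # healthy
        DefenderRecord("pc-02", now - timedelta(days=12), True),   # stale signatures
        DefenderRecord("pc-03", now - timedelta(days=1), False),   # service stopped
    ]
    first = evaluate(SAMPLE_RULE, hosts, now)
    hosts[1].signatures_updated = now                   # pc-02 is updated before the 2-minute re-check
    second = evaluate(SAMPLE_RULE, hosts, now + timedelta(minutes=2))
    active, added, cleared = refresh_active_alerts(set(first), second)
    return first, second, sorted(active), sorted(added), sorted(cleared)
```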
