Using Atlassian Insight for digital asset management

I've been testing the JSM Cloud Insight discovery and reporting capabilities in anticipation of introducing Insight to a group of ~22,000 users across more than 35 technical divisions.  So far I have the discovery automated and integrated with the cloud, and next I'm going to incorporate nmap and npcap data streams into the import files to get beyond the SSH and SNMP limitations.  I intend to do this either through 1. XSLT direct injection or 2. building an app with the SDK (the documentation shows this is supported for Data Center, no word on Cloud).  The example use case described below is what I'm using as the demo, first with a Wintel device, then a Mac.

Challenge - View an entire set of digital assets and configurations as a living organism, with enough information to identify when a breach condition exists, and raise that event or set of events as an incident in JSM Cloud.

Context - Ferreck Dawn is a new HR employee, working remotely.  She is sent a set of company devices with the standard HR configuration build for her iPhone and Windows 11 devices.  She logs into the VPN from her home Wi-Fi without issue and goes about her onboarding activities.  The next time she logs into the VPN she is at her remote colocation office and has attached a USB device sent to her from an approved HR vendor.  The second login triggers an incident on the Windows 11 device and does not impact the iPhone.

Action - At pre-defined time horizons (hourly) or network events (remote login to the VPN), the discovery, nmap, and npcap processes activate and catalog the network data streams and asset inventories.  Objects found to be newly introduced into the environment are sent through a set of automated security admin conditions to determine whether an incident is initiated.  Her initial login from home successfully traversed all conditions.  Her subsequent login from the remote office triggered an "Unknown USB Device" incident.  Scanning is initiated automatically from the incident, and network access is initially restricted pending the scan results.

Result - Proactive incident management and threat detection, integrated views of asset and packet data within a single ticket, automated incident triage and network restrictions when appropriate.

I have the hosts and settings XML files from scans I've run with the standard pattern files on a Wintel device.  I'm starting to work on including the nmap and npcap streams as direct injection into the scan XML files the discovery agent generated, using only the pre-defined Insight object definitions for now.  This is what I see as the easiest path to get a working demo in place.

I'll update this thread as I get further into the details.  If you have a complete XML structure that works with Cloud, in case it's different from what's in the Data Center documentation, I could use that.  I have no idea whether the Data Center import types as documented will work with JSM Cloud.

1 comment

With nmap I access the assets I want by scanning the network segments.  While this provides a wide lens across segments, I'm still using PowerShell to access device-specific information, with MFA enabled including one-time passwords, for security purposes.  Here's the PowerShell command (run as admin) to get the drive info into XML:

# Run in an elevated session. ConvertTo-Xml emits real XML that an XSLT can consume;
# ConvertTo-Json would write JSON into the .xml file and the stylesheet would fail.
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match 'USBSTOR' } | ConvertTo-Xml -As String -NoTypeInformation | Out-File "\\path\filename.xml"

This XML is easily converted using an XSLT into the JSD Insight import format to log the scan and the detailed host device information.

Next steps: I need to add a way to scan the device for malware and start figuring out how to integrate npcap streams into the incident.  I'm also going to explore whether it's possible to assign the asset to a honeypot network segment during the VPN handshake, so that the team can work an identified threat in real time without concern about propagating the infection.

For those who want to eliminate the exposure (depends on how flexible you want to be), include a log entry in the XSLT after executing an auto-disable of the device prior to connecting to the VPN.  Admin rights are required for this command to function properly:

# Run in an elevated session; disables every present USB mass-storage device.
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match 'USBSTOR' } | ForEach-Object { $_ | Disable-PnpDevice -Confirm:$false }
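The post describes a baseline-then-diff workflow (the standard build is enumerated on first login; a drive that shows up later raises "Unknown USB Device"), and the comment shows the enumeration and disable commands separately. The script below is an added example, not the original poster's or commenter's code and not Atlassian's import format: it records the approved USBSTOR instance IDs on the freshly built device, compares the currently attached set against that baseline on later runs, writes the result as escaped XML for an XSLT to transform, and optionally disables anything unknown. The baseline path, output path, XML element names and parameter names are this example's own assumptions.

```powershell
# Added example (not from the post): baseline approved USB storage devices,
# diff the present set against the baseline, emit XML for an XSLT, and
# optionally quarantine unknown drives. Paths and element names are assumed.
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\UsbBaseline.json",  # assumed location
    [string]$OutputPath   = "$env:ProgramData\usb-scan.xml",      # assumed location
    [switch]$RecordBaseline,   # run once on the standard-build device
    [switch]$DisableUnknown    # disable unknown drives; needs an elevated session
)

# Present USB mass-storage devices, same filter the comment uses.
$present = @(Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -match 'USBSTOR' } |
    Select-Object InstanceId, FriendlyName, Status)

if ($RecordBaseline) {
    $ids = @($present | ForEach-Object { $_.InstanceId })
    ConvertTo-Json -InputObject $ids | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Verbose "Recorded $($ids.Count) approved device(s) to $BaselinePath"
    return
}

$approved = @()
if (Test-Path -Path $BaselinePath) {
    $approved = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
}

# Anything attached now that was not in the baseline is "unknown".
$unknown = @($present | Where-Object { $approved -notcontains $_.InstanceId })

# Build the XML with System.Xml so attribute values are escaped correctly
# (FriendlyName can contain '&' or '<'). Element names are illustrative.
$doc  = New-Object System.Xml.XmlDocument
$root = $doc.AppendChild($doc.CreateElement('UsbScan'))
$root.SetAttribute('host', $env:COMPUTERNAME)
$root.SetAttribute('scannedAt', (Get-Date).ToString('o'))
foreach ($d in $present) {
    $el = $root.AppendChild($doc.CreateElement('Device'))
    $el.SetAttribute('instanceId', [string]$d.InstanceId)
    $el.SetAttribute('name',       [string]$d.FriendlyName)
    $el.SetAttribute('status',     [string]$d.Status)
    $el.SetAttribute('known',      [string]($approved -contains $d.InstanceId))
}
$doc.Save($OutputPath)

if ($unknown.Count -gt 0) {
    Write-Warning "Unknown USB Device: $(($unknown | ForEach-Object { $_.InstanceId }) -join ', ')"
    if ($DisableUnknown) {
        # Disable-PnpDevice requires admin rights, as the comment notes.
        $unknown | ForEach-Object { Disable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false }
    }
    exit 1   # non-zero so a VPN or scheduled-task hook can raise the incident
}
exit 0
```

Run it once with `-RecordBaseline` on the device as shipped, then from the hourly task or VPN login hook without that switch; the exit code tells the caller whether to open the incident, and the XML in `$OutputPath` is what the XSLT step reads. Only devices that were absent from the baseline are disabled, so the approved build's own drives keep working.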
