Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Using Atlassian Insight for digital asset management

Jason Green December 29, 2021

I've been testing the jsm cloud insight discovery and reporting capabilities in anticipation of introducing insight to a group of ~22,000 users across more than 35 technical divisions.  So far I have the discovery automated and integrated with the cloud, and next I'm going to incorporate nmap and npcap data streams into the import files to get beyond ssh and snmp limitations.  I intend to do this either through 1. xslt direct injection or 2. building an app with the sdk (documentation shows this is supported for data center, no word on cloud).  The example use case described below is what I'm using as the demo, first with a wintel device then a mac.

Challenge - View an entire set of digital assets and configurations as a living organism, with enough information to identify when a breach condition exists and raises that event or set of events as an incident in jsm cloud.

Context - Ferreck Dawn is a new hr employee, working remote.  She is sent a set of company devices with the standard hr configuration build for her iphone and windows 11 devices.  She logs into the vpn from her home wifi without issue and goes about her onboarding activities.  The next time she logs into the vpn she is at her remote colocation office and has attached a usb device sent to her from an approved hr vendor.  The second login triggers an incident on the Windows 11 device and does not impact the iPhone.

Action - At pre-defined time horizons (hourly) or network events (remote login to vpn) the discovery, nmap, and npcap processes activate and catalog the network data streams and asset inventories.  Objects that are found as newly introduced into the environment are sent to a set of automated security admin conditions to determine if an incident is initiated.  Her initial login from home successfully traversed all conditions.  Her subsequent login from the remote office triggered an "Unknown USB Device" incident.  Scanning is initiated automatically from the incident and network access is initially restricted pending the scan results.

Result - Proactive incident management and threat detection, integrated views of asset and packet data within a single ticket, automated incident triage and network restrictions when appropriate.

I have the hosts and settings xml files from scans I've run with the standard pattern files on a wintel device.  I'm starting to work on including the nmap and npcap streams as direct injection into the scan xml files the discovery agent generated using only the pre-defined Insight object definitions for now.  This is what I see as the easiest path to get a working demo in place.

I'll update this thread as I get further into the details.  If you have a complete xml structure that works with cloud, in case it's different than what's in the data center documentation, I could use that.  I have no idea if the data center import types as documented will work with jsm cloud.

1 comment

Jason Green January 4, 2022

With nmap I access the assets I want by scanning the network segments.  While this provides a wide lens across segments, I'm still using Powershell to access device specific information, with mfa enabled including one time passwords, for security purposes.  Here's the ps cmd as admin to get the drive info into xml:

Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match 'USBSTOR' } | ConvertTo-JSON | Out-File "\\path\filename.xml"

This xml is easily converted using an xslt into the jsd insight import format to log the scan and detailed host device information. 

Next steps, I need to add a way to scan the device for malware and start figuring out how to integrate npcap streams into the incident.  I'm also going to explore if it's possible to assign the asset to a honeypot network segment during the vpn handshake so that the team can work an identified threat in real-time without concern about propagating the infection.

For those that want to eliminate the exposure (depends on how flexible you want to be), include a log entry in the xlst after executing an auto disable of the device prior to connecting to the vpn, admin required for this cmd to function properly:

| ForEach-Object { $_ | Disable-Pnpdevice -confirm:$false }


Log in or Sign up to comment
AUG Leaders

Atlassian Community Events