I've been testing the JSM Cloud Insight discovery and reporting capabilities in anticipation of introducing Insight to a group of ~22,000 users across more than 35 technical divisions. So far I have the discovery automated and integrated with the cloud, and next I'm going to incorporate Nmap and Npcap data streams into the import files to get beyond SSH and SNMP limitations. I intend to do this either through (1) XSLT direct injection or (2) building an app with the SDK (documentation shows this is supported for Data Center, no word on Cloud). The example use case described below is what I'm using as the demo, first with a Wintel device, then a Mac.
Challenge - View an entire set of digital assets and configurations as a living organism, with enough information to identify when a breach condition exists and raise that event or set of events as an incident in JSM Cloud.
Context - Ferreck Dawn is a new HR employee, working remote. She is sent a set of company devices with the standard HR configuration build for her iPhone and Windows 11 devices. She logs into the VPN from her home Wi-Fi without issue and goes about her onboarding activities. The next time she logs into the VPN she is at her remote colocation office and has attached a USB device sent to her from an approved HR vendor. The second login triggers an incident on the Windows 11 device and does not impact the iPhone.
Action - At pre-defined time horizons (hourly) or network events (remote login to VPN) the discovery, Nmap, and Npcap processes activate and catalog the network data streams and asset inventories. Objects that are found as newly introduced into the environment are sent to a set of automated security admin conditions to determine if an incident is initiated. Her initial login from home successfully traversed all conditions. Her subsequent login from the remote office triggered an "Unknown USB Device" incident. Scanning is initiated automatically from the incident, and network access is initially restricted pending the scan results.
Result - Proactive incident management and threat detection, integrated views of asset and packet data within a single ticket, automated incident triage and network restrictions when appropriate.
I have the hosts and settings XML files from scans I've run with the standard pattern files on a Wintel device. I'm starting to work on including the Nmap and Npcap streams as direct injection into the scan XML files the discovery agent generated, using only the pre-defined Insight object definitions for now. This is what I see as the easiest path to get a working demo in place.
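As an added illustration of the "newly introduced objects" step in the Action paragraph and of turning an nmap XML stream into asset records for the import, here is example code that is not from the original post or from Atlassian: it parses the standard `nmap -oX` format into neutral asset records and diffs a current scan against a baseline scan. The two XML documents and the hosts in them are constructed samples; the Insight import schema is deliberately not assumed, so the records would still need mapping onto the object definitions in use.

```python
"""Parse nmap -oX output into asset records and flag objects new since a baseline scan."""
import xml.etree.ElementTree as ET

# Constructed sample nmap XML (hypothetical hosts, not from a real scan).
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="hr-win11-01"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="hr-win11-01"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
<hostnames/><ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>"""


def parse_nmap(xml_text):
    """Return {ip: {"hostname": str|None, "ports": {(proto, port): service}}} for hosts that are up."""
    assets = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down/filtered hosts carry no asset state worth importing
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        ports = {}
        for p in host.findall("ports/port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                svc = p.find("service")
                ports[(p.get("protocol"), int(p.get("portid")))] = svc.get("name") if svc is not None else None
        assets[addr.get("addr")] = {"hostname": hn.get("name") if hn is not None else None, "ports": ports}
    return assets


def new_objects(baseline, current):
    """List objects present in the current scan but not the baseline: whole hosts, or new open ports on known hosts.
    These are the candidates to hand to the automated incident conditions."""
    findings = []
    for ip, asset in current.items():
        if ip not in baseline:
            findings.append(("new_host", ip, asset["hostname"]))
            continue
        for key, svc in asset["ports"].items():
            if key not in baseline[ip]["ports"]:
                findings.append(("new_port", ip, f"{key[0]}/{key[1]} {svc}"))
    return findings
```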
I'll update this thread as I get further into the details. If you have a complete XML structure that works with Cloud, in case it's different than what's in the Data Center documentation, I could use that. I have no idea if the Data Center import types as documented will work with JSM Cloud.