Hosts can be marked as key assets within the Vectra UI, on the individual host page for a given host. Marking hosts as key assets helps customers put a spotlight on the hosts that hold the highest-value assets. Once a host is marked as a key asset, the Vectra platform UI behaves differently in the following ways:
- Key assets can be filtered on the “All Hosts” page with one click
- Detections on key assets can be viewed by filtering on key assets on the “All Detections” page
- Key assets with detections in the last 24 hours show up in a distinct section in the top right of the dashboard
- Enabling host notification generates an email alert for detections on key assets regardless of host score. In comparison, for regular hosts, host notification alerts are only generated when the host score exceeds the user-defined threat and certainty scores
Key asset functionality was extended in release 3.5 to encompass hosts that are targeting key assets. This allows customers to know and take action when other hosts in their network are targeting key assets with detections. This includes:
- Reports not only include information on key assets with detections, but also hosts that are targeting key assets with detections.
- For hosts and detections targeting key assets, the individual host and detection pages display the key asset(s) being targeted by those hosts or detections.
- Filtering on key assets on the “All Hosts” page now also shows hosts with detections targeting key assets. These hosts are shown with a different icon from key assets, to distinguish the key assets from the hosts targeting them.
- As with the “All Hosts” page, filtering on key assets on the “All Detections” page now shows detections targeting key assets.
- The key asset section of the dashboard shows all hosts that have had detections in the past 24 hours targeting any key assets
- Enabling host email notification will now also generate email alerts for hosts targeting key assets
Vectra syslog output also identifies key assets via attributes:
- Host scoring syslog messages for key assets will have the attribute “sourceKeyAsset” as “True”
- Host scoring syslog messages for hosts targeting key assets will have “destKeyAsset” as “True”
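
The two syslog attributes above can drive triage on the receiving side. The following is an added example, not Vectra code: only the attribute names and the “True” value come from this page, while the message layout (key=value or JSON), the sample lines and the function names are assumptions made for illustration.

```python
import re

# Only the attribute names and the "True" value come from the page; the
# surrounding message layout (key=value or JSON) is an assumption.
_ATTR = re.compile(
    r'\b(sourceKeyAsset|destKeyAsset)"?\s*[=:]\s*"?((?i:true|false))\b'
)
_LABELS = {"sourceKeyAsset": "key_asset", "destKeyAsset": "targeting_key_asset"}

# Constructed sample messages, not real Vectra output.
SAMPLE = [
    "<13>Jan 01 00:00:00 sensor scoring: host=db01.example.test threat=12 "
    "certainty=20 sourceKeyAsset=True destKeyAsset=False",
    "<13>Jan 01 00:00:05 sensor scoring: host=wks-17.example.test threat=40 "
    "certainty=35 sourceKeyAsset=False destKeyAsset=True",
    "<13>Jan 01 00:00:09 sensor scoring: host=wks-22.example.test threat=10 "
    "certainty=10 sourceKeyAsset=False destKeyAsset=False",
    '{"host": "wks-30.example.test", "sourceKeyAsset": "False", '
    '"destKeyAsset": "True"}',
]


def classify(message):
    """Return a tuple of labels for one host scoring message.

    A host can be both a key asset and a host targeting another key asset,
    so both labels may be returned.
    """
    seen = {name: value.lower() == "true" for name, value in _ATTR.findall(message)}
    return tuple(label for name, label in _LABELS.items() if seen.get(name))


def triage(lines):
    """Keep messages about key assets or hosts targeting them.

    The host score is deliberately ignored, mirroring the email notification
    behaviour described for key assets.
    """
    return [(labels, line) for line in lines if (labels := classify(line))]


if __name__ == "__main__":
    for labels, line in triage(SAMPLE):
        print(",".join(labels), "|", line)
```
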