Host Discovery Policy with ZeroNorth™

This article describes the procedure for setting up an automated host-discovery scan in ZeroNorth. Once set up, you can use this procedure to:

  • Discover your currently exposed hosts.
  • Review the discovered hosts.
  • Baseline the initially discovered set.
  • Receive notifications about newly discovered hosts.

Part 1: The Initial Scan

We first create the necessary Policy and then perform the initial scan. The basic steps are:

  1. Ensure that the nmap-host-discovery Scenario is activated.
  2. Create an Integration of Type “Custom”.
  3. Define a Target for the desired subnet that is Class C (/24) or smaller.
  4. Create a Policy that configures scanning the Target subnet with the nmap-host-discovery Scenario.
  5. Run the scan.

The below sections describe each step in detail.

1) Activate the nmap-host-discovery Scenario

  1. Go to zn ADM > Scenarios.
  2. Locate Nmap in the list of Products and then click on +Add Scenario in the bottom right.
  3. In the Scenario screen, enter a Name.
  4. Select “nmap-host-discovery” for the Product Configuration.
  5. Click on Save.

2) Create the Integration (type “Custom”)

If you’ve been using ZeroNorth, you might already have a Custom type Integration that you can use. If not, create a new one:

  1. Go to zn ADM > Integrations > +Add Integration.
  2. Enter a Name and a Description.
  3. Leave Scan Execution as “ZeroNorth (hosted, default)”.
  4. Select Type “Custom”.
  5. Leave Discovery Subnet blank. This information is used for auto-creation of Targets, which is a different use case.

3) Create the Target Pointing to the Desired Subnet

  1. Go to zn OPS > Targets > +Add Target.
  2. Enter a Name.
  3. Select Target Type “Custom”.
  4. Select the Integration created in Step 2.
  5. Enter the IP address range as x.x.x.x/y. It must specify a Class C (/24) or smaller scope.
  6. Click on Save.

4) Create the Policy

Putting it all together:

  1. Go to zn OPS > Policies > +Add Policy.
  2. Enter a Name and Description for your policy.
  3. Select the Target Type “Custom”.
  4. Select the Integration you created in Step 2.
  5. Select the Target you created in Step 3.
  6. Select the nmap-host-discovery Scenario you activated in Step 1.
  7. Leave Schedule unchecked (we will do this in Part 2).
  8. Click on Save.

5) Run the Initial Scan

  1. Go to zn OPS > Policies to view the new Policy.
  2. Click on and then select Run Now to run the initial scan. Depending on the size of the subnet you specified, the scan can take anywhere from seconds to minutes.

Part 2: Set up Alerts and Schedule the Scan

In this section, we review the initial scan results, set up notifications, and then automate the scan. The basic steps are:

  1. Review/baseline the initial scan results.
  2. Set up Alerts and Notifications.
  3. Schedule the Policy.

The below sections describe each step in detail.

1) Review the Initial Results

Go to zn OPS > Policies and locate the Policy. Click on and then select View Scan Issues. ZeroNorth will display a window like:

Review the list of discovered hosts. Take care of any adjustments and corrections you must make to your network. When ready, run the scan again. The new list of discovered hosts is your baseline. The baseline list of hosts is important, because in the next step, we will set up alerts for any changes.

2) Set Up Alerts and Notifications

Because the nmap-host-discovery scanner reports hosts as “Informational”, by default it will not generate Alerts. Therefore, we force Alerts on any new host discoveries.

  1. Go to zn OPS > Rules > +Add Ruleset.
  2. Enter a Name and Description.
  3. Select Action type “alert” (the default).
  4. For the Rules fields, select “policyId”, “=”, and then the ID of the Policy from above (see this article for instructions on obtaining the Policy ID).
  5. Click Save Ruleset.

The above step forces an Alert to be generated for the Informational issues for host discoveries. We now need to set up one or more Notifications to direct those Alerts.

  1. Go to zn OPS > Targets, and then click on the Target you created above.
  2. Select Severity Levels “All:…”.
  3. Add the desired Notifications (see the article "Set Up Notifications About a Target-level Issue" for details).
  4. Click on Save.

3) Schedule the Policy

The final step is to schedule the host discovery policy:

  1. Go to zn OPS > Policies and locate the Policy.
  2. Click on and then select Edit.
  3. In the Policy edit screen, scroll down to the Schedule section.
  4. Check the Schedule checkbox and then specify the schedule in the UTC time zone.

The Policy will run on the set schedule and will send notifications of new host discoveries, host changes, or hosts down.
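The two checks that this procedure relies on are the Target scope rule from Part 1 (the range must be a /24 or smaller) and the baseline comparison from Part 2 (which hosts are new, changed, or down since the baseline scan). The following Python script is an added example that is not part of this article or of ZeroNorth's own code: it validates a CIDR against the /24 rule and diffs two constructed samples of nmap "grepable" ping-scan output (`nmap -sn -oG`) into the same three categories the scheduled Policy notifies on. The sample scan text, the host names and the `192.0.2.0/24` documentation range are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of nmap grepable (-oG) output from a ping scan (-sn),
# standing in for the baseline run described in Part 2, step 1.
BASELINE_SCAN = """\
# Nmap scan initiated as: nmap -sn -oG - 192.0.2.0/24
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.11 (db01.example.test)\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Constructed sample of a later scheduled run: one host gone, one new host,
# and one host whose reverse-DNS name changed.
NEW_SCAN = """\
# Nmap scan initiated as: nmap -sn -oG - 192.0.2.0/24
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.12 (printer.example.test)\tStatus: Up
Host: 192.0.2.200 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# "Host: <ip> (<name or empty>)  Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def target_in_scope(cidr: str, smallest_prefix: int = 24) -> bool:
    """True if the Target range is an IPv4 Class C (/24) or smaller scope,
    which is what the Target step in Part 1 requires."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen >= smallest_prefix


def parse_grepable(text: str) -> Dict[str, str]:
    """Map IP address -> reported host name (possibly empty) for hosts that
    nmap reported as Up. Comment lines and Down hosts are ignored."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def diff_hosts(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the change between a baseline scan and a later scan into the
    three events the article's scheduled Policy notifies on."""
    base_ips, cur_ips = set(baseline), set(current)
    return {
        "new": sorted(cur_ips - base_ips),
        "down": sorted(base_ips - cur_ips),
        "changed": sorted(ip for ip in base_ips & cur_ips if baseline[ip] != current[ip]),
    }


if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "192.0.2.128/25", "10.0.0.0/16"):
        print(f"{cidr}: {'ok' if target_in_scope(cidr) else 'too large for a host-discovery Target'}")
    report = diff_hosts(parse_grepable(BASELINE_SCAN), parse_grepable(NEW_SCAN))
    for kind, ips in report.items():
        print(f"{kind}: {', '.join(ips) or '-'}")
```

Running the script with the constructed samples reports `192.0.2.200` as new, `192.0.2.11` as down, and `192.0.2.12` as changed (its name moved from empty to `printer.example.test`); the same three buckets are what you would expect the Target-level Notifications to carry once the Policy is scheduled. Any range wider than a /24, such as `10.0.0.0/16`, is rejected before it reaches the scanner.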