Upload
tranthuan
View
218
Download
0
Embed Size (px)
Citation preview
© 2018 RapidFire Tools, Inc. All rights reserved. V20180112
Detector Service Delivery System (SDS)
Version 3.0
Detecting and Responding to
IT Security Policy Violations
User Guide
Network Detective™ Detector – User Guide
1
Contents Overview of Detector .................................................................................................................................... 5
Purpose of this Guide .................................................................................................................................... 7
Components of the Stand-Alone Detector and Detector SDS ...................................................................... 7
Detector Appliance ............................................................................................................................... 7
Diagnostic Tool ...................................................................................................................................... 7
Network Detective Application ............................................................................................................. 7
The Network Detective Service Plan Creator and the Service Catalog ................................................. 7
The Network Detective Portal............................................................................................................... 8
Portal Integration with Ticketing Systems/PSAs ................................................................................... 8
Detector Deployment Options ...................................................................................................................... 9
Detector System Requirements .................................................................................................................... 9
General Overview of Detector SDS Use and Operation ................................................................................ 9
Defining the Detector Security Policy Violation Detection, Scanning, and Alerting Settings ..................... 10
Setting Up Detector .................................................................................................................................... 11
Step 1 - Initial Set Up of the Detector Appliance .................................................................................... 11
Step 2 - Associate Detector with a Site and Access Detector Settings ................................................... 11
Step 3 - Set Up the Detector Scan Host and Scan Configuration ............................................................ 12
Step 4 - Schedule Scans, Daily Alert Notifications, and Weekly Notices ................................................ 14
Step 5 - Configure Technician Email Group ............................................................................................ 14
Step 6 - Set Up Subject Text for End User and Email Tech Alert Notification Emails ............................. 16
Step 7 - Assign Security Policies for Policy Violation Detection and Alerting ......................................... 17
Step 8 - Set Up Weekly Notice Notification Recipients .......................................................................... 19
Step 9 - Run Scan to Perform Initial Data Collection .............................................................................. 20
Step 10 - Download Detector Initial Data Collection Scan Data ............................................................. 20
Step 11 - Set up Smart-Tags (optional) ................................................................................................... 21
Step 12 - Set Up Ticketing/PSA System Integrations (Optional) ............................................................. 22
Security Policy Violation Alert Notification Rule Actions ............................................................................ 23
Detector SDS Alert Response Action Workflow Processes ......................................................................... 23
Using the Detector ND Portal to Process Investigate and Ignore Action Requests .................................... 24
Workflow Used to Automatically Create a Ticket from an Alert ............................................................ 24
Workflow Used to Process Security Policy Violation Alert Investigation Requests ................................ 25
Network Detective™ Detector – User Guide
2
Workflow Used by an End User to Request an Investigation of an Alert ............................................... 27
Workflow Used by an End User to Request that an Alert be Ignored .................................................... 29
Workflow Steps to Process an Alert Ignore Request Sent to MSP Technicians by an End User ............ 30
Responding to Ignore Request Notification Emails ............................................................................ 31
Using the ND Portal to View and Process To Do Items and Alerts. ............................................................ 34
Accessing and Logging into the ND Portal .............................................................................................. 34
Using the ND Portal To Do List ................................................................................................................ 34
Accessing the ND Portal to Use the Alert Queue List ............................................................................. 35
Using the ND Portal Alert Queue ............................................................................................................ 35
Alert Item Statuses .................................................................................................................................. 36
Filtering the Alert Queue to View Alerts by Status ............................................................................. 36
Creating To Do Items from Alerts Listed in the Alert Queue .................................................................. 37
Reverting Completed Alerts Back to the To Do Item List ....................................................................... 38
End User Security Policy Violation Alert Notifications ................................................................................ 40
Setting Up End User Alert Notifications .................................................................................................. 40
Provisioning Additional Detector Appliances for Deployment ................................................................... 43
Provisioning Additional Detector Legacy Appliances for Deployment ....................................................... 44
Managing and Deleting “Ignore” Alert Rules .............................................................................................. 45
Setting up Automatic Report Generation Using the Reporter Appliance ................................................... 46
Step 1 – Set up a Connector for the Site ................................................................................................. 46
Step 2 – Associate a Reporter with the Site ............................................................................................ 47
Step 3 – Set the Detector Scan to Upload the Scan Data to Reporter .................................................... 48
Step 4 – Set up Reporter to Automatically Generate Reports ................................................................ 48
Appendix A - Sample Daily Alerts and Weekly Notices ............................................................................... 49
Sample Tech Alert ................................................................................................................................... 49
Sample End User Alert ............................................................................................................................ 49
Sample Weekly Notice ............................................................................................................................ 50
Appendix B – Set Up of Smart-Tags ............................................................................................................ 51
Assigning Smart Tags to Change Events that Refine Alerts and Notices ................................................ 52
Examples of Smart Tag Use ................................................................................................................. 55
Warning Concerning the Removal of a Detector Appliance from a Site ............................................ 55
Network Detective™ Detector – User Guide
3
Backing Up Smart Tags for Reuse ....................................................................................................... 55
Adding and Configuring Smart Tags .................................................................................................... 56
Deleting Smart Tags ............................................................................................................................ 61
Appendix C – Saving and Reusing Smart Tags through Export and Import ................................................ 62
Steps to Export and Save Smart Tags for Later Use ............................................................................ 62
Steps to Import Smart Tags for into your Site for Use with Detector................................................. 64
Appendix D – Using the Service Plan Creator ............................................................................................. 66
Service Plan Creator Use Cases ............................................................................................................... 66
Creating Service Plans and Service Catalogs ........................................................................................... 67
Step 1 – Create a New Service Plan .................................................................................................... 67
Step 2 – Assign Security Policies to Your Service Plan ........................................................................ 68
Step 3 – Defining Reports Deliverables to be Included in the Service Plan ........................................ 69
Step 4 – Creating a Service Catalog..................................................................................................... 71
Generating a Service Catalog Document ................................................................................................ 73
Generating a Service Plan Matrix Document .......................................................................................... 75
Generating a Sample Master Services Agreement for a Service Plan .................................................... 77
Managing Service Plans .......................................................................................................................... 80
Modifying a Plan ................................................................................................................................. 80
Deleting a Plan .................................................................................................................................... 81
Managing Service Catalogs ......................................................................................................................... 83
Modifying a Catalog ............................................................................................................................ 83
Deleting (excluding) Service Plans from a Catalog .............................................................................. 84
Adding Service Plans to a Catalog ....................................................................................................... 85
Removing (deleting) a Service Catalog from the List of Catalogs ....................................................... 86
Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS .......... 87
Appendix F – Set Up ND Portal Branding (Detector SDS Only) ................................................................... 92
Appendix G – Set Up a Custom Subdomain to Access the ND Portal (Detector SDS Only) ........................ 94
Appendix H – Set Up Custom SMTP Server Support (Detector SDS Only) .................................................. 96
Appendix I – Setting up a ConnectWise Integrator Login ID ....................................................................... 98
Setting up an “Integrator Login” in ConnectWise ................................................................................... 98
Appendix J – Setting up a Network Detective to ConnectWise REST API Integration ................................ 99
Network Detective™ Detector – User Guide
4
Step 1 – Download and Install the ConnectWise Manage Internet Client Application ..................... 99
Step 2 – Select the ConnectWise Ticket System API Member Account to Integrate with Network
Detective ............................................................................................................................................. 99
Step 3 – Create an API Key in the ConnectWise Ticketing System ..................................................... 99
Step 4 – Configure Service Tables in ConnectWise ........................................................................... 100
Appendix K – Default Detector SDS Service Plans .................................................................................... 102
Appendix L – Additional Scan Host Configuration Options and Requirements ........................................ 104
Scan Host Requirements ....................................................................................................................... 104
Assigning Scan Hosts ............................................................................................................................. 104
Assigning Scan Hosts within a Workgroup ........................................................................................ 105
Network Detective™ Detector – User Guide
5
Overview of Detector
Detector prowls an entire network each day at whatever time you determine and then sends out daily Security Policy violation notification alerts to notify you of any suspicious issues it discovers.
And, for Detector Service Delivery System (SDS) subscribers, each discovered issue listed in a Security Policy Violation Alert contains an “Alert Link” that is a part of an automated process flow to enable your technicians to “Investigate” or “Ignore” the Alert item using the Network Detective (ND) Portal.
Clicking on any of these Alert Links in the Violation Alert Notification Email will take you to the ND Portal. In the Portal you can:
• review the issue’s forensics
• automatically generate a service ticket in your favorite Ticketing System/PSA
• configure a Detector Smart-Tag or an Ignore Rule to ignore the alert and prevent the same “false-positive” from being generated again in the future
Throughout the day, the Detector Appliance can perform scheduled IT assessment scans then issue
network change related Security Policy Violation Alerts on a Daily basis and Weekly Notices after
Anomalies, Changes, or Threats (ACT) have been identified on the network.
Each time Detector executes a pre-scheduled scan, it’s on the look-out for three classifications of internal network security issues: Anomalies, Changes, and Threats.
Anomalies are suspicious activities and findings that are out of the ordinary and unexpected and that should be investigated. Examples of anomalies are users logging in at times outside their historical patterns, or a USB drive plugged into a computer that has been tagged as being "locked down."
Changes are recorded variances from previous scans linked to specific aspects of the network environment that could represent a threat. Examples of suspicious changes are a user’s security permission promoted to administrative, or a new device added to the network that wasn’t there before.
Threats are defined as clear and recognizable dangers to the network environment that need fast attention. Examples of threats would be a critical security hole or a machine in the "DMZ" that hasn’t been patched in 30 days.
Detector Daily Alert
Network Detective™ Detector – User Guide
6
Every day Detector looks at a broad range of assets and configurations in search of anomalies, changes and threats, including: Wireless Networks, Network Devices, User Behavior, Computers, Printers, DNS entries, Switch Port Connections (Layer 2/3), and Internal Network Vulnerabilities. It also looks at issues specifically for environments subject to HIPAA and PCI compliance.
And, on a weekly basis, Detector will also notify you of changes in the large categories of: Access Control, Computer Security, Wireless Access, and Network Security.
Please note that throughout this guide you may see references to both “stand-alone” Detector and Detector SDS. Depending on which subscription you have purchased, please follow the instruction set for one or the other.
The stand-alone Detector has a limited number of features and is sold by individual license. Detector SDS has an expanded feature set and comes with “unlimited” licenses (subject to the license agreement).
The following provides a summary matrix between the stand-alone Detector and Detector SDS offerings:
Detector Detector SDS
Licensing Per Detector
Appliance
Unlimited Detector
Appliances
All Alerts ✓ ✓
Alerts sent through email ✓ ✓
Use RapidFire Tools’ supplied SMTP gateway ✓ ✓
Use custom SMTP gateway ✓
Use custom FROM email addresses ✓
Email Response Action Requests (Investigate and Ignore Actions)
✓
Branded Client Portal ✓
Custom Branded Portal Site Sub-domain ✓
Service Plan Creator ✓
Marketing Collateral ✓
Default Service Plans and Catalogs ✓
Direct PSA Integration (Autotask, ConnectWise, and Tigerpaw) ✓
Support Standard Support
Dedicated Portal Setup and
Onboarding
Network Detective™ Detector – User Guide
7
Purpose of this Guide This guide is designed to provide an overview and specific steps required to install and configure the
Detector Appliance and the Detector Service Delivery System (SDS). Configuration and set up will
include:
• the setting of Security Policies to enable detection of policy violations and trigger alerts
• the creation of Notification Rules to direct Alerts to email recipients or to automatically create
tickets in Ticketing/PSA systems.
• scheduling of network data collection and assessment scans
• scheduling of Daily Security Policy Violation Alerts and Weekly Notices
• creation of Service Plans and Catalogs
• integration of the Autotask, ConnectWise, and Tigerpaw PSA/Ticketing systems with the ND
Portal
• custom branding of the ND Portal web site used to process and manage To Do items and Alerts
Components of the Stand-Alone Detector and Detector SDS
Detector Appliance
This is the Detector Appliance software application that operates on either on a user supplied Microsoft
Hyper-V or VMware based system or the Small Form Factor Server computer available from RapidFire
Tools.
Optional Small Form Factor Server Computer
This is an optional hardware component that can be purchased from RapidFire Tools to host and
operate the Detector Appliance. It is a small, portable server computer which plugs into the target
network through an Ethernet connection.
Diagnostic Tool
This tool is used for configuring and troubleshooting the Detector Appliance. The Diagnostic Tool should
be run on the same network as the Detector Appliance to perform diagnostics checks such as for
Detector Appliance connectivity.
Network Detective Application
This is the same Network Detective desktop application and report generator that is used with any other
Network Detective modules. This application contains additional features to manage the Detector
Appliance remotely.
The Network Detective Service Plan Creator and the Service Catalog
Detector SDS users have access to the Network Detective’s unique “Service Plan Creator” tool that gives
you the ability to modify our starter Service Plans, or create your own plans from scratch.
Network Detective™ Detector – User Guide
8
You define and name the offerings based on the security policies that you want to enforce, and the tool
automatically generates a “Service Plan Catalog” (or catalogs), and “Service Plan Matrix” sheet that
compares your plans to help you sell them to your clients and prospects.
Once you sell one of your plans to your client, simply “apply” the plan to the Detector assigned to that
client and its Service Policy Violation detection capability is then automatically configured to deliver
that exact plan.
For more information about creating Service Plans and Catalogs, please refer to the Service Plan Creator Quick Reference Guide located at www.rapidfireotools.com/nd.
The Network Detective Portal
The Network Detective (ND) Portal is used to process Investigate Alert Action Requests and Ignore
Alert Action Requests created in response to Anomalies, Changes, or Threats (ACT) detected by the
Detector Appliance.
The Portal acts as an ACT “triage center” that enables technicians to view a “To-Do” list of Investigate
Alert Action Requests and Ignore Alert Action Requests and to enable processing of these requests by:
• transferring the requests to Ticketing/PSA Systems such as Autotask, ConnectWise, and
Tigerpaw
• using the Portal to modify Detector Smart-Tags to configure the Detector Appliance to more
effectively detect Security Policy violations and address False Positives
• creating Ignore Rules to address Alert False Positives
• completing a given Action Request
To access the ND Portal, visit the default web site URL of https://alerts.alert-central.com .
To learn more about the Portal refer to the following sections:
• Using the Detector ND Portal to Process Investigate and Ignore Action Requests
• Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS
• Set Up ND Portal Branding
• Set Up a Custom Subdomain to Access the ND Portal
• Set Up Custom SMTP Server Support for Alerts and Notifications
Portal Integration with Ticketing Systems/PSAs
To set up Detector SDS integration of the Autotask, ConnectWise, or Tigerpaw ticketing/PSA systems
with the ND Portal, please refer to Appendix E - Set Up and Assign a Ticketing System Integration to a
Site.
Network Detective™ Detector – User Guide
9
Detector Deployment Options
There are three Detector Appliance deployment platform options available to users:
• Hyper-V based systems
• VMware based systems
• on a Small Form Factor Computer Server available from RapidFire Tools
The next section outlines the steps to set up the scans, Tech Alerts, End User Alerts, and Weekly Notice
notification tasks to be performed using Detector.
Detector System Requirements
Below are the minimum requirements for installing and operating Detector.
Please note the Operational Requirements that must be met after Detector has been installed and
deployed.
Hyper-V Install Requirements:
• Hyper-V Enabled Operating System (Windows 8.1+)
• 2 GB Available RAM
• 20 GB Hard Drive Space VMware Install Requirements:
• ESXi 5.5+
• 2 GB Available RAM
• 20 GB Hard Drive Space
Operational Requirements:
• i5 Processor for dedicated use. Xeon server class processors for non-dedicated.
• 6 GB Available RAM
• 20 GB Hard Drive Space
General Overview of Detector SDS Use and Operation
Detector SDS is used to Detect and Alert upon Security Policy Violations that may consist of network
Access Anomalies, Changes, and Threats (ACT).
Detector SDS will scan a network and compare collected data with a set of predefined network Security
Policies that are contained within a Security Service Plan you create and assign to a Detector Site.
When Detector identifies a Security Policy Violation, there are a series of rule based Alert Notification
Actions and Response Action Workflows that can take place on a Daily basis in response to these
violations.
Network Detective™ Detector – User Guide
10
These Actions include:
• Investigate Alert Requests sent to a “Tech” Group via email
• Investigate Alert Requests are automatically created as “To Do” items in the ND Portal to
enable your company technicians to efficiently manage security incident perform “Triage” on
the issue
• Security Policy Violation Alerts sent to an “End User” Group containing a list of email recipients
at your client’s company
• Tickets being automatically generated in your Ticketing/PSA system for investigation, security
incident response, and remediation purposes
Detector SDS contains a number of other features that can enable you to package, market, and sell
Security Services. These features include the Service Plan Creator and the Service Catalog generation
tool that may be used to produce marketing literature and service contract documents.
Defining the Detector Security Policy Violation Detection, Scanning, and Alerting Settings
The setup process of the Detector SDS consists of setting up the following options:
• Policy Configuration using Service Plans with pre-configured Security Policies used for policy
violation detection of network Anomalies, Changes, or Threats (ACT)
• Notification Configurations consisting of Actions that automatically occur in response to
Security Policy Violations. These Actions include:
o Daily Alert Notification Emails sent to Technicians (Techs)
o Daily Alert Notification Emails sent to End Users
o Automatically created Tickets in Autotask, ConnectWise, or Tigerpaw
• Email Notification configuration that enables you to set up Tech and End User Notification
Email Groups of recipients set up to receive Daily Security Policy Violation Alert Notifications
• Setting up Scans
o Level 1 (Daily) Network Scan configuration and scheduling
o Level 2 (Weekly) Network Scan configuration and scheduling
• Weekly Notices Recipient assignment, notice Event Selection, and Scheduling
• Smart-Tag configurations to facilitate the refinement of security policy-based ACT detection
• Setting up Ticketing System Integration for use with the Network Detective (ND) Portal and
Network Detective Sites (Detector SDS Only)
• ND Portal Customization
o Portal Branding
o Custom Portal Subdomain
o Custom SMTP Server Usage for Alerts and Notifications
Network Detective™ Detector – User Guide
11
Setting Up Detector
Step 1 - Initial Set Up of the Detector Appliance
1. Install Detector on your client’s network by either:
a) connecting the Detector installed on the Small Form Factor Server Computer that you
purchased from RapidFire Tools to your client’s Network.
b) going to www.rapidfiretools.com/nd to download and install the Network Detective Virtual
Appliance on a Hyper-V or VMware enabled computer operating within your client’s
network. For more information about installing the Virtual Appliance, please download the
Virtual Appliance Installation Guide for Detector.
2. After successfully deploying Detector, visit www.rapidfiretools.com/nd to download and install
the latest version of the Network Detective Application. Then run Network Detective and login
with your credentials.
3. Create a new Site by selecting the New Site
option. Set the Site Name for the “Site” in
Network Detective.
Select the OK button to create the site.
Step 2 - Associate Detector with a Site and Access Detector Settings
1. From within the Site Window, select the
selector symbol to expand the Site’s
Preferences in order to Add an Appliance.
2. Next, select the Add Appliance button.
The Add Appliance window will be
displayed.
3. Select the Appliance ID of the Detector Appliance from the drop down menu.
Note: When users have purchased a Small
Form Factor Server Computer, the
Appliance ID can be found on a printed
label on the Small Form Factor Server
Computer itself.
After selecting the Appliance ID, select
the OK button to continue.
4. After successfully adding a Detector to
Network Detective™ Detector – User Guide
12
the Site, its Appliance ID will appear
under the Appliance bar in the Site
Preferences window. The status of the
Appliance will be indicated as Active.
Warning Concerning the Removal of a
Detector Appliance from a Site: When a Detector has been Associated with a Site and the Scan
Schedule, Alert Schedule, Alert Recipients, and Smart-Tags settings have been defined, if the
Detector is ever Associated with a different Site, the original Site’s Detector settings will be
automatically deleted.
Step 3 - Set Up the Detector Scan Host and Scan Configuration
Follow the steps below to set up a Scan Host and configure the scan:
1. After associating the Detector with the Site,
select the Detector Settings Icon located in the
Network Detective window to view the
Detector Settings window.
2. In the Detector Settings window, select the Modify
Scan Configuration option.
The Scan Configuration Wizard will appear.
The Detector Appliance requires access to at least one separate, additional PC on the client’s
network. This computer is called the “Scan Host.” The Scan Host is used to initiate scans.
Be sure that the computer you select to be a Scan Host meets the necessary Admin$, WMI,
File and Print Sharing requirements and their respective firewall settings. The computer must
also be operating Windows 7 or higher.
For more information on Scan Host requirements, see “Appendix L – Additional Scan Host
Configuration Options and Requirements”.
Network Detective™ Detector – User Guide
13
3. Enter the following information about the
Scan Host(s):
a. One set of login credentials for
all PCs that will serve as scan
hosts
b. IP Address or Computer Name
for the PCs that will serve as scan
hosts
c. Domain name (NOT the name of
the domain controller)
If you are in a Workgroup
environment, see “Assigning Scan
Hosts within a Workgroup”.
Note: We recommend that you assign at least two PCs to serve as scan hosts. This will allow
scans to run even if one scan host becomes unavailable.
4. Click Test Scan Hosts.
A message will appear indicating whether a
connection can be established to each scan host.
If the connection cannot be established, be sure
the scan host meets the requirements – and that
you have entered the correct credentials. See
“Appendix K – Additional Scan Host Configuration
Options and Requirements” for more information.
5. Follow the steps presented in the Wizard and
select Finish to complete the Scan Host set up and
Scan Configuration step.
Network Detective™ Detector – User Guide
14
Once installed and configured, the Detector Scan Host is used to perform network and push local
computer scans to ping-able computers during the Daily Scan process.
Step 4 - Schedule Scans, Daily Alert Notifications, and Weekly Notices
1. In the Detector settings window,
select the Modify Schedules
option.
The Schedule window will be
displayed.
2. Define the Time Zone, the time
that the Level 1 (Daily) and Level
2 (Weekly) scans should start,
and the days and times that the
Daily Alerts resulting from
Security Policy Violations and
Weekly Notices should be sent to
designated recipients.
Select Save to store the Schedule
settings.
Step 5 - Configure Technician Email Group
During the Security Policy Configuration step later in this Guide, you will configure the Security Policies
that Detector will Alert upon during its operation as the Appliance detects violations to the selected
policies.
During the Security Policies Configuration process, it will be necessary to define policy violation
detection response Action. This Action may include the sending of an Alert Notification Email to a
predefined list of recipients referred to as a Detector Email Group.
In this step, we will set up the Email Group that will be used when one particular Detector Action
named “Email Tech” is designated as a particular Security Policy violation’s response Action. To create
the Email Tech action’s Email Group, follow these steps.
1. Select the Modify Email Configuration
option.
Network Detective™ Detector – User Guide
15
2. Select the Email Groups tab in the Email
Configuration window.
3. Select the Add Email Group button.
4. The Add Email Group window will be
displayed.
5. During this step, you will enter in the
Name of the Email Group, select the
Group Type, and select or type in the
email addresses of the recipients that will
receive email notifications sent to this
Email Group.
a. For this Quick Start set up process,
type in the Name of the Email Group
you will use for your Company’s Tech
Team Email Group.
b. Next, set the Group Type to be
“Tech”.
c. Finally, select the To button to select email addresses from a list of your
company’s Network Detective users.
Network Detective™ Detector – User Guide
16
to define the Recipients of Daily
Alert Notification Emails. You can also directly type in the email address of the recipients as
well.
d. Once you have selected the email addresses for your Tech Team Email Group, Select the OK
button to save your new Email Group.
6. Proceed to Step 6 below before selecting
the Email Configuration window’s Save &
Close button.
Step 6 - Set Up Subject Text for End User and Email Tech Alert Notification Emails
1. Select the Email Subjects tab in the Email
Configuration window.
2. Enter a reference to the Detector’s
Network Detective “Site” name within
the Subject line for the End User Alert
and Tech Alert Notification Email
messages.
3. Select the Save & Close button.
Network Detective™ Detector – User Guide
17
Step 7 - Assign Security Policies for Policy Violation Detection and Alerting
The Policy Configuration option enables you to define when Detector sends alerts containing
information about identified threats to Access Control, Computer, and Network Security policies that
are detected by the Detector Appliance.
1. In the Detector Settings window, select the Policy
Configuration Modify button to access the Policy
Configuration options window.
The Policy Configuration window will be
displayed.
2. Using the Service Plan option, select the
Gold Service Plan to assign an initial set of
Security Policies to your Detector’s
configuration.
To learn more about Service Plans and
how to create custom Service Plans,
please refer to the Detector User Guide.
Any Policy Item listed and presented in
Red Text indicates that this policy
requires that some policy specific Smart-
Tags must be set up.
To learn more about Smart-Tags and their use, please refer to Step 11 – Set up of Smart-Tags.
In some cases, Smart-Tags that are associated with these particular policies may need to be set
up if alerts are to be generated or to prevent the detection of false positives.
Policies listed in Black Text within the Policy Configuration window are either:
a) policies that do not require a Smart-Tag
b) policies that require Smart-Tags that have been configured
Select one or more of Policies that you would like Detector to alert upon when a policy violation
has occurred. During this process, be sure to note which Smart-Tags must be configured to
enable alerts to be sent when violations of the selected Security Policies take place.
Network Detective™ Detector – User Guide
18
3. Select the Next button.
The Configure Notifications window will
be displayed.
Each Security Policy’s Alert Notification
Rule is assigned one of four Action
options:
• Create Ticket
• Email Tech
• Email End User
• None
When the Create Ticket Action is assigned to a policy’s Alert Notification Rule, Detector SDS will
automatically submit an Alert to your Ticketing System/PSA based on the Ticketing System to Site
Mapping configuration contained within the Portal’s Settings. For more information about how to set
up Detector SDS to work with your Autotask, ConnectWise or Tigerpaw Ticketing System/PSA, refer to
Appendix E - Set Up and Assign a Ticketing/PSA System Integration to a Site.
4. In this step, an Action will need to be
assigned to each policy violation
Notification associated with a given
Security Policy.
a. Right click on the Action column and
select the Select All menu option.
b. The list of Security Policy
Notifications will be highlighted in
Blue.
c. Next, right click again on the Action
column.
d. Next , select the Select Action menu
option.
e. Then select the Email Tech menu
option. This selection will assign the
Email Tech Action to all of the selected
Security Policies.
Network Detective™ Detector – User Guide
19
5. In this step you will assign your
Company’s Tech Team Email Group to
each of the Security Policy Notifications
that were assigned the Email Tech
Action.
a. Right click on the Email Group
column and click on the Select Group
Name menu option.
b. The list of available Email Groups for
selection will be displayed.
c. Select your Company’s Tech Team
Email Group. To create a Group, refer
to Step 5 - Configure Technician Email
Group.
d. Now, all of the Email Tech Notification Action for each Security Policy will be assigned the
Email Group you selected.
6. Next, select the Finish button to save your selections.
Note: Service Plans have a set of recommended Reports that should be generated on a regular
basis. If you want to have these reports automatically generated, then set up the necessary
Network and Security Assessments using the Network Assessment and Security Assessment
Modules to generate the reports to be run.
Step 8 - Set Up Weekly Notice Notification Recipients
1. Go to Detector settings window and select the Add Recipient
button on the Weekly Notice bar. The Weekly Notice
Alerts configuration window will be displayed.
2. Within the Email Configuration tab, define the recipients
of Weekly Notice Alerts emails either by:
a. selecting the To button and selecting recipients
from list in Select Users Form
b. entering in recipient email address(es) manually
in the To field.
After adding the recipient email addresses, select the
Selected Notices tab.
3. Set the Selected Notices by selecting the Weekly Notice Alerts options available in the list.
Network Detective™ Detector – User Guide
20
After you have selected the Weekly Notice types that you
want sent to the selected Recipients, click on the Save &
Close button to save your Weekly Notice Alerts settings.
Please Note: Two Weekly Scan Data Sets must exist in
order for a Weekly Notice to be generated and sent. For
example: from a past scan (last week) and most recent
scan (this week).
Step 9 - Run Scan to Perform Initial Data Collection
In order to perform Step 10 – Download Detector Initial Data Collection Scan Data, it is necessary
for Detector to perform an initial Data Collection on the network. This initial Data Collection is
performed through the execution of the Level 1 Scan (Daily Scan).
Two options are available to you in order to perform this initial Data Collection:
1) Wait until Detector completes the Level 1
Scan (Daily) scheduled in the previous step.
2) Use the Detector Scan Now feature to start
the Level 1 Scan (Daily).
When either the scheduled scan or the scan initiated with the Scan Now option have been
completed, the scan data must be downloaded into the Detector’s Smart-Tags settings window
Step 10 - Download Detector Initial Data Collection Scan Data
1. After the initial Data Collection scan is complete,
select the Smart-Tags link in the Detector Settings
window. The Smart-Tags window will be
displayed.
2. Select the Download Scan button to download
the scan data.
3. After the scan data has been downloaded, you
may select the Configure link to return to the
Network Detective™ Detector – User Guide
21
Detector Settings window. Otherwise, to set up Smart-Tags proceed to Step 11.
Step 11 - Set up Smart-Tags (optional)
Smart-Tags are used to enable Detector’s Machine Learning capability in order to further detect
violations to the Security Policies you select, as well as, eliminate False Positives.
During the initial set-up of the Detector Appliance, this step is optional. You may either close the
Detector Settings window and wait for Detector to start running scans and sending Alerts, or you may
proceed with setting up Smart-Tags. This step is dependent on the successful completion of Step 9 and
Step 10.
To configure Smart-Tags, follow these steps.
1. For the initial set-up of the Detector using this Guide, configure the following Smart-Tags:
SMART-TAG ITEM TAGGED WHY IS THIS ITEM BEING TAGGED?
RESTRICTED NETWORK Network Devices added to this network must be authorized
BUSINESS OWNER PC Computer Only the Business Owner is authorized to access
RESTRICTED IT ADMIN ONLY Computer Computers may only be accessed by IT Administrators
SINGLE DESKTOP USER User Users are only supposed to access one computer
LOCKED DOWN COMPUTER Computer No applications are to be installed or removed
SENSITIVE COMPUTER Computer Screen lock should be enabled on these computers
2. Search the list of Recommended and Available
Smart-Tags displayed in the Smart-Tags window
with those you previously noted above.
Note: Some Smart-Tags have a Red Corner
marker in the tag’s icon. These marked Smart-
Tags represent tags that must be set up to
enable
alerts to be sent for the specific Security
Policies
you selected in Step 8.
Network Detective™ Detector – User Guide
22
3. Double-click on a Smart-Tag icon to open the
Tag.
Depending on the requirements for the Smart-
Tag you are configuring, select or type in the
Computers, Users, SSIDs, Printers, or IP
Addresses that are required to configure the
specific tag.
4. After configuring the Smart-Tag, select the
Save & Close button to save the Smart-Tag’s
configuration.
5. After configuring the six (6) Smart-Tags defined
in item one (1) above, select the Configure link
to return to the Detector Settings window.
6. After completing all of the Detector settings
configuration, you can exit the Network
Detective application.
Step 12 - Set Up Ticketing/PSA System Integrations (Optional)
To set up Detector SDS integration of the Autotask, ConnectWise, or Tigerpaw ticketing/PSA systems
with the ND Portal, please refer to Appendix E - Set Up and Assign a Ticketing/PSA System Integration to
a Site.
Network Detective™ Detector – User Guide
23
Security Policy Violation Alert Notification Rule Actions
There are four predefined Security Policy’s Alert Notification Rule Actions that can be configured in the
Detector SDS’s Notification Settings. These Actions are assigned to specific Alert Notifications
generated as a result of a Policy Violation identified by Detector (Refer to Step 7 - Assign Security
Policies for Policy Violation Detection and Alerting).
These Actions are:
1. Create a Ticket – this Action will automatically generate a Ticket in the Ticketing/PSA system for
an Alert that has been set up to work with the ND Portal for a particular Site that has been
Mapped to a Connection that interfaces your company’s Ticketing/PSA system to the ND Portal.
2. Email Tech Group – this Action will automatically create an Investigate Alert To Do item in the
ND Portal for members of your technical team to process in response to a specific Alert.
3. Email End User – this Action will send an “End User” Alert Notification to an email recipient in
your Client’s Company. This Alert will enable the End User to play a role in directing how your
technicians should respond to an Alert. End Users can direct your company’s technicians to:
a. investigate an Alert
b. set up an Ignore Rule to ignore the Alert in the future.
4. None (i.e. no action)
Detector SDS Alert Response Action Workflow Processes
The Alert Response Use Cases below summarize the Alert Response Workflow Processes for Actions
one (1) through four (4) referenced above.
These Alert Response Workflow Processes are:
• Alert automatically Creates a Ticket in the Ticketing System/PSA that you configured in the ND
Portal’s Settings. For more information about setting up an Ticketing System/PSA in the ND
Portal please refer to
• Tech Group Members respond to Investigate Alert Request To Do Items listed in the To Do list
in the ND Portal
• End User submits an Investigate Alert Request Notification email to your technicians and To Do
item to the ND Portal
• End User submits an Ignore Alert Request Notification email and To Do item to the ND Portal
• Tech Group Members process the Ignore Alert Request To Do items in the ND Portal
Network Detective™ Detector – User Guide
24
Using the Detector ND Portal to Process Investigate and Ignore Action Requests
The workflow associated with the processing of Investigate or Ignore Action Requests relies on a
combination of email notifications along with the ND Portal system to assign these Action Requests to
your technicians as To Do items listed in the Portal’s To Do list.
You can access the ND Portal in order to view the current To Do list for each Network Detective Site
used to manage a Detector on your client’s network.
The ND Portal can be accessed https://alerts.alert-central.com.
Below, are the Alert Response Workflows that can be used by your company’s technicians and your
clients to assign and process Investigate Alert and Ignore Alert Action Requests.
Workflow Used to Automatically Create a Ticket from an Alert
In this use case, Detector SDS Alerts that are generated will automatically create Tickets in the
Ticketing/PSA System that is configured to operate with the Network Detective Site that is used to
manage your Detector Appliance.
To learn more about how to create a Ticketing/PSA System “Connection” to your ticketing system and to
“Map” your Network Detective Site used to manage your Detector to automatically create tickets,
please refer to section Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site
Using Detector SDS.
After a Daily Alert triggers a Ticket to be automatically generated, the Alert will be placed into the ND
Portal Alert Queue. This Alert will be assigned the Status of Ticket indicating that a ticket was created
on your company’s Ticketing/PSA system when the Alert was generated by the Detector Appliance.
Network Detective™ Detector – User Guide
25
Workflow Used to Process Security Policy Violation Alert Investigation Requests
Step 1 – Tech Alert Recipient Email Group member receives a Tech Alert Notification Email requesting
an Alert’s investigation.
Review the Tech Alert Notification Email and
select the link within individual Alert item to
access the ND Portal To Do list item related to
the Alert.
The ND Portal Login Page will be displayed.
Step 2 – Log into the ND Portal to view the Investigate Action Request To Do Item
Log into the ND Portal using your Network
Detective login credentials.
After login is successful, the Investigate
Request contained within the Pending To Do
list will be opened in the Portal automatically.
Step 3 –Review the Alert details.
In the Alert’s To Do item, details are
displayed.
Select the symbol to the right of the
Alert’s Additional Information and
History section headings to review any
additional details concerning the Alert.
Network Detective™ Detector – User Guide
26
Step 4 – Select one or more Actions to be performed in response to the Alert’s Investigation Request
Respond to the Alert incident and
Investigate Request using these steps:
a. Select the computers, users, or
other “items” referenced within
the Investigate Request.
b. Select the Action(s) that will be
assigned to the request. In this
case, the Actions available for
assignment may include:
• Remove or add Detector
Smart-Tags to computers, users, or other items
• Create a Ticket in the Ticketing System you have Mapped to the Site.
• Assign an Ignore Rule to the Alert by selecting the “Do not send this alert for the
selected items again (ignore completely)”.
• Cancel the entire request.
Note: The user can perform both
the remove/add Smart-Tag
Action along with creating a
Ticket Action simultaneously
when processing the Alert’s To
Do item.
c. Select the Submit button to
complete the processing of the Investigate Request To Do item.
Step 5 – After selecting the Completed To Do item’s Submit button, a Confirm Batch Action window
may be displayed.
This window is displayed in cases where you are
processing an Alert that has one or more
“Related Alerts”.
Related Alerts are essentially alerts that
have been duplicated on a day by day basis
as a result of a recurring Security Policy
violation.
Select the Confirm button to complete the To Do item and close any Related Alerts.
Network Detective™ Detector – User Guide
27
Step 6 – A Confirmation of your submission will be
displayed.
Step 7 – The completed To Do item’s Alert will be
moved into the Alerts Queue contained within
the ND Portal with a Status assigned as
Complete.
Step 8 - Log out of the ND Portal.
Workflow Used by an End User to Request an Investigation of an Alert
An End User should follow the steps below to create Investigate Alert Requests and To Do items in the
ND Portal for your technicians to process.
Step 1 - The End User will receive a Security Policy
Violation Notification Email message
containing an Alert from the Detector
Appliance.
This Email contains the Alert and presents a
question to the End User asking if your
company should Investigate the Alert issue.
Step 2 - To initiate the Investigate Alert Request, the
End User should select the Yes option.
Selecting the Yes option in the email message
starts an Internet browser session that will
access the ND Portal and display a page to be
used by the End User to create an Investigate
Request.
Network Detective™ Detector – User Guide
28
Step 3 - Complete the Request Investigation page by
adding a note and select the Request
Investigation button.
Step 4 - The “OK, your request has been submitted”
message displayed by the Portal indicates that
your Investigate Request has been submitted to
the ND Portal To Do item list.
Step 5 - An Investigate Request email is sent to the
technicians assigned to service the End User’s
network to notify them that an Investigate
Request To Do item is pending.
Network Detective™ Detector – User Guide
29
Workflow Used by an End User to Request that an Alert be Ignored
An End User should follow the steps below to create Ignore Alert Requests and To Do items in the ND
Portal for your technicians to process.
Step 1 - The End User will receive a Security Policy
Violation Notification Email message containing
an Alert from the Detector Appliance.
This Email contains the Alert and presents a
question to the End User asking if your company
should Investigate the Alert issue.
Step 2 - To initiate the Ignore Alert Request, the End User
should select the “No” option.
Selecting the No option in the email message
starts an Internet browser session that will access
the ND Portal and display a page to be used by the
End User to create an Ignore Request.
Step 3 - Complete the Request Ignore page by adding a
note and select the Request Ignore button.
Step 4 - The “OK, your request has been submitted”
message displayed by the Portal indicates that
your Ignore Request has been submitted to the
ND Portal To Do item list.
Network Detective™ Detector – User Guide
30
Step 5 - An Ignore Request email is sent to the
technicians assigned to service the End User’s
network to notify them that an Ignore Request
To Do item is pending.
Workflow Steps to Process an Alert Ignore Request Sent to MSP Technicians by an End User
The Detector SDS Email End User Action feature can be
used to configure the Detector to send certain Alerts for
specific Security Policies to End Users.
For more information about this feature please reference
to the End User Alerts section of this Guide.
End Users can submit Ignore Action Requests to your
technicians.
To submit an Ignore Action Request, the End User would
select the “No” option contained within any Daily Alert
Notification Email.
After the End User select the “No” option, the End User
will be directed to access the ND Portal via an Internet
Web Browser. The ND Portal will present to the End User
the Daily Alert Ignore Request page. The End User will use
this page to issue the Ignore Action Request via the Portal.
After the End User issues the Ignore Action Request, your
technicians will receive an Ignore Request Notification
email.
Network Detective™ Detector – User Guide
31
Responding to Ignore Request Notification Emails
Ignore Action Requests are used to direct your technicians to configure and apply an Ignore Rule to an
Alert. The applied Alert Ignore Rule is intended to eliminate a False Positive.
To enable a Recipient of an Ignore Action Request Notification email to process an Ignore Request, the
Recipient of the Ignore Request email will follow these steps:
Step 1 – Tech Alert Recipient Email Group member
receives an Ignore Request Notification Email
requesting that an Ignore Rule be assigned to an
Alert.
Step 2 – The Alert Recipient reviews the Ignore Request
Notification Email and selects the link within
individual Alert item to access the To Do list in
the ND Portal.
The ND Portal Login Page will be displayed.
Step 3 – Log into the ND Portal to view the Ignore
Request To Do item.
Log into the ND Portal using your Network
Detective login credentials.
After login is successful, the Ignore Request
contained within the Pending To Do list will be
opened in the Portal automatically.
Step 4 – Review the Alert’s Ignore Request details.
In the Alert’s To Do item, details are
displayed.
Select the symbol to the right of the
Alert’s.
Additional Information and History section headings to review any additional details concerning
the Alert.
Network Detective™ Detector – User Guide
32
Step 5 – Select one or more Actions to be performed in response to the Ignore Request
Respond to the Alert incident and Ignore
Request using these steps:
a. Select the computers, users, or
other “items” referenced within
the Ignore Request.
b. Select the Action(s) that will be
assigned to the request. In this
case, the Ignore Actions available
for assignment may
include:
• Remove or add Detector Smart-Tags to computers, users, or other items.
• Assign an Ignore Rule to the Alert by selecting the “Do not send this alert for the
selected items again (ignore completely)”.
• Create a Ticket in the Ticketing System you have Mapped to the Site.
• Cancel the entire request by selecting no Actions and selecting the Mark Complete
button.
Note: The user can perform
both the remove/add Smart-
Tag Action along with
creating an Ignore Rule or
any other Action
simultaneously when
processing the Alert’s To Do
item.
c. Select the Submit button to complete the processing of the Ignore Request To Do item.
Step 6 – After selecting the Completed To Do item’s
Submit button, a Confirm Batch Action window
may be displayed.
This window is displayed in cases where you are
processing an Alert that has one or more “Related
Alerts”.
Related Alerts are essentially alerts that have
been duplicated on a day by day basis as a result
of a recurring Security Policy violation.
Network Detective™ Detector – User Guide
33
Select the Confirm button to complete the To Do item and close any Related Alerts.
Step 7 – A Confirmation of your submission will be
displayed.
Step 8 – The completed To Do item’s Alert will be moved
into the Alerts Queue contained within the ND
Portal with a Status assigned as Complete.
Step 9 - Log out of the ND Portal.
Network Detective™ Detector – User Guide
34
Using the ND Portal to View and Process To Do Items and Alerts.
Below is a general overview of the ND Portal’s To Do list functionality used to process To Do items
created by Detector SDS and by End Users that submit Investigate Alert Requests and Ignore Alert
Requests.
Accessing and Logging into the ND Portal
To access your ND Portal account, visit https://alerts.alert-
central.com and log into the ND Portal using your
Network Detective login credentials.
After login is successful, the Pending To Do list screen will
be opened in the Portal automatically by default.
Using the ND Portal To Do List
The Pending To Do items List as displayed in the ND Portal as the Portal’s default Home page.
Network Detective™ Detector – User Guide
35
From the To Do item page you may select:
• a Site from the All Sites List to filter the To Do list view to a specific Site’s list
• the Alerts tab to view the Alerts Queue
• the Audit Log to view logged events related to the creation, processing, and completion of
Alerts and related To Do items
• the Settings option to access the ND Portal custom Branding features and Ticketing/PSA system
integration feature
Accessing the ND Portal to Use the Alert Queue List
To access your ND Portal account, visit https://alerts.alert-
central.com and log into the ND Portal using your
Network Detective login credentials.
After login is successful, the Pending To Do list screen will
be opened in the Portal automatically by default.
Using the ND Portal Alert Queue
All Alerts generated as a result of Security Policy violations are by the Detector are placed into the ND
Portal’s Alert Queue.
To view the Alert Queue, select the Alerts tab and the Alerts Queue will be displayed in the ND Portal.
Network Detective™ Detector – User Guide
36
Each Alert’s entry in the Queue presents the Alert’s Status, the Date the Alert was generated, which Site
it is associated with and the Message that was generated as part of the Alert’s creation.
Alert Item Statuses
For each Alert in the Alert Queue, a Status is assigned.
These statuses are:
New - this status is set for Alerts that are generated for network security violations that
do not have a Security Policy associated with a specific Alert type in the Detector
Settings
To Do – this status indicates that the Alert is associated with an open To Do item
End User – this status is assigned to an Alert when the Daily Alert notification has been
sent to an Alert Notification Email recipient in your Client’s company requesting the
recipients input on how your technical team should respond to the Alert
Complete – this status indicates that an Alert associated with a To Do item has been
processed and closed
Ticket - this status indicates that an Alert’s notification rule was set to automatically
generate a Ticket in the Ticketing/PSA system configured to operate with the Detector
SDS system and a specific Network Detective Site used to manage a Detector
Filtering the Alert Queue to View Alerts by Status
1. Select the Alerts view.
2. Select the Status for the types of Alerts
that you want to be displayed in the
Alerts Queue.
Network Detective™ Detector – User Guide
37
3. The Alert Queue list will be updated to
display Alert items that are assigned the
Status you selected.
Creating To Do Items from Alerts Listed in the Alert Queue
To Do items can be created for Alerts that have been assigned a Status of either “New” or “Ticket” to
the Alert when the Alert is viewed in the Alert Queue.
Follow the steps below to create a To Do item from an Alert located in the Alert Queue:
1. Select the Alerts view to access the Alert Queue.
2. Filter the Alerts to view Alert items that have
been assigned a Status of either “New” or
“Ticket”.
3. Select a specific Alert to view the Alert’s details.
Network Detective™ Detector – User Guide
38
4. The Alert’s Details window will be displayed.
5. To transform the Alert into a To Do item or
generate a Ticket from the Alert, select either the
Create To Do or the Create Ticket option.
Or, you can select the Alerts view to return to
the Alerts Queue.
If you select the Create To Do option, the To Do
item will be added to the To Do list, and the Alert’s To Do item page will be automatically
displayed.
If you select the Create Ticket option, then a Ticket will be created in the Ticketing/PSA system
that is Mapped to the Detector Site as defined in the ND Portal Settings.
Reverting Completed Alerts Back to the To Do Item List
To move a Completed Alert back to the To Do list for further reinvestigation and Alert Response Action
processing you may “Revert” the Completed Alert.
Follow these steps to Revert a Completed Alert item back to the To Do list:
1. Select the Alerts view.
2. To view an Alert’s details, click on a Completed
Alert item to open the Alert details page.
Network Detective™ Detector – User Guide
39
3. The Alert’s details page is displayed
4. Select the Revert button to create a To Do item
for the selected Alert.
5. The To Do item will be added to the To Do list,
and the Alert’s To Do item page will be
automatically displayed.
6. Process the Alert’s To Do item as by select the
Actions to apply to the Alert and Submit to
Complete the item.
Network Detective™ Detector – User Guide
40
End User Security Policy Violation Alert Notifications
This purpose of the End User Notifications feature is to
notify individuals within your client’s company about
Security Policy Violations via selected Detector Alerts.
In cases where your technicians will require guidance
from your client as to how your technicians should to
respond to a particular Security Policy Violation Alert,
you can configure Detector SDS to send End User Alert
Notifications directly to email recipients in your client’s
company.
Upon your client’s receipt of an Alert, your client can
assign To Do items to your technicians. The To Do items
may request that your technicians:
• Investigate the Alert
• Assign an Ignore Rule to a specific Alert to
address False Positives
End User Alerts are configured and controlled by a Notification Rule assigned to a specific Security
Policy. Notification Rules are configured either through the use of the Notification Rules setup or the
Policy Configuration features located within the Detector Settings window.
Setting Up End User Alert Notifications
Follow these steps to assign an Action to a Security Policy to enable Security Policy Violation Alerts to
be sent to an End User when a Policy violation is detected.
1. In the main Detector Settings window, minimize
the main Detector Settings section of the window
by selecting the control.
Network Detective™ Detector – User Guide
41
2. Next, minimize the Weekly Notification settings
section of the Window by selecting the
control.
The Notification Rules section of the window will
be maximized.
3. In order to assign the End User Action to a
Security Policy you will need to either have an
existing End User Email Group, or you can create
and End User Email Group by selecting the Email
Group button.
4. Enter the name of the Email Group to be
assigned to your client’s company, set the Email
Group Type of End User, and enter in the email
addresses for the client company ‘s recipients of
Security Policy Violation Alert Notification
Emails.
5. Select the Ok button to save the Email Group’s
settings.
6. Next, for the Security Policies where the Alerts
are to be sent to one or more End Users at your
client’s company set the Action to be Email End
User.
Network Detective™ Detector – User Guide
42
7. Then select and assign the Group Name to the
policy selecting an End User Email Group that
you previously configured.
For each Security Policy where you want Daily
Alerts sent to your client, assign the Email End
User Action. Select the End User Group you
created that contains your client company’s Alert
Recipients.
8. To save the updated Notification Rules, exit the
Detector Settings window by selecting the Home
icon.
Network Detective™ Detector – User Guide
43
Provisioning Additional Detector Appliances for Deployment
With Detector SDS, you have the ability to self-provision and deploy an unlimited number of Detector
Appliances.
Follow these steps to provision a Detector Appliance:
1. Run Network Detective and login with your credentials.
2. Select the Appliance icon on the ribbon bar.
The Appliances window will be displayed.
3. Select the Provision Detector button to begin the Detector provisioning process.
The Provision Detector window will be displayed.
4. Select the number of Detectors you want to activate
and select the OK button to continue.
5. The Detector Provisioned window will be
displayed to indicate that the Detector(s) have
been provisioned for use.
Select the OK button to view the newly
provisioned Detector in the Appliances window.
6. The newly provisioned Detector will be displayed
in the Appliances window and provisioned as Not
Activated.
7. To complete the Detector Activation process, go to www.rapidfiretools.com/nd and download
and install the Network Detective Virtual Appliance on a Hyper-V or VMware enabled computer
operating within your client’s network. For more information about installing the Virtual
Appliance, please download the Virtual Appliance Installation Guide.
Network Detective™ Detector – User Guide
44
Provisioning Additional Detector Legacy Appliances for Deployment
With Detector SDS, you have the ability to self-provision and deploy an unlimited number of Detector
Appliances.
Note that this workflow is currently in the process of being phased out in favor of new functionality. See
Provisioning Additional Detector Appliances for Deployment for instructions on the new workflow.
Follow these steps to provision a Detector Appliance:
1. Run Network Detective and login with your credentials.
2. Select the Appliance icon on the ribbon bar.
The Appliances window will be displayed.
3. Select the Provision Legacy Detector button to begin the Detector provisioning process.
The Provision Legacy Detector window will be
displayed.
4. Select the number of Detectors you want to
activate, select the Authorization check
box, and select the OK button to continue.
5. The Detector Provisioned window will be
displayed to indicate that the Detector(s) have
been provisioned for use.
Select the OK button to view the newly
provisioned Detector in the Appliances window.
6. The newly provisioned Detector will be displayed
in the Appliances window and provisioned as Not
Activated.
7. To complete the Detector Activation process, go to www.rapidfiretools.com/nd and download
and install the Network Detective Virtual Appliance on a Hyper-V or VMware enabled computer
Network Detective™ Detector – User Guide
45
operating within your client’s network. For more information about installing the Virtual
Appliance, please download the Virtual Appliance Installation Guide.
Managing and Deleting “Ignore” Alert Rules
With Detector SDS, you have the ability to select Alerts that you can “Ignore” through the use of the ND
Portal’s Ignore Alert process as a method to minimize Detector alerting on ACT false positives.
In order to view and delete Ignore Alert Rules assigned to a particular alert for a Site associated with
your Detector Appliance, you can use the View Ignored Alerts feature.
Follow these steps to view and delete Detector Alert ignore rules:
1. Run Network Detective and login with your credentials.
2. Open your Site associated with your Detector and view the Detector Settings.
3. Select the View Ignored Alerts button located
on the Daily Alerts bar in the Detector Settings
window.
The Ignored Alerts window will be displayed.
4. Select the X icon next to the Ignore Alert rule
that you would like to delete.
Selected Ignore Alert rules will be grayed out
indicating that these rules will be deleted after
the Alert Rule settings are saved.
Network Detective™ Detector – User Guide
46
5. After selecting the Ignore Alert rules that you
want to delete, select the Save & Close button
in the Ignored Alerts window.
Setting up Automatic Report Generation Using the Reporter Appliance The Reporter Appliance can be used with Detector to set up and perform the automatic report generation of Network Assessment and Security Assessment reports. To learn more about how to install and use the Reporter Appliance, please visit www.rapidfiretools.com/nd and download the Reporter Quick Reference guide. To set up a Reporter to work with the Network Detective Site used to manage a Detector installed on your client’s network, please follow these steps. First, you will need to set up a Connector to operate with the Site. Then, you will be required to Associate a Reporter with the Site.
Step 1 – Set up a Connector for the Site
1. Login to Network Detective.
2. Open the Network Detective Site used with your Detector.
3. From within the Site Window, select the
selector symbol to expand the Site’s
Preferences and verify that your Detector is Associated with this Site.
4. Select the Connectors button to add a
Connector to the Site. The Connectors
list window will be displayed.
This Connector is required to enable the
Detector to transport its scan files to the
RapidFire Tools Secure Storage Area for
access by the Reporter during the
scheduled report generation time.
Network Detective™ Detector – User Guide
47
5. Select the Add Connectors button to
display the Add Connector window.
Assign a Connector Label that specifically
references the name of the Site that is
going to be using the Connector. Next
select the OK button to finish adding the
Connector to the Site.
Step 2 – Associate a Reporter with the Site
1. From within the Site Window, select the
selector symbol to expand the Site’s
Preferences.
2. Next, select the Add Appliance button.
The Add Appliance window will be
displayed.
3. Select the Appliance ID of the Reporter
Appliance from the drop down menu.
Note: When users have purchased a
Small Form Factor Server Computer, the
Appliance ID can be found on a printed
label on the Small Form Factor Server
Computer itself.
After selecting the Appliance ID, select
the OK button to continue.
4. After successfully adding a Reporter to
the Site, its Appliance ID will appear
under the Appliance bar in the Site
Preferences window. The status of the
Appliance will be indicated as Active.
Network Detective™ Detector – User Guide
48
Step 3 – Set the Detector Scan to Upload the Scan Data to Reporter
1. Open the Detector Settings.
2. Select the Scan Configuration button.
3. In the Scan Configuration Wizard window, select the option “Upload finished scan to Reporter”.
4. Select the Finish button to save your updated Detector scan settings.
Step 4 – Set up Reporter to Automatically Generate Reports
When your company subscribes to the Network Assessment and/or Security Assessment Modules from RapidFire Tools, Detector SDS can be used to schedule the automatic generation of Network and/or Security Assessment reports. To configure the automatic generation of Network and Security Assessment reports by Reporter for your Detector Appliance, please refer to the Reporter User Guide at www.rapidfiretools.com/nd .
Network Detective™ Detector – User Guide
49
Appendix A - Sample Daily Alerts and Weekly Notices Below are samples of email messages that present a Tech Alert and End User Alert Notifications and a Weekly Notice.
Sample Tech Alert
Sample End User Alert
Network Detective™ Detector – User Guide
50
Sample Weekly Notice
Network Detective™ Detector – User Guide
51
Appendix B – Set Up of Smart-Tags
1. Select the Smart-Tags link to open the Smart-
Tags window.
2. Compare the list of Recommended and Available
Smart-Tags displayed in the Smart-Tags window
with those you previously noted were associated
with the Security Policies you selected during
Step 7.
Note: Some Smart-Tags have a Red Corner
marker in the tag’s icon. These marked Smart-
Tags represent tags that must be set up to enable
alerts to be sent for the specific Security Policies
you selected in Step 7.
3. Double-click on a Smart-Tag to open the Tag.
Depending on the requirements for the Smart-
Tag you are configuring, select or enter in the
Computers, Users, SSIDs, Printers, or IP
Addresses that are required to configure the
specific tag.
4. Select Save & Close button to save the Smart-Tag’s configuration. The configured tag will be
listed in the Applied Tags list.
5. Configure the remaining Smart-Tags associated with Policies you selected back in Step 7.
6. After you have configured the Smart-Tags, select
the Configure link to return to the Detector
Settings window.
Network Detective™ Detector – User Guide
52
Assigning Smart Tags to Change Events that Refine Alerts and Notices
Detector incorporates a proprietary feature named “Smart Tags”. The Smart Tags feature allows you to
fine-tune the Detector to adapt to each client’s unique IT environment to detect network Anomalies,
Changes, and Threats (ACT).
Smart Tags allow you to enrich the detection system by adding information about specific users, assets,
and settings that helps Detector get “smarter” about what it is finding. That means more potential
threats identified with fewer “false positives.”
Here is an example of some of the Smart Tags available for use:
Tag Applied To For What? Why?
ACCOUNTING COMPUTER Computer Computers that can either access or are running accounting systems
Identifies when non-accounting users attempt to access these computers
ACCOUNTING USER User These users should have access to accounting systems
Identifies who should have access to accounting systems
AUTHORIZED PRINTER Printer Printers that are allowed on the network
Helps identify which computers are allowed to be published on the network
AUTHORIZED SSID SSID Indicates which wireless networks that computers on the network may connect to for network access
Allows identification of wireless networks that are safe to connect to
BUSINESS OWNER User Business owners typically have more sensitive information on their systems
Helps associated business owners with their computers
BUSINESS OWNER PC Computer Computers used by business owners
Raises the computer’s security significance
DMZ COMPUTER Computer Computers in the DMZ typically bridge the public Internet and private internal network
Because these computers are exposed to the outside network, their security becomes more significant
GUEST NETWORK IP Range IP ranges that are reserved for guest networks.
Network changes from this range typically do not indicate a security concern.
Network Detective™ Detector – User Guide
53
Tag Applied To For What? Why?
GUEST WIRELESS NETWORK IP Range IP ranges that are reserved for guest networks.
Network changes from this range typically do not indicate a security concern.
HIPAA/ePHI AUTHORIZED USER
User These users are allowed to access computers containing ePHI.
Indicates which users can access computers with ePHI.
HIPAA/ePHI COMPUTER Computer Computers that contain ePHI.
Allows identification of unauthorized access to a system with ePHI.
IT ADMIN User IT Administrators typically have more access to network resources than the typical user
Identifies who should have this elevated level of access
LOCKED DOWN Computer Locked down computers are highly controlled systems where changes are limited
Changes to locked down computers are more significant than other computers
LOCKED DOWN DNS Network Tag a network to detect DNS changes on
Any changes in DNS for the specified subnet will trigger this alert. It is used in environments where you are certain there should be no DNS changes.
NO DIRECT INTERNET ACCESS Computer Computers that should have no direct Internet access (web or otherwise)
Allows identification of changes that might inadvertently grant Internet access
PCI/CDE AUTHORIZED USER User These users are allowed to access computers in the Cardholder Data Environment (CDE)
Indicates which users can access the CDE
PCI/CDE COMPUTER Computer Computers that are a part of the Cardholder Data Environment (CDE)
Allows identification of unauthorized access to the CDE
RESTRICTED IT ADMIN ONLY Computer Some computers (typically servers) should only be access directly by IT Administrators
Allows alerting when access occurs by non-IT Admin users
Network Detective™ Detector – User Guide
54
Tag Applied To For What? Why?
RESTRICTED NETWORK IP Range Restricted networks are defined as networks where the appearance of new devices is very rare
Tagging an IP range as a restricted network indicates changes are more significant
SENSITIVE COMPUTER Computer Tag a computer that contains sensitive information
This represents a computer that has sensitive information on it
SENSITIVE USER User Tag a user that works on sensitive information
This represents a user that works on sensitive information
SINGLE DESKTOP USER User Users that have dedicated desktop and should never log into other systems directly
Enhances detection of anomalies by identifying which users have been assigned a computer
VIRTUAL MACHINE Computer Computers that are not physical devices
Distinguishing between physical and virtual computers help determine what changes are considered abnormal
AUTHORIZED PRINTER Printer Printers that are allowed on the network
Helps identify which printers are allowed to be published on the network
TRANSIENT PRINTER Printer Transient printers are routinely put on and taken off the network
Allows for the removal of false positives related to inactivity and theft
Network Detective™ Detector – User Guide
55
Examples of Smart Tag Use
Here are some examples of how you might use the Smart Tags to fine-tune Detector’s alerts for a
particular client:
Restricted Computer Access Detection
Within Detector, you can tag a particular computer as being “RESTRICTED IT ADMIN ONLY”. Then,
when any user logs into the network that has not been tagged “IT ADMIN”, Detector will send an alert.
Changes to Locked Down Computer Detection
Within Detector, you can tag a particular computer as “Locked Down” (meaning, do not allow changes
to this computer). If someone manages to install an application on this machine, then Detector will
detect that the application was installed and send an Alert. In this way, tagging can remove false
positives and increases the relevance of alerts.
Wireless Network Availability Detection
Within Detector, you can tag a specific wireless network as a “GUEST WIRELESS NETWORK” telling
Detector it does not need to worry about new devices appearing on it. But if a new device shows up on
any non-guest network, then the appearance is significant and Detector will send you an alert so you can
determine if it is worth looking into.
Using Smart Tags
You can select, configure, or modify, your Smart Tags at any time. That allows you to see what kind of
alerts Detector is sending you and create the tags you want to use to “tweak” the Detector system.
The use of Smart Tags improves the detection of Anomalies, Changes, and Threats (ACT) by providing
additional “knowledge” of the network environment to the Detector. Once the Detector has scanned
your network for the first time, you can explore the data and assign Smart Tags to entries like
computers and users.
The use of the Smart Tags feature presumes that the Level 1 (Daily) Scan and/or Level 2 (Weekly) Scan
types available on the Detector Appliance have been configured and performed.
Warning Concerning the Removal of a Detector Appliance from a Site
When a Detector has been Associated with a Site and the Scan Schedule, Alert Schedule, Alert
Recipients, and Smart Tags settings have been defined, if the Detector is ever Associated with a
different Site, the original Site’s Detector settings will be automatically deleted.
Backing Up Smart Tags for Reuse
You have the ability to Export the Smart Tags associated with a Network Detective Site file that is
Associated with Detector. If you wish to save the assigned Smart Tags contained within the existing Site
that is Associated with Detector for later use with a new Site, then use the Smart Tags Export and
Network Detective™ Detector – User Guide
56
Import options described in Appendix C – Saving and Reusing Smart Tags through Export and Import
found on page 51.
Adding and Configuring Smart Tags
To assign and configure Smart Tags to enable Detector to recognize any Anomalies, Changes and
Threats (ACT) that trigger Daily Alerts or Weekly Notice alerts, perform the following steps.
Step 1 – Select the Site
Double click your mouse pointer on the Site that you
are configuring automated scan, alerts, and reports
to be performed upon in order to view and access
the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector
Settings
After the Site has been opened, select the Detector icon located within the
Site bar.
The Detector Settings window will be displayed.
Network Detective™ Detector – User Guide
57
Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded
Select the Smart Tags link within the Detector’s
Settings window.
If no scans have been performed by the Detector,
the following message will be presented by Network
Detective.
After scans have been performed, select the Smart
Tags link and download the scan as instructed.
Once the scans have been downloaded, the
completion of the process will be confirmed by the
presentation of the Smart Tags options consisting of
Applied Tags, Recommended Tags, and Available
Tags as presented to the right.
Once the Smart Tags are “Up to Date”, you can
access, view, and use the settings for Applied Tags,
Recommended Tags, and Available Tags.
Also note: When starting a Site using the Detector,
then attempting to view or update the Smart Tags
configuration, you may be prompted to update the
scan data with the latest scan per a notice as
presented to the right.
Depending on the number of changes in Users and Computers on your client’s network, you may wish
download the updated scan to ensure the latest User identity and Computer information is available for
use when setting Smart Tag configurations.
Network Detective™ Detector – User Guide
58
Step 4 – Select and Apply Recommended Tags
1. To add a Smart Tag from the Recommended
Tags list, select the Recommended Tags
option by selecting the selector on the
Recommended Tags bar.
The Recommended Tags window will be
displayed.
2. Next, select the Smart Tag that you would like to configure and apply.
For example, select the IT Admin tag by
double-clicking on the IT Admin User Smart
Tag Icon.
This action will display the Tag Explorer
window for this Smart Tag.
Within the Tag Explorer window, instructions
are presented that detail:
• what the Tag is to be “Applied To” (i.e. users or computers)
• the “For What” purpose the Tag can be used
• the “Why” reason to use the Tag
Note: There are a number of Smart Tags that should be used as logical “pairs”. For example, the
IT Admin User tag should be used with the Restricted IT Admin Computer Only tag. Using this
pair of Smart Tags will enable you to define all of the IT Admin users, and the computer
endpoints that are to be only accessible by IT Admin users. Alerts will be generated when non-IT
Admin users access the computers designated as Restricted IT Admin Computers Only.
Network Detective™ Detector – User Guide
59
3. Next, define which network Users are IT
Admin Users by selecting the Users that
should be designated as IT Administrators in
the Tag Explorer window presented for the IT
Admin Users tag.
To specify the IT Admin Users, select the
Check Box next to Users that should be
designated as IT Admin Users from the list
presented in the Tag Explorer window.
4. Next, select the Save & Close button to save the Smart Tag settings for the IT Admin User Smart
Tag.
When the IT Admin Tag is configured and
Applied, the IT Admin Tag will be available
for updating in the Applied Tags section of
the Smart Tags options window.
Step 5 – View Applied Tags
To view the Smart Tags that have been
Applied from the Applied Tags list, select the
Applied Tags option by selecting the
selector on the Applied Tags bar.
The Smart Tags that have been applied to the
Detector configuration for the Site will be
listed in the Applied Tags window as seen
below.
You can double click on the Smart Tag to view the tag’s settings.
Network Detective™ Detector – User Guide
60
Step 6 – Select and Apply Additional Smart Tags from the Available Tags Window
1. To add a Smart Tag from the Available Tags
list, select the Available Tags option by
selecting the selector on the Available
Tags bar.
The Smart Tags available for use will be
displayed.
2. Double click on the Smart Tag that you want
to use and the Tag Explorer window for the
selected tag will open. Configure the Tag by
selecting the Users or Computers listed in the
Tag Explorer window that you want to
designate as being “Tagged” within the Tag
as displayed below.
3. Next, select the Save & Close button to save the Smart Tag settings for the selected Smart Tag.
When the Tag you selected is configured and Applied, the Tag will be available for updating in
the Applied Tags section of the Smart Tags options window.
4. Verify that the Tag you configured and Applied is in the Applied Tags window.
To view the Smart Tags that have been
Applied from the Applied Tags list, select the
Applied Tags option by selecting the
selector on the Applied Tags bar.
Network Detective™ Detector – User Guide
61
The Applied Tags will be displayed to enable
you to confirm that the Smart Tag you
selected and configured has been Applied.
Deleting Smart Tags
Use the following steps to delete a Smart Tag
Step 1 – Open the Applied Tags Window and Select the Tag for Deletion
To access the Smart Tags that have been Applied
from the Applied Tags list, select the Applied Tags
option by selecting the selector on the Applied
Tags bar.
The Applied Tags window will be displayed.
Step 2 – Select the Tag and Delete
Right click the mouse pointer on the tag to be
deleted. A Remove Tag menu option will be
presented.
Select the Remove Tag menu option and the tag will
be deleted and removed from the Applied Tags
window.
Network Detective™ Detector – User Guide
62
Appendix C – Saving and Reusing Smart Tags through Export and Import
Before associating a new Network Detective Site file to a
Detector that has already been configured for use with
another Site to detect Anomalies, Changes, and Threats
(ACT) on a network, you may want to Export and reuse
the original site’s Smart Tag settings.
The use of the Export Smart-Tags feature must be done
before associating a new Site with your Detector if the
Detector is to be used to detect ACT events on the same
network.
Once a Detector and its associated Site have been configured to operate with a given network, switching
the Site file to be used with your Detector will trigger a deletion of the Smart Tag settings associated
with the original Site used to configure and apply the Smart Tag settings to your Detector.
If there is a requirement to save the Smart Tags from the current Site’s Detector configuration for reuse
in a different Site associated with your Detector that is to be connected to the same network as the
original Site was used, you must use the Smart Tags Export and Import options to save and reuse the
tags for later use in your new Site file used to set up the Detector’s configuration.
Steps to Export and Save Smart Tags for Later Use
Step 1 – Select the Site
After starting Network Detective, double click your
mouse pointer on the Site that you are configuring the
automated scan and alerts to be performed upon in
order to view and access the Site’s Settings.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Network Detective™ Detector – User Guide
63
Step 3 – Access Smart Tags and Verify that Scan Data
has been Downloaded
Select the Smart Tags link within the Detector’s Settings
window.
Step 4 – Export Smart Tags
Select the Export option to export the Smart Tags
configuration.
Your will be prompted to save the Smart Tags export file
in a location of your choice.
Select the folder you want to save the Smart Tags
Configuration file in, name the file, and select the Save
button to export the file.
Network Detective™ Detector – User Guide
64
Steps to Import Smart Tags for into your Site for Use with Detector
Step 1 – Select the Site
Double click your mouse pointer on the Site that you are
configuring automated scan, alerts, and reports to be
performed upon in order to view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the
Site bar.
The Detector Settings window will be displayed.
Network Detective™ Detector – User Guide
65
Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded
Select the Smart Tags link within the Detector’s Settings
window.
Step 4 –Import a Smart Tags Configuration File
Select the Import option to import a Smart Tags
configuration file.
A prompt will be presented requesting verification from
you in order to continue the Import of the Smart Tags
Configuration File.
Select the Yes button to continue.
The Import Detector Smart Tag Configuration window
will be displayed.
Select the Smart Tag Configuration File name and select
the Open button to perform the Smart Tag Import
process.
Network Detective™ Detector – User Guide
66
Appendix D – Using the Service Plan Creator
The purpose of this appendix is to provide an overview and specific steps required to use the Network
Detective Service Plan Creator.
Other supplementary guides to be referenced along with this guide include, the Detector SDS Quick
Reference Guide and Detector Quick Start Guide. These guides are available at
www.rapidfiretools.com/nd.
Service Plan Creator Use Cases
There are four use cases for the Service Plan Creator:
• Create Service Plans that are used to offer and deliver one-time Assessment Services
• Create Service Plans that leverage the Network Detective Detector to deliver an on-going
Security Policy-based Service Offering to your customers using the Detector Appliance
• Create Service Catalogs used to produce a Service Catalog document in Word format. The
purpose of the Service Catalog document is to enable you to produce marketing literature, sales
proposals, and service agreements. The Service Catalog document presents:
o a Service Plan Matrix of the plans you are proposing to a prospective client or customer
o descriptions of the Security Policies and Procedures associated with each Service Plan
o a list of reports deliverables for each of the proposed plans
• Generate a stand-alone Service Plan Matrix document in Word format summarizing the Service
Plans you created
The next section outlines the steps necessary to create Service Plans and Catalogs.
Network Detective™ Detector – User Guide
67
Creating Service Plans and Service Catalogs
To create a new Service Plan, follow these steps:
Step 1 – Create a New Service Plan
4. After successfully deploying Detector, visit www.rapidfiretools.com/nd to download and install
the latest version of the Network Detective Application. Then run Network Detective and login
with your credentials.
5. Select the Service Plans icon.
6. Select Create New Service Plan.
7. Enter the name for your Service Plan.
Select Ok to generate the basic Service Plan
template.
Your Service Plan template will be displayed
within the Manage Plans window.
Note that the default Service Plan template
does not have any Network Detective Sites,
Security Policies, or Scheduled Reports
specified.
Before assigning the Service Plan to a Network Detective Site that is associated with a Detector,
you will need to specify the Service Plan’s Policies and Scheduled Reports requirements.
Network Detective™ Detector – User Guide
68
Step 2 – Assign Security Policies to Your Service Plan
1. Select the Edit Service Plan option to add the
Security Policy assignments to the newly
created plan.
.
2. Select the Security Policies tab and select the
policies that you want to assign to your
Service Plan.
3. As you select the Policies, be sure to
familiarize yourself with the Smart Tags
descriptions presented.
For each Security Policy that requires a
Smart Tag set up to be performed, the Tags
associated with a given security policy will
need to be configured to fully enable the
Detector’s Security Policy Violation
detection.
4. After completing the selection of the Policies
that you want associated with your Service
Plan, select the Save button before you
proceed to the next step.
Network Detective™ Detector – User Guide
69
Step 3 – Defining Reports Deliverables to be Included in the Service Plan
You have the ability to include references to one or more Network Assessment and Security
Assessment Reports to be included as a part of your Service Plan deliverables to your customer.
The Reports you select to be included in the Service Plan deliverables will be referenced in three places
within Network Detective:
• the Service Plan Scheduled Reports window
• the Service Catalog* document generated by Network Detective
• the Service Plan Matrix document generated by Network Detective
*Note: The Service Catalog document will enable you to present an overview of your company’s Service
Plan(s) to your clients.
Follow these steps to define the Reports deliverables for your Service Plan.
1. Select the Scheduled Reports tab to plan and
document the Scheduled Report runs
associated with a given Service Plan.
2. Select the Schedule Report button to define
the Reports that should be part of the
Service Plan you are creating.
You can define which Reports should be
generated by Detector and at which Intervals
(daily, weekly, monthly, etc.) the reports are
to be generated.
3. Select from the Network and Security
Reports listed in the Schedule Reports
Wizard window, and select the Next button.
4. Using the Every list control, select the
frequency from the choices available (i.e.
day, week, month, year, or once). Select the
Finish button once your selections are
complete.
Network Detective™ Detector – User Guide
70
After you have selected the Reports that are a part of the Service Plan, and have assigned
the frequency of Report generation, these reports will be listed in the Scheduled Reports
window.
When a Service Plan has been assigned to a
Network Detective Site used with a
Detector, you can use the Reporter
Appliance to schedule the actual automatic
Report generation tasks to generate the
reports deliverables for your service plans.
Note: When selecting a particular Report, or a group of Reports to be included in a Service Plan,
you will need to define how frequently that the Reports are to be generated by your team as
part of delivering your company’s security service associated with the Service Plan.
5. Select the Save button to save your Service
Plan Reports selections and configurations.
6. Select the Manage Plans options to view a
summary of your new Service Plan.
The Manage Plans window will list your
newly created Service Plan and present the
details associated with the plan.
The details include the number of:
• Network Detective Sites that use the
plan
• Security Policies assigned to the plan
itself
• Reports that are to be generated and
delivered to the customer as part of a
particular Service Plan
Network Detective™ Detector – User Guide
71
Step 4 – Creating a Service Catalog
1. Select the Service Plans icon.
2. Select the Manage Catalogs Icon.
All of the available Service Catalogs will be
available within the Catalog Name drop
down list found within the Service Catalog
window.
3. To create a new Service Catalog, select the
default Catalog named “All Plans” and
select the Clone button.
4. Enter in the Catalog Name and select the OK
button to create the new catalog.
Network Detective™ Detector – User Guide
72
5. Select the Exclude option to hide each of the
plans you do not want to be included in the
Service Catalog document to be generated.
6. The remaining Service Plans not excluded
from your new Service Catalog will be
contained within the catalog.
The Service Catalog you created will be
automatically saved for future use.
Network Detective™ Detector – User Guide
73
Generating a Service Catalog Document
After you have created a Service Catalog, you can use Network Detective to generate a Service Catalog
document in Microsoft Word format.
The Service Catalog document will contain a list of the Security Plans you have assigned to your Service
Catalog(s) along with an overview of the Service Plan Security Policies and Procedures, and a list of
Reports deliverables.
To generate the Service Catalog document, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs Icon.
All of the Catalogs will be presented in the
Catalog Name list.
3. To generate the Service Catalog document,
select the name of the Catalog from the
Catalog Name list.
4. Select the Generate and then select the
Service Plan Catalog menu option to
generate the Service Catalog document.
Network Detective™ Detector – User Guide
74
5. Network Detective will generate the
Service Catalog document and open
Microsoft Word so that you may edit
and print the document.
Network Detective™ Detector – User Guide
75
Generating a Service Plan Matrix Document
After you have created a Service Plan, you can use Network Detective to generate a Service Plan Matrix
document in Microsoft Word format.
The Service Plan Matrix document will contain a list of the Security Policies you have assigned to your
Service Plan(s) along with a list of Reports deliverables.
To generate the Service Plan Matrix document, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs Icon.
All of the Catalogs will be presented in the
Catalog Name list.
3. To generate the Service Plan Matrix
document for a specific Catalog, select the
name of the Catalog from the Catalog Name
list.
4. Select the Generate and then select the Plan
Matrix menu option to generate the Plan
Matrix document.
Network Detective™ Detector – User Guide
76
5. Network Detective will generate the Plan
Matrix document and open Microsoft Word
so that you may edit and print the document.
The Security Policies associated with the Plan
are in the document.
And a list of Reports deliverables associated
with the plan are referenced the Report
Tasks section of the Service Plan’s Matrix.
Network Detective™ Detector – User Guide
77
Generating a Sample Master Services Agreement for a Service Plan
After you have created a Service Plan, you can use Network Detective to generate a sample Master
Services Agreement (MSA) document in Microsoft Word format.
The sample MSA document will include an example of terms and conditions for an MSA and reference
an Exhibit that will present a list of the Security Policies and Procedures that reflect the Service Plan
that will be selected when setting up the Detector for your customer.
To generate the Sample MSA document, follow these steps:
Step 1 – Opening Existing Network Detective Site that is Associated with your Detector
1. Start the Network Detective application.
2. Select the Site that that is Associated with
your Detector Appliance.
3. To open the Site, double-click on the Site
name.
Step 2 – Access the Detector Settings
After opening the Site associated with your Detector Appliance,
select the Detector Settings icon located on the left side of
the Network Detective window to view the Detector’s Settings.
Step 3 – Select the Policy Configuration Option
The Policy Configuration option enables you to configure Detector to detect violations of Access
Control, Computer, and Network Security policies that take place within the network.
Within the Policy Configuration window, you have
the option to generate the Sample Master Service
Agreement that is associated with the selected
Service Plan’s Security Policies that you have defined
for your Detector.
In the Detector Settings window, select the Policy
Configuration Modify button to access the Policy
Configuration options window.
Network Detective™ Detector – User Guide
78
The Policy Configuration window will be displayed.
Step 4 – Generate Master Service Agreement Option
Select the Generate button in the Policy Configuration window.
Next, select the Master Service Agreement Option.
The MSA Customization window will be displayed
Step 5 – Enter the MSP information, Customer information, and Service Plan Cost Details
In the MSA Configuration window, enter the MSP Name, State, and Address along with the Customer
Name and Address.
Next, enter the Service Plan Monthly Charge, Additional Hourly Billing Rate, Hours per Month
Included, Emergency Authorized Limit, and the Effective Date to be referenced in the sample MSA.
After entering the MSA Configuration information, select the OK button.
Network Detective™ Detector – User Guide
79
The Disclaimer notification and confirmation window
will be displayed.
Step 6 – Confirm Acceptance of the Disclaimer and Generate the Sample MSA
Select the OK button in the Disclaimer window to generate the Sample MSA in Word format.
Network Detective will generate the Master Services
Agreement document and open Microsoft Word so
that you may edit and print the document.
Network Detective™ Detector – User Guide
80
Managing Service Plans
The instructions below detail the processes used to Modify and Delete Service Plans.
Modifying a Plan
To edit a Service Plan, follow these steps:
1. Select the Service Plans icon.
2. Select the Edit icon on the Service Plan
that you would like to edit.
The Modify Service Plan window will be
displayed.
3. Change the Detector Security Policies, the
plan’s Scheduled Reports settings, or the
Name of the plan, and select the Save
button.
Network Detective™ Detector – User Guide
81
Impact of Service Plan Changes upon Deployed Detector Service Policy Settings -
IMPORTANT
In cases where a Service Plan has been previously assigned to one or more Detector Appliances that are
deployed, and the Service Plan has been updated, this revised Service Plan and its new Detector Policy
Settings must be manually applied to each Detector that will continue to use the plan.
For more information about how to apply the Security Policies contained within a Service Plan to a
Detector Appliance, please refer to the Detector Quick Start Guide available at
www.rapidfiretools.com/nd.
Deleting a Plan
To Delete a Service Plan, follow these steps:
1. Select the Service Plans icon.
2. Select the Edit icon on the Service Plan
that you would like to Delete.
3. Confirm the deletion of the Service Plan you
selected.
Network Detective™ Detector – User Guide
82
4. The selected Service Plan is deleted and is
removed from the Manage Plans window.
Network Detective™ Detector – User Guide
83
Impact of Deleting a Service Plan Previously Used to Configure Security Policy
Settings - IMPORTANT
In cases where a Service Plan has been previously assigned to one or more Detector Appliances that are
deployed, and the Service Plan has been deleted, a new Service Plan and its new Detector Policy
Settings will need to be associated with these Detectors.
For more information about how to apply the Security Policies contained within a Service Plan to a
Detector Appliance, please refer to the Detector Quick Start Guide available at
www.rapidfiretools.com/nd.
Managing Service Catalogs
The instructions below detail the processes used to Modify and Remove (i.e. delete) Service Catalogs.
Modifying a Catalog
To edit a Service Catalog, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs icon.
3. Select Service Catalog Name for the Catalog
that you would like to edit.
The selected Service Catalog will be displayed
in the Manage Catalogs window.
Network Detective™ Detector – User Guide
84
At this point in the process, you may:
• Add Service Plans to a Catalog
• Exclude Service Plans from a Catalog
• Remove the selected Catalog entirely from the Service Plan Creator
Deleting (excluding) Service Plans from a Catalog
To delete a Service Plan from a Service Catalog, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs icon.
3. Select Service Catalog Name for the Catalog
that you would like to edit.
The selected Service Catalog will be displayed
in the Manage Catalogs window. This
Catalog will include the Service Plans
previously added to the Catalog.
4. Just below the name of each Service Plan is a
link labeled Exclude. The selection of the
Exclude Link removes the Service Plan from
the Catalog.
Select the Exclude Link to remove the specific
Service Plan selected from the Service
Network Detective™ Detector – User Guide
85
Catalog.
The Excluded Service Plan will no longer be listed within the Service Catalog user interface
unless re-added in the future.
Adding Service Plans to a Catalog
To Add a Service Plan to a Service Catalog, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs icon.
3. Select Service Catalog Name for the Catalog
that you would like to edit.
The selected Service Catalog will be displayed
in the Manage Catalogs window. This
Catalog will include the Service Plans
previously added to the Catalog.
Select the Include All Plans button.
This action will add all of the other Service
Plans that are currently not listed within the
Catalog’s Service Plan list.
Network Detective™ Detector – User Guide
86
4. Just below the name of each Service Plan is a
link labeled Exclude. The selection of the
Exclude Link removes the Service Plan from
the Catalog.
After you have Excluded the Services Plans
that are not required, exit the Service Plan
Creator.
Removing (deleting) a Service Catalog from the List of Catalogs
To Remove (delete) an entire Service Catalog, follow these steps:
1. Select the Service Plans icon.
2. Select the Manage Catalogs icon.
3. Select Service Catalog Name for the Catalog
that you would like to Remove.
The selected Service Catalog will be displayed
in the Manage Catalogs window.
4. Select Remove button to delete the Catalog
from the Service Plan Creator.
Network Detective™ Detector – User Guide
87
5. The Catalog that you Removed will no longer
be present in the Catalog Name list.
Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS
To successfully configure the Autotask, ConnectWise, or Tigerpaw Ticketing/PSA system integration with
the ND Portal, you will require the following information for the ticketing system you plan to set up for
use with the Portal:
This information will include:
• your Username and Password for your Ticketing System/PSA Integration Account provided
by the Ticketing System’s manufacturer
• URL for the Ticketing/PSA system’s API Integration system access
Step 1 – Set Up a Connection to your Ticketing System/PSA
Follow these steps to set up a Connection to your Ticketing System/PSA in the Portal.
1. Visit https://alerts.alert-central.com and log into
the Network Detective Portal.
Note: In order to configure the Settings in the
Portal, the login credentials you use to access the
Portal will require the Master User rights for your
company’s Network Detective account.
2. Select the Global Settings option.
Network Detective™ Detector – User Guide
88
3. Select the Connections option.
4. Select the Add option to create a
new Ticketing System/PSA
Connection to be later assigned it to
a Network Detective Site.
The Add Connection Setup New
Connection window will be
displayed.
5. In the Setup New Connection window, select
the Connection Type by selecting the
Autotask, ConnectWise, ConnectWise REST, or
Tigerpaw system.
Note about ConnectWise Support: For
ConnectWise connections, you will need to
set up an Integrator ID and use the Integrator
ID login credentials when setting up a
ConnectWise
integration in the ND Portal.
To learn more about setting up a
ConnectWise Integrator ID to work with the
ND Portal, refer to Appendix I – Setting up a
ConnectWise Integrator Login ID. If you are using the ConnectWise REST API integration, see
Appendix J – Setting up a Network Detective to ConnectWise REST API Integration.
Network Detective™ Detector – User Guide
89
6. Then select the Test Login button to test the Connection to the Ticketing/PSA system you
selected.
7. Then enter in the information required to set up the Connection.
This information will include:
• your Username and Password for your
Ticketing System/PSA Integration Account
provided by the Ticketing System’s
manufacturer
• URL for the Ticketing/PSA system’s API
Integration system access
8. Select the Test Login button to test your
Connection login.
After a successful test login, the second Add
Connection Ticket Details window will be
displayed.
9. Continue creating your Connection by entering in
the necessary Ticket Details that is relative to the
Ticketing System /PSA you are using in your
Connection setup.
For Autotask, set up the Company Name, Work
Type, Assigned Resource, Role, Due Date, Issue
Type, Queue, Priority, Status and Source fields.
For ConnectWise, set up the Company Name,
Service Board, Status, Service Type, Source, and
Priority fields. Sub-Service Type and Service Item
should be completed if applicable.
For Tigerpaw. set up the Service Board, Service
Type, Account, Representative, Status, and Priority
fields.
Select the Test Ticket button to continue.
The Add Connection Settings Confirmation window will be displayed after the Test Ticket
process is successful.
Network Detective™ Detector – User Guide
90
10. In the Add Connection Confirm Settings window
presented, enter the Name for your new
Connection to the Ticketing System/PSA in the
Name field.
11. Review the Connection’s configuration details
and select the Save button to complete the
creation of your Ticketing System/PSA
Connection setup.
12. The new Connection created will be listed in the
Portal’s Connection list.
13. Your new Connection will be listed in the
Connections list.
Step 2 – Map your Detector’s Site to a Ticketing System/PSA Connection
Follow these steps to map a Ticketing System/PSA Connection to the Network Detective Site associated
with your Detector.
1. In the Integrations window, select the Add
button located in the Site Mappings section of
the window.
The Map Site to Connection window will be
displayed.
2. Select the Network Detective Site you want to
assign to this Ticketing System/PSA Integration.
3. Next, select the name of the Connection that you
want use to link the Site to your Ticketing
System/PSA.
Network Detective™ Detector – User Guide
91
4. After selecting the Connection name, use the
Company Lookup field to search and select the
Company name to be referenced when
generating Tickets for the selected Site.
5. Select the Save button to save your Site Mapping
to Ticketing System/PSA Integration.
6. The Site’s mapping to your Ticketing System/PSA
Integation will be saved and listed in the Site
Mappings list.
Your Portal account now can be used to create tickets for any Alerts or To Do items listed in the Portal
for the Network Detective Site you selected.
Network Detective™ Detector – User Guide
92
Appendix F – Set Up ND Portal Branding (Detector SDS Only)
1. Visit https://alerts.alert-central.com and log into
the Network Detective Portal.
Note: In order to configure the settings in the
Portal, the login credentials you use to access the
Portal will require the Master User rights for your
company’s Network Detective account.
2. Select the Global Settings option.
3. Select the Branding option.
Network Detective™ Detector – User Guide
93
4. Enter your company brand in the
Company Name field.
The company brand information
you entered will be presented in
the Preview.
5. To select the Banner color for
your company’s Portal login
screen, single click on the Banner
Color field and a color selector
control will be displayed.
6. Select your Banner Color and
select the Save button to save
your Branding settings.
7. Log out of the ND Portal, then log back into the
Portal in order to verify that your Branding
settings have been applied.
Network Detective™ Detector – User Guide
94
Appendix G – Set Up a Custom Subdomain to Access the ND Portal (Detector SDS Only)
1. Visit https://alerts.alert-central.com and log into
the Network Detective Portal.
Note: In order to configure the settings in the
Portal, the login credentials you use to access the
Portal will require the Master User rights for your
company’s Network Detective account.
2. Select the Global Settings option.
3. Select the Branding option.
Network Detective™ Detector – User Guide
95
4. Enter the Subdomain name
you desire in the Site
Subdomain field.
5. Select the Save button to save
your Subdomain setting.
6. Log out of the ND Portal.
7. Next, access the ND Portal by using the URL
for the new Subdomain you configured to
access the Portal’s login screen.
Network Detective™ Detector – User Guide
96
Appendix H – Set Up Custom SMTP Server Support (Detector SDS Only)
Follow these steps to set up the use of your own SMTP server to send Alerts and Notices from Detector.
Follow these steps to set up the Email Configuration.
1. In the Detector Settings window, select the Email
Configuration Modify button to access the Email
Configuration options window.
The Email Configuration window will be
displayed.
2. Select the SMTP Server tab within the Email
Configuration window to access the Custom
SMTP Server settings.
3. Configure the following to set up your Customer
SMTP Server to send Detector Alerts and Notices:
• Alert From email address and display
name
• Report From email address and display
name
• SMTP Server Address
• Port Number
• Security Method
• SMTP Server Username and Password
Network Detective™ Detector – User Guide
97
4. Select the Send Test Email button to test the
SMTP email Server configuration and email
addresses.
5. Select the Send button in the Send Test Emails
window. The status of the email test is displayed
in the Send Test Emails window.
After a successful test has been completed, select
the Close button to close the Send Test Emails
window.
6. To complete the setup process, select the Save & Close button in the Email Configuration
window to save the Custom SMTP Server Email Configuration settings.
Network Detective™ Detector – User Guide
98
Appendix I – Setting up a ConnectWise Integrator Login ID
Before configuration items can be imported into the ConnectWise PSA, the appropriate permissions
must be setup in your ConnectWise system and you must configure a ConnectWise “Integration
Connection” in Network Detective Portal.
Setting up an “Integrator Login” in ConnectWise
• Navigate to System-> Setup Tables
• Type “Integrator” into the Table lookup and hit Enter
• Click the Integrator Login link
Click the “New” Icon to bring up the New Integrator login screen as shown on the right.
Enter and record Username and Password
values which you will need later on when
configuring a ConnectWise “Integration
Connection” in the Network Detective Portal.
Set the Access Level to “All Records.”
Using the ConnectWise Enable Available APIs
function, enable the following APIs:
• ServiceTicket API
• Company API
• Reporting API
• System API Note: If using the Network Detective Application’s Export Options, then additional API’s must be set up as referenced in the Network Detective User Guide.
Click the Save icon to save this Integrator Login.
Network Detective™ Detector – User Guide
99
Appendix J – Setting up a Network Detective to ConnectWise REST API Integration To set up a connection between the ND portal and the ConnectWise Ticketing system using the REST API
you will be required to:
Step 1 – Download and Install the ConnectWise Manage Internet Client Application
To enable the integration, you will need to use the ConnectWise Manage Internet Client application.
Download and install the app from http://university.connectwise.com/install/. Then log in using your
credentials.
If you are using the ConnectWise Manage web app, you can continue to use the web app after you have
completed the steps in this guide and enabled the integration with ND.
Step 2 – Select the ConnectWise Ticket System API Member Account to Integrate with Network Detective
1. From the ConnectWise dashboard, click System from the side menu.
2. Next, click Members.
3. Click on API Members Tab. The API Members screen will appear.
Note that the API Members Tab may not show by default and may need to be added. You can
add this tab from the Tab Configuration menu on the Members page .
4. Click on the button to create a new API Member. Fill in all required information.
5. Confirm that the API Member has been
assigned Admin rights by checking the
member’s Role ID under Security Information.
Step 3 – Create an API Key in the ConnectWise Ticketing System
1. Select the API Member that you created previously.
2. From the API Member
details screen, click API
Keys.
Network Detective™ Detector – User Guide
100
3. Click the button.
4. Enter a Description for the API Key.
5. Click Save.
6. The newly generated API Key will appear.
7. Write down or take a screen shot of the
Member’s Public and Private API Key strings.
This information will be required to set up
the integration between ND and
ConnectWise. Note that the Private Key is
only available at the time the key is created.
Be sure to copy the keys for your records.
Step 4 – Configure Service Tables in ConnectWise
In order to export issues from ND as tickets in ConnectWise, you will need to configure several Service
Tables in ConnectWise. These tables ensure that the issues in ND are “mapped” correctly to the tickets
created within ConnectWise. You must configure the Service Tables correctly in order to establish the
connection between ND and ConnectWise.
You can configure the Service Tables in ConnectWise from System>Setup Tables>Category>Service.
Configure the Service Tables as detailed below:
1. Service Board
You must have a Service Board created within ConnectWise. In addition, within the Service
Board, you must create values for the following fields. You can create values for these fields
from the Service Board page:
a. Statuses
b. Types
c. Teams
You must create at least one value for each of these fields.
Network Detective™ Detector – User Guide
101
In addition, you must define values for two additional Service Tables:
2. Source
You must include at least one Source.
3. Priority
You must include at least one Priority
level.
If your existing Service Tables already contain values for the fields listed above, you do not need to
create new values.
Once you have completed the configuration requirements detailed in this topic, you can then proceed to
Appendix E – Set Up and Assign a Ticketing/PSA System Integration to a Site Using Detector SDS.
Network Detective™ Detector – User Guide
102
Appendix K – Default Detector SDS Service Plans
The default Detector SDS Service Plans available for selection after initial installation are the Bronze,
Silver, Gold, and Platinum plans. Below is an overview of the default Security Policies associated with
each Service Plan.
Security Policy Description Bronze Silver Gold Platinum
Authorize New Devices to be Added to Restricted Networks ✓ ✓ ✓ ✓
Restrict Access to Accounting Computers to Authorized Users ✓ ✓ ✓ ✓
Restrict Access to Business Owner Computers to Authorized Users ✓ ✓ ✓ ✓
Restrict IT Administrative Access to Minimum Necessary ✓ ✓ ✓ ✓
Restrict Users that are Not Authorized to Log into Multiple Computer Systems ✓ ✓ ✓ ✓
Strictly Control the Addition of New Local Computer Administrators ✓ ✓ ✓ ✓
Strictly Control the Addition of New Users to the Domain ✓ ✓ ✓ ✓
Install Critical Patches on Network Computers within 30 Days ✓ ✓ ✓
Only Connect to Authorized Wireless Networks ✓ ✓ ✓
Strictly Control the Addition of Printers ✓ ✓ ✓
Restrict Access to IT Admin Only Restricted Computers to IT Administrators ✓ ✓ ✓
Users Should Only Access Authorized Systems ✓ ✓ ✓
Changes on Locked Down Computers should be Strictly Controlled ✓ ✓
Install Critical Patches for DMZ Computers within 30 Days ✓ ✓
Investigate Suspicious Logons by Users ✓ ✓
Investigate Suspicious Logons to Computers ✓ ✓
Remediate High Severity Internal Vulnerabilities Immediately (CVSS > 7.0) ✓ ✓
Restrict Internet Access for Computers that are Not Authorized to Access the
Internet Directly ✓ ✓
Detect Network Changes to Internal Networks ✓
Detect Network Changes to Internal Wireless Networks ✓
Remediate Medium Severity Internal Vulnerabilities (CVSS > 4.0) ✓
Restrict Access to Computers Containing ePHI to Authorized Users ✓
Restrict Access to Systems in the Cardholder Data Environment (CDE) to
Authorized Users ✓
Strictly Control the Clearing of System and Audit Logs
Strictly Control the Removal of Users from the Domain
Enable automatic screen lock on computers with sensitive information
Enable automatic screen lock for users with access to sensitive information
Network Detective™ Detector – User Guide
103
Security Policy Description Bronze Silver Gold Platinum
Strictly control DNS on Locked Down Networks
Strictly control changes to Group Policy
Strictly control changes to the Default Domain Policy
Only store Personally Identifiable Information (PII) on systems marked as sensitive
Strictly Control the Creation of New User Profiles
Only store ePHI on designated systems
Only store cardholder data on designated systems
Network Detective™ Detector – User Guide
104
Appendix L – Additional Scan Host Configuration Options and Requirements
The Detector Appliance requires access to at least one separate, additional PC on the client’s network.
This computer is called the “Scan Host.” The Scan Host is used to initiate scans.
Scan Host Requirements
Before proceeding to set up the Scan Host, ensure that the following requirements are met:
• The Scan Host PC must have Windows 7 or higher.
• WMI, Admin$, and File and Print Sharing must be enabled on the network along with their
respective firewall settings.
Note that in order to initiate the scans, the Scan Host PC must also:
• be turned on
• be connected to the network
Assigning Scan Hosts
You assign Scan Hosts in the first step of the Scan Configuration Wizard. We recommend that you assign
at least two PCs to serve as scan hosts. This will allow scans to run even if one scan host becomes
unavailable.
To assign Scan Hosts:
1. In the Detector Settings window, select the
Modify Scan Configuration option.
The Scan Configuration Wizard will appear.
2. Click Modify Settings if you wish to modify a
previously configured scan.
Network Detective™ Detector – User Guide
105
3. The Scan Hosts window will appear. Next assign scan hosts:
a. Enter one set of login credentials to access the PCs that you wish to designate as scan hosts.
b. Enter the name of the domain (NOT the name of the domain controller).
c. Enter the IPs or computer names of the computers that will initiate the scans.
4. Once you have entered scan hosts, click Test Scan Hosts to be sure you can connect. If you are
unable to connect, verify that the A) scan hosts meet the requirements listed above, B) that you
have entered the values correctly as detailed in the image above.
Assigning Scan Hosts within a Workgroup
If you are working within a Workgroup environment, you will
need to enter the following characters into the Domain field
when assigning scan hosts: “.\” (without quotation marks).