Investigate sensor detections in a device inventory
The device inventory displays an extensive range of device attributes that a sensor detects. Options are available to:
- Easily filter the information.
- Export information to a CSV file.
- Import Windows registry details.
- Create groups for display in the device map.
View device attributes in the device inventory
The following attributes appear in the device inventory table.
|Name||The name of the device as the sensor discovered it, or as entered by the user.|
|Type||The type of device as determined by the sensor, or as entered by the user.|
|Vendor||The name of the device's vendor, as defined in the MAC address.|
|Operating System||The OS of the device, if detected.|
|Firmware version||The device's firmware, if detected.|
|IP Address||The IP address of the device where defined.|
|VLAN||The VLAN of the device. For details about instructing the sensor to discover VLANs, see [Define VLAN names](how-to-define-management-console-network-settings.md#define-vlan-names).|
|MAC Address||The MAC address of the device.|
|Protocols||The protocols that the device uses.|
|Unacknowledged Alerts||The number of unacknowledged alerts associated with this device.|
|Is Authorized||The authorization status defined by the user. True: The device has been authorized. False: The device has not been authorized.|
|Is Known as Scanner||Defined as a network scanning device by the user.|
|Is Programming device||Defined as an authorized programming device by the user. True: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations. False: The device is not a programming device.|
|Groups||The groups that this device participates in.|
|Last Activity||The last activity that the device performed.|
|Discovered||When this device was first seen in the network.|
To view the device inventory:
In the left pane, select Devices. The Devices pane opens on the right.
In the Devices pane, select .
To hide and display columns, customize the device inventory table:
On the upper-right menu of the device inventory, select .
In the Device Inventory Settings window, select the columns that you want to display in the device inventory table.
Change the location of the columns in the table by using arrows.
Select Save. The Device Inventory Settings window closes, and the new settings appear in the table.
Create temporary device inventory filters
You can set a filter that defines what information the table displays. For example, you can choose to view only information about PLC devices.
The filter is not saved when you leave the inventory.
Save device inventory filters
You can save a filter or a combination of filters that you need and reapply them in the device inventory. Create broader filters based on a certain device type, or more narrow filters based on a specific type and a specific protocol.
The filters that you save are also saved as device map groups. This feature provides an additional level of granularity in viewing network devices on the map.
To create filters:
In the column that you want to filter, select .
In the Filter dialog box, select the filter type:
- Equals: The exact value according to which you want to filter the column. For example, if you filter the protocol column according to Equals and value=ICMP, the column will present devices that use the ICMP protocol only.
- Contains: The value that's contained among other values in the column. For example, if you filter the protocol column according to Contains and value=ICMP, the column will present devices that use the ICMP protocol as a part of the list of protocols that the device uses.
To organize the column information according to alphabetical order, select . Arrange the order by selecting the and arrows.
To save a new filter, define the filter and select Save As.
To change the filter definitions, change the definitions and select Save Changes.
To view filters:
Open the left pane and view the filters that you've saved:
View filtered information as a map group
When you switch to the map view, the filtered devices are highlighted and filtered. The filter group that you saved appears in the side menu under the Device Inventory Filters group.
Learn Windows registry details
In addition to learning OT devices, you can discover Microsoft Windows workstations and servers. These devices are also displayed in Device Inventory. After you learn devices, you can enrich the Device Inventory with detailed Windows information, such as:
- Windows version installed
- More robust information on OS versions
Two options are available for retrieving this information:
- Active polling by using scheduled WMI scans.
- Local surveying by distributing and running a script on the device. Working with local scripts bypasses the risks of running WMI polling on an endpoint. It's also useful for regulated networks with waterfalls and one-way elements.
This article describes how to locally survey the Windows endpoint registry with a script. This information will be used for generating alerts, notifications, data mining reports, risk assessments, and attack vector reports.
You can survey the following Windows operating systems:
Windows Server 2003/2008/2012/2016
Before you begin
To work with the script, you need to meet the following requirements:
Administrator permissions are required to run the script on the device.
The sensor should have already learned the Windows device. This means that if the device already exists, the script will retrieve its information.
A sensor is monitoring the network that the Windows PC is connected to.
Acquire the script
To receive the script, contact customer support.
Deploy the script
You can deploy the script once or schedule ongoing queries by using standard automated deployment methods and tools.
About the script
The script is run as a utility and not an installed program. Running the script does not affect the endpoint.
The files that the script generates remain on the local drive until you delete them.
The files that the script generates are located next to each other. Don't separate them.
If you run the script again in the same location, these files are overwritten.
To run the script:
Copy the script to a local drive and unzip it. The following files appear:
After the registry is probed, the CX-snapshot file appears with the registry information.
The file name indicates the system name and date and time of the snapshot. An example file name is
Import device details
Information learned on each endpoint should be imported to the sensor.
Files generated from the queries can be placed in one folder that you can access from sensors. Use standard, automated methods and tools to move the files from each Windows endpoint to the location where you'll be importing them to the sensor.
Don't update file names.
Select Import Settings from the Import Windows Configuration dialog box.
Select Add, and then select all the files (Ctrl+A).
Select Close. The device registry information is imported. If there's a problem uploading one of the files, you'll be informed which file upload failed.
Export device inventory information
You can export device inventory information to an Excel file.
To export a CSV file:
- On the upper-right menu of the device inventory, select . The CSV report is generated and downloaded.
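
The Equals and Contains filter types described earlier can be reproduced offline against an exported CSV, which is useful for repeatable triage outside the sensor console. The following is an added example, not code from the product: the column header names are taken from the attribute table on this page and the comma-separated layout of the Protocols cell is an assumption, as are all sample rows.

```python
import csv
import io

# Constructed sample export. Header names mirror the attribute table on this
# page; the real export's headers and Protocols cell format are assumptions.
SAMPLE_CSV = """Name,Type,IP Address,Protocols,Unacknowledged Alerts,Is Authorized
PLC-7,PLC,10.0.1.20,"Modbus, ICMP",2,True
ENG-WS-1,Engineering Station,10.0.1.50,"S7, Modbus, ICMP",0,True
HMI-3,HMI,10.0.1.31,ICMP,0,True
LAPTOP-X,Workstation,10.0.1.99,"S7, ICMPv6",1,False
"""


def load_inventory(text):
    """Parse the exported CSV text into a list of dicts, one per device."""
    return list(csv.DictReader(io.StringIO(text)))


def protocols(row):
    """Split the Protocols cell into a clean list of protocol names."""
    return [p.strip() for p in row["Protocols"].split(",") if p.strip()]


def filter_equals(rows, value):
    """Equals: the device uses this protocol and no other."""
    return [r["Name"] for r in rows if protocols(r) == [value]]


def filter_contains(rows, value):
    """Contains: the protocol is one entry in the device's protocol list.

    Matching is per list entry, so "ICMPv6" does not match "ICMP". The
    console's exact matching rule is not stated on the page.
    """
    return [r["Name"] for r in rows if value in protocols(r)]


def unauthorized_with_alerts(rows):
    """Devices not marked authorized that still have unacknowledged alerts."""
    return [r["Name"] for r in rows
            if r["Is Authorized"].strip().lower() != "true"
            and int(r["Unacknowledged Alerts"] or 0) > 0]


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    print("Equals ICMP:  ", filter_equals(inventory, "ICMP"))
    print("Contains ICMP:", filter_contains(inventory, "ICMP"))
    print("Review first: ", unauthorized_with_alerts(inventory))
```
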