Allowlist Assessment
For an overview of how TSA works, see About Tripwire State Analyzer.
During an Allowlist Assessment, Tripwire State Analyzer compares TE element data to a corresponding Allowlist and creates a list of Authorized, Unauthorized, and Unused Items.
- Authorized Items match an Allowed Item in an Allowlist.
- Unauthorized Items do not match any Allowed Items in an Allowlist.
- Unused Items are Allowed Items that were not found during the Assessment.
For a more detailed explanation, see How an Allowlist Assessment Works.
The Allowlist Assessment page displays the results of each Assessment. Each row on this page represents a different Allowlist Assessment, showing the results of its most recent run.
- Click anywhere in a row to view or edit the Assessment that created those results.
- Click the numbers in the Authorized Items, Unauthorized Items, and Unused Items columns to see details about these Items.
- Use the icons above the table to export Assessments to an external file, show and hide columns, or to filter the Assessments displayed.
|
Note: |
If you configured TSA to monitor Agentless Assets or Custom Software, the results of those Assessments will also be displayed on the Allowlist Assessment page. For more information, see Allowlisting of Agentless Assets and Allowlisting of Custom Software in the Tripwire State Analyzer Administration Guide. |
|---|
How an Allowlist Assessment Works
Each Allowlist Assessment runs against a single Allowlist Type (Users, Open Ports, etc.). During an Assessment, TSA retrieves the latest element data from TE and compares it to each System-Defined Attribute (but not User-Defined Attributes) for each Allowed Item in the Allowlist until a match is found.
- If an element matches all of the System-Defined Attributes for an Allowed Item, it becomes an Authorized Item.
- If an element doesn't match all of the System-Defined Attributes for any Allowed Items in the Allowlist, it becomes an Unauthorized Item.
- If an Allowed Item doesn't match any elements, it becomes an Unused Item.
Each System-Defined Attribute has a matching strategy that specifies how it is compared against TE element data during an Allowlist Assessment:
- Most matching strategies (Equals, Greater Than, etc) are straightforward and will match an Attribute to a specific value in the element data, or to a range of values.
- Attributes with the Contains strategy match only if the Attribute contains the entire value in the element data.
- Attributes with the Not Contains strategy match only if the Attribute does not contain the entire value in the element data.
If an Attribute in an Allowed Item uses a regular expression, TSA ignores the matching strategy for that Attribute and evaluates the element data against the regular expression instead.
|
Note: |
The matching strategy for an Attribute can be changed, but changing it can have a dramatic effect on the results of an Assessment. |
|---|
Working with Allowlist Assessments
From the Allowlist Assessments page, you can create a new Assessment, modify an existing one, or run an Assessment manually.
To create a new Allowlist Assessment
- Navigate to State Analyzer > Allowlist Assessment.
- Click NEW ALLOWLIST ASSESSMENT.
- Complete the New Allowlist Assessment panel:
- Select the Allowlist Type to create the Assessment for.
- Create a descriptive Assessment Name, like "Daily Open Ports".
- Specify the Scope for the Assessment. Scopes specify which assets are evaluated when the Assessment runs.
- Select a schedule and time for the Assessment.
- Click Save or Save and Run.
To modify an existing Assessment
- Navigate to State Analyzer > Allowlist Assessment.
- Select one or more Assessments, then select one of the following:
- Edit: You can only edit one Assessment at a time.
- Duplicate: You can only duplicate one Assessment at a time.
- Delete: Delete the Assessment(s).
To run an existing Assessment manually
- Navigate to State Analyzer > Allowlist Assessment.
- Select one or more Assessments and select Run to run the Assessment immediately.
Adding Unauthorized Items to an Allowlist
If an Unauthorized Item actually should be on an Allowlist, you can add it so that it will appear as Authorized in the future.
To add Unauthorized Items to an Allowlist- Navigate to State Analyzer > Allowlist Assessment.
- Find the Assessment with the results you want to change, and select the number in the Unauthorized Items column.
- Select one or more Items you want to add to an Allowlist and click Make Allowed.
If you select a single Item, you can edit the Attributes, Scope, and User-Defined Attributes for the Item.
If you select multiple Items, you can only edit User-Defined Attributes, and the same value will be applied to all of the Items.
Note:
You can add or edit User-Defined Attribute values for the individual Items later, from the corresponding Attributes tab of the Allowlist Settings page.
- Click Save.
- Navigate to the appropriate tab of the Allowed Items page. The newly-added Items should be at the top of the list with a NEW icon.
- Back on the Allowlist Assessment page, select the same Assessment and click Run. Click the number in the Authorized Items column to verify that the Item is now Authorized.
Exporting Allowlist Assessments
You can export Allowlist Assessments to CSV, PDF, or JSON files in a several ways.
To export details about Authorized, Unauthorized, or Unused Items for a specific Assessment
- On the Allowlist Assessments page, click the number in the Authorized Items, Unauthorized Items, or Unused Items columns for the Items you want to export.
- Apply any desired filters. Only visible items will be exported.
- Click the Export icon above the table and select a format for the export file.
- Specify the filename and click Save.
To export a summary of all visible Allowlist Assessments
- Apply any desired filters. Only visible items will be exported.
- Click the Export icon above the table and select a format for the export file.
Only CSV files can be imported back into State Analyzer.
- Specify the filename and click Save.
To export Allowlist Assessments for specific Allowlist Types
- Navigate to State Analyzer > Allowlist Settings and click the Display Types tab.
- Click EXPORT, then select a format for the export file from the dropdown.
- In the Export pane, specify the Allowlist Assessments to be exported:
- Select one or more Allowlist Types.
- Select Allowlist Assessments.
Note:
Filters on the Allowlist Assessment pages are ignored when exporting from the Allowlist Settings page.
- Click EXPORT.