In Sheriff CSM, an asset is a piece of equipment on the company's network that bears a unique IP address. An asset can be a server, a router, a firewall, a printer, a PC or any other network-enabled device.

An asset is monitored by at least one Sheriff CSM Sensor (Deputy).

See Adding Assets or Asset Administration.

In Sheriff CSM, every asset or network has an asset value, ranging from 0 to 5, 0 being the least important and 5 the most important. To decide the asset value, the system first checks if a value has been manually assigned. If not, the system uses the asset value of the network the asset belongs to instead. If the network does not have an asset value, Sheriff CSM assigns the asset the default value of 2. You can assign a different value from the default of 2 to an asset, from 0 to 5.

Important: Keep in mind that raising the value of an asset, which increases the risk of the events, will generate a larger number of false positive alarms, especially when you use the value of 5.

Sheriff CSM uses asset value to calculate event risk. Sheriff CSM calculates risk value for every event after it arrives at the Sheriff CSM Server. The system uses the following formula to calculate the risk:

Risk = (asset value ∗ event priority ∗ event reliability) / 25

Where:

• Asset value is from 0 to 5.
• Event priority is from 0 to 5.
• Event reliability is from 0 to 10.

Therefore, the risk value is from 0 to 10. Decimals are always rounded down. For example, if the asset value is 3, event priority is 3, and event reliability is 5, you will get 3 * 3 * 5 / 25 = 1.8. In this case, the risk for the event is 1.

In Sheriff CSM, any event with a risk value greater than or equal to 1 generates an alarm.

Sheriff recommends that you do not change the asset value of the Sheriff CSM instance, because Sheriff CSM generates its own events, most of which are informational. Therefore, raising the value of this asset (which increases the risk of those events) will generate a larger number of false positive alarms.

Asset details can be updated by various services in Sheriff CSM. See the table below for a list of such services. You can also update assets manually by navigating to an asset and selecting Actions > Edit. Manual updates can be locked by going to the Edit Assets > Properties page. The update with the highest priority number takes precedence over the others, so an update created by a Vulnerability Scan (with a priority of 5) won't overwrite the updates made by an Active Asset Scan (with a priority of 7), but the Vulnerability Scan would overwrite a Passive Asset Scan because it has a lower priority of 4.

Update Priority

Service Name	Priority
Manual — Locked	10
Availability Monitoring	8
LDAP	8
Active Asset Scan	7
WMI	7
Vulnerability Scan	5
HIDS	5
Passive Asset Scan	4
Manual	3

Sheriff CSM uses External Assets to provide a way for you to create policies and correlation directives on assets that do not belong to you. For example, if a known malicious IP attacks your network, you can add it as an external asset, then create a policy to send out email alerts if this IP communicates to any devices on your network.

Note: Be aware that if you are using an asset-based license, external assets count toward your asset license limit.

When processing events, the correlation engine views external assets or networks as being outside your home network.

An asset group is an administratively created object that pools similar assets used for specific purposes. You can group assets based on IP addresses and networks monitored by Sheriff CSM. Grouping based on IP addresses allows for easier search and management of assets.

For example, you could group all network firewalls, or all servers running a particular operating system. Such groups are useful when performing various tasks, such as vulnerability assessment or asset discovery, or when you are interested only in events coming from specific devices.

You can group assets based on a number of attributes, including the following:

• Asset value
• Network
• Software running on the assets
• Sensor monitoring the assets
• Device type of asset
• Open port or services running on assets
• Location of assets

See Asset Group Administration.

In Sheriff CSM, a network represents a configuration object that identifies the part of an organization's network that Sheriff CSM monitors. For example, you can select a network during asset discovery to find all the assets on that particular network.

By default, Sheriff CSM comes with three networks already specified:

• Pvt_192—192.168.0.0/16
• Pvt_172—172.16.0.0/12
• Pvt_010—10.0.0.0/8

See Network Administration.

Just like an asset group, a network group pools networks with similar properties for easy access and management.

See Network Group Administration.