ASM Scan
The ASM certificate discovery scan discovers and inventories certificates visible across your organization's external attack surface to identify risks and exposures.
To initiate an ASM certificate discovery scan:
- Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > ASM Scan.
  The Discovery : ASM Scan : Add Discovery page is displayed.
- Enter/Select the Discover Details.
  Table 1. Discover Details
  Field: Description

  - *Discovery Run Type: To specify the frequency at which the certificate discovery scan will be triggered, select one of the following options:
    - On-demand: ASM certificate discovery scan will be triggered manually by the user as and when required.
    - Scheduled: ASM certificate discovery scan will be triggered automatically at the specified time and date.
  - *Discovery Instance Name: Enter a Discovery Instance Name to track the discovered details.
  - Description: Enter additional details for the ASM discovery instance. Note: Character limit: 2000 characters
  - *Time Zone: This field is displayed only if Discovery Run Type = Scheduled. From the dropdown list, select the time zone in which this discovery instance will be initiated.
  - Occurrence Type: From the dropdown list, select how often this discovery will be initiated:
    - Daily
    - Weekly
    - Monthly
    - Yearly
  - *Repeat On: This field is displayed only when Occurrence Type = Weekly. Select a day of the week to initiate the certificate discovery scan.
  - *Starts On: Click (Calendar widget) to select a date to start the scheduled discovery.
  - *Ends: From the following options, select when the scheduled discovery is to end:
    - Never: Discovery never stops.
    - After: Discovery stops after the number of occurrences specified in the text field.
    - On: Discovery stops on the date selected using (Calendar widget).
  - Summary: Displays a summary of the selections made for scheduled discovery.

  *: Mandatory fields
- In the Discover By section, from the table displayed, select the vendor integration instance(s) that will be used as the source for the scan.
- To execute the discovery operation batch-wise in sequence, select the Execute Batches Sequentially checkbox.
- If Execute Batches Sequentially is selected, enter an interval duration, in minutes, in the Interval Between Batches field. The sequential execution of the batches is spaced according to the interval value entered here.
- To route network traffic through a proxy server, instead of directly connecting to the target endpoints, select the Proxy Required checkbox.
  Important: If the cloud-dc data center is selected, the Proxy Required flag is disregarded.
- In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
  A rule is created from the Rules menu by combining a set of filters. The selected rule applies its filters to the discovered certificates.
- Configure the After Discover settings.

  Table 2. Field descriptions for the After Discover section
  Field: Description

  - *Move Certificate to Inventory with Status: Select one of the following options.
    Note: If the discovered certificate is already available in the inventory, its status will not be updated/changed. Choose the appropriate status to ensure certificates are handled as per your organization's policy.
    - Do not move
      - The discovered certificates and their objects will not be added to the inventory automatically.
      - Instead, the certificates will remain available for manual validation; the status is updated to Managed or Monitored after review.
    - Managed
      - The newly discovered certificates and their objects will be moved to the inventory with full lifecycle management (certificate renewal, revocation, push/provisioning, expiry monitoring, and alerting) enabled.
      - Certificate status will be set to Managed.
    - Monitored
      - The newly discovered certificates and their objects will be moved to the inventory with only monitoring enabled. Lifecycle management actions (certificate renewal, revocation, push/provisioning) cannot be performed.
      - Certificate status will be set to Monitored.
  - Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox. Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
  - *Certificate Group: From the dropdown list, select a certificate group to which the discovered certificates will be associated. Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

  *: Mandatory fields
- To receive Discovery Notifications:
- Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
