Enterprise Recon Cloud 2.12.0

How To Start a Scan

This section covers the following topics:

Overview

This section assumes that you have set up and configured Targets to scan. Refer to the Scan Locations (Targets) Overview section.

Start a scan from the following places in the Web Console:

Start a Scan

  1. Log in to the ER Cloud Web Console.
  2. Navigate to the Select Locations page by clicking on:
    • Scans > New Scan, or
    • the New Scan button in the Dashboard, Targets, or Scans > Schedule Manager page.
      New Scan button to start a scan from the Dashboard, Targets or Schedule Manager page.
  3. On the Select Locations page, select Targets to scan from the list of Targets and click Next.

    In the Select Locations page, you can:

  4. On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profiles section) and click Next.
  5. On the Set Schedule page, configure the parameters for your scan and click Next. Refer to Set Schedule.
  6. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Your scan configuration is saved and you are directed to the Targets page. The Target(s) you have started scans for should display Searched x.x% in the Searched column to indicate that the scan is in progress.

Set Schedule

The Set Schedule page allows you to configure optional parameters for your scan.

Enterprise Recon 2.4 Set Schedule page to configure scan parameters.

Parameter Description
Schedule Label Enter a label for your scan. ER Cloud automatically generates a default label for the scan. The label must be unique, and will be displayed in the Schedule Manager. See View and Manage Scans
Scan Frequency Select whether to Scan Now, or to Schedule a future scan.

See Schedule a Scan.

Set Notifications To set notifications to alert specific users or email specific email addresses.
Advanced Options Configure the following scan schedule parameters:
  • Automatic Pause Scan Window - Set scan to pause during the scheduled periods. See Automatic Pause Scan Window.
  • Limit CPU Priority - Sets the CPU priority for the Node Agent used.

    If a Proxy Agent is used, CPU priority will be set for the Proxy Agent on the Proxy Agent host. The default is Low Priority to keep ER Cloud's resource footprint low.

  • Limit Search Throughput - Sets the rate at which ER Cloud scans the Target.
    • Select Limit Data Throughput Rate to set the maximum disk I/O rate at which the scanning engine will read data from the Target host. No limit is set by default.
    • Select Set memory usage limit to set the maximum amount of memory the scanning engine can use on the Target host. The default memory usage limit is 1024 MB.
      If you encounter a "Memory limit reached" error, increase the maximum amount of memory the Agent can use for the scan here.
  • Enable Scan Trace Logs - Select Enable Scan Trace to capture detailed scan trace messages when scanning a Target. For more information, see Scan Trace Logs.
    Scan Trace Logs may take up a large amount of disk space, depending on the size and complexity of the scan, and may impact system performance. Enable this feature only when troubleshooting.
  • Capture Context Data - Select to include contextual data when displaying matches in the Match Inspector. See Remediation.
    Contextual data is data found before and after a found match to help you determine if the found match is valid.
  • Match Detail - Control the quantity of match information captured for each scan to suit your scanning and remediation needs. See Match Detail.
  • Partial Salesforce Object Scanning - Specify the maximum number of records per Salesforce object to be scanned for each scan schedule.

    See Salesforce - Partial Salesforce Object Scanning for more information.

  • Enable Bulk Download for Cloud Target Scans - Allow bulk download of files for supported cloud Targets. See Enable Bulk Download for Cloud Target Scans.

Schedule a Scan

The Scan Frequency parameter allows you to select whether to Scan Now or to Schedule a future scan.

Example of Scan Frequency set to run just once on given date at 12:00 pm in the Default timezone.

To schedule a future scan, perform the following steps:

  1. Select Schedule.
  2. Select the start date and time for the scan.
  3. (Optional) Set the scan to repeat by selecting an option under How Often?.
  4. Set a Time Zone when scheduling a future scan. The Time Zone should be set to the Target host's local time.

    Selecting the "Default" Time Zone will set the scan schedule to use the Master Server local time.

Daylight Savings Time

When setting up a scan schedule, Time Zone settings take into account Daylight Savings Time (DST).

  1. On the start day of DST, scan schedules that fall within the skipped hour are moved to run one hour later.

  2. On the end day of DST, scan schedules that fall within the repeated hour will run only during one occurrence of the repeated hour.

Set Notifications

To set notifications for the scan:

  1. Select Notify.
    Set notifications for the scan schedule in Enterprise Recon 2.11.0.
  2. Click + Add Notification.
  3. In the New Notification dialog box:
    • Select Users to send alerts and emails to specific users.
      Send alert or email notifications to specific users when selected events are triggered for a scan schedule.
    • Select Email Address to send email notifications to specific email addresses.
      Send notifications to specific email address when selected events are triggered for a scan schedule.
  4. Under Notification Options, select Alert or Email for the event to send notifications for when the event is triggered. Only the Email options are available if Email Addresses is selected in Step 3.
  5. Click Save.

Refer to the Set Up Notification Policy section for more information.

Advanced Options

Configure the following scan schedule parameters in Advanced Options:

Automatic Pause Scan Window

Set scan to pause during the scheduled periods:

  • Pause From: Enter the start time (12:00 am - 11:59 pm)
  • To: Enter the end time (12:00 am - 11:59 pm)
  • Pause on which days?: Select the day(s) on which the scan is paused. If no days are selected, the Automatic Pause Scan Window will pause the scheduled scan every day between the times entered in the Pause From and To fields.
Set a scan pause schedule for every Wednesday and Friday from 8:00 am to 12:00 pm:

If a Time Zone is set, it will apply to the Automatic Pause Scan Window. If no Time Zone is set, the Time Zone menu will appear under How Often?, allowing the user to set the time zone for the scan.

Limit CPU Priority

Sets the CPU priority for the Node Agent used.

If a Proxy Agent is used, CPU priority will be set for the Proxy Agent on the Proxy Agent host.

The default is Low Priority to keep ER Cloud's resource footprint low.

Limit Search Throughput

Sets the rate at which ER Cloud scans the Target:

  • Limit Data Throughput Rate: Select to set the maximum disk I/O rate at which the scanning engine will read data from the Target host. No limit is set by default.
  • Set memory usage limit: Select to set the maximum amount of memory the scanning engine can use on the Target host. The default memory usage limit is 1024 MB.

Configure the data and memory usage limit for a scan schedule.

Enable Scan Trace Logs

Select Enable Scan Trace to capture detailed scan trace messages when scanning a Target. Refer to the View Scan Trace Logs section.

Capture Context Data

Select to include contextual data when displaying matches in the Match Inspector. Refer to the Perform Remedial Actions section.

Match Detail

For each scan schedule, ER Cloud balances the amount of information stored for each match location in terms of match details, contextual data (refer to Capture Context Data) and metadata.

While the default Match Detail setting is workable in most scenarios, sometimes there may not be sufficient match information captured for ER Cloud to safely perform "Masking" remediation on all matches within a given file. In such scenarios, ER Cloud will not proceed with the "Masking" remediation process.

You have control over the quantity of match information captured for each scan with the Match Detail setting to suit your scanning and remediation needs.

Setting Description
View less match detail per file across a larger quantity of files
  • This results in a more even spread of match data across a large quantity of files.
  • This setting captures less contextual data and metadata for each match location, which leads to less match information viewable in the Match Inspector window.
  • This setting is recommended for first-time scans of a system where a sample-based view of match and context details within every possible location found is required for initial investigation before deciding on the appropriate remediation strategy.
Balances quantity of files and match detail in each file
  • This is the default setting in ER Cloud. This results in more match detail initially captured per file, but rapidly drops off if matches are detected in a large quantity of files.
  • This setting is best catered to typical scenarios where up to 10,000 matches per location are expected.
View the maximal detail per file across a smaller number of files
  • This captures maximal detail per file, but will rapidly reach the resource limit for ER Cloud, resulting in very little match detail in subsequent files if more than a few files with a very high match count are present.
  • If the resource limit is hit before all the locations are scanned, the scan schedule will terminate with the "Scan stopped" status.
  • This setting is most appropriate when millions of matches are expected in a small number of locations.
  • With the View the maximal detail per file across a smaller number of files option, you can maximize the match information stored for each file to successfully perform "Masking" remediation on match locations.

Partial Salesforce Object Scanning

The Partial Salesforce object scanning parameter lets you specify the maximum number of records per Salesforce object to be scanned for each scan schedule.

For more information, refer to Salesforce - Partial Salesforce Object Scanning.

Enable Bulk Download for Cloud Target Scans BETA

The Enable bulk download for cloud target scans (BETA) parameter allows bulk download of files for supported cloud Targets.

Cloud Targets that support this feature are:

  • Box Inc

You can quickly filter, search, and select Targets and Target groups to include in your scans.

In the Select Locations page, when starting a new or modifying a scheduled scan, use the following functionalities:

Select Target or Target Group as scan locations in Enterprise Recon 2.12.0.

Functionality Description
(A) Search filter criteria

From the dropdown, select Targets, Groups, or All (default value) to specify whether to search for Targets, Target Groups, or both.

To update results, click Search.

(B) Name/keyword search bar In the search bar, enter keyword(s) for your search. X button.
  • Click Search to return partial and full match(es) of the entered keyword according to the selected search filter criteria. When you change your keyword, click Search to update the results.
  • Click X to clear the search bar.
(C) Target type filter From the Filter Target Type dropdown, select the Target type(s) to include in the results.
  • Click Apply to immediately update the results based on your updated Target type selection.
  • Click Clear to remove all selections.
(D) Reset button

Click Reset to remove all search keywords and filters.

Resetting clears the search bar, clears the selection for the Target type filter, and reverts the search filter criteria dropdown to the default "All" value.

Probe Targets

You can probe Targets to browse and select specific Target locations to scan when adding a new Target.

Requirements

Make sure that:

  • The version of the Node or Proxy Agent assigned to the Target is 2.0.21 or above. For details on how to install or update the Agent, refer to the Node Agents section.
  • The Target host and the Node or Proxy Agent assigned to the Target are running and connected to the network.

To probe Targets, perform the following steps:

  1. Start a new scan.
  2. In Select Locations, click the arrow next to the Target name to expand and view available locations for that Target.
    Probe Target to expand and view available locations in Enterprise Recon 2.11.0.
  3. Select the Target location(s) to scan.
    Select Target locations to scan in Enterprise Recon 2.11.0.
  4. Click Next to continue configuring your new scan.

BETA This is a beta feature. Ground Labs does not give any warranties, whether express or implied, as to the suitability or usability of its Beta features. If you have any feedback on bugs or usability of the Beta feature, please email your feedback to product@groundlabs.com. Your assistance on this is highly appreciated.