7.0 KiB
Asset Management
Asset management consolidates domains, IP addresses, ports, and services discovered through manual entry, FOFA, HTTP APIs, and Agent tasks into a maintainable baseline. It answers three questions: what assets exist, which assets have been assessed, and where risk is concentrated.
This feature is designed for security testing and attack-surface governance. It is not a replacement for a full enterprise CMDB. Add and scan only systems you own or are explicitly authorized to test.
Overview
Asset management provides three main views:
- Overview: asset totals, IPs, domains, ports, recent changes, scan coverage, and protocol distribution.
- Asset inventory: identity, service details, source, tags, project ownership, scan history, and risk state.
- Reconnaissance: search FOFA and save confirmed results individually or in batches.
Assets can launch single-target analysis or batch scans. After an Agent records findings and completes the scan callback, the inventory displays related vulnerability counts, risk level, and latest scan time.
Asset fields
An asset can include:
- host, IP address, domain, port, and protocol;
- page title and service or product fingerprint;
- country/region, state/province, and city;
- source, source query, and tags;
- active or inactive status;
- project and owner;
- first seen, last seen, created, and updated timestamps;
- latest scan time and linked conversation, task queue, and subtask;
- related vulnerability count and current risk level.
At least one of host, ip, or domain is required.
Build an asset baseline
Add an asset manually
Go to Asset Management → Asset Inventory and select Add Asset. Supported target forms include:
https://example.com:8443
example.com
192.0.2.10:443
[2001:db8::1]:443
The system attempts to identify the URL, domain, IP address, port, and protocol. You can then add a project, tags, title, service fingerprint, location, and status.
Import from FOFA
- Configure the FOFA email and API key in settings or the configuration file. You can also use the
FOFA_EMAILandFOFA_API_KEYenvironment variables. - Open Asset Management → Reconnaissance.
- Enter or generate a FOFA query and confirm its scope.
- Run the query, select results whose ownership has been verified, and choose Save Selected.
- Review the created, updated, and skipped counts.
Internet search results are not automatically your assets. Narrow the query with organization domains, certificates, network ranges, or product fingerprints, then verify authorization before saving results.
Normalization and deduplication
Different sources may describe the same target in different forms. The system:
- trims surrounding whitespace;
- normalizes IP addresses, domains, and protocols to lowercase;
- extracts hostname, protocol, and port from URL-like hosts;
- fills default HTTP/HTTPS ports when omitted;
- converts internationalized domains to ASCII/Punycode;
- removes empty or duplicate tags;
- supplies default source and status values.
Assets use “target + port + protocol” as the service-level deduplication key. The preferred target is the domain, followed by the IP address, then the host. As a result, 80/http and 443/https on the same host remain separate assets.
When an existing asset is imported again, non-empty incoming fields and the last-seen time are updated. Existing fields omitted by the new record and the original first-seen time are preserved.
Search and filters
The Web UI searches hosts, IP addresses, domains, titles, services, and tags, with status and project filters. The backend and Agent tools additionally support:
- source, tags, port, and protocol;
- scanned and never-scanned states;
- first-seen, last-seen, and latest-scan time ranges;
- allowlisted sort fields such as latest scan time;
- paginated queries.
Sorting by latest scan time in ascending order places never-scanned assets first, making coverage gaps visible.
Scanning and risk updates
Scan one asset
Select Scan from the asset inventory. The system:
- creates a conversation containing the target and asset ID;
- links the conversation to the asset;
- prompts the Agent to inspect exposed services and authorized risks;
- stores confirmed findings with
record_vulnerability; - updates scan state with
complete_asset_scan.
Scan prompts support {{asset_id}}, {{target}}, {{host}}, {{ip}}, {{domain}}, and {{port}}. Adjust scope, ports, test intensity, and validation methods to match the authorization before starting.
Batch scans
Select multiple assets and choose Create Scan Task. The system creates one subtask per asset and links each asset to its queue and subtask.
The current defaults use manual scheduling, one concurrent task, and Eino single-Agent mode to limit load on targets and the local host. You must still confirm the test window, request rate, permitted validation methods, and approval requirements.
Risk calculation
Asset risk is calculated dynamically from open vulnerabilities in the latest linked scan:
critical,high,medium,low, orinfo: an open finding at that level exists;normal: the asset was scanned and has no open risk;unassessed: no scan has completed.
Resolved, false-positive, and ignored findings remain in historical counts but no longer increase the current risk level.
Agent tools
Six built-in tools expose asset operations to Agents:
create_asset: create or deduplicate and update an asset;get_asset: retrieve full details by ID;query_assets: filter, sort, and paginate assets;update_asset: partially update an asset;delete_asset: delete an asset;complete_asset_scan: record scan completion.
query_assets returns 20 summaries by default and allows at most 50 per page. Use get_asset for full details so large inventories do not consume the model context.
Access control
Asset permissions are separated into:
asset:read: view assets and statistics;asset:write: create, import, edit, and update scan state;asset:delete: delete assets.
Server-side authorization considers the asset owner, explicit resource assignments, the linked project, and permission scope (all, assigned, or own). When a conversation is linked to a project, Agent asset queries are restricted to that project and tool arguments cannot widen the boundary.
Recommended workflow
- Define an explicitly authorized set of domains, IP addresses, or network ranges.
- Add a few critical targets manually and verify normalization and deduplication.
- Use tags to separate production, testing, critical-business, and internet-facing scopes.
- Configure FOFA, begin with narrow queries, and verify ownership.
- Test scanning and vulnerability callbacks on one low-risk target.
- Use never-scanned and over-30-day filters to identify coverage gaps.
- After validating the workflow, expand gradually with small batch tasks.
A small, verified baseline is usually more valuable than a large inventory with unclear ownership and inconsistent sources.