Recommended System Settings for Axonius Instances
As the Axonius platform is continuously enhanced with new features and functions, I often inform customers and recommend certain action be taken when the enhancement is made available. This community post outlines the various global settings that should be configured for each instance, especially as new settings become available in future releases.
The purpose of this post is to keep an ongoing list of the best practices and recommendations for system settings of new and existing Axonius instances. This post will be updated regularly, as new global settings are introduced to the platform in the future.
The following settings can be found in the gear icon in the top right of the interface, otherwise known as the System Settings. These settings should be configured according to the company's corporate security policies and preferences. The settings discussed in this post should be considered as a minimum approach to your overall configuration decisions.
(Note: Most of the settings discussed below must be performed by an administrative user of the platform.)
- Lifecycle Settings
- Global Settings
- GUI Settings
- Identity Providers Settings
- Manage Users/Roles
Discovery Settings: are used to set the time and recurrence for each adapter to run a fetch cycle, which retrieves asset data from connected sources. It is recommended to run asset discovery as often as your internal reporting timelines. This could be multiple times per day or week. Though keep in mind, historical snapshots (mentioned below) are only saved for the first discovery cycle on each calendar day.
Constantly Run Enforcement Sets: It is recommended to keep this option disabled.
- If enabled, Axonius will continuously run any automatic Enforcement Sets.
- If disabled, Axonius will run the automatic Enforcement Sets at the end of each discovery cycle.
Historical Snapshots: It is recommended to enable this option for Every Discovery Cycle.
- Scheduling Settings: If switched on, Axonius saves historical collected data, which can be used in the dashboard and in the Devices and Users pages to show insights on historical data.
- Retention Settings: enables historical data retention. It is recommended to enable this setting to retain data for at least 90 days. However, the actual duration may depend on the company's corporate security policies for data retention and may be limited by the amount of disk space available on your master node.
Note: Historical Snapshots directly impact your ability to view trending and historical data in your dashboards. For additional advice and information about Historical Settings, please refer to this Community Post: Configuring Historical Data and Snapshot Settings
Password Policy Settings: Should be configured and aligned with the company's corporate security policies for password complexity, password reset and expiration, and Brute Force Protection guidelines. The functionality to connect to a password manager, such as CyberArk, AWS Secrets Manager, Beyond Trust, etc., is also available.
Notification Settings: It is recommended to set the notifications email address(es) and enable notifications for low disk space.
- The Notifications Email Address(es) are used for alerts when an adapter connection fails or experiences an issue, as well as when any of the nodes in the instance meet the threshold configured for low disk space in GB or percentage of disk space consumption.
Correlation Settings: Speak to an Axonius TAM or Customer Support Agent before adjusting any of the settings in this section. These options were created for specific use cases and may adversely alter the correlation methodology in your instance, against perceived expectations.
- Remote Support: allows Axonius to connect to the instance for purposes of providing continuous updates, maintenance, and troubleshooting. It is recommended to keep this enabled to have the best customer experience.
- Anonymized Analytics: allows Axonius to receive analytical data, such as errors and exceptions, usage alerts, and more. It is recommended to keep this enabled to have the best customer experience.
Timeout Settings: It is recommended to enable this option.
- Session Idle Timeout should be set according to the company's corporate security policies for session timeouts. It is typical to have 15 minute session timeout.
Cache Settings: It is recommended to enable this option.
- If enabled, each executed query will be cached for the time specified, and provide faster page rendering for previously executed queries. This setting affects all users of the platform and is helpful when users run the same queries.
- If disabled, query results will not be cached.
It is recommended to use an identity provider to implement stronger access controls for authentication and authorization using Single-Sign-On (SSO) functionality.
Axonius supports the following identity providers:
- SAML Based
Role Assignment Rules: Once an identity provider has been configured, Role Assignment Settings should be configured to automatically assign users to certain permissions (roles) within Axonius. This approach is optimal when there are many users who will be accessing the Axonius instance. For more information about Role Assignment Rules, please refer to this page in our Documentation: https://docs.axonius.com/docs/identity-providers-settings#role-assignment-settings1
Make sure that users added to the platform have appropriate business justification for needing such access, and that their permissions follow the user controls defined in the company's corporate security policies.
Make sure the roles created and used for the instance follow role-based access controls (RBAC) defined in the company's corporate security policies.
Axonius offers multiple solutions that may span across different business units or departments within an organization. Make sure the various team members have the appropriate access. For example:
- Only members of the Security Team should be permitted with System and User Management (administrative) functionalities.
- Cloud compliance team members may only need access to Cloud Asset Compliance and Enforcement Center modules, but not the Device and User Assets pages.
- Report Analysts may need access to all of the products and modules within Axonius, but may not need more than Viewer access. They could also simply be permitted to access only the Reports page.
Note on Deleting Roles: If a custom Role needs to be deleted, no users can be assigned to that particular role. They will need to be assigned to a different role before it can be deleted. Some system-generated roles cannot be deleted within Axonius, such as Admin and Viewer.
Note on Deleting Users: If a user needs to be removed from the platform, make sure any saved queries they've created privately are made public. (Private saved queries are only accessible by the user who created them. Once that user is deleted, those private saved queries cannot be accessed)
I hope you found these recommendations to be useful. Feel free to comment below with any thoughts or questions.
Thank you for reading!