With the changes to the asset database in 7.2, I was wondering if it would now be possible to get the asset information of what is actually installed on systems from our Nessus scans into QRadar.
One of the biggest drawbacks to QRadar is getting vulnerability alerts for software we don't actually have installed on the system, due to the vulnerability being associated with an open port, when Nessus (which is feeding QRadar) knows everything that is actually installed on the system from its credentialed scans.
It doesn't need to come from Nessus per se; if there is *any* way to get a basic software inventory from a tool like Altiris into QRadar, I'd love to hear about it.
Alternatively, maybe a reference map of sets with...
Asset ID, port, installed app1, installed app2, installed app3. It would need a better rule function for accessing the reference map though: if Field 1 = (asset ID) and Field 2 = (destination port) and PHP is contained in Field 3, then generate an offense.
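
The lookup described in the post, sketched as an added example that is not part of the original post and is not QRadar rule syntax: a map of sets keyed on asset ID and port, with an alert kept only when the product is in that set. The composite `asset_id|port` key, the CSV columns and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory (hypothetical export format): one row per
# asset, listening port and application found by a credentialed scan.
INVENTORY_CSV = """asset_id,port,application
1001,80,Apache HTTP Server
1001,80,PHP
1002,80,Microsoft IIS
"""

# Constructed vulnerability alerts, each tied to an asset, a destination port
# and the product the vulnerability applies to.
ALERTS = [
    {"asset_id": "1001", "dst_port": "80", "product": "PHP"},
    {"asset_id": "1002", "dst_port": "80", "product": "PHP"},
    {"asset_id": "1003", "dst_port": "80", "product": "PHP"},
]


def build_map_of_sets(csv_text):
    """Return {"asset_id|port": {lower-cased application names}}."""
    ref_map = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = f"{row['asset_id'].strip()}|{row['port'].strip()}"
        ref_map.setdefault(key, set()).add(row["application"].strip().lower())
    return ref_map


def decide(ref_map, alert):
    """Apply the rule: asset ID and port select the set, product must be in it."""
    apps = ref_map.get(f"{alert['asset_id']}|{alert['dst_port']}")
    if apps is None:
        # No inventory for this asset/port: keep the alert rather than hide it.
        return "offense (no inventory)"
    return "offense" if alert["product"].lower() in apps else "suppressed"


def triage(csv_text, alerts):
    """Build the map from the inventory and return one verdict per alert."""
    ref_map = build_map_of_sets(csv_text)
    return [decide(ref_map, a) for a in alerts]


if __name__ == "__main__":
    for alert, verdict in zip(ALERTS, triage(INVENTORY_CSV, ALERTS)):
        print(alert["asset_id"], alert["dst_port"], alert["product"], "->", verdict)
```

An asset or port with no inventory entry keeps its alert, so a missing or stale scan does not silently hide a real exposure.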