Blacklist notification
38750136 - The Asset Reconciliation Exclusion rules added new asset data to the asset blacklists.
Explanation
A piece of asset data, such as an IP address, hostname, or MAC address, shows behavior that is consistent with asset growth deviations.
An asset blacklist is a collection of asset data that is considered untrustworthy by the asset reconciliation exclusion custom engine rules. The rules monitor asset data for consistency and integrity. If a piece of asset data shows suspicious behavior twice or more within 2 hours, that piece of data is added to the asset blacklists. Subsequent updates that contain blacklisted asset data are not applied to the asset database.
User response
- In the notification description, click Asset Reconciliation Exclusion rules to see the rules that are used to monitor asset data.
- In the notification description, click Asset deviations by log source to view the asset deviation reports that occurred in the last 24 hours.
- If your blacklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.
- If you want the asset data to be added to the asset database, remove the asset data from the blacklist and add it to the corresponding asset whitelist. Adding asset data to the whitelist prevents it from inadvertently reappearing on the blacklist.
- Review Updates to asset data (https://www.ibm.com/docs/en/qsip/7.4?topic=management-updates-asset-data).
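The threshold behavior in the Explanation and the whitelist step in the User response can be modeled in a few lines. This is an added illustration, not QRadar code: the class and method names are hypothetical, the hostname and IP address are constructed sample values, and what counts as a "deviation" is decided by the exclusion rules and is not modeled here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(hours=2)  # page: "within 2 hours" (boundary treated as inclusive: assumption)
THRESHOLD = 2                # page: "twice or more"

class ExclusionModel:
    """Simplified model of the described behaviour; names are hypothetical."""
    def __init__(self):
        self.whitelist, self.blacklist = set(), set()
        self._seen = defaultdict(deque)  # asset value -> recent deviation times
        self.asset_db = []               # updates that were applied

    def record_deviation(self, value, ts):
        """Count one suspicious observation (fed in time order); True if blacklisted."""
        if value in self.whitelist:      # whitelisted data never returns to the blacklist
            return False
        seen = self._seen[value]
        seen.append(ts)
        while ts - seen[0] > WINDOW:     # forget observations older than the window
            seen.popleft()
        if len(seen) >= THRESHOLD:
            self.blacklist.add(value)
        return value in self.blacklist

    def apply_update(self, update):
        """Apply an asset update unless any of its values is blacklisted."""
        if self.blacklist.intersection(update.values()):
            return False                 # update is not applied to the asset database
        self.asset_db.append(update)
        return True

    def move_to_whitelist(self, value):  # operator action from the user response
        self.blacklist.discard(value)
        self._seen.pop(value, None)
        self.whitelist.add(value)

def demo():
    """Constructed timeline for one hostname; returns the outcome of each step."""
    t0, hour = datetime(2024, 1, 1, 9, 0), timedelta(hours=1)
    m, update = ExclusionModel(), {"hostname": "host-a", "ip": "192.0.2.10"}
    return [
        m.record_deviation("host-a", t0),             # first deviation
        m.record_deviation("host-a", t0 + 3 * hour),  # 3 h later: outside the window
        m.record_deviation("host-a", t0 + 4 * hour),  # 1 h after previous: blacklisted
        m.apply_update(update),                       # carries blacklisted hostname
        m.move_to_whitelist("host-a"),                # returns None
        m.record_deviation("host-a", t0 + 5 * hour),  # whitelisted: ignored
        m.apply_update(update),                       # now applied
    ]
```

In the model, two deviations three hours apart do not trigger blacklisting, and an update is rejected when any one of its values is blacklisted, even if the other values are clean.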