Server discovery
IBM® QRadar® automatically discovers and classifies servers in your network, which makes the initial deployment faster and tuning easier when network changes occur.
Server discovery uses the asset profile database to discover several types of servers in your network. You can select the servers that you want to include in your building blocks.
For more information about server discovery, see the IBM QRadar Administration Guide.
Note: To discover servers, QRadar must receive vulnerability assessment (VA) scanner data or flow traffic. Server discovery uses this data to configure port mappings in the asset profile. For more information, see the Vulnerability Assessment Configuration Guide.
QRadar uses building blocks to tune the system and allow more correlation rules to be enabled, reducing the number of false positives that are detected by QRadar, and helping you to identify business-critical assets.
Administrators must determine what servers to discover.
- Authorized servers: You can add authorized infrastructure servers to a selected building block. QRadar monitors these servers while it suppresses false positives that are specific to the server category.
- Multiple building blocks: Servers might be in multiple categories. You must enable QRadar to place these servers in multiple building blocks. For example, Active Directory domain controllers might be identified as both Microsoft Windows and DNS servers.
- Identify authorized servers: After you review the server discovery list, you might not be familiar with all the servers in the list. These servers might be in another business unit or operate within a testing or staging environment. If you identify these servers as authorized, then add them to the building block.
- Categorize servers: You can enable QRadar to categorize unauthorized servers, or servers that run unauthorized services, into a related building block. If categorizing servers generates an excessive number of offenses, then use server discovery to place the servers in a building block instead.