Servers and building blocks

IBM® QRadar® automatically discovers and classifies servers in your network, providing a faster initial deployment and easier tuning when network changes occur.

To ensure that the appropriate rules are applied to each server type, you can add individual devices or entire address ranges of devices. Server types that cannot be identified automatically by a distinctive protocol can be entered manually into their respective Host Definition building block. For example, adding the following server types to building blocks reduces the need for further false positive tuning:
  • Add network management servers to the BB:HostDefinition: Network Management Servers building block.
  • Add proxy servers to the BB:HostDefinition: Proxy Servers building block.
  • Add virus and Windows update servers to the BB:HostDefinition: Virus Definition and Other Update Servers building block.
  • Add vulnerability assessment (VA) scanners to the BB:HostDefinition: VA Scanner Source IP building block.

The Server Discovery function uses the asset profile database to discover several types of servers on your network. The Server Discovery function lists automatically discovered servers and you can select which servers you want to include in building blocks.

For more information about discovering servers, see Server discovery.

Using building blocks, you can reuse specific rule tests in other rules. You can reduce the number of false positives by using building blocks to tune QRadar, and you can then enable additional correlation rules with confidence.
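The following is an added example, not QRadar code, that illustrates both points above: how a host-definition building block works as a membership test over individual addresses and CIDR ranges, and how a correlation rule reuses that test to tune out a known source. The building-block names mirror the ones in this topic, but the matching logic, the sample events and the reconnaissance rule are constructed here for illustration and do not reproduce QRadar's internal rule engine.

```python
"""Illustration of host-definition building blocks as reusable rule tests.

Added example, not QRadar code. The building-block names follow the ones in
the topic; the address lists, events and rule below are constructed sample
data so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Optional

# Host-definition building blocks: each maps a building-block name to the
# individual hosts or address ranges an administrator has entered.
# (Constructed sample data.)
HOST_DEFINITIONS: Dict[str, List[str]] = {
    "BB:HostDefinition: Network Management Servers": ["10.0.1.10"],
    "BB:HostDefinition: Proxy Servers": ["10.0.2.0/24"],
    "BB:HostDefinition: Virus Definition and Other Update Servers": ["10.0.3.5", "10.0.3.6"],
    "BB:HostDefinition: VA Scanner Source IP": ["10.0.9.0/28"],
}

VA_SCANNER_BB = "BB:HostDefinition: VA Scanner Source IP"


def _compile(entries: List[str]) -> List[ipaddress.IPv4Network]:
    # A single address becomes a /32 network, so one membership test
    # covers both individual devices and whole address ranges.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


COMPILED = {name: _compile(entries) for name, entries in HOST_DEFINITIONS.items()}


def matches_building_block(bb_name: str, ip: str) -> bool:
    """The reusable rule test: is `ip` covered by the named host definition?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPILED[bb_name])


def classify_host(ip: str) -> List[str]:
    """Every host-definition building block that the address falls into."""
    return [name for name in COMPILED if matches_building_block(name, ip)]


# Constructed sample events: a reconnaissance rule would fire on any source
# that touches many distinct destination ports.
SAMPLE_EVENTS = [
    {"src": "10.0.9.4", "dst_ports": list(range(1, 201))},      # VA scanner sweep
    {"src": "192.168.50.7", "dst_ports": list(range(1, 201))},  # unknown host sweep
    {"src": "10.0.2.15", "dst_ports": [80, 443]},               # proxy, normal traffic
]


def recon_offenses(events, threshold: int = 100,
                   exclude_bb: Optional[str] = VA_SCANNER_BB) -> List[str]:
    """Correlation rule: unique destination ports >= threshold
    AND NOT (source address matches the excluded building block).

    Pass exclude_bb=None to see the untuned rule fire on the scanner too.
    """
    offenses = []
    for ev in events:
        if len(set(ev["dst_ports"])) < threshold:
            continue
        if exclude_bb is not None and matches_building_block(exclude_bb, ev["src"]):
            continue  # tuned out: the source is a known VA scanner
        offenses.append(ev["src"])
    return offenses


if __name__ == "__main__":
    print("untuned:", recon_offenses(SAMPLE_EVENTS, exclude_bb=None))
    print("tuned:  ", recon_offenses(SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS:
        print(ev["src"], "->", classify_host(ev["src"]) or ["(unclassified)"])
```

Without the exclusion the rule reports both port sweeps; with the VA scanner building block referenced as a NOT test, only the unknown host 192.168.50.7 remains an offense, which is the false-positive reduction the text describes. Because the building block is a separate test, the same exclusion can be referenced from other rules without re-entering the scanner addresses.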