Blocklist notification
38750136 - The Asset Reconciliation Exclusion rules added new asset data to the asset blocklists.
Explanation
A piece of asset data, such as an IP address, hostname, or MAC address, shows behavior that is consistent with asset growth deviations.
An asset blocklist is a collection of asset data that is considered untrustworthy by the asset reconciliation exclusion custom engine rules. The rules monitor asset data for consistency and integrity. If a piece of asset data shows suspicious behavior twice or more within 2 hours, that piece of data is added to the asset blocklists. Subsequent updates that contain blocklisted asset data are not applied to the asset database.
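To make the mechanism concrete, here is an added worked model (not QRadar's own code, and not part of this page) of the rule described above: each deviation observed for a piece of asset data is timestamped, a second deviation within a 2-hour window puts that datum on the blocklist, later asset updates that carry a blocklisted datum are rejected instead of being written to the asset database, and moving a datum to the allowlist both removes it from the blocklist and keeps it from being re-added. The class and function names, the sample deviation events, and the in-memory "asset database" are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated in the notification text: two or more deviations within 2 hours.
WINDOW = timedelta(hours=2)
THRESHOLD = 2


class AssetReconciliationModel:
    """Hypothetical model of blocklist/allowlist gating; not QRadar's implementation."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.deviations = defaultdict(deque)  # asset datum -> deviation timestamps in window
        self.blocklist = set()
        self.allowlist = set()
        self.asset_db = {}  # asset id -> set of asset data values (constructed stand-in)

    def record_deviation(self, datum, when):
        """Return True if this deviation pushed the datum onto the blocklist."""
        if datum in self.allowlist:
            return False  # allowlisted data never reappears on the blocklist
        seen = self.deviations[datum]
        seen.append(when)
        # Drop deviations older than the window; exactly 2h apart still counts as "within".
        while seen and when - seen[0] > self.window:
            seen.popleft()
        if len(seen) >= self.threshold:
            self.blocklist.add(datum)
            return True
        return False

    def apply_update(self, asset_id, data):
        """Apply an asset update unless it carries blocklisted data; return (applied, blocked)."""
        blocked = {d for d in data if d in self.blocklist and d not in self.allowlist}
        if blocked:
            return False, blocked
        self.asset_db.setdefault(asset_id, set()).update(data)
        return True, set()

    def allow(self, datum):
        """Operator action from 'User response': move a datum from the blocklist to the allowlist."""
        self.blocklist.discard(datum)
        self.allowlist.add(datum)
        self.deviations.pop(datum, None)


def run_demo():
    """Replay constructed deviation events and updates; returns observations for checking."""
    m = AssetReconciliationModel()
    t = lambda h, mi: datetime(2024, 1, 1, h, mi)  # constructed timestamps
    events = [  # (datum, time) - constructed sample deviations, not real telemetry
        ("10.0.0.5", t(9, 0)),
        ("aa:bb:cc:dd:ee:ff", t(9, 5)),
        ("10.0.0.5", t(10, 30)),           # second hit 1.5h later -> blocklisted
        ("aa:bb:cc:dd:ee:ff", t(12, 0)),   # second hit 2h55m later -> outside window
    ]
    flagged = [d for d, when in events if m.record_deviation(d, when)]
    out = {"flagged": flagged, "blocklist_before": set(m.blocklist)}

    applied, blocked = m.apply_update("asset-1", {"10.0.0.5", "host-a"})
    out["update1_applied"], out["update1_blocked"] = applied, blocked
    applied, _ = m.apply_update("asset-2", {"aa:bb:cc:dd:ee:ff", "host-b"})
    out["update2_applied"] = applied

    m.allow("10.0.0.5")  # operator decides the IP is legitimate
    applied, _ = m.apply_update("asset-1", {"10.0.0.5", "host-a"})
    out["update1_after_allow"] = applied
    out["re_flagged"] = m.record_deviation("10.0.0.5", t(13, 0))
    out["blocklist_after"] = set(m.blocklist)
    out["asset_db"] = m.asset_db
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The window check is the detail worth tuning in a real deployment: a datum that deviates only every few hours is never blocklisted under a 2-hour window, while a noisy but legitimate datum (such as a DHCP address that legitimately moves between hosts) can be blocklisted quickly, which is why the user response above points at tuning the exclusion rules and at the allowlist.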
User response
- In the notification description, click Asset Reconciliation Exclusion rules to see the rules that are used to monitor asset data.
- In the notification description, click Asset deviations by log source to view the asset deviation reports that occurred in the last 24 hours.
- If your blocklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.
- If you want the asset data to be added to the asset database, remove the asset data from the blocklist and add it to the corresponding asset allowlist. Adding asset data to the allowlist prevents it from inadvertently reappearing on the blocklist.
- Review Updates to asset data (https://www.ibm.com/docs/en/SS42VS_latest/com.ibm.qradar.doc/c_qradar_ug_asset_reconciliation.html).