Asset blocklists and allowlists

IBM® QRadar® uses a group of asset reconciliation rules to determine if asset data is trustworthy. When asset data is questionable, QRadar uses asset blocklists and alowlists to determine whether to update the asset profiles with the asset data.

An asset blocklist is a collection of data that QRadar considers untrustworthy. Data in the asset blocklist is likely to contribute to asset growth deviations and QRadar prevents the data from being added to the asset database.

An asset allowlist is a collection of asset data that overrides the asset reconciliation engine logic about which data is added to an asset blocklist. When the system identifies a blocklist match, it checks the allowlist to see whether the value exists. If the asset update matches data that is on the allowlist, the change is reconciled and the asset is updated. Allowlisted asset data is applied globally for all domains.

The asset blocklists and allowlists are reference sets. You can view and modify the asset blocklist and allowlist data using the Reference Set Management tool in the QRadar Console. For more information about working with reference sets, see Reference sets overview.

Alternatively, you can use the command line interface (CLI) or the RestFUL API endpoint to update the content of the asset blocklists and allowlists.