Deleting blacklist entries

After you fixed the cause of the blacklist entries, you must clean up the remnant entries. You can remove the individual blacklist entries, however it is better to purge all blacklist entries and allow the blacklist values that are unrelated to the asset growth deviation to regenerate.

Procedure

  1. To purge a blacklist by using the IBM QRadar Console:
    1. On the navigation menu ( Navigation menu icon ), click Admin.
    2. In the System Configuration section, click Reference Set Management.
    3. Select a reference set and then click Delete.
    4. Use the quick search text box to search for the reference sets that you want to delete, and then click Delete Listed.
  2. To purge a blacklist by using the QRadar Console command-line interface:
    1. Change directory to /opt/qradar/bin.
    2. Run the following command. 
      ./ReferenceDataUtil.sh purge "Reference Collection Name"
      where Reference Collection Name is one of the following lists:
      • Asset Reconciliation NetBIOS Blacklist
      • Asset Reconciliation DNS Blacklist
      • Asset Reconciliation IPv4 Blacklist
      • Asset Reconciliation MAC Blacklist

Results

Purging a blacklist removes all blacklist entries, including those entries that were added manually. Blacklist entries that were manually added must be added again.