Tuning the Asset Profiler retention settings

IBM® QRadar® uses the asset retention settings to manage the size of the asset profiles.

The default retention period for most asset data is 120 days after the last time it was either passively or actively observed in QRadar. User names are retained for 30 days.

Asset data that is added manually by QRadar users does not usually contribute to asset growth deviations. By default, this data is retained forever. For all other types of asset data, the Retain Forever flag is suggested only for static environments.

About this task

You can adjust the retention time based on the type of asset identity data that is in the event. For example, if multiple IP addresses are merging under one asset, you can change the Asset IP Retention period from 120 days to a lower value.

When you change the asset retention period for a specific type of asset data, the new retention period is applied to all asset data in QRadar. Existing asset data that already exceeds the new threshold is removed when the deployment is complete. To ensure that you can always identify named hosts even when the asset data is beyond the retention period, the asset retention cleanup process does not remove the last known host name value for an asset.

Before you determine how many days to retain the asset data, consider the following characteristics of longer retention periods. A longer retention period:
  • provides a better historical view of your assets.
  • creates larger data volumes per asset in the asset database.
  • increases the probability that stale data will contribute to asset growth deviation messages.
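
The retention rules described above can be modeled to preview what a shorter Asset IP Retention period would remove from one asset. This is an added example, not IBM code or a QRadar API; the record layout, field names, and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Defaults stated on this page: 120 days for most asset data, 30 for user names.
DEFAULT_RETENTION_DAYS = {"ip": 120, "hostname": 120, "username": 30}
NOW = datetime(2024, 6, 1)  # fixed "current time" so the result is reproducible


def seen(days_ago):
    return NOW - timedelta(days=days_ago)


# Constructed sample asset (hypothetical record layout, not QRadar's schema).
SAMPLE_ASSET = [
    {"type": "ip", "value": "10.0.0.5", "last_seen": seen(2), "manual": False},
    {"type": "ip", "value": "10.0.0.77", "last_seen": seen(45), "manual": False},
    {"type": "ip", "value": "10.0.0.9", "last_seen": seen(200), "manual": True},
    {"type": "hostname", "value": "old-name", "last_seen": seen(300), "manual": False},
    {"type": "hostname", "value": "ws-042", "last_seen": seen(150), "manual": False},
    {"type": "username", "value": "jdoe", "last_seen": seen(31), "manual": False},
]


def preview_cleanup(asset, retention_days, now):
    """Return the (type, value) pairs a cleanup pass would remove."""
    # The last known host name is kept even when it is past retention.
    hostnames = [e for e in asset if e["type"] == "hostname"]
    last_hostname = max(hostnames, key=lambda e: e["last_seen"], default=None)
    removed = []
    for entry in asset:
        limit = retention_days[entry["type"]]  # None models Retain Forever
        # Manually added data is retained forever by default.
        if entry["manual"] or entry is last_hostname or limit is None:
            continue
        if now - entry["last_seen"] > timedelta(days=limit):
            removed.append((entry["type"], entry["value"]))
    return removed


def compare(ip_days):
    """Preview the cleanup with Asset IP Retention set to ip_days."""
    tuned = dict(DEFAULT_RETENTION_DAYS, ip=ip_days)
    return preview_cleanup(SAMPLE_ASSET, tuned, NOW)


if __name__ == "__main__":
    for days in (120, 30):
        print(days, compare(days))
```

With the sample data, lowering the IP retention from 120 to 30 days additionally removes the address last seen 45 days ago, while the manually added address and the last known host name stay.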

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Asset Profiler Configuration.
  3. Click Asset Profiler Retention Configuration.
  4. Adjust the retention values and click Save.
  5. Deploy the changes into your environment for the updates to take effect.