Tuning the number of MAC addresses allowed for a single asset

New in 7.4.2: IBM QRadar monitors the number of MAC addresses that a single asset accumulates over time.

By default, QRadar generates a system message when a single asset accumulates more than ten MAC addresses. If you expect assets to accumulate more than ten MAC addresses, you can tune the Number of MAC Addresses Allowed for a Single Asset value to avoid future system messages.

About this task

Setting the limit for the number of MAC addresses too high prevents QRadar from detecting asset growth deviations before they have a negative impact on the rest of the deployment. Setting the limit too low increases the number of asset growth deviations that are reported.

You can use the following guideline when you tune the Number of MAC Addresses Allowed for a Single Asset setting for the first time.

Number of MAC addresses that are allowed for a single asset = (<retention time (days)> x <estimated MAC addresses per day>) + <buffer number of MAC addresses>

Where
  • <estimated MAC addresses per day> is the number of MAC addresses that a single asset might accumulate in one day under normal conditions
  • <retention time (days)> is the preferred amount of time to retain the asset MAC addresses
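
The following is an added example, not IBM code, that applies the guideline above. It estimates MAC addresses per day from a constructed observation list, lists the assets projected to pass the default of ten, and computes a limit. The record layout, the 30-day retention, the buffer of 5, and the use of the busiest asset's rate as the "normal" estimate are all assumptions.

```python
from collections import defaultdict
from datetime import date
from math import ceil

DEFAULT_LIMIT = 10  # page: message fires above ten MAC addresses

# Constructed sample (asset, MAC, day observed); the layout is hypothetical,
# not a QRadar export schema. MACs use the RFC 7042 documentation range.
OBSERVATIONS = [
    ("laptop-01",   "00:00:5e:00:53:01", date(2024, 1, 1)),
    ("laptop-01",   "00:00:5e:00:53:02", date(2024, 1, 10)),
    ("dock-shared", "00:00:5e:00:53:11", date(2024, 1, 1)),
    ("dock-shared", "00:00:5e:00:53:12", date(2024, 1, 3)),
    ("dock-shared", "00:00:5E:00:53:11", date(2024, 1, 4)),  # repeat sighting
    ("dock-shared", "00:00:5e:00:53:13", date(2024, 1, 5)),
    ("dock-shared", "00:00:5e:00:53:14", date(2024, 1, 7)),
    ("dock-shared", "00:00:5e:00:53:15", date(2024, 1, 9)),
]

def asset_rates(observations):
    """Distinct MACs per asset divided by the observed window in days."""
    days = [day for _, _, day in observations]
    window = (max(days) - min(days)).days + 1
    macs = defaultdict(set)
    for asset, mac, _ in observations:
        macs[asset].add(mac.lower())  # count each MAC once, ignoring case
    return {asset: len(seen) / window for asset, seen in macs.items()}

def mac_limit(retention_days, est_per_day, buffer_macs):
    """Guideline from the page: (retention x estimated per day) + buffer."""
    return ceil(retention_days * est_per_day) + buffer_macs

def over_default(rates, retention_days):
    """Assets projected to pass the default limit within the retention time."""
    return sorted(a for a, r in rates.items() if r * retention_days > DEFAULT_LIMIT)

if __name__ == "__main__":
    rates = asset_rates(OBSERVATIONS)
    busiest = max(rates.values())  # assumes the busiest asset is still normal
    print("per-asset rates:", rates)
    print("over default within 30 days:", over_default(rates, 30))
    print("suggested limit:", mac_limit(30, busiest, buffer_macs=5))
```

An asset whose rate is far above the rest is better investigated as a possible asset growth deviation than used as the baseline for the estimate.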

Procedure

  1. On the navigation menu, click Admin.
  2. In the Assets section, click Asset Profiler Configuration.
  3. Click Asset Profiler Configuration.
  4. Adjust the Number of MAC Addresses Allowed for a Single Asset value and click Save.
  5. Deploy the changes into your environment for the updates to take effect.