Creating identity exclusion searches

To exclude certain events from providing asset data to the asset database, you can create an IBM® QRadar® identity exclusion search.

About this task

The filters that you create for the search must match events that you want to exclude, not the events that you want to keep.

You might find it helpful to run the search against events that are already in the system. However, when you save the search, you must select Real Time (streaming) in the Timespan options. If you do not choose this setting, the search does not match any results when it runs against the live stream of events that are coming into QRadar.

When you update the saved identity exclusion search without changing the name, the identity exclusion list that is used by the Asset Profiler is updated. For example, you might edit the search to add more filtering of the asset data that you want to exclude. The new values are included and the asset exclusion starts immediately after the search is saved.

Procedure

  1. Create a search that matches the events that must not provide asset data to the asset database.
    1. On the Log Activity tab, click Search > New Search.
    2. Create the search by adding search criteria and filters to match the events that you want to exclude from asset updates.
    3. In the Time Range box, select Real Time (streaming) and then click Filter to run the search.
    4. On the search results screen, click Save Criteria and provide the information for the saved search.
      Note: You can assign the saved search to a search group. An Identity Exclusion search group exists in the Authentication, Identity and User Activity folder.
    5. Click OK to save the search.
  2. Identify the search that you created as an identity exclusion search.
    1. On the navigation menu, click Admin.
    2. In the System Configuration section, click Asset Profiler Configuration.
    3. Click Manage Identity Exclusion at the bottom of the screen.
    4. Select the identity exclusion search that you created from the list of searches on the left and click the add icon (>).
      Tip: If you can't find the search, type the first few letters into the filter at the top of the list.
    5. Click Save.
  3. On the Admin tab, click Deploy changes for the updates to take effect.