IBM Support

QRadar: Individual assets merging into one asset with many IP addresses, MAC addresses, or hostnames

Troubleshooting


Problem

Assets can be reconciled for seemingly unknown reasons, resulting in one asset with many different MAC addresses, host names, or IP addresses. This behavior is called asset vortexing. It occurs when multiple events arrive that share an attribute, and the asset profiler assumes they belong together. This technical note provides scenarios where administrators might need to implement an allowlist or denylist to address unwanted asset vortexes.

Symptom

A single asset has hundreds or thousands of different IP addresses, MAC addresses, or host names. Users can receive a system notification stating "The system detected asset profiles that exceed the normal size threshold."
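
A simplified model of the merge behavior and symptom described above, added here as an illustration. It is not QRadar's asset profiler code; the sample events, the `reconcile` and `oversized` helpers, and the IP-count threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample events: (ip, mac, hostname). Four distinct hosts report
# the same generic hostname; one host is seen on two IPs with a single MAC
# (a legitimate merge).
EVENTS = [
    ("10.0.0.11", "aa:aa:aa:00:00:01", "localhost"),
    ("10.0.0.12", "aa:aa:aa:00:00:02", "localhost"),
    ("10.0.0.13", "aa:aa:aa:00:00:03", "localhost"),
    ("10.0.0.14", "aa:aa:aa:00:00:04", "localhost"),
    ("10.0.0.20", "aa:aa:aa:00:00:05", "hr-laptop-7"),
    ("10.0.1.20", "aa:aa:aa:00:00:05", "hr-laptop-7"),
]
KINDS = ("ip", "mac", "hostname")

def reconcile(events, denylist=frozenset()):
    """Group events into assets: events sharing any (kind, value) identity
    attribute are merged. Attributes in `denylist` never trigger a merge."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (kind, value) -> index of the first event carrying it
    for i, event in enumerate(events):
        for attr in zip(KINDS, event):
            if attr in denylist:
                continue
            j = first_seen.setdefault(attr, i)
            parent[find(i)] = find(j)  # union the two groups

    assets = defaultdict(lambda: {k: set() for k in KINDS})
    for i, event in enumerate(events):
        for kind, value in zip(KINDS, event):
            assets[find(i)][kind].add(value)
    return list(assets.values())

def oversized(assets, max_ips=3):
    """Assets whose IP count exceeds an assumed, illustrative threshold."""
    return [a for a in assets if len(a["ip"]) > max_ips]
```

With no denylist, the shared hostname pulls the four unrelated hosts into one asset; with `("hostname", "localhost")` denylisted, only the MAC-based merge remains.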


Document Information

Modified date:
21 April 2023

UID

swg21650828