IBM Support

Individual assets merging into one asset with many IP addresses, MAC addresses, or hostnames

Troubleshooting


Problem

In QRadar SIEM, there are times when assets merge or reconcile for seemingly unknown reasons. When this issue occurs, you have one asset with many MAC addresses, host names, or IP addresses. Asset vortex is the term QRadar support uses for a single asset that incorrectly includes hundreds or thousands of any one of those attributes. This technical note describes scenarios where administrators might need to implement an allowlist or denylist to stop asset vortexes.

Symptom

Single asset has hundreds or thousands of IP addresses, MAC addresses, or host names.

Cause

There are multiple reasons why an asset appears to merge aggressively.

Central Syslog server acting as an event proxy
In some deployments, logs are forwarded through a central syslog server. A bug in the event forwarding process replaces or adds the syslog server's own identity information on every identity event that passes through it. For instance, a DHCP ACK event containing IP '10.10.10.10' and MAC 'ab:cd:ed:12:34:56' is forwarded to the central syslog server, which appends its own host name. The result is a modified DHCP ACK event containing IP '10.10.10.10', MAC 'ab:cd:ed:12:34:56', and host name 'central-syslog.company.com' being sent to QRadar. If every identity event is forwarded through that syslog server, every unique asset is tagged with the same host name, and QRadar uses that host name to reconcile those assets together, resulting in a 'vortex' asset.

Virtual machine images
Virtual machine images can cause the vortex issue, depending on how they are set up. VM guests can have DNS/NetBIOS host names that stay the same even when the VM image is loaded on a different host. Compounding the issue, configuration can cause ALL VM guests on a VM host to share a common MAC address or IP. Picture two large ESX VM hosts that have 15 - 20 live guests each. Because the guests on each host can share a MAC address, identity traffic from these guests results in two large assets, each with 15 to 20 host names. So far, one could perhaps argue that QRadar is reporting asset data consistent with the described configuration, but what happens when one of the VM guests is moved from ESX host 1 to ESX host 2? Eventually, the asset model sees an identity event that pairs a host name previously seen on ESX host 1 with the MAC address of ESX host 2. To QRadar, these are the same asset, so it merges the two assets together, which results in one asset with 30 to 40 host names. It is easy to see how virtual machine assets can quickly culminate in one large asset, as it is common practice to move VM images around multiple ESX hosts.

Preinstall environments
An imaging tool that speeds up hardware installation and setup by using static preinstall environment images with fixed configurations (such as host name and IP) can be another cause of a merged asset problem. The intention is for installed hardware to eventually acquire its own unique host name and IP. However, during the preinstall phase, assets temporarily use a host name or IP that is shared by every other asset installed from the same core image. If those assets emit identity events during that phase, they can be reconciled together on the basis of the identity information they temporarily share.

VPN with shared MAC address
In this instance, identity events are masked by the VPN server. For instance, a VPN appliance could relay DHCP requests to a central DHCP server, with the VPN appliance's own MAC address used as the requesting MAC address. The DHCP events are forwarded to QRadar. Because these events share a common MAC address but carry many different IP addresses or host names, they cause assets to merge.

Diagnosing The Problem

When you review the Assets tab, you might notice that certain assets have multiple IP addresses, MAC addresses, or host names. If you see an unusually large number of entries assigned to a single asset, you might have an asset merge problem to investigate.
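The following is an added example, not QRadar code and not part of the original technote. It is a deliberately simplified model of identity-based reconciliation (any shared IP, MAC, or host name joins events into one asset) used to reproduce three of the causes above, the central syslog host name, the VPN shared MAC, and the migrated VM guest, and then to show both the diagnostic check (an asset holding an unusual number of values of one kind) and the effect of excluding the shared attribute from identity processing. The host names, MAC addresses, IP ranges, and the threshold of 10 are constructed for the demonstration; QRadar's real merge logic and its exclusion mechanism are not reproduced here.

```python
"""Added example (not QRadar code): a simplified model of identity-based asset
reconciliation that reproduces the 'vortex' merges described in the technote
and shows the effect of excluding the shared attribute from identity processing."""
from collections import Counter

KINDS = ("ip", "mac", "hostname")


def reconcile(events, excluded=frozenset()):
    """Fold identity events into assets. An event whose IP, MAC, or host name
    already belongs to an asset joins that asset; an event that matches several
    assets merges them all. 'excluded' holds (kind, value) pairs that are
    ignored for matching, the analogue of an identity-processing denylist.
    Assumption: this stand-in is far simpler than QRadar's real algorithm."""
    assets = []                       # each asset is a set of (kind, value)
    for ev in events:
        attrs = {(k, ev[k]) for k in KINDS if ev.get(k)} - set(excluded)
        hits = [a for a in assets if a & attrs]
        keep = [a for a in assets if not any(a is h for h in hits)]
        assets = keep + [set().union(attrs, *hits)]
    return assets


def find_vortexes(assets, threshold=10):
    """Return per-kind attribute counts for assets holding at least
    'threshold' values of any one kind (the technote's symptom, scaled down
    from hundreds or thousands to a constructed threshold of 10)."""
    flagged = []
    for a in assets:
        counts = Counter(kind for kind, _ in a)
        if max(counts.values(), default=0) >= threshold:
            flagged.append(dict(counts))
    return flagged


# Constructed sample data (hypothetical addresses and names).
# Scenario 1: 25 distinct DHCP clients whose ACKs are relayed through a central
# syslog server that stamps its own host name onto every event.
SYSLOG_HOST = "central-syslog.company.com"
DHCP_VIA_SYSLOG = [
    {"ip": f"10.10.10.{i}", "mac": f"ab:cd:ed:12:34:{i:02x}", "hostname": SYSLOG_HOST}
    for i in range(1, 26)
]

# Scenario 2: a VPN appliance relays DHCP for 20 remote users using its own MAC.
VPN_MAC = "00:11:22:33:44:55"
DHCP_VIA_VPN = [
    {"ip": f"172.16.5.{i}", "mac": VPN_MAC, "hostname": f"laptop-{i:02d}.company.com"}
    for i in range(1, 21)
]

# Scenario 3: two ESX hosts whose guests each report the host's MAC; then guest
# "vm-03" is migrated from host 1 to host 2 and reports host 2's MAC.
ESX1_MAC, ESX2_MAC = "00:50:56:00:00:01", "00:50:56:00:00:02"
VM_EVENTS = (
    [{"mac": ESX1_MAC, "hostname": f"vm-{i:02d}"} for i in range(1, 16)]
    + [{"mac": ESX2_MAC, "hostname": f"vm-{i:02d}"} for i in range(16, 31)]
    + [{"mac": ESX2_MAC, "hostname": "vm-03"}]          # the migrated guest
)


def vortex_demo():
    """Run each scenario with and without the exclusion; return asset counts."""
    return {
        "syslog_raw": len(reconcile(DHCP_VIA_SYSLOG)),
        "syslog_excluded": len(reconcile(DHCP_VIA_SYSLOG, {("hostname", SYSLOG_HOST)})),
        "vpn_raw": len(reconcile(DHCP_VIA_VPN)),
        "vpn_excluded": len(reconcile(DHCP_VIA_VPN, {("mac", VPN_MAC)})),
        "vm_before_move": len(reconcile(VM_EVENTS[:-1])),
        "vm_after_move": len(reconcile(VM_EVENTS)),
    }


if __name__ == "__main__":
    print(vortex_demo())
    print(find_vortexes(reconcile(DHCP_VIA_SYSLOG)))
```

Without the exclusion, every scenario collapses into a single asset, and the VM case shows the two 15-guest assets joining the moment one migrated guest pairs a host-1 name with the host-2 MAC. Excluding just the one shared attribute (the syslog host name or the VPN MAC) restores one asset per client, which is the outcome the exclusion described under Resolving The Problem is meant to produce; the same check over real asset data (count values per kind per asset and flag outliers) is the diagnostic step above.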

Resolving The Problem

To avoid asset merging, you need to exclude these events from identity processing. For more information, see Prevention of asset growth deviations.


Document Information

Modified date:
21 June 2022

UID

swg21650828