IBM Support

QRadar: Individual assets merging into one asset with many IP addresses, MAC addresses, or hostnames

Troubleshooting


Problem

Assets can be merged for seemingly unknown reasons, resulting in one asset with many different MAC addresses, host names, or IP addresses. This behavior is called asset vortexing: when multiple identity events share an attribute, the asset profiler assumes they belong to the same asset and reconciles them. This technical note describes scenarios in which administrators might need to implement an allowlist or denylist to address unwanted asset vortexes.

Symptom

A single asset has hundreds or thousands of different IP addresses, MAC addresses, or host names. Users might also receive the system notification "The system detected asset profiles that exceed the normal size threshold."

Cause

Depending on your environment, there are several reasons why assets merge aggressively. Listed here are some common ones:

  • Events forwarded through a central syslog server
  • Certain virtual machine image configurations
  • Preinstall environment images with fixed configurations
  • VPNs with shared MAC addresses

See the following full explanations to learn which might be affecting your environment.


A central Syslog server acting as an event proxy
If your logs are forwarded through a central syslog server, the identity information in the events passing through it might be overwritten or supplemented with the server's own information. The following example illustrates this process:

A DHCP ACK event containing IP address 10.10.10.10 and MAC address ab:cd:ed:12:34:56 is forwarded to the central syslog server, but the host name of the syslog server is appended to it, resulting in a modified DHCP ACK event containing IP 10.10.10.10, MAC ab:cd:ed:12:34:56, and host name central-syslog.company.com being sent to QRadar. If every identity event is forwarded through that syslog server, every otherwise unique asset carries the same host name, and QRadar uses that shared host name to merge the assets into a single vortexed asset.


Virtual machine images

Events from virtual machine images can be vortexed depending on their configuration. If VM guests keep the same DNS/NetBIOS hostname when the VM image is loaded on a different host, or if all guests on a VM host share a common MAC address or IP address, multiple guests and hosts can be vortexed together. The following example illustrates this process:

If two large ESX hosts each run 20 live guests, and the guests on each host share that host's MAC address, traffic from those guests results in 20 different hostnames merged under a single MAC address on each host. Some users want this behavior; others do not. Additionally, if one of the guests is moved from ESX host 1 to host 2, the asset model sees an identity event that matches a known hostname from host 1 now appearing with the MAC address of host 2, and merges the two assets, resulting in a single vortexed asset with 40 different hostnames and two MAC addresses. Many virtual machine assets can quickly coalesce into one large asset this way because it is common practice to move VM images between ESX hosts.

Preinstall environments
Imaging tools that speed up hardware installation and setup by using static preinstall environment images with fixed configurations (such as hostname and IP address) can be another cause of vortexing. Although installed hardware eventually acquires its own unique hostname and IP address, during the preinstall phase each asset temporarily uses the hostname or IP address shared by every other asset installed from the same core image. If these assets produce identity events while in that state, they can be merged based on their common identity information.

VPN with shared MAC address

When a VPN uses a shared MAC address, the identity information in events can be masked by the VPN server. The following example illustrates this process:

If a VPN appliance relays DHCP requests to a central DHCP server and the appliance's own MAC address is used as the requesting MAC address, the DHCP events forwarded to QRadar are merged, resulting in an asset with one common MAC address but many different IP addresses and hostnames.

Diagnosing The Problem

Review the Assets tab to see whether certain assets have multiple IP addresses, MAC addresses, or hostnames. If you see an unusually large number of entries assigned to a single asset, you might have an asset merge problem to investigate.

Resolving The Problem

To avoid asset merging, exclude these events from identity processing. For more information, see Prevention of asset growth deviations.

If you have a large number of vortexed assets, see the following technical note for instructions on how to generate a bulk report of them.
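The following script is an added example, not IBM or QRadar code, that models the reconciliation behavior described in the Cause section: identity events that share any attribute (IP address, MAC address, or hostname) are merged into one asset, so a hostname stamped onto every event by a syslog relay, or a MAC address shared by several VM guests, collapses many assets into one. It also applies the size-threshold check from the Symptom section and shows the effect of excluding the relay's hostname from identity processing, which is the mechanism the denylist provides. The syslog lines are constructed samples in ISC dhcpd DHCPACK format; the hostnames central-syslog.company.com, dhcp-site-a, dhcp-site-b, ws-01 and vm-guest-a are assumed, the threshold of 2 is arbitrary, and the real asset profiler applies more rules than this union-find sketch.

```python
"""Simulate asset vortexing: merge identity events on any shared attribute.

Added example, not IBM/QRadar code. Models only the behaviour the note
describes; the real asset profiler's reconciliation rules are more involved.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# ISC dhcpd "DHCPACK on <ip> to <mac> (<client hostname>) via <iface>" inside
# a syslog message whose header carries the name of the host that sent it.
SYSLOG_RE = re.compile(
    r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<header_host>\S+) dhcpd: "
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]+)\))?"
)

# Constructed samples, not real captures (hostnames are assumed).
# Three workstations forwarded through a central syslog relay that replaced
# the header hostname with its own, as in the central-syslog scenario.
RELAY = "central-syslog.company.com"
RELAYED_EVENTS = [
    f"<30>Apr 21 10:00:01 {RELAY} dhcpd: DHCPACK on 10.10.10.10 to ab:cd:ed:12:34:56 (ws-01) via eth0",
    f"<30>Apr 21 10:00:02 {RELAY} dhcpd: DHCPACK on 10.10.10.11 to ab:cd:ed:12:34:57 (ws-02) via eth0",
    f"<30>Apr 21 10:00:03 {RELAY} dhcpd: DHCPACK on 10.10.10.12 to ab:cd:ed:12:34:58 (ws-03) via eth0",
]
# Two VM guests on different sites that present the same shared MAC address.
VM_EVENTS = [
    "<30>Apr 21 11:00:01 dhcp-site-a dhcpd: DHCPACK on 10.20.0.5 to 00:50:56:aa:bb:cc (vm-guest-a) via eth0",
    "<30>Apr 21 11:00:02 dhcp-site-b dhcpd: DHCPACK on 10.30.0.9 to 00:50:56:aa:bb:cc (vm-guest-b) via eth0",
]


def identity(line: str, hostname_denylist: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    """Extract the identity attributes reconciliation would use from one event.

    Attributes are prefixed by type so an IP can never collide with a hostname.
    Hostnames on the denylist (e.g. the syslog relay) are dropped, which is
    what excluding that value from identity processing achieves.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a DHCPACK event: {line!r}")
    attrs = {f"ip:{m['ip']}", f"mac:{m['mac'].lower()}"}
    for host in (m["header_host"], m["host"]):
        if host and host not in hostname_denylist:
            attrs.add(f"host:{host.lower()}")
    return frozenset(attrs)


def reconcile(identities: List[FrozenSet[str]]) -> List[Set[str]]:
    """Union-find: any two identity sets sharing an attribute become one asset."""
    parent = list(range(len(identities)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    owner: Dict[str, int] = {}  # attribute -> index of the first event carrying it
    for i, attrs in enumerate(identities):
        for a in attrs:
            if a in owner:
                parent[find(i)] = find(owner[a])
            else:
                owner[a] = i
    assets: Dict[int, Set[str]] = defaultdict(set)
    for i, attrs in enumerate(identities):
        assets[find(i)].update(attrs)
    return list(assets.values())


def oversized(assets: List[Set[str]], threshold: int) -> List[Set[str]]:
    """Flag assets whose IP, MAC or hostname count exceeds the threshold (the
    condition behind the 'exceed the normal size threshold' notification)."""
    flagged = []
    for asset in assets:
        per_type: Dict[str, int] = defaultdict(int)
        for a in asset:
            per_type[a.split(":", 1)[0]] += 1
        if max(per_type.values()) > threshold:
            flagged.append(asset)
    return flagged


def simulate(lines: List[str], denylist: FrozenSet[str] = frozenset(),
             threshold: int = 2) -> Tuple[int, int]:
    """Return (number of resulting assets, number of them over the threshold)."""
    assets = reconcile([identity(line, denylist) for line in lines])
    return len(assets), len(oversized(assets, threshold))


if __name__ == "__main__":
    print("relayed, no denylist:  ", simulate(RELAYED_EVENTS))             # (1, 1)
    print("relayed, relay denied: ", simulate(RELAYED_EVENTS, frozenset({RELAY})))  # (3, 0)
    print("VM guests, shared MAC: ", simulate(VM_EVENTS))                  # (1, 1)
```

With the relay's hostname left in, the three workstations become one asset holding three IP addresses, three MAC addresses and four hostnames; denying that single hostname is enough to keep them apart. The VM case merges on the shared MAC address alone, and no hostname denylist helps there, which matches the note's point that shared-MAC merging is sometimes intended and otherwise needs the offending events excluded from identity processing.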


Document Information

Modified date:
21 April 2023

UID

swg21650828