IBM Support

QRadar: Asset Profile Does Not Populate the 'Last User' Field



The assets show an empty value in the 'Last User' column of the Assets page of the QRadar web interface even when 'User Names' are seen in the Log Activity tab.

Diagnosing The Problem

To diagnose this issue, perform the following steps:

    1. Log in to the QRadar Web interface
    2. Click the Assets tab
    3. Review the 'Last User' column
      If this value is empty, read the next section.

Resolving The Problem

The Last User field is updated when an Identity event is created. Many events can contain a user name, however, the asset profiler does not associate the information to an asset unless the event is an identity event, such as a log in, a log out, DHCP request, or other relevant event data that can associate a user the access or usage of an asset. To view users that are associated to assets, QRadar users should filter for events that contain "Identity Username" is not N/A or any event where "Has Identity" is True.


From the related article on assets and identity events

In QRadar 7.2, we introduced asset relevance, which takes in to account more types of data, but also looks to keep assets information updated for administrators.

In previous versions, QRadar updated the user name in the interface and would continually display the name of the last user that logged in, until another event occurs. This could be problematic as a search could return results for users associated with two assets, when in reality there is only one asset that the user recently logged in and used. The asset model in QRadar processes both login and logout identity events to help clarify how the asset is used. The new asset model displays the user name with the asset when the login identity event occurs. When the user logs out, QRadar collects the logout identity event and updates the asset to show that the user has logged out and is no longer associated with the asset. The ability to keep asset information relevant to changes can be critical. This is especially important in complicated networks where users constantly move between networks from Ethernet NIC cards to unplugging and connecting through a WI-FI connection. The ability to collect and view relevant data on how assets are used is an important step in resolving security issues.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Assets","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018