IBM Support

QRadar: How to effectively manage Asset Autodiscovery using exclusions.

Question & Answer


Question

What is the best way to manage Assets Identity Exclusions?

Cause

Sometimes customers need to limit the automatic discovery of assets. Stopping the assets service would turn off discovery of all assets, so a more desirable method is to exclude only the assets that match a saved search.

Answer

The recommended method of managing Asset Autodiscovery:
  1. Log in to the QRadar User Interface.
  2. Click Log Activity.
  3. Click Search > New Search.
  4. Create a search that has the criteria that are required to exclude Assets.
  5. Click Filter.
  6. Click Save Criteria.
  7. Give the Search a name > Assign search to a Group.
  8. Click OK.
  9. Click Admin tab > Asset Profiler Configuration.
  10. Click Manage Identity Exclusion.
  11. Create a rule that suppresses any identity updates that fit the criteria to be excluded.
  12. Click Save.

Results: You can now exclude Assets per your search results.



Document Information

Modified date:
09 March 2021

UID

swg21995509