IBM Support

QRadar: How to effectively manage Asset Autodiscovery using exclusions

Question & Answer


Question

What is the best way to manage Assets Identity Exclusions?

Cause

Sometimes customers need to limit the automatic discovery of assets. Assets are added in multiple ways:
  • Event payloads
  • Flow payloads
  • Vulnerability scanners
  • User interface
  • Domain aware asset data
Assets can accumulate because of infrastructure such as a VPN with DHCP. For example, a VPN user connects on an IP address and then terminates their session, allowing another user with a new MAC address to use the same IP address. DHCP is an example where asset growth deviation is caused by asset updates that contain information about more than one asset. Rather than stopping the assets service, which would turn off discovery of all assets, there is a more desirable method of managing assets. Identity exclusion searches are real-time searches that block asset information from entering the asset database based on common event search fields, such as event type, event name, category, and log source. Administrators can create searches that stop network assets that typically generate identity data from being added, by blocking that data from the asset profiler, which is responsible for updating assets in QRadar. By default, assets tuned in this way are removed from the asset database in approximately 30 days.
Identity exclusions are typically more flexible than asset blacklists, which can specify only raw asset data, such as MAC addresses and host names of assets to be excluded. Creating identity exclusions for assets allows administrators to decide what asset information QRadar tracks, and can eliminate noise from the asset database by excluding certain network services or asset types, such as phones (BYOD) or network infrastructure (VPN, DHCP, IoT, tape drives) that might not be monitored or patched by the security team. Asset exclusion searches can also help administrators on IBM enterprise licenses tune their systems so that Managed Virtual Servers (MVS) are counted correctly for licensing.

Answer

Keeping your assets for extended periods can assist you in monitoring your infrastructure for behavior and changes in the network. If the MAC address recorded for an IP address changes continually within a short period, the MAC address could be flagged as contributing to an instance of deviating or abnormal asset growth. You can create searches and exclusion rules to locate these anomalies. Using exclusions from saved searches with Autodiscovery is a way to manage abnormal asset growth.
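The following Python model is an added illustration, not QRadar's own code and not part of the original page. It shows in code what the paragraphs above describe: identity updates from a VPN address pool causing one IP to accumulate several MAC addresses, an identity exclusion keyed on a common event field (here the log source) blocking those updates before the asset profiler, a simple detector for the repeated-MAC-change pattern that marks deviating asset growth, and the removal of assets untouched for about 30 days. The event values, log source names, thresholds and class names are all constructed for the example.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600


@dataclass
class IdentityEvent:
    """One identity-bearing event as the asset profiler would see it (constructed sample)."""
    timestamp: int     # seconds since an arbitrary epoch, constructed
    log_source: str
    event_name: str
    category: str
    ip: str
    mac: str
    hostname: str


@dataclass
class Asset:
    ip: str
    macs: list = field(default_factory=list)
    hostnames: list = field(default_factory=list)
    history: list = field(default_factory=list)   # (timestamp, mac) per accepted update
    last_seen: int = 0


class IdentityExclusion:
    """Exclusion search modelled as equality criteria on common event fields.
    Every given criterion must match for an event to be excluded (hypothetical model)."""

    def __init__(self, **criteria):
        self.criteria = criteria

    def matches(self, event):
        return all(getattr(event, name) == value for name, value in self.criteria.items())


class AssetProfiler:
    """Applies exclusions first, then updates the asset database (hypothetical model)."""

    def __init__(self, exclusions=()):
        self.exclusions = list(exclusions)
        self.assets = {}       # ip -> Asset
        self.dropped = 0       # identity updates blocked by an exclusion

    def process(self, event):
        if any(x.matches(event) for x in self.exclusions):
            self.dropped += 1
            return False
        asset = self.assets.setdefault(event.ip, Asset(event.ip))
        if event.mac not in asset.macs:
            asset.macs.append(event.mac)
        if event.hostname not in asset.hostnames:
            asset.hostnames.append(event.hostname)
        asset.history.append((event.timestamp, event.mac))
        asset.last_seen = max(asset.last_seen, event.timestamp)
        return True


def flag_abnormal_growth(assets, window_seconds, max_mac_changes):
    """Return IPs whose MAC changed more than max_mac_changes times inside any window."""
    flagged = []
    for ip, asset in assets.items():
        hist = sorted(asset.history)
        change_times = [t for (t, mac), (_, prev) in zip(hist[1:], hist[:-1]) if mac != prev]
        for i in range(len(change_times)):
            in_window = sum(1 for t in change_times[i:] if t - change_times[i] <= window_seconds)
            if in_window > max_mac_changes:
                flagged.append(ip)
                break
    return flagged


def purge_stale(assets, now, max_age=30 * DAY):
    """Drop assets not updated within max_age (the ~30-day default the page mentions)."""
    stale = [ip for ip, a in assets.items() if now - a.last_seen > max_age]
    for ip in stale:
        del assets[ip]
    return stale


def sample_events():
    """Constructed events: one VPN pool address reused by four clients, plus one stable workstation."""
    vpn = [IdentityEvent(300 * i, "VPN-Gateway", "Session Started", "Authentication",
                         "10.0.0.5", f"00:11:22:33:44:{i:02x}", f"laptop-{i}")
           for i in range(4)]
    ws = [IdentityEvent(300 * i, "Windows-DC", "Logon Success", "Authentication",
                        "10.0.1.20", "aa:bb:cc:dd:ee:ff", "ws-finance-01")
          for i in range(4)]
    return vpn + ws


def run(exclusions=()):
    """Feed the constructed events through a profiler with the given exclusions."""
    profiler = AssetProfiler(exclusions)
    for ev in sample_events():
        profiler.process(ev)
    return profiler


if __name__ == "__main__":
    untuned = run()
    print("untuned flagged:", flag_abnormal_growth(untuned.assets, 3600, 2))
    tuned = run([IdentityExclusion(log_source="VPN-Gateway")])
    print("tuned flagged:", flag_abnormal_growth(tuned.assets, 3600, 2), "dropped:", tuned.dropped)
```

Without the exclusion, 10.0.0.5 collects four MAC addresses in 15 minutes and is flagged; with an exclusion on the VPN log source, those four identity updates never reach the asset database, the workstation is still tracked, and `purge_stale` later removes whatever has not been updated in 30 days.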
  1. Log in to the QRadar User Interface.
  2. Click Log Activity.
  3. Click Search > New Search.
  4. Create a real-time search that has the criteria that are required to exclude Assets.
    Note: Only searches without groups configured with an assigned time frame of real-time can be added to the managed identity exclusions list.
  5. Click Filter.
  6. Click Save Criteria.
  7. Give the search a name and assign the search to a group.
  8. Click OK.
  9. Click Admin tab.
  10. Click Manage Identity Exclusion.
  11. Create a rule that suppresses any identity updates that fit the criteria to be excluded.
  12. Click Save.

Results: You can now exclude assets per your search results.


Document Information

Modified date:
09 July 2024

UID

swg21995509