Assets and describing critical infrastructure objects

August 10, 2017 · 2 min read

While implementing and using IBM QRadar, users often ask the following questions: what are Assets? What are they needed for? What can we do with them? How can the Assets model be populated automatically?
'Assets' is the model that describes your infrastructure and lets IBM QRadar treat events involving the described objects differently. Raising the magnitude and severity of offenses that touch critical assets, and prioritising their response, is a first step toward reducing false positives and improving incident response for critical infrastructure objects.
Before you start filling in 'Assets', you need to configure the Asset Profiler. To do this, go to Admin – Asset Profiler Configuration.

In the menu that opens, specify the parameters that describe the configuration:
Asset Profile Settings
Asset Service Port Discovery
Asset Profiler Configuration
Asset Profiler Retention Configuration
QVM Vulnerability Retention

If you need to exclude certain data from asset identification, create a Search without grouping that describes the exclusion criteria and add that search to the exceptions on the Manage Identity Exclusion tab. I recommend doing this only after 6 to 9 months of using IBM QRadar, or when there are demonstrable errors in asset identification.

Filling Assets
You can fill in Assets manually or automatically.

Manual filling:
Go to the Assets – Asset Profiles – Add Asset menu.

In the window that opens, fill in the fields that describe the asset as accurately as possible.
Entering all available information about the asset is crucial. It is also recommended to fill in the CVSS, Weight & Compliance and Owners tabs.

Filling in these fields lets you reference the asset when writing correlation rules and identify it in the offenses that are generated.

Automatic Asset Discovery
Go to the Assets – Server Discovery menu.
This function works on the basis of preconfigured Building Blocks. Additionally, you can specify the ports to search for and restrict the search by network hierarchy for more accurate results.

Populating vulnerability data requires a connected vulnerability scanner.
This automatically adds information about the open ports, services and vulnerabilities on the asset.
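To answer the automation question from the start of the post, here is an added example (not code from the original post or from IBM) that pushes the owner, weight and description values from a CMDB export into the asset model through the QRadar REST API. It assumes the asset_model endpoints listed in the docstring; the CMDB export and the API responses it runs against are constructed sample data, and property type IDs are looked up by name at runtime because they differ between installations. Rows are matched to assets by IP address, and rows whose IP has not yet been discovered are reported rather than created, so the manual or Server Discovery step described above still comes first.

```python
"""Populate QRadar asset properties from a CMDB export via the REST API.

Added example, not code from the original post. It assumes:
  * GET  /api/asset_model/properties returns [{"id": <int>, "name": <str>}, ...]
  * GET  /api/asset_model/assets returns assets with "id" and
    "interfaces"[*]["ip_addresses"][*]["value"]
  * POST /api/asset_model/assets/{id} accepts {"properties": [{"type_id", "value"}]}
The CMDB export and the sample API responses below are constructed.
"""
import csv
import io
import json
import os
import urllib.request

# Constructed sample CMDB export (in practice exported from your CMDB).
CMDB_CSV = """ip,technical_owner,business_owner,weight,description
10.10.1.5,dba-team@example.com,finance@example.com,10,Production Oracle DB
10.10.2.17,web-team@example.com,marketing@example.com,5,Public web front end
"""

# Constructed stand-in for GET /api/asset_model/properties. Property type IDs
# differ between installations, so they are always looked up by name at runtime.
SAMPLE_PROPERTY_CATALOG = [
    {"id": 1003, "name": "Description"},
    {"id": 1005, "name": "Business Owner"},
    {"id": 1007, "name": "Technical Owner"},
    {"id": 1012, "name": "Weight"},
]

# Constructed stand-in for GET /api/asset_model/assets (only the fields used).
SAMPLE_ASSETS = [
    {"id": 1001, "interfaces": [{"ip_addresses": [{"type": "IPV4", "value": "10.10.1.5"}]}]},
    {"id": 1002, "interfaces": [{"ip_addresses": [{"type": "IPV4", "value": "10.10.9.9"}]}]},
]

# CMDB column -> asset property name (as shown in the Add Asset dialog).
CSV_TO_PROPERTY = {
    "technical_owner": "Technical Owner",
    "business_owner": "Business Owner",
    "weight": "Weight",
    "description": "Description",
}


def property_ids(catalog):
    """Map property names to the numeric type_id the API expects."""
    return {p["name"]: p["id"] for p in catalog}


def parse_cmdb(csv_text):
    """Parse the CMDB export into {ip: row}."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(csv_text))}


def index_assets_by_ip(assets):
    """Map every IP on any asset interface to that asset's id."""
    by_ip = {}
    for asset in assets:
        for iface in asset.get("interfaces", []):
            for ip in iface.get("ip_addresses", []):
                by_ip[ip["value"]] = asset["id"]
    return by_ip


def build_update(row, ids):
    """Build the POST body for one asset; weight is checked against the 0-10 scale."""
    props = []
    for column, name in CSV_TO_PROPERTY.items():
        value = (row.get(column) or "").strip()
        if not value:
            continue
        if name == "Weight" and not 0 <= int(value) <= 10:
            raise ValueError(f"weight {value!r} for {row['ip']} outside 0-10")
        props.append({"type_id": ids[name], "value": value})
    return {"properties": props}


def plan_updates(cmdb_rows, assets, catalog):
    """Return ([(asset_id, body), ...], [ips with no discovered asset yet])."""
    ids = property_ids(catalog)
    by_ip = index_assets_by_ip(assets)
    plan, missing = [], []
    for ip, row in cmdb_rows.items():
        if ip in by_ip:
            plan.append((by_ip[ip], build_update(row, ids)))
        else:
            missing.append(ip)
    return plan, missing


def api_call(base_url, token, path, body=None):
    """Minimal QRadar REST call using the SEC token header; TLS is verified by default."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/{path}", data=data,
        headers={"SEC": token, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST" if body is not None else "GET",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run on the constructed data; a real push only when QRADAR_URL/QRADAR_TOKEN are set.
    plan, missing = plan_updates(parse_cmdb(CMDB_CSV), SAMPLE_ASSETS, SAMPLE_PROPERTY_CATALOG)
    print("planned:", plan, "\nnot yet discovered:", missing)
    base, tok = os.environ.get("QRADAR_URL"), os.environ.get("QRADAR_TOKEN")
    if base and tok:
        catalog = api_call(base, tok, "asset_model/properties")
        assets = api_call(base, tok, "asset_model/assets")
        plan, missing = plan_updates(parse_cmdb(CMDB_CSV), assets, catalog)
        for asset_id, body in plan:
            api_call(base, tok, f"asset_model/assets/{asset_id}", body)
```

Run it once without credentials to see the dry-run plan, then with an authorized-service token in QRADAR_TOKEN. On the constructed data the host 10.10.2.17 is listed as not yet discovered because no asset carries that IP; run Server Discovery or add it manually before re-running, otherwise the CMDB owner and weight for it are silently lost.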
