When deploying and operating IBM QRadar, users often ask the same questions: what are Assets? What are they needed for? What can we do with them? How can the Assets model be populated automatically?
‘Assets’ is the model that describes your infrastructure and lets IBM QRadar react differently to events associated with the objects recorded in it. Raising the magnitude and severity of events that touch critical objects, and adjusting the response accordingly, is at least a first step toward reducing false positives and improving the handling of incidents tied to critical parts of the infrastructure.
Before you start populating ‘Assets,’ you need to configure the Asset Profiler. To do this, go to Admin – Asset Profiler Configuration.
In the menu that opens, specify the parameters that describe the configuration:
Asset Profile Settings
Asset Service Port Discovery
Asset Profiler Configuration
Asset Profiler Retention Configuration
QVM Vulnerability Retention
If you need exclusion rules for asset identification, create a Search without grouping that describes the exclusion criteria and add that Search to the exceptions on the Manage Identity Exclusion tab. I recommend doing this only after 6-9 months of running IBM QRadar, or when there are demonstrable errors in asset identification.
You can populate Assets manually or automatically.
Manual Assets Input
Go to the Assets – Asset Profiles – Add Asset menu.
In the window that opens, fill in the fields that describe the Asset as accurately as possible.
Enter all available information about the Asset; in particular, fill in the CVSS, Weight & Compliance and Owners tabs.
These fields let you reference the Asset when you write correlation rules and identify it in the Offenses that are generated.
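Entering assets one by one through Add Asset does not scale, and the article's opening question was how to automate the filling of the model. The following Python script is an added example, not code from the original article or from IBM: it turns a constructed inventory export into the CSV that the Assets – Asset Profiles – Actions – Import Assets function consumes, validating each row first, and builds the JSON body for an asset_model REST update. Assumptions to verify against the QRadar documentation for your version: the import CSV format is `ip,name,weight,description` with no header, weight is an integer 0 to 10 and name/description are at most 255 characters; `GET /api/asset_model/properties` lists property types and `POST /api/asset_model/assets/{asset_id}` accepts `{"properties": [{"type_id": ..., "value": ...}]}`. The property names and ids in `PROPERTY_TYPES` and the inventory rows are constructed placeholders; read the real ones from your console.

```python
"""Build a QRadar asset import CSV and an asset_model REST update body.

Added example, not from the original article. Assumptions (check the QRadar
documentation for your version):
  * Import Assets reads one asset per line as: ip,name,weight,description
  * weight is an integer 0..10; name and description are <= 255 characters
  * POST /api/asset_model/assets/{asset_id} takes
    {"properties": [{"type_id": <int>, "value": "<str>"}]}
  * GET /api/asset_model/properties returns the available property types
"""
import csv
import io
import ipaddress
import json

MAX_TEXT = 255
MIN_WEIGHT, MAX_WEIGHT = 0, 10

# Constructed inventory export (what a CMDB or spreadsheet might hand you).
# Two rows are deliberately bad so the validation path is exercised.
INVENTORY = [
    {"ip": "10.1.10.5", "name": "dc01", "weight": 10, "description": "Domain controller"},
    {"ip": "10.1.20.15", "name": "web-prod-01", "weight": 8, "description": "Customer web frontend"},
    {"ip": "10.1.30.7", "name": "dev-box", "weight": 2, "description": "Developer workstation"},
    {"ip": "10.1.30.300", "name": "typo-host", "weight": 5, "description": "Bad IP, must be rejected"},
    {"ip": "10.1.40.1", "name": "old-scanner", "weight": 12, "description": "Weight out of range"},
]

# Constructed sample of a GET /api/asset_model/properties response. The ids
# and names are placeholders, not QRadar's real values.
PROPERTY_TYPES = [
    {"id": 1001, "name": "Unified Name", "custom": False},
    {"id": 1002, "name": "Description", "custom": False},
    {"id": 1003, "name": "Weight", "custom": False},
    {"id": 1009, "name": "Technical Owner", "custom": False},
]


def validate_asset(entry):
    """Return a cleaned (ip, name, weight, description) tuple or raise ValueError."""
    ip = ipaddress.IPv4Address(str(entry["ip"]).strip())  # rejects junk and IPv6
    name = str(entry["name"]).strip()
    description = str(entry.get("description", "")).strip()
    weight = int(entry["weight"])
    if not name or len(name) > MAX_TEXT:
        raise ValueError(f"name must be 1..{MAX_TEXT} characters: {name!r}")
    if len(description) > MAX_TEXT:
        raise ValueError(f"description longer than {MAX_TEXT} characters")
    if not MIN_WEIGHT <= weight <= MAX_WEIGHT:
        raise ValueError(f"weight must be {MIN_WEIGHT}..{MAX_WEIGHT}: {weight}")
    return str(ip), name, weight, description


def build_import_csv(inventory):
    """Return (csv_text, rejected_rows) for the Import Assets function.

    Rejected rows are reported rather than silently dropped, so a bad export
    does not become a half-populated asset model without anyone noticing.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    rejected = []
    for entry in inventory:
        try:
            writer.writerow(validate_asset(entry))
        except (ValueError, KeyError) as exc:  # AddressValueError is a ValueError
            rejected.append((entry.get("ip"), str(exc)))
    return out.getvalue(), rejected


def build_rest_update(property_types, values):
    """Map property names to type_ids and return the body for
    POST /api/asset_model/assets/{asset_id}.

    Unknown names raise, so a renamed or missing property never degrades
    into a silently ignored field.
    """
    by_name = {p["name"]: p["id"] for p in property_types}
    unknown = sorted(set(values) - set(by_name))
    if unknown:
        raise KeyError(f"properties not defined on this console: {unknown}")
    return {"properties": [{"type_id": by_name[k], "value": str(v)}
                           for k, v in values.items()]}


def rest_request(console, asset_id, body, token):
    """Assemble (url, headers, payload) for the update. Sending is left to the
    caller (urllib or requests) so this module runs offline. The SEC header
    carries the authorized-service token; the Version header is an assumption."""
    url = f"https://{console}/api/asset_model/assets/{asset_id}"
    headers = {"SEC": token, "Version": "12.0", "Accept": "application/json",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(body)


if __name__ == "__main__":
    csv_text, bad = build_import_csv(INVENTORY)
    print(csv_text, end="")
    for ip, reason in bad:
        print(f"rejected {ip}: {reason}")
    print(json.dumps(build_rest_update(PROPERTY_TYPES,
                                       {"Weight": 10, "Technical Owner": "infra-team"})))
```

Run it and save the printed CSV to a file, then load that file through Import Assets; the two rejected rows (an invalid address and a weight outside 0 to 10) are listed instead of being imported. For properties that the CSV import does not cover, such as owners, `build_rest_update` produces the body you post per asset with the asset id taken from `GET /api/asset_model/assets`.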
Automatic Assets Search
Go to the Assets – Server Discovery menu.
This function relies on preconfigured Building Blocks. You can also specify the ports to search for and restrict the search by network hierarchy for more accurate results.
Populating vulnerability data requires a connected vulnerability scanner.
With a scanner integrated, information about the open ports, services and vulnerabilities on an Asset is entered automatically.