IBM Security QRadar

  • 1.  Removing Assets automatically

    Posted Wed December 01, 2021 05:56 AM
    Hello,

    Is there a way to keep the QRadar asset database in sync with a 3rd party tool like IPAM or CMDB?
    Here's what I would like to do:
    1. Import all assets from IPAM (=IP address and hostname) into QRadar Assets.
    2. Update the QRadar Assets automatically whenever something changes in the IPAM.

    All Changes in the IPAM are sent via syslog to QRadar, so the IP address and Hostname appear as Identity Information in the Events.
    This provides the ability to add and update an asset, but there's no way to delete it automatically.
    Also, the QRadar REST API does not allow deleting Assets, so a custom rule action won't work either.
    Another possibility I can think of is a daily cleanup of the whole QRadar Asset database and a full import of the IPAM database through REST API, but this seems way too complicated.
    It seems like the only two ways to delete an asset are by manually deleting it from the GUI or configuring a retention time for the asset but both options are not suitable for my scenario.

    How to automatically delete an Asset from the QRadar Asset database when it gets deleted from IPAM?

    Thank you.

    Best Regards,
    Artur Gazda



    ------------------------------
    Artur Gazda
    ------------------------------


  • 2.  RE: Removing Assets automatically

    IBM Champion
    Posted Thu December 02, 2021 05:29 AM
    Artur,
    there is a straightforward solution for what you are looking for.
    You need to set the retention period in advanced system settings - asset profiler settings to one day and import - see screenshot


    Then import your IPAM data using a crontab script and REST API once a day.
    The API gives you full control over the database tables including your own asset properties. See excerpt from REST API:

    Last modified in API version: 15.1
    Description
    Sets asset configuration settings to the values provided if they are within the valid range for each configuration setting.
    Response Description
    An updated AssetConfigDTO object.
    We have successfully set up this approach in a couple of customer projects.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
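
A sketch of the reconciliation step that the daily cron job described in the reply above would need, added here as an example and not code from the thread or from IBM: it compares an IPAM export with the current asset list and sorts assets into create, update, refresh and expire. The sample data, the flattened asset record layout and the function names are assumptions, and no QRadar API calls are made.

```python
import csv
import io

# Constructed sample data (not from the thread). The asset record layout below
# is an assumption: a simplified list of dicts with "id", "ip" and "hostname",
# as one might flatten it from an asset export.
IPAM_CSV = """ip,hostname
10.0.0.10,web01
10.0.0.11,db01
10.0.0.13,mail01
"""

QRADAR_ASSETS = [
    {"id": 101, "ip": "10.0.0.10", "hostname": "web01"},
    {"id": 102, "ip": "10.0.0.11", "hostname": "db-old"},
    {"id": 103, "ip": "10.0.0.12", "hostname": "legacy01"},
]


def load_ipam(text):
    """Parse the IPAM export into {ip: hostname}, normalising case/whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["ip"].strip(): r["hostname"].strip().lower() for r in rows}


def plan_sync(ipam, assets):
    """Compare IPAM (source of truth) with the current asset list and return
    the create/update/refresh/expire actions for the daily import."""
    plan = {"create": [], "update": [], "refresh": [], "expire": []}
    seen = set()
    for asset in assets:
        ip = asset["ip"]
        seen.add(ip)
        if ip not in ipam:
            # Absent from IPAM: do not re-import, so retention ages it out.
            plan["expire"].append(asset["id"])
        elif asset["hostname"].lower() != ipam[ip]:
            plan["update"].append((asset["id"], ipam[ip]))
        else:
            plan["refresh"].append(asset["id"])
    plan["create"] = sorted((ip, host) for ip, host in ipam.items() if ip not in seen)
    return plan


if __name__ == "__main__":
    for action, items in plan_sync(load_ipam(IPAM_CSV), QRADAR_ASSETS).items():
        print(action, items)
```

Logging the `expire` list each day gives a record of which assets were left to age out and why.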



  • 3.  RE: Removing Assets automatically

    Posted Thu December 16, 2021 01:05 PM
    Hello Karl,

    Thank you for your response!
    Your solution sounds interesting and I would like to learn more about it.
    Have you had the chance to check the email I sent you?
    Looking forward to hearing from you!

    Best Regards,
    Artur Gazda

    ------------------------------
    Artur Gazda
    ------------------------------