Artur,
there is a straightforward solution for what you are looking for.
You need to set the retention period in advanced system settings - asset profiler settings to one day and import - see screenshot.
Then import your IPAM data using a crontab script and REST API once a day.
The API gives you full control over the database tables, including your own asset properties. See excerpt from REST API:
Last modified in API version: 15.1
Description
Sets asset configuration settings to the values provided if they are within the valid range for each configuration setting.
Response Description
An updated AssetConfigDTO object.
We have successfully set up this approach in a couple of customer projects.
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
Original Message:
Sent: Wed December 01, 2021 05:55 AM
From: Artur Gazda
Subject: Removing Assets automatically
Hello,
Is there a way to keep the QRadar asset database in sync with a 3rd party tool like IPAM or CMDB?
Here's what I would like to do:
- Import all assets from IPAM (=IP address and hostname) into QRadar Assets.
- Update the QRadar Assets automatically whenever something changes in the IPAM.
All Changes in the IPAM are sent via syslog to QRadar, so the IP address and Hostname appear as Identity Information in the Events.
This provides the ability to add and update an asset, but there's no way to delete it automatically.
Also, the QRadar REST API does not allow deleting Assets, so a custom rule action won't work either.
Another possibility I can think of is a daily cleanup of the whole QRadar Asset database and a full import of the IPAM database through REST API, but this seems way too complicated.
It seems like the only two ways to delete an asset are by manually deleting it from the GUI or configuring a retention time for the asset but both options are not suitable for my scenario.
How to automatically delete an Asset from the QRadar Asset database when it gets deleted from IPAM?
Thank you.
Best Regards,
Artur Gazda
------------------------------
Artur Gazda
------------------------------
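A reconciliation step that the daily cron job described in the reply could run before its import, as an added example that is not part of the original posts or of IBM's code: it compares an IPAM export with the current asset list and reports what to add, what to update, and which assets no longer exist in IPAM and should age out under the one-day retention. The CSV columns, the JSON field names and all sample values are constructed assumptions, and fetching the asset list or writing changes through the REST API is deliberately left out.

```python
import csv, io, ipaddress, json

# Constructed sample: IPAM export as CSV (column names are assumptions).
IPAM_CSV = """ip,hostname
10.0.0.5,web01
10.0.0.6,db01
10.0.0.9,app03
"""

# Constructed sample shaped like an asset list; field names are assumptions.
ASSETS_JSON = """[
 {"id": 1001, "interfaces": [{"ip_addresses": [{"value": "10.0.0.5"}]}],
  "hostnames": [{"name": "web01"}]},
 {"id": 1002, "interfaces": [{"ip_addresses": [{"value": "10.0.0.6"}]}],
  "hostnames": [{"name": "db-old"}]},
 {"id": 1003, "interfaces": [{"ip_addresses": [{"value": "10.0.0.7"}]}],
  "hostnames": [{"name": "retired01"}]}
]"""

def load_ipam(text):
    """Return {ip: hostname}; a malformed IP raises ValueError."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))
        out[ip] = row["hostname"].strip().lower()
    return out

def load_assets(text):
    """Return {ip: (asset_id, set_of_hostnames)} from the asset JSON."""
    out = {}
    for asset in json.loads(text):
        names = {h["name"].lower() for h in asset.get("hostnames", [])}
        for iface in asset.get("interfaces", []):
            for addr in iface.get("ip_addresses", []):
                ip = str(ipaddress.ip_address(addr["value"]))
                out[ip] = (asset["id"], names)
    return out

def reconcile(ipam, assets):
    """Split the two views into missing, hostname-changed and stale."""
    add = sorted(ip for ip in ipam if ip not in assets)
    update = sorted(ip for ip in ipam
                    if ip in assets and ipam[ip] not in assets[ip][1])
    stale = sorted(assets[ip][0] for ip in assets if ip not in ipam)
    return {"add": add, "update": update, "stale": stale}

if __name__ == "__main__":
    report = reconcile(load_ipam(IPAM_CSV), load_assets(ASSETS_JSON))
    print(json.dumps(report, indent=2))
```

Logging the `stale` list each day gives a record of which assets are expected to expire, which can be checked against the asset database after the retention window has passed.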