IBM Security QRadar

  • 1.  Asset Profile Discrepancies (7.5)

    Posted Wed May 25, 2022 10:05 AM
    Hey everyone,

    I understand that changes were introduced in 7.4 to allow aggregate tracking of MAC addresses, and I'm seeing many deviation events listing asset IDs being flagged for exceeding the number of MAC addresses. However, 90% of these events show a MAC address count of "1". Manual verification for many of these actually shows no MAC address, so I'm a little confused. In the asset profiler settings, I'm still using the default of 10 MACs and can't seem to figure this out. It is worth noting that in addition to log data, I am importing VA data as well. Any ideas are greatly appreciated!

    SAMPLE NOTIFICATION

    May 25 10:38:51 127.0.0.1  [AssetProfilerLogTimer] com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [WARN] [NOT:0000004000][REDACTED/- -] [-/- -]Vortex Asset Ids (cont'd): [ASSET ID:1069553, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1069653, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1069674, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1069906, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1069955, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1070013, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1070197, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1070614, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1070975, REASON:Too many MAC Addresses, COUNT:1], [ASSET ID:1072211, REASON:Too many MAC Addresses, COUNT:1]


    ------------------------------
    Paul
    ------------------------------
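As an added example (not code from the original post or from QRadar): a small parser for the "Vortex Asset Ids (cont'd)" notification format quoted above. It pulls each [ASSET ID, REASON, COUNT] entry out of a notification line and tallies entries by COUNT, so the "almost everything says COUNT:1" observation can be checked over a whole batch of notifications rather than by eye. The MAC-per-asset limit of 10 is assumed from the post's stated default.

```python
import re
from collections import Counter

# Constructed sample: the notification line quoted in the post, trimmed to three
# entries, with the last COUNT raised to 12 (constructed) for contrast.
SAMPLE_LOG = (
    "May 25 10:38:51 127.0.0.1  [AssetProfilerLogTimer] "
    "com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [WARN] "
    "[NOT:0000004000][REDACTED/- -] [-/- -]Vortex Asset Ids (cont'd): "
    "[ASSET ID:1069553, REASON:Too many MAC Addresses, COUNT:1], "
    "[ASSET ID:1069653, REASON:Too many MAC Addresses, COUNT:1], "
    "[ASSET ID:1070197, REASON:Too many MAC Addresses, COUNT:12]"
)

# One bracketed entry: [ASSET ID:<digits>, REASON:<text>, COUNT:<digits>]
ENTRY_RE = re.compile(r"\[ASSET ID:(\d+), REASON:([^,\]]+), COUNT:(\d+)\]")


def parse_deviations(line):
    """Return a list of (asset_id, reason, count) tuples found in one notification line."""
    return [(int(a), r.strip(), int(c)) for a, r, c in ENTRY_RE.findall(line)]


def summarize(lines, mac_limit=10):
    """Tally entries by COUNT and collect asset IDs flagged with COUNT below mac_limit.

    mac_limit is assumed to be the asset profiler's MAC-per-asset setting (the
    post's default of 10). An entry whose REASON is "Too many MAC Addresses" but
    whose COUNT is below that limit is exactly the inconsistency the post describes.
    """
    by_count = Counter()
    below_limit = []
    for line in lines:
        for asset_id, reason, count in parse_deviations(line):
            by_count[count] += 1
            if reason == "Too many MAC Addresses" and count < mac_limit:
                below_limit.append(asset_id)
    return by_count, below_limit


if __name__ == "__main__":
    counts, suspicious = summarize([SAMPLE_LOG])
    print("entries per COUNT value:", dict(counts))
    print("assets flagged 'too many' with COUNT below limit:", suspicious)
```

Feed it the notification lines exported from the QRadar log source (one line per entry in the list) to see the full COUNT distribution and the asset IDs worth verifying manually.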


  • 2.  RE: Asset Profile Discrepancies (7.5)

    IBM Champion
    Posted Tue June 07, 2022 05:40 AM
    Paul,
    this message is looking strange indeed. Too many MACs with count=1 seems to make no sense. I have not found this message in our live lab running 7.4.3 FP 5. AssetProfilerLogTimer messages are system notifications produced by this log source, not by the asset profiler itself. So my first guess is that your AP setting of MAC=10 does not apply at all. The notification messages related to MAC addresses in general are caused by MAC-related custom rules. Unfortunately, MAC tracking is not rule based; at least I could not find one. Please double-check your rulebase for related MAC rules. My second guess was that it is maybe VA data import related. VA data being added to the asset DB can cause strange effects sometimes. Have you checked whether the VA data import/update timers are related to your system notifications?
    Just my 0.2 cent

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------