IBM Security QRadar


Asset Profiler - many asset profiles do not contain an ip address, but a netbios entry instead

  • 1.  Asset Profiler - many asset profiles do not contain an ip address, but a netbios entry instead

    IBM Champion
    Posted Thu March 14, 2024 11:02 AM

    Hi community,

    I struggle with a behavior of assets shown in the asset profiler tab. There are many profiles not containing an IP address, but a NetBIOS entry exists.
    And in the asset panel, in the "asset name" column, this NetBIOS name is shown, although the field (given name) for the asset profile is empty.

    In the asset profiler configuration the setting "enable wins lookup for host identity" is disabled and the "unified asset name" is set to DNS Name.
    A few months ago I could fix a similar issue with the help of @IBM Support, dealing with a known issue related to Windows events.
    We used an asset exclusion search, where the "identity netbios name" field of Windows events contained a "-".

    This was the solution to this behavior back then. But in this case it seems to be something else, because there are no Windows events with a "-" in the mentioned field. What is interesting here is that the last user seen status in the "affected" profiles is mostly current or close to now.

    Any similar experiences out there, maybe @IBM Support, with this kind of "issue" or any ideas to remediate?

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | Senior SIEM Expert
    connecT SYSTEMHAUS AG
    Siegen
    +491726365525
    ------------------------------


  • 2.  RE: Asset Profiler - many asset profiles do not contain an ip address, but a netbios entry instead

    Posted Wed March 20, 2024 11:28 AM

    Not all assets have IP information as you indicated:
    https://www.ibm.com/docs/en/qsip/7.5?topic=management-sources-asset-data

    You also mentioned you are using DNS resolution as well:
    https://www.ibm.com/support/pages/node/519507

    Lastly, you can also use reference sets:
    https://www.ibm.com/docs/en/qradar-common?topic=app-configuring-asset-identification

    When the above is used I would still expect some with no identifications that can be cleaned up with deny lists or manually:
    https://www.ibm.com/docs/en/qsip/7.5?topic=deviations-asset-blocklists-allowlists
    https://www.ibm.com/docs/en/qsip/7.5?topic=management-clean-up-asset-data-after-growth-deviations

    Hope this helps.



    ------------------------------
    JOHN HANDROP
    ------------------------------