Incoming asset data workflow

IBM® QRadar® uses identity information in an event payload to determine whether to create a new asset or update an existing asset.

Important: Asset generation from IPv6 flows is not supported.
Figure 1. Asset data workflow diagram
A workflow diagram that describes how QRadar designates incoming asset data to existing assets or creates a new asset.
  1. QRadar receives the event. The asset profiler examines the event payload for identity information.
  2. If the identity information includes a MAC address, a NetBIOS host name, or a DNS host name that is already associated with an asset in the asset database, then that asset is updated with any new information.
  3. If the only available identity information is an IP address, the system reconciles the update to the existing asset that has the same IP address.
  4. If an asset update has an IP address that matches an existing asset but the other identity information does not match, the system uses other information to rule out a false-positive match before the existing asset is updated.
  5. If the identity information does not match an existing asset in the database, then a new asset is created based on the information in the event payload.
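
The decision order in steps 2 to 5, as an added Python sketch that is not QRadar code. The asset dictionaries, the function names, and the sample updates are constructed for illustration, and the conflict check that stands in for the "other information" in step 4 is an assumption, because the page does not say what that information is.

```python
# Added illustration of the workflow above; a simplified model, not QRadar code.
STRONG_KEYS = ("mac", "netbios", "dns")  # identity fields named in step 2

def merge(asset, identity):
    """Copy any new identity information onto an existing asset record."""
    for key in STRONG_KEYS:
        if identity.get(key) and not asset.get(key):
            asset[key] = identity[key]
    if identity.get("ip"):
        asset["ips"].add(identity["ip"])
    return asset

def reconcile(db, identity):
    """Apply one identity update to db (a list of asset dicts)."""
    strong = {k: identity[k] for k in STRONG_KEYS if identity.get(k)}
    ip = identity.get("ip")

    # Step 2: a known MAC address, NetBIOS name or DNS name selects the asset.
    for asset in db:
        if any(asset.get(k) == v for k, v in strong.items()):
            return "updated", merge(asset, identity)

    # Steps 3 and 4: fall back to the asset that currently holds the IP address.
    holder = next((a for a in db if ip and ip in a["ips"]), None)
    if holder is not None:
        # ASSUMPTION: step 4 is modelled as a conflict check. A different value
        # already stored for a field the update carries means a false positive.
        conflict = any(holder.get(k) and holder[k] != v for k, v in strong.items())
        if not conflict:
            return "updated", merge(holder, identity)

    # Step 5: nothing matched, so build a new asset from the payload.
    new_asset = {"id": len(db) + 1, "ips": set()}
    db.append(new_asset)
    return "created", merge(new_asset, identity)

def demo():
    """Run constructed sample updates through the model."""
    db = []
    updates = [  # constructed sample identity data
        {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},  # step 5: new host
        {"ip": "10.0.0.5"},                              # step 3: IP only
        {"ip": "10.0.0.9", "mac": "00:11:22:33:44:55"},  # step 2: known MAC
        {"ip": "10.0.0.5", "mac": "66:77:88:99:aa:bb"},  # step 4: IP reused
    ]
    return [reconcile(db, u)[0] for u in updates], db
```

In the last sample update the IP address matches the first asset but the MAC address does not, so the model creates a second asset instead of overwriting the first one's identity.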