Advanced tuning of asset reconciliation exclusion rules
You can tune the Asset Reconciliation Exclusion rules to refine the definition of deviating asset growth in one or more of the rules.
Apply AssetExclusion: Exclude DNS Name By IP on events which are detected by the Local system and NOT when any of Identity Host Name are contained in any of Asset Reconciliation DNS Whitelist - AlphaNumeric (Ignore Case), Asset Reconciliation DNS Blacklist - AlphaNumeric (Ignore Case) and when at least N1 events are seen with the same Identity Host Name and different Identity IP in N2

Variable | Default value | Tuning result |
---|---|---|
N1 | 3 | Tuning this variable to a lower value results in more data being added to the blacklist because fewer events with conflicting data are needed for the rule to fire. Tuning this variable to a higher value results in less data being added to the blacklist because more events with conflicting data are needed for the rule to fire. |
N2 | 2 hours | Tuning this variable to a lower value reduces the window of time in which N1 events must be seen for the rule to fire. The time required to observe matching data is decreased, which results in less data being added to the blacklist. Tuning this variable to a higher value increases the time in which N1 events must be seen for the rule to fire. The time to observe matching data is increased, which results in more data being added to the blacklist. Increasing the time period might impact system memory resources as data is tracked over longer periods of time. |

The Asset Reconciliation Exclusion rules are system-wide rules. Changes to the rules affect the way that the rule behaves throughout the entire system.
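
To preview how a change to N1 or N2 shifts what lands on the blacklist, the following added example (not product code) models the rule over constructed events. It assumes that "N1 events with different Identity IP" means N1 distinct IP addresses for one host name inside a sliding window of length N2; `simulate`, `SAMPLE`, the host names and the addresses are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def simulate(events, n1=3, n2=timedelta(hours=2), whitelist=(), blacklist=()):
    """Return host names the modelled rule would add to the DNS blacklist.

    events: iterable of (timestamp, hostname, ip), sorted by timestamp.
    Assumption: the rule fires once a host name has n1 distinct IPs in n2.
    """
    allow = {h.lower() for h in whitelist}      # reference sets ignore case
    known = {h.lower() for h in blacklist}
    blocked = set(known)
    recent = defaultdict(deque)                 # hostname -> (ts, ip) in window
    for ts, host, ip in events:
        host = host.lower()
        if host in allow or host in blocked:    # the rule's "NOT when" test
            continue
        window = recent[host]
        window.append((ts, ip))
        while ts - window[0][0] > n2:           # expire events older than N2
            window.popleft()
        if len({addr for _, addr in window}) >= n1:
            blocked.add(host)                   # rule fires
            del recent[host]                    # no further tracking needed
    return blocked - known                      # only the new additions

def _t(hhmm):
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (documentation IP ranges, made-up host names).
SAMPLE = [
    (_t("09:00"), "localhost", "192.0.2.10"),
    (_t("09:20"), "LOCALHOST", "192.0.2.11"),
    (_t("09:40"), "kiosk", "198.51.100.5"),
    (_t("10:30"), "localhost", "192.0.2.12"),
    (_t("11:00"), "kiosk", "198.51.100.6"),
    (_t("12:30"), "kiosk", "198.51.100.7"),
    (_t("13:00"), "printer", "203.0.113.9"),    # same IP repeated: no conflict
    (_t("13:05"), "printer", "203.0.113.9"),
    (_t("13:10"), "printer", "203.0.113.9"),
]

if __name__ == "__main__":
    print("defaults:", sorted(simulate(SAMPLE)))
    print("N1=2    :", sorted(simulate(SAMPLE, n1=2)))
    print("N2=4h   :", sorted(simulate(SAMPLE, n2=timedelta(hours=4))))
    print("N2=1h   :", sorted(simulate(SAMPLE, n2=timedelta(hours=1))))
```

The per-host window held in `recent` is the state that grows when N2 is raised, which is the memory cost the tuning table mentions.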