Advanced tuning of asset reconciliation exclusion rules

You can tune the Asset Reconciliation Exclusion rules to refine the definition of deviating asset growth in one or more of the rules.

For example, consider this normalized template from an Asset Reconciliation Exclusion rule.

Apply AssetExclusion: Exclude DNS Name By IP on events which are detected by the Local system and NOT when any of Identity Host Name are contained in any of Asset Reconciliation DNS Whitelist - AlphaNumeric (Ignore Case), Asset Reconciliation DNS Blacklist - AlphaNumeric (Ignore Case) and when at least N1 events are seen with the same Identity Host Name and different Identity IP in N2

This table lists the variables in the rule template that can be tuned and the result of the change. Avoid changing other variables in the template.

Table 1. Options for tuning the asset reconciliation rules

| Variable | Default value | Tuning result |
|----------|---------------|---------------|
| N1 | 3 | Tuning this variable to a lower value results in more data being added to the blacklist because fewer events with conflicting data are needed for the rule to fire. Tuning this variable to a higher value results in less data being added to the blacklist because more events with conflicting data are needed for the rule to fire. |
| N2 | 2 hours | Tuning this variable to a lower value reduces the window of time in which N1 events must be seen for the rule to fire. The time required to observe matching data is decreased, which results in less data being added to the blacklist. Tuning this variable to a higher value increases the time in which N1 events must be seen for the rule to fire. The time to observe matching data is increased, which results in more data being added to the blacklist. Increasing the time period might impact system memory resources as data is tracked over longer periods of time. |

The Asset Reconciliation Exclusion rules are system-wide rules. Changes to the rules affect the way that the rule behaves throughout the entire system.
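
The effect of tuning N1 and N2 can be estimated offline before the system-wide rule is changed. The following is an added example, not product code: a simplified Python model of the template above, in which hostnames_to_blacklist and SAMPLE_EVENTS are hypothetical names, the events are constructed, and "different Identity IP" is assumed to mean N1 distinct IP addresses for one host name inside a sliding window of length N2.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def hostnames_to_blacklist(events, n1=3, n2=timedelta(hours=2),
                           whitelist=(), blacklist=()):
    """Return the host names for which the modelled rule would fire.

    events: iterable of (timestamp, hostname, ip) tuples, in any order.
    """
    # Reference-set checks are case-insensitive ("Ignore Case" in the rule).
    skip = {h.lower() for h in whitelist} | {h.lower() for h in blacklist}
    windows = defaultdict(deque)  # hostname -> (timestamp, ip) seen within N2
    fired = set()
    for ts, host, ip in sorted(events):
        key = host.lower()
        if key in skip or key in fired:
            continue  # already listed, so the rule does not apply
        win = windows[key]
        win.append((ts, ip))
        while ts - win[0][0] > n2:  # expire observations older than N2
            win.popleft()
        if len({addr for _, addr in win}) >= n1:
            fired.add(key)
    return fired

# Constructed sample events (not taken from a real deployment).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0, "kiosk-01", "10.0.0.5"),
    (T0 + timedelta(minutes=50), "KIOSK-01", "10.0.1.9"),
    (T0 + timedelta(minutes=100), "kiosk-01", "10.0.2.7"),
    (T0, "laptop-7", "10.0.0.8"),
    (T0 + timedelta(minutes=90), "laptop-7", "10.0.3.4"),
    (T0 + timedelta(minutes=170), "laptop-7", "10.0.4.2"),
    (T0, "vpn-gw", "10.9.0.1"),
    (T0 + timedelta(minutes=10), "vpn-gw", "10.9.0.2"),
    (T0 + timedelta(minutes=20), "vpn-gw", "10.9.0.3"),
]

if __name__ == "__main__":
    settings = [(3, 2), (2, 2), (3, 3), (3, 1)]  # (N1, N2 in hours)
    for n1, hours in settings:
        hits = hostnames_to_blacklist(SAMPLE_EVENTS, n1=n1,
                                      n2=timedelta(hours=hours),
                                      whitelist=["VPN-GW"])
        print(f"N1={n1} N2={hours}h -> {sorted(hits)}")
```

Replaying exported identity events through a model like this shows how many additional host names a lower N1 or a longer N2 would push onto the blacklist, and the per-host window it keeps is the data whose growth drives the memory impact noted for larger N2 values.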