Building blocks are a reusable set of rule tests that can be used within rules when
needed. Host definition building blocks (BB:HostDefinition) categorize assets and server types into
CIDR/IP ranges. By populating host definition building blocks, IBM®
QRadar® can identify the type of
appliance that belongs to an address or address range. These building blocks can then be used in
rules to exclude or include entire asset categories in rule tests.

About this task

Use server discovery to populate host definition building blocks (BB:HostDefinition). Server
discovery uses existing asset profile data so that administrators can define unknown server types
and then assign them to a server definition and the network hierarchy.

Procedure

- From the main navigation menu in the app, click Host Definitions.
- Optional: Watch tuning videos to learn more about the importance of defining host definitions, and to get tips on how to automatically populate them.
- Click Host definitions and review and update IPs and ports in BBs from the Host Definition group or check when BBs were last updated.
- Optional: To instantly refresh the rules from QRadar, click the Refresh icon. Otherwise, the app automatically updates data from the Console every 15 minutes.
- To edit IPs in reference sets in building blocks, complete the following steps:
  - Click .
  - Click a link or the pencil icon (Edit).
  - On the Edit reference set page, add an IP or select an existing IP and delete it from the reference set.
    The reference set opens in the QRadar Reference Data Management app, if the app is installed on the QRadar Console.
- To edit ports in building blocks or rules sets, complete the following steps:
  - Click .
  - Click a link or the pencil icon (Edit).
  - In the Edit ports window, edit the list of ports as needed, and click OK.
    A list accumulates the ports as you edit, displaying a star next to each update.
  - Click Save when you're done.
- To tune the findings for an individual Host Definition, click , and then follow the steps in Investigating tuning findings.
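
Because rules include or exclude whole asset categories based on these entries, it helps to check a planned set of IPs offline before you add them to a host definition reference set. The following Python sketch is an added example, not IBM or QRadar code; the category names, the addresses, and the /16 review threshold are constructed assumptions. It rejects malformed entries, flags overly broad IPv4 ranges, and reports addresses that two categories both claim.

```python
import ipaddress

# Constructed sample data: category names and addresses are illustrative only.
PLANNED = {
    "Mail Servers": ["10.10.5.0/28", "10.10.5.20"],
    "DNS Servers": ["10.10.5.8", "10.20.0.53", "10.20.0.0/8"],
    "Proxy Servers": ["192.168.1.300", "0.0.0.0/0"],
}
MIN_PREFIX = 16  # assumption: IPv4 ranges broader than /16 need manual review


def parse_entries(planned):
    """Return (valid networks per category, findings for rejected entries)."""
    nets, findings = {}, []
    for cat, entries in planned.items():
        nets[cat] = []
        for raw in entries:
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError as exc:  # bad octet, host bits set, and so on
                findings.append(("invalid", cat, raw, str(exc)))
                continue
            if net.version == 4 and net.prefixlen < MIN_PREFIX:
                findings.append(("too_broad", cat, raw, f"/{net.prefixlen}"))
                continue
            nets[cat].append(net)
    return nets, findings


def find_overlaps(nets):
    """Return ranges that two different categories both claim."""
    cats, hits = sorted(nets), []
    for i, a in enumerate(cats):
        for b in cats[i + 1:]:
            hits += [(a, str(x), b, str(y)) for x in nets[a] for y in nets[b]
                     if x.version == y.version and x.overlaps(y)]
    return hits


def categorize(ip, nets):
    """Return every category whose ranges contain ip (ideally zero or one)."""
    addr = ipaddress.ip_address(ip)
    return sorted(c for c, ns in nets.items() if any(addr in n for n in ns))


if __name__ == "__main__":
    nets, findings = parse_entries(PLANNED)
    for item in findings + find_overlaps(nets):
        print(item)
    print(categorize("10.10.5.8", nets))
```

An address that lands in two categories, or a range as wide as 0.0.0.0/0, would let a rule test that excludes one category silently exclude far more hosts than intended.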