Incoming asset data workflow
IBM® QRadar® uses identity information in an event payload to determine whether to create a new asset or update an existing asset.
Important: Asset generation from IPv6 flows is not supported.
- QRadar receives the event. The asset profiler examines the event payload for identity information.
- If the identity information includes a MAC address, a NetBIOS host name, or a DNS host name that is already associated with an asset in the asset database, then that asset is updated with any new information.
- If the only available identity information is an IP address, the system reconciles the update to the existing asset that has the same IP address.
- If an asset update has an IP address that matches an existing asset but the other identity information does not match, the system uses other information to rule out a false-positive match before the existing asset is updated.
- If the identity information does not match an existing asset in the database, then a new asset is created based on the information in the event payload.
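
The following Python model of the decision order above is an added illustration, not QRadar code. The field names (`mac`, `netbios`, `dns`, `ip`), the `AssetDB` class, and the rule used for the false-positive check are assumptions, because the page does not state which other information QRadar uses for that check.

```python
from dataclasses import dataclass, field

IDENTITY_KEYS = ("mac", "netbios", "dns")  # assumed field names, not QRadar's schema

@dataclass
class Asset:
    asset_id: int
    ip: str = ""
    identity: dict = field(default_factory=dict)

class AssetDB:
    def __init__(self):
        self.assets = []

    def reconcile(self, update):
        """Apply one identity update (a dict taken from an event payload)."""
        ids = {k: update[k] for k in IDENTITY_KEYS if update.get(k)}
        ip = update.get("ip", "")
        # A MAC, NetBIOS or DNS name already tied to an asset: update that asset.
        for asset in self.assets:
            if any(asset.identity.get(k) == v for k, v in ids.items()):
                asset.identity.update(ids)
                asset.ip = ip or asset.ip
                return "updated", asset
        same_ip = next((a for a in self.assets if ip and a.ip == ip), None)
        if same_ip is not None:
            # IP address is the only identity information: reconcile by IP.
            if not ids:
                return "updated", same_ip
            # IP matches but other identity does not. ASSUMED stand-in for the
            # false-positive check: merge only if no stored value is contradicted.
            if all(same_ip.identity.get(k, v) == v for k, v in ids.items()):
                same_ip.identity.update(ids)
                return "updated", same_ip
        # No match: create a new asset from the payload.
        asset = Asset(len(self.assets) + 1, ip, ids)
        self.assets.append(asset)
        return "created", asset

def run_sample():
    """Replay constructed updates; return (action, asset_id) per update."""
    db = AssetDB()
    updates = [  # constructed sample data
        {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
        {"ip": "10.0.0.9", "mac": "00:11:22:33:44:55", "dns": "host1.example.test"},
        {"ip": "10.0.0.9"},
        {"ip": "10.0.0.9", "mac": "66:77:88:99:aa:bb"},
    ]
    return [(action, a.asset_id) for action, a in map(db.reconcile, updates)]

if __name__ == "__main__":
    print(run_sample())
```

In the sample, the second update follows the MAC address to the existing asset even though its IP address changed, while the fourth shares an IP address with that asset but carries a contradicting MAC address, so the model creates a separate asset instead of merging.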