Prevention of asset growth deviations
After you confirm that the reported asset growth is legitimate, there are several ways to prevent IBM® QRadar® from triggering growth deviation messages for that asset.
Use the following list to help you decide how to prevent asset growth deviations:
- Understand how QRadar handles stale asset data.
- Tune the asset profiler retention settings to limit the length of time that asset data is retained.
- Tune the number of IP addresses allowed for a single asset.
- Create identity exclusion searches to exclude certain events from providing asset updates.
- Tune the Asset Reconciliation Exclusion rules to refine the definition of deviating asset growth.
- Create asset allowlists to prevent data from reappearing on the asset blocklists.
- Modify the entries on the asset blocklists and asset allowlists.
- Ensure that your DSMs are up to date. QRadar provides a weekly automatic update that might contain DSM updates and corrections to parsing issues.