IBM Support

QRadar: Identity and how log source events update the Assets tab

Question & Answer


Question

How do log source events and flow data affect identity in QRadar SIEM?

Answer

Assets and asset profiles created for servers and hosts in your network provide important information to assist with security investigations. Networks, servers, and individual hosts within the network can be complicated. The ability to collect data and view information about an asset is the purpose of the Assets tab. The goal is to connect offenses triggered in your system to physical or virtual assets to provide a starting point in a security investigation. Asset data is helpful to identify threats and monitor asset exposure to security incidents.
 

How is the data in the Asset tab populated?
The Assets tab in QRadar is intended to provide a unified view of the information known about your assets. As QRadar discovers more information, the system updates the asset profile, and incrementally builds a complete picture about your asset.


Asset profiles are built dynamically and the information is based on:

  1. Data that QRadar absorbs passively from the network about assets.

    Flow data
    The purpose of flow data is to provide administrators visibility on how systems are communicating on the network. Flows provide detailed information about network activity and allow QRadar to build a passive database on assets, ports, protocols, direction, applications, number of packets, bytes transferred, and even an index of the source and destination payload. QRadar can identify new assets from flow data passively collected in the Network Activity tab and use that data to create new assets.

    Event data
    Event data can be thought of as data that QRadar collects from outside devices: events streamed to QRadar by firewalls, intrusion systems, antivirus systems, operating systems, email servers, authentication systems, databases, or any appliance or software that creates a notification. QRadar supports event data from over 400 different log sources and uses device support modules (DSMs) to understand and categorize the events from each log source. Log sources that generate identity contribute to building asset profiles in QRadar. To determine which log sources generate identity, see the appendix of the DSM Configuration Guide, which provides administrators with a list of the log sources that include identity in their events.

  2. Data that QRadar actively seeks out about assets.

    Vulnerability and port information is collected from vulnerability assessment scanners that are responsible for evaluating network assets.

  3. Information that is manually entered by users from the Assets tab.

Users have two methods to manually update the asset profile with information:
  • Comma-separated value (CSV) file import.
    QRadar supports the ability to import CSV files that contain asset information. Asset imports let users update the asset profile and merge the information from the CSV file with the information QRadar already holds about the asset. CSV import files contain the IP address, asset name, weight (0 - 10, from not important to very important), and a description.
  • Manually editing the information in an asset.
    Users can review an asset and manually enter information known about it.
 

How is asset information different from previous versions of QRadar?
In QRadar, assets are no longer dependent on an IP address to be updated, as asset updates can key off identity information from an IP address, DNS name, NetBIOS name, or MAC address. The ability to create assets from more types of information allows assets to update the data models in smarter ways with more flexible data. Detailed asset profiles are built by appending data to the asset profile keyed on the IP address, the DNS name, or the NetBIOS name, together with the associated data from the event or flow, so that the information about the asset stays relevant when a security issue occurs.

The asset model in QRadar processes both login and logout identity events to help clarify how the asset is used. The asset model displays the user name with the asset when the login identity event occurs. When the user logs out, QRadar collects the logout identity event and updates the asset to show that the user has logged out and is no longer associated with the asset. The ability to keep asset information current as things change can be critical. This is especially important in complicated networks where users constantly move between networks, for example by unplugging from a wired Ethernet NIC and reconnecting over a Wi-Fi connection. The ability to collect and view relevant data on how assets are used is an important step in resolving security issues.
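The following Python model is added here as an illustration of the behaviour described in the CSV import section and in the two paragraphs above; it is not QRadar's own asset reconciliation code or data format. It shows an asset store that can be matched on any of the four identity keys (IP address, DNS name, NetBIOS name, MAC address), a CSV import that validates the 0 - 10 weight and merges into an existing asset, and login/logout identity events that attach and detach a user. The event field names (`category`, `user`, `dns_name`, `netbios_name`, `mac`, `time`) and all sample data are constructed for this example.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified model of how identity-bearing events and CSV imports
# update an asset profile. Illustration only, not QRadar's own implementation.

IDENTITY_KEYS = ("ip", "dns_name", "netbios_name", "mac")


@dataclass
class Asset:
    ip: Optional[str] = None
    dns_name: Optional[str] = None
    netbios_name: Optional[str] = None
    mac: Optional[str] = None
    name: str = ""
    weight: int = 0                 # 0 (not important) .. 10 (very important)
    description: str = ""
    user: Optional[str] = None      # user currently associated with the asset
    last_seen: Optional[str] = None


class AssetModel:
    def __init__(self) -> None:
        self.assets: List[Asset] = []

    def find(self, **identifiers) -> Optional[Asset]:
        """Locate an asset by any identity key, not only its IP address."""
        for asset in self.assets:
            for key in IDENTITY_KEYS:
                value = identifiers.get(key)
                if value and getattr(asset, key) == value:
                    return asset
        return None

    def find_or_create(self, **identifiers) -> Asset:
        asset = self.find(**identifiers)
        if asset is None:
            asset = Asset()
            self.assets.append(asset)
        # Append identifiers the profile did not have yet (incremental build-up).
        for key in IDENTITY_KEYS:
            if identifiers.get(key) and getattr(asset, key) is None:
                setattr(asset, key, identifiers[key])
        return asset

    def process_identity_event(self, event: dict) -> Asset:
        """Apply one login/logout identity event (constructed dict layout)."""
        identifiers = {k: event.get(k) for k in IDENTITY_KEYS}
        asset = self.find_or_create(**identifiers)
        asset.last_seen = event.get("time")
        if event["category"] == "login":
            asset.user = event.get("user")
        elif event["category"] == "logout":
            # Detach only if the logging-out user is the one recorded on the asset.
            if asset.user == event.get("user"):
                asset.user = None
        return asset

    def import_csv(self, text: str) -> int:
        """Merge rows of ip,name,weight,description into existing assets."""
        count = 0
        for row in csv.DictReader(io.StringIO(text)):
            weight = int(row["weight"])
            if not 0 <= weight <= 10:
                raise ValueError(f"weight out of range for {row['ip']}: {weight}")
            asset = self.find_or_create(ip=row["ip"])
            asset.name = row["name"] or asset.name
            asset.weight = weight
            asset.description = row["description"] or asset.description
            count += 1
        return count


# Constructed sample input: one CSV row and four identity events.
SAMPLE_CSV = "ip,name,weight,description\n10.0.0.5,fileserver01,8,Finance file share\n"

SAMPLE_EVENTS = [
    {"category": "login", "user": "alice", "ip": "10.0.0.5",
     "dns_name": "fileserver01.corp.example", "time": "09:00"},
    {"category": "login", "user": "alice", "mac": "00:11:22:33:44:55",
     "netbios_name": "WS-ALICE", "time": "09:05"},
    # Same workstation after moving to Wi-Fi: new IP, same MAC address.
    {"category": "login", "user": "alice", "ip": "10.0.0.42",
     "mac": "00:11:22:33:44:55", "time": "09:30"},
    {"category": "logout", "user": "alice", "ip": "10.0.0.5", "time": "17:00"},
]


def build_sample_model() -> AssetModel:
    model = AssetModel()
    model.import_csv(SAMPLE_CSV)
    for event in SAMPLE_EVENTS:
        model.process_identity_event(event)
    return model


if __name__ == "__main__":
    for asset in build_sample_model().assets:
        print(asset)
```

Running `build_sample_model()` produces two assets: the file server imported from CSV, which also gains a DNS name from the first login and loses its user on the logout event, and the workstation, which keeps a single profile when the user moves to a new IP address because the MAC address still matches.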


Document Information

Modified date: 26 July 2023

UID: swg21649934