IBM Support

QRadar: How to use custom properties to locate asset changes

Troubleshooting


Problem

Using a Custom Event Property (CEP) together with the events from the Asset Profiler-2 DSM, you can track the changes made to an asset profile and find out what data caused each change.

Resolving The Problem

Overview

When investigating assets, it can be important to determine how an asset was created or updated in QRadar. All asset changes and updates are logged by the "Asset Profiler-2" device support module (DSM). This is an internal DSM: its events do not count toward your event license, and it parses events that describe asset profile changes in QRadar. The Asset Profiler log source can be used to investigate why an asset change was made and where the data came from. The details of an Asset Profiler event allow you to determine whether an asset change came from an identity event, a vulnerability scan, flow data, or from a QRadar user adding or editing the asset manually. This article explains how to run searches in QRadar to determine why a new asset was added or what data contributed to an asset update.

Creating a Custom Event Property (CEP) to search for Asset Details

By creating a Custom Event Property called AssetId, you can simplify searching for asset details in the audit logs. To do this, use these steps.

  1. Click the Log Activity tab.
  2. Click Add Filter.
  3. In the search parameters, select Parameter: Payload Contains > Operator: is > Value: assetId.
  4. Click Add Filter.
  5. From the search results, pause the Log Activity screen and double-click an event to open the Event Details.
  6. Click Extract Property.
  7. In the Property Type field, select Extraction based.
  8. In the Property Definition field, select New Property.
  9. Type AssetId as the name of the new property.
  10. In the Property Expression Definition:
    • From the Log Source Type list, select Asset Profiler.
    • From the Log Source list, select Asset Profiler-2.
    • For Category, leave High Level Category and Low Level Category set to any.
    • In the RegEx field, type: assetId=(\d+)\s+
      The capture group (\d+) returns the numeric asset ID. The expression matches the assetId attribute only, not the separate id attribute of the interface that appears in the same payload.
    • Select the Enabled check box.
  11. Click Save.

Asset creation and update times

When you have an asset whose origin you want to find, open its asset summary screen to see the details of the asset. The important values to note are the Last Seen and Created times, if they are available, because they define the time range you will search.

Note: The search can use either the ID of the asset or the ID of one of its interfaces.

Searching for Asset Creation details

When you know the asset ID and the times of interest, use the Log Activity tab to search for details on how the asset was created or updated. To search for the asset, use this procedure.

  1. Click the Log Activity tab.
  2. Click Add Filter.
  3. Select Parameter: Log Source [Indexed] > Operator: Equals > Log Source: Asset Profiler-2 ::
  4. Click Add Filter to add it to the Current Filters.
  5. In QRadar 7.3.x, click Search to display the results. In QRadar 7.2.x, click Filter to display the search results.
  6. Click Add Filter again and select Parameter: AssetId (custom) > Operator: Equals any of > Value: the asset ID number > click (+) > Add Filter.
  7. From the View drop-down menu, choose a time interval that covers the Created or Last Seen time of the asset.

Digging into the details

Next, examine the details of the Asset Profiler event. The sample event below contains the fields described in the table that follows it.

Jun 14 10:16:49 127.0.0.1 [com.q1labs.assetprofile.changelistener.impl.audit.AuditChangeListenerThread] com.q1labs.assetprofile.changelistener.impl.audit.AuditChangeListener: [INFO] LEEF:1.4|QRadar|AssetProfiler|7.0|IPADDRESS_UPDATED|assetId=1007 domainId=0 action=UPDATED id=1005 isuservalueNew=false interfaceIdNew=1005 interfaceIdOld=1005 ipv4addressNew=192.168.0.30 ipv4addressOld=192.168.0.30 ipaddressNew=192.168.0.30 netIdNew=23 ipVersion=IPV4 causedBy=HOST_PROFILER:QRadar731.ibm.com (192.168.0.30) auditDate=1528985806610

Field Details

  assetId    The ID of the asset that was created or updated.

  action     The action field can have two possible values: Created (a new asset or new asset details) and Upsert/Updated (new or updated details on an existing asset).

  causedBy   Indicates what type of data caused the change. In the sample the value is HOST_PROFILER:QRadar731.ibm.com (192.168.0.30): a source type, a colon, then the identity of the source. The source types are:
             PROFILER - A flow was seen for the asset that contained new information.
             SCANNER - A scan report from a vulnerability scanner contained new or updated asset information.
             USER - A user with access to the Assets tab entered or edited the asset manually.
             IDENTITY - An event with Identity = true was seen, and the asset profile was updated with information from that event's payload. Administrators can filter for identity events from the Log Activity tab with Has Identity = True.

  auditDate  Unix epoch time in milliseconds at which the data that triggered the asset creation or update was seen, that is, when the flow, identity event, user action, or scan data caused the change. It is not the time the audit event was written.

In the example, the syslog header shows that the Asset Profiler wrote the audit event at 10:16:49 on June 14, 2018 (Console local time), but if you convert auditDate (1528985806610) to a human-readable form you get June 14, 2018 10:16:46.610 AM GMT-04:00 DST (14:16:46.610 UTC). Notice the difference: the Asset Profiler was busy and fell a little behind, so the update was processed about 3 seconds after the triggering data was seen. When you later search for the triggering event, centre the time window on auditDate, not on the time the audit event was logged.
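The following Python script is an added example, not IBM's or QRadar's code. It parses the audit line above, applies the same assetId regular expression that the custom property uses, splits causedBy into its source type and detail, converts auditDate to Console local time, computes the lag between auditDate and the syslog header time, and derives the 5 minute search window around auditDate. Only the first sample line comes from this article; the second sample line (a HOSTNAME_CREATED event with an IDENTITY source), the GMT-04:00 Console time zone, and the HOST_PROFILER/SCANNER/USER/IDENTITY source names in the comments are assumptions for illustration.

```python
# Parse QRadar Asset Profiler-2 audit lines: when was an asset changed, and why?
# Added example; not IBM or QRadar code.
import re
from datetime import datetime, timedelta, timezone

# Constructed input.  SAMPLE_LINES[0] is the audit line quoted in this article,
# joined onto one line; SAMPLE_LINES[1] is modelled on it to show a CREATED
# action with an IDENTITY source and is NOT a real QRadar event.
SAMPLE_LINES = [
    "Jun 14 10:16:49 127.0.0.1 "
    "[com.q1labs.assetprofile.changelistener.impl.audit.AuditChangeListenerThread] "
    "com.q1labs.assetprofile.changelistener.impl.audit.AuditChangeListener: [INFO] "
    "LEEF:1.4|QRadar|AssetProfiler|7.0|IPADDRESS_UPDATED|assetId=1007 domainId=0 "
    "action=UPDATED id=1005 isuservalueNew=false interfaceIdNew=1005 "
    "interfaceIdOld=1005 ipv4addressNew=192.168.0.30 ipv4addressOld=192.168.0.30 "
    "ipaddressNew=192.168.0.30 netIdNew=23 ipVersion=IPV4 "
    "causedBy=HOST_PROFILER:QRadar731.ibm.com (192.168.0.30) auditDate=1528985806610",
    "Jun 14 10:12:03 127.0.0.1 AuditChangeListener: [INFO] LEEF:1.4|QRadar|"
    "AssetProfiler|7.0|HOSTNAME_CREATED|assetId=1007 domainId=0 action=CREATED "
    "hostnameNew=QRADAR731 causedBy=IDENTITY:192.168.0.30 auditDate=1528985523000",
]
# Assumption: the Console stamping the syslog header runs in GMT-04:00, as in
# the article's conversion.  Set this to your Console's time zone.
CONSOLE_TZ = timezone(timedelta(hours=-4))
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# The article's regex for the AssetId custom property.  It anchors on
# "assetId=", so the separate "id=1005" attribute is never picked up.
ASSET_ID_RE = re.compile(r"assetId=(\d+)\s+")
SYSLOG_STAMP_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
LEEF_RE = re.compile(r"LEEF:[^|]*\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
                     r"[^|]*\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$")
# key=value pairs separated by whitespace.  A value runs until the next
# " key=", so causedBy=... (192.168.0.30), which contains a space, survives.
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def cep_asset_id(line):
    """What the AssetId custom property extracts from a payload, or None."""
    m = ASSET_ID_RE.search(line)
    return int(m.group(1)) if m else None


def parse_audit_line(line):
    """Header fields, attributes and timestamps of one Asset Profiler event."""
    m = LEEF_RE.search(line)
    h = SYSLOG_STAMP_RE.match(line)
    if not m or not h or m.group("product") != "AssetProfiler":
        raise ValueError("not an Asset Profiler LEEF audit line")
    attrs = dict(ATTR_RE.findall(m.group("attrs")))
    if "assetId" not in attrs or "auditDate" not in attrs:
        raise ValueError("assetId or auditDate missing from payload")
    # auditDate: when the triggering flow, event, scan or user action was seen.
    audit_utc = EPOCH + timedelta(milliseconds=int(attrs["auditDate"]))
    # Syslog header: when the audit event was written.  It has no year, so the
    # year is borrowed from auditDate (assumption).
    logged = datetime.strptime(f"{audit_utc.year} {h.group(1)}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=CONSOLE_TZ)
    source_type, _, source_detail = attrs.get("causedBy", "").partition(":")
    return {
        "event_id": m.group("event_id"),
        "asset_id": int(attrs["assetId"]),
        "action": attrs.get("action"),
        "source_type": source_type,      # HOST_PROFILER, SCANNER, USER, IDENTITY...
        "source_detail": source_detail,  # which host, scanner or user
        "audit_utc": audit_utc,
        "audit_local": audit_utc.astimezone(CONSOLE_TZ),
        "logged_local": logged,
        "processing_lag": logged - audit_utc,
        "attrs": attrs,
    }


def field_changes(attrs):
    """Map each *New attribute to (old, new); old is None when only a new
    value is reported, as for ipaddressNew and netIdNew in the sample."""
    return {k[:-3]: (attrs.get(k[:-3] + "Old"), v)
            for k, v in attrs.items() if k.endswith("New")}


def search_window(event, minutes=5):
    """Specific Interval bounds centred on auditDate (the article suggests a
    5 minute window), in Console local time."""
    half = timedelta(minutes=minutes) / 2
    return event["audit_local"] - half, event["audit_local"] + half


def asset_timeline(lines, asset_id):
    """Audit events for one asset, oldest first: the AssetId custom property
    filter applied to raw payloads."""
    events = [parse_audit_line(ln) for ln in lines if cep_asset_id(ln) == asset_id]
    return sorted(events, key=lambda e: e["audit_utc"])


if __name__ == "__main__":
    for ev in asset_timeline(SAMPLE_LINES, 1007):
        start, end = search_window(ev)
        print(f"{ev['audit_local']:%Y-%m-%d %H:%M:%S.%f} {ev['event_id']:<17} "
              f"{ev['action']:<7} causedBy={ev['source_type']} ({ev['source_detail']}) "
              f"lag={ev['processing_lag'].total_seconds():.3f}s "
              f"search {start:%H:%M:%S} to {end:%H:%M:%S}")
```

For the article's sample line the script reports asset 1007 updated by HOST_PROFILER with a processing lag of 2.390 seconds (the syslog header has only one-second resolution, which is why the article rounds it to about 3 seconds) and a search window of 10:14:16 to 10:19:16 Console local time. Two points worth noticing: asset_timeline(SAMPLE_LINES, 1005) returns nothing, because the custom property's regex matches assetId and not the interface id, and field_changes shows that the sample event re-asserted an unchanged IP address (ipv4addressOld equals ipv4addressNew), so an UPDATED action does not always mean a value changed.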

Now you know when the update occurred and what caused it.

Event Search

If the update was caused by IDENTITY, you need to find the event that caused it. Run a Log Activity search with the following criteria:

  • Centre the time period of the search on the auditDate time. Be mindful of time zones: auditDate is epoch time (UTC), while the Log Activity tab displays Console local time.
  • Filter by the kind of update the Asset Profiler event reported, for example Hostname Created, Interface Created, or IP Address Created.
  • Filter on Identity IP, Identity MAC address, or Identity Hostname/Identity NetBIOS name, based on the asset details that changed.
  • Add Has Identity = True. If, for example, the search returns six events with the same NetBIOS name but different MAC addresses, that explains why the asset carries all of those MAC addresses.

Searching for details on updates to the Asset Database

Next, look for the updates to the asset database that created this mapping. The update could have happened a long time ago, but it might also be happening now. To check, perform this search:

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. Click Add Filter from the menu bar.
  4. Select Parameter: Log Source [Indexed] > Operator: Equals > Value: "Asset Profiler-2 :: "
  5. Click Add Filter.
  6. From the menu bar, click Add Filter again.
  7. Select Parameter: Payload Contains > Operator: is > Value: the hostname of the system.
  8. Click Add Filter.
  9. From the View drop-down, select Last 3 days.
  10. If events are reported:
    1. Click the Log Activity tab.
    2. Click Actions > Export to XML > Full Export (All Columns).

Note: If there are no events, try a longer time period.

If you cannot find any events, then:

  1. Click the Assets tab.
  2. Select the asset you need to investigate.
  3. Click Actions > Delete Asset.
  4. If the asset returns with a questionable value, re-run the search above to find when it was created. Deleting the asset removes its profile from the asset database; if the data source that populated it is still active, the asset is re-created and the new Asset Profiler events show its origin.

Searching for the event

From that export, we can see that the hostname was updated. The event is identified by:

  • "Event Name": "Hostname Created"
  • "Low Level Category": "Asset Hostname Created"
  • "Source IP": "127.0.0.1"
  • "Destination IP": "127.0.0.1"
  • In the event details, "QID": "68750002"
  • In the payload, an attribute of the form hostnameNew=<HOSTNAME>.

First, find the Asset Profiler event of interest again, this time with a Specific Interval search, to make sure you are looking at the right time range.

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. Click Search > New Search.
  4. Scroll down to Time Range and select Specific Interval.
  5. Pick a suitable Start Time and End Time around the Asset Profiler message found before. Try a 5 minute window centred on its auditDate time.
  6. Scroll down to Search Parameters and add the following filters:
  7. Select Parameter: Log Source [Indexed] > Operator: Equals > Value: Asset Profiler-2
  8. Click Add Filter to add it to the Current Filters.
  9. Return to Search Parameters.
  10. Select Parameter: Payload Contains > Operator: is > Value: the hostname of the system.
  11. Click Add Filter to add it to the Current Filters.
  12. Run the search:
    1. In QRadar 7.3.x, click Search to display the search results.
    2. In QRadar 7.2.x, click Filter to display the search results.
  13. Confirm that the Asset Profiler event found before is displayed.

Now that we are sure we are looking at the right time range, let's find the event which triggered the Asset Profiler update.

Finding the event which triggered the Asset Profiler update

Using the previous search:

  1. From the menu bar, click Search > Edit Search.
  2. Scroll down to Search Parameters.
  3. Highlight "Log Source is Asset Profiler-2 ::" and click Remove Selected Filters.
  4. Highlight "Payload Contains is <HOSTNAME>" and click Remove Selected Filters.
  5. Select Parameter: Has Identity [Indexed] > Operator: Equals > Value: True.
  6. Click Add Filter to add it to the Current Filters.
  7. Run the search:
    1. In QRadar 7.3.x, click Search to display the search results.
    2. In QRadar 7.2.x, click Filter to display the search results.

Note: If too many results are returned, add another filter to the search to include the hostname.
For example: Identity Net Bios Name > Equals any of > {your hostname}.

When the event (or events) appears in the results, export it as a full XML export.

To do this:

  1. Click Log Activity tab.
  2. Click Actions > Export to XML > Full Export (All Columns).

Results: You now have a procedure to investigate assets.

Document Location

Worldwide

Product: IBM Security QRadar SIEM (SSBQAC)
Business Unit: IBM Software w/o TPS (BU059)
Component: Assets
Platform: Linux
Version: 7.3.1; 7.3; 7.2.8; 7.2
Line of Business: Security Software (LOB24)

Document Information

Modified date:
01 March 2021

UID

swg22017372