Clean Up Asset Data After Growth Deviations
JSA uses the asset model to connect offenses in your deployment to physical or virtual assets in your network. The ability to collect and view relevant data on how assets are used is an important step in resolving security issues. It is important to maintain the asset database to ensure that the data is current and accurate.
Whether you fix the source of the problem or block the asset updates, you must then clean up the asset database by removing the invalid asset data and removing the asset blacklist entries.
Deleting Invalid Assets
After you fix the assets that contributed to the asset growth deviation, clean up your asset artifacts by using selective clean up or rebuilding the asset database.
Selective clean up--This method is for asset growth deviations of limited scope. Selectively removing the affected assets is the least invasive way to clean up asset artifacts, but if many assets were affected, it can also be the most tedious.
Rebuild the asset database--Rebuilding the asset database from scratch is the most efficient and precise method of deleting assets when asset growth deviations are pervasive.
This method passively regenerates assets in your database based on the new tuning that you configured to resolve the asset growth issues. With this approach, all scan results and residual asset data are lost, but the data can be reclaimed by rerunning a scan or re-importing scan results.
To selectively remove invalid artifacts in the asset database, perform these steps:
On the Log Activity tab, run the Deviating Asset Growth: Asset Report event search.
This search returns a report of assets that are affected by deviating asset growth and must be deleted.
On the Assets tab, select the affected assets and click Actions > Delete Asset.
There might be a delay before the asset no longer appears in JSA.
To rebuild the asset database from scratch, perform these steps:
Use SSH to log in to the JSA console as an administrator.
Run the /opt/qradar/support/cleanAssetModel.sh script from the console command line and select Option 1 when prompted.
Rebuilding the asset database restarts the asset reconciliation engine.
Deleting Blacklist Entries
After you fix the cause of the blacklist entries, you must clean up the remnant entries. You can remove the individual blacklist entries, but it is better to purge all blacklist entries and allow the blacklist values that are unrelated to the asset growth deviation to regenerate.
To purge a blacklist by using the JSA Console:
On the navigation menu, click Admin.
In the System Configuration section, click Reference Set Management.
Select a reference set and then click Delete.
Use the quick search text box to search for the reference sets that you want to delete, and then click Delete Listed.
To purge a blacklist by using the JSA console command-line interface:
Change directory to /opt/qradar/bin.
Run the following command:
./ReferenceDataUtil.sh purge "Reference Collection Name"
where Reference Collection Name is one of the following lists:
Asset Reconciliation NetBIOS Blacklist
Asset Reconciliation DNS Blacklist
Asset Reconciliation IPv4 Blacklist
Asset Reconciliation MAC Blacklist
Purging a blacklist removes all blacklist entries, including those entries that were added manually. Blacklist entries that were manually added must be added again.
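Because the four reconciliation blacklists are normally purged together, the command above is usually run four times in a row. The following script is an added example (it is not part of the JSA documentation or the product) that wraps those four purges in one function and reports which purges failed, so that manually added entries are only re-created once every purge has actually succeeded. It assumes the utility path given on this page, /opt/qradar/bin/ReferenceDataUtil.sh; the REFDATA_UTIL variable and the --purge / --dry-run arguments are conventions of this example only.

```shell
#!/bin/sh
# Added example, not JSA's own tooling: purge all four asset reconciliation
# blacklists in one pass instead of typing the purge command for each one.
set -u

# Path assumed from the documentation; override REFDATA_UTIL (for example
# with "echo") to preview the commands without purging anything.
REFDATA_UTIL="${REFDATA_UTIL:-/opt/qradar/bin/ReferenceDataUtil.sh}"

# Purge every reconciliation blacklist named on the page. Progress goes to
# stderr; the return value is the number of purges that failed (0 = all good),
# so a caller can decide whether it is safe to re-add manual entries yet.
purge_asset_reconciliation_blacklists() {
    failures=0
    for name in \
        "Asset Reconciliation NetBIOS Blacklist" \
        "Asset Reconciliation DNS Blacklist" \
        "Asset Reconciliation IPv4 Blacklist" \
        "Asset Reconciliation MAC Blacklist"; do
        if "$REFDATA_UTIL" purge "$name"; then
            echo "purged: $name" >&2
        else
            echo "FAILED: $name" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use: "./purge_blacklists.sh --dry-run" prints the four commands,
# "./purge_blacklists.sh --purge" runs them. With no argument nothing happens.
case "${1:-}" in
    --purge)   purge_asset_reconciliation_blacklists ;;
    --dry-run) REFDATA_UTIL=echo; purge_asset_reconciliation_blacklists ;;
esac
```

Run it with --dry-run first to confirm the exact reference set names it will pass to ReferenceDataUtil.sh; a non-zero exit status after --purge means at least one list still holds entries and should be purged again before manual entries are restored.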