Clean Up Asset Data After Growth Deviations
JSA uses the asset model to connect offenses in your deployment to physical or virtual assets in your network. The ability to collect and view relevant data on how assets are used is an important step in resolving security issues. It is important to maintain the asset database to ensure that the data is current and accurate.
Whether you fix the source of the problem or block the asset updates, you must clean up the asset database by removing the invalid asset data and removing the asset blocklist entries.
Deleting Invalid Assets
After you fix the assets that contributed to the asset growth deviation, clean up your asset artifacts either by using selective clean up or by rebuilding the asset database.
Selective clean up--This method is for asset growth deviations of limited scope. Selectively removing the affected assets is the least invasive way to clean up asset artifacts, but if many assets were affected, it can also be the most tedious.
Rebuild the asset database--Rebuilding the asset database from scratch is the most efficient and precise method of deleting assets when asset growth deviations are pervasive.
This method passively regenerates assets in your database based on the new tuning that you configured to resolve the asset growth issues. With this approach, all scan results and residual asset data are lost, but the data can be reclaimed by rerunning a scan or re-importing scan results.
To selectively remove invalid artifacts in the asset database, perform these steps:
On the Log Activity tab, run the Deviating Asset Growth: Asset Report event search.
This search returns a report of assets that are affected by deviating asset growth and must be deleted.
On the Assets tab, click Actions > Delete Asset.
There might be a delay before the asset no longer appears in JSA.
To rebuild the asset database from scratch, perform these steps:
Use SSH to log in to the JSA console as an administrator.
Run the /opt/qradar/support/cleanAssetModel.sh script from the console command line and select Option 1 when prompted.
Rebuilding the asset database restarts the asset reconciliation engine.
Purging a blocklist removes all blocklist entries, including those entries that were added manually. Blocklist entries that were manually added must be added again.
Deleting Blacklist Entries
After you fix the cause of the blacklist entries, you must clean up the remnant entries. You can remove the individual blacklist entries; however, it is better to purge all blacklist entries and allow the blacklist values that are unrelated to the asset growth deviation to regenerate.
To purge a blacklist by using the JSA Console:
On the navigation menu, click Admin.
In the System Configuration section, click Reference Set Management.
Select a reference set and then click Delete.
Use the quick search text box to search for the reference sets that you want to delete, and then click Delete Listed.
To purge a blacklist by using the JSA console command-line interface:
Change directory to /opt/qradar/bin.
Run the following command.
./ReferenceDataUtil.sh purge "Reference Collection Name"
where Reference Collection Name is one of the following lists:
Asset Reconciliation NetBIOS Blacklist
Asset Reconciliation DNS Blacklist
Asset Reconciliation IPv4 Blacklist
Asset Reconciliation MAC Blacklist
Purging a blacklist removes all blacklist entries, including those entries that were added manually. Blacklist entries that were manually added must be added again.
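The command-line purge above, wrapped so that each list's contents are saved before it is purged and manually added entries can be identified and re-added afterwards. This is an added example, not part of the JSA documentation or tooling; the function name, the REFDATA_UTIL variable, the snapshot file names, and the use of the utility's list ... displayContents output as a snapshot are assumptions.

```sh
#!/bin/sh
# Added example (not JSA tooling): snapshot, then purge, the four asset
# reconciliation blacklists named in the procedure above.
# REFDATA_UTIL can be overridden, e.g. to point at a stub for a rehearsal.
REFDATA_UTIL="${REFDATA_UTIL:-/opt/qradar/bin/ReferenceDataUtil.sh}"

# purge_asset_blacklists BACKUP_DIR [--commit]
# Without --commit the lists are only snapshotted; nothing is purged.
# Returns 0 if every list was handled, 1 if any snapshot or purge failed.
purge_asset_blacklists() {
  backup_dir=$1
  mode=${2:-}
  rc=0
  mkdir -p "$backup_dir" || return 1
  for kind in NetBIOS DNS IPv4 MAC; do
    name="Asset Reconciliation $kind Blacklist"
    file="$backup_dir/$kind-blacklist.txt"
    # Never overwrite an earlier snapshot: after a purge the list is empty,
    # and a rerun would replace the only copy of the old entries.
    if [ -e "$file" ]; then
      echo "snapshot exists, skipping: $file" >&2
      rc=1
      continue
    fi
    # Assumption: 'list <name> displayContents' prints the current entries.
    if ! "$REFDATA_UTIL" list "$name" displayContents > "$file"; then
      echo "snapshot failed, not purging: $name" >&2
      rm -f "$file"
      rc=1
      continue
    fi
    if [ "$mode" = "--commit" ]; then
      "$REFDATA_UTIL" purge "$name" || { echo "purge failed: $name" >&2; rc=1; }
    else
      echo "dry run: would purge '$name' (snapshot: $file)"
    fi
  done
  return "$rc"
}

# When run as a script: ./script.sh BACKUP_DIR [--commit]
if [ "$#" -gt 0 ]; then
  purge_asset_blacklists "$@"
fi
```

Run it once without --commit and review the snapshot files, then run it with --commit against a new, empty backup directory.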