Updates to Asset Data

JSA uses identity information in an event payload to determine whether to create a new asset or update an existing asset.

Each asset update must contain trusted information about a single asset. When JSA receives an asset update, the system determines which asset the update applies to.

Asset reconciliation is the process of determining the relationship between asset updates and the related asset in the asset database. Asset reconciliation occurs after JSA receives the update but before the information is written to the asset database.

Identity Information

Every asset must contain at least one piece of identity data. Subsequent updates that contain one or more pieces of that same identity data are reconciled with the asset that owns that data. Updates that are based on IP addresses are handled carefully to avoid false-positive asset matches. False positive asset matches occur when one physical asset is assigned ownership of an IP address that was previously owned by another asset in the system.

When multiple pieces of identity data are provided, the asset profiler prioritizes the information from the most deterministic to the least in the following order:

  • MAC address

  • NetBIOS host name

  • DNS host name

  • IP address

MAC addresses, NetBIOS host names, and DNS host names are unique and are therefore considered definitive identity data. Incoming updates that match an existing asset only by IP address are handled differently from updates that match more definitive identity data.

Asset Reconciliation Exclusion Rules

With each asset update that enters JSA, the asset reconciliation exclusion rules apply tests to the MAC address, NetBIOS host name, DNS host name, and IP address in the asset update.

By default, each piece of asset data is tracked over a two-hour period. If any one piece of identity data in the asset update exhibits suspicious behavior two or more times within 2 hours, that piece of data is added to the asset blacklists. Each type of identity data that is tested results in its own blacklist.

Tip: JSA excludes events based on data that is received in the event, not on any data that is later inferred or linked to the event.

In domain-aware environments, the asset reconciliation exclusion rules track the behavior of asset data separately for each domain.

The asset reconciliation exclusion rules test the following scenarios:

Table 1: Rule Tests and Responses (each scenario applies when the association is observed in 2 hours or less)

Identity data in the update   Associated with three or more different...   Rule response
---------------------------   ------------------------------------------   ---------------------------------------------------------------------------
MAC address                   IP addresses                                 Add the MAC address to the Asset Reconciliation Domain MAC blacklist
DNS host name                 IP addresses                                 Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
NetBIOS host name             IP addresses                                 Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
IPv4 address                  MAC addresses                                Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
NetBIOS host name             MAC addresses                                Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
DNS host name                 MAC addresses                                Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
IPv4 address                  DNS host names                               Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
NetBIOS host name             DNS host names                               Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist
MAC address                   DNS host names                               Add the MAC address to the Asset Reconciliation Domain MAC blacklist
IPv4 address                  NetBIOS host names                           Add the IP address to the Asset Reconciliation Domain IPv4 blacklist
DNS host name                 NetBIOS host names                           Add the DNS host name to the Asset Reconciliation Domain DNS blacklist
MAC address                   NetBIOS host names                           Add the MAC address to the Asset Reconciliation Domain MAC blacklist

You can view these rules on the Offenses tab by clicking Rules and then selecting the asset reconciliation exclusion group in the drop-down list.
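As an added example that is not JSA's own code, the following Python models the exclusion-rule tests in Table 1 together with the 2-hour tracking period described above: for each domain, it keeps a sliding window of the other identity values seen with every piece of identity data and blacklists that data once three different values appear within 2 hours. The class name, the update format and the sample updates are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ID_TYPES = ("mac", "netbios", "dns", "ip")   # identity data the rules test
WINDOW = timedelta(hours=2)                  # default tracking period
THRESHOLD = 3                                # "three or more different ..."

class ExclusionRuleTracker:
    """Hypothetical model of the asset reconciliation exclusion rules.
    For every (domain, identity type, value) it keeps the values of each
    other identity type seen with it in the last 2 hours; reaching three
    distinct values adds the identity value to that type's blacklist."""

    def __init__(self):
        # (domain, id_type, value) -> other_type -> deque[(timestamp, other_value)]
        self._seen = defaultdict(lambda: defaultdict(deque))
        self.blacklists = defaultdict(set)   # (domain, id_type) -> {values}

    def update(self, domain, ts, **identity):
        """Apply one asset update carrying any of mac/netbios/dns/ip."""
        fields = {k: v for k, v in identity.items() if k in ID_TYPES and v}
        for id_type, value in fields.items():
            for other_type, other_value in fields.items():
                if other_type == id_type:
                    continue
                q = self._seen[(domain, id_type, value)][other_type]
                q.append((ts, other_value))
                while q and ts - q[0][0] > WINDOW:   # expire old observations
                    q.popleft()
                if len({v for _, v in q}) >= THRESHOLD:
                    self.blacklists[(domain, id_type)].add(value)

    def is_blacklisted(self, domain, id_type, value):
        return value in self.blacklists[(domain, id_type)]

def demo():
    """Constructed updates: one MAC hops across three IPs in 40 minutes
    (blacklisted), another sees three IPs three hours apart (not blacklisted)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    tr = ExclusionRuleTracker()
    for i, ip in enumerate(("10.0.0.5", "10.0.0.6", "10.0.0.7")):
        tr.update("Default", t0 + timedelta(minutes=20 * i),
                  mac="00:11:22:33:44:55", ip=ip)
    for i, ip in enumerate(("10.0.1.5", "10.0.1.6", "10.0.1.7")):
        tr.update("Default", t0 + timedelta(hours=3 * i),
                  mac="66:77:88:99:aa:bb", ip=ip)
    return tr
```

Because the window is kept per domain, the same MAC address seen in a different domain starts with an empty history, matching the domain-aware behaviour described above.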

Asset Merging

Asset merging is the process where the information for one asset is combined with the information for another asset under the premise that they are actually the same physical asset.

Asset merging occurs when an asset update contains identity data that matches two different asset profiles. For example, a single update that contains a NetBIOS host name that matches one asset profile and a MAC address that matches a different asset profile might trigger an asset merge.

Some systems can cause high volumes of asset merging because they have asset data sources that inadvertently combine identity information from two different physical assets into a single asset update. Some examples of these systems include the following environments:

  • Central syslog servers that act as an event proxy

  • Virtual machines

  • Automated installation environments

  • Non-unique host names, which are common with assets like iPads and iPhones

  • Virtual private networks that have shared MAC addresses

  • Log source extensions where the identity field is OverrideAndAlwaysSend=true

Assets that have many IP addresses, MAC addresses, or host names show deviations in asset growth and can trigger system notifications.