Asset Notifications for JSA Appliances
Asset Change Discarded
38750106 - Asset Changes Aborted.
An asset change exceeded the change threshold and the asset profile manager ignores the asset change request.
The asset profile manager includes an asset persistence process that updates the profile information for assets. The process collects new asset data and then queues the information before the asset model is updated. When a user attempts to add or edit an asset, the data is stored in temporary storage and added to the end of the change queue. If the change queue is large, the asset change can time out and the temporary storage is deleted.
Select one of the following options:
Add or edit the asset a second time.
Adjust or stagger the start time for your vulnerability scans or reduce the size of your scans.
Asset Growth Deviations Detected
38750137 - The system detected asset profiles that exceed the normal size threshold.
The system detected one or more asset profiles in the asset database that show deviating or abnormal growth. Deviating growth occurs when a single asset accumulates more IP addresses, DNS host names, NetBIOS names, or MAC addresses than the system thresholds allow. When growth deviations are detected, the system suspends all subsequent incoming updates to these asset profiles.
Determine the cause of the asset growth deviations:
Hover your mouse over the notification description to review the notification payload. The payload shows a list of the top five most frequently deviating assets. It also provides information about why the system marked each asset as a growth deviation and the number of times that the asset attempted to grow beyond the asset size threshold.
In the notification description, click Review a report of these assets to see a complete report of asset growth deviations over the last 24 hours.
38750136 - The Asset Reconciliation Exclusion rules added new asset data to the asset blacklists.
A piece of asset data, such as an IP address, hostname, or MAC address, shows behavior that is consistent with asset growth deviations.
An asset blacklist is a collection of asset data that is considered untrustworthy by the asset reconciliation exclusion custom engine rules. The rules monitor asset data for consistency and integrity. If a piece of asset data shows suspicious behavior twice or more within 2 hours, that piece of data is added to the asset blacklists. Subsequent updates that contain blacklisted asset data are not applied to the asset database.
In the notification description, click Asset Reconciliation Exclusion rules to see the rules that are used to monitor asset data.
In the notification description, click Asset deviations by log source to view the asset deviation reports that occurred in the last 24 hours.
If your blacklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.
If you want the asset data to be added to the asset database, remove the asset data from the blacklist and add it to the corresponding asset whitelist. Adding asset data to the whitelist prevents it from inadvertently reappearing on the blacklist.
External Scan Of an Unauthorized IP Address or Range
38750126 - An external scan execution tried to scan an unauthorized IP address or address range.
When a scan profile includes a CIDR range or IP address outside of the defined asset list, the scan continues. However, any CIDR ranges or IP addresses for assets that are not within your external scanner list are ignored.
Update the list of authorized CIDR ranges or IP addresses for assets that are scanned by your external scanner. Review your scan profiles to ensure that the scan is configured for assets that are included in the external network list.