Identification Of Asset Growth Deviations
Sometimes, asset data sources produce updates that JSA cannot handle properly without manual remediation. Depending on the cause of the abnormal asset growth, you can either fix the asset data source that is causing the problem or you can block asset updates that come from that data source.
Asset growth deviations occur when the number of asset updates for a single device grows beyond the limit that is set by the retention threshold for a specific type of the identity information. Proper handling of asset growth deviations is critical to maintaining an accurate asset model.
At the root of every asset growth deviation is an asset data source whose data is untrustworthy for updating the asset model. When a potential asset growth deviation is identified, you must look at the source of the information to determine whether there is a reasonable explanation for the asset to accumulate large amounts of identity data. The cause of an asset growth deviation is specific to an environment.
DHCP Server Example Of Unnatural Asset Growth in an Asset Profile
Consider a virtual private network (VPN) server in a Dynamic Host Configuration Protocol (DHCP) network. The VPN server is configured to assign IP addresses to incoming VPN clients by proxying DHCP requests on behalf of the client to the network's DHCP server.
From the perspective of the DHCP server, the same MAC address repeatedly requests many IP address assignments. In the context of network operations, the VPN server is delegating the IP addresses to the clients, but the DHCP server can't distinguish when a request is made by one asset on behalf of another.
The DHCP server log, which is configured as a JSA log source, generates a DHCP acknowledgment (DHCP ACK) event that associates the MAC address of the VPN server with the IP address that it assigned to the VPN client. When asset reconciliation occurs, the system reconciles this event by MAC address, which results in a single existing asset that grows by one IP address for every DHCP ACK event that is parsed.
Eventually, one asset profile contains every IP address that was allocated to the VPN server. This asset growth deviation is caused by asset updates that contain information about more than one asset.
Threshold Settings
When an asset in the database reaches a specific number of properties, such as multiple IP addresses or MAC addresses, JSA blocks that asset from receiving more updates.
The Asset Profiler threshold settings specify the conditions under which an asset is blocked from updates. The asset is updated normally up to the threshold value. When the system collects enough data to exceed the threshold, the asset shows an asset growth deviation. Future updates to the asset are blocked until the growth deviation is rectified.
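The following Python simulation, an added example that is not part of the JSA documentation or product code, shows why the VPN scenario above produces a single over-sized asset and how a threshold-based block stops the growth. Reconciliation is keyed on MAC address as the text describes; the DHCP ACK events, the MAC addresses, the IP ranges and the threshold value of 20 IP addresses are all constructed for illustration (real thresholds come from the Asset Profiler configuration).

```python
"""Simulate MAC-keyed asset reconciliation with an IP-count growth threshold."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical threshold for this example; JSA's real value is an Asset Profiler setting.
MAX_IPS_PER_ASSET = 20


@dataclass
class Asset:
    asset_id: int
    mac: str
    ips: Set[str] = field(default_factory=set)
    blocked: bool = False
    deviation_count: int = 0  # updates rejected after the threshold was reached


class AssetModel:
    """Minimal asset model: one asset per MAC address, updates blocked past the threshold."""

    def __init__(self, max_ips: int = MAX_IPS_PER_ASSET) -> None:
        self.max_ips = max_ips
        self.by_mac: Dict[str, Asset] = {}
        self._next_id = 1001

    def reconcile_dhcp_ack(self, mac: str, ip: str) -> Asset:
        """Apply one DHCP ACK (MAC -> IP) to the model and return the affected asset."""
        asset = self.by_mac.get(mac)
        if asset is None:
            asset = Asset(self._next_id, mac)
            self._next_id += 1
            self.by_mac[mac] = asset
        if asset.blocked:
            # Growth deviation already declared: count the attempt, change nothing.
            asset.deviation_count += 1
            return asset
        if ip in asset.ips:
            return asset  # a renewal of a known address is not growth
        if len(asset.ips) >= self.max_ips:
            # Threshold reached: mark the deviation and block further updates.
            asset.blocked = True
            asset.deviation_count += 1
            return asset
        asset.ips.add(ip)
        return asset


def constructed_vpn_acks(n: int, vpn_mac: str = "00:11:22:33:44:55") -> List[Tuple[str, str]]:
    """Constructed events: the VPN server's MAC appears on every ACK, each with a new client IP."""
    return [(vpn_mac, f"10.20.{i // 256}.{i % 256}") for i in range(n)]


def run_example(n_acks: int = 25) -> AssetModel:
    model = AssetModel()
    for mac, ip in constructed_vpn_acks(n_acks):
        model.reconcile_dhcp_ack(mac, ip)
    # A normal laptop renewing the same lease does not grow its asset at all.
    for _ in range(5):
        model.reconcile_dhcp_ack("aa:bb:cc:dd:ee:ff", "10.30.0.7")
    return model


if __name__ == "__main__":
    m = run_example()
    for a in m.by_mac.values():
        print(a.asset_id, a.mac, len(a.ips), "blocked" if a.blocked else "ok", a.deviation_count)
```

After 25 proxied ACKs the VPN server's asset holds exactly 20 addresses and is blocked, with five rejected attempts recorded, while the laptop's asset stays at one address. The same shape of counter is what the "Too Many IPs" notifications report.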
System Notifications That Indicate Asset Growth Deviations
JSA generates system notifications to help you identify and manage the asset growth deviations in your environment.
The following system messages indicate that JSA identified potential asset growth deviations:
The system detected asset profiles that exceed the normal size threshold
The asset blacklist rules have added new asset data to the asset blacklists
The system notification messages include links to reports to help you identify the assets that have growth deviations.
Asset Data That Changes Frequently
Asset growth can be caused by large volumes of asset data that changes legitimately, such as in these situations:
A mobile device that travels from office to office frequently and is assigned a new IP address whenever it logs in.
A device that connects to a public Wi-Fi network with short IP address leases, such as on a university campus, might collect large volumes of asset data over a semester.
Example: How Configuration Errors for Log Source Extensions Can Cause Asset Growth Deviations
Customized log source extensions that are improperly configured can cause asset growth deviations.
You configure a customized log source extension to provide asset updates to JSA by parsing user names from the event payload that is on a central log server. You configure the log source extension to override the event host name property so that the asset updates that are generated by the custom log source always specify the DNS host name of the central log server.
Instead of JSA receiving an update that has the host name of the asset that the user logged in to, the log source generates many asset updates that all have the same host name.
In this situation, the asset growth deviation is caused by one asset profile that contains many IP addresses and user names.
Troubleshooting Asset Profiles That Exceed the Normal Size Threshold
JSA generates the following system notification when the accumulation of data under a single asset exceeds the configured threshold limits for identity data.
The system detected asset profiles that exceed the normal size threshold
Explanation
The payload of the notification shows a list of the top five most frequently deviating assets and why the system marked each asset as a growth deviation. As shown in the following example, the payload also shows the number of times that the asset attempted to grow beyond the asset size threshold.
Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer] com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO] [NOT:0010006101][192.0.2.83/- -] [-/- -] The top five most frequently deviating asset profiles between Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST: [ASSET ID:1003, REASON:Too Many IPs, COUNT:508], [ASSET ID:1002, REASON:Too many DNS Names, COUNT:93], [ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]
When the asset data exceeds the configured threshold, JSA blocks the asset from future updates. This intervention prevents the system from receiving more corrupted data and mitigates the performance impacts that might occur if the system attempts to reconcile incoming updates against an abnormally large asset profile.
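To triage these notifications at scale (for example, when they are forwarded to another system), the payload can be parsed mechanically. The following Python parser is an added example, not part of the JSA documentation or product; it works on the sample payload quoted above and assumes only that every entry keeps the `[ASSET ID:..., REASON:..., COUNT:...]` shape shown there.

```python
"""Parse the 'top five most frequently deviating asset profiles' notification payload."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Sample payload taken from the notification shown in this document.
SAMPLE_PAYLOAD = (
    "Feb 13 20:13:23 127.0.0.1 [AssetProfilerLogTimer] "
    "com.q1labs.assetprofile.updateresolution.UpdateResolutionManager: [INFO] "
    "[NOT:0010006101][192.0.2.83/- -] [-/- -] The top five most frequently deviating "
    "asset profiles between Feb 13, 2015 8:10:23 PM AST and Feb 13, 2015 8:13:23 PM AST: "
    "[ASSET ID:1003, REASON:Too Many IPs, COUNT:508], "
    "[ASSET ID:1002, REASON:Too many DNS Names, COUNT:93], "
    "[ASSET ID:1001, REASON:Too many MAC Addresses, COUNT:62]"
)

# Matches one "[ASSET ID:n, REASON:text, COUNT:n]" entry.
ENTRY_RE = re.compile(r"\[ASSET ID:(\d+),\s*REASON:([^,\]]+),\s*COUNT:(\d+)\]")
# Matches the notification id, e.g. "[NOT:0010006101]".
NOT_ID_RE = re.compile(r"\[NOT:(\d+)\]")


class Deviation(NamedTuple):
    asset_id: int
    reason: str
    count: int


def notification_id(payload: str) -> str:
    """Return the NOT id so the message type can be routed before deeper parsing."""
    m = NOT_ID_RE.search(payload)
    return m.group(1) if m else ""


def parse_deviation_payload(payload: str) -> List[Deviation]:
    """Extract every deviating-asset entry, highest count first."""
    entries = [Deviation(int(a), r.strip(), int(c)) for a, r, c in ENTRY_RE.findall(payload)]
    return sorted(entries, key=lambda d: d.count, reverse=True)


def attempts_by_reason(devs: List[Deviation]) -> Dict[str, int]:
    """Total blocked-update attempts per reason, to show which identity type is inflating."""
    totals: Dict[str, int] = defaultdict(int)
    for d in devs:
        totals[d.reason] += d.count
    return dict(totals)


def assets_over(devs: List[Deviation], min_attempts: int) -> List[int]:
    """Asset IDs whose attempt count meets a triage cutoff (the cutoff is the caller's choice)."""
    return [d.asset_id for d in devs if d.count >= min_attempts]


if __name__ == "__main__":
    devs = parse_deviation_payload(SAMPLE_PAYLOAD)
    print("notification", notification_id(SAMPLE_PAYLOAD))
    for d in devs:
        print(d)
    print(attempts_by_reason(devs))
```

Each COUNT is the number of updates the system refused after the asset hit its threshold, so the totals per reason point at which identity type (IP, DNS name, MAC) the bad data source is inflating, which is the first question to answer before tuning or blocking the source.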
Required User Action
Use the information in the notification payload to identify the assets that are contributing to the asset growth deviation and determine what is causing the abnormal growth. The notification provides a link to a report of all assets that experienced deviating asset growth over the past 24 hours.
After you resolve the asset growth deviation in your environment, you can run the report again.
Click the Log Activity tab and click Search > New Search.
Select the Deviating Asset Growth: Asset Report saved search.
Use the report to identify and repair inaccurate asset data that was created during the deviation.
New Asset Data is Added to the Asset Blocklists
JSA generates the following system notification when a piece of asset data exhibits behavior that is consistent with deviating asset growth.
The asset blacklist rules have added new asset data to the asset blacklists
Explanation
Asset exclusion rules monitor asset data for consistency and integrity. The rules track specific pieces of asset data over time to verify that each piece is consistently observed together with the same subset of related data within a reasonable time.
For example, if an asset update includes both a MAC address and a DNS host name, the MAC address is associated with that DNS host name for a sustained period. Subsequent asset updates that contain that MAC address also contain that same DNS host name when one is included in the asset update. If the MAC address suddenly is associated with a different DNS host name for a short period, the change is monitored. If the MAC address changes again within a short period, the MAC address is flagged as contributing to an instance of deviating or abnormal asset growth.
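The MAC-to-DNS-name consistency check just described can be modelled as a small stateful rule. The Python below is an added example, not JSA's exclusion-rule implementation: the one-hour window, the MAC addresses, host names and timestamps are constructed, and the rule keeps only what the text requires (remember the current association, note the first change, flag the MAC if a second change follows within the window).

```python
"""Stateful consistency rule: flag a MAC whose DNS host name changes twice within a short window."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical "short period" for this example, in seconds.
WINDOW_SECONDS = 3600


@dataclass
class Association:
    dns: str
    since: int
    last_change: Optional[int] = None  # timestamp of the most recent host-name change, if any


class MacDnsExclusionRule:
    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self.assoc: Dict[str, Association] = {}
        self.blocklist: Set[str] = set()
        self.log: List[str] = []

    def observe(self, ts: int, mac: str, dns: Optional[str]) -> bool:
        """Feed one asset update; return True if the MAC is (now) on the blocklist."""
        if mac in self.blocklist:
            return True
        if dns is None:
            return False  # an update without a DNS name carries nothing to compare
        cur = self.assoc.get(mac)
        if cur is None:
            self.assoc[mac] = Association(dns, ts)  # first sighting establishes the association
            return False
        if dns == cur.dns:
            return False  # consistent with the sustained association
        # The host name changed. A second change inside the window means the MAC is
        # not identifying one device reliably, so it is flagged for exclusion.
        if cur.last_change is not None and ts - cur.last_change <= self.window:
            self.blocklist.add(mac)
            self.log.append(f"t={ts} {mac}: {cur.dns} -> {dns} within {self.window}s of previous change; flagged")
            return True
        # First change (or a change long after the previous one): monitor, do not flag.
        self.assoc[mac] = Association(dns, ts, last_change=ts)
        self.log.append(f"t={ts} {mac}: {cur.dns} -> {dns}; monitoring")
        return False


# Constructed updates as (timestamp, mac, dns). "A" flips names twice in 5 minutes; "B" changes
# names twice but hours apart, which a sustained-association rule should tolerate.
CONSTRUCTED_UPDATES: List[Tuple[int, str, Optional[str]]] = [
    (0, "00:aa:00:00:00:01", "laptop-1.example.com"),
    (600, "00:aa:00:00:00:01", "laptop-1.example.com"),
    (1200, "00:aa:00:00:00:01", None),
    (1800, "00:aa:00:00:00:01", "laptop-2.example.com"),
    (2100, "00:aa:00:00:00:01", "laptop-3.example.com"),
    (0, "00:bb:00:00:00:02", "srv.example.com"),
    (1000, "00:bb:00:00:00:02", "srv2.example.com"),
    (10000, "00:bb:00:00:00:02", "srv3.example.com"),
]


def run_example() -> MacDnsExclusionRule:
    rule = MacDnsExclusionRule()
    for ts, mac, dns in CONSTRUCTED_UPDATES:
        rule.observe(ts, mac, dns)
    return rule


if __name__ == "__main__":
    r = run_example()
    print("blocklist:", sorted(r.blocklist))
    print("\n".join(r.log))
```

Only the first MAC ends up on the blocklist; the second shows why the window matters when tuning these rules, since a device that legitimately changes its name occasionally must not be excluded.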
Required User Action
Use the information in the notification payload to identify the rules that are used to monitor asset data. Click the Asset deviations by log source link in the notification to see the asset deviations that occurred in the last 24 hours.
If the asset data is valid, JSA administrators can configure JSA to resolve the problem.
If your blocklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.
If you want to add the data to the asset database, you can remove the asset data from the blocklist and add it to the corresponding asset allowlist. Adding asset data to the allowlist prevents it from inadvertently reappearing on the blocklist.