Reviewing Building Blocks

Building blocks are a reusable set of rule tests that can be used within rules when needed. Host definition building blocks (BB:HostDefinition) categorize assets and server types into CIDR/IP ranges. By populating host definition building blocks, QRadar can identify the type of appliance that belongs to an address or address range. These building blocks can then be used in rules to exclude or include entire asset categories in rule tests.

Use server discovery to populate host definition building blocks (BB:HostDefinition). Server discovery uses existing asset profile data so that administrators can define unknown server types and then assign them to a server definition and the network hierarchy.

From the main navigation menu in the app, click Host Definitions.
Optional: Watch tuning videos to learn more about the importance of defining host definitions, and to get tips on how to automatically populate them.
Click Host definitions and review and update IPs and ports in BBs from the Host Definition group or check when BBs were last updated.
Optional: To instantly refresh the rules from QRadar, click the Refresh icon. Otherwise, the app automatically updates data from the Console every 15 minutes.
To edit IPs in reference sets in building blocks, complete the following steps:
1. Click Host definitions >IPs & Ports.
2. Click a link or the pencil icon (Edit).
3. On the Edit reference set page, add an IP or select an existing IP and delete it from the reference set.
  
  The reference set opens in the QRadar Reference Data Management app, if the app is installed on the QRadar Console.
To edit ports in building blocks or rules sets, complete the following steps:
1. Click Host definitions >IPs & Ports.
2. Click a link or the pencil icon (Edit).
3. In the Edit ports window, edit the list of ports as needed, and click OK. A list accumulates the ports as you edit, displaying a star next to each update.
4. Click Save when you're done.

Reviewing Building Blocks

Related Documentation