Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Updates to Asset Data

JSA uses identity information in an event payload to determine whether to create a new asset or update an existing asset.

Each asset update must contain trusted information about a single asset. When JSA receives an asset update, the system determines which asset to which the update applies.

Asset reconciliation is the process of determining the relationship between asset updates and the related asset in the asset database. Asset reconciliation occurs after JSA receives the update but before the information is written to the asset database.

Identity Information

Every asset must contain at least one piece of identity data. Subsequent updates that contain one or more pieces of that same identity data are reconciled with the asset that owns that data. Updates that are based on IP addresses are handled carefully to avoid false-positive asset matches. False positive asset matches occur when one physical asset is assigned ownership of an IP address that was previously owned by another asset in the system.

When multiple pieces of identity data are provided, the asset profiler prioritizes the information from the most deterministic to the least in the following order:

  • MAC address

  • NetBIOS host name

  • DNS host name

  • IP address

MAC addresses, NetBIOS host names, and DNS host names are unique and therefore are considered as definitive identity data. Incoming updates that match an existing asset only by the IP address are handled differently than updates that match more definitive identity data.

Asset Reconciliation Exclusion Rules

With each asset update that enters JSA, the asset reconciliation exclusion rules apply tests to the MAC address, NetBIOS host name, DNS host name, and IP address in the asset update.

By default, each piece of asset data is tracked over a two-hour period. If any one piece of identity data in the asset update exhibits suspicious behavior two or more times within 2 hours, that piece of data is added to the asset blacklists. Each type of identity asset data that is tested results in a new blacklist.

Tip:

JSA excludes events based on data that is received in the event, not on any data that is later inferred or linked to the event.

In domain-aware environments, the asset reconciliation exclusion rules track the behavior of asset data separately for each domain.

The asset reconciliation exclusion rules test the following scenarios:

Table 1: Rule Tests and Responses

Scenario

Rule response

When a MAC address is associated to three or more different IP addresses in 2 hours or less

Add the MAC address to the Asset Reconciliation Domain MAC blacklist

When a DNS host name is associated to three or more different IP addresses in 2 hours or less

Add the DNS host name to the Asset Reconciliation Domain DNS blacklist

When a NetBIOS host name is associated to three or more different IP addresses in 2 hours or less

Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist

When an IPv4 address is associated to three or more different MAC addresses in 2 hours or less

Add the IP address to the Asset Reconciliation Domain IPv4 blacklist

When a NetBIOS host name is associated to three or more different MAC addresses in 2 hours or less

Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist

When a DNS host name is associated to three or more different MAC addresses in 2 hours or less

Add the DNS host name to the Asset Reconciliation Domain DNS blacklist

When an IPv4 address is associated to three or more different DNS host names in 2 hours or less

Add the IP address to the Asset Reconciliation Domain IPv4 blacklist

When a NetBIOS host name is associated to three or more different DNS host names in 2 hours or less

Add the NetBIOS host name to the Asset Reconciliation Domain NetBIOS blacklist

When a MAC address is associated to three or more different DNS host names in 2 hours or less

Add the MAC address to the Asset Reconciliation Domain MAC blacklist

When an IPv4 address is associated to three or more different NetBIOS host names in 2 hours or less

Add the IP address to the Asset Reconciliation Domain IPv4 blacklist

When a DNS host name is associated to three or more different NetBIOS host names in 2 hours or less

Add the DNS host name to the Asset Reconciliation Domain DNS blacklist

When a MAC address is associated to three or more different NetBIOS host names in 2 hours or less

Add the MAC address to the Asset Reconciliation Domain MAC blacklist

You can view these rules on the Offenses tab by clicking Rules and then selecting the asset reconciliation exclusion group in the drop-down list.

Example: Asset Exclusion Rules That Are Tuned to Exclude IP Addresses from the Blacklist

You can exclude IP addresses from being blacklisted by tuning the asset exclusion rules.

As the Network security administrator, you manage a corporate network that includes a public wifi network segment where IP address leases are typically short and frequent. The assets on this segment of the network tend to be transient, primarily notebooks and hand-held devices that log in and out of the public wifi frequently. Commonly, a single IP address is used multiple times by different devices over a short time.

In the rest of your deployment, you have a carefully managed network that consists only of inventoried, well-named company devices. IP address leases are much longer in this part of the network, and IP addresses are accessed by authentication only. On this network segment, you want to know immediately when there are any asset growth deviations and you want to keep the default settings for the asset reconciliation exclusion rules.

Blacklisting IP Addresses

In this environment, the default asset reconciliation exclusion rules inadvertently blacklist the entire network in a short time.

Your security team finds the asset-related notifications that are generated by the wifi segment are a nuisance. You want to prevent the wifi from triggering any more deviating asset growth notifications.

Tuning Asset Reconciliation Rules to Ignore Some Asset Updates

You review the Asset deviation by log source report in the last system notification. You determine that the blacklisted data is coming from the DHCP server on your wifi.

The values in the Event Count column, Flow Count column and the Offenses column for the row corresponding to the AssetExclusion: Exclude IP By MAC Address rule indicate that your wifi DHCP server is triggering this rule.

You add a test to the existing asset reconciliation exclusion rules to stop rules from adding wifi data to the blacklist.

Apply AssetExclusion:Exclude IP by MAC address on events which are detected by the Local system and NOT when the event(s) were detected by one or more of MicrosoftDHCP @ microsoft.dhcp.test.com and NOT when any of Domain is the key and any of Identity IP is the value in any of Asset Reconciliation Domain IPv4 Whitelist - IP Asset Reconciliation Domain IPv4 Blacklist - IP and when at least 3 events are seen with the same Identity IP and different Identity MAC in 2 hours.

The updated rule tests only the events from the log sources that are not on your wifi DHCP server. To prevent wifi DHCP events from undergoing more expensive reference set and behavior analysis tests, you also moved this test to the top of the test stack.

Asset Merging

Asset merging is the process where the information for one asset is combined with the information for another asset under the premise that they are actually the same physical asset.

Asset merging occurs when an asset update contains identity data that matches two different asset profiles. For example, a single update that contains a NetBIOS host name that matches one asset profile and a MAC address that matches a different asset profile might trigger an asset merge.

Some systems can cause high volumes of asset merging because they have asset data sources that inadvertently combine identity information from two different physical assets into a single asset update. Some examples of these systems include the following environments:

  • Central syslog servers that act as an event proxy

  • Virtual machines

  • Automated installation environments

  • Non-unique host names, common with assets like iPads and iPhones.

  • Virtual private networks that have shared MAC addresses

  • Log source extensions where the identity field is OverrideAndAlwaysSend=true

Assets that have many IP addresses, MAC addresses, or host names show deviations in asset growth and can trigger system notifications.

Related Documentation