Device Asset ID not created for devices

Hi Folks,

In our setup, for a few devices the Device Asset ID is not populating in ESM. I can see events coming from those devices in the console, and if I try to search events by selecting the asset and filtering by Device Asset ID, the events are not displayed.

For the same device target asset id or source asset id are displayed. Kindly

  • From what I have observed "Device" is just a Categorization. In other words there is a folder, and if an Asset is placed in there it will appear as a "Device". One issue I have seen with events where Devices is populated, is that it's the last Device in the flow of events that retains the status of "Device"...

    So, for example you might have a firewall that is Categorized as a Device and the events flow through a ConnApp, after that you may find that the ConnApp is now the Device associated with those events.

    Cheers, David

  • Hi Siraj,

    You need to check your Network Asset Model. All the Unidentified assets will not populate these Fields unless you have properly configured your Network Asset Model. All Assets which fall under System Administration/Devices can be told as Partially mapped which IPs are resolvable will contain the Asset IDs too (Not Configured through Asset Model)

  • Hi Bala,

    Another issue that I found is that, for ESM Internal events, custom zones are not taking effect and auto assets are not created for base events (auto assets are created for ESM components). Is this issue related to the above?

  • No Siraj,

    It's not about internal Assets of ESM Components... Even ArcSight Auto identifies devices reporting to ESM which are not part of Network Model or misconfigured Assets will have the same Issues of Asset Mappings too.

  • Bala, you are correct. There is a Network Model, and part of it is the Asset Model. Assets are not all modeled (i.e. model confidence = 0), generally only Assets of interest are modeled. Take for example a Network ("Local" in the Network Model) with 1,000,000 nodes (Assets) during the day, 70% of which are mobile devices that are not permanent and we don't own. There are several ways to add Assets: through a csv file in the Network Modeling Wizard, through an Auto Asset SmartConnector, through a tool Professional Services uses, or by turning on "Auto asset creation" when you are setting up ESM (this is one of the worst ways because it leads to a lot of duplicates).

    I like to use a Vulnerability Scanner with its SmartConnector to feed the Auto Asset Connector because it can lead to a high degree of Categorization, like OS type, open ports, Vulnerabilities, etc.

    Cheers, David

  • Hi Siraj,

    Yes. Stopping the Vulnerabilities feed is not required, you can just disable the asset auto creation from Vulnerability (there is an option). And as David said you can enable to get the other info, but it will throw a license error if you have a license limitation in number of assets also... Good to go if it is unlimited assets, but you need to properly maintain them as per the model. In my environment, the Vulnerability feed added 15k assets which were just workstations screwing up the asset model.

  • Hi Bala/David,

    Thank you for your valuable comments

    My plan is to go with disabling auto asset creation, but prior to disabling that I need to rectify the issue with auto asset creation. Even I have raised a support ticket and they are still investigating on the same.

    Another point to note, If I configure an asset manually, IP to hostname resolution or vice versa is not working.

  • For un-modeled assets, let's call them "rogue nodes", say for example 5,000 student notebooks at a University, they come they go; we don't own them, we don't control them so we don't put them into the Asset/Network Model. Because they aren't in the Asset/Network Model I believe they won't have an Asset Id. You may be able to see Source Address, or "Attacker Address" (which is derived from Source Address), you might be able to see Source Host Name depending on the event source, but Asset Id I believe means they have been modeled and they have a unique identifier in the Network Model... a URI (Universal Resource Identifier) once they have been modeled.

    Again you can create an Asset manually using the Editor, you can add one from an Auto Asset Connector, you can add an Asset using the Network Modeling Wizard.

    Does that help?

    Cheers, David

  • Hi Siraj,

    Regarding the Name Resolution: check your Hostname Resolution settings in Connector Settings. Generally the Agent or Manager Host Entry doesn't have the resolved host entry and it might not be able to resolve it. There are a few threads regarding the same in our forum to make them resolve, search them, here are a few: