Asset from vulnerability scan report not linked to device under ArcSight System Administration
When Asset is created through Vulnerability management connector first, it is created under the tree inherited from zone. If this asset send events (asset is device, right now) we expect asset is created/linked in Device tree under the ArcSight System Administration but it is not. Is it possible to cover this with some configuration ?
Re: Asset from vulnerability scan report not linked to device under ArcSight System Administration
I am not completely sure that I am grasping your question here, but I'll try to provide some useful information.
Although assets can be added thru use of various vulnerability scanners (for example Nessus, Foundstone etc), typically, the scanner itself does not provide information about the destination zones and networks; the assumption is that these have already been configured, either manually, or using one of the other options to create the network model such as the network model wizard.
Whether or not an asset will be created on a scanner report, depends on a number of things. These are rather complex,so instead of trying to print them all here I will refer to some attached/mentioned documents below.
There are a number of other ways that assets could be created with auto-creation, such as using an Asset Import FlexConnector or as devices reports thru SmartConnectors. Depending on which are used, can affect the decision on whether or not an asset is created or not.
If you have already setup network/zones that the vulnerability scanner is reporting to, and an asset was added there, if a new event arrives for that asset, then a search of the network model will try to identify that asset by IP/hostname/MAC. If there is a conflict it may leave the asset alone, if there is no sign of the asset it may create it, and depending on static/dynamic zones, it could move the asset from one place to another. Based on your current question, the likliehood is that the asset will remain in whatever zone it was created when your ran the vulnerability scanner.
As this is rather a complex subject, can I suggest that you take a look at the following information to see if it helps explain what you are seeing:
ESM 101 - Chapter 12 The Network Model https://www.protect724.hpe.com/docs/DOC-13714
ESM Console Guide - P797 onwards Assets: : https://www.protect724.hpe.com/docs/DOC-13716
These guides outline the various asset creation methods, some of the decisions being made when an event from an asset arrives, and also some properties which can affect how those decisions are made.
There is an old technical note (attached) that contains mostly the same information in one large section that you may like for convenience, but bear in mind that it's age - ESM asset management has changed a little since it was written, so it is best to also check the newer manuals outlined above.
If after all of this you cannot see the issue, please open a support case. We can try to examine the information more closely, possibly by trying to reproduce that locally using your information and scanner data to try and understand any issue there.
Thanks and regards,
HPE ArcSight Technical Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.