How can I disable asset creation from sdkscannerxml connector?
Tell me please how can I disable auto asset creation from sdkscannerxml connector?
The auto-asset creation option is disabled in server.properties on the manager, but I receive assets from this connector.
Thanks for help!
Arcsight ver 18.104.22.1685.1
The name of the connector type you have mentioned suggests that this is a scanner connector, which I believe to be the FlexConnector for XML Reports.
As this is a FlexConnector, you may be using it for multiple reasons, but as a scanner, it could be that it is being used to process reports from a vulnerability scanner such as Nessus, Qualys, etc. The intention of such scanners is normally to provide vulnerability information to ESM that requires the associated asset to be present in the network model. As such, the asset is automatically created by ESM and there is no easy way to stop it from doing that.
Other auto-asset creation can be controlled through filters (such as connector filters and device filters) as described in the ESM Console Guide (Ch5) and the ArcSight Administration and ArcSight System Standard Content Guide (Ch4). There is no such control for assets created by the events from scanner connectors since the asset creation is implied.
Do you have information about the connector in question? Can you confirm that it is of type "ArcSight FlexConnector Scanner XML Reports"? According to the ArcSight FlexConnector Developer's Guide (p49), this connector has the following function:
ArcSight FlexConnector Scanner XML Reports
Choose this type to import the results of a scan from a scanner device and forward the data to ESM so that ESM can model an organization’s assets, open ports, operating systems, applications, and vulnerabilities. The connector imports periodic scans to ESM, which uses this information for event prioritization, reporting, and correlation.
An XML report contains results for a single scan with scan results organized in the form of nested XML elements. XQuery/XPath-based parsers are used to extract relevant information from the report.
So the intention is to create assets. Are you using the connector in a different way that does not need asset creation?
If the scanner creates new assets on every run but for existing devices that are already modelled, then you may have issues with duplication, possibly due to non-unique host/IP/MAC information being supplied in the report or due to settings in the network model configuration. There are certain rules that ESM uses to determine if an incoming event describes an asset that already exists (again as described in the ESM Console Guide, Ch5, p135 onwards).
In summary, there is no documented method to disable the creation of events from scanners at ESM. If you need to continue to use this scanner but disable the asset creation then please open a support case for the question of an undocumented workaround to be explored.
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
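As an added example (not part of the original posts and not ArcSight code): a pre-import check for the duplication cause mentioned in the answer, non-unique host/IP/MAC information in the scan report. The `<host>` element and its `ip`/`name`/`mac` attributes are a constructed schema, and the check only flags identifier collisions; it does not reproduce ESM's asset-matching rules.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; element and attribute names are hypothetical,
# adapt the XPath and field names to your scanner's real XML layout.
SAMPLE_REPORT = """<scan>
  <host ip="10.0.0.5" name="web01" mac="00:11:22:33:44:55"/>
  <host ip="10.0.0.5" name="web01-old" mac="00:11:22:33:44:66"/>
  <host ip="10.0.0.7" name="db01" mac="00:11:22:33:44:77"/>
  <host ip="10.0.0.8" name="db01" mac="00:11:22:33:44:88"/>
  <host ip="10.0.0.9" name="" mac=""/>
</scan>"""

FIELDS = ("ip", "name", "mac")

def audit_report(xml_text):
    """Return (collisions, incomplete) for the host entries in a report.

    collisions: {(field, value): [distinct (ip, name, mac) tuples]} for every
    identifier value that appears with more than one identity.
    incomplete: identity tuples that carry neither a hostname nor a MAC.
    """
    # Reports are assumed to come from your own scanner; for XML from an
    # untrusted source, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    seen = defaultdict(set)
    incomplete = []
    for host in root.findall(".//host"):  # XPath subset supported by ElementTree
        ident = tuple((host.get(f) or "").strip().lower() for f in FIELDS)
        if not ident[1] and not ident[2]:
            incomplete.append(ident)
        for field, value in zip(FIELDS, ident):
            if value:
                seen[(field, value)].add(ident)
    collisions = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return collisions, incomplete

if __name__ == "__main__":
    collisions, incomplete = audit_report(SAMPLE_REPORT)
    for (field, value), idents in sorted(collisions.items()):
        print(f"{field}={value} appears with {len(idents)} different identities:")
        for ident in idents:
            print("   ", dict(zip(FIELDS, ident)))
    for ident in incomplete:
        print("no hostname or MAC, IP only:", ident[0])
```

Running it against each report before the connector picks it up shows which entries are likely to be modelled as separate assets for the same device.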