Highlighted
Trusted Contributor.
Trusted Contributor.
813 views

Device Asset ID not created for devices

Hi Folks,

In our setup for few devices Device Asset ID are not populating in ESM. I can see events coming from those devices in console and if I try to search events by selecting the asset and filter by Device asset ID, the events are not displayed.

For the same device target asset id or source asset id are displayed. Kindly

Labels (2)
Tags (1)
0 Likes
Reply
18 Replies
Highlighted
Absent Member.
Absent Member.

Re: Device Asset ID not created for devices


From what I have observed "Device" is just a Categorization.  In other words there is a folder, and if an Asset is placed

in there it will appear as a "Device".  One issue I have seen with events where Devices is populted, is that it's the last

Device in the flow of events that retains the status of "Device"...

So, for example you might have a firewall that is Categorized as a Device and the events flow through a ConnApp,

after that you may find that the ConnApp is now the Device associated with those events.

Cheers, David

0 Likes
Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Device Asset ID not created for devices

Hi Siraj,

U need to check ur Network Asset Model. All the Unidentified assets will not populate these Fields unless u have properly configured ur Network Asset Model. All Assets which falls under System Administration/Devices can be told as Partially mapped which Ip's are resolvable will contain the Asset ID's too(Not Configured through Asset Model)

0 Likes
Reply
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: Device Asset ID not created for devices

Hi Bala,

Another issue what I found is that, for ESM Internal events, custom zones are not taking effect and auto assets are not created for base events(auto assets are created for ESM componenets). Is this issue related to the above?

0 Likes
Reply
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: Device Asset ID not created for devices

Another issue what I found is that, for ESM Internal events, custom zones are not taking effect and auto assets are not created for base events(auto assets are created for ESM componenets). Is this issue related to the above?

0 Likes
Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Device Asset ID not created for devices

No Siraj,

It's not about internal Assets of ESM Components... Even ArcSight Auto identifies devices reporting to ESM which are not part of Network Model or misconfigured Assets will have the same Issues of Asset Mappings too.

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: Device Asset ID not created for devices

Bala, you are correct.  There is a Network Model, and part of it is the Asset Model.  Assets are not all modeled

(ie. model confidence =0) generally only Assest of interest are modeled.  Take for example a Network ("Local"

in the Network Model) with 1,000,000 nodes (Assets) during the day, 70%  of which are mobile devices that are

not permanent and we don't own.  There are several ways to add Assets (through a csv file in the Network Modeling Wizard), through an Auto Asset SmartConnector, through a tool Professional Services uses, by turning on "Auto asset creation" when you are setting up ESM (this is one of the worst ways because it leads to a lot of duplicates).

I like to use a Vulnerability Scanner with it's SmartConnector to feed the Auto Asset Connector because it can lead to a high degree of Categorization, like OS type, open ports, Vulnerabilities, etc.

Cheers, David

0 Likes
Reply
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Device Asset ID not created for devices

Hi Siraj,

Yes. Stopping Vulnerabilities feed is not required, u can just disable the asset auto creation from Vulnerability(there is a option).. And as david said u can enable to get the other info's but it ll throw license error, if u have license limitation in number of assets also.... Good to go if it is unlimited assets, but u need to properly maintain them as per the model. In my Environment. Vulnerability feed added 15k+ assets which wer just workstations screwing up the asset model.

0 Likes
Reply
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: Device Asset ID not created for devices

Hi Bala/David,

Thank you for your valuable comments

My plan is to go with disabling auto asset creation, but prior to disabling that I need to rectify the issue with auto asset creation. Even I have raised a support ticket and they are still investigating on the same.

Another point to note, If I configure an asset manually, IP to hostname resolution or vice versa is not working.

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Re: Device Asset ID not created for devices

For un-modeled assets, let's call them "rouge nodes" say or example 5,000 student notebooks at a University,

they come they go; we don't own them, we don't control them so we don't put them into the Asset/Network Model.

Because they aren't in the Asset/Network Model I believe they won't have an Asset Id.  You may be able to see

Source Address, or "Attacker Address" (which is derived from Source Address), you might be able to see

Source Host Name depending on the event source, but Asset Id I believe means they have been modeled

and they have a unique identifier in the Network Model... a URI (Universal Resource Identifier) once they have

been modeled.

Again you can create an Asset manually using the Editor, You can add one from an Auto Asset Connector,

you can add an Asset using the Network Modeling Wizard.

Does that help?

Cheers, David

0 Likes
Reply
Acclaimed Contributor.
Acclaimed Contributor.

Re: Device Asset ID not created for devices

Hi Siraj,

Regarding the Name Resolution. Check your Hostname Resolution settings in Connector Settings. Generally the Agent or Manager Host Entry doesn't have the resolved host entry and it might be not be able to resolve it. There is a few Thread regarding the same in our forum to make them Resolve , search them, here are few:

0 Likes
Reply
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

Re: Device Asset ID not created for devices

HI Bala - you mention that Stopping Vulnerabilities feed is not required to stop the auto asset creation - "u can just disable the asset auto creation from Vulnerability(there is a option)..".  Can you tell me how to do this?  I don't want the scanner creating assets (right now) but I do want the feed so I get the additional categorization, etc.

Many thanks.....

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.