Default Locator Order and Existing Assets
Cisco Vulnerability Management makes every attempt not to duplicate assets in an environment. The following list shows the order of preference (from high to low) assigned to asset locator data, if an asset already exists in an environment.
1. Container identifier
2. Image identifier
3. EC2 identifier
4. MAC address
5. NetBIOS
6. External IP address
7. Hostname
8. URL
9. File name
10. Fully qualified domain name (FQDN)
11. Internal IP address (RFC 1918)
12. Scanner-specific asset ID (such as Qualys host ID, Nexpose device-ID)
13. Database
14. Application
Important: The CrowdStrike Connector comes with its own default locator order. For more details, refer to the CrowdStrike Connector information.
When assets are processed during connector runs, Cisco Vulnerability Management starts at the top of the list with #1. If there is a value in that field, Cisco Vulnerability Management compares it to all existing assets. If Cisco Vulnerability Management finds a match, it updates the existing asset with the current information from that connector run. If Cisco Vulnerability Management doesn’t find a match, it creates a new asset.
Cisco Vulnerability Management proceeds to the second item in the list only if the first field has no value. For example, if Cisco Vulnerability Management didn’t receive a Container identifier, it moves to #2, Image identifier, and tries to match on that data. If there’s no Image identifier, Cisco Vulnerability Management moves to #3, EC2 identifier, and so on down the list until it finds a value to use for de-duplication.
In a Dynamic Host Configuration Protocol (DHCP) environment where internal IP addresses are being reissued, ensure you use a credentialed scan to bring in more specific information for each asset, so that when IP addresses are reissued, assets can still be identified by another locator field. Also, ensure that the locator field is higher on the list than the IP address. For example, use a “hostname” to move it up the list or use the “MAC address.”
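The matching rule and the DHCP caveat above can be modelled in a few lines. This is an added illustration, not Cisco code: the field names, the same-field comparison, and the sample records are assumptions constructed for the example.

```python
# Illustrative model of the de-duplication rule described above.
# Not Cisco code; field names are assumptions made for this example.
DEFAULT_ORDER = [
    "container_id", "image_id", "ec2_id", "mac_address", "netbios",
    "external_ip", "hostname", "url", "file_name", "fqdn",
    "internal_ip", "scanner_asset_id", "database", "application",
]

def primary_locator(record, order=DEFAULT_ORDER):
    """Return (field, value) for the first populated locator in the order."""
    for field in order:
        value = record.get(field)
        if value:
            return field, value
    return None

def ingest(assets, record, order=DEFAULT_ORDER):
    """Apply one connector record: update on match, otherwise create.

    Only the first populated locator is compared; a miss on it creates a
    new asset rather than falling through to lower-ranked locators.
    """
    chosen = primary_locator(record, order)
    if chosen is None:
        raise ValueError("record has no locator value")
    field, value = chosen
    for asset in assets:
        if asset.get(field) == value:  # assumed: compare the same field
            asset.update(record)
            return "updated", field
    assets.append(dict(record))
    return "created", field

def dhcp_demo():
    """Constructed data: two different hosts hold 10.0.0.5 in turn."""
    unauth, cred = [], []
    # Uncredentialed scans: only the internal IP is known.
    r1 = ingest(unauth, {"internal_ip": "10.0.0.5", "os": "Windows"})
    r2 = ingest(unauth, {"internal_ip": "10.0.0.5", "os": "Linux"})
    # Credentialed scans: MAC address outranks internal IP.
    r3 = ingest(cred, {"mac_address": "00:00:5e:00:53:01", "internal_ip": "10.0.0.5"})
    r4 = ingest(cred, {"mac_address": "00:00:5e:00:53:02", "internal_ip": "10.0.0.5"})
    return [r1, r2, r3, r4], len(unauth), len(cred)
```

With only an internal IP available, the second host overwrites the first and one asset remains; with a MAC address present, the two hosts stay separate even though they share the reissued IP.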
Custom Ordered Locators
You can adjust the default order for locators as a global setting, or you can adjust specific connectors. If you want to change your asset locator preference, contact Cisco Support. The Support team will help you assess the optimal custom locator order for your organization and perform an analysis to find the duplicate locators.
When using a custom order on the connector, all assets that the connector finds are de-duplicated according to that connector's order, and all other connectors are de-duplicated according to the client order.
Custom order locators aren't updated automatically to include Container and Image locators. If you are using custom order locators for the first time, contact Support to have them added to your custom list.
Note: If a locator is not present in the custom locator order, it isn't associated with the asset, even if you see a value for it. For a complete report of duplicate assets, so you can further analyze how your primary locators are working, contact Cisco Support.
Understanding Locators in the Cisco Vulnerability Management UI
One indicator of how your primary locator list is working is the filters located on the right-hand side of the Vulnerability Management Explore page. Look in the Asset Filters section to see checkboxes that display how many assets were matched to the primary locator.
Note: In this example, 1,634 assets were identified using the MAC address, either because the asset had a new MAC address or because it was de-duplicated after a match was found with an existing asset with the same MAC address.
Important: When you are viewing assets on the Vulnerability Management Explore page, the top locator (in blue) does not correspond to the Primary Locator used to identify that asset. Also, the order of the locators listed does not correspond to the order being used to de-duplicate assets. In the following example, although the assets' Primary Locators are MAC addresses, the Hostname displays first.