Understanding Locator Order

Default Locator Order and Existing Assets

Cisco Vulnerability Management makes every attempt not to duplicate assets in an environment. The following list shows the order of preference (from highest to lowest) assigned to asset locator data when deciding whether an incoming asset matches one that already exists in the environment.

  1. Container identifier
  2. Image identifier
  3. EC2 identifier
  4. MAC address
  5. NetBIOS
  6. External IP address
  7. Hostname
  8. URL
  9. File name
  10. Fully qualified domain name (FQDN)
  11. Internal IP address (RFC 1918)
  12. Scanner-specific asset ID (such as Qualys host ID, Nexpose device-ID)
  13. Database
  14. Application

Important: The Crowdstrike Connector comes with its own default locator order. For more details, refer to the Crowdstrike Connector information.

When assets are processed during connector runs, Cisco Vulnerability Management starts at the top of the list with #1. If there is a value in that field, Cisco Vulnerability Management compares it to all existing assets. If it finds a match, it updates the existing asset with the current information from that connector run. If it doesn't find a match, it creates a new asset.

Cisco Vulnerability Management only proceeds to the next item in the list when the current field has no value at all; a field that has a value but matches no existing asset results in a new asset, not a fall-through. For example, if Cisco Vulnerability Management didn't receive a Container identifier, it moves to #2, Image identifier, and tries to compare on that data. If there's no Image identifier, it moves to #3, EC2 identifier, and so on down the list until it finds a value to use for de-duplication.

In a Dynamic Host Configuration Protocol (DHCP) environment, where internal IP addresses are reissued to different hosts over time, an asset identified only by its internal IP address is merged with whichever host currently holds that address. Use a credentialed scan to bring in more specific information for each asset, so that the asset is identified by a locator field that ranks higher on the list than the internal IP address, such as the hostname or the MAC address. The IP address can then be reissued without the asset being mistaken for a different one.

Custom Ordered Locators

You can adjust the default locator order as a global setting, or adjust the order for specific connectors. If you want to change your asset locator preference, contact Cisco Support. The Support team will help you assess the optimal custom locator order for your organization and perform an analysis to find duplicate locators.

When a connector uses a custom order, all assets that the connector finds are de-duplicated according to that connector's order, and assets from all other connectors are de-duplicated according to the global (client) order.

Custom order locators aren't updated automatically to include Container and Image locators. If you are using custom order locators for the first time, contact Support to have them added to your custom list.

Note: If a locator is not present in the custom locator order, it isn't associated with the asset, even if you see a value for it in the connector data. For a complete report of duplicate assets so you can do further analysis on how your primary locators are working, contact Cisco Support.
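The locator walk described above, including the DHCP failure mode and the effect of a connector-level custom order that omits a locator, modelled in Python. This is an added example and not Cisco Vulnerability Management code: the locator key names, the sample asset records and the exact-string comparison on the primary locator are assumptions made for the illustration, since the page does not document the product's internal field names or comparison rules.

```python
"""Model of the locator-order de-duplication walk.

Added illustration, not Cisco Vulnerability Management code. Locator key
names, sample records and exact-string matching are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Default locator order from the article, highest preference first.
DEFAULT_LOCATOR_ORDER = [
    "container_id", "image_id", "ec2_id", "mac_address", "netbios",
    "external_ip", "hostname", "url", "file_name", "fqdn",
    "internal_ip", "scanner_asset_id", "database", "application",
]


@dataclass
class Asset:
    asset_id: int
    locators: dict[str, str] = field(default_factory=dict)
    primary_locator: Optional[str] = None


class AssetInventory:
    """Holds existing assets and de-duplicates incoming connector records."""

    def __init__(self, locator_order=DEFAULT_LOCATOR_ORDER):
        self.locator_order = list(locator_order)
        self.assets: list[Asset] = []

    def choose_primary(self, record: dict[str, str]) -> Optional[str]:
        """First locator in the configured order that has a value.

        A locator absent from the order is never considered, even when the
        record carries a value for it (the Note above).
        """
        for name in self.locator_order:
            if record.get(name):
                return name
        return None

    def _known_locators(self, record: dict[str, str]) -> dict[str, str]:
        # Only locators that are in the order get associated with the asset.
        return {k: v for k, v in record.items() if k in self.locator_order and v}

    def ingest(self, record: dict[str, str]) -> Asset:
        """Match on the primary locator only; no match means a new asset.

        The walk does not fall through to the next locator when the primary
        has a value but matches nothing.
        """
        primary = self.choose_primary(record)
        if primary is None:
            raise ValueError("record carries no locator in the configured order")
        value = record[primary]
        for asset in self.assets:
            if asset.locators.get(primary) == value:
                asset.locators.update(self._known_locators(record))  # refresh from this run
                asset.primary_locator = primary
                return asset
        asset = Asset(len(self.assets) + 1, self._known_locators(record), primary)
        self.assets.append(asset)
        return asset


def dhcp_scenario(credentialed: bool) -> int:
    """Two scans a day apart; DHCP has reissued 10.0.0.5 to a different host.

    Returns the number of distinct assets. Uncredentialed scans report only
    the IP, so the second host is merged into the first asset; credentialed
    scans add a hostname, which ranks above internal IP and keeps them apart.
    """
    inv = AssetInventory()
    day1 = {"internal_ip": "10.0.0.5"}  # constructed sample data
    day2 = {"internal_ip": "10.0.0.5"}
    if credentialed:
        day1["hostname"] = "laptop-alice"
        day2["hostname"] = "laptop-bob"
    inv.ingest(day1)
    inv.ingest(day2)
    return len(inv.assets)


def custom_order_ignores_mac() -> Optional[str]:
    """A hypothetical connector-level order that omits mac_address.

    The record carries a MAC, but hostname becomes the primary locator and
    the MAC is not stored on the asset at all.
    """
    inv = AssetInventory(["ec2_id", "hostname", "internal_ip"])
    asset = inv.ingest({"mac_address": "00:1A:2B:3C:4D:5E", "hostname": "web01"})
    return asset.locators.get("mac_address")  # None: dropped, not associated


if __name__ == "__main__":
    print("uncredentialed assets:", dhcp_scenario(False))  # 1: wrongly merged
    print("credentialed assets:", dhcp_scenario(True))  # 2: kept apart
    print("custom order mac:", custom_order_ignores_mac())  # None
```

Running the block prints the asset counts for the two DHCP scans: one asset when only the reissued IP is available (two hosts collapsed into one record), two when the credentialed scan supplies a hostname that ranks above the internal IP.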

Understanding Locators in the Cisco Vulnerability Management UI

One indicator of how your primary locator list is working is the set of filters on the right-hand side of the Vulnerability Management Explore page. Look in the Asset Filters section for checkboxes that show how many assets were matched on each primary locator.

[Image: Primary_Locator.png]

Note: In this example, 1,634 assets have the MAC address as their primary locator: each was either created with a MAC address not seen before, or de-duplicated against an existing asset with the same MAC address.

Important: When you view assets on the Vulnerability Management Explore page, the top locator (in blue) is not the Primary Locator used to identify that asset, and the order in which the locators are listed is not the order used to de-duplicate assets. In the following example, the assets' Primary Locator is the MAC address, but the Hostname displays first.

[Image: Primary_Vuln_and_Fixes.png]

Use a MAC Address as a Locator

Although different vendors represent MAC addresses differently, MAC addresses are normalized in Cisco Vulnerability Management so that assets can be de-duplicated on a consistent MAC address form. As of August 11, 2021, this is the default setting for all new customers.

Important: If you became a customer before August 2021 and want to turn on MAC address normalization, contact CSE or Customer Support. Enabling normalization requires putting the environment into maintenance mode; connectors cannot run until the initial normalization process has completed. More importantly, after it is enabled, it cannot be disabled.

MAC Normalization Process

The MAC normalization process uses the following rules:

  • MAC addresses are normalized to colon-separated, all-capital hexadecimal form.
  • A MAC address must contain 12 hexadecimal characters (not counting separators) for normalization to work.
  • For assets that report a concatenated list of MAC addresses, the list is sorted lexicographically and only the first MAC address is kept and normalized.
  • When bad data (anything that is not a MAC address) is in the MAC address field and the asset has other locators, the asset is accepted and the MAC address field is then set to null.
  • When bad data is in the MAC address field and the asset has no other locators, Cisco Vulnerability Management:

    • Puts a placeholder hostname of "MAC ERROR: 'insert_bad_mac_here'" on the asset, where insert_bad_mac_here is the bad value that was received

    • Makes the Hostname the Primary Locator for that asset
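The normalization rules above, applied to a few constructed connector records, as an added example that is not Cisco Vulnerability Management code. Two details the page does not specify are assumed here: vendor separators (dashes, dots, colons) are stripped before the 12-digit check, and a concatenated list of MAC addresses is split on commas, semicolons or whitespace before it is sorted. The example also shows which field the de-duplication walk lands on after each rule has been applied.

```python
"""MAC address normalization rules, as an added example (not product code).

Assumptions: separators are stripped before the 12-hex-digit check, and a
concatenated list is split on commas, semicolons or whitespace.
"""
import re
from typing import Optional

_HEX12 = re.compile(r"^[0-9A-F]{12}$")
_LIST_SEPARATORS = re.compile(r"[,;\s]+")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as colon-separated upper-case hex, or None when the
    value does not hold exactly 12 hex digits (anything else is bad data)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_mac_in_list(raw: str) -> str:
    """Sort a concatenated list of MAC strings lexicographically, keep the first."""
    items = [item for item in _LIST_SEPARATORS.split(raw.strip()) if item]
    return sorted(items)[0] if items else ""


def apply_mac_rules(record: dict) -> dict:
    """Apply the rules to one connector record and return a new record.

    - valid MAC: stored in normalized form
    - bad MAC, other locators present: MAC field nulled, record otherwise kept
    - bad MAC, no other locators: MAC nulled and a placeholder hostname
      "MAC ERROR: '<bad value>'" added so the asset still has a locator
    """
    out = dict(record)
    raw = record.get("mac_address")
    if not raw:  # no value at all: nothing to normalize, walk moves on
        return out
    mac = normalize_mac(first_mac_in_list(raw))
    if mac is not None:
        out["mac_address"] = mac
        return out
    out["mac_address"] = None
    other_locators = any(v for k, v in record.items() if k != "mac_address")
    if not other_locators:
        out["hostname"] = f"MAC ERROR: '{raw}'"
    return out


def primary_locator(record: dict) -> Optional[str]:
    """Field the de-duplication walk lands on, using the default order."""
    order = ["container_id", "image_id", "ec2_id", "mac_address", "netbios",
             "external_ip", "hostname", "url", "file_name", "fqdn",
             "internal_ip", "scanner_asset_id", "database", "application"]
    for name in order:
        if record.get(name):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample records, one per rule.
    samples = [
        {"mac_address": "00-1a-2b-3c-4d-5e", "hostname": "web01"},
        {"mac_address": "00:1a:2b:3c:4d:5f, 00:1a:2b:3c:4d:5e"},
        {"mac_address": "not-a-mac", "hostname": "web02"},
        {"mac_address": "not-a-mac"},
    ]
    for rec in samples:
        out = apply_mac_rules(rec)
        print(rec, "->", out, "primary:", primary_locator(out))
```

The last sample is the case the list calls out: the only locator is unusable, so the record would otherwise have nothing to de-duplicate on; the placeholder hostname gives it one, and the walk then stops at Hostname.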
