Default Locator Order and Existing Assets
Cisco Vulnerability Management makes every attempt not to duplicate assets in an environment. The following list has the order of preference (from high to low) assigned to asset locator data, if an asset already exists in an environment.
1. Container identifier
2. Image identifier
3. EC2 identifier
4. MAC address
5. External IP address
6. File name
7. Fully qualified domain name (FQDN)
8. Internal IP address (RFC 1918)
9. Scanner-specific asset ID (e.g. Qualys host ID, Nexpose device ID)
Important: The Crowdstrike Connector comes with its own default locator order. For more information, see the Crowdstrike Connector.
When assets are processed during connector runs, Cisco Vulnerability Management starts at the top of the list with #1. If there is a value in that field, Cisco Vulnerability Management compares it to all existing assets. If Cisco Vulnerability Management finds a match, it updates the existing asset with the current information from that connector run. If Cisco Vulnerability Management doesn’t find a match, it creates a new asset.
The only way Cisco Vulnerability Management proceeds to #2 is if there is no value in that field. For example, if Cisco Vulnerability Management didn't receive a Container identifier, it moves to #2, Image identifier, and tries to compare on that data. If there is no Image identifier, Cisco Vulnerability Management moves to #3, EC2 identifier, and so on down the list until it finds a value to use for de-duplication.
In a Dynamic Host Configuration Protocol (DHCP) environment where internal IP addresses are reissued, use a credentialed scan to bring in more specific information for each asset, so that an IP address can be reissued to a different host without the two hosts being merged, because each is identified by another locator field. Also, ensure that the locator field is higher on the list than the IP address. For example, a "hostname" or a "MAC address" both rank above the internal IP address.
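The following is an added example, not Cisco's code, that models the de-duplication walk described above: the highest-ranked locator with a value is compared against every existing asset, and the DHCP scenario shows why a locator above the internal IP is needed. Field names and the sample assets are assumed/constructed.

```python
# Added example, not Cisco's code. Field names are assumed keys of an asset record.
DEFAULT_LOCATOR_ORDER = [
    "container_id", "image_id", "ec2_id", "mac_address", "external_ip",
    "file_name", "fqdn", "internal_ip", "scanner_asset_id",
]

def primary_locator(asset, order=DEFAULT_LOCATOR_ORDER):
    """Return (field, value) of the highest-ranked locator that has a value, else None."""
    for field in order:
        value = asset.get(field)
        if value:
            return field, value
    return None

def process_asset(inventory, incoming, order=DEFAULT_LOCATOR_ORDER):
    """Match the incoming asset on its primary locator only; update on a hit,
    otherwise create a new asset. Returns 'updated' or 'created'."""
    loc = primary_locator(incoming, order)
    if loc is None:
        raise ValueError("asset carries no locator value")
    field, value = loc
    for existing in inventory:
        if existing.get(field) == value:
            existing.update(incoming)          # refresh with this connector run's data
            existing["primary_locator"] = field
            return "updated"
    inventory.append(dict(incoming, primary_locator=field))
    return "created"

def dhcp_demo(credentialed):
    """Constructed data: two different hosts seen on the same reissued RFC 1918
    address. Without a higher-ranked locator (here an FQDN) they collapse into
    one asset. Returns (list of outcomes, number of assets in inventory)."""
    inventory = []
    first = {"internal_ip": "10.0.0.5"}
    second = {"internal_ip": "10.0.0.5"}
    if credentialed:
        first["fqdn"] = "web01.example.internal"
        second["fqdn"] = "db02.example.internal"
    outcomes = [process_asset(inventory, first), process_asset(inventory, second)]
    return outcomes, len(inventory)
```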
Custom Ordered Locators
You can adjust the default order for locators as a global setting, or you can adjust specific connectors. If you want to change your asset locator preference, contact Support. The Support team will help you assess the optimal custom locator order for your organization by doing an analysis to find the duplicate locators.
When using a custom order on the connector, all assets that the connector finds are de-duped according to that connector's order, and all other connectors are de-duped according to the client order.
Custom order locators aren't updated automatically to include Container and Image locators. If you are using custom order locators for the first time, contact Support to have them added to your custom list.
Note: If a locator is not present in the custom locator order, it isn't associated to the asset, even if you see a value for it. For a complete report of duplicate assets so you can do further analysis on how your primary locators are working, contact the Support team.
Understanding Locators in the Cisco Vulnerability Management UI
One indicator of how your primary locator list is working is the set of filters on the right-side panel. Look in Asset Filters for checkboxes that show how many assets were "matched" on each primary locator.
Note: In this example, 1,634 assets have the MAC address as their primary locator: each was either created as an asset with a new MAC address, or de-duplicated because it matched an existing asset with the same MAC address.
Important: When you are viewing assets in Explore, the top locator (in blue) does not correspond to the Primary Locator used to identify that asset. Also, the order of the locators listed does not correspond to the order being used to de-duplicate assets. In the following example, although the assets' Primary Locators are MAC addresses, the Hostname displays first.
Using a MAC Address as a Locator
Although different vendors represent MAC addresses differently, MAC addresses are "normalized" in Cisco Vulnerability Management, so that de-duplication can identify assets by a properly formatted MAC address. As of August 11, 2021, and for all new customers, this is the default setting.
Important: If you became a customer before August 2021 and you want to turn on MAC Address Normalization, contact CSE or Customer Support. Enabling normalization requires placing the environment in maintenance mode; connectors cannot run while the initial normalization process takes place. More importantly, after it is enabled, it cannot be disabled.
MAC Normalization Process
The MAC normalization process uses the following rules:
- MAC addresses are normalized to be colon separated and all capital letters.
- A MAC address must contain 12 characters for normalization to work.
- For assets with a list of concatenated MAC addresses, the list is sorted lexicographically (ordered), and then normalized to keep only the first MAC address.
When bad data (any value that is not a MAC address) is in the MAC address field and the asset has other locators, the asset is accepted and the MAC address field is nulled.
When bad data is in the MAC address field and the asset has no other locators, it:
- Puts in a placeholder hostname of "MAC ERROR: 'insert_bad_mac_here'"
- Makes the Hostname the Primary Locator for that asset
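The rules above as an added example, not Cisco's code: vendor formats are normalized to colon-separated uppercase, a concatenated list is sorted and only its first entry kept, and bad data is nulled or, when no other locator exists, replaced by the placeholder hostname. The list separator (comma or whitespace), the field names and the sample values are assumptions.

```python
import re

# Added example, not Cisco's code. Assumed field names; "hostname" stands for the
# FQDN locator. Listed in locator-order preference for picking a fallback primary.
OTHER_LOCATORS = ["container_id", "image_id", "ec2_id", "external_ip",
                  "file_name", "hostname", "internal_ip", "scanner_asset_id"]

def normalize_mac(raw):
    """Return 'AA:BB:CC:DD:EE:FF' for any common vendor form (aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff, aabbccddeeff), or None unless exactly 12 hex digits remain."""
    digits = re.sub(r"[:.\- ]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def normalize_mac_field(raw):
    """Handle a single MAC or a concatenated list (assumed comma/whitespace separated):
    sort the raw entries lexicographically and normalize only the first one."""
    tokens = [t for t in re.split(r"[,\s]+", (raw or "").strip()) if t]
    if not tokens:
        return None
    return normalize_mac(sorted(tokens)[0])

def apply_mac_rules(asset):
    """Normalize asset['mac_address'] in place and return the field that ends up
    as the asset's primary locator ('mac_address', another locator, or 'hostname')."""
    raw = asset.get("mac_address")
    normalized = normalize_mac_field(raw)
    if normalized:
        asset["mac_address"] = normalized
        return "mac_address"
    asset["mac_address"] = None                       # bad data: null the field
    for field in OTHER_LOCATORS:                      # other locators exist: accept as-is
        if asset.get(field):
            return field
    asset["hostname"] = f"MAC ERROR: '{raw}'"         # no other locator: placeholder
    return "hostname"
```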