Create Asset Identification Rules
Click to view navigation pane


Creating Asset Identification Rules

As mentioned in the feature activation step in the Third-Party Asset Import Workflow, contact the Technical Account Manager (TAM) to activate the third-party asset feature. Once done, you can create the asset identification rules to identify the third-party party assets scanned or discovered by various connectors, such as Webhook, Active Directory, and ServiceNow.

Before creating the asset identification rule, see the details that you can view from the Configuration Asset Identification Rules tab.

Asset Identification Rules tab detailsAsset Identification Rules tab details

Asset Identification Tab details.

(a) Create New Rule: Create a new asset identification rule.

(b) Reset: Retain only the default system-generated asset identification rules.

(c) Default system-generated rules: See the default system-generated rules that are created using specific identification attributes.

(d) Reorder: Reorder the asset identification rules.

Complete the following steps to create the asset identification rule:

1.  Navigate to Configuration > Asset Identification Rules tab, and click Create New Rule

2.  Enter the rule name.

3.  Select the checkboxes next to the required fields from the Available Fields section and click the single arrow key Single arrow key icon. icon. The fields are moved to the Selected Fields section. These fields are the attributes based on which you create the asset identification rule, and these attributes are used to identify whether the assets identified by third-party sources already exist in Qualys or not. 

The best practice is to select one field, not multiple, or at most two to three fields that are related closely, such as IP and Mac Address. When the rule is run, it MUST match ALL fields for the asset match to occur. But most of the time, you must enter only one field.

In the next step, the rules defined here are offered as selections in the Connectors application. For more information, refer to the Asset Identification Rule Selection section. From the Connectors application, you can specify the attributes required for the given Connector.

Note:
- To move the selected fields from the Available Fields section to Selected Fields section, click Single arrow key icon., and to do vice versa, click Reverse arrow key icon..
- To move all fields from the Available Fields section to Selected Fields section, click Double arrow key., and to do vice versa, click Reverse arrow key icon..

4.  Click the arrow next to the required connectors and select the connector sources. The assets scanned or discovered by these connectors are identified and imported into the CSAM inventory.

Note: 
- The Rule Applicability section is not visible if no connectors are created.

- The checkboxes next to all connectors are selected by default. You can clear the checkboxes if you don't want to choose the respective connectors.

- VMware ESXi version 1.0.0 is a prerequisite for the functioning of the VMware ESXi connector scanned asset import from CSAM. If the VMware ESXi connector is created from the Qualys Connector application, you can see the ESXI checkbox on the Create New Asset Identification Rule page. 

5.  Click Create.

Create new asset identification rule.

The rule is created, and you can view the rule details from the Configuration Asset Identification Rules tab. You can view, edit, or delete it from the "Quick Actions" menu of the respective rule.  Also, you can select multiple rules and delete them by selecting Delete from the Actions list.

Asset Identification Rules DetailsAsset Identification Rules Details

Asset identification rule created.

- From the Identification Attribute column, you can see the selected attributes for the rule. Two attributes are mentioned in the column. Click the link next to the attributes to see all the selected attributes. 

- From the Sources column, you can see the value All if you selected all connectors and Partial if you selected a couple of connector sources. 

- From the Connector column, you can see the value All if you selected all connectors from the connector sources and Partial if you selected a couple of connectors from the connector sources. 

Note: Suppose you don't select a couple of connector sources or connectors while creating the asset identification rule; you can see the list of those connectors and connector sources from the info icon next to the Partial status. 

- From the Created and Updated columns, you can see the values System for the default rules. For the rules you create, you can see the user name.

Third-Party Assets into CSAM InventoryThird-Party Assets into CSAM Inventory

After the assets are imported based on the asset identification rules selected for the respective connector, they are merged and shown in the CSAM inventory. You can see the connector sources, first found, and last seen details under the Sources column.

Third-party imported assets in inventory.

When you view the asset details, you can see the connector details, such as connector sources and connector names, on the Summary tab in the Sources section.

Summary tab.

When you click the Identification Log link, you can see the asset identification rule names, identification attributes, and the result about whether the asset single match, no match, or multi-match is found. Asset Group Rule Version count shows the number of times the rule is edited.

Asset Identification Log.

Source Native Key Rule:

The same asset is detected in the next sync from the same connector source and with the same connector source native key, then the default source native key rule is applied to it.

Source Native Key rule.

Qualys default asset ID rule:

If the Qualys asset ID is identified in the sync, the Qualys default asset ID rule gets applied.

Qualys Asset Default rule.
 

(a) On the "Asset Details" page, you can see a new tab for the respective connector source added under the Sources section. From this tab, you can see the connector created for that connector source and its custom and identification attribute details.

Note: If the asset is identified and imported into the CSAM inventory from multiple connectors, the tabs for the respective connectors are added.

(b) If multiple connectors are created, you can see an individual tab for each connector. 

Connector related tab.

What to do Next?

1.  Connectors CreationConnectors Creation

The Webhook, Active Directory, and ServiceNow connector sources are created from the Connectors application. You need to create the required connectors for the respective connector sources. For more information, see Create Active Directory Connector, Create ServiceNow Connector, Create Webhook Connector, and Create VMWare ESXi Connector.

2.  Asset Identification Rule Selection for ConnectorAsset Identification Rule Selection for Connector (Optional) 

You can specify the Asset Identification Rule for the connector from the Connectors application. 

Note: The toggles next to the default or system-generated and user-created asset identification rules are turned ON by default. If you want to exclude specific Asset Identification Rules, you can do it by turning the toggles OFF.

To find detailed information about how the identification rules logic work, how the newly identified assets are merged into the existing assets, and the logic that explains how single-match and multi-match assets are found, refer to Identification Rule Selection