Asset Configuration Settings

Description of Settings

The asset configuration page displays a table of existing asset configurations. The table can be sorted by columns and filtered using the Search input field. You can create a new configuration using the New asset config button and edit an existing one by clicking the Edit button in the Actions column of the selected configuration. If necessary, you can import a new configuration or export an existing one using the Import and Export buttons in the table header.

Managing Configurations

To create your own configuration or edit an existing one, click the New asset config button or click Edit in the Actions section. This will open the configuration creation form (editing a configuration is similar).

List of Fields in the Configuration

note

All fields are required.

The list of fields that make up the configuration being created:

• Common Settings - Common information about the asset (configuration name, asset name, category, index)
• Base Fields - Fields that constitute the main information about the asset
• Additional Fields - Fields that contain optional information about the asset
• Sources - A list of sources used to create the asset database, and also includes the creation of a mapping rule between source fields and base/additional fields
• Binding - Source fields where their relationship is configured
• Priorities - A rule that determines the priority of extracting base/additional fields from sources

tip

The Asset Name parameter supports tokens based on base and additional fields. Example usage: $hostname$ - $os$.

Adding a New Source

To add a source, click the Add Sources button. This will open a submenu that needs to be expanded for configuration.

Source configuration consists of the following items:

• Name - The name of the source
• Index - The index where the necessary information is stored
• Time Period - The period during which information is collected
  note

  The Time Period field specifies the value of the filter interval for the @timestamp field. The filter is used to limit the data sample from the source. The interval value is specified as a positive number of time units, such as 90d (90 days), 24h (24 hours), 15m (15 minutes). The following time units are supported: m - minute, h - hour, d - day, w - week, M - month, y - year. More information about time units can be found in the OpenSearch documentation. If the value is specified incorrectly, the Inventory Processor will log an error message and apply the value 1h (1 hour). If the time interval is specified in minutes, the right boundary of the filter corresponds to the current moment (now); otherwise, the right boundary is equal to the beginning of the previous hour (now-1h/h). The left boundary is calculated as the difference between the right boundary and the time interval. The filter includes all source documents whose @timestamp is greater than or equal to the left boundary and less than or equal to the right boundary of the filter.

• Mapping - The mapping used to map fields from the source to the fields specified in the Base Fields and Additional Fields parameters

note

Use the Add field button to add to the mapping.

Binding

To fill in the information for key fields, click the Add Binding button. This will open a submenu that needs to be expanded for configuration.

Key field configuration consists of the following items:

• Sources - Which sources need to be linked
• Fields - Selection of fields that were specified in the Base Fields and Additional Fields parameters

Prioritization

To fill in the prioritization information, click the Add Priority button. This will open a submenu that needs to be expanded for configuration.

Priority configuration consists of the following items:

• Field - Which field the priority is for
• Priority Order - Extraction of the field from the source according to the specified priority
• To add to the prioritization rule, click the Add Source button.

note

The Priority Level indicates the order in which the field is extracted from the source. The field value from the source with the lowest priority level will be extracted first. If the same priorities are set, the field in the asset will be represented as an array.

Configuration Process

To navigate to the configuration list page, select Assets in the navigation menu under Inventory.

To configure a configuration, click the New asset config button or click Edit in the Actions section. This will take you to the configuration settings form.

After navigating to the form, fill in the fields in the Common Settings tab, then define the base and additional fields in the Fields tab.

note

The base field coefficient determines the degree of influence of the field on the similarity of two assets. It is used when an asset is obtained from source events and a decision needs to be made whether to create a new asset in the database or update an existing one. The decision is made by calculating the similarity coefficient of two assets.

Similarity is determined through the similarity coefficient k calculated using the formula k = c/(a+b-c), where:

• c - the number of matching base fields in the existing and new asset
• a - the number of base fields in the existing asset
• b - the number of base fields in the new asset.

Assets are considered similar if k >= 0.5 with b <= 5 or if k >= 0.554 with b > 5. The base field coefficient multiplies the presence of the field in the sums a, b, and c. If the coefficient is 0, the field is not considered in the sums. If the coefficient is 1, the field is considered in the sums once. If the coefficient is specified as n, the field will be considered in the sums n times.

In the Sources tab, add the necessary sources and fill them in.

In the Binding tab, link the sources and fields if necessary.

Then go to the Priorities tab and configure the field priorities.

When all the necessary settings are configured, click the Save button. You will then be automatically redirected to the configuration list page and receive a corresponding notification.