Cyber Asset Management
Reconciliation and correlation
When several tools report the same machine, ThreatWeaver has to decide when two records are really the same asset — and when they're genuinely different. These screens are where you review those decisions, tune the rules behind them, compare what each source says, and teach ThreatWeaver how your environment names things so the matching gets it right on its own.
What it's for
- Clean up duplicates — review possible duplicate records and merge or separate them, with every decision logged.
- Resolve conflicts — see where sources disagree about the same asset and decide what to do.
- Tune the matching — adjust how confidently a shared serial number, hostname, or address ties two records together.
- Teach the system your environment — answer a short questionnaire so matching fits how you name and manage machines.
The screens in it
- Reconciliation — the workspace for reviewing and resolving duplicate and conflicting records.
- Correlation Rules — the match-strength settings for each identity signal.
- Compare by Signal — a read-only diagnostic for finding records that share a value.
- Identity & Matching — the guided setup that tunes matching to your environment.
Recording merges, flagging records, changing rules, and saving matching settings are administrator actions — though not necessarily granted together. Reconciliation decisions and Correlation Rule changes are governed by two separate permissions, so a role can be given access to one without the other.
Reconciliation
The Reconciliation screen is organized into tabs, each with a count of what's waiting there.
| Tab | What it shows |
|---|---|
| Overview | Summary cards (active assets, single- vs multi-source, stale, missing hostname or IP) and a per-source coverage table. |
| Review queue | Record pairs ThreatWeaver thinks might be the same asset, awaiting your decision. |
| Conflicts | Multi-source assets where the sources disagree on a field. |
| Unmanaged | Discovery-only records that need you to classify them. |
| Applied merges | A log of merges already made, each reversible. |
The review queue
Above the table, a search box filters the queue by hostname, FQDN, IP, or native ID, and an AI dropdown (All, AI reviewed, Not reviewed) narrows it to items that already carry an AI suggestion, with a running AI-reviewed count next to it. Once the queue is longer than a page, it's paginated — use Previous / Next to page through it.
Each row in the Identity review queue explains why it's in the queue and shows the candidate record next to its possible match, with the evidence for each. Depending on the row, you can:
- Merge the records (you pick which one survives).
- Mark distinct to confirm they're genuinely different assets.
- Attach here to tie a stray source record to the right asset, or Create new asset / Suppress source record if none fit.
Recording a decision by hand asks for a short reason and is permanent and audited. When AI assistance is enabled, each row can carry an AI suggestion (merge, distinct, or investigate, with a confidence level and rationale) that you can review before acting — the suggestion never acts on its own. AI bulk review can pre-generate suggestions across the queue.
Applying an AI suggestion straight from its panel records the AI's own rationale as the reason automatically, so that path skips the manual reason prompt. If you instead review the suggestion and then merge or mark distinct through the regular buttons, you're still asked for a reason as usual.
A merge decision doesn't consolidate the records the instant you confirm it — it's queued for a background worker to apply safely. When merges are waiting, a pending application count appears above the queue with an Apply now button so an administrator can apply them immediately instead of waiting for the worker. Mark distinct and the other non-merge actions resolve right away.
Conflicts
The Conflicts tab (Source evidence differences) groups multi-source assets where sources disagree — for example two tools reporting different operating systems for the same host. Each card shows an evidence matrix of what every source reported. You can Flag for review to send it to the review queue, or use Investigate to jump to Compare by Signal for a specific field value. Where AI is enabled, AI explain offers a plain-English read of the disagreement.
Unmanaged
The Unmanaged tab is a workspace for discovery-only records — assets a tool noticed but that aren't managed endpoints. The header lays out a four-step path: Review discovery → Preview action → Apply overlay → Reverse if needed. For each item you Preview an action (claim it, classify it, or ignore it), then, if it looks right, enter an operator reason and Apply triage. Every applied overlay is reversible.
Applied merges
The Applied merges tab lists merges that have already happened — the surviving record, what was merged into it, who applied it, and when. Because merges are non-destructive, an administrator can Reverse one, and the reversal is itself audited.
Workflow: merge two duplicate records
-
Open Reconciliation and go to the Review queue tab.
Step 1 — the review queue -
Find a pair that's clearly the same machine and click Merge.
-
Choose which record should survive (the others merge into it), enter a reason, and confirm.
Step 3 — choosing the surviving record and giving a reason -
The merge is queued for the background worker to consolidate the records safely — or, if you don't want to wait, click Apply now above the review queue to apply it immediately. Either way, once it's applied it appears under Applied merges, where it can be reversed later if needed.
Correlation Rules
Correlation Rules control how confidently a shared identity signal ties two records together. Every asset carries signals — a serial number, a MAC address, a hostname, an IP — and each signal has a default match strength. A rule lets you override that default for your environment.
The rules table lists each Signal, its Match strength (Certain, High, Medium, or Low), any Source filter, where the rule came from, and its status. To add one, click New rule and choose:
- Signal — the identity signal to adjust: Serial number match, Cloud instance ID match, MAC address match, FQDN match, Hostname + OS family match, Hostname-only match, IPv4 address match, or Fuzzy hostname match.
- Match strength — how strongly that signal should count, from 0 to 1.
- Source type filter (optional) — limit the rule to one kind of source.
- Description — a note for the audit trail (recommended).
For example, if your virtual machines recycle MAC addresses, you might lower the strength of MAC address match so a shared MAC alone never auto-merges two records. Existing rules can be locked, disabled, edited, or deleted by an administrator; without those permissions the page is read-only.
Rule status
Each rule's Status tells you whether it's actually shaping matching right now:
| Status | Meaning |
|---|---|
| Effective | Active and currently used to score matches for its signal. |
| Shadowed | A higher-precedence rule for the same signal is in effect instead, so this one currently has no effect. |
| Manual off | An administrator turned this specific rule off. |
| Disabled | Not active — for example, a generated rule that's been superseded. |
| Retired | Retired and kept only for history. |
Rules you create by hand take precedence over ones generated from Trust setup or the profiler, which is why a generated rule can show as Shadowed once you add your own for the same signal.
Compare by Signal
Compare by Signal is a quick, read-only diagnostic: pick an identity signal and see which asset records share the same value — a fast way to spot likely duplicates.
- Choose a Signal to compare — Private IP (IPv4), MAC address, Hostname (short), FQDN, or Serial number.
- Click Compare.
Summary cards show the total asset records, the count of unique values, and how many groups share a value. The table lists each shared value with how many records and sources carry it; expand a row to see the individual records. A Review in Reconciliation link on any group opens Reconciliation's Conflicts tab, scoped to that value, with a banner explaining why you landed there — from there you can flag individual records for review or work any matching items already sitting in the review queue. Compare by Signal only shows the overlaps — to actually merge or separate records, use Reconciliation.
Identity & Matching
Identity & Matching is the guided home for teaching ThreatWeaver how your environment names and manages machines, so matching gets it right automatically. It has four tabs.
- Onboarding — pick the environment shape closest to yours (for example AD-managed enterprise, Cloud-native, Mac-heavy / Jamf, Cloud / Linux servers, or Workgroup / manual CSV). Each archetype recommends which sources to connect and can pre-fill the setup form.
- Trust setup — a short questionnaire about how you name and manage assets, answered for your organization defaults or per connector. As you answer, ThreatWeaver suggests matching rules and shows a preview of what will change before you Save. A profiler panel — What your data says — measures how unique and complete each signal actually is in your data and turns that into recommendations you can accept with one click.
- Matching rules — the same Correlation Rules described above, embedded here for convenience.
- Trust Center — governs how much automation you allow. Each capability can be set to Off (no suggestions) or Suggest (human-reviewed recommendations). Auto is also available today for the identity data profiler specifically — it lets ThreatWeaver turn the profiler's own recommendations directly into matching rules without you accepting each one — while most other capabilities still show Auto as not yet available for them. Every change is audited and reversible.
Workflow: tune matching for your environment
-
Open Identity & Matching and, on the Onboarding tab, choose the environment shape closest to yours, then stage it in Trust setup.
Step 1 — picking an environment shape -
On Trust setup, answer the questionnaire and review the suggested matching rules and the change preview.
-
Accept the suggestions you agree with and click Save.
Step 3 — reviewing suggested rules before saving -
Over time, use Compute now in the profiler panel to let real data confirm or refine your answers.