IBM Support

IJ04902: GEOGRAPHIC RULE TESTS CONTAINING COUNTRIES WITH SPACES IN THEIR NAMES (MULTIPLE WORDS) ARE NOT BEING MATCHED

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that rule tests for geographic locations
    that contain countries with spaces in their names (multiple
    words) are not being matched.
    For example:
    Create an event rule
    -Give the rule a name
    -Rule Test: when the source is located in this geographic
    location
    -For the geographic location, choose:
    Asia.Hong_Kong_S.A.R_of_China or NorthAmerica.UnitedStates
    -Next
    -Check the box: Add to a Reference Set
    -Choose the Source IP for the first drop down
    -Click the Configure Reference Sets button beside the refresh
    button
    -Create a Reference Set (IP or Alphanumeric)
    -Close the Reference Set window
    -Make sure the rule wizard chose the new Reference Set
    -Check the box to Enable the rule right away
    Check the Reference Set.
    Result: Reference Set is never populated with the Source IP
    address if there were events processed from Hong Kong or United
    States.
    Using NorthAmerica.Canada or Europe.Denmark - Both countries
    populate the reference set as expected when events are
    processed.
    

Local fix

  • Only use the continent (eg. NorthAmerica).  Do not go down to
    the specific country level.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 patch 6.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 patch 6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ04902

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-13

  • Closed date

    2018-09-18

  • Last modified date

    2018-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
18 September 2018