IBM Support

IJ05592: NETWORK NAME AND EVENT 'DIRECTION' CAN BE DISPLAYED INCORRECTLY WHEN EVENTS CONTAIN IPV6 ADDRESSES

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified in QRadar 7.3.1 that the Source Network
    and Destination Network fields are populated with matching
    Network Hierarchy entries based off of IPv6 first (if it
    exists) and IPv4 second.
    For example:
    If there is a Source IPv4 address that matches something in the
    Network Hierarchy, and in the same event there is also a Source
    IPv6 address, then the IPv6 address is used to do the Network
    Hierarchy lookup.
    If there are no IPv6 addresses defined in the Network
    Hierarchy, then the Source Network is set to 'Other' and the
    source is classified as "remote".
    This behavior is also the case for Destination fields.
    

Local fix

  • Define IPv6 entries in the Network Hierarchy of QRadar.
    Admin -> Network Hierarchy
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 patch 6.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 patch 6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ05592

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-09

  • Closed date

    2018-09-18

  • Last modified date

    2018-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 September 2018