IBM Support

QRadar: Symantec Endpoint Protection Source IP does not match information in payload

Question & Answer


Why does the Source IP of a Symantec Endpoint Protection event not match what is in the payload?


Events are interpreted based on whether they are Inbound or Outbound


Symantec Endpoint Protection traffic events are parsed according to whether they are Inbound or Outbound. The Local fields in the payload describe the protected endpoint and the Remote fields describe its peer; the direction field tells QRadar which side originated the traffic. For an Inbound event the Source IP is set to the Remote IP in the payload and the Destination IP to the Local IP. For an Outbound event the Source IP is set to the Local IP and the Destination IP to the Remote IP. This is intentional and is not a parsing error.

Example payload:

<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,Local: 96.x.x.x,Local: 0,Local: 01005E000001,Remote: 180.x.x.x,Remote: ,Remote: 0,Remote: 0024975F762B,8,Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,Occurrences: 1,Application: ,Rule: Allow IGMP traffic,Location: IBM VPN,User: *******,Domain: ADMIN-test,Action: Allowed

The payload above will show up in QRadar with a Source IP of 180.x.x.x and a Destination IP of 96.x.x.x because the event is Inbound: the Remote IP (180.x.x.x) is the originator and becomes the Source IP, and the Local IP (96.x.x.x) becomes the Destination IP. Had the same payload been marked Outbound, the two addresses would be swapped.
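The following Python script is an added example, not code from this IBM page or from QRadar's own Symantec Endpoint Protection DSM. It parses raw SEP syslog lines and applies the mapping described above so that you can predict, before an event reaches QRadar, which address will appear as Source and which as Destination. The first sample line is the payload quoted on this page (addresses masked as in the original); the second, Outbound, line is constructed for this example using RFC 5737 documentation addresses. The positional layout of the repeated Local:/Remote: fields (IP, port, MAC for Local; IP, host, port, MAC for Remote) is inferred from that payload and is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Syslog header as seen in the page's payload: <PRI>Mon DD HH:MM:SS host tag: body
_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$"
)

# Positional meaning of the repeated "Local:" / "Remote:" fields. Inferred from
# the page's sample payload; this layout is an assumption of the example.
_LOCAL_LAYOUT = ("ip", "port", "mac")
_REMOTE_LAYOUT = ("ip", "host", "port", "mac")


@dataclass
class SepTrafficEvent:
    direction: str           # "Inbound" or "Outbound"
    local: Dict[str, str]    # the protected endpoint
    remote: Dict[str, str]   # its peer
    attrs: Dict[str, str]    # remaining "Key: value" fields (Rule, Action, ...)

    def _oriented(self) -> Tuple[Dict[str, str], Dict[str, str]]:
        # QRadar's rule: an Inbound event originates at the peer, so Remote is the
        # source and Local the destination; an Outbound event is the reverse.
        if self.direction == "Inbound":
            return self.remote, self.local
        return self.local, self.remote

    @property
    def source(self) -> Dict[str, str]:
        return self._oriented()[0]

    @property
    def destination(self) -> Dict[str, str]:
        return self._oriented()[1]


def parse_sep_traffic_event(line: str) -> SepTrafficEvent:
    """Parse one SEP firewall traffic event; raise ValueError on anything unexpected."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a '<PRI>timestamp host tag: body' syslog line")
    fields = m.group("body").split(",")

    local_vals = [f[len("Local: "):] for f in fields if f.startswith("Local: ")]
    remote_vals = [f[len("Remote: "):] for f in fields if f.startswith("Remote: ")]
    if len(local_vals) < len(_LOCAL_LAYOUT) or len(remote_vals) < len(_REMOTE_LAYOUT):
        raise ValueError("missing Local:/Remote: fields; not a traffic event?")

    direction = next((f for f in fields if f in ("Inbound", "Outbound")), None)
    if direction is None:
        # Without a direction there is no way to decide which side is the source;
        # refuse rather than guess.
        raise ValueError("no Inbound/Outbound field in payload")

    attrs: Dict[str, str] = {}
    for f in fields:
        key, sep, value = f.partition(": ")
        if sep and key not in ("Local", "Remote"):
            attrs[key] = value.strip()

    return SepTrafficEvent(
        direction=direction,
        local=dict(zip(_LOCAL_LAYOUT, local_vals)),
        remote=dict(zip(_REMOTE_LAYOUT, remote_vals)),
        attrs=attrs,
    )


def normalize(line: str) -> Dict[str, str]:
    """Return the QRadar-style (Source/Destination) view of one payload."""
    ev = parse_sep_traffic_event(line)
    return {
        "direction": ev.direction,
        "source_ip": ev.source["ip"],
        "source_port": ev.source["port"],
        "destination_ip": ev.destination["ip"],
        "destination_port": ev.destination["port"],
        "rule": ev.attrs.get("Rule", ""),
        "action": ev.attrs.get("Action", ""),
    }


# Sample input. PAGE_PAYLOAD is the Inbound event quoted on this page (IPs masked as
# in the original). OUTBOUND_PAYLOAD is constructed for this example with RFC 5737
# documentation addresses and is not a real Symantec log line.
PAGE_PAYLOAD = (
    "<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,Local: 96.x.x.x,Local: 0,"
    "Local: 01005E000001,Remote: 180.x.x.x,Remote: ,Remote: 0,Remote: 0024975F762B,8,"
    "Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,Occurrences: 1,"
    "Application: ,Rule: Allow IGMP traffic,Location: IBM VPN,User: *******,"
    "Domain: ADMIN-test,Action: Allowed"
)
OUTBOUND_PAYLOAD = (
    "<50>Nov 11 18:02:11 SymantecServer test08: ADMIN-test,Local: 192.0.2.10,Local: 51234,"
    "Local: 01005E000001,Remote: 198.51.100.20,Remote: ,Remote: 443,Remote: 0024975F762B,6,"
    "Outbound,Begin: 2015-11-10 22:40:00,End: 2015-11-10 22:40:00,Occurrences: 1,"
    "Application: browser.exe,Rule: Allow HTTPS,Location: IBM VPN,User: *******,"
    "Domain: ADMIN-test,Action: Allowed"
)

if __name__ == "__main__":
    for sample in (PAGE_PAYLOAD, OUTBOUND_PAYLOAD):
        print(normalize(sample))
```

Running the script prints the page's Inbound event with Source 180.x.x.x and Destination 96.x.x.x, and the constructed Outbound event with Source 192.0.2.10:51234 and Destination 198.51.100.20:443. When writing custom rules or searches against these events, filter on the direction together with the address rather than assuming the Local host is always the source.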


Product: IBM Security QRadar SIEM (SSBQAC); Component: General Information; Platform: Linux; Version: 7.2; Line of Business: Security Software

Document Information

Modified date:
31 August 2018