Question & Answer
Question
Why does the Source IP for a Symantec Endpoint Protection event not match what is in the payload?
Cause
Events are interpreted based on whether they are Inbound or Outbound.
Answer
Symantec Endpoint Protection events are parsed according to whether they are Inbound or Outbound. For Inbound events, the Source IP is set to the Remote IP inside the payload. For Outbound events, the Source IP is set to the Local IP inside the payload. This is intentional: the source of the traffic is the side that initiated it, so an inbound connection originates at the remote host and an outbound connection originates at the local host.
Example payload:
<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,Local: 96.x.x.x,Local: 0,Local: 01005E000001,Remote: 180.x.x.x,Remote: ,Remote: 0,Remote: 0024975F762B,8,Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,Occurrences: 1,Application: ,Rule: Allow IGMP traffic,Location: IBM VPN,User: *******,Domain: ADMIN-test,Action: Allowed
The payload above will show up in QRadar with a Source IP of 180.x.x.x and a Destination IP of 96.x.x.x because the event is Inbound.
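The following parser is an added example, not code from IBM or from the QRadar Symantec Endpoint Protection DSM. It shows how the direction field decides which payload address becomes the Source IP and which becomes the Destination IP. The two sample payloads are constructed and use documentation addresses (192.0.2.10 for the local side, 198.51.100.20 for the remote side); the layout of fields follows the technote example, and the assumption that the first "Local:" and first "Remote:" fields carry the IP addresses, and that no field value itself contains a comma, is mine rather than anything the technote states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Syslog header as in the technote example: "<PRI>Mon DD HH:MM:SS SymantecServer <host>: <body>"
_HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"SymantecServer\s+(?P<host>\S+):\s*(?P<body>.*)$"
)

# Constructed sample events (not real traffic). Same field layout as the technote payload,
# with documentation addresses in place of the masked 96.x.x.x / 180.x.x.x values.
INBOUND_EVENT = (
    "<50>Nov 11 17:57:58 SymantecServer test08: ADMIN-test,Local: 192.0.2.10,Local: 0,"
    "Local: 01005E000001,Remote: 198.51.100.20,Remote: ,Remote: 0,Remote: 0024975F762B,8,"
    "Inbound,Begin: 2015-11-10 22:35:30,End: 2015-11-10 22:35:30,Occurrences: 1,"
    "Application: ,Rule: Allow IGMP traffic,Location: IBM VPN,User: *******,"
    "Domain: ADMIN-test,Action: Allowed"
)
OUTBOUND_EVENT = INBOUND_EVENT.replace(",Inbound,", ",Outbound,").replace(
    "Rule: Allow IGMP traffic", "Rule: Block outbound SMB"
).replace("Action: Allowed", "Action: Blocked")


@dataclass
class SepEvent:
    host: str                      # reporting SEP manager host from the syslog header
    direction: Optional[str]       # "Inbound" / "Outbound" as found in the payload, else None
    local_ip: Optional[str]        # value of the first "Local:" field
    remote_ip: Optional[str]       # value of the first "Remote:" field
    source_ip: Optional[str]       # address QRadar shows as Source IP
    destination_ip: Optional[str]  # address QRadar shows as Destination IP
    fields: Dict[str, str] = field(default_factory=dict)  # first value of each "Key: value" field


def normalise_direction(direction: Optional[str], local_ip: Optional[str],
                        remote_ip: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Apply the rule from the technote: Inbound -> Source = Remote, Outbound -> Source = Local.

    An event whose direction is neither value gets no source/destination, so the caller can
    see that the mapping was not applied instead of silently guessing a side.
    """
    if direction == "Inbound":
        return remote_ip, local_ip
    if direction == "Outbound":
        return local_ip, remote_ip
    return None, None


def parse_sep_event(line: str) -> SepEvent:
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a SymantecServer syslog line")

    local_ip = remote_ip = direction = None
    fields: Dict[str, str] = {}
    # Assumption: fields are comma separated and no value contains a comma.
    for part in (p.strip() for p in m.group("body").split(",")):
        if part in ("Inbound", "Outbound"):
            direction = part
            continue
        key, sep, value = part.partition(":")
        if not sep:
            continue  # positional fields such as the domain name or the bare "8"
        key, value = key.strip(), value.strip()
        fields.setdefault(key, value)  # "Local"/"Remote" repeat; keep the first (the address)
        if key == "Local" and local_ip is None:
            local_ip = value
        elif key == "Remote" and remote_ip is None:
            remote_ip = value

    source_ip, destination_ip = normalise_direction(direction, local_ip, remote_ip)
    return SepEvent(m.group("host"), direction, local_ip, remote_ip,
                    source_ip, destination_ip, fields)


if __name__ == "__main__":
    for raw in (INBOUND_EVENT, OUTBOUND_EVENT):
        ev = parse_sep_event(raw)
        print(f"{ev.direction:8} src={ev.source_ip:15} dst={ev.destination_ip:15} "
              f"rule={ev.fields['Rule']!r} action={ev.fields['Action']}")
```

Running the module prints the Inbound event with 198.51.100.20 as source and 192.0.2.10 as destination, and the Outbound event the other way round, which is exactly the swap described above. When a rule name containing a comma appears in production data, the simple split would shift every later field by one; a DSM that has to be robust against that would need to parse the fixed-position header fields before splitting the free-text remainder.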
Document Information
Modified date: 31 August 2018
UID: swg21970843