Question & Answer
Are the flags displayed in the Log Activity and the Network Activity tabs that of the registrant country of the IP address?
There are two different pieces of geographic location information available for each IP address: Location and Registrant Country. In some circumstances, IP addresses registered in one country might be in use in other countries.
For example, the IP address ranges in use by IBM are registered in the USA by IBM. However, IBM, being a global company, has servers in many places around the world. If you are viewing an event or a flow involving such a server, you would notice that these two fields differ.
To investigate the geographical location information for an IP address, select the event or flow and right-click the IP address. From the menu that is displayed, click More Options > Plugin options > X-Force Exchange Lookup. A new browser window with X-Force IP Report is displayed.
The report includes the two pieces of geographic information that might be available for each IP address:
Location: The location information for the IP address is the last known location in the world from which the IP address is communicating with the rest of the internet.
Registrant Country: The Registrant Country information for the IP address is the country where the IP address registrant registered the IP address.
For QRadar version 7.3.0 and above:
Only the registered location of the IP address, as provided by MaxMind, is used to identify the flag.
For QRadar versions earlier than 7.3.0:
If the Location and Registrant Country differ, the flag that is displayed in the UI is based on the Location information, and not on the Registrant Country information.
16 June 2018