IBM Support

QRadar: Source or Destination Network is displayed as other

Troubleshooting


Problem

In some instances, the Source Network or Destination Network field does not display a network from the network hierarchy and shows 'other' instead. This problem is generally noticed when investigating offenses or analyzing logs in Log Activity.

Symptom

These symptoms are seen as part of this issue:
  1. Source Network or Destination Network in Log Activity does not show the expected network hierarchy object and is displayed as 'other' instead.
  2. Remote to Local and Local to Remote logic does not work as expected, because an address tagged 'other' is not treated as local; rules that test for local or remote traffic can misfire as a result.
Before Change

Cause

This issue can happen when these three conditions are met:

  1. An IPv6 address is present in an event along with an IPv4 address.
  2. The IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 parameter is set to FALSE in nva.conf.
  3. The IPv6 address is not defined in the network hierarchy.

With that parameter set to FALSE, the IPv6 address in an event takes precedence over the IPv4 address when QRadar maps the event to the network hierarchy. If the IPv6 address is not covered by any network hierarchy object, QRadar tags the network as 'other', even though the IPv4 address in the same event would have matched.

For example, in the following Windows event payload, the OriginatingComputer field carries an IPv4 address, while the Source Network Address field carries an IPv6 address. Note that the IPv6 address is a link-local address (fe80::/10), which is rarely defined in a network hierarchy:

Aug 04 16:30:21 info-EX8.example.com AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing Computer=info-ex8.example.com 
OriginatingComputer=10.10.110.18 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 RecordNumber=39589905 TimeGenerated=1659610741 TimeWritten=1659610741 
Level=Log Always Keywords=Audit Success Task=SE_ADT_LOGON_LOGON Opcode=Info Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  
Logon Type:   3  Impersonation Level:  Impersonation  New Logon:  Security ID:  EXAMPLE\HealthMailbox4eba3e5  Account Name:  HealthMailbox4eba3e5  Account Domain:  EXAMPLE  Logon ID:  0xCE2B234A  
Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: INFO-EX8  Source Network Address: fe80::3598:e361:5d9:16ae  
Source Port:  24190  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V2  Key Length:  0  


The IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting decides whether the IPv4 address takes priority or the IPv6 address:

# grep IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 /opt/qradar/conf/nva.conf
IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE


In this case, the IPv6 address takes precedence. Assume that the IPv6 address is not defined in the network hierarchy but the IPv4 address is. Because of the missing IPv6 definition, QRadar tags the Source Network as 'other', and the IPv4 address is never consulted.


Diagnosing The Problem

Use these steps to diagnose the problem:
  1. For an event that shows the Source Network or Destination Network as 'other', examine the payload and check whether the source or destination fields carry both an IPv4 and an IPv6 address.
  2. Check whether the network hierarchy includes the IPv4 address but does not include the IPv6 address.
  3. Confirm that IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 in nva.conf is set to FALSE:
     
    # grep IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 /opt/qradar/conf/nva.conf
    IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE
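The following script is an added example and is not part of this article or of QRadar itself. It automates step 1 of the diagnosis: it pulls every IPv4 and IPv6 address out of a raw event payload, flags link-local IPv6 addresses, and reports whether the event carries both address families, which is the precondition for the 'other' tag. The sample payload is the article's Windows event trimmed to the relevant fields; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not IBM's code): triage one event payload for the IPv4 + IPv6
# mix that, together with IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE and a
# hierarchy that lacks the IPv6 address, produces a Source Network of 'other'.

# Constructed sample: the article's Windows event, trimmed to the relevant fields.
SAMPLE_PAYLOAD='Aug 04 16:30:21 info-EX8.example.com AgentDevice=WindowsLog PluginVersion=7.3.1.22 OriginatingComputer=10.10.110.18 EventID=4624 Message=An account was successfully logged on. Network Information: Workstation Name: INFO-EX8 Source Network Address: fe80::3598:e361:5d9:16ae Source Port: 24190'

# IPv4 addresses in the payload, one per line. Version strings such as
# PluginVersion=7.3.1.22 look like dotted quads, so those fields are dropped
# first, and every octet is checked to be below 256.
ipv4_addrs() {
    printf '%s\n' "$1" \
        | sed -E 's/[A-Za-z]*Version=[^ ]*//g' \
        | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
        | awk -F. '$1<256 && $2<256 && $3<256 && $4<256' \
        | sort -u
    return 0
}

# IPv6 addresses in the payload, one per line. The regex accepts "::"
# compression; the final filter drops hh:mm:ss timestamps, which otherwise
# match the same shape (the syslog header in the sample is one).
ipv6_addrs() {
    printf '%s\n' "$1" \
        | grep -oiE '\b([0-9a-f]{0,4}:){2,7}[0-9a-f]{1,4}\b' \
        | grep -vE '^[0-9]{1,2}:[0-9]{2}:[0-9]{2}$' \
        | sort -u
    return 0
}

# Exit 0 when the address is link-local (fe80::/10). Link-local addresses are
# rarely part of a network hierarchy, so an event like the sample is tagged
# 'other' as soon as the IPv6 address wins the precedence check.
ipv6_is_link_local() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fe8?:*|fe9?:*|fea?:*|feb?:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for one payload: "mixed" when both families are present (the case
# this article describes), otherwise "ipv4-only", "ipv6-only" or "none".
payload_verdict() {
    v4=$(ipv4_addrs "$1"); v6=$(ipv6_addrs "$1")
    if [ -n "$v4" ] && [ -n "$v6" ]; then echo mixed
    elif [ -n "$v4" ]; then echo ipv4-only
    elif [ -n "$v6" ]; then echo ipv6-only
    else echo none
    fi
}

# Usage: report the findings for the sample payload.
echo "IPv4: $(ipv4_addrs "$SAMPLE_PAYLOAD" | tr '\n' ' ')"
echo "IPv6: $(ipv6_addrs "$SAMPLE_PAYLOAD" | tr '\n' ' ')"
for a in $(ipv6_addrs "$SAMPLE_PAYLOAD"); do
    ipv6_is_link_local "$a" && echo "note: $a is link-local (fe80::/10)"
done
echo "verdict: $(payload_verdict "$SAMPLE_PAYLOAD")"
```

A verdict of "mixed" on an event tagged 'other' means the next two diagnosis steps apply; an "ipv4-only" event tagged 'other' points at a plain network hierarchy gap instead, and this parameter is not the cause.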

Resolving The Problem

You can correct this behavior by changing the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting in nva.conf to give priority to the IPv4 address over the IPv6 address. This is a global setting: after the change, every event that carries both an IPv4 and an IPv6 address is mapped to the network hierarchy by its IPv4 address.

NOTE: Another option is to have the IPv6 address added to the Network Hierarchy. If that is done, there is no need to change the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 parameter.


To change the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting, use these steps. The file is edited under /store/configservices/staging/globalconfig, the staging copy that a deploy pushes out to /opt/qradar/conf on each host; editing /opt/qradar/conf/nva.conf directly would be overwritten by the next deploy.

  1. Back up the nva.conf file by using this command:  
     
    # cp /store/configservices/staging/globalconfig/nva.conf /store/configservices/staging/globalconfig/nva.conf.backup
  2. Run this command to set the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 to TRUE:
     
    # sed -i 's/IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6\=FALSE/IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6\=TRUE/g' /store/configservices/staging/globalconfig/nva.conf
  3. Validate the change by using this command:
     
    # diff /store/configservices/staging/globalconfig/nva.conf /store/configservices/staging/globalconfig/nva.conf.backup

    The output looks like this:
     
    177c177
    < IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=TRUE
    ---
    > IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE
  4. Run a Full Deploy (Admin tab > Advanced > Deploy Full Configuration) so that services are restarted and the parameter takes effect. A Full Deploy restarts event processing, so schedule it for a maintenance window where possible.
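The following script is an added example and is not part of this article or of QRadar. It wraps steps 1 to 3 above in one re-runnable function that takes the path of the nva.conf to edit as an argument, so the change can be rehearsed on a copy before it is applied to /store/configservices/staging/globalconfig/nva.conf. The demo at the bottom runs against a constructed three-line file in a temporary directory; the function names and the sample keys are this example's own, and step 4 (the Full Deploy) still has to be done from the Admin tab.

```sh
#!/bin/sh
# Added example (not IBM's code): back up nva.conf, set
# IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=TRUE, and print the resulting value.
# Usage on the console: set_ipv4_priority /store/configservices/staging/globalconfig/nva.conf

KEY=IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6

# Current value of the parameter in the given file (empty when it is absent).
get_ipv4_priority() {
    sed -n "s/^$KEY=//p" "$1" | tail -n 1
}

# Back the file up, set the parameter to TRUE, and print the new value.
# An existing line is replaced in place, so running this twice changes
# nothing; when the file does not carry the parameter at all, the line is
# appended. The file is rewritten through cat rather than mv so that its
# owner and mode are preserved.
set_ipv4_priority() {
    conf=$1
    cp -p "$conf" "$conf.backup" || return 1
    if grep -q "^$KEY=" "$conf"; then
        tmp=$(mktemp) || return 1
        sed "s/^$KEY=.*/$KEY=TRUE/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf '%s=TRUE\n' "$KEY" >> "$conf"
    fi
    get_ipv4_priority "$conf"
}

# Demo on a constructed nva.conf fragment (the real file has many more keys;
# SAMPLE_KEY_A and SAMPLE_KEY_B are placeholders, not QRadar settings).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/nva.conf"
printf '%s\n' 'SAMPLE_KEY_A=1' "$KEY=FALSE" 'SAMPLE_KEY_B=2' > "$demo_conf"
echo "before: $KEY=$(get_ipv4_priority "$demo_conf")"
echo "after:  $KEY=$(set_ipv4_priority "$demo_conf")"
# Same check as step 3 above: exactly one line should differ from the backup.
diff "$demo_conf" "$demo_conf.backup" || true
rm -rf "$demo_dir"
```

The diff printed by the demo has the same shape as the one in step 3 (a single `c` hunk with TRUE on the left and FALSE on the right); any other difference means the file was changed in a way the backup does not explain and should be reviewed before deploying.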

RESULT:

Assuming the IPv4 address is configured in the network hierarchy like this:

Network Hierarchy

The Source Network and Destination Network are displayed as expected:

After Change

Document Location

Worldwide


Document Information

Modified date:
30 August 2022

UID

ibm16613213