Troubleshooting
Problem
IP addresses that are categorized as local in Log Activity are recognized as remote by a rule, causing false positives.
Symptom
In the following example, the admin wants to identify events with a specific QID or other characteristics, but only when the source IP address is remote.
So, the following rule is created with these tests:
- when the event QID is one of the following (3503982) IP ip WebVPN session started.
- when the source is Remote
The Network Hierarchy is defined as follows. The IP 10.10.10.5 has an entry, so it is a local IP:
Although the IP is defined as local in the Network Hierarchy, the rule detects this IP as a remote IP address, generating false-positive offenses:
Cause
The issue in this configuration is the IP address 10.10.10.5, which is defined as local under the Default Domain in the Network Hierarchy.
The Offense Summary above shows that the domain for this offense is different: it is BlueDomain.
QRadar rules work in the context of one or more domains. Domain separation enables users to separate data such as IP addresses into logical groupings called domains.
In this particular case, since the IP address is defined under the Default Domain, QRadar still evaluates this IP as remote in the BlueDomain context.
Resolving The Problem
To solve this issue so that the rule test no longer evaluates the IP as Remote, the IP has to be added under the BlueDomain as well.
For example, in the following capture, the IP address 10.10.10.5 is assigned to both domains:
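As an added illustration (not IBM's code or QRadar's actual implementation), the following Python model shows why a domain-scoped Network Hierarchy lookup classifies 10.10.10.5 as Remote for BlueDomain until the entry also exists under that domain. The /32 entry, the sample event record and the simplified rule logic are constructed assumptions.

```python
import ipaddress

# Constructed model of a Network Hierarchy: each entry is a CIDR scoped to
# exactly one domain. Before the fix, 10.10.10.5 exists only under Default Domain.
NETWORK_HIERARCHY_BEFORE = [
    {"domain": "Default Domain", "cidr": "10.10.10.5/32"},  # assumed /32 entry
]

# Resolution described in the article: the same IP is also added under BlueDomain.
NETWORK_HIERARCHY_AFTER = NETWORK_HIERARCHY_BEFORE + [
    {"domain": "BlueDomain", "cidr": "10.10.10.5/32"},
]


def is_local(ip, domain, hierarchy):
    """Return True if `ip` falls inside a hierarchy entry that belongs to `domain`.

    The lookup is domain-scoped: an entry defined under another domain does not
    count, which is why 10.10.10.5 is evaluated as Remote in the BlueDomain context.
    """
    addr = ipaddress.ip_address(ip)
    return any(
        entry["domain"] == domain and addr in ipaddress.ip_network(entry["cidr"])
        for entry in hierarchy
    )


def rule_fires(event, hierarchy):
    """Simplified model of the rule: QID 3503982 AND source IP is Remote
    in the domain the event belongs to."""
    return event["qid"] == 3503982 and not is_local(
        event["source_ip"], event["domain"], hierarchy
    )


# Constructed sample event matching the scenario in the article.
EVENT = {"qid": 3503982, "source_ip": "10.10.10.5", "domain": "BlueDomain"}

if __name__ == "__main__":
    # Before the fix the rule fires (false positive); after the fix it does not.
    print("before fix, rule fires:", rule_fires(EVENT, NETWORK_HIERARCHY_BEFORE))
    print("after fix, rule fires: ", rule_fires(EVENT, NETWORK_HIERARCHY_AFTER))
```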
Document Information
Modified date: 31 October 2022
UID: ibm16831789