IBM Support

QRadar: IP categorization set to N/A in the Log Activity tab

Question & Answer


Why does the XFORCE_IP_CATEGORY display as N/A when searched for using AQL under the Log Activity tab?


Consider these AQL queries where the XFORCE_IP_CATEGORY column is included:
SELECT XFORCE_IP_CATEGORY('X.X.X.X') from events limit 1

SELECT sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events
By default, QRadar populates categories for IP addresses that belong to any of these XForce IP categories. If the IP category is displayed as 'N/A', that particular IP is unsuspicious.
Here for the obfuscated IP addresses, the categorization is displayed as N/A.
If we right-click the IP to check its categorization on X-Force Exchange, it is categorized as 'Unsuspicious':

Hence, those IP addresses that have categorization as "Unsuspicious" in X-Force Exchange, have their XFORCE_IP_CATEGORY displayed as N/A in the Log Activity tab.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"TS011314345","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
26 April 2023