IBM Support

QRadar Support Geodata FAQ

Question & Answer


Question

This technical note answers frequently asked questions and provides information related to geographic data that the QRadar® Support commonly answers.

Answer

1. About geographic data in QRadar

Geographic data (geodata) in QRadar is used to associate an IP address from the user interface to display a visual flag indicator or map overview to users. Geodata makes the source or destination for the IP address associated to an event, flow, or offense more easily understood than just displaying an IP address. Geographic data allows administrators to not only show the location of a host related to an event, flow, or offense, but to also define the location of your network assets. Geographic data also allows users to create searches or rules when events or flows occur outside or within a geographic range. For example, create an offense when an authentication occurs from an unusual location or more than 50 miles from an office location.

Where is geographic data used in QRadar?

  • IP address hover menus in the user interface
  • Flag icons to designate the country or region of an IP address
  • Searches
  • Rules
  • Reports
  • Advanced search (GEO::LOOKUP or GEO::DISTANCE)

image-20181022111411-2

2. Configuring a MaxMind account for geographic data updates

This procedure requires an Admin user to create a MaxMind account and update System Settings to ensure that geographic location data updates can complete successfully. This procedure is for QRadar versions 7.3.1 and later.

Important: If you are a QRadar on Cloud administrator, you must provide your User ID and License Key information in a QRadar Support case. The DevOps team for your QRadar on Cloud Console can enable geographic data for your deployment.
 
  1. Create a free MaxMind account: https://www.maxmind.com/en/geolite2/signup.
  2. After your account is created, an email is provided by MaxMind.
    image-20200115121457-3
  3. Create a password for your account. 
  4. After you assign an account password, use the credentials you created to sign in.
  5. Click My License Key.
    image-20200115122003-4
  6. Click Generate new license key.
    image-20200115122217-7
  7. Configure the following values:
    • In the License key description, type: QRadar License Key.
    • In the field, 'Will this key be used for GeoIP Update', select Yes.
    • Select Generate a license key and config file for geoipupdate versions older than 3.1.1.
      image-20200115123022-8
  8. Click Confirm.
  9. Record the Account/User ID and License Key information.
    Important: If you exit the license key screen without recording the information, you must generate a new license key from Step 4.
    image-20200115123436-10
  10. Important: If you are a QRadar on Cloud administrator, you must provide your User ID and License Key information in a QRadar Support case. The DevOps team for your QRadar on Cloud Console can enable geographic data for your deployment.
  11. Log in to QRadar as an administrator.
  12. Click the Admin tab.
  13. Click the System Settings icon.
  14. Navigate to Geographic Settings.
  15. Update the User ID and License Key values from Step 5.
    image-20200115124402-11
  16. Click Save.
  17. From the Admin tab, click Deploy Changes.
    image-20200115124545-12

    Results
    After the deploy changes is complete, geographic data settings are updated for the QRadar deployment. Administrators can confirm their MaxMind geographic settings from the command line of the QRadar Console.

3. How to verify your geographic data updates

Administrators can verify geographic data (geodata) updates from the QRadar command-line interface. After you update your System Settings to use your MaxMind User ID and License, you can attempt to run an update and verify whether any errors occur. To complete this procedure, you must have root access to QRadar.

 
  1. Use SSH to log in to your QRadar Console as the root user.
  2. To update geographic data, type: /opt/qradar/bin/geodata_update.sh

    Results
  • If successful, the administrator is returned to the command prompt with no errors displayed on screen.
  • If unsuccessful, a 401 Unauthorized error is displayed. If you experience an error, confirm the credentials in the QRadar System Settings from Step 10, then click Save and Deploy Changes. Repeat the verification procedure or generate a new license key from the MaxMind website. If you continue to experience problems or believe the Deploy Changes does not complete successfully, open a case with QRadar Support.
    image-20200319165041-1
 

4. Setting up geodata in QRadar

In QRadar 7.3.1, the default geographic data feed is provided through a free geographical lookup database provided by MaxMind® as a geolite2.mmdb file, which makes an API call to MaxMind® at 4:04 AM to look for daily updates for users who configured their QRadar System Settings to retrieve geographic data updates. In QRadar version 7.3.3, the API call to MaxMind® for daily updates occurs at 4:30 AM. Administrators who want a more guaranteed resolution for IP addresses can configure their own data feeds to get updates from external servers. Either option that administrators choose requires that the Console has an Internet connection and that a proxy is configured in QRadar for connections to external data sources.


What to configure

  1. Verify that your proxy is configured for QRadar Auto Updates.
    1a. Click Admin tab > Auto Updates > Change Settings > Advanced.
    1b. Most enterprise networks require a proxy to connect to external IP addresses. If you want to download free or paid geographic database updates, administrators need to configure a proxy address. 
  2. Verify that the Geographic Setting is configured to use the defined proxy.
    2a. Click Admin tab > System Settings > Geographic Settings > Use Proxy Settings Defined in Auto Update = True.
    2b. Attempts to access external data feeds might not succeed when a proxy is required and the field is set to False.
  3. Confirm your Geographic Settings to verify whether you want to use the Registered Location or Physical Location for flag information in QRadar.
    3a. Click Admin tab > System Settings > Geographic Settings > Country Selection.
    3b. Administrators need to define whether the flag and country information from the geographic data uses the registered or the physical location from the downloaded database. Registered locations can be drastically different from the actual physical location of the server and by using the registered location can lead to the wrong flags and search results or rules getting triggered unintentionally. The default value for resolving IP addresses in QRadar is Registered location.
  4. Optional. To have private IP addresses ranges show country and map mouse hover information, you must configure the Network Hierarchy in QRadar to include country for flag, latitude, and longitude for the map information.


 

5. Communication issues

A good test to verify that you can retrieve geographic data updates is to attempt to download the MaxMind® GeoIP2lite from the QRadar Console. If you can download the file from their site from the Console, it verifies that you can connect to the API get updates in QRadar.
 

  1. Using SSH, log in to the QRadar Console as the root user.
  2. Navigate to a temporary directory, such as /storetmp.
  3. To test internet connectivity, type the following command to download the GeoLite2-City database file:
      wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key={your_license_key}&suffix=tar.gz"
    Note: The {your_license_key} value is displayed to users on the Maxmind portal when you generate your geographic data license. To confirm your license key, you might be required to access your Maxmind account or contact the owner of your license in your corporation. The license key value cannot be retrieved from the QRadar System Settings as this value is obfuscated for security purposes.
    image 3093

    Results
    A. If successful, the file is downloaded to the temporary directory. This file can be removed from QRadar as the test is complete.
    B. If unsuccessful, verify the proxy settings in the Auto Update configuration of QRadar. Alternately, the administrator can review the proxy settings to ensure that a firewall is not blocking connections to maxmind.com for QRadar updates.

6. Incorrect geodata references

The MaxMind® data Geo2Lite-City used within QRadar is not guaranteed to be as accurate as paid geographic data versions. Administrators who require accurate updates of geographic data within QRadar can use a premium feed to ensure that the data accuracy is guaranteed to the precision level requirements of your organization. Geographic data updates to the Geo2lite database provided by MaxMind® are updated monthly.

Users who see incorrect geographic data references in QRadar can review the following information:
  1. Verify that you have the latest geographic data updates by running ./opt/qradar/bin/geodata_update.sh from the QRadar Console.
  2. Confirm the IP address online against the MaxMind® geographic lookup demonstration page to determine whether the incorrect reference is also contained within the premium GeoIP® precision city data that can be licensed by administrators from MaxMind.
  3. If you are using the free feed that is default in QRadar, you can download and to verify whether the Geolite2 CSV data includes an incorrect reference. IP address for CIDR ranges can be found in GeoLite2-Country-Blocks file for your IP addresses. The corresponding country codes can be referenced in the GeoLite2-Country-Locations file to confirm if the incorrect reference is included in the free Geolite2 data.
  4. Users with free geographic data feeds ought to know that changes to geographic updates are monthly. QRadar is not in control of when new geographic data versions are posted. A cron utility runs at 4:04 AM on the QRadar Console to update geopgrahic data from the MaxMind® API.
    Note: In QRadar version 7.3.3 or later, the API call to MaxMind® for daily updates occurs at 4:30 AM.
  5. If the incorrect data is for an IP address in a network controlled by your organization, you can update your Network Hierarchy to include Country and Latitude and Longitude information. Updates to the Network Hierarchy override the geographic data provided by the feed and use the country and coordinates provided by the administrator.

7. Can the flag and map mouse hover be disabled in the user interface?

You can disable the flag mouse hover, for maps in System Settings by changing the 'Country/Region Flags' setting or the 'Embedded Maps in IP Address Tooltips' setting to No. The default value in QRadar is to set the Country/Flag value to Yes (enabled). The region flags and embedded maps for IP address settings are global to QRadar, meaning that this configuration is set for all users. Currently, there is no method to selectively enable or disable country/region flags for certain users.

image-20181022132735-3

  1. To disable country/region flags, change the global system setting in QRadar.
    Click Admin tab > System Settings > Display Country/Region Flags.
    Yes= Enable country/region flags for all users (Default).
    No = Disable country/region flags for all users.
     
  2. To disable map mouse hovers for IP addresses in the user interface.
    Click Admin tab> System Settings > Display Embedded Maps in IP Address Tooltips.
    Yes= Enable map over for IP addresses for all users (Default).
    No = Disable map over for IP addresses for all users.

8. About Network Hierarchy

Administrators who are setting up QRadar for the first time ought to be aware that geographic data is not a requirement when you configure the Network Hierarchy in QRadar. It is possible for administrators to define a country, latitude, and longitude for your networks. If you decide to input either country, latitude, and longitude information in to your Network Hierarchy, you need to maintain it when you make network changes or reallocate addresses within your networks if that ever occurs. The Network Hierarchy in QRadar is used to define your networks by CIDR address and allows you to logically divide data coming in from outside networks (remote) to internal assets you are responsible for (local). When you define your Network Hierarchy, you are instructing QRadar how to apply metadata to your events and flows so we understand what is L2R, R2L, or L2L information.

  • L2R - Local-to-remote indicates that is a communication between a network asset and an external server.
  • R2L - Remote-to-local indicates a communication from an external server/network to an internal asset that is within your network hierarchy.
  • L2L - Local-to-local indicates a communication between two assets within your network hierarchy.
  • R2R - Remote-to-remote.  R2R connections in QRadar, is an indicator that you have a network hierarchy issue or need to make a network hierarchy update. One of the server IP addresses from the event or flow is supposed to belong to your network hierarchy.


What do I need to review related to geographic data?
If you are a QRadar administrator or user, you ought work with your organization to review the existing Network Hierarchy and determine update policies on Country, Latitude, and Longitude information. As the administrator you have the option to add overrides to the existing Network Hierarchy in QRadar, but these might require maintenance on your part to keep up with network changes. Users that create overrides for geolocation data in QRadar might create issues with the accuracy of the Network Hierarchy. Scheduling regular reviews will help maintain geodata and Network Hierarchy accuracy.

Do I need to configure country or coordinates for all my addresses in the Network Hierarchy?
The Network Hierarchy configuration is configured to accommodate most default networks. To improve accuracy or location of coordinates for a specific public IP address, you might need to update the Network Hierarchy IP addresses to ensure the data is more representative of the needs of your organization. If your organization makes use of geographic information for private IP address ranges, you can consider adding country, latitude, and longitude information in to the Network Hierarchy for your non-routable IP addresses. Adding geographic data for latitude and longitude in the QRadar Network Hierarchy for your private IP addresses, allows advanced searches for your private IP address ranges (GEO::LOOKUP or GEO::DISTANCE) and provides extra rule capability to administrators.

Overriding default geographic feed data in Network Hierarchy
IP addresses display a flag and a geographic over in the user interface for all public IP address ranges, unless disabled in QRadar. Administrators have the option to select a country/region for their latitude and longitude coordinates for their internal networks from the Network Hierarchy interface in the Admin tab. When country, latitude, and longitude information is added manually for a CIDR range by an administrator, the information from the Network Hierarchy is used as an override to define where that network exists geographically. Administrators are expected to maintain their geographic data in Network Hierarchy as it might require maintenance as networks change over time. If the administrator configures a country for a specific CIDR range in the Network Hierarchy, this information overrides the default geographic data. Each time you update values in your Network Hierarchy with country or coordinate data, the information provided is used for those IP addresses within the CIDR range for both flag icons and IP address coordinates. Country or coordinate data can be added in the Network Hierarchy for both public and private (non-routable) addresses.  In earlier versions of QRadar®, non-routeable IP address ranges would not appear with a specific country flag or region, since they are not within a public IP address range. If the administrator wants private IP address ranges to display on flags, you need to be using QRadar V7.3.1 or later to have country and coordinates entered in CIDR ranges that contain your private IP addresses.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1;7.3.2;7.3.3;7.4.3"}]

Document Information

Modified date:
13 September 2022

UID

ibm10736025