IBM Support

QRadar: False positive is triggered when using Geolocation in a rule

Troubleshooting


Problem

QRadar resolves geolocation from its local /opt/qradar/conf/geodata.conf file, while MaxMind data tags IPs by country. When the entries in MaxMind's data and QRadar's geodata file disagree, rules that use geolocation can trigger incorrectly, because QRadar gives the local geodata file priority over MaxMind's data.

Symptom

Working with geolocation in rules can lead to false positives.

Cause

The /opt/qradar/conf/geodata.conf file needs to be updated with the correct information.

Diagnosing The Problem

To diagnose the problem, administrators can run the following steps:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Search for a subnet definition on the geodata.conf file:
    Note: Replace <subnet_definition> with a real value.
    grep '<subnet_definition>' /opt/qradar/conf/geodata.conf
    Example:
    [root@console ~]# grep '23.33.200.0' /opt/qradar/conf/geodata.conf
    Europe Germany 23.33.200.0/22 50 DE
  3. Search for the same subnet on IBM X-Force Exchange:
    Note: The IPv4 23.33.200.0 is being used as an example.
    [Screenshot: X-Force Exchange lookup result for 23.33.200.0]
  4. Compare the location values from step 2 and step 3.

    Result
    The administrator has found a mismatch between the geolocation data from geodata.conf and X-Force Exchange.
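The comparison in steps 2 through 4 can be scripted so that several subnets are checked the same way. The following is an added example and is not IBM's or QRadar's own code; it infers the geodata.conf line format from the single grep result shown above (a free-text region name, a CIDR, a numeric field this article does not explain, and an ISO country code), treats lines starting with "#" as comments (an assumption), and takes the external country code as a value the administrator has read off X-Force Exchange. The sample entries embedded in it are constructed.

```python
"""Compare a subnet's country in QRadar's geodata.conf with an external source.

Added example, not IBM's code. The line format is inferred from the one grep
result in the article ("Europe Germany 23.33.200.0/22 50 DE"): a free-text
region name, a CIDR, a numeric field the article does not explain, and an
ISO country code. The numeric field is parsed but ignored.
"""
import ipaddress
import os
import sys
from typing import Dict, List, Optional

GEODATA_PATH = "/opt/qradar/conf/geodata.conf"

# Constructed sample data in the inferred format (not taken from a real file).
SAMPLE_GEODATA = """\
# comment and blank lines are skipped (assumption about the file format)
Europe Germany 23.33.200.0/22 50 DE
Europe Germany 23.33.0.0/16 50 DE
North America United States 203.0.113.0/24 50 US
"""


def parse_geodata(text: str) -> List[Dict]:
    """Parse geodata.conf-style lines into dicts; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right so multi-word region names stay intact.
        parts = line.rsplit(None, 3)
        if len(parts) != 4:
            continue
        region, cidr, _unused_numeric, code = parts
        try:
            network = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue
        entries.append({"region": region, "network": network,
                        "code": code.upper(), "line": line})
    return entries


def lookup(ip: str, entries: List[Dict]) -> Optional[Dict]:
    """Return the most specific (longest-prefix) entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [e for e in entries
               if e["network"].version == addr.version and addr in e["network"]]
    if not matches:
        return None
    return max(matches, key=lambda e: e["network"].prefixlen)


def compare_country(ip: str, entries: List[Dict], external_code: str) -> Dict:
    """Compare the local geodata country code with one read from an external source."""
    local = lookup(ip, entries)
    local_code = local["code"] if local else None
    external = external_code.strip().upper()
    return {"ip": ip, "local": local_code, "external": external,
            "mismatch": local_code != external}


def load_entries(path: str = GEODATA_PATH) -> List[Dict]:
    """Read the real file when it exists (on the Console); otherwise use the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_geodata(fh.read())
    return parse_geodata(SAMPLE_GEODATA)


if __name__ == "__main__":
    # usage: python geocheck.py <ip> <country code from X-Force Exchange>
    ip_arg = sys.argv[1] if len(sys.argv) > 1 else "23.33.200.0"
    ext_arg = sys.argv[2] if len(sys.argv) > 2 else "DE"
    result = compare_country(ip_arg, load_entries(), ext_arg)
    print(result)
```

Run on the Console it reads the real geodata.conf; anywhere else it falls back to the constructed sample. A result with "mismatch": True for an IP reproduces the finding in step 4 and identifies the exact geodata.conf line ("line" in the lookup result) that disagrees with the external source.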

Resolving The Problem

To work around the problem, administrators can run the following steps:
  1. Log in to the QRadar WebUI as an Admin user.
  2. Click the Admin tab from the navigation bar.
  3. Click Network Hierarchy from the System Configuration section.
  4. A new window opens; click the Add button:
    [Screenshot: Network Hierarchy window with the Add button]
  5. Fill in the information and click the Create button.
    [Screenshot: Add network object form with the Create button]
  6. Deploy the changes.

    Result
    The system recognizes the IP based on how it is configured in the Network Hierarchy section. If the issue persists, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
06 December 2024

UID

ibm17177550