Hi Ihtasham
The check on events is easy to achieve. You just add an extra check in your event rules for the source IP if it's part of Europe.RussianFederation. See screenshot. The offense check is a bit more difficult, as you can't put this check in an offense rule. So you may want to define a building block for this and include it as an extra check for your offense rules. Alternatively you can use the extra check and modify your offense rules right away. PS: not sure what exactly you are referring to with "get the offense from Russian IP like we are using the MaxMind where can check the IP details or IP origin". Please comment if I got something wrong. At least this is the test provided by QRadar.
Karl
------------------------------
Karl Jaeger #ibmchampion
QRadar Specialist
cnag
Siegen, Germany
------------------------------
Original Message:
Sent: Thu December 19, 2024 01:29 AM
From: Ihtasham Babar
Subject: Geographic Based Offense
Hello Community,
Can we generate the alert whenever we get the offense from Russian IP like we are using the MaxMind where can check the IP details or IP origin. I just wanted to generate an alert whenever we get the offense or event from Russian IP. How can we deal with this? Please help. Thanks
------------------------------
Ihtasham Babar
------------------------------