Hello Everyone,
I've built a way for us to track whether a user logged in from multiple geographic locations in the same timeframe (60 min at the moment).
However, I've seen interesting behavior of the "Source Geographic Country/Region" field in conjunction with mixed IPv4 and IPv6 sources.
For reference, here is the rule set I've made; the first rule is just there to tune out cloud service users.

Now, if this rule fires, I get an offense like this:

At first sight it looks OK: we got a login success from Switzerland and one from the US.
However, if I drill into the login from the US, I quickly see that the source IP is actually not in the US but in Switzerland as well (but IPv6).
The US IP is actually the destination, and if there is no IPv4 source IP, QRadar just copies the destination IP into that field.

My question now is: is there a way around this chaos?
------------------------------
Kind Regards,
Linus
------------------------------
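As an added example (not part of Linus' post and not QRadar's rule engine), here is a small Python version of the same "multiple countries within 60 minutes" check that handles the failure mode described above: if the IPv4 source field is empty or equals the destination and an IPv6 source is present, it geolocates the IPv6 source instead. The field names (`sourceip`, `sourceipv6`, `destinationip`), the prefix-to-country table and the sample events are all constructed for the example; a real deployment would use the SIEM's own GeoIP lookup.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prefix -> country table standing in for the SIEM's GeoIP database.
# These ranges are made up for the example and are not real allocations.
GEO_TABLE = [
    ("85.1.0.0/16", "CH"),      # constructed: Swiss IPv4 range
    ("2a02:1200::/29", "CH"),   # constructed: Swiss IPv6 range
    ("52.0.0.0/8", "US"),       # constructed: US range where the login server lives
]
GEO_NETWORKS = [(ipaddress.ip_network(p), c) for p, c in GEO_TABLE]


def geo_lookup(ip):
    """Return the country for an IPv4 or IPv6 address, or None if unknown."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_NETWORKS:
        if addr in net:          # False when address and network versions differ
            return country
    return None


def effective_source(event):
    """Pick the address that actually identifies the client.

    Edge case from the post: an IPv6-only login has no IPv4 source, and the
    IPv4 'sourceip' field carries a copy of the destination. Geolocating that
    yields the server's country, not the user's. If sourceip is empty or equals
    destinationip and an IPv6 source exists, prefer the IPv6 source.
    """
    src = event.get("sourceip")
    dst = event.get("destinationip")
    src6 = event.get("sourceipv6")
    if src6 and (not src or src == dst):
        return src6
    return src


def multi_geo_logins(events, window=timedelta(minutes=60), naive=False):
    """Return (user, country1, ip1, country2, ip2) for each pair of successful
    logins by the same user from different countries within `window`.
    naive=True geolocates 'sourceip' as-is, reproducing the false positive."""
    by_user = defaultdict(list)
    for e in events:
        if e["category"] != "login_success":
            continue
        ip = e.get("sourceip") if naive else effective_source(e)
        by_user[e["username"]].append((e["time"], geo_lookup(ip), ip))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for i, (t1, c1, ip1) in enumerate(rows):
            for t2, c2, ip2 in rows[i + 1:]:
                if t2 - t1 > window:
                    break
                if c1 and c2 and c1 != c2:
                    alerts.append((user, c1, ip1, c2, ip2))
    return alerts


# Constructed sample events mirroring the post: linus logs in over IPv4 from
# CH, then over IPv6 from CH; the second event's IPv4 sourceip is a copy of the
# US destination. alice really does log in from CH and then from the US.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    {"username": "linus", "category": "login_success", "time": T0,
     "sourceip": "85.1.2.3", "sourceipv6": None, "destinationip": "52.10.0.1"},
    {"username": "linus", "category": "login_success", "time": T0 + timedelta(minutes=20),
     "sourceip": "52.10.0.1", "sourceipv6": "2a02:1200::1", "destinationip": "52.10.0.1"},
    {"username": "alice", "category": "login_success", "time": T0 + timedelta(hours=1),
     "sourceip": "85.1.9.9", "sourceipv6": None, "destinationip": "52.10.0.1"},
    {"username": "alice", "category": "login_success", "time": T0 + timedelta(hours=1, minutes=30),
     "sourceip": "52.200.0.5", "sourceipv6": None, "destinationip": "52.10.0.1"},
]

if __name__ == "__main__":
    print("naive:    ", multi_geo_logins(SAMPLE_EVENTS, naive=True))
    print("corrected:", multi_geo_logins(SAMPLE_EVENTS))
```

Run with `naive=True` the check fires for both users, reproducing the CH/US offense from the post for linus; with the `effective_source` correction only alice, whose second login genuinely comes from a US address, is flagged. The same idea carries over to a SIEM rule: test "source IP equals destination IP" before trusting the source geography, and fall back to the IPv6 source when it does.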