IBM QRadar

Tracking Login from multiple geographic locations with IPv6

    1. Tracking Login from multiple geographic locations with IPv6

    Posted Thu November 15, 2018 05:27 AM
    Hello Everyone,

    I've built a way for us to track if a user logged in from multiple geographic locations in the same timeframe (60 min at the moment).

    However, I've seen interesting behavior of the "Source Geographic Country/Region" in conjunction with mixed IPv4 and v6 sources.

    For reference, here is the rule set I've made; the first rule is just to tune out cloud service users.


    Now if this rule fires I get an offense such as this:
    At first sight it looks OK: we got a login success from Switzerland and from the US.

    However, if I drill into the login from the US I quickly see that the source IP is actually not US but Switzerland as well (but IPv6).
    The US IP is actually the destination; if there is no IPv4 source IP, QRadar just copies the destination IP into that field.


    My question now is, is there a way around this chaos?

    ------------------------------
    Kind Regards,

    Linus
    ------------------------------
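The correlation the post describes, written out as a small script so the IPv4/IPv6 source-field problem can be reproduced and handled outside the SIEM. This is an added example, not code from the original post or from IBM QRadar: the event field names (`sourceip`, `sourcev6`, `destinationip`, `starttime`, `category`) are hypothetical stand-ins rather than QRadar's exact property names, the `GEO` table is a constructed substitute for a GeoIP database using documentation address ranges, and the sample events are constructed. It runs the same per-user 60-minute window twice, once over the raw IPv4 source field (which reproduces the false positive from the post) and once with the IPv6 source preferred whenever the IPv4 field is empty or merely mirrors the destination.

```python
"""
Added example, not from the original post or IBM QRadar.

Assumptions (all constructed for this example):
- events are dicts with hypothetical keys username, category, starttime
  (epoch seconds), sourceip (IPv4), sourcev6 (IPv6) and destinationip.
- GEO is a tiny prefix-to-country table standing in for a real GeoIP lookup.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP database: documentation prefixes -> country.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "CH",   # TEST-NET-3, labelled CH here
    ipaddress.ip_network("198.51.100.0/24"): "US",  # TEST-NET-2, labelled US here
    ipaddress.ip_network("2001:db8:1::/48"): "CH",  # documentation prefix, labelled CH
    ipaddress.ip_network("2001:db8:2::/48"): "DE",  # documentation prefix, labelled DE
}


def country_of(ip_str):
    """Return the country code for an address, or None if empty/invalid/unknown."""
    if not ip_str:
        return None
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, cc in GEO.items():
        if addr.version == net.version and addr in net:
            return cc
    return None


def effective_source(event):
    """Pick the address that actually identifies the client.

    The post describes events whose IPv4 source field is empty and has been
    filled with the destination address. If that is the case and an IPv6
    source is present, trust the IPv6 source; otherwise use the IPv4 field.
    """
    v4 = event.get("sourceip") or ""
    v6 = event.get("sourcev6") or ""
    dst = event.get("destinationip") or ""
    if (not v4 or v4 == dst) and v6:
        return v6
    return v4


def naive_source(event):
    """What the original rule effectively geolocated: the IPv4 source field as-is."""
    return event.get("sourceip") or ""


def multi_geo_logins(events, window_seconds=3600, source_fn=effective_source):
    """Return {username: sorted countries} for users with login successes from
    more than one country within window_seconds of an earlier login."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("category") != "login_success":
            continue
        cc = country_of(source_fn(ev))
        if cc:  # events we cannot geolocate are ignored, as a rule would do
            by_user[ev["username"]].append((ev["starttime"], cc))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, c0) in enumerate(rows):
            countries = {c0}
            for t1, c1 in rows[i + 1:]:
                if t1 - t0 > window_seconds:
                    break
                countries.add(c1)
            if len(countries) > 1:
                alerts[user] = sorted(countries)
                break
    return alerts


# Constructed sample events mirroring the post's scenario.
EVENTS = [
    {"username": "linus", "category": "login_success", "starttime": 1000,
     "sourceip": "203.0.113.10", "sourcev6": "", "destinationip": "198.51.100.5"},
    # IPv6 client: the IPv4 source field carries the (US) destination address.
    {"username": "linus", "category": "login_success", "starttime": 1600,
     "sourceip": "198.51.100.5", "sourcev6": "2001:db8:1::42", "destinationip": "198.51.100.5"},
    # Genuine second country for another user, inside the window.
    {"username": "mallory", "category": "login_success", "starttime": 2000,
     "sourceip": "203.0.113.77", "sourcev6": "", "destinationip": "198.51.100.5"},
    {"username": "mallory", "category": "login_success", "starttime": 2900,
     "sourceip": "", "sourcev6": "2001:db8:2::9", "destinationip": "198.51.100.5"},
    # Two countries for a third user, but two hours apart: outside the window.
    {"username": "carol", "category": "login_success", "starttime": 100,
     "sourceip": "203.0.113.1", "sourcev6": "", "destinationip": "198.51.100.5"},
    {"username": "carol", "category": "login_success", "starttime": 100 + 7200,
     "sourceip": "", "sourcev6": "2001:db8:2::1", "destinationip": "198.51.100.5"},
]

if __name__ == "__main__":
    print("naive:    ", multi_geo_logins(EVENTS, source_fn=naive_source))
    print("corrected:", multi_geo_logins(EVENTS))
```

With the raw IPv4 field the script flags `linus` (CH plus the copied US destination), exactly the spurious offense in the post, and misses `mallory` because the empty IPv4 field geolocates to nothing. Preferring the IPv6 source clears `linus` and surfaces `mallory`, whose two logins really do come from different countries inside the window; `carol` stays quiet in both runs because her logins are outside the 60-minute window. The same precedence (use the IPv6 source when the IPv4 source is empty or equals the destination) is what a rule test or custom property in the SIEM would need to express.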