IBM QRadar

 How to Include Previous IP in Events Triggered by "Impossible Travel Detected" Rule

Jesús Ángel del Pozo Domínguez posted Mon December 30, 2024 05:06 PM

Hello QRadar Community,

I’m using the "Impossible Travel Detected" rule included in the IBM Security QRadar Network Anomaly Content Extension. The rule works as expected and generates offenses when a user successfully authenticates from geographically distant locations within a short period.

However, in the events associated with the offense, I can only see the latest IP address (sourceIP) from which the user authenticated. I would like to also include the previous IP address from which the user authenticated in the event details or offense annotations.

The rule is leveraging a Reference Table named "Impossible Travel" to store and compare the last known IP (ipKey) and timestamp (dateKey) for each user. Is there a way to modify the rule or event annotations so that both the current and previous IPs are included in the events or the offense?

Here’s what I’ve considered:

  1. Adding a new annotation to the event using the Reference Table to include the ipKey (previous IP).
  2. Creating a custom event with both the current and previous IPs in the description.
  3. Using a separate Reference Set to temporarily store the previous IP before the Reference Table is updated.

I’d appreciate guidance or examples on how to implement this. Thanks in advance for your help!
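As an added illustration of the per-user state the question describes (not QRadar's rule, nor the content extension's reference-table code), the following stand-alone Python model keeps one `LastSeen` record per user, the analogue of the "Impossible Travel" table's `ipKey`/`dateKey` columns, and reads the previous IP *before* overwriting the entry so that any alert carries both the previous and the current source IP. The geolocation table, the sample events and the 900 km/h speed threshold are all constructed assumptions; the real rule's threshold and lookup mechanism are not stated in the post.

```python
"""Stand-alone model of an impossible-travel check that reports the previous
IP alongside the current one.  Added example, not QRadar's rule; the geo
table, events and threshold below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample geolocation table: source IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (40.4168, -3.7038),   # Madrid (constructed)
    "192.0.2.55": (41.3874, 2.1686),      # Barcelona (constructed)
    "198.51.100.7": (40.7128, -74.0060),  # New York (constructed)
}

MAX_SPEED_KMH = 900.0  # assumed threshold; the rule's real value is not on the page


@dataclass
class LastSeen:
    """One reference-table row per user: last known IP (ipKey) and time (dateKey)."""
    ip: str
    ts: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def check_event(table, user, ip, ts):
    """Compare one successful authentication against the user's stored row.

    Returns an alert dict holding both IPs when the implied speed exceeds
    MAX_SPEED_KMH, otherwise None.  The previous row is read first and the
    table is updated afterwards, so the previous IP survives into the alert.
    """
    alert = None
    prev = table.get(user)
    if prev is not None and prev.ip != ip:
        hours = (ts - prev.ts).total_seconds() / 3600.0
        dist = haversine_km(GEO[prev.ip], GEO[ip])
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            alert = {
                "user": user,
                "previous_ip": prev.ip,
                "previous_time": prev.ts.isoformat(),
                "current_ip": ip,
                "current_time": ts.isoformat(),
                "distance_km": round(dist, 1),
                "implied_speed_kmh": round(speed, 1),
            }
    table[user] = LastSeen(ip, ts)  # equivalent of the reference-table update
    return alert


def run(events):
    """Feed events through the check in order; return the alerts raised."""
    table = {}
    alerts = []
    for user, ip, ts in events:
        a = check_event(table, user, ip, ts)
        if a:
            alerts.append(a)
    return alerts


SAMPLE_EVENTS = [  # constructed: (user, source IP, UTC timestamp)
    ("jdoe", "203.0.113.10", datetime(2024, 12, 30, 8, 0, tzinfo=timezone.utc)),
    ("jdoe", "192.0.2.55", datetime(2024, 12, 30, 11, 0, tzinfo=timezone.utc)),
    ("jdoe", "198.51.100.7", datetime(2024, 12, 30, 12, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

With the constructed events, Madrid to Barcelona over three hours is well under the threshold, while Barcelona to New York within one hour raises a single alert whose `previous_ip` is the Barcelona address and whose `current_ip` is the New York one. The design point is only the ordering: whichever of the three approaches in the post is chosen, the previous `ipKey` has to be captured before the table row is overwritten.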