IBM Security QRadar


Geographic Data Enhancements

By JEFF RUSK posted Mon August 19, 2019 09:25 AM

  


 

By Brandon Howell and Jeff Rusk

 

The geographic location of the IP addresses in event data arriving at the QRadar SIEM is a key input for the SOC analyst. The information is based on GeoLite2, a free database released by MaxMind (https://www.maxmind.com/en/home); the geographic lookups are performed at display time and are not written to the Ariel event database records on disk. MaxMind updates the free database on the first Tuesday of every month (https://dev.maxmind.com/geoip/geoip2/geolite2/). In QRadar, a cron job runs at 4:30 AM daily to check for and pull new versions of MaxMind's database via an API call. Versions of QRadar prior to 7.3.1 offered somewhat limited granularity and usability of this important data: users had only simple visibility into the country/region of the source and destination IPs of incoming data.

 

Since the release of QRadar 7.3.1, there have been many enhancements to how geographic information is presented in QRadar, and how the geographic data is maintained.

 

[Figure: Mouse Over Geo Location]


Default ‘Country Select’ system setting switched from ‘Registered’ to ‘Physical’

With the integration of MaxMind's GeoIP service into our geographic functionality, we can retrieve accurate physical location information for an IP. We felt that providing the physical location by default is the better business use case, because it gives better security visibility than the address's registered location. The default setting change is only enforced on fresh QRadar installs; patches keep whichever option the user had saved.

 

[Figure: Geographic Settings]


Using MaxMind GeoIP2 paid subscriptions

Users with access to a paid MaxMind GeoIP2 subscription will soon be free to enter their User ID and License Key under Geographic Settings in QRadar’s System Settings. Compared to the default GeoLite2 database, GeoIP2 databases provide more accurate location data and are updated more frequently. Further accuracy can be achieved with a GeoIP2 Precision Services subscription, which provides location data down to exact cities with postal codes and time zones.

 

Flag Icons for Countries/Regions

In various areas of QRadar, we display the IP addresses of events or flows with accompanying country flag icons representing the IP's location. This behaviour is configurable in the UI under System Settings through the "Display Country/Region Flags" setting. As new countries or regions are identified and recognized, their flags are added to QRadar for display; one example is the inclusion of the flag for South Sudan.

 

[Figure: System Settings]

[Figure: Flag Display]

 

Network Hierarchy and IP Addresses

In the local network hierarchy editor, when the feature is enabled, users can now apply two optional geographic details per network object: a country (which triggers the display of a country flag icon next to the IP in the UI) and longitude/latitude coordinates (which display a map with a location pin when hovering over the IP).

[Figure: Edit Network]


AQL Functions

There are also new AQL functions that allow the user to operate on these IP addresses, including querying the physical and/or registered country, calculating distance, and other operations. API functions are available under /api/services/geolocations/.

 

The GEO::LOOKUP AQL function returns the location data for a selected IP address and the GEO::DISTANCE AQL function returns the distance (km) between two IP addresses.
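As an added example (not code from this post or from QRadar itself), the following Python models what those two functions compute: a lookup that returns the physical and registered country plus coordinates for an address, and a great-circle (haversine) distance in kilometres between the two looked-up points. The lookup table, the IP addresses and the field names are constructed assumptions; a real QRadar deployment resolves them against the MaxMind database rather than an in-memory dictionary.

```python
# Added example, not part of the QRadar post or IBM's code. It stands in for
# what GEO::LOOKUP and GEO::DISTANCE return, using a constructed lookup table
# in place of MaxMind's GeoLite2 database so that it runs offline.
from dataclasses import dataclass
from ipaddress import ip_address
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class GeoRecord:
    """Subset of the location data a GeoIP lookup yields for one address."""
    physical_country: str    # ISO code of where the address is physically used
    registered_country: str  # ISO code of the country the address is registered in
    city: str
    latitude: float
    longitude: float


# Constructed sample table keyed by IP. Values are illustrative only and use
# documentation address ranges, not real geolocation results.
SAMPLE_GEO_DB = {
    "203.0.113.10": GeoRecord("CA", "US", "Fredericton", 45.9636, -66.6431),
    "198.51.100.25": GeoRecord("DE", "DE", "Frankfurt", 50.1109, 8.6821),
    "192.0.2.7": GeoRecord("US", "US", "Austin", 30.2672, -97.7431),
}

EARTH_RADIUS_KM = 6371.0


def geo_lookup(ip: str) -> Optional[GeoRecord]:
    """Stand-in for GEO::LOOKUP: return location data, or None if unknown.

    Malformed input raises ValueError instead of being silently ignored.
    """
    ip_address(ip)
    return SAMPLE_GEO_DB.get(ip)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geo_distance(ip1: str, ip2: str) -> Optional[float]:
    """Stand-in for GEO::DISTANCE: km between two IPs, or None if either is unknown."""
    a, b = geo_lookup(ip1), geo_lookup(ip2)
    if a is None or b is None:
        return None
    return haversine_km(a.latitude, a.longitude, b.latitude, b.longitude)


def country_mismatch(ip: str) -> Optional[bool]:
    """True when the physical and registered countries differ, which is the
    distinction behind the 'Country Select' setting; None for unknown IPs."""
    rec = geo_lookup(ip)
    if rec is None:
        return None
    return rec.physical_country != rec.registered_country


if __name__ == "__main__":
    print(geo_lookup("203.0.113.10"))
    dist = geo_distance("203.0.113.10", "198.51.100.25")
    print(f"{dist:.1f} km" if dist is not None else "unknown")
    print(country_mismatch("203.0.113.10"))
```

The lookups return None rather than a default record for addresses outside the table, mirroring the fact that a GeoIP database has no entry for private or unallocated space; a query that treats a missing result as "country X" would produce misleading flags and distances.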

 

[Figure: GEO LOOKUP]

[Figure: GEO DISTANCE]

 

Summary

IBM is continually enhancing the geographic data capabilities of the QRadar SIEM. Features such as geographic data AQL functions, the addition of geographic details to the network hierarchy, updates to country/region flags, and support for MaxMind GeoIP2 paid subscriptions ensure that QRadar SOC analysts have the best available data for triaging offenses, threat hunting, and monitoring.
