The easiest way to check for events not in your Network Hierarchy is to look for R2R as the event direction. You should never have events interacting with your network where both the source and destination are R2R, as this means that your Network Hierarchy needs a definition to add this value.
There are two easy ways to do this:
1. Use the new Tuning App for QRadar that includes a check for R2R event direction.
2. You can use a filter or an AQL advanced search to find R2R events. For example,
select NETWORKNAME(sourceip) as srcnet, NETWORKNAME(destinationip) as dstnet, sourceip as "Is src in NH?", destinationip as "Is dst in NH?", LOGSOURCETYPENAME(devicetype) AS "LogSourceType", LOGSOURCENAME(logsourceid) AS "LogSourceName" from events where eventdirection='R2R' GROUP BY sourceip
What next?
Any IP addresses that are not in your network space should be added to Admin tab > Network Hierarchy to identify CIDR ranges that are part of your corporate network. For a quick video, see: https://www.youtube.com/watch?v=lgb8ra1ZaXQ .
Let us know if you have follow-up questions.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
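As an added illustration (not part of Jonathan's post or QRadar's own code), this Python script reproduces how event direction (L2L, L2R, R2L, R2R) falls out of Network Hierarchy membership and flags RFC 1918 addresses that QRadar would treat as "remote", which are the candidates to add under Admin tab > Network Hierarchy. The hierarchy names, CIDRs and event rows are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for Admin tab > Network Hierarchy: name -> CIDR defined as local.
NETWORK_HIERARCHY = {
    "Corp.Users": "10.10.0.0/16",
    "Corp.Servers": "10.20.0.0/24",
    "DMZ": "192.168.100.0/24",
}
# RFC 1918 space; an address here that resolves to no hierarchy object is a likely definition gap.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events as (sourceip, destinationip); not real log data.
EVENTS = [
    ("10.10.5.23", "10.20.0.7"),       # L2L: both sides defined
    ("10.10.5.23", "203.0.113.50"),    # L2R: internal user to the Internet
    ("203.0.113.9", "192.168.100.4"),  # R2L: Internet to DMZ host
    ("10.30.1.15", "10.20.0.7"),       # R2L, but 10.30/16 is internal: hierarchy gap
    ("10.30.1.15", "172.16.8.4"),      # R2R: both internal, neither defined
    ("198.51.100.2", "203.0.113.9"),   # R2R: genuinely remote to remote
]

def build_networks(hierarchy):
    return {name: ipaddress.ip_network(cidr) for name, cidr in hierarchy.items()}

def network_name(ip, networks):
    """Mimic NETWORKNAME(): the hierarchy object containing ip, or 'other' when undefined."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in networks.items() if addr in net), "other")

def event_direction(src, dst, networks):
    """Direction is derived from whether each side resolves to a hierarchy object (L) or not (R)."""
    side = lambda ip: "L" if network_name(ip, networks) != "other" else "R"
    return f"{side(src)}2{side(dst)}"

def r2r_events(events, hierarchy):
    networks = build_networks(hierarchy)
    return [(s, d) for s, d in events if event_direction(s, d, networks) == "R2R"]

def hierarchy_gaps(events, hierarchy):
    """Count 'remote' IPs inside RFC 1918 space, i.e. local addresses missing from the hierarchy."""
    networks = build_networks(hierarchy)
    gaps = Counter()
    for src, dst in events:
        for ip in (src, dst):
            addr = ipaddress.ip_address(ip)
            if network_name(ip, networks) == "other" and any(addr in n for n in RFC1918):
                gaps[ip] += 1
    return gaps

if __name__ == "__main__":
    print(r2r_events(EVENTS, NETWORK_HIERARCHY), dict(hierarchy_gaps(EVENTS, NETWORK_HIERARCHY)))
```

In a real environment the same check is the AQL search in the reply above; this script only makes visible why an undefined internal range shows up as "remote".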
Original Message:
Sent: Thu May 23, 2019 07:47 AM
From: Asif Siddiqui
Subject: Local IP address is getting identified as remote IP
Hi All,
I have a query. In my QRadar environment, when I search for events I find that lots of internal IP addresses are showing as remote IPs.
When the traffic is R to L (remote to local), the remote IP should be an outsider, but the IP address we are getting is our internal IP.
My question is: how will I get the entire list of IP addresses which are local but are getting identified as remote?
Once I get such a list, what will be my next step (how will I make QRadar treat these IP addresses as internal)?
Please assist.
Regards
Asif Siddiqui
------------------------------
Asif Siddiqui
------------------------------