IBM Security QRadar

Expand all | Collapse all

CRE issue

  • 1.  CRE issue

    Posted Mon August 17, 2020 10:09 AM
    Hello All,

    I have a issue when upgraded QR to last version i see CRE called Communication with a Potential Hostile IP Address (Flows) generate a lot of offenses with different applications, and because its flow when searching with Source IP in the Log Activity see the Log source is the Firewall and all session denied, any suggestions to how tune this CRE 

    Thanks  


    ------------------------------
    Ahmed ElHabashi
    ------------------------------


  • 2.  RE: CRE issue

    Posted Tue August 18, 2020 12:54 PM
    'thinking out loud:
    - modify this rule not to create offense
    - create another rule that recognizes the firewall event that is NOT block/deny
    - use both of these in another rule that would create the offense - something like:  and when all of these rules, in order, from the same source IP to the same destination IP, over this many seconds

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: CRE issue

    Posted Fri September 11, 2020 08:51 AM
    Very often this type of rule triggers because the network hierarchy is not setup correctly or is missing some address space.  I also make sure the RFC1918, multicast and locally administered IP space is listed in there and that takes care of a lot of it.  Seems the default rules think all that traffic is to\from BOGON networks.

    ------------------------------
    Frank Eargle
    ------------------------------