IBM Security QRadar


What to do when Source IPs are being NAT'd by the Firewall due to policies and compliance

    Posted Thu June 18, 2020 09:26 AM
    Hi,
    I am working on a customer engagement where we are onboarding log sources that come from NXLog agents on Windows servers. Since the logs have to pass through another log management solution (LogPoint) in JSON format, I have created a custom JSON parser.

    Events are being parsed and mapped as they should. But policies and governance dictate that source IPs must be NAT'd, so now every event coming in has the same source IP. I have discussed this with a number of people, but changing this has been turned down due to the policies and compliance, as well as the approved design of the network.

    So I see a way of using Reference Data to map the hostname, which is unchanged in the payload, to the original source IP. That will at least help when investigating offenses using searches. Rule creation will also be able to make use of it.

    My question is whether anybody has a solid solution to solve this in QRadar. Can we in a smart way work around this issue of having the same source IP for every event coming into QRadar?

    Your help and support on this is highly recommended.

    Thanks,
    Peter Eibak

    ------------------------------
    Peter Eibak
    IBM Security Expert Lab
    Denmark
    eibak@dk.ibm.xom
    ------------------------------
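
    An added example, not code from the original post, showing the Reference Data workaround the post describes end to end: every event arrives with one NAT'd source IP, the hostname inside the JSON payload is untouched, so a hostname-to-original-IP reference map restores the real source for searches and rules. The inventory CSV, the JSON field names, the NAT address and the events below are constructed; the QRadar REST path built in build_bulk_load_request (POST /api/reference_data/maps/bulk_load/{name} with a JSON object body) is an assumption about the API and is only shaped here, not sent. The part worth copying is the handling around the lookup: keys are normalised to lower case because reference-map matches are exact and Windows hostnames arrive in mixed case, inventory rows with bad IPs are reported rather than loaded, and events whose host is unmapped keep the NAT address but carry a flag so a rule can still pick them up.

```python
import csv
import io
import ipaddress
import json

# Constructed values; none of these appear in the original post.
NAT_SOURCE_IP = "10.0.0.1"                        # the one IP every forwarded event carries
HOSTNAME_KEYS = ("Hostname", "hostname", "host")  # assumed candidate payload fields

INVENTORY_CSV = """hostname,ip
WIN-DC01.corp.example,10.10.1.5
win-app02.corp.example,10.10.2.17
WIN-FS03.corp.example,not-an-ip
"""

# Constructed events in the shape NXLog -> LogPoint might forward as JSON.
SAMPLE_EVENTS = [
    json.dumps({"Hostname": "WIN-DC01.corp.example", "EventID": 4624,
                "Message": "An account was successfully logged on."}),
    json.dumps({"Hostname": "WIN-APP02.corp.example", "EventID": 4625,
                "Message": "An account failed to log on."}),
    json.dumps({"Hostname": "WIN-UNKNOWN.corp.example", "EventID": 7045,
                "Message": "A service was installed in the system."}),
    json.dumps({"EventID": 1102, "Message": "The audit log was cleared."}),
]


def load_reference_map(csv_text):
    """Build {hostname -> ip} from an inventory CSV.

    Keys are lower-cased because reference-map lookups are exact-match and
    Windows hostnames show up in mixed case. Rows whose IP does not parse are
    returned in a rejected list instead of being loaded; conflicting
    duplicate hostnames are an error rather than last-one-wins.
    """
    ref_map, rejected = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip().lower()
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            rejected.append(row["hostname"])
            continue
        if host in ref_map and ref_map[host] != ip:
            raise ValueError(f"conflicting entries for {host}")
        ref_map[host] = ip
    return ref_map, rejected


def build_bulk_load_request(ref_map, map_name="nat_host_to_ip",
                            console="qradar.example"):
    """Shape (not send) a bulk-load request for the reference map.

    Assumption: QRadar's POST /api/reference_data/maps/bulk_load/{name}
    accepts a JSON object of key -> value for a map created with
    element_type IP. The SEC header value is a placeholder.
    """
    return {
        "method": "POST",
        "url": f"https://{console}/api/reference_data/maps/bulk_load/{map_name}",
        "headers": {"Content-Type": "application/json",
                    "Accept": "application/json", "SEC": "<api-token>"},
        "body": json.dumps(ref_map, sort_keys=True),
    }


def _hostname(event):
    """First hostname-like field present in the parsed payload, else None."""
    return next((event[k] for k in HOSTNAME_KEYS if k in event), None)


def enrich(event_json, ref_map, nat_ip=NAT_SOURCE_IP):
    """Restore the original source IP for one event.

    Adds 'sourceip' (the NAT address as received), 'original_source_ip'
    (mapped IP when the host is known, else the NAT address) and
    'source_ip_resolved' so rules can still match unmapped hosts.
    """
    event = json.loads(event_json)
    host = _hostname(event)
    resolved = ref_map.get(host.lower()) if host else None
    event["sourceip"] = nat_ip
    event["original_source_ip"] = resolved or nat_ip
    event["source_ip_resolved"] = resolved is not None
    return event


def enrich_all(events, ref_map):
    """Enrich a batch; also return the hosts that still need a map entry."""
    enriched, missing = [], set()
    for raw in events:
        ev = enrich(raw, ref_map)
        enriched.append(ev)
        if not ev["source_ip_resolved"]:
            missing.add(_hostname(ev) or "<no hostname field>")
    return enriched, sorted(missing)


if __name__ == "__main__":
    ref_map, rejected = load_reference_map(INVENTORY_CSV)
    print("rejected inventory rows:", rejected)
    print(json.dumps(build_bulk_load_request(ref_map), indent=2))
    enriched, missing = enrich_all(SAMPLE_EVENTS, ref_map)
    for ev in enriched:
        print(ev["EventID"], ev["sourceip"], "->", ev["original_source_ip"],
              "resolved" if ev["source_ip_resolved"] else "UNMAPPED")
    print("hosts still unmapped:", missing)
```

    Inside QRadar the same lookup is done by a custom property holding the hostname plus a reference-map lookup in the rule or search; the list of unmapped hosts is the feedback loop for keeping the map current.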