IBM Security QRadar

  • 1.  QRadar rule to index on ipv6

    Posted Mon March 01, 2021 10:00 AM
    Greetings,

    I have a few Office 365 rules which are indexed on source IP. Most of the time the source IP is IPv4 and indexing works fine; however, I have noticed that when IPv6 is present, the source IP (IPv4) becomes 0.0.0.0, generating false positive offenses because the source IP is now 0.0.0.0.

    Is there a way so that if the source IPv4 is all zeros and the source IPv6 has a value, the rule automatically indexes on the source IPv6?

    This is only for Office 365 events. Current QRadar version is 7.4.1.
    I came across an old APAR, but that does not help.
    IJ16412: OFFICE 365 DSM IS POPULATING THE IPV4 LOG SOURCE ADDRESS AS SOURCE IP WHEN IT SHOULD BE USING IPV6 ADDRESS

    ------------------------------
    Hemant Kumar
    ------------------------------


  • 2.  RE: QRadar rule to index on ipv6

    IBM Champion
    Posted Tue March 16, 2021 08:25 AM
    Hi,
    this looks like a tuning issue. Unfortunately there is no easy way to change a rule index from one attribute to another. The easiest thing to do is duplicate your rule(s), test for IPv4 and IPv6 content like 0.0.0.0 vs. real values, and use the corresponding tuned Office 365 rules. The Use Case Manager app is recommended for tuning your Office rules. If you don't know how to achieve that, just provide an example of the rules you need to get tuned here.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 3.  RE: QRadar rule to index on ipv6

    IBM Champion
    Posted Tue March 16, 2021 10:27 AM
    Just another side note on this: QRadar has been able to handle IPv4 and IPv6 addresses for some while now, so there is no need to differentiate between address formats in rule tests, for instance. Of course, when you run into a 0-address problem as outlined before, you have to make sure to differentiate that from the N/A condition. Rule indexing should be just fine as long as real addresses are being used and 0-IPs have been excluded.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
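As an added illustration of the tuning described in the two replies above (this is not code from the thread or from QRadar), the decision logic the duplicated rules need to implement, run over constructed Office 365-style events: a real IPv4 source is indexed as before, a 0.0.0.0 IPv4 with a real IPv6 falls to the IPv6 copy of the rule, and a 0.0.0.0 IPv4 with no usable IPv6 is the N/A case that must not key an offense. The field names `sourceip` and `sourcev6`, the event layout and the rule names are assumptions, and it also treats an unparseable IPv4 value the same way as 0.0.0.0.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample events in the shape the thread describes: the Office 365
# DSM leaves the IPv4 source as 0.0.0.0 whenever only an IPv6 client address
# exists. Field names are assumptions, not QRadar's real property names.
SAMPLE_EVENTS = [
    {"id": 1, "sourceip": "203.0.113.10", "sourcev6": None},
    {"id": 2, "sourceip": "0.0.0.0", "sourcev6": "2001:db8::1"},
    {"id": 3, "sourceip": "0.0.0.0", "sourcev6": None},             # N/A case
    {"id": 4, "sourceip": "0.0.0.0", "sourcev6": "::"},             # IPv6 zero address
    {"id": 5, "sourceip": "not-an-ip", "sourcev6": "2001:db8::2"},  # garbage IPv4
]


def real_address(value: Optional[str], version: int) -> Optional[str]:
    """Return the address if it parses as the requested IP version and is not
    the unspecified (all-zero) address; otherwise None."""
    if not value:
        return None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if addr.version != version or addr.is_unspecified:
        return None
    return str(addr)


def index_key(event: dict) -> Optional[str]:
    """Attribute the tuned rules should index on: real IPv4 first, real IPv6
    when IPv4 is a 0.0.0.0 placeholder, None when neither is usable."""
    return (real_address(event.get("sourceip"), 4)
            or real_address(event.get("sourcev6"), 6))


def ipv4_rule_matches(event: dict) -> bool:
    """Rule copy 1: the original rule, restricted to real IPv4 sources."""
    return real_address(event.get("sourceip"), 4) is not None


def ipv6_rule_matches(event: dict) -> bool:
    """Rule copy 2: fires only when IPv4 is unusable and IPv6 is real."""
    return (real_address(event.get("sourceip"), 4) is None
            and real_address(event.get("sourcev6"), 6) is not None)


def partition(events: List[dict]) -> Dict[int, str]:
    """Map each event id to the rule copy that handles it, or 'N/A'."""
    out = {}
    for ev in events:
        if ipv4_rule_matches(ev):
            out[ev["id"]] = "ipv4-rule"
        elif ipv6_rule_matches(ev):
            out[ev["id"]] = "ipv6-rule"
        else:
            out[ev["id"]] = "N/A"
    return out
```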