Greetings,
I have a few Office 365 rules which are indexed on source IP. Most of the time the source IP is IPv4 and indexing works fine; however, I have noticed that when IPv6 is present, the source IP (IPv4) becomes 0.0.0.0, generating false positive offenses because now the source IP is 0.0.0.0.
Is there a way so that if the source IPv4 is all zeros and the source IPv6 has a value, the rule automatically indexes on the source IPv6?
This is only for Office 365 events. Current QRadar version is 7.4.1.
I came across an old APAR, but that does not help.
IJ16412: OFFICE 365 DSM IS POPULATING THE IPV4 LOG SOURCE ADDRESS AS SOURCE IP WHEN IT SHOULD BE USING IPV6 ADDRESS
------------------------------
Hemant Kumar
------------------------------
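The fallback the question asks for, modelled as an added Python example (this is not QRadar code and is not from the original post). It constructs a handful of sample events, keys them the naive way (on the IPv4 field alone) and then with a fallback that prefers the IPv4 field unless it is the unspecified address, in which case it uses the IPv6 field. The check generalizes the "all zeros" test slightly: it treats both 0.0.0.0 and :: as unusable via `ipaddress.is_unspecified`, so an event with neither address set is dropped from indexing instead of being keyed on a zero address. The field names `sourceip`/`sourcev6`, the event contents and the offense threshold are assumptions made for the illustration.

```python
"""Index-key selection with an IPv4 -> IPv6 fallback for source addresses.

Added example, not QRadar code. It models the failure mode in the post:
when the real client address is IPv6, the IPv4 source field is 0.0.0.0,
so a rule indexed on that field collapses unrelated clients onto one key
and raises a single, spurious offense for "0.0.0.0".
"""
import ipaddress
from collections import Counter

# Constructed sample events (not real Office 365 log data). The field names
# 'sourceip' and 'sourcev6' are assumed to mirror the event properties.
SAMPLE_EVENTS = [
    {"user": "alice", "sourceip": "203.0.113.10", "sourcev6": "0:0:0:0:0:0:0:0"},
    {"user": "bob",   "sourceip": "0.0.0.0",      "sourcev6": "2001:db8::1"},
    {"user": "carol", "sourceip": "0.0.0.0",      "sourcev6": "2001:db8::2"},
    {"user": "dave",  "sourceip": "0.0.0.0",      "sourcev6": "2001:db8::1"},
    {"user": "erin",  "sourceip": "0.0.0.0",      "sourcev6": "0:0:0:0:0:0:0:0"},
]

# Assumed threshold: an index key with this many matching events "fires".
OFFENSE_THRESHOLD = 2


def is_usable(addr):
    """True if addr parses as an IP address and is not the unspecified
    address (0.0.0.0 for IPv4, :: for IPv6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not ip.is_unspecified


def naive_key(event):
    """The behaviour described in the post: always key on the IPv4 field."""
    return event.get("sourceip")


def effective_source(event):
    """Prefer the IPv4 field; if it is unusable, fall back to the IPv6
    field. Returns the normalised address string, or None if neither
    field holds a usable address."""
    for field in ("sourceip", "sourcev6"):
        value = event.get(field)
        if value and is_usable(value):
            return str(ipaddress.ip_address(value))
    return None


def index_events(events, key_func):
    """Count events per index key, skipping events with no usable key.
    This mimics a rule aggregating matching events per indexed property."""
    counts = Counter()
    for event in events:
        key = key_func(event)
        if key is not None:
            counts[key] += 1
    return counts


def offending_keys(counts, threshold=OFFENSE_THRESHOLD):
    """Keys whose event count reached the threshold, sorted for stable output."""
    return sorted(k for k, n in counts.items() if n >= threshold)


def naive_index():
    return index_events(SAMPLE_EVENTS, naive_key)


def fallback_index():
    return index_events(SAMPLE_EVENTS, effective_source)


if __name__ == "__main__":
    naive = naive_index()
    fallback = fallback_index()
    print("naive (IPv4 only):   ", dict(naive), "-> offenses:", offending_keys(naive))
    print("with IPv6 fallback:  ", dict(fallback), "-> offenses:", offending_keys(fallback))
```

With the naive key, four unrelated events share the key 0.0.0.0 and a single bogus offense fires for it; with the fallback, bob and dave (same IPv6 client) are the only pair that reaches the threshold, carol stays separate, and erin, who has no usable address in either field, is not indexed at all.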