IBM Security QRadar

  • 1.  X-Force Premium rule question

    Posted Tue July 16, 2019 09:10 AM
    Hi, we are seeing many offenses titled "Non-Servers Communicating with External IP Classified as Dynamic" - this is related to an X-Force Premium rule. The rule note says:

    "This rule will notify when an internal host that is not a server, communicates with an IP that is considered to be dynamic. Usually there is no reason for internal hosts to be communicating with dynamic ranges."

    But what the rule actually tests for is whether the "Source IP is categorized by X-Force as Dynamic IPs". Shouldn't it be testing - as the note seems to indicate - for whether or not the Destination IP is categorized by X-Force as Dynamic IPs?

    Isn't the way the rule is currently configured alerting us to External Dynamic IPs trying to access local non-servers, which is the opposite of what the rule is titled and of what the note says it should be doing?


    ------------------------------
    Amir Perlson
    ------------------------------


  • 2.  RE: X-Force Premium rule question

    Posted Thu July 18, 2019 07:58 AM
    Hi Amir

    I second you; even I did not get the logic of using Source IP. It should be Destination IP. I have changed this in our deployment.

    T&R
    Arjun

    ------------------------------
    Arjun Kumar Network & Security Engineer
    ------------------------------



  • 3.  RE: X-Force Premium rule question

    Posted Thu July 18, 2019 01:47 PM

    @Amir Perlson

    @Arjun Kumar

    Hey all,

    I saw this discussion and talked with the development team after a quick investigation and there is a defect logged for this issue as number 217996. I know that you both mentioned that you have this fixed manually, but if you wanted to follow this issue you could open a case and tell the support rep that you reported an X-Force Rule issue found in defect 217996 (they'll know what this number means) and they can associate your IBM ID/company to this issue. I'm going to request that an APAR (problem report in IBM) be created for this so other users can track the fix. 

    I just wanted to fill you in on the current status after I looked in to your message. Let me know if there are follow-up questions or concerns.  
    - Jonathan



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 4.  RE: X-Force Premium rule question

    Posted Sat July 20, 2019 06:03 AM
    Thanks for the update Jonathan.

    ------------------------------
    Arjun Kumar Network & Security Engineer
    ------------------------------



  • 5.  RE: X-Force Premium rule question

    Posted Sun July 21, 2019 04:59 AM
    Thank you

    ------------------------------
    Amir Perlson
    ------------------------------



  • 6.  RE: X-Force Premium rule question

    Posted Fri July 19, 2019 01:58 AM
    Hi All,

    Can you please share the logic of this rule? I would like to understand it and, if possible, I will try to implement such a rule in our environment. I also need to understand what is meant by dynamic IP (or dynamic ranges) as per X-Force.


    Regards
    Asif Siddiqui

    ------------------------------
    Asif Siddiqui
    ------------------------------



  • 7.  RE: X-Force Premium rule question

    Posted Fri July 19, 2019 10:46 AM

    Dynamic IP meaning for X-Force is discussed here in the support forums: https://developer.ibm.com/answers/questions/472914/xforce-dynamic-ips-meaning/

    The rule discussed in this thread is added by the QRadar Threat Content Pack, so there should be no "logic" for users to write; these rules are added when you install the Threat Content Pack via Admin > Extension Management. These are IBM-maintained rules that are provided via the X-Force App Exchange. I've got a Frequently Asked Questions write-up on QRadar X-Force Rules and content packs here: Frequently Asked Questions: QRadar X-Force Rules

    This dynamic rule for X-Force appears to have a Source/Destination issue in its rule configuration. The dev team responsible for this feature has this rule in review now, as mentioned above. If there are follow-up questions, let me know.

    Hope this helps... 

    - Jonathan



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
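The following is an added worked example, not code from the thread or from the QRadar Threat Content Pack. It models the Source/Destination point raised in the first post and answers Asif's request in post 6 for the rule logic by evaluating two versions of the test over constructed flow records: the test as reported (Source IP categorized by X-Force as Dynamic IPs) and the test the rule note describes (Destination IP categorized as Dynamic IPs). The X-Force category lookup, the local network ranges, the server list and the flow records are all constructed stand-ins; how QRadar itself decides that a host "is not a server" is assumed here to be membership in an asset-profile server list.

```python
"""
Toy evaluator for the X-Force Premium rule "Non-Servers Communicating with
External IP Classified as Dynamic". Added example for the thread above; it is
not the rule as shipped in the QRadar Threat Content Pack. All data below is
constructed: the X-Force categories, the network hierarchy, the server list
and the flows.
"""
from dataclasses import dataclass

from ipaddress import ip_address, ip_network

# Constructed stand-in for the X-Force IP category feed (assumption: in QRadar
# this comes from the X-Force reputation data, not from a dict).
XFORCE_CATEGORIES = {
    "203.0.113.7": {"Dynamic IPs"},
    "198.51.100.9": {"Dynamic IPs", "Spam"},
    "192.0.2.10": {"Hosting"},
}

# Constructed network hierarchy (which addresses count as local/internal).
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: the rule's "internal host that is not a server" condition is
# modelled as "local IP not listed as a server in the asset profile".
SERVERS = {"10.0.0.5"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def has_category(ip: str, category: str) -> bool:
    return category in XFORCE_CATEGORIES.get(ip, set())


def local_non_server(flow: Flow) -> bool:
    """True when the flow has a local end and no local end is a known server."""
    local_ends = [ip for ip in (flow.src, flow.dst) if is_local(ip)]
    return bool(local_ends) and all(ip not in SERVERS for ip in local_ends)


def rule_as_reported(flow: Flow) -> bool:
    """The test the thread says the shipped rule performs:
    'Source IP is categorized by X-Force as Dynamic IPs'."""
    return local_non_server(flow) and has_category(flow.src, "Dynamic IPs")


def rule_as_intended(flow: Flow) -> bool:
    """The behaviour the rule note describes: an internal non-server host
    communicating with a dynamic IP, i.e. the Destination IP is dynamic."""
    return local_non_server(flow) and has_category(flow.dst, "Dynamic IPs")


def offenses(flows, rule):
    """Return the flows that would raise an offense under the given rule."""
    return [f for f in flows if rule(f)]


# Constructed sample flows covering the cases discussed in the thread.
SAMPLE_FLOWS = [
    Flow("10.0.1.23", "203.0.113.7"),   # workstation -> external dynamic IP
    Flow("203.0.113.7", "10.0.1.23"),   # external dynamic IP -> workstation
    Flow("10.0.0.5", "198.51.100.9"),   # server -> external dynamic IP
    Flow("10.0.1.23", "192.0.2.10"),    # workstation -> external hosting IP
]


def compare(flows=SAMPLE_FLOWS):
    """Offenses raised by each version of the rule over the same flows."""
    return {
        "as_reported": offenses(flows, rule_as_reported),
        "as_intended": offenses(flows, rule_as_intended),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name)
        for flow in hits:
            print(f"  {flow.src} -> {flow.dst}")
```

Run as written, the "as_reported" version fires only on the inbound flow from the dynamic address to the workstation, while the "as_intended" version fires only on the outbound flow from the workstation to the dynamic address; the server-originated flow and the flow to a non-dynamic address fire under neither. That is exactly the inversion described in the first post: swapping the Source IP test for a Destination IP test is what makes the rule match its title and note.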