Dynamic IP meaning for X-Force is discussed here in the support forums: https://developer.ibm.com/answers/questions/472914/xforce-dynamic-ips-meaning/
The rule discussed in this thread is added by the QRadar Threat Content Pack, so there should be no "Logic" for users to write, but these rules would be added when you install the Threat content pack via Admin > Extension Management. These are IBM maintained rules that are provided via the X-Force App Exchange. I've got a Frequently Asked Questions write-up on QRadar X-Force Rules and content packs here: Frequently Asked Questions: QRadar X-Force Rules
This dynamic rule for X-Force appears to have a Source/Destination issue in its rule configuration. The dev team responsible for this feature has this rule in review now, as mentioned above. If there are follow-up questions, let me know.
Hope this helps...
- Jonathan
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
Original Message:
Sent: Fri July 19, 2019 01:57 AM
From: Asif Siddiqui
Subject: X-Force Premium rule question
Hi All,
Can you please share the logic of this rule? I would like to understand it, and if possible I will try to implement such a rule in our environment. I also need to understand what is meant by dynamic IP (or dynamic ranges) as per X-Force.
Regards
Asif Siddiqui
------------------------------
Asif Siddiqui
Original Message:
Sent: Tue July 16, 2019 07:27 AM
From: Amir Perlson
Subject: X-Force Premium rule question
Hi, we are seeing many offenses titled "Non-Servers Communicating with External IP Classified as Dynamic" - this is related to an X-Force Premium rule. The rule note says:
"This rule will notify when an internal host that is not a server, communicates with an IP that is considered to be dynamic. Usually there is no reason for internal hosts to be communicating with dynamic ranges."
But what the rule actually tests for is whether the "Source IP is categorized by X-Force as Dynamic IPs". Shouldn't it be testing - as the note seems to indicate - for whether or not the Destination IP is categorized by X-Force as Dynamic IPs?
Isn't the way the rule is currently configured alerting us to external dynamic IPs trying to access local non-servers, which is the opposite of what the rule is titled and what the note says it should be doing?
------------------------------
Amir Perlson
------------------------------
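As an added illustration of the Source/Destination question raised in this thread, the two tests are modelled below against a handful of constructed flows. This is not QRadar's rule logic or IBM code: the local network hierarchy, the server asset list and the "Dynamic IPs" set are constructed stand-ins for the QRadar network hierarchy, asset profiles and the X-Force category lookup, and it is assumed that the rule's other condition is simply that the opposite side of the flow is a local host that is not a server.

```python
"""Added illustration of the Source/Destination issue discussed above.

Not QRadar's rule and not IBM code. LOCAL_NETS, SERVERS and XFORCE_DYNAMIC are
constructed stand-ins for the network hierarchy, asset profiles and the
X-Force "Dynamic IPs" category; the real lookups are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List

# Assumed local network hierarchy (constructed).
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed asset profile: local hosts classified as servers (constructed).
SERVERS = {"10.0.0.5"}
# Stand-in for addresses X-Force would categorize as "Dynamic IPs" (constructed).
XFORCE_DYNAMIC = {"203.0.113.77"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def local_non_server(ip: str) -> bool:
    return is_local(ip) and ip not in SERVERS


def xforce_dynamic(ip: str) -> bool:
    return ip in XFORCE_DYNAMIC


def as_configured(flow: Flow) -> bool:
    """The test reported in the thread: Source IP categorized as Dynamic IPs.
    The local non-server must then be the destination, so only inbound
    traffic from a dynamic external address can match (assumed pairing)."""
    return xforce_dynamic(flow.src) and local_non_server(flow.dst)


def as_documented(flow: Flow) -> bool:
    """What the rule note describes: a local non-server (source) talking to
    a destination categorized as Dynamic IPs."""
    return local_non_server(flow.src) and xforce_dynamic(flow.dst)


# Constructed flows: outbound from a workstation to a dynamic address,
# inbound from that address to the workstation, outbound from a server,
# and outbound from the workstation to a non-dynamic address.
FLOWS = [
    Flow("10.0.1.20", "203.0.113.77"),
    Flow("203.0.113.77", "10.0.1.20"),
    Flow("10.0.0.5", "203.0.113.77"),
    Flow("10.0.1.20", "198.51.100.10"),
]


def matches(test: Callable[[Flow], bool], flows: List[Flow] = FLOWS) -> List[Flow]:
    """Return the flows that a given rule test would fire on."""
    return [f for f in flows if test(f)]


if __name__ == "__main__":
    for name, test in (("as configured", as_configured), ("as documented", as_documented)):
        print(name, [(f.src, f.dst) for f in matches(test)])
```

Run stand-alone, the two predicates fire on disjoint flows: the "as configured" test only matches the inbound flow from the dynamic address, while the "as documented" test only matches the workstation's outbound connection, which is the mismatch the thread describes.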