IBM Security QRadar


False positive results or not on qid events?


    Posted Thu November 17, 2022 05:10 AM
    Hello people, I wanted to ask you about some logs that I have from QRadar with QID 5000830, which is a successful login to a server or anything. I use a rule which tells me if someone logs in to the Exchange server from an external IP outside my country. The problem is that I get logs with QID 5000830, and for a big part of the IPs, when I check them, the ISP is Microsoft Corporation, services: Datacenter. I have doubts about these IPs and I think they are fraudulent. I also checked them on IPQualityScore, and there the fraud score is 65. What do you think about this? I also read that Microsoft Corporation has partnered with some company to provide some internet services, but I am not so sure about this. If the IPs are fraudulent, I am sure that I have to disable some accounts and change passwords as well.
    In the attachment are the results from both of the web services I use to check the IPs that connect to my Exchange server.

    Can you please tell me if these results are false positives and the behavior of the Exchange server is normal, or whether the connections are from fraudulent IPs which I have to block on my firewall, and also disable the users and change their passwords?

    Thank you!

    Slavcho Andreevski
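The rule described in the post (QID 5000830 successful-login events whose source IP is outside the home country), run over a handful of constructed events, as an added example that is not code from the post or from IBM QRadar. The QID value is the one from the post; every IP address, CIDR range, owner label and event line below is made up for illustration, and the owner table stands in for whatever ASN/WHOIS or reputation lookup is actually used. The per-IP distinct-account count is an extra triage check added here, not something the post asks for: several different accounts succeeding from one datacenter address is worth a closer look whatever a fraud score says.

```python
"""Triage of QRadar QID 5000830 (successful login) events from foreign IPs.

Added example, not code from the original post or from IBM QRadar. The QID
comes from the post; all IPs, ranges, owners and events are constructed.
"""
import ipaddress
from collections import defaultdict

SUCCESSFUL_LOGIN_QID = 5000830  # QID named in the post

# Constructed: ranges treated as "my country" (hypothetical, not real allocations)
HOME_COUNTRY_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")
]

# Constructed: owner lookup table standing in for an ASN/WHOIS or reputation result
OWNER_TABLE = {
    ipaddress.ip_network("192.0.2.0/25"): ("Microsoft Corporation", "Datacenter"),
    ipaddress.ip_network("192.0.2.128/25"): ("ExampleNet ISP", "Residential"),
}

# Constructed events, flattened to (qid, source_ip, username)
EVENTS = [
    (5000830, "203.0.113.10", "alice"),   # home-country IP, must not fire
    (5000830, "192.0.2.5", "alice"),
    (5000830, "192.0.2.5", "bob"),
    (5000830, "192.0.2.5", "carol"),
    (5000830, "192.0.2.200", "dave"),
    (5000840, "192.0.2.7", "erin"),       # different QID, must be ignored
]


def lookup_owner(ip):
    """Return (owner, usage) for an IP from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, owner in OWNER_TABLE.items():
        if addr in net:
            return owner
    return ("unknown", "unknown")


def is_home_country(ip):
    """True when the IP falls inside one of the home-country ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_COUNTRY_RANGES)


def foreign_logins(events):
    """The post's rule: successful-login QID from an IP outside the home ranges."""
    return [
        (qid, ip, user)
        for qid, ip, user in events
        if qid == SUCCESSFUL_LOGIN_QID and not is_home_country(ip)
    ]


def triage(events):
    """Group foreign logins by source IP and enrich each with owner data and
    the set of accounts seen. 'multi_account' flags one IP logging in as
    several users, an added heuristic to prioritise which hits to investigate."""
    by_ip = defaultdict(set)
    for _, ip, user in foreign_logins(events):
        by_ip[ip].add(user)
    report = {}
    for ip, users in by_ip.items():
        owner, usage = lookup_owner(ip)
        report[ip] = {
            "owner": owner,
            "usage": usage,
            "accounts": sorted(users),
            "multi_account": len(users) > 1,
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(EVENTS).items():
        print(ip, info)
```

Running it lists the two foreign source IPs with their owner, usage type and the accounts that logged in from each; the home-country login and the event with a different QID are left out, matching the rule in the post.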