IBM QRadar


Local Host Sending Malware rule triggering REPEATEDLY

  • 1.  Local Host Sending Malware rule triggering REPEATEDLY

    Posted Wed September 22, 2021 10:28 AM

    This rule has suddenly begun triggering frequently in the last 48 hours, but when I look at the offenses raised, the destination IPs that are triggering them are from organisations such as Google, Cloudflare, etc. When I look at the Malware IP reference set that is linked to the rule, it also contains large numbers of IPs (Google etc.) that appear innocuous.

    Why is this rule suddenly going off, and what can I do to reduce the frequency? Set the Malware IPs reference set to expire, perhaps?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Local Host Sending Malware rule triggering REPEATEDLY

    Posted Thu September 23, 2021 01:08 AM

    This probably needs a case to review and resolve to understand the full picture.

    Potential options:

    1. You could tune the confidence value in the rule. The confidence percentage is shown next to the category for the IP. For example, this one is Spam with 100% confidence, as it is a known phishing URL: https://exchange.xforce.ibmcloud.com/ip/111.119.187.0
    2. Reducing the TTL on the reference sets, as you mentioned. It could be IPs being reused by threat actors. Even if it is not the root cause, it is a good idea to set TTLs on your reference sets: if you don't have TTLs, the sets can grow out of control and cause performance issues.
    3. You could review the IPs on X-Force directly to see if there is a classification issue and what the source of the reported IP is. For example, I picked an IP in the recently commented list as an example: https://exchange.xforce.ibmcloud.com/ip/104.152.52.34. If you comment on any errors or report an issue to the X-Force team, they can fix issues on those IPs.

    There might be other options, but these are the first three I thought of. If you get stuck, you could open a support case for a representative to review, but they will likely advise the same steps. If you have issues enabling a TTL, this is something support can definitely assist with.



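The three options in the reply above (tune confidence, put a TTL on the set, review suspect entries on X-Force) can be rehearsed offline before touching the rule. The script below is an added example written for this thread, not code from the original post or from IBM. It assumes a reference set dump in the shape returned by the QRadar REST API (`GET /api/reference_data/sets/{name}`: `name`, `element_type`, `time_to_live`, `timeout_type`, and `data[]` entries carrying `value`, `first_seen` and `last_seen` in epoch milliseconds). The sample set, the allowlisted CIDR ranges and the offense destination IPs are constructed for illustration; the allowlist is deliberately short and you would replace it with the providers' published ranges.

```python
"""Offline triage of a QRadar reference set that backs a "Local Host Sending Malware" rule.

Added example for the forum thread; not IBM code. Shows, for a dump of the set:
  * which entries a TTL would expire (and how FIRST_SEEN and LAST_SEEN timeouts differ),
  * which entries fall in ranges of providers you consider benign (review/report on X-Force),
  * how each offense destination IP relates to the set.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Fixed reference clock (the thread is from September 2021) so results are reproducible.
NOW = datetime(2021, 9, 23, tzinfo=timezone.utc)


def _epoch_ms(days_ago: int) -> int:
    """Epoch milliseconds, the unit QRadar uses for first_seen/last_seen."""
    return int((NOW - timedelta(days=days_ago)).timestamp() * 1000)


# Constructed sample dump in the shape of GET /api/reference_data/sets/{name}.
# Values are documentation/test ranges plus two well-known public resolvers.
SAMPLE_SET = {
    "name": "Malware IPs",
    "element_type": "IP",
    "time_to_live": None,        # no TTL configured: nothing ever expires
    "timeout_type": "UNKNOWN",
    "data": [
        {"value": "8.8.8.8",       "first_seen": _epoch_ms(10),  "last_seen": _epoch_ms(1),   "source": "X-Force"},
        {"value": "1.1.1.1",       "first_seen": _epoch_ms(5),   "last_seen": _epoch_ms(2),   "source": "X-Force"},
        {"value": "203.0.113.7",   "first_seen": _epoch_ms(120), "last_seen": _epoch_ms(90),  "source": "X-Force"},
        {"value": "198.51.100.23", "first_seen": _epoch_ms(3),   "last_seen": _epoch_ms(3),   "source": "X-Force"},
        {"value": "192.0.2.55",    "first_seen": _epoch_ms(200), "last_seen": _epoch_ms(120), "source": "X-Force"},
    ],
}

# Illustrative allowlist (assumption): ranges of large providers whose presence in a
# malware set usually means a classification problem. Replace with the published ranges.
ALLOWLIST_CIDRS = [
    ipaddress.ip_network("8.8.8.0/24"),   # Google Public DNS
    ipaddress.ip_network("1.1.1.0/24"),   # Cloudflare DNS
]


def parse_entries(dump: dict) -> list:
    """Convert API entries into ip_address objects and timezone-aware datetimes."""
    entries = []
    for item in dump["data"]:
        entries.append({
            "ip": ipaddress.ip_address(item["value"]),
            "first_seen": datetime.fromtimestamp(item["first_seen"] / 1000, tz=timezone.utc),
            "last_seen": datetime.fromtimestamp(item["last_seen"] / 1000, tz=timezone.utc),
            "source": item.get("source", ""),
        })
    return entries


def would_expire(entries: list, ttl_days: int, now: datetime = NOW, timeout_type: str = "LAST_SEEN") -> list:
    """Entries a TTL of ttl_days would already have removed.

    QRadar offers two timeout types: LAST_SEEN restarts the clock whenever the value is
    re-added by a feed, FIRST_SEEN does not. A LAST_SEEN TTL keeps entries the feed still
    reports and drops the ones it has stopped reporting, which is what you want for an
    IP set whose addresses get reused.
    """
    key = "last_seen" if timeout_type == "LAST_SEEN" else "first_seen"
    cutoff = now - timedelta(days=ttl_days)
    return sorted(str(e["ip"]) for e in entries if e[key] < cutoff)


def allowlisted(entries: list, cidrs: list = ALLOWLIST_CIDRS) -> list:
    """Entries inside benign-provider ranges: review them on X-Force Exchange and report
    misclassifications rather than silently deleting them from the set."""
    return sorted(str(e["ip"]) for e in entries if any(e["ip"] in net for net in cidrs))


def triage_destinations(dest_ips: list, entries: list, cidrs: list = ALLOWLIST_CIDRS) -> dict:
    """Classify offense destination IPs against the set so analysts see why each offense fired."""
    in_set = {e["ip"] for e in entries}
    result = {}
    for raw in dest_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in in_set:
            result[raw] = "not in set"
        elif any(ip in net for net in cidrs):
            result[raw] = "in set, allowlisted provider: review on X-Force"
        else:
            result[raw] = "in set, not allowlisted: investigate host"
    return result


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_SET)
    print("expire with 30-day LAST_SEEN TTL:", would_expire(entries, 30))
    print("expire with 7-day FIRST_SEEN TTL:", would_expire(entries, 7, timeout_type="FIRST_SEEN"))
    print("allowlisted entries to report:", allowlisted(entries))
    # Constructed offense destinations from the scenario in the question.
    print(triage_destinations(["8.8.8.8", "198.51.100.23", "10.0.0.5"], entries))
```

Running the script with the sample data shows the trade-off the reply hints at: a 30-day TTL keyed on last_seen removes only the two addresses the feed stopped reporting months ago, while a short first_seen TTL would also drop 8.8.8.8 even though the feed still reports it. The allowlisted hits are the ones to raise with X-Force; the non-allowlisted hit is the offense worth an analyst's time.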


  • 3.  RE: Local Host Sending Malware rule triggering REPEATEDLY

    Posted Thu September 23, 2021 01:16 AM

    I'll also add that this app is pretty handy when looking up stuff in reference sets. It hasn't been updated in a while, but it might not be a bad idea to add it temporarily if you find yourself looking up data in reference sets, as it will tell you where the data is and in what reference set by URL, IP, or file hash. https://exchange.xforce.ibmcloud.com/hub/extension/57e93c51cafc23553b9192cc57fb6182


