Troubleshooting
Problem
Symptom
- Source Network or Destination Network in Log Activity does not show the expected network hierarchy object; it is displayed as 'other' instead.
- Remote to Local and Local to Remote functionality does not work as expected, which sometimes causes rules to misfire.
Cause
This issue can happen when these three conditions are met:
- An IPv6 address is present in an event along with an IPv4 address.
- The IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 parameter is set to FALSE in nva.conf.
- The IPv6 address is not defined in the network hierarchy.
With that parameter setting, an IPv6 address in an event takes precedence over an IPv4 address when QRadar maps the address to the network hierarchy. If the IPv6 address is not part of the network hierarchy, QRadar tags the network as 'other'.
For example, in the following event payload, the OriginatingComputer field has an IPv4 address, and Source Network Address has an IPv6 address:
Aug 04 16:30:21 info-EX8.example.com AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing Computer=info-ex8.example.com
OriginatingComputer=10.10.110.18 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 RecordNumber=39589905 TimeGenerated=1659610741 TimeWritten=1659610741
Level=Log Always Keywords=Audit Success Task=SE_ADT_LOGON_LOGON Opcode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: EXAMPLE\HealthMailbox4eba3e5 Account Name: HealthMailbox4eba3e5 Account Domain: EXAMPLE Logon ID: 0xCE2B234A
Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: INFO-EX8 Source Network Address: fe80::3598:e361:5d9:16ae
Source Port: 24190 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 0
The IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting decides whether the IPv4 address takes priority or the IPv6 address:
# grep IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 /opt/qradar/conf/nva.conf
IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE
In this case, the IPv6 address takes precedence. Assume that the IPv6 address is not defined in the network hierarchy but the IPv4 address is. Because the IPv6 definition is missing, QRadar tags the Source Network as 'other'.
Diagnosing The Problem
- For an event that shows the Source Network or Destination Network as 'other', analyze the payload to check the presence of source or destination fields with both IPv4 and IPv6 addresses.
- Check whether the network hierarchy has been updated to include the IPv4 address but not the IPv6 address.
- Confirm that IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 in nva.conf is set to FALSE:
# grep IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 /opt/qradar/conf/nva.conf
IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE
Resolving The Problem
You can correct this behavior by changing the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting in nva.conf to give priority to the IPv4 address over the IPv6 address.
NOTE: Another option is to have the IPv6 address added to the Network Hierarchy. If that is done, there is no need to change the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 parameter.
To change the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 setting, use these steps:
- Take the backup of nva.conf file by using this command:
# cp /store/configservices/staging/globalconfig/nva.conf /store/configservices/staging/globalconfig/nva.conf.backup
- Run this command to set the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 to TRUE:
# sed -i 's/IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6\=FALSE/IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6\=TRUE/g' /store/configservices/staging/globalconfig/nva.conf
- Validate the change by using this command:
# diff /store/configservices/staging/globalconfig/nva.conf /store/configservices/staging/globalconfig/nva.conf.backup
The output looks like this:
177c177
< IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=TRUE
---
> IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6=FALSE
- Run a Full Deploy to ensure services are restarted and the parameter takes effect.
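The backup, edit and validate steps above carried out in one script, as an added example rather than IBM's own tooling. It adds the check a practitioner wants before trusting the edit: the sed on the page exits 0 even when it matches nothing, so this version refuses to write unless the IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6 line occurs exactly once, and it returns the changed lines so they can be compared with the diff output shown above. The nva.conf content used by `demo()` is a constructed excerpt; the file path is the one given in the article. A Full Deploy is still required afterwards.

```python
import difflib
import shutil
import tempfile
from pathlib import Path

KEY = "IPV4_ADDRESS_HAS_PRIORITY_OVER_IPV6"
CONF = "/store/configservices/staging/globalconfig/nva.conf"  # path from the article

# Constructed excerpt of nva.conf for the demo; the real file has many more settings.
SAMPLE_CONF = (
    "# constructed sample settings\n"
    "SOME_OTHER_SETTING=1\n"
    f"{KEY}=FALSE\n"
    "ANOTHER_SETTING=abc\n"
)


def rewrite_conf(text, value="TRUE"):
    """Return (new_text, changed_lines). Refuses to proceed unless KEY occurs
    exactly once, so a typo in the key name cannot silently change nothing."""
    old = text.splitlines(keepends=True)
    new, hits = [], 0
    for line in old:
        if line.startswith(KEY + "="):
            new.append(f"{KEY}={value}\n")
            hits += 1
        else:
            new.append(line)
    if hits != 1:
        raise ValueError(f"expected exactly one {KEY} line, found {hits}; nothing written")
    # Keep only the -/+ lines of a zero-context unified diff, like the article's diff check.
    changed = [l.rstrip("\n") for l in difflib.unified_diff(old, new, n=0, lineterm="")
               if l[:1] in "+-" and not l.startswith(("---", "+++"))]
    return "".join(new), changed


def apply_to_file(conf_path=CONF, value="TRUE"):
    """Back up conf_path to <conf_path>.backup (as the article does), then rewrite
    it in place. Returns the changed lines for validation."""
    conf = Path(conf_path)
    new_text, changed = rewrite_conf(conf.read_text(), value)  # validate before touching disk
    shutil.copy2(conf, conf.with_name(conf.name + ".backup"))
    conf.write_text(new_text)
    return changed


def demo():
    """Run the procedure against a temporary copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "nva.conf"
        path.write_text(SAMPLE_CONF)
        changed = apply_to_file(path)
        backup_ok = (Path(tmp) / "nva.conf.backup").read_text() == SAMPLE_CONF
        return changed, backup_ok


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Re-running `rewrite_conf` on the already-changed text returns an empty change list rather than raising, so the script is safe to run twice; a file with the key missing or duplicated is rejected before the backup is written.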
RESULT:
Assuming the IPv4 address is configured in the network hierarchy, the Source Network and Destination Network are then displayed as expected.
Document Location
Worldwide
Document Information
Modified date:
30 August 2022
UID
ibm16613213