IBM Support

QRadar: IP categorization set to N/A in the Log Activity tab

Question & Answer


Question

Why does the XFORCE_IP_CATEGORY display as N/A when searched for using AQL under the Log Activity tab?

Answer

Consider these AQL queries, which call the XFORCE_IP_CATEGORY function:
SELECT XFORCE_IP_CATEGORY('X.X.X.X') from events limit 1

SELECT sourceip, XFORCE_IP_CATEGORY(sourceip) as IPcategories from events

By default, QRadar populates categories for IP addresses that belong to any of the X-Force IP categories. If the IP category is displayed as 'N/A', that particular IP is unsuspicious.
Example:
[Image: Log Activity search results in which the obfuscated IP addresses have their categorization displayed as N/A.]
Here, for the obfuscated IP addresses, the categorization is displayed as N/A.
If we right-click the IP to check its categorization on X-Force Exchange, it is categorized as 'Unsuspicious':

[Image: X-Force Exchange report for the IP address, showing the categorization 'Unsuspicious'.]
Hence, IP addresses categorized as "Unsuspicious" in X-Force Exchange have their XFORCE_IP_CATEGORY displayed as N/A in the Log Activity tab.


Document Information

Modified date:
26 April 2023

UID

ibm16984433