Troubleshooting
Problem
Symptom
In a multi-tenant deployment, activity from a local IP address in 'tenant A' can cause 'tenant B' to start generating incidents in QRadar. This happens whenever hosts in both tenants use the same local IP address: when a host is marked as compromised, only its IP address is added to the 'compromised hosts' reference data set that the extensions install by default; the tenant tag is not stored with it. Affected rules:
- Excessive System Tools Usage from a Single Host
- Suspicious Svchost Process
- Process Launched from Unusual Directory
- PsExec Process Masquerading
- Potential Keylogger Detected
- Rundll32 with qwerty Argument Usage
- Mimikatz IMP Hash Observed
- Malicious Service Installed
- Powershell Process Observed on a Compromised Host
- Service Installed on a Compromised Host
- Network Share Accessed from a Compromised Host
- Successful Login From a Compromised Host
- Scheduled Task Created on a Compromised Host
- Administrative Share Accessed from a Compromised Host
- SMB Traffic Permitted From a Compromised Host
- Network Share Added to a Compromised Host
- Excessive Denied SMB Traffic From a Compromised Host
- PsExec Process Observed on a Compromised Host
- Excessive Network Share Access Failures from a Compromised Host
Cause
Resolving The Problem
In a multi-tenant environment, the single Reference Set has to be replaced by a Reference Map of Sets keyed by tenant, that is:
<Tenant A, <compromised host list for tenant A>>,
<Tenant B, <compromised host list for tenant B>>,
and so on for each tenant.
Configure each rule to match the tenant ID and source or destination host against the entries in the reference map of sets.
This prevents a host marked as compromised in the 'tenant A' environment from being treated as compromised in 'tenant B' when both tenants use the same private IP address.
After any extension upgrade, you might need to modify the rules again, from the single Reference Set back to the Reference Map of Sets.
For easier management of the Reference Map of Sets, it is suggested to install the additional QRadar extension Reference Data Management.
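The two lookup models above, as an added example that is not IBM's code or part of the QRadar extensions: one constructed PowerShell event per tenant host is checked the way the rule "Powershell Process Observed on a Compromised Host" would check it, first against a single IP-only reference set and then against a tenant-keyed reference map of sets. The event fields, tenant names and IP addresses are assumptions.

```python
# Added example, not part of the IBM technote or the QRadar extensions.
# It compares the two lookup models described above for one rule,
# "Powershell Process Observed on a Compromised Host", over constructed events.

# Constructed sample events: both tenants use the same private address space,
# so 10.0.0.5 is one machine in tenant A and a different machine in tenant B.
EVENTS = [
    {"tenant": "Tenant A", "src_ip": "10.0.0.5", "process": "powershell.exe"},
    {"tenant": "Tenant B", "src_ip": "10.0.0.5", "process": "powershell.exe"},
    {"tenant": "Tenant B", "src_ip": "10.0.0.9", "process": "powershell.exe"},
]

# Constructed marks: the marking rules fired only for tenant A's host.
MARKED = [("Tenant A", "10.0.0.5")]


def build_single_set(marked):
    """Model the default 'compromised hosts' reference set: IP only, no tenant tag."""
    return {ip for _tenant, ip in marked}


def build_map_of_sets(marked):
    """Model the reference map of sets: <tenant, <compromised hosts for that tenant>>."""
    map_of_sets = {}
    for tenant, ip in marked:
        map_of_sets.setdefault(tenant, set()).add(ip)
    return map_of_sets


def is_powershell(event):
    return event["process"].lower() == "powershell.exe"


def evaluate_single_set(events, marked):
    """Rule as shipped: source IP looked up in the single set, tenant ignored."""
    compromised = build_single_set(marked)
    return [(e["tenant"], e["src_ip"]) for e in events
            if is_powershell(e) and e["src_ip"] in compromised]


def evaluate_map_of_sets(events, marked):
    """Rule after the fix: tenant ID selects the set, then the source IP is looked up."""
    compromised = build_map_of_sets(marked)
    return [(e["tenant"], e["src_ip"]) for e in events
            if is_powershell(e) and e["src_ip"] in compromised.get(e["tenant"], set())]


if __name__ == "__main__":
    # Single set: tenant B's unrelated host 10.0.0.5 also matches (the cross-tenant false positive).
    print("single set:", evaluate_single_set(EVENTS, MARKED))
    # Map of sets: only tenant A's host matches.
    print("map of sets:", evaluate_map_of_sets(EVENTS, MARKED))
```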
Document Location
Worldwide
Document Information
Modified date:
01 February 2024
UID
ibm16988519