Direct Lookups for IP Reputation Classifications
Deprecated in 7.4.0: Suspect content warnings that are based on X-Force IP reputation categories are deprecated in QRadar Network Insights 7.4.0 and will be removed in a future release.
Summary: To ensure that your IP reputation classifications use the most recent classification information that is available, update your rules and queries to use direct X-Force IP reputation lookups. Direct lookups also provide more classifications than were available through the former suspect content warnings.
Former suspect content descriptions:
- spam
- anonymous proxy
- scanning IP
- malware
- botnet

X-Force IP reputation categories that are available through direct lookups:
- Anonymization Services
- Botnet Command and Control Server
- Bots
- Cryptocurrency Mining
- Dynamic IPs
- Malware
- Scanning IPs
- Spam
For example, a rule that was previously defined with the rule test:

when any of Suspect Content Descriptions match anonymous proxy

can be updated to use the following rule test instead:

when Destination IP is categorized by X-Force as Anonymization Services with confidence value greater than 50

You can tune the confidence threshold value (50 in this example) to suit your needs.

In Ariel Query Language (AQL), you can use the XFORCE_IP_CATEGORY function instead.
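As an added example (not from the original page), the rule test above expressed as an AQL search: it lists the X-Force categories of each destination IP with XFORCE_IP_CATEGORY and keeps only events whose destination IP scores above 50 for Anonymization Services. It assumes the AQL function XFORCE_IP_CONFIDENCE(category, ip), which this page does not mention, is available, and that 'Anonymization Services' is the category name it accepts.

```sql
SELECT
    sourceip,
    destinationip,
    XFORCE_IP_CATEGORY(destinationip) AS xforce_categories,
    XFORCE_IP_CONFIDENCE('Anonymization Services', destinationip) AS anon_confidence
FROM events
WHERE XFORCE_IP_CONFIDENCE('Anonymization Services', destinationip) > 50
LAST 24 HOURS
```

Substitute another category name from the direct-lookup list (for example 'Spam' for the former spam suspect content description) and adjust the threshold to match the rule you are migrating.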