Direct Lookups for IP Reputation Classifications

Deprecated in 7.4.0: Suspect content warnings that are based on X-Force IP reputation categories are deprecated in QRadar Network Insights 7.4.0 and will be removed in a future release.

Summary: To ensure that your IP reputation classifications use the most recent classification information available, update your rules and queries to use direct X-Force IP reputation lookups. Direct lookups also provide additional classifications that were not available as part of the former suspect content warnings.

The following IP reputation suspect content warnings are deprecated:
  • spam
  • anonymous proxy
  • scanning IP
  • malware
  • botnet
Rules and queries that use the deprecated suspect content warnings can be updated to use the following X-Force IP categorizations:
  • Anonymization Services
  • Botnet Command and Control Server
  • Bots
  • Cryptocurrency Mining
  • Dynamic IPs
  • Malware
  • Scanning IPs
  • Spam

For example, a rule that was previously defined as "when any of Suspect Content Descriptions match anonymous proxy" can be updated to use the following rule instead:

You can tune the threshold value to suit your needs.

In Ariel Query Language (AQL), you can use the XFORCE_IP_CATEGORY function instead.
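
The following query is an added example, not taken from the original page, of a direct lookup over flow records that replaces a filter on the deprecated "anonymous proxy" warning. The use of XFORCE_IP_CONFIDENCE alongside XFORCE_IP_CATEGORY, the threshold of 75, the 24-hour window and the choice of destinationip are assumptions for illustration; the category string uses the spelling from the list above.

```sql
-- Added example: flows from the last 24 hours whose destination IP
-- X-Force classifies as an anonymization service.
-- Assumptions: threshold 75 and the time window are placeholders to tune;
-- the category string must match the name shown in your deployment.
SELECT sourceip,
       destinationip,
       -- All X-Force categories for the destination, via the direct lookup
       XFORCE_IP_CATEGORY(destinationip) AS xforce_categories,
       -- Confidence score for the one category this query filters on
       XFORCE_IP_CONFIDENCE('Anonymization Services', destinationip) AS anon_confidence,
       COUNT(*) AS flow_count
FROM flows
WHERE XFORCE_IP_CONFIDENCE('Anonymization Services', destinationip) > 75
GROUP BY sourceip, destinationip
ORDER BY flow_count DESC
LAST 24 HOURS
```

Swapping the category string for another entry in the list, such as Botnet Command and Control Server or Cryptocurrency Mining, covers classifications that the deprecated warnings did not expose.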