Investigating flows

IBM® QRadar® correlates flows into an offense when it identifies suspicious activity in network communications. The flow analysis provides visibility into layer 7, or the application layer, for applications such as web browsers, NFS, SNMP, Telnet, and FTP. A flow can include information such as IP addresses, ports, applications, traffic statistics, and packet payload from unencrypted traffic.

By default, QRadar tries to extract normalized fields and custom flow properties from the first 64 bytes of flow data, but administrators can increase the content capture length to collect more data. For more information, see the IBM QRadar Administration Guide.

Procedure

  1. In the Offense Summary window, click Flows in the upper right menu.

    The Flow List window shows all flows that are associated with the offense.

  2. Specify the Start Time, End Time, and View options to view flows that occurred within a specific time frame.
  3. Click the flow column header to sort the flow list.
  4. In the list of flows, right-click the flow name to apply quick filter options to reduce the number of flows to review.

    You can apply quick filters to other columns in the flow list as well.

  5. Double-click a flow to review the flow details.
    Learn more about the flow details:

    Event Description
      When the application is not identified in the payload, QRadar uses built-in decoding to determine the application, and shows "Application detected with state-based decoding" in Event Description.

    Source Payload and Destination Payload
      Shows the size of the payload. When the size exceeds 64 bytes, the payload might contain additional information that is not shown in the QRadar interface.

    Custom Rules Partially Matched
      Shows rules for which the threshold value was not met, but otherwise the rule matched.

    Flow Direction
      Specifies the flow direction, where L indicates the local network and R indicates the remote network.
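    As an added illustration (not part of the IBM documentation), the following Python script classifies constructed flow records into the L/R direction notation described above, written as source-to-destination pairs such as L2R, and flags any flow whose payload exceeds the default 64-byte capture length, so the analyst knows the payload shown in the interface is only a prefix. The local network ranges and the flow records are assumptions constructed for the example; in QRadar the local ranges come from the network hierarchy.

```python
import ipaddress
from dataclasses import dataclass

# Default content capture length from the documentation (bytes).
DEFAULT_CAPTURE_BYTES = 64

# Assumed local network ranges (constructed for this example).
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Flow:
    source_ip: str
    destination_ip: str
    destination_port: int
    source_payload_bytes: int
    destination_payload_bytes: int

def is_local(ip: str, local_networks=LOCAL_NETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_networks)

def flow_direction(flow: Flow, local_networks=LOCAL_NETWORKS) -> str:
    """Return the direction as L2L, L2R, R2L or R2R (source to destination)."""
    src = "L" if is_local(flow.source_ip, local_networks) else "R"
    dst = "L" if is_local(flow.destination_ip, local_networks) else "R"
    return f"{src}2{dst}"

def payload_truncated(flow: Flow, capture_bytes: int = DEFAULT_CAPTURE_BYTES) -> bool:
    """True when either payload is larger than the capture length, i.e. only a prefix is shown."""
    return max(flow.source_payload_bytes, flow.destination_payload_bytes) > capture_bytes

def triage(flows, local_networks=LOCAL_NETWORKS, capture_bytes=DEFAULT_CAPTURE_BYTES):
    """Summarise each flow with its direction and a truncation flag for the analyst."""
    return [{"src": f.source_ip, "dst": f.destination_ip, "dport": f.destination_port,
             "direction": flow_direction(f, local_networks),
             "payload_truncated": payload_truncated(f, capture_bytes)}
            for f in flows]

# Constructed sample flows (not real data).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "198.51.100.7", 21, 40, 512),   # internal host to external FTP server
    Flow("203.0.113.9", "10.1.2.3", 23, 128, 30),    # external host to internal Telnet port
    Flow("192.168.5.5", "10.9.9.9", 2049, 20, 64),   # internal NFS traffic, payload fits in 64 bytes
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```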

What to do next

For more information about how to use QRadar to review flow data, see Network activity monitoring and Event and flow searches.