Configuring the QRadar Network Threat Analytics app

After you install the IBM® QRadar® Network Threat Analytics app, you must configure it to add the authorized service token that is used for authentication with QRadar.

Immediately after the QRadar Network Threat Analytics app is configured with the authorized service token, the baseline process begins. The app reviews all existing flow data and creates a network baseline against which all future flow records are compared. When your deployment has lots of flow records, the baseline is more representative of the types of flow traffic that is typically observed on your network.

Important: The time that it takes to create the network baseline depends on the volume and complexity of the network data and the performance of your QRadar instance. The network baseline status indicator on the app Configuration page approximates the progress. It can take a long time to complete.

Before you begin

You must be logged in as an administrator.

You must have a QRadar security token that is configured with the Admin security profile and user role. For more information, see Creating an authorized service token.

Ensure that your QRadar deployment has at least one week of continuous flow data.

Procedure

  1. Click the Network Threat Analytics tab.
  2. In the Application not configured window, click Admin > Network Threat Analytics > Settings.

    If you do not see the link, confirm that you are logged in with administrator privileges.

  3. In the Authorized service token field, provide the QRadar token.
  4. Optional: Configure the rest of the application settings.
    Setting Description
    Default timeframe

    Refers to the time frame that is set for the app when it first loads.

    Depending on the amount of traffic in your network, you can configure this setting to suit the amount of traffic that you want to pull back.

    Default network data tab

    New in 1.2.0

    Select which view is shown when the Network data page first opens.

    Default latitude for unknown coordinates

    New in 1.2.0

    Sets the latitudinal location for traffic that is categorized as Unknown location.

    All network traffic that does not fit within the defined network hierarchy, or traffic that has an IP address that does not have a known geolocation, is grouped together. In the map view, the unknown traffic appears to originate from a common location.

    Default longitude for unknown coordinates

    New in 1.2.0

    Sets the longitudinal location for traffic that is categorized as Unknown location.

    Event generation score

    Sets the minimum score that is required in order for a finding to create an event.

    You can change this score so that events are only generated for the highest scoring findings on the system.

    Finding retention

    Sets the number of days to store the findings.

  5. Click Submit.

Results

The authorized service token is applied, and baseline process begins. QRadar Network Threat Analytics does not have to remain open during the baseline process.

Each time that you submit a configuration change, the baseline status briefly changes to Retrieving status. This message appears any time that you submit a configuration change, even when the baseline is not affected.

What to do next

Findings do not appear on the home page until the baseline process is complete. During this time, you can use the product interface to explore flows. After the first baseline is complete, you can explore findings and new flows that are scored against the baseline, even when the network baseline is updating.

If necessary, you can safely uninstall the app while the baseline process is in progress. The network baseline is not preserved, and the process starts over again when you reinstall the app.