Configuring the QRadar Network Threat Analytics app
After you install the IBM® QRadar® Network Threat Analytics app, you must configure it to add the authorized service token that is used for authentication with QRadar.
Immediately after the QRadar Network Threat Analytics app is configured with the authorized service token, the baseline process begins. The app reviews all existing flow data and creates a network baseline against which all future flow records are compared. When your deployment has many flow records, the baseline is more representative of the types of flow traffic that are typically observed on your network.
Before you begin
You must be logged in as an administrator.
You must have a QRadar security token that is configured with the Admin security profile and user role. For more information, see Creating an authorized service token.
Ensure that your QRadar deployment has at least one week of continuous flow data.
Procedure
Results
The authorized service token is applied, and the baseline process begins. QRadar Network Threat Analytics does not have to remain open during the baseline process.
Each time that you submit a configuration change, the baseline status briefly changes to Retrieving status. This message appears even when the change does not affect the baseline.
What to do next
Findings do not appear on the home page until the baseline process is complete. During this time, you can use the product interface to explore flows. After the first baseline is complete, you can explore findings and new flows that are scored against the baseline, even when the network baseline is updating.
If necessary, you can safely uninstall the app while the baseline process is in progress. The network baseline is not preserved, and the process starts over again when you reinstall the app.