The following features are new in IBM® QRadar® Network Threat Analytics.
Map viewNew in 1.2.0
Now, you can view network traffic as an overlay on a global map view. On the Dashboard, the map view shows traffic volume by country or region. On the Network data page, you can view more granular data about network traffic to or from a specific map location.
The map view makes it easier to identify network traffic that originates or ends in countries or regions that you do not expect.
Network baseline status informationNew in 1.2.0
The QRadar Network Threat Analytics Configuration page now provides more information about the status of the network baseline.
The status information now includes messages that indicate when the system is preparing to create the baseline, the progress of the baseline creation, and when it is complete. The system also shows messages that indicate that the baseline cannot be created or updated.
Learn more about how QRadar Network Threat Analytics creates the network baseline...
Ability to update the network baselineNew in 1.2.0
Now you can restart the process to update the network baseline.
View a finding based on the finding IDNew in 1.2.0
The Findings table shows findings that are updated within the time period that is specified on the dashboard. In previous releases of QRadar Network Threat Analytics, you could not review findings after they were removed from the Findings table. Now, if you have the finding ID, you can open the Findings detail page for a specific finding.
More flow data on the Finding Detail windowNew in 1.2.0
On the Finding detail page, the Network data table shows all flows that contribute to a finding. In previous versions, only the top 20 flows with the highest score were shown.
Updated app signing certificatesChanged in 1.1.1
In QRadar Network Threat Analytics 1.1.1, the app signing certificates were updated for use with IBM QRadar 7.5.0 Update Package 3 or later.
Tier 2 analyticsNew in 1.1.0
In QRadar Network Threat Analytics 1.0.0, the network traffic that is monitored by QRadar is parsed by using Tier 1 algorithms that compare the incoming network traffic against the network baseline that is created by the app. Using the real-time baseline comparisons, the app measures how much the flow records deviate or comply with the normal traffic patterns that are observed on your network. Each flow is scored based on how much it deviates from the baseline, making it easier for you to investigate the flows with the highest scores.
QRadar Network Threat Analytics 1.1.0 introduces Tier 2 analytics. Flows with the highest scores are subjected to advanced analytics and data aggregation, and the information is rolled up into a finding. A finding is an aggregation of similar communications on the network that deviate from the baseline traffic. On the app dashboard, the findings with the highest scores are presented in table format with the highest ranking scores shown first. This presentation makes it easier for you to focus your investigations on the most suspicious traffic that the app found in your network.
Event generationNew in 1.1.0
IBM QRadar Network Threat Analytics generates events based on findings so that you can write rules and create searches and reports based on anomalous flow traffic in your network.
- Network Anomaly Observed
- Network Anomaly Detected
- Network Anomaly Update (continuing activity)
- Network Anomaly Update (score change)
- Network Anomaly Update (MITRE mapping)
New product interfaceNew in 1.1.0
The QRadar Network Threat Analytics app is redesigned, making it easier to see the most suspicious traffic in your network.
Network communications that are found to deviate from the baseline traffic in a similar way are aggregated into a finding. With prominent visibility on the Dashboard page, findings make it easier than ever to prioritize your area of focus when you are investigating anomalous flow traffic.
The new product interface encourages top-down investigations so that you can drill down into deeper levels of information with each successive click. And the new advanced filtering options help you to quickly narrow the scope of the flows that you want to investigate.
Learn more about the new product interface by walking through some QRadar Network Threat Analytics workflows...