IBM® QRadar® Network Threat Analytics generates events based on findings in your network traffic. Using these events, you can write rules and create searches and reports on the anomalous activity that is detected by the application.
Use this workflow to learn how you can use IBM QRadar Analyst Workflow to investigate QRadar Network Threat Analytics events and the offenses that were created from them.

This workflow is an example only and is intended to highlight particular information that you might find helpful throughout the investigation. Your method of investigating events and offenses in your own network might differ from what is shown here. This workflow does not provide step-by-step instructions for how to use QRadar Analyst Workflow. For more information about using the QRadar Analyst Workflow app, see QRadar Analyst Workflow in the IBM QRadar User Guide.
Attention: The images that are shown in this workflow were captured with an earlier version of QRadar Network Threat Analytics. Although the interface might be different, the workflow is still valid.
Procedure
- In IBM QRadar Analyst Workflow, start by searching for events that were created by IBM QRadar Network Threat Analytics.
  The following list describes the annotations on the preceding image.
  - Use a filter condition to find events where the log source type is IBM QRadar Network Threat Analytics.
  - Set the timeframe for the search and click Run search.
  - In the Event Name column, view the events that were created by QRadar Network Threat Analytics. The query results might include Network Anomaly Observed, Network Anomaly Detected, or Network Anomaly Updated events.
- Review the information in the event table to decide which QRadar Network Threat Analytics events to investigate further.
  The following list describes the annotations on the preceding image.
  - Use the Source IP and Destination IP columns to identify which devices exchanged information.
  - The Threat Score column represents the significance of the finding. The score is calculated from the outlier score of each flow record that contributed to the event.
  - The NTA Flow Count column shows the number of flows that contribute to the finding. Higher numbers might indicate a higher threat level.
  - The NTA Flow Direction column shows the direction of the communication, where L indicates the local network and R indicates a remote network.
  - The Technique column shows the ATT&CK techniques that are suspected in the finding.
- Using the information about the events, you can write rules that create offenses when specific conditions are met.
- You can also use QRadar Analyst Workflow to view information about offenses that were created from QRadar Network Threat Analytics events.
  - On the Offense window, under Insights, you can see which rule triggered to create the offense. Click the rule name to view more information about the rule tests and learn why the offense was created.
  The following list describes the annotations on the preceding image.
  - The Tests section shows the conditions that were tested against the event.
  - The Actions section shows the rule actions that were taken when the conditions were met.
- Review the rest of the information about the offense.
  The following list describes the annotations on the preceding image.
  - Offense Type shows that the offense was created based on a finding.
  - Start shows the time when the network anomaly was first observed and the finding was created.
  - Duration shows the length of time since the finding was first observed.
  - The Recent Events graph shows the events that occurred within the timeframe. You can use the scrubber bar to zoom in on specific times and event spikes. In this example, you can see that events were created near midnight on June 4-6. Patterns of behavior over time might indicate traffic that warrants further investigation.
  - Offense Source shows the Finding ID. The Finding ID is the same unique identifier that is used in both QRadar Network Threat Analytics and QRadar Analyst Workflow.
- In QRadar Network Threat Analytics, use the Finding ID to continue the investigation.
  The following list describes the annotations on the preceding image.
  - On the home page, set the time frame to match the time frame that was used for the Recent Events graph in QRadar Analyst Workflow.
  - Use the Finding ID to locate the finding that you want to investigate further.
    New in 1.2.0: To view findings that no longer appear in the Findings table, click Load finding by id and type the Finding ID.
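The event-table columns described in the review step and the rule-writing step, carried into a small triage script as an added example (this is not IBM code and not a QRadar API): it applies rule-style thresholds to exported NTA event rows and groups them by Finding ID for the pivot into QRadar Network Threat Analytics. The rows are constructed, and the L2R/R2L/L2L codes are an assumption about how the NTA Flow Direction column is encoded.

```python
from collections import defaultdict

# Constructed sample rows (not real QRadar output), using the column names of
# the Analyst Workflow event table. Direction codes are assumed: "L2R" means
# local-to-remote, "R2L" remote-to-local, "L2L" stays inside the local network.
EVENTS = [
    {"Event Name": "Network Anomaly Observed", "Finding ID": "f-101",
     "Source IP": "10.0.1.15", "Destination IP": "203.0.113.7", "Threat Score": 55,
     "NTA Flow Count": 12, "NTA Flow Direction": "L2R", "Technique": "T1048"},
    {"Event Name": "Network Anomaly Detected", "Finding ID": "f-101",
     "Source IP": "10.0.1.15", "Destination IP": "203.0.113.7", "Threat Score": 82,
     "NTA Flow Count": 140, "NTA Flow Direction": "L2R", "Technique": "T1048"},
    {"Event Name": "Network Anomaly Detected", "Finding ID": "f-102",
     "Source IP": "10.0.2.40", "Destination IP": "10.0.2.41", "Threat Score": 90,
     "NTA Flow Count": 300, "NTA Flow Direction": "L2L", "Technique": ""},
    {"Event Name": "Network Anomaly Updated", "Finding ID": "f-103",
     "Source IP": "198.51.100.9", "Destination IP": "10.0.3.2", "Threat Score": 71,
     "NTA Flow Count": 60, "NTA Flow Direction": "R2L", "Technique": "T1046"},
]

def rule_matches(event, min_score=70, min_flows=50, directions=("L2R", "R2L")):
    """Rule-style test: the event is offense-worthy when Threat Score and
    NTA Flow Count reach the thresholds, the flows cross the local/remote
    boundary, and a suspected ATT&CK technique is attached."""
    return (event["Threat Score"] >= min_score
            and event["NTA Flow Count"] >= min_flows
            and event["NTA Flow Direction"] in directions
            and bool(event["Technique"]))

def triage(events, **thresholds):
    """Return the events that match the rule, highest Threat Score first."""
    hits = [e for e in events if rule_matches(e, **thresholds)]
    return sorted(hits, key=lambda e: e["Threat Score"], reverse=True)

def findings(events):
    """Group events by Finding ID (the identifier shared with NTA): peak
    Threat Score plus the Observed/Detected/Updated lifecycle seen so far."""
    by_id = defaultdict(lambda: {"max_score": 0, "events": []})
    for e in events:
        entry = by_id[e["Finding ID"]]
        entry["max_score"] = max(entry["max_score"], e["Threat Score"])
        entry["events"].append(e["Event Name"])
    return dict(by_id)

if __name__ == "__main__":
    for e in triage(EVENTS):
        print(e["Finding ID"], e["Threat Score"], e["Source IP"], "->", e["Destination IP"])
```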