Investigating QRadar Network Threat Analytics events

IBM® QRadar® Network Threat Analytics generates events based on findings in your network traffic. Using these events, you can write rules and create searches and reports on the anomalous activity that is detected by the application.

Use this workflow to learn how you can use IBM QRadar Analyst Workflow to investigate QRadar Network Threat Analytics events and the offenses that were created from them.

This workflow is an example only and is intended to highlight particular information that you might find helpful throughout the investigation. Your method of investigating events and offenses in your own network might differ from what is shown here. This workflow does not provide step-by-step instructions for how to use QRadar Analyst Workflow. For more information about using the QRadar Analyst Workflow app, see QRadar Analyst Workflow in the IBM QRadar User Guide.

Attention: The images that are shown in this workflow were captured with an earlier version of QRadar Network Threat Analytics. Although the interface might be different, the workflow is still valid.

Procedure

  1. In IBM QRadar Analyst Workflow, start by searching for events that were created by IBM QRadar Network Threat Analytics.

    Using QRadar Analyst Workflow to find events that are created by QRadar Network Threat Analytics

    The following list describes the annotations on the preceding image.

    1. Use a filter condition to find events where the log source type is IBM QRadar Network Threat Analytics.
    2. Set the timeframe for the search and click Run search.
    3. In the Event Name column, view the events that were created by QRadar Network Threat Analytics.
      The query results might include Network Anomaly Observed, Network Anomaly Detected, or Network Anomaly Updated events.
  2. Review the information in the event table to decide which QRadar Network Threat Analytics events to investigate further.

    A table in QRadar Analyst Workflow shows more information about the QRadar Network Threat Analytics events.

    The following list describes the annotations on the preceding image.

    1. Use the Source IP and Destination IP columns to identify which devices exchanged information.
    2. The Threat Score represents the significance of the finding. The score is calculated based on the outlier score of each flow record that contributed to the event.
    3. The NTA Flow Count column shows the number of flows that contribute to the finding. Higher numbers might indicate a higher threat level.
    4. The NTA Flow Direction shows the direction of the communication, where L indicates the local network and R indicates a remote network.
    5. The Technique column shows ATT&CK techniques that are suspected in the finding.
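The triage described in this step is a ranking over the event table columns named above (Threat Score, NTA Flow Count, NTA Flow Direction, Technique, Source and Destination IP). The following script is an added example, not part of this documentation or of QRadar; it groups constructed sample rows by Finding ID, rolls up the columns an analyst would weigh, and orders findings for investigation. The dictionary keys, the sample values, and the `L2R`/`R2L`/`L2L` encoding of the flow direction are assumptions made for the example and are not QRadar property names.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows shaped like the QRadar Analyst Workflow event table.
# Key names and the direction encoding ("L2R" = local to remote, etc.) are
# assumptions for this example, not QRadar property names.
SAMPLE_EVENTS = [
    {"event_name": "Network Anomaly Observed", "finding_id": "F-1001",
     "source_ip": "10.0.0.5", "destination_ip": "203.0.113.10",
     "threat_score": 42, "nta_flow_count": 12, "nta_flow_direction": "L2R",
     "technique": "T1041", "start_time": "2024-06-04T23:58:00"},
    {"event_name": "Network Anomaly Updated", "finding_id": "F-1001",
     "source_ip": "10.0.0.5", "destination_ip": "203.0.113.10",
     "threat_score": 65, "nta_flow_count": 30, "nta_flow_direction": "L2R",
     "technique": "T1041", "start_time": "2024-06-05T00:03:00"},
    {"event_name": "Network Anomaly Detected", "finding_id": "F-1002",
     "source_ip": "198.51.100.7", "destination_ip": "10.0.0.22",
     "threat_score": 88, "nta_flow_count": 4, "nta_flow_direction": "R2L",
     "technique": "T1046", "start_time": "2024-06-05T23:59:00"},
    {"event_name": "Network Anomaly Observed", "finding_id": "F-1003",
     "source_ip": "10.0.0.8", "destination_ip": "10.0.0.9",
     "threat_score": 15, "nta_flow_count": 200, "nta_flow_direction": "L2L",
     "technique": "", "start_time": "2024-06-06T00:01:00"},
]


def summarize_findings(events):
    """Group event rows by Finding ID and roll up the triage-relevant columns.

    Observed/Detected/Updated events for one finding describe the same set of
    flows at different points in time, so the flow count is taken as a maximum
    rather than summed across rows.
    """
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["finding_id"]].append(ev)

    summaries = {}
    for fid, rows in grouped.items():
        times = sorted(datetime.fromisoformat(r["start_time"]) for r in rows)
        directions = sorted({r["nta_flow_direction"] for r in rows})
        summaries[fid] = {
            "max_threat_score": max(r["threat_score"] for r in rows),
            "max_flow_count": max(r["nta_flow_count"] for r in rows),
            "directions": directions,
            # Any direction containing "R" involves a remote network.
            "involves_remote": any("R" in d for d in directions),
            "techniques": sorted({r["technique"] for r in rows if r["technique"]}),
            "peers": sorted({(r["source_ip"], r["destination_ip"]) for r in rows}),
            "first_seen": times[0],
            "duration_minutes": int((times[-1] - times[0]).total_seconds() // 60),
            "event_count": len(rows),
        }
    return summaries


def rank_findings(events, min_threat_score=0):
    """Order findings for investigation.

    Highest threat score first, then highest flow count; findings that cross
    the local/remote boundary are placed ahead of purely local ones on ties.
    Findings below min_threat_score are dropped.
    """
    summaries = summarize_findings(events)
    ranked = [(fid, s) for fid, s in summaries.items()
              if s["max_threat_score"] >= min_threat_score]
    ranked.sort(key=lambda item: (-item[1]["max_threat_score"],
                                  -item[1]["max_flow_count"],
                                  0 if item[1]["involves_remote"] else 1,
                                  item[0]))
    return ranked


if __name__ == "__main__":
    for fid, s in rank_findings(SAMPLE_EVENTS, min_threat_score=10):
        print(f"{fid}: score={s['max_threat_score']} flows={s['max_flow_count']} "
              f"dirs={s['directions']} techniques={s['techniques']} "
              f"first_seen={s['first_seen']:%Y-%m-%d %H:%M} "
              f"duration={s['duration_minutes']}m events={s['event_count']}")
```

The `first_seen` and `duration_minutes` values correspond to the Start and Duration fields shown on the offense later in this workflow, and the Finding ID key is the identifier used to continue the investigation in QRadar Network Threat Analytics. Exporting real event rows and feeding them to `rank_findings` with a `min_threat_score` threshold gives a repeatable starting order for the manual review in the next steps.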
  3. Using the information about the events, you can write rules that create offenses when specific conditions are met.

    For more information about writing rules, see Custom rules in IBM QRadar in the IBM QRadar User Guide.

  4. You can also use QRadar Analyst Workflow to view information about offenses that were created from QRadar Network Threat Analytics events.

    Using QRadar Analyst Workflow to view information about an offense.
    1. On the Offense window, under Insights, you can see which rule triggered to create the offense.
      Click the rule name to view more information about the rule tests and learn why the offense was created.

    Information about the rule tests that triggered an offense is presented in QRadar Analyst Workflow.

    The following list describes the annotations on the preceding image.

    1. The Tests section shows the conditions that were tested against the event.
    2. The Actions section shows the rule actions that were taken when the conditions were met.
  5. Review the rest of the information about the offense.

    Using QRadar Analyst Workflow to view more information about an offense.

    The following list describes the annotations on the preceding image.

    1. Offense Type shows that the offense was created based on a finding.
    2. Start shows the time when the network anomaly was first observed and the finding was created.
    3. Duration shows the length of time since the finding was first observed.
    4. The Recent Events graph shows the events that occurred within the timeframe. You can use the scrubber bar to zoom in on specific times and event spikes.

      In this example, you can see that events were created near midnight on June 4-6. Patterns of behavior over time might indicate traffic that warrants further investigation.

    5. Offense Source shows the Finding ID.
      The Finding ID is the same unique identifier that is used in both QRadar Network Threat Analytics and QRadar Analyst Workflow.
  6. In QRadar Network Threat Analytics, use the Finding ID to continue the investigation.

    The following list describes the annotations on the preceding image.

    1. On the home page, set the time frame to match the time frame that was used for the Recent events graph in QRadar Analyst Workflow.
    2. Use the Finding ID to locate the finding that you want to investigate further.

      New in 1.2.0: To view findings that no longer appear in the Findings table, click Load finding by id and type the Finding ID.