Dashboard findings
In IBM® QRadar® Network Threat Analytics, flows with the highest scores are subjected to advanced analytics and data aggregation, and the information is rolled up into a finding. A finding is an aggregation of similar network communications that deviate from the baseline traffic.
If the IBM QRadar Network Threat Analytics dashboard does not show any findings, it might be because the authentication token does not have Admin permissions for the security profile and user role. Another possible reason for having no findings on the dashboard is that the baseline process is either incomplete or failed entirely. For more information, see QRadar Network Threat Analytics dashboard does not show any findings.
- Finding activity over time graph
  Shows the number of flow records that are associated with the finding. The records are plotted over the time frame that is specified on the dashboard.
- Findings table
  Shows the findings that were updated within the time frame that is specified on the dashboard.
The finding score indicates the relative baseline deviation of the finding, which is calculated from the outlier scores of the contributing flow records. Each finding has a score in the range of 0 - 100. By default, findings are sorted by score, with the highest scores at the top, so you can focus your investigations on the most suspicious traffic that the app found in your network.
New in 1.2.0: To review findings that are no longer shown in the Findings table, click Load finding by id. You must know the finding ID.
In the Findings table, click the arrow at the end of the row to open the Finding detail page. Here, you can see aggregate information about the network communications that contribute to the finding.

- Behavioral analytics score
  Indicates the relative baseline deviation of a finding. It is calculated based on the outlier scores of the contributing flows.
- Network widget
  Shows information about the network traffic within the finding. For more information about the direction of the network communication that was observed, see Flow direction.
- Analytics score by category
  Shows flow characteristics that are grouped into categories. The groups with the highest deviations extend to the outer perimeter of the graph.
Further down the Finding detail page, the Network data table shows the communications that were deemed of interest by QRadar Network Threat Analytics.

- Score
  Each network communication has a score that ranges from 0 to 100. The scores are aggregated to derive the Behavioral analytics score for the finding. A communication that has a score of 100 has never been observed in the network before.
- Deviating categories
  The deviating categories are ordered by magnitude. Communications that are part of the same finding are likely to share deviating categories. For more information about the attributes within each category, see Network baseline.
In the Network data table, click the Flow ID link to show the individual flow records in the communication.


Some flow records might show 0 bytes and 0 packets. These flows are content flows that contain information that is collected by QRadar Network Insights at deeper levels of analysis and metadata extraction. Content flows do not include payload samples. They are linked to the corresponding data flow by the Flow ID field.
For more information about QRadar Network Insights, see QRadar Network Insights overview.
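The following Python script is an added illustration of the relationships described on this page (findings built from scored communications, communications made up of flow records, and content flows tied to their data flow by Flow ID). It is not IBM code and does not use the QRadar API or export schema: the field names, the placeholder category labels, and the use of the maximum communication score as the finding's Behavioral analytics score are all assumptions made for the example, since the page states that the scores are aggregated but not how.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration of the dashboard concepts on this page. Field names and
# the score aggregation are assumptions, not a QRadar API or schema.


@dataclass
class FlowRecord:
    flow_id: str
    bytes: int
    packets: int

    def is_content_flow(self) -> bool:
        # Content flows from QRadar Network Insights show 0 bytes and 0 packets:
        # they carry extracted metadata, not payload samples.
        return self.bytes == 0 and self.packets == 0


@dataclass
class Communication:
    flow_id: str
    score: int                        # 0 - 100 for this network communication
    deviating_categories: List[str]   # ordered by magnitude, largest first
    records: List[FlowRecord]

    def never_observed_before(self) -> bool:
        # A score of 100 marks a communication never seen in the network before.
        return self.score == 100


@dataclass
class Finding:
    finding_id: str
    communications: List[Communication]

    def behavioral_analytics_score(self) -> int:
        # ASSUMPTION: the page says the finding score is derived from the
        # contributing communication scores but not how. The maximum is used
        # here purely for illustration; it is not the product's formula.
        return max((c.score for c in self.communications), default=0)

    def shared_deviating_categories(self) -> List[str]:
        # Categories that every communication in the finding deviates in, kept
        # in the order of the first communication (largest magnitude first).
        if not self.communications:
            return []
        common = set.intersection(*(set(c.deviating_categories) for c in self.communications))
        return [cat for cat in self.communications[0].deviating_categories if cat in common]


def link_flow_records(records: List[FlowRecord]) -> Dict[str, Dict[str, List[FlowRecord]]]:
    # Group records by Flow ID and split each group into the data flow(s) and
    # the content flow(s) that are linked to them by that same Flow ID.
    linked: Dict[str, Dict[str, List[FlowRecord]]] = {}
    for rec in records:
        bucket = linked.setdefault(rec.flow_id, {"data": [], "content": []})
        bucket["content" if rec.is_content_flow() else "data"].append(rec)
    return linked


def rank_findings(findings: List[Finding]) -> List[Finding]:
    # Default Findings table order: highest score first (ties broken by ID).
    return sorted(findings, key=lambda f: (-f.behavioral_analytics_score(), f.finding_id))


def load_finding_by_id(findings: List[Finding], finding_id: str) -> Optional[Finding]:
    # Counterpart of "Load finding by id": look a finding up once it has aged
    # out of the table; the analyst must already know the ID.
    return next((f for f in findings if f.finding_id == finding_id), None)


# Constructed sample data (not real traffic); category labels are placeholders.
SAMPLE_RECORDS = [
    FlowRecord("flow-1001", bytes=48213, packets=61),   # data flow
    FlowRecord("flow-1001", bytes=0, packets=0),        # content flow, same Flow ID
    FlowRecord("flow-1002", bytes=1200, packets=9),     # data flow without QNI metadata
    FlowRecord("flow-2001", bytes=530, packets=4),
]
_REC = link_flow_records(SAMPLE_RECORDS)

SAMPLE_FINDINGS = [
    Finding("F-3", [
        Communication("flow-2001", 40, ["category B", "category C"], _REC["flow-2001"]["data"]),
    ]),
    Finding("F-7", [
        Communication("flow-1001", 100, ["category A", "category B"],
                      _REC["flow-1001"]["data"] + _REC["flow-1001"]["content"]),
        Communication("flow-1002", 85, ["category B", "category A"], _REC["flow-1002"]["data"]),
    ]),
]

if __name__ == "__main__":
    for finding in rank_findings(SAMPLE_FINDINGS):
        print(finding.finding_id, finding.behavioral_analytics_score(),
              finding.shared_deviating_categories())
```

Running the script lists F-7 before F-3, as the Findings table would by default; the content record for flow-1001 is kept with its data flow rather than treated as a separate, empty communication, which is the trap an analyst hits when they filter on byte or packet counts and silently drop the QRadar Network Insights metadata.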