New features

The following features are new in IBM® QRadar® Network Threat Analytics.

Security updates

New in 1.3.1

The QRadar Network Threat Analytics 1.3.1 version includes security updates.

New user interface for home page

New in 1.3.0

The Dashboard and Network View pages are combined into a single home page with four tabs.

The main tab with assorted widgets that show a mix of flow and finding information. Use the overview for general insight into what is happening on your network.
The tab that shows findings in a timeline chart and a table. Use the filters that are available to help you search through findings. You can click a finding in the timeline or table to go to a Finding page for more information about that finding.
Geographic view
Formerly known as the map view, this tab has the same display and functions as before, including the ability to click a line or country and drill into the flow records. When you click a line or country, you open the record in the Table view tab.
Table view
The same table view that previously existed on the Network View page. It has all the same display and functions as before. Clicking a flow record in the table takes you to the Flow Record page that includes more information on that flow record.

Findings filtering

New in 1.3.0

Now, you can filter findings just as you could filter on the Geographic view and Table view. Quickly locate findings of interest by using Filter attributes on the Findings tab. The Findings tab has finding-specific filters that do not apply on the Geographic view and Table view tabs.

For example, you can exclude trusted hosts from the findings list, or you can choose focus areas like specific apps or MITRE ATT&CK techniques.

Minimum score filter

New in 1.3.0

The Minimum score filter uses the score value to filter flows and findings. Choose the minimum score that you want to show up by using the filter. The filter persists across all tabs. For example, if you set the filter on the Findings tab, the filter is applied even when you switch to the Geographic view or Table view tabs.

Map view

New in 1.2.0

Now, you can view network traffic as an overlay on a global map view. On the Dashboard, the map view shows traffic volume by country or region. On the Network data page, you can view more granular data about network traffic to or from a specific map location.

The map view makes it easier to identify network traffic that originates or ends in countries or regions that you do not expect.

New information Learn more about using the map view...

Network baseline status information

New in 1.2.0

The QRadar Network Threat Analytics Configuration page now provides more information about the status of the network baseline.

The status information now includes messages that indicate when the system is preparing to create the baseline, the progress of the baseline creation, and when it is complete. The system also shows messages that indicate that the baseline cannot be created or updated.

Note: The terminology that is used to refer to the creation of the network baseline is changed in this release. Previous releases referred to the baseline creation process as the training phase.

New information Learn more about how QRadar Network Threat Analytics creates the network baseline...

Ability to update the network baseline

New in 1.2.0

Now you can restart the process to update the network baseline.

New information Learn more about restarting the baselining process...

View a finding based on the finding ID

New in 1.2.0

The Findings table shows findings that are updated within the time period that is specified on the dashboard. In previous releases of QRadar Network Threat Analytics, you could not review findings after they were removed from the Findings table. Now, if you have the finding ID, you can open the Findings detail page for a specific finding.

New information Learn more about reviewing findings on the dashboard...

More flow data on the Finding Detail window

New in 1.2.0

On the Finding detail page, the Network data table shows all flows that contribute to a finding. In previous versions, only the top 20 flows with the highest score were shown.

New information Learn more about reviewing findings on the dashboard...

Updated app signing certificates

Changed in 1.1.1

In QRadar Network Threat Analytics 1.1.1, the app signing certificates were updated for use with IBM QRadar 7.5.0 Update Package 3 or later.

Tier 2 analytics

New in 1.1.0

In QRadar Network Threat Analytics 1.0.0, the network traffic that is monitored by QRadar is parsed by using Tier 1 algorithms that compare the incoming network traffic against the network baseline that is created by the app. Using the real-time baseline comparisons, the app measures how much the flow records deviate or comply with the normal traffic patterns that are observed on your network. Each flow is scored based on how much it deviates from the baseline, making it easier for you to investigate the flows with the highest scores.

QRadar Network Threat Analytics 1.1.0 introduces Tier 2 analytics. Flows with the highest scores are subjected to advanced analytics and data aggregation, and the information is rolled up into a finding. A finding is an aggregation of similar communications on the network that deviate from the baseline traffic. On the app dashboard, the findings with the highest scores are presented in table format with the highest ranking scores shown first. This presentation makes it easier for you to focus your investigations on the most suspicious traffic that the app found in your network.

Event generation

New in 1.1.0

IBM QRadar Network Threat Analytics generates events based on findings so that you can write rules and create searches and reports based on anomalous flow traffic in your network.

The QRadar Network Threat Analytics app generates the following types of events:
  • Network Anomaly Observed
  • Network Anomaly Detected
  • Network Anomaly Update (continuing activity)
  • Network Anomaly Update (score change)
  • Network Anomaly Update (MITRE mapping)

Learn more about QRadar Network Threat Analytics events...

New product interface

New in 1.1.0

The QRadar Network Threat Analytics app is redesigned, making it easier to see the most suspicious traffic in your network.

Network communications that are found to deviate from the baseline traffic in a similar way are aggregated into a finding. With prominent visibility on the Dashboard page, findings make it easier than ever to prioritize your area of focus when you are investigating anomalous flow traffic.

The new product interface encourages top-down investigations so that you can drill down into deeper levels of information with each successive click. And the new advanced filtering options help you to quickly narrow the scope of the flows that you want to investigate.

Learn more about the new product interface by walking through some QRadar Network Threat Analytics workflows...