Drilling down into a QRadar Network Threat Analytics finding

IBM® QRadar® Network Threat Analytics creates a finding when it detects network communications that deviate from the baseline traffic that was observed on the network.

Use this workflow to learn how you can drill down into a finding that was raised by QRadar Network Threat Analytics. This top-down approach to investigating network traffic shows how the app collects the detailed information that you need to truly understand what is happening in your network.

This workflow is an example only and is intended to highlight particular information that you might find helpful while you are analyzing a finding. Your method of investigating findings in your own network might differ from what is shown here.


  1. The QRadar Network Threat Analytics dashboard provides high-level information about the traffic that is observed on the network within the specified time frame.

    The following list describes the annotations on the preceding image.

    1. The time frame specifies the traffic analysis period. It applies to all widgets on the dashboard.
    2. The first row shows some basic network analysis metrics. The Baseline coverage shows the percentage of your network traffic that can be mapped to the network baseline.

      In this example, 99% of network traffic is mapped to the baseline, which means that the remaining 1% of traffic was never before seen in the environment.

    3. These widgets show the most and least common applications and countries out of the network traffic that was observed within the specified timeframe.
    4. Move the mouse over different areas of the map to view traffic summary information about the traffic to and from that country or region.
  2. Review the Findings table to decide which finding to investigate.

    The following list describes the annotations on the preceding image.

    1. The finding with the highest score appears first in the list. In this example, the finding also has a MITRE ATT&CK technique that is associated with it so you might want to dig deeper into that one.
    2. Click the ID or the arrow at the end of the row to view detailed information about the finding.
    Note: If the Finding activity over time graph and the Findings table do not show any findings, see QRadar Network Threat Analytics dashboard does not show any findings to explore possible reasons why.
  3. The Finding detail page provides more information about the finding.

    The following list describes the annotations on the preceding image.

    1. The Behavioral analytics score represents the significance of a finding. It is calculated based on the outlier scores of the contributing flows.
    2. In this example, the finding includes a suspected MITRE ATT&CK technique. Click the technique name to learn more about it.
    3. In the Network widget, you can view information about the communication, including the flow direction.
    4. The Analytics score by category chart shows flow characteristics that are grouped into categories.
      Tip: Hover the mouse over the category name to see the highest deviating flow attribute within the group.

      For more information about the attributes within each category, see Network baseline.

      The groups with the highest deviations extend to the outer perimeter of the graph. In this example, you can see that the Protocol & application group has the highest deviation.

  4. The Network data table shows the network communications that are involved in the finding.

    The following list describes the annotations on the preceding image.

    1. Each communication has a score that ranges 0 - 100. The scores are aggregated to derive the Behavioral analytics score for the finding.
      Important: A network communication that has a score of 100 was never before observed in the network.
    2. For each communication, you can see the deviating categories, which are ordered by their magnitude.
    3. To learn more about a single communication, click the Flow ID link to view the list of flow records in the communication.
  5. To view detailed information about the flow record, in the Flow records table, click the arrow at the end of the row to open the Flow record analytics page.

    The following list describes the annotations on the preceding image.

    1. The Outlier score is calculated based on how much the flow record deviates from the baseline and how rare the flow record is.
    2. The Baseline occurrence describes how frequently the app saw this type of communication in the network when the network baseline was created.

      Possible values are Common, Rare, Very Rare, and First Seen.

      Hover your mouse over the baseline score to see the expected frequency for this type of flow. If the analytics score is high and the baseline occurrence not typical, you might decide that the flow requires further investigation.

    3. Click the Finding ID to open the Finding detail page to view information about the finding that the flow contributes to.
    4. Click the name of the Behavioral MITRE ATT&CK technique to view more information about it.
    5. The Score contributers table shows the flow characteristics that contributed to the flow's outlier score.
      Some flow attributes are weighted more heavily than others, and the bar length indicates the relative contribution of the attribute to the outlier score.
      • A green status bar indicates that the value for the attributes falls within the normal range when compared to the network baseline, but the attribute value contributed to the outlier score.

        Non-deviating attributes still contribute to the outlier score even though they fall within the normal range that is found in the network baseline.

      • A purple status bar indicates that the value deviates from what was expected.
  6. On the Flow record analytics page, scroll down to view the Flow record properties table.

    Use this table to see how the flow attributes compared to the baseline values.