Threat hunting in QRadar Network Threat Analytics

Use this workflow to learn how you can use IBM® QRadar® Network Threat Analytics to analyze anomalous traffic in your network. This threat-hunting workflow examines a data transfer from an application that is rarely seen on the network to assess whether further investigation is warranted.

This workflow is an example only and is intended to highlight particular information and processes that you might find helpful. Your method of investigating network traffic in your own environment might differ from what is shown here.

Attention: The images shown in this workflow were captured with an earlier version of QRadar Network Threat Analytics. Although the interface might be different, the workflow is still valid.

Procedure

  1. Looking at the dashboard, you can see the most and least common applications and the countries that have the highest and lowest traffic volumes.

    The following list describes the annotations on the preceding image.

    1. In this example, the least common application is Misc.MITMLDevice.
    2. Click View network data to look at the flow records that were analyzed.
  2. On the Network data page, you can see that some flow records have an outlier score of 100. Open the Flow record analytics page to learn more.

    The following list describes the annotations on the preceding image.

    1. The Outlier score is derived from the baseline occurrence and the amount that this traffic deviates from the baseline.
    2. Flow records that were never before seen in the baseline automatically receive an outlier score of 100.
    3. You can see the flow attribute that did not match the baseline traffic. In this example, it was the destination network.
    4. In the Connection overview widget, you can also see that the traffic is a local-to-local TLS communication.
    This TLS traffic that is suddenly going to one of your servers might be something that you want to investigate later. But right now, let's continue to focus on the network traffic.
  3. The Network data page has a number of filtering options to help you narrow the scope of flow records that you want to review.

    The following list describes the annotations on the preceding image.

    1. Click the Filter list to view the flow attributes that you can use for filtering.
    2. Expand the Is baselined traffic attribute and select True.
      This filter removes all of the flows that have an outlier score of 100. The Flow records table now shows only those flows that were previously observed in the baseline.
  4. Continue to apply more filter criteria to suit the use case that you want to investigate.

    The following list describes the annotations on the preceding image.

    1. Quick filters are pre-set filter sets that apply to common use cases. Review the filter descriptions to learn about the criteria for each one.
      In this example, the Least common applications filter is the most applicable to the use case.
    2. Click the arrow to apply the search and overwrite the existing filter selections. Or, you can merge the quick filter criteria to add the new filters to the existing selections.
      In this example, the quick filter is merged with the existing criteria.
  5. The filter criteria are applied to the flow records.

    The following list describes the annotations on the preceding image.

    1. The Filtered by section shows the filter criteria that are applied.
    2. With fewer flow records, it is easier to see that there are three flow records for the Misc.MITMLDevice application.
      Open the Flow record analytics page to take a closer look at one of those records.
  6. The Flow record analytics page provides detailed information about the flow record.

    The following list describes the annotations on the preceding images.

    1. At 18 out of 100, the outlier score is low, indicating that the traffic deviates only slightly from the normal baseline traffic.
    2. The baseline occurrence is rare, which indicates that the app does not expect to see this type of flow often.
    3. The Flow properties table shows the value for the flow attributes and compares it to the attribute values that are commonly found in the network baseline.
      In this example, you can see that the application ID (34208) is one of the baseline values. So, in this case, even though the traffic is rare, it is within the range of what is expected according to the baseline traffic. This correlation might be an indicator that the flow is benign.
  7. You have a couple of ways that you can investigate this flow record further.

    1. You can open the flow in IBM QRadar Analyst Workflow or Network Analytics, depending on what you have installed in your environment.
      Alternatively, you can stay within the QRadar Network Threat Analytics app and pivot on the IP address, flow ID, source network, or destination network.

      You can continue to look at the flow record from various angles until you are satisfied that it does not represent a threat to your environment.
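The following Python model is an added illustration of the triage logic walked through in steps 2 to 6 (outlier score, the Is baselined traffic filter, the Least common applications quick filter, and merging versus overwriting filter criteria). It is not QRadar Network Threat Analytics code: the scoring rule, the RARE_SHARE threshold, the network names, the flow IDs and the baseline counts are all constructed assumptions. Only the Misc.MITMLDevice application name and the rule that a never-before-seen flow receives a score of 100 come from the page.

```python
"""Toy model of the triage in the workflow above: outlier scoring of flow
records against a learned baseline, the "Is baselined traffic" filter, the
"Least common applications" quick filter, and merge-versus-overwrite of
filter criteria.  Added illustration only: the scoring rule, network names
and counts are assumptions, not QRadar Network Threat Analytics internals."""
from collections import Counter
from dataclasses import dataclass

ATTRIBUTES = ("application", "source_network", "destination_network")
RARE_SHARE = 0.01  # assumed: a value seen in under 1% of baseline flows is "rare"


@dataclass(frozen=True)
class Flow:
    flow_id: int
    application: str
    source_network: str
    destination_network: str


def combo(flow):
    """The attribute tuple the baseline is keyed on."""
    return tuple(getattr(flow, a) for a in ATTRIBUTES)


# Constructed baseline: attribute combination -> times seen while learning.
BASELINE = Counter({
    ("Web.HTTPS", "net_users", "external"): 900,
    ("Web.HTTPS", "net_users", "net_servers"): 60,
    ("DNS", "net_users", "net_servers"): 37,
    ("Misc.MITMLDevice", "net_users", "net_servers"): 3,
})

# Constructed flow records under review ("net_printers" was never baselined).
FLOWS = [
    Flow(1, "Web.HTTPS", "net_users", "external"),
    Flow(2, "Web.HTTPS", "net_users", "net_printers"),
    Flow(3, "Misc.MITMLDevice", "net_users", "net_servers"),
    Flow(4, "Misc.MITMLDevice", "net_users", "net_servers"),
    Flow(5, "Misc.MITMLDevice", "net_users", "net_servers"),
    Flow(6, "DNS", "net_users", "net_servers"),
    Flow(7, "Web.HTTPS", "net_users", "net_servers"),
    Flow(8, "DNS", "net_users", "net_printers"),
]


def attribute_counts(baseline):
    """Per-attribute value counts, summed over all baseline combinations."""
    counts = {a: Counter() for a in ATTRIBUTES}
    for values, n in baseline.items():
        for attr, value in zip(ATTRIBUTES, values):
            counts[attr][value] += n
    return counts


def compare_to_baseline(flow, baseline):
    """Flow properties view: attribute -> (value, seen in baseline, share)."""
    total = sum(baseline.values())
    counts = attribute_counts(baseline)
    result = {}
    for attr in ATTRIBUTES:
        value = getattr(flow, attr)
        n = counts[attr][value]
        result[attr] = (value, n > 0, n / total)
    return result


def unmatched_attributes(flow, baseline):
    """Attributes whose value never appeared in the baseline."""
    return [a for a, (_, seen, _) in compare_to_baseline(flow, baseline).items() if not seen]


def is_baselined(flow, baseline):
    return baseline[combo(flow)] > 0


def outlier_score(flow, baseline):
    """100 for a never-before-seen combination; otherwise an assumed rule that
    grows with the fraction of rare attribute values and shrinks with how
    often the exact combination occurred in the baseline."""
    if not is_baselined(flow, baseline):
        return 100
    props = compare_to_baseline(flow, baseline)
    rare = sum(1 for _, _, share in props.values() if share < RARE_SHARE)
    occurrence = baseline[combo(flow)] / sum(baseline.values())
    return round(100 * (rare / len(ATTRIBUTES)) * (1 - occurrence))


def apply_filters(flows, baseline, criteria):
    """criteria maps "is_baselined" to a bool and attributes to allowed values."""
    kept = []
    for flow in flows:
        if "is_baselined" in criteria and is_baselined(flow, baseline) != criteria["is_baselined"]:
            continue
        if any(getattr(flow, a) not in allowed for a, allowed in criteria.items() if a != "is_baselined"):
            continue
        kept.append(flow)
    return kept


def least_common_applications(baseline, n=2):
    """Quick filter: the n applications with the lowest baseline volume."""
    counts = attribute_counts(baseline)["application"]
    return {"application": set(sorted(counts, key=counts.get)[:n])}


def merge_filters(existing, quick):
    """Merge keeps the existing criteria; overwriting would use `quick` alone."""
    return {**existing, **quick}


if __name__ == "__main__":
    for flow in FLOWS:
        print(flow.flow_id, outlier_score(flow, BASELINE), unmatched_attributes(flow, BASELINE))
    merged = merge_filters({"is_baselined": True}, least_common_applications(BASELINE))
    print([f.flow_id for f in apply_filters(FLOWS, BASELINE, merged)])
```

Running it reproduces the shape of the walkthrough: flows to the never-baselined net_printers network score 100 with destination_network reported as the unmatched attribute, the Is baselined traffic filter drops them, and merging the quick filter on top narrows the view to the three Misc.MITMLDevice records plus the DNS flow, whereas overwriting with the quick filter alone would let the unbaselined DNS flow back in.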