QRadar Network Insights

IBM® QRadar® Network Insights 7.4.2 introduces stacking support for the new QRadar Network Insights 1940 appliance, as well as improvements to flow direction, content flows, and entity alerts.

QRadar Network Insights 1940 appliance stacking

You can stack the new QRadar Network Insights 1940 appliances (appliance type 6600) to scale performance by balancing the network packet data load across multiple appliances. By distributing the data processing and analysis, stacked appliances can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels.

In a stacked configuration, the QRadar Network Insights 1940 appliances provide one port for incoming traffic and one port for outgoing traffic. Each appliance stack must include the same type of appliance. For example, you can't have one appliance stack that includes both QRadar Network Insights 1920 and 1940 appliances.

Content flows are more easily identified

In earlier versions of IBM QRadar, content flows that were received from IBM QRadar Network Insights were identified as a Standard flow whose byte and packet counters were both 0.

QRadar 7.4.2 makes it easier to identify content flows that are received from QRadar Network Insights:
  • In the Flow Information window, the Flow Type field shows Standard Flow (Content Flow).
  • On the Network Activity tab, the tooltip for the Flow Type icon shows Standard Flow (Content Flow).

The new Standard Flow (Content Flow) annotation is for display purposes only. You can't use this information in queries and filters.

New TCP flow direction algorithms

IBM QRadar Network Insights now includes two new flow direction algorithms that are used when a TCP handshake is observed.

The new algorithms appear in the Flow Direction Algorithm field in the Flow Information window, and provide a clear indication of whether the flow direction was flipped.
  • QNI TCP Handshake Observed (reversed) (7)
  • QNI TCP Handshake Observed (unaltered) (8)

Previously, the flow direction was determined exclusively by the QFlow process, based on common destination ports or other flow information, which could result in the flow direction being incorrectly flipped.

Now, when QRadar Network Insights observes a TCP handshake, the QFlow process relies on the information from QRadar Network Insights to determine the flow direction. All other flows rely on the algorithms that are used by the QFlow process.

Easily determine the direction of a content flow

When you drill down on a content flow, the Flow Information window now includes a Content Flow Direction field. The direction of the content flow is indicated by one of the following annotations:
  • Unknown (0)
  • Default Direction (1)
  • Source to Destination (2)
  • Destination to Source (3)

You can use this information to help you interpret the attributes within the content flow. For example, the direction of the content flow can help you determine whether files were exfiltrated or brought into the organization.
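The following Python model is an added illustration, not QRadar or QRadar Network Insights code, of the behaviour described under the two headings above: it prefers an observed TCP handshake over a port heuristic when choosing the flow direction, tags the result with the (reversed) 7 and (unaltered) 8 annotation numbers listed above, and then uses a Content Flow Direction code to say whether a content flow moved data out of or into the local network. The well-known port list, the 10.0.0.0/8 internal range, the PORT_HEURISTIC marker value, the endpoint names and the sample packets are constructed assumptions; Default Direction (1) is left undetermined because the page does not say what it resolves to.

```python
"""Added illustration (not QRadar code): choose a flow direction from an observed
TCP handshake, fall back to a port heuristic otherwise, then use the Content Flow
Direction code to say which way content moved relative to the local network."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flow Direction Algorithm annotations as listed in the release notes.
QNI_TCP_HANDSHAKE_REVERSED = 7    # QNI TCP Handshake Observed (reversed)
QNI_TCP_HANDSHAKE_UNALTERED = 8   # QNI TCP Handshake Observed (unaltered)
PORT_HEURISTIC = -1               # assumed marker for the fallback; not a QRadar value

# Content Flow Direction annotations as listed in the release notes.
CONTENT_UNKNOWN, CONTENT_DEFAULT, CONTENT_SRC_TO_DST, CONTENT_DST_TO_SRC = 0, 1, 2, 3

# Constructed "common destination ports" for the fallback heuristic.
COMMON_SERVER_PORTS = {22, 25, 53, 80, 443, 445, 3389}
# Constructed local address space for the outbound/inbound check.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Flow:
    """A flow as first recorded by the collector, before any direction fix."""
    src: Endpoint
    dst: Endpoint


@dataclass(frozen=True)
class Direction:
    src: Endpoint      # client side after the decision
    dst: Endpoint      # server side after the decision
    algorithm: int
    flipped: bool      # True when the recorded src/dst were swapped


def observe_handshake(packets: List[Packet]) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Return (client, server) when a SYN is followed by a matching SYN-ACK."""
    for i, p in enumerate(packets):
        if p.syn and not p.ack:
            for q in packets[i + 1:]:
                if q.syn and q.ack and q.src == p.dst and q.dst == p.src:
                    return p.src, p.dst
    return None


def port_heuristic(flow: Flow) -> Direction:
    """Fallback: guess the server from well-known ports; wrong on non-standard ports."""
    if flow.dst.port in COMMON_SERVER_PORTS:
        return Direction(flow.src, flow.dst, PORT_HEURISTIC, False)
    if flow.src.port in COMMON_SERVER_PORTS:
        return Direction(flow.dst, flow.src, PORT_HEURISTIC, True)
    return Direction(flow.src, flow.dst, PORT_HEURISTIC, False)


def determine_direction(flow: Flow, packets: List[Packet]) -> Direction:
    """Trust an observed handshake over the port heuristic."""
    handshake = observe_handshake(packets)
    if handshake is None:
        return port_heuristic(flow)
    client, server = handshake
    if (client, server) == (flow.src, flow.dst):
        return Direction(client, server, QNI_TCP_HANDSHAKE_UNALTERED, False)
    return Direction(client, server, QNI_TCP_HANDSHAKE_REVERSED, True)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_transfer(direction: Direction, content_direction: int) -> str:
    """Say whether content left or entered the local network. Codes 0 and 1 stay
    undetermined because the page does not say what Default Direction resolves to."""
    if content_direction == CONTENT_SRC_TO_DST:
        sender, receiver = direction.src, direction.dst
    elif content_direction == CONTENT_DST_TO_SRC:
        sender, receiver = direction.dst, direction.src
    else:
        return "undetermined"
    if is_internal(sender.ip) and not is_internal(receiver.ip):
        return "outbound"   # candidate exfiltration, worth a closer look
    if not is_internal(sender.ip) and is_internal(receiver.ip):
        return "inbound"
    return "internal" if is_internal(sender.ip) else "external"


# Constructed sample: 10.0.0.5 connects to a service on 192.0.2.10:8443 and uploads a file.
CLIENT = Endpoint("10.0.0.5", 51000)
SERVER = Endpoint("192.0.2.10", 8443)
HANDSHAKE = [Packet(CLIENT, SERVER, True, False),
             Packet(SERVER, CLIENT, True, True),
             Packet(CLIENT, SERVER, False, True)]


def demo() -> Tuple[Direction, Direction, str]:
    # Record keyed server-first: the handshake reverses it (algorithm 7).
    reversed_rec = determine_direction(Flow(SERVER, CLIENT), HANDSHAKE)
    # No handshake captured and no well-known port: the heuristic keeps the
    # server-first record, so the direction stays wrong.
    fallback = determine_direction(Flow(SERVER, CLIENT), [])
    # The file body travelled client -> server: Source to Destination (2) after the fix.
    verdict = classify_transfer(reversed_rec, CONTENT_SRC_TO_DST)
    return reversed_rec, fallback, verdict


if __name__ == "__main__":
    rec, fb, verdict = demo()
    print(rec.algorithm, rec.flipped, fb.algorithm, fb.flipped, verdict)
```

The third case in demo() is the one the release notes are about: with no handshake and a service on a non-standard port, the port heuristic has nothing to go on and leaves the server as the flow source, so the same content flow would be read as inbound rather than outbound.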

More descriptive entity alerts

An entity alert indicates that IBM QRadar Network Insights found suspicious content, such as credit card numbers, social security numbers, IP addresses, and email addresses, in a network flow.

Previously, the entity alert didn't provide visibility into the type of suspect content that caused the alert. Now, the entity alert includes more information about the type of suspicious content that was found so that you can triage each type of entity alert separately.

The following entity alerts are new in QRadar Network Insights 7.4.2:
  • entity alert - IP address
  • entity alert - MAC address
  • entity alert - Phone number
  • entity alert - Credit Card Number
  • entity alert - Email Address
  • entity alert - Social Security Number
  • entity alert - UK NINO
  • entity alert - UK postal code
  • entity alert - Zip Code

You can view the entity alerts in the Suspect Content Descriptions field in the Flow Information window.
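As an added illustration of why per-type alerts help triage, the following Python scanner (not QRadar Network Insights' detector, whose patterns and tuning the page does not describe) classifies matches in a payload under the alert names listed above and applies a Luhn check so that an arbitrary 16-digit number is not reported as a card number. The regular expressions, the four-type subset and the sample payload are constructed assumptions.

```python
"""Added illustration (not the product's detector): a minimal content scanner that
reports per-type entity alerts named as in the release notes, so each type can be
triaged separately. Patterns are deliberately simple."""
import re
from typing import Dict, List

# Alert names as listed in the release notes (subset).
ALERT_IP = "entity alert - IP address"
ALERT_EMAIL = "entity alert - Email Address"
ALERT_CC = "entity alert - Credit Card Number"
ALERT_SSN = "entity alert - Social Security Number"

# Simplified, constructed patterns for the illustration.
PATTERNS = {
    ALERT_IP: re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ALERT_EMAIL: re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    ALERT_CC: re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    ALERT_SSN: re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ipv4(text: str) -> bool:
    """Each dotted octet must be 0-255; the regex alone accepts 999.1.1.1."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def scan_content(payload: str) -> Dict[str, List[str]]:
    """Return matched values grouped by entity alert name."""
    hits: Dict[str, List[str]] = {}
    for alert, pattern in PATTERNS.items():
        for match in pattern.finditer(payload):
            value = match.group(0).strip()
            if alert == ALERT_CC:
                value = re.sub(r"[ -]", "", value)   # normalise before the checksum
                if not luhn_ok(value):
                    continue
            if alert == ALERT_IP and not valid_ipv4(value):
                continue
            hits.setdefault(alert, []).append(value)
    return hits


def suspect_content_descriptions(payload: str) -> List[str]:
    """The alert names a flow would carry, one per type found (sorted for stable display)."""
    return sorted(scan_content(payload))


# Constructed sample payload: one Luhn-valid test card number, one 16-digit
# invoice number that is not a card, and one out-of-range dotted quad.
SAMPLE_PAYLOAD = (
    "Invoice 1234567890123456 for alice@example.com, card 4111 1111 1111 1111, "
    "SSN 123-45-6789, host 192.0.2.10, placeholder 999.1.1.1"
)

if __name__ == "__main__":
    for alert, values in scan_content(SAMPLE_PAYLOAD).items():
        print(alert, values)
```

Because each type is reported under its own name, an analyst can route card-number hits to one queue and email-address hits to another instead of treating every "suspicious content" flow the same way.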
