QRadar Network Insights
IBM® QRadar® Network Insights 7.4.2 introduces stacking support for the new QRadar Network Insights 1940 appliance, as well as improvements to flow direction, content flows, and entity alerts.
QRadar Network Insights 1940 appliance stacking
You can stack the new QRadar Network Insights 1940 appliances (appliance type 6600) to scale performance by balancing the network packet data load across multiple appliances. By distributing the data processing and analysis, stacked appliances can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels.
In a stacked configuration, the QRadar Network Insights 1940 appliances provide one port for incoming traffic and one port for outgoing traffic. Each appliance stack must include the same type of appliance. For example, you can't have one appliance stack that includes both QRadar Network Insights 1920 and 1940 appliances.
Content flows are more easily identified
In earlier versions of IBM QRadar, content flows that were received from IBM QRadar Network Insights were identified only as a Standard flow with 0 bytes and 0 packet counters, so they were not readily distinguishable from other flows. Content flows are now labeled as follows:
- In the Flow Information window, the Flow Type field shows Standard Flow (Content Flow).
- On the Network Activity tab, the tooltip for the Flow Type icon shows Standard Flow (Content Flow).
The new Standard Flow (Content Flow) annotation is for display purposes only. You can't use this information in queries and filters.
New TCP flow direction algorithms
IBM QRadar Network Insights now includes two new flow direction algorithms that are used when a TCP handshake is observed.
- QNI TCP Handshake Observed (reversed) (7)
- QNI TCP Handshake Observed (unaltered) (8)
Previously, the flow direction was determined exclusively by the QFlow process, based on common destination ports or other flow information, which could result in the flow's direction being incorrectly flipped.
Now, when QRadar Network Insights observes a TCP handshake, the QFlow process relies on the information from QRadar Network Insights to determine the flow direction. All other flows rely on the algorithms that are used by the QFlow process.
Easily determine the direction of a content flow
The direction of a content flow is now reported as one of the following values:
- Unknown (0)
- Default Direction (1)
- Source to Destination (2)
- Destination to Source (3)
You can use this information to help you interpret the attributes within the content flow. For example, the direction of the content flow can help you determine whether files were exfiltrated from the organization or brought into it.
More descriptive entity alerts
An entity alert indicates that IBM QRadar Network Insights found suspicious content, such as credit card numbers, social security numbers, IP addresses, and email addresses, in a network flow.
Previously, the entity alert didn't provide visibility into the type of suspect content that caused the alert. Now, the entity alert includes more information about the type of suspicious content that was found so that you can triage each type of entity alert separately.
- entity alert - IP address
- entity alert - MAC address
- entity alert - Phone number
- entity alert - Credit Card Number
- entity alert - Email Address
- entity alert - Social Security Number
- entity alert - UK NINO
- entity alert - UK postal code
- entity alert - Zip Code
You can view the entity alerts in the Suspect Content Descriptions field on the Flow Information window.
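The entity alert types above, as an added illustration that is not IBM's product code: a small Python classifier that labels a flow payload with the suspect content descriptions it contains. The regular expressions, the Luhn check and the sample payload are assumptions made for the example; the page does not describe how QRadar Network Insights itself matches content.

```python
"""Illustrative entity-alert classifier (added example, not QRadar code).

Given the payload text of a flow, return the set of suspect content
descriptions, named after the entity alert types listed above. The
patterns and the Luhn check are assumptions about how such content can be
recognised; the page does not describe QRadar Network Insights' own matching.
"""
import re

# Hypothetical patterns for a subset of the entity alert types (assumed).
PATTERNS = {
    "entity alert - Email Address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "entity alert - IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "entity alert - Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "entity alert - UK NINO": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "entity alert - Credit Card Number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters card-number candidates that are just digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(payload: str) -> set:
    """Return the suspect content descriptions found in one flow payload."""
    found = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(payload):
            if name == "entity alert - Credit Card Number":
                digits = re.sub(r"\D", "", match.group())
                if not luhn_ok(digits):
                    continue    # digit run that is not a valid card number
            found.add(name)
    return found

# Constructed sample payload (not a real capture); 203.0.113.0/24 is a documentation range.
SAMPLE_PAYLOAD = (
    "POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
    "contact=alice@example.com&card=4111 1111 1111 1111&ssn=078-05-1120&nino=AB123456C"
)

if __name__ == "__main__":
    for description in sorted(classify(SAMPLE_PAYLOAD)):
        print(description)
```

Each description returned corresponds to one line of the Suspect Content Descriptions field, so the same payload can raise several entity alert types at once.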