QRadar Network Threat Analytics events

IBM® QRadar® Network Threat Analytics findings can generate three different types of events. You can use these events to write rules and create searches and reports.

Understanding the difference between each event type can help you determine which events warrant further investigation.

Network anomaly observed

This type of event is generated when the app creates a new finding after a potential network anomaly is discovered.

Further analysis is needed to determine whether the behavior is truly anomalous.

Network anomaly detected

After further analysis, an observed anomaly becomes a detected anomaly when the app confirms that the finding is truly anomalous and not previously unseen normal behavior.

If the behavior is determined to be normal but previously unseen, it is added to the network baseline as part of the next scheduled update.

Network anomaly update

As more traffic is analyzed over time, update events are created, indicating that a finding is ongoing.

The app creates three types of update events:

• Network Anomaly Update (continuing activity) indicates that a new communication was added to an existing finding, or that new flow records were added to an existing communication that is already part of a finding.
• Network Anomaly Update (score change) indicates that a finding score increased as more traffic was analyzed.
• Network Anomaly Update (MITRE mapping) indicates that a finding was updated with a new suspected MITRE ATT&CK technique.