QRadar Network Threat Analytics events

IBM® QRadar® Network Threat Analytics findings can generate three different types of events. You can use these events to write rules and create searches and reports.

Understanding the difference between each event type can help you determine which events warrant further investigation.

Network anomaly observed
This type of event is generated when the app creates a new finding after a potential network anomaly is discovered.

Further analysis is needed to determine whether the behavior is truly anomalous.

Network anomaly detected
After further analysis, an observed anomaly becomes a detected anomaly when the app confirms that the finding is truly anomalous and not previously unseen normal behavior.

If the behavior is determined to be normal but previously unseen, it is added to the network baseline as part of the next scheduled update.

Network anomaly update
As more traffic is analyzed over time, update events are created, indicating that a finding is ongoing.
The app creates three types of update events:
  • Network Anomaly Update (continuing activity) indicates that a new communication was added to an existing finding, or that new flow records were added to an existing communication that is already part of a finding.
  • Network Anomaly Update (score change) indicates that a finding score increased as more traffic was analyzed.
  • Network Anomaly Update (MITRE mapping) indicates that a finding was updated with a new suspected MITRE ATT&CK technique.
By default, all findings will generate events but you might want to generate events only for the highest-scoring findings. You can change the threshold for event generation on the Application Settings page.
  1. In IBM QRadar, click the Network Threat Analytics tab.
  2. Click the gear icon () to open the settings for the app.
  3. Set the minimum threshold analytic score or finding score for which you want to generate events.

    Applications Settings page for the app that shows the numerical threshold setting (0-100) for generating events.