Event direction
The QRadar® Advisor with Watson™ app uses the event direction to determine which network objects are not part of your internal network, such as remoe IP addresses, domains, and URLs. Only the external network objects are sent to the cloud for analysis.
You must set up QRadar network hierarchy for your QRadar system to correctly identify remote network objects. For more information, see Network hierarchy. You must also have log sources that are from egress boundaries in your infrastructure, such as firewall logs, proxy logs, and IPS/IDS logs. For more information, see http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_dsm_guide.pdf.