Configuring the flow inspection level

The flow inspection level determines how much data is analyzed and extracted from the network flows. Each Flow Inspection Level setting provides deeper visibility and extracts more content than the preceding levels.

About this task

The following table explains the difference between each inspection level:
Table 1. Flow inspection levels

| Flow Inspection Level | Description |
| --- | --- |
| Basic | Lowest level of inspection. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. |
| Enriched | Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection. |
| Advanced | The default setting. The highest level of inspection. Flows are subjected to more rigorous content extraction processes, including scanning and inspecting the content of the files that it finds. |
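
To make concrete what the Basic level records, the following added example (an illustration, not QRadar Network Insights code) groups packets into flows by 5-tuple and counts packets and bytes in each direction. The packet list, the function names, and the choice to treat the first packet seen as the flow's source side are assumptions made for this example.

```python
# Constructed sample packets:
# (src_ip, src_port, dst_ip, dst_port, protocol, size_in_bytes)
SAMPLE_PACKETS = [
    ("10.0.0.5", 51514, "192.0.2.10", 443, "tcp", 74),
    ("192.0.2.10", 443, "10.0.0.5", 51514, "tcp", 74),
    ("10.0.0.5", 51514, "192.0.2.10", 443, "tcp", 583),
    ("192.0.2.10", 443, "10.0.0.5", 51514, "tcp", 1514),
    ("10.0.0.7", 40000, "198.51.100.53", 53, "udp", 82),
    ("198.51.100.53", 53, "10.0.0.7", 40000, "udp", 146),
    ("10.0.0.5", 51515, "192.0.2.10", 443, "tcp", 74),
]


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Return a direction-independent 5-tuple key, so that a request and
    its reply land in the same flow record."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def count_flows(packets):
    """Aggregate packets into flows and count packets and bytes per direction."""
    flows = {}
    for src_ip, src_port, dst_ip, dst_port, proto, size in packets:
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        flow = flows.get(key)
        if flow is None:
            # Assumption: the first packet seen defines the flow's source side.
            flow = flows[key] = {
                "src": (src_ip, src_port), "dst": (dst_ip, dst_port),
                "proto": proto,
                "pkts_out": 0, "bytes_out": 0, "pkts_in": 0, "bytes_in": 0,
            }
        direction = "out" if (src_ip, src_port) == flow["src"] else "in"
        flow["pkts_" + direction] += 1
        flow["bytes_" + direction] += size
    return list(flows.values())


if __name__ == "__main__":
    for record in count_flows(SAMPLE_PACKETS):
        print(record)
```

The third flow in the sample has traffic in one direction only. A different source port makes it a separate flow even though the hosts and destination port match the first one.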

By default, the Flow Inspection Level for each appliance is inherited from the global setting that is defined in the System Settings on the Admin page. When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed.

For the QRadar Network Insights 6200, 6600, and 6610 appliances, you can override the global setting by configuring a custom flow inspection level for each appliance.

In a stacked configuration, each stack can have a different flow inspection level, but all appliances within a stack must have the same inspection level.

Procedure

  1. Log in to QRadar as an administrator.
  2. To configure the global setting for all appliances, follow these steps:
    1. On the Admin tab, click System Settings.
    2. Click QRadar Network Insights Settings.
    3. From the Flow Inspection Level, select the flow rate.
    4. Click Save.
  3. For appliance type 6200, 6600, and 6610, you can configure the flow inspection level for the individual appliance.
    1. On the Admin tab, click System and License Management.
    2. Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
    3. Set the flow collector and the flow source connection and click Save.
    4. Specify the Flow Inspection Level for the appliance.
    5. Click Next and then click Save.
  4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.
    Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.
  5. Refresh your web browser.

What to do next

Deploy the QRadar Network Insights Processor.