IBM® QRadar® Network Threat Analytics analyzes existing network flows to determine the type and frequency of normal flow traffic on your network. The result of this process is a network baseline that contains information about the flows and flow attributes that currently exist on the system. The app uses the network baseline as an indicator of the flow traffic that is considered typical in your network.
Baseline fields
The following table shows the attributes that are analyzed. The attributes are grouped into categories, which are used in the Analytics score by category chart on the Finding detail page.

The attributes that are analyzed to create the network baseline depend on which software is installed. QRadar flow attributes are always analyzed; when QRadar Network Insights is installed, its additional flow attributes are analyzed as well.
Table 1. Flow attributes that are analyzed by QRadar Network Threat Analytics, grouped by category

Columns: Category; QRadar flow attributes; QRadar Network Insights flow attributes

Source
- QRadar flow attributes: Source IP; Source network; Source sub network (new in 1.2.0)
- QRadar Network Insights flow attributes: none listed

Destination
- QRadar flow attributes: Destination IP; Destination network name; Destination sub network (new in 1.2.0)
- QRadar Network Insights flow attributes: none listed

Source rate
- QRadar flow attributes: Accumulated source bytes; Source bytes; Source packets; Flow duration (new in 1.2.0)
- QRadar Network Insights flow attributes: Not applicable

Destination rate
- QRadar flow attributes: Accumulated destination bytes; Destination bytes; Destination packets
- QRadar Network Insights flow attributes: Not applicable

Source to destination ratio
- QRadar flow attributes: Source bytes to destination bytes pairing; Source packets to destination packets pairing
- QRadar Network Insights flow attributes: Not applicable

Protocol & application
- QRadar flow attributes: Application ID; Destination flags; Destination port; Protocol ID; Source flags
- QRadar Network Insights flow attributes (all new in 1.2.0): Application protocol name; Authentication mechanism; Content type; DNS domain name; DNS request type; DNS response code; FTP reply code; HTTP response code; Kerberos client principal name; Kerberos cipher suite; Kerberos realm; Kerberos server principal name; Last proxy IPv4; Last proxy IPv6; Protocol version; RDP encryption level; RDP encryption method; TFTP mode; TFTP status

X.509
- QRadar flow attributes: Not applicable
- QRadar Network Insights flow attributes: X.509 certificate version; X.509 certificate signature algorithm; X.509 certificate issuer common name (new in 1.2.0); X.509 certificate public key algorithm (new in 1.2.0); X.509 certificate public key size (new in 1.2.0); X.509 certificate to-be-signed signature algorithm (new in 1.2.0); X.509 certificate issuer name (new in 1.2.0)

SSL/TLS
- QRadar flow attributes: Not applicable
- QRadar Network Insights flow attributes: SSL/TLS cipher suite; SSL/TLS compression method; SSL/TLS version; TLS application layer

File
- QRadar flow attributes: Not applicable
- QRadar Network Insights flow attributes: none listed

Uncategorized
- QRadar flow attributes: none listed
- QRadar Network Insights flow attributes: Not applicable
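To make the idea of a frequency baseline and a per-category score concrete, the following is an added, illustrative example; it is not code from QRadar Network Threat Analytics and does not reproduce its model. It learns how often each QRadar flow attribute value occurs in a set of normal flows, then scores a new flow per category the way the "Analytics score by category" chart groups attributes. Everything below is assumed for illustration: the snake_case record keys, the log2 bucketing of byte and packet counts, the ratio "pairing" as a difference of buckets, the add-one-smoothed rarity formula, and the constructed sample flows.

```python
"""Frequency baseline over flow attributes and rarity score per category.

Added illustrative example, not QRadar Network Threat Analytics code.
Record keys, bucketing, and the scoring formula are assumptions; all flow
records are constructed sample data.
"""
import math
from collections import Counter, defaultdict

# Category -> QRadar flow attributes, following Table 1 for the columns a
# plain flow record carries (assumed snake_case keys, not QRadar's field names).
CATEGORIES = {
    "Source": ["source_ip", "source_network"],
    "Destination": ["destination_ip", "destination_network"],
    "Source rate": ["source_bytes", "source_packets"],
    "Destination rate": ["destination_bytes", "destination_packets"],
    "Source to destination ratio": ["bytes_ratio", "packets_ratio"],
    "Protocol & application": ["application_id", "destination_port",
                               "protocol_id", "source_flags", "destination_flags"],
}
NUMERIC = ("source_bytes", "source_packets", "destination_bytes", "destination_packets")


def bucket(n):
    """Log2 magnitude bucket so volumes can be counted like categorical values."""
    return 0 if n <= 0 else int(math.log2(n)) + 1


def derive(flow):
    """Bucket the rate attributes and derive the source/destination pairings."""
    f = dict(flow)
    f["bytes_ratio"] = bucket(f["source_bytes"]) - bucket(f["destination_bytes"])
    f["packets_ratio"] = bucket(f["source_packets"]) - bucket(f["destination_packets"])
    for key in NUMERIC:
        f[key] = bucket(f[key])
    return f


def build_baseline(flows):
    """Count how often each attribute value appears across the normal flows."""
    counts = defaultdict(Counter)
    for flow in flows:
        f = derive(flow)
        for attrs in CATEGORIES.values():
            for a in attrs:
                counts[a][f[a]] += 1
    return {"n": len(flows), "counts": counts}


def score(baseline, flow):
    """Per-category rarity in [0, 1]: a value seen in every baseline flow scores 0,
    a never-seen value scores 1 (add-one smoothing, normalised by log(n + 1))."""
    n, f, result = baseline["n"], derive(flow), {}
    for cat, attrs in CATEGORIES.items():
        rarities = []
        for a in attrs:
            p = (baseline["counts"][a][f[a]] + 1) / (n + 1)
            rarities.append(-math.log(p) / math.log(n + 1))
        result[cat] = round(sum(rarities) / len(rarities), 3)
    return result


def rank(scores):
    """Categories ordered from most to least anomalous, as a chart would show them."""
    return sorted(scores, key=scores.get, reverse=True)


def sample_flows():
    """Constructed baseline: ten workstations each talk to a database and a web proxy."""
    flows = []
    for i in range(1, 11):
        flows.append(dict(source_ip=f"10.0.1.{i}", source_network="workstations",
                          destination_ip="10.0.2.5", destination_network="servers",
                          source_bytes=800, source_packets=10,
                          destination_bytes=6000, destination_packets=12,
                          application_id=1001, destination_port=5432, protocol_id=6,
                          source_flags="PA", destination_flags="PA"))
        flows.append(dict(source_ip=f"10.0.1.{i}", source_network="workstations",
                          destination_ip="10.0.2.6", destination_network="servers",
                          source_bytes=1500, source_packets=15,
                          destination_bytes=40000, destination_packets=40,
                          application_id=1002, destination_port=443, protocol_id=6,
                          source_flags="PA", destination_flags="PA"))
    return flows


# Constructed flow that departs from the baseline: a known workstation pushing
# 50 MB to an address and port never seen before, with almost nothing coming back.
SUSPECT_FLOW = dict(source_ip="10.0.1.7", source_network="workstations",
                    destination_ip="203.0.113.9", destination_network="internet",
                    source_bytes=50_000_000, source_packets=40000,
                    destination_bytes=2000, destination_packets=12,
                    application_id=1003, destination_port=4444, protocol_id=6,
                    source_flags="PA", destination_flags="PA")

if __name__ == "__main__":
    baseline = build_baseline(sample_flows())
    scores = score(baseline, SUSPECT_FLOW)
    for cat in rank(scores):
        print(f"{cat:28s} {scores[cat]:.3f}")
```

The score is deliberately simple: one number per category, so a flow that is unusual only because of where it goes (Destination) or how much it sends (Source rate, ratio) shows that in the corresponding category while its Source and Protocol & application scores stay low. A real baseline must also handle attribute values that are legitimately high-cardinality (ephemeral ports, client IPs), which this toy example does not address.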