Network hierarchy
IBM QRadar uses the network hierarchy to determine which hosts are local or remote. QRadar also uses the hierarchy to monitor specific logical groups or services that are in your network, such as specific office locations, regions, departments, or network ranges such as DMZs, VPN pools, or VOIP networks.
You must ensure that all internal address spaces, both routable and non-routable, are defined within your network hierarchy. Otherwise, QRadar might generate an excessive number of false positives because QRadar treats internal systems differently from external systems. QRadar ignores typical internal network activity from internal IP address ranges.
Administrators must define the following top-level objects:
- Internet-facing IP address for a DMZ.
- IP addresses used for remote access in Virtual Private Network (VPN) systems.
- Data centers and server networks.
- Network devices and network management devices.
For more information about creating your network hierarchy, see the IBM QRadar Administration Guide.
Use the IBM QRadar Use Case Manager to review your network hierarchy. Download the app at the IBM® Security App Exchange (https://exchange.xforce.ibmcloud.com/hub).
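The requirement above, that every internal address space is defined in the network hierarchy, can be checked offline by subtracting the hierarchy's CIDRs from the address space you know is in use. The following is an added example, not IBM code: the `(name, CIDR)` entry shape, the network names and all address ranges are constructed for illustration and are not a QRadar export format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: network hierarchy entries as (name, CIDR) pairs.
# This shape is an assumption for the example, not a QRadar export format.
HIERARCHY = [
    ("DMZ.Internet_facing", "203.0.113.0/24"),
    ("VPN.Remote_access", "10.10.128.0/18"),
    ("Datacenter.Servers", "10.10.0.0/17"),
    ("Network.Management", "192.168.0.0/24"),
]
# Constructed sample: address space the organisation uses internally.
INTERNAL_SPACE = ["10.10.0.0/16", "192.168.0.0/24"]

def _collapse(nets):
    """Merge networks per IP version (collapse_addresses rejects mixed input)."""
    by_version = defaultdict(list)
    for n in nets:
        by_version[n.version].append(n)
    out = []
    for version in sorted(by_version):
        out.extend(ipaddress.collapse_addresses(by_version[version]))
    return out

def uncovered(internal_space, hierarchy):
    """Return the parts of internal_space that no hierarchy CIDR covers."""
    defined = _collapse(ipaddress.ip_network(c) for _, c in hierarchy)
    gaps = []
    for cidr in internal_space:
        remaining = [ipaddress.ip_network(cidr)]
        for d in defined:
            kept = []
            for net in remaining:
                if net.version != d.version or not net.overlaps(d):
                    kept.append(net)                     # untouched by d
                elif not net.subnet_of(d):
                    kept.extend(net.address_exclude(d))  # d carves a hole in net
                # else: net lies fully inside d, so it is covered
            remaining = kept
        gaps.extend(remaining)
    return [str(n) for n in _collapse(gaps)]

if __name__ == "__main__":
    for gap in uncovered(INTERNAL_SPACE, HIERARCHY):
        print("not in network hierarchy:", gap)
```

Any range this reports is internal address space that QRadar would treat as remote until it is added to the hierarchy.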