IBM® QRadar® Network Threat Analytics creates a finding when it detects network communications that deviate from the baseline traffic that was observed on the network.

Use this workflow to learn how you can drill down into a finding that was raised by QRadar Network Threat Analytics. This top-down approach to investigating network traffic shows how the app collects the detailed information that you need to truly understand what is happening in your network.

This workflow is an example only and is intended to highlight particular information that you might find helpful while you are analyzing a finding. Your method of investigating findings in your own network might differ from what is shown here.

Tip: New in 1.3.0: Filter your findings with the list of filter attributes so that you search for findings that meet specific criteria. These filters apply across all tabs that display findings.
Procedure
- The QRadar Network Threat Analytics home page provides high-level information about the traffic that is observed on the network within the specified time frame.
The following list describes the annotations on the preceding image.
- The time frame specifies the traffic analysis period. It applies to all widgets on the home page.
- The first row shows some basic network analysis metrics. The Baseline coverage shows the percentage of your network traffic that can be mapped to the network baseline. In this example, 99% of network traffic is mapped to the baseline, which means that the remaining 1% of traffic was never before seen in the environment.
- These widgets show the most and least common applications and countries out of the network traffic that was observed within the specified time frame.
- Move the mouse over different areas of the map to view traffic summary information about the traffic to and from that country or region.
- Review the Findings tab to decide which finding to investigate. New in 1.3.0: Filter your findings with the list of filter attributes so that you search for findings that meet specific criteria.
The following list describes the annotations on the preceding image.
- The finding with the highest score appears first in the list. In this example, the finding also has a MITRE ATT&CK technique that is associated with it, so you might want to dig deeper into that one.
- Click the ID or the arrow at the end of the row to view detailed information about the finding.
- The Finding detail page provides more information about the finding.
The following list describes the annotations on the preceding image.
- The Behavioral analytics score represents the significance of a finding. It is calculated based on the outlier scores of the contributing flows.
- In this example, the finding includes a suspected MITRE ATT&CK technique. Click the technique name to learn more about it.
- In the Network widget, you can view information about the communication, including the flow direction.
- The Analytics score by category chart shows flow characteristics that are grouped into categories. Tip: Hover the mouse over the category name to see the highest deviating flow attribute within the group. For more information about the attributes within each category, see Network baseline. The groups with the highest deviations extend to the outer perimeter of the graph. In this example, you can see that the Protocol & application group has the highest deviation.
- The Network data table shows the network communications that are involved in the finding.
The following list describes the annotations on the preceding image.
- For each communication, you can see the deviating categories, which are ordered by their magnitude.
- Each communication has a score that ranges from 0 to 100. The scores are aggregated to derive the Behavioral analytics score for the finding. Important: A network communication that has a score of 100 was never before observed in the network.
- To learn more about a single communication, click the Flow ID link to view the list of flow records in the communication. New in 1.3.0: If the flow record includes QRadar Network Insights metadata, you can expand the row to see what metadata applies to the record.
- To view detailed information about the flow record, in the Flow records table, click the arrow at the end of the row to open the Flow record analytics page.
The following list describes the annotations on the preceding image.
- The Outlier score is calculated based on how much the flow record deviates from the baseline and how rare the flow record is.
- The Baseline occurrence describes how frequently the app saw this type of communication in the network when the network baseline was created. Possible values are Common, Rare, Very Rare, and First Seen. Hover your mouse over the baseline score to see the expected frequency for this type of flow. If the analytics score is high and the baseline occurrence is not typical, you might decide that the flow requires further investigation.
- Click the Finding ID to open the Finding detail page to view information about the finding that the flow contributes to.
- Click the name of the Behavioral MITRE ATT&CK technique to view more information about it.
- The Score contributors table shows the flow characteristics that contributed to the flow's outlier score. Some flow attributes are weighted more heavily than others, and the bar length indicates the relative contribution of the attribute to the outlier score.
- On the Flow record analytics page, scroll down to view the Flow record properties table. Use this table to see how the flow attributes compared to the baseline values.