Displaying the flow direction algorithm field in search results

Use the search feature to add the flow direction algorithm to the Flow Details window. You can use the flow direction algorithm to identify the criteria that caused QRadar to reverse the flow direction.

Procedure

  1. To display the flow direction algorithm field on the Flow Details window, follow these steps:
    1. Click the Network Activity tab.
    2. From the Search list, select New Search.
    3. In the Column Definition section, scroll down the list of available columns and add Flow Direction Algorithm to the list of columns to display.
    4. Click Filter.
      The Flow Direction Algorithm column appears on the Network Activity tab, displaying a value that represents the algorithm that was used.
  2. To display the flow direction algorithm in an advanced search, use the LOOKUP function to show the text description for the enumerated flow direction algorithm field. For example, the AQL query might look like this:
    SELECT sourceip, destinationip, LOOKUP('flow direction algorithm', "flow direction algorithm") FROM flows