Basic inspection
The Basic inspection level supports high bandwidth but generates the least amount of flow information. The Basic level inspection creates standard flow records known as data flows.
Important: The data must exist in the source content so that the field is populated in QRadar. For example, some content is populated by the X-Force Threat Intelligence feed, but the field may appear empty in QRadar if the information is not available in X-Force.
The following table shows the fields that are populated when QRadar Network Insights is configured to use the Basic inspection level.
| Query builder name | Advanced search name | Data source |
|---|---|---|
| Application | applicationid | Multiple sources, such as Inspectors and X-Force. The attribute is populated by default. |
| Customer VLAN ID | "customer vlan id" | Populated only when the flow source or destination address came from 802.1q VLAN header data. |
| Destination DSCP | destinationdscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet. |
| Destination Flags | destinationflags | TCP header of the flow packet. |
| Destination IP address | destinationip | IPv4 or IPv6 header of the flow packet. |
| Destination Port | destinationport | TCP or UDP header of the flow packet. |
| Enterprise VLAN ID | "enterprise vlan id" | Populated only when the flow source or destination address came from 802.1q VLAN header data. |
| First Packet Time | firstpackettime | Assigned by QRadar Network Insights. |
| Flow ID | flowid | Assigned by QRadar Network Insights. |
| IP protocol | protocolid | IPv4 or IPv6 header of the flow. |
| Last Packet Time | lastpackettime | Assigned by QRadar Network Insights. |
| Source DSCP | sourcedscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet. |
| Source Flags | sourceflags | TCP header of the flow packet. |
| Source IP address | sourceip | IPv4 or IPv6 header of the flow packet. |
| Source port | sourceport | TCP or UDP header of the flow packet. |
| Total bytes per packet | sourcebytes, destinationbytes | Assigned and maintained by QRadar Network Insights*. |
| Total Packets | sourcepackets, destinationpackets | Assigned and maintained by QRadar Network Insights*. |
| VLAN Tag | "vlan tag" | Populated only when the flow source or destination address came from 802.1q VLAN header data. |
| VXLAN Network Identifier | "vxlan network indentifier" | Populated only when the flow contains VXLAN header data. |