Suspicious content in network flows
IBM QRadar Network Insights checks for suspicious content in network flows at the enriched and advanced inspection levels.
The Suspect Content Descriptions field is populated by multiple data sources, such as website categories, embedded links, and Yara rules, and contains data only when a suspicious entity is detected.
The following list shows examples of the types of suspicious content that are detected at the enriched and advanced inspection levels:

- Enriched inspection
  - Identified a protocol that runs on a non-standard port.
  - SSL/TLS certificate expired because the "not valid after" timestamp is in the past.
  - SSL/TLS certificate invalid because the "not valid before" timestamp is in the future.
  - Use of a self-signed certificate in SSL/TLS.
  - Use of a weak public key length in SSL/TLS.
  - Suspicious content via scanning with user-provided Yara rules.
  - Category of a website is one of several suspicious entries.
  - Certificate has a non-DNS subject alternative name.
  - Signature algorithm does not match the to-be-signed signature algorithm.
  - BitTorrent handshake verification failure.
  - X-Force signatures. For more information, see Suspect content descriptions derived from X-Force.
- Advanced inspection
  - Suspicious content in the transferred information.
  - Excessive numbers of items that were discovered through regular expression matching.
  - Credit card numbers, social security numbers, IP addresses, and email addresses.
  - User-defined items that are discovered through regex matching that is marked as suspicious.
  - Scripts in Office or PDF files.
  - Embedded links in PDF files.
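The certificate checks in the enriched list and the regex checks in the advanced list can both be reproduced in a small flow inspector. The following Python is an added example written for this page, not QRadar Network Insights code. It assumes the TLS handshake and transferred payload have already been parsed into a dict with the field names shown; the weak-key threshold (2048 bits), the "excessive matches" threshold (3), the regex patterns and the sample flow are all constructed for the example and are not QRadar's values.

```python
"""Constructed example (not QRadar Network Insights code): populate a
"suspect content descriptions" list for one flow from parsed certificate
metadata (enriched-level checks) and regex scanning of the payload
(advanced-level checks). Field names and thresholds are assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timezone

WEAK_RSA_BITS = 2048      # assumed threshold: shorter RSA keys are reported as weak
EXCESSIVE_MATCHES = 3     # assumed threshold for "excessive numbers of items"


def certificate_descriptions(cert: dict, now: datetime) -> list[str]:
    """Enriched inspection: descriptions derived from an already-parsed server certificate."""
    findings = []
    if cert["not_after"] < now:
        findings.append("SSL/TLS certificate expired: not-valid-after timestamp is in the past")
    if cert["not_before"] > now:
        findings.append("SSL/TLS certificate invalid: not-valid-before timestamp is in the future")
    if cert["issuer"] == cert["subject"]:        # issuer equals subject -> self-signed
        findings.append("self-signed certificate in SSL/TLS")
    if cert["key_type"] == "RSA" and cert["key_bits"] < WEAK_RSA_BITS:
        findings.append(f"weak public key length in SSL/TLS ({cert['key_bits']}-bit RSA)")
    for san_type, value in cert.get("sans", []):  # SANs as (type, value), e.g. ("IP", "192.0.2.10")
        if san_type != "DNS":
            findings.append(f"certificate has a non-DNS subject alternative name ({san_type}: {value})")
    if cert["signature_algorithm"] != cert["tbs_signature_algorithm"]:
        findings.append("signature algorithm does not match the to-be-signed signature algorithm")
    return findings


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Built-in patterns (constructed for the example; only non-capturing groups so findall
# returns whole matches). Labels are plural to read naturally in the descriptions.
BUILTIN_PATTERNS = {
    "credit card numbers": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "social security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email addresses": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def payload_descriptions(payload: str, user_patterns: dict[str, re.Pattern] | None = None) -> list[str]:
    """Advanced inspection: regex matching over transferred content, with an excess threshold."""
    findings = []
    for name, pattern in BUILTIN_PATTERNS.items():
        matches = pattern.findall(payload)
        if name == "credit card numbers":
            matches = [m for m in matches if luhn_ok(re.sub(r"[ -]", "", m))]
        if not matches:
            continue
        if len(matches) >= EXCESSIVE_MATCHES:
            findings.append(f"excessive number of {name} found by regex matching ({len(matches)})")
        else:
            findings.append(f"{len(matches)} {name} found by regex matching")
    for name, pattern in (user_patterns or {}).items():  # user-defined items marked suspicious
        if pattern.search(payload):
            findings.append(f"user-defined suspicious pattern matched: {name}")
    return findings


def inspect_flow(flow: dict, now: datetime, user_patterns=None) -> list[str]:
    """Combine both inspection levels into one suspect-content description list."""
    descriptions = []
    if flow.get("server_cert"):
        descriptions += certificate_descriptions(flow["server_cert"], now)
    if flow.get("payload"):
        descriptions += payload_descriptions(flow["payload"], user_patterns)
    return descriptions


# Constructed sample flow: expired, self-signed, 1024-bit cert with an IP SAN, and a
# payload carrying PII, several IP addresses and a user-defined marker string.
SAMPLE_FLOW = {
    "server_cert": {
        "subject": "CN=files.example.test",
        "issuer": "CN=files.example.test",
        "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc),
        "key_type": "RSA",
        "key_bits": 1024,
        "sans": [("DNS", "files.example.test"), ("IP", "192.0.2.10")],
        "signature_algorithm": "sha256WithRSAEncryption",
        "tbs_signature_algorithm": "sha256WithRSAEncryption",
    },
    "payload": (
        "name,card,ssn,email\n"
        "alice,4111 1111 1111 1111,123-45-6789,alice@example.test\n"
        "bob,5500 0000 0000 0004,987-65-4321,bob@example.test\n"
        "copied to 192.0.2.44, 198.51.100.7 and 203.0.113.9\n"
        "attachment: PROJECT-ZEPHYR-roadmap.pdf\n"
    ),
}
USER_PATTERNS = {"internal codename": re.compile(r"\bPROJECT-ZEPHYR\b")}  # constructed

if __name__ == "__main__":
    for line in inspect_flow(SAMPLE_FLOW, datetime(2024, 6, 1, tzinfo=timezone.utc), USER_PATTERNS):
        print(line)
```

The certificate branch deliberately works on fields a handshake parser has already extracted, so the same checks apply whether the metadata comes from a packet capture or from a flow record; the Luhn filter on the card-number regex is what keeps long numeric identifiers from inflating the "excessive items" count.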