Question & Answer
What is QRadar Flow Bias?
Flow Bias describes the relative size, or data transfer bias, of a flow, based on transfer into or out of the network, where local network resources are defined as those entered into the Network Hierarchy. Any address not defined in the Network Hierarchy is thus 'unknown' and is effectively treated as external or 'Remote'. In/Out Bias requires traffic to be entering or leaving your network.
| Flows in | Flows out | Flow Bias |
|---|---|---|
| 1% to 30% | 70% to 99% | Mostly Out |
| 31% to 69% | 31% to 69% | Nearly Same |
| 70% to 99% | 1% to 30% | Mostly In |
The possible values for Flow Bias are:
- In/Out Only Communication - These are unidirectional flows (one way only), where there are byte and packet counts on the Source or the Destination address, but not both. In/Out Only traffic can indicate:
  - Host or network scanning.
  - Communication that is being blocked by a firewall or IDS.
  - The QRadar Flow Collector is not seeing the other side of the traffic because a span or tap is misconfigured.
  - A routing issue at the network level, where external traffic is actually entering and then exiting your network.
  - External flow (NetFlow) data collection that does not send both sides of a communication. For example, you only see the inbound communication, but not the corresponding outbound communication.
- Mostly In - For most enterprise users, the majority of traffic should be Mostly In if most endpoints are user workstations, which pull information towards the local workstations.
- Mostly Out - Can represent local file or web servers, which send out more data in the form of HTML responses or file downloads than they receive in URL requests. An example DLP use case in QRadar is to watch your user segments for "Mostly Out" traffic, which indicates some sort of large outbound file transfer.
- Near Same - Examples of Near Same could be:
  - Video conference call, where video streams are both inbound and outbound.
  - VoIP voice call, where audio streams are both inbound and outbound.
  - Interactive (text-based) user session, where a user navigates a command-line operating system over SSH or Telnet.
  - Internet messaging or chat applications.
  - Any other case where two hosts are connected directly and send and receive similar amounts of data.
- Other / Remote to Remote - If you see a large amount of "Other" or "Remote to Remote" traffic, it is often the case that one of the IP address ranges in use on your network was not included in the Network Hierarchy. It can also indicate a device on your network that is incorrectly configured with a non-internal address range, or a device spoofing an internet-based IP address, although this is normally quite rare.
  - ISP users may see a large amount of such communication if they have a large internet transit point and do not define all their downstream customer networks within their Hierarchy. A rare possibility is that you are seeing traffic in your network that should not be there.
  - Another possibility is that something on your network, by design (malicious intent) or by misconfiguration, is spoofing or using an incorrect, non-local IP address.
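As an added example that is not part of the original article or of QRadar itself, the following Python applies the table's percentage bands and the In/Out Only rule to constructed flow records, and then runs the "Mostly Out from user segments" DLP check described above. The network hierarchy, the user segment and the sample flows are constructed stand-ins, and the treatment of percentages that fall between the table's whole-number bands is an assumption.

```python
import ipaddress

# Constructed stand-ins for the QRadar Network Hierarchy and a user segment (assumptions).
NETWORK_HIERARCHY = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
USER_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]

def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def flow_bias(src_ip, dst_ip, src_bytes, dst_bytes, hierarchy=NETWORK_HIERARCHY):
    """Classify a flow with the page's bands; src_bytes/dst_bytes are what each side sent."""
    src_local = in_networks(src_ip, hierarchy)
    dst_local = in_networks(dst_ip, hierarchy)
    if src_local == dst_local:
        # Both local, or both undefined in the hierarchy (Remote to Remote): no in/out direction.
        return "Other"
    # "In" is what the local endpoint received, "out" what it sent.
    bytes_in, bytes_out = (dst_bytes, src_bytes) if src_local else (src_bytes, dst_bytes)
    total = bytes_in + bytes_out
    if total == 0:
        raise ValueError("flow carries no bytes in either direction")
    if bytes_in == 0:
        return "Out Only"   # unidirectional: byte counts on one side only
    if bytes_out == 0:
        return "In Only"
    pct_in = 100 * bytes_in / total
    if pct_in <= 30:
        return "Mostly Out"  # 1% to 30% in, 70% to 99% out
    if pct_in >= 70:
        return "Mostly In"   # 70% to 99% in, 1% to 30% out
    return "Near Same"       # 31% to 69% each way

def mostly_out_from_user_segments(flows, segments=USER_SEGMENTS):
    """The page's DLP use case: large outbound transfers from user workstation segments."""
    hits = []
    for src, dst, src_bytes, dst_bytes in flows:
        local_ip = src if in_networks(src, NETWORK_HIERARCHY) else dst
        if in_networks(local_ip, segments) and flow_bias(src, dst, src_bytes, dst_bytes) == "Mostly Out":
            hits.append((src, dst, src_bytes, dst_bytes))
    return hits

# Constructed sample flows: (src_ip, dst_ip, bytes sent by src, bytes sent by dst).
SAMPLE_FLOWS = [
    ("10.20.5.7", "203.0.113.10", 2_000, 180_000),        # workstation download: Mostly In
    ("10.20.5.9", "198.51.100.4", 95_000_000, 40_000),    # workstation upload: Mostly Out
    ("10.20.5.7", "203.0.113.55", 1_200_000, 1_100_000),  # video call: Near Same
    ("198.51.100.77", "10.20.5.7", 600, 0),               # blocked or scanning: In Only
    ("172.16.3.3", "203.0.113.10", 5_000, 50_000),        # 172.16/12 not in hierarchy: Other
]
```

The last sample flow shows the symptom from the list above: an address range left out of the hierarchy makes internal hosts appear remote, so their traffic lands in "Other" instead of getting an In/Out bias.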
Where do you find more information?
10 May 2019