QRadar: Defining QRadar Flow Bias

Answer

Flow Bias is used to describe the relative size, or data transfer bias, of a flow, based on transfer into or out of the network, where local network resources are defined as those entered into the Network Hierarchy. Any address not defined in the Network Hierarchy are thus ‘unknown’, and are effectively considered as external or ‘Remote’. In/Out Bias requires traffic to be entering into or leaving your network.

1. In/Out Only Communication - These are considered Unidirectional Flows, one way only, where there are only bytes & packet counts on the Source or Destination address, but not both.
   
   In/Out Only traffic can indicate:
• Host or network scanning.
• Communication that is being blocked by a Firewall/IDS.
• The QRadar Flow collector is not seeing the other side of the traffic due to a problem with a span or tap being mis-configured.
• A routing issue at the network level, where external traffic is actually entering, then exiting your network.
• External flow (Netflow) data collection not sending both sides of a communication. For example you are only seeing traffic on an inbound communication, but not the corresponding outbound communication.
  
  
  
2. Mostly Out/In Communication - The ratio on these Flows is more than 70% in one direction.
   
• For most enterprise users, the majority of your traffic should be Mostly In, if most of your endpoints are user workstations, which would be pulling information towards the local workstations.
• Mostly out, could represent local file or web servers, which are sending out more data in the form of html responses or file downloads than they are receiving URL requests. An example use case for monitoring for DLP in QRadar, is to watch your user segments for “Mostly Out” traffic, indicating some sort of large outbound file transfer.
  
  
  
3. Near Same Communication - The ratio of these flows is between 30% and 70% per direction. Near Same communication is not as common as Mostly In/Out.
   
   Examples of Near Same could be:
• Video conference call, where video streams are Inbound & Outbound.
• VOIP voice call, where audio streams are both Inbound & Outbound.
• Interactive (text based) user session, where a user is navigating around a command line based operating system, such as SSH or Telnet.
• Internet messaging or chat applications.
• Any other example, where two hosts are connected directly, and would send and receive similar amounts of data.
  
  
  
4. Other - Local to Local (Internal) and Remote to Remote (both Source and Destination address unknown) traffic. If you are monitoring Internal Network Points within your organization, you should expect to see a fair amount of Other or Local to Local data.
   
   
• If you see a large amount of “Other” or “Remote to Remote”, it is often the case the one of the IP address ranges in use on your network was not included in the Network Hierarchy. It can also be an indicator of some device on your network being incorrectly configured with a non-internal address range, or perhaps some device is spoofing an internet based IP address, although this is normally quite rare.
• ISP users may see a large amount of Communication if they have a large internet transit point and do not define all their customer downstream networks within their Hierarchy. A rare possibility is that you are seeing traffic in your network that should not be there.
• Another possibility is that something on your network, by design (malicious intent) or by mis-configuration, is spoofing or using an incorrect, Non-Local defined IP Address.