QRadar Network Activity: A Step-by-Step Guide to Efficient Monitoring and Analysis

February 24, 2024

QRadar Network Activity is a powerful tool for monitoring and analyzing network traffic. By leveraging its capabilities, you can gain insights into your network's security posture, identify potential threats, and take proactive measures to protect your infrastructure.

Network Flow and QRadar:

NetFlow is a feature introduced by Cisco in the mid-1990s for its routers. It allows network administrators to gather statistics about the traffic passing through the router: when data packets enter or exit the router, NetFlow collects information about them.

With NetFlow, administrators can analyze this collected data to gain insights about various aspects of the network. This includes details about the source and destination of the traffic, the amount of data transferred, and even potential reasons for congestion in the network.

The specific information collected by NetFlow includes:

- The interface through which the traffic enters or exits the router.
- The start and end times of the flow (when the data transfer occurred).
- The number of bytes and packets observed during the flow.
- Details about the Layer 3 headers, such as the source and destination IP addresses, ICMP (Internet Control Message Protocol) information, IP protocol, and Type of Service (ToS) value.
- Source and destination port numbers (which help identify specific applications or services).
- For TCP flows (a type of network connection), NetFlow records the TCP flags observed over the flow's duration.

Benefits of Flow-based Analysis:

1. Quick Identification of Anomalies:

   - Focusing on flows instead of individual packets allows for quick detection of unusual data transfers, new ports being used, or new hosts on a network.
   - Flow-based analysis helps in promptly identifying potential issues that require further investigation.

2. Space-Efficient Storage:

   - Flow records occupy significantly less storage space than complete packet captures.
   - Aggregating lower-layer information and excluding payload data further reduces storage requirements.
   - This enables longer monitoring periods and provides a good overview of network activity for analysis.

3. Insight into Encrypted Connections:

   - Flow-based analysis provides valuable information even for encrypted connections.
   - Analysts can still observe data movement, timing, volume, and destination without accessing the content itself.
   - This proves useful in identifying patterns and detecting potential threats without decrypting the data.

4. Baseline for Anomaly Detection:

   - Flow data establishes historical patterns of regular traffic, making abnormal or potentially dangerous traffic easier to detect.
   - Comparing current flows to established baselines aids in identifying deviations and potential security incidents.

5. Reliable Source of Data:

   - Flow data is typically generated by a separate, uncompromised source, such as a router.
   - Even if a monitored host is compromised, the initial collection point for flow data is less likely to be targeted or affected.

6. Distributed View and Analysis:

   - Gathering flow data from different network points provides a more distributed view of network activity.
   - This aids in pinpointing the origin of an attack, analyzing the overall situation, and enhancing situational awareness.

7. Versatile Implementation:

   - Flow exports can be conveniently implemented on both local and remote networks, providing an additional layer of visibility and detection.
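An added example for items 1 and 4 above (not code from this post or from QRadar): it aggregates the current window's flows per source host and compares the outbound volume with that host's own history, reporting both statistical outliers and hosts that have no baseline yet. Hosts, addresses and byte counts are constructed sample data, and the z-score threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: outbound bytes per internal host for each of the last seven
# one-hour windows, as you would aggregate from stored flow records.
BASELINE = {
    "10.0.0.5": [2_100_000, 2_400_000, 1_900_000, 2_200_000, 2_300_000, 2_000_000, 2_150_000],
    "10.0.0.7": [150_000, 120_000, 170_000, 140_000, 160_000, 130_000, 155_000],
}

# Constructed flows for the current window: (src ip, dst ip, dst port, ip proto, src bytes).
CURRENT_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 6, 1_200_000),
    ("10.0.0.5", "192.0.2.11", 443, 6, 1_000_000),
    ("10.0.0.7", "198.51.100.4", 443, 6, 300_000),
    ("10.0.0.7", "198.51.100.4", 443, 6, 2_500_000),  # far above this host's history
    ("10.0.0.9", "192.0.2.53", 53, 17, 4_000),  # host never seen in the baseline
]

def outbound_per_host(flows):
    """Sum the bytes sent by each source host in the window."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, src_bytes in flows:
        totals[src] += src_bytes
    return dict(totals)

def detect_outliers(current, baseline, z_threshold=3.0, min_samples=5):
    """Flag hosts whose current outbound volume deviates from their own history.

    Returns {host: reason}. A host with too little history is reported as such
    rather than ignored, because a new talker is itself worth a look.
    """
    findings = {}
    for host, total in current.items():
        history = baseline.get(host, [])
        if len(history) < min_samples:
            findings[host] = "no baseline"
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = 0.0 if total == mu else float("inf")
        else:
            z = (total - mu) / sigma
        if abs(z) >= z_threshold:
            findings[host] = f"z={z:.1f} (current {total}, mean {mu:.0f})"
    return findings

if __name__ == "__main__":
    print(detect_outliers(outbound_per_host(CURRENT_FLOWS), BASELINE))
```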

 

Transition:

Although Cisco initially introduced NetFlow, it has been succeeded by the Internet Protocol Flow Information Export (IPFIX) protocol. IPFIX, an IETF standard, provides a universal export format for Internet Protocol flow information, irrespective of the flow's origin. This standardized format ensures consistent formatting and transfer of IP flow information between exporters and collectors.

QRadar Flow Processing: Internal and External Sources

Internal Flow Sources:

QRadar can process network flows from internal sources, which involve the following setup:

- Network Router or TAP Device: A SPAN (Switched Port Analyzer) port on a network router or a network TAP (Test Access Point) device is configured to forward raw packet data to a monitoring port on the QRadar Flow Collector.
- Flow Conversion: The QRadar Flow Collector receives the forwarded data and converts it into flow records. It is important to note that QRadar does not store the entire packet payload but captures a snapshot of the flow, typically the first 64 bytes (default setting).
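The conversion step above, as an added illustration that is neither QRadar's code nor from the original post: it folds constructed packet observations into bidirectional flow records carrying the NetFlow fields listed earlier (interface, start and end times, bytes and packets, 5-tuple, ToS, TCP flags) and keeps only a 64-byte payload snapshot per direction. The packet tuple layout, the Flow class and all addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PAYLOAD_SNAPSHOT = 64  # bytes kept per direction, matching the default mentioned above

# Constructed packets as a collector fed by a SPAN port or TAP would see them:
# (timestamp, ingress interface, src ip, src port, dst ip, dst port, proto, tos, flags, length, payload)
PACKETS = [
    (1000.0, "eth1", "10.0.0.5", 51234, "192.0.2.10", 443, 6, 0, "S", 60, b""),
    (1000.1, "eth1", "192.0.2.10", 443, "10.0.0.5", 51234, 6, 0, "SA", 60, b""),
    (1000.2, "eth1", "10.0.0.5", 51234, "192.0.2.10", 443, 6, 0, "A", 52, b""),
    (1000.3, "eth1", "10.0.0.5", 51234, "192.0.2.10", 443, 6, 0, "PA", 269, b"\x16\x03\x01" + b"A" * 214),
    (1000.6, "eth1", "192.0.2.10", 443, "10.0.0.5", 51234, 6, 0, "PA", 1500, b"\x16\x03\x03" + b"B" * 1445),
    (1001.2, "eth1", "10.0.0.5", 51234, "192.0.2.10", 443, 6, 0, "FA", 52, b""),
    (1000.4, "eth1", "10.0.0.7", 40000, "192.0.2.53", 53, 17, 0, "", 70, b"\x12\x34" + b"\x00" * 28),
]

@dataclass
class Flow:
    src: Tuple[str, int]
    dst: Tuple[str, int]
    proto: int
    interface: str
    tos: int
    first_seen: float
    last_seen: float
    tcp_flags: Set[str] = field(default_factory=set)
    counters: Dict[str, int] = field(default_factory=lambda: dict(src_bytes=0, src_pkts=0, dst_bytes=0, dst_pkts=0))
    payload: Dict[str, bytes] = field(default_factory=lambda: {"src": b"", "dst": b""})

def build_flows(packets) -> Dict[tuple, Flow]:
    """Fold packet observations into bidirectional flow records keyed by 5-tuple.
    The endpoint seen first becomes the flow's source; bytes, packets and TCP flags
    accumulate, and payload is truncated to PAYLOAD_SNAPSHOT bytes per direction."""
    flows: Dict[tuple, Flow] = {}
    for ts, iface, sip, sport, dip, dport, proto, tos, flags, length, payload in packets:
        fwd = ((sip, sport), (dip, dport), proto)
        rev = ((dip, dport), (sip, sport), proto)
        if fwd not in flows and rev not in flows:
            flows[fwd] = Flow((sip, sport), (dip, dport), proto, iface, tos, ts, ts)
        side = "src" if fwd in flows else "dst"  # which end of the flow sent this packet
        f = flows[fwd] if side == "src" else flows[rev]
        f.first_seen, f.last_seen = min(f.first_seen, ts), max(f.last_seen, ts)
        f.tcp_flags.update(flags)
        f.counters[side + "_bytes"] += length
        f.counters[side + "_pkts"] += 1
        f.payload[side] = (f.payload[side] + payload)[:PAYLOAD_SNAPSHOT]
    return flows
```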

 

External Flow Sources:

QRadar also supports processing network flows from external sources, which include the following:

- Aggregated Flow Data: External devices collect and aggregate network flow data from various sources.
- Supported Protocols: The external devices forward the aggregated flow data to QRadar using one of the supported protocols, such as IPFIX, NetFlow, J-Flow, sFlow, or Packeteer.
- Payload Exclusion: When using external flow sources, QRadar does not include payload information in the captured flow records. Instead, it focuses on the flow metadata, such as source and destination addresses, ports, and timing.

Flow Direction Determination:

Flow direction is an essential aspect of flow processing in QRadar. It involves determining who initiated a flow. Here are the key considerations:

- Observation Point: According to the IPFIX standard, flow direction depends on the flow's observation point. It is determined by whether the flow data was collected from an interface for incoming traffic or for outgoing traffic.
- Default Flow Review: By default, QRadar reviews incoming flow data and assigns flow direction accordingly. If the reported direction does not match the expected one (e.g., a flow reported as originating from the server and going to the client), QRadar reorders source and destination accordingly.
- Advanced Configuration Options: QRadar provides advanced configuration options to address flow direction-related issues and resolve discrepancies that may arise in certain scenarios.
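An added example, not code from the post or from QRadar, of the kind of direction check described above: it takes constructed flow records as an exporter might report them and reorders source and destination so that the source is the initiator, using TCP handshake flags where present and a port heuristic otherwise. The record fields, the first_flags attribute, the service-port set and the ephemeral range are assumptions.

```python
# Constructed flow records as an external exporter might report them, before direction
# is normalized. "first_flags" is the TCP flags on the first packet seen from the
# reported source (None when the exporter does not provide it).
REPORTED = [
    {"src_ip": "192.0.2.10", "src_port": 443, "dst_ip": "10.0.0.5", "dst_port": 51234,
     "proto": 6, "first_flags": "SA", "src_bytes": 1560, "dst_bytes": 433},
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "192.0.2.10", "dst_port": 443,
     "proto": 6, "first_flags": "S", "src_bytes": 433, "dst_bytes": 1560},
    {"src_ip": "192.0.2.53", "src_port": 53, "dst_ip": "10.0.0.7", "dst_port": 40000,
     "proto": 17, "first_flags": None, "src_bytes": 120, "dst_bytes": 70},
    {"src_ip": "10.0.0.9", "src_port": 50000, "dst_ip": "198.51.100.4", "dst_port": 8443,
     "proto": 6, "first_flags": "PA", "src_bytes": 900, "dst_bytes": 5000},
]

EPHEMERAL_START = 32768  # assumed start of the client-side ephemeral port range
SERVICE_PORTS = {22, 25, 53, 80, 123, 443, 445, 3389}  # illustrative well-known services

def normalize_direction(rec):
    """Return a copy of rec with the initiator as source and the responder as destination.

    Decision order (an illustrative heuristic, not QRadar's internal logic):
      1. TCP handshake evidence: a SYN+ACK as the first flags from the reported source
         means that side answered, so it is the responder; a bare SYN means it initiated.
      2. Otherwise, a service port as reported source and an ephemeral destination port
         indicate that the exporter reported the reply direction.
      3. With no evidence, the reported order is kept and marked as unverified.
    """
    out = dict(rec)
    flags = set(rec.get("first_flags") or "")
    if rec["proto"] == 6 and "S" in flags:
        swap, out["evidence"] = "A" in flags, "tcp-handshake"
    elif rec["src_port"] in SERVICE_PORTS and rec["dst_port"] >= EPHEMERAL_START:
        swap, out["evidence"] = True, "port-heuristic"
    else:
        swap, out["evidence"] = False, "unverified"
    if swap:
        for a, b in (("src_ip", "dst_ip"), ("src_port", "dst_port"), ("src_bytes", "dst_bytes")):
            out[a], out[b] = rec[b], rec[a]
    out["swapped"] = swap
    return out
```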

 

By supporting both internal and external flow sources and effectively determining flow direction, QRadar ensures comprehensive network flow processing and accurate representation of network activity for monitoring and analysis purposes.

Distinguishing Flows from Events in Network Analysis

1. Flow Characteristics:

   - Flows have a specific beginning and end time, i.e. a lifespan, often of several seconds.
   - A flow encompasses the multiple elements involved in a process such as connecting to a website, including files like Flash files, HTML files, and images.
   - Flows provide a holistic view of the interactions and activities that occur during a specific network process.

2. Event Nature:

   - Events, on the other hand, refer to individual occurrences or incidents within the network.
   - Examples of events include login actions, firewall blocking attempts, or any singular network-related actions.

Benefits of QRadar in Network Visibility:

1. Comprehensive Overview:

   - QRadar offers enhanced visibility compared to regular logs from switches and firewall routers.
   - It provides a broader and more comprehensive perspective of the network's overall activity and behavior.

2. Environment-Aware:

   - QRadar is environment-aware and can automatically discover assets and protocols within the network.
   - This feature simplifies the process of asset management and protocol identification.

3. Passive Asset Database:

   - QRadar builds a passive database that includes all assets present in the network, along with their associated ports.
   - This comprehensive asset database allows for the creation of precise rules and alerts that trigger only when necessary, minimizing false positives and improving efficiency.

Network Activity Overview

The Network Activity tab serves as the primary search page for network flows within QRadar. By default, it provides a real-time display of ongoing flows. The key components of this page include:

1. Run/Pause Button:

   This button allows you to control the streaming of real-time flow events. You can start or pause the display of new events.

2. Quick Filter Search Bar:

   The Quick Filter search bar enables you to quickly search for specific flow events based on predefined filters or custom search queries.

3. Time Range Selector Dropdown:

   The Time Range selector dropdown allows you to choose a specific time frame for analyzing flow events. By default, the page shows real-time events, but selecting a time range allows for focused analysis within a specific period.

4. Add Filter Button:

   The Add Filter button enables you to apply additional filters to refine your search results. These filters can be based on various criteria, such as source IP, destination IP, ports, protocols, or other flow attributes.

5. Overview of Search Results:

   The Network Activity page provides an overview of the search results, presenting a list or visual representation of the flow events that meet the applied filters and selected time range.

When using the Network Activity page, any filters added are applied to new events as they arrive. If you wish to search for events within a specific time frame, you must select the appropriate time window. Once the initial time window is chosen, you can further refine and analyze the desired time range using more granular controls.

Network Activity Details

When viewing the search results table in the Network Activity tab, you can access more detailed flow information by double-clicking a specific flow record. This opens a flow information view where you can delve deeper into the details of that particular flow.

- The flow information view provides a menu bar at the top, allowing you to navigate easily between flow records and return to the results list. Within this view, you can explore the comprehensive information and meta-information extracted by QRadar from the flow record data.
- Note that some fields in the flow information view may display "N/A" or empty values. Additionally, QRadar does not show Source or Destination Payload data here, because the flow records currently being sent to QRadar are primarily NetFlow records, which do not include payload data.
- However, if the QRadar appliance were directly connected to a SPAN (Switched Port Analyzer) port on a network router, QRadar would be able to analyze the first 64 bytes of each network flow. In that scenario, the flow information page would display more extensive information, including the first 64 bytes of the source and destination payloads.

Quick Search:

Analyzing flow data can lead to valuable insights. Compared to event logs, all flow records have a very uniform structure with only a limited number of fields available (e.g., source IP, source port, destination IP, destination port, bytes, protocol, and, in some cases, payload information). To help analyze flow data, QRadar has several built-in quick search dashboards available.

Grouping and Drill-Down

You can further explore the flow records by grouping them on specific fields or columns. First, you need to select an appropriate time window from the View dropdown, then open the Display dropdown for grouping options.

Conclusion:

QRadar Network Activity is a powerful tool that enables efficient monitoring and analysis of network flows. By providing real-time visibility into flow records, QRadar empowers network administrators and security analysts to gain valuable insights, detect anomalies, and respond effectively to potential threats.
