QRadar Network Insights

What is QNI

QNI (QRadar Network Insights) is an appliance that provides detailed analysis of network flows to extend the threat detection capabilities of IBM Security QRadar. QNI requires QRadar version 7.3. Attackers can't hide on the network with QRadar Network Insights. Security teams are flooded with security log activity every day, but inspecting those logs does not always generate the level of insight required to detect modern threats, so they are eager for additional methods that provide more accurate threat detection. QRadar Network Insights analyzes network data in real time to uncover an attacker's footprints and expose hidden security threats before they can damage your organization, in scenarios including phishing e-mails, malware, data exfiltration, lateral movement, DNS and other application abuse, and compliance gaps.

What is different between QNI and QFlow?

While QFlow analyzes network data to collect basic flow information, identify applications and extract the beginning of the payload, QRadar Network Insights does all of that and delves much deeper in its analysis. QNI can uniquely extract metadata such as:

  • File information (name, size, type, hash, entropy, etc.)
  • User information (across e-mails, chat sessions, applications)
  • HTTP parameters and DNS strings
  • And more
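To make the first bullet concrete, here is an added example (not QNI's own code or IBM's implementation) that computes the listed file attributes, name, size, type, hash and entropy, over a few constructed payloads standing in for files carved out of a flow, and then applies two hypothetical suspect-content checks to the extracted metadata. The magic-number table, the 7.0 bits-per-byte entropy threshold and the check names are assumptions chosen for the illustration; the sample byte strings are made up and are not real captures.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample payloads standing in for files carved out of network flows.
# These byte strings are made up for this example; none is a real capture.
SAMPLE_FILES = {
    "quarterly_report.txt": b"Quarterly revenue summary: " + b"sales grew in all regions. " * 20,
    # Executable header hidden behind a .txt name
    "readme.txt": b"MZ" + bytes(range(256)) * 4,
    # Encrypted-looking blob with no recognisable header (every byte value appears twice)
    "notes.txt": bytes((i * 101 + 7) % 256 for i in range(512)),
    # A compressed container: high entropy is expected here
    "archive.zip": b"PK\x03\x04" + bytes((i * 37 + 11) % 256 for i in range(1024)),
}

# Assumption: a minimal magic-number table. Real inspection engines use far larger libraries.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF", "application/pdf"),
]
COMPRESSED_TYPES = {"application/zip"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys"}
ENTROPY_THRESHOLD = 7.0  # assumption: bits per byte above which content looks packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_type(data: bytes) -> str:
    """Classify by leading magic bytes, then fall back to printable text vs opaque binary."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text/plain"
    return "application/octet-stream"


def file_metadata(name: str, data: bytes) -> dict:
    """The per-file attributes listed above: name, size, type, hash and entropy."""
    return {
        "name": name,
        "size": len(data),
        "type": detect_type(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
    }


def suspect_reasons(meta: dict) -> list:
    """Hypothetical suspect-content checks built only from the extracted metadata."""
    reasons = []
    extension = os.path.splitext(meta["name"])[1].lower()
    if meta["type"] == "application/x-dosexec" and extension not in EXECUTABLE_EXTENSIONS:
        reasons.append("executable content behind a non-executable extension")
    if meta["entropy"] >= ENTROPY_THRESHOLD and meta["type"] not in COMPRESSED_TYPES:
        reasons.append("high entropy outside a compressed container")
    return reasons


def analyze_all(files: dict = None) -> dict:
    """Run extraction and suspect checks over every sample; result is keyed by file name."""
    report = {}
    for name, data in (files or SAMPLE_FILES).items():
        meta = file_metadata(name, data)
        meta["suspect"] = suspect_reasons(meta)
        report[name] = meta
    return report


if __name__ == "__main__":
    for name, meta in analyze_all().items():
        flag = "SUSPECT" if meta["suspect"] else "clean"
        print(f"{name:22} {meta['type']:26} {meta['size']:5d}B entropy={meta['entropy']:.3f} {flag}")
        for reason in meta["suspect"]:
            print(f"    - {reason}")
```

Entropy is the attribute worth a second look: plain text sits well below 5 bits per byte, while packed executables, encrypted blobs and compressed archives all approach 8, so entropy on its own cannot separate an encrypted exfiltration stream from a legitimate ZIP download. That is why the check above exempts recognised compressed containers and pairs entropy with the detected type and the declared extension, the same kind of combination an analyst would build into a suspect-content rule.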

QNI can also detect a wide range of suspicious activity using Suspect Content, which customers can extend with their own criteria written as YARA rules. (YARA was originally developed by Victor Alvarez of VirusTotal. The name is either the recursive acronym "YARA: Another Recursive Acronym" or "Yet Another Ridiculous Acronym".)

What is different between QNI and XGS?

XGS is an IDS/IPS solution that can be used to hunt for specific threat or risk indicators while also providing flow information to QRadar.
QNI not only detects known threats and risks; it also enables security teams to harvest the content needed for security analysis of previously unknown threats and performs deep content analysis. Compared to PCAP and QRIF, QNI can detect threats in real time.