
QRadar Network Activity

QRadar Network Activity is the second important tab in the QRadar interface.


Each flow is a record of the communication between two machines, minute by minute, in the network where QRadar resides. This one-minute interval is constant and cannot be changed. Flows deliver information about existing network traffic. That information is based either on listening on a network interface or on recorded network traffic, which QRadar receives in a few different formats, listed below.

It is also important that QRadar can accept multiple flow formats at the same time, and it attempts to automatically detect and add default Flow Sources for any physical devices. Depending on your configuration, you can select internal sources (QFlow, Napatech or Endace) and/or external sources (NetFlow, sFlow, J-Flow). Note that the internal source does not have to be on the console; you can also use a separate QFlow device connected to the console as a Managed Host.

  • NetFlow: Protocol defined by Cisco to share accounting information from switches and routers;
  • IPFIX: Protocol defined by IETF to share accounting information from switches and routers (NetFlow V9 resembles IPFIX);
  • sFlow: Advanced packet sampling technique and protocol used for network monitoring;
  • J-Flow: Packet sampling technique and protocol developed by Juniper;
  • Packeteer: Protocol developed by Bluecoat used for bandwidth management;

External flow sources use layer 4 of the OSI model. Using QFlow Collectors, QRadar captures network packets, which include more detail based on information from layer 7 (in addition to time, source IP, destination IP, port and protocol). QFlow collects raw packets using a tap or SPAN port and converts all received network data into flows, similar to normalized events, and we can work with them on the Network Activity tab in the same way as with events on the Log Activity tab. Using the Network Activity tab, you can watch and investigate network activity (flows) in real time or run advanced searches. Like events, flows update and create assets and insert information about the ports and services running on remote hosts. Nevertheless, a flow differs from an event: flows have a start and an end time, while an event has only one timestamp. Flows also contain related files; for a connection to a web page, you can find related files such as images, HTML or Flash files. QRadar can forward external flow source data using spoofing, which resends the inbound data received from flow sources to a secondary destination, or using non-spoofing methods.


Adding a flow source

To add an Internal Flow Source, follow the steps below. You can also use an existing flow source as a template:
1. Name the Flow Source.
2. Assign a Flow Collector.
3. Select the Flow Source Type, such as JFlow, NetFlow, Packeteer FDR or SFlow, and complete all the fields related to that type.

Optionally, on specific devices (the QFlow 120x family), you can use the Filter String to select which packets to capture. This filter is used to cut the number of flows created by the QFlow collector, which can decrease its impact on the Flows Per Minute license. Filter syntax follows the Berkeley Packet Filter (BPF) syntax.

In some networks, traffic is configured to use different paths for incoming and outgoing traffic. QRadar can join that traffic into a single flow. A Flow Source can be configured to accept unidirectional flows, also known as Asymmetric Flows: flows that contain only source packets or only destination packets, so each record shows either incoming or outgoing data. You can configure a QRadar Flow Processor to join Asymmetric Flow records that belong to the same session. In a QRadar deployment, this feature is used where one Flow Processor receives flow records from two sources, one delivering the inbound records and the other the outbound records. To recombine Asymmetric Flows, the processor must be sure that the original flow direction has not been changed by the source. If the Enable Asymmetric Flows option is not checked, the source tries to correct the Asymmetric Flow direction using the known ports of the UDP or TCP protocol.
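The two mechanisms described above, joining the inbound and outbound halves of a session into one flow and guessing direction from well-known ports, as an added illustration in Python; this is not QRadar's code, and the known-port table and the NetFlow-style sample records are constructed assumptions.

```python
# Added illustration, not QRadar code: join two unidirectional (asymmetric) flow
# records into one bidirectional flow, then apply a known-port direction check.
from dataclasses import dataclass

# Assumption: a small known-port table; the page does not list QRadar's own table.
KNOWN_PORTS = {"tcp": {22, 25, 80, 443}, "udp": {53, 123, 514}}

@dataclass
class Flow:
    proto: str
    src: str; sport: int      # originator endpoint
    dst: str; dport: int      # responder endpoint
    src_bytes: int = 0; dst_bytes: int = 0
    start: int = 0; end: int = 0   # flows carry a start and an end time, unlike events

def session_key(r):
    # Direction-independent key so the A->B and B->A records of one session match.
    ends = sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])])
    return (r["proto"], *ends)

def join_asymmetric(records):
    # Merge records that share a session key; the first record seen sets the direction.
    flows = {}
    for r in records:
        f = flows.get(session_key(r))
        if f is None:
            f = flows[session_key(r)] = Flow(r["proto"], r["src"], r["sport"],
                                             r["dst"], r["dport"], start=r["ts"], end=r["ts"])
        if (r["src"], r["sport"]) == (f.src, f.sport):
            f.src_bytes += r["bytes"]
        else:
            f.dst_bytes += r["bytes"]
        f.start, f.end = min(f.start, r["ts"]), max(f.end, r["ts"])
    return list(flows.values())

def correct_direction(f):
    # If the reported source port is a well-known service port and the destination
    # port is not, the exporter sent the reply half first: swap the endpoints.
    known = KNOWN_PORTS.get(f.proto, set())
    if f.sport in known and f.dport not in known:
        f.src, f.sport, f.dst, f.dport = f.dst, f.dport, f.src, f.sport
        f.src_bytes, f.dst_bytes = f.dst_bytes, f.src_bytes
    return f

# Constructed sample: the two halves of one HTTPS session, server->client exported first.
SAMPLE = [
    {"ts": 60, "proto": "tcp", "src": "203.0.113.10", "sport": 443, "dst": "192.0.2.5", "dport": 51000, "bytes": 4000},
    {"ts": 61, "proto": "tcp", "src": "192.0.2.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "bytes": 300},
]

def recombine(records):
    return [correct_direction(f) for f in join_asymmetric(records)]
```

Running `recombine(SAMPLE)` yields a single flow with the client 192.0.2.5:51000 as source, 300 bytes sent and 4000 received, spanning the two records' timestamps.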


Flow Sources Aliases overview

A Flow Source alias distinguishes and identifies external flows, such as NetFlow, J-Flow and sFlow, that are sent to the same port on a flow collector. The flow collector can have a single NetFlow flow source listening on port 2055 while multiple NetFlow exporters send to it. By using Flow Source aliases, you can distinguish and find the different NetFlow sources on the Network Activity page based on their source IP addresses.

When a QRadar QFlow Collector receives traffic from a device whose IP address has no alias, it attempts a reverse DNS lookup to learn the hostname of the device. If the lookup fails, the system creates a default alias for the Flow Source based on the Flow Source Name and the source IP. You can edit the alias manually.