IBM Security QRadar

New Network Visibility Dashboards

By Holly Wright posted Fri December 18, 2020 12:34 AM


By Holly Wright and Thomas Obremski.

For those who haven’t yet tried out the new IBM Security QRadar Network Visibility Pulse dashboards available on the IBM X-Force App Exchange, here are some of the highlights.


Overview Dashboard


The overview dashboard provides an at-a-glance view of what is happening across your network.  Not only can you see geographical representations showing communication patterns across your organization, you can also see the frequency of communication to detect low level communications patterns buried within normal business activity.  There are breakouts by application, protocol, network segment and direction (ingress vs egress). This makes it easy to spot communications patterns that don’t belong for your organization.


In the following example we look at the number of ingress and egress sessions from various geographies and spot those that are unusual for our organization.


Network Visibility Overview - Ingress and Egress Regions


To investigate further, you can right click and pivot into the details for these communications.


Open in Network Activity


We can correlate spikes and dips in traffic volume, and get quick insights into the direction, application and networks associated with these patterns.


Network Visibility Overview - Traffic Volume over TimeNetwork Visibility Overview - Traffic Volume over Time


We can also utilise side by side comparisons to compare the least and most common applications to quickly assess the applications in use across our networks and those that may be unexpected.  We can also do similar comparisons with Content Type to ensure that the content traversing our networks is what we would expect.


Network Visibility Overview - Most and Least Common Applications and Content Type


The dashboards allow us to easily identify long running network sessions and through correlation with traffic volume we can detect long and slow communication patterns that could be indicative of data exfiltration.


Network Visibility Overview - Long Running Flows


IP Details Dashboard


Should your investigation lead you to specific IP Addresses of interest, there is an IP Details dashboard that provides visualizations that allow you to see everything that is happening on the network with that IP Address.

Simply select the IP Details dashboard.


Switch to IP Details Dashboard


The IP Details dashboard allows you to enter an address of interest and gain insights into the communications with that IP.


Network Visibility IP Details - Choosing an IP


The IP details page has a number of visualisations that can help detect anomalies associated with the selected IP address. The below visualisation can be used to gain an intuitive understanding of the typical volume and type of traffic that you would see from this device. You can use this chart to spot discrepancies in usual behaviour, whether it is unexpected application usage or unusual data volumes at points in time.


Network Visibility IP Details - Volume over Time


Here we can see a breakdown showing the duration of communications with this IP. We can see that sessions typically will only last for a few minutes, so the long-lived sessions may warrant further investigation.


Network Visibility IP Details - Flow Duration Distribution

We can utilise QRadar Network Insights to help detect potentially malicious files based on their content.  Here we see file entropy (the degree of randomness within the content) to look for outliers based on the type of file.


Network Visibility IP Details - File Entropy by Content Type


Delving further using this dashboard we can get an at-a-glance understanding of the types of communication that this IP engages in, both in terms of inbound and outbound traffic.


Network Visibility IP Details - Inbound and Outbound Applications


Application/Protocol Details Dashboard


Similarly, we can visualize and investigate the activity on the network pertaining to a particular application or protocol with the Application/Protocol Details dashboard.


Network Visibility Application/Protocol Details Dashboard Selection


In this example we look for patterns within web traffic.


Network Visibility Application/Protocol Details - Select Application/Protocol


The dashboard shows us a range of statistics about the application or protocol of interest. We can see how many of these flows are associated with offenses, how common this application/protocol is and what the bias (ingress vs egress) of communication volume is for this application/protocol.


Network Visibility Application/Protocol Details - Overview

We would typically expect web traffic on port 80 (or 443), but below we can easily see other ports are being used on an infrequent basis.  For those with QRadar Network Insights these sessions will be automatically identified as nonstandard port usage through the Suspect Content Description fields.

Network Visibility Application/Protocol Details - Non-Standard Port Usage


There are many additional visualizations to help you attain the deepest insights into what is happening on your network. More information including a video tutorial on the IBM Security QRadar Network Visibility dashboards can be found on the X-Force App Exchange.