IBM QRadar Network Insights Version User Guide IBM

Transcription

1 IBM QRadar Network Insights Version User Guide IBM

2 Note Before you use this information and the product that it supports, read the information in Notices on page 15. Product information This document applies to IBM QRadar Security Intelligence Platform V7.3.1 and subsequent releases unless superseded by an updated version of this document. Copyright IBM Corporation US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

3 Contents Introduction to installing QRadar Network Insights v 1 QRadar Network Insights QRadar Network Insights use cases QRadar Network Insights content QRadar Network Insights content extensions Content extension V Content extension V Content extension V Content extension V Notices Trademarks Terms and conditions for product documentation IBM Online Privacy Statement Copyright IBM Corp iii

4 iv QRadar Network Insights User Guide

5 Introduction to installing QRadar Network Insights This guide contains information about analyzing network data in real-time by using IBM QRadar Network Insights. Intended audience Investigators extract information from the network traffic and focus on security incidents, and threat indicators. Technical documentation To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center ( For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note ( &uid=swg ). Contacting customer support For information about contacting customer support, see the Support and Download Technical Note ( Statement of good security practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Please Note: Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar. Copyright IBM Corp v

6 vi QRadar Network Insights User Guide

7 1 QRadar Network Insights IBM QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your IBM Security QRadar deployment. Through the deep analysis of network activity and application content, QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed. QRadar Network Insights provides in-depth analysis of both network metadata and application content to detect suspicious activity that is hidden among normal traffic and extract content to provide QRadar with visibility into network threat activity. The intelligence that is provided by QRadar Network Insights integrates seamlessly with traditional data sources and threat intelligence to extend QRadar detection, analysis, and threat detection capabilities. QRadar Network Insights provides visibility across a range of use cases, including: v Malware detection and analysis v Phishing and campaign detection v Insider threats v Lateral movement attack detection v Data exfiltration protection v Identify compliance gaps Benefits of QRadar Network Insights The following list highlights some of the benefits of using QRadar Network Insights: v Uses in-depth packet inspection to identify advanced threats and malicious content. v Extends the capabilities of QRadar to detect phishing attacks, malware intrusions, lateral movement, and data exfiltration. v Records application activities, captures key artifacts, and identifies assets, applications, and users that participate in network communications. v Applies Layer 7 content analysis for advanced security insights. v File analytics analyzes and enables tracking of files. Copyright IBM Corp

8 2 QRadar Network Insights User Guide

9 2 QRadar Network Insights use cases QRadar Network Insights provides in-depth visibility into network communications and application content to empower QRadar Sense Analytics to detect threat activity. You can use QRadar Network Insights to detect and analyze malware, phishing, insider threats, lateral movement attacks, data exfiltration, and compliance gaps. Malware detection and analysis Malware frequently morphs to avoid detection. You can use QRadar Network Insights to detect malware based on file hashes and file activity, and observe and analyze artifacts such as: v Names v Properties v Movement v Suspicious content Phishing and campaign detection Phishing can hide in plain sight by disguising its activity within the volumes of normal s. You can prepare for and react to malicious s by using QRadar Network Insights to analyze: v Sources v Targets v Subject v Content Insider threats You can integrate QRadar Network Insights with the User Behavior Analytics app to improve threat detection. Use the QRadar Network Insights analytics to recognize: v High-risk users v Potential targets of phishing v Negative sentiment v Suspicious behaviors Lateral movement attack detection QRadar Network Insights can trace anomalous communications: v Reconnaissance v Data transfers v Rogue and malicious actors Data exfiltration protection Data can be exfiltrated through many methods. Use QRadar Network Insights to identify and track suspicious files such as: v DNS abnormalities v Sensitive content v Aberrant connections Copyright IBM Corp

10 v Aliases Identify compliance gaps QRadar Network Insights allows for continuous monitoring of enterprise, industry, and regulatory compliance. 4 QRadar Network Insights User Guide

11 3 QRadar Network Insights content The QRadar Network Insights content that is populated depends on the inspection level and whether the data is available in the source system. For example, some content is populated by the X-Force Threat Intelligence feed, but the field may appear empty in QRadar if the information is not available in X-Force. To include the content in searches, select the fields in the Column Definition section of the QRadar query builder. For more information about creating searches, see Event and flow searches. You can also include the content in advanced searches. For more information about creating advanced searches, see the IBM Security QRadar Ariel Query Language Guide. Basic inspection level content When the inspection level is set to Basic, QRadar Network Insights populates these fields: Table 1. Content that is populated with Basic inspection level Query builder name Advanced search name Data source Source IP address sourceip IPv4 or IPv6 header of the flow packet. Source port sourceport TCP or UDP header of the flow packet. Destination IP address destinationip IPv4 or IPv6 header of the flow packet. Destination port destinationport TCP or UDP header of the flow packet. IP protocol protocolid IPv4 or IPv6 header of the flow. Flow ID flowid Assigned by QRadar Network Insights. Total Packets sourcepackets, destinationpackets Assigned and maintained by QRadar Network Insights*. Total bytes per packet sourcebytes, destinationbytes Assigned and maintained by QRadar Network Insights*. First Packet Time firstpackettime Assigned by QRadar Network Insights. Last Packet Time lastpackettime Assigned by QRadar Network Insights. Source DSCP sourcedscp IP quality of service derived from the IPv4 or IPv6 header of the flow packet*. Destination DSCP destinationdscp IP quality of service derived from the IPv4 or IPv6 header of the flow packet*. VLAN Tag "vlan tag" Populated only when the network traffic includes VLAN headers. Enriched inspection level attributes When the inspection level is set to Enriched, QRadar Network Insights populates these fields: Table 2. Content that is populated with Enriched inspection level Query Builder name Advanced Search name Data source Application applicationid Multiple sources, such as Inspectors and X-Force. The attribute is populated by default. Copyright IBM Corp

12 Table 2. Content that is populated with Enriched inspection level (continued) Query Builder name Advanced Search name Data source Action action Populated only when the X-Force data is available. Possible values for the application action are: v Write/Post/Chat v Stream/Download v Share v Start App v Audio Chat/Video Chat v Software/AV Updates Password password Populated only when the Inspector finds a cleartext password. File Name "file name" Populated only when a file is found. DNS Query "dns query" Populated only if it is DNS. DNS Response "dns response" Populated only if it is DNS. Recipient Users "recipient users" Multiple sources, such as or chat messages. Populated only when the data is available. File Entropy "file entropy" Populated only when a file is found. Content Type "content type" HTTP, Content Inspector Populated only when the file type is not recognized. Web Categories "web categories" Populated only when the X-Force data is available. File Hash "file hash" Populated only when a file is found. For example, the file hash might be SHA256, MD5, or SHA1. File Size "file size" Populated only when a file is found. HTTP Host "http host" Host field in the HTTP request. Populated only if HTTP protocol is used. HTTP Referrer "http referrer" Referrer field in the HTTP request. Populated only if HTTP protocol is used. HTTP Response Code "http response code" Response from the HTTP request. Populated only if HTTP protocol is used. Search Arguments "search arguments" Searching arguments in the HTTP request. Populated only if HTTP protocol is used. HTTP Server "http server" Server field in the HTTP request. Populated only if HTTP protocol is used. HTTP User Agent "http user agent" User Agent field in the HTTP request. Populated only if HTTP protocol is used. HTTP Version "http version" Version field in the HTTP request. Populated only if HTTP protocol is used. 6 QRadar Network Insights User Guide

13 Table 2. Content that is populated with Enriched inspection level (continued) Query Builder name Advanced Search name Data source Originating User "originating user" Multiple sources, such as or chat messages. Request URL "request url" URL string SMTP Hello "smtp hello" SMTP request Populated only when the data is available. Populated only if HTTP protocol is used. Populated only if SMTP protocol is used. Content subject "content subject" Extracted from user data, only when the data is available. For example, the subject might come from an or it could be embedded in the metadata. Suspect Content Descriptions "suspect content descriptions" Multiple sources. For example, the suspect content might come from the website category, embedded links, or Yara rules. Populated only when a suspicious entity is detected. For more information, see the Advanced inspection level attributes. Advanced inspection level attributes The Advanced inspection level captures the same content flow attributes as the Enriched inspection level. However, when the inspection level is set to Advanced and the suspect content list identifies a suspicious entity, the flows are subjected to more rigorous content extraction processes. The suspect content list is populated under the following conditions: v The IP address reputation of one of the flow's endpoints is suspicious. v The category of a website is one of several suspicious entries. v Detected suspicious content in the transferred information. v Via scanning with user provided Yara rules. v Detected scripts in Office or PDF files. v Detected embedded links in PDF files. v Detected excessive numbers of items that were discovered through regular expression matching. v Detected credit card numbers, social security numbers, IP addresses, and addresses. v Detected user-defined items that are discovered through regular expression matching that is marked as suspicious. v Detected an identified protocol that runs on a non-standard port. v Detected an SSL/TLS certificate that is used outside of its valid dates. v Detected the use of a self-signed certificate in SSL/TLS. v Detected the use of a weak public key length in SSL/TLS. 3 QRadar Network Insights content 7

14 8 QRadar Network Insights User Guide

15 4 QRadar Network Insights content extensions The IBM QRadar Network Insights content extension provides more QRadar rules, reports, searches, and custom properties for administrators. This custom rule engine content focuses on providing analysis, alerts, and reports for QRadar Network Insights deployments. Note: As of content extension V1.3.0, the QRadar Network Insights content extension is only supported by QRadar V7.3.0 or later. Content extension V1.1.0 The IBM QRadar Network Insights content extension V1.1.0 adds rules, searches, reports, and custom property extractions focus on providing analysis, alerts, and reports for QRadar Network Insights. This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type = 1901 or 1920). When an administrator installs this content pack, they are prompted to overwrite existing content because some custom properties are being updated as part of this content pack. Custom event properties added by content extension V1.1.0 The QRadar Network Insights content extension V1.1.0 includes new and updated custom event properties for capturing network content from events and flows, such as recipient users, file hash, file names, content subject, and reject code. Table 3. Custom event properties in content extension V1.1.0 Name Property Type Regular expression Action Flow IBM\(APP_ACTION\)=([^;]+); Content Subject Flow IBM\(SUBJECT\)=([^;]+); Content_Type Flow IBM\(HTTP_CONT_TYPE\)=([^;]+); DNS_Query_String Flow IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\); DNS_Response_String Flow IBM\(DNS_RESP_SDATA\)=\(([^)]+)\); File Hash Flow IBM\(HTTP_FILES_CKSUM\)=0x([^;]+); File Name Flow IBM\(CONTENT_FILE_NAME\)=([^;]+); File_Size Flow IBM\(HTTP_FILES_SIZE\)=([^;]+); HTTP Host Flow IBM\(HTTP_HOST\)=([^;]+); HTTP Referrer Flow IBM\(HTTP_REFER\)=([^;]+); HTTP Response Code Flow IBM\(HTTP_RETURN_CODE\)=([^;]+); HTTP Server Flow IBM\(HTTP_SRV\)=([^;]+); HTTP User-Agent Flow IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+); HTTP Version Flow IBM\(HTTP_VRS\)=HTTP/([^;]+); IP_Dest_Reputation Flow IBM\(IP_DST_REP\)=([^;]+); Originating_User Flow IBM\(ORIG_USER\)=([^;]+); Password Flow IBM\(ACTPASSWD\)=([^;]+); Recipient User Event Multiple Regex expressions for Microsoft Exchange, Linux OS, Solaris OS, and the Barracuda Spam and Virus Firewall. Copyright IBM Corp

16 Table 3. Custom event properties in content extension V1.1.0 (continued) Name Property Type Regular expression Recipient Users Flow IBM\(DEST_USER_LIST\)=\(([^)]+)\); Reject Code Event Multiple Regex expressions for Microsoft Exchange, Linux OS, Solaris OS, and Barracuda Spam and Virus Firewall. Request_URL Flow IBM\(REQ_URL\)=([^;]+); Search_Arguments Flow IBM\(HTTP_SEARCH_ARGS\)=([^;]+); SMTP HELO Flow IBM\(SMTPHELO\)=([^;]+); Suspect_Content Flow IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\); Web_Categories Flow IBM\(HTTP_CONT_CATEGORY_LIST\)=\(([^)]+)\); Rules added by content extension V1.1.0 The QRadar Network Insights content extension V1.1.0 includes four new rules that trigger on file hash and potential spam/phishing attempts. Table 4. Rules added in content extension V1.1.0 Rule Name Observed File Hash Associated with Malware Threat Observed File Hash Seen Across Multiple Hosts Potential Spam/Phishing Attempt Detected on Rejected Recipient Potential Spam/Phishing Subject Detected from Multiple Sending Servers Description This rule triggers when flow content includes a file hash that matches known bad file hashes included in a Threat Intelligence data feed. Indicates that someone transferred malware over the network. This rule triggers when the same file hash that is associated with malware is seen being transferred to multiple destinations. This rule triggers when rejected events sent to a non-existing recipient address are seen in the system. This might indicate a spam or phishing attempt. Configure the BB:CategoryDefinition: Rejected Recipient building block to include QRadar IDs (QID) relevant to your organization. It is pre-populated with QIDs for monitoring Microsoft Exchange, Linux OS [running sendmail], Solaris Operating System Sendmail Logs, and the Barracuda Spam & Virus Firewall. This rule triggers when multiple servers send the same subject in a period, which might indicate spam or phishing. Searches added by content extension V1.1.0 The QRadar Network Insights content extension V1.1.0 includes four new searches. These searches are designed to help users sort malware and phishing content from flow data that uses file and hash information or content subject information from s. The following searches were added in content extension V1.1.0: v Malware Distribution by File and Hash v Malware by Hash and Source Asset v Malware Traffic Summary v Phishing Subjects by Recipient User 10 QRadar Network Insights User Guide

17 Reports added by content extension V1.1.0 The QRadar Network Insights content extension V1.1.0 includes three new reports for security teams. These three new reports run searches that identify phishing by subject content and malware that uses file and hash information from flow data. These new reports run either weekly or daily. Table 5. Reports added in content extension V1.1.0 Report Name Top Phishing Subjects by Recipient User (QNI) Top Malware by Asset (QNI) Malware Distribution by File (QNI) Report Schedule Weekly Daily Daily Custom functions added by content extension V1.1.0 A custom AQL function :ISREPLY for Content Subjects can be called that uses an Advanced Search from the Network Activity tab. The purpose of this custom function is to identify subjects that are replies versus original s. For example, an AQL query might allow administrators to search flow data and return results for subjects that are not null (no subject) and content subjects that are not replies RE: [ subject content]. This allows users to sort for original phishing s or locate responses that are replies (RE:) to phishing s within your organization as the function specifically looks for when subject contains RE: as part of the subject that is extracted from the flow data. Table 6. Custom functions added in content extension V1.1.0 Content Subject function name Custom Function Usage Namespace Name/Execute Function Name Description Description isreply() :ISREPLY(Content_Subject) isreply This function checks if the property, Content_Subject, contains Re: Other reference content required by content extension V1.1.0 In most cases, these building blocks and reference data sets exist within QRadar, so no updates are required. However, this content is required for the rules, searches, reports, and custom properties included in the QRadar Network Insights content pack. If the content below does not exist in QRadar, it is created by this content pack. Building blocks that are required by the QRadar Network Insights content extension: v BB:HostDefinition: Mail Servers v BB:HostReference: Mail Servers v BB:PortDefinition: Mail Ports Reference data that is required by the QRadar Network Insights content extension: v Malware Hashes SHA v Malware Hashes MD5 v Phishing Subjects v Mail Servers 4 QRadar Network Insights content extensions 11

18 Content extension V1.2.0 The IBM QRadar Network Insights content extension V1.2.0 adds rules and custom property extractions that focus on providing analysis, alerts, and reports for QRadar Network Insights. This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type = 1901 or 1920). Note: Some custom properties are updated in this content pack; existing content might need to be overwritten. When an administrator installs this content pack, they are prompted to overwrite existing content as some custom properties are being updated as part of this content pack. Custom event properties and rules added by content extension V1.2.0 Table 7. Custom event properties and rules Type Content updated Change description Custom property Rule File_Size (flows) Updated the rule action to select "Ensure the detected event is part of an offense". In V1.1.0, this check box was not selected and V1.2.0 corrects this to ensure that offenses are created. Potential Spam/Phishing Attempt Detected on Rejected Recipient Rule Access to Improperly Secured Service - Certificate Invalid Rule Access to Improperly Secured Service - Weak Public Key Length Rule Access to Improperly Secured Service - Certificate Expired Rule Access to Improperly Secured Service - Self Signed Certificate Updated the File_Size (flows) custom property to change the field type from alphanumeric to numeric. This update also optimizes the custom property for both Source Payloads and Destination Payloads. Updated the rule action to select "Ensure the detected event is part of an offense". In V1.1.0, this check box was not selected and V1.2.0 corrects this to ensure offenses are created. New rule added for QRadar Network Insights to detect a SSL/TLS session which uses invalid certificates. New rule added for QRadar Network Insights to detect a SSL/TLS session which uses weak public key lengths. New rule added for QRadar Network Insights to detect a SSL/TLS session which uses expired certificates. New rule added for QRadar Network Insights to detect a SSL/TLS session which uses a self-signed certificate. Content extension V1.3.0 The IBM QRadar Network Insights content extension V1.3.0 adds support for QRadar versions and later. This extension is intended to support for administrators who have QRadar Network Insights appliances in their deployment (appliance type = 1901 or 1920). Custom properties from previous versions of the QRadar Network Insights content extension are now type-length-value (TLV) fields. Note: Some custom properties are updates in this content pack; existing content might need to be overwritten. 12 QRadar Network Insights User Guide

19 Content extension V1.4.0 The IBM QRadar Network Insights content extension V1.4.0 adds rules, reports, saved searches, and building blocks that focus on providing analysis, alerts, and reports for QRadar Network Insights. The QRadar Network Insights content extension V1.4.0 adds new saved searches, reports, rules, and building blocks, and adds integration between QRadar Network Insights and User Behavior Analytics rules. The User Behavior Analytics rules are enabled by default, but if you are not using the User Behavior Analytics app, you can disable them. The following table outlines the changes that are made in QRadar Network Insights content extension V Table 8. Content updated by QRadar Network Insights V1.4.0 Type Content updated Change description Saved Search Saved Search Report Rule File Transfer by Originating User and Content Type File Transfer by Source IP and Content Type User File Transfer by Content Type QNI: Confidential Content Being Transferred to Foreign Geography Rule UBA : QNI - Confidential Content Being Transferred to Foreign Geography Rule Rule Rule Rule UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Recipient UBA : QNI - Observed File Hash Associated with Malware Threat UBA : QNI - Observed File Hash Seen Across Multiple Hosts This log and network activity search matches file transfers by their originating users and content types. This log and network activity search matches file transfers by their source IPs and content types. Shows the top 20 user file transfers by content type, by collating the following log and network activity searches: v File Transfer by Originating User and Content Type v File Transfer by Source IP and Content Type Looks for confidential content that is being transferred to countries/regions with restricted access. Sends events to the User Behavior Analytics app based on the QNI: Confidential Content Being Transferred to Foreign Geography rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Subject Detected from Multiple Sending Servers rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Potential Spam/Phishing Attempt Detected on Rejected Recipient rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Associated with Malware Threat rule, with a sensevalue assigned to it. This sensevalue is used when the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Observed File Hash Seen Across Multiple Hosts rule, with a sensevalue assigned to it. This sensevalue is used when the User Behavior Analytics app calculates a risk score for a user. 4 QRadar Network Insights content extensions 13

20 Table 8. Content updated by QRadar Network Insights V1.4.0 (continued) Type Content updated Change description Rule Rule Rule Rule Building Block UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length UBA : QNI - Access to Improperly Secured Service - Certificate Invalid UBA : QNI - Access to Improperly Secured Service - Certificate Expired UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate BB: Category Definition: Countries/Regions with Restricted Access Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Weak Public Key Length rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Weak Public Key Length rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Certificate Expired rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Sends events to the User Behavior Analytics app based on the QNI: Access to Improperly Secured Service - Self Signed Certificate rule. This rule is assigned a sensevalue, which is used whenever the User Behavior Analytics app calculates a risk score for a user. Edit this building block to include any geographic location that typically would not be allowed to access the enterprise. After it is configured, you can enable the Confidential Content Being Transferred to Foreign Geography rule. 14 QRadar Network Insights User Guide

21 Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-ibm product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY U.S.A. For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd , Nihonbashi-Hakozakicho, Chuo-ku Tokyo , Japan INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: Copyright IBM Corp

22 IBM Director of Licensing IBM Corporation North Castle Drive, MD-NC119 Armonk, NY US Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at Terms and conditions for product documentation Permissions for the use of these publications are granted subject to the following terms and conditions. Applicability These terms and conditions are in addition to any terms of use for the IBM website. Personal use You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM. 16 QRadar Network Insights User Guide

23 Commercial use You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM. Rights Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein. IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed. You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations. IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. IBM Online Privacy Statement IBM Software products, including software as a service solutions, ( Software Offerings ) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering s use of cookies is set forth below. Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable. If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent. For more information about the use of various technologies, including cookies, for these purposes, See IBM s Privacy Policy at and IBM s Online Privacy Statement at the section entitled Cookies, Web Beacons and Other Technologies and the IBM Software Products and Software-as-a-Service Privacy Statement at Notices 17

24 18 QRadar Network Insights User Guide

25

26 IBM Printed in USA