Wednesday 1 March 2017

QRadar and Flows

Unlike many other SIEM products, QRadar has the ability to collect, correlate and analyse flows within a network.

Flows can be generated for sessions that take place within a network. A QRadar QFlow Collector captures network packets and combines them into per-minute flow records that QRadar can process.

Not only can QRadar collect network packets from taps and SPAN ports and process them, it can also collect and process flow statistics exported by network devices, for instance NetFlow generated by Cisco devices.

The nice thing about collecting flows is that one can develop all kinds of new use cases and analyse the network by creating searches.

It is, for instance, possible to use the Ariel Query Language (AQL) to find open ports in a network. A simple search such as

select sourceip, sourceport, destinationip, destinationport from flows where flowdirection = 'R2L' last 24 hours

lists the connections that remote hosts made to hosts in your network during the last 24 hours; the destinationport column of those flows is the set of ports your local hosts actually served (use 'L2L' for ports that are only reached from inside the network). Note that the direction is relative to your network hierarchy: a flow tagged 'L2R' has its destination port on a remote host, so it shows what your hosts connect out to, not what they expose. I strongly advise QRadar users to take a few hours to learn AQL, as it gives you many possibilities to analyse network behaviour.

Another example of the use of flows is creating use cases that detect whether certain devices communicate with IP addresses that are not supposed to communicate with them. Think in this case of ATMs being accessed from IP addresses other than those of the technicians who are allowed to do maintenance, or being accessed outside their hours on duty. Or think of SCADA systems in factories or energy companies, which should only communicate with a limited number of IP addresses.
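The two use cases above, the open-port inventory and the "who may talk to this device, and when" check, both come down to classifying each flow by direction and comparing its endpoints against a policy. The following Python is an added example written for this page, not QRadar code and not the author's; in QRadar itself the same logic lives in AQL searches, reference sets and custom rules. The LOCAL_NETS ranges stand in for QRadar's network hierarchy, the POLICY dict (ATM at 10.1.1.50 with technician hosts and duty hours, PLC at 192.168.100.5 with one HMI peer) is hypothetical, and SAMPLE_FLOWS are constructed records, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Assumed "network hierarchy": ranges that count as local. QRadar derives
# L2L/L2R/R2L/R2R from its own network hierarchy; these CIDRs stand in for it.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One flow record, with the fields the AQL query in the post selects."""
    starttime: datetime
    sourceip: str
    sourceport: int
    destinationip: str
    destinationport: int
    protocol: str  # "tcp" or "udp"


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def flow_direction(flow: Flow) -> str:
    """Classify a flow the way QRadar's flowdirection field does."""
    src, dst = is_local(flow.sourceip), is_local(flow.destinationip)
    return {(True, True): "L2L", (True, False): "L2R",
            (False, True): "R2L", (False, False): "R2R"}[(src, dst)]


def open_ports(flows) -> list:
    """Ports that local hosts actually served: the destination port of TCP
    flows whose destination is local (R2L or L2L). L2R flows are excluded on
    purpose, as their destination port belongs to a remote host."""
    served = set()
    for f in flows:
        if f.protocol == "tcp" and flow_direction(f) in ("R2L", "L2L"):
            served.add((f.destinationip, f.destinationport))
    return sorted(served)


# Hypothetical policy for protected hosts: which peers may talk to them, and
# (for the ATM) only during the technicians' duty hours. In QRadar this would
# live in reference sets and a custom rule; here it is a plain dict.
POLICY = {
    "10.1.1.50": {"peers": {"10.9.0.10", "10.9.0.11"},          # ATM
                  "window": (time(8, 0), time(18, 0))},
    "192.168.100.5": {"peers": {"192.168.100.1"},               # SCADA PLC
                      "window": None},                          # no time limit
}


def policy_violations(flows) -> list:
    """Return (starttime, protected host, peer, reason) for every flow that
    involves a protected host and breaks its policy."""
    violations = []
    for f in flows:
        for host, rule in POLICY.items():
            if host not in (f.sourceip, f.destinationip):
                continue
            peer = f.destinationip if f.sourceip == host else f.sourceip
            window = rule["window"]
            if peer not in rule["peers"]:
                violations.append((f.starttime, host, peer, "peer not allowed"))
            elif window and not (window[0] <= f.starttime.time() <= window[1]):
                violations.append((f.starttime, host, peer, "outside duty hours"))
    return violations


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow(datetime(2017, 3, 1, 10, 15), "203.0.113.7", 51022, "10.1.1.50", 443, "tcp"),       # internet -> ATM
    Flow(datetime(2017, 3, 1, 10, 16), "10.9.0.10", 40001, "10.1.1.50", 22, "tcp"),          # technician, on duty
    Flow(datetime(2017, 3, 1, 2, 30), "10.9.0.11", 40002, "10.1.1.50", 22, "tcp"),           # technician, 02:30
    Flow(datetime(2017, 3, 1, 11, 0), "10.5.5.5", 50000, "198.51.100.9", 80, "tcp"),         # workstation browsing
    Flow(datetime(2017, 3, 1, 11, 5), "192.168.100.1", 44818, "192.168.100.5", 502, "tcp"),  # HMI -> PLC, allowed
    Flow(datetime(2017, 3, 1, 11, 6), "10.5.5.5", 50100, "192.168.100.5", 502, "tcp"),       # workstation -> PLC
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(flow_direction(f), f.sourceip, "->", f.destinationip, f.destinationport)
    print("served ports:", open_ports(SAMPLE_FLOWS))
    for v in policy_violations(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Run against the sample flows, the inventory reports 22 and 443 on the ATM and 502 on the PLC, while the browsing flow to 198.51.100.9:80 is correctly left out because it is L2R. The policy check flags three flows: the internet host reaching the ATM, the technician connecting at 02:30, and the workstation talking Modbus to the PLC. The one thing this toy does not do that QRadar's flow pipeline does is deduplicate and aggregate flows per minute, so in practice you would group by host and port before alerting.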

So QRadar QFlow and QRadar's flow processing provide many possibilities to analyse networks in ways that are not possible with SIEMs that only process events.

Pieter Nierop
www.q-musketeers.com

