IBM Security QRadar Network Visibility Pulse Dashboards
The IBM Security QRadar Network Visibility content extension provides a set of dashboards that enable
security and network operations analysts to get at-a-glance insights into the network traffic in their
environment. These visualizations enhance the data in Network Activity to provide readily available metrics
that align with various MITRE ATT&CK categories.
This extension includes the following dashboards:
• IBM Security QRadar Network Visibility - Overview: gain insights into activity across the entire network, focusing on metrics that uncover unusual behavior. This is the recommended starting point for a threat hunting workflow.
• IBM Security QRadar Network Visibility - Application/Protocol Details: drill into a specific application or protocol of interest and identify suspicious or atypical behavior.
• IBM Security QRadar Network Visibility - IP Details: drill into a specific IPv4 address, highlighting metrics that might indicate attacks that are associated with this address.
These dashboards not only use the data contained in flows from external flow sources (such as IPFIX and NetFlow), but they also leverage deep insights that are uncovered by QRadar Network Insights (QNI) and X-Force. After the extension is installed, it can be further customized by modifying the dashboard parameters or editing the dashboard components to best suit the environment. By using the Pulse "Open in Network Activity" capability, analysts can easily pivot between insights that are uncovered by Pulse and the raw data available in Network Activity to verify and respond to threats.
Note: QRadar Pulse v2.2.4+ required. Internet connection is required to receive X-Force feeds.
Use cases and user personas
These dashboards are useful for security analysts who perform threat hunting and alert triaging, as well as
network operations engineers who want to gain insights into the network traffic in the environment. The
dashboards can be actively used in investigations, or they can simply act as a reference point for overall
network behavior.
Network traffic provides a rich source of information and can be used to detect a vast range of cyberattacks in
any environment. The widgets on each of the three dashboards target a number of different use cases. Many
of these use cases align with MITRE ATT&CK tactics and techniques. Some examples:
• Initial Access: Spear Phishing, External Remote Services and more
• Execution: Exploitation for Client Execution, User Execution and more
• Persistence: Port Knocking, Create Account and more
• Defense Evasion: Masquerading, Obfuscated Files or Information and more
• Credential Access: Network Sniffing, Brute Force and more
• Discovery: Remote System Discovery, Network Service Scanning and more
• Lateral Movement: SSH Hijacking, Remote File Copy and more
• Collection: Automated Collection, Data from Network Shared Drive and more
• Command and Control: Uncommonly Used Port, Data Obfuscation and more
• Exfiltration: Exfiltration Over Alternative Protocol, Data Transfer Size Limits and more
• Impact: Network Denial of Service, Resource Hijacking and more
Go to MITRE ATT&CK for more details on each of these tactics and techniques.
Dashboard Details
Each of the three Network Visibility dashboards contains unique insights that are best suited to the context of the dashboard. See Tips and Tricks below for information on the best way to triage and investigate data in the dashboards.
Overview dashboard
This dashboard is the recommended starting point when performing threat hunting. It also provides a good
overview of all the activity in the environment and can be used as a source of insight for current activity. If you
find that you often navigate to this dashboard you may choose to set it as your default dashboard in Pulse.
This dashboard contains widgets that provide:
• Network summary information
• Insights into largest volume communications
• Insights into ingress and egress communications (i.e. R2L “Remote to Local” or L2R “Local to Remote”
communication respectively)
• Top sources and top destinations
• Views into traffic volume over time and the breakdown of flow direction, application and networks
involved
• Insights into long running flow sessions
• Superflow detection
• QNI entity alerts and confidential content moving on the network
• Most and least common applications and QNI content types
• Largest file transfers (with integration into the X-Force Exchange on click)
Certain widgets on this dashboard can be used to drill down into other screens:
• Top Sources by Traffic Volume: click a row to navigate to IP Details dashboard
• Top Destinations by Traffic Volume: click a row to navigate to IP Details dashboard
• Longest Flow Sessions: click a row to view the flow records in Network Activity
• Most Common Applications by Session Count: click a bar to navigate to Application Details dashboard
• Least Common Applications by Session Count: click a bar to navigate to Application Details dashboard
• QNI Largest File Transfers: click a row to open the X-Force Exchange webpage lookup for that MD5 file
hash
Application/Protocol Details dashboard
This dashboard allows a fuzzy search for data from a particular application or protocol (layer 4 to layer 7) in
your environment. The information displayed in this dashboard is all scoped to the parameters entered at the
top of the screen. As such, many of the visualizations on this page are designed to uncover anomalies by
comparing similar traffic.
This dashboard contains widgets that provide:
• Application/protocol summary information
• Insights into largest volume communications
• Top sources and top destinations
• Destination port usage and QNI non-standard port usage
• Traffic volume breakdown between networks
• Flow direction and flow duration distributions
• QNI entity alerts and confidential content moving on the network
• Insights into long running flow sessions
• Largest file transfers (with integration into the X-Force Exchange on click)
• Most and least common QNI content types
Certain widgets on this dashboard can be used to drill down into other screens:
• Top Sources by Traffic Volume: Click a row to navigate to IP Details dashboard
• Top Destinations by Traffic Volume: Click a row to navigate to IP Details dashboard
• QNI Non-Standard Port Usage (MB) by Application: Click a bar to reload the Application Details
dashboard with the application in the selected bar
• Longest Flow Sessions: Click a row to view the flow records in Network Activity
• QNI Largest File Transfers: Click a row to open the X-Force Exchange webpage lookup for that MD5
file hash
IP Details dashboard
This dashboard searches for data specific to the IPv4 address entered in the parameters section at the top of
the dashboard. The widgets on this dashboard aim to uncover anomalies relating to the behavior of a specific
IPv4 address. Much of the information is split into “inbound” and “outbound” statistics, representing the
metrics for the IP when it was the “destination” and when it was the “source” respectively. This dashboard
may be useful when trying to get an overview of the typical behavior and characteristics of a particular IPv4
address.
This dashboard contains widgets that provide:
• IP summary information
• Hostname and username information
• Information about communication with remote assets
• Recent communication observed from/to the IP address
• Insights into QNI suspect content descriptions detected
• X-Force category lookups of QNI URLs
• Views into traffic volume over time and the breakdown of flow direction and application
• Application usage
• Flow direction and flow duration distributions
• Insights into long running flow sessions
• QNI file entropy insights
• Largest file transfers (with integration into the X-Force Exchange on click)
Certain widgets on this dashboard can be used to drill down into other screens:
• Inbound Applications by Session Count: Click a row to navigate to Application Details dashboard
• Outbound Applications by Session Count: Click a row to navigate to Application Details dashboard
• QNI Largest File Transfers: Click a row to open the X-Force Exchange webpage lookup for that MD5
file hash
• Most Recent Flow Sessions: Click a row to view the flow records in Network Activity
Installation Steps
To install the dashboards within the IBM Security QRadar Network Visibility content extension, perform the following tasks.
1. Install the content extension into your QRadar environment. More details can be found here.
2. Synchronize the dashboard templates contained within the newly installed content extension with
the Pulse app. More details can be found here.
3. Install and create a new dashboard within Pulse from the newly synchronized templates. More details
can be found here.
Recommended Pre-Configuration
To get the most out of the IBM Security QRadar Network Visibility content extension, you are encouraged to
set up the following configurations before using the dashboards.
Network Hierarchy
Defining your network hierarchy is an essential step in realizing the value of these dashboards and your
QRadar deployment. The network hierarchy allows you to segment your network into regions, groups and
services and define “Local” and “Remote” traffic and devices.
These dashboards use the network hierarchy to highlight suspicious activity within a network segment and
provide insight into ingress, egress, lateral and external traffic. See here for details and guidelines for defining
your network hierarchy.
Asset Management
Maintaining an accurate asset model helps identify threats and vulnerabilities by connecting offenses and
alerts to assets in your network. Asset profiles can be built dynamically from identity information that is
collected from events or flows. You should always ensure the information gathered is accurate and up to date.
These dashboards use the asset model to correlate IP addresses with assets, with which you can effectively
assess the risk of a potential threat. Read more in the Asset Management chapter of the QRadar User Guide
for information about QRadar’s Asset Management capability, importing asset information and how to add or
edit an asset profile.
QRadar X-Force Threat Intelligence feed
The QRadar X-Force Threat Intelligence feed allows you to receive daily updates from X-Force with IP
reputation and URL categorization data. X-Force uses a series of datacenters across the globe to collect
malware samples, analyze web pages and URLs and analyze IP addresses to categorize IP information.
These dashboards use the insights provided by X-Force to highlight potentially suspicious and harmful behavior
within your organization. See here for more details about the QRadar X-Force Threat Intelligence feed and
how to enable it.
Dashboard Customization
There are a number of ways that you can customize the dashboards included in this content extension so that they best suit the needs of your environment. After installing the content extension, you are free to customize and edit all of the dashboards and widgets to best suit your needs.
Setting dashboard parameters
Each dashboard has a parameters section at the top to enable filtering and scoping of the data displayed on
the dashboard.
AQL Time Criteria Parameter
All three dashboards have the “AQL Time Criteria” parameter. This parameter defaults to “LAST 1 HOURS” and
is used to scope the time period data is retrieved from. This parameter supports both the “START x STOP y”
pattern to specify an absolute time period, as well as the “LAST x” pattern for relative time periods. See the
Ariel Query Language Guide section “Time criteria in AQL queries” for more details.
In some deployments the default value of “LAST 1 HOURS” may not be the optimal time window to populate
data from. The default value can be made longer or shorter, depending on the requirements. Note that a
larger time window will take longer for the AQL query to run and a shorter window will take less time.
The default value can be changed by clicking on the “three dots” option icon on the top right of the dashboard and choosing the “Manage Parameters” option. From here each parameter and its “Default Value” can be updated. All dashboards will then use the new defaults.
Network Filter Parameter
The Overview dashboard has a “Network Filter” parameter which scopes the data on the dashboard to a
particular network from the network hierarchy. This parameter defaults to “all” which combines data from all
networks in the environment into a single overview of your entire network. To use this parameter enter the
desired Network Name as it appears in the Network Hierarchy.
Application/Protocol Name Parameter
The Application/Protocol Details dashboard has an “Application/Protocol Name” parameter to specify which application or protocol (layer 4 to layer 7) you wish to view data for. If you have drilled down to this dashboard via another dashboard, then this parameter will be auto-filled with the application/protocol that you have drilled down on.
This parameter supports the application names seen in the Network Activity tab, layer 4 protocols as provided by the ‘PROTOCOLNAME’ AQL function (e.g. TCP, UDP, ICMP, IPv6ICMP, etc.) and, if you have QRadar Network Insights, the layer 5 to 7 protocol values provided by the “protocol name” field (e.g. HTTP, SMB, etc.). This parameter supports fuzzy matching, so values entered here are case-insensitive and support partial name matching.
IP Address Parameter
The IP Details dashboard has the “IP Address” parameter to specify the IP address you wish to see further
details about. If you have drilled down to this dashboard via another dashboard, then this parameter will be
auto-filled in with the IP address that you have drilled down on. This parameter only supports IPv4 addresses
and does not support CIDRs.
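The following AQL queries are an added example (constructed for this guide, not the extension's own widget queries) showing how the parameters above scope a widget's flow query, including the inbound/outbound split used by the IP Details dashboard. The network name, IP address, timestamps and limits are placeholder values, and the field and function names (`flows`, `sourcebytes`, `APPLICATIONNAME`, `PROTOCOLNAME`, `NETWORKNAME`, `ILIKE`) are assumed from the Ariel Query Language guide.

```sql
-- Added example, not the extension's own widget queries. All literal values are
-- placeholders; substitute the values entered in the dashboard parameters.

-- Overview dashboard, "Top Sources by Traffic Volume" style query.
--   Network Filter    = 'Net-10-172-192.Net_10_0_0_0' (a network hierarchy name)
--   AQL Time Criteria = LAST 1 HOURS (the default)
--   Results Limit     = 25 (rows beyond this are silently omitted)
SELECT sourceip,
       SUM(sourcebytes + destinationbytes) AS total_bytes,
       COUNT(*) AS sessions
FROM flows
WHERE NETWORKNAME(sourceip) = 'Net-10-172-192.Net_10_0_0_0'
GROUP BY sourceip
ORDER BY total_bytes DESC
LIMIT 25
LAST 1 HOURS

-- Application/Protocol Details dashboard, Application/Protocol Name = 'http'.
-- ILIKE gives the case-insensitive partial match the parameter describes, so
-- any application or layer 4 protocol name containing "http" is selected.
SELECT sourceip, destinationip, destinationport,
       APPLICATIONNAME(applicationid) AS app,
       SUM(sourcebytes + destinationbytes) AS total_bytes
FROM flows
WHERE APPLICATIONNAME(applicationid) ILIKE '%http%'
   OR PROTOCOLNAME(protocolid) ILIKE '%http%'
GROUP BY sourceip, destinationip, destinationport, applicationid
ORDER BY total_bytes DESC
LIMIT 25
LAST 1 HOURS

-- IP Details dashboard, IP Address = '10.0.0.5' (a single IPv4, no CIDR), using
-- the absolute START/STOP form of the time criteria. "Inbound" means the IP was
-- the destination and "outbound" means it was the source, so it is two queries.
SELECT APPLICATIONNAME(applicationid) AS app,
       COUNT(*) AS inbound_sessions,
       SUM(sourcebytes + destinationbytes) AS inbound_bytes
FROM flows
WHERE destinationip = '10.0.0.5'
GROUP BY applicationid
ORDER BY inbound_sessions DESC
LIMIT 25
START '2024-05-01 09:00' STOP '2024-05-01 10:00'

SELECT APPLICATIONNAME(applicationid) AS app,
       COUNT(*) AS outbound_sessions,
       SUM(sourcebytes + destinationbytes) AS outbound_bytes
FROM flows
WHERE sourceip = '10.0.0.5'
GROUP BY applicationid
ORDER BY outbound_sessions DESC
LIMIT 25
START '2024-05-01 09:00' STOP '2024-05-01 10:00'
```

The `--` comments are for the reader and should be stripped before pasting a query into the Network Activity AQL editor; run each query separately.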
Moving, resizing and deleting widgets
Widgets can be moved up and down to a more desirable location on the dashboard. To move a widget, drag
the title and place it in its new location.
Widgets can be resized by dragging the bottom right corner and adjusting to fit in your desired location.
Widgets can be removed from the dashboard, which may be useful in scenarios where your environment is
lacking the required data to accurately populate the widget (e.g. your deployment does not contain QRadar
Network Insights). To remove a widget, click the “three dots” icon on the top right corner and select the
“Remove” option.
Editing thresholds
Many of the widgets have threshold values pre-defined to highlight potential outliers that you may want to
investigate. Depending on your environment you may wish to adjust these values to reflect what is considered
an outlier for you. To do this, click the edit icon in the top right of any widget and scroll to the “Threshold” tab
at the bottom. Adjust the values and colors to reflect the most appropriate values for your environment.
Changing Themes
Having the right color palette and theming can really make your dashboards stand out - whether they are on
your SOC wall or for your own personal use. See here for more details about changing the workspace theme
and branding.
Customizing Widget Colors
Some widgets allow for customization of the colors and symbols used in the visualizations. Click the edit icon in
the top right corner to explore what color and symbol customizations you can make to best suit your needs.
Adjusting the Results Limit
Every widget has a “Results Limit” which restricts the number of entries returned by the AQL query. This value
has been pre-defined in these dashboards and restricts the amount of data each widget will display.
It is especially important to be mindful of this limit in deployments processing large volumes of traffic or when
increasing the “AQL Time Criteria” parameter as some results may be omitted if the limit is hit. This is most
common in time series widgets.
To allow each widget to display more or less data you can adjust this value by clicking the edit icon in the top
right of any widget and editing the “Results Limit” input field.
Tips and Tricks – making the most of the dashboards
There are a number of tips and tricks that can help make the most of the data available in the Pulse
dashboards.
“Open in Network Activity” button
While triaging data in the dashboards you may uncover something that requires further investigation. You can
navigate directly to the data that populated the visualization by clicking the “three dots” icon in the top right
corner of the widget and select “Open in Network Activity”.
This will take you directly to the Network Activity results set. From there you are able to filter and sort the
data, edit the AQL query, open flow records and investigate the data as you normally would.
What is this widget telling me and what would I use it for?
Each widget has a description that explains what data is being displayed and provides suggestions about what
type of MITRE ATT&CK Tactics and Techniques you can look for in the data. To view the description, click the
Edit icon in the top left corner of the widget. You will see the description in the edit window.
Filtering the data displayed in a widget
Some Pulse widgets allow for filtering of the data displayed by selecting and deselecting items in the legend.
This is useful when triaging data in a chart, so that you can choose to remove and add data as required for
your investigation. This is possible with Pie Charts, Bar Charts, Time Series Charts and Scatter Plots by clicking
directly on the item in the legend that you wish to filter.
Improving performance in large deployments
In deployments processing large volumes of traffic, the Pulse dashboards may take multiple minutes to fully populate visualizations while the AQL queries are running. If the dashboards are not loading fast enough for your deployment, there are some things you can do to customize the dashboards to better suit your environment:
1. Change the default “AQL Time Criteria” to be a smaller time window. You can change the default value by navigating to “Manage Parameters” and customizing the Default Value for the “AQL Time Criteria” parameter. See “Setting dashboard parameters” for more information.
2. Remove widgets from the dashboard that aren’t populated in your deployment or don’t fit your use cases. See “Moving, resizing and deleting widgets” above. This will improve performance by reducing the number of AQL queries being run.
3. If there are specific groupings of widgets that you only want to see at certain times, you can remove the widgets from the main dashboards and add them to a new dashboard that you create for your own purposes. Spreading widgets across multiple dashboards helps limit how many AQL queries need to be run when the dashboard is loaded.
Setting the Overview dashboard as the default dashboard
If you find that you often navigate directly to the IBM Security QRadar Network Visibility - Overview dashboard
when opening Pulse you can choose to set this dashboard as the default. To set the default dashboard click the
“three dots” icon in the top right corner and select “Set As Default”.