QNAD 71MR1 AdminGuide

IBM Security QRadar Network Anomaly Detection
Version 7.1.0 MR1
Installation Guide

Note: Before using this information and the product that it supports, read the information in “Notices and
Trademarks” on page 1.
© Copyright IBM Corp. 2012, 2013 All Rights Reserved US Government Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
CONTENTS
ABOUT THIS GUIDE

Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Technical Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1 OVERVIEW
Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Enabling Compatibility View for Internet Explorer. . . . . . . . . . . . . . . . . . . . . . . . . . 4
About the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Using the Admin Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Deploying Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Updating User Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Resetting SIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Monitoring QRadar Network Anomaly Detection Systems with SNMP . . . . . . . . . . . . 7
2 MANAGING USER ROLES AND ACCOUNTS

User Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Creating a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Editing a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Deleting a Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Managing Security Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Creating a Security Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Editing a Security Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Duplicating a Security Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Deleting a Security Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Viewing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Creating a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Editing a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Deleting a User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authenticating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring your SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3 MANAGING THE SYSTEM
Managing Your License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Updating your License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Exporting Your License Key Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Restarting a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Shutting Down a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Access Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring Firewall Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Updating Your Host Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Interface Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Changing Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Updating System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4 SETTING UP IBM SECURITY QRADAR NETWORK ANOMALY

DETECTION
Creating Your Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Defining Your Network Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Managing Automatic Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Viewing Your Pending Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configuring Automatic Update Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Scheduling an Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Clearing Scheduled Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Checking for New Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Manually Installing Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Viewing Your Update History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Restoring Hidden Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Viewing the Autoupdate Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring your IF-MAP Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using Event and Flow Retention Buckets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configuring Event Retention Buckets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Configuring Flow Retention Buckets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Managing Retention Buckets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring System Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring the Console Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Managing Custom Offense Close Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Adding a Custom Offense Close Reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Editing Custom Offense Close Reason. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Deleting a Custom Offense Close Reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Index Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Viewing the Index Management Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Enabling Indexes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Disabling Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5 MANAGING REFERENCE SETS
Reference Set Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Viewing Reference Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Adding a Reference Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Editing a Reference Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Deleting Reference Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Viewing the Contents of a Reference Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Adding a New Element to a Reference Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Deleting Elements from a Reference Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Importing Elements into a Reference Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Exporting Elements from a Reference Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6 MANAGING AUTHORIZED SERVICES

Authorized Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing Authorized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Adding an Authorized Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Revoking Authorized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring the Customer Support Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Dismissing an Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Closing an Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Adding Notes to an Offense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
7 MANAGING BACKUP AND RECOVERY

Backup and Recovery Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Managing Backup Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Viewing Backup Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Importing a Backup Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Deleting a Backup Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Backing Up Your Configuration Information and Data . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring Your Scheduled Nightly Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Creating an On-demand Configuration Backup Archive . . . . . . . . . . . . . . . . . . . 101
Restoring Your Backup Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Restoring a Backup Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Restoring a Backup Archive Created on a Different QRadar Network Anomaly
Detection System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
8 USING THE DEPLOYMENT EDITOR

Deployment Editor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
About the Deployment Editor User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Accessing the Deployment Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Using the Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Building Your Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Before you Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring Deployment Editor Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Building Your Event View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Connecting Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Forwarding Normalized Events and Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Renaming Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Managing Your System View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Setting Up Managed Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Using NAT with QRadar Network Anomaly Detection . . . . . . . . . . . . . . . . . . . . 126
Configuring a Managed Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Assigning a Component to a Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring Host Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring an Accumulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring QRadar Network Anomaly Detection Components . . . . . . . . . . . . . . . 134
Configuring a QRadar QFlow Collector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configuring an Event Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Configuring an Event Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Configuring the Magistrate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Configuring an Off-site Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Configuring an Off-site Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
9 MANAGING FLOW SOURCES

Flow Sources Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
NetFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
J-Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Packeteer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Flowlog File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Napatech Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Managing Flow Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Adding a Flow Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Editing a Flow Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Enabling and Disabling a Flow Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Deleting a Flow Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Managing Flow Source Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Adding a Flow Source Alias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Editing a Flow Source Alias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Deleting a Flow Source Alias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
10 CONFIGURING REMOTE NETWORKS AND SERVICES

Remote Networks and Services Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managing Remote Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Default Remote Network Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Adding a Remote Networks Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Editing a Remote Networks Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Managing Remote Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Default Remote Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Adding a Remote Services Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Editing a Remote Services Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Using Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
11 DISCOVERING SERVERS
Server Discovery Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Discovering Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
12 FORWARDING EVENT DATA

Event Forwarding Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Add Forwarding Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring Bulk Event Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Configuring Selective Event Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Managing Forwarding Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Viewing Forwarding Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Enabling and Disabling a Forwarding Destination . . . . . . . . . . . . . . . . . . . . . . . 171
Resetting the Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Editing a Forwarding Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Delete a Forwarding Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Managing Routing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Viewing Routing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Editing a Routing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Enabling or Disabling a Routing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Deleting a Routing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
A ENTERPRISE TEMPLATE
Default Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Default Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
B VIEWING AUDIT LOGS

Audit Log Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Logged Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Viewing the Log File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
C EVENT CATEGORIES
High-Level Event Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Recon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Suspicious Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
CRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Potential Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
SIM Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
VIS Host Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
D NOTICES AND TRADEMARKS

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
INDEX
ABOUT THIS GUIDE
The IBM Security QRadar Network Anomaly Detection Administration Guide

provides you with information for managing QRadar Network Anomaly Detection
functionality requiring administrative access.
Intended Audience This guide is intended for the system administrator responsible for setting up
QRadar Network Anomaly Detection in your network. This guide assumes that you
have QRadar Network Anomaly Detection administrative access and a knowledge
of your corporate network and networking technologies.
Conventions The following conventions are used throughout this guide:
Indicates that the procedure contains a single instruction.
NOTE
Indicates that the information provided is supplemental to the associated feature
or instruction.
CAUTION
Indicates that the information is critical. A caution alerts you to potential loss of
data or potential damage to an application, system, device, or network.
WARNING
Indicates that the information is critical. A warning alerts you to potential dangers,
threats, or potential personal injury. Read any and all warnings carefully before
proceeding.
Technical For information on how to access more technical documentation, technical notes,
Documentation and release notes, see the Accessing IBM Security QRadar Documentation
Technical Note.
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21614644)
IBM Security QRadar Network Anomaly Detection Administration Guide

2 ABOUT THIS GUIDE
Contacting For information on contacting customer support, see the Support and Download
Customer Support Technical Note.
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861)

1 OVERVIEW
This section includes the following topics:

• Supported Web Browsers
• About the User Interface
• Using the Admin Tab
• Deploying Changes
• Resetting SIM
• Updating User Details
• Monitoring QRadar Network Anomaly Detection Systems with SNMP
Supported Web You can access the Console from a standard web browser. When you access the
Browsers system, a prompt is displayed asking for a user name and a password, which must
be configured in advance by the IBM Security QRadar Network Anomaly Detection
administrator.
Table 1-1 Supported Web Browsers
Web Browser Supported Versions

Mozilla Firefox • 10.0
Due to Mozilla’s short release cycle, we cannot commit to testing on the
latest versions of the Mozilla Firefox browser. However, we are fully
committed to investigating any issues that are reported.
Microsoft® Windows Internet • 8.0
Explorer, with Compatibility View • 9.0
Enabled
For instructions on how to enable Compatibility View, see Enabling
Compatibility View for Internet Explorer.

4 OVERVIEW
Enabling To enable Compatibility View for Internet Explorer 8.0 and 9.0:
Compatibility View
for Internet Explorer
Step 1 Press F12 to open the Developer Tools window.
Step 2 Configure the following compatibility settings:
Table 1-2 Internet Explorer Compatibility Settings
Browser Version Option Description

Internet Explorer 8.0 Browser Mode From the Browser Mode list box, select Internet Explorer 8.0.
Document Mode From the Document Mode list box, select Internet Explorer
7.0 Standards.
Internet Explorer 9.0 Browser Mode From the Browser Mode list box, select Internet Explorer 9.0.
Document Mode From the Document Mode list box, select Internet Explorer
7.0 Standards.
About the User You must have administrative privileges to access administrative functions. To
Interface access administrative functions, click the Admin tab on the QRadar Network
Anomaly Detection user interface.
The Admin tab provides access to the following functions:

• Manage users. See Managing User Roles and Accounts.
• Manage your network settings. See Managing the System.
• Manage QRadar Network Anomaly Detection settings. See Setting Up IBM
Security QRadar Network Anomaly Detection.
• Manage High Availability. (This feature is not supported for QRadar Network
Anomaly Detection at this time)
• Manage authorized services. See Managing Authorized Services.
• Backup and recover your data. See Managing Backup and Recovery.
• Manage your deployment views. See Using the Deployment Editor.
• Manage flow sources. See Managing Flow Sources.
• Configure remote networks and remote services. See Configuring Remote
Networks and Services.
• Discover servers. See Discovering Servers.
• Configure syslog forwarding. See Forwarding Event Data.
• Managing vulnerability scanners. For more information, see the IBM Security
QRadar Vulnerability Assessment Configuration Guide.
• Manage log sources. For more information, see the IBM Security QRadar Log
Sources Users Guide.

Using the Admin Tab 5
Using the Admin The Admin tab provides several tab and menu options that allow you to configure
Tab QRadar Network Anomaly Detection, including:
• System Configuration - Provides access to administrative functionality, such
as automatic updates, backup and recovery, Console configuration, global
system notifications, network hierarchy, system and license management,
system settings, user management, authentication, and authorized services.
• Data Sources - Provides access to log source management, forwarding
destinations, routing rules, custom event and flow properties, event and flow
retention buckets, flow sources management, and vulnerability scanner
management.
• Remote Networks and Services Configuration - Provides access to QRadar
Network Anomaly Detection remote networks and services.
The Admin tab also includes several menu options, including:

Table 1-3 Admin Tab Menu Options
Menu Option Description

Deployment Editor Opens the Deployment Editor window. For more
information, see Using the Deployment Editor.
Deploy Changes Deploys any configuration changes from the current
session to your deployment. For more information, see
Deploying Changes.
Advanced The Advanced menu provides the following options:
Clean SIM Model - Resets the SIM module. See
Resetting SIM.
Deploy Full Configuration - Deploys all configuration
changes. For more information, see Deploying Changes.
Deploying Changes When you update your configuration settings using the Admin tab, your changes
are saved to a staging area where they are stored until you manually deploy the
changes.
Each time you access the Admin tab and each time you close a window on the
Admin tab, a banner at the top of the Admin tab displays the following message:
Checking for undeployed changes.
If undeployed changes are found, the banner updates to provide information about
the undeployed changes.
To view the detailed undeployed changes:

Step 1 Click View Details.
The details are displayed in groups.
Step 2 Choose one of the following options:

6 OVERVIEW
• To expand a group to display all items, click the plus sign (+) beside the text.
When done, you can click the minus sign (-).
• To expand all groups, click Expand All. When done, you can click Collapse All.
If the list of undeployed changes is lengthy, a scroll bar is provided to allow you to
scroll through the list.
Step 3 Click Hide Details to hide the details from view again.
The banner message also recommends which type of deployment change to

make. The two options are:
• Deploy Changes - Click the Deploy Changes icon on the Admin tab toolbar to
deploy any configuration changes from the current session to your deployment.
• Deploy Full Configuration - Select Advanced > Deploy Full Configuration
from the Admin tab menu to deploy all configuration settings to your
deployment. All deployed changes are then applied throughout your
deployment.
CAUTION
When you click Deploy Full Configuration, QRadar Network Anomaly Detection
restarts all services, resulting in a gap in data collection for events and flows until
deployment completes.
After you deploy your changes, the banner clears the list of undeployed changes
and checks the staging area again for any new undeployed changes. If none are
present, the following message is displayed: There are no changes to
deploy.
Updating User You can access your administrative user details through the main QRadar Network
Details Anomaly Detection interface.
To access your user details, click Preferences.
The User Details window displays information such as your user name and email
address. You can edit your administrative user details, if required. For more
information on the pop-up notifications, see the IBM Security QRadar Network
Anomaly Detection Users Guide.
Resetting SIM Using the Admin tab, you can reset the SIM module, which allows you to remove
all offense, source IP address, and destination IP address information from the
database and the disk. This option is useful after tuning your deployment to avoid
receiving any additional false positive information.

Monitoring QRadar Network Anomaly Detection Systems with SNMP 7
To reset the SIM module:

Step 1 Click the Admin tab.
Step 2 From the Advanced menu, select Clean SIM Model.
Step 3 Read the information on the window.
Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database. If you select the Soft Clean
option, you can also select the Deactivate all offenses check box.
• Hard Clean - Purges all current and historical SIM data including offenses,
source IP addresses, and destination IP addresses.
Step 5 If you want to continue, select the Are you sure you want to reset the data
model? check box.
Step 6 Click Proceed.
A message is displayed, indicating that the SIM reset process has started. This
process can take several minutes, depending on the amount of data in your
system.
Step 7 Click Close.
Step 8 When the SIM reset process is complete, reset your browser.
NOTE
If you attempt to navigate to other areas of the QRadar Network Anomaly
Detection user interface during the SIM reset process, an error message is
displayed.
Monitoring QRadar QRadar Network Anomaly Detection supports the monitoring of our appliances
Network Anomaly through SNMP polling. QRadar Network Anomaly Detection uses the Net-SNMP
Detection Systems agent, which supports a variety of system resource monitoring MIBs that can be
with SNMP polled by Network Management solutions for the monitoring and alerting of system
resources. For more information on Net-SNMP, refer to Net-SNMP documentation.

2 MANAGING USER ROLES AND
ACCOUNTS
When you initially configure IBM Security QRadar Network Anomaly Detection,
you must create user accounts for all users that require access to QRadar Network
Anomaly Detection.

• User Management Overview
• Managing Roles
• Managing Security Profiles
• Managing User Accounts
• Authenticating Users
User Management A user account defines the user name, default password, and email address for a
Overview user. For each new user account you create, you must assign the following items:
• User Role - Determines the privileges the user is granted to access
functionality and information in QRadar Network Anomaly Detection. QRadar
Network Anomaly Detection includes two default user roles: Admin and All.
Before you add user accounts, you must create additional user roles to meet
the specific permission requirement of your users.
• Security Profile - Determines the networks and log sources the user is granted
access to. QRadar Network Anomaly Detection includes one default security
profile for administrative users. The Admin security profile includes access to all
networks and log sources. Before you add user accounts, you must create
additional security profiles to meet the specific access requirements of your
users.
After initial configuration, you can edit user accounts to ensure that user
information is current. You can also add and delete user accounts as required.
Managing Roles Before you can create user accounts, you must create the user roles required for
your deployment. By default, QRadar Network Anomaly Detection provides a
default administrative user role, which provides access to all areas of QRadar
Network Anomaly Detection.

Users who are assigned an administrative user role cannot edit their own account.
This restriction applies to the default Admin user role. Another administrative user
must make any account changes.

• Creating a Role
• Editing a Role
• Deleting a Role
Creating a Role To create a role:

Step 2 On the navigation menu, click System Configuration > User Management.
Step 3 Click the User Roles icon.
NOTE
You can also access the User Role Management window from the User Details
window. The User Details window allows you to configure a user account. For
more information on user accounts, see Managing User Accounts.
Two default user roles are listed in the left pane of the window: Admin and All. You
can select a role in the left pane to view the associated role permissions in the right
pane.
Step 4 On the toolbar, click New.
After you click New, the parameters in the right pane are cleared, allowing you to
create a new user role.
Step 5 Configure the following parameters:
Table 2-1 User Role Management Window Parameters
Parameter Description
User Role Name Type a unique name for the role. The user role name must
meet the following requirements:
• Minimum of three characters
• Maximum of 30 characters

Managing Roles 11
Table 2-1 User Role Management Window Parameters (continued)
Admin Select this check box to grant the user administrative access
to the QRadar Network Anomaly Detection user interface.
After you select the Admin check box, all permissions check
boxes are selected by default. Within the Admin role, you can
grant individual access to the following Admin permissions:
• Administrator Manager - Select this check box to allow
users to create and edit other administrative user
accounts. If you select this check box, the System
Administrator check box is automatically selected.
• Remote Networks and Services Configuration - Select
this check box to allow users to configure remote networks
and services on the Admin tab.
• System Administrator - Select this check box to allow
users to access all areas of QRadar Network Anomaly
Detection. Users with this access are not able to edit other
administrator accounts.
Offenses Select this check box to grant the user access to all Offenses
tab functionality. Within the Offenses role, you can grant
individual access to the following permissions:
• Assign Offenses to Users - Select this check box to
allow users to assign offenses to other users.
• Customized Rule Creation - Select this check box to
allow users to create custom rules.
• Manage Offense Closing Reasons - Select this check
box to allow users to manage offense closing reasons.
For more information on the Offenses tab, see the IBM
Security QRadar Network Anomaly Detection Users Guide.
Log Activity Select this check box to grant the user access to all Log
Activity tab functionality. Within the Log Activity role, you can
also grant users individual access to the following
permissions:
allow users to create rules using the Log Activity tab.
• Manage Time Series - Select this check box to allow
users to configure and view time series data charts.
• User Defined Event Properties - Select this check box to
allow users to create custom event properties. For more
information on custom event properties, see the IBM
Security QRadar Network Anomaly Detection Users
Guide.
For more information on the Log Activity tab, see the IBM
Security QRadar Network Anomaly Detection Users Guide.

Assets Select this check box to grant the user access to all Assets
tab functionality. Within the Assets role, you can grant
• Perform VA Scans - Select this check box to allow users
to perform vulnerability assessment scans. For more
information on vulnerability assessment, see the IBM
Security QRadar Vulnerability Assessment Configuration
guide.
• Remove Vulnerabilities - Select this check box to allow
user to remove vulnerabilities from assets.
• Server Discovery - Select this check box to allow users to
discover servers.
• View VA Data - Select this check box to allow users
access to vulnerability assessment data. For more
information on vulnerability assessment, see the IBM
Security QRadar Vulnerability Assessment Configuration
guide.
Network Activity Select this check box to grant the user access to all Network
Activity tab functionality. Within the Network Activity role,
you can grant individual access to the following permissions:
allow users to create rules using the Network Activity tab.
• Manage Time Series - Select this check box to allow
users to configure and view time series data charts.
• User Defined Flow Properties - Select this check box to
allow users to create custom flow properties.
• View Flow Content - Select this check box to allow users
access to flow data. For more information on viewing
flows, see the IBM Security QRadar Network Anomaly
Detection Users Guide.
For more information on the Network Activity tab, see the
IBM Security QRadar Network Anomaly Detection Users
Guide.
Reports Select this check box to grant the user access to all Reports
tab functionality. Within the Reports role, you can grant users
• Distribute Reports via Email - Select this check box to
allow users to distribute reports through email.
• Maintain Templates - Select this check box to allow users
to edit reporting templates.
For more information, see the IBM Security QRadar Network
Anomaly Detection Users Guide.
IP Right Click Menu Select this check box to grant the user access to options
Extensions added to the right-click menu.

Managing Roles 13
Risks This option is only available if IBM Security QRadar Risk
Manager is activated. Select this check box to grant users
access to IBM Security QRadar Risk Manager functionality.
For more information, see the IBM Security QRadar Risk
Manager Users Guide.
Step 6 Click Save.

The user role is added to the list in the left pane of the User Role Management
window. The following message is displayed next to the Save icon: User Role
<role_name> saved, where <role_name> is the name of the user role you
added.
Step 7 Close the User Role Management window.
Step 8 On the Admin tab menu, click Deploy Changes.
Editing a Role To edit a role:

NOTE
The left pane provides a list of user roles. You can select a role in the left pane to
view the associated role permissions in the right pane.
Step 4 In the left pane, select the role you want to edit.
NOTE
You can locate a role by typing a role name in the Type to filter text box, which is
located above the left pane.
Step 5 Update the parameters (see Table 2-1), as necessary.

Step 6 Click Save.
If you changed the name of the user role, the user role name is updated in the left
pane. The user role parameters are updated in the right pane. The following
message is displayed next to the Save icon: User Role <role_name> saved,
where <role_name> is the name of the user role you edited.

Deleting a Role To delete a role:

NOTE
The left pane provides a list of user roles. You can select a role in the left pane to
view the associated role permissions in the right pane.
Step 4 In the left pane, select the role you want to delete.
NOTE
You can locate a role by typing a role name in the Type to filter text box, which is
located above the left pane.
Step 5 On the toolbar, click Delete.

Step 6 Click OK.
If user accounts are assigned to this user role, the Users are Assigned to this
User Role window is displayed. Go to Step 7.
If no user accounts are assigned to this role, the user role is successfully deleted.
go to Step 8.
Step 7 Reassign the listed user accounts to another user role:
a From the User Role to assign list box, select a user role.
b Click Confirm.
The user role is deleted and all listed user accounts are reassigned to the selected
user role.
Managing Security The Security Profile Management feature allows you to create and manage
Profiles security profiles. Security profiles define which networks and log sources a user
can access. Using the Security Profile Management window, you can view, create,
update, and delete security profiles.

Managing Security Profiles 15

• Creating a Security Profile
• Editing a Security Profile
• Duplicating a Security Profile
• Deleting a Security Profile
Creating a Security QRadar Network Anomaly Detection includes one default security profile for
Profile administrative users. The Admin security profile includes access to all networks
and log sources. Before you add user accounts, you must create additional
security profiles to meet the specific access requirements of your users.
To add a security profile:

Step 3 Click the Security Profiles icon.
NOTE
You can also access the Security Profile Management window from the User
Details window. The User Details window allows you to configure a user account.
For more information on user accounts, see Managing User Accounts.
The left pane provides a list of security profiles. You can select a security profile in
the left pane to view the associated Security Profile details in the right pane.
After you click New, the parameters in the right pane are cleared, allowing you to
create a new security profile.
Table 2-2 Security Profile Management Window Parameters
Security Profile Type a unique name for the security profile. The
Name security profile name must meet the following
requirements:
• Minimum of three characters
Description Optional. Type a description of the security
profile. The maximum number of characters is
255.
The Summary tab is displayed; however, the summary is not editable. After you
create this security profile, the Summary tab is populated.
Step 6 Click the Permission Precedence tab.

Permission precedence determines which Security Profile components to consider

when displaying events in the Log Activity tab and flows in the Network Activity
tab.
Step 7 In the Permission Precedence Setting pane, select a permission precedence
option. Options include:
• No Restrictions - Select this option if you do not want to place restrictions on
which events are displayed in the Log Activity tab and which flows are
displayed in the Network Activity tab. This is the default permission
precedence.
• Network Only - Select this option to restrict the user to only view events and
flows associated with the networks specified in this security profile.
• Log Sources Only - Select this option to restrict the user to only view events
associated with the log sources specified in this security profile.
• Networks AND Log Sources - Select this option to allow the user to only view
events and flows associated with the log sources and networks specified in this
security profile.
For example, if an event is associated with a log source the security profile
allows access to, but the destination network is restricted, the event is not
displayed in the Log Activity tab. The event must match both requirements.
• Networks OR Log Sources - Select this option to allow the user to only view
events and flows associated with the log sources or networks specified in this
security profile.
For example, if an event is associated with a log source the security profile
allows access to, but the destination network is restricted, the event is
displayed in the Log Activity tab. The event only needs to match one
requirement.
Step 8 Configure the networks you want to assign to the security profile:
a Click the Networks tab.
b From the navigation tree in the left pane, locate and select the network you
want this security profile to have access to. Choose one of the following
options:
- From the All Networks list box, select a network group or network.
- Select the network group or network in the navigation tree.
NOTE
You can also select multiple network or network groups by holding the Control key
while you select each network or network group you want to add.
c Click the Add (>) icon.

The added network is displayed in the Assigned Networks pane. To remove the
network from the Assigned Networks pane, select the network and click the
Remove (<) icon. To remove all selected networks, click Remove All.
d Repeat for each network you want to add.

Managing Security Profiles 17
Step 9 Configure the log sources you want to assign to the security profile:
a Click the Log Sources tab.
b From the navigation tree in the left pane, locate and select the log source group
or log source you want this security profile to have access to. Choose one of
the following options:
- From the Log Sources list box, select a log source group or log source.
- Double-click the folder icons in the navigation tree to navigate to a specific
log source group or log source.
NOTE
You can also select multiple log source or log source groups by holding the
Control key while you select each log source or log source groups you want to
add.
c Click the Add (>) icon.

The added log source is displayed in the Assigned Log Sources pane. To
remove the log source from the Assigned Log Sources pane, select the log
source and click the Remove (<) icon. To remove all selected log sources, click
Remove All.
d Repeat for each log source you want to add.
Step 10 Click Save.
Step 11 Close the Security Profile Management window.
Editing a Security To edit a security profile:

Profile
NOTE
You can also access the Security Profiles Management window from the User
Step 4 In the left pane, select the security profile you want to edit.
NOTE
You can locate a security profile by typing a security profile name in the Type to
filter text box, which is located above the left pane.
Step 5 On the toolbar, click Edit.

Step 6 Update the parameters as required. For more information on the Security Profile
Management window parameters, see Creating a Security Profile.
Step 7 Click Save.
NOTE
If the Security Profile Has Time Series Data window is displayed, see Step 8.
The security profile is added to the list in the left pane of the Security Profile
Management window. The following message is displayed next to the Save icon:
<security_profile_name> saved, where <security_profile_name> is the
name of the security profile you edited.
Step 8 If the Security Profile Has Time Series Data window is displayed, select one of
• Keep Old Data and Save - Select this option to keep previously accumulated
time series data. Choosing this option can cause issues when users associated
with this security profile views time series charts.
• Hide Old Data and Save - Select this option to hiding the time-series data.
Choosing this option restarts time series data accumulation after you deploy
your configuration changes.
If you changed the name of the security profile, the security profile name is
updated in the left pane. The security profile parameters are updated in the right
pane. The following message is displayed next to the Save icon:
<security_profile_name> saved, where <security_profile_name> is the
name of the security profile you edited.
Duplicating a To duplicate a security profile:

Security Profile
NOTE
You can also access the Security Profiles Management window from the User
Step 4 In the left pane, select the security profile you want to duplicate.
NOTE

Managing User Accounts 19
Step 5 On the toolbar, click Duplicate.

Step 6 Type a unique name for the duplicated security profile.
Step 7 Click OK.
Deleting a Security To delete a security profile:

Profile
Step 4 In the left pane, select the security profile you want to delete.
NOTE

Step 6 Click OK.
If user accounts are assigned to this security profile, the Users are Assigned to
this Security Profile window is displayed. Go to Step 7.
If no user accounts are assigned to this security profile, the security profile is
successfully deleted. Go to Step 8.
Step 7 Reassign the listed user accounts to another security profile:
a From the User Security Profile to assign list box, select a security profile.
b Click Confirm.
The security profile is deleted and the user accounts are reassigned to the
selected security profile.
Managing User When you initially configure QRadar Network Anomaly Detection, you must create
Accounts user accounts for each of your users. After initial configuration, you may be
required to create additional user accounts or edit existing user accounts.
When you create a new user account, you must assign access credentials, a user
role, and a security profile to the user. User Roles define what actions the user has
permission to perform. Security Profiles define what data the user has permission
to access.

You can create multiple user accounts that include administrative privileges;
however, any Administrator Manager user accounts can create other
administrative user accounts.

• Viewing User Accounts
• Creating a User Account
• Editing a User Account
• Deleting a User Account
Viewing User To view user accounts:

Accounts
Step 3 Click the Users icon.
The User Management window provides the following information:
Table 2-3 User Management Window Parameters
Username Displays the user name of this user account.
Description Displays the description of the user account.
E-mail Displays the email address of this user account.
User Role Displays the user role assigned to this user account.
User Roles define what actions the user has
permission to perform.
Security Profile Displays the security profile assigned to this user
account. Security Profiles define what data the
user has permission to access.

Managing User Accounts 21
The User Management window toolbar provides the following functions:

Table 2-4 User Management Window Toolbar Functions
Function Description
New Click this icon to create a user account. For more
information on creating a user account, see
Creating a User Account.
Edit Click this icon to edit the selected user account. For
more information on editing a user account, see
Editing a User Account.
Delete Click this icon to delete the selected user account.
For more information on deleting a user account, see
Deleting a User Account.
Search Users In this text box, you can type a keyword and then
press Enter to locate a specific user account.
Creating a User To create a user account:

Account
Step 5 Enter values for the following parameters:
Table 2-5 User Details Window Parameters
Username Type a unique user name for the new user. The user name must
meet contain a maximum 30 characters.
E-mail Type the user’s email address. The email address must meet the
following requirements:
• Must be a valid email address
• Minimum of 10 characters
Password Type a password for the user to gain access. The password must
meet the following criteria:
• Minimum of five characters
Confirm Password Type the password again for confirmation.
Description Optional. Type a description for the user account. The maximum
number of characters is 2,048.

Table 2-5 User Details Window Parameters (continued)
User Role From the list box, select the user role you want to assign to this
user.
To add, edit, or delete user roles, you can click the Manage User
Roles link. For information on user roles, see Managing Roles.
Security Profile From the list box, select the security profile you want to assign to
this user.
To add, edit, or delete security profiles, you can click the Manage
Security Profiles link. For information on security profiles, see
Managing Security Profiles.
Step 6 Click Save.

The following message is displayed next to the Save icon: User <username>
saved, where <username> is the name of the user account you added. The user
account is added to the User Management window.
Step 7 Close the User Details window.
Step 8 Close the User Management window.
Editing a User To edit a user account:

Account
Step 4 Select the user account you want to edit.
Step 6 Update parameters, as necessary. See Table 2-5
Step 7 Click Save.
The following message is displayed next to the Save icon: User <username>
saved, where <username> is the name of the user account you edited. The user
account is updated in the User Management window.
Step 8 Close the User Details window.
Deleting a User To delete a user account:

Account

Authenticating Users 23

Step 4 Select the user you want to delete.
Step 6 Click OK.
This user no longer has access to the QRadar Network Anomaly Detection user
interface. If this user attempts to log in to QRadar Network Anomaly Detection, the
following message is displayed: The username and password you supplied are
not valid. Please try again.
After you delete a user, items the user created, such as saved searches, reports,
and assigned offenses, remain associated with the deleted user.
Authenticating You can configure authentication to validate QRadar Network Anomaly Detection
Users users and passwords. QRadar Network Anomaly Detection supports the following
user authentication types:
• System Authentication - Users are authenticated locally by QRadar Network
Anomaly Detection. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar
Network Anomaly Detection encrypts the password only, and forwards the user
name and password to the RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access
Controller Access Control System (TACACS) server. When a user attempts to
log in, QRadar Network Anomaly Detection encrypts the user name and
password, and forwards this information to the TACACS server for
authentication. TACACS Authentication uses Cisco Secure ACS Express as a
TACACS server. QRadar Network Anomaly Detection supports up to Cisco
Secure ACS Express 4.3.
• Active Directory - Users are authenticated by a Lightweight Directory Access
Protocol (LDAP) server using Kerberos.
• LDAP - Users are authenticated by a Native LDAP server.
To configure RADIUS, TACACS, Active Directory, or LDAP as the authentication

type, you must:
• Configure the authentication server before you configure authentication in
QRadar Network Anomaly Detection.
• Ensure the server has the appropriate user accounts and privilege levels to
communicate with QRadar Network Anomaly Detection. See your server
documentation for more information.
• Ensure the time of the authentication server is synchronized with the time of the
QRadar Network Anomaly Detection server. For more information on setting

QRadar Network Anomaly Detection time, see Setting Up IBM Security QRadar
• Ensure all users have appropriate user accounts and roles in QRadar Network
Anomaly Detection to allow authentication with the vendor servers.
When authentication is configured and a user enters an invalid user name and
password combination, a message is displayed indicating the login was invalid. If
the user attempts to access the system multiple times using invalid information, the
user must wait the configured amount of time before attempting to access the
system again. For more information on configuring Console settings for
authentication, see Setting Up IBM Security QRadar Network Anomaly Detection
- Configuring the Console Settings.
An administrative user can access QRadar Network Anomaly Detection through a

vendor authentication module or by using the local QRadar Network Anomaly
Detection Admin password. The QRadar Network Anomaly Detection Admin
password still functions if you have set up and activated a vendor authentication
module, however, you cannot change the QRadar Network Anomaly Detection
Admin password while the authentication module is active. To change the QRadar
Network Anomaly Detection admin password, you must temporarily disable the
vendor authentication module, reset the password, and then reconfigure the
vendor authentication module.
To configure authentication:
Step 3 Click the Authentication icon.
Step 4 From the Authentication Module list box, select the authentication type you want
to configure.
Step 5 Configure the selected authentication type:
a If you selected System Authentication, go to Step 6.
b If you selected RADIUS Authentication, enter values for the following
parameters:
Table 2-6 RADIUS Authentication Parameters
RADIUS Server Type the host name or IP address of the RADIUS server.
RADIUS Port Type the port of the RADIUS server.

Table 2-6 RADIUS Authentication Parameters (continued)
Authentication From the list box, select the type of authentication you want to
Type perform. The options are:
• CHAP (Challenge Handshake Authentication Protocol) -
Establishes a Point-to-Point Protocol (PPP) connection
between the user and the server.
• MSCHAP (Microsoft® Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes
authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text
between the user and the server.
Shared Secret Type the shared secret that QRadar Network Anomaly Detection
uses to encrypt RADIUS passwords for transmission to the
RADIUS server.
c If you selected TACACS Authentication, enter values for the following

parameters:
Table 2-7 TACACS Authentication Parameters
TACACS Server Type the host name or IP address of the TACACS server.
TACACS Port Type the port of the TACACS server.
Authentication From the list box, select the type of authentication you want to
Type perform. The options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text
between the user and the server. This is the default
authentication type.
• CHAP (Challenge Handshake Authentication Protocol) -
Establishes a PPP connection between the user and the
server.
• MSCHAP (Microsoft Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 (Microsoft Challenge Handshake Authentication
Protocol version 2) - Authenticates remote Windows
workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5
Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret Type the shared secret that QRadar Network Anomaly Detection
uses to encrypt TACACS passwords for transmission to the
TACACS server.
d If you selected Active Directory, enter values for the following parameters:

Table 2-8 Active Directory Parameters
Server URL Type the URL used to connect to the LDAP server. For example,
ldap://<host>:<port>
LDAP Context Type the LDAP context you want to use, for example,
DC=Q1LABS,DC=INC.
LDAP Domain Type the domain you want to use, for example q1labs.inc.
e If you selected LDAP, enter values for the following parameters:

Table 2-9 LDAP Parameters
Server URL Type the URL used to connect to the LDAP server. For example,
ldap://<host>:<port>
You can use a space-separated list to specify multiple LDAP
servers.
SSL Connection From the list box, select True to use Secure Socket Layer (SSL)
encryption when connecting to the LDAP server. The default is
True.
Before enabling the SSL connection to your LDAP server, you
must import the SSL certificate from the LDAP server to the your
QRadar Network Anomaly Detection system. For more
information on how to configure the SSL certificate, see
Configuring your SSL Certificate.
TLS From the list box, select True to start Transport Layer Security
Authentication (TLS) encryption when connecting to the LDAP server. The
default is True.
Search Entire From the list box, select one of the following options:
Base • True - Enables searching all subdirectories of the specified
Directory Name (DN).
• False - Enables searching the immediate contents of the Base
DN. The subdirectories are not searched.
The default is True.
LDAP User Field Type the user field identifier you want to search on, for example,
uid. You can use a comma-separated list to search for multiple
user identifiers.
Base DN Type the base DN for performing searches, for example,
DC=Q1LABS,DC=INC.
Step 6 Click Save.

Your authentication is now configured.

Configuring your SSL If you use LDAP for user authentication and you want to enable SSL, you must
Certificate configure your SSL certificate.
To configure your SSL certificate for connection to your LDAP server:

Step 1 Using SSH, log in to QRadar Network Anomaly Detection as the root user.
User Name: root
Password: <password>
Step 2 Type the following command to create the /opt/qradar/conf/trusted_certificates/
directory:
mkdir -p /opt/qradar/conf/trusted_certificates
Step 3 Copy the SSL certificate from the LDAP server to the
/opt/qradar/conf/trusted_certificates directory on your QRadar Network Anomaly
Detection system.
Step 4 Verify that the certificate file name extension is .cert, which indicates that the
certificate is trusted. QRadar Network Anomaly Detection only loads .cert files.

Using features in the System Configuration pane of the Admin tab, you can
manage your license keys, restart or shut down your system, and configure access
settings.

• Managing Your License Keys
• Restarting a System
• Shutting Down a System
• Configuring Access Settings
Managing Your For your IBM Security QRadar Network Anomaly Detection Console, a default
License Keys license key provides you access to the QRadar Network Anomaly Detection user
interface for 5 weeks. You must manage your license key using the System and
License Management window, which you can access using the Admin tab. This
window provides the status of the license key for each system (host) in your
deployment. Statuses include:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see
Updating your License Key.
• Override Console License - This host is using the Console license key. You
can use the Console key or apply a license key for this system. If you want to
use the Console license for any system in your deployment, click Revert to
Console on the License window.
A license key allows a certain number of log sources to be configured in your

system. If you exceed the limit of configured logs sources, as established by the
license key, an error message is displayed. If additional log sources are
auto-discovered, they are automatically disabled. To extend the number of log
sources allowed, contact your marketing representative.

• Updating your License Key
• Exporting Your License Key Information

Updating your For your QRadar Network Anomaly Detection Console, a default license key
License Key provides you with access to the QRadar Network Anomaly Detection user interface
for 5 weeks. Choose one of the following options for assistance with your license
key:
• For a new or updated license key, contact your local sales representative.
• For all other technical issues, contact Customer Support.
If you log in to QRadar Network Anomaly Detection and your Console license key
has expired, you are automatically directed to the System and License
Management window. You must update the license key before you can continue. If
one of your non-Console systems includes an expired license key, a message is
displayed when you log in indicating a system requires a new license key. You
must navigate to the System and License Management window to update that
license key.
To update your license key:

Step 2 On the navigation menu, click System Configuration.
Step 3 Click the System and License Management icon.
The System and License Management window displays a list of all hosts in your
deployment.
Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License.
The License window displays the current license key limits. If you want to obtain
additional licensing capabilities, contact your sales representative.
Step 6 Click Browse beside the New License Key File field and select the license key.
Step 7 Click Open.
Step 8 Click Save.
Step 9 On the System and License Management window, click Deploy License Key.
NOTE
If you want to revert back to the previous license key, click Revert to Deployed. If
you revert to the license key used by the QRadar Network Anomaly Detection
Console system, click Revert to Console.
The license key information is updated in your deployment.

Restarting a System 31
Exporting Your To export your license key information for all systems in your deployment:
License Key
Information
The System and License Management window displays a list of all hosts in your
deployment.
Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses.
Step 6 Select one of the following options:
• Open with - Opens the license key data using the selected application.
• Save File - Saves the file to your desktop.
Step 7 Click OK.
Restarting a To restart a QRadar Network Anomaly Detection system:

System
Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.
NOTE
Data collection stops while the system is shutting down and restarting.
Shutting Down a To shutdown a QRadar Network Anomaly Detection system:

System
Step 4 Select the system you want to shut down.
Step 5 From the Actions menu, select Shutdown.
NOTE
Data collection stops while the system is shutting down.

Configuring The System and License Management window provides access to the System
Access Settings Setup window, which allows you to configure firewall rules, interface roles,
passwords, and system time.

• Configuring Firewall Access
• Updating Your Host Setup
• Configuring Interface Roles
• Changing Passwords
• Updating System Time
NOTE
If you require network setting changes, such as changing an IP address, to your
Console and non-Console systems after your deployment is initially installed, you
must use the qchange_netsetup utility to make these changes. For more
information on changing network settings, see the IBM Security QRadar Network
Anomaly Detection Installation Guide.
Configuring Firewall You can configure local firewall access to enable communications between
Access devices and QRadar Network Anomaly Detection. Also, you can define access to
the System Setup window.
To enable QRadar Network Anomaly Detection managed hosts to access specific

devices or interfaces:
Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Setup window. The default is:
User Name: root
Password: <your root password>
NOTE
The user name and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Local Firewall.
Step 8 In the Device Access box, you must include any QRadar Network Anomaly
Detection systems you want to access to this managed host. Only the listed
managed hosts have access. For example, if you only enter one IP address, only
that IP address is granted access to the managed host. All other managed hosts
are blocked.
To configure access:

Configuring Access Settings 33
a In the IP Address field, type the IP address of the managed host you want to
have access.
b From the Protocol list box, select the protocol you want to enable access for
the specified IP address and port. Options include:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, type the port on which you want to enable communications.
NOTE
If you change the External Flow Source Monitoring Port parameter in the
QFlow configuration, you must also update your firewall access configuration. For
more information about QFlow configuration, see Using the Deployment Editor.
d Click Allow.
Step 9 In the System Administration Web Control box, type the IP addresses of
managed hosts that you want to allow access to the System Setup window in the
IP Address field. Only IP addresses listed have access to the QRadar Network
Anomaly Detection user interface. If you leave the field blank, all IP addresses
have access. Click Allow.
NOTE
Make sure you include the IP address of your client desktop you want to use to
access the QRadar Network Anomaly Detection user interface. Failing to do so
may affect connectivity.
Step 10 Click Apply Access Controls.

Wait for the System Setup window to refresh before continuing to another task.
Updating Your Host You can use the System Setup window to configure the mail server you want
Setup QRadar Network Anomaly Detection to use and the global password for QRadar
Network Anomaly Detection configuration:
To configure your host setup:

Step 4 Select the host for which you want to update your host setup settings.
User Name: root

NOTE
Step 7 From the menu, select Managed Host Config > QRadar Setup.
Step 8 In the Mail Server field, type the address for the mail server you want QRadar
Network Anomaly Detection to use. QRadar Network Anomaly Detection uses this
mail server to distribute alerts and event messages. To use the mail server
provided with QRadar Network Anomaly Detection, type localhost.
Step 9 In the Enter the global configuration password, type the password you want to
use to access the host. Type the password again for confirmation.
The global configuration password does not accept special characters. The global
configuration password must be the same throughout your deployment. If you edit
this password, you must also edit the global configuration password on all systems
in your deployment.
Step 10 Click Apply Configuration.
Configuring Interface You can assign specific roles to the network interfaces on each managed host.
Roles
To assign roles:
Step 4 Select the host for which you want to configure interface role settings.
User Name: root
NOTE
Step 7 From the menu, select Managed Host Config > Network Interfaces.
NOTE
For assistance with determining the appropriate role for each interface, contact
Customer Support.
Step 8 For each interface listed, select the role you want to assign to the interface from
the Role list box.
Step 9 Click Save Configuration.
Step 10 Wait for the System Setup window to refresh before continuing.

Changing Passwords To change the passwords:

Step 4 Select the host for which you want to configure interface role settings.
User Name: root
NOTE
Step 7 From the menu, select Managed Host Config > Root Password.
Step 8 Update the passwords:
Make sure you record the entered values. The root password does not accept the
following special characters: apostrophe (‘), dollar sign ($), exclamation mark (!).
• New Root Password - Type the root password necessary to access the
System Setup window.
• Confirm New Root Password - Type the password again for confirmation.
Step 9 Click Update Password.
Updating System You are able to change the time for the following options:
Time • System time
• Hardware time
• Time Zone
• Time Server
NOTE
All system time changes must be made within the System Time page. You can
only change the system time information on the host operating the Console. The
change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Manually Configuring Time Settings For Your System
Configuring Your Time Server Using RDATE

To update the time settings using RDATE:


Step 4 Select the host for which you want to configure system time settings.
User Name: root
NOTE
Step 7 From the menu, select Managed Host Config > System Time.
Step 8 Configure the time zone:
a Click the Change time zone tab.
b From the Change timezone to list box, select the time zone in which this
managed host is located.
c Click Save.
Step 9 Configure the time server:
a Click the Time server sync tab.
b Configure the following parameters:
Table 3-1 Time Server Parameters
Timeserver hostnames or Type the time server host name or IP address.
addresses
Set hardware time too Select the check box if you want to set the hardware
time.
Synchronize on schedule? Select one of the following options:
• No - Select this option if you do not want to
synchronize the time. Go to c.
• Yes - Select this option if you want to synchronize
the time.
Simple Schedule Select this option if you want the time update to
occur at a specific time. After you select this option,
select a simple schedule from the list box.
Times and dates are selected Select this option to specify time you want the time
below update to occur. After you select this option, select
the times and dates in the list boxes.
c Click Sync and Apply.

Manually Configuring Time Settings For Your System

To update the time settings for your system:
Step 4 Select the host for which you want to configure system time settings.
User Name: root
NOTE
Step 7 From the menu, select Managed Host Config > System Time.
Step 8 Click the Set time tab.
The Set Time page is divided into tabs. You must save each setting before
continuing. For example, when you configure system time, you must click Apply in
the System Time pane before continuing.
Step 9 Set the system time:
a Choose one of the following options:
- In the System Time pane, using the list boxes, select the current date and
time you want to assign to the managed host.
- Click Set system time to hardware time.
b Click Apply.
Step 10 Set the hardware time:
a Choose one of the following options:
- In the Hardware Time pane, using the list boxes, select the current date and
time you want to assign to the managed host.
- Click Set hardware time to system time.
b Click Save.
Step 11 Configure the time zone:
a Click the Change time zone tab.
b From the Change Timezone To list box, select the time zone in which this
managed host is located.
c Click Save.

4 SETTING UP IBM SECURITY
QRADAR NETWORK ANOMALY
DETECTION
Using various options on the Admin tab, you can configure your network
hierarchy, automatic updates, system settings, event and flow retention buckets,
system notifications, console settings, offense close reasons, and index
management.

• Creating Your Network Hierarchy
• Managing Automatic Updates
• Configuring System Settings
• Using Event and Flow Retention Buckets
• Configuring System Notifications
• Configuring the Console Settings
• Managing Custom Offense Close Reasons
• Index Management
Creating Your QRadar Network Anomaly Detection uses the network hierarchy to understand
Network Hierarchy your network traffic and provide you with the ability to view network activity for your
entire deployment.
When you develop your network hierarchy, you should consider the most effective
method for viewing network activity. The network you configure in QRadar Network
Anomaly Detection does not have to resemble the physical deployment of your
network. QRadar Network Anomaly Detection supports any network hierarchy that
can be defined by a range of IP addresses. You can create your network based on
many different variables, including geographical or business units.
Best Practices Consider the following best practice s when defining your network hierarchy:
• To create a clear view of your network, group together systems and user groups
that have similar behavior.
• If your deployment is processing more than 600,000 flows, create multiple
top-level groups.

40 SETTING UP IBM SECURITY QRADAR NETWORK ANOMALY DETECTION
• Organize your systems and networks by role or similar traffic patterns. For
example, mail servers, departmental users, labs, or development groups. This
organization allows you to differentiate network behavior and enforce network
management security policies.
• Do not group a server that has unique behavior with other servers on your
network. Placing a unique server alone provides the server greater visibility in
QRadar Network Anomaly Detection, allowing you to manage specific policies.
• Within a group, place servers with high volumes of traffic, such as mail servers,
at the top of the group. This provides you with a clear visual representation
when a discrepancy occurs.
• Do not configure a network group with more than 15 objects. Large network
groups can cause you difficulty in viewing detailed information for each object.
• Combine multiple Classless Inter-Domain Routings (CIDRs) or subnets into a
single network group to conserve disk space. For example:
Group Description IP Address
1 Marketing 10.10.5.0/24
2 Sales 10.10.8.0/21
3 Database Cluster 10.10.1.3/32
10.10.1.4/32
10.10.1.5/32
• Add key servers as individual objects and group other major but related servers
into multi-CIDR objects.
• Define an all-encompassing group so when you define new networks, the
appropriate policies and behavioral monitors are applied. For example:
Group Subgroup IP Address
Cleveland Cleveland misc 10.10.0.0/16
Cleveland Cleveland Sales 10.10.8.0/21
Cleveland Cleveland Marketing 10.10.1.0/24
If you add a new network to the above example, such as 10.10.50.0/24, which
is an HR department, the traffic is displayed as Cleveland-based and any rules
applied to the Cleveland group are applied by default.
Defining Your To define your network hierarchy:

Network Hierarchy
Step 3 Click the Network Hierarchy icon.
Step 4 From the menu tree, select the area of the network in which you want to add a
network object.

Creating Your Network Hierarchy 41
Step 5 Click Add.

Table 4-1 Add New Object Parameters
Parameter Action
Group From the list box, select the group in which you want to add the
new network object.
If required, you can create a new group.
1 Click Add Group.
2 Type a unique name for the group.
3 Click OK.
Name Type a unique name for the object.
Weight Type or select the weight of the object. The range is 0 to 100 and
indicates the importance of the object in the system.
IP/CIDR(s) Type the CIDR range for this object and click Add. For more
information on CIDR values, see Acceptable CIDR Values.
Description Type a description for this network object.
Color Click Select Color and select a color for this object.
Database Length From the list box, select the database length.
Step 7 Click Save.

Step 8 Repeat for all network objects.
Step 9 Click Re-Order.
Step 10 Organize the network objects as required.
Step 11 Click Save.
Acceptable CIDR Values

The following table provides a list of the CIDR values that QRadar Network
Anomaly Detection accepts:
Table 4-2 Acceptable CIDR Values
CIDR Number of
Length Mask Networks Hosts
/1 128.0.0.0 128 A 2,147,483,392
/2 192.0.0.0 64 A 1,073,741,696
/3 224.0.0.0 32 A 536,870,848
/4 240.0.0.0 16 A 268,435,424
/5 248.0.0.0 8A 134,217,712
/6 252.0.0.0 4A 67,108,856
/7 254.0.0.0 2A 33,554,428
/8 255.0.0.0 1A 16,777,214

Table 4-2 Acceptable CIDR Values (continued)
CIDR Number of
Length Mask Networks Hosts
/9 255.128.0.0 128 B 8,388,352
/10 255.192.0.0 64 B 4,194,176
/11 255.224.0.0 32 B 2,097,088
/12 255.240.0.0 16 B 1,048,544
/13 255.248.0.0 8B 524,272
/14 255.252.0.0 4B 262,136
/15 255.254.0.0 2B 131,068
/16 255.255.0.0 1B 65,534
/17 255.255.128.0 128 C 32,512
/18 255.255.192.0 64 C 16,256
/19 255.255.224.0 32 C 8,128
/20 255.255.240.0 16 C 4,064
/21 255.255.248.0 8C 2,032
/22 255.255.252.0 4C 1,016
/23 255.255.254.0 2C 508
/24 255.255.255.0 1C 254
/25 255.255.255.128 2 subnets 124
/26 255.255.255.192 4 subnets 62
/27 255.255.255.224 8 subnets 30
/28 255.255.255.240 16 subnets 14
/29 255.255.255.248 32 subnets 6
/30 255.255.255.252 64 subnets 2
/31 255.255.255.254 none none
/32 255.255.255.255 1/256 C 1
For example, a network is called a supernet when the prefix boundary contains
fewer bits than the natural (or classful) mask of the network. A network is called a
subnet when the prefix boundary contains more bits than the natural mask of the
network:
• 209.60.128.0 is a class C network address with a mask of /24.
• 209.60.128.0 /22 is a supernet that yields:
209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24
• 192.0.0.0 /25

Managing Automatic Updates 43
Subnet Host Range

0 192.0.0.1-192.0.0.126
1 192.0.0.129-192.0.0.254
• 192.0.0.0 /26
Subnet Host Range
0 192.0.0.1 - 192.0.0.62
1 192.0.0.65 - 192.0.0.126
2 192.0.0.129 - 192.0.0.190
3 192.0.0.193 - 192.0.0.254
• 192.0.0.0 /27
Subnet Host Range
0 192.0.0.1 - 192.0.0.30
1 192.0.0.33 - 192.0.0.62
2 192.0.0.65 - 192.0.0.94
3 192.0.0.97 - 192.0.0.126
4 192.0.0.129 - 192.0.0.158
5 192.0.0.161 - 192.0.0.190
6 192.0.0.193 - 192.0.0.222
7 192.0.0.225 - 192.0.0.254
Managing QRadar Network Anomaly Detection uses system configuration files to provide
Automatic Updates useful characterizations of network data flows. You can automatically or manually
update your configuration files to ensure your configuration files contain the latest
network security information.
Update files are available for manual download from the Qmmunity website:
https://qmmunity.q1labs.com/
QRadar Network Anomaly Detection update files can include the following
updates:
• Configuration updates, which include configuration file changes, vulnerability,

QID map, and security threat information updates.
• DSM updates, which include corrections to parsing issues, scanner changes,
and protocol updates.
• Major updates, which include items such as updated JAR files.
• Minor updates, which include items such as additional Online Help content or
updated scripts.

QRadar Network Anomaly Detection allows you to either replace your existing
configuration files or integrate the updated files with your existing files to maintain
the integrity of your current configuration and information.
After you install updates on your Console and deploy your changes, the Console
updates its managed hosts if your deployment is defined in your deployment editor.
For more information on using the deployment editor, see Using the Deployment
Editor.
CAUTION
Failing to build your system and event views in the deployment editor before you
configure automatic or manual updates results in your managed hosts not being
updated.
The Console must be connected to the Internet to receive the updates. If your
Console is not connected to the Internet, you must configure an internal update
server for your Console to download the files from. For more information on setting
up an automatic update server, see the Setting Up a QRadar Update Server
Technical Note.

• Viewing Your Pending Updates
• Configuring Automatic Update Settings
• Scheduling an Update
• Clearing Scheduled Updates
• Checking for New Updates
• Manually Installing Automatic Updates
• Viewing Your Update History
• Restoring Hidden Updates
• Viewing the Autoupdate Log

Viewing Your Your system is preconfigured to perform weekly automatic updates. If no updates
Pending Updates are displayed in the Updates window, either your system has not been in operation
long enough to retrieve the weekly updates or no updates have been issued. If this
occurs, you can manually check for new updates. For more information on
checking for new updates, see Checking for New Updates.
To view your pending updates:

Step 3 Click the Auto Update icon.
The window automatically displays the Check for Updates page, providing the
following information:
Table 4-3 Check for Updates Window Parameters
Updates were Specifies the date and time the last update was installed. If no
installed updates have been installed, this following text is displayed: No
updates have been installed.
Next Check for Specifies the date and time the next update is scheduled to be
Updates installed. If auto updates are disabled, the following text is
displayed: Auto Update Schedule is disabled.
Name Specifies the name of the update.
Type Specifies the type of update. Types include:
• DSM, Scanner, Protocol Updates
• Minor Updates
Status Specifies the status of the update. Status types include:
• New - The update is not yet scheduled to be installed.
• Scheduled - The update is scheduled to be installed.
• Installing - The update is currently installing.
• Failed - The updated failed to install.
Date to Install Specifies the date on which this update is scheduled to be
installed.
The Check for Updates page toolbar provides the following functions:
Table 4-4 Check for Updates Page Parameters Toolbar Functions
Hide Select one or more updates, and then click Hide to remove the
selected updates from the Check for Updates page. You can
view and restore the hidden updates on the Restore Hidden
Updates page. For more information, see Restoring Hidden
Updates.

Table 4-4 Check for Updates Page Parameters Toolbar Functions (continued)
Install From this list box, you can manually install updates. When you
manually install updates, the installation process starts within a
minute. For more information, see Manually Installing
Automatic Updates.
Schedule From this list box, you can configure a specific date and time to
manually install selected updates on your Console. This is useful
when you want to schedule the update installation during
off-peak hours. For more information, see Scheduling an
Update.
Unschedule From this list box, you can remove preconfigured schedules for
manually installing updates on your Console. For more
information, see Scheduling an Update.
Search By Name In this text box, you can type a keyword and then press Enter to
locate a specific update by name.
Next Refresh This counter displays the amount of time until the next automatic
refresh. The list of updates on the Check for Updates page
automatically refreshes every 60 seconds. The timer is
automatically paused when you select one or more updates.
Pause Click this icon to pause the automatic refresh process. To
resume automatic refresh, click the Play icon.
Refresh Click this icon to manually refresh the list of updates.
Step 4 To view details on an update, select the update.

The description and any error messages are displayed in the right pane of the
window.
Configuring You can customize the automatic update settings to change the frequency, update
Automatic Update type, server configuration, and backup settings.
Settings To configure automatic updates settings:
Step 4 On the navigation menu, click Change Settings.
Step 5 In the Auto Update Schedule pane, configure the schedule for updates:

Table 4-5 Schedule Update Pane Parameters
Frequency From this list box, select the frequency with which you want to
receive updates. Options include:
• Disabled
• Weekly
• Monthly
• Daily
The default frequency is Weekly.
Hour From this list box, select the time of day you want your system to
update. The default hour is 3 am.
Week Day This option is only available if you select Weekly as the update
frequency.
From this list box, select the day of the week you want to
receive updates. The default week day is Monday.
Month Day This option is only active when you select Monthly as the update
frequency.
From this list box, select the day of the month you want to
receive updates. The default month day is 1.
Step 6 In the Update Types pane, configure the types of updates you want to install:
Table 4-6 Choose Updates Pane Parameters
Configuration From this list box, select the method you want to use for updating
Updates your configuration files:
• Auto Integrate - Select this option to integrate the new
configuration files with your existing files and maintain the
integrity of your information. This is the default setting.
• Auto Update - Select this option to replace your existing
configuration files with the new configuration files.
• Disable - Select this option to prevent configuration updates.

Table 4-6 Choose Updates Pane Parameters (continued)
DSM, Scanner, From this list box, select one of the following options for DSM
Protocol Updates updates:
• Disable - Select this option to prevent DSM, scanner, and
protocol updates being installed on your system.
• Manual Install - Select this option to download the DSM,
scanner, and protocol updates to the designated download
path location. If you choose this option, you must manually
install the updates. See Manually Installing Automatic
Updates.
• Auto Install - Select this option to download the DSM,
scanner, and protocol updates to the designated download
path location and automatically install the update. This is the
default setting.
Major Updates From this list box, select one of the following options for major
updates:
• Disable - Select this option to prevent major updates being
installed on your system. This is the default setting.
• Download - Select this option to download the major updates
to the designated download path location. If you choose this
option, you must manually install the updates from a
command line interface (CLI). See the readme file in the
download files for installation instructions.
Note: Major updates cause service interruptions during
installation.
Minor Updates From this list box, select one of the following options for minor
updates:
• Disable - Select this option to prevent minor updates being
installed on your system.
• Manual Install- Select this option to download the minor
updates to the designated download path location. if you
choose this option, you must manually install the updates. See
Manually Installing Automatic Updates.
• Auto Install - Select this option to automatically install minor
updates on your system. This is the default setting.
Step 7 Select the Auto Deploy check box if you want to deploy update changes
automatically after updates are installed.
If this check box is clear, a system notification is displayed on the Dashboard tab
indicating that you must deploy changes after updates are installed. By default, the
check box is selected.
Step 8 Select the Auto Restart Service check box if you want to restart the user interface
service automatically after updates are installed.
When this option is enabled, automatic updates that require the user interface to
restart is automatically performed. A user interface disruption occurs when the

service restarts. When this option is disabled, updates that require your user
interface to restart are prevented from automatically installing. You can manually
install the updated from the Check for Updates window.
Step 9 Click the Advanced tab.
Step 10 In the Server Configuration pane, configure the server settings:
Table 4-7 Server Configuration Pane Parameters
Web Server Type the web server from which you want to obtain the updates.
The default web server is:
https://qmmunity.q1labs.com/
Directory Type the directory location on which the web server stores the
updates. The default directory is autoupdates/.
Proxy Server Type the URL for the proxy server. The proxy server is only
required if the application server uses a proxy server to connect
to the Internet.
Proxy Port Type the port for the proxy server. The proxy port is only required
if the application server uses a proxy server to connect to the
Internet.
Proxy Username Type the user name for the proxy server. A user name is only
required if you are using an authenticated proxy.
Proxy Password Type the password for the proxy server. A password is only
required if you are using an authenticated proxy.
Step 11 In the Other Settings pane, configure the update settings:
Table 4-8 Update Settings Pane Parameters
Send feedback Select this check box if you want to send feedback to IBM
regarding the update. Feedback is sent automatically using a
web form when errors occur with the update. By default, this
check box is clear.
Backup Retention Type or select the length of time, in days, that you want to store
Period (days) files that are replaced during the update process. The files are
stored in the location specified in the Backup Location
parameter. The default backup retention period is 30 days. The
minimum is 1 day and the maximum is 65535 years.
Backup Location Type the location where you want to store backup files.
Download Path Type the directory path location to which you want to store DSM,
minor, and major updates. The default directory path is
/store/configservices/staging/updates.
Step 12 Click Save.

Scheduling an QRadar Network Anomaly Detection performs automatic updates on a recurring

Update schedule according to the settings on the Update Configuration page; however, if
you want to schedule an update or a set of updates to run at a specific time, you
can schedule an update using the Schedule the Updates window. This is useful
when you want to schedule a large update to run during off-peak hours, thus
reducing any performance impacts on your system.
For detailed information on each update, select the update. A description and
any error messages are displayed in the right pane of the window.
To schedule an update:
Step 4 Optional. If you want to schedule specific updates, select the updates you want to
schedule.
Step 5 From the Schedule list box, select the type of update you want to schedule.
Options include:
• All Updates
• Selected Updates
• Minor Updates
Step 6 Using the calendar, select the start date and time of when you want to start your
scheduled updates.
Step 7 Click OK.
The selected updates are now scheduled.
Clearing Scheduled Scheduled updates display a status of Scheduled in the Status field. If required,
Updates you can clear a scheduled update.
To clear scheduled updates:

Step 4 On the navigation menu, click Check for Updates.
Step 5 Optional. If you want to clear specific scheduled updates, select the updates you
want to clear.
Step 6 From the Unschedule list box, select the type of scheduled update you want to
clear. Options include:
• All Updates


• Minor Updates
Step 7 Click OK.
The selected updates are now cleared. The status of the update now displays as
New.
Checking for New IBM provides updates on a regular basis. By default, the Auto Update feature is
Updates scheduled to automatically download and install updates. If you require an update
at a time other than the preconfigured schedule, you can download new updates
using the Get new updates icon.
To check for new updates:

Step 5 Click Get new updates.
Step 6 Click OK.
The system retrieves the new updates from the Qmmunity website. This may take
an extended period of time. When complete, new updates are listed on the
Updates window.
Manually Installing IBM provides updates on a regular basis. By default, the Auto Update feature is
Automatic Updates scheduled to automatically download and install updates. If you want to install an
update at a time other than the preconfigured schedule, you can install an update
using the Install list box on the toolbar.
To manually install automatic updates:
Step 5 Optional. If you want to install specific updates, select the updates you want to
schedule.
Step 6 From the Install list box, select the type of update you want to install. Options
include:
• All Updates
• Minor Updates

Viewing Your Update After an update was successfully installed or failed to install, the update is
History displayed on the View Update History page.
To view your update history:

Step 4 On the navigation menu, click View Update History.
The View Update History page provides the following information:
Table 4-9 View Update Window Parameters
Name Specifies the name of the update.
Type Specifies the type of update. Types include:
• Minor Updates
Status Specifies the status of the update. Status types include:
• Installed
• Failed
Installed Date Specifies the date on which the update was installed or failed.
Step 5 Optional. Using the Search by Name text box, you can type a keyword and then
press Enter to locate a specific update by name.
Step 6 To investigate a specific update, select the update.
A description of the update and any installation error messages are displayed in
the right pane.
Restoring Hidden Using the Hide icon, you can remove selected updates from the Check for Updates
Updates page. You can view and restore the hidden updates on the Restore Hidden Updates
page.
To restore hidden updates:

Step 4 On the navigation menu, click Restore Hidden Updates.
Step 5 Optional. To locate an update by name, type a keyword in the Search by Name
text box and press Enter.
Step 6 Select the hidden update you want to restore.
Step 7 Click Restore.

Configuring System Settings 53
Viewing the The Autoupdate feature logs the most recent automatic update run on your
Autoupdate Log system. You can view the Autoupdate log on the QRadar Network Anomaly
Detection user interface using the View Log feature.
To view the Autoupdate log:
Step 4 On the navigation menu, click View Log.
Configuring To configure system settings:

System Settings
Step 3 Click the System Settings icon.
Table 4-10 System Settings Parameters
System Settings
Administrative Email Type the email address of the designated system
Address administrator. The default email address is
root@localhost.
Alert Email From Address Type the email address from which you want to receive
email alerts. This address is displayed in the From field of
the email alerts. A valid address is required by most email
servers. The default email address is
root@<hostname.domain>.
Resolution Interval Length Resolution interval length determines at what interval the
QRadar QFlow Collectors and Event Collectors send
bundles of information to the Console. From the list box,
select the interval length, in minutes. The options include:
• 30 seconds
• 1 minute (default)
• 2 minutes
Note: If you select the 30 seconds option, results are
displayed on the QRadar Network Anomaly Detection
user interface as the data enters the system.
However, with shorter intervals, the volume of time
series data is larger and the system may experience
delays in processing the information.

Table 4-10 System Settings Parameters (continued)
Delete Root Mail Root mail is the default location for host context
messages. From the list box, select one of the following
options:
• Yes - Delete the local administrator email. This is the
default setting.
• No - Do not delete the local administrator email.
Temporary Files From the list box, select the period of time you want the
Retention Period system to retain temporary files. The default storage
location for temporary files is the /store/tmp directory. The
default retention period is 6 hours. The minimum is 6
hours and the maximum is 2 years.
Asset Profile Reporting Type or select the interval, in seconds, that the database
Interval stores new asset profile information. The default reporting
interval is 900 seconds. The minimum is zero (0) and the
maximum is 4294967294.
Asset Profile Query From the list box, select the period of time for an asset
Period search to process before a time-out occurs. The default
query period is 1 day. The minimum is 1 day and 1 week.
VIS Passive Asset Profile Type or select the interval, in seconds, that the database
Interval stores all passive asset profile information. The default
interval is 86400 seconds. The minimum is zero (0) and
the maximum is 4294967294.
TNC Recommendation Trusted Network Computing (TNC) recommendations
Enable enable you to restrict or deny access to the network
based on user name or other credentials. From the list
box, select one of the following options:
• Yes - Enables the TNC recommendation functionality.
• No - Disables the TNC recommendation functionality.
The default setting is No.
Coalescing Events From the list box, select one of the following options:
• Yes - Enables log sources to coalesce (bundle) events.
• No - Prevents log sources from coalescing (bundling)
events.
This value applies to all log sources. However, if you want
to alter this value for a specific log source, edit the
Coalescing Event parameter in the log source
configuration. For more information, see the IBM Security
QRadar Log Sources Users Guide.
The default setting is Yes.

Store Event Payload From the list box, select one of the following options:
• Yes - Enables log sources to store event payload
information.
• No - Prevents log sources from storing event payload
information.
This value applies to all log sources. However, if you want
to alter this value for a specific log source, edit the Event
Payload parameter in the log source configuration. For
more information, see the IBM Security QRadar Log
Sources Users Guide.
Global Iptables Access Type the IP addresses of non-Console systems that do
not have iptables configuration to which you want to
enable direct access. To enter multiple systems, type a
comma-separated list of IP addresses.
Syslog Event Timeout Type or select the amount of time, in minutes, that the
(minutes) status of a syslog device is recorded as error if no events
have been received within the timeout period. The status
is displayed on the Log Sources window (for more
information, see the IBM Security QRadar Log Sources
Users Guide).
The default setting is 720 minutes (12 hours). The
minimum value is zero (0) and the maximum value is
4294967294.
Partition Tester Timeout Type or select the amount of time, in seconds, for a
(seconds) partition test to perform before a time-out occurs. The
default setting is 30. The minimum is zero (0) and the
maximum is 4294967294. The default setting is 86400.
Max Number of TCP Type or select the maximum number of Transmission
Syslog Connections Control Protocol (TCP) syslog connections you want to
allow your system. The minimum is 0 and the maximum is
4294967294. The default is 2500.
Export Directory Type the location where offense, event, and flow exports
are stored. The default location is /store/exports.
Database Settings
User Data Files Type the location of the user profiles. The default location
is /store/users.
Accumulator Retention - From the list box, select the period of time you want to
Minute-By-Minute retain minute-by-minute data accumulations. The default
setting is 1 week. The minimum is 1 day and the
maximum is 2 years.
Every 60 seconds, the data is aggregated into a single
data set.

Hourly retain hourly data accumulations. The default setting is 33
days. The minimum is 1 day and the maximum is 2 years.
At the end of every hour, the minute-by minute data sets
are aggregated into a single hourly data set.
Daily retain daily data accumulations. The default setting is 1
year. The minimum is 1 day and the maximum is 2 years.
At the end of every day, the hourly data sets are
aggregated into a single daily data set.
Payload Index Retention From the list box, select the amount of time you want to
store event and flow payload indexes. The default setting
is 1 week. The minimum is 1 day and the maximum is 2
years.
For more information on payload indexing, see the
Enabling Payload Indexing for Quick Filtering Technical
Note.
Offense Retention Period From the list box, select the period of time you want to
retain closed offense information. The default setting is 30
days. The minimum is 1 day and the maximum is 2 years.
After the offense retention period has elapsed, closed
offenses are purged from the database.
Note: Offenses can be retained indefinitely as long as
they are not closed and they are still receiving events.
The magistrate automatically closes an offense if the
offense has not received an event for 5 days. This
5-day period is known as the dormant time. If an event
is received during the dormant time, the dormant time
is reset back to zero. When an offense is closed either
by you or the magistrate, the Offense Retention
Period setting is applied.
Attacker History Retention From the list box, select the amount of time that you want
Period to store the attacker history. The default setting is 6
months. The minimum is 1 day and the maximum is 2
years.
Ariel Database Settings
Flow Data Storage Type the location that you want to store the flow log
Location information. The default location is /store/ariel/flows.
Note: This is a global setting, applied to all Consoles and
managed hosts in your deployment.
Asset Profile Storage Type the location where you want to store asset profile
Location information. The default location is /store/ariel/hprof.

Asset Profile Retention From the list box, select the period of time, in days, that
Period you want to store the asset profile information. The default
setting is 30 days. The minimum is 1 day and the
maximum is 2 years.
Log Source Storage Type the location where you want to store the log source
Location information. The default location is /store/ariel/events.
Note: This is a global setting, applied to Consoles and
managed hosts in your deployment.
Search Results Retention From the list box, select the amount of time you want to
Period store event and flow search results. The default setting is
1 day. The minimum is 1 day and the maximum is 3
months.
Reporting Max Matched Type or select the maximum number of results you want a
Results report to return. This value applies to the search results
on the Offenses, Log Activity, and Network Activity
tabs. The default setting is 1,000,000. The minimum value
is zero (0) and the maximum value is 4294967294.
Command Line Max Type or select the maximum number of results you want
Matched Results the AQL command line to return. The default setting is 0.
The minimum value is zero (0) and the maximum value is
4294967294.
Web Execution Time Limit Type or select the maximum amount of time, in seconds,
you want a query to process before a time-out occurs.
This value applies to the search results on the Offenses,
Log Activity, and Network Activity tabs. The default
setting is 600 seconds. The minimum value is zero (0)
and the maximum value is 4294967294.
Reporting Execution Time Type or select the maximum amount of time, in seconds,
Limit for Manual Reports you want a reporting query to process before a time-out
occurs. The default setting is 57600 seconds. The
minimum value is zero (0) and the maximum value is
4294967294.
Command Line Execution Type or select the maximum amount of time, in seconds,
Time Limit you want a query in the AQL command line to process
before a time-out occurs. The default setting is 0 seconds.
The minimum value is zero (0) and the maximum value is
4294967294.
Web Last Minute (Auto From the list box, select the maximum amount of time, in
refresh) Execution Time seconds, you want an auto refresh to process before a
Limit time-out occurs. The default setting is 10 seconds. The
maximum is 40 seconds.

Flow Log Hashing From the list box, select one of the following options:
• Yes - Enables QRadar Network Anomaly Detection to
store a hash file for every stored flow log file.
• No - Prevents QRadar Network Anomaly Detection
from storing a hash file for every stored flow log file.
Event Log Hashing From the list box, select one of the following options:
store a hash file for every stored event log file.
from storing a hash file for every stored event log file.
HMAC Encryption This parameter is only displayed when the Event Log
Hashing or Flow Log Hashing system setting is
enabled.
From the list box, select one of the following options:
encrypt the integrity hashes on stored event and flow
log files.
from encrypting the integrity hashes on stored event
and flow log files.
HMAC Key This parameter is only displayed when the HMAC
Encryption system setting is enabled.
Type the key you want to use for HMAC encryption. The
maximum character length is 128 characters. The key
must be unique.
Verify This parameter is only displayed when the HMAC
Encryption system setting is enabled.
Retype the key you want to use for HMAC encryption.
The key must match the key you typed in the HMAC Key
field.

Hashing Algorithm You can use a hashing algorithm for database integrity.
QRadar Network Anomaly Detection uses the following
hashing algorithm types:
• Message-Digest Hash Algorithm - Transforms digital
signatures into shorter values called Message-Digests
(MD).
• Secure Hash Algorithm (SHA) Hash Algorithm -
Standard algorithm that creates a larger (60 bit) MD.
From the list box, select the log hashing algorithm
you want to use for your deployment.
If the HMAC Encryption parameter is disabled, the

following options are displayed:
• MD2 - Algorithm defined by RFC 1319.
• MD5 - Algorithm defined by RFC 1321.
• SHA-1 - Algorithm defined by Secure Hash Standard
(SHS), NIST FIPS 180-1. This is the default setting.
• SHA-256 - Algorithm defined by the draft Federal
Information Processing Standard 180-2, SHS.
SHA-256 is a 255-bit hash algorithm intended for 128
bits of security against security attacks.
SHA-384 is a bit hash algorithm, created by truncating
the SHA-512 output.
SHA-512 is a bit hash algorithm intended to provide
256 bits of security.
If the HMAC Encryption parameter is enabled, the
following options are displayed:
• HMAC-MD5 - An encryption method based on the
MD5 hashing algorithm.
• HMAC-SHA-1 - An encryption method based on the
SHA-1 hashing algorithm.
• HMAC-SHA-512 An encryption method based on the

Transaction Sentry Settings
Transaction Max Time A transaction sentry detects unresponsive applications
Limit using transaction analysis. If an unresponsive application
is detected, the transaction sentry attempts to return the
application to a functional state.
From the list box, select the length of time you want the
system to check for transactional issues in the database.
The default setting is 10 minutes. The minimum is 1
minute and the maximum is 30 minutes.
Resolve Transaction on From the list box, select whether you want the transaction
Non-Encrypted Host sentry to resolve all error conditions detected on the
Console or non-encrypted managed hosts.
If you select No, the conditions are detected and logged
but you must manually intervene and correct the error.
Resolve Transaction on From the list box, select whether you want the transaction
Encrypted Host sentry to resolve all error conditions detected on the
encrypted managed host.
If you select No, the conditions are detected and logged
but you must manually intervene and correct the error.
SNMP Settings
SNMP Version From the list box, choose one of the following options:
• Disabled - Select this option if you do not want SNMP
responses in the QRadar Network Anomaly Detection
custom rules engine. Disabling SNMP indicates that
you do not want to accept events using SNMP. This
the default.
• SNMPv3 - Select this option if you want to use SNMP
version 3 in your deployment.
• SNMPv2c - Select this option if you want to use SNMP
version 2 in your deployment.
SNMPv2c Settings
Destination Host Type the IP address to which you want to send SNMP
notifications.
Destination Port Type the port number to which you want to send SNMP
notifications. The default port is 162.
Community Type the SNMP community, such as public.
SNMPv3 Settings
Destination Host Type the IP address to which you want to send SNMP
notifications.
Destination Port Type the port to which you want to send SNMP
notifications. The default port is 162.

Username Type the name of the user you want to access SNMP
related properties.
Security Level From the list box, select the security level for SNMP. The
options are:
• NOAUTH_NOPRIV - Indicates no authorization and no
privacy. This the default.
• AUTH_NOPRIV - Indicates authorization is permitted
but no privacy.
• AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol From the list box, select the algorithm you want to use to
authenticate SNMP traps.
Authentication Password Type the password you want to use to authenticate SNMP
traps.
Privacy Protocol From the list box, select the protocol you want to use to
decrypt SNMP traps.
Privacy Password Type the password used to decrypt SNMP traps.
Embedded SNMP Daemon Settings
Enabled From the list box, select one of the following options:
• Yes - Enables access to data from the SNMP Agent
using SNMP requests.
• No - Disables access to data from the SNMP Agent
using SNMP requests.
After you enable the embedded SNMP daemon, you must
access the host specified in the Destination Host
parameter and type qradar in the Username field. A
password is not required. The location where you
configure a destination host to communicate with QRadar
Network Anomaly Detection can vary depending on the
vendor host. For more information on configuring your
destination host to communicate with QRadar Network
Anomaly Detection, see your vendor documentation.
Daemon Port Type the port you want to use for sending SNMP
requests.
Community String Type the SNMP community, such as public. This
parameter only applies if you are using SNMPv2 and
SNMPv3.
IP Access List Type the systems that can access data from the SNMP
agent using an SNMP request. If the Enabled option is
set to Yes, this option is enforced.

IF-MAP Client/Server Settings
IF-MAP Version The Interface For Metadata Access Points (IF-MAP) rule
response enables QRadar Network Anomaly Detection to
publish alert and offense data derived from events, flows,
and offense data on an IF-MAP server.
From the list box, select one of the following options:
• Disabled - Select this option if you want to disable
access to the IF-MAP Server. This is the default
setting. When disabled, the other IF-MAP Client/Server
settings are not displayed.
• 1.1 - Select this option if you want to use IF-MAP
version 1.1 in your deployment.
• 2.0 - Select this option if you want to use IF-MAP
version 2.0 in your deployment.
Server Address Type the IP address of the IF-MAP server.
Basic Server Port Type or select the port number for the basic IF-MAP
server. The default port is 8443.
Credential Server Port Type or select the port number for the credential server.
The default port is 8444.
Authentication Before you can configure IF-MAP authentication, you
must configure your IF-MAP server certificate. For more
information on how to configure your IF-MAP certificate,
see Configuring your IF-MAP Server Certificates.
Using the list box, select the authentication type from the
following options:
• Basic - Select this option to use basic authentication.
When you select this option, the Username and User
Password parameters are displayed.
• Mutual - Select this option to use mutual
authentication. When you select this option, the Key
Password parameter is displayed. The default
authentication type is Mutual.
Key Password This setting is displayed only when you select the Mutual
option for the Authentication setting.
Type the key password to be shared between the IF-MAP
client and server.
Username This setting is displayed only when you select the Basic
Type the user name required to access the IF-MAP
server.
User Password This setting is displayed only when you select the Basic
Type the password required to access the IF-MAP server.

Step 5 Click Save.

Step 6 On the Admin tab menu, select Advanced > Deploy Full Configuration.
Configuring your Before you can configure IF-MAP authentication, you must configure your IF-MAP
IF-MAP Server server certificate.
Certificates
• Configuring IF-MAP Server Certificate for Basic Authentication
• Configuring IF-MAP Server Certificate for Mutual Authentication
Configuring IF-MAP Server Certificate for Basic Authentication

To configure your IF-MAP certificate for basic authentication:
Step 1 Contact your IF-MAP server administrator to obtain a copy of the IF-MAP server
public certificate. The certificate must have the .cert file extension, for example,
ifmapserver.cert.
Step 2 Log in to QRadar Network Anomaly Detection as root and copy the certificate to
the /opt/qradar/conf/trusted_certificates directory.
Configuring IF-MAP Server Certificate for Mutual Authentication

Mutual authentication requires certificate configuration on your QRadar Network
Anomaly Detection Console and your IF-MAP server. For assistance configuring
the certificate on your IF-MAP server, contact your IF-MAP server administrator.
To configure your IF-MAP certificate for mutual authentication:

Step 1 Contact your IF-MAP server administrator to obtain a copy of the IF-MAP server
public certificate. The certificate must have the .cert file extension, for example,
ifmapserver.cert.
Step 2 Using SSH, log in to QRadar Network Anomaly Detection as the root user and
access the certificate to the /opt/qradar/conf/trusted_certificates directory
Step 3 Copy the SSL intermediate certificate and SSL Verisign root certificate to your
IF-MAP server as CA certificates. For assistance, contact your IF-MAP server
administrator.
Step 4 Type the following command to create the Public-Key Cryptography Standards file
with the .pkcs12 file extension using the following command:
openssl pkcs12 -export -inkey <private_key> -in <certificate>
-out <pkcs12_filename.pkcs12> -name "IFMAP Client"
Step 5 Type the following command to copy the pkcs12 file to the
/opt/qradar/conf/key_certificates directory:
cp <pkcs12_filename.pkcs12> /opt/qradar/conf/key_certificates
Step 6 Create a client on the IF-MAP server with the Certificate authentication and upload
the SSL certificate. For assistance, contact your IF-MAP server administrator.
Step 7 Change the permissions of the directory by typing the following commands:

chmod 755 /opt/qradar/conf/trusted_certificates

chmod 644 /opt/qradar/conf/trusted_certificates/*.cert
Step 8 Type the following command to restart the Tomcat service:
service tomcat restart
Using Event and Using the Event Retention and Flow Retention features available on the Admin
Flow Retention tab, you can configure retention buckets. Each retention bucket defines a retention
Buckets policy for events and flows that match custom filter requirements. As QRadar
Network Anomaly Detection receives events and flows, each event and flow is
compared against retention bucket filter criteria. When an event or flow matches a
retention bucket filter, it is stored in that retention bucket until the retention policy
time period is reached. This feature enables you to configure multiple retention
buckets.
Retention buckets are sequenced in priority order from the top row to the bottom
row on the Event Retention and Flow Retention windows. A record is stored in the
bucket that matches the filter criteria with highest priority. If the record does not
match any of your configured retention buckets, the record is stored in the default
retention bucket, which is always located below the list of configurable retention
buckets.

• Configuring Event Retention Buckets
• Configuring Flow Retention Buckets
• Managing Retention Buckets
Configuring Event By default, the Event Retention feature provides a default retention bucket and 10
Retention Buckets unconfigured retention buckets. Until you configure an event retention bucket, all
events are stored in the default retention bucket.
To configure an event retention bucket:

Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
The Event Retention window provides the following information for each retention
bucket:
Table 4-11 Event Retention Window Parameters
Order Specifies the priority order of the retention buckets.
Name Specifies the name of the retention bucket.
Retention Specifies the retention period of the retention bucket.

Using Event and Flow Retention Buckets 65
Table 4-11 Event Retention Window Parameters (continued)
Compression Specifies the compression policy of the retention bucket.
Deletion Policy Specifies the deletion policy of the retention bucket.
Filters Specifies the filters applied to the retention bucket. Move your
mouse pointer over the Filters parameter for more information on
the applied filters.
Distribution Specifies the retention bucket usage as a percentage of total
event retention in all your retention buckets.
Enabled Specifies whether the retention bucket is enabled (true) or
disabled (false). The default setting is true.
Creation Date Specifies the date and time the retention bucket was created.
Modification Date Specifies the date and time the retention bucket was last
modified.
The Event Retention toolbar provides the following functions:

Table 4-12 Event Retention Window Toolbar
Edit Click Edit to edit a retention bucket. For more information on
editing a retention bucket, see Editing a Retention Bucket.
Enable/Disable Click Enable/Disable to enable or disable a retention bucket.
For more information on enabling and disabling retention
buckets, see Enabling and Disabling a Retention Bucket.
Delete Click Delete to delete a retention bucket. For more
information on deleting retention buckets, see Deleting a
Retention Bucket.
Step 4 Double-click the first available retention bucket.

Table 4-13 Retention Properties Window Parameters
Name Type a unique name for the retention bucket.
Keep data placed From the list box, select a retention period. When the retention
in this bucket for period is reached, events are deleted according to the Delete
data in this bucket parameter. The default setting is 1 month.
The minimum is 1 day and the maximum is 2 years.

Table 4-13 Retention Properties Window Parameters (continued)
Allow data in this Select the check box to enable data compression, and then
bucket to be select a time frame from the list box. When the time frame is
compressed reached, all events in the retention bucket are eligible to be
compressed. This increases system performance by
guaranteeing that no data is compressed within the specified time
period. Compression only occurs when used disk space reaches
83% for payloads and 85% for records.
The default setting is 1 week. The minimum is Never and the
maximum is 2 weeks.
Delete data in this From the list box, select a deletion policy. Options include:
bucket • When storage space is required - Select this option if you
want events that match the Keep data placed in this bucket
for parameter to remain in storage until the disk monitoring
system detects that storage is required. If used disk space
reaches 85% for records and 83% for payloads, data will be
deleted. Deletion continues until the used disk space reaches
82% for records and 81% for payloads.
When storage is required, only events that match the Keep
data placed in this bucket for parameter are deleted.
• Immediately after the retention period has expired - Select
this option if you want events to be deleted immediately on
matching the Keep data placed in this bucket for parameter.
The events are deleted at the next scheduled disk
maintenance process, regardless of free disk space or
compression requirements.
Description Type a description for the retention bucket. This field is optional.
Current Filters In the Current Filters pane, configure your filters.
To add a filter:
1 From the first list box, select a parameter you want to filter for.
For example, Device, Source Port, or Event Name.
2 From the second list box, select the modifier you want to use
for the filter. The list of modifiers depends on the attribute
selected in the first list.
3 In the text field, type specific information related to your filter.
4 Click Add Filter.
The filters are displayed in the Current Filters text box. You can
select a filter and click Remove Filter to remove a filter from the
Current Filter text box.
Step 6 Click Save.

Your event retention bucket configuration is saved.
Step 7 Click Save.
Your event retention bucket starts storing events that match the retention
parameters immediately.

Configuring Flow By default, the Flow Retention feature provides a default retention bucket and 10
Retention Buckets unconfigured retention buckets. Until you configure a flow retention bucket, all
flows are stored in the default retention bucket.
To configure a flow retention bucket:

Step 3 Click the Flow Retention icon.
The Flow Retention window provides the following information for each retention
bucket:
Table 4-14 Flow Retention Window Parameters
Order Specifies the priority order of the retention buckets.
Name Specifies the name of the retention bucket.
Retention Specifies the retention period of the retention bucket.
Compression Specifies the compression policy of the retention bucket.
Deletion Policy Specifies the deletion policy of the retention bucket.
Filters Specifies the filters applied to the retention bucket. Move your
mouse pointer over the Filters parameter for more information on
the applied filters.
Distribution Specifies the retention bucket usage as a percentage of total
event or flow retention in all your retention buckets.
Enabled Specifies whether the retention bucket is enabled (true) or
disabled (false). The default setting is true.
Creation Date Specifies the date and time the retention bucket was created.
Modification Date Specifies the date and time the retention bucket was last
modified.
The Flow Retention toolbar provides the following functions:

Table 4-15 Flow Retention Window Toolbar
Edit Click Edit to edit a retention bucket. For more information on
editing a retention bucket, see Editing a Retention Bucket.
Enable/Disable Click Enable/Disable to enable or disable a retention bucket.
By default, retention buckets are enabled. For more
information on disabling retention buckets, see Enabling and
Disabling a Retention Bucket.
Delete Click Delete to delete a retention bucket. For more
information on deleting retention buckets, see Deleting a
Retention Bucket.
Step 4 Double-click the first available retention bucket.


Table 4-16 Retention Properties Window Parameters
Name Type a unique name for the retention bucket.
Keep data placed From the list box, select a retention period. When the retention
in this bucket for period is reached, flows are deleted according to the Delete data
in this bucket parameter. The default setting is 1 month. The
minimum is 1 day and the maximum is 2 years.
Allow data in this Select the check box to enable data compression, and then
bucket to be select a time frame from the list box. When the time frame is
compressed reached, all flows in the retention bucket are eligible to be
compressed. This increases system performance by
guaranteeing that no data is compressed within the specified time
period. Compression only occurs when used disk space reaches
83% for payloads and 85% for records.
The default setting is 1 week. The minimum is Never and the
maximum is 2 weeks.
Delete data in this From the list box, select a deletion policy. Options include:
bucket • When storage space is required - Select this option if you
want events that match the Keep data placed in this bucket
for parameter to remain in storage until the disk monitoring
system detects that storage is required. If used disk space
reaches 85% for records and 83% for payloads, data will be
deleted. Deletion continues until the used disk space reaches
82% for records and 81% for payloads.
When storage is required, only events that match the Keep
data placed in this bucket for parameter are deleted.
• Immediately after the retention period has expired - Select
this option if you want events to be deleted immediately on
matching the Keep data placed in this bucket for parameter.
The events are deleted at the next scheduled disk
maintenance process, regardless of free disk space or
compression requirements.
Description Type a description for the retention bucket. This field is optional.

Table 4-16 Retention Properties Window Parameters (continued)
Current Filters In the Current Filters pane, configure your filters.
To add a filter:
1 From the first list box, select a parameter you want to filter for.
For example, Device, Source Port, or Event Name.
2 From the second list box, select the modifier you want to use
for the filter. The list of modifiers depends on the attribute
selected in the first list.
3 In the text field, type specific information related to your filter.
4 Click Add Filter.
The filters are displayed in the Current Filters text box. You can
select a filter and click Remove Filter to remove a filter from the
Current Filter text box.
Note: This parameter is not displayed when editing the default
retention bucket.
Step 6 Click Save.

Your flow retention bucket is saved and starts storing flows that match the retention
parameters immediately.
Managing Retention After you configure your retention buckets, you can manage the buckets using the
Buckets Event Retention and Flow Retention windows.

• Managing Retention Bucket Sequence
• Editing a Retention Bucket
• Enabling and Disabling a Retention Bucket
• Deleting a Retention Bucket
Managing Retention Bucket Sequence

Retention buckets are sequenced in priority order from the top row to the bottom
row on the Event Retention and Flow Retention windows. A record is stored in the
first retention bucket that matches the record parameters. You can change the
order of the retention buckets to ensure that events and flows are being matched
against the retention buckets in the order that matches your requirements.
To manage the retention bucket sequence:


a To manage the event retention bucket sequence, click the Event Retention
icon.
b To manage the flow retention bucket sequence, click the Flow Retention icon.
Step 4 Select the retention bucket you want to move, and then click one of the following
icons:
• Up - Click this icon to move the selected retention bucket up one row in priority
sequence.
• Down - Click this icon to move the selected retention bucket down one row in
priority sequence.
• Top - Click this icon to move the selected retention bucket to the top of the
priority sequence.
• Bottom - Click this icon to move the selected retention bucket to the bottom of
the priority sequence.
NOTE
You cannot move the default retention bucket. It always resides at the bottom of
the list.
Editing a Retention Bucket
To edit a retention bucket:

• To edit an event retention bucket, click the Event Retention icon.
• To edit a flow retention bucket, click the Flow Retention icon.
Step 4 Select the retention bucket you want to edit, and then click Edit.
Step 5 Edit the parameters. For more information on event retention parameters, see
Table 4-13. For more information on flow retention parameters, see Table 4-16.
NOTE
On the Retention Parameters window, the Current Filters pane is not displayed
when editing a default retention bucket.
Step 6 Click Save.

Your changes are saved.
Enabling and Disabling a Retention Bucket

When you configure and save a retention bucket, it is enabled by default. You can
tune your event or flow retention by disabling a bucket.
When you disable a bucket, any new events or flows that match the requirements
for the disabled bucket are stored in the next bucket that matches the event or flow
properties.

Configuring System Notifications 71
To enable or disable a retention bucket:

a To disable an event retention bucket, click the Event Retention icon.
b To disable a flow retention bucket, click the Flow Retention icon.
Step 4 Select the retention bucket you want to disable, and then click Enable/Disable.
The retention bucket is disabled. You can click Enable/Disable to enable the
retention bucket again.
Deleting a Retention Bucket

When you delete a retention bucket, the events or flows contained in the retention
bucket are not removed from the system, only the criteria defining the bucket is
deleted. All events or flows are maintained in storage.
To delete a retention bucket:
a To delete an event retention bucket, click the Event Retention icon.
b To delete a flow retention bucket, click the Flow Retention icon.
Step 4 Select the retention bucket you want to delete, and then click Delete.
The retention bucket is deleted.
Configuring You can configure system performance alerts for thresholds using the Admin tab.
System This section provides information on configuring your system thresholds.
Notifications
To configure system thresholds:
Step 3 Click the Global System Notifications icon.
Step 4 Enter values for the parameters. For each parameter, you must select the following
options:
• Enabled - Select the check box to enable the option.
• Respond if value is - From the list box, select one of the following options:
- Greater Than - An alert occurs if the parameter value exceeds the
configured value.
- Less Than - An alert occurs if the parameter value is less than the
configured value.

• Resolution Message - Type a description of the preferred resolution to the

alert.
Table 4-17 Global System Notifications Parameters
System load over 1 Type the threshold system load average over the last
minute minute.
System load over 5 Type the threshold system load average over the last 5
minutes minutes.
System load over 15 Type the threshold system load average over the last 15
minutes minutes.
Percentage of swap used Type the threshold percentage of used swap space.
Received packets per Type the threshold number of packets received per
second second.
Transmitted packets per Type the threshold number of packets transmitted per
second second.
Received bytes per Type the threshold number of bytes received per second.
second
Transmitted bytes per Type the threshold number of bytes transmitted per
second second.
Receive errors Type the threshold number of corrupted packets received
per second.
Transmit errors Type the threshold number of corrupted packets
transmitted per second.
Packet collisions Type the threshold number of collisions that occur per
second while transmitting packets.
Dropped receive packets Type the threshold number of received packets that are
dropped per second due to a lack of space in the buffers.
Dropped transmit packets Type the threshold number of transmitted packets that
are dropped per second due to a lack of space in the
buffers.
Transmit carrier errors Type the threshold number of carrier errors that occur
per second while transmitting packets.
Receive frame errors Type the threshold number of frame alignment errors that
occur per second on received packets.
Receive fifo overruns Type the threshold number of First In First Out (FIFO)
overrun errors that occur per second on received
packets.
Transmit fifo overruns Type the threshold number of First In First Out (FIFO)
overrun errors that occur per second on transmitted
packets.
Step 5 Click Save.


Configuring the Console Settings 73
Configuring the The QRadar Network Anomaly Detection Console provides the user interface for
Console Settings QRadar Network Anomaly Detection. The Console provides real-time views,
reports, alerts, and in-depth investigation of flows for network traffic and security
threats. You can configure the Console to manage distributed QRadar Network
Anomaly Detection deployments.
To configure QRadar Network Anomaly Detection Console settings:

Step 3 Click the Console icon.
Step 4 Enter values for the parameters:
Table 4-18 QRadar Network Anomaly Detection Console Parameters
Console Settings
ARP - Safe Interfaces Type the interfaces you want to be excluded from ARP
resolution activities.
Results Per Page Type the maximum number of results you want to display
on the main QRadar Network Anomaly Detection user
interface. This parameter applies to the Offenses, Log
Activity, Assets, Network Activity, and Reports tabs.
For example, if the Default Page Size parameter is
configured to 50, the Offenses tab displays a maximum
of 50 offenses.
The default setting is 40. The minimum is 0 and the
Authentication Settings
Persistent Session Type the length of time, in days, that a user system will be
Timeout (in days) persisted. The default setting is 0, which disables this
feature. The minimum is 0 and the maximum is
4294967294.
Maximum Login Failures Type the number of times a login attempt can fail. The
default setting is 5. The minimum is 0 and the maximum is
4294967294.
Login Failure Attempt Type the length of time during which a maximum number
Window (in minutes) of login failures can occur before the system is locked.
The default setting is 10 minutes. The minimum is 0 and
the maximum is 4294967294.
Login Failure Block Time Type the length of time that the system is locked if the
(in minutes) maximum login failures value is exceeded. The default
setting is 30 minutes. The minimum is 0 and the
Login Host Whitelist Type a list of hosts who are exempt from being locked out
of the system. Enter multiple entries using a
comma-separated list.

Table 4-18 QRadar Network Anomaly Detection Console Parameters (continued)
Inactivity Timeout (in Type the amount of time that a user will be automatically
minutes) logged out of the system if no activity occurs. The default
setting is 0. The minimum is 0 and the maximum is
4294967294.
Login Message File Type the location and name of a file that includes content
you want to display on the QRadar Network Anomaly
Detection login window. The contents of the file are
displayed below the current log in window.
The login message file must be located in the
opt/qradar/conf directory on your system. This file may be
in text or HTML format.
Event Permission From the list box, select the level of network permissions
Precedence you want to assign to users. This parameter affects the
events that are displayed on the Log Activity tab. The
options include:
• Network Only - A user must have access to either the
source network or the destination network of the event
to have that event display on the Log Activity tab.
• Devices Only - A user must have access to either the
device or device group that created the event to have
that event display on the Log Activity tab.
• Networks and Devices - A user must have access to
both the source or the destination network and the
device or device group to have an event display on the
Log Activity tab.
• None - All events are displayed on the Log Activity
tab. Any user with Log Activity role permissions is able
to view all events.
For more information on managing users, see Managing
User Roles and Accounts.
DNS Settings
Enable DNS Lookups for From the list box, select whether you want to enable or
Asset Profiles disable the ability for QRadar Network Anomaly Detection
to search for DNS information in asset profiles. When
enabled, this information is available in the right-click
menu for the IP address or host name located in the Host
Name (DNS Name) field in the asset profile. The default
setting is False.
Enable DNS Lookups for From the list box, select whether you want to enable or
Host Identity disable the ability for QRadar Network Anomaly Detection
to search for host identity information. When enabled, this
information is available in the right-click menu for any IP
address or asset name. The default setting is True.
WINS Settings
WINS Server Type the location of the Windows Internet Naming Server
(WINS) server.

Managing Custom Offense Close Reasons 75
Table 4-18 QRadar Network Anomaly Detection Console Parameters (continued)
Reporting Settings
Report Retention Period Type the period of time, in days, that you want the system
to maintain reports. The default setting is 30 days. The
minimum is 0 and the maximum is 4294967294.
Data Export Settings
Include Header in CSV From the list box, select whether you want to include a
Exports header in a CSV export file.
Maximum Simultaneous Type the maximum number of exports you want to occur
Exports at one time. The default setting is 1. The minimum is 0
and the maximum is 4294967294.
Step 5 Click Save.

Managing Custom When a user closes an offense on the Offenses tab, the Close Offense window is
Offense Close displayed. The user is prompted to select a reason from the Reason for Closing
Reasons list box. Three default options are listed:
• False-positive, tuned
• Non-issue
• Policy violation
Administrators can add, edit, and delete custom offense close reasons from the
Admin tab.

• Adding a Custom Offense Close Reason
• Editing Custom Offense Close Reason
• Deleting a Custom Offense Close Reason

Adding a Custom When you add a custom offense close reason, the new reason is listed on the
Offense Close Custom Close Reasons window and in the Reason for Closing list box on the
Reason Close Offense window of the Offenses tab.
To add a custom offense close reason:
Step 3 Click the Custom Offense Close Reasons icon.
The Custom Offense Close Reasons window provides the following information:
Table 4-19 Custom Close Reasons Window Parameters
Reason Specifies the reason that is displayed in the Reason
for Closing list box on the Close Offense window of
the Offenses tab.
Created by Specifies the user that created this custom offense
close reason.
Date Created Specifies the date and time of when the user created
this custom offense close reason
NOTE
You can also access the Custom Offense Close Reasons window by clicking the
Manage Close Reasons icon on the Close Offense window of the Offenses tab.
Step 4 Click Add.

Step 5 Type a unique reason for closing offenses. Reasons must be between 5 and 60
characters in length.
Step 6 Click OK.
Your new custom offense close reason is now listed in the Custom Close Reasons
window. The Reason for Closing list box on the Close Offense window of the
Offenses tab also displays the custom reason you added.
Editing Custom Editing a custom offense close reason updates the reason in the Custom Close
Offense Close Reasons window and the Reason for Closing list box on the Close Offense
Reason window of the Offenses tab.
To edit a custom offense close reason:

Step 4 Select the reason you want to edit.
Step 5 Click Edit.
Step 6 Type a new unique reason for closing offenses. Reasons must be between 5 and
60 characters in length.

Index Management 77
Step 7 Click OK.

The custom offense close reason is now edited.
Deleting a Custom Deleting a custom offense close reason removes the reason from the Custom
Offense Close Close Reasons window and the Reason for Closing list box on the Close Offense
Reason window of the Offenses tab.
To delete a custom offense close reason:

Step 4 Select the reason you want to delete.
Step 5 Click Delete.
Step 6 Click OK.
The custom offense close reason is now deleted.
Index Management The Index Management feature allows you to control database indexing on event
properties. Indexing event properties allows you to optimize your searches. You
can enable indexing on any property that is listed in the Index Management
window and you can enable indexing on more than one property.
The Index Management feature also provides statistics, such as:

• The percentage of saved searches running in your deployment that include the
indexed property
• The volume of data that is written to the disk by the index during the selected
time frame
NOTE
To enable payload indexing, you must enable indexing on the Quick Filter
property. For more information on payload indexing, see the Enable Payload
Indexing for Quick Filtering Technical Note.

• Viewing the Index Management Window
• Enabling Indexes
Viewing the Index The Index Management window lists all event and flow properties that can be
Management Window indexed and provides statistics for the properties. Toolbar options allow you to
enable and disable indexing on selected event and flow properties.

NOTE
Modifying database indexing may decrease system performance, therefore, we
recommend that you monitor the statistics after enabling indexing on multiple
properties.
To view the Index Management window:

Step 3 Click the Index Management icon.
The Index Management window provides the following information:
Table 4-20 Index Management Window Parameters
Display Displays the time range used to calculate the
statistics for each property. From the list box, you
can select a new time range. The minimum time
range is Last Hour and the maximum time range is
Last 30 Days. The default time range is Last 24
Hours.
After you select a new time range option, the
statistics are refreshed.
View Allows you to display properties filtered on the
Indexed parameter. From the list box, select one of
• All - Displays all properties in the Index
Management list.
• Enabled - Displays only indexed properties in the
Index Management list.
• Disabled - Displays only properties that are not
indexed in the Index Management list.
Database Allows you to display properties filtered on the
Database parameter. From the list box, select one of
Management list.
• Events - Displays only event properties in the
Index Management list.

Index Management 79
Table 4-20 Index Management Window Parameters (continued)
Show Allows you to display all properties or only custom
properties. Options include:
Management list.
• Custom - Displays only custom event properties.
Custom properties are properties that you can create
by extracting from unnormalized data using RegEx
statements or calculated properties that are created
by performing operations on existing properties. For
more information on custom properties, see the IBM
Security QRadar Network Anomaly Detection Users
Guide.
Indexed Indicates whether the property is indexed or not:
• Green dot - Indicates that the property is indexed.
• Empty cell - Indicates that the property is not
indexed.
Property Displays the name of the property.
% of Searches Displays the percentage of searches that include this
Using Property property that have performed in the specified time
range.
Hitting Index property that have performed in the specified time
range and successfully used the index.
Missing Index property that have performed in the specified time
range and did not use the index.
Data Written Displays the volume of data written to the disk by the
index in the time range specified in the Display list
box.
Database Specifies that the property is stored in the event
database.

The Index Management toolbar provides the following options:

Table 4-21 Index Management Window Parameters
Option Description
Enable Index Select one or more properties in the Index
Management list, and then click this icon to enable
indexing on the selected parameters.
Disable Index Select one or more properties in the Index
Management list, and then click this icon to disable
indexing on the selected parameters.
Quick Search Type your keyword in the Quick Search field and
click the Quick Filter icon or press Enter on the
keyboard. All properties that match your keyword are
displayed in the Index Management list.
Enabling Indexes To enable indexing on selected properties:

Step 4 Select one or more properties from the Index Management list.
Step 5 Click Enable Index.
NOTE
You can also right-click a property and select Enable Index from the menu.
Step 6 Click Save.

Step 7 Click OK.
The selected properties are now indexed. In lists that include event properties,
indexed property names are appended with the following text: [Indexed].
Examples of such lists include the search parameters on the Log Activity tab
search criteria pages and the Add Filter window.
Disabling Indexes To disable indexing on selected properties:

Step 4 Select one or more properties from the Index Management list.
Step 5 Click Disable Index.
NOTE
You can also right-click a property and select Disable Index from the menu.
Step 6 Click Save.

Step 7 Click OK.

Index Management 81
The selected properties are no longer indexed. In lists that include event
properties, indexed property names are no longer appended with the following
text: [Indexed].

The Reference Set Management feature allows you to create and manage
reference sets. You can also import elements into a reference set from an external
file.
• Reference Set Overview
• Viewing Reference Sets
• Adding a Reference Set
• Editing a Reference Set
• Deleting Reference Sets
• Adding a New Element to a Reference Set
• Deleting Elements from a Reference Set
• Importing Elements into a Reference Set
• Exporting Elements from a Reference Set
Reference Set A reference set is a set of elements, such as a list of IP addresses or user names,
Overview that are derived from events and flows occurring on your network.
After you create a reference set, you can create rules in the Rule Wizard to detect
when log or network activity associated with the reference set occurs on your
network. For example, you can create a rule to detect when a terminated user
attempts to access your network resources. You can also configure a rule to add
an element to a reference set when log activity or network activity matches the rule
conditions. For example, you can create a rule to detect when an employee has
accessed a prohibited website and add that employee’s IP address to a reference
set. For more information on configuring rules, see the IBM Security QRadar
Network Anomaly Detection Users Guide.

Viewing Reference To view reference sets:

Sets
Step 1 Log in to the QRadar Network Anomaly Detection user interface.
Step 3 From the navigation menu, select System Configuration.
Step 4 Click Reference Set Management.
The Reference Set Management window provides the following information:
Table 5-1 Reference Set Management Window Parameters
Name Displays the name of this reference set.
Number of Displays the number of elements that this reference
Elements set contains.
Type Displays the data type of this reference set. Options
include:
• AlphaNumeric
• Numeric
• IP
• Port
• AlphaNumeric_Ignore_Case
Associated Rules Displays the number of rules that are configured to
contribute elements to this reference set.
Capacity Displays a visual indication of the reference set
capacity used by the elements contained in the set.
Reference sets can contain up to 100,000 elements.
The Reference Set Management toolbar provides the following functions:

Table 5-2 Reference Set Management Toolbar Function
New Click this icon to create a new reference set. See
Adding a Reference Set.
Edit Select a reference set, and then click this icon to edit
the reference set. See Editing a Reference Set.
View Contents Select a reference set, and then click this icon to
view the elements and associated rules for this
reference set. See Viewing the Contents of a
Reference Set.
Delete Select a reference set, and then click this icon to
delete the reference set. See Deleting Reference
Sets.

Adding a Reference Set 85
Table 5-2 Reference Set Management Toolbar Function (continued)
Delete Listed Use the Quick Search field to filter for specific
reference sets, and then click the Delete Listed icon
to delete these reference sets. See Deleting
Reference Sets.
Quick Search Type your keyword in the Quick Search field, and
then click the Quick Search icon or press Enter on
the keyboard. All reference sets that match your
keyword are displayed in the Reference Set
Management list. To display all reference sets again,
click the eraser icon.
Adding a Reference To add a reference set:

Set
Step 1 On the Reference Set Management window, click New.
Table 5-3 New Reference Set Dialog Box Parameters
Name Type a unique name for this reference set. The
maximum length is 255 characters.
Type Using the list box, select a reference set type from
• AlphaNumeric
• Numeric
• IP
• Port
• AlphaNumeric_Ignore_Case
Note: You cannot edit the Type parameter after you
create a reference set.
Time to Live of Using the list boxes, select the amount of time that
Elements you want to maintain each element in the reference
set or select Lives Forever.
If you specify an amount of time, you must also
indicate when you want to start tracking time for an
element. Select one of the following options:
• Since first seen
• Since last seen
Lives Forever is the default setting.
Step 3 Click Create.

The reference set that you created is listed. In the Rule Wizard, this reference set
is now listed as an option on the Rule Response page. After you configure one or
more rules to send elements to this reference set, the Number of Elements,
Associated Rules, and Capacity parameters are automatically updated.
Editing a Reference To edit a reference set:

Set
Step 1 On the Reference Set Management window, select a reference set, and then click
Edit.
Step 2 Edit the parameters, as required. See Table 5-3.
Step 3 Click Submit.
The reference set that you edited is now updated.
Deleting Reference When deleting reference sets, a confirmation window indicates if the reference
Sets sets that you want to delete have rules associated with them. After you delete a
reference set, the Add to Reference Set configuration is cleared from the
associated rules. Before you delete a reference set, you can view associated rules
in the Reference tab. See Viewing the Contents of a Reference Set.
To delete a reference set:

Step 1 Choose one of the following:
• On the Reference Set Management window, select a reference set, and then
click Delete.
• On the Reference Set Management window, use the Quick Search text box to
display only the reference sets that you want to delete, and then click Delete
Listed.
The reference sets that you deleted is removed from the list.
Viewing the To view the contents of a reference set:

Contents of a
Reference Set
View Contents.
NOTE
You can also double-click a reference set to view the contents.
Step 2 Click the Content tab.

Viewing the Contents of a Reference Set 87
The Content tab provides a list of the elements that are included in this reference
set. The Content tab provides the following information:
Table 5-4 Content Tab Parameters
Value Displays the value for this element. For example, if
the reference set contains a list of IP addresses, this
parameter displays an IP address.
Origin Indicates the source of this element. Options include:
• System - This element was placed in this
reference set as a response to a rule.
• User - This element was imported from an
external file or manually added to the reference
set.
Time to Live Displays the time remaining until this element is
removed from the reference set.
Date Last Seen Displays the date and time that this element was last
detected on your network.
The Content tab toolbar provides the following functions:

Table 5-5 Content Tab Toolbar Functions
New Click this icon to manually add an element to the
reference set. See Adding a New Element to a
Reference Set.
Delete Select an element, and then click this icon to delete
the element.
Delete Listed Use the Quick Search field to filter for specific
elements, and then click the Delete Listed icon to
delete these elements.
Import Click this icon to import elements from a
Comma-Separated Value (CSV) file. See Importing
Elements into a Reference Set.
Export Click this icon to export the contents of this reference
set to a CSV file.
Refresh Table Click this icon to refresh the Content tab.
Quick Search Type your keyword in the Quick Search field, and
then click the Quick Search icon or press Enter on
the keyboard. All elements that match your keyword
are displayed in the Content list. To display all
elements again, click the eraser icon.
Step 3 Click the References tab.

The References tab provides a list of rules that are configured to add elements to
this reference set. The References tab provides the following information:
Table 5-6 References Tab Parameters
Rule Name Displays the name of this rule.
Group Displays the name of the group this rule belongs to.
Category Displays the category of this rule. Options include
Custom Rule or Anomaly Detection Rule.
Type Displays the type of this rule. Options include: Event,
Flow, Common, or Offense.
Enabled Indicates whether the rule is enabled or disabled:
• true - Indicates that this rule is enabled.
• false - Indicates that this rule is disabled.
Response Specifies the responses configured for this rule.
Origin Indicates the origin of this rule. Options include:
• System - Indicates that this is a default rule.
• Modified - Indicates that this is a default rule that
has been customized.
• User - Indicates that this is a user-created rule.
The References tab toolbar provides the following functions:

Table 5-7 References Tab Toolbar Functions
Edit Click this icon to edit the rule in the Rule Wizard. You
can also double-click the rule to open the Rule
Wizard.
Refresh Table Click this icon to refresh the References list.
Step 4 To view or edit an associated rule, double-click the rule in the References list.
In the Rule Wizard, you can edit rule configuration settings, if required.
Adding a New To add a new element to a reference set:

Element to a
Reference Set
View Contents.

Deleting Elements from a Reference Set 89
Table 5-8 Add Reference Set Data Dialog Box Parameters
Value(s) Type the value for the element that you want to add.
If you want to type multiple values, include a
separator character between each value, and then
specify the separator character in the Separator
Character field.
Separator Type the separator character that you used in the
Character Value(s) field.
Step 5 Click Add.

The elements you added are now displayed on the Content tab.
Deleting Elements To delete elements from a reference set:

from a Reference
Set
View Contents.
Step 3 Choose one of the following:
• Select an element, and then click Delete.
• Use the Quick Search text box to display only the elements that you want to
delete, and then click Delete Listed.
The element you deleted is removed from the list.
Importing Elements You can import elements from an external CSV file. Before you begin, ensure that
into a Reference the CSV file that you want to import is stored on your local desktop.
Set To import a CSV file into a reference set:
View Contents.
Step 3 On the toolbar, click Export.
Step 4 Click Browse.
Step 5 Select the CSV file that you want to import.
Step 6 Click Import.
The elements in the CSV file you imported are now displayed in the list.

Exporting Elements You can export reference set elements to an external CSV file.
from a Reference To export the contents of a reference set to a CSV file:
Set
View Contents.
Step 3 On the toolbar, click Export.
• If you want to open the list for immediate viewing, select the Open with option
and select an application from the list box.
• If you want to save the list, select the Save File option.
Step 5 Click OK.

You can configure authorized services on the Admin tab to pre-authenticate a

customer support service for your IBM Security QRadar Network Anomaly
Detection deployment.

• Authorized Services Overview
• Viewing Authorized Services
• Adding an Authorized Service
• Revoking Authorized Services
• Configuring the Customer Support Service
Authorized Authenticating a customer support service allows the service to connect to your
Services Overview QRadar Network Anomaly Detection user interface and either dismiss or update
notes to an offense using a web service. You can add or revoke an authorized
service at any time.
Viewing Authorized To view authorized services for your QRadar Network Anomaly Detection
Services deployment:
Step 3 Click the Authorized Services icon.
The Manage Authorized Services window provides the following information:
Table 6-1 Manage Authorized Services Parameters
Service Name Specifies the name of the authorized service.
Authorized By Specifies the name of the user or administrator that
authorized the addition of the service.
Authentication Token Specifies the token associated with this authorized service.
User Role Specifies the user role associated with this authorized
service.

Table 6-1 Manage Authorized Services Parameters (continued)
Created Specifies the date that this authorized service was created.
Expires Specifies the date and time that the authorized service will
expire. Also, this field indicates when a service has expired.
Step 4 To select a token from an authorized service, select the appropriate authorized
service. The token is displayed in the Selected Token field in the top bar. This
allows you to copy the token into your vendor software to authenticate with
Adding an To add an authorized service:

Authorized Service
Step 4 Click Add Authorized Service.
Table 6-2 Add Authorized Services Parameters
Service Name Type a name for this authorized service. The name can be up
to 255 characters in length.
User Role From the list box, select the user role you want to assign to
this authorized service. The user roles assigned to an
authorized service determines the functionality on the
QRadar Network Anomaly Detection user interface this
service can access.
Expiry Date Type or select a date you want this service to expire or select
the No Expiry check box if you do not want this service to
expire. By default, the authorized service is valid for 30 days.
Step 6 Click Create Service.

The confirmation message contains a token field that you must copy into your
vendor software to authenticate with QRadar Network Anomaly Detection. For
more information on setting up your vendor software to integrate with QRadar
Network Anomaly Detection, contact your system administrator.

Revoking Authorized Services 93
Revoking To revoke an authorized service:

Authorized
Services
Step 4 Select the service you want to revoke.
Step 5 Click Revoke Authorization.
Step 6 Click OK.
Configuring the After you have configured an authorized service in QRadar Network Anomaly
Customer Support Detection, you must configure your customer support service to access QRadar
Service Network Anomaly Detection offense information. For example, you can configure
QRadar Network Anomaly Detection to send an SNMP trap that includes the
offense ID information. Your service must be able to authenticate to QRadar
Network Anomaly Detection using the provided authorized token by passing the
information through an HTTP query string. When authenticated, the service should
interpret the authentication token as the user name for the duration of the session.
Your customer support service must use a query string to update notes, dismiss, or
close an offense.

• Dismissing an Offense
• Closing an Offense
• Adding Notes to an Offense
Dismissing an To dismiss an offense, your customer support service must use the following query
Offense string:
https://<IP address >/console/do/sem/properties?appName=Sem&
dispatch=updateProperties&id=<Offense ID>&nextPageId=
OffenseList&nextForward=offensesearch&attribute=dismiss&daoName
=offense&value=1&authenticationToken=<Token>
Where:
<IP address> is the IP address of your QRadar Network Anomaly Detection
system.
<Offense ID> is the identifier assigned to the QRadar Network Anomaly
Detection offense. To obtain the offense ID, see the Offenses tab. For more
information, see the IBM Security QRadar Network Anomaly Detection Users
Guide.

<Token> is the token identifier provided to the authorized service on the QRadar
Network Anomaly Detection user interface.
Closing an Offense To close an offense, your customer support service must use the following query
string:
https://<IP Address>/console/do/sem/properties?appName=Sem&
OffenseList&nextForward=offensesearch&attribute=dismiss&daoName
=offense&value=2&authenticationToken=<Token>
Where:
system.
Guide.
Network Anomaly Detection user interface. For information on copying the token,
see the IBM Security QRadar Network Anomaly Detection Administration Guide.
Adding Notes to an To add notes to an offense, your customer support service must use the following
Offense query string:
https://<IP Address>/console/do/sem/properties?appName=Sem&
OffenseList&nextForward=offensesearch&attribute=notes&daoName
=offense&value=<NOTES>&authenticationToken=<Token>
Where:
system.
Guide.
Network Anomaly Detection user interface. For information on copying the token,
see the IBM Security QRadar Network Anomaly Detection Administration Guide.

7 MANAGING BACKUP AND
RECOVERY
Using the Backup and Recovery feature, you can backup and recover IBM
Security QRadar Network Anomaly Detection configuration information and data.
• Backup and Recovery Overview
• Managing Backup Archives
• Backing Up Your Configuration Information and Data
• Restoring Your Backup Archives
Backup and QRadar Network Anomaly Detection enables you to perform two types of backup:
Recovery Overview • Configuration backups, which include the following components:
- Assets
- Custom logos
- Custom rules
- Device Support Modules (DSMs)
- Event categories
- Flow sources
- Flow and event searches
- Groups
- License key information
- Log sources
- Offenses
- User and user roles information
- Vulnerability data
- Certificates
• Data backups, which include the following information:
- Audit log information
- Event data

- Flow data
- Report data
NOTE
You can back up your event and flow data using the Backup and Recovery
feature, however, you must restore event and flow data manually. For assistance
in restoring your event and flow data, see the Restoring Your Data Technical Note.
Managing Backup By default, QRadar Network Anomaly Detection creates a backup archive of your
Archives configuration information daily at midnight. The backup archive includes
configuration information, data, or both from the previous day. QRadar Network
Anomaly Detection lists all successful backup archives on the Backup Archives
window, which is the first window displayed when you access the Backup and
Recovery feature from the Admin tab. From this window, you can view and
manage all successful backup archives.

• Viewing Backup Archives
• Importing a Backup Archive
• Deleting a Backup Archive
Viewing Backup To view all successful backup archives:

Archives
Step 3 Click the Backup and Recovery icon.
If a backup is in progress, a status pane is displayed, providing the following
Information:
• Host - Specifies the host on which the backup is currently running.
• Name - Specifies the user-defined name of the backup archive.
• Backup Type - Specifies the type of backup that is in progress.
• Initiated by - Specifies the user account that initiated the backup process.
• Initiated at - Specifies the date and time the backup process was initiated.
• Duration - Specifies the elapsed time since the backup process was initiated.
Until the backup is complete, you are unable to start any new backup or restore
processes.
• Existing backup archives are displayed on the window. Each archive file
includes the data from the previous day. The list of archives is sorted by the
Time Initiated column in descending order. If a backup file is deleted, it is
removed from the disk and from the database. Also, the entry is removed from
this list and an audit event is generated to indicate the removal.

Managing Backup Archives 97
The Existing Backups pane on the Backup Archives window provides the following
information for each backup archive:
Table 7-1 Existing Backups Pane Parameters
Host Specifies the host that initiated the backup process.
Name Specifies the name of the backup archive. To download the
backup file, click the name of the backup.
Type Specifies the type of backup. The options include:
• config - Configuration data
• data - Events, flows, asset, and offense information
Size Specifies the size of the archive file.
Time Initiated Specifies the time that the backup file was initiated.
Duration Specifies the time to complete the backup process.
Initialized By Specifies whether the backup file was created by a user or
through a scheduled process.
Importing a Backup You can import a backup archive into the Existing Backups pane on your Backup
Archive Archives window. This is useful if you want to restore a backup archive that was
created on another QRadar Network Anomaly Detection host.
NOTE
If you place a QRadar Network Anomaly Detection backup archive file in the
/store/backupHost/inbound directory on the Console server, the backup
archive file is automatically imported.
To import a QRadar Network Anomaly Detection backup archive file:

Step 4 In the Upload Archive field, click Browse.
Step 5 Locate and select the archive file you want to upload. The archive file must include
a .tgz extension.
Step 6 Click Open.
Step 7 Click Upload.
The imported archive file is displayed in the Existing Backups pane.
Deleting a Backup To delete a backup archive file, the backup archive file and the Host Context
Archive component must reside on the same system. The system must also be in
communication with the Console and no other backup can be in progress. If a
backup file is deleted, it is removed from the disk and from the database. Also, the
entry is removed from this list and an audit event is generated to indicate the
removal.

To delete a backup archive:

Step 4 In the Existing Backups pane, select the archive you want to delete.
Step 6 Click OK.
Backing Up Your By default, QRadar Network Anomaly Detection creates a backup archive of your
Configuration configuration information daily at midnight. The backup archive includes your
Information and configuration information, data, or both from the previous day. Using the Backup
Data and Recovery feature on the Admin tab, you can customize this nightly backup
and create an on-demand configuration backup, as required.

• Configuring Your Scheduled Nightly Backup
• Creating an On-demand Configuration Backup Archive
Configuring Your By default, the nightly backup process includes only your configuration files. You
Scheduled Nightly can customize your nightly backup process to include data from your Console and
Backup selected managed hosts. You can also customize your backup retention period,
backup archive location, the time limit for a backup to process before timing out,
and the backup priority in relation to other QRadar Network Anomaly Detection
processes.
To configure your scheduled nightly backup:

Step 4 On the toolbar, click Configure.
Step 5 To customize your nightly backup, configure the values for the following
parameters, as required:
Table 7-2 Backup Recovery Configuration Parameters
General Backup Configuration

Backing Up Your Configuration Information and Data 99
Table 7-2 Backup Recovery Configuration Parameters (continued)
Backup Type the location where you want to store your backup file. The
Repository Path default location is /store/backup. This path must exist before
the backup process is initiated. If this path does not exist, the
backup process aborts.
If you modify this path, make sure the new path is valid on every
system in your deployment.
Note: Active data is stored on the /store directory. If you have
both active data and backup archives stored in the same
directory, data storage capacity may easily be reached and
your scheduled backups may fail. We recommend you
specify a storage location on another system or copy your
backup archives to another system after the backup process
is complete. You can use a Network File System (NFS)
storage solution in your QRadar Network Anomaly Detection
deployment. For more information on using NFS, see the
Using the NFS for QRadar Backups Technical Note.
Backup Retention Type or select the length of time, in days, that you want to store
Period (days) backup files. The default is 2 days.
This period of time only affects backup files generated as a result
of a scheduled process. On-demand backups or imported
backup files are not affected by this value.
Nightly Backup Select one of the following options:
Schedule • No Nightly Backups - Disables the nightly scheduled backup
process.
• Configuration Backup Only - Enables a nightly backup
archive that includes configuration information only. This is the
default option.
• Configuration and Data Backups - Enables a nightly backup
that includes configuration information and data.
Select the This option is only displayed if you select the Configuration and
managed hosts Data Backups option.
you would like to All hosts in your deployment are listed. The first host in the list is
run data backups: your Console; it is enabled for data backup by default, therefore
no check box is displayed. If you have managed hosts in your
deployment, the managed hosts are listed below the Console
and each managed host includes a check box.
Select the check box for the managed hosts you want to run data
backups on.
For each host (Console or managed hosts), you can optionally
clear the data items you want to exclude from the backup
archive. Choices include Event Data and Flow Data. Both
options are selected by default.
Configuration Only Backup

Table 7-2 Backup Recovery Configuration Parameters (continued)
Backup Time Limit Type or select the length of time, in minutes, that you want to
(min) allow the backup to run. The default is 180 minutes. If the backup
process exceeds the configured time limit, the backup process is
automatically canceled.
Backup Priority From this list box, select the level of importance that you want
the system to place on the configuration backup process
compared to other processes. Options include:
• LOW
• MEDIUM
• HIGH
A priority of medium or high have a greater impact on system
performance.
Data Backup
Backup Time Limit Type or select the length of time, in minutes, that you want to
(min) allow the backup to run. The default is 1020 minutes. If the
backup process exceeds the configured time limit, the backup is
automatically canceled.
Backup Priority From the list box, select the level of importance you want the
system to place on the data backup process compared to other
processes. Options include:
• LOW
• MEDIUM
• HIGH
A priority of medium or high have a greater impact on system
performance.
Step 6 Click Save.

The Backup Recovery Configuration window closes.
Step 7 Close the Backup Archives window.

Backing Up Your Configuration Information and Data 101
Creating an To backup your configuration files at a time other than your nightly scheduled
On-demand backup, you can create an on-demand backup archive. On-demand backup
Configuration archives include only configuration information.
Backup Archive
CAUTION
We recommend that you initiate an on-demand backup archive during a period
when QRadar Network Anomaly Detection has low processing load, such as after
normal office hours. During the backup process, system performance is affected.
To create an on-demand backup:

Step 4 From the toolbar, click On Demand Backup.
• Name - Type a unique name you want to assign to this backup archive. The
name can be up to 100 alphanumeric characters in length. Also, the name can
contain following characters: underscore (_), dash (-), or period (.).
• Description - Optional. Type a description for this configuration backup
archive. The description can be up to 255 characters in length.
Step 6 Click Run Backup.
Step 7 Click OK.
The on-demand backup process begins. Information about the backup is
displayed, including:
• Host - Specifies the host on which the backup is currently running.
• Name - Specifies the user-defined name of the backup archive.
• Backup Type - Specifies that this is a configuration backup.
• Initiated by - Specifies the user account that initiated the backup process.
• Initiated at - Specifies the date and time the backup process was initiated.
• Duration - Specifies the elapsed time since the backup process was initiated.
Until the backup is complete, you are unable to start any new backup or restore
processes.
When the on-demand backup is complete, the backup process information is no
longer displayed and the backup archive is listed in the Existing Backups pane.

Restoring Your Using the Restore a Backup window, you can restore a backup archive. This is
Backup Archives useful if you want to restore previously archived configuration files, asset data, and
offense data on your QRadar Network Anomaly Detection system.
Reasons to restore a backup archive include:

• You have had a system hardware failure.
• You want to store a backup archive on a replacement appliance.
Before you begin, note the following considerations:

• You can only restore a backup archive created within the same release of
software, including the patch level. For example, if you are running IBM
Security QRadar Network Anomaly Detection 7.1 (MR1), the backup archive
must have been created in IBM Security QRadar Network Anomaly Detection
7.1 (MR1).
• The restore process only restores your configuration information, asset data,
and offense data. For assistance in restoring your event or flow data, see the
Restoring Your Data Technical Note.
• If the backup archive originated on a NATed Console system, you can only
restore that backup archive on a NATed system.

• Restoring a Backup Archive
• Restoring a Backup Archive Created on a Different QRadar Network Anomaly
Detection System
Restoring a Backup To restore your backup archive:

Archive
Step 4 Select the archive you want to restore.
Step 6 Configure the following parameters, as required:
Table 7-3 Restore a Backup Window Parameters
Name Displays the name of the backup archive.
Description Displays the description, if any, of the backup
archive.

Restoring Your Backup Archives 103
Table 7-3 Restore a Backup Window Parameters (continued)
Type Specifies the type of backup. Only configuration
backups can be restored, therefore, this parameter
displays config.
Select All When selected, this option indicates that all
Configuration configuration items are included in the restoration of
Items the backup archive. This check box is selected by
default. To clear all configuration items, clear the
check box.
Restore The Restore Configuration pane lists the
Configuration configuration items to include in the restoration of the
backup archive. All items are selected by default. To
remove items, you can clear the check boxes for
each item you want to remove or clear the Select All
Configuration Items check box.
Options include:
• Custom Rules Configuration
• Deployment Configuration, which includes:
Assets
Custom logos
Device Support Modules (DSMs)
Event categories
Flow sources
Flow and event searches
Groups
Log sources
Offenses
Certificates
Vulnerability data
• User and user roles information
• License key information
Select All Data When selected, this option indicates that all data
Items items are included in the restoration of the backup
archive. This check box is selected by default. To
clear all data items, clear this check box.

Restore Data The Restore Data pane lists the configuration items
to include in the restoration of the backup archive. All
items are cleared by default. To restore data items,
you can select the check boxes for each item you
want to restore.
Options include:
• Assets
• Offenses

Step 8 Click OK.
The restore process begins.
Do not restart the Console until the restore process is complete. During the restore
process, the following steps are taken on the Console:
• Existing files and database tables are backed up.
• Tomcat is shut down.
• All system processes are shut down.
• Files are extracted from the backup archive and restored to disk.
• Database tables are restored.
• All system processes are restarted.
• Tomcat restarts.
The restore process can take up to several hours depending on the size of the
backup archive being restored. When complete, a confirmation message is
displayed.
Step 9 Click OK.
• If the QRadar Network Anomaly Detection user interface was closed during the
restore process, open a browser and log in to QRadar Network Anomaly
Detection.
• If the QRadar Network Anomaly Detection user interface has not been closed,
the login window is displayed. Log in to QRadar Network Anomaly Detection.
A window is displayed, providing the status of the restore process. This window
provides any errors for each host and instructions for resolving the errors.
Step 11 Follow the instructions on the status window.
NOTE
After you have verified that your data is restored to your system, you must
re-apply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log
source protocols.

Restoring a Backup Each backup archive includes IP address information of the system from which the
Archive Created on a backup archive was created. When restoring a backup archive from a different
Different QRadar QRadar Network Anomaly Detection system, the IP address of the backup archive
Network Anomaly and the system you are restoring the backup are mismatched. This procedure
Detection System provides steps to correct this.
To restore your backup archive that was created on a different QRadar Network
Anomaly Detection system:
Step 4 Select the archive you want to restore.
The Restore a Backup window is displayed, including a message asking you to
stop the iptables service on each managed host in your deployment. The Iptables
service is a Linux®-based firewall.
Step 6 Stop IP tables:
a Using SSH, log into the managed host as the root user.
User Name: root
Password: <password>
b Type the following command:
service iptables stop
c Repeat for all managed hosts in your deployment.
Step 7 On the Restore a Backup window, click Test Hosts Access.
The Restore a Backup (Managed Hosts Accessibility) window provides the
following information.
Table 7-4 Restore a Backup (Managed Host Accessibility Parameters
Host Name Specifies the managed host name.
IP Address Specifies the IP address of the managed host.
Access Status Specifies the access status to the managed host. The options
include:
• Testing Access - Specifies the test to determine access
status is not complete.
• No Access - Specifies the managed host cannot be accessed.
• OK - Specifies the managed host is accessible.
Step 8 After testing is complete for all managed hosts, verify that the status in the Access
Status column indicates a status of OK.

If the Access Status column indicates a status of No Access for a host, stop
iptables (see Step 6) again and click Test Host Access again to attempt a
connection.
Step 9 Configure the following parameters, as required:
Table 7-5 Restore a Backup Window Parameters
Name Displays the name of the backup archive.
Description Displays the description, if any, of the backup archive.
Select All When selected, this option indicates that all configuration items
Configuration are included in the restoration of the backup archive. This check
Items box is selected by default. To clear all configuration items, clear
this check box.
Restore The Restore Configuration pane lists the configuration items to
Configuration include in the restoration of the backup archive. All items are
selected by default. To remove items, you can clear the check
boxes for each item you want to remove or clear the Select All
Configuration Items check box.
Options include:
• Custom Rules Configuration
• Deployment Configuration, which includes:
Assets
Custom logos
Device Support Modules (DSMs)
Event categories
Flow sources
Flow and event searches
Groups
Log sources
Offenses
Certificates
Vulnerability data
• User and user roles information
• License key information
Select All Data When selected, this option indicates that all data items are
Items included in the restoration of the backup archive. This check box
is selected by default. To clear all data items, clear the check
box.

Restore Data The Restore Data pane lists the configuration items to include in
the restoration of the backup archive. All items are cleared by
default. To restore data items, you can select the check boxes for
each item you want to restore.
Options include:
• Assets
• Offenses

Step 11 Click OK.
The restore process begins. Do not restart the Console until the restore process is
complete.
The restore process can take up to several hours depending on the size of the
backup archive being restored. When complete, a message is displayed.
Step 12 Click OK to log in. Choose one of the following options:
• If the QRadar Network Anomaly Detection user interface has been closed
during the restore process, open a browser and log in to QRadar Network
Anomaly Detection.
• If the QRadar Network Anomaly Detection user interface has not been closed,
the login window is automatically displayed. Log in to QRadar Network
Anomaly Detection.
A window is displayed providing the status of the restore process. This window
provides any errors for each host. This window also provides instructions for
resolving errors that have occurred.
Step 13 View the results of the restore process and follow the instructions to resolve errors,
if required.
Step 14 Refresh your browser window.
Step 15 From the Admin tab, select Advanced > Deploy Full Configuration.
NOTE
After you have verified that your data is restored to your system, you must
re-apply RPMs for any DSMs, vulnerability assessment (VA) scanners, or log
source protocols.

Using the deployment editor, you can manage the individual components of your
IBM Security QRadar Network Anomaly Detection deployment.

• Deployment Editor Overview
• About the Deployment Editor User Interface
• Building Your Event View
• Managing Your System View
• Configuring QRadar Network Anomaly Detection Components
Deployment Editor After you configure your deployment, you can access and configure the individual
Overview components of each managed host in your deployment.
NOTE
The Deployment Editor requires JavaTM Runtime Environment (JRE). You can
download Java 1.6.0_u24 at the following website: http://www.java.com. Also, If
you are using the Firefox browser, you must configure your browser to accept
JavaTM Network Language Protocol (JNLP) files.
CAUTION
Many Web browsers that use the Internet Explorer engine, such as Maxthon or
MyIE, install components that may be incompatible with the Admin tab. You may
be required to disable any Web browsers installed on your system. For further
assistance, contact Customer Support.
To access the deployment editor from behind a proxy server or firewall, you must
configure the appropriate proxy settings on your desktop. This allows the software
to automatically detect the proxy settings from your browser.
To configure the proxy settings:
Open the JavaTM configuration located in your Control Pane and configure the
IP address of your proxy server.

For more information on configuring proxy settings, see your Microsoft®

documentation.
About the You can access the deployment editor using the Admin tab. You can use the
Deployment Editor deployment editor to create your deployment, assign connections, and configure
User Interface each component.
The deployment editor provides the following views of your deployment:

• System View - Use the System View page to assign software components,
such as a QRadar QFlow Collector, to managed hosts in your deployment. The
System View page includes all managed hosts in your deployment. A managed
host is a system in your deployment that has QRadar Network Anomaly
Detection software installed. By default, the System View page also includes
the following components:
- Host Context - Monitors all QRadar Network Anomaly Detection
components to ensure that each component is operating as expected.
- Accumulator - Analyzes flows, events, reporting, writing database data,
and alerting a DSM. An accumulator resides on any host that contains an
Event Processor.
• Event View - Use the Event View page to create a view of your components
including QRadar QFlow Collectors, Event Processors, Event Collectors,
Off-site Sources, Off-site Targets, and Magistrate components.
On the Event View page, the left pane provides a list of components you can add
to the view, and the right pane provides a view of your deployment.
On the System View page, the left pane provides a list of managed hosts, which
you can view and configure. The deployment editor polls your deployment for
updates to managed hosts. If the deployment editor detects a change to a
managed host in your deployment, a message is displayed notifying you of the
change. For example, if you remove a managed host, a message is displayed,
indicating that the assigned components to that host must be re-assigned to
another host. Also, if you add a managed host to your deployment, the deployment
editor displays a message indicating that the managed host has been added.
Accessing the On the Admin tab, click Deployment Editor. The deployment editor is displayed.
Deployment Editor After you update your configuration settings using the deployment editor, you must
save those changes to the staging area. You must manually deploy all changes
using the Admin tab menu option. All deployed changes are then enforced
throughout your deployment.

About the Deployment Editor User Interface 111
Using the Editor The deployment editor provides you with several menu and toolbar options when
configuring your views, including:
• Menu Options
• Toolbar Functions
Menu Options
The displayed menu options depend on the selected component in your view.
Table 8-1 provides a list of the menu options.
Table 8-1 Deployment Editor Menu Options
Menu Option Sub Menu Option Description

File Save to staging Saves deployment to the staging area.
Save and close Saves deployment to the staging area and
closes the deployment editor.
Open staged Opens a deployment that was previously
deployment saved to the staging area.
Open production Opens a deployment that was previously
deployment saved.
Close current Closes the current deployment.
deployment
Revert Reverts current deployment to the
previously saved deployment.
Edit Preferences Opens the Deployment Editor Settings
window.
Close editor Closes the deployment editor.
Edit Delete Deletes a component, host, or connection.

Table 8-1 Deployment Editor Menu Options (continued)
Menu Option Sub Menu Option Description

Actions Add a managed host Opens the Add a Managed Host wizard.
Manage NATed Opens the Manage NATed Networks
Networks window, which allows you to manage the list
of NATed networks in your deployment.
Rename component Renames an existing component.
This option is only available when a
component is selected.
Configure Configures QRadar Network Anomaly
Detection components.
This option is only available when a QRadar
QFlow Collector, Event Collector, Event
Processor, or Magistrate is selected.
Assign Assigns a component to a managed host.
QFlow Collector, Event Collector, Event
Processor, or Magistrate is selected.
Unassign Unassigns a component from a managed
host.
QFlow Collector is selected. The host for the
selected component must be running the
version of QRadar Network Anomaly
Detection software as the managed host.

About the Deployment Editor User Interface 113
Toolbar Functions
The toolbar functions include:
Table 8-2 Toolbar Functions
Save and Close Saves deployment to the staging area and closes the deployment
editor.
Open Current Opens current production deployment.
Deployment
Open Staged Opens a deployment that was previously saved to the staging area.
Deployment
Discard Discards recent changes and reloads last saved model.
Remove Deletes selected item from the deployment view.
This option is only available when the selected component has a
managed host running a compatible version of QRadar Network
Anomaly Detection software.
Add Managed Opens the Add a Managed Host wizard, which allows you to add a
Host managed host to your deployment.
Manage NATed Opens the Manage NATed Networks window, which allows you to
Networks manage the list of NATed networks in your deployment.
Reset the zoom Resets the zoom to the default.
Zoom in Zooms in.
Zoom Out Zooms out.
Building Your To build your deployment, you must:

Deployment
1 Build your Event View. See Building Your Event View.
2 Build your System View. See Managing Your System View.
3 Configure components. See Configuring QRadar Network Anomaly Detection
Components.
4 Stage your deployment change. From the deployment editor menu, select File >
Save to Staging.
5 Deploy all configuration changes. On the Admin tab menu, select Advanced >
Deploy Changes.
For more information on the Admin tab, see the Overview.

Before you Begin Before you begin, you must:

• Install all necessary hardware and QRadar Network Anomaly Detection
software.
• Install the JavaTM Runtime Environment (JRE). You can download Java
1.6.0_u24 at the following website: http://www.java.com.
• If you are using the Firefox browser, you must configure your browser to accept
JavaTM Network Language Protocol (JNLP) files.
• Plan your QRadar Network Anomaly Detection deployment, including the IP
addresses and login information for all devices in your QRadar Network
Anomaly Detection deployment.
NOTE
If you require assistance, contact Customer Support.
Configuring To configure the deployment editor preferences:

Deployment Editor
Preferences
Step 1 Select File > Edit Preferences.
Step 2 Configure the parameters:
• Presence Poll Frequency - Type how often, in milliseconds, you want the
managed host to monitor your deployment for updates, for example, a new or
updated managed host.
• Zoom Increment - Type the increment value when the zoom option is selected.
For example. 0.1 indicates 10%.
Building Your The Event View page allows you to create and manage the components for your
Event View deployment, including the following components:
• QRadar QFlow Collector - Collects data from devices, and various live and
recorded feeds, such as network taps, span/mirror ports, NetFlow, and QRadar
Network Anomaly Detection flow logs. When the data is collected, the QRadar
QFlow Collector groups related individual packets into a flow. QRadar Network
Anomaly Detection defines these flows as a communication session between
two pairs of unique IP address and ports that use the same protocol. A flow
starts when the QRadar QFlow Collector detects the first packet with a unique
source IP address, destination IP address, source port, destination port, and
other specific protocol options that determine the start of a communication.
Each additional packet is evaluated. Counts of bytes and packets are added to
the statistical counters in the flow record. At the end of an interval, a status
record of the flow is sent to an Event Collector and statistical counters for the
flow are reset. A flow ends when no activity for the flow is detected within the
configured period of time.
Flow reporting generates records of all active or expired flows during a
specified period of time. If the protocol does not support port-based

Building Your Event View 115
connections, QRadar Network Anomaly Detection combines all packets

between the two hosts into a single flow record. However, a QRadar QFlow
Collector does not record flows until a connection is made to another QRadar
Network Anomaly Detection component and data is retrieved.
• Event Collector - Collects security events from various types of security
devices, known as log sources, in your network. The Event Collector gathers
events from local and remote log sources. The Event Collector then normalizes
the events and sends the information to the Event Processor. The Event
Collector also bundles all virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes event and flow data from
the Event Collector. The events are bundled to conserve network usage. When
received, the Event Processor correlates the information from QRadar Network
Anomaly Detection and distributes to the appropriate area, depending on the
type of event. The Event Processor also includes information gathered by
QRadar Network Anomaly Detection to indicate any behavioral changes or
policy violations for that event. Rules are then applied to the events that allow
the Event Processor to process according to the configured rules. When
complete, the Event Processor sends the events to the Magistrate.
A non-Console Event Processor can be connected to the Event Processor on
the Console or connected to another Event Processor in your deployment. The
Accumulator is responsible for gathering flow and event information from the
Event Processor.
NOTE
The Event Processor on the Console is always connected to the magistrate. This
connection cannot be deleted.
• Off-site Source - Indicates an off-site event or flow data source that forwards
normalized data to an Event Collector. You can configure an off-site source to
receive flows or events and allows the data to be encrypted before forwarding.
• Off-site Target - Indicates an off-site device that receives event or flow data.
An off-site target can only receive data from an Event Collector.
• Magistrate - The Magistrate component provides the core processing
components of the security information and event management (SIEM) system.
You can add one Magistrate component for each deployment. The Magistrate
provides views, reports, alerts, and analysis of network traffic and security
events. The Magistrate processes the events or flows against the defined
custom rules to create an offense. If no custom rules exist, the Magistrate uses
the default rule set to process the offending event or flow. An offense is an
event or flow that has been processed through QRadar Network Anomaly
Detection using multiple inputs, individual events or flows, and combined events
or flows with analyzed behavior and vulnerabilities. Magistrate prioritizes the
offenses and assigns a magnitude value based on several factors, including the
amount of offenses, severity, relevance, and credibility.
When processed, the Magistrate produces a list for each offense source,
providing you with a list of attackers and their offense for each event or flow.

After the Magistrate establishes the magnitude, the Magistrate then provides
multiple options for resolution.
By default, the Event View page includes a Magistrate component. The following
diagram shows an example of a QRadar Network Anomaly Detection deployment
that includes SIEM components. The example shows a QRadar QFlow Collector,
an Event Collector, and an Event Processor connected to the Magistrate, which
allows for the collection, categorizing, and processing of flow and event
information.
To build your Event View:

1 Add SIEM components to your view. See Adding Components.
2 Connect the components. See Connecting Components.
3 Connect deployments. See Forwarding Normalized Events and Flows.
4 Rename the components so each component has a unique name. See Renaming
Components.

Adding Components You can add the following QRadar Network Anomaly Detection components to
your Event View:
• Event Collector
• Event Processor
• Off-site Source
• Off-site Target
• QRadar QFlow Collector
NOTE
The procedures in the section provide information on adding QRadar Network
Anomaly Detection components using the Event View page.
You can also add components using the System View page. For information on the
System View page, see Managing Your System View.
To add components to your Event View:

Step 1 On the Admin tab, click Deployment Editor.
Step 2 In the Event Components pane, select a component you want to add to your
deployment.
Step 3 Type a unique name for the component you want to add. The name can be up to
20 characters in length and may include underscores or hyphens. Click Next.
Step 4 From the Select a host to assign to list box, select a managed host you want to
assign the new component to. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the deployment editor menu, select File > Save to staging.
The deployment editor saves your changes to the staging area and automatically
closes.
Connecting After you add all the necessary components in your Event View page, you must
Components connect them. The Event View page only allows you to connect appropriate
components together. For example, you can connect an Event Collector to an
Event Processor, but not a Magistrate component.
To connect components:
Step 1 In the Event View page, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
NOTE
You can also right-click a component to access the Action menu item.

An arrow is displayed in your map. The arrow represents a connection between

two components.
Step 3 Drag the end of the arrow to the component you want to establish a connection to.
Table 8-3 provides a list of components you are able to connect.
Table 8-3 Component Connections
You can connect a... To Connection Guide

QRadar QFlow Event Collector A QRadar QFlow Collector can
Collector only be connected to an Event
Collector.
The number of connections is not
restricted.
Event Collector Event Processor An Event Collector can only be
connected to one Event Processor.
A Console Event Collector can only
be connected to a Console Event
Processor. This connection cannot
be removed.
A non-Console Event Collector can
be connected to an Event
Processor on the same system.
A non-Console Event Collector can
be connected to a remote Event
Processor, but only if the Event
Processor does not already exist
on the Console.
Event Collector Off-site Target The number of connections is not
restricted.
Off-site Source Event Collector The number of connections is not
restricted.
An Event Collector connected to an
Event-only appliance cannot
receive an off-site connection from
system hardware that has the
Receive Flows feature enabled.
For more information, see
Forwarding Normalized Events
and Flows.
An Event Collector connected to a
QFlow-only appliance cannot
receive an off-site connection from
a remote system if the system has
the Receive Events feature
enabled. For more information, see
Forwarding Normalized Events
and Flows.

Table 8-3 Component Connections (continued)
You can connect a... To Connection Guide

Event Processor Magistrate (MPC) Only one Event Processor can
connect to a Magistrate.
Event Processor Event Processor A Console Event Processor cannot
connect to a non-Console Event
Processor.
A non-Console Event Processor
can be connected to another
Console or non-Console Event
Processor, but not both at the
same time.
A non-Console Event Processor is
connected to a Console Event
Processor when a non-Console
managed host is added.
Step 4 Optional. Configure flow filtering on a connection between a QRadar QFlow

Collector and an Event Collector.
a Right-click the arrow between the QRadar QFlow Collector and the Event
Collector and select Configure.
b In the text field for the Flow Filter parameter, type the IP addresses or CIDR
addresses for the Event Collectors you want the QRadar QFlow Collector to
send flows to.
c Click Save.
Step 5 Repeat for all remaining components that require connections.
Forwarding To forward normalized events and flows, you must configure an off-site Event
Normalized Events Collector (target) in your current deployment to receive events and flows from an
and Flows associated off-site Event Collector in the receiving deployment (source).
You can add the following components to your Event View page:
• Off-site Source - An off-site Event Collector from which you want to receive
event and flow data. The off-site source must be configured with appropriate
permissions to send event or flow data to the off-site target.
• Off-site Target - An off-site Event Collector to which you want to send event
data.

For example:
To forward normalized events between two deployments (A and B), where

deployment B wants to receive events from deployment A:
1 Configure deployment A with an off-site target to provide the IP address of the
managed host that includes Event Collector B.
2 Connect Event Collector A to the off-site target.
3 In deployment B, configure an off-site source with the IP address of the managed
host that includes Event Collector A and the port that Event Collector A is
monitoring.
If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, remove the off-site target and in
deployment B, remove the off-site source.
To enable encryption between deployments, you must enable encryption on both

off-site source and target. Also, you must ensure the SSH public key for the off-site
source (client) is available to the target (server) to ensure appropriate access. For
example, if you want to enable encryption between the off-site source and Event
Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from
the off-site source to Event Collector B (add the contents of the file to
/root/.ssh/authorized_keys).

NOTE
If the off-site source or target is an all-in-one system, the public key is not
automatically generated, therefore, you must manually generate the public key.
For more information on generating public keys, see your Linux® documentation.
To forward normalized events and flows:

Step 1 On the Admin tab, click Deployment Editor.
Step 2 In the Event Components pane, select one of the following options:
• Off-site Source
• Off-site Target
Step 3 Type a unique name for the off-site source or off-site target. The name can be up
to 20 characters in length and may include underscores or hyphens. Click Next.
• Enter a name for the off-site host - Type the name of the off-site host. The
name can be up to 20 characters in length and may include the underscores or
hyphens characters.
• Enter the IP address of the source server - Type the IP address of the
managed host you want to connect the off-site host to.
• Receive Events - Select the check box to enable the off-site host to receive
events.
• Receive Flows - Select the check box to enable the off-site host to receive
flows.
• Encrypt traffic from off-site source - Select the check box to encrypt traffic
from an off-site source. When enabling encryption, you must select this check
box on the associated off-site source and target.
Step 5 Click Next.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the deployment editor menu, select File > Save to staging.
The deployment editor saves your changes to the staging area and automatically
closes.
NOTE
If you update your Event Collector configuration or the monitoring ports, you must
manually update your source and target configurations to maintain the connection
between deployments.

Renaming You can rename a component in your view to uniquely identify components
Components through your deployment.
To rename a component:
Step 1 In the Event Components pane, select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
NOTE
You can also right-click a component to access the Action menu items.
Step 3 Type a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click OK.
Managing Your The System View page allows you to manage all managed hosts in your network.
System View A managed host is a component in your network that includes QRadar Network
Anomaly Detection software. If you are using a QRadar Network Anomaly
Detection appliance, the components for that appliance model are displayed on
the System View page. If your QRadar Network Anomaly Detection software is
installed on your own hardware, the System View page includes a Host Context
component. The System View page allows you to select which components you
want to run on each managed host.
Using the System View page, you can:

• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use QRadar Network Anomaly Detection with NATed networks in your
deployment. See Using NAT with QRadar Network Anomaly Detection.
• Update the managed host port configuration. See Configuring a Managed
Host.
• Assign a component to a managed host. See Assigning a Component to a
Host.
• Configure Host Context. See Configuring Host Context.
• Configure an Accumulator. See Configuring an Accumulator.
Setting Up Managed Using the deployment editor, you can manage all hosts in your deployment,
Hosts including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
You cannot add, assign or configure components on a non-Console managed host
when the QRadar Network Anomaly Detection software version is incompatible
with the software version that the Console is running. If a managed host has
previously assigned components and is running an incompatible software version,

Managing Your System View 123
you can still view the components, however, you are not able to update or delete
the components. For more information, contact Customer Support.
Encryption provides greater security for all QRadar Network Anomaly Detection
traffic between managed hosts. To provide enhanced security, QRadar Network
Anomaly Detection also provides integrated support for OpenSSH software.
OpenSSH software provides a FIPS 140-2 certified encryption solution. When
integrated with QRadar Network Anomaly Detection, OpenSSH provides secure
communication between QRadar Network Anomaly Detection components.
Encryption occurs between managed hosts in your deployment, therefore, your

deployment must consist of more than one managed host before encryption is
possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from
the client. A client is the system that initiates a connection in a client/server
relationship. When encryption is enabled for a managed host, encryption tunnels
are created for all client applications on a managed host to provide protected
access to the respective servers. If you enable encryption on a non-Console
managed host, encryption tunnels are automatically created for databases and
other support service connections to the Console.
Figure 8-1 shows the movement of traffic within a QRadar Network Anomaly
Detection deployment, including flows and event traffic and the client/server
relationships within the deployment. When enabling encryption on a managed
host, the encryption SSH tunnel is created on the client host. For example, if you
enable encryption for the Event Collector in the deployment depicted in the figure
below, the connection between the Event Processor and Event Collector and the
connection between the Event Processor and Magistrate are encrypted. Figure 8-1
also displays the client/server relationship between the Console and the Ariel
database. When you enable encryption on the Console, an encryption tunnel is
used when performing event searches through the Offenses tab.
NOTE
You can right-click a component to enable encryption between components.

CAUTION
Enabling encryption reduces the performance of a managed host by at least 50%.
Figure 8-1 Encryption Tunnels
Adding a Managed Host

To add a managed host:
NOTE
Before you add a managed host, make sure the managed host includes QRadar
Network Anomaly Detection software.
Step 1 From the menu, select Actions > Add a Managed Host.
Step 2 Click Next.
• Enter the IP of the server or appliance to add - Type the IP address of the
host you want to add to your System View.
• Enter the root password of the host - Type the root password for the host.
• Confirm the root password of the host - Type the password again.
• Host is NATed - Select the check box to use an existing Network Address
Translation (NAT) on this managed host. For more information on NAT, see
Using NAT with QRadar Network Anomaly Detection.
NOTE
If you want to enable NAT for a managed host, the NATed network must be using
static NAT translation. For more information on using NAT, see Using NAT with

• Enable Encryption - Select the check box to create an SSH encryption tunnel
for the host.
• Enable Compression - Select the check box to enable data compression
between two managed hosts.
If you selected the Host is NATed check box, the Configure NAT Settings page is
displayed. Go to Step 4. Otherwise, go to Step 5.
NOTE
If you want to add a non-NATed managed host to your deployment when the
Console is NATed, you must change the Console to a NATed host (see Changing
the NAT Status for a Managed Host) before adding the managed host to your
deployment.
Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Type the public IP
address of the managed host. The managed host uses this IP address to
communicate with other managed hosts in different networks using NAT.
• Select NATed network - From the list box, select the network you want this
managed host to use.
- If the managed host is on the same subnet as the Console, select the
Console of the NATed network.
- If the managed host is not on the same subnet as the Console, select the
managed host of the NATed network.
NOTE
For information on managing your NATed networks, see Using NAT with QRadar
Step 5 Click Next.

NOTE
If your deployment included undeployed changes, a window is displayed
requesting you to deploy all changes.
The System View is displayed, including the host in the Managed Hosts pane.
Editing a Managed Host

To edit an existing managed host:
Step 1 Click the System View tab.
Step 2 Right-click the managed host you want to edit and select Edit Managed Host.
NOTE
This option is only available when the selected component has a managed host
running a compatible version of QRadar Network Anomaly Detection software.
Step 3 Click Next.

Step 4 Edit the following values, as necessary:

• Host is NATed - Select the check box if you want to use existing Network
Address Translation (NAT) on this managed host. For more information on NAT,
see Using NAT with QRadar Network Anomaly Detection.
NOTE
static NAT translation. For more information on using NAT, see Using NAT with
• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host.
If you selected the Host is NATed check box, the Configure NAT settings page is
displayed. Go to Step 5. Otherwise, go to Step 6.
• Enter public IP of the server or appliance to add - Type the public IP
communicate with another managed host that belongs to a different network
using NAT.
managed host to use. For information on managing your NATed networks, see
Using NAT with QRadar Network Anomaly Detection.
Step 6 Click Next.
The System View page is displayed, including the updated host in the Managed
Hosts pane.
Removing a Managed Host

You can remove non-Console managed hosts from your deployment. You cannot
remove a managed host that is hosting the QRadar Network Anomaly Detection
Console.
To remove a managed host:

Step 2 Right-click the managed host you want to delete and select Remove host.
NOTE
This option is only available when the selected component has a managed host
running a compatible version of QRadar Network Anomaly Detection software.
Step 3 Click OK.

Using NAT with Network Address Translation (NAT) translates an IP address in one network to a
QRadar Network different IP address in another network. NAT provides increased security for your
Anomaly Detection deployment since requests are managed through the translation process and
essentially hides internal IP addresses.

Before you enable NAT for a QRadar Network Anomaly Detection managed host,
you must set up your NATed networks using static NAT translation. This ensures
communications between managed hosts that exist within different NATed
networks. For example, in the following diagram, the QFlow 1101 in Network 1 has
an internal IP address of 10.100.100.1. When the QFlow 1101 wants to
communicate with the Event Collector in Network 2, the NAT router translates the
IP address to 192.15.2.1.
NOTE
Before you enable NAT using QRadar Network Anomaly Detection, your static
NATed networks must be set up and configured on your network. For more
information, see your network administrator.

You can add a non-NATed managed host using inbound NAT for a public IP
address. You can also use a dynamic IP address for outbound NAT. However, both
must be located on the same switch as the Console or managed host. You must
configure the managed host to use the same IP address for the public and private
IP addresses.
When adding or editing a managed host, you can enable NAT for that managed
host. You can also use the deployment editor to manage your NATed networks,
including:
• Adding a NATed Network to QRadar Network Anomaly Detection
• Editing a NATed Network
• Deleting a NATed Network From QRadar Network Anomaly Detection
• Changing the NAT Status for a Managed Host
Adding a NATed Network to QRadar Network Anomaly Detection

To add a NATed network to your QRadar Network Anomaly Detection deployment:
Step 1 In the deployment editor, click the NATed Networks icon.
NOTE
You can also select the Actions > Manage NATed Networks menu option to
access the Manage NATed Networks window.
Step 2 Click Add.

Step 3 Type a name for a network you want to use for NAT.
Step 4 Click OK.
The Manage NATed Networks window is displayed, including the added NATed
network.
Step 5 Click OK.
Step 6 Click Yes.
Editing a NATed Network

To edit a NATed network:
NOTE
Step 2 Select the NATed network you want to edit. Click Edit.
Step 3 Type a new name for of the NATed network.
Step 4 Click OK.
The Manage NATed Networks window is displayed, including the updated NATed
networks.
Step 5 Click OK.

Step 6 Click Yes.
Deleting a NATed Network From QRadar Network Anomaly Detection

To delete a NATed network from your deployment:
NOTE
Step 2 Select the NATed network you want to delete.

Step 4 Click OK.
Step 5 Click Yes.
Changing the NAT Status for a Managed Host

To change your NAT status for a managed host, make sure you update the
managed host configuration within QRadar Network Anomaly Detection before you
update the device. This prevents the host from becoming unreachable and allows
you to deploy changes to that host.
To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Right-click the managed host you want to edit and select Edit Managed Host.
Step 3 Click Next.
a If you want to enable NAT for the managed host, select the Host is NATed
check box and click Next. Go to Step 5
NOTE
static NAT translation.
b If you want to disable NAT for the managed host, clear the Host is NATed
check box. Go to Step 6
• Change public IP of the server or appliance to add - Type the public IP
communicate with another managed host that belongs to a different network
using NAT.
managed host to use.
• Manage NATs List - Click this icon to update the NATed network configuration.
For more information, see Using NAT with QRadar Network Anomaly
Detection.

Step 6 Click Next.

The System View page is displayed, including the updated host in the Managed
Hosts pane.
NOTE
When you change the NAT status for an existing managed host, error messages
may be displayed. Ignore these error messages.
Step 8 Update the configuration for the device (firewall) to which the managed host is
communicating.
Configuring a To configure a managed host:

Managed Host
Step 1 From the System View page, right-click the managed host you want to configure
and select Configure.
• Minimum port allowed - Type the minimum port for which you want to
establish communications.
• Maximum port allowed - Type the maximum port for which you want to
establish communications.
• Ports to exclude - Type the ports you want to exclude from communications.
Separate multiple ports using a comma.
Step 3 Click Save.
Assigning a You can assign the QRadar Network Anomaly Detection components that you
Component to a Host added in the Event View page to the managed hosts in your deployment.
NOTE
This section provides information on assigning a component to a host using the
System View page, however, you can also assign components to a host on the
Event View page.
To assign a host:
Step 2 From the Managed Host list, select the managed host you want to assign a
QRadar Network Anomaly Detection component to.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
NOTE
You can also right-click a component to access the Actions menu items.

Step 5 From the Select a host list box, select the host that you want to assign to this
component. Click Next.
NOTE
The list box only displays managed hosts that are running a compatible version of
QRadar Network Anomaly Detection software.
Configuring Host The Host Context component monitors all QRadar Network Anomaly Detection
Context components to make sure that each component is operating as expected.
To configure the Host Context component:

Step 2 Select the managed host that includes the host context you want to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.
NOTE
You can also right-click a component to access the Actions menu item.
Table 8-4 Host Context Parameters
Disk Usage Sentinel Settings
Warning Threshold When the configured threshold of disk usage is exceeded,
an email is sent to the administrator indicating the current
state of disk usage. The default warning threshold is 0.75,
therefore, when disk usage exceeds 75%, an email is sent
indicating that disk usage is exceeding 75%. If disk usage
continues to increase above the configured threshold, a new
email is sent after every 5% increase in usage. By default,
Host Context monitors the following partitions for disk usage:
• /
• /store
• /store/tmp
Type the warning threshold for disk usage.
Note: Notification emails are sent from the email address
specified in the Alert Email From Address parameter to
the email address specified in the Administrative Email
Address parameter. These parameters are configured
on the System Settings window. For more information,
see Setting Up IBM Security QRadar Network
Anomaly Detection.

Table 8-4 Host Context Parameters (continued)
Recovery Threshold When the system has exceeded the shutdown threshold,
disk usage must fall below the recovery threshold before
QRadar Network Anomaly Detection processes are
restarted. The default is 0.90, therefore, processes are not
restarted until disk usage is below 90%.
Type the recovery threshold.
Anomaly Detection.
Shutdown Threshold When the system exceeds the shutdown threshold, all
QRadar Network Anomaly Detection processes are stopped.
An email is sent to the administrator indicating the current
state of the system. The default is 0.95, therefore, when disk
usage exceeds 95%, all QRadar Network Anomaly
Detection processes stop.
Type the shutdown threshold.
Anomaly Detection.
Inspection Interval Type the frequency, in milliseconds, that you want to
determine disk usage.
SAR Sentinel Settings
Inspection Interval Type the frequency, in milliseconds, that you want to inspect
SAR output. The default is 300,000 ms.
Alert Interval Type the frequency, in milliseconds, that you want to be
notified that the thresholds have been exceeded. The default
is 7,200,000 ms.
Time Resolution Type the time, in seconds, that you want the SAR inspection
to be engaged. The default is 60 seconds.
Log Monitor Settings
Inspection Interval Type the frequency, in milliseconds, that you want to monitor
the log files. The default is 60,000 ms.
Monitored SYSLOG Type a filename for the SYSLOG file. The default is
File Name /var/log/qradar.error.
Alert Size Type the maximum number of lines you want to monitor from
the log file. The default is 1000.

Step 6 Click Save.
Configuring an The accumulator component assists with data collection and anomaly detection for
Accumulator the Event Processor on a managed host. The accumulator component is
responsible for receiving streams of flows and events from the local Event
Processor, writing database data, and contains the Anomaly Detection Engine
(ADE).
To configure an accumulator:
Step 2 Select the managed host you want to configure.
Step 3 Select the accumulator component.
NOTE
You can also right-click a component to access the Actions menu item.
The Accumulator Configuration window provides the following information:

Table 8-5 Accumulator Parameters
Central Accumulator Specifies if the current component is a central accumulator.
A central accumulator only exists on a Console system.
Options include:
• True - Specifies that the component is a central
accumulator on the Console and receives TCP data from
non-central accumulators.
• False - Specifies that the component is not a central
accumulator, but is deployed on the Event Processor and
forwards data to a central accumulator on the Console.
Anomaly Detection Type the address and port of the ADE. The ADE is
Engine responsible for analyzing network data and forwarding the
data to the rule system for resolution.
For the central accumulator, type the address and port using
the following syntax: <Console>:<port>
For a non-central accumulator, type the address and port
using the following syntax: <non-Console IP
Address>:<port>
Streamer Accumulator Type the listen port of the accumulator responsible for
Listen Port receiving streams of flows from the event processor.
The default value is 7802.
Alerts DSM Address Type the DSM address for forwarding alerts from the
accumulator using the following syntax: <DSM_IP
address>:<DSM port number>.
Step 5 Click Save.

Configuring This section includes the following topics:

QRadar Network • Configuring a QRadar QFlow Collector
Anomaly Detection
Components • Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate
• Configuring an Off-site Source
• Configuring an Off-site Target
Configuring a This section provides information on how to configure a QRadar QFlow Collector.
QRadar QFlow For an overview of the QRadar QFlow Collector component, see Building Your
Collector Event View.
NOTE
You can configure a flow filter on the connection from a QRadar QFlow Collector
and multiple Event Collectors. A flow filter controls which flows a component
receives. The Flow Filter parameter is available on the Flow Connection
Configuration window. Right-click the arrow between the component you want to
configure for flow filtering and select Configure. For more information on
configuring a flow filter, see Connecting Components.
To configure a QRadar QFlow Collector:

Step 1 From either the Event View or System View pages, select the QRadar QFlow
Collector you want to configure.
NOTE
You can also right-click a component to access the Actions menu items.
Table 8-6 QRadar QFlow Collector Parameters
Event Collector Specifies the Event Collector component connected to
Connections this QRadar QFlow Collector. The connection is
displayed in the following format: <Host IP
Address>:<Port>.
If the QRadar QFlow Collector is not connected to an
Event Collector, the parameter is empty.
QRadar QFlow Collector ID Type a unique ID for the QRadar QFlow Collector.

Configuring QRadar Network Anomaly Detection Components 135
Table 8-6 QRadar QFlow Collector Parameters (continued)
Maximum Content Capture Type the capture length, in bytes, to attach to a flow.
The range is from 0 to 65535. A value of 0 disables
content capture. The default is 64 bytes.
QRadar QFlow Collectors capture a configurable
number of bytes at the start of each flow. Transferring
large amounts of content across the network may affect
network and QRadar Network Anomaly Detection
performance. On managed hosts where the QRadar
QFlow Collectors are located on close high-speed links,
you can increase the content capture length.
Note: Increasing content capture length increases disk
storage requirements for recommended disk
allotment.
Alias Autodetection Type one of the following values:
• Yes - Enables the QRadar QFlow Collector to detect
external flow source aliases. When a QRadar QFlow
Collector receives traffic from a device with an IP
address, but no current alias, the QRadar QFlow
Collector attempts a reverse DNS lookup to
determine the host name of the device. If the lookup
is successful, the QRadar QFlow Collector adds this
information to the database and reports this
information to all QRadar QFlow Collectors in your
deployment.
• No - Prevents the QRadar QFlow Collector from
detecting external flow sources aliases.
For more information on flow sources, see Managing
Flow Sources.
Step 4 On the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters are displayed.
Step 5 Enter values for the parameters, as necessary:
Table 8-7 QRadar QFlow Collector Parameters
Event Collector Type the Event Collector connected to this QRadar QFlow
Connections Collector. The connection is displayed in the following
format: <Host IP Address>:<Port>.
If the QRadar QFlow Collector is not connected to an Event
Collector, the parameter is empty.

Flow Routing Mode Type one of the following values:
• 0 - Type 0 to enable Distributor Mode, which allows
QRadar QFlow Collector to group flows that have similar
properties.
• 1 - Type 1 to enable Flow Mode, which prevents the
bundling of flows.
Maximum Data Type the amount of bytes and packets you want the QRadar
Capture/Packet QFlow Collector to capture.
Time Synchronization Type the IP address or host name of the time server.
Server IP Address
Time Synchronization Type the length of time you want the managed host to
Timeout Period continue attempting to synchronize the time before timing
out. The default is 15 minutes.
Endace DAG Interface Type the Endace Network Monitoring Interface card
Card Configuration parameters. For more information on the required input for
this parameter, contact Customer Support.
Flow Buffer Size Type the amount of memory, in MB, that you want to
reserve for flow storage. The default is 400 MB.
Maximum Number of Type the maximum number of flows you want to send from
Flows the QRadar QFlow Collector to an Event Collector.
Remove duplicate flows Type one of the following values:
• Yes - Enables the QRadar QFlow Collector to remove
duplicate flows.
removing duplicate flows.
Verify NetFlow Type one of the following values:
Sequence Numbers • Yes - Enables the QRadar QFlow Collector to check the
incoming NetFlow sequence numbers to ensure that all
packets are present and in order. A notification is
displayed if a packet is missing or received out-of-order.
checking the incoming NetFlow sequence numbers to
ensure that all packets are present and in order.

External Flow Type the method you want to use to remove duplicate
De-duplication method external flow sources (de-duplication). Options include:
• Source - Enables the QRadar QFlow Collector to
compare originating flow sources. This method compares
the IP address of the device that exported the current
external flow record to that of the IP address of the
device that exported the first external record of the
particular flow. If the IP addresses do not match, the
current external flow record is discarded.
• Record - Enables the QRadar QFlow Collector to
compare individual external flow records. This method
logs a list of every external flow record detected by a
particular device and compares each subsequent record
to that list. If the current record is found in the list, that
record is discarded.
Flow Carry-over Type the number of seconds before the end of an interval
Window that you want one-sided flows to be held over until the next
interval if the flow. This allows time for the inverse side of
the flow to arrive before being reported.
External flow record Note: This parameter is only valid if you typed Record in
comparison mask the External Flow De-duplication method parameter.
Type the external flow record fields you want to use to
remove duplicate flows. Valid options include:
• D - Direction
• B - ByteCount
• P - (PacketCount
You can combine these options. Possible combinations of
the options include:
• DBP - Uses direction, byte count, and packet count when
comparing flow records.
• XBP - Uses byte count and packet count when
comparing flow records.
• DXP - Uses direction and packet count when comparing
flow records.
• DBX - Uses direction and byte count when comparing
flow records.
• DXX - Uses direction when comparing flow records.
• XBX - Uses byte count when comparing records.
• XXP - Uses packet count when comparing records.
Create Superflows Type one of the following options:
• Yes - Enables the QRadar QFlow Collector to create
Superflows from group flows that have similar properties.
• No - Prevents the creation of Superflows.

Type A Superflows Type the threshold for type A superflows.
A type A superflow is a group of flows from one host to
many hosts. This is a unidirectional flow that is an aggregate
of all flows that have the same different destination hosts,
but following parameters are the same:
• Protocol
• Source bytes
• Source hosts
• Destination network
• Destination port (TCP and UDP flows only)
• TCP flags (TCP flows only)
• ICMP type, and code (ICMP flows only)
Type B Superflows Type the threshold for type B superflows.
A type B superflow is group of flows from many hosts to one
host. This is unidirectional flow that is an aggregate of all
flows that have different source hosts, but the following
parameters are the same:
• Protocol
• Source bytes
• Source packets
• Destination host
• Source network
• Destination port (TCP and UDP flows only)
• TCP flags (TCP flows only)
• ICMP type, and code (ICMP flows only)
Type CSuperflows Type the threshold for type C superflows.
Type C superflows are a group of flows from one host to
another host. This is a unidirectional flow that is an
aggregate of all non-ICMP flows have different source or
destination ports, but the following parameters are the
same:
• Protocol
• Source host
• Destination host
• Source bytes
• Destination bytes
• Source packets
• Destination packets

Recombine In some networks, traffic is configured to take alternate
Asymmetric Superflows paths for inbound and outbound traffic. This is called
asymmetric routing. You can combine flows received from
one or more QRadar QFlow Collectors. However, if you
want to combine flows from multiple QRadar QFlow
Collectors, you must configure flow sources in the
Asymmetric Flow Source Interface(s) parameter in the
QRadar QFlow Collector configuration.
Choose one of the following options:
• Yes - Enables the QRadar QFlow Collector to recombine
asymmetric flows.
recombining asymmetric flows.
Ignore Asymmetric Type one of the following options:
Superflows • Yes - Enables the QRadar QFlow Collector to create
superflows while asymmetric flows are enabled.
• No - Prevents the QRadar QFlow Collector from creating
superflows while asymmetric flows are enabled.
Minimum Buffer Data Type the minimum amount of data, in bytes, that you want
the Endace Network Monitoring Interface Card to receive
before the captured data is returned to the QRadar QFlow
Collector process. For example, if this parameter is 0 and no
data is available, the Endace Network Monitoring Interface
Card allows non-blocking behavior.
Maximum Wait Time Type the maximum amount of time, in microseconds, that
you want the Endace Network Monitoring Interface Card to
wait for the minimum amount of data, as specified in the
Minimum Buffer Data parameter.
Polling Interval Type the interval, in microseconds, that you want the
Endace Network Monitoring Interface Card to wait before
checking for additional data. A polling interval avoids
excessive polling traffic to the card and, therefore,
conserves bandwidth and processing time.
Step 6 Click Save.

Step 7 Repeat for all QRadar QFlow Collectors in your deployment you want to configure.
Configuring an Event This section provides information on how to configure an Event Collector. For an
Collector overview of the Event Collector component, see Building Your Event View.
To configure an Event Collector:

Step 1 From either the Event View or System View pages, select the Event Collector you
want to configure.

NOTE
Table 8-8 Event Collector Parameters
Destination Event Specifies the Event Processor component connected to
Processor this QRadar QFlow Collector. The connection is
displayed in the following format: <Host IP
Address>:<Port>.
If the QRadar QFlow Collector is not connected to an
Event Processor, the parameter is empty.
Flow Listen Port Type the listen port for flows.
Event Forwarding Listen Type the Event Collector event forwarding port.
Port
Flow Forwarding Listen Type the Event Collector flow forwarding port.
Port

Table 8-9 Event Collector Advanced Parameters
Primary Collector Specifies one of the following values:
• True - Specifies that the Event Collector is located on a
Console system.
• False - Specifies that the Event Collector is located on a
non-Console system.
Autodetection Enabled Type of the following values:
• Yes - Enables the Event Collector to automatically
analyze and accept traffic from previously unknown log
sources. The appropriate firewall ports are opened to
enable Autodetection to receive events. This is the
default.
• No - Prevents the Event Collector from automatically
analyzing and accepting traffic from previously unknown
log sources.
For more information on configuring log sources, see the
IBM Security QRadar Log Sources Users Guide.
Flow Deduplication Type the amount of time in seconds flows are buffered
Filter before they are forwarded.
Asymmetric Flow Filter Type the amount of time in seconds asymmetric flows will be
buffered before they are forwarded.

Step 6 Click Save.

Step 7 Repeat for all Event Collectors in your deployment you want to configure.
Configuring an Event This section provides information on how to configure an Event Processor. For an
Processor overview of the Event Processor component, see Building Your Event View.
To configure an Event Processor:

Step 1 From either the Event View or System View pages, select the Event Processor you
want to configure.
NOTE
Table 8-10 Event Processor Parameters
Event Collector Type the port that the Event Processor monitors for
Connections Listen Port incoming Event Collector connections. The default value is
port 32005.
Event Processor Type the port that the Event Processor monitors for
Connections Listen Port incoming Event Processor connections. The default value
is port 32007.

Step 5 Enter values for the parameters, as necessary:
Table 8-11 Event Processor Advanced Parameters
Test Rules Note: The test rules list box in the Deployment Editor is
available for non-Console Event Processors only.
Type one of the following options:
• Locally - Rules are tested on the Event Processor
and not shared with the system. Testing rules locally
is the default for Console Event Processors.
• Globally - Allows individual rules for every Event
Processor to be shared and tested system wide.
Each rule in Offenses > Rules can be toggled to
Global for detection by any Event Processor on the
system.

Table 8-11 Event Processor Advanced Parameters (continued)
Note: If a rule is configured to test locally, the Globally
option does not override the rule setting.
For example, you can create a rule to alert you when
there is five failed login attempts within 5 minutes. The
default for the rule is set to local. When the Event
Processor containing the local rule observes five failed
login attempts, the rule generates a response. When the
rule in the example above is set to Global, when five
failed login attempts within 5 minutes is detected on any
Event Processor, the rule generates a response. This
means that when rules are shared globally, the rule can
detect when one failed login attempt comes from five
separate event processors. Testing rules globally is the
default for non-Console Event Processors, with each
rule on the Event Processor set to test locally.
Overflow Event Routing Type the events per second threshold that the Event
Threshold Processor can manage. Events over this threshold are
placed in the cache.
Overflow Flow Routing Type the flows per minute threshold that the Event
Threshold Processor can manage. Flows over this threshold are
placed in the cache.
Events database path Type the location you want to store events. The default
is /store/ariel/events.
Payloads database length Type the location you want to store payload information.
The default is /store/ariel/payloads.
Step 6 Click Save.

Step 7 Repeat for all Event Processors in your deployment you want to configure.
Configuring the This section provides information on how to configure the Magistrate. For an
Magistrate overview of the Magistrate component, see Building Your Event View.
To configure the Magistrate component:

Step 1 From either the Event View or System View pages, select the Magistrate
component you want to configure.
NOTE

Step 4 In the Overflow Routing Threshold field, type the events per second threshold
that the Magistrate can manage events. Events over this threshold are placed in
the cache. The default is 20,000.

Step 5 Click Save.
Configuring an This section provides information on how to configure an off-site source. For an
Off-site Source overview of the off-site source component, see Building Your Event View.
NOTE
When configuring off-site source and target components, we recommend that you
deploy the Console with the off-site source first and the Console with the off-site
target second to prevent connection errors.
To configure an off-site source component:

Step 1 From either the Event View or System View pages, select the off-site source you
want to configure.
NOTE
Table 8-12 Off-site Source Parameters
Receive Events Type one of the following values:
• True - Enables the system to receive events from the
off-site source host.
• False - Prevents the system from receiving events from
the off-site source host.
Receive Flows Type one of the following values:
• True - Enables the system to receive flows from the
off-site source host.
• False - Prevents the system from receiving flows from
the off-site source host.
Step 4 Click Save.

Step 5 Repeat for all off-site sources in your deployment you want to configure.
Configuring an This section provides information on how to configure an off-site target. For an
Off-site Target overview of the off-site target component, see Building Your Event View.
NOTE
When configuring off-site source and target components, we recommend that you
deploy the Console with the off-site source first and the Console with the off-site
target second to prevent connection errors.

To configure an off-site target component:

Step 1 From either the Event View or System View pages, select the off-site target you
want to configure.
NOTE
Table 8-13 Off-site Target Parameters
Event Collector Listen Type the Event Collector listen port for receiving event
Port data. The default listen port for events is 32004.
Note: If the off-site target system has been upgraded from
a previous QRadar Network Anomaly Detection
software version, you must change the port from the
default (32004) to the port specified in the Event
Forwarding Listen Port parameter for the off-site
target. For more information on how to access the
Event Forwarding Listen port on the off-site target, see
Configuring an Event Collector.
Flow Collector Listen Type the Event Collector listen port for receiving flow data.
Port The default listen port for flows is 32000.
Step 4 Click Save.

Using the Flow Sources feature, you can manage the flow sources in your
deployment.

• Flow Sources Overview
• Managing Flow Sources
• Managing Flow Source Aliases
Flow Sources IBM Security QRadar Network Anomaly Detection allows you to integrate flow
Overview sources. Flow sources are classed as either internal or external:
• Internal flow sources - Includes any additional hardware installed on a
managed host, such as a Network Interface Card (NIC). Depending on the
hardware configuration of your managed host, the internal flow sources may
include:
- Network interface Card
- Endace Network Monitoring Interface Card
- Napatech Interface
• External flow sources - Includes any external flow sources that send flows to
the QRadar QFlow Collector. If your QRadar QFlow Collector receives multiple
flow sources, you can assign each flow source a distinct name, providing the
ability to distinguish one source of external flow data from another when
received on the same QRadar QFlow Collector. External flow sources may
include:
- NetFlow
- IPFIX
- sFlow
- J-Flow
- Packeteer
- Flowlog File

QRadar Network Anomaly Detection can forward external flows source data
using the spoofing or non-spoofing method:
- Spoofing - Resends the inbound data received from flow sources to a
secondary destination. To ensure flow source data is sent to a secondary
destination, configure the Monitoring Interface in the Flow Source
configuration (see Adding a Flow Source) to the port on which data is being
received (management port). When you use a specific interface, the QRadar
QFlow Collector uses a promiscuous mode capture to obtain flow source
data, rather than the default UDP listening port on port 2055. This allows the
QRadar QFlow Collector to capture flow source packets and forward the
data.
- Non-Spoofing - For the non-spoofing method, configure the Monitoring
Interface parameter in the Flow Source Configuration (see Adding a Flow
Source) as Any. The QRadar QFlow Collector opens the listening port,
which is the port configured as the Monitoring Port to accept flow source
data. The data is processed and forwarded to another flow source
destination. The source IP address of the flow source data becomes the IP
address of the QRadar Network Anomaly Detection system, not the original
router that sent the data.
NetFlow A proprietary accounting technology developed by Cisco Systems® Inc. that

monitors traffic flows through a switch or router, interprets the client, server,
protocol, and port used, counts the number of bytes and packets, and sends that
data to a NetFlow collector. The process of sending data from NetFlow is often
referred to as a NetFlow Data Export (NDE). You can configure QRadar Network
Anomaly Detection to accept NDE's and thus become a NetFlow collector. QRadar
Network Anomaly Detection supports NetFlow versions 1, 5, 7, and 9. For more
information on NetFlow, see http://www.cisco.com.
While NetFlow expands the amount of the network that is monitored, NetFlow uses
a connection-less protocol (UDP) to deliver NDEs. After an NDE is sent from a
switch or router, the NetFlow record is purged. As UDP is used to send this
information and does not guarantee the delivery of data, NetFlow records
inaccurate recording and reduced alerting capabilities. This can result in
inaccurate presentations of both traffic volumes and bi-directional flows.
When you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. If you change your
External Flow Source Monitoring Port parameter in the QRadar QFlow
Collector configuration, you must also update your firewall access
configuration. For more information about QRadar QFlow Collector
configuration, see Using the Deployment Editor.
• Make sure the appropriate ports are configured for your QRadar QFlow
Collector.

Flow Sources Overview 149
If you are using NetFlow version 9, make sure the NetFlow template from the
NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT
• IN_BYTES or OUT_BYTES
• IN_PKTS or OUT_PKTS
• TCP_FLAGS (TCP flows only)
IPFIX Internet Protocol Flow Information Export (IPFIX) is an accounting technology that
monitors traffic flows through a switch or router, interprets the client, server,
protocol, and port used, counts the number of bytes and packets, and sends that
data to a IPFIX collector. IBM Security Network Protection XGS 5000, a next
generation IPS, is an example of a device that sends flow traffic in IPFIX flow
format.
The process of sending IPFIX data is often referred to as a NetFlow Data Export
(NDE). IPFIX provides more flow information and deeper insight than NetFlow v9.
You can configure QRadar Network Anomaly Detection to accept NDE's and thus
become an IPFIX collector. IPFIX uses User Datagram Protocol (UDP) to deliver
NDEs. After a NDE is sent from the IPFIX forwarding device, the IPFIX record may
be purged.
To configure QRadar Network Anomaly Detection to accept IPFIX flow traffic, you
must add a NetFlow flow source. The NetFlow flow source processes IPFIX flows
using the same process.
NOTE
Your QRadar Network Anomaly Detection system may include a default NetFlow
flow source; therefore, you may not be required to configure a Netflow flow
source. To confirm that your system includes a default NetFlow flow source, select
Admin > Flow Sources. If default_Netflow is listed in the flow source list, IPFIX
is already configured.
When you configure an external flow source for IPFIX, you must:
• Ensure the appropriate firewall rules are configured. If you change your
External Flow Source Monitoring Port parameter in the QRadar QFlow
Collector configuration, you must also update your firewall access
configuration. For more information on QRadar QFlow Collector configuration,

see the IBM Security QRadar Network Anomaly Detection Administration

Guide.
• Ensure the appropriate ports are configured for your QRadar QFlow Collector.
• Ensure the IPFIX template from the IPFIX source includes the following fields:
- FIRST_SWITCHED
- LAST_SWITCHED
- PROTOCOL
- IPV4_SRC_ADDR
- IPV4_DST_ADDR
- L4_SRC_PORT
- L4_DST_PORT
- IN_BYTES or OUT_BYTES
- IN_PKTS or OUT_PKTS
- TCP_FLAGS (TCP flows only)
sFlow A multi-vendor and end-user standard for sampling technology that provides
continuous monitoring of application level traffic flows on all interfaces
simultaneously. sFlow combines interface counters and flow samples into sFlow
datagrams that are sent across the network to an sFlow collector. QRadar Network
Anomaly Detection supports sFlow versions 2, 4, and 5. Note that sFlow traffic is
based on sampled data and, therefore, may not represent all network traffic. For
more information on sFlow, see http://www.sflow.org.
sFlow uses a connection-less protocol (UDP). When data is sent from a switch or
router, the sFlow record is purged. As UDP is used to send this information and
does not guarantee the delivery of data, sFlow records inaccurate recording and
reduced alerting capabilities. This can result in inaccurate presentations of both
traffic volumes and bi-directional flows.
When you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
Collector.
J-Flow A proprietary accounting technology used by Juniper® Networks that allows you to
collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on
a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or
interface to collect network statistics for specific locations on your network. Note
that J-Flow traffic is based on sampled data and, therefore, may not represent all
network traffic. For more information on J-Flow, see http://www.juniper.net.

Flow Sources Overview 151
J-Flow uses a connection-less protocol (UDP). When data is sent from a switch or
router, the J-Flow record is purged. As UDP is used to send this information and
does not guarantee the delivery of data, J-Flow records inaccurate recording and
reduced alerting capabilities. This can result in inaccurate presentations of both
traffic volumes and bi-directional flows.
When you configure an external flow source for J-Flow, you must:
Collector.
Packeteer Packeteer devices collect, aggregate, and store network performance data. After
you configure an external flow source for Packeteer, you can send flow information
from a Packeteer device to QRadar Network Anomaly Detection.
Packeteer uses a connection-less protocol (UDP). When data is sent from a switch
or router, the Packeteer record is purged. As UDP is used to send this information
and does not guarantee the delivery of data, Packeteer records inaccurate
recording and reduced alerting capabilities. This can result in inaccurate
presentations of both traffic volumes and bi-directional flows.
To configure Packeteer as an external flow source, you must:

• Make sure that you configure Packeteer devices to export flow detail records
and configure the QRadar QFlow Collector as the destination for the data
export.
Collector.
• Make sure the class IDs from the Packeteer devices can automatically be
detected by the QRadar QFlow Collector.
• For additional information on mapping Packeteer applications into QRadar
Network Anomaly Detection, see the Mapping Packeteer Applications into
QRadar Technical Note.
Flowlog File A file generated from the QRadar Network Anomaly Detection flow logs.
Napatech Interface If you have a Napatech Network Adapter installed on your QRadar Network
Anomaly Detection system, the Naptatech Interface option is displayed as a
configurable packet-based flow source on the QRadar Network Anomaly Detection
user interface. The Napatech Network Adapter provides next-generation
programmable and intelligent network adapter for your network. For more
information regarding Napatech Network Adapters, see your Napatech vendor
documentation.

Managing Flow For QRadar Network Anomaly Detection appliances, QRadar Network Anomaly
Sources Detection automatically adds default flow sources for the physical ports on the
appliance. Also, QRadar Network Anomaly Detection also includes a default
NetFlow flow source. If QRadar Network Anomaly Detection is installed on your
own hardware, QRadar Network Anomaly Detection attempts to automatically
detect and add default flow sources for any physical devices, such as a Network
Interface Card (NIC). Also, when you assign a QRadar QFlow Collector, QRadar
Network Anomaly Detection includes a default NetFlow flow source.

• Adding a Flow Source
• Editing a Flow Source
• Enabling and Disabling a Flow Source
• Deleting a Flow Source
Adding a Flow To add a flow source:

Source
Step 3 On the navigation menu, click Flows.
Step 4 Click the Flow Sources icon.
Step 5 Click Add.
Table 9-1 Add Flow Source Window Parameters
Build from existing flow Select the check box if you want to create this flow source
source using an existing flow source as a template. After you
select the check box, use the list box to select a flow
source and click Use as Template.
Flow Source Name Type a name for the flow source. We recommend that for
an external flow source that is also a physical device, use
the device name as the flow source name. If the flow
source is not a physical device, make sure you use a
meaningful name. For example, if you want to use IPFIX
traffic, type ipf1. If you want to use NetFlow traffic, type
nf1.
Target Collector Using the list box, select the Event Collector you want to
use for this flow source.

Managing Flow Sources 153
Table 9-1 Add Flow Source Window Parameters (continued)
Flow Source Type Using the list box, select the flow source type for this flow
source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v5, v7, or v9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v.5
• Napatech, if applicable
• Endace, if applicable
Enable Asymmetric Flows In some networks, traffic is configured to take alternate
paths for inbound and outbound traffic. This is asymmetric
routing. Select this check box is you want to enable
asymmetric flows for this flow source.
Source File Path Type the source file path for the flowlog file.

a If you select the Flowlog File option in the Flow Source Type parameter,
configure the Source File Path, which is the source path location for the flow
log file.
b If you select the JFlow, Netflow, Packeteer FDR, or sFlow options in the Flow
Source Type parameter, configure the following parameters:
Table 9-2 External Flow parameters
Monitoring Interface Using the list box, select the monitoring interface you want
to use for this flow source.
Monitoring Port Type the port you want this flow source to use.
For the first NetFlow flow source configured in your network,
the default port is 2055. For each additional NetFlow flow
source, the default port number increments by 1. For
example, the default NetFlow flow source for the second
NetFlow flow source is 2056.
Enable Flow Select the check box to enable flow forwarding for this flow
Forwarding source. When you select the check box, the following
options are displayed:
• Forwarding Port - Type the port you want to forward
flows. The default is 1025.
• Forwarding Destinations - Type the destinations you
want to forward flows to. You can add or remove
addresses from the list using the Add and Remove
icons.

c If you select the Napatech Interface option in the Flow Source Type
parameter, type the Flow Interface you want to assign to this flow source.
NOTE
The Napatech Interface option is only displayed if you have a Napatech Network
Adapter installed in your system.
d If you select the Network Interface option as the Flow Source Type
parameter, configure the following parameters:
Table 9-3 Network Interface Parameters
Flow Interface Using the list box, select the log source you want to assign
to this flow source.
Note: You can only configure one log source per Ethernet
Interface. Also, you cannot send different flow types to
the same port.
Filter String Type the filter string for this flow source.
Step 8 Click Save.

Editing a Flow To edit a flow source:

Source
Step 5 Select the flow source you want to edit.
Step 6 Click Edit.
Step 7 Edit values, as necessary. For more information on values for flow source types,
see Adding a Flow Source.
Step 8 Click Save.
Enabling and To enable or disable a flow source:

Disabling a Flow
Source

Managing Flow Source Aliases 155
Step 5 Select the flow source you want to enable or disable.

Step 6 Click Enable/Disable.
The Enabled column indicates if the flow source is enabled or disabled. If the flow
source was previously disabled, the column now indicates True to indicate the flow
source is now enabled. If the flow source was previously enabled, the column now
indicates False to indicate the flow source is now disabled.
Deleting a Flow To delete a flow source:

Source
Step 5 Select the flow source you want to delete.
Step 7 Click OK.
Managing Flow You can configure a virtual name (or alias) for flow sources. You can identify
Source Aliases multiple sources being sent to the same QRadar QFlow Collector, using the source
IP address and virtual name. An alias allows a QRadar QFlow Collector to
uniquely identify and process data sources being sent to the same port.
When a QRadar QFlow Collector receives traffic from a device with an IP address
but no current alias, the QRadar QFlow Collector attempts a reverse DNS lookup
to determine the host name of the device. If the lookup is successful, the QRadar
QFlow Collector adds this information to the database and is reported to all
QRadar QFlow Collectors in your deployment.
NOTE
Using the deployment editor, you can configure the QRadar QFlow Collector to
automatically detect flow source aliases. For more information, see Managing
Flow Sources.

• Adding a Flow Source Alias
• Editing a Flow Source Alias
• Deleting a Flow Source Alias

Adding a Flow To add a flow source alias:

Source Alias
Step 4 Click the Flow Source Aliases icon.
Step 5 Click Add.
• IP - Type the IP address of the flow source alias.
• Name - Type a unique name for the flow source alias.
Step 7 Click Save.
Editing a Flow To edit a flow source alias:

Source Alias
Step 5 Select the flow source alias you want to edit.
Step 6 Click Edit.
Step 7 Update values, as necessary.
Step 8 Click Save.
Deleting a Flow To delete a flow source alias:

Source Alias
Step 5 Select the flow source alias you want to delete.
Step 7 Click OK.

10 CONFIGURING REMOTE NETWORKS
AND SERVICES
On the Admin tab, you can group remote networks and services for use in flow
and event searches and the custom rules engine.

• Remote Networks and Services Overview
• Managing Remote Networks
• Managing Remote Services
• Using Best Practices
Remote Networks Remote network and service groups enable you to represent traffic activity on your
and Services network for a specific profile. All remote network and service groups have group
Overview levels and leaf object levels.
You can edit remote network and service groups by adding objects to existing
groups or changing pre-existing properties to suit your environment.
CAUTION
If you move an existing object to another group (select a new group and click Add
Group), the object name moves from the existing group to the newly selected
group; however, when the configuration changes are deployed, the object data
stored in the database is lost and the object ceases to function. We recommend
that you create a new view and re-create the object (that exists with another
group).
Managing Remote Remote networks groups display user traffic originating from named remote
Networks networks. After you create remote network groups, you can aggregate flow and
event search results on remote network groups, and create rules that test for
activity on remote network groups.


• Default Remote Network Groups
• Adding a Remote Networks Object
• Editing a Remote Networks Object
Default Remote QRadar Network Anomaly Detection includes the following default remote network
Network Groups groups:
Table 10-1 Default Remote Network Groups
Group Description
BOT Specifies traffic originating from BOT applications.
Bogon Specifies traffic originating from un-assigned IP addresses.
For more information on bogons, see
http://www.team-cymru.org/Services/Bogons/.
HostileNets Specifies traffic originating from known hostile networks.
HostileNets has a set of 20 (rank 1 to 20 inclusive) configurable
CIDR ranges.
Neighbours This group is blank by default. You must configure this group to
classify traffic originating from neighboring networks.
Smurfs Specifies traffic originating from Smurf attacks. A Smurf attack is
a type of denial-of-service attack that floods a destination system
with spoofed broadcast ping messages.
Superflows This group is non-configurable. A superflow is a flow that is an
aggregate of a number of flows that have a similar predetermined
set of elements.
TrustedNetworks This group is blank by default. You must configure this group to
classify traffic originating from trusted networks.
Watchlists This group is blank by default. You can configure this group to
classify traffic originating from networks you want monitor.
NOTE
Groups and objects that include superflows are for informational purposes only
and cannot be edited. Groups and objects that include bogons are configured by
the Automatic Update function.
Adding a Remote To add a remote network object:

Networks Object
Step 2 On the navigation menu, click Remote Networks and Services Configuration.
Step 3 Click the Remote Networks icon.
Step 4 Click Add.

Managing Remote Networks 159
Table 10-2 Remote Networks - Add New Object Parameters
Group From the list box, select a group for this object or click Add
Group to add a new group.
Name Type a unique name for the object.
Weight Type or select a weight for the object.
IP/CIDR(s) Type the IP address or CIDR range for the object. Click Add.
Description Type a description for the object.
Step 6 Click Save.

Step 7 Click Return.
Step 8 Close the Remote Networks window.
All changes are deployed.
Editing a Remote To edit an existing Remote Networks object:

Networks Object
Step 3 Click the Remote Networks icon.
The Remote Networks window provides the following information in the Manage
Group pane.
Table 10-3 Manage Group Pane Parameters
Name Specifies the name assigned to the view.
Actions Click the Open icon to view the properties window.
Step 4 Click the group you want to display.

The Manage Group pane refreshes, displaying a list of objects in the group you
selected.
Table 10-4 Manage Group Pane Parameters for Selected Group
Name Specifies the name assigned to the object.
Value(s) Specifies IP addresses or CIDR ranges assigned to
this object.

Table 10-4 Manage Group Pane Parameters for Selected Group (continued)
Actions Specifies the actions available for each object,
including:
• Edit - Click the Edit icon to edit object properties.
• Delete - Click the Delete icon to delete object.
Step 5 Click the Edit icon.

Step 6 Edit values as necessary. See Table 10-2.
Step 7 Click Save.
Step 9 Close the Remote Networks window.
Managing Remote Remote services groups organize traffic originating from user-defined network
Services ranges or the IBM automatic update server. After you create remote service
groups, you can aggregate flow and event search results, and create rules that test
for activity on remote service groups.

• Default Remote Service Groups
• Adding a Remote Services Object
• Editing a Remote Services Object
Default Remote QRadar Network Anomaly Detection includes the following default remote service
Service Groups groups:
Table 10-5 Default Remote Service Groups
IRC_Servers Specifies traffic originating from addresses commonly known as
chat servers.
Online_Services Specifies traffic originating from addresses commonly known
online services that may involve data loss.
Porn Specifies traffic originating from addresses commonly known to
contain explicit pornographic material.
Proxies Specifies traffic originating from commonly known open proxy
servers.
Reserved_IP_ Specifies traffic originating from reserved IP address ranges.
Ranges

Managing Remote Services 161
Table 10-5 Default Remote Service Groups (continued)
Spam Specifies traffic originating from addresses commonly known to
produce SPAM or unwanted email.
Spy_Adware Specifies traffic originating from addresses commonly known to
contain spyware or adware.
Superflows Specifies traffic originating from addresses commonly known to
produce superflows.
Warez Specifies traffic originating from addresses commonly known to
contain pirated software.
Adding a Remote To add a Remote Services Object:

Services Object
Step 3 Click the Remote Services icon.
Step 4 Click Add.
Table 10-6 Remote Services - Add New Object Parameters
Group From the list box, select a group for the object or click Add
Group to add a new group.
Name Type the name for the object.
Weight Type or select a weight for the object.
IP/CIDR(s) Type the IP address or CIDR range for the object. Click Add.
Description Type a description for the object.
Step 6 Click Save.

Step 8 Close the Remote Services window.
Editing a Remote To edit an existing Remote Services object:

Services Object

Step 3 Click the Remote Services icon.

The Remote Services window provides a list of groups in the Manage Group pane.
Table 10-7 Manage Group Parameters
Name Specifies the name assigned to the group.
Actions Click the Open icon to view properties.
Step 4 Click the group you want to display.

The Manage Group pane is refreshed, providing a list of the objects in group you
selected.
Table 10-8 Manage Group Parameters
Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object:
Actions Specifies the actions available for each object,
including:
• Edit - Click the Edit icon to edit the object
properties.
• Delete - Click the Delete icon to delete the object.
Step 5 Click the Edit icon.

Step 6 Edit values as necessary. See Table 10-6.
Step 7 Click Save.
Step 9 Close the Remote Services window.
Using Best Given the complexities and network resources required for QRadar Network
Practices Anomaly Detection in large structured networks, we recommend the following best
practices:
• Bundle objects and use the Network Activity and Log Activity tabs to analyze
your network data. Fewer objects create less input and output to your disk.
• Typically, no more than 200 objects per group (for standard system
requirements). More objects may impact your processing power when
investigating your traffic.

The Server Discovery function uses the Asset Profile database to discover
different server types based on port definitions, and then allows you to select
which servers to add to a server-type building block for rules.
This sections includes the following topics:

• Server Discovery Overview
• Discovering Servers
Server Discovery This feature makes the discovery and tuning process simpler and faster by
Overview providing a quick mechanism to insert servers into building blocks.
The Server Discovery function is based on server-type building blocks. Ports are
used to define the server type so that the server-type building block essentially
functions as a port-based filter when searching the Asset Profile database.
For more information on building blocks, see the IBM Security QRadar Network
Anomaly Detection User Guide.
Discovering To discover servers:

Servers
Step 1 Click the Assets tab.
Step 2 On the navigation menu, click Server Discovery.
Step 3 From the Server Type list box, select the server type you want to discover.
Step 4 Select the option to determine the servers you want to discover, including:
• All - Search all servers in your deployment with the currently selected Server
Type.
• Assigned - Search servers in your deployment that have been previously
assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been
previously assigned.
Step 5 From the Network list box, select the network you want to search.

Step 6 Click Discover Servers.

The discovered servers are displayed.
Step 7 In the Matching Servers table, select the check boxes of all servers you want to
assign to the server role.
NOTE
If you want to modify the search criteria, click either Edit Port or Edit Definition.
The Rules Wizard is displayed. For more information on the rules wizard, see the
IBM Security QRadar Network Anomaly Detection User Guide.
Step 8 Click Approve Selected Servers.


• Event Forwarding Overview
• Add Forwarding Destinations
• Configuring Bulk Event Forwarding
• Configuring Selective Event Forwarding
• Managing Forwarding Destinations
• Managing Routing Rules
Event Forwarding IBM Security QRadar Network Anomaly Detection allows you to forward raw log
Overview data received from log sources and QRadar Network Anomaly
Detection-normalized event data to one or more vendor systems, such as ticketing
or alerting systems. On the QRadar Network Anomaly Detection user interface,
these vendor systems are called forwarding destinations. QRadar Network
Anomaly Detection ensures that all forwarded data is unaltered.
To configure QRadar Network Anomaly Detection to forward events, you must first
configure one or more forwarding destinations. Then you can configure routing
rules, custom rules, or both to determine what log data you want to forward and
what routing options apply to the log data.
For example, you can configure all log data from a specific event collector to
forward to a specific vendor ticketing system. You can also choose from various
routing options such as removing the log data that matches a routing rule from
your QRadar Network Anomaly Detection system and bypassing correlation.
Correlation is the process of matching events to rules, which in turn can generate
offenses.

Add Forwarding Before you can configure bulk or select event forwarding, you must add forwarding
Destinations destinations on the Forwarding Destinations window.
To add a forwarding destination:

Step 3 Click the Forwarding Destinations icon.
Step 4 On the toolbar, click Add.
Table 12-1 Forwarding Destinations Parameters
Name Type a unique name for the forwarding destination.
Event Format From the list box, select an event format. Options
include:
• Raw event - Raw event data is event data in the
format that the log source sent. This is the default
option.
• Normalized event - Normalized data is raw event
data that QRadar Network Anomaly Detection has
parsed and prepared for the display as readable
information on the QRadar Network Anomaly
Detection user interface.
Note: Normalized event data cannot transmit using
the UDP protocol. If you select the Normalized
Event option, the UDP option in the Protocol list
box is disabled.
Destination Type the IP address or host name of the vendor
Address system you want to forward event data to.
Destination Port Type the port number of the port on the vendor
system you want to forward event data to. The
default port is 514.

Configuring Bulk Event Forwarding 167
Table 12-1 Forwarding Destinations Parameters (continued)
Protocol Using the list box, select the protocol you want to use
to forward event data. Choices include:
• TCP - Transmission Control Protocol.
To send normalized event data using the TCP
protocol, you must create an off-site source at the
destination address on port 32004. For more
information on creating off-site sources, see
Using the Deployment Editor.
• UDP - User Datagram Protocol
Normalized event data cannot transmit using the
UDP protocol. If you select the UDP option, the
Normalized Event option in the Event Format
list box is disabled.
The default protocol is TCP.
Prefix a syslog When QRadar Network Anomaly Detection forwards
header if it is syslog messages, the outbound message is verified
missing or invalid to ensure it has a proper syslog header.
Select this check box to prefix a syslog header if
a header is not detected on the original syslog
message.
The prefixed syslog header includes the QRadar

Network Anomaly Detection appliance host name in
the Hostname field of the syslog header.
If this check box is clear, the syslog message is sent
unmodified.
Step 6 Click Save.

The forwarding destination you added is now displayed on the Forwarding
Destinations window. The forwarding destination is enabled by default and is
available for you to include in routing rules and custom rules. For more information
on managing forwarding destinations, see Managing Forwarding Destinations.
Configuring Bulk After you have added one or more forwarding destinations, you can create
Event Forwarding filter-based routing rules to allow QRadar Network Anomaly Detection to forward
large quantities of event data.
To configure bulk event forwarding:

Step 3 Click the Routing Rules icon.
Step 4 On the toolbar, click Add.

Table 12-2 Event Routing Rules Parameters
Name Type a unique name for the routing rule.
Description Type a description for the routing rule.
Forwarding Event From the list box, select the event collector you want
Collector to forward events from.
Current Filters
Match All Select this check box to specify that you want this
Incoming Events rule to forward all incoming events. If you select this
option, the Add Filter functionality is no longer
displayed.
Add Filter Using the options in the Current Filters pane,
configure your filters:
1 From the first list box, select a property you want
to filter for. Options include all normalized and
custom event properties.
2 From the second list box, select an operator.
Choices include Equals and Equals any of.
3 In the text box, type the value you want to filter
for.
4 Click Add Filter.
5 Repeat for each filter you want to add.
Routing Options
Forward Select this check box to forward log data that
matches the current filters, and then select the check
box for each forwarding destination that forward log
data to.
If you select the Forward check box, you can also
select either the Drop or Bypass Correlation check
boxes, but not both of them.
If you want to edit, add, or delete a forwarding
destination, click the Manage Destinations link. For
more information, see Managing Forwarding
Destinations.
Drop Select this check box if you to remove the log data
that matches the current filters from the QRadar
Network Anomaly Detection database.
Note: If you select the Drop check box, the Bypass
Correlation check box is automatically cleared.

Configuring Selective Event Forwarding 169
Table 12-2 Event Routing Rules Parameters (continued)
Bypass Select this check box if you want the log data that
Correlation matches the current filters to bypass correlation.
When correlation is bypassed, the log data that
matches the current filter is stored in the QRadar
Network Anomaly Detection database, but it is not
tested in the CRE.
Note: If you select the Bypass Correlation check
box, the Drop check box is automatically
cleared.
Step 6 Click Save.

The routing rule is now displayed on the Event Routing Rules window. The routing
rule is enabled by default and automatically starts processing events for bulk
forwarding. For more information on managing routing rules, see Managing
Routing Rules.
Configuring Using the Custom Rule Wizard, you can configure rules to forward event data to
Selective Event one or more forwarding destinations as a rule response. The criteria for what data
Forwarding gets forwarded to a forwarding destination is based on the tests and building
blocks included in the rule. This method provides you a means to configure highly
selective event forwarding.
To configure selective event forwarding:

Step 1 Click the Offenses tab.
Step 2 On the navigation menu, select Rules.
Step 3 Edit or add a rule, ensuring that you select the Send to Forwarding Destinations
option on the Rule Response page in the Rule Wizard. For more information on
how to edit or add a rule, see the IBM Security QRadar Network Anomaly
Detection Users Guide.
When the rule is configured and enabled, all events matching the rule tests are
automatically forwarded to the specified forwarding destinations.
Managing This section includes the following topics:

Forwarding • Viewing Forwarding Destinations
Destinations
• Editing a Forwarding Destination
• Delete a Forwarding Destination

Viewing Forwarding The Forwarding Destinations window provides valuable information on your
Destinations forwarding destinations, including statistics for the data sent to each forwarding
destination.
To view your forwarding destinations:

The Forwarding Destinations window provides the following information:
Table 12-3 Forwarding Destination Window Parameters
Name Specifies the name of this forwarding destination.
Event Format Specifies whether raw event data or normalized
event data is sent to this forwarding destination.
Host / IP Address Specifies the IP address or host name of this
forwarding destination host.
Port Specifies the receiving port on this forwarding
destination host.
Protocol Specifies whether the protocol for this forwarding
event data is TCP or UDP.
Seen Specifies how many total number events were seen
for this forwarding destination.
Sent Specifies how many events have actually been sent
to this forwarding destination.
Dropped Specifies how many events have been dropped
before reaching this forwarding destination.
Enabled Specifies whether this forwarding destination is
enabled or disabled. For more information, see
Enabling and Disabling a Forwarding
Destination.
Creation Date Specifies the date that this forwarding destination
was created.
Modification Date Specifies the date that this forwarding destination
was last modified.
The Forwarding Destinations window toolbar provides the following functions:

Table 12-4 Forwarding Destinations Window Toolbar
Add Click Add to add a new forwarding destination. See Add
Forwarding Destinations.
Edit Click Edit to edit a selected forwarding destination. See
Editing a Forwarding Destination.

Managing Forwarding Destinations 171
Table 12-4 Forwarding Destinations Window Toolbar (continued)
Enable/Disable Click Enable/Disable to enable or disable a selected
forwarding destination. For more information, see Enabling
and Disabling a Forwarding Destination.
Delete Click Delete to delete a selected forwarding destination. See
Delete a Forwarding Destination.
Reset Counters Click Reset Counters to reset the Seen, Sent, and Dropped
parameters for all forwarding destinations back to zero (0).
See Resetting the Counters.
Enabling and When you create a forwarding destination, it is enabled by default. Using the
Disabling a Enable/Disable icon, you can toggle the forwarding destination on or off.
Forwarding
Destination To enable or disable a forwarding destination:
Step 4 Select the forwarding destination you want to enable or disable.
Step 5 On the toolbar, click Enable/Disable.
Depending on the current status of the forwarding destination, the result of clicking
Enable/Disable is as follows:
• If the Enabled status is False, the forwarding destination is now enabled.
• If the Enabled status is True, a confirmation message is provides a list of
associated rules. Click OK to confirm you want to disable the forwarding
destination.
Resetting the The Seen, Sent, and Dropped parameters provide counts that continue to
Counters accumulate until you reset the counters. You may want to reset the counters to
provide a more targeted view of how your forwarding destinations are performing.
To reset the counters:

Step 4 On the toolbar, click Reset Counters.
The Seen, Sent, and Dropped parameters display a value of zero (0), until the
counters start accumulating again.

Editing a Forwarding You can edit a forwarding destination to change the configured name, format, IP
Destination address, port, or protocol.
To edit a forwarding destination:

Step 4 Select the forwarding destination you want to edit.
Step 6 Update the parameters, as necessary. See Table 12-1.
Step 7 Click Save.
Delete a Forwarding You can delete a forwarding destination. If the forwarding destination is associated
Destination with any active rules, you must confirm that you want to delete the forwarding
destination.
To delete a forwarding destination:

Step 4 Select the forwarding destination you want to delete.
Step 6 Click OK.
Managing Routing This section includes the following topics:

Rules • Viewing Routing Rules
• Enabling or Disabling a Routing Rule
• Deleting a Routing Rule
Viewing Routing The Event Routing Rules window provides valuable information on your routing
Rules rules, such as the configured filters and actions that are performed when event
data matches each rule.
To view your routing rules:


Managing Routing Rules 173
The Event Routing Rules window provides the following information:

Table 12-5 Event Routing Rules Window Parameters
Name Specifies the name of this routing rule.
Event Collector Specifies the Event Collector you want this routing
rule process data from.
Filters Specifies the configured filters for this routing rule.
Routing Options Specifies the configured routing options for this
routing rule. Options include:
• Forward - Event data is forwarded to the
specified forwarding destination. Event data is
also stored in the QRadar Network Anomaly
Detection database and processed by the Custom
Rules Engine (CRE).
• Forward & Drop - Event data is forwarded to the
specified forwarding destination. Event data is not
stored in the QRadar Network Anomaly Detection
database, but it is processed by the CRE.
• Forward & Bypass - Event data is forwarded to
the specified forwarding destination. Event data is
also stored in the QRadar Network Anomaly
Detection database, but it is not processed by the
CRE.
• Drop - Event data is not stored in the QRadar
Network Anomaly Detection database. The event
data is not forwarded to a forwarding destination,
but it is processed by the CRE.
• Bypass - Event data is not processed by the
CRE, but it is stored in the QRadar Network
Anomaly Detection database. The event data is
not forwarded to a forwarding destination.
Enabled Specifies whether this routing rule is enabled or
disabled.
Creation Date Specifies the date that this routing rule was created.
Modification Date Specifies the date that this routing rule was modified.
The Event Routing Rules window toolbar provides the following functions:
Table 12-6 Event Routing Rules Window Toolbar
Add Click Add to add a new routing rule. See Configuring Bulk
Event Forwarding.
Edit Click Edit to edit a selected routing rule. See Editing a
Routing Rule.
Enable/Disable Click Enable/Disable to enable or disable a selected routing
rule. See Enabling or Disabling a Routing Rule.

Table 12-6 Event Routing Rules Window Toolbar (continued)
Delete Click Delete to delete a selected routing rule. For more
information, see Deleting a Routing Rule.
Editing a Routing You can edit a routing rule to change the configured name, Event Collector, filters,
Rule or routing options.
To edit a routing rule:

Step 4 Select the routing rule you want to edit.
Step 6 Update the parameters, as necessary. See Table 12-5.
Step 7 Click Save.
Enabling or Disabling When you first create a routing rule, it is enabled by default. Using the
a Routing Rule Enable/Disable icon, you can toggle the routing rule on or off. To enable or disable
a routing rule:
Step 4 Select the routing rule you want to enable or disable.
Step 5 On the toolbar, click Enable/Disable.
Depending on the current status of the routing rule, the result of clicking
Enable/Disable is as follows:
• If the Enabled status is True, the routing rule is disabled.
• If the Enabled status is False and the routing rule is configured to drop events,
a confirmation message is displayed. Click OK.
Deleting a Routing You can delete a routing rule. You are required to confirm that you want to delete
Rule the routing rule.
To delete a routing rule:
Step 4 Select the routing rule you want to delete.

Managing Routing Rules 175

Step 6 Click OK.


A ENTERPRISE TEMPLATE
The Enterprise template includes settings with emphasis on internal network

activities.

• Default Rules
• Default Building Blocks
Default Rules Default rules for the Enterprise template include:

Table A-1 Default Rules
Rule
Rule Group Type Enabled Description
Anomaly: Devices with Anomaly Event False Monitors devices for high event rates. Typically,
High Event Rates the default threshold is low for most networks and
we recommend that you adjust this value before
enabling this rule. To configure which devices will
be monitored, edit the BB:DeviceDefinition:
Devices to Monitor for High Event Rates BB.
Anomaly: DMZ Jumping Anomaly Common False Reports when connections are bridged across
your Demilitarized Zone (DMZ).
Anomaly: DMZ Reverse Anomaly Common False Reports when connections are bridged across
Tunnel your DMZ through a reverse tunnel.
Anomaly: Long Duration Anomaly Flow True Reports a flow communicating to or from the
Flow Involving a Internet with a sustained duration of more than 48
Remote Host hours.
Anomaly: Long Duration Anomaly Flow False Reports a flow communicating using ICMP with a
ICMP Flows sustained duration of more than 60 minutes.
Anomaly: Outbound Anomaly Event False Reports successful logins or access from an IP
Connection to a Foreign address known to be in a country that does not
Country have remote access right. Before you enable this
rule, we recommend that you configure the
BB:CategoryDefinition: Countries with no Remote
Access BB.

176
Table A-1 Default Rules (continued)
Rule
Anomaly: Potential Anomaly Event False Reports an event that has a source or destination
Honeypot Access IP address defined as a honeypot or tarpit
address. Before enabling this rule, you must
configure the BB:HostDefinition: Honeypot like
addresses BB.
Anomaly: Remote Anomaly Event False Reports successful logins or access from an IP
Access from Foreign address known to be in a country that does not
Country have remote access right. Before you enable this
rule, we recommend that you configure the
Access BB.
Anomaly: Remote Anomaly Flow False Reports a flow communicating from an IP address
Inbound Communication known to be in a country that does not have
from a Foreign Country remote access right. Before you enable this rule,
we recommend that you configure the
Access BB.
Anomaly: Single IP with Anomaly Event False Reports when the MAC address of a single IP
Multiple MAC address changes multiple times over a period of
Addresses time.
Botnet: Local Host on Botnet Common True Reports when a source IP address is a member
Botnet CandC List of a known Botnet CandC host.
(SRC)
Botnet: Local host on Botnet Common True Reports when a local destination IP address is a
Botnet CandC List member of a known Botnet CandC host.
(DST)
Botnet: Potential Botnet Botnet Common False Reports a host connecting or attempting to
Connection (DNS) connect to a DNS server on the Internet. This
may indicate a host connecting to a Botnet.
Botnet: Potential Botnet Botnet Event True Enable this rule if you want all events categorized
Events Become as exploits to create an offense.
Offenses
Botnet: Potential Botnet Common True Reports when a potential connection to a know
connection to known BotNet CandC host is detected. To reduce false
Botnet CandC positive offenses, connections on ports 25 and 53
are removed from the rule.
Botnet: Successful Botnet Common True Reports when a successful inbound connection
Inbound Connection from a BotNet CandC host in detected.
from a Known Botnet
CandC
Policy: Remote: IRC Botnet, Policy Common True Reports a local host issuing an excessive number
Connections of IRC connections to the Internet.
DDoS: DDoS Attack D\DoS Event True Reports network Distributed Denial of Service
Detected (DDoS) attacks on a system.

Default Rules 177
Rule
DDoS: DDoS Events D\DoS Event True Reports when offenses are created for
with High Magnitude DoS-based events with high magnitude.
Become Offenses
DDoS: Potential DDoS D\DoS Flow False Reports when more than 500 hosts send packets
Against Single Host to a single destination using ICMP in one minute
(ICMP) and there is no response.
DDoS: Potential DDoS D\DoS Flow False Reports when more than 500 hosts send packets
Against Single Host to a single destination using IPSec or an
(Other) uncommon protocol in one minute and there is no
response.
DDoS: Potential DDoS D\DoS Flow True Reports when more than 500 hosts send packets
Against Single Host to a single destination using TCP in one minute
(TCP) and there is no response.
DDoS: Potential DDoS D\DoS Flow False Detects when more than 500 hosts send packets
Against Single Host to a single destination using UPD in one minute
(UDP) and there is no response.
DoS: DoS Events from D/DoS Event False Reports when DoS attack events are identified on
Darknet Darknet network ranges.
DoS: DoS Events with D\DoS Event True Rule forces the creation of an offense for DoS
High Magnitude based events with a high magnitude.
Become Offenses
DoS: Local Flood D\DoS Flow False Reports when a single local host sends more than
(ICMP) three flows containing 60,000 packets to an
Internet destination using ICMP in 5 minutes.
DoS: Local Flood D\DoS Flow False Reports when a single local host sends more than
(Other) three flows containing 60,000 packets to an
Internet destination using IPSec or an uncommon
protocol in 5 minutes.
DoS: Local Flood (TCP) D\DoS Flow True Reports when a single local host sends more than
60,000 packets at a packet rate of 1,000 packets
per second to an Internet destination using TCP.
DoS: Local Flood (UDP) D\DoS Flow False Reports when a single local host sends more than
three flows containing 60,000 packets to an
Internet destination using UDP in 5 minutes.
DoS: Network DoS D\DoS Event True Reports network Denial of Service (DoS) attacks
Attack Detected on a system.
DoS: Remote Flood D\DoS Flow False Reports when a single host on the Internet
(ICMP) containing than 60,000 packets to an Internet
destination using ICMP in 5 minutes.
DoS: Remote Flood D\DoS Flow False Reports when a single host on the Internet sends
(Other) more than three flows containing 60,000 packets
to an Internet destination using IPSec or an
uncommon protocol in 5 minutes.

178
Rule
(TCP) more than three flows containing than 60,000
packets to an Internet destination using TCP in 5
minutes.
(UDP) more than three flows containing 60,000 packets
to an Internet destination using UDP in 5 minutes.
DoS: Service DoS D\DoS Event True Reports a DoS attack against a local destination
Attack Detected IP address that is known to exist and the target
port is open.
Exploit:All Exploits Exploit Event False Reports all exploit events. By default, this rule is
Become Offenses disabled. Enable this rule if you want all events
categorized as exploits to create an offense.
Exploit: Attack followed Exploit Event False Reports when exploit events are followed by
by Attack Response typical responses, which may indicate a
successful exploit.
Exploit: Destination Exploit Event True Reports an exploit against a vulnerable local
Vulnerable to Detected destination IP address, where the destination IP
Exploit address is known to exist, and the host is
vulnerable to the exploit.
Exploit: Destination Exploit Event True Reports an exploit against a vulnerable local
Vulnerable to Detected destination IP address, where the destination IP
Exploit on a Different address is known to exist, and the host is
Port vulnerable to the exploit on a different port.
Exploit: Destination Exploit Event False Reports an exploit against a vulnerable local
Vulnerable to Different destination IP address, where the target is known
Exploit than Attempted to exist, and the host is vulnerable to some exploit
on Targeted Port but not the one being attempted.
Exploit: Exploit/Malware Exploit Event True Reports a source IP address generating multiple
Events Across Multiple (at least five) exploits or malicious software
Destinations (malware) events in the last 5 minutes. These
events are not targeting hosts that are vulnerable
and may indicate false positives generating from
a device.
Exploit: Exploits Events Exploit Event True Rule generates offenses for exploit-based events
with High Magnitude with a high magnitude.
Become Offenses
Exploit: Multiple Exploit Exploit Event True Reports a destination IP address being exploited
Types Against Single using multiple types of exploit types from one or
Destination more source IP address.
Exploit: Multiple Vector Exploit Event False Reports when a source IP address attempts
Attack Source multiple attack vectors. This may indicate a
source IP address specifically targeting an asset.

Default Rules 179
Rule
Exploit: Potential VoIP Exploit Event False Reports when at least three failed login attempts
Toll Fraud within 30 seconds followed by sessions being
opened are detected on your VoIP hardware. This
action can indicate that illegal users are executing
VoIP sessions on your network.
Exploit: Recon followed Exploit Event True Reports reconnaissance events followed by an
by Exploit exploit from the same source IP address to the
same destination port within 1 hour.
Exploit: Source Exploit Event False Reports an exploit from a local host where the
Vulnerable to any source IP address has at least one vulnerability to
Exploit any exploit. It is possible the source IP address
was a destination IP address in an earlier offense.
Exploit: Source Exploit Event False Reports an attack from a local host where the
Vulnerable to this source IP address has at least one vulnerability to
Exploit the exploit being used. It is possible the source IP
address was a destination IP address in an earlier
offense.
FalsePositive: False False Positive Event True Reports events that include false positive rules
Positive Rules and and BBs, such as, BB:FalsePositive: Windows
Building Blocks Server False Positive Events. Events that match
the rule are stored and dropped from the event
pipeline. If you add any new BBs or rules to
remove events from becoming offenses, you
must add these new rules or BBs to this rule.
Magnitude Adjustment: Magnitude Common True Adjusts the relevance of flows and events when
Context is Local to Local Adjustment there is local to local communication
Context is Local to Adjustment there is local to remote communication.
Remote
Context is Remote to Adjustment there is remote to local communication.
Local
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of flows and
Destination Asset Exists Adjustment events where the destination is a local asset.
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of events
Destination Asset Port is Adjustment and flows when the destination port is known to
Open be active.
Magnitude Adjustment: Magnitude Common True Adjusts the relevance of events and flows if the
Destination Network Adjustment destination network weight is high.
Weight is High
Destination Network Adjustment destination network weight is low.
Weight is Low

180
Rule
Destination Network Adjustment destination network weight is medium.
Weight is Medium
Magnitude Adjustment: Magnitude Common True Adjusts the severity of events and flows when the
Source Address is a Adjustment source IP is a known bogon address. Traffic from
Bogon IP known bogon addresses may indicate the
possibility of the source IP address being
spoofed.
Magnitude Adjustment: Magnitude Common True Adjusts the severity of events and flows when the
Source Address is a Adjustment source IP is a known questionable host.
Known Questionable IP
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of flows and
Source Asset Exists Adjustment events where the source is a local asset.
Source Network Weight Adjustment source network weight is high.
is High
Source Network Weight Adjustment source network weight is low.
is Low
Source Network Weight Adjustment source network weight is medium.
is Medium
Malware: Malware Flow False Reports communication with a website that has
Communication with a been involved in previous SQL injection.
site that has been
involved in previous
SQL injection
Malware: Malware Flow True Reports communication with a website that is
Communication with a listed on a known blacklist or uses fast flux.
site that is listed on a
known blacklist or uses
fast flux
Malware: Malware Flow False Reports communication with a website known to
Communication with a aid in distribution of malware.
Web site known to aid in
distribution of malware
Communication with a be a phishing or fraud site.
Web site known to be a Note: Phishing is the process of attempting to
phishing or fraud side
acquire information such as user names,
passwords and credit card details by
pretending to be a trustworthy entity.

Default Rules 181
Rule
Malware: Malware Flow True Reports communication with a website known to
Communication with a be associated with the Russian business network.
Web site known to be
associated with the
Russian business
network
Communication with a be delivering code which may be a trojan.
delivering code which
may be a trojan
Communication with a be involved in botnet activity.
involved in botnet
activity
Malware: Local Host Malware Event False Reports malware being sent from local hosts.
Sending Malware
Malware: Remote: Malware Flow True Reports when a host is attempting to connect to a
Client Based DNS DNS server that is not defined as a local network.
Activity to the Internet
Policy: Connection to a Policy Common True Reports events or flows associated with inbound
remote proxy or remote proxy and anonymization services.
anonymization service
(inbound)
Policy: Connection to a Policy Common True Reports events or flows associated with outbound
remote proxy or remote proxy and anonymization services.
anonymization service
(outbound)
Policy: Connection to Policy Common False Reports events or flows connecting to the Internet
Internet on on unauthorized ports.
Unauthorized Port
Policy: Create Offenses Policy Flow False Reports flows associated with chat traffic.
for All Chat Traffic
based on Flows
Policy: Create Offenses Policy Event False Reports Instant Messenger traffic or any event
for All Instant categorized as Instant Messenger traffic where
Messenger Traffic the source is local and the destination IP address
is remote.
Policy: Create Offenses Policy Event False Reports Peer-to-Peer (P2P) traffic or any event
for All P2P Usage categorized as P2P.
Policy: Create Offenses Policy Event False Reports policy events. By default, this rule is
for All Policy Events disabled. Enable this rule if you want all events
categorized as policy to create an offense.

182
Rule
Policy: Create Offenses Policy Event False Reports any traffic that contains illicit materials or
for All Porn Usage any event categorized as porn. By default, this
rule is disabled. Enable this rule if you want all
events categorized as porn to create an offense.
Policy: Host has SANS Policy Event False Reports when an event is detected on an asset
Top 20 Vulnerability that is vulnerable to a vulnerability identified in the
SANS Top 20 Vulnerabilities.
(http://www.sans.org/top20/)
Policy: Large Outbound Policy Flow True Reports a single host sending more data out of
Transfer High Rate of the network than received. This rule detects over
Transfer 2 MB of data transferred over 12 minutes.
Policy: Large Outbound Policy Flow True Reports a single host sending more data out of
Transfer Slow Rate of the network than received. This rule detects over
Transfer 2 MB of data transferred over 2 hour. This is fairly
slow and can indicate stealthy data leakage.
Policy: Local: Clear Text Policy Flow False Reports flows to or from the Internet where the
Application Usage application type uses clear text passwords. This
may include applications such as Telnet or FTP.
Policy: Local: Hidden Policy Flow True Reports a FTP server on a non-standard port.
FTP Server The default port for FTP is TCP port 21. Detecting
FTP on other ports may indicate an exploited
host, where this server provides backdoor access
to the host.
Policy: Local: SSH or Policy Flow True Reports a SSH or Telnet server on a
Telnet Detected on non-standard port. The default port for SSH and
Non-Standard Port Telnet servers is TCP ports 22 and 23. Detecting
SSH or Telnet operating on other ports may
indicate an exploited host, where these servers
provide backdoor access to the host.
Policy: New DHCP Policy Flow False Reports when a DHCP server is discovered on
Server Discovered the network.
Policy: New Host Policy Event False Reports when a new host has been discovered
Discovered on the network.
Policy: New Host Policy Event False Reports when a new host has been discovered in
Discovered in DMZ the DMZ.
Policy: New Service Policy Event False Reports when a new service is discovered on an
Discovered existing host.
Policy: New Service Policy Event False Reports when a new service has been discovered
Discovered in DMZ on an existing host in the DMZ.
Policy: Possible Local Policy Common True Reports a local host running a service on a typical
IRC Server IRC port or a flow that was detected as IRC. This
is not typical for enterprises and should be
investigated.

Default Rules 183
Rule
Policy: Remote: Clear Policy Flow True Reports flows to or from the Internet where the
Text Application Usage application type uses clear text passwords. This
based on Flows may include applications such as Telnet or FTP.
Policy: Remote: Hidden Policy Flow True Reports an FTP server on a non-standard port.
FTP Server The default port for FTP is TCP port 21. Detecting
FTP on other ports may indicate an exploited
host, where this server to provide backdoor
access to the host.
Policy: Remote: IM/Chat Policy Flow True Reports an excessive amount of IM and Chat
traffic from a single source.
Policy: Remote: IRC Policy Common False Reports a local host issuing an excessive number
Connections of IRC connections to the Internet.
Policy: Remote: Local Policy Flow True Reports local hosts operating as a P2P client.
P2P Client Connected This indicates a violation of local network policy
to more than 100 and may indicate illegal activities, such as
Servers copyright infringement.
Policy: Remote: Local Policy Flow False Reports local hosts operating as a P2P client.
P2P Client Detected This indicates a violation of local network policy
and may indicate illegal activities, such as
copyright infringement.
Policy: Remote: Local Policy Flow True Reports local hosts operating as a P2P server.
P2P Server connected This indicates a violation of local network policy
to more than 100 Clients and may indicate illegal activities, such as
Policy: Remote: Local Policy Flow False Reports local hosts operating as a P2P server.
P2P Server Detected This indicates a violation of local network policy
and may indicate illegal activities, such as
Policy: Remote: Long Policy Flow True Reports a flow communicating to the Internet with
Duration Flow Detected a sustained duration of more than 48 hours. This
is not typical behavior for most applications.
Investigate the host for potential malware
infections.
Policy: Remote: Policy Flow True Reports potential tunneling that can be used to
Potential Tunneling bypass policy or security controls.
Policy: Remote: Remote Policy Flow True Reports the Microsoft Remote Desktop Protocol
Desktop Access from from the Internet communicating to a local host.
the Internet Most companies consider this a violation of
corporate policy. If this is normal activity on your
network, you should disable this rule.
Policy: Remote: SMTP Policy Flow True Reports a local host sending a large number of
Mail Sender SMTP flows from the same source to the Internet
in one interval. This may indicate a mass mailing,
worm, or spam relay is present.

184
Rule
Policy: Remote: SSH or Policy Flow True Reports a SSH or Telnet server on a
Telnet Detected on non-standard port. The default port for SSH and
Non-Standard Port Telnet servers is TCP port 22 and 23. Detecting
SSH or Telnet operating on other ports may
indicate an exploited host, where these servers
provide backdoor access to the host.
Policy: Remote: Usenet Policy Flow True Reports flows to or from a Usenet server. It is
Usage uncommon for legitimate business
communications to use Usenet or NNTP services.
The hosts involved may be violating corporate
policy.
Policy: Remote: VNC Policy Flow True Reports when VNC (a remote desktop access
Access from the Internet application) is communicating from the Internet to
to a Local Host a local host. Many companies consider this a
policy issue that should be addressed. If this is
normal activity on your network, disable this rule.
Policy: Upload to Local Policy Event False Reports potential file uploads to a local web
WebServer server. To edit the details of this rule, edit the
BB:CategoryDefinition: Upload to Local
WebServer BB.
Recon: Aggressive Recon Common True Reports an aggressive scan from a local source
Local L2L Scanner IP address, scanning other local IP addresses.
Detected More than 400 destination IP addresses received
reconnaissance or suspicious events in less than
2 minutes. This may indicate a manually driven
scan, an exploited host searching for other
destination IP addresses, or a worm is present on
the system.
Recon: Aggressive Recon Common True Reports an aggressive scan from a local source
Local L2R Scanner IP address, scanning remote IP addresses. More
Detected than 400 destination IP addresses received
reconnaissance or suspicious events in less than
2 minutes. This may indicate a manually driven
scan, an exploited host searching for other
destination IP addresses, or a worm is present on
the system.
Recon: Aggressive Recon Common True Reports an aggressive scan from a remote
Remote Scanner source IP address, scanning other local or remote
Detected IP addresses. More than 50 destination IP
addresses received reconnaissance or
suspicious events in less than 3 minutes. This
may indicate a manually driven scan, an exploited
host searching for other destination IP addresses,
or a worm on a system.
Recon: Host Port Scan Recon Common True Reports when more than 400 ports are scanned
Detected by Remote from a single source IP address in under 2
Host minutes.

Default Rules 185
Rule
Recon: Increase Recon Event True If a high rate flow-based scanning attack is
Magnitude of High Rate detected, this rule increases the magnitude of the
Scans current event.
Recon: Increase Recon Event True If a medium rate flow-based scanning attack is
Magnitude of Medium detected, this rule increases the magnitude of the
Rate Scans current event.
Recon: Local L2L LDAP Recon Common True Reports a source local IP address attempting
Server Scanner reconnaissance or suspicious connections on
common local LDAP ports to more than 60 hosts
in 10 minutes.
Recon: Local L2R LDAP Recon Common True Reports a source local IP address attempting
common remote LDAP ports to more than 60
hosts in 10 minutes.
Recon: Local L2L Recon Common True Reports a scan from a local host against other
Database Scanner local destination IP addresses. At least 30 host
were scanned in 10 minutes.
Recon: Local L2R Recon Common True Reports a scan from a local host against remote
Database Scanner destination IP addresses. At least 30 host were
scanned in 10 minutes.
Recon: Local L2L DHCP Recon Common True Reports a source IP address attempting
Scanner reconnaissance or suspicious connections on
common local DHCP ports to more than 60 hosts
in 10 minutes.
Recon: Local L2R Recon Common True Reports a source IP address attempting
DHCP Scanner reconnaissance or suspicious connections on
common remote DHCP ports to more than 60
Recon: Local L2L DNS Recon Common True Reports a source IP address attempting
common local DNS ports to more than 60 hosts in
10 minutes.
Recon: Local L2R DNS Recon Common True Reports a source IP address attempting
common remote DNS ports to more than 60 hosts
in 10 minutes.
Recon: Local L2L FTP Recon Common True Reports a local source IP address attempting
common local FTP ports to more than 30 hosts in
10 minutes.
Recon: Local L2R FTP Recon Common True Reports a local source IP address attempting
common remote FTP ports to more than 30 hosts
in 10 minutes.

186
Rule
Recon: Local L2L Game Recon Common True Reports a local source IP address attempting
common local game server ports to more than 60
Recon: Local L2R Recon Common True Reports a local source IP address attempting
Game Server Scanner reconnaissance or suspicious connections on
common remote game server ports to more than
60 hosts in 10 minutes.
Recon: Local L2L ICMP Recon Common True Reports a local source IP address attempting
common local ICMP ports to more than 60 hosts
in 10 minutes.
Recon: Local L2R ICMP Recon Common True Reports a local source IP address attempting
common remote ICMP ports to more than 60
Recon: Local L2L IM Recon Common True Reports a local source IP address attempting
common local IM server ports to more than 60
Recon: Local L2R IM Recon Common True Reports a local source IP address attempting
common remote IM server ports to more than 60
Recon: Local L2L IRC Recon Common True Reports a local source IP address attempting
common local IRC server ports to more than 10
Recon: Local L2R IRC Recon Common True Reports a local source IP address attempting
common remote IRC server ports to more than 10
Recon: Local L2L Mail Recon Common True Reports a local source IP address attempting
common local mail server ports to more than 60
Recon: Local L2R Mail Recon Common True Reports a local source IP address attempting
common remote mail server ports to more than
Recon: Local L2L P2P Recon Common True Reports a local source IP address attempting
common local P2P server ports to more than 60

Default Rules 187
Rule
Recon: Local L2R P2P Recon Common True Reports a local source IP address attempting
common remote P2P server ports to more than
Recon: Local L2L Proxy Recon Common True Reports a local source IP address attempting
common local proxy server ports to more than 60
Recon: Local L2R Proxy Recon Common True Reports a local source IP address attempting
common remote proxy server ports to more than
Recon: Local L2L RPC Recon Common True Reports a local source IP address attempting
common local RPC server ports to more than 60
Recon: Local L2R RPC Recon Common True Reports a local source IP address attempting
common remote RPC server ports to more than
Recon: Local L2L Recon Common True Reports a scan from a local host against other
Scanner Detected local destination IP addresses. At least 60 hosts
were scanned within 20 minutes. This activity was
using a protocol other than TCP, UDP, or ICMP.
Recon: Local L2R Recon Common True Reports a scan from a local host against remote
Scanner Detected destination IP addresses. At least 60 hosts were
scanned within 20 minutes. This activity was
using a protocol other than TCP, UDP, or ICMP.
Recon: Local L2L Recon Common True Reports a local source IP address attempting
SNMP Scanner reconnaissance or suspicious connections on
common local SNMP ports to more than 60 hosts
in 10 minutes.
Recon: Local L2R Recon Common True Reports a local source IP address attempting
SNMP Scanner reconnaissance or suspicious connections on
common remote SNMP ports to more than 60
Recon: Local L2L SSH Recon Common True Reports a source IP address attempting
common local SSH ports to more than 30 hosts in
10 minutes.
Recon: Local L2R SSH Recon Common True Reports a source IP address attempting
common remote SSH ports to more than 30 hosts
in 10 minutes.

188
Rule
Recon: Local L2L Recon Common False Reports when various suspicious or
Suspicious Probe reconnaissance events have been detected from
Events Detected the same local source IP address to more than
five local destination IP address in 4 minutes.
This can indicate various forms of host probing,
such as Nmap reconnaissance, which attempts to
identify the services and operation systems of the
host.
Recon: Local L2R Recon Common False Reports when various suspicious or
Suspicious Probe reconnaissance events have been detected from
Events Detected the same remote source IP address to more than
five local destination IP address in 4 minutes.
This can indicate various forms of host probing,
such as Nmap reconnaissance, which attempts to
identify the services and operation systems of the
host.
Recon: Local L2L TCP Recon Common True Reports a local source IP address attempting
common local TCP ports to more than 60 hosts in
10 minutes.
Recon: Local L2R TCP Recon Common True Reports a local source IP address attempting
common remote TCP ports to more than 60 hosts
in 10 minutes.
Recon: Local L2L UDP Recon Common True Reports a local source IP address attempting
common local UDP ports to more than 60 hosts in
10 minutes.
Recon: Local L2R UDP Recon Common True Reports a local source IP address attempting
common Remote UDP ports to more than 60
Recon: Local L2L Web Recon Common True Reports a local source IP address attempting
common local web server ports to more than 60
Recon: Local L2R Web Recon Common True Reports a local source IP address attempting
common remote web server ports to more than
Recon: Potential Local Recon Common True Reports on potential local port scans.
Port Scan Detected
Recon: Recon Followed Recon Common False Reports when a host that has been performing
by Accept reconnaissance also has a firewall accept
following the reconnaissance activity.

Default Rules 189
Rule
Recon: Remote Recon Common True Reports a scan from a remote host against other
Database Scanner local or remote destination IP addresses. At least
30 hosts were scanned in 10 minutes.
Recon: Remote DHCP Recon Common True Reports a remote host attempting
common DHCP ports to more than 30 hosts in 10
minutes.
Recon: Remote DNS Recon Common True Reports a source IP address attempting
common DNS ports to more than 60 hosts in 10
minutes.
Recon: Remote FTP Recon Common True Reports a remote host attempting
common FTP ports to more than 30 hosts in 10
minutes.
Recon: Remote Game Recon Common True Reports a remote host attempting
common game server ports to more than 30 hosts
in 10 minutes.
Recon: Remote ICMP Recon Common True Reports a remote host attempting
common ICMP ports to more than 60 hosts in 10
minutes.
Recon: Remote IM Recon Common True Reports a remote host attempting
common IM server ports to more than 60 hosts in
10 minutes.
Recon: Remote IRC Recon Common True Reports a remote host attempting
common IRC server ports to more than 10 hosts
in 10 minutes.
Recon: Remote LDAP Recon Common True Reports a scan from a remote host against other
Server Scanner local or remote destination IP addresses. At least
30 hosts were scanned in 10 minutes.
Recon: Remote Mail Recon Common True Reports a remote host attempting
common mail server ports to more than 30 hosts
in 10 minutes.
Recon: Remote Proxy Recon Common True Reports a remote host attempting
common proxy server ports to more than 30 hosts
in 10 minutes.
Recon: Remote RPC Recon Common True Reports a remote host attempting
common RPC server ports to more than 30 hosts
in 10 minutes.

190
Rule
Recon: Remote Recon Common True Reports a scan from a remote host against other
Scanner Detected hosts or remote destination IP addresses. At least
60 hosts were scanned within 20 minutes. This
activity was using a protocol other than TCP,
UDP, or ICMP.
Recon: Remote SNMP Recon Common True Reports a remote host scans at least 30 local or
Scanner remote hosts in 10 minutes.
Recon: Remote SSH Recon Common True Reports a remote host attempting
common SSH ports to more than 30 hosts in 10
minutes.
Recon: Remote Recon Common False Reports various suspicious or reconnaissance
Suspicious Probe events from the same remote source IP address
Events Detected to more then five destination IP addresses in 4
minutes. This may indicate various forms of host
probing, such as Nmap reconnaissance that
attempts to identify the services and operating
system of the destination IP addresses.
Recon: Remote TCP Recon Common False Reports a remote host attempting
common TCP ports to more than 60 hosts in 10
minutes.
Recon: Remote UDP Recon Common True Reports a remote host attempting
common UDP ports to more than 60 hosts in 10
minutes.
Recon: Remote Web Recon Common True Reports a remote host attempting
common local web server ports to more than 60
Recon: Remote Recon Common True Reports a remote host attempting
Windows Server reconnaissance or suspicious connections on
Scanner common Windows server ports to more than 60
Recon: Single Merged Recon Common True Reports merged reconnaissance events
Recon Events Local generated by local scanners. This rule causes all
Scanner these events to create an offense. All devices of
this type and their event categories should be
added to the BB:ReconDetected: Devices which
Merge Recon into Single Events BB.
Recon: Single Merged Recon Common True Reports merged reconnaissance events
Recon Events Remote generated by remote scanners. This rule causes
Scanner all these events to create an offense. All devices
of this type and their event categories should be
added to the BB:ReconDetected: Devices which
Merge Recon into Single Events BB.

Default Rules 191
Rule
Default-Response- Response Offense False Reports any offense matching the severity,
Email: Offense Email credibility, and relevance minimums to email. You
Sender must configure the email address. You can limit
the number of emails sent by tuning the severity,
credibility, and relevance limits. This rule only
sends one email every hour, per offense.
Default-Response- Response Offense False Reports any offense matching the severity,
Syslog: Offense credibility, or relevance minimum to syslog.
SYSLOG Sender
SuspiciousActivity: Suspicious Common False Rule identifies events that have common internal
Common Non-Local to only ports, communicating outside of the local
Remote Ports network.
SuspiciousActivity: Suspicious Common False Reports events associated with known hostile
Communication with networks.
Known Hostile Networks
SuspiciousActivity: Suspicious Common False Reports events associated with networks
Communication with identified as websites that may involve data loss.
Known Online Services
SuspiciousActivity: Suspicious Common False Reports events associated with networks you
Communication with want to monitor.
Known Watched
Networks
System: 100% Accurate System Event True Creates an offense when an event matches a
Events 100% accurate signature for successful
compromises.
System: Device System Event False Reports when a log source has not sent an event
Stopped Sending to the system in over 1 hour. Edit this rule to add
Events devices you want to monitor.
System: Device System Event True Reports when a firewall, IPS, VPN or switch log
Stopped Sending source has not sent an event in over 30 minutes
Events (Firewall, IPS,
VPN or Switch)
System: Flow Source System Flow True Reports when a flow interface stops generating
Stopped Sending Flows flows for over 30 minutes.
System: Host Based System Event False Reports when QRadar Network Anomaly
Failures Detection detects events that indicate failures
within services or hardware.
System: Load Building System Event True Loads the BBs required to assist with reporting.
Blocks This rule has no actions or responses.
System: Multiple System Event False Reports when a source IP address has 10 system
System Errors errors within 3 minutes.
System: Service System Event False Reports when a services has been stopped on a
Stopped and not system and not restarted.
Restarted

192
Rule
WormDetection: Local Worms Event True Reports a local host sending more than 20 SMTP
Mass Mailing Host flows in 1 minute. This may indicate a host being
Detected used as a spam relay or infected with a form of
mass mailing worm.
WormDetection: Worms Event True Reports a local host generating reconnaissance
Possible Local Worm or suspicious events across a large number of
Detected hosts (greater than 300) in 20 minutes. This may
indicate the presence of a worm on the network or
a wide spread scan.
WormDetection: Worms Event True Reports when a host is connecting to many hosts
Successful Connections on the Internet on ports commonly known for
to the Internet on worm propagation.
Common Worm Ports
WormDetection: Worm Worms Event True Reports exploits or worm activity on a system for
Detected (Events) local-to-local or local-to-remote traffic.
Default Building Default building blocks for the Enterprise template include:
Blocks
Table A-2 Default Building Blocks
Block Associated Building

Building Block Group Type Description Blocks, if applicable
BB:CategoryDefinition: Category Event Edit this BB to include all
Access Denied Definition event categories that
indicate access denied.
BB:CategoryDefinition: Category Flow Edit this BB to include all
Any Flow Definition flow types.
BB: CategoryDefinition: Category Event Edit the BB to include all
Service Started Definition event categories that
indicate a service has
started.
BB: CategoryDefinition: Category Event Edit the BB to include all
Service Stopped Definition event categories that
indicate a service has
stopped.
BB:CategoryDefinition: Category Event Edit this BB to define all
Session Closed Definition session closed events.
BB:CategoryDefinition: Category Event Edit this BB to define all
Session Opened Definition session opened events.
BB: CategoryDefinition: Category Event Edit this BB to include user
Superuser Accounts Definition names associated with
superuser accounts, such as
admin, superuser, and root.

Default Building Blocks 193
Table A-2 Default Building Blocks (continued)

BB: CategoryDefinition: Category Event Edit this BB is include event
System or Device Definition categories associated with
Configuration Change system or device
configuration changes.
BB: CategoryDefinition: Category Flow Edit this BB to include all BB: CategoryDefinition:
Unidirectional Flow Definition unidirectional flows. Unidirectional Flow DST
BB: CategoryDefinition:
Unidirectional Flow SRC
BB: CategoryDefinition: Category Flow Edit this BB to define
Unidirectional Flow DST Definition unidirectional flow from the
source IP address to the
destination IP address.
BB: CategoryDefinition: Category Flow Edit this BB to define
Unidirectional Flow SRC Definition unidirectional flow from the
destination IP address to the
source IP address.
BB:CategoryDefinition: Category Event Edit this BB to define all virus
Virus Detected Definition detection events.
VPN Access Accepted Definition events that indicates
permitted access.
VPN Access Denied Definition events that are considered
Denied Access events.
Windows SOX Definition event categories that
Compliance Events indicate SOX compliance
events.
BB:CategoryDefinition: Category Event Edit this BB to define worm
Worm Events Definition events. This BB only applies
to events not detected by a
custom rule.
BB:BehaviorDefinition: Category Event Edit this BB to include event
Compromise Activities Definitions categories that are
considered part of events
detected during a typical
compromise.
BB:BehaviorDefinition: Category Event Edit this BB to include event
Post Compromise Definitions categories that are
Activities considered part of events
detected after a typical
compromise.

194

BB: CategoryDefinition: Category Event Edit this BB to include event
Application or Service Definitions categories that are
Installed or Modified considered part of events
detected when an
application or service is
installed or modified on a
host.
BB: CategoryDefinition: Category Event Edit this BB to include event
Auditing Changed Definitions categories that are
considered part of events
detected when auditing has
changed on a host.
Authentication Failures Definitions events that indicate an
unsuccessful attempt to
access the network.
Authentication to Definitions events that indicate failed
Disabled Account attempts to access the
network using a disabled
account.
Authentication to Expired Definitions events that indicate failed
Account attempts to access the
network using an expired
account.
Authentication User or Definitions events that indicate
Group Added or Changed modification to accounts or
groups.
BB: CategoryDefinition: Category Flow Edit this BB to include
Communication with File Definitions applications that indicate
Sharing Sites communication with file
sharing sites.
BB: CategoryDefinition: Category Flow Edit this BB to include
Communication with Free Definitions applications that indicate
Email Sites communication with free
email sites
BB:CategoryDefinition: Category Event Edit this BB to include any
Countries with no Remote Definitions geographic location that
Access typically is not allowed
remote access to the
enterprise. When configured,
you can enable the Anomaly:
Remote Access from Foreign
Country rule.


BB:CategoryDefinition: Category Event Edit this BB to define
Database Connections Definitions successful logins to
databases. You may be
required to add additional
device types for this BB.
DDoS Attack Events Definitions event categories that you
want to categorize as a
DDoS attack.
Exploits, Backdoors, and Definitions events that are typically
Trojans exploits, backdoor, or
trojans.
Firewall or ACL Accept Definitions events that indicate access
to the firewall.
Firewall or ACL Denies Definitions events that indicate
unsuccessful attempts to
access the firewall.
Firewall System Errors Definitions events that may indicate a
firewall system error. By
default, this BB applies when
an event is detected by one
or more of the following
devices:
• Check Point
• Generic Firewall
• Iptables
• NetScreen Firewall
• Cisco Pix
BB:CategoryDefinition: Category Event Edit this BB to the severity,
High Magnitude Events Definitions credibility, and relevance
levels you want to generate
an event. The defaults are:
• Severity = 6
• Credibility = 7
• Relevance = 7
BB:CategoryDefinition: Category Flow Edit this BB to identify flows
Inverted Flows Definitions that may be inverted.

196

BB:CategoryDefinition: Category Flow This Building Block to BB:CategoryDefinition:
IRC Detected Based on Definitions include applications that are Successful Communication
Application typically associated with IRC
traffic.
BB:CategoryDefinition: Category Event This Building Block to
IRC Detected Based on Definitions include event categories that
Event Category are typically associated with
IRC traffic.
BB:CategoryDefinition: Category Event This Building Block to BB:CategoryDefinition:
IRC Detection Based on Definitions include event categories and Firewall or ACL Accept
Firewall Events port definitions that are BB:PortDefinition: IRC Ports
typically associated with IRC
traffic.
KeyLoggers Definitions events associated with key
logger monitoring of user
activities.
BB:CategoryDefinition: Category Event Edit this BB to include event
Malware Annoyances Definitions categories that are typically
associated with spyware
infections.
Network DoS Attack Definitions event categories that you
want to categorize as a
network DoS attack.
BB:CategoryDefinition: Category Event Edit this BB to define actions
Post DMZ Jump Definitions that may be seen within a
Remote-to-Local (R2L) and a
DMZ host jumping scenario.
Post Exploit Account Definitions event categories that may
Activity indicate exploits to accounts.
Pre DMZ Jump Definitions that may be seen within a
Local-to-Local (L2L) and a
DMZ host jumping scenario.
Pre Reverse DMZ Jump Definitions that may be seen within a
Pre DMZ jump followed by a
reverse DMZ jump.
Recon Event Categories Definitions event categories that
indicate reconnaissance
activity.


BB:CategoryDefinition: Category Common Edit this BB to include all
Recon Events Definitions events that indicate
reconnaissance activity.
Recon Flows Definitions flows that indicate
BB:CategoryDefinition: Category Common Edit this BB to define actions
Reverse DMZ Jump Definitions that may be seen within a
Remote-to-Local (R2L) and a
DMZ host reverse jumping
scenario.
BB:CategoryDefinition: Category Event Edit this BB to define Denial
Service DoS Definitions of Service (DoS) attack
events.
Successful Definitions flows that are typical of a
Communication successful communication.
Tuning this BB to reduce the
byte to packet ratio to 64 can
cause excessive false
positives. Further tuning
using additional tests may be
required.
Suspicious Event Definitions event categories that
Categories indicate suspicious activity.
BB:CategoryDefinition: Category Common Edit this BB to include all
Suspicious Events Definitions events that indicate
suspicious activity.
Suspicious Flows Definitions flows that indicate suspicious
activity.
BB:CategoryDefinition: Category Event Edits this BB to define
System Configuration Definitions system configuration events.
BB:CategoryDefinition: Category Event Edit this BB to define system
System Errors and Definitions errors and failures.
Failures

198

BB:CategoryDefinition: Category Event Typically, most networks are
Upload to Local Definitions configured to restrict
WebServer applications that use the
PUT method running on their
web application servers. This
BB detects if a remote host
has used this method on a
local server. The BB can be
duplicated to also detect
other unwanted methods or
for local hosts using the
method connecting to remote
servers. This BB is referred
to by the Policy: Upload to
Local WebServer rule.
VoIP Authentication Definitions events that indicate a VoIP
Failure Events login failure.
VoIP Session Opened Definitions events that indicate the start
of a VoIP session.
Authentication Success Definitions events that indicate
successful attempts to
access the network.
Database Access Denied Definition events that indicates denied
access to the database.
Database Access Definition events that indicates
Permitted permitted access to the
database.
BB:CategoryDefinition: Compliance Event Edit this BB that indicate
Failure Service or failure within a service or
Hardware hardware.
BB:CategoryDefinition: Compliance Event Edit this BB to define mail
Mail Policy Violation policy violations.
BB:CategoryDefinition: Compliance Event Edit this BB to include all
Policy Events event categories that may
indicate a violation to
network policy.
BB:CategoryDefinition: Compliance Event Edit this BB to include all
Windows Compliance event categories that
Events indicate compliance events.


BB:ComplianceDefinition: Compliance Common Edit this BB to include your
GLBA Servers GLBA IP systems. You must
then apply this BB to rules
related to failed logins such
as remote access.
HIPAA Servers HIPAA Servers by IP
address. You must then
apply this BB to rules related
to failed logins such as
remote access.
PCI DSS Servers PCI DSS servers by IP
address. You must apply this
BB to rules related to failed
logins such as remote
access.
SOX Servers SOX IP Servers. You must
then apply this BB to rules
related to failed logins such
as remote access.
BB:HostBased: Critical Compliance Event Edit this BB to define event
Events categories that indicate
critical events.
BB:DoS: Local: D/DoS Flow Edit this BB to detect a high
Distributed DoS Attack number of hosts (greater
(High Number of Hosts) than 100,000) sending
identical, non-responsive
packets to a single
BB:DoS: Local: D/DoS Flow Edit this BB to detect a low
(Low Number of Hosts) than 500) sending identical,
non-responsive packets to a
single destination IP
address.
BB:DoS: Local: D/DoS Flow Edit this BB to detect a
Distributed DoS Attack medium number of hosts
(Medium Number of (greater than 5,000) sending
Hosts) identical, non-responsive
packets to a single

200

BB:DoS: Local: Flood D/DoS Flow Edit this BB to detect flood
Attack (High)) attacks above 100,000
packets per second. This
activity may indicate an
attack.
Attack (Low) attacks above 500 packets
per second. This activity may
indicate an attack.
Attack (Medium)) attacks above 5,000 packets
indicate an attack.
BB:DoS: Local: Potential D/DoS Flow Edit this BB to detect flows
ICMP DoS that appear to be an ICMP
DoS attack attempt.
TCP DoS that appear to be an TCP
DoS attack attempt.
UDP DoS that appear to be an UDP
DoS attack attempt.
BB:DoS: Local: Potential D/DoS Flow Edit this BB to detect a low
Unresponsive Server or number of hosts sending
Distributed DoS identical, non-responsive
packets to a single
destination. In this case, the
destination is treated as the
source on the Offenses tab.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a high
(High Number of Hosts) than 100,000) sending
identical, non-responsive
packets to a single
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a low
(Low Number of Hosts) than 500) sending identical,
non-responsive packets to a
single destination IP
address.


BB:DoS: Remote: D/DoS Flow Edit this BB to detect a
Distributed DoS Attack medium number of hosts
(Medium Number of (greater than 5,000) sending
Hosts) identical, non-responsive
packets to a single
BB:DoS: Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (High) attacks above 100,000
packets per second. This
activity may indicate an
attack.
BB:DoS: Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (Low) attacks above 500 packets
indicate an attack.
BB:DoS:Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (Medium) attacks above 5,000 packets
indicate an attack.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect flows
Potential ICMP DoS that appear to be an ICMP
DoS attack attempt.
Potential TCP DoS that appear to be an TCP
DoS attack attempt.
Potential UDP DoS that appear to be an UDP
DoS attack attempt.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a low
Potential Unresponsive number of hosts sending
Server or Distributed DoS identical, non-responsive
packets to a single
destination. In this case, the
destination is treated as the
source in the Offenses tab.
BB:FalseNegative: False Event Edit this BB to include events
Events That Indicate Positive that indicate a successful
Successful Compromise compromise. These events
generally have 100%
accuracy.
BB:FalsePositive: All False Common Edit this BB to include all All BB:False
Default False Positive Positive false positive BBs. Positive BBs
BBs

202

BB:FalsePositive: False Common Edit this BB to define all the
Broadcast Address False Positive false positive categories that
Positive Categories occur to or from the
broadcast address space.
BB:FalsePositive: False Common Edit this BB to define all the BB:HostDefinition: Database
Database Server False Positive false positive categories that Servers
Positive Categories occur to or from database
servers that are defined in
the BB:HostDefinition:
Database Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Database
Database Server False Positive false positive QIDs that Servers
Positive Events occur to or from database
Database Servers BB.
BB:FalsePositive: Device False Event Edit this BB to include the
and Specific Event Positive devices and QID of devices
that continually generate
false positives.
BB:FalsePositive: DHCP False Common Edit this BB to define all the BB:HostDefinition: DHCP
Server False Positive Positive false positive categories that Servers
Categories occur to or from DHCP
the BB:HostDefinition: DHCP
Servers BB.
BB:FalsePositive: DHCP False Event Edit this BB to define all the BB:HostDefinition: DHCP
Server False Positive Positive false positive QIDs that Servers
Events occur to or from DHCP
the BB:HostDefinition: DHCP
Servers BB.
BB:FalsePositive: DNS False Common Edit this BB to define all the BB:HostDefinition: DNS
Categories occur to or from DNS based
the BB:HostDefinition: DNS
Servers BB.
BB:FalsePositive: DNS False Event Edit this BB to define all the BB:HostDefinition: DNS
Events occur to or from DNS-based
the BB:HostDefinition: DNS
Servers BB.
BB:FalsePositive: False Event Edit this BB to define firewall
Firewall Deny False Positive deny events that are false
Positive Events positives


BB:FalsePositive: FTP False Event Edit this BB to define all the BB:HostDefinition: FTP
False Positive Events Positive false positive QIDs that Servers
occur to or from FTP-based
the BB:HostDefinition: FTP
Servers BB.
BB:FalsePositive: FTP False Common Edit this BB to define all the BB:HostDefinition: FTP
Categories occur to or from FTP based
the BB:HostDefinition: FTP
Servers BB.
BB:FalsePositive: Global False Event Edit this BB to include any
False Positive Events Positive event QIDs that you want to
ignore.
BB:FalsePositive: Large False Event Edit this BB to define specific
Volume Local FW Events Positive events that can create a
large volume of false
positives in general rules.
BB:FalsePositive: LDAP False Common Edit this BB to define all the BB:HostDefinition: LDAP
Categories occur to or from LDAP
the BB:HostDefinition: LDAP
Servers BB.
BB:FalsePositive: LDAP False Event Edit this BB to define all the BB:HostDefinition: LDAP
Events occur to or from LDAP
the BB:HostDefinition: LDAP
Servers BB.
BB:FalsePositive: Local False Event Edit this BB to define all the
Source to Local Positive false positive QIDs that
Destination False occur to or from
Positives Local-to-Local (L2L) based
servers.
BB:FalsePositive: Local False Event Edit this BB to define all the
Source to Remote Positive false positive QIDs that
Positives Local-to-Remote (L2R)
based servers.
BB:FalsePositive: Mail False Common Edit this BB to define all the BB:HostDefinition: Mail
Categories occur to or from mail servers
that are defined in the
BB:HostDefinition: Mail
Servers BB.

204

BB:FalsePositive: Mail False Event Edit this BB to define all the BB:HostDefinition: Mail
Events occur to or from mail servers
BB:HostDefinition: Mail
Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Network
Network Management Positive false positive categories that Management Servers
Servers Recon occur to or from network
management servers that
are defined in the
BB:HostDefinition: Network
Management Servers BB.
BB:FalsePositive: Proxy False Common Edit this BB to define all the BB:HostDefinition: Proxy
Categories occur to or from proxy
the BB:HostDefinition: Proxy
Servers BB.
BB:FalsePositive: Proxy False Event Edit this BB to define all the BB:HostDefinition: Proxy
Events occur to or from proxy
the BB:HostDefinition: Proxy
Servers BB.
BB:FalsePositive: False Flow Edit this BB to prevent rules
Reversed Flows Positive from processing flows that
have changed direction.
BB:FalsePositive: False Event Edit this BB to define all the
Remote Source to Local Positive false positive QIDs that
Positives Remote-to-Local (R2L)
based servers.
BB:FalsePositive: RPC False Common Edit this BB to define all the BB:HostDefinition: RPC
Categories occur to or from RPC servers
BB:HostDefinition: RPC
Servers BB.
BB:FalsePositive: RPC False Event Edit this BB to define all the BB:HostDefinition: RPC
Events occur to or from RPC servers
BB:HostDefinition: RPC
Servers BB.


BB:FalsePositive: SNMP False Common Edit this BB to define all the BB:HostDefinition: SNMP
Sender or Receiver False Positive false positive categories that Servers
Positive Categories occur to or from SNMP
SNMP Servers BB.
BB:FalsePositive: SNMP False Event Edit this BB to define all the BB:HostDefinition: SNMP
Sender or Receiver False Positive false positive QIDs that Sender or Receiver
Positive Events occur to or from SNMP
SNMP Sender or Receiver
BB.
BB:FalsePositive: Source False Event Edit this BB to include source
IP and Specific Event Positive IP addresses or specific
events that you want to
remove.
BB:FalsePositive: SSH False Common Edit this BB to define all the BB:HostDefinition: SSH
Categories occur to or from SSH servers
BB:HostDefinition: SSH
Servers BB.
BB:FalsePositive: SSH False Event Edit this BB to define all the BB:HostDefinition: SSH
Events occur to or from SSH servers
BB:HostDefinition: SSH
Servers BB.
BB:FalsePositive: Syslog False Common Edit this BB to define all false BB:HostDefinition: Syslog
Sender False Positive Positive positive categories that occur Servers and Senders
Categories to or from syslog sources.
BB:FalsePositive: Syslog False Event Edit this BB to define all false BB:HostDefinitionBB:HostDef
Sender False Positive Positive positive events that occur to inition: Syslog Servers and
Events or from syslog sources or Senders
destinations.
BB:FalsePositive: Virus False Common Edit this BB to define all the BB:HostDefinition: Virus
Definition Update Positive false positive QIDs that Definition and Other Update
Categories occur to or from virus Servers
definition or other automatic
update hosts that are defined
in the BB:HostDefinition:
Virus Definition and Other
Update Servers BB.

206

BB:FalsePositive: Web False Common Edit this BB to define all the BB:HostDefinition: Web
Categories occur to or from web servers
BB:HostDefinition: Web
Servers BB.
BB:FalsePositive: Web False Event Edit this BB to define all the BB:HostDefinition: Web
Events occur to or from Web servers
BB:HostDefinition: Web
Servers BB.
BB:FalsePositive: False Event Edit this BB to add
Windows AD Source Positive addresses of Windows
Authentication Events Authentication and Active
Directory (AD) servers. This
BB prevents the AD servers
from being the source of
authentication messages.
BB:FalsePositive: False Common Edit this BB to define all the BB:HostDefinition: Windows
Windows Server False Positive false positive categories that Servers
Positive Categories Local occur to or from Windows
Windows Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Windows
Windows Server False Positive false positive QIDs that Servers
Positive Events occur to or from Windows
Windows Servers BB.
BB:Flowshape: Balanced Flowshape Flow This BB detects flows that
have a balanced flow bias.
BB:Flowshape: Inbound Flowshape Flow This BB detects flows that
Only have an inbound only flow
bias.
BB:Flowshape: Local Flowshape Flow This BB detects local flows
Balanced that have a balanced flow
bias.
BB:Flowshape: Local Flowshape Flow This BB detects
Unidirectional unidirectional flows within the
local network.
BB:Flowshape: Mostly Flowshape Flow This BB detects flows that
Inbound have a mostly inbound flow
bias.


BB:Flowshape: Mostly Flowshape Flow This BB detects flows that
Outbound have a mostly outbound flow
bias.
BB:Flowshape: Outbound Flowshape Flow This BB detects flows that
Only have an outbound only flow
bias.
BB:HostDefinition: Host Common Edit this BB to include any
Consultant Assets Definitions consultant assets, which
includes any asset
connected to your network
that is supplied or owned by
a consultant and not
considered to be your asset.
BB:HostDefinition: Host Common Edit this BB to define typical BB:FalsePositive: Database
Database Servers Definitions database servers. Server False Positive
Categories
BB:FalsePositive: Database
Server False Positive Events
BB:HostDefinition: DHCP Host Common Edit this BB to define typical BB:False Positive: DHCP
Servers Definitions DHCP servers. Server False Positives
Categories
BB:FalsePositive: DHCP
BB:HostDefinition: DMZ Host Common Edit this BB to include any
Assets Definitions DMZ assets.
BB:HostDefinition: DNS Host Common Edit this BB to define typical BB:False Positive: DNS
Servers Definitions DNS servers. Server False Positives
Categories
BB:FalsePositive: DNS
BB:HostDefinition: FTP Host Common Edit this BB to define typical BB:False Positive: FTP
Servers Definitions FTP servers. Server False Positives
Categories
BB:FalsePositive: FTP
BB:HostDefinition: Host Host Common Edit this BB to include a host
with Port Open Definitions and port that is actively or
passively seen.
BB:HostDefinition: LDAP Host Common Edit this BB to define typical BB:False Positive: LDAP
Servers Definitions LDAP servers. Server False Positives
Categories
BB:FalsePositive: LDAP

208

BB:HostDefinition: Local Host Common Edit this BB to include any
Assets Definitions local assets.
BB:HostDefinition: Mail Host Common Edit this BB to define typical BB:False Positive: Mail
Servers Definitions mail servers. Server False Positives
Categories
BB:FalsePositive: Mail
MailServer Assets Definitions mail server assets.
BB:HostDefinition: Host Common Edit this BB to define typical
Network Management Definitions network management
Servers servers.
Protected Assets Definitions protected assets.
BB:HostDefinition: Proxy Host Common Edit this BB to define typical BB:False Positive: Proxy
Servers Definitions proxy servers. Server False Positives
Categories
BB:FalsePositive: Proxy
Regulatory Assets Definitions regulatory assets.
Remote Assets Definitions remote assets.
BB:HostDefinition: RPC Host Common Edit this BB to define typical BB:False Positive: RPC
Servers Definitions RPC servers. Server False Positives
Categories
BB:FalsePositive: RPC
BB:HostDefinition: Host Event Edit this BB to define generic
Servers Definitions servers.
BB:HostDefinition: SNMP Host Common Edit this BB to define SNMP BB:PortDefinition: SNMP
Sender or Receiver Definitions senders or receivers. Ports
BB:HostDefinition: SSH Host Common Edit this BB to define typical BB:False Positive: SSH
Servers Definitions SSH servers. Server False Positives
Categories
BB:FalsePositive: SSH
BB:HostDefinition: Syslog Host Common Edit this BB to define typical BB:FalsePositive: Syslog
Servers and Senders Definitions host that send or receive Server False Positive
syslog traffic. Categories
BB:FalsePositive: Syslog


BB:HostDefinition: VA Host Common Edit this BB to include the
Scanner Source IP Definitions source IP address of your VA
scanner. By default, this BB
applies when the source IP
address is 127.0.0.2.
BB:HostDefinition: Virus Host Common Edit this BB to include all
Definition and Other Definitions servers that include virus
Update Servers protection and update
functions.
BB:HostDefinition: VoIP Host Common Edit this BB to define typical
PBX Server Definitions VoIP IP PBX servers.
BB:HostDefinition: VPN Host Common Edit this BB to include any
Assets Definitions VPN assets.
BB:HostDefinition: Web Host Common Edit this BB to define typical BB:False Positive: Web
Servers Definitions web servers. Server False Positives
Categories
BB:FalsePositive: Web
BB:HostDefinition: Host Common Edit this BB to define typical BB:False Positive: Windows
Windows Servers Definitions Windows servers, such as Server False Positives
domain controllers or Categories
exchange servers. BB:FalsePositive: Windows
BB:DeviceDefinition: Log Source Event Edit this BB to include all
Access/Authentication/ Definitions access, authentication, and
Audit audit devices.
AntiVirus Definitions antivirus services on the
system.
Application Definitions application and OS devices
on the network.
BB:DeviceDefinition: Log Source Event Edit this BB to include MAC
Consumer Grade Routers Definitions addresses of known
consumer grade routers.
BB:DeviceDefinition: Log Source Event Edit this BB to include MAC
Consumer Grade Definitions addresses of known
Wireless APs consumer grade wireless
access points.
BB:DeviceDefinition: Log Source Event Edit this BB to define all
Database Definitions databases on the system.

210

BB:DeviceDefinition: Log Source Event Edit this BB to include
Devices to Monitor for Definitions devices you want to monitor
High Event Rates for high event rates. The
event rate threshold is
controlled by the Anomaly:
Devices with High Event
Rates.
FW/Router/ Definitions firewall (FW), routers, and
Switch switches on the network.
BB:DeviceDefinition: Log Source Event Edit this BB to include all IDS
IDS/IPS Definitions and IPS devices on the
network.
BB:DeviceDefinition:VPN Log Source Event Edit this BB to include all
Definition VPNs on the network.
BB:NetworkDefinition: Network Common Edit this BB to include the
Broadcast Address Space Definition broadcast address space of
your network. This is used to
remove false positive events
that may be caused by the
use of broadcast messages.
BB:NetworkDefinition: Network Common Edit this BB to include all
Client Networks Definition networks that include client
hosts.
BB:NetworkDefinition: Network Common Edit this BB to include
Darknet Addresses Definition networks that you want to
add to a Darket list.
DLP Addresses Definition networks that you want to
add to a Data Loss
Prevention (DLP) list.
DMZ Addresses Definition networks that you want to
add to a Demilitarized Zone
(DMZ) list.
DMZ Addresses(DST) Definition destination networks that you
want to add to a
Demilitarized Zone (DMZ)
list.
BB:NetworkDefinition: Network Common Edit this BB to include source
DMZ Addresses(SRC) Definition networks that you want to
add to a Demilitarized Zone
(DMZ) list.


BB:NetworkDefinition: Network Common Edit this BB by replacing
Honeypot like Addresses Definition other network with network
objects defined in your
network hierarchy that are
currently not in use in your
network or are used in a
honeypot or tarpit
installation. When these
have been defined, you must
enable the Anomaly:
Potential Honeypot Access
rule. You must also add a
security or policy BB to these
network objects to generate
events based on attempted
access.
BB:NetworkDefinition: Network Common Edit this BB to include all
Inbound Communication Definition traffic from the Internet to
from Internet to Local you local networks.
Host
Multicast Address Space Definition networks that you want to
add to a multicast address
space list.
BB:NetworkDefinition: Network Common Edit this BB to define typical
NAT Address Range Definition Network Address Translation
(NAT) range you want to use
in your deployment.
BB:NetworkDefinition: Network Common Edit this BB to include the
Server Networks Definition networks where your servers
are located.
BB:NetworkDefinition: Network Common Edit this BB to include event
Trusted Network Definition categories that are trusted
Segment local networks.
BB:NetworkDefinition: Network Common Edit this BB to include areas
Undefined IP Space Definition of your network that does not
contain any valid hosts.
Untrusted Local Networks Definition untrusted local networks.
BB:NetworkDefinition: Network Common Edit this BB to include any BB:NetworkDefinition:
Untrusted Network Definition untrusted networks. Untrusted Local Network
Segment BB:NetworkDefinition:
Inbound Communication from
Internet to Local Host

212

Watch List Addresses Definition networks that should be
added to a watch list.
BB:Policy Violation: Policy Flow Edit this BB to include
Application Policy applications that are
Violation: NNTP to commonly associated with
Internet NNTP traffic to the Internet
Application Policy applications that are
Violation: Unknown Local commonly associated with
Service potentially unknown local
services.
Compliance Policy applications that are
Violation: Clear Text commonly associated with
Application Usage unencrypted protocols like
telnet and FTP.
BB: Policy Violation: Policy Flow Edit this BB to include
Connection to Social applications that are
Networking Web site commonly associated with
social networking websites.
BB:Policy Violation: IRC Policy Flow Edit this BB to include
IM Policy Violation: IM applications that are
Communications commonly associated with
Instant Messaging
communications.
BB:Policy Violation: IRC PolicyRecon Flow Edit this BB to include
IM Policy Violation: IRC applications that are
Connection to Internet commonly associated with
IRC connections to a remote
host.
BB:Policy Violation: Large Policy Flow Edit this BB to include
Outbound Transfer applications that are
commonly associated with
significant transfer of data to
outside the local network.
This may indicate suspicious
activity.
BB:Policy Violation: Mail Policy Flow Edit this BB to include
Policy Violation: applications that are
Outbound Mail Sender commonly associated with a
local host sending mail to
remote hosts.


BB:Policy Violation: Mail Policy Flow Edit this BB to include
Policy Violation: Remote applications that are
Connection to Internal commonly associated with
Mail Server potential unauthorized
internal mail servers.
BB:Policy Violation: P2P Policy Flow Edit this BB to include
Policy Violation: Local applications that are
P2P Client commonly associated with
local P2P clients. This BB
detects flows coming from a
local PSP server.
BB:Policy Violation: P2P Policy Flow Edit this BB to include
Policy Violation: Local applications that are
P2P Server commonly associated with
local P2P clients. This BB
detects flows coming from a
local P2P client.
Remote Access Policy applications that are
Violation: Remote Access commonly associated with
Shell remote access. This BB
detects a remote access
attempt from a remote host.
BB:Policy: Application Policy Event Edit this BB to define policy
Policy Violation Events application and violation
events.
BB:Policy: IRC/IM Policy Event Edit this BB to define all
Connection Violations policy IRC and IM
connection violations.
BB:Policy: Policy P2P Policy Event Edit this BB to include all
events that indicate P2P
events.
BB:PortDefinition: Port\ Common Edit this BB to include ports
Authorized L2R Ports Protocol that are commonly detected
Definition in Local-to-Remote (L2R)
traffic.
BB:PortDefinition: Port\ Common Edit this BB to include all
Common Worm Ports Protocol ports that are generally not
Definition seen in L2R traffic.
Database Ports Protocol common database ports.
Definition
BB:PortDefinition: DHCP Port\ Common Edit this BB to include all
Ports Protocol common DHCP ports.
Definition

214

BB:PortDefinition: DNS Port\ Common Edit this BB to include all
Ports Protocol common DNS ports.
Definition
BB:PortDefinition: FTP Port\ Common Edit this BB to include all
Ports Protocol common FTP ports.
Definition
BB:PortDefinition: Game Port\ Common Edit this BB to include all
Server Ports Protocol common game server ports.
Definition
BB:PortDefinition: IM Compliance Common Edit this BB to include all
Ports common IM ports.
BB:PortDefinition: IRC Port\ Common Edit this BB to include all
Ports Protocol common IRC ports.
Definition
BB:PortDefinition: LDAP Port\ Common Edit this BB to include all
Ports Protocol common ports used by
Definition LDAP servers.
BB:PortDefinition: Mail Port\ Common Edit this BB to include all
Ports Protocol common ports used by mail
Definition servers.
BB:PortDefinition: P2P Port\ Common Edit this BB to include all
Ports Protocol common ports used by P2P
Definition servers.
BB:PortDefinition: Proxy Port\ Common Edit this BB to include all
Ports Protocol common ports used by proxy
Definition servers.
BB:PortDefinition: RPC Port\ Common Edit this BB to include all
Ports Protocol common ports used by RPC
Definition servers.
BB:PortDefinition: SNMP Port\ Common Edit this BB to include all
Ports Protocol common ports used by
Definition SNMP servers.
BB:PortDefinition: SSH Port\ Common Edit this BB to include all
Ports Protocol common ports used by SSH
Definition servers.
BB:PortDefinition: Syslog Port\ Common Edit this BB to include all
Ports Protocol common ports used by the
Definition syslog servers.
BB:PortDefinition: Web Port\ Common Edit this BB to include all
Ports Protocol common ports used by Web
Definition servers.
Windows Ports Protocol common ports used by
Definition Windows servers.


BB:ProtocolDefinition: Port\ Common Edit this BB to include all
Windows Protocols Protocol common protocols (not
Definition including TCP) used by
Windows servers that will be
ignored for false positive
tuning rules.
BB:Recon: Local: ICMP Recon Flow Edit this BB to identify BB:Threats: Scanning: ICMP
Scan (High) applications and protocols Scan High
ICMP traffic. This BB detects
when a host is scanning
more than 100,000 hosts per
minute using ICMP. This
activity indicates a host
performing reconnaissance
activity at an extremely high
rate. This is typical of a worm
infection or a standard
scanning application.
Scan (Low) applications and protocols Scan Low
a host scanning more than
500 hosts per minute using
ICMP. This may indicate a
host configured for network
management or normal
server behavior on a busy
internal network. If this
behavior continues for
extended periods of time,
this may indicate classic
behavior of worm activity.
Scan (Medium) applications and protocols Scan Medium
a host scanning more than
5,000 hosts per minute using
ICMP. This indicates a host
infection or a host configured
for network management
purposes.

216

BB:Recon: Local: Recon Flow This BB detects a host BB:Threats: Scanning:
Potential Network Scan sending identical packets to Potential Scan
a number of hosts that are
not responding. This may
indicate a host configured for
network management or
normal server behavior on a
busy internal network.
However, client hosts in your
network should not be
exhibiting this behavior for
long periods of time.
BB:Recon: Local: Recon Flow This BB detects a host BB:Threats: Scanning: Empty
Scanning Activity (High) performing reconnaissance Responsive Flows High
rate (more than 100,000
hosts per minute), which is
typical of a worm infection of
a scanning application.
Scanning Activity (Low) scanning more than 500 Responsive Flows Low
hosts per minute. This
indicates a host performing
reconnaissance activity at a
high rate. This is typical of a
worm infection or a host
configured for network
management purposes.
Scanning Activity scanning more than 5,000 Responsive Flows Medium
(Medium) hosts per minute. This
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: ICMP
ICMP Scan (High) scanning more than 100,000 Scan High
hosts per minute using
infection or a standard
scanning application.


BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: ICMP
ICMP Scan (Low) scanning more than 500 Scan Low
ICMP. This may indicate a
host configured for network
management or normal
server behavior on a busy
internal network. If this
behavior continues for
extended periods of time,
this may indicate classic
behavior of worm activity.
We recommend that you
check the host of infection or
malware installation.
BB:Recon: Remote: Recon Flow This BB detects a host B:Threats: Scanning: ICMP
ICMP Scan (Medium) scanning more than 5,000 Scan Medium
infection or a host configured
for network management
purposes.
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning:
Potential Network Scan sending identical packets to Potential Scan
a number of hosts that are
not responding. This may
indicate a host configured for
network management or
normal server behavior on a
busy internal network.
However, client hosts in your
network should not be
exhibiting this behavior for
long periods of time.
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: Empty
Scanning Activity (High) performing reconnaissance Responsive Flows High
rate (more than 100,000
hosts per minute), which is
typical of a worm infection of
a scanning application.

218

Scanning Activity (Low) scanning more than 500 Responsive Flows Low
hosts per minute. This
Scanning Activity scanning more than 5,000 Responsive Flows Medium
(Medium) hosts per minute. This
BB:Recon Recon Event Edit this BB to include all
Detected: Devices That devices that accumulate
Merge Recon into Single reconnaissance across
Events multiple hosts or ports into a
single event. This rule forces
these events to become
offenses.
BB:Recon Recon Event Edit this BB to define
Detected: Host Port Scan reconnaissance scans on
hosts in your deployment.
BB:Recon Recon Event Edit this BB to indicate port
Detected: Port Scan scanning activity across
Detected Across Multiple multiple hosts. By default,
Hosts this BB applies when a
source IP address is
against more than five hosts
within 10 minutes. If internal,
this may indicate an
exploited system or a worm
scanning for destination IP
addresses.
BB:Suspicious: Local: Suspicious Flow This BB detects an BB:Threats: Suspicious IP
Anomalous ICMP Flows excessive number of ICMP Protocol Usage: Suspicious
flows from one source IP ICMP Type Code
address, where the applied
ICMP types and codes are
considered abnormal when
seen entering or leaving the
network.


Inbound Unidirectional excessive rate (more than Protocol
Flows Threshold 1,000) of unidirectional flows Usage:Unidirectional UDP
within the last 5 minutes. and Misc Flows
This may indicate a scan is BB:Threats: Suspicious IP
in progress, worms, DoS Protocol
attack, or issues with your Usage:Unidirectional TCP
network configuration. Flows
BB:Threats: Suspicious IP
Protocol Usage:
Unidirectional ICMP Flows
BB:Suspicious: Local: Suspicious Flow This BB detects flows that BB:Threats: Suspicious IP
Invalid TCP Flag Usage appear to have improper flag Protocol Usage: Illegal TCP
combinations. This may Flag Combination
indicate various behaviors,
such as OS detection, DoS
attacks, or even forms of
reconnaissance.
Outbound Unidirectional excessive rate of outbound Protocol
Flows Threshold unidirectional flows (remote Usage:Unidirectional UDP
host not responding) within 5 and Misc Flows
minutes. BB:Threats: Suspicious IP
Protocol
Usage:Unidirectional TCP
Flows
B:Threats: Suspicious IP
Protocol Usage:
BB:Suspicious: Local: Suspicious Flow This BB detects flows with BB:Threats: Suspicious IP
Port 0 Flows Detected Port 0 as the destination or Protocol Usage: TCP or UDP
source port. This may be Port 0
considered suspicious.
Rejected Communication indicate a host is attempting Protocol Usage: Zero
Attempts to establish connections to Payload Bidirectional Flows
other hosts and is being
refused by the hosts.
BB:Suspicious: Local: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP traffic Protocol Usage:
Detected from a single source. This Unidirectional ICMP Flows
may indicate an attempt to
enumerate hosts on the
network or other serious
network issues.

220

BB:Suspicious: Local: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP Protocol Usage:
Responses Detected responses from a single Unidirectional ICMP Replies
source. This may indicate an
attempt to enumerate hosts
on the network or other
serious network issues.
Unidirectional TCP Flows indicate a host is sending an Protocol
excessive quantity (at least Usage:Unidirectional TCP
15) of unidirectional flows. Flows
These types of flows may be
considered normal, however,
client workstations and other
devices, should not be seen
emitting large quantities of
such flows. This activity
should be considered
suspicious.
Unidirectional UDP or excessive number of Protocol
Misc Flows unidirectional UDP and Usage:Unidirectional TCP
miscellaneous flows from a Flows
single source.
BB:Suspicious: Remote: Suspicious Flow This BB detects an BB:Threats: Suspicious IP
Anomalous ICMP Flows excessive number of ICMP Protocol Usage: Suspicious
flows from one source IP ICMP Type Code
address and the applied
ICMP types and codes are
considered abnormal when
seen entering or leaving the
network.
Inbound Unidirectional excessive rate (more than Protocol
Flows Threshold 1,000) of unidirectional flows Usage:Unidirectional UDP
within the last 5 minutes. and Misc Flows
This may indicate a scan is BB:Threats: Suspicious IP
in progress, worms, DoS Protocol
attack, or issues with your Usage:Unidirectional TCP
network configuration. Flows
Protocol Usage:


BB:Suspicious: Remote: Suspicious Flow This BB detects flows that BB:Threats: Suspicious IP
Invalid TCP Flag Usage appear to have improper flag Protocol Usage: Illegal TCP
combinations. This may Flag Combination
indicate various troubling
behaviors, such as OS
detection, DoS attacks, or
reconnaissance.
Outbound Unidirectional excessive rate of outbound Protocol
Flows Threshold unidirectional flows (remote Usage:Unidirectional UDP
host not responding) within 5 and Misc Flows
minutes. BB:Threats: Suspicious IP
Protocol
Flows
Protocol Usage:
BB:Suspicious: Remote: Suspicious Flow This BB detects flows with BB:Threats: Suspicious IP
Port 0 Flows Detected Port 0 as the destination or Protocol Usage: TCP or UDP
source port. This may be Port 0
considered suspicious.
Rejected indicate a host is attempting Protocol Usage: Zero
Communications to establish connections to Payload Bidirectional Flows
Attempts other hosts and is being
refused by the hosts.
BB:Suspicious: Remote: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP traffic Protocol Usage:
Detected from a single source. This Unidirectional ICMP Flows
may indicate an attempt to
enumerate hosts on the
network or other serious
network issues.
BB:Suspicious: Remote: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP Protocol Usage:
Responses Detected responses from a single Unidirectional ICMP Replies
source. This may indicate an
attempt to enumerate hosts
on the network or other
serious network issues.

222

Unidirectional TCP Flows indicate a host is sending an Protocol
excessive quantity (at least Usage:Unidirectional TCP
15) of unidirectional flows. Flows
These types of flows may be
considered normal, however,
client workstations and other
devices, should not be seen
emitting large quantities of
such flows. This activity
should be considered
suspicious.
Unidirectional UDP or excessive number of Protocol
Misc Flows unidirectional UDP and Usage:Unidirectional TCP
miscellaneous flows from a Flows
single source.
BB:Threats: DoS: Threats Flow This BB detects a denial of
Inbound Flood with No service condition where the
Response High source packet count is
greater than 6,000,000 and
there is no response from the
hosts being targeted.
Response Low source packet count is
greater than 30,000 and
Response Medium source packet count is
BB:Threats: DoS: Threats Flow This BB detects a high
Multi-Host Attack High number of hosts potentially
performing a denial of
service attack.
BB:Threats: DoS: Threats Flow This BB detects a lower
Multi-Host Attack Low number of hosts potentially
service attack.
BB:Threats: DoS: Threats Flow This BB detects a medium
Multi-Host Attack Medium number of hosts potentially
service attack.


Outbound Flood with No service condition where the
Response High source packet count is
greater than 6,000,000 and
Response Low source packet count is
Response Medium source packet count is
BB:Threats: DoS: Threats Flow This BB detects potential a
Potential ICMP DoS potential ICMP DoS attacks.
BB:Threats: DoS: Threats Flow This BB detects multiple
Potential Multihost Attack hosts potentially performing
a denial of service attack.
Potential TCP DoS potential TCP DoS attacks.
Potential UDP DoS potential UDP DoS attacks.
BB:Threats: Port Scans: Threats Flow This BB detects potential
Host Scans reconnaissance by flows.
BB:Threats: Port Scans: Threats Flow This BB detects UDP based
UDP Port Scan port scans.
BB:Threats: Remote Threats Flow This BB detects flows where
Access Violations: a remote desktop application
Remote Desktop Access is being accessed from a
from Remote Hosts remote host.
BB:Threats: Remote Threats Flow This BB detects flows where
Access Violations: VNC a VNC service is being
Activity from Remote accessed from a remote
Hosts host.
BB:Threats: Scanning: Threats Flow This BB detects potential
Empty Responsive Flows reconnaissance activity
High where the source packet
count is greater than
100,000.

224

Low where the source packet
count is greater than 500.
Medium where the source packet
count is greater than 5,000.
BB:Threats: Scanning: Threats Flow This BB detects a high level
ICMP Scan High of ICMP reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a low level
ICMP Scan Low of ICMP reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a medium
ICMP Scan Medium level of ICMP
Potential Scan reconnaissance activity.
BB:Threats: Scanning: Threats Flow This BB detects a high level
Scan High of potential reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a low level
Scan Low of potential reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a medium
Scan Medium level of potential
BB:Threats: Suspicious Threats Flow This BB detects suspicious
Activity: Suspicious IRC IRC traffic.
Traffic
BB:Threats: Suspicious Threats Flow This BB detects flows that
IP Protocol Usage: Illegal have an illegal TCP flag
TCP Flag Combination combination.
BB:Threats: Suspicious Threats Flow This BB detects abnormally
IP Protocol Usage: Large large DNS traffic.
DNS Packets
BB:Threats: Suspicious Threats Flow This BB detects flows with
IP Protocol Usage: Large abnormally large ICMP
ICMP Packets packets.
BB:Threats: Suspicious Threats Flow This BB detects flows that
IP Protocol Usage: Long have been active for more
Duration Outbound Flow than 48 hours


BB:Threats: Suspicious Threats Flow This BB detects ICMP flows
IP Protocol Usage: with suspicious ICMP type
Suspicious ICMP Type codes.
Code
BB:Threats: Suspicious Threats Flow This BB detects suspicious
IP Protocol Usage: TCP flows using port 0.
or UDP Port 0
BB:Threats: Suspicious Threats Flow This BB detects
IP Protocol Usage: unidirectional ICMP flows.
Unidirectional ICMP
Flows
BB:Threats: Suspicious Threats Flow This BB detects traffic where
IP Protocol Usage: ICMP replies are seen with
Unidirectional ICMP no request.
Replies
BB:Threats: Suspicious Threats Flow This BB detects bidirectional
IP Protocol Usage: Zero traffic that does not include
Payload Bidirectional payload.
Flows
IP Protocol unidirectional TCP flows.
Flows
IP Protocol unidirectional UDP and other
Usage:Unidirectional miscellaneous flows.
UDP and Misc Flows
User-BB:FalsePositive: User Tuning Common This BB contains any events
User Defined False that you have tuned using
Positives Tunings the False Positive tuning
function. For more
information, see the QRadar
Network Anomaly Detection
Users Guide.
User-BB:FalsePositive: User Tuning Event Edit this BB to include any User-BB:HostDefinition:
Server Type 1 - User event categories you want to Server Type 1 - User Defined
Defined False Positive consider false positives for
Categories hosts defined in the
associated BB.
User-BB:FalsePositive: User Tuning Event Edit this BB to include any User-BB:HostDefinition:
Server Type 1 - User events you want to consider Server Type 1 - User Defined
Defined False Positive false positives for hosts
Events defined in the associated BB.

226

User-BB:FalsePositive: User Tuning Event Edit this BB to include any User:BB:HostDefinition:
User Defined Server Type event categories you want to Server Type 2 - User Defined
2 False Positive consider false positives for
associated BB.
User Defined Server Type events you want to consider Server Type 2 - User Defined
2 False Positive Events false positives for hosts
defined in the associated BB.
User Defined Server Type event categories you want to Server Type 3 - User Defined
3 False Positive consider false positives for
associated BB.
User Defined Server Type events you want to consider Server Type 3 - User Defined
3 False Positive Events false positives for hosts
defined the associated BB.
User-BB:HostDefinition: User Tuning Event Edit this BB to include the IP User-BB:FalsePositives:
Server Type 1 - User address of your custom Server Type 1 - User Defined
Defined server type. After you have False Positive Category
added the servers, add any User-BB:False Positives:
events or event categories Server Type 1 - User Defined
you want to consider false False Positive Events
positives to these servers as
defined in the associated
BBs.
Server Type 2 - User address of your custom User Defined Server Type 2
events or event categories User Defined Server Type 2
defined in the associated
BBs.
Server Type 3 - User address of your custom User Defined Server Type 3
events or event categories User Defined Server Type 3
defined in the as defined in
the associated BBs.
BB:CategoryDefinition: Other Common Edit this BB to specify your
Off Hours regular office hours.

B VIEWING AUDIT LOGS
Changes made by IBM Security QRadar Network Anomaly Detection users are
recorded in the audit logs. You can view the audit logs to monitor changes to
QRadar Network Anomaly Detection and the users performing those changes.

• Logged Actions
• Viewing the Log File
Audit Log Overview All audit logs are stored in plain text and are archived and compressed when the
audit log file reaches a size of 200 MB. The current log file is named audit.log.
When the file reaches a size of 200 MB, the file is compressed and renamed as
follows: audit.1.gz, audit.2.gz, with the file number incrementing each time
a log file is archived. QRadar Network Anomaly Detection stores up to 50 archived
log files.
Logged Actions QRadar Network Anomaly Detection logs the following categories of actions in the
audit log file:
NOTE
You can view audit log events using the Log Activity tab. Table B-1 provides a
record of the logged actions.
Table B-1 Logged Actions
Category Action
Administrator Authentication Log in to the QRadar Network Anomaly Detection
Administration Console.
Log out of the QRadar Network Anomaly Detection
Administration Console.
Assets Delete an asset.
Delete all assets.
Audit Log Access Perform a search that includes events with a
high-level event category of Audit.

228
Table B-1 Logged Actions (continued)
Category Action
Backup and Recovery Edit the configuration.
Initiate the backup.
Complete the backup.
Fail the backup.
Delete the backup.
Synchronize the backup.
Cancel the backup.
Initiate the restore.
Upload a backup.
Upload an invalid backup.
Initiate the restore.
Purge the backup.
Custom Properties Add a custom event property.
Edit a custom event property.
Delete a custom event property.
Add a custom flow property.
Edit a custom flow property.
Delete a custom flow property.
Chart Configuration Save flow or event chart configuration.
Custom Property Expressions Add a custom event property expression.
Edit a custom event property expression.
Delete a custom event property expression.
Add a custom flow property expression.
Edit a custom flow property expression.
Delete a custom flow property expression.
Event and Flow Retention Add a bucket.
Buckets Delete a bucket.
Edit a bucket.
Enable or disable a bucket.
Flow Sources Add a flow source.
Edit a flow source.
Delete a flow source.
Groups Add a group.
Delete a group.
Edit a group.
Installation Install a .rpm package, such as a DSM update.

Logged Actions 229
Category Action
Log Sources Add a log source.
Edit a log source.
Delete a log source.
Add a log source group.
Edit a log source group.
Delete a log source group.
Edit the DSM parsing order.
License Add a license key.
Edit a license key.
Log Source Extension Add an log source extension.
Edit the log source extension.
Delete a log source extension.
Upload a log source extension.
Upload a log source extension successfully.
Upload an invalid log source extension.
Download a log source extension.
Report a log source extension.
Modify a log sources association to a device or
device type.
Offenses Hide an offense.
Close an offense.
Close all offenses.
Add a destination note.
Add a source note.
Add a network note.
Add an offense note.
Protocol Configuration Add a protocol configuration.
Delete a protocol configuration.
Edit a protocol configuration.
QIDmap Add a QID map entry.
Edit a QID map entry.
Reference Sets Create a reference set.
Edit a reference set.
Purge elements in a reference set.
Delete a reference set.

230
Category Action
Reports Add a template.
Delete a template.
Edit a template.
Generate a report.
Delete a report.
Delete generated content.
View a generated report.
Email a generated report.
Root Login Log in to QRadar Network Anomaly Detection, as
root.
Log out of QRadar Network Anomaly Detection, as
root.
Rules Add a rule.
Delete a rule.
Edit a rule.
Scanner Add a scanner.
Delete a scanner.
Edit a scanner.
Scanner Schedule Add a schedule.
Edit a schedule.
Delete a schedule.
Session Authentication Create a new administration session.
Terminate an administration session.
Deny an invalid authentication session.
Expire a session authentication.
Create an authentication session.
Terminate an authentication session.
SIM Clean a SIM model.
Syslog Forwarding Add a syslog forwarding.
Delete a syslog forwarding.
Edit a syslog forwarding.
System Management Shutdown a system.
Restart a system.
TNC Recommendations Create a recommendation.
Edit a recommendation.
Delete a recommendation.

Viewing the Log File 231
Category Action
User Accounts Add an account.
Edit an account.
Delete an account.
User Authentication Log in to QRadar Network Anomaly Detection.
Log out of QRadar Network Anomaly Detection.
User Authentication Ariel Deny a login attempt.
Add an Ariel property.
Delete an Ariel property.
Edit an Ariel property.
Add an Ariel property extension.
Delete an Ariel property extension.
Edit an Ariel property extension.
User Roles Add a role.
Edit a role.
Delete a role.
VIS Discover a new host.
Discover a new operating system.
Discover a new port.
Discover a new vulnerability.
Viewing the Log To view the audit logs:

File
Step 1 Using SSH, log in to QRadar Network Anomaly Detection as the root user:
• User Name: root
• Password: <password>
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the audit log file.
Each entry in the log file displays using the following format:
NOTE
The maximum size of any audit message (not including date, time, and host
name) is 1024 characters.
<date_time> <host name> <user>@<IP address> (thread ID)
[<category>] [<sub-category>] [<action>] <payload>
Where:

232
<date_time> is the date and time of the activity in the format: Month Date
HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the JavaTM thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a
user record or an event rule.
For example:
Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15
(Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0)
[Configuration] [User Account] [Account Modified]
username=james, password=/oJDuXP7YXUYQ, networks=ALL,
email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0)
[Configuration] [FlowSource] [FlowSourceModified] Flowsource(
name="tim", enabled="true", deployed="false",
asymmetrical="false", targetQflow=DeployedComponent(id=3),
flowsourceType=FlowsourceType(id=6),
flowsourceConfig=FlowsourceConfig(id=1))

C EVENT CATEGORIES
This document provides information on the types of event categories and the
processing of events.

• High-Level Event Categories
• Recon
• DoS
• Authentication
• Access
• Exploit
• Malware
• Suspicious Activity
• System
• Policy
• CRE
• Potential Exploit
• SIM Audit
• VIS Host Discovery
• Application
• Audit

234
High-Level Event The high-level event categories include:

Categories Table C-1 High-Level Event Categories
Category Description
Recon Events relating to scanning and other techniques used to identify
network resources, for example, network or host port scans.
DoS Events relating to Denial of Service (DoS) or Distributed Denial of
Service (DDoS) attacks against services or hosts, for example,
brute force network DoS attacks.
Authentication Events relating to authentication controls, group, or privilege
change, for example, log in or log out.
Access Events resulting from an attempt to access network resources,
for example, firewall accept or deny.
Exploit Events relating to application exploits and buffer overflow
attempts, for example, buffer overflow or web application
exploits.
Malware Events relating to viruses, trojans, back door attacks, or other
forms of hostile software. This may include a virus, trojan,
malicious software, or spyware.
Suspicious The nature of the threat is unknown but behavior is suspicious
Activity including protocol anomalies that potentially indicate evasive
techniques, for example, packet fragmentation or known IDS
evasion techniques.
System Events related to system changes, software installation, or status
messages.
Policy Events regarding corporate policy violations or misuse.
CRE Events generated from an offense or event rule. For more
information on creating custom rules, see the IBM Security
QRadar Network Anomaly Detection Administration Guide.
Potential Exploit Events relating to potential application exploits and buffer
overflow attempts.
SIM Audit Events relating to user interaction with the Console and
administrative functions.
VIS Host Events relating to the host, ports, or vulnerabilities that the VIS
Discovery component discovers.
Application Events relating to application activity.

Recon 235
Recon The Recon category indicates events relating to scanning and other techniques
used to identify network resources. The associated low-level event categories
include:
Table C-2 Recon Categories
Low Level Event Severity Level

Category Description (0 to 10)
Unknown Form of Recon Indicates an unknown form of 2
reconnaissance.
Application Query Indicates reconnaissance to 3
applications on your system.
Host Query Indicates reconnaissance to a host in 3
your network.
Network Sweep Indicates reconnaissance on your 4
network.
Mail Reconnaissance Indicates reconnaissance on your mail 3
system.
Windows Reconnaissance Indicates reconnaissance for windows. 3
Portmap / RPC Request Indicates reconnaissance on your 3
portmap or RPC request.
Host Port Scan Indicates a scan occurred on the host 4
ports.
RPC Dump Indicates Remote Procedure Call 3
(RPC) information is removed.
DNS Reconnaissance Indicates reconnaissance on the DNS 3
server.
Misc Reconnaissance Indicates a miscellaneous 2
Event reconnaissance event.
Web Reconnaissance Indicates web reconnaissance on your 3
network.
Database Reconnaissance Indicates database reconnaissance on 3
your network.
ICMP Reconnaissance Indicates reconnaissance on ICMP 3
traffic.
UDP Reconnaissance Indicates reconnaissance on UDP 3
traffic.
SNMP Reconnaissance Indicates reconnaissance on SNMP 3
traffic.
ICMP Host Query Indicates an ICMP host query. 3
UDP Host Query Indicates a UDP host query. 3
NMAP Reconnaissance Indicates NMAP reconnaissance. 3
TCP Reconnaissance Indicates TCP reconnaissance on your 3
network.

236
Table C-2 Recon Categories (continued)

Unix Reconnaissance Indicates reconnaissance on your 3
UNIX® network.
FTP Reconnaissance Indicates FTP reconnaissance. 3
DoS The DoS category indicates events relating to Denial Of Service (DoS) attacks
against services or hosts. The associated low-level event categories include:
Table C-3 DoS Categories

Unknown DoS Attack Indicates an unknown DoS attack. 8
ICMP DoS Indicates an ICMP DoS attack. 9
TCP DoS Indicates a TCP DoS attack. 9
UDP DoS Indicates a UDP DoS attack. 9
DNS Service DoS Indicates a DNS service DoS attack. 8
Web Service DoS Indicates a web service DoS attack. 8
Mail Service DoS Indicates a mail server DoS attack. 8
Distributed DoS Indicates a distributed DoS attack. 9
Misc DoS Indicates a miscellaneous DoS attack. 8
Unix DoS Indicates a Unix DoS attack. 8
Windows DoS Indicates a Windows DoS attack. 8
Database DoS Indicates a database DoS attack. 8
FTP DoS Indicates an FTP DoS attack. 8
Infrastructure DoS Indicates a DoS attack on the 8
infrastructure.
Telnet DoS Indicates a Telnet DoS attack. 8
Brute Force Login Indicates access to your system 8
through unauthorized methods.
High Rate TCP DoS Indicates a high rate TCP DoS attack. 8
High Rate UDP DoS Indicates a high rate UDP DoS attack. 8
High Rate ICMP DoS Indicates a high rate ICMP DoS attack. 8
High Rate DoS Indicates a high rate DoS attack. 8
Medium Rate TCP DoS Indicates a medium rate TCP attack. 8
Medium Rate UDP DoS Indicates a medium rate UDP attack. 8
Medium Rate ICMP DoS Indicates a medium rate ICMP attack. 8
Medium Rate DoS Indicates a medium rate DoS attack. 8

DoS 237
Table C-3 DoS Categories (continued)

Medium Rate DoS Indicates a medium rate DoS attack. 8
Low Rate TCP DoS Indicates a low rate TCP DoS attack. 8
Low Rate UDP DoS Indicates a low rate UDP DoS attack. 8
Low Rate ICMP DoS Indicates a low rate ICMP DoS attack. 8
Low Rate DoS Indicates a low rate DoS attack. 8
Distributed High Rate TCP Indicates a distributed high rate TCP 8
DoS DoS attack.
Distributed High Rate UDP Indicates a distributed high rate UDP 8
DoS DoS attack.
Distributed High Rate Indicates a distributed high rate ICMP 8
ICMP DoS DoS attack.
Distributed High Rate DoS Indicates a distributed high rate DoS 8
attack.
Distributed Medium Rate Indicates a distributed medium rate 8
TCP DoS TCP DoS attack.
UDP DoS UDP DoS attack.
ICMP DoS ICMP DoS attack.
DoS DoS attack.
Distributed Low Rate TCP Indicates a distributed low rate TCP 8
DoS DoS attack.
Distributed Low Rate UDP Indicates a distributed low rate UDP 8
DoS DoS attack.
Distributed Low Rate ICMP Indicates a distributed low rate ICMP 8
DoS DoS attack.
Distributed Low Rate DoS Indicates a distributed low rate DoS 8
attack.
High Rate TCP Scan Indicates a high rate TCP scan. 8
High Rate UDP Scan Indicates a high rate UDP scan. 8
High Rate ICMP Scan Indicates a high rate ICMP scan. 8
High Rate Scan Indicates a high rate scan. 8
Medium Rate TCP Scan Indicates a medium rate TCP scan. 8
Medium Rate UDP Scan Indicates a medium rate UDP scan. 8
Medium Rate ICMP Scan Indicates a medium rate ICMP scan. 8
Medium Rate Scan Indicates a medium rate scan. 8
Low Rate TCP Scan Indicates a low rate TCP scan. 8
Low Rate UDP Scan Indicates a low rate UDP scan. 8

238
Table C-3 DoS Categories (continued)

Low Rate ICMP Scan Indicates a low rate ICMP scan. 8
Low Rate Scan Indicates a low rate scan. 8
VoIP DoS Indicates a VoIP DoS attack. 8
Flood Indicates a Flood attack. 8
TCP Flood Indicates a TCP flood attack. 8
UDP Flood Indicates a UDP flood attack. 8
ICMP Flood Indicates a ICMP flood attack. 8
SYN Flood Indicates a SYN flood attack. 8
URG Flood Indicates a flood attack with the urgent 8
(URG) flag on.
SYN URG Flood Indicates a SYN flood attack with the 8
urgent (URG) flag on.
SYN FIN Flood Indicates a SYN FIN flood attack. 8
SYN ACK Flood Indicates a SYN ACK flood attack. 8
Authentication The authentication category indicates events relating to authentication, sessions

and access controls to monitor users on the network. The associated low-level
event categories include:
Table C-4 Authentication Categories

Unknown Authentication Indicates unknown authentication. 1
Host Login Succeeded Indicates a successful host login. 1
Host Login Failed Indicates the host login has failed. 3
Misc Login Succeeded Indicates that the login sequence 1
succeeded.
Misc Login Failed Indicates that login sequence failed. 3
Privilege Escalation Failed Indicates that the privileged escalation 3
failed.
Privilege Escalation Indicates that the privilege escalation 1
Succeeded succeeded.
Mail Service Login Indicates that the mail service login 1
Mail Service Login Failed Indicates that the mail service login 3
failed.
Auth Server Login Failed Indicates that the authentication server 3
login failed.

Authentication 239
Table C-4 Authentication Categories (continued)

Auth Server Login Indicates that the authentication server 1
Succeeded login succeeded.
Web Service Login Indicates that the web service login 1
Web Service Login Failed Indicates that the web service login 3
failed.
Admin Login Successful Indicates an administrative login has 1
been successful.
Admin Login Failure Indicates the administrative login failed. 3
Suspicious Username Indicates that a user attempted to 4
access the network using an incorrect
user name.
Login with username/ Indicates that a user accessed the 4
password defaults network using the default user name
successful and password.
Login with username/ Indicates that a user has been 4
password defaults failed unsuccessful accessing the network
using the default user name and
password.
FTP Login Succeeded Indicates that the FTP login has been 1
successful.
FTP Login Failed Indicates that the FTP login failed. 3
SSH Login Succeeded Indicates that the SSH login has been 1
successful.
SSH Login Failed Indicates that the SSH login failed. 2
User Right Assigned Indicates that user access to network 1
resources has been successfully
granted.
User Right Removed Indicates that user access to network 1
resources has been successfully
removed.
Trusted Domain Added Indicates that a trusted domain has 1
been successfully added to your
deployment.
Trusted Domain Removed Indicates that a trusted domain has 1
been removed from your deployment.
System Security Access Indicates that system security access 1
Granted has been successfully granted.
System Security Access Indicates that system security access 1
Removed has been successfully removed.
Policy Added Indicates that a policy has been 1
successfully added.

240

Policy Change Indicates that a policy has been 1
successfully changed.
User Account Added Indicates that a user account has been 1
successfully added.
User Account Changed Indicates a change to an existing user 1
account.
Password Change Failed Indicates that an attempt to change an 3
existing password failed.
Password Change Indicates that a password change has 1
Succeeded been successful.
User Account Removed Indicates that a user account has been 1
successfully removed.
Group Member Added Indicates that a group member has 1
been successfully added.
Group Member Removed Indicates that a group member has 1
been removed.
Group Added Indicates that a group has been 1
successfully added.
Group Changed Indicates a change to an existing 1
group.
Group Removed Indicates a group has been removed. 1
Computer Account Added Indicates a computer account has been 1
successfully added.
Computer Account Indicates a change to an existing 1
Changed computer account.
Computer Account Indicates a computer account has been 1
Removed successfully removed.
Remote Access Login Indicates that access to the network 1
Succeeded using a remote login has been
successful.
Remote Access Login Indicates that an attempt to access the 3
Failed network using a remote login failed.
General Authentication Indicates that the authentication 1
Successful processes has been successful.
General Authentication Indicates that the authentication 3
Failed process failed.
Telnet Login Succeeded Indicates that the telnet login has been 1
successful.
Telnet Login Failed Indicates that the telnet login failed. 3
Suspicious Password Indicates that a user attempted to login 4
using a suspicious password.

Authentication 241

Samba Login Successful Indicates a user successfully logged in 1
using Samba.
Samba Login Failed Indicates user login failed using 3
Samba.
Auth Server Session Indicates that a communication session 1
Opened with the authentication server has been
started.
Auth Server Session Indicates that a communication session 1
Closed with the authentication server has been
closed.
Firewall Session Closed Indicates that a firewall session has 1
been closed.
Host Logout Indicates that a host successfully 1
logged out.
Misc Logout Indicates that a user successfully 1
logged out.
Auth Server Logout Indicates that the process to log out of 1
the authentication server has been
successful.
Web Service Logout Indicates that the process to log out of 1
the web service has been successful.
Admin Logout Indicates that the administrative user 1
successfully logged out.
FTP Logout Indicates that the process to log out of 1
the FTP service has been successful.
SSH Logout Indicates that the process to log out of 1
the SSH session has been successful.
Remote Access Logout Indicates that the process to log out 1
using remote access has been
successful.
Telnet Logout Indicates that the process to log out of 1
the Telnet session has been
successful.
Samba Logout Indicates that the process to log out of 1
Samba has been successful.
SSH Session Started Indicates that the SSH login session 1
has been initiated on a host.
SSH Session Finished Indicates the termination of an SSH 1
login session on a host.
Admin Session Started Indicates that a login session has been 1
initiated on a host by an administrative
or privileged user.

242

Admin Session Finished Indicates the termination of an 1
administrator or privileged users login
session on a host.
VoIP Login Succeeded Indicates a successful VoIP service 1
login
VoIP Login Failed Indicates an unsuccessful attempt to 1
access VoIP service.
VoIP Logout Indicates a user logout, 1
VoIP Session Initiated Indicates the beginning of a VoIP 1
session.
VoIP Session Terminated Indicates the end of a VoIP session. 1
Database Login Indicates a successful database login. 1
Succeeded
Database Login Failure Indicates a database login attempt 3
failed.
IKE Authentication Failed Indicates a failed Internet Key 3
Exchange (IKE) authentication has
been detected.
IKE Authentication Indicates a successful IKE 1
Succeeded authentication has been detected.
IKE Session Started Indicates an IKE session started. 1
IKE Session Ended Indicates an IKE session ended. 1
IKE Error Indicates an IKE error message. 1
IKE Status Indicates IKE status message. 1
RADIUS Session Started Indicates a RADIUS session started. 1
RADIUS Session Ended Indicates a RADIUS session ended. 1
RADIUS Session Denied Indicates a RADIUS session has been 1
denied.
RADIUS Session Status Indicates a RADIUS session status 1
message.
RADIUS Authentication Indicates a RADIUS authentication 3
Failed failure.
RADIUS Authentication Indicates a RADIUS authentication 1
Successful succeeded.
TACACS Session Started Indicates a TACACS session started. 1
TACACS Session Ended Indicates a TACACS session ended. 1
TACACS Session Denied Indicates a TACACS session has been 1
denied.
TACACS Session Status Indicates a TACACS session status 1
message.

Authentication 243

TACACS Authentication Indicates a TACACS authentication 1
Successful succeeded.
TACACS Authentication Indicates a TACACS authentication 1
Failed failure.
Deauthenticating Host Indicates that the deauthentication of a 1
Succeeded host has been successful.
Deauthenticating Host Indicates that the deauthentication of a 3
Failed host failed.
Station Authentication Indicates that the station authentication 1
Succeeded has been successful.
Station Authentication Indicates that the station authentication 3
Failed of a host failed.
Station Association Indicates that the station association 1
Station Association Failed Indicates that the station association 3
failed.
Station Reassociation Indicates that the station reassociation 1
Station Reassociation Indicates that the station association 3
Failed failed.
Disassociating Host Indicates that the disassociating a host 1
Disassociating Host Failed Indicates that the disassociating a host 3
failed.
SA Error Indicates a Security Association (SA) 5
error message.
SA Creation Failure Indicates a Security Association (SA) 3
creation failure.
SA Established Indicates that a Security Association 1
(SA) connection established.
SA Rejected Indicates that a Security Association 3
(SA) connection rejected.
Deleting SA Indicates the deletion of a Security 1
Association (SA).
Creating SA Indicates the creation of a Security 1
Association (SA).
Certificate Mismatch Indicates a certificate mismatch. 3
Credentials Mismatch Indicates a credentials mismatch. 3
Admin Login Attempt Indicates an admin login attempt. 2
User Login Attempt Indicates a user login attempt. 2
User Login Successful Indicates a successful user login. 1

244

User Login Failure Indicates a failed user login. 3
Access The access category indicates authentication and access controls for monitoring
network events. The associated low-level event categories include:
Table C-5 Access Categories

Unknown Network Indicates an unknown network 3
Communication Event communication event.
Firewall Permit Indicates access to the firewall has 0
been permitted.
Firewall Deny Indicates access to the firewall has 4
been denied.
Flow Context Response Indicates events from the Classification 5
Engine in response to a SIM request.
Misc Network Indicates a miscellaneous 3
Communication Event communications event.
IPS Deny Indicates Intrusion Prevention Systems 4
(IPS) denied traffic.
Firewall Session Opened Indicates the firewall session has been 0
opened.
Firewall Session Closed Indicates the firewall session has been 0
closed.
Dynamic Address Indicates that dynamic address 0
Translation Successful translation has been successful.
No Translation Group Indicates that no translation group has 2
Found been found.
Misc Authorization Indicates that access has been granted 2
to a miscellaneous authentication
server.
ACL Permit Indicates that an Access Control List 0
(ACL) permitted access.
ACL Deny Indicates that an Access Control List 4
(ACL) denied access.
Access Permitted Indicates that access has been 0
permitted.
Access Denied Indicates that access has been denied. 4
Session Opened Indicates that a session has been 1
opened.

Access 245
Table C-5 Access Categories (continued)

Session Closed Indicates that a session has been 1
closed.
Session Reset Indicates that a session has been 3
reset.
Session Terminated Indicates that a session has been 4
terminated.
Session Denied Indicates that a session has been 5
denied.
Session in Progress Indicates that a session is currently in 1
progress.
Session Delayed Indicates that a session has been 3
delayed.
Session Queued Indicates that a session has been 1
queued.
Session Inbound Indicates that a session is inbound. 1
Session Outbound Indicates that a session is outbound. 1
Unauthorized Access Indicates that an unauthorized access 6
Attempt attempt has been detected.
Misc Application Action Indicates that an application action has 1
Allowed been permitted.
Misc Application Action Indicates that an application action has 3
Denied been denied.
Database Action Allowed Indicates that a database action has 1
been permitted.
Database Action Denied Indicates that a database action has 3
been denied.
FTP Action Allowed Indicates that a FTP action has been 1
permitted.
FTP Action Denied Indicates that a FTP action has been 3
denied.
Object Cached Indicates an object cached. 1
Object Not Cached Indicates an object not cached. 1
Rate Limiting Indicates that the network is rate 4
limiting traffic.
No Rate Limiting Indicates that the network is not rate 0
limiting traffic.

246
Exploit The exploit category indicates events where a communication or access has
occurred. The associated low-level event categories include:
Table C-6 Exploit Categories

Unknown Exploit Attack Indicates an unknown exploit attack. 9
Buffer Overflow Indicates a buffer overflow. 9
DNS Exploit Indicates a DNS exploit. 9
Telnet Exploit Indicates a Telnet exploit. 9
Linux Exploit Indicates a Linux® exploit. 9
Unix Exploit Indicates a Unix exploit. 9
Windows Exploit Indicates a Windows exploit. 9
Mail Exploit Indicates a mail server exploit. 9
Infrastructure Exploit Indicates an infrastructure exploit. 9
Misc Exploit Indicates a miscellaneous exploit. 9
Web Exploit Indicates a web exploit. 9
Session Hijack Indicates a session in your network has 9
been interceded.
Worm Active Indicates an active worm. 10
Password Guess/Retrieve Indicates that a user has requested 9
access to their password information
from the database.
FTP Exploit Indicates an FTP exploit. 9
RPC Exploit Indicates an RPC exploit. 9
SNMP Exploit Indicates an SNMP exploit. 9
NOOP Exploit Indicates an NOOP exploit. 9
Samba Exploit Indicates an Samba exploit. 9
Database Exploit Indicates a database exploit. 9
SSH Exploit Indicates an SSH exploit. 9
ICMP Exploit Indicates an ICMP exploit. 9
UDP Exploit Indicates a UDP exploit. 9
Browser Exploit Indicates an exploit on your browser. 9
DHCP Exploit Indicates a DHCP exploit 9
Remote Access Exploit Indicates a remote access exploit 9
ActiveX Exploit Indicates an exploit through an ActiveX 9
application.
SQL Injection Indicates that an SQL injection has 9
occurred.

Malware 247
Table C-6 Exploit Categories (continued)

Cross-Site Scripting Indicates a cross-site scripting 9
vulnerability.
Format String Vulnerability Indicates a format string vulnerability. 9
Input Validation Exploit Indicates that an input validation exploit 9
attempt has been detected.
Remote Code Execution Indicates that a remote code execution 9
attempt has been detected.
Memory Corruption Indicates that a memory corruption 9
exploit has been detected.
Command Execution Indicates that a remote command 9
execution attempt has been detected.
Malware The malicious software (malware) category indicates events relating to application
exploits and buffer overflow attempts. The associated low-level event categories
include:
Table C-7 Malware Categories

Unknown Malware Indicates an unknown virus. 4
Backdoor Detected Indicates that a backdoor to the system 9
has been detected.
Hostile Mail Attachment Indicates a hostile mail attachment. 6
Malicious Software Indicates a virus. 6
Hostile Software Download Indicates a hostile software download 6
to your network.
Virus Detected Indicates a virus has been detected. 8
Misc Malware Indicates miscellaneous malicious 4
software
Trojan Detected Indicates a trojan has been detected. 7
Spyware Detected Indicates spyware has been detected 6
on your system.
Content Scan Indicates that an attempted scan of 3
your content has been detected.
Content Scan Failed Indicates that a scan of your content 8
has failed.
Content Scan Successful Indicates that a scan of your content 3
has been successful.
Content Scan in Progress Indicates that a scan of your content is 3
currently in progress.

248
Table C-7 Malware Categories (continued)

Keylogger Indicates that a key logger has been 7
detected.
Adware Detected Indicates that Ad-Ware has been 4
detected.
Suspicious Activity The suspicious activity category indicates events relating to viruses, trojans, back
door attacks, and other forms of hostile software. The associated low-level event
categories include:
Table C-8 Suspicious Categories

Unknown Suspicious Indicates an unknown suspicious 3
Event event.
Suspicious Pattern Indicates a suspicious pattern has 3
Detected been detected.
Content Modified By Indicates that content has been 3
Firewall modified by the firewall.
Invalid Command or Data Indicates an invalid command or data. 3
Suspicious Packet Indicates a suspicious packet. 3
Suspicious Activity Indicates suspicious activity. 3
Suspicious File Name Indicates a suspicious file name. 3
Suspicious Port Activity Indicates suspicious port activity. 3
Suspicious Routing Indicates suspicious routing. 3
Potential Web Vulnerability Indicates potential web vulnerability. 3
Unknown Evasion Event Indicates an unknown evasion event. 5
IP Spoof Indicates an IP spoof. 5
IP Fragmentation Indicates IP fragmentation. 3
Overlapping IP Fragments Indicates overlapping IP fragments. 5
IDS Evasion Indicates an IDS evasion. 5
DNS Protocol Anomaly Indicates a DNS protocol anomaly. 3
FTP Protocol Anomaly Indicates an FTP protocol anomaly. 3
Mail Protocol Anomaly Indicates a mail protocol anomaly. 3
Routing Protocol Anomaly Indicates a routing protocol anomaly. 3
Web Protocol Anomaly Indicates a web protocol anomaly. 3
SQL Protocol Anomaly Indicates an SQL protocol anomaly. 3

Suspicious Activity 249
Table C-8 Suspicious Categories (continued)

Executable Code Detected Indicates that an executable code has 5
been detected.
Misc Suspicious Event Indicates a miscellaneous suspicious 3
event.
Information Leak Indicates an information leak. 1
Potential Mail Vulnerability Indicates a potential vulnerability in the 4
mail server.
Potential Version Indicates a potential vulnerability in the 4
Vulnerability QRadar Network Anomaly Detection
version.
Potential FTP Vulnerability Indicates a potential FTP vulnerability. 4
Potential SSH Vulnerability Indicates a potential SSH vulnerability. 4
Potential DNS Vulnerability Indicates a potential vulnerability in the 4
DNS server.
Potential SMB Vulnerability Indicates a potential SMB (Samba) 4
vulnerability.
Potential Database Indicates a potential vulnerability in the 4
Vulnerability database.
IP Protocol Anomaly Indicates a potential IP protocol 3
anomaly
Suspicious IP Address Indicates a suspicious IP address has 2
been detected.
Invalid IP Protocol Usage Indicates an invalid IP protocol. 2
Invalid Protocol Indicates an invalid protocol. 4
Suspicious Window Events Indicates a suspicious event with a 2
screen on your desktop.
Suspicious ICMP Activity Indicates suspicious ICMP activity. 2
Potential NFS Vulnerability Indicates a potential Network File 4
System (NFS) vulnerability.
Potential NNTP Indicates a potential Network News 4
Vulnerability Transfer Protocol (NNTP) vulnerability.
Potential RPC Vulnerability Indicates a potential RPC vulnerability. 4
Potential Telnet Indicates a potential Telnet vulnerability 4
Vulnerability on your system.
Potential SNMP Indicates a potential SNMP 4
Vulnerability vulnerability.
Illegal TCP Flag Indicates an invalid TCP flag 5
Combination combination has been detected.
Suspicious TCP Flag Indicates a potentially invalid TCP flag 4
Combination combination has been detected.

250

Illegal ICMP Protocol Indicates an invalid use of the ICMP 5
Usage protocol has been detected.
Suspicious ICMP Protocol Indicates a potentially invalid use of the 4
Usage ICMP protocol has been detected.
Illegal ICMP Type Indicates an invalid ICMP type has 5
been detected.
Illegal ICMP Code Indicates an invalid ICMP code has 5
been detected.
Suspicious ICMP Type Indicates a potentially invalid ICMP 4
type has been detected.
Suspicious ICMP Code Indicates a potentially invalid ICMP 4
code has been detected.
TCP port 0 Indicates a TCP packet using a 4
reserved port (0) for source or
destination.
UDP port 0 Indicates a UDP packets using a 4
reserved port (0) for source or
destination.
Hostile IP Indicates the use of a known hostile IP 4
address.
Watch list IP Indicates the use of an IP address from 4
a watch list of IP addresses.
Known offender IP Indicates the use of an IP address of a 4
known offender.
RFC 1918 (private) IP Indicates the use of an IP address from 4
a private IP address range.
Potential VoIP Vulnerability Indicates a potential VoIP vulnerability. 4
Blacklist Address Indicates that an IP address is on the 8
black list.
Watchlist Address Indicates that the IP address is on the 7
list of IP addresses being monitored.
Darknet Address Indicates that the IP address is part of a 5
darknet.
Botnet Address Indicates that the address is part of a 7
botnet.
Suspicious Address Indicates that the IP address should be 5
monitored.
Bad Content Indicates bad content has been 7
detected.
Invalid Cert Indicates an invalid certificate has been 7
detected.

System 251

User Activity Indicates that user activity has been 7
detected.
Suspicious Protocol Usage Indicates suspicious protocol usage 5
has been detected.
Suspicious BGP Activity Indicates that suspicious Border 5
Gateway Protocol (BGP) usage has
been detected.
Route Poisoning Indicates that route corruption has 5
been detected.
ARP Poisoning Indicates that ARP-cache poisoning 5
has been detected.
Rogue Device Detected Indicates a rogue device has been 5
detected.
System The system category indicates events relating to system changes, software
installation, or status messages. The associated low-level event categories
include:
Table C-9 System Categories

Unknown System Event Indicates an unknown system event. 1
System Boot Indicates a system boot. 1
System Configuration Indicates a change in the system 1
configuration.
System Halt Indicates the system has been halted. 1
System Failure Indicates a system failure. 6
System Status Indicates any information event. 1
System Error Indicates a system error. 3
Misc System Event Indicates a miscellaneous system 1
event.
Service Started Indicates system services have started. 1
Service Stopped Indicates system services have 1
stopped.
Service Failure Indicates a system failure. 6
Successful Registry Indicates that a modification to the 1
Modification registry has been successful.
Successful Host-Policy Indicates that a modification to the host 1
Modification policy has been successful.

252
Table C-9 System Categories (continued)

Successful File Indicates that a modification to a file 1
Modification has been successful.
Successful Stack Indicates that a modification to the 1
Modification stack has been successful.
Successful Application Indicates that a modification to the 1
Modification application has been successful.
Successful Configuration Indicates that a modification to the 1
Modification configuration has been successful.
Successful Service Indicates that a modification to a 1
Modification service has been successful.
Failed Registry Indicates that a modification to the 1
Modification registry has failed.
Failed Host-Policy Indicates that a modification to the host 1
Modification policy has failed.
Failed File Modification Indicates that a modification to a file 1
has failed.
Failed Stack Modification Indicates that a modification to the 1
stack has failed.
Failed Application Indicates that a modification to an 1
Modification application has failed.
Failed Configuration Indicates that a modification to the 1
Modification configuration has failed.
Failed Service Modification Indicates that a modification to the 1
service has failed.
Registry Addition Indicates that an new item has been 1
added to the registry.
Host-Policy Created Indicates that a new entry has been 1
added to the registry.
File Created Indicates that a new has been created 1
in the system.
Application Installed Indicates that a new application has 1
been installed on the system.
Service Installed Indicates that a new service has been 1
installed on the system.
Registry Deletion Indicates that a registry entry has been 1
deleted.
Host-Policy Deleted Indicates that a host policy entry has 1
been deleted.
File Deleted Indicates that a file has been deleted. 1
Application Uninstalled Indicates that an application has been 1
uninstalled.

System 253

Service Uninstalled Indicates that a service has been 1
uninstalled.
System Informational Indicates system information. 3
System Action Allow Indicates that an attempted action on 3
the system has been authorized.
System Action Deny Indicates that an attempted action on 4
the system has been denied.
Cron Indicates a crontab message. 1
Cron Status Indicates a crontab status message. 1
Cron Failed Indicates a crontab failure message. 4
Cron Successful Indicates a crontab success message. 1
Daemon Indicates a daemon message. 1
Daemon Status Indicates a daemon status message. 1
Daemon Failed Indicates a daemon failure message. 4
Daemon Successful Indicates a daemon success message. 1
Kernel Indicates a kernel message. 1
Kernel Status Indicates a kernel status message. 1
Kernel Failed Indicates a kernel failure message.
Kernel Successful Indicates a kernel successful message. 1
Authentication Indicates an authentication message. 1
Information Indicates an informational message. 2
Notice Indicates a notice message. 3
Warning Indicates a warning message. 5
Error Indicates an error message. 7
Critical Indicates a critical message. 9
Debug Indicates a debug message. 1
Messages Indicates a generic message. 1
Privilege Access Indicates that privilege access has 3
been attempted.
Alert Indicates an alert message. 9
Emergency Indicates an emergency message. 9
SNMP Status Indicates an SNMP status message. 1
FTP Status Indicates an FTP status message. 1
NTP Status Indicates an NTP status message. 1
Access Point Radio Failure Indicates an access point radio failure. 3

254

Encryption Protocol Indicates an encryption protocol 3
Configuration Mismatch configuration mismatch.
Client Device or Indicates a client device or 5
Authentication Server authentication server has been not
Misconfigured configured properly.
Hot Standby Enable Failed Indicates a hot standby enable failure. 5
Hot Standby Disable Indicates a hot standby disable failure. 5
Failed
Hot Standby Enabled Indicates hot standby has been 1
Successfully enabled successfully.
Hot Standby Association Indicates a hot standby association has 5
Lost been lost.
MainMode Initiation Failure Indicates MainMode initiation failure. 5
MainMode Initiation Indicates that the MainMode initiation 1
MainMode Status Indicates a MainMode status message 1
has been reported.
QuickMode Initiation Indicates that the QuickMode initiation 5
Failure failed.
Quickmode Initiation Indicates that the QuickMode initiation 1
Quickmode Status Indicates a QuickMode status message 1
has been reported.
Invalid License Indicates an invalid license. 3
License Expired Indicates an expired license. 3
New License Applied Indicates a new license applied. 1
License Error Indicates a license error. 5
License Status Indicates a license status message. 1
Configuration Error Indicates that a configuration error has 5
been detected.
Service Disruption Indicates that a service disruption has 5
been detected.
License Exceeded Indicates that the license capabilities 3
have been exceeded.
Performance Status Indicates that the performance status 1
has been reported.
Performance Degradation Indicates that the performance is being 4
degraded.
Misconfiguration Indicates that a incorrect configuration 5
has been detected.

Policy 255
Policy The policy category indicates events relating to administration of network policy
and the monitoring network resources for policy violations. The associated
low-level event categories include:
Table C-10 Policy Categories

Unknown Policy Violation Indicates an unknown policy violation. 2
Web Policy Violation Indicates a web policy violation. 2
Remote Access Policy Indicates a remote access policy 2
Violation violation.
IRC/IM Policy Violation Indicates an instant messenger policy 2
violation.
P2P Policy Violation Indicates a Peer-to-Peer (P2P) policy 2
violation.
IP Access Policy Violation Indicates an IP access policy violation. 2
Application Policy Violation Indicates an application policy violation. 2
Database Policy Violation Indicates a database policy violation. 2
Network Threshold Policy Indicates a network threshold policy 2
Violation violation.
Porn Policy Violation Indicates a porn policy violation. 2
Games Policy Violation Indicates a games policy violation. 2
Misc Policy Violation Indicates a miscellaneous policy 2
violation.
Compliance Policy Indicates a compliance policy violation. 2
Violation
Mail Policy Violation Indicates a mail policy violation. 2
IRC Policy Violation Indicates an IRC policy violation 2
IM Policy Violation Indicates a policy violation related to 2
instant messaging (IM) activities.
VoIP Policy Violation Indicates a VoIP policy violation 2
Succeeded Indicates a policy successful message. 1
Failed Indicates a policy failure message. 4
CRE The CRE category indicates events generated from a custom offense, flow or
event rule. The associated low-level event categories include:
Table C-11 CRE Category

Unknown CRE Event Indicates an unknown custom rules 5
engine event.

256
Table C-11 CRE Category (continued)

Single Event Rule Match Indicates a single event rule match. 5
Event Sequence Rule Indicates an event sequence rule 5
Match match.
Cross-Offense Event Indicates a cross-offense event 5
Sequence Rule Match sequence rule match.
Offense Rule Match Indicates an offense rule match. 5
Potential Exploit The Potential Exploit category indicates events relating to potential application
exploits and buffer overflow attempts. The associated low-level event categories
include:
Table C-12 Potential Exploit Category

Unknown Potential Exploit Indicates a potential exploitative attack 7
Attack has been detected.
Potential Buffer Overflow Indicates a potential buffer overflow 7
has been detected.
Potential DNS Exploit Indicates a potentially exploitative 7
attack through the DNS server has
been detected.
Potential Telnet Exploit Indicates a potentially exploitative 7
attack through Telnet has been
detected.
Potential Linux Exploit Indicates a potentially exploitative 7
attack through Linux has been
detected.
Potential Unix Exploit Indicates a potentially exploitative 7
attack through Unix has been detected.
Potential Windows Exploit Indicates a potentially exploitative 7
attack through Windows has been
detected.
Potential Mail Exploit Indicates a potentially exploitative 7
attack through mail has been detected.
Potential Infrastructure Indicates a potential exploitative attack 7
Exploit on the system infrastructure has been
detected.
Potential Misc Exploit Indicates a potentially exploitative 7
attack has been detected.

SIM Audit 257
Table C-12 Potential Exploit Category (continued)

Potential Web Exploit Indicates a potentially exploitative 7
attack through the web has been
detected.
Potential Botnet Indicates a potentially exploitative 6
connection attack using Botnet has been detected.
Potential worm activity Indicates a potentially exploitive attack 6
using worm activity has been detected.
SIM Audit The SIM Audit events category indicates events related to user interaction with the
Console and administrative functionality. User login and configuration changes will
generate events that are sent to the Event Collector, which correlates with other
security events from the network. The associated low-level event categories
include:
Table C-13 SIM Audit Event Category

SIM User Authentication Indicates a user login or logout on the 5
Console.
SIM Configuration Change Indicates that a user has made a 3
change to the SIM configuration or
deployment.
SIM User Action Indicates that a user has initiated a 3
process in the SIM module. This may
include starting a backup process or
generated a report.
Session Created Indicates a user session has been 3
created.
Session Destroyed Indicates a user session has been 3
destroyed.
Admin Session Created Indicates an admin session has been
created.
Admin Session Destroyed Indicates an admin session has been 3
destroyed.
Session Authentication Indicates an invalid session 5
Invalid authentication.
Session Authentication Indicates a session authentication 3
Expired expired.

258
VIS Host Discovery When the VIS component discovers and stores new hosts, ports, or vulnerabilities
detected on the network, the VIS component generates events. These events are
sent to the Event Collector to be correlated with other security events.
The associated low-level event categories include:

Table C-14 VIS Host Discovery Category

New Host Discovered Indicates that the VIS component has 3
detected a new host.
New Port Discovered Indicates that the VIS component has 3
detected a new open port.
New Vuln Discovered Indicates that the VIS component has 3
detected a new vulnerability.
New OS Discovered Indicates that the VIS component has 3
detected a new operating system on a
host.
Bulk Host Discovered Indicates that the VIS component has 3
detected many new hosts in a short
period of time.
Application The Application category indicates events relating to application activity, such as
email or FTP activity. The associated low-level event categories include:
Table C-15 Application Category

Mail Opened Indicates that an email connection has 1
been established.
Mail Closed Indicates that an email connection has 1
been closed.
Mail Reset Indicates that an email connection has 3
been reset.
Mail Terminated Indicates that an email connection has 4
been terminated.
Mail Denied Indicates that an email connection has 4
been denied.
Mail in Progress Indicates that an email connection is 1
being attempted.
Mail Delayed Indicates that an email connection has 4
been delayed.
Mail Queued Indicates that an email connection has 3
been queued.

Application 259
Table C-15 Application Category (continued)

Mail Redirected Indicates that an email connection has 1
been redirected.
FTP Opened Indicates that an FTP connection has 1
been opened.
FTP Closed Indicates that an FTP connection has 1
been closed.
FTP Reset Indicates that an FTP connection has 3
been reset.
FTP Terminated Indicates that an FTP connection has 4
been terminated.
FTP Denied Indicates that an FTP connection has 4
been denied.
FTP In Progress Indicates that an FTP connection is 1
FTP Redirected Indicates that an FTP connection has 3
been redirected.
HTTP Opened Indicates that an HTTP connection has 1
been established.
HTTP Closed Indicates that an HTTP connection has 1
been closed.
HTTP Reset Indicates that an HTTP connection has 3
been reset.
HTTP Terminated Indicates that an HTTP connection has 4
been terminated.
HTTP Denied Indicates that an HTTP connection has 4
been denied.
HTTP In Progress Indicates that an HTTP connection is 1
HTTP Delayed Indicates that an HTTP connection has 3
been delayed.
HTTP Queued Indicates that an HTTP connection has 1
been queued.
HTTP Redirected Indicates that an HTTP connection has 1
been redirected.
HTTP Proxy Indicates that an HTTP connection is 1
being proxied.
HTTPS Opened Indicates that an HTTPS connection 1
has been established.
HTTPS Closed Indicates that an HTTPS connection 1
has been closed.

260

HTTPS Reset Indicates that an HTTPS connection 3
has been reset.
HTTPS Terminated Indicates that an HTTPS connection 4
has been terminated.
HTTPS Denied Indicates that an HTTPS connection 4
has been denied.
HTTPS In Progress Indicates that an HTTPS connection is 1
HTTPS Delayed Indicates that an HTTPS connection 3
has been delayed.
HTTPS Queued Indicates that an HTTPS connection 3
has been queued.
HTTPS Redirected Indicates that an HTTPS connection 3
has been redirected.
HTTPS Proxy Indicates that an HTTPS connection is 1
proxied.
SSH Opened Indicates than an SSH connection has 1
been established.
SSH Closed Indicates that an SSH connection has 1
been closed.
SSH Reset Indicates that an SSH connection has 3
been reset.
SSH Terminated Indicates that an SSH connection has 4
been terminated.
SSH Denied Indicates that an SSH session has 4
been denied.
SSH In Progress Indicates that an SSH session is 1
RemoteAccess Opened Indicates that a remote access 1
connection has been established.
RemoteAccess Closed Indicates that a remote access 1
connection has been closed.
RemoteAccess Reset Indicates that a remote access 3
connection has been reset.
RemoteAccess Indicates that a remote access 4
Terminated connection has been terminated.
RemoteAccess Denied Indicates that a remote access 4
connection has been denied.
RemoteAccess In Indicates that a remote access 1
Progress connection is currently in progress.

Application 261

RemoteAccess Delayed Indicates that a remote access 3
connection has been delayed.
RemoteAccess Redirected Indicates that a remote access 3
connection has been redirected.
VPN Opened Indicates that a VPN connection has 1
been opened.
VPN Closed Indicates that a VPN connection has 1
been closed.
VPN Reset Indicates that a VPN connection has 3
been reset.
VPN Terminated Indicates that a VPN connection has 4
been terminated.
VPN Denied Indicates that a VPN connection has 4
been denied.
VPN In Progress Indicates that a VPN connection is 1
VPN Delayed Indicates that a VPN connection has 3
been delayed
VPN Queued Indicates that a VPN connection has 3
been queued.
VPN Redirected Indicates that a VPN connection has 3
been redirected.
RDP Opened Indicates that an RDP connection has 1
been established.
RDP Closed Indicates that an RDP connection has 1
been closed.
RDP Reset Indicates that an RDP connection has 3
been reset.
RDP Terminated Indicates that an RDP connection has 4
been terminated.
RDP Denied Indicates that an RDP connection has 4
been denied.
RDP In Progress Indicates that an RDP connection is 1
RDP Redirected Indicates that an RDP connection has 3
been redirected.
FileTransfer Opened Indicates that a file transfer connection 1
FileTransfer Closed Indicates that a file transfer connection 1
has been closed.

262

FileTransfer Reset Indicates that a file transfer connection 3
has been reset.
FileTransfer Terminated Indicates that a file transfer connection 4
FileTransfer Denied Indicates that a file transfer connection 4
has been denied.
FileTransfer In Progress Indicates that a file transfer connection 1
is currently in progress.
FileTransfer Delayed Indicates that a file transfer connection 3
has been delayed.
FileTransfer Queued Indicates that a file transfer connection 3
has been queued.
FileTransfer Redirected Indicates that a file transfer connection 3
DNS Opened Indicates that a DNS connection has 1
been established.
DNS Closed Indicates that a DNS connection has 1
been closed.
DNS Reset Indicates that a DNS connection has 5
been reset.
DNS Terminated Indicates that a DNS connection has 5
been terminated.
DNS Denied Indicates that a DNS connection has 5
been denied.
DNS In Progress Indicates that a DNS connection is 1
DNS Delayed Indicates that a DNS connection has 5
been delayed.
DNS Redirected Indicates that a DNS connection has 4
been redirected.
Chat Opened Indicates that a chat connection has 1
been opened.
Chat Closed Indicates that a chat connection has 1
been closed.
Chat Reset Indicates that a chat connection has 3
been reset.
Chat Terminated Indicates that a chat connection has 3
been terminated.
Chat Denied Indicates that a chat connection has 3
been denied.

Application 263

Chat In Progress Indicates that a chat connection is 1
Chat Redirected Indicates that a chat connection has 1
been redirected.
Database Opened Indicates that a database connection 1
Database Closed Indicates that a database connection 1
has been closed.
Database Reset Indicates that a database connection 5
has been reset.
Database Terminated Indicates that a database connection 5
Database Denied Indicates that a database connection 5
has been denied.
Database In Progress Indicates that a database connection is 1
Database Redirected Indicates that a database connection 3
SMTP Opened Indicates that an SMTP connection has 1
been established.
SMTP Closed Indicates that an SMTP connection has 1
been closed.
SMTP Reset Indicates that an SMTP connection has 3
been reset.
SMTP Terminated Indicates that an SMTP connection has 5
been terminated.
SMTP Denied Indicates that an SMTP connection has 5
been denied.
SMTP In Progress Indicates that an SMTP connection is 1
SMTP Delayed Indicates that an SMTP connection has 3
been delayed.
SMTP Queued Indicates that an SMTP connection has 3
been queued.
SMTP Redirected Indicates that an SMTP connection has 3
been redirected.
Auth Opened Indicates that an authorization server 1
Auth Closed Indicates that an authorization server 1
connection has been closed.

264

Auth Reset Indicates that an authorization server 3
connection has been reset.
Auth Terminated Indicates that an authorization server 4
connection has been terminated.
Auth Denied Indicates that an authorization server 4
connection has been denied.
Auth In Progress Indicates that an authorization server 1
connection is currently in progress.
Auth Delayed Indicates that an authorization server 3
connection has been delayed.
Auth Queued Indicates that an authorization server 3
connection has been queued.
Auth Redirected Indicates that an authorization server 2
connection has been redirected.
P2P Opened Indicates that a Peer-to-Peer (P2P) 1
P2P Closed Indicates that a P2P connection has 1
been closed.
P2P Reset Indicates that a P2P connection has 4
been reset.
P2P Terminated Indicates that a P2P connection has 4
been terminated.
P2P Denied Indicates that a P2P connection has 3
been denied.
P2P In Progress Indicates that a P2P connection is 1
Web Opened Indicates that a web connection has 1
been established.
Web Closed Indicates that a web connection has 1
been closed.
Web Reset Indicates that a web connection has 4
been reset.
Web Terminated Indicates that a web connection has 4
been terminated.
Web Denied Indicates that a web connection has 4
been denied.
Web In Progress Indicates that a web connection is 1
Web Delayed Indicates that a web connection has 3
been delayed.

Application 265

Web Queued Indicates that a web connection has 1
been queued.
Web Redirected Indicates that a web connection has 1
been redirected.
Web Proxy Indicates that a web connection has 1
been proxied.
VoIP Opened Indicates that a Voice Over IP (VoIP) 1
VoIP Closed Indicates that a VoIP connection has 1
been closed.
VoIP Reset Indicates that a VoIP connection has 3
been reset.
VoIP Terminated Indicates that a VoIP connection has 3
been terminated.
VoIP Denied Indicates that a VoIP connection has 3
been denied.
VoIP In Progress Indicates that a VoIP connection is 1
VoIP Delayed Indicates that a VoIP connection has 3
been delayed.
VoIP Redirected Indicates that a VoIP connection has 3
been redirected.
LDAP Session Started Indicates a LDAP session has started. 1
LDAP Session Ended Indicates a LDAP session has ended. 1
LDAP Session Denied Indicates a LDAP session has been 3
denied.
LDAP Session Status Indicates a LDAP session status 1
message has been reported.
LDAP Authentication Indicates a LDAP authentication has 4
Failed failed.
LDAP Authentication Indicates a LDAP authentication has 1
Succeeded been successful.
AAA Session Started Indicates that an Authentication, 1
Authorization and Accounting (AAA)
session has started.
AAA Session Ended Indicates that an AAA session has 1
ended.
AAA Session Denied Indicates that an AAA session has 3
been denied.
AAA Session Status Indicates that an AAA session status 1

266

AAA Authentication Failed Indicates that an AAA authentication 4
has failed.
AAA Authentication Indicates that an AAA authentication 1
IPSEC Authentication Indicates that an Internet Protocol 4
Failed Security (IPSEC) authentication has
failed.
IPSEC Authentication Indicates that an IPSEC authentication 1
IPSEC Session Started Indicates that an IPSEC session has 1
started.
IPSEC Session Ended Indicates that an IPSEC session has 1
ended.
IPSEC Error Indicates that an IPSEC error message 5
has been reported.
IPSEC Status Indicates that an IPSEC session status 1
IM Session Opened Indicates that an Instant Messenger 1
(IM) session has been established.
IM Session Closed Indicates that an IM session has been 1
closed.
IM Session Reset Indicates that an IM session has been 3
reset.
IM Session Terminated Indicates that an IM session has been 3
terminated.
IM Session Denied Indicates that an IM session has been 3
denied.
IM Session In Progress Indicates that an IM session is in 1
progress.
IM Session Delayed Indicates that an IM session has been 3
delayed
IM Session Redirected Indicates that an IM session has been 3
redirected.
WHOIS Session Opened Indicates that a WHOIS session has 1
been established.
WHOIS Session Closed Indicates that a WHOIS session has 1
been closed.
WHOIS Session Reset Indicates that a WHOIS session has 3
been reset.
WHOIS Session Indicates that a WHOIS session has 3
Terminated been terminated.

Application 267

WHOIS Session Denied Indicates that a WHOIS session has 3
been denied.
WHOIS Session In Indicates that a WHOIS session is in 1
Progress progress.
WHOIS Session Indicates that a WHOIS session has 3
Redirected been redirected.
Traceroute Session Indicates that a Traceroute session has 1
Opened been established.
Traceroute Session Closed Indicates that a Traceroute session has 1
been closed.
Traceroute Session Indicates that a Traceroute session has 3
Denied been denied.
Traceroute Session In Indicates that a Traceroute session is 1
Progress in progress.
TN3270 Session Opened TN3270 is a terminal emulation 1
program, which is used to connect to
an IBM 3270 terminal. This category
indicates that a TN3270 session has
been established.
TN3270 Session Closed Indicates that a TN3270 session has 1
been closed.
TN3270 Session Reset Indicates that a TN3270 session has 3
been reset.
TN3270 Session Indicates that a TN3270 session has 3
TN3270 Session Denied Indicates that a TN3270 session has 3
been denied.
TN3270 Session In Indicates that a TN3270 session is in 1
Progress progress.
TFTP Session Opened Indicates that a TFTP session has 1
been established.
TFTP Session Closed Indicates that a TFTP session has 1
been closed.
TFTP Session Reset Indicates that a TFTP session has 3
been reset.
TFTP Session Terminated Indicates that a TFTP session has 3
been terminated.
TFTP Session Denied Indicates that a TFTP session has 3
been denied.
TFTP Session In Progress Indicates that a TFTP session is in 1
progress.

268

Telnet Session Opened Indicates that a Telnet session has 1
been established.
Telnet Session Closed Indicates that a Telnet session has 1
been closed.
Telnet Session Reset Indicates that a Telnet session has 3
been reset.
Telnet Session Terminated Indicates that a Telnet session has 3
been terminated.
Telnet Session Denied Indicates that a Telnet session has 3
been denied.
Telnet Session In Progress Indicates that a Telnet session is in 1
progress.
Syslog Session Opened Indicates that a syslog session has 1
been established.
Syslog Session Closed Indicates that a syslog session has 1
been closed.
Syslog Session Denied Indicates that a syslog session has 3
been denied.
Syslog Session In Indicates that a syslog session is in 1
Progress progress.
SSL Session Opened Indicates that a Secure Socket Layer 1
(SSL) session has been established.
SSL Session Closed Indicates that an SSL session has been 1
closed.
SSL Session Reset Indicates that an SSL session has been 3
reset.
SSL Session Terminated Indicates that an SSL session has been 3
terminated.
SSL Session Denied Indicates that an SSL session has been 3
denied.
SSL Session In Progress Indicates that an SSL session is in 1
progress.
SNMP Session Opened Indicates that a Simple Network 1
Management Protocol (SNMP) session
SNMP Session Closed Indicates that an SNMP session has 1
been closed.
SNMP Session Denied Indicates that an SNMP session has 3
been denied.
SNMP Session In Indicates that an SNMP session is in 1
Progress progress.

Application 269

SMB Session Opened Indicates that a Server Message Block 1
(SMB) session has been established.
SMB Session Closed Indicates that an SMB session has 1
been closed.
SMB Session Reset Indicates that an SMB session has 3
been reset.
SMB Session Terminated Indicates that an SMB session has 3
been terminated.
SMB Session Denied Indicates that an SMB session has 3
been denied.
SMB Session In Progress Indicates that an SMB session is in 1
progress.
Streaming Media Session Indicates that a Streaming Media 1
Opened session has been established.
Closed session has been closed.
Reset session has been reset.
Terminated session has been terminated.
Denied session has been denied.
In Progress session is in progress.
RUSERS Session Opened Indicates that a (Remote Users) 1
RUSERS session has been
established.
RUSERS Session Closed Indicates that a RUSERS session has 1
been closed.
RUSERS Session Denied Indicates that a RUSERS session has 3
been denied.
RUSERS Session In Indicates that a RUSERS session is in 1
Progress progress.
RSH Session Opened Indicates that a Remote Shell (RSH) 1
session has been established.
RSH Session Closed Indicates that an RSH session has 1
been closed.
RSH Session Reset Indicates that an RSH session has 3
been reset.
RSH Session Terminated Indicates that an RSH session has 3
been terminated.

270

RSH Session Denied Indicates that an RSH session has 3
been denied.
RSH Session In Progress Indicates that an RSH session is in 1
progress.
RLOGIN Session Opened Indicates that a Remote Login 1
(RLOGIN) session has been
established.
RLOGIN Session Closed Indicates that an RLOGIN session has 1
been closed.
RLOGIN Session Reset Indicates that an RLOGIN session has 3
been reset.
RLOGIN Session Indicates that an RLOGIN session has 3
RLOGIN Session Denied Indicates that an RLOGIN session has 3
been denied.
RLOGIN Session In Indicates that an RLOGIN session is in 1
Progress progress.
REXEC Session Opened Indicates that a (Remote Execution) 1
REXEC session has been established.
REXEC Session Closed Indicates that an REXEC session has 1
been closed.
REXEC Session Reset Indicates that an REXEC session has 3
been reset.
REXEC Session Indicates that an REXEC session has 3
REXEC Session Denied Indicates that an REXEC session has 3
been denied.
REXEC Session In Indicates that an REXEC session is in 1
Progress progress.
RPC Session Opened Indicates that a Remote Procedure Call 1
(RPC) session has been established.
RPC Session Closed Indicates that an RPC session has 1
been closed.
RPC Session Reset Indicates that an RPC session has 3
been reset.
RPC Session Terminated Indicates that an RPC session has 3
been terminated.
RPC Session Denied Indicates that an RPC session has 3
been denied.
RPC Session In Progress Indicates that an RPC session is in 1
progress.

Application 271

NTP Session Opened Indicates that a Network Time Protocol 1
(NTP) session has been established.
NTP Session Closed Indicates that an NTP session has 1
been closed.
NTP Session Reset Indicates that an NTP session has 3
been reset.
NTP Session Terminated Indicates that an NTP session has 3
been terminated.
NTP Session Denied Indicates that an NTP session has 3
been denied.
NTP Session In Progress Indicates that an NTP session is in 1
progress.
NNTP Session Opened Indicates that a Network News Transfer 1
Protocol (NNTP) session has been
established.
NNTP Session Closed Indicates that an NNTP session has 1
been closed.
NNTP Session Reset Indicates that an NNTP session has 3
been reset.
NNTP Session Terminated Indicates that an NNTP session has 3
been terminated.
NNTP Session Denied Indicates that an NNTP session has 3
been denied.
NNTP Session In Progress Indicates that an NNTP session is in 1
progress.
NFS Session Opened Indicates that a Network File System 1
(NFS) session has been established.
NFS Session Closed Indicates that an NFS session has 1
been closed.
NFS Session Reset Indicates that an NFS session has 3
been reset.
NFS Session Terminated Indicates that an NFS session has 3
been terminated.
NFS Session Denied Indicates that an NFS session has 3
been denied.
NFS Session In Progress Indicates that an NFS session is in 1
progress.
NCP Session Opened Indicates that a Network Control 1
Program (NCP) session has been
established.
NCP Session Closed Indicates that an NCP session has 1
been closed.

272

NCP Session Reset Indicates that an NCP session has 3
been reset.
NCP Session Terminated Indicates that an NCP session has 3
been terminated.
NCP Session Denied Indicates that an NCP session has 3
been denied.
NCP Session In Progress Indicates that an NCP session is in 1
progress.
NetBIOS Session Opened Indicates that a NetBIOS session has 1
been established.
NetBIOS Session Closed Indicates that a NetBIOS session has 1
been closed.
NetBIOS Session Reset Indicates that a NetBIOS session has 3
been reset.
NetBIOS Session Indicates that a NetBIOS session has 3
NetBIOS Session Denied Indicates that a NetBIOS session has 3
been denied.
NetBIOS Session In Indicates that a NetBIOS session is in 1
Progress progress.
MODBUS Session Opened Indicates that a MODBUS session has 1
been established.
MODBUS Session Closed Indicates that a MODBUS session has 1
been closed.
MODBUS Session Reset Indicates that a MODBUS session has 3
been reset.
MODBUS Session Indicates that a MODBUS session has 3
MODBUS Session Denied Indicates that a MODBUS session has 3
been denied.
MODBUS Session In Indicates that a MODBUS session is in 1
Progress progress.
LPD Session Opened Indicates that a Line Printer Daemon 1
(LPD) session has been established.
LPD Session Closed Indicates that an LPD session has 1
been closed.
LPD Session Reset Indicates that an LPD session has 3
been reset.
LPD Session Terminated Indicates that an LPD session has 3
been terminated.

Application 273

LPD Session Denied Indicates that an LPD session has 3
been denied.
LPD Session In Progress Indicates that an LPD session is in 1
progress.
Lotus Notes Session Indicates that a Lotus Notes session 1
Opened has been established.
Closed has been closed.
Lotus Notes Session Reset Indicates that a Lotus Notes session 3
has been reset.
Terminated has been terminated.
Denied has been denied.
Lotus Notes Session In Indicates that a Lotus Notes session is 1
Progress in progress.
Kerberos Session Opened Indicates that a Kerberos session has 1
been established.
Kerberos Session Closed Indicates that a Kerberos session has 1
been closed.
Kerberos Session Reset Indicates that a Kerberos session has 3
been reset.
Kerberos Session Indicates that a Kerberos session has 3
Kerberos Session Denied Indicates that a Kerberos session has 3
been denied.
Kerberos Session In Indicates that a Kerberos session is in 1
Progress progress.
IRC Session Opened Indicates that an Internet Relay Chat 1
(IRC) session has been established.
IRC Session Closed Indicates that an IRC session has been 1
closed.
IRC Session Reset Indicates that an IRC session has been 3
reset.
IRC Session Terminated Indicates that an IRC session has been 3
terminated.
IRC Session Denied Indicates that an IRC session has been 3
denied.
IRC Session In Progress Indicates that an IRC session is in 1
progress.

274

IEC 104 Session Opened Indicates that an IEC 104 session has 1
been established.
IEC 104 Session Closed Indicates that an IEC 104 session has 1
been closed.
IEC 104 Session Reset Indicates that an IEC 104 session has 3
been reset.
IEC 104 Session Indicates that an IEC 104 session has 3
IEC 104 Session Denied Indicates that an IEC 104 session has 3
been denied.
IEC 104 Session In Indicates that an IEC 104 session is in 1
Progress progress.
Ident Session Opened Indicates that a TCP Client Identity 1
Protocol (Ident) session has been
established.
Ident Session Closed Indicates that an Ident session has 1
been closed.
Ident Session Reset Indicates that an Ident session has 3
been reset.
Ident Session Terminated Indicates that an Ident session has 3
been terminated.
Ident Session Denied Indicates that an Ident session has 3
been denied.
Ident Session In Progress Indicates that an Ident session is in 1
progress.
ICCP Session Opened Indicates that an Inter-Control Center 1
Communications Protocol (ICCP)
session has been established.
ICCP Session Closed Indicates that an ICCP session has 1
been closed.
ICCP Session Reset Indicates that an ICCP session has 3
been reset.
ICCP Session Terminated Indicates that an ICCP session has 3
been terminated.
ICCP Session Denied Indicates that an ICCP session has 3
been denied.
ICCP Session In Progress Indicates that an ICCP session is in 1
progress.
Groupwise Session Indicates that a Groupwise session has 1
Opened been established.
Groupwise Session Closed Indicates that a Groupwise session has 1
been closed.

Application 275

Groupwise Session Reset Indicates that a Groupwise session 3
has been reset.
Groupwise Session Indicates that a Groupwise session has 3
Groupwise Session Denied Indicates that a Groupwise session has 3
been denied.
Groupwise Session In Indicates that a Groupwise session is in 1
Progress progress.
Gopher Session Opened Indicates that a Gopher session has 1
been established.
Gopher Session Closed Indicates that a Gopher session has 1
been closed.
Gopher Session Reset Indicates that a Gopher session has 3
been reset.
Gopher Session Indicates that a Gopher session has 3
Gopher Session Denied Indicates that a Gopher session has 3
been denied.
Gopher Session In Indicates that a Gopher session is in 1
Progress progress.
GIOP Session Opened Indicates that a General Inter-ORB 1
Protocol (GIOP) session has been
established.
GIOP Session Closed Indicates that a GIOP session has 1
been closed.
GIOP Session Reset Indicates that a GIOP session has 3
been reset.
GIOP Session Terminated Indicates that a GIOP session has 3
been terminated.
GIOP Session Denied Indicates that a GIOP session has 3
been denied.
GIOP Session In Progress Indicates that a GIOP session is in 1
progress.
Finger Session Opened Indicates that a Finger session has 1
been established.
Finger Session Closed Indicates that a Finger session has 1
been closed.
Finger Session Reset Indicates that a Finger session has 3
been reset.
Finger Session Terminated Indicates that a Finger session has 3
been terminated.

276

Finger Session Denied Indicates that a Finger session has 3
been denied.
Finger Session In Progress Indicates that a Finger session is in 1
progress.
Echo Session Opened Indicates that an Echo session has 1
been established.
Echo Session Closed Indicates that an Echo session has 1
been closed.
Echo Session Denied Indicates that an Echo session has 3
been denied.
Echo Session In Progress Indicates that an Echo session is in 1
progress.
Remote .NET Session Indicates that a Remote .NET session 1
Opened has been established.
Closed has been closed.
Reset has been reset.
Terminated has been terminated.
Denied has been denied.
Remote .NET Session In Indicates that a Remote .NET session 1
Progress is in progress.
DNP3 Session Opened Indicates that a Distributed Network 1
Proctologic (DNP3) session has been
established.
DNP3 Session Closed Indicates that a DNP3 session has 1
been closed.
DNP3 Session Reset Indicates that a DNP3 session has 3
been reset.
DNP3 Session Terminated Indicates that a DNP3 session has 3
been terminated.
DNP3 Session Denied Indicates that a DNP3 session has 3
been denied.
DNP3 Session In Progress Indicates that a DNP3 session is in 1
progress.
Discard Session Opened Indicates that a Discard session has 1
been established.
Discard Session Closed Indicates that a Discard session has 1
been closed.

Application 277

Discard Session Reset Indicates that a Discard session has 3
been reset.
Discard Session Indicates that a Discard session has 3
Discard Session Denied Indicates that a Discard session has 3
been denied.
Discard Session In Indicates that a Discard session is in 1
Progress progress.
DHCP Session Opened Indicates that a Dynamic Host 1
Configuration Protocol (DHCP) session
DHCP Session Closed Indicates that a DHCP session has 1
been closed.
DHCP Session Denied Indicates that a DHCP session has 3
been denied.
DHCP Session In Progress Indicates that a DHCP session is in 1
progress.
DHCP Success Indicates that a DHCP lease has been 1
successfully obtained
DHCP Failure Indicates that a DHCP lease cannot be 3
obtained.
CVS Session Opened Indicates that a Concurrent Versions 1
System (CVS) session has been
established.
CVS Session Closed Indicates that a CVS session has been 1
closed.
CVS Session Reset Indicates that a CVS session has been 3
reset.
CVS Session Terminated Indicates that a CVS session has been 3
terminated.
CVS Session Denied Indicates that a CVS session has been 3
denied.
CVS Session In Progress Indicates that a CVS session is in 1
progress.
CUPS Session Opened Indicates that a Common Unix Printing 1
System (CUPS) session has been
established.
CUPS Session Closed Indicates that a CUPS session has 1
been closed.
CUPS Session Reset Indicates that a CUPS session has 3
been reset.

278

CUPS Session Terminated Indicates that a CUPS session has 3
been terminated.
CUPS Session Denied Indicates that a CUPS session has 3
been denied.
CUPS Session In Progress Indicates that a CUPS session is in 1
progress.
Chargen Session Started Indicates that a Character Generator 1
(Chargen) session has been started.
Chargen Session Closed Indicates that a Chargen session has 1
been closed.
Chargen Session Reset Indicates that a Chargen session has 3
been reset.
Chargen Session Indicates that a Chargen session has 3
Chargen Session Denied Indicates that a Chargen session has 3
been denied.
Chargen Session In Indicates that a Chargen session is in 1
Progress progress.
Misc VPN Indicates that a miscellaneous VPN 1
session has been detected
DAP Session Started Indicates that a DAP session has been 1
established.
DAP Session Ended Indicates that a DAP session has 1
ended.
DAP Session Denied Indicates that a DAP session has been 3
denied.
DAP Session Status Indicates that a DAP session status 1
request has been made.
DAP Session in Progress Indicates that a DAP session is in 1
progress.
DAP Authentication Failed Indicates that a DAP authentication has 4
failed.
DAP Authentication Indicates that DAP authentication has 1
TOR Session Started Indicates that a TOR session has been 1
established.
TOR Session Closed Indicates that a TOR session has been 1
closed.
TOR Session Reset Indicates that a TOR session has been 3
reset.

Audit 279

TOR Session Terminated Indicates that a TOR session has been 3
terminated.
TOR Session Denied Indicates that a TOR session has been 3
denied.
TOR Session In Progress Indicates that a TOR session is in 1
progress.
Game Session Started Indicates a game session has started. 1
Game Session Closed Indicates a game session has been 1
closed.
Game Session Reset Indicates a game session has been 3
reset.
Game Session Terminated Indicates a game session has been 3
terminated.
Game Session Denied Indicates a game session has been 3
denied.
Game Session In Progress Indicates a game session is in 1
progress.
Admin Login Attempt Indicates that an attempt to log in as an 2
administrative user has been detected.
User Login Attempt Indicates that an attempt to log in as a 2
non-administrative user has been
detected.
Audit The Audit category indicates audit related events. The associated low-level event
categories include:
Table C-16 Audit Categories

General Audit Event Indicates a general audit event has 1
been started.
Built-in Execution Indicates that a built-in audit task has 1
been run.
Bulk Copy Indicates that a bulk copy of data has 1
been detected.
Data Dump Indicates that a data dump has been 1
detected.
Data Import Indicates that a data import has been 1
detected.
Data Selection Indicates that a data selection process 1
has been detected.

280
Table C-16 Audit Categories (continued)

Data Truncation Indicates that the data truncation 1
process has been detected.
Data Update Indicates that the data update process 1
has been detected.
Procedure/Trigger Indicates that the database procedure 1
Execution or trigger execution has been detected.
Schema Change Indicates that the schema for a 1
procedure or trigger execution has
been altered.

D NOTICES AND TRADEMARKS
What’s in this appendix:

• Notices
• Trademarks
This section describes some important notices, trademarks, and compliance

information.
Notices This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information,
contact the IBM Intellectual Property Department in your country or send inquiries,
in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:

282
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express
or implied warranties in certain transactions, therefore, this statement may not
apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of
enabling: (i) the exchange of information between independently created programs
and other programs (including this one) and (ii) the mutual use of the information
which has been exchanged, should contact:
IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA
Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM
has not tested those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the

Trademarks 283
capabilities of non-IBM products should be addressed to the suppliers of those

products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual
business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations
may not appear.
Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at http:\\www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of other companies:
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Linux is a registered trademark of Linus Torvalds in the United States, other

countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.

INDEX
viewing backup archive 96

A
access category 244
accumulator
about 110
C
changes
retention settings 55
deploying 5
accumulator retention
coalescing events 54
daily 56
command line max matched results 57
hourly 56
components 134
admin tab
console settings 73
about 4
content capture 135
using 5
conventions 1
administrative email address 53
CRE category 255
administrator role 11
aeriel database settings 56
alert email from address 53
asset profile query period 54 D
asset profile reporting interval 54 database settings 55
assets role 12 delete root mail setting 54
asymmetric flows 153 deleting backup archives 97
audit log deploying changes 5
viewing 231 deployment editor
authentication about 109
active directory 23 accessing 110
configuring 24 components 134
LDAP 23 creating your deployment 113
LDAP or active directory 23 event view 114
RADIUS 23 requirements 114
system 23 system view 122
TACACS 23 toolbar 113
user 23 using 111
authentication category 238 device access 32
authorized services device management 34
about 91 discovering servers 163
adding 92 DoS category 236
revoking 93 duplicating a security profile 18
token 91
viewing 91
auto detection 136, 141 E
automatic update encryption 121, 122
about 43 enterprise template 175
scheduling 50 default building blocks 192
default rules 175
event categories 233
B event category correlation
backing up your information 98 access category 244
backup and recovery audit events category 257
about 95 authentication category 238
deleting backup archives 97 CRE category 255
importing backup archives 97 DoS category 236
initiating backup 101 exploit category 246
managing backup archives 96 flow category 256, 257, 258
restoring configuration information 102 high-level categories 234
scheduling backups 98 malware category 247
policy category 255
QRadar Network Anomaly Detection Administration Guide

286 INDEX
potential exploit category 256

recon category 235 H
suspicious category 248 hashing
system category 251 event log 58
Event Collector flow log 58
about 115 hashing algorithm settings 59
configuring 140 high-level categories 234
Event Collector Connections 135 host
Event Processor adding 124
about 115 host context 110, 131
configuring 142
event retention
configuring 64
deleting 71 I
editing 70 IF-MAP 62
enabling and disabling 70 importing backup archives 97
managing 69 index management 77
sequencing 69 initiating a backup 101
event view intended audience 1
about 110 interface roles 34
adding components 117 internal flow sources 147
building 114 IP right click menu extension role 12
renaming components 122 IPFIX 149
exploit category 246
external flow sources 147
J
J-Flow 150
F
firewall access 32
flow category 257, 258 L
flow configuration 152 LDAP 23
flow retention license key
configuring 67 exporting 31
deleting 71 managing 29
editing 70 log activity role 11
enabling and disabling 70
managing 69
sequencing 69
flow source M
about 147 Magistrate
adding aliases 156 about 115
adding flow source 152 configuring 143
deleting aliases 156 malware category 247
deleting flow source 155 managed host
editing aliases 156 adding 124
editing flow source 154 assigning components 131
enabling or disabling 154 editing 125
external 147 removing 126
internal 147 setting-up 33
managing aliases 155 managing backup archives 96
managing flow sources 147
virtual name 155
flowlog file 151 N
forwarding normalized events and flows 119 NAT
editing 128
enabling 126
G removing 129
global IPtables access 55 using 126
NetFlow 135, 148
Net-SNMP 7
network activity role 12

INDEX 287
Network Address Translation. See NAT IP right click menu extension 12

network hierarchy log activity 11
creating 39 network activity 12
network taps 135 offenses 11
reporting 12
risks 13
O rules
about 83
offenses role 11
off-site source 121
off-site target 121
S
scheduling your backup 98
P search results retention period 57
security profiles 14
Packeteer 151
servers
partition tester time-out 55
discovering 163
passwords
services
changing 35
authorized 91
policy category 255
sFlow 150
potential exploit category 256, 257
shutting down system 31
preferences 6
SIM
resetting 6
SNMP settings 60
Q source
QFlow Collector off-site 121
configuring 135 storage location
QFlow Collector ID 135 asset profile 56
flow data 56
log source 57
R store event payload 55
RADIUS authentication 23 suspicious category 248
RDATE 35 syslog
recon category 235 forwarding 165
remote networks groups 157 deleting 172
remote networks object editing 171
adding 158 syslog event timeout 55
editing 159 system
remote service groups 160 restarting 31
remote services object shutting down 31
adding 161 system authentication 23
editing 161 system category 251
reporting max matched results 57 system settings
reporting roles 12 administrative email address 53
resetting SIM 6 alert email from address 53
resolution interval length 53 asset profile query period 54
restarting system 31 asset profile reporting interval 54
restoring configuration information 102 asset profile retention period 57
different IP address 105 asset profile storage location 56
same IP address 102 attacker history retention period 56
retention buckets 64 coalescing events 54
retention period command line execution time limit 57
asset profile 57 command line max matched results 57
attacker history 56 configuring 53
offense 56 daily accumulator retention 56
roles delete root mail 54
about 9 event log hashing 58
admin 11 flow data storage location 56
assets 12 flow log hashing 58
creating 10 global IPtables access 55
deleting 14 hashing algorithm 59
editing 13 hourly accumulator retention 56
IF-MAP 62

288 INDEX
log source storage location 57

partition tester time-out 55
reporting execution time limit 57
reporting max matched results 57
resolution interval length 53
retention period
offense 56
search results retention period 57
store event payload 55
syslog event timeout 55
temporary files retention period 54
TNC recommendation enable 54
user data files 55
VIS passive host profile interval 54
web execution time limit 57
web last minute execution time limit 57
system time 35
system view
about 110
adding a host 124
assigning components 131
Host Context 131
managed host 130
managing 122
T
TACACS authentication 23
target
off-site 121
templates
enterprise 175
temporary files retention period 54
thresholds 71
time limit
command line execution 57
reporting execution 57
web execution 57
web last minute execution 57
TNC recommendation enable 54
transaction sentry 60
U
updating user details 6
user accounts
managing 19
user data files 55
user roles 9
users
authentication 23
creating account 21
disabling account 22
editing account 22
managing 9
V
viewing backup archives 96
VIS passive host profile interval 54

QNAD 71MR1 AdminGuide

Uploaded by

Copyright:

Available Formats

QNAD 71MR1 AdminGuide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

QNAD 71MR1 AdminGuide

Uploaded by

Copyright:

Available Formats

IBM Security QRadar Network Anomaly Detection

Version 7.1.0 MR1

ABOUT THIS GUIDE

2 MANAGING USER ROLES AND ACCOUNTS

4 SETTING UP IBM SECURITY QRADAR NETWORK ANOMALY

6 MANAGING AUTHORIZED SERVICES

7 MANAGING BACKUP AND RECOVERY

8 USING THE DEPLOYMENT EDITOR

9 MANAGING FLOW SOURCES

10 CONFIGURING REMOTE NETWORKS AND SERVICES

12 FORWARDING EVENT DATA

B VIEWING AUDIT LOGS

D NOTICES AND TRADEMARKS

The IBM Security QRadar Network Anomaly Detection Administration Guide

Conventions The following conventions are used throughout this guide:

Indicates that the procedure contains a single instruction.

IBM Security QRadar Network Anomaly Detection Administration Guide

IBM Security QRadar Network Anomaly Detection Administration Guide

This section includes the following topics:

Web Browser Supported Versions

IBM Security QRadar Network Anomaly Detection Administration Guide

Browser Version Option Description

The Admin tab provides access to the following functions:

IBM Security QRadar Network Anomaly Detection Administration Guide

The Admin tab also includes several menu options, including:

Menu Option Description

To view the detailed undeployed changes:

IBM Security QRadar Network Anomaly Detection Administration Guide

The banner message also recommends which type of deployment change to

To access your user details, click Preferences.

IBM Security QRadar Network Anomaly Detection Administration Guide

To reset the SIM module:

IBM Security QRadar Network Anomaly Detection Administration Guide

This section includes the following topics:

IBM Security QRadar Network Anomaly Detection Administration Guide

This section includes the following topics:

Creating a Role To create a role:

Table 2-1 User Role Management Window Parameters

IBM Security QRadar Network Anomaly Detection Administration Guide

Table 2-1 User Role Management Window Parameters (continued)

IBM Security QRadar Network Anomaly Detection Administration Guide

Table 2-1 User Role Management Window Parameters (continued)

IBM Security QRadar Network Anomaly Detection Administration Guide

Table 2-1 User Role Management Window Parameters (continued)

Step 6 Click Save.

Editing a Role To edit a role:

Step 5 Update the parameters (see Table 2-1), as necessary.

IBM Security QRadar Network Anomaly Detection Administration Guide

Deleting a Role To delete a role:

Step 1 Click the Admin tab.

Step 5 On the toolbar, click Delete.

IBM Security QRadar Network Anomaly Detection Administration Guide

This section includes the following topics:

To add a security profile:

Table 2-2 Security Profile Management Window Parameters

IBM Security QRadar Network Anomaly Detection Administration Guide

Permission precedence determines which Security Profile components to consider

c Click the Add (>) icon.

IBM Security QRadar Network Anomaly Detection Administration Guide