
IBM QRadar Network Insights Version 7.3.2

Installation and Configuration Guide

IBM


Note

Before you use this information and the product that it supports, read the information in “Notices” on page 33.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2017, 2019.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Introduction to installing QRadar Network Insights .......... v

Chapter 1. Real-time threat investigations with QRadar Network Insights .......... 1
    What's new in QRadar Network Insights V7.3.2 .......... 1
    What's new in QRadar Network Insights V7.3.1 .......... 2

Chapter 2. QRadar Network Insights appliances .......... 3
    QRadar Network Insights 1901 .......... 3
    QRadar Network Insights 1901-C .......... 5
    QRadar Network Insights 1910-C .......... 6
    QRadar Network Insights 1920 .......... 8
    QRadar Network Insights 1920-C .......... 10

Chapter 3. Upgrading QRadar Network Insights .......... 13

Chapter 4. Installing QRadar Network Insights .......... 15

Chapter 5. Flow inspection .......... 17
    Flow inspection levels .......... 17
    Performance impacts .......... 18
    Supported protocols and document types .......... 18

Chapter 6. Appliance configuration .......... 21
    Configuring the size of the raw payload data capture .......... 21
    Configuring the flow inspection level .......... 22
    Configuring QFlow Collector format .......... 23
    Configuring DTLS communications protocol .......... 24
    Installing the QRadar Network Insights content extension .......... 25

Chapter 7. Stacking QRadar Network Insights appliances .......... 27
    Appliance cabling .......... 27
    Creating a stack .......... 29
    Modifying an existing stack .......... 30
    Removing stacked appliances .......... 31

Notices .......... 33
    Trademarks .......... 34
    Terms and conditions for product documentation .......... 34
    IBM Online Privacy Statement .......... 35
    General Data Protection Regulation .......... 35


Introduction to installing QRadar Network Insights

This guide contains information about analyzing network data in real time by using IBM QRadar Network Insights.

Intended audience

Investigators extract information from the network traffic and focus on security incidents and threat indicators.

Technical documentation

To find IBM QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar products library, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).

Contacting customer support

For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM QRadar.


Chapter 1. Real-time threat investigations with QRadar Network Insights

IBM QRadar Network Insights is a network threat analytics solution that provides visibility into deep application-level content to better detect insider threats, data exfiltration, and malware activity. It provides real-time analysis of network data and an advanced level of threat detection and analysis.

Integration with IBM QRadar Incident Forensics

QRadar Network Insights provides QRadar with deep visibility into application activities, extracts artifacts, and identifies assets, applications, and users that participate in network communications. It is tightly integrated with IBM QRadar Incident Forensics for post-incident investigations and threat hunting activities.

QRadar Incident Forensics and IBM QRadar Network Packet Capture capture, reconstruct, and replay the entire conversation, whereas QRadar Network Insights provides the incident detection and informs you whether suspect items or topics of interest were discussed at any time during the conversation.

Suspect content can originate from a wide variety of sources, such as malware, non-standard ports, regex, or Yara rules. For more information about suspect content, see Advanced inspection level attributes in the QRadar Network Insights User Guide.

What's new in QRadar Network Insights V7.3.2

IBM QRadar Network Insights V7.3.2 includes the following new features and enhancements to help you administer your IBM QRadar Network Insights appliances.

QRadar on Cloud support

QRadar Network Insights is now supported in IBM QRadar on Cloud deployments.

You can pair your QRadar Network Insights appliance with a QRadar on Cloud data gateway and send flows into your QRadar on Cloud deployment.

To learn more about working with QRadar on Cloud data gateways, see the IBM QRadar on Cloud Getting Started Guide.

Configuration improvements for stacked and stand-alone appliances

In IBM QRadar Network Insights, it is easier for you to manage the QRadar Network Insights stand-alone and stacked appliances in your deployment. Now, you can easily add or reallocate processing capabilities across your deployments by creating new stacks, and adding or removing devices from stacks.

With the new QRadar Network Insights configuration management, you can easily make the following changes:

• Edit a stack directly from the Deployment Actions menu.
• Configure the flow inspection level for an individual QRadar Network Insights appliance.
• Set the maximum amount of capture data that each appliance includes in the flow report.
• Remove a stack and reconfigure each managed host as a stand-alone appliance.
• In a stacked configuration, specify which QRadar Network Insights appliance is the primary host.

Learn more about configuring appliances...

Learn more about stacking appliances...


More control over the appliance inspection level

In V7.3.1, every QRadar Network Insights appliance in the deployment used the same globally set flow inspection level.

Now, in V7.3.2, you can configure the flow inspection level for individual appliances or stacks. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

Learn more about configuring the flow inspection level...

Support for raw payload capture

Now you can use IBM QRadar Network Insights to extract raw payload data.

For example, you can extract data from the beginning of the packet payload, and then use regular expressions or custom properties to look for patterns. For QFlow users that are migrating to QRadar Network Insights, this capability enables the same raw payload analysis that you used in the past while also giving you QRadar Network Insights network analysis and data extraction capabilities.

On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0. You can increase the size to extract more data from the payload, but larger sizes result in higher network traffic and can negatively impact the performance of your QRadar deployment.

Learn more about configuring the raw payload capture size...
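The following script is an added illustration, not part of the IBM guide, of how the Maximum Raw Payload Size setting bounds what a regex or custom property can match: it emulates the capture window on a constructed HTTP request and applies extended-regex patterns to the captured bytes. The setting itself is changed in the QRadar UI (Chapter 6); the sample payload, the patterns and the function names here are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the IBM guide: models the effect of the Maximum Raw Payload
# Size setting on pattern matching. Nothing here talks to a QRadar appliance.
set -eu

# Constructed sample HTTP request payload (not real captured traffic).
# The request line is 62 bytes including its newline, so with the default 64-byte
# capture the Host header is cut off after "Ho".
SAMPLE_REQUEST='GET /reports/quarterly-export.csv?token=abc123def456 HTTP/1.1
Host: files.example.internal
User-Agent: curl/7.64.1
'

# Emulate the capture: keep only the first $2 bytes of payload $1.
# A size of 0 mirrors the guide's "stop capturing payload data" setting.
capture_raw_payload() {
  payload="$1"; max_size="$2"
  if [ "$max_size" -le 0 ]; then
    printf ''
  else
    printf '%s' "$payload" | head -c "$max_size"
  fi
}

# Apply an extended regex (a custom-property style pattern) to the captured bytes and
# print the first match, or nothing if the pattern lies outside the captured window.
match_property() {
  payload="$1"; max_size="$2"; pattern="$3"
  capture_raw_payload "$payload" "$max_size" | grep -oE "$pattern" | head -n 1
}

# Compare how many of the patterns in $2 (one per line) match at capture size $1.
# Lets an operator see what a larger setting buys before paying for it in traffic.
count_matches() {
  max_size="$1"; patterns="$2"; hits=0
  for p in $patterns; do
    if [ -n "$(match_property "$SAMPLE_REQUEST" "$max_size" "$p")" ]; then
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# Patterns with no spaces so the for-loop above can split them on whitespace.
DEMO_PATTERNS='^(GET|POST)[[:space:]][^[:space:]]+
Host:[[:space:]][^[:space:]]+
User-Agent:[[:space:]][^[:space:]]+'

for size in 0 64 256; do
  echo "capture size $size bytes: $(count_matches "$size" "$DEMO_PATTERNS") of 3 patterns matched"
done
```

Run it to see that the default 64-byte window catches the request line but not the Host or User-Agent headers, which only appear once the size is raised.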

What's new in QRadar Network Insights V7.3.1

IBM QRadar Network Insights V7.3.1 simplifies the configuration, deployment, and stacking of IBM QRadar Network Insights appliances.

Stack appliances by using the user interface

QRadar Network Insights V7.3.1 makes it easier to configure up to four appliances in a stack to distribute data across multiple CPUs and Napatech cards.

Stacking appliances helps you increase your data throughput at higher inspection levels.

Learn more about stacking appliances...


Chapter 2. QRadar Network Insights appliances

The IBM QRadar Network Insights appliance is a managed host that you attach to the QRadar console.

QRadar Network Insights appliances connect to network TAPs, SPAN, or mirror ports to access full packet data for real-time analysis. All QRadar Network Insights appliances provide detailed analysis of network flows to extend the threat detection capabilities of QRadar.

This Installation Guide includes hardware specifications for the latest QRadar Network Insights appliances. To view hardware specifications for older QRadar Network Insights appliances, see the IBM QRadar Hardware Guide.

Table 1. QRadar Network Insights appliances

QRadar Network Insights appliances Appliance ID

QRadar Network Insights 1901 6300

QRadar Network Insights 1910 6400

QRadar Network Insights 1920 6200

Appliance stacking

You can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute network packet data across multiple Napatech cards. By distributing the data processing and analysis across multiple appliances, stacking can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels.

For more information about stacking appliances, see Chapter 7, “Stacking QRadar Network Insights appliances,” on page 27.

QRadar Network Insights 1901

The IBM QRadar Network Insights 1901 (MTM 4412-F4Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901 appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.

The QRadar Network Insights 1901 appliance has the following hardware specifications:

Table 2. QRadar Network Insights 1901 overview

Hardware Description

Dimensions 28.9 inches deep x 17.1 inches wide x 1.7 inches high

Power Dual redundant 750 Watt AC power supply

Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)

The storage is labeled as [1] in the appliance diagram.

Memory 64 GB (4 x 16 GB DDR4 2400MHz)


Table 2. QRadar Network Insights 1901 overview (continued)

Hardware Description

Network capture transceivers

2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)

2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)

Use these transceivers with the network packet capture card, labeled as [4] in the appliance diagram.

Network management transceivers

2 x 10 G Short Range SFP

The transceivers may have one of the following part numbers:

• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR

Use these transceivers with the management ports, labeled as [5] in the appliance diagram.

System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.

Figure 1. Back panel of the QRadar Network Insights 1901 appliance


Table 3. Legend for use with the QRadar Network Insights 1901 image

Label Description

1 QRadar Firmware Storage

2 IMM Port (1GbE TX)

3 Management ports (1 GbE TX)

4 Network Packet Capture (SFP)

5 Management ports (10 GbE SFP+)

Note: Only the Network Packet Capture card [4] can be used for capturing network packet data.

For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://www-01.ibm.com/support/knowledgecenter/api/redirect/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)

For more information about the QRadar Network Insights 1901, including front and back panel diagrams, see IBM System X3550 M5 (https://lenovopress.com/lp0067-lenovo-system-x3550-m5-machine-type-8869).

QRadar Network Insights 1901-C

The IBM QRadar Network Insights 1901-C (MTM 4654-F6Y) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

With four 1G capture ports on a Napatech card, the QRadar Network Insights 1901-C appliance provides the same capabilities as the QRadar Network Insights 1920 appliance but on a lower-price hardware platform that is designed for 1 Gbps network connectivity.

Table 4. QRadar Network Insights 1901-C overview

Description Value

Physical dimensions 31.1 inches deep x 17.1 inches wide x 1.7 inches high

Unit weight 48.5 lbs

CPU 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W

Memory 64 GB, 4 x 16 GB

Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)

Network interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers

4 x 10/100/1000 Base-T Ethernet management interfaces

1 x 10/100/1000 Base-T integrated management module interface

2 x 10 Gbps SFP+ management interfaces

Network Capture Transceivers

4 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)

4 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)

Network Management Transceivers

2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)

Traffic rate 1 Gbps


Table 4. QRadar Network Insights 1901-C overview (continued)

Description Value

Power supply Dual redundant 750 W AC

Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

Figure 2. QRadar Network Insights 1901-C

Table 5. Legend for use with the QRadar Network Insights 1901-C image

Label Description

1 QRadar firmware storage

2 IMM port (1 GbE TX)

3 Management ports (10 GbE SFP+)

4 Management ports (1 GbE TX)

5 Network packet capture (SFP)

Ports are numbered 0, 1, 2, 3, from left to right.

QRadar Network Insights 1910-C

The IBM QRadar Network Insights 1910-C (MTM 4654-Q9C) appliance offers 1 Gbps and 10 Gbps connectivity in a smaller, lower-cost appliance for deployments that require 10 Gbps connectivity but don't require the same level of processing or performance that is found in the more powerful 1920 appliance.

Table 6. QRadar Network Insights 1910-C overview

Description Value

Physical dimensions 31.3 inches deep x 17.1 inches wide x 1.7 inches high

Unit weight 48.5 lbs

CPU 2 x Xeon Gold 5118 12C 2.3 GHz 16 MB Cache 3.20 GHz 105 W

Memory 64 GB, 4 x 16 GB

Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)


Table 6. QRadar Network Insights 1910-C overview (continued)

Description Value

Network interfaces 4 x 10 Gb SFP+ network capture interfaces, including 4 x SR (LC short range fiber) and 4 x LR (LC long range fiber) transceivers

4 x 10/100/1000 Base-T Ethernet management interfaces

1 x 10/100/1000 Base-T integrated management module interface

2 x 10 Gbps SFP+ management interfaces

Network Capture Transceivers

4 x 10 G SR LC Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)

4 x 10 G LR LC Transceivers (Avago AFCT-739SMZ-IB2)

Network Management Transceivers

2 x 10 G SR LC Transceivers (Avago AFBR-709SMZ-IB8 or Finisar FTLX8571D3BCL-BN or BNT BN-CKM-SP-SR)

Traffic rate 10 Gbps

Power supply Dual redundant 750 W AC

Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

Figure 3. QRadar Network Insights 1910-C

Table 7. Legend for use with the QRadar Network Insights 1910-C image

Label Description

1 QRadar firmware storage

2 IMM port (1 GbE TX)

3 Management ports (10 GbE SFP+)

4 Management ports (1 GbE TX)

5 Network Packet Capture (SFP/SFP+)

Ports are numbered 0, 1, 2, 3, from left to right.


QRadar Network Insights 1920

The IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.

The second Napatech card is cabled internally for load balancing and cannot be used. If you use these ports when you cable the appliance, you do not get any data.

The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920 (MTM 4412-F3F) appliance:

Table 8. QRadar Network Insights 1920 overview

Description Value

Dimensions 29.5 inches deep x 17.6 inches wide (19 inches with EIA) x 3.4 inches high

Power Dual redundant 900 Watt AC power supply

Storage 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)

The storage is labeled as [1] in the appliance diagram.

Memory 128 GB (8 x16 GB DDR4 2400MHz)

Network capture transceivers

2x 10Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)

2x 1G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)

2x 1G SX LC Transceivers (Avago AFBR-5715PZ)

Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.

Network management transceivers

2x 10G Short Range SFP

The transceivers may have one of the following part numbers:

• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR

Use these transceivers with the management ports, labeled as [4] in the appliance diagram.

System performance of QRadar Network Insights appliances varies depending on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, extraction criteria, and the amount of network data. For more information, see Performance impacts in the IBM QRadar Network Insights Installation Guide.


Figure 4. Back panel of the QRadar Network Insights 1920 appliance

Table 9. Legend for use with the QRadar Network Insights 1920 image

Label Description

1 QRadar Firmware Storage

2 Network Packet Capture (SFP/SFP+)

3 IMM Port (1GbE TX)

4 Management ports (10 GbE SFP+)

5 Cabled internally. Do not use these ports.

6 Management ports (1 GbE TX)

For battery removal steps, see Removing the coin-cell battery (also called CMOS battery) (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/t_removing_system_battery.html)

For more information about the front panel, see Front view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_front_view.html).

For more information about the back panel, see Rear view (http://publib.boulder.ibm.com/infocenter/systemx/documentation/index.jsp?topic=/com.lenovo.sysx.8871.doc/c_rear_view.html).

For more information, you can also see System x3650 M5 (https://lenovopress.com/lp0068-lenovo-system-x3650-m5-machine-type-8871.html).


QRadar Network Insights 1920-C

The IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance provides detailed analysis of network flows to extend the threat detection capabilities of IBM QRadar.

The appliance has two Napatech cards, each with four ports. By default, the four ports on the first network capture card are configured for inbound traffic from the network tap. If the appliance is included in a stack, the ports are reconfigured for 2 inbound and 2 outbound. For more information about cabling stacked appliances, see the IBM QRadar Network Insights Installation Guide.

The second Napatech card is cabled internally for load balancing and cannot be used. If you use these ports when you cable the appliance, you do not get any data.

The following table shows the hardware information and requirements for the IBM QRadar Network Insights 1920-C (MTM 4654-F4F) appliance.

Table 10. QRadar Network Insights 1920-C

Description Value

Physical dimensions 29.0 inches deep x 17.1 inches wide x 3.4 inches high

Unit weight 73 lbs

CPU 2 x Xeon Gold 6132 14C 2.6 GHz 19 MB Cache 3.70 GHz 140 W

Memory 128 GB, 8 x 16 GB

Storage / Hard disks 2 x 240 GB SATA 2.5" SSD, 240 GB Total (RAID1)

Network interfaces 4 x 10 Gb SFP+ network capture interfaces (left side), including 2 x SR (LC short range fiber), 2 x SX (LC short range fiber), and 2 x TX (RJ-45 copper) transceivers

4 x 10/100/1000 Base-T Ethernet management interfaces

1 x 10/100/1000 Base-T integrated management module interface

2 x 10 Gbps SFP+ management interfaces

Network capture transceivers

2 x 10 Gb Short Range Fiber Transceivers (Avago AFBR-703SDZ or AFBR-709SMZ)

2 x 1 G TX RJ-45 Transceivers (Avago ABCU-5710RZ or ABCU-5740RZ)

2 x 1 G SX LC Transceivers (Avago AFBR-5715PZ)

Use these transceivers with the network packet capture card, labeled as [2] in the appliance diagram.

Network management transceivers

2 x 10 G Short Range SFP

The transceivers may have one of the following part numbers:

• Avago AFBR-709SMZ-IB8
• Finisar FTLX8571D3BCL-BN
• BNT BN-CKM-SP-SR

Use these transceivers with the management ports, labeled as [4] in the appliance diagram.

Traffic rate 10 Gbps

Power supply Dual redundant 750 W AC


Picture: © 2018 Dell Inc. or its subsidiaries. All Rights Reserved

Figure 5. QRadar Network Insights 1920-C

Table 11. Legend for use with the QRadar Network Insights 1920-C image

Label Description

1 QRadar firmware storage

2 IMM port (1 GbE TX)

3 Management ports (10 GbE SFP+)

4 Management ports (1 GbE TX)

5 Network Packet Capture (SFP/SFP+)

Ports are numbered 3, 2, 1, 0, from left to right.

6 Do not use these ports


Chapter 3. Upgrading QRadar Network Insights

You must upgrade all of your IBM QRadar products in your deployment to the same version.

Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported.

Procedure

1. Download the <QRadar_patchupdate>.sfs file from IBM Fix Central (www.ibm.com/support/fixcentral).

2. Use SSH to log in to your system as the root user.
3. Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
4. To create the /media/updates directory, type the following command:

mkdir -p /media/updates

5. Change to the directory where you copied the patch file.
6. To mount the patch file to the /media/updates directory, type the following command:

mount -o loop -t squashfs <QRadar_patchupdate>.sfs /media/updates/

7. To run the upgrade installer, type the following command:

/media/updates/installer

The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed.

8. Provide answers to the pre-patch questions based on your deployment.
9. Use the upgrade installer to upgrade all hosts in your deployment.

Note: If you do not select Patch All, you must upgrade systems in the following order:

• QRadar Console
• QRadar Incident Forensics

If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.

10. After the upgrade is complete, type the following command to unmount the software update:

umount /media/updates


Chapter 4. Installing QRadar Network Insights

IBM QRadar Network Insights is already installed when you purchase a QRadar Network Insights appliance. However, you might need to reinstall the software if, for example, you have a hardware failure.

Before you begin

Before you install QRadar Network Insights, ensure that the following requirements are met:

• The appliance hardware is installed.
• A keyboard and monitor are connected by using the VGA connection.
• The activation key is available.

About this task

Install the QRadar Console on one appliance, and the QRadar Network Insights managed host on another appliance.

Restriction: Software versions for all appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

Resizing logical volumes by using a logical volume manager (LVM) is not supported.

You install QRadar Network Insights by using the QRadar ISO. QRadar Network Insights requires only a connection to the QRadar Console. You can deploy QRadar Network Insights separately from the IBM QRadar Incident Forensics Processor deployment.

Procedure

1. For installations on your own hardware, copy the QRadar ISO to the root directory.

a) Create the /media/dvd directory by typing the following command:

mkdir /media/dvd

b) Mount the QRadar ISO by using the following command:

mount -o loop <QRadar.iso> /media/dvd

2. Use the setup script to start the installation.

a) Change the working directory by typing the command:

cd /media/dvd

b) Start the setup script by typing the command:

setup.sh

3. Follow the instructions in the installation wizard.

On the Select the Appliance ID page, choose the IBM QRadar Network Insights component to install.

4. Apply your license key.

a) Log in to QRadar: https://IP_Address_QRadar

The default user name is admin. The password is the password of the root user account.

b) Click Login.

c) On the navigation menu, click Admin.
d) In the navigation pane, click System Configuration.
e) Click the System and License Management icon.
f) From the Display list, select Licenses, and upload your license key.


g) Select the unallocated license and click Allocate System to License.
h) From the list of licenses, select a license, and click Allocate License to System.

For a QRadar Network Insights deployment, only the 6200 managed host requires a license. The QRadar Console does not need a QRadar Network Insights license.

What to do next

Configure your QRadar Network Insights appliance. For more information, see Chapter 6, “Appliance configuration,” on page 21.


Chapter 5. Flow inspection

Flows provide QRadar with visibility into network activity. QRadar Network Insights analyzes the network activity, and correlates flow data with event data to detect threats that cannot be identified by using logs alone, thereby revealing previously hidden threats and malicious behaviors.

Flow inspection levels

The flow inspection level determines how much data is analyzed and extracted from the network flows.

By default, the flow inspection level is a global setting that is configured in the System Settings on the Admin tab. It applies to all appliances in your deployment. You can override the global setting by configuring a custom flow inspection level for each appliance. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

Basic inspection level

Basic flows is the lowest level of inspection. Basic flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted. This kind of information is similar to what you get out of a router or network switch that does not perform deep packet inspection. This level supports the highest bandwidth, but generates the least amount of flow information.

The attributes that QRadar Network Insights generates using the basic flows inspection level are: 5-tuple values, a flow ID, packet and octet counts in each direction, and flow start and end times.

For more information about the content fields that are extracted with the Basic inspection level, see the QRadar Network Insights User Guide.
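The following is an added illustration, not IBM code, of the record that the Basic level produces from raw packets: a 5-tuple, a flow ID, per-direction packet and octet counts, and start and end times, with no payload inspection. The packet fields, the record layout and the sample traffic are constructed for this example and are not QRadar Network Insights' IPFIX template.

```python
# Added example (not IBM's code): builds Basic-level flow records from packets.
# Packet fields, record layout and sample traffic are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, int]  # src_ip, src_port, dst_ip, dst_port, proto


@dataclass
class Packet:
    ts: float        # capture timestamp, seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    length: int      # bytes on the wire


@dataclass
class BasicFlow:
    flow_id: int
    five_tuple: FiveTuple   # oriented as seen in the first packet (initiator -> responder)
    first_seen: float
    last_seen: float
    src_packets: int = 0    # initiator -> responder
    src_octets: int = 0
    dst_packets: int = 0    # responder -> initiator
    dst_octets: int = 0


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key so both halves of a conversation land in one flow."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def build_basic_flows(packets: List[Packet]) -> List[BasicFlow]:
    """Aggregate packets into Basic-level flow records. Only headers are read,
    which is why this level sustains the highest bandwidth and yields the least
    information about what the traffic actually carried."""
    flows: Dict[tuple, BasicFlow] = {}
    next_id = 1
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = flow_key(pkt)
        rec = flows.get(key)
        if rec is None:
            rec = BasicFlow(
                flow_id=next_id,
                five_tuple=(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto),
                first_seen=pkt.ts,
                last_seen=pkt.ts,
            )
            flows[key] = rec
            next_id += 1
        # The first packet fixes the orientation; later packets are classified
        # by comparing their source endpoint with the initiator's endpoint.
        if (pkt.src_ip, pkt.src_port) == rec.five_tuple[:2]:
            rec.src_packets += 1
            rec.src_octets += pkt.length
        else:
            rec.dst_packets += 1
            rec.dst_octets += pkt.length
        rec.last_seen = max(rec.last_seen, pkt.ts)
    return list(flows.values())


# Constructed sample: a DNS lookup followed by a short TLS session.
SAMPLE_PACKETS = [
    Packet(0.90, "10.0.0.5", 53000, "192.0.2.53", 53, 17, 70),
    Packet(0.95, "192.0.2.53", 53, "10.0.0.5", 53000, 17, 130),
    Packet(1.00, "10.0.0.5", 51234, "192.0.2.10", 443, 6, 74),
    Packet(1.01, "192.0.2.10", 443, "10.0.0.5", 51234, 6, 74),
    Packet(1.02, "10.0.0.5", 51234, "192.0.2.10", 443, 6, 66),
    Packet(1.50, "10.0.0.5", 51234, "192.0.2.10", 443, 6, 517),
    Packet(1.60, "192.0.2.10", 443, "10.0.0.5", 51234, 6, 1514),
    Packet(1.70, "192.0.2.10", 443, "10.0.0.5", 51234, 6, 1514),
    Packet(2.00, "10.0.0.5", 51234, "192.0.2.10", 443, 6, 66),
]

if __name__ == "__main__":
    for flow in build_basic_flows(SAMPLE_PACKETS):
        print(flow)
```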

Enriched inspection level

With the enriched inspection level, each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection.

The following list describes the attributes that QRadar Network Insights generates by using the Enriched flow inspection level:

• HTTP metadata values, including categorization of URLs
• Application ID and action
• File information (name, size, hash)
• Originating and recipient user names
• Limited suspect content values

For more information about the content fields that are extracted with the Enriched inspection level, see the QRadar Network Insights User Guide.

Advanced inspection level

Advanced is the default setting and the highest level of inspection. It adds to the flow attributes extracted at the Enriched inspection level through comprehensive analysis of the application content. Additional suspect content can also be detected through this content analysis. This analysis can yield more suspect content values that result from the inspection of the file contents.

The following list describes the attributes that QRadar Network Insights generates by using the Advanced flow inspection level:

• Personal information
• Confidential data
• Embedded scripts
• Redirects
• Configurable content-based suspect content

For more information about the types of suspect content that are identified at the Advanced inspection level, see the QRadar Network Insights User Guide.

Performance impacts

Flow inspection levels are cumulative, and each level collects more data than the level before it. You must configure the flow inspection level to suit the flow rate that you want to achieve. System performance varies based on the exact configuration and tuning of the system components. It is influenced not only by hardware, but also by factors such as the search, extraction criteria, and the amount of network data.

Table 12. Flow inspection level performance for QRadar Network Insights appliances

Flow Inspection Level   1901 appliances              1910 appliance               1920 appliances
Basic                   ~ 4 Gbps                     ~ 10 Gbps                    ~ 10 Gbps
Enriched                ~ 3 Gbps                     ~ 3 Gbps                     ~ 6 Gbps
Advanced                ~ 1.2 Gbps                   ~ 1.2 Gbps                   ~ 2.5 Gbps
                        Does not support stacking.   Does not support stacking.   You can achieve up to 10 Gbps by stacking multiple appliances.

Scaling performance with the 1920 appliances

To achieve higher flow rates, you can stack the QRadar Network Insights 1920 appliances (type 6200) to distribute data processing across multiple Napatech cards and CPUs.

In a stacked configuration, the performance scales linearly according to the number of appliances in the stack. For example, a stack with two appliances can achieve up to 2x the performance. You can have up to four appliances in a stack.

For more information, see Chapter 7, “Stacking QRadar Network Insights appliances,” on page 27.

Supported protocols and document types

As network traffic data is processed and protocols are identified, the data is further inspected by the appropriate protocol and domain inspectors.

Protocol inspectors

Protocol inspectors can identify protocols such as HTTP, POP3, FTP, and telnet. You can also exclude protocol inspectors. When the inspectors are excluded, any network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only on a generic level.

Any protocol that is not identifiable by a protocol inspector is categorized as Unknown.

The following list describes the supported protocols that QRadar Network Insights can process:

• AIM
• DHCP
• DNS
• Exchange
• FTP
• HTTP
• iCAP
• IMAP
• IRC
• Jabber
• Myspace
• MySQL
• NFS
• NetBIOS
• Oracle
• POP3
• SIP
• SMB V2 / V3
• SMTP
• SPDY
• SSH
• Telnet
• TLS (SSL)
• Yahoo Messenger

With the exception of SIP (Session Initiation Protocol) traffic, all inspectors are turned on by default and you can see traffic from all protocols. The SIP call setup protocol, which operates at the application layer, is turned off by default.

Domain inspectors

When network traffic data is identified by the HTTP protocol inspector, additional analysis is done by the domain inspector. For domain inspectors to be active, the HTTP protocol inspector must also be active.

The following list describes the supported domains (websites) as well as the supported languages for each domain:

• AOL (Accessible, Basic, Standard) (EN)
• Charter (EN)
• Comcast (Zimbra) (EN)
• Facebook (Mobile, Desktop) (AR, CN, DE, EN, ES, FR, RU)
• Gmail (Classic, Standard) (AR, CN, DE, EN, ES, FR, RU)
• Hotmail (AR, CN, DE, EN, ES, FR, RU)
• LinkedIn (DE, EN, ES, FR, RU)
• MailCom (CN, EN, ES, FR, RU)
• MailRu (RU)
• Maktoob (AR, EN)
• Myspace (EN)
• QQMail (EN, CN)
• Twitter (EN)
• YAHOO Mail (Standard, Classic) (EN)
• YAHOO Note (EN)
• YouTube (AR, CN, DE, EN, ES, FR, RU)

You can also exclude domain inspectors. When you exclude domain inspectors, any HTTP network traffic data that is associated with the inspector is still ingested, but the traffic is identified and indexed only at the HTTP level.

Supported document formats

The following list describes the supported document formats that QRadar Network Insights can process:

• HyperText Markup Language
• XML and derived formats
• Microsoft Office document formats
• OpenDocument Format
• Portable Document Format
• Electronic Publication Format
• Rich Text Format
• Compression and packaging formats
• Text formats
• Audio formats
• Image formats
• Video formats
• Java™ class files and archives
• mbox format

Application detection

Application detection is used when no other inspectors can detect an application, session, or protocol.

Application detection inspects the first 64 bytes of a packet for a signature and attempts to identify the application from the signature and port.

The following list shows examples of applications, sessions, or protocols that can be identified with the application detection processes:

• BitTorrent
• Blubster
• CitrixICA
• Google Talk
• Gnucleuslan
• Gnutella
• GSS-SPNEGO
• NTLMMSSP
• OpenNap
• PeerEnabler
• Piolet
• UpdateDaemon
• VNC
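As an added schematic, not IBM code, the following shows the shape of the fallback described above: a byte signature is sought inside the first 64 bytes of the payload and the port is used to qualify the match, with anything unmatched left as Unknown. The signature table holds the publicly documented handshake prefixes of three applications from the list (BitTorrent, VNC, Gnutella) and conventional default ports; it is an illustration and not QRadar Network Insights' signature set or logic.

```python
# Added example (not IBM's code): port-assisted signature matching over the
# first 64 bytes of a payload. Signatures are public wire-protocol handshake
# prefixes and the port sets are conventional defaults, both chosen for
# illustration; they are not QRadar Network Insights' internal table.
from typing import Dict, FrozenSet, List, Tuple

SIGNATURE_WINDOW = 64  # only the first 64 bytes of the payload are examined

# (application, byte signature, ports commonly associated with it)
SIGNATURES: List[Tuple[str, bytes, FrozenSet[int]]] = [
    ("BitTorrent", b"\x13BitTorrent protocol", frozenset(range(6881, 6890))),
    ("VNC", b"RFB 003.", frozenset(range(5900, 5910))),
    ("Gnutella", b"GNUTELLA CONNECT/", frozenset({6346, 6347})),
]


def detect_application(payload: bytes, src_port: int, dst_port: int) -> Tuple[str, str]:
    """Return (application, basis).

    basis is 'signature+port' when the byte pattern and a known port agree,
    'signature' when only the byte pattern matched (for example an application
    moved to a non-standard port), and 'none' when the traffic stays Unknown.
    """
    window = payload[:SIGNATURE_WINDOW]
    for app, sig, ports in SIGNATURES:
        # The whole signature must lie inside the window: a pattern that starts
        # before byte 64 but runs past it is not matched, so a sender that pads
        # the start of its stream is reported as Unknown rather than guessed.
        if sig in window:
            basis = "signature+port" if {src_port, dst_port} & ports else "signature"
            return app, basis
    return "Unknown", "none"


# Constructed sample traffic: (description, payload, src_port, dst_port)
SAMPLE_TRAFFIC = [
    ("torrent handshake on a default port",
     b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20), 51000, 6881),
    ("VNC server banner", b"RFB 003.008\n", 5900, 49152),
    ("Gnutella on a non-standard port",
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n", 40001, 8080),
    ("signature pushed past the 64-byte window",
     b"A" * 60 + b"\x13BitTorrent protocol", 51001, 6882),
    ("plain HTTP-looking text", b"GET / HTTP/1.1\r\nHost: example.test\r\n", 51002, 80),
]


def classify_sample(traffic=SAMPLE_TRAFFIC) -> Dict[str, Tuple[str, str]]:
    """Run the detector over the constructed sample and return results by description."""
    return {desc: detect_application(p, s, d) for desc, p, s, d in traffic}


if __name__ == "__main__":
    for desc, result in classify_sample().items():
        print(f"{desc}: {result}")
```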


Chapter 6. Appliance configuration

After your IBM QRadar Network Insights appliance is installed and attached to the QRadar Console as a managed host, you must configure the appliance before you can use it for investigating threats on your network.

After the appliance is configured, it reads the raw packets from the network tap or span port and thengenerates IPFIX packets. The IPFIX packets are sent to flow processes in the deployment.

For more information about installing IBM QRadar, see the IBM QRadar Installation Guide.

For more information about adding a managed host to your deployment, see Managed hosts in the IBMQRadar Administration Guide.

Configuring the size of the raw payload data capture

You can use IBM QRadar Network Insights to extract raw payload data. The Maximum Raw Payload Size for each appliance is inherited from the QRadar Network Insights global settings.

About this task

On initial installation, IBM QRadar Network Insights is configured to capture a maximum of 64 bytes of raw payload data. To stop capturing payload data, set the Maximum Raw Payload Size to 0.

When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed.

You can override the global settings by configuring custom Maximum Raw Payload Size settings for individual QRadar Network Insights appliances. After an appliance is configured to use a custom setting, it is not affected by changes to the global setting. To revert an appliance back to using the global setting, you must edit the host connection and set the Maximum Raw Payload Size to Global.

Note: You can increase the raw payload size up to 32 768 bytes, but larger payloads can impact performance. Adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.

Procedure

1. Log in to QRadar as an administrator.

2. To configure the global settings, follow these steps:

a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) In the Maximum Raw Payload Size, select the maximum amount of data that you want to capture.

To turn payload data capture off, set the Maximum Raw Payload Size to 0.

Appliances that use a custom Maximum Raw Payload Size setting are not affected by changes to the global setting. You must configure the customized appliances individually.

d) Click Save.

3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:

a) On the Admin tab, click System and License Management.
b) Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
c) Set the flow collector and the flow source connection and click Save.
d) Specify the Maximum Raw Payload Size for the appliance.


Appliances that are configured to use a custom Maximum Raw Payload Size are not affected by future changes to the global setting.

e) Click Next and then click Save.

4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.

Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.

5. Refresh your web browser.

What to do next

Deploy the changes.

Configuring the flow inspection level

The flow inspection level determines how much data is analyzed and extracted from the network flows. Each Flow Inspection Level setting provides deeper visibility and extracts more content than the preceding levels.

About this task

The following table explains the difference between each inspection level:

Table 13. Flow inspection levels

Flow Inspection Level   Description
Basic                   Lowest level of inspection. Flows are detected by 5-tuple, and the number of bytes and packets that are flowing in each direction are counted.
Enriched                Each flow is identified and inspected by one of the protocol or domain inspectors, and many kinds of attributes can be generated from that inspection.
Advanced                The default setting. The highest level of inspection. Flows are subjected to more rigorous content extraction processes, including scanning and inspecting the content of the files that it finds.

By default, the Flow Inspection Level for each appliance is inherited from the global setting that is defined in the System Settings on the Admin page. When you change the global setting, the new value is inherited by all QRadar Network Insights appliances that are configured to use the global setting. This includes new appliances that you add after the setting is changed.

You can override the global setting by configuring custom settings for individual QRadar Network Insights appliances.

In a stacked configuration, each stack can have a different flow inspection level, but all appliances within a stack must have the same inspection level.

Procedure

1. Log in to QRadar as an administrator.

2. To configure the global setting, follow these steps:

a) On the Admin tab, click System Settings.
b) Click QRadar Network Insights Settings.
c) From the Flow Inspection Level, select the flow rate.


d) Click Save.

3. To configure the settings for individual QRadar Network Insights appliances, follow these steps:

a) On the Admin tab, click System and License Management.
b) Select the appliance that you want to modify, and click Deployment actions > Edit Host Connection.
c) Set the flow collector and the flow source connection and click Save.
d) Specify the Flow Inspection Level for the appliance.
e) Click Next and then click Save.

4. From the menu bar on the Admin tab, click Advanced > Deploy Full Configuration.

Warning: When you deploy the full configuration, QRadar services restart. During this time, events and flows are not collected, and offenses are not generated.

5. Refresh your web browser.

What to do next

Deploy the QRadar Network Insights Processor.

Configuring QFlow Collector format

You can choose the format that your QRadar QFlow Collectors use to export data to the QFlow processor: TLV (type-length-value) or Payload.

The TLV format stores the content metadata properties in the flow record, and can be searched withoutextra configuration in QRadar.

The payload format stores the content metadata properties in the payload field of the flow record. To run searches on the data, you must use custom properties to extract the data from the payload.

Before you begin

Before you configure the QRadar QFlow Collector format, ensure that you complete the following tasks:

• Install a QRadar Console with a QRadar Network Insights appliance attached as a managed host.
• Perform a full deployment after you attach the IBM QRadar Network Insights appliance as a managed host.

Important: Content extension v1.3.0 introduced support for TLV fields, which supersedes earlier content extensions that were based on custom properties. If you are using content extension v1.3.0 or later, you must set the QFlow format setting to TLV; otherwise the rules in the content pack don't work.

Procedure

1. Log in to QRadar: https://QRadar_IP_Address

The default user name is admin. The password is the password of the root user account.

2. On the navigation menu, click Admin.

3. In the navigation pane, click System Settings.

4. Click the QFlow Settings menu, and choose the QFlow format.


Table 14. QFlow format options

QFlow format   Description
TLV            Default QFlow format setting. Must be used when there is a QRadar Network Insights appliance in the environment. Can be used when there is no QRadar Network Insights appliance in the environment. QRadar Network Insights V7.3.0 or later supports only TLV for content flows.
Payload        Can be used when there is no QRadar Network Insights appliance in the environment.

5. Click Save.

6. From the menu bar on the Admin tab, click Deploy Full Configuration and confirm your changes.

Warning: When you deploy the full configuration, QRadar services are restarted. During this time, events and flows are not collected, and offenses are not generated.

7. Refresh your web browser.

Configuring DTLS communications protocol

To prevent eavesdropping and tampering, you can set up Datagram Transport Layer Security (DTLS) on a QRadar Network Insights managed host.

Configuring DTLS is optional, and is not required for QRadar Network Insights to work.

Before you begin

Ensure that your deployment has a QRadar Network Insights (appliance type 6200) managed host that is attached. For more information about how to add a managed host, see the IBM QRadar Administration Guide.

About this task

You can have more than one QRadar Network Insights appliance that points to a single DTLS port, but configuring multiple DTLS ports is not supported.

If, after you configure the DTLS communications protocol, you change the QRadar Flow Collector or flow source of any QRadar Network Insights managed hosts in your deployment, you must deploy the changes.

Procedure

1. To configure a flow source, complete these steps:

a) Log in to the QRadar Console as an administrator.
b) Click the Admin tab.
c) In the Flows section, click Flow Sources.
d) Click the Add icon.
e) In the Flow Source Name field, type a descriptive name.
f) In the Target Flow Collector field, select a flow collector or accept the value provided.
g) In the Flow Source Type list, select Netflow v.1/v.5/v.7/v.9/IPFIX.
h) In the Monitoring Port field, select a port or accept the value provided.
i) In the Linking Protocol list, select DTLS.


j) Click Save.

2. To configure DTLS communication, complete these steps:

a) On the Admin tab, in the System Configuration section, click System and License Management.
b) Select the managed host, and on the Deployment Actions menu, click Edit Host Connection.
c) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and flow source.
d) Click Save.
e) Specify whether to configure the QRadar Network Insights appliance as a stand-alone or stacked appliance.
f) Click Next, and then click Save.
g) Close the System and License Management page.
h) On the Admin tab menu bar, click the Deploy Changes icon.

Installing the QRadar Network Insights content extension

QRadar Network Insights content extensions include extra content, such as rules, reports, searches, and custom properties, that can be used to provide in-depth analysis, alerts, and reports in QRadar Network Insights deployments.

Before you begin

Download the QRadar Network Insights v7.3.0 content extension to your local computer from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/5faf57a09236654323cbc4db41bd74f4).

Procedure

1. Log in to the QRadar Console as an administrator.

2. On the navigation menu, click Admin.

3. Click Extension Management.

4. To upload an extension and install it immediately, follow these steps:

a) Click Add and select the extension to upload.
b) To install the extension immediately, select the Install immediately check box, and then click Add.

5. To preview the contents of an extension before you install it, follow these steps:

a) Select the extension from the list, and click More Details.

The content items are compared to content items that are already in the deployment. If the content items exist, you can choose to overwrite them or to keep the existing data.

b) Select Replace existing items. This setting ensures that existing custom properties are updated when the extension is installed.

c) Click Install.
d) Review the installation summary, and click OK.

Results

After the extension is added, a yellow caution icon in the Status column indicates potential issues with the digital signature. Hover the mouse over the triangle for more information. Extensions that are unsigned or are signed by the developer, but not validated by your vendor, might cause compatibility issues in your deployment.


Chapter 7. Stacking QRadar Network Insights appliances

With QRadar Network Insights stacking, you can distribute network packet data across multiple Napatech cards. By distributing the data processing and analysis across multiple appliances, stacking can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels.

If any appliance in the stack experiences a failure and becomes unavailable, the entire stack is impacted. For example, if the first appliance in a stack has a hardware failure, the data is not received by the rest of the stacked appliances.

Appliance cabling

You can stack the QRadar Network Insights 1920 appliances (type 6200) only. Each stack can have a maximum of four appliances, but you can have more than one stack in a deployment. You cannot stack the QRadar Network Insights 1901 appliance.

Each QRadar Network Insights 1920 appliance is configured with 2 Napatech cards. The port configuration on the first Napatech card changes, depending on whether the appliance is part of a standalone configuration or a stacked configuration.

Standalone configuration
In a standalone configuration, the four ports on the first Napatech card are configured to accept inbound traffic from the network tap.

The second Napatech card is a load balancer that is configured internally. Do not use the ports on this card; if you use them, you do not get any data.

Stacked configuration
In a stacked configuration, the four ports on the first Napatech card are reconfigured, two ports for inbound traffic and two ports for outbound traffic. The ports are configured as linked pairs, so the data that comes in on port 0 goes out on port 2, and the data that comes in on port 1 goes out on port 3. Similar to a standalone configuration, the second Napatech card cannot be used in a stacked configuration.

Single incoming TAP line

When your deployment has incoming data on one network tap only, the stacked appliances must be cabled like this:


Figure 6. Cabling for stacked 1920 appliances with single network TAP

Dual incoming TAP lines

When your deployment has incoming data on two network taps, the stacked appliances must be cabled like this:


Figure 7. Cabling for stacked 1920 appliances with dual network TAP

Creating a stack

You can stack QRadar Network Insights 1920 appliances (type 6200) to scale performance at higher inspection levels by load balancing the network packet data across multiple appliances.

Before you begin

Ensure that all appliances that you want to include in the stack are racked and cabled. For more information about how to cable the appliances for use in a stacked configuration, see “Appliance cabling” on page 27.

Ensure that the appliance and the QRadar Console used to manage it are at the same QRadar version and fix pack level.

About this task

By default, the Flow Inspection Level for each appliance is inherited from the global settings that are defined in the System Settings on the Admin page. You can override the global setting by configuring the flow inspection level for each appliance. In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.

The Maximum Raw Payload Size is also inherited from the global system settings, but you can change it for individual appliances. The default size of the payload is 64 bytes, and the maximum size is 32 768 bytes. Large payloads can impact performance. You should adjust the byte size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.


Procedure

1. If required, add the QRadar Network Insights appliance to your deployment as a managed host.

a) On the navigation menu, click Admin.
b) In the System Configuration section, click System and License Management.
c) In the Display list, select Systems.
d) On the Deployment Actions menu, click Add Host.
e) Configure the settings for the managed host by providing the fixed IP address and the root password for the appliance.
f) Click Add.

The managed host is added and the new configuration is ready to deploy.

g) On the Admin tab, click Advanced > Deploy Full Configuration.

QRadar V7.3.1 and later continues to collect events when you deploy the full configuration. In earlier versions of QRadar, event collection stops while the new configuration is deployed.

2. To configure the managed host as part of a QRadar Network Insights stack, edit the host connection information.

a) On the Admin tab, click System and License Management.
b) In the Display list, select Systems.
c) Select the QRadar Network Insights managed host, and on the Deployment Actions menu, click Edit Host Connection.
d) On the Modify QRadar Network Insights Connection page, select the QRadar Flow Collector and the NetFlow source.

By default, the flow collector is the IP address of the QRadar Console.

e) Click Save.

The console recognizes that the managed host is a 6200 appliance that can be configured as part of a stack.

f) In the Host Action field, select Create new stack and type a descriptive name.
g) Change the Flow Inspection Level and the Maximum Raw Payload Size.
h) Select Next.

The Configure QNI Ports window shows that the ports are now reconfigured from four inbound ports to two ports for inbound traffic and two ports for outbound traffic.

i) Click Save.

The System and License Management window now shows the new QRadar Network Insights stack with one QRadar Network Insights appliance.

What to do nextYou must deploy the changes for the new configuration to take effect.

Modifying an existing stack

You can edit an existing stack to add or remove QRadar Network Insights appliances, set the primary host in the stack, and set the flow inspection level and the raw payload size for all appliances in the stack.

Before you begin

Before you add an appliance to a stack, ensure that the appliance is deployed into your QRadar environment. For more information about cabling appliances for use in a stacked configuration, see “Appliance cabling” on page 27.


All appliances in the stack must be at the same QRadar version and fix pack level as the QRadar Console that manages them.

About this task

You can add up to four QRadar Network Insights managed hosts (1920 and 1920-C only) to an appliance stack. The primary host appliance is the appliance that receives data from the network TAP.

By default, the stack uses the global Flow Inspection Level and the Maximum Raw Payload Size settings, as defined in the System Settings on the Admin tab. You can override the global settings by choosing a different setting in the stack configuration. The setting that you choose applies to all appliances in the stack.

Procedure

1. On the Admin tab, click System and License Management.
2. In the Display list, select Systems.
3. In the host table, select the stack that you want to configure, and click Deployment Actions > Edit Stack.
4. To set custom settings for the Flow Inspection Level and the Maximum Raw Payload Size, click Change in the appropriate section.
5. To modify the number of hosts in the stack or to set the primary host, in the Hosts in Stack section, click Change.
6. Click Save.

What to do next

You must deploy the changes for the new configuration to take effect.

Removing stacked appliances

When you remove a stack, each managed host in the stack is re-configured as a standalone appliance.

Remember to re-cable the managed hosts as standalone appliances. For more information about how to cable the standalone appliance, see Chapter 2, “QRadar Network Insights appliances,” on page 3.

Procedure

1. On the Admin tab, click System and License Management.
2. In the Display list, select Systems.
3. To remove a single appliance from a stack, follow these steps.
   a) In the host table, select the stack that you want to configure.
   b) Click Deployment Actions > Edit Stack.
   c) In the Hosts in Stack section, click Change.
   d) Click the minus (-) symbol next to the appliance that you want to remove, and then click Save.
4. To remove the entire stack, follow these steps.
   a) In the host table, select the stack that you want to remove.
   b) Click Deployment Actions > Unstack.

What to do next

You must deploy the changes for the new configuration to take effect.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd. 19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing IBM Corporation North Castle Drive, MD-NC119 Armonk, NY 10504-1785 US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.


The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.


IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details the section entitled “Cookies, Web Beacons and Other Technologies” and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.

General Data Protection Regulation

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about the IBM GDPR readiness journey and our GDPR capabilities and Offerings here: https://ibm.com/gdpr
