QRadar Technical Blog: To Flow Or Not To Flow
QRadar began life as a network product, was converted into an event log management tool, and is now returning to its roots with QRadar Network Insights (QNI).
What is QNI and what does it do?
For several years now QRadar has promoted its own flow technology, QFlow, a layer 7 technology that gives visibility of applications, the first bytes of the payload and all the basic flow information. This has proved very popular, but development has now taken a huge step with QNI.
QNI provides all the functionality of QFlow with the added benefit of extracting metadata, file information, HTTP and DNS data and user information. QNI can also use Yara rules to detect suspicious activity. This is achieved by real-time packet inspection of the relevant payload information.
A potential drawback of an event-only approach is that the event may not provide sufficient detail by itself, leaving the analyst with only half a picture. QFlow went a long way towards providing the other half, but QNI can now give the fullest picture possible.
Now the analyst has all the traffic information, in three tiers:
- The basics: byte and packet counts; protocols used; source and destination data.
- The next level of flow data: user names; e-mail and chat IDs; host information; file information; application information; HTTP and DNS queries.
- True flow insights: embedded scripts; personal information; suspect content based upon Yara rules.
In conclusion, much has been made recently of the value of threat intelligence in enhancing the analyst's toolkit, but the real value comes from combining that intelligence with deep packet inspection to rapidly identify malicious files and URLs and enable swift remediation.