IBM QRadar Network Insights Version 7.3.2 User Guide IBM


IBM QRadar Network Insights Version 7.3.2

User Guide

IBM


Note

Before you use this information and the product that it supports, read the information in “Notices” on page 27.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2017, 2019.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Introduction to installing QRadar Network Insights

Chapter 1. QRadar Network Insights
    What's new in QRadar Network Insights V7.3.2 Patch 3
    What's new in QRadar Network Insights V7.3.2

Chapter 2. QRadar Network Insights use cases

Chapter 3. QRadar Network Insights content
    Basic inspection
    Enriched inspection
        Parsing DNS query and response fields
    Advanced inspection
    Suspicious content in network flows
    Including QRadar Network Insights data in searches

Chapter 4. QRadar Network Insights content extensions
    Content extension V1.1.0
    Content extension V1.2.0
    Content extension V1.3.0
    Content extension V1.4.0

Notices
    Trademarks
    Terms and conditions for product documentation
    IBM Online Privacy Statement
    General Data Protection Regulation


Introduction to installing QRadar Network Insights

This guide contains information about analyzing network data in real-time by using IBM QRadar Network Insights.

Intended audience

Investigators extract information from the network traffic and focus on security incidents and threat indicators.

Technical documentation

To find IBM QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar products library, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).

Contacting customer support

For information about contacting customer support, see QRadar Support – Assistance 101 (https://ibm.biz/qradarsupport).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM QRadar.

© Copyright IBM Corp. 2017, 2019 v


Chapter 1. QRadar Network Insights

IBM QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your IBM QRadar deployment.

Through the deep analysis of network activity and application content, QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed.

QRadar Network Insights provides in-depth analysis of both network metadata and application content to detect suspicious activity that is hidden among normal traffic and extract content to provide QRadar with visibility into network threat activity. The intelligence that is provided by QRadar Network Insights integrates seamlessly with traditional data sources and threat intelligence to extend QRadar detection, analysis, and threat detection capabilities.

QRadar Network Insights provides visibility across a range of use cases, including:

• Malware detection and analysis
• Phishing email and campaign detection
• Insider threats
• Lateral movement attack detection
• Data exfiltration protection
• Identify compliance gaps

Benefits of QRadar Network Insights

The following list highlights some of the benefits of using QRadar Network Insights:

• Uses in-depth packet inspection to identify advanced threats and malicious content.
• Extends the capabilities of QRadar to detect phishing attacks, malware intrusions, lateral movement, and data exfiltration.
• Records application activities, captures key artifacts, and identifies assets, applications, and users that participate in network communications.
• Applies Layer 7 content analysis for advanced security insights.
• File analytics analyzes and enables tracking of files.

What's new in QRadar Network Insights V7.3.2 Patch 3

QRadar Network Insights V7.3.2 Patch 3 extracts more data for analysis and provides increased visibility into network threat activity.

New content at the Basic inspection level

VXLAN encapsulated flow information

When the flow contains VXLAN header data, the content extraction now includes the VXLAN Network Identifier.

New content at the Enriched inspection level

When the inspection level is set to Enriched, the following content is extracted:

File Hashes

The File Hash attribute that was previously extracted at the Enriched inspection level is deprecated. It is replaced with the following attributes:

• SHA256 File Hash
• SHA1 File Hash
• MD5 File Hash

SSL / TLS Connections

The following attributes provide more context about encrypted communications:

• SSL/TLS Cipher Suite
• SSL/TLS Compression Method
• SSL/TLS Session ID
• TLS Server Name Indication
• TLS Application Layer Protocol

X.509 certificate information

The following attributes can help you assess potential issues with your X.509 certificates.

• X509 Certificate Version
• X509 Certificate Serial Number
• X509 Certificate Not-Before Validity Timestamp
• X509 Certificate Not-After Validity Timestamp
• X509 Certificate Issuer Name
• X509 Certificate Issuer Common Name
• X509 Certificate Subject Name
• X509 Certificate Subject Common Name
• X509 Certificate Subject Alternative Names
• X509 Certificate Extensions
• X509 Certificate Public Key Algorithm
• X509 Certificate Public Key Size
• X509 Certificate Signature Algorithm
• X509 Certificate To-Be-Signed Signature Algorithm
• X509 Certificate Fingerprint Hash

For example, the new attributes provide additional context about a flow that previously would have shown only SSL or TLS. They can also help you determine why QRadar generated a Certificate invalid suspicious content alert.

Learn more about QRadar Network Insights inspection levels...

What's new in QRadar Network Insights V7.3.2

The following features and enhancements are new in QRadar Network Insights V7.3.2.

Basic inspection level now includes application detection

IBM QRadar Network Insights V7.3.2 now detects applications at the basic flow inspection level. In earlier versions, application detection was only available with enriched or advanced inspection levels.

Learn more about QRadar Network Insights inspection levels...

More data available for analysis

IBM QRadar Network Insights now extracts more data to provide QRadar with increased visibility into network threat activity.


The following content is new in this release:

• HTTP method
• SSL/TLS version
• Last Proxy Basis
• Last Proxy Source
• Last Proxy IPv4
• Last Proxy IPv6
• FTP commands
• TCP flags
• More VLAN tags
• ICMP type field
• IP type of service

Learn more about the QRadar Network Insights content that is extracted at each inspection level...

More granular DNS data extraction

In QRadar Network Insights V7.3.2, the DNS Response is parsed and separated into multiple DNS data fields for more granular analysis. In earlier releases, the DNS Response field was a single string composed of many different parameters.

The following new DNS data fields are captured at the Enriched inspection level:

• DNS Query ID
• DNS Domain Name
• DNS Request Type
• DNS Response Code
• DNS Flags
• DNS Answers (formatted list of strings)

In a future release, the DNS Response field might be removed, but the response data will still be available in the new DNS data fields. You should plan to discontinue using the DNS Response field.

Learn more about the enriched inspection level content...

Support for raw payloads

Now you can use IBM QRadar Network Insights to extract raw payload data.

For example, you can extract data from the beginning of the packet payload, and then use regular expressions or custom properties to look for patterns. For QFlow users that are migrating to QRadar Network Insights, this capability enables the same raw payload analysis that you used in the past while also giving you QRadar Network Insights network analysis and data extraction capabilities.

Your system administrator can configure the size of the raw payload capture.
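The following Python is an added example, not code from the IBM guide or from QRadar: it models the regex-over-raw-payload step the text describes, with constructed payload prefixes (an HTTP request, an interleaved FTP control channel, and a TLS record header) and hypothetical property names standing in for regex custom properties. The `capture_size` argument stands in for the administrator-configured raw payload size, and the example shows the caveat that matters when you size it: a pattern whose match would cross the capture boundary silently fails and the property stays empty.

```python
import re
from typing import Dict, Optional

# Constructed raw payload prefixes (not real captures) standing in for the
# bytes QRadar Network Insights would keep from the start of a flow's payload.
# The FTP sample interleaves both directions of the control channel.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "http": (b"GET /login?user=alice HTTP/1.1\r\n"
             b"Host: intranet.example.test\r\n"
             b"User-Agent: curl/8.0\r\n\r\n"),
    "ftp": (b"220 ftp.example.test FTP server ready\r\n"
            b"USER alice\r\n"
            b"331 Password required\r\n"
            b"PASS hunter2\r\n"),
    # A TLS record header: opaque to text patterns, so nothing below matches.
    "tls": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
}

# Illustrative regex "custom properties" (the names are hypothetical, not
# QRadar's own). Each uses one capture group, like a regex custom property.
CUSTOM_PROPERTIES: Dict[str, re.Pattern] = {
    "http_method": re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"),
    "http_host": re.compile(rb"\r\nHost: ([^\r\n]+)\r\n"),
    "ftp_user": re.compile(rb"(?:^|\r\n)USER ([^\r\n]+)\r\n"),
    "ftp_cleartext_password": re.compile(rb"(?:^|\r\n)PASS ([^\r\n]+)\r\n"),
}


def extract_custom_properties(payload: bytes, capture_size: int) -> Dict[str, Optional[str]]:
    """Run every custom-property regex over the first capture_size bytes only.

    capture_size models the administrator-configured raw payload size. Bytes
    beyond it are never captured, so a pattern whose match would cross the
    boundary fails and the property is left empty (None here).
    """
    captured = payload[:capture_size]
    extracted: Dict[str, Optional[str]] = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        match = pattern.search(captured)
        extracted[name] = match.group(1).decode("ascii", "replace") if match else None
    return extracted


def minimum_capture_size(payload: bytes, property_name: str) -> Optional[int]:
    """Smallest capture size at which the named property still populates for
    this payload, or None if it never matches. Handy when choosing a capture size."""
    match = CUSTOM_PROPERTIES[property_name].search(payload)
    return match.end() if match else None


if __name__ == "__main__":
    for size in (20, 256):
        for label, payload in SAMPLE_PAYLOADS.items():
            print(size, label, extract_custom_properties(payload, size))
```

With a 256-byte capture the HTTP and FTP samples populate their properties (including the cleartext FTP password, which is what the Enriched-level Password attribute reports); with a 20-byte capture the same HTTP request yields nothing, because neither the request line nor the Host header fits in the captured prefix.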


Chapter 2. QRadar Network Insights use cases

QRadar Network Insights provides in-depth visibility into network communications and application content to empower QRadar Sense Analytics to detect threat activity. You can use QRadar Network Insights to detect and analyze malware, phishing, insider threats, lateral movement attacks, data exfiltration, and compliance gaps.

Malware detection and analysis

Malware frequently morphs to avoid detection. You can use QRadar Network Insights to detect malware based on file hashes and file activity, and observe and analyze artifacts such as:

• Names
• Properties
• Movement
• Suspicious content

Phishing email and campaign detection

Phishing can hide in plain sight by disguising its activity within the volumes of normal emails. You can prepare for and react to malicious emails by using QRadar Network Insights to analyze:

• Sources
• Targets
• Subject
• Content

Insider threats

You can integrate QRadar Network Insights with the User Behavior Analytics app to improve threat detection. Use the QRadar Network Insights analytics to recognize:

• High-risk users
• Potential targets of phishing
• Negative sentiment
• Suspicious behaviors

Lateral movement attack detection

QRadar Network Insights can trace anomalous communications:

• Reconnaissance
• Data transfers
• Rogue and malicious actors

Data exfiltration protection

Data can be exfiltrated through many methods. Use QRadar Network Insights to identify and track suspicious indicators such as:

• DNS abnormalities
• Sensitive content
• Aberrant connections
• Aliases


Identify compliance gaps

QRadar Network Insights allows for continuous monitoring of enterprise, industry, and regulatory compliance.


Chapter 3. QRadar Network Insights content

The QRadar Network Insights content that is populated depends on the inspection level that is configured (basic, enriched, or advanced) and whether the data is available in the source system.

For example, some content is populated by the X-Force® Threat Intelligence feed, but the field may appear empty in QRadar if the information is not available in X-Force.

Basic inspection

The following table shows the fields that are populated when IBM QRadar Network Insights is configured to use the Basic inspection level.

Table 1. Content that is populated with the Basic inspection level

Query builder name | Advanced search name | Data source
Application | applicationid | Multiple sources, such as Inspectors and X-Force. The attribute is populated by default.
Customer VLAN ID | "customer vlan id" | Populated only when the flow source or destination address came from 802.1q VLAN header data.
Destination DSCP | destinationdscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet.
Destination Flags | destinationflags | TCP header of the flow packet.
Destination IP address | destinationip | IPv4 or IPv6 header of the flow packet.
Destination Port | destinationport | TCP or UDP header of the flow packet.
Enterprise VLAN ID | "enterprise vlan id" | Populated only when the flow source or destination address came from 802.1q VLAN header data.
First Packet Time | firstpackettime | Assigned by QRadar Network Insights.
Flow ID | flowid | Assigned by QRadar Network Insights.
IP protocol | protocolid | IPv4 or IPv6 header of the flow packet.
Last Packet Time | lastpackettime | Assigned by QRadar Network Insights.
Source DSCP | sourcedscp | IP quality of service derived from the IPv4 or IPv6 header of the flow packet.
Source Flags | sourceflags | TCP header of the flow packet.
Source IP address | sourceip | IPv4 or IPv6 header of the flow packet.
Source port | sourceport | TCP or UDP header of the flow packet.
Total bytes per packet | sourcebytes, destinationbytes | Assigned and maintained by QRadar Network Insights*.
Total Packets | sourcepackets, destinationpackets | Assigned and maintained by QRadar Network Insights*.
VLAN Tag | "vlan tag" | Populated only when the flow source or destination address came from 802.1q VLAN header data.
VXLAN Network Identifier | "vxlan network indentifier" | Populated only when the flow contains VXLAN header data.

Enriched inspection

The following table shows the fields that are populated when IBM QRadar Network Insights is configured to use the Enriched inspection level.

Table 2. Content that is populated with the Enriched inspection level

Query Builder name | Advanced Search name | Data source
Action | action | Populated when the flow analysis indicates an action on an HTTP flow. Possible values for the action are: Write/Post/Chat; Stream/Download; Share; Start App; Audio Chat/Video Chat; Software/AV Updates. The flow analysis is based on X-Force data, and the field is populated only when the X-Force data is available.
Content subject | "content subject" | If populated, extracted from the Subject field of the flow content. For example, the subject might come from an email or it could be embedded in the metadata.
Content Type | "content type" | HTTP, Content Inspector. Populated only when the file type is not recognized.
DNS Query | "dns query" | Populated only if the flow has data on a DNS query.
DNS Response | "dns response" | Populated only if the flow has data on a DNS response.
DNS Query ID | "dns query id" | Populated only if the flow contains information about a DNS request or response.
DNS Domain Name | "dns domain name" | Populated only if the flow contains information about a DNS request.
DNS Request Type | "dns request type" | Populated only if the flow contains information about a DNS request.


DNS Response Code | "dns response code" | Populated only if the flow contains information about a DNS response.
DNS Flags | "dns flags" | Populated only if the flow contains information about a DNS request.
DNS Answers | "dns answers" | All DNS fields (formatted list). Populated only if the flow contains information about a DNS response.
DNS Raw Answer | "dns raw answer" | All DNS fields (binary format). Populated only if the flow contains information about a DNS response.
File Entropy | "file entropy" | Populated only when a complete file is found embedded in the flow data.
File Hash (Deprecated) | "file hash" | Populated only when a complete file is found embedded in the flow data. As of QRadar Network Insights V7.3.2 Patch 3, the File Hash attribute is replaced by the SHA256 File Hash, SHA1 File Hash, and MD5 File Hash attributes.
File Name | "file name" | Populated only when a named file is found embedded in the flow data.
File Size | "file size" | Populated only when a complete file is found embedded in the flow data.
FTP Command | "ftp command" | FTP command that was used.
FTP Reply Code | "ftp reply code" | Numerical code that is issued by the FTP server in response to the FTP command.
FTP Response | "ftp response" | Description for the numerical reply code that is issued by the FTP server.
HTTP Host | "http host" | Host field in the HTTP request. Populated only if the HTTP protocol is used.
HTTP Method | "http method" | Method in the HTTP request, indicating the desired action to be performed. Populated only if the HTTP protocol is used.
HTTP Referrer | "http referrer" | Referer field (the header is spelled that way in HTTP) in the HTTP request. Populated only if the HTTP protocol is used.
HTTP Response Code | "http response code" | Status code in the HTTP response to the request. Populated only if the HTTP protocol is used.
HTTP Server | "http server" | Server field in the HTTP response. Populated only if the HTTP protocol is used.


HTTP User Agent | "http user agent" | User-Agent field in the HTTP request. Populated only if the HTTP protocol is used.
HTTP Version | "http version" | Version field in the HTTP request. Populated only if the HTTP protocol is used.
Last Proxy Basis | "last proxy basis" | Where an HTTP request was found to be explicitly forwarded, the type of HTTP header which directed the forwarding. The Last Proxy Basis attribute may include one of the following values: RFC 7239 forwarding header; X-Forwarded-For header; Akamai True-Client-IP header. These headers are written by whatever client or proxy sent the request and are not authenticated, so treat the forwarded address as a claim to corroborate against the flow's own source address rather than as a verified origin.
Last Proxy IPv4 | "last proxy ipv4" | The final forwarded destination shown as an IPv4 address. Populated only if the HTTP protocol is used and forwarding was detected.
Last Proxy IPv6 | "last proxy ipv6" | The final forwarded destination shown as an IPv6 address. Populated only if the HTTP protocol is used and forwarding was detected.
MD5 File Hash | "md5 file hash" | Populated with the MD5 hash of the original file when a file is extracted from the flow data.
Originating User | "originating user" | Populated from multiple sources when the origin user can be detected, such as flow data for email or chat messages.
Password | password | Populated only when a cleartext password exchange is detected in the flow. For example, a cleartext password exchange in an FTP flow.
Recipient Users | "recipient users" | Populated if one or more destination users are detected in the flow.
Request URL | "request url" | Populated only when a URL string is detected in HTTP flow data.
Search Arguments | "search arguments" | Populated only when the pattern of a search request is detected in HTTP flow data.
SHA1 File Hash | "sha1 file hash" | Populated with the SHA1 hash of the original file when a file is extracted from the flow data.
SHA256 File Hash | "sha256 file hash" | Populated with the SHA256 hash of the original file when a file is extracted from the flow data.


SMTP Hello | "smtp hello" | Populated for flows that initiate an SMTP request. Captures the data that follows the HELO command. For more information, see RFC 2821 (HELO) and RFC 1651 (the EHLO extension).
SSL/TLS Cipher Suite | "ssl/tls cipher suite" | The cipher suite specification that is agreed upon by the client and server to use for the session.
SSL/TLS Compression Method | "ssl/tls compression method" | The compression method that is agreed upon by the client and server to use for the session. This will typically be null, as most clients do not support TLS compression due to the susceptibility to protocol level attacks.
SSL/TLS Session ID | "ssl/tls session id" | The session identifier.
SSL/TLS Version | "ssl/tls version" | The version of SSL / TLS. The following versions are detected: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2.
Suspect Content Descriptions | "suspect content descriptions" | Populated from multiple sources when a suspicious entity is detected. For example, the suspect content might come from the website category, embedded links, or YARA rules.
TLS Application Layer Protocol | "tls application layer protocol" | The value of the application layer protocol that is agreed upon by the client and server, via the Application Layer Protocol Negotiation (ALPN) TLS extension.
TLS Server Name Indication | "tls server name indication" | The value of the TLS Server Name Indication (SNI) extension. The client sends the SNI extension at the start of the handshake process to identify the server that it wants to communicate with.
Web Categories | "web categories" | Populated only when the HTTP URL / endpoint matches a known X-Force web category.
X509 Certificate Extensions | "x509 certificate extensions" | Shows additional information about how the certificate can be used, identified, and verified. The X509 certificate extensions are shown as a comma-separated list.


X509 Certificate Fingerprint Hash | "x509 certificate fingerprint hash" | A hash of various fields in the certificate that can be used to fingerprint the certificate. This value can be useful in threat hunting and anomaly detection scenarios. For example, if valid certificates for the same subject with different fingerprint hashes are seen concurrently on different flows, then it could indicate a man-in-the-middle attack is being performed on one set of flows.
X509 Certificate Issuer Common Name | "x509 certificate issuer common name" | The common name of the entity that issued the certificate. This is the last 'CN = ' segment of the Issuer Name. For example, the value might look similar to this: GeoTrust RSA CA 2018.
X509 Certificate Issuer Name | "x509 certificate issuer name" | The full name of the entity that issued the certificate. For example, the issuer name might look similar to this: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018.
X509 Certificate Not-After Validity Timestamp | "x509 certificate not-after validity timestamp" | The timestamp of the latest time at which the certificate is valid. The value is the number of seconds since the epoch (1970-01-01 00:00:00 UTC). This value may be useful in understanding why the Certificate invalid suspicious content alert was generated.
X509 Certificate Not-Before Validity Timestamp | "x509 certificate not-before validity timestamp" | The timestamp of the earliest time at which the certificate is valid. The value is the number of seconds since the epoch (1970-01-01 00:00:00 UTC). This value may be useful in understanding why the Certificate invalid suspicious content alert was generated.
X509 Certificate Public Key Algorithm | "x509 certificate public key algorithm" | Identifies the algorithm used for the public key in the certificate; for example, rsaEncryption.
X509 Certificate Public Key Size | "x509 certificate public key size" | The size of the public key in the certificate. For example, the size of the key might be 2048 bits. This value can be useful in understanding why a Weak public key length suspicious content alert was generated.


X509 CertificateSerial Number

"x509 certificateserial number"

The serial number of the certificate.

This is a number that uniquely identifies thecertificate at the certificate authority. This valuemay be useful when cross referencing against acertificate revocation list.

X509 CertificateSignatureAlgorithm

"x509 certificatesignature algorithm"

Identifies the algorithm that was used to sign thecertificate. For example, the algorithm might besha256WithRSAEncryption.

If this value doesn't match the To-Be-SignedSignature Algorithm, then a SignatureAlgorithm does not match To-Be-SignedSignature Algorithm suspicious content alertis generated.

X509 CertificateSubject AlternativeNames

"x509 certificatesubject alternativenames"

Names that the certificate can also be used for.

The names are displayed as a comma-separatedlist; For example, www.ibm.com, ibm.com,1.dam.s81c.com, 1.wwwstage.s81c.com,www-01.ibm.com, www-112.ibm.com.

X509 CertificateSubject CommonName

"x509 certificatesubject common name"

The common name of the entity that thecertificate belongs to.

This is the last 'CN = ' segment of the SubjectName; for example, www.ibm.com.

X509 CertificateSubject Name

"x509 certificatesubject name"

The full name of the entity that the certificatebelongs to; For example, C=US, ST=New York,L=Armonk, O=IBM, CN=www.ibm.com.

The Subject Name, Subject Common Name, andSubject Alternative Names fields are useful inproviding context about a flow that wouldotherwise appear as SSL/TLS.

X509 CertificateTo-Be-SignedSignatureAlgorithm

"x509 certificate to-be-signed signaturealgorithm"

Identifies the algorithm that should have beenused to sign the certificate.

If this value doesn't match the SignatureAlgorithm, then a Signature Algorithmdoes not match To-Be-Signed SignatureAlgorithm suspicious content alert isgenerated.

X509 CertificateVersion

"x509 certificateversion"

The version of the X509 protocol that thecertificate conforms to.

For most certificates, this value will be 3.
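As an added illustration of the two algorithm fields that the "Signature Algorithm does not match To-Be-Signed Signature Algorithm" alert compares (standard-library Python written for this page, not QRadar Network Insights code), the block below walks the DER structure of a certificate far enough to read the version, the serial number, the outer signatureAlgorithm and the tbsCertificate.signature field, and flags a disagreement between the two. The certificate bytes it builds are a constructed, certificate-shaped stand-in with placeholder issuer, validity, subject, key and signature; inspect_certificate also accepts a real DER certificate because it never parses past those leading fields.

```python
"""Compare a certificate's outer signatureAlgorithm with the algorithm declared
inside tbsCertificate, the check behind the "Signature Algorithm does not match
To-Be-Signed Signature Algorithm" alert. Minimal DER walker, standard library only."""

# DER content bytes of two AlgorithmIdentifier OIDs (PKCS #1).
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
OID_NAMES = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; the definite-length forms here cover the sample sizes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, content, offset of the next TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(content: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    arcs = list(divmod(content[0], 40))     # first byte packs the first two arcs
    value = 0
    for b in content[1:]:                   # remaining arcs are base-128, MSB first
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_identifier(oid_content: bytes) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }"""
    return der(0x30, der(0x06, oid_content) + der(0x05, b""))


def build_certificate(serial: int, tbs_alg: bytes, outer_alg: bytes) -> bytes:
    """Constructed, certificate-shaped DER for the demonstration (not a usable
    certificate): only version, serial and the two algorithm fields are real;
    issuer, validity, subject, public key and signature are empty placeholders."""
    version = der(0xA0, der(0x02, b"\x02"))                  # [0] EXPLICIT INTEGER 2 = v3
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der(0x30, version + serial_der + algorithm_identifier(tbs_alg)
              + der(0x30, b"") * 4)                           # issuer, validity, subject, SPKI
    signature = der(0x03, b"\x00" * 33)                       # BIT STRING placeholder
    return der(0x30, tbs + algorithm_identifier(outer_alg) + signature)


def inspect_certificate(cert_der: bytes) -> dict:
    """Read version, serial and both algorithm identifiers from a DER certificate
    (works on real certificates too, since nothing past those fields is parsed)."""
    _, cert, _ = read_tlv(cert_der)                           # Certificate SEQUENCE
    _, tbs, after_tbs = read_tlv(cert)                        # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, after_tbs)               # signatureAlgorithm
    tag, content, pos = read_tlv(tbs)
    version = 1                                               # absent version means v1
    if tag == 0xA0:                                           # [0] version present
        version = int.from_bytes(read_tlv(content)[1], "big") + 1
        tag, content, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(content, "big")                   # serialNumber INTEGER
    _, inner_alg, _ = read_tlv(tbs, pos)                      # signature (to-be-signed copy)
    inner = oid_to_str(read_tlv(inner_alg)[1])
    outer = oid_to_str(read_tlv(outer_alg)[1])
    return {
        "version": version,
        "serial": serial,
        "signature_algorithm": OID_NAMES.get(outer, outer),
        "tbs_signature_algorithm": OID_NAMES.get(inner, inner),
        "mismatch_alert": inner != outer,
    }
```

A mismatch between the two fields is not a cryptographic failure by itself; a verifier that checks the outer algorithm against the signed copy would reject the certificate, which is why the condition is reported as suspicious content rather than silently accepted.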

Parsing DNS query and response fields

The following information can help you parse the data in the DNS Query and DNS Response fields.

Note: The DNS Query and DNS Response fields are populated only if the flow has data on a DNS query or DNS response, and the inspection level is set to Enriched.


DNS query

The DNS Query field uses this format, which is described in the following table:

<transaction ID>,<flags>,<query domain>,<request type>

Table 3. Format for DNS query field

Transaction ID
    Used by the DNS client and server to identify the transaction when matching a request to a response.

Flags
    A value of R indicates that recursion was requested; otherwise, the field is empty. When recursion is requested and enabled, the DNS server makes queries on behalf of the client to resolve the domain name.

Query domain
    The domain name that was requested to be resolved.

Request type
    Identifies the type of resource record that was requested, as defined by the Internet Assigned Numbers Authority (IANA). Some of the most common request types include IPv4 host address (A), IPv6 address (AAAA), canonical domain name for the alias (CNAME), the authoritative name server for the domain (NS), and name of the mail exchange server (MX).

For example, this DNS query is parsed like this:

51736,R,<domain name>,A

where
• The transaction ID is 51736.
• Recursion was requested.
• The bracketed location shows the domain name to be resolved.
• The resource record requested is the IPv4 host address (A).

DNS response

The DNS Response field uses this format, which is described in the following table:

<transaction id>,<flags>,<query domain>,<response code>,<num answers>,<num authority>,<num additional>,<answers>

Table 4. Format for DNS Response field

Transaction ID
    Used by the DNS client and server to identify the transaction when matching a request to a response.

Flags
    May be empty, or some combination of A, R, and T, where
    • A means the response is authoritative.
    • R means that recursion is available.
    • T means that the response was truncated.

Query domain
    The domain name that was requested to be resolved.

Response code
    A response code of 0 means that no errors were encountered. All other response code values indicate some type of error. For example, the query may have been formatted improperly or the domain name might not exist.

Num answers
    The number of regular answer records that were returned by the query.

Num authority
    The number of authority answer records that were returned by the query.

Num additional
    The number of additional answer records that were returned by the query.

Answers
    The list of answer responses that were returned by the query. Each answer is separated by the "|" symbol. Authority and additional answers have the same format as regular answers, and are denoted as authority and additional answers based on their location in the answers list.

    In QRadar Network Insights V7.3.1.4 and earlier, the answer responses follow this format:

    <domain name>,<answer type>,<time to live>,<answer fields>

    where
    • Domain name is the name of the domain that the answer applies to.
    • Answer type is the type of record that is supplied. It uses the same type codes as the request type in the DNS query, but does not have to equal it: in the example below, an A query returns NS and A records in the authority and additional sections.
    • Time to live is the number of seconds that the client can cache the information. A value of 0 indicates that the information cannot be cached.
    • Answer fields contain the answer information. Typically, this is only one value, but some answers may contain multiple comma-separated values. For example, if the request type is MX, the answer field might have multiple values if the domain is set up with both primary and secondary mail servers.

    In QRadar Network Insights V7.3.1.5 and later, the answers include the response type and follow this format:

    <domain name>,<response type>,<answer type>,<time to live>,<answer fields>

    The response type field indicates whether the answer is a standard answer (ANS), an authoritative answer (AUTH), or an additional answer (ADD).

For example, in QRadar Network Insights V7.3.1.4, the DNS response to the DNS query above might look like this:

51736,R,<domain name>,0,1,2,2|<domain name>,A,246,145.72.70.20|<domain name>,NS,1359,<auth_name_server1>|<domain name>,NS,1359,<auth_name_server2>|<auth_name_server1>,A,72008,<IPv4 address>|<auth_name_server2>,A,2074,<IPv4 address>

where
• The transaction ID is 51736, which is the same ID that was assigned to the query.
• The "R" indicates that recursion was available and is part of the response.
• The bracketed location shows the domain name to be resolved.
• Response code 0 indicates that no errors were encountered.
• The 1,2,2 sequence indicates that there is 1 standard answer, 2 authority answers, and 2 additional answers.
• The "|" symbol shows the beginning of the answer fields.
• In the first answer, type A correlates to an IPv4 address, which indicates that the <domain name> can be found at 145.72.70.20 (the example address), and it can be cached for 246 seconds.
• The 2nd and 3rd answers specify the authoritative name servers (NS) for the domain.
• The 4th and 5th answers specify the IPv4 addresses for the two authoritative name servers.

In QRadar Network Insights V7.3.1.5 or later, the answer fields include the response type, so the same DNS response might look like this:

51736,R,<domain name>,0,1,2,2|<domain name>,ANS,A,246,145.72.70.20|<domain name>,AUTH,NS,1359,<auth_name_server1>|<domain name>,AUTH,NS,1359,<auth_name_server2>|<auth_name_server1>,ADD,A,72008,<IPv4 address>|<auth_name_server2>,ADD,A,2074,<IPv4 address>
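The two field layouts above, parsed into structures, as an added example (standard-library Python written for this page, not code from the QRadar Network Insights product). It accepts both the V7.3.1.4 and the V7.3.1.5+ answer layouts, assigns ANS/AUTH/ADD by position for the older one, checks that the number of answers matches the three counters, and pulls out the addresses the client actually received. The sample strings are constructed from the page's example, with example.com and RFC 5737 documentation addresses substituted for the bracketed placeholders.

```python
"""Parse the QRadar Network Insights DNS Query and DNS Response field strings."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed samples in the documented layouts: the page's example with
# example.com and RFC 5737 addresses in place of the bracketed placeholders.
SAMPLE_QUERY = "51736,R,example.com,A"
SAMPLE_RESPONSE_V7314 = (                # V7.3.1.4 and earlier: no response-type column
    "51736,R,example.com,0,1,2,2"
    "|example.com,A,246,145.72.70.20"
    "|example.com,NS,1359,ns1.example.net"
    "|example.com,NS,1359,ns2.example.net"
    "|ns1.example.net,A,72008,198.51.100.5"
    "|ns2.example.net,A,2074,198.51.100.6"
)
SAMPLE_RESPONSE_V7315 = (                # V7.3.1.5 and later: ANS/AUTH/ADD column present
    "51736,R,example.com,0,1,2,2"
    "|example.com,ANS,A,246,145.72.70.20"
    "|example.com,AUTH,NS,1359,ns1.example.net"
    "|example.com,AUTH,NS,1359,ns2.example.net"
    "|ns1.example.net,ADD,A,72008,198.51.100.5"
    "|ns2.example.net,ADD,A,2074,198.51.100.6"
)

SECTIONS = ("ANS", "AUTH", "ADD")


@dataclass
class DnsQuery:
    transaction_id: int
    recursion_desired: bool
    domain: str
    request_type: str


@dataclass
class DnsAnswer:
    domain: str
    response_type: str      # ANS, AUTH or ADD
    answer_type: str        # A, AAAA, NS, MX, ...
    ttl: int
    values: List[str]       # answer fields; more than one for e.g. MX


@dataclass
class DnsResponse:
    transaction_id: int
    authoritative: bool
    recursion_available: bool
    truncated: bool
    domain: str
    response_code: int
    counts: Tuple[int, int, int]            # (answers, authority, additional)
    answers: List[DnsAnswer] = field(default_factory=list)


def parse_dns_query(value: str) -> DnsQuery:
    tid, flags, domain, rtype = value.split(",", 3)
    return DnsQuery(int(tid), "R" in flags, domain, rtype)


def _parse_answer(raw: str, section: str) -> DnsAnswer:
    """Accept either layout; 'section' is the type implied by list position."""
    parts = raw.split(",")
    if parts[1] in SECTIONS:                # V7.3.1.5+ carries the type explicitly
        domain, rtype, atype, ttl, *values = parts
    else:                                   # V7.3.1.4: infer it from position
        domain, atype, ttl, *values = parts
        rtype = section
    return DnsAnswer(domain, rtype, atype, int(ttl), values)


def parse_dns_response(value: str) -> DnsResponse:
    header, *raw_answers = value.split("|")
    tid, flags, domain, rcode, n_ans, n_auth, n_add = header.split(",")
    counts = (int(n_ans), int(n_auth), int(n_add))
    # The three counters say how the flat "|"-separated list divides into sections.
    sections = [s for s, n in zip(SECTIONS, counts) for _ in range(n)]
    if len(raw_answers) != len(sections):
        raise ValueError(f"expected {len(sections)} answers, got {len(raw_answers)}")
    resp = DnsResponse(int(tid), "A" in flags, "R" in flags, "T" in flags,
                       domain, int(rcode), counts)
    resp.answers = [_parse_answer(r, s) for r, s in zip(raw_answers, sections)]
    return resp


def matches(query: DnsQuery, response: DnsResponse) -> bool:
    """Pair a response with its query: same transaction ID and queried name."""
    return (query.transaction_id == response.transaction_id
            and query.domain == response.domain)


def resolved_addresses(response: DnsResponse) -> List[str]:
    """Addresses the client actually received for the queried name: A/AAAA
    records in the answer section of a successful (rcode 0) response."""
    if response.response_code != 0:
        return []
    return [v for a in response.answers
            if a.response_type == "ANS" and a.answer_type in ("A", "AAAA")
            for v in a.values]
```

The layout test in _parse_answer relies on ANS, AUTH and ADD not being DNS record type mnemonics, so a second field holding one of them can only be the V7.3.1.5+ response-type column. Keeping authority and additional records out of resolved_addresses matters for detection use: the glue addresses of the name servers are not what the client connected to.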

Advanced inspection

Through comprehensive analysis of the application content, the Advanced inspection level adds further information to the flow attributes that are extracted at the Enriched inspection level.

Additional suspect content can also be detected through the content analysis that occurs at the Advanced inspection level. For example, when set to the Advanced inspection level, QRadar Network Insights looks deep within files to identify suspect content such as embedded scripts in PDF or Microsoft Office documents.

Suspicious content in network flows

IBM QRadar Network Insights checks for suspicious content in network flows at all three inspection levels (Basic, Enriched, and Advanced).

The Suspect Content Descriptions field is populated by multiple data sources, such as website categories, embedded links, and YARA rules, and contains data only when a suspicious entity is detected.

The following list shows examples of the types of suspicious content that are detected at each inspection level:

Basic inspection
• Detected a suspicious IP address reputation for one of the flow's endpoints.

Enriched inspection
• Detected an identified protocol that runs on a non-standard port.
• Detected an SSL/TLS certificate that is used outside of its validity dates.
• Detected the use of a self-signed certificate in SSL/TLS.
• Detected the use of a weak public key length in SSL/TLS.
• Detected suspicious content by scanning with user-provided YARA rules.
• Detected that the category of a website is one of several suspicious entries.

Advanced inspection
• Detected suspicious content in the transferred information.
• Detected excessive numbers of items that were discovered through regular expression matching.
• Detected credit card numbers, social security numbers, IP addresses, and email addresses.
• Detected user-defined items, discovered through regular expression matching, that are marked as suspicious.
• Detected scripts in Office or PDF files.
• Detected embedded links in PDF files.


Including QRadar Network Insights data in searches

You can include QRadar Network Insights content in your data searches by including the content fields in the search criteria.

About this task

To find the names of the QRadar Network Insights content fields that you can search for, refer to the Basic inspection level and the Enriched inspection level content tables.

The name of the content field that you want to search for might differ depending on whether you use a regular search or an advanced search. For a regular search, use the Query Builder name from the content tables. For an advanced search, use the Advanced Search name.

Procedure

1. To include the data fields in a regular search, select the fields from the Column definition section:
   a) On the Network Activity tab, click Search > New Search.
   b) Select the fields in the Search parameters and the Column definition sections.
   For more information about searching by using the query builder, see Creating searches.
2. To include the data in an advanced search, follow these steps:
   a) On the Network Activity tab, click Advanced Search.
   b) In the Advanced Search box, type the Ariel Query Language (AQL) query that specifies the fields that you want and how you want to group them.
   For more information about creating advanced searches, see Advanced search options.


Chapter 4. QRadar Network Insights content extensions

The IBM QRadar Network Insights content extension provides additional QRadar rules, reports, searches, and custom properties for administrators. This custom rule engine content focuses on providing analysis, alerts, and reports for QRadar Network Insights deployments.

Note: As of content extension V1.3.0, the QRadar Network Insights content extension is only supported by QRadar V7.3.0 or later.

Content extension V1.1.0

The IBM QRadar Network Insights content extension V1.1.0 adds rules, searches, reports, and custom property extractions that focus on providing analysis, alerts, and reports for QRadar Network Insights.

This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920). When an administrator installs this content pack, they are prompted to overwrite existing content because some custom properties are updated as part of this content pack.

Custom event properties added by content extension V1.1.0

The QRadar Network Insights content extension V1.1.0 includes new and updated custom event properties for capturing network content from events and flows, such as recipient users, file hash, file names, content subject, and reject code.

Table 5. Custom event properties in content extension V1.1.0

Name                  Property type  Regular expression
Action                Flow           IBM\(APP_ACTION\)=([^;]+);
Content Subject       Flow           IBM\(SUBJECT\)=([^;]+);
Content_Type          Flow           IBM\(HTTP_CONT_TYPE\)=([^;]+);
DNS_Query_String      Flow           IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);
DNS_Response_String   Flow           IBM\(DNS_RESP_SDATA\)=\(([^)]+)\);
File Hash             Flow           IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);
File Name             Flow           IBM\(CONTENT_FILE_NAME\)=([^;]+);
File_Size             Flow           IBM\(HTTP_FILES_SIZE\)=([^;]+);
HTTP Host             Flow           IBM\(HTTP_HOST\)=([^;]+);
HTTP Referrer         Flow           IBM\(HTTP_REFER\)=([^;]+);
HTTP Response Code    Flow           IBM\(HTTP_RETURN_CODE\)=([^;]+);
HTTP Server           Flow           IBM\(HTTP_SRV\)=([^;]+);
HTTP User-Agent       Flow           IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);
HTTP Version          Flow           IBM\(HTTP_VRS\)=HTTP/([^;]+);
IP_Dest_Reputation    Flow           IBM\(IP_DST_REP\)=([^;]+);
Originating_User      Flow           IBM\(ORIG_USER\)=([^;]+);
Password              Flow           IBM\(ACTPASSWD\)=([^;]+);
Recipient User        Event          Multiple regular expressions for Microsoft Exchange, Linux OS, Solaris OS, and the Barracuda Spam and Virus Firewall.
Recipient Users       Flow           IBM\(DEST_USER_LIST\)=\(([^)]+)\);
Reject Code           Event          Multiple regular expressions for Microsoft Exchange, Linux OS, Solaris OS, and the Barracuda Spam and Virus Firewall.
Request_URL           Flow           IBM\(REQ_URL\)=([^;]+);
Search_Arguments      Flow           IBM\(HTTP_SEARCH_ARGS\)=([^;]+);
SMTP HELO             Flow           IBM\(SMTPHELO\)=([^;]+);
Suspect_Content       Flow           IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\);
Web_Categories        Flow           IBM\(HTTP_CONT_CATEGORY_LIST\)=\(([^)]+)\);
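To show what these expressions extract, and how the extracted File Hash feeds the file-hash rule described in the next section, here is an added example in Python (written for this page; it is not part of the content extension). It runs a subset of the Table 5 expressions, copied verbatim, over a constructed payload. The "IBM(NAME)=value;" token layout of that payload is an assumption inferred from the expressions themselves, since the page does not show the real QRadar Network Insights payload; the reference set is likewise a constructed stand-in for the "Malware Hashes MD5" reference data, seeded with the well-known MD5 of the EICAR test file.

```python
"""Run the content extension's flow custom-property regular expressions over a
payload and evaluate a simplified 'Observed File Hash Associated with Malware
Threat' check against a reference set."""
import re

# Regular expressions exactly as listed in Table 5; group 1 is the extracted value.
FLOW_PROPERTY_REGEX = {
    "HTTP Host": r"IBM\(HTTP_HOST\)=([^;]+);",
    "Request_URL": r"IBM\(REQ_URL\)=([^;]+);",
    "HTTP User-Agent": r"IBM\(HTTP_UA\)=([A-Za-z0-9\s\-_.,:;()/\\]+);",
    "HTTP Version": r"IBM\(HTTP_VRS\)=HTTP/([^;]+);",
    "HTTP Response Code": r"IBM\(HTTP_RETURN_CODE\)=([^;]+);",
    "File Hash": r"IBM\(HTTP_FILES_CKSUM\)=0x([^;]+);",
    "File_Size": r"IBM\(HTTP_FILES_SIZE\)=([^;]+);",
    "DNS_Query_String": r"IBM\(DNS_QUERY_SDATA\)=\(([^)]+)\);",
    "Suspect_Content": r"IBM\(SUSPECT_CONT_LIST\)=\(([^)]+)\);",
}

# Constructed payload in the "IBM(NAME)=value;" token layout that the expressions
# imply. The real QRadar Network Insights payload layout is not shown on this page,
# so this sample is an assumption that only exercises the expressions.
SAMPLE_PAYLOAD = (
    "IBM(HTTP_HOST)=downloads.example.com;"
    "IBM(REQ_URL)=/files/invoice.pdf;"
    "IBM(HTTP_UA)=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101;"
    "IBM(HTTP_VRS)=HTTP/1.1;"
    "IBM(HTTP_RETURN_CODE)=200;"
    "IBM(HTTP_FILES_CKSUM)=0x44d88612fea8a8f36de82e1278abb02f;"   # EICAR test file MD5
    "IBM(HTTP_FILES_SIZE)=68;"
    "IBM(DNS_QUERY_SDATA)=(51736,R,downloads.example.com,A);"
    "IBM(SUSPECT_CONT_LIST)=(Self-signed certificate,Weak public key length);"
)

# Constructed stand-in for the "Malware Hashes MD5" reference set the extension requires.
MALWARE_HASHES_MD5 = {"44d88612fea8a8f36de82e1278abb02f"}


def extract_flow_properties(payload: str) -> dict:
    """Apply each expression once, the way a custom property extraction does."""
    found = {}
    for name, pattern in FLOW_PROPERTY_REGEX.items():
        match = re.search(pattern, payload)
        if match:
            found[name] = match.group(1)
    return found


def typed_file_size(props: dict):
    """V1.2.0 made File_Size numeric; return None when it is absent or not a number."""
    try:
        return int(props["File_Size"])
    except (KeyError, ValueError):
        return None


def file_hash_matches_threat_feed(props: dict, feed=MALWARE_HASHES_MD5) -> bool:
    """Simplified form of the 'Observed File Hash Associated with Malware Threat'
    rule: the extracted File Hash is looked up in the reference set."""
    return props.get("File Hash", "").lower() in feed
```

Two properties of the expressions are worth knowing when you tune them. The User-Agent pattern uses a character class that includes ";" rather than the `[^;]+` used elsewhere, because user agents contain semicolons; it stops only when the next property's "=" ends the run and then backtracks to the last ";" before it, so the sample's "(Windows NT 10.0; Win64; x64)" survives intact. The list properties (DNS_Query_String, Suspect_Content, Recipient Users, Web_Categories) capture with `[^)]+`, so a list item that itself contains ")" would be cut short at that character.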

Rules added by content extension V1.1.0

The QRadar Network Insights content extension V1.1.0 includes four new rules that trigger on file hashes and potential spam/phishing attempts.

Table 6. Rules added in content extension V1.1.0

Observed File Hash Associated with Malware Threat
    This rule triggers when flow content includes a file hash that matches known bad file hashes included in a threat intelligence data feed. It indicates that someone transferred malware over the network.

Observed File Hash Seen Across Multiple Hosts
    This rule triggers when the same file hash that is associated with malware is seen being transferred to multiple destinations.

Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
    This rule triggers when rejected email events sent to a non-existent recipient address are seen in the system. This might indicate a spam or phishing attempt.
    Configure the BB:CategoryDefinition: Rejected Email Recipient building block to include the QRadar IDs (QIDs) relevant to your organization. It is pre-populated with QIDs for monitoring Microsoft Exchange, Linux OS (running sendmail), Solaris Operating System Sendmail Logs, and the Barracuda Spam & Virus Firewall.

Potential Spam/Phishing Subject Detected from Multiple Sending Servers
    This rule triggers when multiple servers send the same email subject in a period, which might indicate spam or phishing.

Searches added by content extension V1.1.0

The QRadar Network Insights content extension V1.1.0 includes four new searches. These searches are designed to help users sort malware and phishing content from flow data by using file and hash information or content subject information from emails.

The following searches were added in content extension V1.1.0:
• Malware Distribution by File and Hash
• Malware by Hash and Source Asset
• Malware Traffic Summary
• Phishing Subjects by Recipient User

Reports added by content extension V1.1.0

The QRadar Network Insights content extension V1.1.0 includes three new reports for security teams. These reports run searches that identify email phishing by subject content and malware by using file and hash information from flow data. The reports run either weekly or daily.

Table 7. Reports added in content extension V1.1.0

Report name                                    Report schedule
Top Phishing Subjects by Recipient User (QNI)  Weekly
Top Malware by Asset (QNI)                     Daily
Malware Distribution by File (QNI)             Daily

Custom functions added by content extension V1.1.0

A custom AQL function, EMAIL::ISREPLY, can be called on Content Subjects from an Advanced Search on the Network Activity tab. The purpose of this custom function is to distinguish email subjects that are replies from those of original emails: it checks whether the subject extracted from the flow data contains "RE:". For example, an AQL query can search flow data for email subjects that are not null (no email subject) and that are not replies (RE: [email subject content]), which isolates original phishing emails; inverting the condition locates replies (RE:) to phishing emails within your organization.


Table 8. Custom functions added in content extension V1.1.0

Custom function: isReply()
Usage: EMAIL::ISREPLY(Content_Subject)
Namespace: Email
Name/Execute Function Name: isReply
Description: This function checks whether the property Content_Subject contains "Re:".

Other reference content required by content extension V1.1.0

In most cases, these building blocks and reference data sets already exist within QRadar, so no updates are required. However, this content is required for the rules, searches, reports, and custom properties included in the QRadar Network Insights content pack. If the content below does not exist in QRadar, it is created by this content pack.

Building blocks that are required by the QRadar Network Insights content extension:
• BB:HostDefinition: Mail Servers
• BB:HostReference: Mail Servers
• BB:PortDefinition: Mail Ports

Reference data that is required by the QRadar Network Insights content extension:
• Malware Hashes SHA
• Malware Hashes MD5
• Phishing Subjects
• Mail Servers

Content extension V1.2.0

The IBM QRadar Network Insights content extension V1.2.0 adds rules and custom property extractions that focus on providing analysis, alerts, and reports for QRadar Network Insights.

This extension is intended to add content for administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920).

Note: Some custom properties are updated in this content pack. When an administrator installs it, they are prompted to overwrite the existing content.


Custom event properties and rules added by content extension V1.2.0

Table 9. Custom event properties and rules

Custom property: File_Size (flows)
    Updated the File_Size (flows) custom property to change the field type from alphanumeric to numeric. This update also optimizes the custom property for both source payloads and destination payloads.

Rule: Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
    Updated the rule action to select "Ensure the detected event is part of an offense". In V1.1.0, this check box was not selected; V1.2.0 corrects this to ensure that offenses are created.

Rule: Access to Improperly Secured Service - Certificate Invalid
    New rule added for QRadar Network Insights to detect an SSL/TLS session that uses an invalid certificate.

Rule: Access to Improperly Secured Service - Weak Public Key Length
    New rule added for QRadar Network Insights to detect an SSL/TLS session that uses a weak public key length.

Rule: Access to Improperly Secured Service - Certificate Expired
    New rule added for QRadar Network Insights to detect an SSL/TLS session that uses an expired certificate.

Rule: Access to Improperly Secured Service - Self Signed Certificate
    New rule added for QRadar Network Insights to detect an SSL/TLS session that uses a self-signed certificate.

Content extension V1.3.0

The IBM QRadar Network Insights content extension V1.3.0 adds support for QRadar versions 7.3.0 and later.

This extension is intended for administrators who have QRadar Network Insights appliances in their deployment (appliance type 1901 or 1920). Custom properties from previous versions of the QRadar Network Insights content extension are now type-length-value (TLV) fields.

Note: Some custom properties are updated in this content pack; existing content might need to be overwritten.

Content extension V1.4.0

The IBM QRadar Network Insights content extension V1.4.0 adds rules, reports, saved searches, and building blocks that focus on providing analysis, alerts, and reports for QRadar Network Insights.

It also adds integration between QRadar Network Insights and User Behavior Analytics rules. The User Behavior Analytics rules are enabled by default, but if you are not using the User Behavior Analytics app, you can disable them.

The following table shows the custom AQL functions in IBM QRadar Network Insights Content Extension V1.4.0.


Table 10. Custom AQL functions in IBM QRadar Network Insights Content Extension V1.4.0

isReply
    Returns true or false depending on whether a string is the typical subject line of a response email.

The following table shows the rules and building blocks in IBM QRadar Network Insights Content Extension V1.4.0.

Table 11. Rules and building blocks in IBM QRadar Network Insights Content Extension V1.4.0

Building block: BB:CategoryDefinition: Countries/Regions with Restricted Access
    Edit this building block to include any geographic location that typically would not be allowed to access the enterprise. After it is configured, you can enable the QNI: Confidential Content Being Transferred to Foreign Geography rule.

Rule: QNI: Confidential Content Being Transferred to Foreign Geography
    Detects confidential content that is being transferred to countries/regions with restricted access.

Rules: UBA : QNI - <rule name>
    Each of the following rules sends events to the User Behavior Analytics app based on the QNI rule of the same name, with a senseValue assigned to it. This senseValue is used when the User Behavior Analytics app calculates a risk score for a user.
    • UBA : QNI - Confidential Content Being Transferred to Foreign Geography
    • UBA : QNI - Potential Spam/Phishing Subject Detected from Multiple Sending Servers
    • UBA : QNI - Potential Spam/Phishing Attempt Detected on Rejected Email Recipient
    • UBA : QNI - Observed File Hash Associated with Malware Threat
    • UBA : QNI - Observed File Hash Seen Across Multiple Hosts
    • UBA : QNI - Access to Improperly Secured Service - Weak Public Key Length
    • UBA : QNI - Access to Improperly Secured Service - Certificate Invalid
    • UBA : QNI - Access to Improperly Secured Service - Certificate Expired
    • UBA : QNI - Access to Improperly Secured Service - Self Signed Certificate

The following table shows the report in IBM QRadar Network Insights Content Extension V1.4.0.

Table 12. Report in IBM QRadar Network Insights Content Extension V1.4.0

Report name: User File Transfer by Content Type
Search name and dependencies: the saved searches File Transfer by Originating User and Content Type and File Transfer by Source IP and Content Type

The following table shows the saved searches in IBM QRadar Network Insights Content Extension V1.4.0.

Table 13. Saved searches in IBM QRadar Network Insights Content Extension V1.4.0

File Transfer by Originating User and Content Type
    This log and network activity search matches file transfers by their originating users and content types.

File Transfer by Source IP and Content Type
    This log and network activity search matches file transfers by their source IP addresses and content types.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.


The licensed program described in this document and all licensed material available for it are provided byIBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or anyequivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actualperformance results may vary depending on specific configurations and operating conditions..

Information concerning non-IBM products was obtained from the suppliers of those products, theirpublished announcements or other publicly available sources. IBM has not tested those products andcannot confirm the accuracy of performance, compatibility or any other claims related to non-IBMproducts. Questions on the capabilities of non-IBM products should be addressed to the suppliers ofthose products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.


IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user's session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled "Cookies, Web Beacons and Other Technologies", and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.

General Data Protection Regulation

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about the IBM GDPR readiness journey and our GDPR capabilities and Offerings here: https://ibm.com/gdpr
