The network hierarchy is a description of the internal model of the organization's network. The network model lets you describe all internal segments of the network, including the server segment, DMZ, user segment, Wi-Fi and so on. This data is needed to enrich registered Offenses; you can use the network model data in rules, searches, filters and reports, and it is also required for accurate resource identification.
To set up the network hierarchy in QRadar, open the web console and go to Admin – Network Hierarchy.
You can use the default groups and simply populate them, or create custom groups.
After adding a group, perform 'Deploy Changes.'
You can then use those networks when writing analytics and creating searches or filters.
Network information is also displayed in the registered Offense, which helps you determine the source of the events.
How to use this in rules
Go to the Offenses – Rules tab. Choose Actions – New Rule. Then, in the graphical rule editor, select a condition (for example, 'when the local network is one of the following networks') and open the network selection by clicking the link:
Select a network; any network you added to the network hierarchy is available here.
Using the network hierarchy lets you write more flexible analytics to detect anomalies and information security incidents in the organization's infrastructure.
If the contents of a group change, you do not need to edit the rules: the condition is applied automatically to the new sources in the group.
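As an added illustration (not part of the original article and not QRadar code), the following Python models how a network hierarchy enriches events with network names and how a rule condition on a group keeps matching after the group's CIDRs change; the group names, CIDR blocks and event records are constructed sample values.

```python
import ipaddress

# Constructed network hierarchy (example values, not from a real deployment):
# group name -> list of CIDR blocks, mirroring QRadar's group/network objects.
HIERARCHY = {
    "Servers": ["10.10.0.0/16"],
    "DMZ": ["192.0.2.0/24"],
    "Users": ["10.20.0.0/16"],
    "WiFi": ["10.30.0.0/16"],
}

def build_hierarchy(groups):
    """Parse CIDRs once and sort most-specific first so overlapping
    definitions resolve by longest prefix match."""
    entries = [(ipaddress.ip_network(c, strict=False), g)
               for g, cidrs in groups.items() for c in cidrs]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries

def classify(ip, hierarchy):
    """Return the group of the most specific network containing ip,
    or 'Remote' when the address is outside the modelled network."""
    addr = ipaddress.ip_address(ip)
    for net, group in hierarchy:
        if addr in net:
            return group
    return "Remote"

def enrich(events, hierarchy):
    """Add src_net / dst_net to each event, the way QRadar attaches
    hierarchy names to offenses and search results."""
    return [dict(ev, src_net=classify(ev["src_ip"], hierarchy),
                 dst_net=classify(ev["dst_ip"], hierarchy)) for ev in events]

def rule_matches(event, networks):
    """Model of the condition 'when the local network is one of the
    following networks': membership is resolved at match time, so
    changing a group's CIDRs needs no edit to the rule."""
    return event["src_net"] in networks or event["dst_net"] in networks

# Constructed sample events (documentation address ranges).
EVENTS = [
    {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
    {"src_ip": "10.20.4.9", "dst_ip": "10.10.1.1"},
    {"src_ip": "10.30.2.2", "dst_ip": "198.51.100.5"},
]

if __name__ == "__main__":
    for e in enrich(EVENTS, build_hierarchy(HIERARCHY)):
        print(e, "DMZ rule:", rule_matches(e, {"DMZ"}))
```

Extending a group (for example adding a second CIDR to "DMZ") changes only HIERARCHY; the same rule_matches call then fires for the newly covered addresses.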
How to use this in Search
Go to the Log Activity – Search – New Search tab.
You can use network conditions in the search parameters.
You can also add grouping by network to the Search, or simply display the network columns.
The search results will display the networks described in the network hierarchy.
Using Networks in Filters
Go to the Log Activity tab and choose Add Filter.
Filtering events by specific networks allows you to prioritize the response to events related to those networks.
Network Hierarchy in Offenses
Go to the Offenses – All Offenses tab.
Open an offense to see its details.
The 'Network' field displays all networks affected by the selected offense, which allows you to make quick decisions about registered offenses.