A well-defined and maintained network hierarchy helps prevent false positive offenses. The network hierarchy defines which IP addresses and subnets are part of your network. Ensure that all internal address spaces, both routable and non-routable, are defined within your IBM® QRadar® network hierarchy so that QRadar can distinguish your local network from remote networks. Event and flow context is based on whether the source and destination IPs are local or remote, and both that context and the data from your network hierarchy are used in rule tests.
Procedure
- From the navigation menu, click Network Hierarchy.
- Optional: Watch tuning videos to learn more about your network hierarchy and how to keep it up to date.
- Check the network hierarchy list to see which parts of your network hierarchy are not yet updated.
- Check for R2R (Remote to Remote) events. The report identifies events with R2R direction or context. When an event has R2R direction, both its source and destination IPs are remote and are not part of your local network. This means that traffic is flowing from one remote network to another remote network, which indicates a possible network hierarchy misconfiguration.
  - Consider whether one or both of the event IPs are local and, if so, add them to the network hierarchy.
  - Use the Source IP, Source Company, Destination IP, and Destination Company columns in the report to identify IPs that are local to your network.
  - After you identify the local IP addresses, either add them from the Network Hierarchy page on the Admin tab or select them in the report to add them in the app.
- On the Admin tab, click Deploy changes.
- Explore the rules that use your network hierarchy either directly or indirectly. Review and update any rules or building blocks (BBs) that are out of date.
  - To review a rule in detail, select it from the list and then zoom in on the diagram. Drag the rule and BB icons on the pane.
  - In the right pane of the window, click List view and then toggle between Filtered BBs and All BBs to fine-tune the list. Filtered BBs displays the dependencies of the selected rule that have network tests. All BBs displays every BB that the selected rule uses.
  - Click Show dependency tree to see the dependencies and the dependents of the selected BB. Dependencies are the BBs that the selected building block references either directly or indirectly; if you update any of the dependencies, the building block is affected. Dependents are the items that reference the selected BB either directly or indirectly; if you update the building block, its dependents are affected.
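The local/remote classification behind the R2R check can be reproduced outside the console to triage a report export before editing the hierarchy. The following Python script is an added example and is not part of QRadar or its documentation. It assumes a constructed network hierarchy (a mapping of hierarchy object names to CIDRs) and constructed event rows carrying the report's Source IP and Destination IP values; the field names `src` and `dst` are this example's own. It classifies each event as L2L, L2R, R2L or R2R, flags the R2R events whose addresses fall in RFC 1918 or RFC 6598 space as likely internal ranges that are missing from the hierarchy, and aggregates those addresses into /24 candidates.

```python
"""Classify events as L2L/L2R/R2L/R2R against a network hierarchy and
flag R2R events that point at undefined internal address space.

Added example; not part of the IBM QRadar product or documentation.
The hierarchy and the event rows below are constructed sample data.
"""
import ipaddress
from collections import Counter

# Constructed network hierarchy: the CIDRs an analyst has declared local.
# 172.16.0.0/12 is deliberately absent to show how an undefined internal
# range surfaces as R2R traffic.
NETWORK_HIERARCHY = {
    "Corporate.Users": ["10.10.0.0/16"],
    "Corporate.Servers": ["10.20.0.0/16", "192.168.50.0/24"],
    "DMZ": ["203.0.113.0/24"],
}

# RFC 1918 private ranges plus RFC 6598 shared address space. An address from
# one of these that is classified "remote" is almost certainly an internal
# range that the hierarchy does not yet define.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def build_local_networks(hierarchy):
    """Flatten the hierarchy into (object name, network) pairs."""
    return [(name, ipaddress.ip_network(cidr))
            for name, cidrs in hierarchy.items() for cidr in cidrs]


def locate(ip, local_nets):
    """Return the hierarchy object name that contains ip, or None if remote."""
    addr = ipaddress.ip_address(ip)
    for name, net in local_nets:
        if addr in net:
            return name
    return None


def direction(src, dst, local_nets):
    """Event direction in QRadar's notation: L2L, L2R, R2L or R2R."""
    s = "L" if locate(src, local_nets) else "R"
    d = "L" if locate(dst, local_nets) else "R"
    return f"{s}2{d}"


def is_non_routable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def find_r2r_candidates(events, hierarchy):
    """Return the R2R events together with the IPs that look like undefined
    internal space (the addresses worth adding to the hierarchy)."""
    local_nets = build_local_networks(hierarchy)
    findings = []
    for ev in events:
        if direction(ev["src"], ev["dst"], local_nets) != "R2R":
            continue
        suspects = [ip for ip in (ev["src"], ev["dst"]) if is_non_routable(ip)]
        findings.append({"src": ev["src"], "dst": ev["dst"], "likely_local": suspects})
    return findings


def suggest_cidrs(findings, prefixlen=24):
    """Aggregate suspect IPs into candidate networks, counted by hits.
    The /24 default is a heuristic starting point, not a real boundary."""
    nets = Counter()
    for f in findings:
        for ip in f["likely_local"]:
            nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return nets


# Constructed sample events; src/dst mirror the report's Source IP / Destination IP.
SAMPLE_EVENTS = [
    {"src": "10.10.4.7",     "dst": "198.51.100.20"},  # L2R
    {"src": "198.51.100.20", "dst": "192.168.50.9"},   # R2L
    {"src": "172.20.1.15",   "dst": "10.20.3.3"},      # R2L: src undefined, dst local
    {"src": "172.20.1.15",   "dst": "172.20.1.200"},   # R2R: both in undefined internal range
    {"src": "172.20.1.16",   "dst": "198.51.100.77"},  # R2R: undefined internal -> internet
    {"src": "198.51.100.5",  "dst": "198.51.100.6"},   # R2R: genuinely external, no suspect
]

if __name__ == "__main__":
    local = build_local_networks(NETWORK_HIERARCHY)
    for ev in SAMPLE_EVENTS:
        print(ev["src"], "->", ev["dst"], direction(ev["src"], ev["dst"], local))
    r2r = find_r2r_candidates(SAMPLE_EVENTS, NETWORK_HIERARCHY)
    print("R2R events:", len(r2r))
    print("Candidate hierarchy additions:", dict(suggest_cidrs(r2r)))
```

To use it on real data, replace `SAMPLE_EVENTS` with the rows of an exported R2R report and `NETWORK_HIERARCHY` with your current hierarchy objects. An R2R event with no non-routable address (the last sample row) is legitimate external-to-external traffic and needs no hierarchy change; an R2R event whose addresses land in private space is the misconfiguration the procedure above is looking for. The /24 aggregation only groups the evidence; the object boundaries you add should follow your own addressing plan.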