Reviewing Your Network Hierarchy
A well-defined and maintained network hierarchy helps prevent false positive offenses. The network hierarchy defines which IP addresses and subnets are part of your network. Ensure that all internal address spaces, both routable and non-routable, are defined within your QRadar network hierarchy so that QRadar can distinguish your local network from remote networks. Event and flow context is derived from whether the source and destination IP addresses are local or remote, and that context, together with the data in your network hierarchy, is used in rule tests.
- From the navigation menu, click Network Hierarchy.
- Optional: Watch tuning videos to learn more about your network hierarchy and how to keep it up to date.
- Check the network hierarchy list to see which parts of your network hierarchy are not yet updated.
- Check for R2R (Remote to Remote) events. The report identifies events with R2R direction or context. When an event has R2R direction, both its source and destination IPs are remote and are not part of your local network. This means that traffic is passing from one remote network to another remote network, which indicates a possible network hierarchy misconfiguration.
  Consider whether one or both of the event IPs are actually local and, if so, add them to the network hierarchy.
  Use the Source IP, Source Company, Destination IP, and Destination Company columns in the report to identify IPs that are local to your network.
  After you identify the local IP addresses, either add them from the Network Hierarchy page on the Admin tab or select them in the report to add them in the app.
  On the Admin tab, click Deploy changes.
- Explore the rules that use your network hierarchy either directly or indirectly. Review and update any rules or building blocks (BBs) that are out of date.
  To review a rule in detail, select it from the list and then zoom in on the diagram. Drag the rule and BB icons around the pane as needed.
  In the right pane of the window, click List view and then toggle between Filtered BBs and All BBs to fine-tune the list. "Filtered BBs" displays only those dependencies of the selected rule that have network tests. "All BBs" displays all the BBs that are used by the selected rule.
  Click Show dependency tree to see the dependencies and the dependents of the selected BB.
  Dependencies are the items that the selected building block references, either directly or indirectly; if you update any of the dependencies, the building block is affected. Dependents are the items that reference the selected BB, either directly or indirectly; if you update the building block, its dependents are affected.
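The R2R check above comes down to one classification: an event is Remote to Remote when neither endpoint falls inside any network-hierarchy object. The following script is an added example (not QRadar code and not the Use Case Manager app's own logic) that reproduces that classification offline. It assumes a hypothetical hierarchy given as a label-to-CIDR map, a constructed set of events in the shape of the report's Source IP and Destination IP columns, and treats RFC 1918 addresses that are not yet in the hierarchy as the candidates a reviewer would consider adding. It goes one step past the text by collapsing those candidates into /24 subnets for review.

```python
import ipaddress

# Constructed network hierarchy (hypothetical object names and CIDRs, not a real deployment).
NETWORK_HIERARCHY = {
    "Corporate.Users": "10.10.0.0/16",
    "Corporate.Servers": "10.20.0.0/16",
    "DMZ.Web": "203.0.113.0/24",
}

# RFC 1918 space: an address here that is NOT covered by the hierarchy is a likely
# undefined internal subnet and therefore a candidate for the hierarchy.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events, mirroring the Source IP / Destination IP report columns.
SAMPLE_EVENTS = [
    {"id": 1, "src": "10.10.5.20", "dst": "10.20.1.4"},       # both defined -> L2L
    {"id": 2, "src": "10.10.5.20", "dst": "198.51.100.7"},    # local to Internet -> L2R
    {"id": 3, "src": "10.30.7.9", "dst": "10.30.7.10"},       # undefined internal subnet -> R2R
    {"id": 4, "src": "198.51.100.7", "dst": "172.16.4.4"},    # Internet to undefined internal -> R2R
]


def compile_hierarchy(hierarchy):
    """Parse the label -> CIDR map into (label, network) pairs, most specific prefix first."""
    nets = [(label, ipaddress.ip_network(cidr)) for label, cidr in hierarchy.items()]
    return sorted(nets, key=lambda pair: pair[1].prefixlen, reverse=True)


def hierarchy_object(ip, nets):
    """Return the hierarchy object covering ip (longest prefix wins), or None if remote."""
    addr = ipaddress.ip_address(ip)
    for label, net in nets:
        if addr in net:
            return label
    return None


def direction(src, dst, nets):
    """Classify an event as L2L, L2R, R2L or R2R from the locality of its endpoints."""
    src_local = hierarchy_object(src, nets) is not None
    dst_local = hierarchy_object(dst, nets) is not None
    if src_local and dst_local:
        return "L2L"
    if src_local:
        return "L2R"
    if dst_local:
        return "R2L"
    return "R2R"


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def r2r_report(events, hierarchy):
    """Return the R2R events together with endpoints that look like undefined internal space."""
    nets = compile_hierarchy(hierarchy)
    report = []
    for ev in events:
        if direction(ev["src"], ev["dst"], nets) != "R2R":
            continue
        candidates = sorted((ip for ip in (ev["src"], ev["dst"]) if is_rfc1918(ip)),
                            key=ipaddress.ip_address)
        report.append({"id": ev["id"], "src": ev["src"], "dst": ev["dst"], "candidates": candidates})
    return report


def suggested_additions(events, hierarchy, prefixlen=24):
    """Collapse candidate IPs into subnets of the given length to review before adding them."""
    subnets = set()
    for row in r2r_report(events, hierarchy):
        for ip in row["candidates"]:
            subnets.add(str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)))
    return sorted(subnets)


if __name__ == "__main__":
    for row in r2r_report(SAMPLE_EVENTS, NETWORK_HIERARCHY):
        print(row)
    print("subnets to review for the hierarchy:", suggested_additions(SAMPLE_EVENTS, NETWORK_HIERARCHY))
```

Events 1 and 2 are not reported because at least one endpoint is covered by the hierarchy; events 3 and 4 are, and the 10.30.7.0/24 and 172.16.4.0/24 candidates are what a reviewer would verify against the Source Company and Destination Company columns before adding them and deploying changes. The /24 collapse is a review aid only: the correct object size is whatever your address plan actually uses.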
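The dependency tree described above is a directed graph of rules and building blocks, and the two views (dependencies, dependents) are transitive walks in opposite directions. The script below is an added example, not code from QRadar or the Use Case Manager app, that computes both walks and the "Filtered BBs" subset over a constructed, hypothetical reference graph; the rule and BB names and the set of BBs flagged as having network tests are assumptions made for the example.

```python
from collections import deque

# Constructed, hypothetical reference graph: node -> building blocks it references directly.
REFERENCES = {
    "Rule: Remote Access From Internet": ["BB: Remote Sources", "BB: Admin Services"],
    "Rule: Internal Scan": ["BB: Local Hosts"],
    "BB: Remote Sources": ["BB: Local Hosts"],
    "BB: Admin Services": [],
    "BB: Local Hosts": ["BB: Corporate Subnets"],
    "BB: Corporate Subnets": [],
}

# Constructed assumption: which BBs contain network-hierarchy tests (the "Filtered BBs" view).
NETWORK_TEST_BBS = {"BB: Remote Sources", "BB: Local Hosts", "BB: Corporate Subnets"}


def _walk(start, neighbours):
    """Breadth-first transitive closure from start, excluding start itself; cycle-safe."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours(node):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def dependencies(node, refs=REFERENCES):
    """Everything the node references, directly or indirectly."""
    return _walk(node, lambda n: refs.get(n, []))


def dependents(node, refs=REFERENCES):
    """Everything that references the node, directly or indirectly."""
    reverse = {}
    for src, targets in refs.items():
        for tgt in targets:
            reverse.setdefault(tgt, []).append(src)
    return _walk(node, lambda n: reverse.get(n, []))


def filtered_bbs(rule, refs=REFERENCES, network_bbs=NETWORK_TEST_BBS):
    """Dependencies of a rule that carry network tests, i.e. the ones a hierarchy change can affect."""
    return sorted(dependencies(rule, refs) & network_bbs)


def affected_rules(bb, refs=REFERENCES):
    """Rules whose behaviour may change when the given BB is edited."""
    return sorted(d for d in dependents(bb, refs) if d.startswith("Rule:"))


if __name__ == "__main__":
    print("All BBs:", sorted(dependencies("Rule: Remote Access From Internet")))
    print("Filtered BBs:", filtered_bbs("Rule: Remote Access From Internet"))
    print("Rules affected by editing BB: Corporate Subnets:", affected_rules("BB: Corporate Subnets"))
```

The practical use is impact analysis after a hierarchy change: run `affected_rules` for each network-definition BB you edited, and that is the list of rules to re-test for false positives before deploying.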