Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Application Identification

The Flow Processor process uses algorithms to determine the flow application. Each algorithm relies on different types of information to determine the application.

The application determination algorithms are shown in the following table:

Table 1: Application Determination Algorithms

Numeric value

Algorithm name

Description

2

Application signatures

A payload-based algorithm that looks at the way that the payload is structured.

This algorithm uses information from the signatures.xml file.

3

State-based decoding

A payload-based algorithm that uses complex internal logic.

4

JSA port-based mapping

A port-based algorithm that uses a pre-defined list of application mappings.

This algorithm uses information from the /opt/qradar/conf/appid_map.conf file.

5

User port-based mapping

A port-based algorithm that uses a customizable list of application mappings.

Use this algorithm to add new port-based mappings or reclassify existing mappings that come with JSA.

This algorithm uses information from the /opt/qradar/conf/user_application_mapping.conf file.

6

ICMP protocol mapping

A protocol-based algorithm that looks at the protocol type and code.

7

Flow exporter

An algorithm that relies on the Flow Exporter to determine the application.

You can see which type of application detection algorithm that JSA used in the Application Determination Algorithm field on the Flow Information window.

Custom Applications

If your organization has non-standard or customized applications, you can add them to the /opt/qradar/conf/user_application_mapping.conf or signatures.xml files.

You can use the Application Determination Algorithm field to check that the correct algorithm was used to identify your customized applications. For example, you might define a custom application based on the port usage. Flows from that application are identified by algorithm 5, which is User Port Based Mapping. By verifying the algorithm that is used to identify the application, you can assign a level of confidence to the application mapping.

Displaying the Application Determination Algorithm Field in Search Results

Use the search feature to add the application determination algorithm to the Flow Details window. You can use the application identification algorithm to identify the criteria that JSA used to identify which application the flow originated from.

  1. Click the Network Activity tab.

  2. From the Search list, select New Search.

  3. In the Column Definition section, scroll down the list of available columns and add Application Determination Algorithm to the list of columns to display.

  4. Click Filter.

    The Application Determination Algorithm column appears on the Network Activity tab, displaying a value that represents the algorithm that was used.

  5. Pause the event streaming and click a flow to investigate further in the Flow Details window.

The Application Determination Algorithm now appears in the Flow Details window for all flows.