I would like to be able to use QRadar to report on traffic per subnet. Not a difficult sounding proposition, but what I would like to do is to have QRadar dynamically derive the subnet from the source IP and source mask in incoming flow records.
E.g. if I have the following two flow records:
IP_source: 188.8.131.52, IP_dest: 184.108.40.206, IP_Source_mask: 255.255.255.0, Bytes: 1000 Bytes
IP_source: 220.127.116.11, IP_dest: 18.104.22.168, IP_Source_mask: 255.255.255.0, Bytes: 1300 Bytes
I would like to see the traffic aggregated dynamically as:
IP_source_network: 22.214.171.124/24, Bytes: 2300 Bytes (and then report on stats grouped by IP_source_network)
I know that if I define networks under Network Hierarchy it will work, but in this deployment we have many, many networks and don’t want to create them manually – QRadar should calculate the subnet based on the sourceip and sourcemask properties. Now I guess this is technically possible using AQL functions in advanced search but I’m not sure if this is the right method – calculating the subnet correctly as the mask varies is a little more complex than anything I’ve done via AQL before. Is there a neat and easy way to do this that has completely passed me by?
Thanks in advance!
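As an added illustration of the computation the post is asking for (not part of the original post, and not QRadar or AQL code), the following Python derives the source network from each record's address and mask, handles masks of varying length, and sums bytes per network; the flow records and the field names sourceip/sourcemask/bytes are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic). The mask varies per
# record and may be dotted or a bare prefix length; one record is deliberately
# malformed to show how a non-contiguous mask is handled.
FLOWS = [
    {"sourceip": "10.1.2.10",  "sourcemask": "255.255.255.0",   "bytes": 1000},
    {"sourceip": "10.1.2.20",  "sourcemask": "255.255.255.0",   "bytes": 1300},
    {"sourceip": "10.1.3.5",   "sourcemask": "255.255.254.0",   "bytes": 500},
    {"sourceip": "10.1.2.200", "sourcemask": "255.255.255.128", "bytes": 200},
    {"sourceip": "10.9.8.7",   "sourcemask": "16",              "bytes": 100},
    {"sourceip": "10.1.2.5",   "sourcemask": "255.0.255.0",     "bytes": 42},
]


def source_network(ip: str, mask: str) -> str:
    """Return the network prefix (e.g. '10.1.2.0/24') for an address and mask.

    ipaddress.ip_network accepts either a dotted netmask or a prefix length
    after the '/', and strict=False zeroes the host bits instead of raising.
    A non-contiguous mask such as 255.0.255.0 raises ValueError.
    """
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def bytes_per_network(flows) -> dict:
    """Aggregate bytes by derived source network, the way the post wants
    QRadar to group them. Records whose mask cannot be interpreted are
    counted under 'invalid' rather than silently dropped or mis-grouped."""
    totals = defaultdict(int)
    for flow in flows:
        try:
            net = source_network(flow["sourceip"], flow["sourcemask"])
        except ValueError:
            net = "invalid"
        totals[net] += flow["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for net, total in sorted(bytes_per_network(FLOWS).items()):
        print(f"{net:18} {total} bytes")
```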