QRadar – Dynamic calculation of subnet from flow record fields

Hi all,
I would like to be able to use QRadar to report on traffic per subnet. Not a difficult sounding proposition, but what I would like to do is to have QRadar dynamically derive the subnet from the source IP and source mask in incoming flow records.

e.g. if I have the following two flow records:
IP_source:, IP_dest:, IP_Source_mask:, Bytes: 1000 Bytes
IP_source:, IP_dest:, IP_Source_mask:, Bytes: 1300 Byte

I would like to see the traffic aggregated dynamically as:

IP_source_network:, Bytes: 2300 Byte (and then report on stats grouped by IP_source_network)

I know that if I define networks under Network Hierarchy it will work, but in this deployment we have many, many networks and don’t want to create them manually – QRadar should calculate the subnet based on the sourceip and sourcemask properties. Now I guess this is technically possible using AQL functions in advanced search but I’m not sure if this is the right method – calculating the subnet correctly as the mask varies is a little more complex than anything I’ve done via AQL before. Is there a neat and easy way to do this that has completely passed me by?

Thanks in advance!
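To illustrate the calculation the question asks about (deriving the source network from a flow's source IP and source mask, then summing bytes per network), here is an added Python example; it is not QRadar code or AQL, and the flow records are constructed for the demonstration. It accepts the mask either as a prefix length, as NetFlow/IPFIX-style records export it, or as a dotted-quad netmask.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original post). src_mask is a
# prefix length for three of them and a dotted-quad netmask for the last.
FLOWS = [
    {"src_ip": "10.1.2.37",   "dst_ip": "192.0.2.10", "src_mask": 24, "bytes": 1000},
    {"src_ip": "10.1.2.200",  "dst_ip": "192.0.2.11", "src_mask": 24, "bytes": 1300},
    {"src_ip": "10.1.3.5",    "dst_ip": "192.0.2.12", "src_mask": 22, "bytes": 500},
    {"src_ip": "172.16.9.77", "dst_ip": "192.0.2.13", "src_mask": "255.255.240.0", "bytes": 250},
]


def mask_to_int(mask):
    """Return the 32-bit netmask for a prefix length (int or numeric str)
    or a dotted-quad netmask string; reject malformed masks."""
    if isinstance(mask, int) or str(mask).isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bad prefix length: {mask}")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    m = int(ipaddress.IPv4Address(mask))
    # A valid netmask is a contiguous run of 1 bits followed by 0 bits.
    if ((m | (m - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return m


def source_network(src_ip, src_mask):
    """Return the network 'a.b.c.d/len' that src_ip falls in under src_mask."""
    ip = int(ipaddress.IPv4Address(src_ip))
    m = mask_to_int(src_mask)
    prefix_len = bin(m).count("1")
    return f"{ipaddress.IPv4Address(ip & m)}/{prefix_len}"


def bytes_per_source_network(flows):
    """Aggregate bytes by the dynamically derived source network."""
    totals = defaultdict(int)
    for flow in flows:
        totals[source_network(flow["src_ip"], flow["src_mask"])] += flow["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for network, total in sorted(bytes_per_source_network(FLOWS).items()):
        print(f"IP_source_network: {network}, Bytes: {total}")
```

For a prefix length, `ipaddress.ip_network(f"{ip}/{prefix}", strict=False)` yields the same network; the bitwise form is written out so the varying-mask arithmetic is explicit.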
