QRadar – Dynamic calculation of subnet from flow record fields

Hi all,
I would like to be able to use QRadar to report on traffic per subnet. Not a difficult sounding proposition, but what I would like to do is to have QRadar dynamically derive the subnet from the source IP and source mask in incoming flow records.

e.g. if I have the following two flow records:
IP_source: 1.1.1.1, IP_dest: 2.2.2.2, IP_Source_mask:255.255.255.0, Bytes: 1000 Bytes
IP_source: 1.1.1.2, IP_dest: 2.2.2.5, IP_Source_mask:255.255.255.0, Bytes: 1300 Byte

I would like to see the traffic aggregated dynamically as:

IP_source_network: 1.1.1.0/24, Bytes: 2300 Byte (and then report on stats grouped by IP_source_network)

I know that if I define networks under Network Hierarchy it will work, but in this deployment we have many, many networks and don’t want to create them manually – QRadar should calculate the subnet based on the sourceip and sourcemask properties. Now I guess this is technically possible using AQL functions in advanced search but I’m not sure if this is the right method – calculating the subnet correctly as the mask varies is a little more complex than anything I’ve done via AQL before. Is there a neat and easy way to do this that has completely passed me by?

Thanks in advance!

-Steve
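The calculation Steve describes, as an added stand-alone example that is not QRadar or AQL code and not part of the original post: derive the source network from the IP and mask of each flow record (the mask may be dotted-quad or a prefix length, since exporters vary) and sum bytes per derived network. The flow records are constructed; the `sourceip`/`sourcemask` keys are assumed names, not QRadar field names.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records modelled on the two in the post (not real traffic).
# The last two use a /20 mask to show that the network boundary follows the mask.
FLOWS = [
    {"sourceip": "1.1.1.1",    "destinationip": "2.2.2.2", "sourcemask": "255.255.255.0", "bytes": 1000},
    {"sourceip": "1.1.1.2",    "destinationip": "2.2.2.5", "sourcemask": "255.255.255.0", "bytes": 1300},
    {"sourceip": "10.20.33.7", "destinationip": "2.2.2.9", "sourcemask": "255.255.240.0", "bytes": 500},
    {"sourceip": "10.20.40.1", "destinationip": "2.2.2.9", "sourcemask": 20,              "bytes": 250},
]


def source_network(ip, mask):
    """Return the CIDR network (e.g. '1.1.1.0/24') containing ip under mask.

    mask may be a dotted-quad string ('255.255.240.0') or a prefix length (20).
    strict=False tells ipaddress to clear the host bits instead of raising,
    so 10.20.33.7/20 -> 10.20.32.0/20. A non-contiguous mask raises ValueError.
    """
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def bytes_per_source_network(flows):
    """Aggregate bytes by derived source network.

    Returns (totals, skipped): totals maps network -> bytes, skipped counts
    records whose IP or mask could not be parsed (kept so bad exporter data
    is visible in the report rather than silently dropped).
    """
    totals = defaultdict(int)
    skipped = 0
    for flow in flows:
        try:
            net = source_network(flow["sourceip"], flow["sourcemask"])
        except ValueError:
            skipped += 1
            continue
        totals[net] += flow["bytes"]
    return dict(totals), skipped


if __name__ == "__main__":
    totals, skipped = bytes_per_source_network(FLOWS)
    for net, total in sorted(totals.items()):
        print(f"IP_source_network: {net}, Bytes: {total}")
    print(f"skipped records: {skipped}")
```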
