In QRadar, Q1 Labs has added a threats view, which shows rate-based activity, including DoS (denial of service) attacks and scans, stealth activity and protocol misuse; an alert console and creation wizards, which give you easy access to defined Sentry alerts and a simpler way to create your own Sentries; a new report generator and scheduler, so you can define your own reports; system-monitoring features; and small but useful interface improvements.
I used a beta version of QRadar in our Syracuse University Real-World Labs® for more than two months to monitor NETWORK COMPUTING's network traffic. I like the changes, but be prepared to spend time customizing the product.
What You See
QRadar presents network traffic data graphically. You could ask for a view of all the traffic going to or coming from the local network, showing the server ports used, or a view of mostly one-sided traffic. In addition, QRadar has some preconfigured views, such as flow types ("mostly in," "mostly out," "nearly the same") and a view that presents the flows from a collector.
The most interesting new view, though, is the threats view, which shows network-based attacks: DoS, network scans, worm activity and protocol misuse. With QRadar, I found that a number of hosts on our internal network were infected by various worms, sometimes multiple worms simultaneously. I detected Sasser by a rapid uptick in connection attempts to Port 445, which was shown in the threats view as a high-intensity scan.
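As an added example (not QRadar's code and nothing from Q1 Labs), the two ideas above, sorting flows into "mostly in," "mostly out" and "nearly the same," and flagging rate-based scan activity such as the Port 445 sweep a Sasser-infected host produces, can be sketched in Python over constructed flow records. The Flow fields, the 80 percent byte-share cutoff, the 60-second window and the 20-distinct-host threshold are all assumptions chosen for the illustration, not product settings.

```python
"""Flow-type classification and rate-based scan detection (added example).

All flow records below are constructed for illustration; they are not
QRadar output and the thresholds are assumptions, not product defaults.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str         # initiating host
    dst: str         # responding host
    dport: int       # server port
    proto: str       # "tcp" or "udp"
    bytes_out: int   # bytes from src to dst
    bytes_in: int    # bytes from dst back to src


def flow_type(flow: Flow, ratio: float = 0.8) -> str:
    """Classify a flow by which side carries most of the bytes.

    `ratio` (assumed 0.8) is the share one direction must exceed to count
    as one-sided; anything in between is "nearly the same".
    """
    total = flow.bytes_in + flow.bytes_out
    if total == 0:
        return "nearly the same"
    out_share = flow.bytes_out / total
    if out_share >= ratio:
        return "mostly out"
    if out_share <= 1 - ratio:
        return "mostly in"
    return "nearly the same"


def summarize_flow_types(flows) -> Counter:
    """Count how many flows fall into each direction class."""
    return Counter(flow_type(f) for f in flows)


def detect_scans(flows, port: int = 445, window: float = 60.0,
                 threshold: int = 20) -> dict:
    """Flag sources that touch >= `threshold` distinct hosts on `port`
    within any `window`-second span. Returns {src: peak distinct hosts}.

    This is the rate-based idea behind a "high-intensity scan": a worm
    sweeping a subnet contacts many different hosts on one port quickly,
    while a normal client talks to a few servers repeatedly.
    """
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport == port:
            per_src[f.src].append(f)

    alerts = {}
    for src, fl in per_src.items():
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until it fits in `window`.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            distinct = {f.dst for f in fl[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# Constructed sample: one infected host sweeps 40 neighbours on TCP/445
# with unanswered SYNs (one-sided, tiny), one client hits a single file
# server on 445 repeatedly, and one host downloads a large file over HTTP.
SAMPLE_FLOWS = (
    [Flow(1000 + i, "10.1.2.3", f"10.1.3.{i + 1}", 445, "tcp", 60, 0)
     for i in range(40)]
    + [Flow(1000 + 2 * i, "10.1.2.50", "10.1.2.10", 445, "tcp", 1200, 900)
       for i in range(30)]
    + [Flow(1005, "10.1.2.77", "192.0.2.10", 80, "tcp", 500, 50000)]
)


if __name__ == "__main__":
    print(summarize_flow_types(SAMPLE_FLOWS))
    print(detect_scans(SAMPLE_FLOWS))
```

Only the sweeping host is reported, because the file-server client, although it generates just as many Port 445 flows, never exceeds one distinct destination; counting distinct hosts rather than raw connection attempts is what separates a scan from ordinary chatter.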