Viewing Network Traffic in VMDR OT

The Network tab gives a complete view of network traffic in the industrial network. Multiple Qualys Network Passive Sensors can be deployed across the network. Each Qualys Network Passive Sensor has access to traffic with source and destination details in the flows. The Network tab shows all sources and destinations of the given port and protocol. The network list view displays the different protocols used in the network and how the assets communicate.

network tab showing network assets.

The network table contains the list of network traffic with the following details:

- Source asset

- Source asset type

- When the asset was first and last seen communicating on the network

- Destination asset

- Destination asset type

- Protocol/Transport protocol used for communication

- Port on which they are communicating

- Total traffic volume for the network

- Ingress traffic volume for the network

- Egress traffic for the network

In the search bar, you can build QQL queries to narrow down the scope of your network traffic search by using the supported search tokens. For more information, see Search Tokens for VMDR OT.

Use the left pane filters to search for network traffic grouped into various categories. After clicking a category in this list, your selection gets translated into a QQL query in the search bar. The network traffic that fits your selected category is displayed in the network traffic table.

QQl on the search bar.

View External IPs

An External IP is defined as any IP that is outside the organization's network or not configured in the organization's internal asset group. Monitoring external IP communications with internal IPs helps you to detect suspicious connections and identify potential security threats.

The Network > List View tab displays the list of all external IPs that are communicating with your internal IPs. The total number of external IPs is displayed below the External indication.

For external IPs to be listed in the VMDR OT > Network > List View tab, the required version of the NPS appliance should be 2.0 and above.

network tab showing external IPs.

You can also view this information about a particular asset on Asset Details > Network > Network Map.

Assets Details page showing External IPs.

To view the list of all external IPs, click the number of IPs displayed below the External indication. The following data is displayed related to the external IPs:

Data	Description
IP Address	Displays the external IP address that has been detected.
Last Seen	Displays the date and time of the most recent communication between the external and internal IP addresses.
Count	Displays the number of times the external IP has interacted with your internal IP.

External IPs details page.