What does IBM QRadar use to establish baselines for normal behavior in a network?

Prepare for the IBM QRadar SIEM Foundations exam with interactive quizzes and comprehensive questions. Each question includes hints and explanations to boost your confidence and knowledge. Get ready to pass your exam on the first try!

IBM QRadar utilizes anomaly detection algorithms to establish baselines for normal behavior in a network. These algorithms analyze historical data and identify patterns or trends that represent typical behavior for users, systems, and network traffic. By understanding what constitutes "normal," QRadar can effectively detect deviations from these established baselines, which may indicate potential security incidents or anomalies that require attention.

Anomaly detection relies on statistical analysis and machine learning techniques to differentiate between normal and abnormal behavior. This ability to recognize deviations helps organizations respond proactively to threats, improving the overall security posture.

The other options, while related to aspects of monitoring or performance, do not provide the same mechanism or capability that anomaly detection algorithms offer in the context of behavioral analysis. Performance reviews are typically associated with human resource evaluations rather than network behavior. User-defined metrics can be beneficial but are subject to biases and limitations inherent in manual configuration. External data feeds can provide additional context or threat intelligence, but they do not directly establish baselines for network behavior on their own. Thus, anomaly detection algorithms stand out as the key component in this process.
