Network flow data

IBM QRadar Network Insights analyzes the network communication between a client and server. The communication is presented as data flows or content flows.

For example, consider a simple HTTP web connection. After the TCP handshake is negotiated, the client makes an HTTP request of the server. The server responds with an HTTP response. IBM QRadar SIEM represents the communication between the client and server as bidirectional flow sessions. In cases where the flow session spans several minutes, QRadar displays a summary flow record for each minute that the connection stays active. These flow records are linked by the Flow ID property, which provides a way to monitor all flow records that are part of the same session.

Image shows the bidirectional communication, represented as a series of data flows, between a client and server. The extracted content is represented as a content flow. Both data flows and content flows are linked by the Flow ID property.

If you filter on Flow Type, both standard data flows and content flows appear in the filter results. When you create rules, you cannot use the Flow Type field as a distinction between data flows and content flows.

Data flows

Data flows are traditional flow records. Also known as standard flows, they include payload samples, and show nonzero values in the byte and packet counters.

At the Basic inspection level, QRadar Network Insights creates only data flows. The data flow contains the same information as is collected by the QRadar QFlow process.

When you hover over the Flow Type column on the Network Activity tab, the tooltip for a data flow shows Standard Flow.

Content flows

Content flows contain information that QRadar Network Insights collects at deeper levels of analysis and metadata extraction. Content flows do not include payload samples, and all byte and packet counters appear as zero.

The content flow is linked to the corresponding data flow by the Flow ID field. QRadar Network Insights creates content flows only when the inspection level is set to Enriched or Advanced.

When you hover over the Flow Type column on the Network Activity tab, the tooltip for a content flow shows Standard Flow (Content Flow). Before 7.4.2, the only way to identify content flows is to look for flows that have 0 bytes, 0 packets, and no duration.