Flow aggregation

IBM® QRadar® combines the information from many packets of one communication session into a single flow record, so that the record carries more information about the flow without more flow records being sent. This process is known as aggregation.

The flow shows a communication session between two hosts by normalizing the packet attributes into a flow record that includes the following information:
  • Source IP address
  • Source port
  • Destination IP address
  • Destination port
  • Protocol
  • Flow ID (flow source dependent)
  • Flow source domain ID (New in 7.5.0 Update Package 7)
  • VLAN fields (flow source dependent)
  • VXLAN fields (flow source dependent)

As the hosts continue to communicate, information such as the byte and packet counters and the payload capture is aggregated into a single flow record. For communications that span more than 1 minute, QRadar reports on the current metrics for the flow at the end of each 1-minute interval. The entire communication session is represented by multiple flow records that have the same First Packet Time, but with incremental Last Packet Time values.

If these attributes match an existing flow, that flow's information is updated. When one or more attributes differ, the traffic is treated as a new, unique flow, and a new flow record is created.
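The following is an added example, not IBM's code, that models the aggregation behaviour described above in Python: packets are keyed on the listed attributes (the five-tuple, flow ID, flow source domain ID and a single VLAN ID; VXLAN fields are omitted), byte and packet counters and a capped payload capture accumulate into one record, a snapshot of each active flow is reported at the end of every 1-minute interval with the same First Packet Time and an increasing Last Packet Time, and a change in any key attribute starts a new flow. The field names, the payload cap, the idle timeout and the sample packets are all constructed for the example.

```python
"""Toy flow aggregator modelled on the QRadar behaviour described above.
Added example, not IBM code. Field names, PAYLOAD_CAP and the idle-flow
timeout are assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERVAL = 60      # QRadar reports flow metrics at the end of each 1-minute interval
PAYLOAD_CAP = 64   # constructed cap on captured payload bytes per flow

# Key attributes: changing any one of them yields a new flow record.
# (src_ip, src_port, dst_ip, dst_port, proto, flow_id, domain_id, vlan_id)
FlowKey = Tuple[str, int, str, int, str, int, int, int]


@dataclass
class Packet:
    ts: int            # seconds since epoch (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    size: int
    payload: bytes = b""
    flow_id: int = 0   # flow source dependent
    domain_id: int = 0 # flow source domain ID
    vlan_id: int = 0   # flow source dependent

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port,
                self.proto, self.flow_id, self.domain_id, self.vlan_id)


@dataclass
class FlowRecord:
    key: FlowKey
    first_packet_time: int
    last_packet_time: int
    packets: int = 0
    bytes: int = 0
    payload: bytes = b""


def aggregate(packets: List[Packet]) -> List[FlowRecord]:
    """Return the flow records interval-based aggregation produces.

    Packets must be in time order. At each 1-minute boundary a cumulative
    snapshot of every flow that saw traffic in that interval is emitted;
    flows idle for a whole interval are dropped (timeout is an assumption).
    """
    active: Dict[FlowKey, FlowRecord] = {}
    seen: Set[FlowKey] = set()
    out: List[FlowRecord] = []
    if not packets:
        return out
    interval_end = (packets[0].ts // INTERVAL + 1) * INTERVAL

    def report() -> None:
        for k in list(active):
            rec = active[k]
            if k in seen:  # same First Packet Time, later Last Packet Time
                out.append(FlowRecord(rec.key, rec.first_packet_time,
                                      rec.last_packet_time, rec.packets,
                                      rec.bytes, rec.payload))
            else:
                del active[k]  # no traffic this interval: session ended
        seen.clear()

    for pkt in packets:
        while pkt.ts >= interval_end:  # close every interval already elapsed
            report()
            interval_end += INTERVAL
        k = pkt.key()
        rec = active.get(k)
        if rec is None:
            rec = FlowRecord(k, pkt.ts, pkt.ts)  # attributes differ: new flow
            active[k] = rec
        seen.add(k)
        rec.last_packet_time = pkt.ts            # attributes match: update
        rec.packets += 1
        rec.bytes += pkt.size
        room = PAYLOAD_CAP - len(rec.payload)
        if room > 0:
            rec.payload += pkt.payload[:room]
    report()  # final snapshot for the last, partial interval
    return out


def sample_packets() -> List[Packet]:
    """Constructed sample: one TCP session spanning three intervals, plus one
    packet on the same five-tuple but a different VLAN (a new flow)."""
    a = dict(src_ip="10.0.0.5", src_port=51000, dst_ip="192.0.2.10",
             dst_port=443, proto="tcp", size=100)
    return [
        Packet(ts=0, payload=b"GET / HTTP/1.1\r\n", **a),
        Packet(ts=20, payload=b"Host: example\r\n", **a),
        Packet(ts=30, vlan_id=20, **{**a, "size": 50}),
        Packet(ts=70, **a),
        Packet(ts=100, **a),
        Packet(ts=130, **a),
    ]


if __name__ == "__main__":
    for r in aggregate(sample_packets()):
        print(r.key[-1], r.first_packet_time, r.last_packet_time, r.packets, r.bytes)
```

Running the sample yields four records: the VLAN-20 packet produces its own single record, while the main session produces three records that all share First Packet Time 0 and carry Last Packet Times 20, 100 and 130 with cumulative counters, which is the per-interval reporting pattern the text describes.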