Flow score contributors
Score contributors graph
The Score contributors graph displays the attributes that deviated from the network baseline. These deviating attributes are contributors to the outlier score for the flow record.
- A green status bar indicates that the value for the attribute falls within the normal range when compared to the network baseline, but the attribute value contributed to the outlier score.
Non-deviating attributes still contribute to the outlier score even though they fall within the normal range that is found in the network baseline.
- A purple status bar indicates that the value deviates from what was expected.
Sometimes, the score contributors widget might be empty, which indicates that all of the flow attribute values were within the expected values when compared to the network baseline. If the baseline occurrence is rare, a flow can still have a high outlier score even though all of its attributes are within the expected range.
Some flow attributes that appear in the Source Contributors widget do not appear in the Flow record properties list. For example, the Source and Destination packets attribute is a feature of the QRadar® Network Threat Analytics algorithms that combines and compares the source packets and destination packets together. In the Flow record properties list, each of these attributes appears as a separate entity.
Flow record properties table
The Flow record properties table displays information about each of the attributes that are used to analyze the flow.

The Value column shows the value of the attribute in the flow record, while the Baselined values column shows the values that are found in the network baseline. An empty Baselined values field might indicate that no common pattern for that field is found in the network baseline. It might also be empty if the field is not present in the flow traffic that was used to create the baseline.
The status indicates whether the attribute value falls within the normal range of what is expected, or if it deviates from the flow data in the network baseline. Click the column headers to change the sort order for the table.