This glossary provides terms and definitions for the IBM® QRadar® Network Threat Analytics app.

The following cross-references are used in this glossary:
  • See refers you from a nonpreferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.


anomalous behavior
A deviation from the expected baseline behaviors.
analytics score category
A grouping of similar flow characteristics. For example, the source category groups together source IP, source port, and source network.


baseline occurrence
The frequency with which communication in the network is observed.
baseline traffic
The type of traffic that is normally observed in the network.
baseline process
A process that analyzes existing network flows and determines the type and frequency of normal flow traffic on your network. See also network baseline.
behavioral analytics score
A numerical representation of the significance of a finding, calculated based on the outlier scores of the contributing flows.


deviating category
A representation of a group of flow characteristics that deviates from the existing behavior in the baseline.
deviating flow attribute
A characteristic that distinguishes a flow that was marked as deviating from the baseline.
deviating group attributes
A representation of the group attributes that were marked as deviating from the baseline.


An aggregation of similar network communications that are anomalous and deviate from the baseline.
flow record
A record of the conversation between two hosts.
flow session
A collection of individual flow records that have the same flow ID.
flow session score
A numerical representation of how expected a flow session is in your network. A flow session that has a score of 100 was never before observed in the network.


in offense
Indicates whether the flow record is part of an offense. See offense.


network anomaly
A change in the established standard communication of a network.
network baseline
A model that contains information about the flows and flow attributes that currently exist on the system. The network baseline is the result of the baseline process.


offense
A message that is sent or an event that is generated in response to a monitored condition. For example, an offense provides information on whether a policy was breached or the network is under attack.
outlier score
A numerical representation of how much the flow attribute values deviated from the network baseline.


The result of a computational analysis.