IBM QRadar Network Threat Analytics network baseline

IBM® QRadar® Network Threat Analytics analyzes existing network flows to determine the type and frequency of normal flow traffic on your network. The result of this process is a network baseline that contains information about the flows and flow attributes that currently exist on the system. The app uses the network baseline as an indicator of the flow traffic that is considered typical in your network.

Baseline fields

The following table shows the attributes that are analyzed. The attributes are grouped into categories, which are used in the Analytics score by category chart on the Finding detail page.

The attributes that are analyzed to create the network baseline are different, depending on which software is installed. QRadar flow attributes are always analyzed, but when QRadar Network Insights is installed, even more data is available for analysis.

Table 1. Flow attributes that are analyzed by QRadar Network Threat Analytics, grouped by category
Category QRadar flow attributes QRadar Network Insights flow attributes


  • Source IP
  • Source network
  • Source sub network New in 1.2.0
  • TLS JA3 hash Changed in 1.2.0


  • Destination IP
  • Destination network name
  • Destination sub network New in 1.2.0
  • HTTP server New in 1.2.0

  • TLS JA3S hash Changed in 1.2.0

Source rate

  • Accumulated source bytes
  • Source bytes
  • Source packets
  • Flow duration New in 1.2.0

Not applicable

Destination rate

  • Accumulated destination bytes
  • Destination bytes
  • Destination packets

Not applicable

Source to destination ratio

  • Source bytes to destination bytes pairing
  • Source packets to destination packets pairing

Not applicable

Protocol & application

  • Application ID
  • Destination flags
  • Destination port
  • Protocol ID
  • Source flags
New in 1.2.0 (all attributes)
  • Application protocol name

  • Authentication mechanism

  • Content type

  • DNS domain name

  • DNS request type

  • DNS response code

  • FTP reply code

  • HTTP response code

  • Kerberos client principal name

  • Kerberos cipher suite

  • Kerberos realm

  • Kerberos server principal name

  • Last proxy IPv4

  • Last proxy IPv6

  • Protocol version

  • RDP encryption level

  • RDP encryption method

  • TFTP mode

  • TFTP status


Not applicable

  • x509 certificate version

  • x509 certificate signature algorithm

  • X509 certificate issuer common name New in 1.2.0

  • x509 certificate public key algorithm New in 1.2.0

  • X509 certificate public key size New in 1.2.0

  • X509 certificate to-be-signed signature algorithm New in 1.2.0

  • x509 certificate issuer name New in 1.2.0


Not applicable

  • SSL/TLS Cipher Suite
  • SSL/TLS Compression Method
  • SSL/TLS Version
  • TLS Application Layer


Not applicable

  • File entropy
  • File size


  • Flow direction

Not applicable