Flow direction

Some widgets in IBM® QRadar® Network Threat Analytics display statistics about the direction of the network communication that was observed.

The flow direction can help you prioritize your area of focus when you are threat hunting on your network. Depending on the time period that is selected, spikes and dips in the traffic volume and direction might indicate significant changes in the amount of flow data that was sent or received.

Flow direction falls into one of the following categories:
Internal
The traffic direction is local to local (L2L).

It originates and terminates within your own network.

Egress
The traffic direction is local to remote (L2R).

The traffic originates in your own network, but is destined for a device that is outside your network.

Ingress
The traffic direction is remote to local (R2L).

The traffic originates from an external network, but is destined for a device that is inside your network.

External
The traffic direction is remote to remote (R2R).

The traffic originates and terminates outside your network.

Important:

All networks that are defined in the network hierarchy in QRadar are considered local. It is important that your network hierarchy is defined correctly before you install the QRadar Network Threat Analytics app. For more information, see Network hierarchy in the IBM QRadar Administration Guide.