Flow pipeline

Flows that come into IBM QRadar go through an in-depth process to extract additional information about the network communication, looking for indicators that a security incident might have occurred.

Flows go through five stages of processing in QRadar: receiving, aggregating, analyzing, unification, and Custom Rule Engine. — Figure 1. Flow pipeline in QRadar

QFlow process

The QFlow process collects data from a variety of flow sources. It aggregates the data by parsing and normalizing the data, accruing information over a one minute period. It then analyzes the flow to extract additional information such as determining the application and flow direction, and creating superflows before handing it off to the ecs-ec process.

ecs-ec process

The ecs-ec process further parses the flow record and performs additional unification and processing, such as deduplication, asymmetric recombination, licensing, domain tagging, custom flow properties, and flow forwarding. The flow is then passed to the Custom Rule Engine (CRE) to determine if the flow triggers a rule, which might indicate that a security incident has occurred.