Network activity monitoring

IBM® QRadar® collects information about the way that devices in your network communicate with each other. The record of the communication as it occurs across the network is called a flow.

In QRadar, flows appear on the Network Activity tab; you must have the appropriate permissions to view that tab.

By default, the Network Activity tab displays flows in streaming mode. To analyze flows that were already received, pause streaming mode, then search and filter the flows.

If you previously configured a saved search as the default, the results of that search are automatically displayed when you access the Network Activity tab.

Difference between events and flows

An event is a record of an activity that occurred on your network at a single point in time. It provides information about an activity that happened and which assets were implicated. For example, if a user tries to authenticate against your firewall and is unsuccessful, the firewall sends a system log to QRadar. The authentication attempt is recorded as an event. You view information about events on the Log Activity tab.

Unlike an event, a flow is network activity that occurs over time. The flow record shows the actual messages that were sent and received by devices as they communicated with each other over the network. For example, a flow might show when a user sends an email, goes to a web page, downloads a file, or uses social media. The web request might download files such as images and ads over a few seconds, or last a few hours if the user is watching a movie.

Compared to events, flow traffic provides a complete view of what is happening on your network. Flows show you what was happening before, during, and after an event occurred.
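As an added illustration (not from the QRadar documentation, and not QRadar's own event or flow format), the following constructed records show how a point-in-time event is placed against interval-based flow records to recover what the same host was doing before, during, and after the event; the field names, window size, and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    # Point-in-time record, e.g. a failed firewall authentication (constructed).
    time: datetime
    source_ip: str
    description: str

@dataclass
class Flow:
    # Communication observed over an interval (constructed, simplified fields).
    first_seen: datetime
    last_seen: datetime
    source_ip: str
    destination_ip: str
    destination_port: int
    bytes_total: int

def flows_around_event(event, flows, window=timedelta(minutes=5)):
    # Group the event host's flows within +/- window into before / during / after.
    # 'during' = the flow interval covers the event time.
    start, end = event.time - window, event.time + window
    result = {"before": [], "during": [], "after": []}
    for f in flows:
        if f.source_ip != event.source_ip:
            continue  # flow belongs to another host
        if f.last_seen < start or f.first_seen > end:
            continue  # entirely outside the window of interest
        if f.first_seen <= event.time <= f.last_seen:
            result["during"].append(f)
        elif f.last_seen < event.time:
            result["before"].append(f)
        else:
            result["after"].append(f)
    return result

# Constructed sample data: one event and five flows around it.
T = datetime(2024, 1, 15, 10, 0, 0)
EVENT = Event(T, "10.0.0.5", "firewall authentication failure")
FLOWS = [
    Flow(T - timedelta(minutes=3), T - timedelta(minutes=2), "10.0.0.5", "10.0.0.1", 443, 12000),
    Flow(T - timedelta(seconds=30), T + timedelta(seconds=30), "10.0.0.5", "10.0.0.1", 22, 4500),
    Flow(T + timedelta(minutes=1), T + timedelta(minutes=2), "10.0.0.5", "203.0.113.9", 80, 80000),
    Flow(T - timedelta(minutes=1), T + timedelta(minutes=1), "10.0.0.7", "10.0.0.1", 22, 300),
    Flow(T - timedelta(hours=2), T - timedelta(hours=1), "10.0.0.5", "10.0.0.1", 443, 500),
]

if __name__ == "__main__":
    for phase, fs in flows_around_event(EVENT, FLOWS).items():
        print(phase, [(f.destination_ip, f.destination_port) for f in fs])
```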