Superflows
IBM QRadar analyzes individual flows to look for indicators that common attack vectors are being used on your network. When the number of flows that match the criteria reaches a specified number, QRadar groups the individual flows into a superflow. Each superflow counts as only one flow against the flows per minute (FPM) license, regardless of how many flow records are bundled within it.
You can configure the flow threshold to control the number of unique flows that must match the criteria before a superflow is created. Given a threshold of 100, the first 99 matching flows are sent as normal flow records; the 100th flow and every subsequent matching flow are bundled into the superflow record. QRadar continues to report the superflow every minute until one full interval passes with no matching traffic. Because a single matching flow record in an interval is enough to keep a superflow alive, some superflows might appear to be small.
Superflow Type A: Network scan
A network scan attempts to discover all of the active hosts on your network and map each host to its IP address. Flows are bundled into a network-scan superflow when the following attributes match:
- Protocol
- Source bytes-to-packets ratio
- Source IP address
- Destination port (TCP and UDP flows only)
- TCP flags (TCP flows only)
- ICMP type and code (ICMP flows only)

Superflow Type B: Distributed denial of service (DDoS)
A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system. Flows are bundled into a DDoS superflow when the following attributes match:
- Protocol
- Source bytes-to-packets ratio
- Destination IP address
- Destination port (TCP and UDP flows only)
- TCP flags (TCP flows only)
- ICMP type and code (ICMP flows only)

Superflow Type C: Port scan
A port scan attempts to identify the ports that are in use on a specific host on your network. Flows are bundled into a port-scan superflow when the following attributes match:
- Protocol
- Source IP address
- Destination IP address
- Source bytes-to-packets ratio
- TCP flags (TCP flows only)
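
The bundling rules above, as an added worked example in Python (this is not IBM's code and not how QRadar is implemented internally): the three grouping keys follow the criteria lists for Types A, B and C, while the flow-record layout, bucketing the bytes-to-packets ratio as integer bytes per packet, whole-minute reporting intervals, in-order arrival, checking the types in the order A, B, C, and restarting the count after a superflow closes are all assumptions made for the example. The sample traffic is constructed.

```python
"""Toy model of the superflow aggregation described on this page.
Added example, not IBM's code: the grouping keys follow the page's criteria
lists; the Flow layout, ratio bucketing, whole-minute intervals, in-order
arrival, the A/B/C check order and the count reset on close are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    ts: int                                   # seconds (constructed sample data)
    proto: str                                # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_bytes: int
    src_packets: int
    dst_port: Optional[int] = None            # TCP and UDP only
    tcp_flags: Optional[str] = None           # TCP only, e.g. "S" for SYN
    icmp_type_code: Optional[Tuple[int, int]] = None  # ICMP only

def ratio(f: Flow) -> int:
    """Assumption: bucket the source bytes-to-packets ratio as integer bytes per packet."""
    return f.src_bytes // max(f.src_packets, 1)

def _per_proto(f: Flow, with_port: bool) -> tuple:
    # Destination port applies to TCP/UDP only, flags to TCP only, type/code to ICMP only.
    port = f.dst_port if with_port and f.proto in ("tcp", "udp") else None
    flags = f.tcp_flags if f.proto == "tcp" else None
    icmp = f.icmp_type_code if f.proto == "icmp" else None
    return (port, flags, icmp)

def superflow_keys(f: Flow) -> List[tuple]:
    """Grouping key per superflow type, built from the criteria lists on this page."""
    flags = f.tcp_flags if f.proto == "tcp" else None
    return [
        ("A", f.proto, ratio(f), f.src_ip) + _per_proto(f, True),  # one source, many hosts
        ("B", f.proto, ratio(f), f.dst_ip) + _per_proto(f, True),  # many sources, one host
        ("C", f.proto, f.src_ip, f.dst_ip, ratio(f), flags),       # one pair, many ports
    ]

class SuperflowAggregator:
    def __init__(self, threshold: int = 100, interval: int = 60):
        self.threshold, self.interval = threshold, interval
        self.counts: Dict[tuple, int] = defaultdict(int)  # matching flows seen per key
        self.active: Dict[tuple, int] = {}                 # open superflow -> flows bundled this interval
        self.current: Optional[int] = None                 # start of the interval being filled
        self.output: List[tuple] = []                      # ("flow", Flow) or ("superflow", key, n)

    def _end_interval(self) -> None:
        # Report each open superflow once per interval; one interval with no match closes it.
        for key in list(self.active):
            n = self.active[key]
            if n == 0:
                del self.active[key]
                self.counts.pop(key, None)     # assumption: the threshold count restarts after closure
            else:
                self.output.append(("superflow", key, n))
                self.active[key] = 0

    def add(self, f: Flow) -> None:
        start = f.ts - f.ts % self.interval
        if self.current is None:
            self.current = start
        while start > self.current:            # roll over every interval up to this flow's
            self._end_interval()
            self.current += self.interval
        keys = superflow_keys(f)
        for key in keys:
            self.counts[key] += 1
            if self.counts[key] >= self.threshold:   # the Nth matching flow opens the superflow
                self.active.setdefault(key, 0)
        owners = [k for k in keys if k in self.active]
        if owners:
            self.active[owners[0]] += 1        # bundled: the whole group is one record against the FPM license
        else:
            self.output.append(("flow", f))    # below threshold: sent as a normal flow record

    def finish(self) -> List[tuple]:
        self._end_interval()                   # close out the last interval
        return self.output

def run_sample(threshold: int = 5) -> List[tuple]:
    """Constructed traffic: a SYN sweep of port 22 across eight hosts, one straggler a
    minute later, then a lone probe two minutes after that (past the empty-interval timeout)."""
    agg = SuperflowAggregator(threshold=threshold)
    for i in range(8):
        agg.add(Flow(i, "tcp", "10.0.0.5", f"10.0.1.{i + 1}", 60, 1, dst_port=22, tcp_flags="S"))
    agg.add(Flow(65, "tcp", "10.0.0.5", "10.0.1.9", 60, 1, dst_port=22, tcp_flags="S"))
    agg.add(Flow(185, "tcp", "10.0.0.5", "10.0.1.10", 60, 1, dst_port=22, tcp_flags="S"))
    return agg.finish()

def record_kinds(records: List[tuple]) -> List[str]:
    """Compact view of what was emitted: "flow" or "superflow:<type>:<flows this interval>"."""
    return [r[0] if r[0] == "flow" else f"superflow:{r[1][0]}:{r[2]}" for r in records]

if __name__ == "__main__":
    print(record_kinds(run_sample()))   # 10 raw flows become 7 records
```

With a threshold of 5, the sweep produces four normal flow records, one Type A superflow reporting four bundled flows for the first minute, a second report with the single straggler (the "small" superflow the text mentions), and then, after the empty minute closes the superflow, the final probe goes out as a normal flow again. The same aggregator grouped on the Type C key turns a single-host port sweep into one port-scan superflow.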
