
IBM QRadar Flows & QNI — QFlow, Superflows & Network Visibility

IBM QRadar does not just collect logs — it ingests full network flow records that reveal WHO talked to WHOM, WHEN and HOW MUCH, and, with QRadar Network Insights (QNI), WHAT was inside those conversations at the application layer. This lesson maps every piece: the QFlow collector, superflows, QNI content flows, Layer-7 extraction, flow vs event differences, and how flows feed the asset database so the SIEM understands your network.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live flow demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master IBM QRadar network flows in 2026: QFlow collectors, QRadar Network Insights (QNI), superflows, Layer-7 application visibility, flow vs event differences, and how flows enrich asset profiles for faster threat detection.

🎯 By the end you will be able to

1. Flows vs events: explain why network flows are a different data type from logs.
2. QFlow collector: describe how raw packets become normalised flow records.
3. QNI & content flows: describe Layer-7 extraction, artifacts and TLS fingerprinting.
4. Asset enrichment: explain how flows build the IP profile that powers rules.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is a QRadar flow record the same thing as a log event?

Answered in Flows vs events.

2. What does QRadar Network Insights (QNI) add that a plain QFlow collector does not?

Answered in QNI & content flows.

3. Why does QRadar group some flows into a superflow?

Answered in QFlow collector.

Most engineers think…

Most people picture a SIEM as 'something that collects syslog'. That is true but only half the picture for QRadar.

IBM QRadar treats network flows as a first-class data type alongside events. A flow record captures a full conversation — source IP, destination IP, ports, protocol, byte and packet counts — so the SIEM can answer 'who talked to whom, for how long and how much data moved?' without ever seeing a log. Add QRadar Network Insights (QNI) and you also get application-layer visibility: URLs, DNS names, TLS certificates, file hashes and HTTP headers extracted from live traffic. Understanding the flow pipeline — QFlow collector → normalisation → superflows → QNI content flows → asset enrichment — is what separates a junior SOC analyst from one who can actually hunt on network data.

① Flows vs events — two data types, one SIEM

A log event is a message a device sends to tell you something happened: a login attempt, a firewall rule hit, a VPN session start. An event has a timestamp, a source and a message. A flow record is different — it describes a network conversation between two endpoints: source IP, destination IP, source port, destination port, protocol (the five-tuple) plus byte count, packet count and duration. The device does not send a flow voluntarily; QRadar's QFlow collector or an external flow exporter (NetFlow, IPFIX, sFlow) produces it.

The practical difference matters for investigation. Events tell you what happened on a device. Flows tell you what moved across the network. A malware beacon may never generate a log event on a misconfigured firewall, but it always generates a flow — same destination IP, same small byte count, same interval, every hour. QRadar correlates both in the same offense, so you need to read both tabs: Log Activity (events) and Network Activity (flows).
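The beacon signature described above (same peer, same small byte count, regular interval) can be checked directly against flow records. The following is an added example, not code from the lesson or from IBM: it runs a periodicity check over constructed five-tuple flow records and, beside them, over constructed firewall syslog lines that contain only denies, to show why the flow tab catches what the event tab never sees. All addresses, timestamps and sizes are invented; no QRadar API is involved.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records shaped like normalised five-tuple flows:
# (first_packet_epoch, src_ip, dst_ip, dst_port, protocol, bytes_out).
# Addresses, times and sizes are invented for this example.
FLOWS = [
    # hourly beacon: same peer, same port, about 2 KB every time
    *[(1_700_000_000 + 3600 * i, "10.1.1.5", "52.23.4.1", 443, "tcp", 2048 + (i % 3) * 16)
      for i in range(6)],
    # ordinary workstation traffic: irregular timing, varied sizes
    (1_700_000_300, "10.1.1.5", "10.1.1.20", 445, "tcp", 48_000),
    (1_700_004_100, "10.1.1.5", "10.1.1.20", 445, "tcp", 1_200),
    (1_700_011_000, "10.1.1.5", "10.1.1.20", 445, "tcp", 96_500),
    (1_700_002_000, "10.1.1.7", "52.23.4.1", 443, "tcp", 900_000),  # one large download
    (1_700_005_500, "10.1.1.7", "10.1.1.20", 445, "tcp", 3_100),
]

# Constructed firewall syslog lines. The firewall logs only denies, so the
# allowed outbound beacon never produces an event.
FIREWALL_EVENTS = [
    "<134>Nov 14 22:13:20 fw1 kernel: DENY in=eth1 src=203.0.113.9 dst=10.1.1.5 dpt=22",
    "<134>Nov 14 22:41:02 fw1 kernel: DENY in=eth1 src=198.51.100.77 dst=10.1.1.7 dpt=3389",
]


def find_beacons(flows, min_count=4, max_jitter=0.10, max_bytes=10_000):
    """Return conversations that repeat on a regular interval with a small,
    stable byte count: the textbook beacon signature in flow data.

    Flows are grouped on (src, dst, dst_port, proto). A group qualifies when it
    has at least min_count flows, the gap between successive flows varies by no
    more than max_jitter (coefficient of variation), and the per-flow byte count
    is both small and equally stable.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport, proto, nbytes in flows:
        by_key[(src, dst, dport, proto)].append((ts, nbytes))

    hits = []
    for key, samples in by_key.items():
        if len(samples) < min_count:
            continue
        samples.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(samples, samples[1:])]
        sizes = [n for _, n in samples]
        period = mean(gaps)
        if period <= 0 or pstdev(gaps) / period > max_jitter:
            continue
        if max(sizes) > max_bytes or pstdev(sizes) / mean(sizes) > max_jitter:
            continue
        hits.append({"key": key, "count": len(samples), "period_s": round(period)})
    return hits


def event_hits(events, ip):
    """Count firewall events that mention an IP as source or destination."""
    return sum(1 for line in events if f"src={ip}" in line or f"dst={ip}" in line)


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        src, dst, dport, proto = hit["key"]
        print(f"beacon: {src} -> {dst}:{dport}/{proto} x{hit['count']} every {hit['period_s']} s")
    print("firewall events mentioning 52.23.4.1:", event_hits(FIREWALL_EVENTS, "52.23.4.1"))
```

The jitter and size thresholds are deliberately loose; real beacons add randomised sleep, so in practice you tune `max_jitter` per environment and look at the flow count over a longer window rather than a handful of samples.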

Figure 1 — Flow record vs log event — the two data types
[Infographic: Device event (syslog / CEF / LEEF) → Log Activity (parsed, normalised); Flow record (five-tuple + bytes) → Network Activity (flow DB, correlated); both → Offense (events + flows merged)]
Events describe device actions; flows describe network conversations. QRadar correlates both in the same offense.
Always check both tabs in QRadar

In an investigation, never look only at Log Activity. Open Network Activity too — flows often reveal lateral movement, data exfiltration or beaconing that generates zero log events, especially when firewalls only log denied traffic.

Quick check · Q1 of 10 · Understand

A firewall is misconfigured and generates no log events for outbound connections. Which QRadar data source can still detect a malware beacon to an external IP?

Correct: b. A flow record is produced by the QFlow collector from raw packets regardless of device logging. Even if the firewall never sends a syslog event, the QFlow collector on the SPAN port captures the conversation and creates a flow record visible in Network Activity.
👉 So far: A flow record = five-tuple conversation (src/dst IP, ports, protocol) + bytes + packets. Not a log — produced by QFlow from packets, not by the device.

② The QFlow collector — from raw packets to flow records

The QFlow collector is the component that sits on a network tap or SPAN port, captures packets, assembles them into conversations and emits a normalised flow record to QRadar. It understands many flow export formats — NetFlow v5/v9, IPFIX, sFlow, J-Flow — so you can also point external routers and switches at it instead of needing a packet tap everywhere.

Superflows — handling high-volume traffic

In busy environments a single conversation can produce thousands of individual flow records per second. To keep storage manageable, QRadar creates superflows: aggregated bundles that roll up many similar flows into one record, preserving the key metrics (total bytes, packets, duration, ports) but not storing each conversation individually. You will see a superflow flag in the Network Activity tab. Superflows are normal — they mean the collector is healthy and managing volume correctly. The QFlow process also uses multi-threaded processing so it can keep up with high-throughput links.
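To make the trade-off concrete, here is an added example (not the lesson's or IBM's code) of the idea behind a superflow: many short flows between the same pair in the same minute are rolled into one record that keeps the totals, time span, flow count and port set, while everything below the threshold passes through untouched. It is a one-to-one aggregation only and does not reproduce QRadar's own grouping rules; the burst of 200 polling sessions and the two other flows are constructed input.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One normalised flow record: five-tuple plus counters and timing."""
    start: int        # epoch seconds of first packet
    end: int          # epoch seconds of last packet
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


@dataclass
class Superflow:
    """An aggregate standing in for many similar flows. The per-flow detail is
    gone; the totals, time span, flow count and port set are preserved."""
    src: str
    dst: str
    proto: str
    first_seen: int
    last_seen: int
    total_bytes: int
    total_packets: int
    flow_count: int
    dst_ports: set = field(default_factory=set)


def build_superflows(flows, window_s=60, threshold=50):
    """Roll up flows that share src, dst and protocol inside one time window
    when their number reaches the threshold; everything else passes through.

    Assumption: this is the idea of a superflow, not IBM's implementation.
    """
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.dst, f.proto, f.start // window_s)].append(f)

    records = []
    for (src, dst, proto, _bucket), group in buckets.items():
        if len(group) < threshold:
            records.extend(group)
            continue
        records.append(Superflow(
            src=src, dst=dst, proto=proto,
            first_seen=min(f.start for f in group),
            last_seen=max(f.end for f in group),
            total_bytes=sum(f.bytes for f in group),
            total_packets=sum(f.packets for f in group),
            flow_count=len(group),
            dst_ports={f.dst_port for f in group},
        ))
    return records


# Constructed input: 200 short polling sessions from one host to one server in
# the same minute, plus two unrelated flows. BASE is aligned to a 60 s boundary
# so the burst lands in a single window.
BASE = 1_700_000_040


def sample_flows():
    burst = [Flow(BASE + i // 4, BASE + i // 4 + 1, "10.1.1.5", "10.1.1.20",
                  443, "tcp", 120, 3) for i in range(200)]
    other = [
        Flow(BASE + 10, BASE + 40, "10.1.1.7", "10.1.1.20", 445, "tcp", 48_000, 60),
        Flow(BASE + 70, BASE + 75, "10.1.1.5", "52.23.4.1", 443, "tcp", 2_048, 9),
    ]
    return burst + other


if __name__ == "__main__":
    for rec in build_superflows(sample_flows()):
        print(rec)
```

Running it turns 202 input records into 3 stored records. That is the storage win, and also the caveat: once aggregated, you can no longer see the individual sessions, so a per-flow check (such as the beacon timing test) has to run on the raw flows before aggregation or rely on the superflow's count and time span.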

Figure 2 — QFlow data pipeline — packets to flow records
[Infographic: Raw packets (SPAN port, tap or NetFlow export) → QFlow collector (assembles conversations, normalises) → Superflows (high-volume aggregates, normal) → Flow records (stored in QRadar flow DB)]
The QFlow collector transforms raw packet streams into normalised flow records, grouping high-volume traffic into superflows.
QFlow Collector
Captures packets from a SPAN port or tap (or accepts NetFlow/IPFIX/sFlow) and emits normalised five-tuple flow records with byte and packet counts into QRadar.

QRadar Network Insights
A DPI appliance or VM that produces content flows with application-layer artifacts — TLS certs, DNS names, JA4 fingerprints, file hashes — in addition to standard flow metadata.

Superflow
An aggregated flow record created by QRadar to bundle many similar conversations in high-volume traffic into one record, preserving key metrics without storing every individual flow.

Asset Enrichment
The process by which QRadar uses incoming flow and event data to passively build a behaviour profile for each IP — open ports, applications, users, typical volume — without active scanning.

Quick check · Q2 of 10 · Remember

What is a QRadar superflow?

Correct: a. Superflows are created by QRadar to compress high-volume traffic: many similar conversations are rolled into one aggregated record preserving total bytes, packets and duration. Seeing a superflow flag is normal — it means the collector is managing volume correctly.
👉 So far: QFlow collector: SPAN/tap or NetFlow/IPFIX input → normalised flow records → superflows for high-volume traffic → stored in QRadar flow DB.

③ QRadar Network Insights (QNI) — application-layer visibility

QRadar Network Insights (QNI) is a dedicated appliance or virtual machine that performs deep packet inspection (DPI) and sends enriched content flows to QRadar alongside the standard flow records. Where a plain flow record only tells you '10.1.1.5 talked to 52.23.4.1 on port 443 for 30 seconds and sent 120 KB', a QNI content flow also extracts: the TLS certificate subject and issuer, the JA4 TLS fingerprint (supported in QRadar 7.5+), HTTP Host headers, DNS query names, User-Agent strings, and file hashes from transferred files.

QNI operates at two inspection levels. At Enriched level it adds metadata fields to flows. At Advanced level it also produces full content flows with extracted artifacts stored as QNI content flow records visible in the Network Activity tab. You enable the QNI flow source from the QRadar console; it is disabled by default. QNI also supports decoding ERSPAN-encapsulated traffic (from remote or cloud-based taps), extending visibility into hybrid environments.

The interview-critical point: QNI does not replace the correlation engine. It produces richer flow data that the Sense Analytics engine and your custom rules can act on — detecting beaconing, DNS tunnelling, certificate anomalies and data exfiltration that pure log analysis would miss.

Figure 3 — QNI content flow — artifacts extracted
[Infographic: QNI DPI → content flow → artifacts: JA4 TLS print, DNS query name, HTTP Host header, TLS cert subject, file hash, User-Agent string]
QRadar Network Insights extracts application-layer artifacts from one content flow and feeds them into QRadar and the asset profile.
Forgetting to enable the QNI flow source

QNI ships with its flow source disabled. If you deploy a QNI appliance and see no content flows in Network Activity, do not assume QNI is broken — check Admin ▸ Data Sources ▸ Flow Sources first and enable the source.

▶ Watch a suspicious beacon get caught by QNI

A compromised workstation calls home every hour. The detection path, step by step:

① Beacon fires. A compromised workstation sends a small HTTPS POST to an external C2 IP every 60 minutes. No firewall event is generated — the traffic is allowed outbound.
② QFlow captures. The QFlow collector on the SPAN port captures the packet stream and emits a flow record: internal IP → external IP, port 443, 2 KB outbound, 60-second interval.
③ QNI inspects. QNI performs DPI on the TLS session and extracts: JA4 fingerprint (matches a known Cobalt Strike pattern), certificate subject (self-signed, suspicious CN), and DNS resolution for the C2 domain.
④ Offense raised. QRadar correlates the periodic flow pattern + JA4 match + suspicious certificate into an offense. The analyst pivots from the offense to the QNI content flow for full artifact evidence.

Without QNI, the flow record from step ② still shows the periodic small-volume conversation, but the JA4, certificate and DNS evidence from step ③ is absent.
Quick check · Q3 of 10 · Apply

An analyst suspects DNS tunnelling but sees only normal-looking DNS query events in Log Activity. Which QNI artifact should they pivot to?

Correct: c. QNI extracts DNS query names from network traffic as content-flow artifacts. Pivoting to the DNS names in Network Activity (QNI content flows) reveals the full query strings — including unusually long or encoded subdomains that signal DNS tunnelling — which may not appear clearly in log events alone.
👉 So far: QNI = DPI appliance producing content flows with Layer-7 artifacts (JA4 TLS fingerprint, DNS names, HTTP headers, file hashes). Enable the flow source — it ships disabled.

④ Asset enrichment — how flows build the IP profile

Every flow that QRadar processes is also used to update the asset database. When QRadar sees a new source IP, it creates an asset record. As flows arrive, the asset accumulates: which ports it listens on, which protocols it uses, what applications it runs (from QNI DPI), which users are associated with it (from event correlation) and its typical traffic volume. This is passive asset discovery — no active scanning needed.

The enriched asset profile is what makes QRadar rules more precise. A rule like 'outbound connection to a known bad IP from an internal host' is much stronger when the asset profile confirms that host is a developer workstation (high risk) rather than an automated build server (expected external calls). QNI artifacts — certificate subjects, DNS names, observed applications — flow directly into the asset profile so analysts see the full picture without pivoting between tools.

Deploy and tune

Enable QNI flow sources from Admin ▸ Data Sources ▸ Flow Sources, set inspection level to Enriched or Advanced, and confirm the flow source appears in Network Activity. For large environments, scale QNI capacity with additional appliances (QNI 6500 or virtual equivalents). If flows are not appearing after adding a new QNI, check that the flow source is enabled — it ships disabled by default.

Figure 4 — Plain QFlow vs QNI — what each sees
[Infographic, two columns]
QFlow only: five-tuple (IP, port, proto); byte & packet counts; duration, start/end time; superflow aggregation; no application detail.
QFlow + QNI: all QFlow fields; JA4 TLS fingerprint; DNS names & HTTP headers; extracted file hashes; asset app-layer profile.
QFlow gives you who-talked-to-whom; QNI tells you what was inside the conversation at the application layer.

Arjun at a Mumbai fintech firm faces this

Arjun's SOC detects unusual data transfer volumes to an external IP late at night, but the perimeter firewall shows no blocked events and the SIEM offense queue is empty.

Likely cause

The firewall is logging only denied connections; allowed outbound traffic generates no log events. There are no flow-based correlation rules enabled on QRadar.

Diagnosis

Open the Network Activity tab and filter by the suspicious external IP and time range — large outbound byte counts appear in flow records even though Log Activity is silent. The asset profile for the internal host shows this behaviour is new.

QRadar console ▸ Network Activity ▸ filter dst IP + time window ▸ asset profile of src IP
Fix

Enable flow-based correlation rules (e.g. 'Excessive outbound data transfer') and confirm the QNI flow source is set to Enriched inspection so application context is captured. Add a building block that flags first-seen external IPs for an asset.

Verify

Re-test with a simulated large upload: a flow offense fires within minutes and the QNI content flow shows the destination domain and transferred volume, giving Arjun the evidence to escalate.
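Section ④ describes passive asset enrichment, section ③ describes the QNI artifacts that land in the profile, and Arjun's fix needs a first-seen external IP building block plus an excessive outbound transfer rule. The added example below (not the lesson's or IBM's code) covers all three with one small asset database: it ingests constructed content flows, learns listening ports and applications on the server side, keeps DNS names and certificate subjects on the client side, and returns alerts for a first-seen external peer and for a single oversized outbound transfer. The internal-network definition (RFC 1918 ranges) and the 50 MB threshold are assumptions; QRadar uses its configured network hierarchy and your own rule thresholds instead.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AssetProfile:
    """Passively learned picture of one internal IP."""
    ip: str
    listening_ports: set = field(default_factory=set)
    applications: set = field(default_factory=set)
    dns_names: set = field(default_factory=set)
    cert_subjects: set = field(default_factory=set)
    external_peers: set = field(default_factory=set)
    bytes_out_total: int = 0
    flows_seen: int = 0


# Assumption for this example: RFC 1918 space is "internal". QRadar decides this
# from its configured network hierarchy instead.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


class AssetDatabase:
    """Builds asset profiles from flow records and flags two conditions: a
    first-seen external peer for an asset, and an excessive outbound transfer."""

    def __init__(self, exfil_threshold_bytes=50_000_000):
        self.assets = {}
        self.exfil_threshold = exfil_threshold_bytes

    def _profile(self, ip):
        return self.assets.setdefault(ip, AssetProfile(ip))

    def observe(self, flow):
        """Update profiles from one (content) flow and return any alerts."""
        alerts = []
        src, dst = flow["src"], flow["dst"]

        if is_internal(src):
            p = self._profile(src)
            p.flows_seen += 1
            p.bytes_out_total += flow["bytes_out"]
            # QNI artifacts describe what the client reached; keep them on the client asset
            if flow.get("dns_name"):
                p.dns_names.add(flow["dns_name"])
            if flow.get("tls_cert_subject"):
                p.cert_subjects.add(flow["tls_cert_subject"])
            if not is_internal(dst):
                if dst not in p.external_peers:
                    alerts.append(f"first-seen external peer {dst} for asset {src}")
                    p.external_peers.add(dst)
                if flow["bytes_out"] >= self.exfil_threshold:
                    alerts.append(f"excessive outbound transfer {flow['bytes_out']} B {src} -> {dst}")

        if is_internal(dst):
            # the server side learns its listening port and, from QNI, the application
            p = self._profile(dst)
            p.listening_ports.add(flow["dst_port"])
            if flow.get("application"):
                p.applications.add(flow["application"])

        return alerts

    def ingest(self, flows):
        alerts = []
        for f in flows:
            alerts.extend(self.observe(f))
        return alerts


# Constructed content flows (invented addresses, names and sizes): plain QFlow
# fields plus the optional artifact fields a QNI content flow would add.
SAMPLE_CONTENT_FLOWS = [
    {"src": "10.1.1.5", "dst": "10.1.1.20", "dst_port": 445, "proto": "tcp",
     "bytes_out": 48_000, "application": "SMB"},
    {"src": "10.1.1.5", "dst": "52.23.4.1", "dst_port": 443, "proto": "tcp",
     "bytes_out": 2_048, "dns_name": "updates.example.net",
     "tls_cert_subject": "CN=updates.example.net"},
    {"src": "10.1.1.5", "dst": "52.23.4.1", "dst_port": 443, "proto": "tcp",
     "bytes_out": 1_900, "dns_name": "updates.example.net",
     "tls_cert_subject": "CN=updates.example.net"},
    # late-night upload to a peer this asset has never contacted before
    {"src": "10.1.1.5", "dst": "203.0.113.23", "dst_port": 443, "proto": "tcp",
     "bytes_out": 120_000_000, "dns_name": "drop.example",
     "tls_cert_subject": "CN=drop.example"},
]


if __name__ == "__main__":
    db = AssetDatabase()
    for alert in db.ingest(SAMPLE_CONTENT_FLOWS):
        print("ALERT:", alert)
    for asset in db.assets.values():
        print(asset)
```

Note that the second flow to 52.23.4.1 raises nothing: the peer is already in the profile, which is exactly why a first-seen check is quiet for routine update traffic and loud for the new drop host. Only internal addresses get a profile; the external peers are recorded on the asset that contacted them.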

Confirm asset enrichment is working

After enabling QNI, open an asset profile for an active internal IP (Assets ▸ select host). If QNI is feeding data correctly, you will see observed services, application names and, at Advanced inspection level, DNS names and TLS certificate subjects populated automatically — no active scan required.

Quick check · Q4 of 10 · Analyze

After enabling QNI on QRadar, flows are not appearing in the Network Activity tab. What is the most likely first thing to check?

Correct: d. IBM documentation states that when a QNI host is added, a flow source is created but is disabled by default. The first check is always: Admin ▸ Data Sources ▸ Flow Sources — find the QNI source and confirm it is enabled.
👉 So far: Every flow updates the asset database passively — open ports, apps, users, typical volume. Enriched assets make correlation rules far more precise without active scanning.


📝 Wrap-up assessment — six more


Q5 · Remember

Which QRadar tab shows network flow records rather than log events?

Correct: c. Network Activity is the QRadar tab that displays flow records captured by the QFlow collector and QNI content flows. Log Activity shows parsed log events. Both feed the correlation engine that raises offenses.
Q6 · Understand

What makes QNI content flows different from standard QFlow records?

Correct: a. QNI performs deep packet inspection to produce content flows enriched with application-layer artifacts: JA4 TLS fingerprints, certificate subjects, DNS query names, HTTP headers and file hashes. Standard QFlow records only carry the five-tuple plus byte/packet counts.
Q7 · Apply

A SOC analyst suspects a host is beaconing to a C2 server every hour. The firewall shows no denied events. Which first step gives the best evidence?

Correct: c. Beacons generate flows even when the firewall allows the traffic and generates no log event. Filtering Network Activity by source IP reveals the periodic conversation pattern — same dst IP, same small byte count, repeating every ~60 minutes — which is the textbook beacon signature in flow data.
Q8 · Analyze

An asset profile in QRadar suddenly shows a new application and open port that was not there yesterday. What most likely caused this change?

Correct: d. QRadar passively enriches asset records from incoming flow data and QNI content flows — no active scan is needed. A new application or port appearing in the asset profile means QRadar observed that traffic in recent flows and updated the profile automatically.
Q9 · Evaluate

A QNI appliance is deployed on QRadar but analysts report no application-layer data in content flows. What is the strongest corrective action?

Correct: a. IBM documentation is explicit: the QNI flow source is disabled by default and content flows are only generated at Enriched or Advanced inspection levels. Enabling the flow source and setting the correct inspection level is the direct fix before investigating hardware or licensing issues.
Q10 · Evaluate

Why are superflows considered normal and not an error in QRadar?

Correct: c. Superflows are deliberately created by QRadar to manage storage for high-throughput environments. They bundle many similar conversations into one aggregated record keeping total bytes, packets and duration. This is correct behaviour — seeing a superflow flag means the collector is handling volume correctly, not that something is broken.

🧠 In your own words

Type one line: how does QNI differ from the QFlow collector, and why do you need both? Then compare with the expert version.

Expert version: The QFlow collector captures raw packets and produces five-tuple flow records — who talked to whom, for how long and how many bytes — but has no visibility into what was inside those conversations at the application layer. QRadar Network Insights (QNI) adds deep packet inspection on top of those same flows, extracting application-layer artifacts such as TLS certificate subjects, JA4 fingerprints, DNS query names and file hashes. You need both because flow records alone can detect beaconing patterns and large data transfers, while QNI content flows provide the evidence — 'this session used a JA4 fingerprint matching Cobalt Strike and a self-signed certificate' — that turns a suspicious pattern into a confirmed threat indicator and feeds the asset profile with real application context.


📖 Glossary

Flow record
A network conversation record: five-tuple (src/dst IP, src/dst port, protocol) plus byte count, packet count, start and end time. Produced by the QFlow collector from raw packets or NetFlow/IPFIX exports.
QFlow collector
The QRadar component that captures packets from a SPAN port or tap (or accepts NetFlow/IPFIX/sFlow) and emits normalised flow records to QRadar.
Superflow
An aggregated flow record that bundles many similar conversations in high-volume traffic into one record, preserving total byte/packet counts. Normal and expected in busy environments.
QRadar Network Insights (QNI)
A DPI appliance or VM that produces content flows enriched with application-layer artifacts: JA4 TLS fingerprints, DNS query names, certificate subjects, file hashes and HTTP headers.
Content flow
A QNI-enriched flow record containing application-layer artifacts extracted from deep packet inspection, visible in the Network Activity tab at Enriched or Advanced inspection level.
JA4 fingerprint
A TLS client fingerprint (based on ClientHello fields) supported in QRadar 7.5+ that identifies TLS clients — including known malware families — even when IPs and domains change.
Passive asset discovery
The process by which QRadar automatically builds and updates asset profiles (open ports, applications, users, traffic patterns) from incoming flow and event data without active scanning.
Five-tuple
The identifying key of a network flow: source IP, destination IP, source port, destination port and protocol (e.g. TCP/UDP).

📚 Sources

  1. IBM — QRadar Network Insights overview (QRadar 7.5.0). ibm.com/docs/en/qsip/7.5.0?topic=insights-qradar-network-overview
  2. IBM Support — Flows and QRadar Network Insights: enhancing visibility into network traffic (Open Mic). ibm.com/support/pages/lets-talk-about-how-flows-and-qradar-network-insights-can-enhance-visibility-your-network-traffic-open-mic
  3. IBM — What's new in QRadar 7.5.0 — JA4 TLS fingerprinting, multi-threaded QFlow, ERSPAN support. ibm.com/docs/en/qsip/7.5.0?topic=users-whats-new-in-qradar-750
  4. IBM Support — QRadar Network Insights: how to view QNI content flows from the Network Activity tab. ibm.com/support/pages/qradar-network-insights-how-view-qni-content-flows-network-activity-tab
  5. IBM Support — QRadar QNI — NPCAP — QIForensics deployment explanation. ibm.com/support/pages/qradar-qni-npcap-qiforensics-deployment-explanation
  6. IBM — IBM QRadar Fundamentals of Flows (Open Mic presentation). ibm.com/support/pages/sites/default/files/inline-files/$FILE/Open%20Mic%20-%20QRadar%20Fundamentals%20of%20Flows.pdf

What's next?

Understand flows? Next, go deep on QRadar offenses — how the correlation engine assembles events, flows and anomalies into a single scored offense and what makes a good offense-closing workflow.