
Flowmon ADS

Aggregated View

  • Last Updated: April 5, 2026

The aggregated view presents the events of a particular device graphically, laid out over time.

Each type of event in which the device takes part during the respective time period is represented by one line, called a swimline. Event occurrences are represented by colored rectangles in the corresponding swimline. Depending on the selected scale, neighboring events are aggregated into one rectangle. The length of the rectangle corresponds to the duration of the event. Time is shown on the x-axis. The alternation of night and day is also displayed.

Computing the details of an aggregated event that consists of more than 25 events is accelerated by sampling. When sampling is used, the event shows information about the lower accuracy of the data.

Example of the Aggregated event view

Data filtering

Data in the chart can be filtered by search criteria. For clarity, the search criteria are divided into basic criteria (which are always displayed) and advanced criteria (which are available after clicking the More Filters button). The following search criteria are available:

  • Date: The period for which information is displayed in the Aggregated view. The period can be specified directly or chosen from an associated calendar (Custom time interval).

  • Perspective: The events are displayed according to the selected priority.

  • Source IP: Displays events only for the IP addresses specified in this field. It is possible to enter IP addresses in the following formats:

    • Single IP address, for IP versions 4 and 6 (for example, 192.168.2.1, 2001:db8::beef), or a comma-separated list of single IP addresses

    • Network address or mask, for IP versions 4 and 6 (for example, 192.168.1.0/24, fc00::/7)

    • Range of IP addresses, for IP versions 4 and 6 (for example, 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)

    • Wildcard notation for IPv4 addresses (enumeration, range, all). Only a single wildcard can be used in one IP address. Examples:

      • 192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1, and 192.168.20.1

      • 10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0, and 10.3.0.0

      • 172.16.*.1: Same as 172.16.[0-255].0

  • Data feeds: Allows you to display only events that were detected by inspecting the flows from the specified data feed.

  • Methods: Displays only specified events in the Aggregated view.

  • Filters: It is possible to specify the sources of events by choosing a defined filter.

  • Event categories: Displays only events that are part of the selected category.

  • MITRE ATT&CK techniques: Allows you to display only events that have selected MITRE ATT&CK techniques assigned. To filter according to MITRE ATT&CK tactics, you must select all techniques under the desired tactic. Note that the list of techniques does not contain all the MITRE ATT&CK techniques but only those that the Anomaly Detection System can detect.

  • Applications: Only displays events if their source/target IP addresses are associated with the selected applications.
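The Source IP formats listed above can be checked offline before an expression is entered in the filter. The following Python matcher is an added example, not Flowmon code: it tests an address against an expression written in those formats. The function names are hypothetical, and accepting every format inside a comma-separated list, as well as treating * as [0-255] in its own octet, are assumptions.

```python
import ipaddress
import re

# One wildcard token: {enumeration}, [range] or * (IPv4 only, per the list above).
WILDCARD = re.compile(r"\{[\d,]+\}|\[\d+-\d+\]|\*")

def _octet_values(token):
    """Expand a wildcard token into the set of octet values it allows."""
    if token == "*":
        return set(range(256))  # assumption: * covers 0-255 in its own octet
    if token.startswith("{"):
        return {int(v) for v in token[1:-1].split(",")}
    lo, hi = map(int, token[1:-1].split("-"))
    return set(range(lo, hi + 1))

def _term_matches(term, ip):
    """Test one filter term (wildcard, CIDR, range or single address)."""
    wildcards = WILDCARD.findall(term)
    if wildcards:
        parts = term.split(".")
        if len(wildcards) != 1 or len(parts) != 4:
            raise ValueError(f"expected IPv4 with exactly one wildcard: {term!r}")
        if ip.version != 4:
            return False
        for part, octet in zip(parts, str(ip).split(".")):
            allowed = _octet_values(part) if WILDCARD.fullmatch(part) else {int(part)}
            if int(octet) not in allowed:
                return False
        return True
    if "/" in term:
        return ip in ipaddress.ip_network(term, strict=False)
    if "-" in term:
        lo, hi = (ipaddress.ip_address(p) for p in term.split("-"))
        return lo.version == ip.version == hi.version and lo <= ip <= hi
    return ip == ipaddress.ip_address(term)

def source_ip_matches(expr, address):
    """True if address satisfies a Source IP filter expression."""
    ip = ipaddress.ip_address(address)
    terms = re.split(r",(?![^{]*\})", expr)  # commas inside {...} are not separators
    return any(_term_matches(t.strip(), ip) for t in terms)

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real deployment.
    for expr, addr in [("192.168.{1,3,20}.1", "192.168.3.1"),
                       ("10.0.1.2-10.0.1.10", "10.0.1.11"),
                       ("fc00::/7", "fd12::1")]:
        print(f"{expr:22} {addr:14} -> {source_ip_matches(expr, addr)}")
```
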

Visualization interaction

Zoom

Users can zoom in on the visualization by holding the left mouse button and selecting the requested time interval directly in the chart. The Undo and Redo icons on the right side above the visualization step through changes in the scale. The magnifier icons with Plus and Minus inside change the size of the colored rectangles in the swimline.
