Event Detail
- Last Updated: April 5, 2026
- Flowmon Anomaly Detection System
The Event detail view is available through the context menu that you activate by clicking the three dots icon at the end of the row of a detected event. Another way to open the Event detail view is to click the ID of a detected event. Event details include all available information related to an event (for detailed descriptions, see the section below).
Event-related actions
Buttons for the following actions are in the header of the Event detail window.
- Copy event ID: Copies the event ID to the clipboard.
- Dock window: Opens the event detail in a new ADS tab.
- Three dots: Opens the context menu for the event. The context menu is only available for events detected by the Anomaly Detection System.
Information in an Event detail
The information available in Event detail differs based on whether an event is detected by the Anomaly Detection System or received by the IDS collector. Both types of events share the following information:
- Type: Type of event - a reference to the detection method that detected the event, or the name of the IDS category to which the signature (on which the detection was based) belongs.
- Detail: Detailed information on the event.
- Detection time: Date and time when the event was detected.
- Last update: Date and time when the event was last updated.
- First Flow: Timestamp of the first flow on which the event detection was based.
- Event source: Originator of the event (IP address).
- User identity: User ID obtained from a domain controller (for more information see the Flowmon collector documentation).
The following information is only available for events detected by the Anomaly Detection System:
- Subtype: Name of the subtype of the method that detected the event. This field also contains a description of the subtype explaining the meaning of the detected event.
- MITRE ATT&CK: MITRE ATT&CK tactics and techniques assigned to the detected event (for more information see the chapter MITRE ATT&CK framework). The names of the tactics/techniques are clickable. Clicking one displays a prompt warning that you are being redirected to an external page: the official MITRE ATT&CK framework pages describing the selected tactic/technique. The prompt can be disabled for future redirects and enabled again in Settings → System Settings → User preferences (see the User Preferences chapter).
- Captured source hostname: DNS name assigned to the IP address at the time of event detection.
- MAC address: The most frequently observed MAC address associated with the event source IP.
- Probability: Probability of event detection, as assigned by the detection method.
- False positive: Indicates whether the event is a false positive according to the false positive rules currently in effect. An event can be marked as a false positive with the Mark as false positive option in the context menu. When marking an event, you must enter the expiration time of the false positive rule (individual days of the week, time tolerance). While the rule is in effect, events of the same type and originator are not generated.
- Detected by instance: Name of the detection method instance that generated the event.
- Data feed: Flow data source on which the event was generated.
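The false positive field above describes a suppression rule keyed on event type and originator, bounded by an expiration time and restricted to selected days of the week. The following is an added illustration of that matching logic, not Flowmon's own implementation: the rule shape (type, source IP, expiry, weekday set) and the sample events are constructed here, and the "time tolerance" option is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FalsePositiveRule:
    """Assumed shape of a false positive rule (not Flowmon's data model)."""
    event_type: str        # the event's Type (detection method)
    source_ip: str         # the Event source (originator IP)
    expires_at: datetime   # expiration time entered when marking the event
    weekdays: frozenset    # Python weekday numbers, Monday=0 .. Sunday=6


@dataclass(frozen=True)
class Event:
    event_type: str
    source_ip: str
    detection_time: datetime


def rule_in_effect(rule: FalsePositiveRule, at: datetime) -> bool:
    """A rule is in effect before its expiry and only on its selected weekdays."""
    return at < rule.expires_at and at.weekday() in rule.weekdays


def is_suppressed(event: Event, rules) -> bool:
    """True if an in-effect rule matches the event's type and originator,
    i.e. the event would not be generated while the rule is in effect."""
    return any(
        rule_in_effect(r, event.detection_time)
        and r.event_type == event.event_type
        and r.source_ip == event.source_ip
        for r in rules
    )


# Constructed sample: suppress "SCAN" events from 10.0.0.5 on weekdays until end of April 2026.
SAMPLE_RULES = [
    FalsePositiveRule("SCAN", "10.0.0.5", datetime(2026, 4, 30, 23, 59),
                      frozenset({0, 1, 2, 3, 4})),
]

# Constructed sample events (2026-04-07 is a Tuesday, 2026-04-05 a Sunday).
SAMPLE_EVENTS = [
    Event("SCAN", "10.0.0.5", datetime(2026, 4, 7, 10, 0)),   # matches, weekday
    Event("SCAN", "10.0.0.5", datetime(2026, 4, 5, 10, 0)),   # Sunday: rule not in effect
    Event("SCAN", "10.0.0.5", datetime(2026, 5, 1, 10, 0)),   # rule expired
    Event("SCAN", "10.0.0.6", datetime(2026, 4, 7, 10, 0)),   # different originator
    Event("DOS", "10.0.0.5", datetime(2026, 4, 7, 10, 0)),    # different type
]


def suppressed_flags():
    """Evaluate every sample event against the sample rules."""
    return [is_suppressed(e, SAMPLE_RULES) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, flag in zip(SAMPLE_EVENTS, suppressed_flags()):
        print(e.event_type, e.source_ip, e.detection_time, "suppressed" if flag else "kept")
```

Only the first sample event is suppressed; the others fail on the weekday restriction, the expiry, the originator or the type, which is the behaviour the field description implies.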
The following information is available only for events received by the IDS collector:
- Source port: Source port of the communication on which the detection was performed.
- Destination port: Destination port of the communication on which the detection was performed.
- Log source interface: Name of the interface where the event was detected.
- Log source IP: IP address of the source where the event was detected.
Some information is also structured in tabs. As above, some tabs are available for both event types (those detected by the Anomaly Detection System and those received by the IDS collector). These are the following:
- Targets: Event targets (a list of IP addresses). The targets can be grouped by country, address prefix, or application.
- Attributes: Each event consists of attributes that provide additional information about the detected event. The attributes vary depending on the detection method and the event type (detected by the Anomaly Detection System or received by the IDS collector). The values of the most important attributes of ADS events are also included in the text string displayed in the Detail field.
- Related IDS events: Shows events from the IDS Collector module that may be related to the ADS event. By default, the source IP of the ADS event is used to search IDS events (Search by source IP option): an IDS event is selected if the ADS event's source IP equals the IDS event's source or destination IP. Similarly, IDS events can be searched by the ADS event's target IPs (Search by destination IPs option): an IDS event is selected if any target of the ADS event equals the IDS event's source or destination IP. If both options are unchecked, IDS events with any source or destination IP are selected. In all cases, IDS events are searched in the time interval Detection time +/- 10 minutes.
Tabs available only for events detected by the Anomaly Detection System:
- Comments: A comment can be attached to every event. Comments are ordered chronologically. A comment always includes the author (User) and the timestamp of its insertion (Time). Comments can be changed (pencil icon) or deleted (dustbin icon), depending on the author and the currently logged-on user. It is always possible to add a new comment (New comment).
- Categories: Event details also include event categories. A category always includes the author (User) and the timestamp (Time). Individual categorizations can be added or removed using the Manage categories button. Note that event categories can also be managed through the Manage event categories option of the context menu.
- Event evidence: Displays the flows from which the event was detected. For more information see the Event evidence chapter.
Tabs available only for events received by the IDS collector:
- Related flows: Events that are received by the IDS collector are detected based on the Full Packet Capture approach (in contrast to the Anomaly Detection System that uses flow data). The section Related flows, therefore, displays flows that correspond to the packets, on which the detection was performed.