By Hosts
- Last Updated: April 5, 2026
The By Hosts page provides a table view of events grouped by their sources and targets. The result table is sorted by IP address. The information for each IP address consists of the number of events in which that address is the source or the target of the event. From there, you can view a list of event types related to the respective IP address. Specific events can be displayed in a separate table for each event type. This table includes the same data as the event table Events → Simple list.
When any Perspective is selected, the IP addresses in the result table will be augmented and sorted by the Threat score. The Threat score is an abstract number used to rank hosts according to the threat they might pose to the network. The score is calculated from various aspects such as the number and priority of events, number of targets, MITRE tactics used, and number of different methods.
Data filtering
You can filter the data in the By Hosts view using the search criteria below. For clarity, the criteria are divided into basic search criteria (which are always displayed) and advanced search criteria (which are available after clicking More Filters). The following search criteria are available:
- Date: The relevant period for displaying the events in the Simple list. You can specify the period directly or choose it from an associated calendar (Custom time interval).
- Perspective: Assigns the priority to the events according to the chosen perspective.
- IP addresses: Displays only IP addresses that are specified in this field. It is possible to specify the IP addresses in the following formats:
  - Single IP address: for IP versions 4 and 6 (for example, 192.168.2.1, 2001:db8::beef) or a comma-separated list of single IP addresses
  - Network address or mask: for IP versions 4 and 6 (for example, 192.168.1.0/24, fc00::/7)
  - Range of IP addresses: for IP versions 4 and 6 (for example, 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)
  - Wildcard notation for IPv4 addresses (enumeration, range, all): only a single wildcard can be used in one IP address. Examples:
    - 192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1, and 192.168.20.1
    - 10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0, and 10.3.0.0
    - 172.16.*.1: Same as 172.16.[0-255].1
- IP role: Specifies whether the IP addresses from the field above should be searched in the event sources, event targets, or in both of them. The default option is to search in both of them.
- Number of events: Allows you to filter IP addresses by the number of related events.
- Data feeds: Allows you to display only IP addresses that are related to events that were detected by inspecting the flows from the specified data feed.
- Methods: Displays only the events that match the selected detection methods.
- Filters: Allows you to specify IP addresses by choosing a filter (this criterion can be used together with the IP addresses field).
- Event categories: Displays only events that are part of selected categories.
- MITRE ATT&CK techniques: Allows you to display only events that have selected MITRE ATT&CK techniques assigned. To filter according to MITRE ATT&CK tactics, you must select all techniques under the desired tactic. Note that the list of techniques does not contain all the MITRE ATT&CK techniques but only those that the Anomaly Detection System can detect.
- Applications: Displays only events whose source or target IP addresses are associated with the selected applications.
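The formats accepted by the IP addresses criterion above can be checked offline with a small matcher before a filter expression is entered. This is an added example, not Flowmon code: `filter_matches` and its helpers are hypothetical names, and accepting a comma-separated mix of all term types is an assumption beyond what the page states.

```python
import ipaddress
import re

# The three IPv4 wildcard forms listed above: {enumeration}, [range], * (all).
WILDCARD = re.compile(r"\{([\d,]+)\}|\[(\d+)-(\d+)\]|\*")

def octet_values(token):
    """Set of values one IPv4 octet may take: plain number or a wildcard."""
    m = WILDCARD.fullmatch(token)
    if m is None:
        vals = {int(token)}                      # ValueError if not numeric
    elif token == "*":
        vals = set(range(256))
    elif m.group(1):
        vals = {int(v) for v in m.group(1).split(",")}
    else:
        vals = set(range(int(m.group(2)), int(m.group(3)) + 1))
    if not vals or not all(0 <= v <= 255 for v in vals):
        raise ValueError(f"bad octet: {token!r}")
    return vals

def term_matcher(term):
    """Build a predicate (address -> bool) for one filter term."""
    if WILDCARD.search(term):
        octets = term.split(".")
        if len(octets) != 4 or len(WILDCARD.findall(term)) != 1:
            raise ValueError(f"exactly one wildcard per IPv4 address: {term!r}")
        allowed = [octet_values(o) for o in octets]
        return lambda ip: ip.version == 4 and all(
            b in a for b, a in zip(ip.packed, allowed))
    if "/" in term:                              # network address with mask
        net = ipaddress.ip_network(term, strict=False)
        return lambda ip: ip in net
    if "-" in term:                              # inclusive address range
        lo, hi = (ipaddress.ip_address(p) for p in term.split("-"))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {term!r}")
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    addr = ipaddress.ip_address(term)            # single IPv4 or IPv6 address
    return lambda ip: ip == addr

def filter_matches(expr, ip):
    """True if ip matches any term of expr (assumed: terms may be comma-separated)."""
    ip = ipaddress.ip_address(ip)
    terms = re.split(r",(?![^{]*\})", expr)      # split on commas outside {...}
    matchers = [term_matcher(t.strip()) for t in terms]  # validate every term
    return any(m(ip) for m in matchers)
```

A malformed term, such as an address with two wildcards, raises `ValueError` instead of silently matching nothing.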