Simple List
- Last Updated: April 5, 2026
The Simple list offers a view of events in the form of a simple list (events table). It is primarily sorted by the time of the creation of an event. To display the Event details of an event with a known ID, use the search dialog which is available when you click the magnifying glass icon in the upper-right corner of the screen. The results of the query are divided into pages. One page contains a maximum of 500 items of the result. The result is a table that includes the following items:
- Row number (#): Number of the table row.
- ID: Unique identification number of the detected event. Clicking the icon on the right side of the ID opens a new browser tab with event details that can be shared using the URL.
- Detection time: Date and time when a particular event was detected.
- Priority: Priority of events according to selected Perspective.
- Event type: The type of event - a reference to the detection method that recognized the event.
- Event subtype: The name of the method subtype. The purpose of this column is to clarify the meaning of the detected event.
- MITRE ATT&CK tactic: The name of the tactic the event belongs to.
- MITRE ATT&CK techniques: The name of the technique the detected event belongs to.
- Source: The event originator (IP address).
- Detail: Detailed information about the event.
- Targets: Event targets (a list of IP addresses). A maximum of 4 items are shown in the table. If more targets are associated with the event, they are available by clicking the ... more button.
- Applications: Applications associated with source/target IP addresses of the event. A maximum of four items are shown in the table. If more applications are associated with the event, they are available by clicking ... more.
- Data feed: Name of the data feed where the event has been generated.
- Method Instance: Name of the detection method instance that generated the event.
- Comments: Comma-separated user comments.
- Categories: Comma-separated categories defined by the user.
It is possible to export all filtered events (up to 10,000 events) to a CSV file using the Export events to a CSV file button. This button is located under the search criteria section. You can open the current event list in a new browser tab by clicking the Open in a new tab button.
Data filtering
It is possible to filter data in the table according to corresponding search criteria. For clarity, the search criteria are divided into basic criteria (which are always displayed) and advanced criteria (which are available after clicking More Filters). Search criteria can be shared using the URL after applying the specified criteria. The following search criteria are available:
- Date: The relevant period for displaying the events in the Simple list. You can specify the period directly or choose it from an associated calendar (Custom time interval).
- Perspective: Assigns the priority to the events according to the chosen perspective.
- Source IP: Only displays events where the originator of the event is the IP address specified in this field. It is possible to enter IP addresses in the following formats:
  - Single IP address: for the IP version 4 and 6 (for example, 192.168.2.1, 2001:db8::beef) or a comma-separated list of single IP addresses
  - Network address or mask: for the IP version 4 and 6 (for example, 192.168.1.0/24, fc00::/7)
  - Range of IP addresses: for the IP version 4 and 6 (for example, 10.0.1.2-10.0.1.10, fe80::-fe80::ffff)
  - Wildcard notation for IPv4 addresses (enumeration, range, all): only a single wildcard can be used in one IP address. Examples:
    - 192.168.{1,3,20}.1: IP addresses 192.168.1.1, 192.168.3.1, and 192.168.20.1
    - 10.[1-3].0.0: IP addresses 10.1.0.0, 10.2.0.0, and 10.3.0.0
    - 172.16.*.1: Same as 172.16.[0-255].0
- Targets: Only displays events whose targets are associated with the IP addresses specified in this field. It is possible to specify IP addresses in the same format that is described above for the Source IP field.
- Data feeds: Only displays events that were detected by inspecting the flows from the specified data feed.
- Methods: Only displays specified events in the Simple list.
- Filters: Specify the sources of events by choosing a defined filter.
- Event categories: Only displays events that are part of selected categories.
- MITRE ATT&CK techniques: Only displays events that have the selected MITRE ATT&CK techniques assigned. To filter according to MITRE ATT&CK tactics, you must select all techniques under the desired tactic. Note that the list of techniques does not contain all the MITRE ATT&CK techniques but only those that the Anomaly Detection System is able to detect.
- Applications: Only displays events if their source/target IP addresses are associated with the selected applications.
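The address notation accepted by the Source IP and Targets fields, as an added example in Python (not the product's own code): a matcher that applies the same formats to one address, for instance to re-check source IPs in an exported CSV offline. The function names are hypothetical, `*` is assumed to cover 0-255 in its octet, and accepting networks and ranges inside a comma-separated list goes beyond what the page states.

```python
import ipaddress
import re

# Wildcard tokens from the page: {a,b} enumeration, [lo-hi] range, * for all.
WILDCARD = re.compile(r"\{[\d,]+\}|\[\d+-\d+\]|\*")


def octet_values(token):
    """Expand one wildcard token into the set of octet values it allows."""
    if token == "*":
        return set(range(256))  # assumption: * covers 0-255 in its octet
    if token[0] == "{":
        return {int(v) for v in token[1:-1].split(",") if v}
    lo, hi = map(int, token[1:-1].split("-"))
    return set(range(lo, hi + 1))


def match_wildcard(expr, addr):
    """Match an IPv4 address against an expression with one wildcard octet."""
    parts = expr.split(".")
    if len(WILDCARD.findall(expr)) != 1 or len(parts) != 4:
        raise ValueError(f"expected four octets and one wildcard: {expr!r}")
    if addr.version != 4:
        return False
    return all(
        octet in (octet_values(p) if WILDCARD.fullmatch(p) else {int(p)})
        for p, octet in zip(parts, addr.packed)
    )


def matches(expr, ip):
    """Return True if `ip` satisfies `expr`, written in the page's formats."""
    addr = ipaddress.ip_address(ip)
    expr = expr.replace(" ", "")
    if WILDCARD.search(expr):
        return match_wildcard(expr, addr)
    for item in expr.split(","):
        if "/" in item:  # network address with prefix length or mask
            hit = addr in ipaddress.ip_network(item, strict=False)
        elif "-" in item:  # inclusive range, both ends the same IP version
            lo, hi = map(ipaddress.ip_address, item.split("-"))
            hit = lo.version == addr.version == hi.version and lo <= addr <= hi
        else:  # single address
            hit = ipaddress.ip_address(item) == addr
        if hit:
            return True
    return False
```

An expression with more than one wildcard raises `ValueError`, mirroring the single-wildcard rule stated in the list above.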