Difference between event detail and event evidence
Explanation of the possible differences between the event detail and the event evidence in the Flowmon ADS module.
Product: Flowmon ADS
An event is detected, but the flow data shown in the event evidence does not match the information given in the event detail.
Steps to Reproduce:
By default, the event evidence contains only flow data queried from the Monitoring Center. That query usually filters flows only by the source and target IP addresses of the event, so the listing typically contains more flows than just the ones that caused the detection: it shows the broader context of the communication between the detected IP addresses, including traffic that never matched the detection rule.
It is possible to enable the "Attached flows" feature (ADS - Settings - System settings - Storage settings - Attach flow). When it is enabled, ADS stores up to 20 flows with every event, and these are the flows that actually caused the detection.
Note that enabling this feature consumes space in the ADS database and can slow ADS down, so check the free space before turning it on.
A difference between the event detail and the event evidence can also be caused by proxy correlation being enabled on the ADS data feed. The Monitoring Center, which is the source of the flow data shown in the event evidence, does not perform proxy correlation, so the flows it lists are uncorrelated. ADS detection, on the other hand, performs the correlation and evaluates the correlated flow data, so the addresses and flows reported in the event detail can differ from what the evidence listing shows.
Uncorrelated flow data:
Correlated flow data:
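Both effects described above (an evidence listing selected by IP address versus the flows that matched the detection rule, and uncorrelated versus proxy-correlated flow data) are modelled in the following added Python example. It is not part of the original article and not Flowmon code: the flow records are constructed sample data, the port-scan rule is hypothetical, the evidence query is assumed to select every flow that involves the event's source or target address, and proxy correlation is assumed to pair a client-to-proxy flow with the proxy-to-server flow that starts shortly after it. Only the 20-flow attach limit comes from the article.

```python
"""Model of why Flowmon ADS event evidence can differ from the event detail.

Added illustration only, not Flowmon code. Flow records are constructed
sample data, the port-scan rule is hypothetical, the evidence query is
assumed to select every flow involving the event's source or target address,
and proxy correlation is assumed to pair client->proxy and proxy->server
flows by start time. Only the 20-flow attach limit comes from the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ATTACH_FLOW_LIMIT = 20  # "Attached flows" stores at most 20 flows per event

CLIENT, TARGET = "10.0.0.5", "192.168.1.10"
PROXY, PROXY_PORT, EXTERNAL = "10.0.0.250", 3128, "203.0.113.7"


@dataclass(frozen=True)
class Flow:
    start: float   # seconds since the start of the capture window (constructed)
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags seen: "S" = SYN only, "SA" = completed handshake
    packets: int


# Constructed sample flows: a SYN scan from CLIENT against TARGET, legitimate
# traffic between the same two hosts, and one HTTPS session that goes through
# an explicit web proxy (two separate flows in the uncorrelated view).
FLOWS: List[Flow] = (
    [Flow(float(t), CLIENT, TARGET, 1000 + t, "S", 1) for t in range(25)]
    + [Flow(1.5, CLIENT, TARGET, 22, "SA", 340),
       Flow(9.2, TARGET, CLIENT, 49152, "SA", 12)]
    + [Flow(30.0, CLIENT, PROXY, PROXY_PORT, "SA", 60),
       Flow(30.4, PROXY, EXTERNAL, 443, "SA", 58)]
)


def detect_port_scan(flows: List[Flow], threshold: int = 20) -> Optional[Dict]:
    """Hypothetical detection rule: one source opening SYN-only flows to at
    least `threshold` distinct ports on one target. Returns the event together
    with the exact flows that matched the rule, or None."""
    probes: Dict[Tuple[str, str], List[Flow]] = {}
    for f in flows:
        if f.flags == "S":
            probes.setdefault((f.src, f.dst), []).append(f)
    for (src, dst), matched in probes.items():
        if len({f.dport for f in matched}) >= threshold:
            return {"source": src, "target": dst, "triggering": matched}
    return None


def evidence_listing(flows: List[Flow], event: Dict) -> List[Flow]:
    """Default event evidence (assumed query): every Monitoring Center flow in
    which the event's source or target address appears, whether or not that
    flow matched the detection rule."""
    ips = {event["source"], event["target"]}
    return [f for f in flows if f.src in ips or f.dst in ips]


def attached_flows(event: Dict, limit: int = ATTACH_FLOW_LIMIT) -> List[Flow]:
    """'Attached flows': the flows that really caused the detection, capped."""
    return event["triggering"][:limit]


def correlate_proxy(flows: List[Flow], proxy: str, proxy_port: int,
                    max_gap: float = 1.0) -> List[Flow]:
    """Assumed proxy correlation: a client->proxy flow and the proxy->server
    flow starting within `max_gap` seconds after it become one client->server
    flow. Flows that cannot be paired pass through unchanged."""
    inbound = [f for f in flows if f.dst == proxy and f.dport == proxy_port]
    outbound = [f for f in flows if f.src == proxy]
    matched, correlated = set(), []
    for i in inbound:
        for o in outbound:
            if o not in matched and 0 <= o.start - i.start <= max_gap:
                matched.update((i, o))
                correlated.append(Flow(i.start, i.src, o.dst, o.dport, o.flags, i.packets))
                break
    passthrough = [f for f in flows if f not in matched]
    return passthrough + correlated


def flows_between(flows: List[Flow], src: str, dst: str) -> List[Flow]:
    return [f for f in flows if f.src == src and f.dst == dst]


def summarize(flows: List[Flow] = FLOWS) -> Dict[str, int]:
    """Counts that show both effects from the article on the sample data."""
    event = detect_port_scan(flows)
    assert event is not None, "sample data is built so the rule fires"
    correlated = correlate_proxy(flows, PROXY, PROXY_PORT)
    return {
        "triggering": len(event["triggering"]),
        "evidence": len(evidence_listing(flows, event)),
        "attached": len(attached_flows(event)),
        "client_to_external_uncorrelated": len(flows_between(flows, CLIENT, EXTERNAL)),
        "client_to_external_correlated": len(flows_between(correlated, CLIENT, EXTERNAL)),
    }


if __name__ == "__main__":
    for name, count in summarize().items():
        print(f"{name}: {count}")
```

On the sample data the rule matches 25 probe flows, the IP-filtered evidence lists 28 flows (the probes, the legitimate SSH traffic and the client's connection to the proxy), and the attached flows hold only the first 20 triggering flows. The uncorrelated data contains no flow from the client to the external server at all, while the correlated data contains exactly one, which is the kind of mismatch the article describes when proxy correlation is enabled on the ADS feed.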