Flow
The flow category includes events that are related to flow actions.
The following table describes the low-level event categories and associated severity levels for the flow category.
| Low-level event category | Category ID | Description | Severity level (0 - 10) |
|---|---|---|---|
| Unidirectional Flow | 14001 | Indicates a unidirectional flow of events. | 5 |
| Low number of Unidirectional Flows | 14002 | Indicates a low number of unidirectional flows of events. | 5 |
| Medium number of Unidirectional Flows | 14003 | Indicates a medium number of unidirectional flows of events. | 5 |
| High number of Unidirectional Flows | 14004 | Indicates a high number of unidirectional flows of events. | 5 |
| Unidirectional TCP Flow | 14005 | Indicates a unidirectional TCP flow. | 5 |
| Low number of Unidirectional TCP Flows | 14006 | Indicates a low number of unidirectional TCP flows. | 5 |
| Medium number of Unidirectional TCP Flows | 14007 | Indicates a medium number of unidirectional TCP flows. | 5 |
| High number of Unidirectional TCP Flows | 14008 | Indicates a high number of unidirectional TCP flows. | 5 |
| Unidirectional ICMP Flow | 14009 | Indicates a unidirectional ICMP flow. | 5 |
| Low number of Unidirectional ICMP Flows | 14010 | Indicates a low number of unidirectional ICMP flows. | 5 |
| Medium number of Unidirectional ICMP Flows | 14011 | Indicates a medium number of unidirectional ICMP flows. | 5 |
| High number if Unidirectional ICMP Flows | 14012 | Indicates a high number of unidirectional ICMP flows. | 5 |
| Suspicious ICMP Flow | 14013 | Indicates a suspicious ICMP flow. | 5 |
| Suspicious UDP Flow | 14014 | Indicates a suspicious UDP flow. | 5 |
| Suspicious TCP Flow | 14015 | Indicates a suspicious TCP flow. | 5 |
| Suspicious Flow | 14016 | Indicates a suspicious flow. | 5 |
| Empty Packet Flows | 14017 | Indicates empty packet flows. | 5 |
| Low number of Empty Packet Flows | 14018 | Indicates a low number of empty packet flows. | 5 |
| Medium number of Empty Packet Flows | 14019 | Indicates a medium number of empty packet flows. | 5 |
| High number of Empty Packet Flows | 14020 | Indicates a high number of empty packet flows. | 5 |
| Large Payload Flows | 14021 | Indicates a large payload of flows. | 5 |
| Low number of Large Payload Flows | 14022 | Indicates a low number of large payload flows. | 5 |
| Medium number of Large Payload Flows | 14023 | Indicates a medium number of large payload flows. | 5 |
| High number of Large Payload Flows | 14024 | Indicates a high number of large payload flows. | 5 |
| One Attacker to Many Target Flows | 14025 | Indicates that one attacker is targeting many flows. | 5 |
| Many Attacker to one Target Flow | 14026 | Indicates that many attackers are targeting one flow. | 5 |
| Unknown Flow | 14027 | Indicates an unknown flow. | 5 |
| Netflow Record | 14028 | Indicates a Netflow record. | 5 |
| QFlow Record | 14029 | Indicates a QFlow record. | 5 |
| SFlow Record | 14030 | Indicates an SFlow record. | 5 |
| Packeteer Record | 14031 | Indicates a Packeteer record. | 5 |
| Misc Flow | 14032 | Indicates a misc flow. | 5 |
| Large Data Transfer | 14033 | Indicates a large transfer of data. | 5 |
| Large Data Transfer Outbound | 14034 | Indicates a large transfer of outbound data. | 5 |
| VoIP Flows | 14035 | Indicates VoIP Flows. | 5 |