How to view original flows related to a given alert in Sycope?
To view the original flows related to a given alert, open the Alerts table tab and select the alert whose raw flows you want to see. Right-click the selected alert and choose Alert reason details, then Raw data. A new view opens with a filter identical to the one defined by the rule that raised the alert: in this case the NetFlow data stream, a query on server port 53, and a time range of five minutes. This lets you trace the source data that contributed to triggering the rule.
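The following Python snippet is an added illustration of what the Raw data view does, written for this page; it is not Sycope code and does not use Sycope's query language or API. It reconstructs a rule's filter (data stream, field conditions, time window ending at the alert timestamp) and applies it to a few constructed flow records. The field names (stream, ts, serverPort, clientIp, bytes) and the rule/alert structure are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (illustrative, not real Sycope data).
# Timestamps are ISO-8601 strings, as a flow table might store them.
SAMPLE_FLOWS = [
    {"stream": "netflow", "ts": "2024-03-01T10:00:10", "clientIp": "10.1.1.20",
     "serverIp": "10.1.1.2", "serverPort": 53, "bytes": 90},
    {"stream": "netflow", "ts": "2024-03-01T10:02:45", "clientIp": "10.1.1.21",
     "serverIp": "8.8.8.8", "serverPort": 53, "bytes": 4100},
    {"stream": "netflow", "ts": "2024-03-01T10:03:05", "clientIp": "10.1.1.22",
     "serverIp": "10.1.1.9", "serverPort": 443, "bytes": 15000},   # wrong port
    {"stream": "netflow", "ts": "2024-03-01T09:50:00", "clientIp": "10.1.1.23",
     "serverIp": "8.8.4.4", "serverPort": 53, "bytes": 80},        # before the window
    {"stream": "sflow", "ts": "2024-03-01T10:04:00", "clientIp": "10.1.1.24",
     "serverIp": "1.1.1.1", "serverPort": 53, "bytes": 70},        # other data stream
]

# Hypothetical rule and alert (assumed structure, not Sycope's schema):
# NetFlow stream, server port 53, five-minute window.
RULE = {
    "name": "DNS traffic to port 53",
    "stream": "netflow",
    "conditions": {"serverPort": 53},
    "window": timedelta(minutes=5),
}
ALERT = {"rule": RULE, "triggered_at": datetime(2024, 3, 1, 10, 5, 0)}


def raw_data_filter(alert):
    """Rebuild the filter a Raw data view applies: the rule's stream and field
    conditions plus the time range ending at the alert timestamp."""
    rule = alert["rule"]
    end = alert["triggered_at"]
    return {
        "stream": rule["stream"],
        "conditions": dict(rule["conditions"]),
        "start": end - rule["window"],
        "end": end,
    }


def matches(flow, flt):
    """True when a flow belongs to the stream, falls inside the window
    and satisfies every field condition of the filter."""
    ts = datetime.fromisoformat(flow["ts"])
    if flow["stream"] != flt["stream"]:
        return False
    if not (flt["start"] <= ts < flt["end"]):
        return False
    return all(flow.get(field) == value for field, value in flt["conditions"].items())


def raw_flows_for_alert(alert, flows):
    """Return the flows that contributed to the alert, i.e. those the rule's
    filter selected within the alert's time window."""
    flt = raw_data_filter(alert)
    return [f for f in flows if matches(f, flt)]


def bytes_per_client(alert, flows):
    """Aggregate the contributing flows by client so the largest source
    of the triggering traffic is visible at a glance."""
    totals = {}
    for f in raw_flows_for_alert(alert, flows):
        totals[f["clientIp"]] = totals.get(f["clientIp"], 0) + f["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for flow in raw_flows_for_alert(ALERT, SAMPLE_FLOWS):
        print(flow["ts"], flow["clientIp"], "->", flow["serverIp"], flow["bytes"], "bytes")
    print(bytes_per_client(ALERT, SAMPLE_FLOWS))
```

Of the five constructed records only the two NetFlow flows to server port 53 inside the 10:00 to 10:05 window survive the filter; the port-443 flow, the flow from before the window and the sFlow record are excluded, which is exactly the narrowing the Raw data view performs.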