# Flow-Based Ingestion

Astral supports **flow-based ingestion** to provide network-level visibility through the analysis of traffic flow data. This capability enables the collection of metadata generated by network devices such as routers, switches, bridges, access points, modems, hubs, and other infrastructure components that export flow information. Rather than inspecting payloads, flow-based ingestion focuses on communication patterns and traffic behavior across the network.

By ingesting flow records such as NetFlow and sFlow, Astral gains insight into how systems communicate, including source and destination endpoints, protocols, ports, volumes, and timing characteristics. This information allows the platform to identify abnormal traffic patterns, unauthorized communication paths, lateral movement, and other behaviors that may indicate malicious activity or policy violations.
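As an added illustration (not Astral's detection logic and not code from this documentation), the following Python sketch shows how the flow fields listed above can surface an unauthorized communication path and a fan-out pattern typical of lateral movement. The record layout, subnets, policy table, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records, as if already decoded from NetFlow/sFlow:
# (start_epoch_s, src_ip, dst_ip, protocol, dst_port, bytes)
FLOWS = [
    (1000, "10.0.1.15", "10.0.2.20", "tcp", 443, 18_432),
    (1005, "10.0.1.15", "203.0.113.9", "tcp", 443, 2_048),
    (1010, "10.0.3.7", "10.0.2.30", "tcp", 5432, 9_000),
    (1020, "10.0.3.7", "10.0.1.11", "tcp", 445, 600),
    (1022, "10.0.3.7", "10.0.1.12", "tcp", 445, 600),
    (1024, "10.0.3.7", "10.0.1.13", "tcp", 445, 600),
    (1026, "10.0.3.7", "10.0.1.14", "tcp", 445, 600),
    (1500, "10.0.1.15", "10.0.1.11", "tcp", 445, 700),
]

# Assumed policy: only the application subnet may reach the database port.
RESTRICTED_PATHS = [  # (dst_net, dst_port, allowed_src_net)
    (ip_network("10.0.2.0/24"), 5432, ip_network("10.0.1.0/24")),
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

def unauthorized_paths(flows):
    """Return flows reaching a restricted service from outside its allowed source net."""
    hits = []
    for flow in flows:
        _, src, dst, _, dport, _ = flow
        for dst_net, port, allowed_src in RESTRICTED_PATHS:
            if (ip_address(dst) in dst_net and dport == port
                    and ip_address(src) not in allowed_src):
                hits.append(flow)
    return hits

def internal_fanout(flows, window_s=60, min_peers=4):
    """Return {(src, dst_port): peers} where one source reached at least min_peers
    distinct internal hosts on the same port within window_s seconds."""
    by_key = defaultdict(list)
    for ts, src, dst, _, dport, _ in sorted(flows):
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window_s}
            if len(peers) >= min_peers:
                alerts[key] = sorted(peers)
                break
    return alerts
```

Neither check inspects payloads; both rely only on endpoints, ports, and timing, which is the metadata flow exporters provide.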

All flow data ingested by Astral is processed through the same analysis pipeline used for other network and log-based sources. Flow records are analyzed, interpreted, normalized, and correlated with events from logs, identity systems, endpoint activity, and external risk signals. This correlation enables network flow activity to be evaluated in context, improving detection accuracy and reducing false positives.

By incorporating flow-based network ingestion into Astral’s SIEM, network telemetry becomes an integral part of the broader security monitoring strategy. Flow-derived events can directly support identification and response activities through Inopli’s Response and RPA capabilities, ensuring that network-level visibility contributes effectively to detection, investigation, and coordinated incident response.

**Note:**\
Flow-based data ingestion can generate a very high volume of events. As a result, enabling NetFlow or sFlow ingestion may lead to **increased disk consumption on Astral Indexers**. Storage capacity and retention policies should be carefully planned to accommodate the expected flow data volume.

