Flow-Based Ingestion
Astral supports flow-based ingestion to provide network-level visibility through the analysis of traffic flow data. This capability enables the collection of metadata generated by network devices such as routers, switches, bridges, access points, modems, hubs, and other infrastructure components that export flow information. Rather than inspecting payloads, flow-based ingestion focuses on communication patterns and traffic behavior across the network.
By ingesting flow records such as NetFlow and sFlow, Astral gains insight into how systems communicate, including source and destination endpoints, protocols, ports, volumes, and timing characteristics. This information allows the platform to identify abnormal traffic patterns, unauthorized communication paths, lateral movement, and other behaviors that may indicate malicious activity or policy violations.
All flow data ingested by Astral is processed through the same analysis pipeline used for other network and log-based sources. Flow records are analyzed, interpreted, normalized, and correlated with events from logs, identity systems, endpoint activity, and external risk signals. This correlation enables network flow activity to be evaluated in context, improving detection accuracy and reducing false positives.
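The two paragraphs above describe what a flow record carries (endpoints, protocol, port, volume, timing) and what Astral does with it after normalization: checking for unauthorized communication paths and for lateral-movement patterns. The script below is an added illustration of that kind of analysis and is not Astral's or Inopli's code. It assumes a simple CSV-style export (the sample rows are constructed, not real telemetry), a hypothetical segmentation policy between two internal subnets, and a fan-out heuristic (one source reaching several internal hosts on administrative ports within a short window) as the lateral-movement signal; the subnets, ports and thresholds are placeholders chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One normalized flow record (the fields NetFlow/sFlow exports typically carry)."""
    start: datetime
    src: str
    dst: str
    proto: str
    dport: int
    octets: int
    packets: int


# Constructed sample export in a NetFlow-like CSV layout (not real telemetry).
SAMPLE_RECORDS = """\
start,src,dst,proto,dport,octets,packets
2024-05-01T10:00:01Z,10.0.1.20,10.0.2.7,tcp,443,18230,41
2024-05-01T10:00:05Z,10.0.3.5,10.0.2.7,tcp,22,9300,62
2024-05-01T10:00:09Z,10.0.1.30,203.0.113.5,tcp,443,52100,88
2024-05-01T10:01:00Z,10.0.1.15,10.0.2.7,tcp,445,4200,12
2024-05-01T10:01:20Z,10.0.1.15,10.0.2.8,tcp,445,4180,12
2024-05-01T10:01:41Z,10.0.1.15,10.0.2.9,tcp,445,4210,12
2024-05-01T10:02:03Z,10.0.1.15,10.0.2.10,tcp,445,4190,12
2024-05-01T10:02:27Z,10.0.1.15,10.0.2.11,tcp,445,4205,12
2024-05-01T10:03:00Z,10.0.1.40,10.0.2.7,tcp,3306,1500,9
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
# Hypothetical segmentation policy: (source subnet, destination subnet, allowed dst ports).
# Any internal-to-internal flow that matches no rule is reported as an unauthorized path.
POLICY = [
    (ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"), {443}),           # workstations -> servers
    (ip_network("10.0.3.0/24"), ip_network("10.0.2.0/24"), {22, 3389, 445}), # admin jump hosts -> servers
]
# Ports commonly used for remote administration; fan-out on these is the lateral-movement signal.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


def parse_flows(text):
    """Normalize CSV export rows into Flow objects (timestamps become aware UTC datetimes)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        flows.append(Flow(
            start=datetime.fromisoformat(row["start"].replace("Z", "+00:00")),
            src=row["src"], dst=row["dst"], proto=row["proto"].lower(),
            dport=int(row["dport"]), octets=int(row["octets"]), packets=int(row["packets"]),
        ))
    return flows


def unauthorized_paths(flows, policy=POLICY, internal=INTERNAL):
    """Return internal-to-internal flows that no policy rule permits."""
    violations = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in internal or dst not in internal:
            continue  # only segmentation between internal networks is checked here
        allowed = any(src in s and dst in d and f.dport in ports for s, d, ports in policy)
        if not allowed:
            violations.append(f)
    return violations


def lateral_movement(flows, window=timedelta(minutes=5), min_targets=5,
                     ports=ADMIN_PORTS, internal=INTERNAL):
    """Map each source to the distinct internal hosts it reached on admin ports,
    for sources that hit at least min_targets hosts inside any sliding window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in ports and ip_address(f.dst) in internal:
            by_src[f.src].append(f)
    suspects = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        left = 0
        for right in range(len(fl)):
            while fl[right].start - fl[left].start > window:
                left += 1  # slide the window forward past flows older than `window`
            targets = {f.dst for f in fl[left:right + 1]}
            if len(targets) >= min_targets:
                suspects[src] = suspects.get(src, set()) | targets
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RECORDS)
    for v in unauthorized_paths(flows):
        print(f"unauthorized path: {v.src} -> {v.dst}:{v.dport}/{v.proto} ({v.octets} bytes)")
    for src, targets in lateral_movement(flows).items():
        print(f"possible lateral movement: {src} reached {len(targets)} hosts on admin ports: {sorted(targets)}")
```

Against the sample rows, the policy check reports the five SMB flows from 10.0.1.15 plus the database connection from 10.0.1.40, and the fan-out heuristic singles out 10.0.1.15 for reaching five distinct servers on port 445 within two minutes. In a real pipeline the same hits would then be correlated with identity and endpoint events, as the paragraph above describes, before an analyst treats them as confirmed findings.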
By incorporating flow-based network ingestion into Astral’s SIEM, network telemetry becomes an integral part of the broader security monitoring strategy. Flow-derived events can directly support identification and response activities through Inopli’s Response and RPA capabilities, ensuring that network-level visibility contributes effectively to detection, investigation, and coordinated incident response.
Note: Flow-based data ingestion can generate a very high volume of events. As a result, enabling NetFlow or sFlow ingestion may lead to increased disk consumption on Astral Indexers. Storage capacity and retention policies should be carefully planned to accommodate the expected flow data volume.