Caveats
◦ Reporting is based on 1 minute bins that average the data where as alerts are on individual flow records. This means that even though a high value is detected and alerted on, the report may never see the same peak due to the average binning.
◦ It is recommended to use a “for at least” of at least 5 minutes to ensure bursty traffic does not cause alerts. By having a “for at least” of several minutes it ensures traffic is staying above the targeted threshold for a lengthy period of time which will be more visible in reporting.