topic Re: NVM Telemetry – Flow to Process Correlation in Security Analytics

NVM Telemetry – Flow to Process Correlation

jitendrac — Sun, 07 Sep 2025 06:35:01 GMT

Hello Community,

In a scenario where NVM telemetry is enabled from user endpoint, is it possible to directly correlate a network flow with the associated user endpoint process name and process ID from the SNA console (7.5.2)?

If not, is there any manual method or workaround to achieve this correlation between flow data and process details?

Appreciate any insights, best practices, or tools that could help with this mapping.

I really appreciate any help you can provide.

Re: NVM Telemetry – Flow to Process Correlation

David Salter — Mon, 08 Sep 2025 08:00:27 GMT

The advanced Subject / Peer Options includes the ability to filter for both Process Name and File Hash associated with the flow.

To get visibility in the Flow Table, use Manage Columns to add the required fields, for example:

Re: NVM Telemetry – Flow to Process Correlation

jitendrac — Tue, 16 Sep 2025 07:19:04 GMT

Hi David,
Great to see you here after such a long time!
Thanks for the detailed pointers. Thanks for sharing your expertise here.
Your pointers help, but my goal is to automate the step that will get process names for flows tied to an alarm. Manual filtering works but doesn’t scale.

Re: NVM Telemetry – Flow to Process Correlation

David Salter — Tue, 16 Sep 2025 10:14:30 GMT

Thanks! I'm still here, 19 years and counting.🙂
It is possible to automate the query via the Manager API. The documentation for the nvm-flows API call you need is the under https://developer.cisco.com/docs/stealthwatch/enterprise/reporting-api-version-1/.