TCP and UDP State Tracking in Security Analytics


Article ID: 168740


Products

Security Analytics Security Analytics - VA

Issue/Introduction

This document was created to assist in understanding how a flow is identified, indexed, and tracked. The method for TCP and UDP is the same, but the result differs because TCP is stateful and UDP is stateless.

Resolution

Security Analytics implements a full TCP state machine to identify and track network flows. A new network flow consists of a unique 5-tuple (IP protocol, source IP, destination IP, source port, destination port) bounded by either a time span or TCP session termination. Every TCP packet entering the system is then tracked and recorded under a unique computed hashkey for its flow within the TCP state table. Generally speaking, most TCP flows start with a graceful 3-way handshake to establish a connection. In some cases this does not happen because of the nature of the application (a probe utility such as Nmap, for example), and the first packet seen may simply be a PSH/ACK, RST, etc. If a 3-way handshake is seen for a unique 5-tuple not previously present in the flow table, SA generates a hashkey for this unique flow and tracks its state for the duration of the flow. For new TCP packets entering the system without a corresponding flow entry and without a 3-way handshake, the first packet in the new flow together with its 5-tuple is used to determine the initiator, the responder, and a unique flow hashkey. This behavior is very similar to Wireshark's Follow TCP Stream.

A flow is considered expired when the TCP session is either gracefully torn down by the two endpoints or reset (RST). In cases where the session simply remains open but no new packets are seen for the flow, a default 60-second idle timer expires the flow from the state machine. Should new packets arrive for that previous session after the 60-second timer has expired, they are treated as a new flow.

UDP works in similar fashion, except that UDP has no graceful setup or teardown of communication: packets simply arrive and stop. A UDP flow consists of a unique 5-tuple (IP protocol, source IP, destination IP, source port, destination port) bounded by a timeout. For new UDP packets entering the system without a corresponding flow entry, the first packet in the new flow together with its 5-tuple is used to determine the UDP initiator and responder, and a unique flow hashkey is created. Just like TCP, all UDP packets are checked against the existing flows in the system, and a new flow is created if none matches. Unlike the default 60-second timer for TCP, the UDP timeout is set to 5 seconds.
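As an added illustration (not Security Analytics' own code), the following Python sketch models the rules described above for both TCP and UDP: a direction-independent hashkey over the 5-tuple, initiator and responder fixed by the first packet whether or not a handshake is seen, teardown on RST or on FIN from both ends, and the 60-second and 5-second idle timers. The Flow and FlowTable names and the packet(...) interface are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the flow-table rules described above (not SA's code).
IDLE_TIMEOUT = {"tcp": 60.0, "udp": 5.0}   # seconds, per the article
@dataclass
class Flow:
    initiator: tuple          # (ip, port) of whichever side sent the first packet
    responder: tuple
    last_seen: float
    fins: set = field(default_factory=set)   # endpoints that have sent FIN

class FlowTable:
    def __init__(self):
        self.flows = {}       # hashkey -> Flow
        self.expired = 0      # flows removed by teardown, RST or idle timer

    @staticmethod
    def hashkey(proto, src, dst):
        # Direction-independent key: both halves of the 5-tuple hash to one flow.
        return (proto,) + tuple(sorted((src, dst)))

    def _expire(self, key):
        del self.flows[key]
        self.expired += 1

    def sweep(self, now):
        # The idle timer: drop flows with no packets for longer than their timeout.
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen > IDLE_TIMEOUT[key[0]]:
                self._expire(key)

    def packet(self, ts, proto, src, dst, flags=frozenset()):
        key = self.hashkey(proto, src, dst)
        flow = self.flows.get(key)
        if flow and ts - flow.last_seen > IDLE_TIMEOUT[proto]:
            self._expire(key)          # late packets start a new flow
            flow = None
        if flow is None:
            # First packet fixes initiator/responder, handshake or not
            # (a lone PSH/ACK or RST is enough to create an entry).
            flow = self.flows[key] = Flow(src, dst, ts)
        flow.last_seen = ts
        if proto == "tcp":
            if "FIN" in flags:
                flow.fins.add(src)
            # RST, or FIN from both ends, tears the flow down at once
            # (the final ACK of the four-way close is not modelled here).
            if "RST" in flags or len(flow.fins) == 2:
                self._expire(key)
        return key
```

Feeding the table a SYN, a late PSH/ACK, an RST, a FIN pair and an idle UDP exchange reproduces the expiry behaviour the article describes for each case.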