"filter": {"$and": [{"Category" : "Anomaly.Traffic"}]}
Name Anomaly traffic Count >= 25739 

!!! 'Anomaly.Traffic:Fraud.UnauthorizedUsage:Test_+++_Relay_+++_*__+++_SMTP_anomaly': 413,
FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Category" : "Fraud.UnauthorizedUsage"}]}
LABEL_CZ: Anomální provoz SMTP serveru 
LABEL_EN: SMTP traffic anomaly
SEVERITY: 2
URL: https://csirt.cesnet.cz/cs/services

!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_CONTINUING_traffic_anomaly': 38,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_DETECTED_traffic_anomaly': 9,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_CONTINUING_traffic_anomaly': 212,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_DETECTED_traffic_anomaly': 68,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_CONTINUING_traffic_anomaly': 17110,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_DETECTED_traffic_anomaly': 18201,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 312,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 6,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_from_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 5921,
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_from_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 216,
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_incoming_attacks_-_CONTINUING_traffic_anomaly': 465,
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_incoming_attacks_-_DETECTED_traffic_anomaly': 144,
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_outgoing_attacks_-_CONTINUING_traffic_anomaly': 489,
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_outgoing_attacks_-_DETECTED_traffic_anomaly': 154,
!!! "Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_x_(source_IP)_-_found_1_08359806027173_flows_(limit_'Flow-Cnt>=5000_or_Flow-Cnt>=1_and_Pkts-estimated>=300000')_within_period_of_5_seconds_Next_message_not_before_16_02_25_x_CET_+0100_in_case_of_continuous_anomaly_Notes_-_detector_uses_extrapolated_values_(bytes,_packets)_in_case_of_sampled_flows;_detector_fragments_long_(duration)_flows_into_5s_intervals_for_evaluation_purposes_": 1,

FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Source.Type": {"$eq": "Incomplete"}}]}
LABEL_CZ: Anomální provoz - nekompletní spojení 
LABEL_EN: Anomaly traffic - incomplete connections
SEVERITY: 1
URL: https://csirt.cesnet.cz/cs/services

NEVIM SI RADY!!! Ale klidne by to tak mohlo byt...:
!!! 'Anomaly.Traffic_+++_External:Policy_+++_*__+++_Unexpected_heavy_traffic': 269,
!!! 'Anomaly.Traffic_+++_External_+++_OriginSandbox_+++_Sandbox_URL': 3,
!!! 'Anomaly.Traffic:Test_+++_*__+++_*__+++_METACentre_-_possible_outgoing_attacks_-_CONTINUING_traffic_anomaly': 174,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_CONTINUING_traffic_anomaly': 3,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_CONTINUING_traffic_anomaly': 4,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_CONTINUING_traffic_anomaly': 41,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 4,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 3,
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_from_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 18,
FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Source.Type": {"$ne": "Incomplete"}}]}
LABEL_CZ: Anomální provoz
LABEL_EN: Anomaly traffic
SEVERITY: 1
URL: https://csirt.cesnet.cz/cs/services

Pod Anomaly.Connection je jedina udalost, proto by teoreticky stacil filtr s {"Category" : "Anomaly.Connection"} (testovaci dotazy to potvrdily):
!!! 'Anomaly.Connection_+++_Blacklist:Connection_+++_*__+++_Connection_to_blacklisted_host(s)': 514,
FILTER: {"Category" : "Anomaly.Connection"}, {"Node.Type" : "Connection"}, {"Node.Type" : "Blacklist"} 
LABEL_CZ: Anomomální provoz - komunikace s hostem na blacklistu
LABEL_EN: Host communicated with blacklisted host
SEVERITY: 2
URL: https://csirt.cesnet.cz/cs/services