The Xmas Tree Violation in Flow Analytics is actually looking for a packet known as Christmas Tree Packet. The Christmas Tree Packet is set for any protocol that is being used and it is commonly known as “Kamikaze” packets, lamp test segment or nastygrams.
When a Christmas Tree Packet is sent for scanning purposes the TCP flags are set as FIN, URG and PSH. Some firewall security policies only check packets with the SYN flags set and since SYN flags are not used in a Christmas Tree Packet, the firewall will not detect it and the packet will slide right through without any detection and reach its targeted host. Christmas Tree packet can be used for Dos attacks as well because the packets require more processing time from router and host than a regular packet.
Xmas Tree Violation in Flow Analytics helps prevent Dos attacks, network scanning and other reconnaissance on your network. When you receive Xmas Tree Violations I would look into it because it likely that some sort of reconnaissance activity is on your network.