
Finding threats with host index

dylan

Imagine someone walks up to your desk and asks a very simple question: has this IP address been seen on our network? This can be a surprisingly difficult question to answer, especially with any confidence. Plixer Scrutinizer allows you to give a definitive answer to whoever is asking.

Host index

Scrutinizer’s host indexing allows an administrator or engineer to quickly find out whether an IP address has been seen on their network. This is an enormously powerful tool for forensic investigations and for proactive lookups of suspicious activity. Security companies occasionally publish the IP addresses of malware servers without any accompanying signatures, which means you could have bad traffic on your network that endpoint anti-virus cannot identify or alert you to. This is where the ability to search for a single IP address, or a whole list of them, comes into play: host index records a few helpful elements that let you determine what type of conversations occurred.

Elements provided by a host index search:

  • Host (IP address)
  • Direction of conversation
  • First seen/last seen
  • Data source (exporter it was seen on)
  • Bytes in/bytes out
  • Packets in/packets out
  • Flows in/flows out

Plixer Scrutinizer host index search

Host index search also allows for a lookup of multiple hosts at once, which can be separated by commas or new lines. This makes it easy to search through lists provided in CSV format or lists in text files.

Host-to-host indexing

Host-to-host indexing helps you see if two hosts have had a conversation on your network. This is useful for determining if any hosts of interest have communicated with a single host or list of hosts that you need to check against. The direction and size of the conversations will also be included to provide some context.

Plixer Scrutinizer host-to-host index search
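To make the two searches above concrete, here is an added, self-contained illustration (not Scrutinizer's code and not its data): a toy host index built from a handful of constructed flow records that answers "has this IP been seen?" with the same elements listed earlier (direction, first/last seen, exporter, bytes, packets, flows), accepts a comma- or newline-separated indicator list the way the search box does, and answers the host-to-host question for a pair of addresses. The exporter names and flow records are made up; the retention trim at the end mirrors the "days of retention" behaviour described in the settings section.

```python
"""Host-index style lookups over constructed flow records.

Added illustration only: the records below are made up and the index is a
toy, not Scrutinizer's implementation. It answers the two questions from the
post ("has this IP been seen?" and "did these two hosts talk?") with the same
elements the host index reports, plus a retention trim.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample flows: (timestamp, exporter, src, dst, bytes, packets).
SAMPLE_FLOWS = [
    ("2024-03-01T08:00:00", "core-rtr-1", "10.1.1.5",    "203.0.113.9",  1200, 10),
    ("2024-03-01T08:05:00", "core-rtr-1", "203.0.113.9", "10.1.1.5",    48000, 60),
    ("2024-03-02T09:10:00", "edge-fw-2",  "10.1.1.7",    "198.51.100.4",  300,  3),
    ("2024-03-05T10:00:00", "core-rtr-1", "10.1.1.5",    "10.1.1.7",     5000, 20),
]

@dataclass
class HostStats:
    """The elements a host index search returns for one IP address."""
    first_seen: datetime
    last_seen: datetime
    exporters: set = field(default_factory=set)   # data sources it was seen on
    bytes_in: int = 0
    bytes_out: int = 0
    packets_in: int = 0
    packets_out: int = 0
    flows_in: int = 0
    flows_out: int = 0

def parse_host_list(text):
    """Accept comma- and/or newline-separated IPs (as the search box does):
    strip blanks, reject anything that is not an IP, dedupe keeping order."""
    out = []
    for tok in re.split(r"[,\n]", text):
        tok = tok.strip()
        if not tok:
            continue
        ip = str(ipaddress.ip_address(tok))  # raises ValueError on junk tokens
        if ip not in out:
            out.append(ip)
    return out

class HostIndex:
    def __init__(self):
        self.hosts = {}   # ip -> HostStats
        self.pairs = {}   # (src, dst) -> {"bytes": n, "flows": n}  (host-to-host)

    def add_flow(self, ts, exporter, src, dst, nbytes, npackets):
        t = datetime.fromisoformat(ts)
        # Source sees the flow as "out", destination sees it as "in".
        for host, inbound in ((src, False), (dst, True)):
            st = self.hosts.setdefault(host, HostStats(t, t))
            st.first_seen = min(st.first_seen, t)
            st.last_seen = max(st.last_seen, t)
            st.exporters.add(exporter)
            if inbound:
                st.bytes_in += nbytes; st.packets_in += npackets; st.flows_in += 1
            else:
                st.bytes_out += nbytes; st.packets_out += npackets; st.flows_out += 1
        p = self.pairs.setdefault((src, dst), {"bytes": 0, "flows": 0})
        p["bytes"] += nbytes
        p["flows"] += 1

    def search(self, host_list_text):
        """Host index search: which of the listed IPs were seen, and how (None = never seen)."""
        return {ip: self.hosts.get(ip) for ip in parse_host_list(host_list_text)}

    def conversation(self, a, b):
        """Host-to-host search: traffic in each direction, or None if the pair never talked."""
        ab, ba = self.pairs.get((a, b)), self.pairs.get((b, a))
        if ab is None and ba is None:
            return None
        return {f"{a}->{b}": ab or {"bytes": 0, "flows": 0},
                f"{b}->{a}": ba or {"bytes": 0, "flows": 0}}

    def trim(self, retention_days, now):
        """Drop hosts (and their pairs) not seen within the retention window."""
        cutoff = now - timedelta(days=retention_days)
        stale = [ip for ip, st in self.hosts.items() if st.last_seen < cutoff]
        for ip in stale:
            del self.hosts[ip]
        self.pairs = {k: v for k, v in self.pairs.items()
                      if k[0] in self.hosts and k[1] in self.hosts}
        return stale

def build_index(flows=SAMPLE_FLOWS):
    idx = HostIndex()
    for rec in flows:
        idx.add_flow(*rec)
    return idx

if __name__ == "__main__":
    idx = build_index()
    # An indicator list as pasted from a vendor feed: mixed commas and newlines.
    for ip, st in idx.search("203.0.113.9, 192.0.2.77\n198.51.100.4").items():
        print(ip, "not seen" if st is None else
              f"first={st.first_seen:%Y-%m-%d %H:%M} last={st.last_seen:%Y-%m-%d %H:%M} "
              f"exporters={sorted(st.exporters)} bytes in/out={st.bytes_in}/{st.bytes_out}")
    print(idx.conversation("10.1.1.5", "10.1.1.7"))
```

Two details worth noting when you do this against real data: a "never seen" answer is only as good as the exporters feeding the index (a host behind an exporter that does not send flows is invisible), and an entry that has been trimmed by retention is indistinguishable from one that was never there, so record the retention window alongside any negative finding.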

Host indexing settings

You can find the settings for host indexing under the Admin > Settings > Host Indexing page, which look like this by default:

Plixer Scrutinizer host indexing settings

The “Days of host index data retention” setting is the time to live for host index data: entries older than this many days are trimmed from the database.

The host index database and host-to-host database fields indicate where each data set lives on disk. If the host-to-host database path is left blank, that service is disabled and only host indexing runs. Changing these values requires a service restart to take effect, and blanking the host-to-host path also deletes any existing host-to-host index data.

The host indexing checkbox enables or disables the service from running and keeping data.

The “Host Index Max Disk Space” value sets the on-disk size threshold for trimming. Once the database reaches this size, host indexing stops writing new information and instead begins trimming and cleaning up the existing data, so a host first seen while that cleanup is running will not show up in a search.

Both host index and host-to-host index searches can also be run via API calls, which is useful for automating these lookups. It is also possible to backfill the host index from your existing 1-minute tables if you decide to turn on this feature after Plixer Scrutinizer has already been running in your environment.

Reach out to our sales team for the latest version of Scrutinizer to find hosts communicating in your network.