Blog :: Security Operations

How to streamline your network monitoring workflows with API integrations

jake

In this industry, I’ve seen a common trend of buying best-in-breed solutions that are built for one or a few things instead of jack-of-all-trades solutions. While I believe this is generally a good idea, it often leaves end users with the task of learning multiple interfaces, and using only a fraction of each product they purchased. As a sales engineer at Plixer, part of my role is working with customers to streamline their workflows using not just our solution but the others they have purchased as well. This blog will go over a few types of integrations we have and will hopefully spark something you can use on your network.

Integrations with IPAM solutions

IPAM (IP Address Management) systems are an easy and powerful integration that clears up confusion about which business group a particular IP belongs to. Importing the IPAM's DHCP scope and subnet definitions lets you logically group IPs on your network, and those groups can then be used in alarms or as filters on reports. Some common IPAMs we tie into are listed below, but any IPAM with an API or an export option should be easy to tie into. Two practical points: IPAM data goes stale, so schedule the import rather than running it once, and when subnets overlap (a /24 carved out of a /16, say) the most specific prefix should win when an IP is assigned to a group.

  • Infoblox
  • phpIPAM
  • SolarWinds IPAM
  • Bluecat
Scrutinizer: IP groups
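As an added example (not Plixer's or Scrutinizer's code), the following script shows the grouping step end to end: a subnet export flattened to (prefix, group) pairs is turned into an ordered lookup table, IPs are resolved to a business group by longest-prefix match so that overlapping subnets behave correctly, and the groups are then used the two ways the text describes, as a grouped roll-up and as a report filter. The export and the flow records are constructed for illustration and the IPv4/IPv6 handling generalizes beyond what the text shows.

```python
"""Group flow endpoints by business unit using subnet definitions
exported from an IPAM.

Added example: this is not Plixer's or Scrutinizer's code. It assumes the
IPAM export has already been flattened to (cidr, group) pairs; the export
and the flow records below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample: what a subnet export from an IPAM might look like
# after flattening to (prefix, business group). Note the overlapping
# 10.0.0.0/8 -> 10.20.0.0/16 -> 10.20.5.0/24 chain.
IPAM_EXPORT = [
    ("10.0.0.0/8", "Corporate"),
    ("10.20.0.0/16", "Finance"),
    ("10.20.5.0/24", "Finance-PCI"),
    ("192.168.100.0/24", "Guest-WiFi"),
    ("2001:db8:1::/48", "Datacenter-v6"),
]


def build_groups(export):
    """Parse the export into network objects, most specific prefix first.

    Sorting by prefix length (descending) lets the lookup stop at the
    first match, which is the longest-prefix match for overlapping subnets.
    """
    nets = []
    for cidr, group in export:
        # strict=False tolerates exports that list a host address with its mask
        nets.append((ipaddress.ip_network(cidr, strict=False), group))
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return nets


def lookup_group(nets, ip, default="Unknown"):
    """Return the business group for an IP; the longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    for net, group in nets:
        # 'in' is always False across IP versions, but be explicit about it
        if addr.version == net.version and addr in net:
            return group
    return default


# Constructed flow metadata: (src, dst, bytes)
FLOWS = [
    ("10.20.5.17", "10.0.3.4", 48_000),
    ("10.20.9.8", "192.168.100.77", 1_200),
    ("10.20.5.17", "203.0.113.9", 9_500_000),
    ("2001:db8:1::10", "2001:db8:1::20", 7_000),
]


def bytes_by_group(nets, flows):
    """Roll up bytes by the source's business group, like a grouped report."""
    totals = Counter()
    for src, _dst, nbytes in flows:
        totals[lookup_group(nets, src)] += nbytes
    return dict(totals)


def flows_matching_group(nets, flows, group):
    """Keep flows where either endpoint belongs to the group (report filter)."""
    return [f for f in flows
            if lookup_group(nets, f[0]) == group or lookup_group(nets, f[1]) == group]


if __name__ == "__main__":
    groups = build_groups(IPAM_EXPORT)
    print(lookup_group(groups, "10.20.5.17"))   # Finance-PCI, not Finance or Corporate
    print(bytes_by_group(groups, FLOWS))
    for f in flows_matching_group(groups, FLOWS, "Finance-PCI"):
        print(f)
```

The sort-then-scan lookup is fine for a few thousand prefixes; for very large IPAM exports a radix tree (for example the `pytricia` package) gives the same longest-prefix semantics in constant time per lookup.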

PCAP/packet brokers

I’ve lumped these two together for the sake of brevity, but we have seen great success with NOC and SOC teams who have invested in a PCAP solution like Endace, which stores full packets for forensic investigations. Using Scrutinizer, you can sift through the flow metadata to find the problem host and timeframe, then pivot to the full packet capture for payload analysis. For that pivot to land on the right packets, the flow exporters and the capture appliance need synchronized clocks (NTP), and it is worth padding the time window by a few seconds on each side, since a flow record's start and end times come from the exporter, not from the capture appliance.

Packet brokers like Ixia and Gigamon can generate metadata from the taps and SPAN sessions you already have in place. This gives you additional metadata elements such as latency, URLs, and SSL/TLS and DNS details that routing and switching vendors often won’t (easily) export, and you get to leverage an existing investment. Keep in mind that this metadata only covers the segments the taps and SPANs actually see.

Scrutinizer: additional metadata elements

SIEM/syslog API integrations

Often part of my role is educating different teams on how they can leverage metadata and existing investments for faster issue resolution. Historically, SOC teams relied on log data (and PCAP, if it was available), so most didn’t realize how much easier metadata is to sift through and trend on. An easy way to expose this data to those teams is to run behavioral algorithms against the flow data to look for suspicious network events and forward those events to a SIEM such as Splunk, ArcSight, QRadar, or LogRhythm. This lets them continue with their standard workflow while adding further context and event correlation. Forward the alarm events rather than the raw flow records, since flow volume can quickly exhaust SIEM ingest licensing, and prefer syslog over TCP or TLS to UDP so events are not silently dropped on the way.
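The following is an added example, not Plixer's or Scrutinizer's code, that ties the two previous sections together: a simple behavioral check over flow metadata (one source fanning out to an unusual number of destinations), the time window and BPF filter an analyst would hand to a PCAP appliance for the pivot, and the same finding formatted as an ArcSight CEF event inside an RFC 5424 syslog frame for the SIEM. The flow records, the detection threshold, the vendor/product strings and the signature ID are all constructed for illustration; the CEF escaping rules (pipes in the header, equals signs and newlines in the extension, backslashes in both) are the standard ones.

```python
"""Turn a behavioral finding on flow metadata into a PCAP pivot and a SIEM event.

Added example, not Plixer's or Scrutinizer's code. It assumes flow
metadata is available as records with a first-seen timestamp; the
detection (destination fan-out from one source), the flow records, and
the CEF vendor/product/signature values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed flow metadata: (first_seen_utc, src, dst, dst_port, bytes)
T0 = datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)
FLOWS = [(T0 + timedelta(seconds=i * 2), "10.20.5.17",
          f"10.0.{i // 250}.{i % 250 + 1}", 445, 120) for i in range(60)]
FLOWS += [(T0 + timedelta(minutes=1), "10.20.9.8", "10.0.3.4", 443, 5_000),
          (T0 + timedelta(minutes=2), "10.20.9.8", "10.0.3.5", 443, 5_000)]


def fan_out_findings(flows, threshold=50):
    """Flag sources that talk to more distinct destinations than `threshold`.

    Returns one finding per source with the time window and port list the
    SOC analyst needs to pivot into packet capture.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "first": None, "last": None})
    for ts, src, dst, port, _b in flows:
        s = per_src[src]
        s["dsts"].add(dst)
        s["ports"].add(port)
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return [{"src": src, "distinct_dsts": len(s["dsts"]), "ports": sorted(s["ports"]),
             "first": s["first"], "last": s["last"]}
            for src, s in per_src.items() if len(s["dsts"]) > threshold]


def pcap_pivot(finding, slack=timedelta(seconds=30)):
    """Build the time window and BPF filter to hand to a PCAP appliance.

    Flow timestamps come from the exporter's clock, so the window is padded:
    if exporter and capture appliance drift apart, the payload may sit just
    outside the flow record's own interval.
    """
    ports = " or ".join(f"port {p}" for p in finding["ports"])
    return {"start": (finding["first"] - slack).isoformat(),
            "end": (finding["last"] + slack).isoformat(),
            "bpf": f"host {finding['src']} and ({ports})"}


def cef_escape_header(v):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(v):
    """CEF extension values: escape backslash, '=', and fold newlines."""
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def to_cef(finding, vendor="Example", product="FlowAnalyzer", version="1.0"):
    """Format a finding as a CEF:0 line (vendor/product/signature are constructed)."""
    ext = {
        "src": finding["src"],
        "cnt": finding["distinct_dsts"],
        "start": int(finding["first"].timestamp() * 1000),   # CEF times are epoch ms
        "end": int(finding["last"].timestamp() * 1000),
        "msg": f"fan-out to {finding['distinct_dsts']} hosts on ports {finding['ports']}",
    }
    header = "|".join(cef_escape_header(x) for x in
                      (vendor, product, version, "1001", "Lateral movement fan-out", 7))
    extension = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def syslog_frame(cef_line, hostname="flowcollector", facility=13, severity=4):
    """Wrap the CEF line in an RFC 5424 header (facility 13 = log audit, 4 = warning)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).isoformat()
    return f"<{pri}>1 {ts} {hostname} flowanalyzer - - - {cef_line}"


if __name__ == "__main__":
    for f in fan_out_findings(FLOWS):
        print(pcap_pivot(f))
        print(syslog_frame(to_cef(f)))
```

The threshold here is a fixed number; in practice it would be derived from a baseline per host or per group, which is what "behavioral" means in the text. When shipping the frame, send it over TCP or TLS (for example with `logging.handlers.SysLogHandler` using `socket.SOCK_STREAM`) rather than UDP so that a burst of alarms is not silently dropped.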

Other API integrations

Is there another tool that you would like to see integrated with our products? Let us know—with the power of REST APIs, almost anything is possible. Reach out to the Plixer team if there is anything we can help with or if you want to learn more about how we can hook into other solutions!