After reflecting on the last month here in tech support, I’ve noticed that some of our customers are not using the NetFlow threats overview gadget in our product. Conveniently located under the MyView tab, this table comes ready to alarm on 37 different thresholds right out of the box. To me this is exciting stuff, but at first glance it can seem like an overwhelming list. I assure you that, once properly configured, it can be one of the best tools in your arsenal.

Figure: Threats Overview

The MyView tab is the NetFlow dashboard and an integral part of Scrutinizer that I get positive feedback about every single day. In this series of blogs we will cover all aspects of the threats overview, including settings, customization, detailed explanations of each threat, and even how they can be avoided in the future.

Configuration

One of the best parts of our NetFlow threats overview is that it comes pre-loaded and ready to report on a bunch of thresholds. We can enable it by jumping into the “flow analytics configuration” under the MyView tab. Expand the “flow analytics overall status” row and uncheck “Disable All”. We understand that some of these may not apply to you specifically, so you won’t need to monitor them moment to moment. But instead of discarding the entire table from MyView and risking having it not report when it may be important, you can simply shrink the table by shortening its length in the lower right hand corner. Click and drag to show only the top 10 threats; this cuts the size down by over 75% while still letting you navigate the rest with the scroll bar.

The tool bar at the top of the monitor often goes unnoticed by even advanced users. While small and relatively hidden, this area allows you to manually refresh the table and even set custom intervals for the refresh rate. This is particularly handy if you are doing testing or waiting for a specific NetFlow alarm to be triggered.

Reporting

Now that we can be sure you know how to utilize the window itself, let’s take a moment and review a couple of the more common alarms I get asked about.

Internet Threats– This alarm fires when a system on your network has communicated with a confirmed malicious host. This type of alarm requires extra attention to determine “what” and “where” the threat is. Simply click the “internet threats” title to bring up a detailed view of the alarm, where you will see the offender column. The default threshold is 1, which is also the minimum that can be set.

Unfinished Flows Violation– This alarm helps identify hosts with a high percentage of unfinished flows, which indicates scanning, malware, or poorly configured applications on the host. The default threshold is 100, and a minimum threshold can also be configured. Visit Admin -> Settings -> Flow Analytics to set the threshold to your liking.
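To make the idea behind this alarm concrete, here is an added example (not Scrutinizer's own code) that runs the same kind of check over constructed NetFlow records: it treats a TCP flow as unfinished when it carries a SYN but never a FIN or RST (an assumed definition), computes the unfinished percentage per source host, and only reports hosts that also meet a minimum flow count, which is the role the configurable minimum threshold plays. The sample records, thresholds and host addresses are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the NetFlow v5/v9 tcpFlags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    tcp_flags: int  # cumulative OR of all flags seen during the flow


def is_unfinished(flow):
    """Assumed rule for this example: a flow that was opened (SYN) but never
    closed by either side (no FIN and no RST) counts as unfinished."""
    return bool(flow.tcp_flags & SYN) and not (flow.tcp_flags & (FIN | RST))


def unfinished_flow_report(flows, min_flows=20, pct_threshold=80.0):
    """Return {src_host: (total, unfinished, pct)} for hosts whose unfinished
    percentage is at or above pct_threshold. Hosts with fewer than min_flows
    flows are skipped so a handful of half-open connections cannot alarm."""
    totals = defaultdict(int)
    unfinished = defaultdict(int)
    for f in flows:
        totals[f.src] += 1
        if is_unfinished(f):
            unfinished[f.src] += 1
    offenders = {}
    for host, total in totals.items():
        if total < min_flows:
            continue
        pct = 100.0 * unfinished[host] / total
        if pct >= pct_threshold:
            offenders[host] = (total, unfinished[host], round(pct, 1))
    return offenders


# Constructed sample data (documentation address ranges, not real hosts):
SAMPLE_FLOWS = (
    # 10.0.0.5 opens 25 connections to 25 hosts and never completes one.
    [Flow("10.0.0.5", "10.0.1.%d" % i, 445, SYN) for i in range(25)]
    # 10.0.0.9 is a normal client: 30 completed flows, 3 still open.
    + [Flow("10.0.0.9", "198.51.100.10", 443, SYN | ACK | FIN) for _ in range(30)]
    + [Flow("10.0.0.9", "198.51.100.10", 443, SYN | ACK) for _ in range(3)]
    # 10.0.0.7 has only 5 flows, too few to judge under min_flows=20.
    + [Flow("10.0.0.7", "10.0.1.1", 22, SYN) for _ in range(5)]
)

if __name__ == "__main__":
    for host, (total, bad, pct) in unfinished_flow_report(SAMPLE_FLOWS).items():
        print(f"{host}: {bad}/{total} unfinished ({pct}%)")
```

Lowering min_flows to 5 makes 10.0.0.7 appear as well, which is exactly the trade-off the minimum threshold setting lets you tune: fewer false negatives at the cost of noisier alarms.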

Low Disk Space– Indicates that the hard drive storing the Scrutinizer database is running low on space. Although seemingly obvious, I have seen instances where a user got this alarm, verified their disk had plenty of free space, and still couldn’t understand what was going on. It is important to note that your setup may use two hard drives to enable greater storage; this particular alarm refers to the “second” hard drive, the one holding the MySQL database. If your database hard drive is in fact full, you will need to change one or more settings in Admin -> Settings -> Data History. You can test these numbers without making actual changes using our consumption calculator.

Well folks, it seems like this is all the time we have for today. Check back for my future blogs where we will discuss how to interpret the rest of the threats overview alarms. If you have any questions about the threats overview, please leave a comment below and I will answer them as quickly as possible.

 


Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.
