Data collection matrix
The following tables show the different collection methods and data types used by Plixer Endpoint Analytics to configure your devices and/or firewalls.
Collection methods

The Function column is split into Discovery (what the method finds) and Profiling (what it tells you about an endpoint already found). Dots indicate how important the method is for that function; see the classification legend below the table.

| Collection Method | Function: Discovery | Function: Profiling | Notes |
|---|---|---|---|
| SNMP Polling | MAC-identity •••, IP-identity ••, Location ••• | Identifying Attributes •• | CDP and/or LLDP data can be collected via SNMP polling for endpoint types that announce themselves using these protocols. |
| SNMP Traps | MAC-identity ••, Location ••, Real-Time •• | | Allows real-time discovery of MAC identity and location from MAC-change-notification traps. |
| SPAN DHCP | MAC-identity ••, IP-identity ••, Real-Time • | Identifying Attributes ••, Operating System •• | Provides real-time discovery of MAC identities and rich information, including hostnames and OS details. If implemented via SPAN, it also provides IP identities. |
| SPAN Other | MAC-identity •, IP-identity • | Identifying Attributes •••/••, Behavioral Attributes ••, Operating System •• | Provides valuable information about identifying and behavioral attributes, e.g. TCP open ports, traffic flows of interest, and TCP fingerprints. Caveat: deploying this comprehensively can be unrealistic in many environments because of its resource intensity (analyzing massive traffic flows) and the availability of network monitoring tools (SPANs, taps). |
| IP Helper | MAC-identity ••, Real-Time • | Identifying Attributes ••, Operating System •• | |
| Active Directory Queries | | Identifying Attributes ••, Operating System •• | Provides valuable information about endpoint domain membership status and, for domain members, additional attributes such as AD domain, directory branch, and OS and service pack version. |
| RADIUS Accounting | MAC-identity ••, IP-identity ••, Location ••, Real-Time •• | Behavioral Attributes •• | Provides a superior real-time method for discovering MAC identities and locations. Provides IP identities when supported/enabled (e.g., Cisco's IP tracking feature). Caveat: it is only available on network segments where network authentication (MAB and/or 802.1X) is deployed. |
| NetFlow, J-Flow, sFlow | | Identifying Attributes •, Behavioral Attributes • | Provides a scalable way to derive identity and behavior from network traffic (at layers 3 and 4) by collecting data on TCP open ports and flows of interest. Caveat: profile rules differ for ports detected via NetFlow versus SPAN; currently there are limitations in profiling based on NetFlow data. |
| DNS Transfers | | Identifying Attributes • | Can be a useful source of hostnames, but data quality issues in many environments limit its effectiveness. |

Classification:

- Required: •••
- Recommended: ••
- Supplemental: •
Data types
The SPAN column in the following table indicates whether the data type is collected through receiving SPAN traffic.
| SPAN | Data Type | Functionality | Configuration |
|---|---|---|---|
| No | Active Directory | Profile data (computer info, OS, SP, etc.) | Active Directory collection (EA) |
| No | DHCP Request Data | Profile data (vendor, hostname, request options, options), informative (FQDN), logistics (location), initial discovery | IP helper (external), subnet groups (EA) |
| No | DNS Names | Informative (IP to DNS mapping) | Zone transfers, DNS zones (EA) |
| No | CDP/LLDP | Initial discovery, logistics (trunk ports, port status, authentication status, location), profile data | SNMP collection (EA) |
| No | IP - ARP Cache | MAC to IP binding | SNMP collection (EA) |
| No | IP - RADIUS | MAC to IP binding, logistics (location) | RADIUS accounting forwarding (external) |
| No | MAC - SNMP Traps | Initial discovery | SNMP trap forwarding (external) |
| No | MAC - ARP Cache/SNMP General | Initial discovery, profile data, logistics (location) | SNMP collection (EA) |
| No | Location - Other | Logistics (location) | Internal algorithm, UI |
| No | RADIUS Usernames | Informative (RADIUS usernames to MAC) | RADIUS accounting forwarding (external) |
| No | SNMP Description | Profile data | SNMP collection (EA) |
| No | Traffic - NetRelay | Profile data | Flow forwarding (external) |
| Yes | DICOM/Healthcare | Profile data | SPAN (external) |
| Yes | IP - ARP Transaction | MAC to IP binding | SPAN (external) |
| Yes | IP - DHCP Response | MAC to IP binding | SPAN (external) |
| Yes | MAC - Traffic | Initial discovery, profile data | SPAN (external) |
| Yes | Stack Info | Profile data (TTL, window size, TCP options) | SPAN (external) |
| Yes | Network Traffic | Profile data (ports), informative (connections) | SPAN (external) |
| Yes | URL | Profile data | SPAN (external) |
| Yes | Web User Agent | Profile data | SPAN (external) |

Note: NetWatch will still observe local traffic without SPAN.