Data collection matrix
Refer to the following matrix of the data types used by Plixer Endpoint Analytics when configuring your network devices and/or firewalls. Each collection method is rated by what it contributes to endpoint discovery and to endpoint profiling (see the classification key below the table).
| Collection Method | Discovery | Profiling | Notes |
|---|---|---|---|
| SNMP Polling | MAC-identity •••<br>IP-identity ••<br>Location ••• | Identifying Attributes •• | CDP and/or LLDP data can be collected via SNMP polling for endpoint types that announce themselves using these protocols. |
| SNMP Traps | MAC-identity ••<br>Location ••<br>Real-Time •• | | MAC-change-notification traps allow real-time discovery of MAC identities and their locations. |
| SPAN DHCP | MAC-identity ••<br>IP-identity ••<br>Real-Time • | Identifying Attributes ••<br>Operating System •• | Provides real-time discovery of MAC identities and rich information, including hostnames and OS details. If implemented via SPAN, it also provides IP identities. |
| SPAN Other | MAC-identity •<br>IP-identity • | Identifying Attributes •••/••<br>Behavioral Attributes ••<br>Operating System •• | Provides valuable information about identifying and behavioral attributes, e.g. TCP open ports, traffic flows of interest, and TCP fingerprints.<br>Caveat: Deploying this comprehensively can be unrealistic in many environments because of its resource intensity (analyzing massive traffic flows) and the limited availability of network monitoring points (SPANs, taps). |
| IP Helper | MAC-identity ••<br>Real-Time • | Identifying Attributes ••<br>Operating System •• | |
| Active Directory Queries | | Identifying Attributes ••<br>Operating System •• | Provides valuable information about endpoint domain membership status and, for domain members, additional attributes such as AD domain, directory branch, and OS and service pack version. |
| RADIUS Accounting | MAC-identity ••<br>IP-identity ••<br>Location ••<br>Real-Time •• | Behavioral Attributes •• | Provides a superior real-time method for discovering MAC identities and locations.<br>Provides IP identities when supported/enabled (e.g., Cisco's IP tracking feature).<br>Caveat: It is only available on network segments where network authentication (MAB and/or 802.1X) is deployed. |
| NetFlow, J-Flow, sFlow | | Identifying Attributes •<br>Behavioral Attributes • | Provides a scalable way to derive identity and behavior from network traffic (at layers 3 and 4) by collecting data on TCP open ports and flows of interest.<br>Caveat: Profile rules differ for ports detected via NetFlow versus SPAN. Currently, there are limitations in profiling based on NetFlow data. |
| DNS Transfers | | Identifying Attributes • | Can be a useful source of hostnames, but data quality issues in many environments limit its effectiveness. |

Classification key:

- Required: •••
- Recommended: ••
- Supplemental: •
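The SPAN DHCP and IP Helper rows both rely on reading the client's DHCP messages. The following is an added example, not code from Plixer Endpoint Analytics, showing which fields a profiler actually pulls from a DHCP Discover: the client MAC (chaddr), the hostname (option 12), the vendor class (option 60), and the parameter request list (option 55), whose contents and order serve as an OS fingerprint. The DHCP packet, the MAC/hostname values and the signature table are constructed for this example; real profilers match option 55 against a maintained fingerprint database.

```python
"""Added example (not Plixer code): extract endpoint-profiling attributes
from a DHCP message captured on a SPAN port or relayed by ip helper-address."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}

# Constructed, illustrative signatures keyed by the option 55 list (assumption for
# this example only; do not rely on this mapping in production).
SAMPLE_SIGNATURES = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows (sample signature)",
    "1,121,3,6,15,119,252,95,44,46": "macOS (sample signature)",
    "1,3,6,12,15,28,42": "embedded Linux / IoT (sample signature)",
}


def build_dhcp_discover(mac, hostname, vendor_class, prl, xid=0x3903F326):
    """Construct a minimal BOOTP/DHCP Discover (UDP payload only) as sample input."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         xid, 0, 0x8000,         # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # ciaddr..giaddr
    header += chaddr + b"\x00" * 64 + b"\x00" * 128                    # chaddr, sname, file
    opts = bytes([53, 1, 1])                                           # message type DISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()             # host name
    opts += bytes([60, len(vendor_class)]) + vendor_class.encode()     # vendor class identifier
    opts += bytes([55, len(prl)]) + bytes(prl)                         # parameter request list
    return header + MAGIC_COOKIE + opts + b"\xff"                      # END option


def parse_dhcp(payload):
    """Return the profiling-relevant attributes of one DHCP message.

    Raises ValueError on malformed input: a SPAN feed carries whatever the endpoint
    sent, so a bogus option length must be rejected rather than crash the collector.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    info = {
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "yiaddr": socket.inet_ntoa(payload[16:20]),   # assigned IP, only set by the server
        "msg_type": None, "hostname": None, "vendor_class": None,
        "fingerprint": None, "os_guess": "unknown",
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # PAD: one byte, no length field
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes but the packet ends early")
        if code == 53 and length == 1:
            info["msg_type"] = DHCP_MSG_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 12:
            # client-supplied and untrusted: decode leniently, never treat as identity
            info["hostname"] = value.decode("utf-8", errors="replace")
        elif code == 60:
            info["vendor_class"] = value.decode("ascii", errors="replace")
        elif code == 55:
            info["fingerprint"] = ",".join(str(b) for b in value)
            info["os_guess"] = SAMPLE_SIGNATURES.get(info["fingerprint"], "unknown")
        i += 2 + length
    return info


if __name__ == "__main__":
    pkt = build_dhcp_discover("00:11:22:33:44:55", "LAPTOP-7Q2", "MSFT 5.0",
                              [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    for key, val in parse_dhcp(pkt).items():
        print(f"{key:13} {val}")
```

Two points the code makes explicit. First, the assigned address lives in `yiaddr` of the server's Offer/ACK, which a relay target (ip helper-address) never receives; that is why the matrix credits IP identity to SPAN DHCP but not to IP Helper. Second, hostname, vendor class and even the MAC are set by the client, so they are profiling hints, not authentication; an endpoint can claim any hostname it likes.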
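The NetFlow row says TCP open ports are derived from flow records, with the caveat that profiling from flow data is limited. The following added example (not Plixer code) decodes a NetFlow v5 datagram and infers listening (host, port) pairs, and shows where the limitation comes from: exported flows are unidirectional and the `tcp_flags` field is the OR of all flags seen in the flow, so both halves of a completed connection carry SYN and ACK and the server cannot be told from the client by flags alone. The code pairs the two halves by reversed 5-tuple and treats the side seen first as the client. All addresses, ports, timestamps and counters are constructed sample data.

```python
"""Added example (not Plixer code): infer TCP open ports from NetFlow v5 records."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record
TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


def parse_netflow_v5(datagram):
    """Yield one dict per flow record; raise ValueError on a bad header or short datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than the record count implies")
    for n in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "packets": f[5], "bytes": f[6], "first": f[7], "last": f[8],
               "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13]}


def infer_open_ports(flows):
    """Return {(server_ip, port)} for TCP conversations whose handshake completed."""
    by_key = {}
    for fl in flows:
        if fl["proto"] == TCP:
            by_key[(fl["src"], fl["sport"], fl["dst"], fl["dport"])] = fl
    open_ports = set()
    for (src, sport, dst, dport), fwd in by_key.items():
        rev = by_key.get((dst, dport, src, sport))
        if rev is None:
            continue            # only one direction exported (or no reply): cannot judge
        # need a SYN from this side and SYN+ACK (cumulative) from the other; a
        # RST+ACK reply to a probe of a closed port fails this test
        if not (fwd["tcp_flags"] & SYN and rev["tcp_flags"] & (SYN | ACK) == (SYN | ACK)):
            continue
        # the client transmits first; on equal timestamps assume the lower port is the service
        if fwd["first"] < rev["first"] or (fwd["first"] == rev["first"] and dport < sport):
            open_ports.add((dst, dport))
    return open_ports


def build_v5_datagram(records, uptime=100000):
    """Pack constructed records into a NetFlow v5 datagram (sample input only)."""
    header = V5_HEADER.pack(5, len(records), uptime, 1_700_000_000, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0\0\0\0",
                       1, 2, r["packets"], r["bytes"], r["first"], r["last"],
                       r["sport"], r["dport"], 0, r["tcp_flags"], r.get("proto", TCP), 0,
                       0, 0, 24, 24, 0)
        for r in records)
    return header + body


# Constructed sample: one HTTPS session, one probe of a closed port, one unanswered
# probe, and one UDP flow that must be ignored.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "10.0.0.20", "dport": 443,
     "packets": 12, "bytes": 4100, "first": 1000, "last": 1900, "tcp_flags": 0x1b},
    {"src": "10.0.0.20", "sport": 443, "dst": "10.0.0.5", "dport": 51234,
     "packets": 10, "bytes": 9800, "first": 1001, "last": 1900, "tcp_flags": 0x1b},
    {"src": "10.0.0.99", "sport": 40000, "dst": "10.0.0.20", "dport": 23,
     "packets": 1, "bytes": 60, "first": 2000, "last": 2000, "tcp_flags": SYN},
    {"src": "10.0.0.20", "sport": 23, "dst": "10.0.0.99", "dport": 40000,
     "packets": 1, "bytes": 40, "first": 2001, "last": 2001, "tcp_flags": 0x14},
    {"src": "10.0.0.99", "sport": 40001, "dst": "10.0.0.20", "dport": 8080,
     "packets": 1, "bytes": 60, "first": 2002, "last": 2002, "tcp_flags": SYN},
    {"src": "10.0.0.5", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "packets": 3, "bytes": 300, "first": 2100, "last": 2150, "tcp_flags": 0, "proto": UDP},
]


def open_ports_from_sample():
    return infer_open_ports(parse_netflow_v5(build_v5_datagram(SAMPLE_RECORDS)))


if __name__ == "__main__":
    print(sorted(open_ports_from_sample()))
```

The ordering heuristic is the weak spot: exporters time-stamp flows at cache-insertion granularity, sampled NetFlow may drop the first packets or one direction entirely, and an asymmetric path means the reply flow is exported by a different device. Each of those cases either hides a real listening port or, with a bad tie-break, credits it to the client. A SPAN feed sees the actual SYN/ACK from the server and has none of this ambiguity, which is why the matrix rates the two sources with different profile rules.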