Overview

Flow Analytics (FA) adds the following features to Scrutinizer:

  • Functions as a Network Behavior Analysis system by constantly monitoring all flows for behaviors that could compromise the health of the network (network scans, illegal applications, P2P, etc.). It interrogates every flow from every host on the selected flow-exporting devices for suspicious patterns and anomalies; all flows from those devices are monitored at all times.
  • DNS resolution can be enabled to occur automatically to support Domain reporting. To enable DNS resolution, and to control how long the names are retained in a local cache, visit Admin tab > Settings > System Preferences. Note that this feature places additional load on the system, so monitor the CPU use before and after enabling it to ensure proper performance.
  • Performs threshold watches for saved reports. FA can monitor for nearly any combination of flow characteristics and export a syslog if a match or a high/low threshold is reached.

Navigation

The navigation for FA is via gadgets in the Dashboard tab. The primary gadget, “Flow Analytics Configuration”, should be added to the Dashboard. It can also be reached by navigating to Admin tab > Settings > Flow Analytics Configuration. Below are the primary utilities for configuring and observing the performance of Flow Analytics.

  • Flow Analytics Configuration: Used to configure the algorithms and monitor their performance.
  • Flow Analytics Exclusions: Used to manage the Flow Analytics IP Group and hostname exclusions.
  • Flow Analytics Dashboard Gadgets: Used to visualize the results of the FA algorithms.
  • Flow Analytics Settings: Explained under Admin tab > Settings > Flow Analytics Settings.

Aggregated alarms

Aggregated alarms combine alarms from events that are continuous (may last several hours) into a single alarm, displaying the original alarm time, the most recent alarm time, and the number of times that the alarm has triggered while it was active. Aggregated alarms will continue to collect matching alarm events until the Aggregated Alarm Timeout has expired with no new alarms. The Aggregated Alarm Timeout defaults to two hours (120 minutes). This value is controlled on the Admin > Settings > Flow Analytics Configuration page and is also configurable per algorithm. A value of zero will disable the alarm aggregation.

Security event algorithms

The security event FA algorithms provide alarms that are focused on providing actionable information while significantly minimizing false positives. IP Addresses are classified in two ways:

  1. Internal IPs: are the IP addresses, or assets, that comprise your network.
  2. External IPs: are the public Internet and other IP address spaces that are not under your administration.

Alarm messages identify both the source and destination of suspect activity as “external to internal”, “internal to external”, or “internal to internal”, as well as providing additional details that are specific to the alarm type. Internal Addresses are defined as any addresses entered as your IP Groups plus the following list of IP Address blocks. These addresses are private, non-routable addresses per RFC 1918 and link-local addresses per RFC 3927:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16

All other addresses are treated as external IPs.
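To make the classification rule concrete, the following is an added Python example (not Scrutinizer code) that labels a flow's direction the way the alarm messages do. It assumes the operator's IP Groups are supplied as a constructed list of CIDR strings, and it also labels the "external to external" case the page does not list.

```python
import ipaddress
from typing import Iterable, List

# Address blocks the page lists as always internal: the RFC 1918 private
# ranges plus the RFC 3927 link-local range.
BUILTIN_INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def build_internal(ip_groups: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Internal space = the operator's IP Groups plus the built-in blocks.
    ip_groups is a constructed stand-in for the CIDRs entered as IP Groups;
    a public range listed there becomes internal, exactly as the page says."""
    groups = [ipaddress.ip_network(g, strict=False) for g in ip_groups]
    return BUILTIN_INTERNAL + groups


def is_internal(ip: str, internal: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls in any internal block; everything else is external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal)


def classify_flow(src: str, dst: str, internal: List[ipaddress.IPv4Network]) -> str:
    """Return the direction label used in alarm messages, e.g. 'external to internal'.
    'external to external' is not one of the page's labels; such a flow touches
    none of your assets (transit traffic), so it is labelled here for completeness."""
    side = lambda ip: "internal" if is_internal(ip, internal) else "external"
    return f"{side(src)} to {side(dst)}"


if __name__ == "__main__":
    # Constructed sample: one public documentation range entered as an IP Group.
    internal = build_internal(["203.0.113.0/24"])
    sample_flows = [
        ("198.51.100.7", "10.1.2.3"),      # Internet host hitting a private asset
        ("192.168.1.10", "198.51.100.9"),  # private asset talking out
        ("172.31.0.5", "169.254.1.1"),     # private to link-local, both internal
        ("203.0.113.9", "10.0.0.1"),       # public address made internal by IP Group
        ("172.32.0.1", "10.0.0.1"),        # 172.32/16 is outside 172.16.0.0/12
    ]
    for src, dst in sample_flows:
        print(f"{src} -> {dst}: {classify_flow(src, dst, internal)}")
```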