Additional options
FA-based functions and features in Plixer Scrutinizer can be further tuned and customized using these additional options.
Global and algorithm settings
The following global and algorithm settings can be used to modify the behavior of Flow Analytics in Plixer Scrutinizer:
Hint
Global FA settings can be changed in the Admin > Settings > Flow Analytics tray.
Setting | Scope | Description |
Auto-Enable Defender | Global | When checked, allows FlowPro Defender to be automatically enabled for supported algorithms |
Jitter by Interface | Global | Sets the variation in packet delay due to queueing, contention, and/or serialization (Default: 80 ms); also used for record highlighting in Status reports |
Latency | Global | Sets the latency value used for record highlighting in Status reports (Default: 75 ms) |
Share Violations | Global | When checked, allows the system to share details of cyber attacks coming from Internet IP addresses with the Plixer Security Team (may require firewall permissions); this information is used to further improve the global host reputation list. No internal addresses will be shared. |
Top Algorithm Devices | Global | Controls whether Top X FA algorithms are applied to all Exporters or need to be configured individually |
Thresholds | Algorithm | Increases or decreases the tolerance of Alarm-generating FA algorithms to the corresponding behavior or traffic; this setting should be adjusted if too many false positives are being reported under an algorithm’s associated Alarm Policy |
Algorithm-specific settings | Algorithm | Additional configuration options that are specific to certain FA algorithms and can be used to fine-tune their behavior; for certain algorithms, these settings must be configured before the algorithm can be enabled. |
Custom reputation lists
The Host Reputation FA algorithm is capable of using custom lists in conjunction with Plixer Scrutinizer’s default host reputation lists. When a host in any reputation list becomes the target of traffic, the Event is reported under the Host Reputation Alarm Policy.
To import a list of IP addresses as a custom host reputation list, follow these steps:
1. Add the hosts to a file, using one line for each IP address.
   Example:
   10.1.1.1
   10.1.1.2
   10.1.1.3
2. Save the file with a .import extension (e.g., custom_threats.import).
   Important
   The name of the file will be used for artifacts involving the included hosts on the Alarm Summary page.
3. Move the file to the \scrutinizer\files\threats\ directory.
The file is imported hourly, at the same time that threat lists are updated.
Hint
To manually run the file import operation, use the command scrut_util --downloadhostreputationlists.
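A pre-import check for the list file described in the steps above, as an added example that is not part of the Plixer documentation or product. The function name, the sample entries, and the strict rules (rejecting CIDR ranges, hostnames, multiple values per line and duplicates, and accepting anything Python's ipaddress module parses as a single address) are assumptions derived only from the "one line for each IP address" requirement.

```python
import ipaddress
import tempfile
from pathlib import Path

# Constructed sample input: the kind of mixed entries a pasted threat feed contains.
SAMPLE = [
    "10.1.1.1",
    "10.1.1.2 10.1.1.3",   # two addresses on one line
    "10.1.1.2",
    "",                    # blank line
    "10.1.1.0/24",         # CIDR range, not a single host
    "10.1.1.1",            # duplicate of line 1
    "bad-host.example",    # hostname, not an IP address
    " 10.1.1.3 ",          # valid once surrounding whitespace is stripped
]

def build_import_file(raw_lines, dest_dir, list_name):
    """Write <list_name>.import with one validated IP address per line.

    Returns (path, accepted, rejected); rejected holds (line_no, text, reason).
    The file name matters: it labels the hosts on the Alarm Summary page.
    """
    accepted, rejected, seen = [], [], set()
    for line_no, raw in enumerate(raw_lines, start=1):
        text = raw.strip()
        if not text:
            continue  # blank lines are dropped rather than written out
        if len(text.split()) > 1:
            rejected.append((line_no, text, "more than one value on the line"))
            continue
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            rejected.append((line_no, text, "not a single IP address"))
            continue
        if ip in seen:
            rejected.append((line_no, text, "duplicate"))
            continue
        seen.add(ip)
        accepted.append(str(ip))
    path = Path(dest_dir) / f"{list_name}.import"
    path.write_text("".join(a + "\n" for a in accepted), encoding="ascii")
    return path, accepted, rejected

if __name__ == "__main__":
    # Demo writes to a temporary directory, not the Scrutinizer threats directory.
    with tempfile.TemporaryDirectory() as tmp:
        path, ok, bad = build_import_file(SAMPLE, tmp, "custom_threats")
        print(path.name, ok)
        for line_no, text, reason in bad:
            print(f"line {line_no}: {text!r} rejected ({reason})")
```

Review the rejected entries before moving the resulting file into the threats directory, since every accepted host will raise Events under the Host Reputation Alarm Policy.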