Managing dimensions¶
To ensure that only relevant network traffic data is used when modeling network behavior, the Plixer ML Engine only monitors communications/protocols that have been defined as dimensions. Once deployed, the engine defaults to a list of factory-configured dimensions that have been selected to suit most common enterprise environments.
To further adapt network models to an organization’s unique requirements, dimensions can be added, removed, or reconfigured from the Admin > Alarm Monitor > Manage ML Dimensions page of the Plixer Scrutinizer web interface.
Configuring Dimensions
When defining a dimension for the Plixer ML Engine, the following settings must be configured:
Inclusion type the dimension applies to (hosts/subnets or Exporters)
Template field to use for grouping (
sourceipaddress
ordestinationipaddress
, host dimensions only)Aggregation method to use (
octetdeltacount
orpacketdeltacount
)Port to monitor for the dimension
Range of communications to monitor (internal only or all)
The Enabled toggle is used to enable or disable monitoring of the dimension. Dimensions can be added in a disabled state and enabled at a later time.
After deploying the engine, it is highly recommended to review the Manage ML Dimensions page to verify that the default list includes the dimensions that are best suited for modeling typical or atypical activity in the current environment. Dimensions should be added or removed as necessary.