# Appendices
This section contains additional references/guides for Scrutinizer’s functional elements.
## Alarm policy list
The table below contains general information for all alarm policies available in Plixer Scrutinizer.
| Category | Policy | Technology | License | Description |
|---|---|---|---|---|
| Collection > Data Staged > Local Data Staging | Data Accumulation | Plixer Machine Learning | Plixer One Enterprise | A host is accumulating data from various internal sources in preparation to exfiltrate |
| Command and Control > Application Layer Protocol > DNS | DNS Command and Control Detection | Scrutinizer | Plixer One Core | This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by FlowPro Defender. DNS TXT messages provide a means of sending information into and out of your protected network over DNS, even when you have blocked use of an external DNS server. This technique is used by malware as a method of controlling compromised assets within your network and to extract information back out. Additionally, some legitimate companies also use this method to communicate as a means to ‘phone home’ from their applications to the developer site. |
| Command and Control > Application Layer Protocol > DNS | DNS Hits | Scrutinizer | Plixer One Core | Triggers an alarm when a host initiates an excessive number of DNS queries. This identifies hosts that perform an inordinate number of DNS lookups. To do this, set the flow threshold to a large value that reflects normal behavior on your network. The default threshold is 2500 DNS flows in three minutes. Either the source or destination IP address can be excluded from triggering this alarm. |
| Command and Control > Application Layer Protocol > DNS | DNS Server Detection | Scrutinizer | Plixer One Core | When used with FlowPro Defender, detects new DNS servers being used on or by your network through analysis of the DNS packets being exchanged between the client and the server. Exclude DNS servers that are authorized for use on the network. |
| Command and Control > Custom Command and Control Protocol | Detection of a non-standard protocol or event | Plixer FlowPro Defender | Plixer One Enterprise | Detects non-standard protocols or events (e.g. use of deprecated or rarely used protocols) |
| Command and Control > Custom Command and Control Protocol | Generic Protocol Command Decode | Plixer FlowPro Defender | Plixer One Enterprise | Detects generic protocol command decodes (e.g. malformed DHCP options) |
| Command and Control > Data Obfuscation > Protocol Impersonation | Protocol Misdirection | Scrutinizer | Plixer One Enterprise | Identifies when the type of traffic doesn’t match the port being used. |
| Command and Control > Dynamic Resolution | BotNet Detection | Scrutinizer | Plixer One Core | This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, a reply commonly known as NXDOMAIN is returned. By monitoring the number of NXDOMAINs detected as well as the DNS names looked up, behavior normally associated with a class of malware that uses Domain Generation Algorithms (DGAs) can be detected. |
| Command and Control > Dynamic Resolution | Domain Observed Used for C2 Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects domains known to be used for malware command and control |
| Command and Control > Encrypted Channel | Encrypted traffic alert | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects anomalous encrypted network traffic |
| Command and Control > Non-Standard Port | Malware Command and Control Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects malware communicating with an external command and control server |
| Command and Control > Non-Standard Port | ML Engine command and control alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures that are similar to those of well-known banking trojans (Dridex, Emotet, Quakbot, Trickbot) |
| Command and Control > Proxy > External Proxy | Tunneling through external DNS host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as a DNS proxy tunnel to another host |
| Command and Control > Proxy > External Proxy | Tunneling through external ICMP host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as an ICMP proxy tunnel to another host |
| Command and Control > Proxy > External Proxy | Tunneling through external SSH host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as an SSH proxy tunnel to another host |
| Command and Control > Proxy > Internal Proxy | Tunneling through internal DNS host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as a DNS proxy tunnel to another host |
| Command and Control > Proxy > Internal Proxy | Tunneling through internal ICMP host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as an ICMP proxy tunnel to another host |
| Command and Control > Proxy > Internal Proxy | Tunneling through internal SSH host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as an SSH proxy tunnel to another host |
| Command and Control > Remote Access Software | ML Engine remote access trojan alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures that are similar to those associated with remote access trojans |
| Command and Control > Web Service > Bidirectional Communication | Domain Reputation | Scrutinizer | Plixer One Core | Domain reputation provides much more accurate alarming, with a dramatic decrease in the number of false positive alarms as compared to IP-based Host Reputation. The domain list is provided by Plixer, is updated each hour, and currently contains over 400,000 known bad domains. |
| Command and Control > Web Service > Bidirectional Communication | Host Reputation | Scrutinizer | Plixer One Core | This algorithm maintains a current list of active Tor nodes that you should monitor. Some malware families use Tor for Command and Control communications. White-list your users who are authorized to use Tor and regard other uses as suspicious. This algorithm will also monitor any IP address lists that you provide as a custom list as described in the ‘Custom List’ section that follows. |
| Command and Control > Web Service > Bidirectional Communication | Host Watchlist | Scrutinizer | Plixer One Enterprise | Identifies hosts that have violated the internal host watchlist |
| Command and Control > Web Service > Bidirectional Communication | NetFlow Domain Reputation | Scrutinizer | Plixer One Core | A blacklisted domain has been detected in NetFlow traffic |
| Credential Access > Adversary-in-the-Middle > DHCP Spoofing | Rogue DHCP Service | Plixer Machine Learning | Plixer One Enterprise | Finds rogue DHCP services that may not be known or desired on a network |
| Credential Access > Adversary-in-the-Middle > DHCP Spoofing | Rogue LDAP Service | Plixer Machine Learning | Plixer One Enterprise | Finds rogue LDAP services that may not be known or desired on a network |
| Credential Access > Brute Force | Breach Attempt Detection | Scrutinizer | Plixer One Core | This algorithm examines flow behaviors that may indicate a brute force password attack on an internal IP address. This is accomplished by examining the flow, byte, and packet counts being exchanged in short-duration completed flows between one source and one destination, with specific behaviors observed for common attack vectors such as SSH, LDAP and RDP. If the number of flows that match these characteristics exceeds the alarm threshold, an alarm will be raised. The default flow count threshold is 100. Either IP address can be excluded from triggering this alarm. |
| Credential Access > Brute Force > Password Cracking | Zerologon | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures that are similar to those associated with Zerologon malware |
| Credential Access > Brute Force > Password Guessing | Brute-force RDP (Client-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a client trying to gain access to RDP via a brute force attack |
| Credential Access > Brute Force > Password Guessing | Brute-force RDP (Server-side TCP) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an RDP (TCP) brute force attack |
| Credential Access > Brute Force > Password Guessing | Brute-force RDP (Server-side UDP) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an RDP (UDP) brute force attack |
| Credential Access > Brute Force > Password Guessing | Brute-force SSH (Client-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a client trying to gain access to SSH via a brute force attack |
| Credential Access > Brute Force > Password Guessing | Brute-force SSH (Server-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an SSH brute force attack |
| Credential Access > Brute Force > Password Guessing | SMB Brute-force Attempt | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects a client trying to gain access to an SMB server via brute force password guessing |
| Credential Access > Credential Dumping | Successful Credential Theft Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects successful attempts at stealing user credentials |
| Defense Evasion > Non-Application Layer Protocol | A client was using an unusual port | Plixer FlowPro Defender | Plixer One Enterprise | Detects when a client is using an unusual port for a given well-known protocol (e.g. a client sending HTTP requests over a non-standard port) |
| Defense Evasion > Obfuscated Files or Information | A suspicious filename was detected | Plixer FlowPro Defender | Plixer One Enterprise | A suspicious filename is detected that is often related to known malware families |
| Discovery > Network Service Scanning | Detection of a Network Scan | Plixer FlowPro Defender | Plixer One Enterprise | Detects network scanning activities (e.g. a large number of requests to different ports on a single machine or multiple machines) |
| Discovery > Network Service Scanning | FIN Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a FIN scan is detected. FIN scans are often used as reconnaissance prior to an attack. They are considered to be a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | ICMP Port Unreachable (Internal) | Scrutinizer | Plixer One Core | This alarm is generated when a large number of ICMP destination unreachable messages have been sent to the suspect IP address. This may happen as a result of scanning activity, misconfiguration, or network errors. ICMP Destination Unreachable is a message that comes back from a destination host or the destination host gateway to indicate that the destination is unreachable for one reason or another. The default threshold is 100 destination unreachable messages. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | NULL Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a NULL scan is detected. NULL scans are a TCP scan with all TCP flags cleared to zero. This scan is often used as reconnaissance prior to an attack. They are considered to be a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | Odd TCP Flags (Internal) | Scrutinizer | Plixer One Core | Alerts when a scan is detected using unusual TCP flag combinations. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | RST/ACK Detection (Internal) | Scrutinizer | Plixer One Core | Alerts when a large number of TCP flows containing only RST and ACK flags have been detected being sent to a single destination. These flows indicate that a connection attempt was made on the host sending the RST/ACK flow, and was rejected. This algorithm may detect other scan types used by an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | SYN Port Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. SYN scans are a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | TCP Half-Open (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. SYN scans are a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | TCP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a possible TCP scan is detected from an exporter that does not provide TCP flag information. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | UDP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a possible UDP scan is detected. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Network Service Scanning | Xmas Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when an XMAS scan is detected. XMAS scans are a TCP scan with the FIN, PSH, and URG TCP flags set. This scan is often used as reconnaissance prior to an attack. They are considered to be a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Remote System Discovery | Device Retrieving External IP Address Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects devices retrieving their external IP addresses (e.g. a device making a request to whatismyip services, commonly used in malware recon and exfiltration) |
| Discovery > Remote System Discovery | ICMP Destination Unreachable (Internal) | Scrutinizer | Plixer One Core | This alarm is generated when a large number of ICMP destination unreachable messages have been sent to the suspect IP address. This may happen as a result of scanning activity, misconfiguration, or network errors. ICMP Destination Unreachable is a message that comes back from a destination host or the destination host gateway to indicate that the destination is unreachable for one reason or another. The default threshold is 100 destination unreachable messages. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Remote System Discovery | Lateral Movement Behavior | Plixer Machine Learning | Plixer One Enterprise | Detects a host moving laterally inside a network during a reconnaissance phase |
| Discovery > Remote System Discovery | Ping Scan (Internal) | Scrutinizer | Plixer One Enterprise | Alerts when a host is suspected of performing a ping scan. A ping scan uses ICMP Echo Requests (ping) to discover what IPs are in use on a network. The behavior is commonly demonstrated by attackers attempting to find targets for compromise or lateral movement. |
| Discovery > Remote System Discovery | SYN IP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. SYN scans are a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
| Discovery > Remote System Discovery | Worm Activity | Plixer Machine Learning | Plixer One Enterprise | Network traffic patterns appear to indicate worm malware propagating throughout the network |
| Discovery > System Network Connections Discovery | Lateral Movement Attempt | Scrutinizer | Plixer One Enterprise | Identifies behavior from a host which could be attempted lateral movement. |
| Endpoint Data | Endpoint Analytics Info | Endpoint Analytics | Plixer One Enterprise | Informational messages from Endpoint Analytics |
| Execution > Command and Scripting Interpreter | Reverse SSH Shell | Scrutinizer | Plixer One Enterprise | Identifies possible reverse SSH tunnels to external destinations. A reverse SSH tunnel allows an external entity access to internal, protected resources via use of an established outbound SSH connection. |
| Execution > Exploitation for Client Execution | Exploit Kit Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects known exploit kit activities |
| Execution > Exploitation for Client Execution | SIGRed Exploit Attempt | Plixer Machine Learning | Plixer One Enterprise | Detects malformed DNS query responses which could be used as an exploit via SIGRed |
| Execution > System Services | A system call was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects when a potential system call was made (e.g. x86 shellcode found in a network payload) |
| Execution > System Services | Executable code was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects when executable binary shellcode is found in a network payload |
| Execution > User Execution > Malicious File | ML Engine exploit kit alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures that are similar to those associated with the RigEK + Ramnit exploit kit |
| Execution > User Execution > Malicious Link | Blocked Malicious Domains | Plixer Machine Learning | Plixer One Enterprise | A known malicious domain has been blocked by the Plixer DNS proxy |
| Exfiltration > Exfiltration Over Alternative Protocol | Data Exfiltration | Plixer Machine Learning | Plixer One Enterprise | A host is exfiltrating large amounts of data to an external host |
| Exfiltration > Exfiltration Over Alternative Protocol | DNS Data Leak Detection | Scrutinizer | Plixer One Core | This algorithm monitors the practice of encoding information into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. When this happens, your local DNS server will fail to find the DNS name in its cache, and will pass the name out of your network, where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a ‘no existing domain’ response, or return a non-routable address. |
| FlowPro Event Captured | FlowPro Event Capture | Plixer FlowPro Defender | Plixer One Enterprise | A user-defined FlowPro capture rule. |
| Forecast Events | Forecast Anomaly | Plixer Machine Learning | Plixer One Enterprise | An anomaly outside the range of a network forecast has been detected |
| Impact > Data Encrypted for Impact | Ransomware Behavior | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects a client accessing an SMB share and potentially encrypting files |
| Impact > Endpoint Denial of Service > Application or System Exploitation | Detection of a Denial of Service Attack | Plixer FlowPro Defender | Plixer One Enterprise | Detects Denial of Service (DoS) attacks |
| Impact > Endpoint Denial of Service > Application or System Exploitation | Large Ping | Scrutinizer | Plixer One Enterprise | Alerts on the observance of unusually large ICMP Echo Request (ping) packets. This alert could indicate malicious activity within the network, including possible Denial of Service (DoS) attempts. |
| Impact > Network Denial of Service | DDoS | Scrutinizer | Plixer One Core | Identifies generic Distributed Denial of Service (DDoS) attacks targeted at your protected network space. Refer to the DRDoS algorithm for detection of the more common Distributed Reflection DoS attacks. Note that the DDoS algorithm may take a lot of time depending on the exporters selected. There are four settings which are used to adjust the sensitivity of the DDoS detection algorithm: |
| Impact > Network Denial of Service | Denial of Service | Plixer FlowPro Defender | Plixer One Enterprise | A known threat vector has been observed that indicates a DoS attempt has been successful |
| Impact > Network Denial of Service | DRDoS | Scrutinizer | Plixer One Core | Identifies Distributed Reflection Denial of Service (DRDoS) attacks targeted at your protected network space. DRDoS attacks are often launched by a BotNet, and ‘reflection attacks’ have become the most common form of DoS attack. Scrutinizer may identify attacks against your network as ‘reflection attacks’ if they meet the criteria. DRDoS attacks are detected by an imbalance between the number of queries sent to external UDP services often used for DRDoS attacks and the number of replies observed. If the number of replies exceeds the number of requests by the threshold, then a DRDoS alarm is triggered. |
| Impact > Network Denial of Service | Packet Flood | Scrutinizer | Plixer One Enterprise | Alerts when a packet flood is detected. A packet flood is characterized as a large volume of small packets intended to overwhelm the target’s ability to process legitimate traffic. |
| Impact > Network Denial of Service | Ping Flood | Scrutinizer | Plixer One Enterprise | Alerts when a ping flood is detected. A ping flood is characterized as a large volume of ICMP Echo Requests intended to overwhelm the target’s ability to process legitimate traffic. |
| Impact > Resource Hijacking | Crypto Currency Mining Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects cryptocurrency mining activities (e.g. traffic to known mining pools) |
| Impact > Resource Hijacking | ML Engine coin miner alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures that are similar to those associated with the XMRig coin miner |
| Indicators of Compromise | Bogon Attempt | Scrutinizer | Plixer One Enterprise | Alerts if traffic to or from unallocated public IP space is detected |
| Indicators of Compromise | Bogon Connection | Scrutinizer | Plixer One Enterprise | Alerts if traffic to or from unallocated public IP space is detected |
| Indicators of Compromise | Denied Flows Firewall | Scrutinizer | Plixer One Core | Triggers an alarm for internal IP addresses sending to external IP addresses that cause more than the threshold of denied flows. The default threshold is set to 5 denied flows. Either the source or destination IP address can be excluded from triggering this alarm. |
| Indicators of Compromise | P2P Detection | Scrutinizer | Plixer One Core | Peer-to-peer (P2P) traffic such as BitTorrent is identified by this algorithm. The default threshold is a P2P session involving over 100 external hosts, which will detect most P2P applications. However, there are several P2P applications that are stealthier, so you may want to experiment with lower thresholds or periodically lower the threshold to about 20 to determine if other ‘low and slow’ P2P traffic is on your network. |
| Initial Access > Drive-by Compromise | Possibly Unwanted Program Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects potentially unwanted programs (e.g. various spyware applications) |
| Initial Access > Exploit Public-Facing Application | Access to a potentially vulnerable web application | Plixer FlowPro Defender | Plixer One Enterprise | Detects when there is access to a potentially vulnerable web application (e.g. an Apache ?M=D directory list attempt) |
| Initial Access > Exploit Public-Facing Application | Web Application Attack | Plixer FlowPro Defender | Plixer One Enterprise | Detects when a possible web application attack occurs (e.g. a SQL injection attack on a web application or shellcode found in a URI) |
| Initial Access > Phishing | Targeted Malicious Activity was Detected | Plixer FlowPro Defender | Plixer One Enterprise | Fires when targeted malicious activity is detected (e.g. Advanced Persistent Threats (APTs) that try to remain undetected on a network) |
| Initial Access > User Execution | A Network Trojan was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects known network Trojans. Plixer default rules contain over 10,000 different trojan detections out of the box |
| Initial Access > User Execution | Possible Social Engineering Attempted | Plixer FlowPro Defender | Plixer One Enterprise | Detects possible social engineering attempts (e.g. a phishing email, fake tech support landing pages, etc.) |
| Initial Access > Valid Accounts | An attempted login using a suspicious username was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects when an attempted login using a suspicious username is detected (e.g. a user account that has been disabled, an account with non-standard naming, etc.) |
## Event details
The table below lists the default timeout settings and details reported for alarm policy violations/events in Scrutinizer.
Name |
Criteria |
Alarm Keys |
Timeout (s) |
Message |
|---|---|---|---|---|
Access and Audit Events |
violators, message |
violators, message |
300.000000 |
|
Access to a potentially vulnerable web application |
violators |
violators, targets, devices, msg |
900.000000 |
|
A client was using an unusual port |
violators |
violators, targets, devices, msg |
900.000000 |
|
An attempted login using a suspicious username was detected |
violators |
violators, targets, devices, msg |
900.000000 |
|
A Network Trojan was detected |
violators |
violators, targets, devices, msg |
900.000000 |
|
A suspicious filename was detected |
violators |
violators, targets, devices, msg |
900.000000 |
|
A system call was detected |
violators |
violators, targets, devices, msg |
900.000000 |
|
Attempted Denial of Service |
violators |
violators, targets, devices, msg |
900.000000 |
|
Attempted Information Leak |
violators |
violators, targets, devices, msg |
900.000000 |
|
Attempted User Privilege Gain |
violators |
violators, targets, devices, msg |
900.000000 |
|
Attempt to login by a default username and password |
violators |
violators, targets, devices, msg |
900.000000 |
|
Auto Investigate |
first_violator |
violators, targets, host_count, policy_count, chain_count, event_count, start_epoch, end_epoch |
86400.000000 |
The host %{FIRST_VIOLATOR} was seen in %{CHAIN_COUNT} event chains involving %{POLICY_COUNT} policies, %{HOST_COUNT} directly involved hosts, and %{EVENT_COUNT} events. |
| AutoReplicate Error | failure_type | seed_profile, message | 300.000000 | AutoReplicate on %{VIOLATORS} encountered %{FAILURE_TYPE} with %{SEED_PROFILE}. %{MESSAGE} |
| AutoReplicate Exporter Added | exporter | exporter, port, profile_name | 300.000000 | AutoReplicate on %{VIOLATORS} added %{EXPORTER} on %{PORT} to the %{PROFILE_NAME} profile. |
| AutoReplicate Exporter Removed | exporter | exporter, port, profile_name | 300.000000 | AutoReplicate on %{VIOLATORS} removed %{EXPORTER} on %{PORT} from the %{PROFILE_NAME} profile. |
| AutoReplicate Ran | seed_profile, type | minutes, summary | 300.000000 | AutoReplicate ran on: %{VIOLATORS} with a statistics lookback window of %{MINUTES} minutes. %{SUMMARY} |
| Azure user logged on from many hosts | user_id | user_id, total_hosts | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Azure user logged on from many locations | user_id | user_id, total_locations | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_LOCATIONS} different locations, which is more than normal. Locations performing authentication(s) are %{VIOLATORS} |
| Azure user logged on many times | user_id | user_id, total_auths | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Bad Exporter Flow | violators, reason_text | reason_text, reason_num, repetition, sequence, set_id, source_id, violators, devices | 3600.000000 | Exporter %{VIOLATORS} sent a bad flow (source %{SOURCE_ID}, sequence %{SEQUENCE}, set %{SET_ID}): %{REASON_TEXT} |
| Bad Exporter Packet | violators, reason_text | reason_text, reason_num, repetition, violators, devices | 3600.000000 | Exporter %{VIOLATORS} sent a bad packet: %{REASON_TEXT} |
| Bad Exporter Template | violators, reason_text | reason_text, reason_num, repetition, sequence, source_id, template_id, violators, devices | 3600.000000 | Exporter %{VIOLATORS} sent a bad template #%{TEMPLATE_ID} (source %{SOURCE_ID}, sequence %{SEQUENCE}): %{REASON_TEXT} |
| Blocked Malicious Domains | violators | violators, targets, domain | 300.000000 | |
| Bogon Attempt | violators | violators, targets, devices | 3600.000000 | Connections to a bogon network, %{TARGETS}, were seen on %{DEVICES} by %{VIOLATORS} |
| Bogon Connection | violators | violators, targets, devices | 3600.000000 | Inbound traffic from a bogon network was seen going to %{TARGETS} on %{DEVICES} by %{VIOLATORS} |
| BotNet Detection | violators | violators, targets, devices, nxcount | 3600.000000 | Internal IP %{VIOLATORS} performed %{NXCOUNT} unique DNS lookups using DNS server(s) %{TARGETS} that returned a Non-Existent Domain (NXDOMAIN) message as seen on %{DEVICES} exporter(s). This may indicate the presence of malware on %{VIOLATORS} that uses a domain generation algorithm (DGA) to communicate with malware C&C servers. |
| Breach Attempt Detection | violators, breachtype | devices, violators, breachtype, targets | 900.000000 | Detected %{BREACHTYPE} breach by: %{VIOLATORS} with targets: %{TARGETS} |
| Brute-force RDP (Client-side) | violators | violators, targets | 300.000000 | |
| Brute-force RDP (Server-side TCP) | targets | violators, targets | 300.000000 | |
| Brute-force RDP (Server-side UDP) | targets | violators, targets | 300.000000 | |
| Brute-force SSH (Client-side) | violators | violators, targets | 300.000000 | |
| Brute-force SSH (Server-side) | targets | violators, targets | 300.000000 | |
| Collector Alert | error | process, process_id, devices, violators, error | 300.000000 | |
| Collector Message | event_type, priority | process, process_id, message, event_type, violators | 300.000000 | |
| Configuration Alert | event_type, priority | process, process_id, message, event_type, violators | 300.000000 | |
| Crypto Currency Mining Activity Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Cstore Strays | devices | count | 86400.000000 | Found and removed: %{COUNT} stray cstore files on: %{DEVICES} |
| Data Accumulation | violators | violators, targets, total_data | 300.000000 | In the last 30 minutes, %{VIOLATORS} accumulated %{TOTAL_DATA} bytes from %{TARGETS} |
| Data Exfiltration | violators | violators, targets, total_data | 300.000000 | In the last 30 minutes, %{VIOLATORS} exfiltrated %{TOTAL_DATA} bytes to %{TARGETS} |
| DDoS | targets | attacker_count, bytes_std_dev, duration, flow_count, packets_std_dev | 300.000000 | Possible Inbound DDoS Attack: Within %{DURATION} seconds %{ATTACKER_COUNT} external hosts generated a combined total of %{FLOW_COUNT} flows having bytes within %{BYTES_STD_DEV} standard deviations and packets within %{PACKETS_STD_DEV} standard deviations. |
| Decode of an RPC Query | violators | violators, targets, devices, msg | 900.000000 | |
| Denial of Service | violators | violators, targets, devices, msg | 900.000000 | |
| Denied Flows Firewall | violators | devices, violators, target_count, flowcount | 900.000000 | IP %{VIOLATORS} had %{FLOWCOUNT} connection attempts to %{TARGET_COUNT} external IP addresses denied by the firewall as seen on %{DEVICES} exporter(s) |
| Detection of a Denial of Service Attack | violators | violators, targets, devices, msg | 900.000000 | |
| Detection of a Network Scan | violators | violators, targets, devices, msg | 900.000000 | |
| Detection of a non-standard protocol or event | violators | violators, targets, devices, msg | 900.000000 | |
| Device Retrieving External IP Address Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Diskspace Alert | disk_error, disk_partition, violators | process, process_id, disk_error, disk_partition, message | 300.000000 | |
| DNS Command and Control Detection | violators | violators, targets, devices | 900.000000 | Possible Command and Control (C&C) Activity. DNS TXT messages are being exchanged between asset %{VIOLATORS} and %{TARGETS} as seen on the %{DEVICES} exporter(s) |
| DNS Data Leak Detection | violators | violators, totaltextlength, dnsname | 900.000000 | DNS lookups initiated from asset: %{VIOLATORS} using complex domain name: %{DNSNAME} containing a high number of domain levels and a total of: %{TOTALTEXTLENGTH} characters. |
| DNS Hits | violators | violators, flowcount, threshold | 900.000000 | Internal IP %{VIOLATORS} performed %{FLOWCOUNT} DNS lookups in the last 5 minutes exceeding the threshold of %{THRESHOLD} |
| DNS Server Detection | violators | violators, client_count, flowcount, devices | 900.000000 | |
| Domain Observed Used for C2 Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Domain Reputation | violators, dnsname | violators, dnsname, category | 900.000000 | IP %{VIOLATORS} performed a DNS lookup on a black-listed domain: %{DNSNAME} in the %{CATEGORY} category |
| DRDoS | targets, port_name | devices, attacker_count, duration, packet_in_count, packet_io_ratio, packet_out_count, port, port_name | 900.000000 | Possible Inbound DRDoS Attack from common port %{PORT} (%{PORT_NAME}): Within %{DURATION} seconds %{ATTACKER_COUNT} violators generated a combined total of %{PACKET_IN_COUNT} inbound packets in response to %{PACKET_OUT_COUNT} outbound request packets, for a ratio of %{PACKET_IO_RATIO} inbound packets per outbound packet. |
| Encrypted traffic alert | violators | violators, ja3, ja3s, reason, severity | 300.000000 | ML generated an encrypted traffic alert for %{VIOLATORS}: %{REASON} |
| Endpoint Analytics Info | violators | violators, macaddress, risk_score, location | 300.000000 | Host %{VIOLATORS} has MAC address %{MACADDRESS}, has a risk score of %{RISK_SCORE}, and has location %{LOCATION}. |
| Event Queue Alert | violators, type | threshold, value | 300.000000 | Event queue on host: %{VIOLATORS} has breached %{TYPE} threshold: %{THRESHOLD} with value: %{VALUE} |
| Executable code was detected | violators | violators, targets, devices, msg | 900.000000 | |
| Exploit Kit Activity Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Exporter Ignored | devices, violators, reason_num | reason_text, repetition, violators | 3600.000000 | Discarding flows from exporter %{VIOLATORS}: %{REASON_TEXT} |
| Exporter Paused | violators, exporter_id | | 1.000000 | Exporter %{EXPORTER_ID} paused by reporter %{VIOLATORS} due to insufficient resources. See the feature sizing interface for more details. |
| Exporter Resumed | violators, exporter_id | | 1.000000 | Exporter %{EXPORTER_ID} resumed by reporter %{VIOLATORS} due to additional available resources. See the feature sizing interface for more details. |
| Feature Set Paused | violators, feature_set | | 1.000000 | Feature set %{FEATURE_SET} paused by reporter %{VIOLATORS} due to insufficient resources. See the feature sizing interface for more details. |
| Feature Set Resumed | violators, feature_set | | 1.000000 | Feature set %{FEATURE_SET} resumed by reporter %{VIOLATORS} due to additional available resources. See the feature sizing interface for more details. |
| FIN Scan (External) | violators | devices, violators | 900.000000 | A FIN Scan was seen on %{DEVICES} by %{VIOLATORS} |
| FIN Scan (Internal) | violators | devices, violators | 900.000000 | A FIN Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Flow Collection Paused | violators | | 60.000000 | Flow collection paused on collector %{VIOLATORS} due to hardware and/or configuration change. See the feature sizing interface for more details. |
| Flow Collection Resumed | violators | new_flow_rate | 60.000000 | Flow collection resumed at %{NEW_FLOW_RATE} flows/sec on collector %{VIOLATORS}. |
| Flow Inactivity | violators, collector | last_flow | 1200.000000 | Exporter %{VIOLATORS} stopped sending flows to the %{COLLECTOR} collector. The last flow was received %{LAST_FLOW}. If this is expected, set the exporter to disabled or delete it in manage exporters to stop these alarms. |
| FlowPro Event Capture | devices, capture_name | violators, targets, devices, capture_name, lookup | 900.000000 | Traffic captured for %{CAPTURE_NAME} from %{VIOLATORS} to %{TARGETS} seen on %{DEVICES} |
| FlowPro Event Capture | violators | violators, targets, devices, lookup | 900.000000 | Traffic captured from %{VIOLATORS} to %{TARGETS} by %{DEVICES}, access via %{LOOKUP} |
| Flow Rate Limit Changed | violators | new_flow_rate | 60.000000 | Flow collection rate limit changed to %{NEW_FLOW_RATE} flows/sec on collector %{VIOLATORS} due to hardware and/or configuration change. See the feature sizing interface for more details. |
| Flows Limited - Licensing | devices, violators, reason_num | reason_text | 60.000000 | Collector %{VIOLATORS} license exceeded: %{REASON_TEXT} |
| Forecast Anomaly | devices, interfaces, applications, type, ts | forecast_id, devices, interfaces, target_quantity, observed_value, mean, forecast_start_time, forecast_end_time | 300.000000 | Forecast: %{FORECAST_ID} found %{INTERFACES} on %{DEVICES} observed value: %{OBSERVED_VALUE} %{TARGET_QUANTITY} is outside forecast for interval %{FORECAST_START_TIME}-%{FORECAST_END_TIME}, Expected Value: %{LOWER_CONF} <= %{MEAN} <= %{UPPER_CONF} |
| Forecast Task Complete | devices, interfaces, applications, type | forecast_id | 60.000000 | Forecast: %{FORECAST_ID} complete, results available |
| Forecast Task Error | devices, interfaces, applications, type | forecast_id, error_stage, error | 60.000000 | Forecast: %{FORECAST_ID} resulted in an error during %{ERROR_STAGE}. Message: %{ERROR} |
| Forecast Task Starting | devices, interfaces, applications, type | forecast_id | 60.000000 | Forecast: %{FORECAST_ID} received by forecasting module |
| Generic Protocol Command Decode | violators | violators, targets, devices, msg | 900.000000 | |
| HA Exporter switchover event | profile_name, reason | profile_name, reason, source_ip | 30.000000 | Replicator Profile (%{PROFILE_NAME}) has changed active exporter to %{SOURCE_IP} as %{REASON} |
| Hardware Resources Exceeded | violators | drop_rate, flow_limit_period | 60.000000 | Collector %{VIOLATORS} incoming flow rate exceeds hardware recommendations. %{DROP_RATE} flows per second dropped over the last %{FLOW_LIMIT_PERIOD} seconds. See the feature sizing interface for more details. |
| Heartbeat Alert | heartbeat_type, violators | process, process_id, heartbeat_type, devices, violators | 300.000000 | |
| Host Index Disk Availability Error | violators | threshold, current | 300.000000 | Host Indexing service has reached disk storage volume limit of %{THRESHOLD} percent in use, Currently %{CURRENT} percent in use. Stopping processing and starting garbage collection until under threshold. |
| Host Index Disk Space Error | violators | threshold, current | 300.000000 | Host Indexing service has reached disk space usage: %{CURRENT}MB, threshold: %{THRESHOLD}MB. Stopping processing and starting garbage collection until under threshold. |
| Host Index Disk Space Warning | violators | threshold, current | 300.000000 | Host Indexing service has reached disk space usage: %{CURRENT}MB, over 75% of threshold: %{THRESHOLD}MB |
| Host Reputation | violators, targets | violators, targets, devices, category_note | 3600.000000 | IP %{VIOLATORS} sent traffic to a suspect %{CATEGORY_NOTE} at IP address %{TARGETS} as seen on the %{DEVICES} exporter(s) |
| Host Watchlist | violators | devices, violators, port, protocol | 900.000000 | Host Watchlist - %{DEVICES} saw watchlisted host %{VIOLATORS} communicating from %{PROTOCOL} %{PORT} |
| ICMP Destination Unreachable (External) | violators | flowcount, violators | 900.000000 | External IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Destination Unreachable flows within 5 minutes |
| ICMP Destination Unreachable (Internal) | violators | flowcount, violators | 900.000000 | Internal IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Destination Unreachable flows within 5 minutes |
| ICMP Port Unreachable (External) | violators | flowcount, violators | 900.000000 | External IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Protocol Unreachable flows within 5 minutes |
| ICMP Port Unreachable (Internal) | violators | flowcount, violators | 900.000000 | Internal IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Protocol Unreachable flows within 5 minutes |
| Information Leak | violators | violators, targets, devices, msg | 900.000000 | |
| Interface Threshold Violation | violators, interface_name, instance | exporter, interface_name, instance, threshold, violation, graphStart, graphEnd | 900.000000 | Interface %{EXPORTER}: %{INTERFACE_NAME} exceeded the threshold of %{THRESHOLD} %{VIOLATION} |
| IP Address Violations | violators | devices, violators, targets | 900.000000 | Traffic on %{DEVICES} between %{VIOLATORS} and %{TARGETS} is outside of allowed subnets |
| Kafka Lag | topic_lagged | topic_lagged, messages_behind | 660.000000 | ML Kafka topic %{TOPIC_LAGGED} is lagging %{MESSAGES_BEHIND} messages behind |
| Large Ping | violators | violators, targets, devices, threshold, avg_ping_size | 900.000000 | Unexpected ICMP Echo traffic seen from violator %{VIOLATORS} to target %{TARGETS} on exporter %{DEVICES} with an average packet size of %{AVG_PING_SIZE} Bytes which violates the threshold of %{THRESHOLD} Bytes |
| Large Scale Information Leak | violators | violators, targets, devices, msg | 900.000000 | |
| Lateral Movement | violators, targets, worm_type | devices, targets, violators | 1200.000000 | |
| Lateral Movement Attempt | violators, worm_type | devices, violators, targets, worm_type, dst_port | 1200.000000 | |
| Lateral Movement Behavior | violators | violators | 300.000000 | |
| Malware Command and Control Activity Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Medianet Jitter Violations | violators | targets, violators, jitter | 420.000000 | Jitter values of %{JITTER}ms between %{VIOLATORS} and %{TARGETS} exceeds threshold |
| ML Engine alert | violators, source | source, threshold | 300.000000 | ML service %{SOURCE} has reached threshold %{THRESHOLD}, throttling until next run |
| ML Engine coin miner alert | violators | violators, family, probability, threshold | 300.000000 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine command and control alert | violators | violators, family, probability, threshold | 300.000000 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine Down | host | host, violators | 300.000000 | ML Engine %{HOST} is not responding to pings |
| ML Engine exploit kit alert | violators | violators, family, probability, threshold | 300.000000 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine malware alert | violators | violators, family, probability, threshold | 300.000000 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine remote access trojan alert | violators | violators, family, probability, threshold | 300.000000 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML models still building | violators | violators, schedule | 300.000000 | ML is still building models for schedule %{SCHEDULE}, but the next schedule is currently expected to start. Increase replica count values in the config. |
| ML Service Alert | service_name | service_name, unavailable, expected | 300.000000 | ML service %{SERVICE_NAME} has %{UNAVAILABLE}/%{EXPECTED} instances unavailable |
| NetFlow Domain Reputation | violators, domain | violators, domain, category | 900.000000 | Internal IP %{VIOLATORS} performed a lookup of %{DOMAIN}, categorized as %{CATEGORY} |
| Network Anomaly | violators, interface_id, anomaly_type | violators, interface_id, anomaly_type | 300.000000 | Exporter %{VIOLATORS} is generating anomalous %{ANOMALY_TYPE} traffic on interface %{INTERFACE_ID} |
| New user using elevated logon | user_id | user_id | 300.000000 | A new user, %{USER_ID}, is logging in with elevated privileges. Hosts performing login(s) are %{VIOLATORS} |
| NULL Scan (External) | violators | devices, violators, flowcount, threshold | 900.000000 | A NULL scan was seen on %{DEVICES} by %{VIOLATORS} in %{FLOWCOUNT} flows violating the threshold of %{THRESHOLD} |
| NULL Scan (Internal) | violators | devices, violators, flowcount, threshold | 900.000000 | A NULL scan was seen on %{DEVICES} by %{VIOLATORS} in %{FLOWCOUNT} flows violating the threshold of %{THRESHOLD} |
| Odd TCP Flags (External) | violators | devices, violators, flags, flowcount | 900.000000 | Odd TCP flags (%{FLAGS}) were seen in %{FLOWCOUNT} flows on %{DEVICES} by %{VIOLATORS} |
| Odd TCP Flags (Internal) | violators | devices, violators, flags, flowcount | 900.000000 | Odd TCP flags (%{FLAGS}) were seen in %{FLOWCOUNT} flows on %{DEVICES} by %{VIOLATORS} |
| Office 365 user logged in many times | user_id | user_id, total_auths | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Office 365 user logged on from many hosts | user_id | user_id, total_hosts | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Office 365 users logged on from many locations | user_id | user_id, total_locations | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_LOCATIONS} different locations, which is more than normal. Locations performing authentication(s) are %{VIOLATORS} |
| P2P Detection | violators | devices, violators, dst_host_count, dst_port_count | 900.000000 | P2P traffic to %{DST_HOST_COUNT} destinations using %{DST_PORT_COUNT} distinct port(s) was seen on %{DEVICES} from %{VIOLATORS} |
| Packet Flood | violators | devices, violators, targets, count | 3600.000000 | Packet flood seen from %{VIOLATORS} to %{TARGETS} comprising %{COUNT} small packets in a minute by devices: %{DEVICES} |
| Ping Flood | violators | devices, violators, targets, count | 3600.000000 | Ping flood seen from %{VIOLATORS} to %{TARGETS} comprising %{COUNT} pings in a minute by devices: %{DEVICES} |
| Ping Scan (External) | violators | devices, violators, count | 3600.000000 | Ping scan seen from %{VIOLATORS} to %{COUNT} hosts by devices: %{DEVICES} |
| Ping Scan (Internal) | violators | devices, violators, count | 3600.000000 | Ping scan seen from %{VIOLATORS} to %{COUNT} hosts by devices: %{DEVICES} |
| Possible Social Engineering Attempted | violators | violators, targets, devices, msg | 900.000000 | |
| Possibly Unwanted Program Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Privileged user logged on from many hosts | user_id | user_id, total_hosts | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Privileged user logged on many times | user_id | user_id, total_auths | 300.000000 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Protocol Misdirection | violators | violators, traffic_type, port, targets | 3600.000000 | Mismatched traffic type of %{TRAFFIC_TYPE} to port %{PORT} from %{VIOLATORS} to %{TARGETS} |
| Ransomware Behavior | violators | violators, targets, file_count, files | 900.000000 | Observed a possible ransomware encryption attack from %{VIOLATORS} targeting SMB share %{TARGETS}. %{FILE_COUNT} files were both read and written to, including files: %{FILES} |
| Replicator Exporter State Change | replicator, exporter_ip, exporter_port, state | replicator, exporter_ip, exporter_port, state | 30.000000 | Replicator(%{REPLICATOR}) detected a state change for exporter %{EXPORTER_IP}:%{EXPORTER_PORT} state: %{STATE} |
| Replicator Exporter State Change | replicator, collector_ip, collector_port, state | replicator, collector_ip, collector_port, state | 30.000000 | Replicator(%{REPLICATOR}) detected a state change for collector %{COLLECTOR_IP}:%{COLLECTOR_PORT} state: %{STATE} |
| Replicator Has Encountered An Error | replicator | replicator, errmsg | 300.000000 | Replicator (%{REPLICATOR}) has encountered an error: %{ERRMSG} |
| Replicator High Availability State Changed | replicator | replicator, message, state | 30.000000 | Replicator (%{REPLICATOR}) has changed state to %{STATE}: %{MESSAGE} |
| Report Threshold Violation | saved_report, row_identifier | saved_report, row_identifier, violation, graphStart, graphEnd, src_port, dst_port, violator, violator_username, target, target_username, protocol, app_proto, url | 420.000000 | The report %{SAVED_REPORT} %{ROW_IDENTIFIER} has exceeded its threshold %{VIOLATION} |
| Reverse SSH Shell | violators | origin_bytes, bytes_per_packet | 3600.000000 | Possible reverse SSH tunnel from %{VIOLATORS} to %{TARGETS} seen by devices: %{DEVICES} based on %{ORIGIN_BYTES} origin bytes and %{BYTES_PER_PACKET} average origin bytes per packet |
| Rogue DHCP Service | violators | violators, targets | 300.000000 | |
| Rogue DNS Service | violators | violators, targets | 300.000000 | |
| Rogue LDAP Service | violators | violators, targets | 300.000000 | |
| RST/ACK Detection (External) | violators | violators, flowcount, targets | 900.000000 | Anomalous Behavior - Possible RST/ACK Replies Observed. Host %{TARGETS} received %{FLOWCOUNT} packets from %{VIOLATORS} without observing any other flags |
| RST/ACK Detection (Internal) | violators | violators, flowcount, targets | 900.000000 | Anomalous Behavior - Possible RST/ACK Replies Observed. Host %{TARGETS} received %{FLOWCOUNT} packets from %{VIOLATORS} without observing any other flags |
| Runtime Overrun | process | process, process_id, threshold, duration, action | 300.000000 | |
| Scheduled Task Error | violators, task_name | task_id, command, error_code, start_time, run_time | 300.000000 | A scheduled task on collector %{VIOLATORS}, %{TASK_NAME} (ID %{TASK_ID}) returned error code: %{ERROR_CODE} running: “%{COMMAND}”. It started at %{START_TIME} and ran for %{RUN_TIME} seconds. View the collector log and/or run the task manually for more details. |
| Security Anomaly | violators, anomaly_type | violators, anomaly_type | 300.000000 | |
| Setup Problem | issue | message | 900.000000 | |
| SIGRed Exploit Attempt | violators | violators, targets | 300.000000 | |
| SMB Brute-force Attempt | violators | violators, targets, failed_logins, usernames | 900.000000 | Observed a possible SMB brute force attack from %{VIOLATORS} targeting SMB share %{TARGETS}. %{FAILED_LOGINS} failed logins observed including usernames: %{USERNAMES} |
| Source Equals Destination | violators | devices, violators | 900.000000 | Traffic with source and destination of %{VIOLATORS} was seen on %{DEVICES} |
| Stream Deactivated | stream | size, threshold | 900.000000 | The stream: %{STREAM} has breached its configured threshold: %{THRESHOLD} with total size: %{SIZE} and has been deactivated. |
| Stream Reactivated | stream | minutes, size, threshold | 900.000000 | The stream: %{STREAM} with total size: %{SIZE} below its configured threshold: %{THRESHOLD} has been reactivated after having been deactivated for: %{MINUTES} minutes. |
| Successful Administrator Privilege Gain | violators | violators, targets, devices, msg | 900.000000 | |
| Successful Credential Theft Detected | violators | violators, targets, devices, msg | 900.000000 | |
| Successful User Privilege Gain | violators | violators, targets, devices, msg | 900.000000 | |
| Suspicious Host Communication | violators | violators, targets, protocol_name | 300.000000 | Based on how these hosts and those around them normally communicate, the communication between %{VIOLATORS} and the host(s) %{TARGETS} on protocol %{PROTOCOL_NAME} is unexpected. Use the explore event traffic link to view these communications in detail. |
| Suspicious Host Communication | violators | violators, targets, protocol | 300.000000 | Based on how these hosts and those around them normally communicate, the communication between %{VIOLATORS} and the host(s) %{TARGETS} on protocol %{PROTOCOL} is unexpected. Use the explore event traffic link to view these communications in detail. |
| SYN IP Scan (External) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900.000000 | A SYN IP Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN IP Scan (Internal) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900.000000 | A SYN IP Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN Port Scan (External) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900.000000 | A SYN Port Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN Port Scan (Internal) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900.000000 | A SYN Port Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| System Capacity | vital_type | vital_type, value | 300.000000 | ML is using %{VALUE} percent of its %{VITAL_TYPE} capacity |
| Targeted Malicious Activity was Detected | violators | violators, targets, devices, msg | 900.000000 | |
| TCP Half-Open (External) | violators | devices, violators, targets, packets_per_port, scanned_port_count, pkt_thresh, port_thresh | 900.000000 | A possible SYN Half Open Attack by %{VIOLATORS} seen targeting %{TARGETS}. Port count of %{SCANNED_PORT_COUNT} exceeded the threshold of %{PORT_THRESH} and flows per port of %{PACKETS_PER_PORT} exceed the threshold of %{PKT_THRESH}. |
| TCP Half-Open (Internal) | violators | devices, violators, targets, packets_per_port, scanned_port_count, pkt_thresh, port_thresh | 900.000000 | A possible SYN Half Open Attack by %{VIOLATORS} seen targeting %{TARGETS}. Port count of %{SCANNED_PORT_COUNT} exceeded the threshold of %{PORT_THRESH} and flows per port of %{PACKETS_PER_PORT} exceed the threshold of %{PKT_THRESH}. |
| TCP Scan (External) | violators | devices, violators, port_count, dst_count | 900.000000 | A TCP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| TCP Scan (Internal) | violators | devices, violators, port_count, dst_count | 900.000000 | A TCP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| TLS Certificate Expiry | violators | days | 86400.000000 | TLS certificates on nodes: %{VIOLATORS} will expire in %{DAYS} days. Contact Plixer Support or see |
| Token Expiration | username, expires_on | username, expires_on, status | 86400.000000 | An authentication token for %{USERNAME} %{STATUS} on %{EXPIRES_ON} |
| Tunneling through external DNS host | violators | violators, targets, tunnel_type | 300.000000 | |
| Tunneling through external ICMP host | violators | violators, targets, tunnel_type | 300.000000 | |
| Tunneling through external SSH host | violators | violators, targets, tunnel_type | 300.000000 | |
| Tunneling through internal DNS host | violators | violators, targets, tunnel_type | 300.000000 | |
| Tunneling through internal ICMP host | violators | violators, targets, tunnel_type | 300.000000 | |
| Tunneling through internal SSH host | violators | violators, targets, tunnel_type | 300.000000 | |
| UDP Scan (External) | violators | devices, violators, dst_count, port_count | 900.000000 | A UDP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| UDP Scan (Internal) | violators | devices, violators, dst_count, port_count | 900.000000 | A UDP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| Unapproved Protocol | protocol | protocol_name, devices | 900.000000 | Unapproved network transport: %{PROTOCOL_NAME} was seen on: %{DEVICES} |
| Unsuccessful User Privilege Gain | violators | violators, targets, devices, msg | 900.000000 | |
| Web Application Attack | violators | violators, targets, devices, msg | 900.000000 | |
| Worm Activity | violators | violators | 300.000000 | |
| Xmas Scan (External) | violators | devices, violators | 900.000000 | An Xmas Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Xmas Scan (Internal) | violators | devices, violators | 900.000000 | An Xmas Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Zerologon | violators | violators, targets | 300.000000 | |
FA algorithm list#
The table below contains general information and recommended applications for all flow analytics algorithms available in Scrutinizer.
| Algorithm | Function | Recommended Flow Sources | Notes |
|---|---|---|---|
| Bogon Traffic | Alerts if traffic to or from an unallocated public IP space is detected | Edge routers and public IP addresses defined in IP groups | |
| BotNet Detection | Alerts when a large number of unique DNS name lookups have failed | FlowPro | Requires FlowPro |
| Breach Attempt Detection | Alerts when flow behaviors that may indicate a brute force password attack on an internal IP address are observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| DDoS Detection | Alerts when a Distributed Denial of Service (DDoS) attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP groups | |
| Denied Flows Firewall | Alerts when the number of denied flows from an internal to an external IP address exceeds the configured threshold | Internal/core routers | |
| DNS Command and Control Detection | Alerts when the volume or size of DNS TXT messages at the network perimeter exceeds the configured threshold | FlowPro | Requires FlowPro |
| DNS Data Leak Detection | Alerts when the volume or size of messages with suspicious DNS names exceeds the configured threshold | FlowPro | Requires FlowPro |
| DNS Hits | Alerts when a host initiates an excessive number of DNS queries | Internal/core routers | |
| DNS Server Detection | Alerts when a new DNS server is detected based on packet exchanges between clients and servers | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Requires FlowPro |
| Domain Reputation | Alerts when traffic associated with a suspicious domain (based on a list maintained by Plixer) is detected | FlowPro | Requires FlowPro |
| DRDoS Detection | Alerts when a Distributed Reflection Denial of Service attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP groups | |
| FIN Scan | Alerts when a FIN scan is detected | Internal/core routers and edge routers | |
| Flow Reports Thresholds | Alerts when a custom threshold configured for a saved report is exceeded | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Host Indexing | Monitors traffic to maintain an index of hosts seen on the network that includes additional details, such as conversation direction, throughput, and source (Exporter) | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Host Reputation | Monitors traffic to maintain a list of active, non-whitelisted Tor nodes | Edge routers and public IP addresses defined in IP groups | |
| Host Watchlist | Alerts when a host violating a user-defined IP address blacklist is detected | Edge routers and public IP addresses defined in IP groups | |
| ICMP Destination Unreachable | Alerts when a large number of ICMP Destination Unreachable messages are sent to a suspicious IP address | Internal/core routers | |
| ICMP Port Unreachable | Alerts when a large number of ICMP Port Unreachable messages are sent to a suspect IP address | Internal/core routers | |
| Incident Correlation | Alerts when multiple Indicator of Compromise (IOC) events for a single host are detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| IP Address Violations | Alerts when a flow containing a non-authorized IP address as the source or destination is received | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Requires authorized subnets to be defined |
| JA3 Fingerprinting | Alerts when software sending suspicious encrypted traffic based on TLS handshake data and known signatures is identified | FlowPro | Requires FlowPro |
| Large Ping | Alerts when an unusually large ICMP Echo Request (ping) is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Lateral Movement | Alerts when successful lateral movement is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Lateral Movement Attempt | Alerts when behavior that may indicate attempted lateral movement is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
Medianet Jitter Violations |
Alerts when jitter values reported by a Medianet flow exceed the configured threshold |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Multicast Violations |
Alerts when multicast traffic volume exceeds the configured threshold |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
NetFlow Domain Reputation |
Alerts when a DNS lookup from a blacklisted IP is reported via NetFlow |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
Blacklist is maintained on nba.plixer.com but cached locally |
Network Transports |
Alerts when traffic over unapproved transport protocols is observed |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
NULL Scan |
Alerts when a NULL scan is detected |
Internal/core routers and edge routers |
|
Odd TCP Flags Scan |
Alerts when a scan using unusual TCP flag combinations is detected |
Internal/core routers and edge routers |
|
P2P Detection |
Alerts when a P2P session with a host count exceeding the configured threshold is observed |
Internal/core routers and edge routers |
|
Packet Flood |
Alerts when a packet flood is detected |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Persistent Flow Risk |
Alerts when a persistent flow is detected |
Internal/core routers and edge routers |
|
Persistent Flow Risk - ASA |
Alerts when a persistent flow matching a specified 5-tuple is detected |
Internal/core routers and edge routers |
|
Ping Flood |
Alerts when a ping flood is detected |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Ping Scan |
Alerts when a host suspected of performing a ping scan is observed |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Protocol Misdirection |
Alerts when traffic not matching the port being used is detected |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Reverse SSH Shell |
Alerts when potential reverse SSH tunnels to external destinations are detected |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
RST/ACK Detection |
Alerts when the system observes a large number of TCP flows containing only RST and ACK flags being sent to the same destination |
Internal/core routers and edge routers |
|
Source Equals Destination |
Alerts when traffic with the same host and destination is observed |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
SYN Scan |
Alerts when a SYN scan is detected |
Internal/core routers and edge routers |
|
TCP Scan |
Alerts when a potential TCP scan is detected from an Exporter that does not provide TCP flag information |
Internal/core routers and edge routers |
|
Top Applications |
Monitors application traffic |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Top Autonomous Systems |
Monitors traffic to and from autonomous systems |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Top Countries |
Monitors traffic by country |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Top Hosts |
Monitors traffic by host |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
|
Top IP groups |
Monitors traffic by IP group |
Internal/core routers, edge routers, and public IP addresses defined in IP groups |
Requires at least one IP group to be defined |
UDP Scan |
Alerts when a potential UDP scan is detected |
Internal/core routers and edge routers |
|
XMAS Scan |
Alerts when a XMAS scan is detected |
Internal/core routers and edge routers |
Algorithm settings#
The table below lists the additional settings that can be used to tune behavior for individual FA algorithms.
| Algorithm Name | Setting | Description |
|---|---|---|
| Auto Investigate | Candidate Limit | The maximum number of Violator->Policy->Target links to review for correlation. |
| Auto Investigate | Chain Max | The maximum number of Violator->Policy->Target chains that will be considered for deduplication. |
| Auto Investigate | Length Limit | The maximum length of any chain of Violator->Policy->Target links. |
| BotNet Detection | Threshold | Number of unique No Existing Domain (NXDOMAIN) replies within a three-minute period to trigger alarm |
| DDoS Detection | DDoS Bytes Deviation | Maximum number of bytes allowed in a single standard deviation to trigger (default 10) |
| DDoS Detection | DDoS Packet Deviation | Maximum number of packets allowed in a single standard deviation to trigger (default 10) |
| DDoS Detection | DDoS Packets | Number of packets each source must have sent to be counted |
| DDoS Detection | DDoS Unique hosts | Minimum number of unique hosts participating in a DDoS attack |
| Denied Flows Firewall | Denied Threshold | The number of denied flows from a single host within a three-minute period to trigger an event |
| DNS Command and Control Detection | DNS Command and Control attempts | DNS Command and Control attempts within a three-minute period to trigger alarm |
| DNS Command and Control Detection | DNS Command and Control bytes | DNS Command and Control bytes within a three-minute period to trigger alarm |
| DNS Data Leak Detection | DNS Data Leak attempts | DNS Data Leak attempts within a three-minute period to trigger alarm |
| DNS Data Leak Detection | DNS Data Leak bytes | DNS Data Leak bytes within a three-minute period to trigger alarm |
| DNS Hits | Flow Threshold | The number of DNS requests within a three-minute period to trigger an event |
| DNS Server Detection | Flow threshold to trigger alarm | Number of properly formatted DNS request packets sent to the specified IP address to trigger alarm |
| DRDoS Detection | CharGen (UDP 19) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | DNS (UDP 53) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Flow Imbalance Threshold | How many inbound packets per outbound packet to trigger a DRDoS alarm |
| DRDoS Detection | LDAP (UDP 389) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Memcached (UDP 11211) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | NetBIOS Name Server (UDP 137) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | NTP (UDP 123) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Quote of the Day (UDP 17) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | RPC Portmap (UDP 111) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Sentinel (UDP 5093) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | SNMP (UDP 161,162) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | SSDP (UDP 1900) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| DRDoS Detection | Trivial File Transfer Protocol (UDP 69) | Enable/Disable Distributed Reflection DoS (DRDoS) Attack Detection |
| FIN Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| FIN Scan | Flow Threshold | The number of FIN flows from a single host within a three-minute period to trigger an event |
| FIN Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| FIN Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Host Indexing | Days of host index data retention | The host index entries last seen more than this many days ago will be trimmed. |
| Host Indexing | Host Index Database | File path of Host Index. *Background service must be restarted from CLI after update. Service will start clean in new location. |
| Host Indexing | Host Indexing Domain Socket | File path of Host Indexing Domain Socket |
| Host Indexing | Host Index Max Disk Space | Maximum combined disk space threshold for host indexing (in MB). Warning events sent at 75%, indexing temporarily suspended at 100% until record expiration frees space. |
| Host Indexing | Host Index Sync Interval Minutes | The sync interval in minutes for each index update |
| Host Indexing | Host-to-Host Index | Toggle Host-to-Host indexing |
| Host Indexing | Host-to-Host Index Database | File path of Host-to-Host Index. Leave blank to disable Host-to-Host indexing. *Background service must be restarted from CLI after update. Service will start clean in new location. |
| Host Indexing | Window Limit | The maximum number of records considered on each index update |
| Host Reputation | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Host Reputation | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| ICMP Destination Unreachable | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Destination Unreachable | Flow Threshold | The number of flows from a single host triggering an ICMP Destination Unreachable response within a three-minute period |
| ICMP Destination Unreachable | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| ICMP Destination Unreachable | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| ICMP Port Unreachable | Threshold | The number of flows from a single host triggering an ICMP Port Unreachable response within a three-minute period |
| IP Address Violations | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| Large Ping | Size Threshold | Average packet size threshold for determining a large ping packet. |
| Lateral Movement Attempt | Backdoor Threshold | Number of destination hosts on backdoor ports to trigger alert |
| Lateral Movement Attempt | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Lateral Movement Attempt | IOT Threshold | Number of destination hosts on IOT ports to trigger alert |
| Lateral Movement Attempt | Remote Access Threshold | Number of destination hosts on remote access ports to trigger alert |
| Lateral Movement Attempt | Windows Remote Access Threshold | Number of destination hosts on Windows remote access ports to trigger alert |
| Medianet Jitter Violations | Jitter by Interface | The millisecond variation in packet delay caused by queuing, contention and/or serialization effects on the path through the network. Default = 80 ms. This is also used for record highlighting in Status reports. |
| Multicast Violations | Threshold | Number of bytes (octets) within a three-minute period to trigger alarm |
| NULL Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| NULL Scan | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| NULL Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| NULL Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Odd TCP Flags Scan | Threshold | The number of flows from a single host with odd TCP flags within a three-minute period to trigger an event |
| P2P Detection | Threshold | Number of distinct destination IPs in a three-minute period to trigger alarm |
| Packet Flood | Packet Size Threshold | The maximum average packet size to be considered a flood packet |
| Packet Flood | Packet threshold | The number of packets that should be observed within a three-minute period to trigger an event |
| Persistent Flow Risk | Active Flow Threshold (hours) | How long a flow should be active before an alarm is triggered |
| Persistent Flow Risk | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Persistent Flow Risk | Inactive Flow Threshold (hours) | How long a flow should be inactive before it is no longer considered the same flow |
| Persistent Flow Risk | PCR Threshold | The ratio of traffic where 1 is a pure upload and -1 is a pure download. Set to 0 to disable |
| Persistent Flow Risk - ASA | Active Flow Threshold (hours) | How long a flow should be active before an alarm is triggered |
| Persistent Flow Risk - ASA | Aggregate Timeout | Aggregate similar alarms until there are no new alarms for over N minutes (default 2 hours = 120 minutes, zero to disable aggregation) |
| Persistent Flow Risk - ASA | Inactive Flow Threshold (hours) | How long a flow should be inactive before it is no longer considered the same flow |
| Persistent Flow Risk - ASA | PCR Threshold | The ratio of traffic where 1 is a pure upload and -1 is a pure download. Set to 0 to disable |
| Ping Flood | Ping Flood Threshold | Minimum number of pings from a host to a distinct destination in a minute that should trigger |
| Ping Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| Ping Scan | Ping Scan Host Threshold | Minimum number of distinct hosts that a violator must ping to trigger |
| Reverse SSH Shell | Packet Size Threshold | Maximum average packet size in the SSH session that should be considered for triggering the alert |
| Reverse SSH Shell | Reverse Shell Threshold | The maximum number of outbound bytes on an SSH connection that should be considered for triggering the alert |
| RST/ACK Detection | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| RST/ACK Detection | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| RST/ACK Detection | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| RST/ACK Detection | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Half-Open packet per port | The number of packets per dst port to be considered a half-open flood |
| SYN Scan | Half-Open port count | The number of distinct destination ports to be considered a half-open flood |
| SYN Scan | Host Scan Hosts | The number of distinct destination hosts to be considered a host scan |
| SYN Scan | Host Scan Ports | The number of distinct destination ports to be considered a host scan |
| SYN Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| SYN Scan | Port Scan Hosts | The number of distinct destination hosts to be considered a port scan |
| SYN Scan | Port Scan Ports | The number of distinct destination ports to be considered a port scan |
| TCP Scan | Destination Host Threshold | Number of distinct destination hosts to trigger alarm |
| TCP Scan | Destination Port Threshold | Number of distinct destination ports to trigger alarm |
| TCP Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| TCP Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| TCP Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Host threshold | The number of hosts scanned within a three-minute period that will trigger an event |
| UDP Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
| UDP Scan | Port threshold | The number of ports per host scanned within a three-minute period that will trigger an event |
| XMAS Scan | External to Internal | Enable/Disable Scan Detection in the direction indicated |
| XMAS Scan | Flow Threshold | The number of flows from a single host within a three-minute period to trigger an event |
| XMAS Scan | Internal to External | Enable/Disable Scan Detection in the direction indicated |
| XMAS Scan | Internal to Internal | Enable/Disable Scan Detection in the direction indicated |
Functional IDs#
The Scrutinizer system uses the following generic functional accounts/IDs to control access to the environment’s different components and their respective functions:
| System Component | Account/ID | Type | Access Level | Function |
|---|---|---|---|---|
| Operating system | | Interactive | Privileged | Provides root access to the Scrutinizer OS, with unrestricted shell, SSH, and console access |
| | | Interactive | Privileged | Primary user for the interactive |
| | | Non-interactive | Non-privileged | Used to manage remote database access between nodes, e.g. user/role access, load balancing, etc. |
| | | Non-interactive | Non-privileged | Used for database operations during deployment |
| | | Non-interactive | Non-privileged | Primary HTTP services user |
| Database | | Interactive | Privileged | Primary database role used by application processes for both local and remote access |
| | | Non-interactive | Non-privileged | Used for local database access during deployment, upgrades, and scheduled |
| Web interface | | Interactive | Non-privileged | Provides full access to web interface management functions |

- Interactive - can be used to grant a user all privileges inherent to the ID
- Non-interactive - reserved for internal use by the system and cannot be assigned to users
Access levels
| Feature | Privileged Access | Non-Privileged Access |
|---|---|---|
| Permissions | Elevated, can bypass security controls | Limited, for routine tasks only |
| Scope of Control | System-wide or extensive | Limited to user’s own files/space |
| Examples | System Administrator, Root User | Standard User, Guest User |
| Primary Goal | Administration and system management | Daily work and general use |
| Security Implication | High risk, prime target for attackers | Low risk, restricts potential damage |
| Best Practice | Used sparingly and for specific tasks | Default for most users |
User permissions#
The tables below list all features/permission sets and individual permissions that can be granted to users through user groups.
Alarms Administrator
| Permission | Description |
|---|---|
| Acknowledge Bulletin Board Event | Ability to acknowledge events on Alarms tab bulletin boards |
| Delete Alarms | Permission to permanently delete alarms |
Alarms User
| Permission | Description |
|---|---|
| Alarms Tab | Access the Alarms tab |
Dashboard Administrator
| Permission | Description |
|---|---|
| Dashboard Administrator | Manage all dashboards created by any user |
Dashboard User
| Permission | Description |
|---|---|
| Create Dashboards | Create new Dashboards |
| Dashboards Tab | Access the Dashboards tab |
Maps Administrator
| Permission | Description |
|---|---|
| Mapping Groups Configuration | Define and manage device groups for network mapping |
| Mapping Objects Configuration | Define custom map objects and manage object/group object properties |
Maps User
| Permission | Description |
|---|---|
| Maps Tab | Access the Maps tab |
Reporting Administrator
| Permission | Description |
|---|---|
| Application Groups | Define custom applications using IP address and port rules |
| AS Names Configuration | View autonomous system (AS) numbers/properties |
| Delete Reports | Ability to delete saved reports regardless of owner |
| FlowPro Administrator | Manage FlowPro configuration |
| Host Names Configuration | Define custom hostname-to-IP mappings and static subnet labels for reporting |
| Replicator Administrator | Manage Replicator configuration |
| TOS Configuration | Add custom labels for Type of Service (ToS) and Differentiated Services Code Point (DSCP) values in reports |
| Well-known Ports Configuration | Edit WKP Configuration |
Reporting Power User
| Permission | Description |
|---|---|
| Add/Edit Report Filters | Permission to update the filters used in Status Tab reports |
| Report Designer | Design custom report type configurations |
| Report Folders | Create and manage folders to organize saved reports |
| Save Reports | Ability to name and save flow reports |
| Scheduled Report Administrator | Set up and manage scheduled email report configurations |
| Schedule Emailed Reports | Schedule a saved report to be emailed on a regular basis |
Reporting User
| Permission | Description |
|---|---|
| AI User | Access Scrutinizer’s AI prompt |
| Replicator User | View Replicator summary data |
| Run Reports | Ability to run flow reports |
| Status Tab | Access the Status Tab |
System Administrator
| Permission | Description |
|---|---|
| Admin | Access Scrutinizer’s administrative functions |
| AI Settings | Configure AI Settings including AI server URL, API Key, and which model to use |
| Alarm Notifications | Configure alarm notifications |
| Alarm Settings | Configure global alarm message options and Flow Inactivity and Interface Threshold Violation alarm settings |
| ASA ACL Descriptions | Add/edit ASA firewall credentials for ACL description retrieval |
| Authentication Tokens | Add and manage user authentication tokens |
| Authentication Types | Manage external authentication types |
| AWS Configuration | AWS configuration |
| Change User Passwords | The ability to change the passwords of other users without needing their credentials |
| Collectors | Manage Scrutinizer collectors and ML Engines in the environment |
| Configure SMTP server settings for email notifications and reports | Configure the mailserver Scrutinizer will use to send reports and emails |
| Create Users | The ability to create new local Scrutinizer user accounts |
| Data History Settings | Set alarm and flow data history retention durations |
| Delete Users | The ability to delete local Scrutinizer user accounts |
| Enable/disable and configure third-party integrations for Explore > Exporters view | Create, edit, and delete third-party integration links |
| Endpoint Analytics | Configure and enable/disable Endpoint Analytics integration |
| Enforce Session Timeout | If the system preference for user activity timeout is set, members of user groups with this permission will be timed out of the UI according to that setting |
| Exporters | Manage and add protocol exclusions to flow-exporting devices in the environment |
| Flow Analytics Configuration | Configure Flow Analytics thresholds and settings |
| Flow Analytics Exclusions | Configure Flow Analytics exclusions |
| Flow Analytics Settings | Configure global settings and enable/disable FlowPro Defender for FA algorithms |
| Flow Log Ingestion | Third-party Flow Log source configuration |
| Google Maps Proxy Server Settings | Configure proxy server settings for Google Maps requests |
| Host Indexing | Host Indexing settings |
| Interface Details Configuration | Edit device interface details |
| IP Groups Configuration | Define rule-based IP range/subnet groups for reporting |
| LDAP Server Configuration | Manage LDAP server configuration used for Scrutinizer authentication |
| MAC Addresses Configuration | Add and manage custom MAC address labels |
| Notification Manager | Create and manage profiles to assign notification actions by alarm policy |
| Policy Manager | Reconfigure, enable/disable, and assign notification profiles to alarm policies |
| Protocol Exclusions | Define protocol exclusion rules for reporting |
| RADIUS Server Configuration | Manage RADIUS server configuration used for Scrutinizer authentication |
| Replicator | Configure and enable/disable Replicator integration |
| Reporting Configuration | Customize Scrutinizer reporting engine functions |
| Scrutinizer Audit Report | View logs of Scrutinizer user actions |
| Scrutinizer Language Configuration | Create and edit language localization settings |
| Scrutinizer Product Licensing | Add a Scrutinizer license key and view license details |
| Scrutinizer System Preferences | Configure general Scrutinizer environment preferences/settings |
| ServiceNow | Configure and manage ServiceNow instances for incident/ticket generation via notifications and collections |
| Single Sign-On Configuration | Add, Delete, and Edit Identity Provider configuration for Scrutinizer’s Single Sign-On Integration |
| SNMP Credentials | Manage SNMP credential sets for polling exporters in the environment |
| STIX-TAXII | Add and manage STIX-TAXII threat intelligence feeds |
| Syslog Server Settings | Syslog server configuration |
| TACACS+ Server Configuration | Manage TACACS+ server configuration used for Scrutinizer authentication |
| User Accounts | Manage user accounts and preferences |
| User Groups | Set up local user groups and manage access to features and resources |
| View User Identity Information | View identity and access information relevant to GDPR restrictions |
| Viptela Settings | Viptela Settings |
| Vitals Report | View the Scrutinizer server vitals reports |
Required ports#
Refer to the tables below to configure firewall rules when deploying Scrutinizer and other Plixer One components.
Note
For more information on configuring/defining custom firewall rules, refer to these instructions.
Scrutinizer
Source Component |
Destination Component |
Protocol |
Port |
Reason |
|---|---|---|---|---|
All |
NTP |
UDP |
123 |
Time Sync |
All |
DNS Server(s) |
UDP |
53 |
DNS |
DNS Server(s) |
All |
UDP |
53 |
DNS |
Exporters |
Scrutinizer Collector |
UDP |
2055,2056,4432,4739,9995,9996,6343 |
Flow Telemetry |
Exporters |
Scrutinizer Collector |
UDP |
161 |
SNMP Polling |
AD Users Server |
Active Directory Server(s) |
TCP |
135 |
RPC Call for Username Collection |
AD Users Server |
Scrutinizer Collector |
UDP |
2055 |
Flow Telemetry |
NTP Server |
All |
UDP |
123 |
Time Sync |
Scrutinizer Collector |
Scrutinizer Reporter |
TCP |
22,80,443,5432,6432 |
Intraplatform Comms |
Scrutinizer Collector |
ML |
TCP |
22,30404,32000-32002,30323 |
Intraplatform Comms |
Scrutinizer Collector |
Exporters |
ICMP |
N/A |
Up/Down Status Checks |
Scrutinizer Collector |
AWS S3 Bucket |
TCP |
443 |
AWS VPC Flow Log Integration |
Scrutinizer Collector |
Azure Storage Account |
TCP |
443 |
Azure Flow Log Integration |
Scrutinizer Collector |
Viptela IP |
TCP |
8443 |
Viptela Integration |
Scrutinizer Collector |
Exporters |
UDP |
161 |
SNMP Polling |
Scrutinizer Reporter |
Scrutinizer Collector |
TCP |
22,80,443,5432,6432 |
Intraplatform Comms |
Scrutinizer Reporter |
ML |
TCP |
22,30404,32000-32002,30323,31111 |
Intraplatform Comms |
Scrutinizer Reporter |
Mail Server |
TCP |
25,587 |
Mail Notifications |
Scrutinizer Reporterr |
SIEM |
UDP |
514 |
Syslog/CEF Notifications |
Scrutinizer Reporter |
TCP |
443 |
Signature Updates |
|
Scrutinizer Reporter |
LDAP Server |
TCP |
636 |
User Authentication |
Scrutinizer Reporter |
RADIUS Server |
TCP |
1645,1812 |
User Authentication |
Scrutinizer Reporter |
TACACS+ Server |
TCP |
49 |
User Authentication |
User |
Scrutinizer Reporter |
TCP |
443 |
Web UI Access (Setup and Usage) |
User |
Scrutinizer Reporter |
TCP |
22 |
CLI Access (Setup and Administration) |
User |
Scrutinizer Collector |
TCP |
22 |
CLI Access (Setup and Administration) |
User |
ML Engine |
TCP |
22 |
CLI Access (Setup and Administration) |
User |
ML Engine |
TCP |
31112 |
Kibana Access (Optional for Admins) |
User |
ML Engine |
TCP |
30880 |
Grafana Access (Optional for Admins) |
User |
ML Engine |
TCP/UDP |
53 |
Advanced DNS Monitoring |
User |
ML Engine |
TCP |
80 |
Advanced DNS Monitoring Landing Page for Blocked Sites |
Plixer ML Engine
Source Component |
Destination Component |
Protocol |
Port |
Reason |
|---|---|---|---|---|
Plixer ML Engine |
Scrutinizer reporter |
TCP |
22 |
Kafka streaming configuration via SSH |
Plixer ML Engine |
Scrutinizer reporter |
TCP |
443 |
Scrutinizer reporting API access |
Plixer ML Engine |
Scrutinizer reporter |
TCP |
5432 |
PostgreSQL database access |
User |
Plixer ML Engine |
TCP |
22 |
SSH access |
All |
Plixer ML Engine |
TCP |
30888 |
ML engine API access |
All |
Plixer ML Engine |
TCP |
31111 |
Elasticsearch HTTPS endpoint access |
User |
Plixer ML Engine |
TCP |
31112 |
Kibana web interface (if enabled) access |
All |
Kafka bootstrap server |
TCP |
30323 |
Cluster layout discovery |
All |
Kafka brokers |
TCP |
32000, 32001, 32002, etc. (one port per replica; default: 3) |
Communication with broker endpoints |
All |
Plixer ML Engine |
UDP & TCP |
53 (forwarded to 30053 by cluster load balancer on AWS/Azure) |
Safe DNS service (if enabled) |
All |
Plixer ML Engine |
TCP |
443 (forwarded to 30443 by cluster load balancer on AWS/Azure) |
Safe DNS HTTPS landing page (if Safe DNS is enabled and HTTPS is configured) |
All |
Plixer ML Engine |
TCP |
80 (forwarded to 30080 by cluster load balancer on AWS/Azure) |
Safe DNS HTTP landing page for blocked domains (if Safe DNS is enabled) |
Replicator

| Source Component | Destination Component | Protocol | Port | Reason |
|---|---|---|---|---|
| Exporters | Replicator | UDP | 2055, 2056, 4432, 4739, 9995, 9996, 6343 | Flow Telemetry |
| AD Users Server | Replicator | UDP | 2055 | Flow Telemetry |
| Replicator | LDAP Server | TCP | 636 | User Authentication |
| Replicator | Scrutinizer Collector | UDP | 2055 | Flow Telemetry |
| Scrutinizer Reporter | Replicator | TCP | 22, 443 | Intraplatform Comms |
| User | Replicator | TCP | 443 | Web UI Access (Setup and Usage) |
| User | Replicator | TCP | 22 | CLI Access (Setup and Administration) |
FlowPro

| Source Component | Destination Component | Protocol | Port | Reason |
|---|---|---|---|---|
| FlowPro | Flow Collector | UDP | 2055 | Flow Telemetry |
| FlowPro | Replicator | UDP | 2055 | Flow Telemetry |
| FlowPro |  | TCP | 443 | Signature Updates |
| User | FlowPro Sensor | TCP | 22 | CLI Access (Setup and Administration) |
Endpoint Analytics

| Source Component | Destination Component | Protocol | Port | Reason |
|---|---|---|---|---|
| All Endpoints | Endpoint Analytics | UDP | 67 | DHCP Helper |
| Endpoint Analytics | Exporters | UDP | 161 | SNMP Polling |
| Endpoint Analytics | SIEM | UDP | 514 | Syslog Event Notifications |
| Endpoint Analytics | Active Directory Server(s) | TCP | 389, 636 | LDAP(S) query |
| Endpoint Analytics |  | TCP | 443 | Signature Updates |
| Endpoint Analytics | Tenable IP | TCP | 443 | API Integration |
| Endpoint Analytics | MS Defender | TCP | 443 | API Integration |
| Exporters | Endpoint Analytics | UDP | 162 | SNMP Traps |
| Exporters | Endpoint Analytics | UDP | 161 | SNMP Polling |
| RADIUS Server(s) | Endpoint Analytics | UDP | 1813 | RADIUS Accounting |
| Scrutinizer Reporter | Endpoint Analytics | TCP | 443 | API Calls |
| User | Endpoint Analytics | TCP | 443 | Web UI Access (Setup and Usage) |
| User | Endpoint Analytics | TCP | 22 | CLI Access (Setup and Administration) |
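The component matrices above are, in effect, a least-privilege allowlist: anything not listed should be dropped, and a flow that does not map to a row is worth a look. The script below is an added example, not Plixer's code. It transcribes the Plixer ML Engine table into rules, expands the per-replica Kafka broker ports, audits a set of constructed observed flows against the matrix, and renders inbound nftables accept lines for one component. The role names used for observed flows, the `node_port` field (modelling the AWS/Azure load-balancer forwarding noted in the Port column) and `SAMPLE_FLOWS` are assumptions made for illustration.

```python
"""Allowlist audit for the Plixer ML Engine port matrix.

Added example, not Plixer's code: the Rule entries are transcribed from the
"Plixer ML Engine" table above; the role names for observed flows, the
node_port field and SAMPLE_FLOWS are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = "All"  # the table's wildcard source


@dataclass(frozen=True)
class Rule:
    src: str                         # source component, or "All"
    dst: str                         # destination component
    proto: str                       # "tcp" or "udp"
    port: int                        # port the client connects to
    reason: str
    node_port: Optional[int] = None  # backend port when the AWS/Azure load balancer forwards


def kafka_broker_rules(replicas: int = 3) -> List[Rule]:
    """One broker port per replica starting at 32000 (32000-32002 for the default of 3)."""
    return [Rule(ANY, "Kafka brokers", "tcp", 32000 + i, "Communication with broker endpoints")
            for i in range(replicas)]


def ml_engine_rules(kafka_replicas: int = 3) -> List[Rule]:
    """The matrix from the table above, with the per-replica broker ports expanded."""
    fixed = [
        Rule("Plixer ML Engine", "Scrutinizer reporter", "tcp", 22, "Kafka streaming configuration via SSH"),
        Rule("Plixer ML Engine", "Scrutinizer reporter", "tcp", 443, "Scrutinizer reporting API access"),
        Rule("Plixer ML Engine", "Scrutinizer reporter", "tcp", 5432, "PostgreSQL database access"),
        Rule("User", "Plixer ML Engine", "tcp", 22, "SSH access"),
        Rule(ANY, "Plixer ML Engine", "tcp", 30888, "ML engine API access"),
        Rule(ANY, "Plixer ML Engine", "tcp", 31111, "Elasticsearch HTTPS endpoint access"),
        Rule("User", "Plixer ML Engine", "tcp", 31112, "Kibana web interface (if enabled) access"),
        Rule(ANY, "Kafka bootstrap server", "tcp", 30323, "Cluster layout discovery"),
        Rule(ANY, "Plixer ML Engine", "udp", 53, "Safe DNS service (if enabled)", node_port=30053),
        Rule(ANY, "Plixer ML Engine", "tcp", 53, "Safe DNS service (if enabled)", node_port=30053),
        Rule(ANY, "Plixer ML Engine", "tcp", 443, "Safe DNS HTTPS landing page", node_port=30443),
        Rule(ANY, "Plixer ML Engine", "tcp", 80, "Safe DNS HTTP landing page for blocked domains", node_port=30080),
    ]
    return fixed + kafka_broker_rules(kafka_replicas)


def match(rules: Iterable[Rule], src: str, dst: str, proto: str, port: int,
          cloud: bool = False) -> Optional[Rule]:
    """Return the rule permitting (src, dst, proto, port), or None if the matrix has no such row.

    cloud=True means the flow was observed on the cluster node behind the load
    balancer, where the forwarded node port (30053, 30443, 30080) is what arrives.
    """
    for r in rules:
        if r.src not in (ANY, src) or r.dst != dst or r.proto != proto.lower():
            continue
        expected = r.node_port if (cloud and r.node_port) else r.port
        if expected == port:
            return r
    return None


def audit(rules: Iterable[Rule], flows: Iterable[Tuple[str, str, str, int]],
          cloud: bool = False) -> List[Tuple[str, str, str, int]]:
    """Return the observed flows that no rule permits; these are what to investigate or block."""
    rules = list(rules)
    return [f for f in flows if match(rules, *f, cloud=cloud) is None]


def nft_allowlist(rules: Iterable[Rule], dst: str, cloud: bool = False) -> List[str]:
    """Render inbound nftables accept rules for one component; the chain's drop policy handles the rest."""
    lines = []
    for r in rules:
        if r.dst != dst:
            continue
        port = r.node_port if (cloud and r.node_port) else r.port
        lines.append(f'{r.proto} dport {port} accept comment "{r.src} -> {dst}: {r.reason}"')
    return lines


# Constructed sample of observed flows: (source role, destination role, protocol, port).
SAMPLE_FLOWS = [
    ("Plixer ML Engine", "Scrutinizer reporter", "tcp", 5432),  # PostgreSQL, in the matrix
    ("Plixer ML Engine", "Scrutinizer reporter", "tcp", 3306),  # not in the matrix
    ("Workstation", "Kafka brokers", "tcp", 32002),             # third broker replica, allowed
    ("Workstation", "Kafka brokers", "tcp", 32003),             # a fourth broker port is not provisioned
    ("Workstation", "Plixer ML Engine", "tcp", 22),             # SSH is listed for "User", not "All"
]

if __name__ == "__main__":
    rules = ml_engine_rules()
    for flow in audit(rules, SAMPLE_FLOWS):
        print("not in matrix:", flow)
    print("\n".join(nft_allowlist(rules, "Plixer ML Engine", cloud=True)))
```

Two details of the matrix drive the design: rows whose source is User (SSH on 22, Kibana on 31112) are narrower than rows whose source is All (the ML engine API on 30888, Elasticsearch on 31111), so the audit keys on the source role rather than treating every row as open to everyone; and on AWS/Azure a host-level rule on the cluster node must admit the forwarded node port (30053, 30443, 30080) rather than the published port, which is why both `audit` and `nft_allowlist` take a `cloud` flag.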
Report types#
The tables below list all Scrutinizer report types and their data aggregation parameters by report type category.
Amazon AWS
Report |
Description |
|---|---|
Action |
A grouping of Action trending Flows, Packets, Bytes. Information Elements: aws_action, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Action with Interface |
A grouping of Action, Interface trending Flows, Packets, Bytes. Information Elements: aws_action, aws_interface, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Action with Interface and Dst |
A grouping of Destination, Action, Interface trending Flows, Packets, Bytes. Information Elements: destinationipaddress, aws_action, aws_interface, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Action with Interface and Src |
A grouping of Source, Action, Interface trending Flows, Packets, Bytes. Information Elements: sourceipaddress, aws_action, aws_interface, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Availability Zones |
A grouping of Availability Zone trending Flows, Packets, Bytes. Information Elements: aws_az_id, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Dst Service |
A grouping of Destination Service trending Flows, Packets, Bytes. Information Elements: aws_pkt_destination_service, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Interface |
A grouping of Interface trending Flows, Packets, Bytes. Information Elements: aws_interface, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Pair Interface |
A grouping of Source, Interface, Destination trending Flows, Packets, Bytes. Information Elements: sourceipaddress, aws_interface, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Pair Interface Action |
A grouping of Source, Interface, Action, Destination trending Flows, Packets, Bytes. Information Elements: sourceipaddress, aws_interface, aws_action, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Src Service |
A grouping of Source Service trending Flows, Packets, Bytes. Information Elements: aws_pkt_source_service, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Src Service-Dst Service |
A grouping of Source Service, Destination Service trending Flows, Packets, Bytes. Information Elements: aws_pkt_source_service, aws_pkt_destination_service, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Traffic Path |
A grouping of Path trending Flows, Packets, Bytes. Information Elements: aws_traffic_path, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
VPCs |
A grouping of VPC trending Flows, Packets, Bytes. Information Elements: aws_vpc_id, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
AppFlow
Report |
Description |
|---|---|
Application |
A grouping of Application trending Count, Packets, Bytes. Information Elements: appflow_applicationid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Application RTT |
A grouping of Application, Destination trending Packets, Bytes, RTT. Information Elements: appflow_applicationid, destinationipaddress, octetdeltacount, packetdeltacount, tcprtt. |
Connections |
A grouping of Src Port, Source, Connection, Destination, Dst Port trending RTT, Count, Packets, Bytes. Information Elements: sourcetransportport, sourceipaddress, connectionid, destinationipaddress, destinationtransportport, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount, tcprtt. |
HTTP Request Cookie |
A grouping of Transaction ID, HTTP Request Cookie trending Flow Count, Bytes. Information Elements: transactionid, httprequestcookie, octetdeltacount, plixeraggregatedrecordcount. |
HTTP Response Length |
A grouping of Source, Src Port, Destination, Dst Port trending Count, Avg. Length. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, httpresponselen, plixeraggregatedrecordcount. |
HTTP Response Time to First Byte |
A grouping of Source, Src Port, Destination, Dst Port trending Count, Avg. Time. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, httpresponsetimetofirstbyte, plixeraggregatedrecordcount. |
HTTP Response Time to Last Byte |
A grouping of Source, Src Port, Destination, Dst Port trending Count, Avg. Time. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, httpresponsetimetolastbyte, plixeraggregatedrecordcount. |
HTTP Status |
A grouping of HTTP Status Code, Source, Src Port, Destination, Dst Port trending Count, Bytes. Information Elements: httpresponsestatus, sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, octetdeltacount, plixeraggregatedrecordcount. |
Request Host |
A grouping of HTTP Request Host trending Count, Packets, Bytes. Information Elements: httprequesthost, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Request URL |
A grouping of Request URL trending Count, Packets, Bytes. Information Elements: httprequesturl, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Syslog Message Flow Count |
A grouping of syslogPriority, Syslog Message trending Flow Count. Information Elements: syslogpriority, syslogmessage, plixeraggregatedrecordcount. |
Astaro
Report |
Description |
|---|---|
afcprotocol Conversations |
A grouping of Source, afcprotocol, Destination trending Packets, Bytes. Information Elements: sourceipaddress, afcprotocol, destinationipaddress, octetdeltacount, packetdeltacount. |
Top afcprotocol |
A grouping of afcprotocol trending Packets, Bytes. Information Elements: afcprotocol, octetdeltacount, packetdeltacount. |
Azure
Report |
Description |
|---|---|
Azure NSG All Details |
A grouping of Rule Name, Application, Flow Decision, Flow State trending Packets, Bytes, Count. Information Elements: nsg_rulename, applicationid, nsg_flowdecision, nsg_flowstate, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure NSG Flow Decisions |
A grouping of Flow Decision, Application trending Packets, Bytes, Count. Information Elements: nsg_flowdecision, applicationid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure NSG Flow Decisions Count |
A grouping of Flow Decision trending Packets, Bytes, Count. Information Elements: nsg_flowdecision, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure NSG Flow States |
A grouping of Flow State, Application trending Packets, Bytes, Count. Information Elements: nsg_flowstate, applicationid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure NSG Flow States Count |
A grouping of Flow State trending Packets, Bytes, Count. Information Elements: nsg_flowstate, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure NSG Resource IDs |
A grouping of Resource ID, Rule Name trending Packets, Bytes, Count. Information Elements: nsg_resourceid, nsg_rulename, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure VNET All Details |
A grouping of Rule Name, Application, Flow State trending Packets, Bytes, Count. Information Elements: vnet_rulename, applicationid, vnet_flowstate, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure VNET Flow States |
A grouping of Flow State, Application trending Packets, Bytes, Count. Information Elements: vnet_flowstate, applicationid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure VNET Flow States Count |
A grouping of Flow State trending Packets, Bytes, Count. Information Elements: vnet_flowstate, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Azure VNET Resource IDs |
A grouping of Target Resource ID, Rule Name trending Packets, Bytes, Count. Information Elements: vnet_targetresourceid, vnet_rulename, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Barracuda
Report |
Description |
|---|---|
Bind and Conn |
A grouping of Bind IP, Bind Port, Conn IP, Conn Port trending Flows, Bytes. Information Elements: bindipv4address, bindtransportport, connipv4address, conntransportport, octetdeltacount, plixeraggregatedrecordcount. |
FW Rule |
A grouping of FW Rule trending Flows, Packets, Bytes. Information Elements: fwrule, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Logop |
A grouping of Logop trending Flows, Packets, Bytes. Information Elements: logop, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Pair with Rule and Reason |
A grouping of Source IP, Destination IP, FW Rule, Reason trending Flows, Bytes. Information Elements: sourceipaddress, destinationipaddress, fwrule, reasontext, octetdeltacount, plixeraggregatedrecordcount. |
Pair with Rule, Reason, Service & Traffic |
A grouping of Source IP, Destination IP, FW Rule, Reason, Service, Traffic Type trending Flows, Bytes. Information Elements: sourceipaddress, destinationipaddress, fwrule, reasontext, servicename, traffictype, octetdeltacount, plixeraggregatedrecordcount. |
Reason |
A grouping of Reason trending Flows, Packets, Bytes. Information Elements: reasontext, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Rule, Reason, Service, Traffic & Logop |
A grouping of FW Rule, Reason, Service, Traffic Type, Logop trending Flows, Bytes. Information Elements: fwrule, reasontext, servicename, traffictype, logop, octetdeltacount, plixeraggregatedrecordcount. |
Service |
A grouping of Service trending Flows, Packets, Bytes. Information Elements: servicename, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Source, Bind, Conn, & Destination |
A grouping of Source IP, Bind IP, Conn IP, Destination IP trending Flows, Bytes. Information Elements: sourceipaddress, bindipv4address, connipv4address, destinationipaddress, octetdeltacount, plixeraggregatedrecordcount. |
Traffic Type |
A grouping of Traffic Type trending Flows, Packets, Bytes. Information Elements: traffictype, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Chassis
Report |
Description |
|---|---|
Line Card |
A grouping of Line Card trending Pkts, Bytes. Information Elements: linecardid, octetdeltacount, packetdeltacount. |
Line Card Port |
A grouping of Interface, Line Card, Port trending Pkts, Bytes. Information Elements: exportinterface, linecardid, portid, octetdeltacount, packetdeltacount. |
Cisco AnyConnect
Report |
Description |
|---|---|
Dest Host IP & Name |
A grouping of Destination, Dst Host Name trending Flows, Bytes In. Information Elements: destinationipaddress, nvzflowdestinationhostname, octetdeltacount, plixeraggregatedrecordcount. |
DNS suffix |
A grouping of DNS Suffix trending Flows, Bytes In. Information Elements: nvzflowdnssuffix, octetdeltacount, plixeraggregatedrecordcount. |
Loggedin Source |
A grouping of Logged User, Source trending Bytes, Flows. Information Elements: nvzflowloggedinuser, sourceipaddress, octetdeltacount, plixeraggregatedrecordcount. |
Loggedin Source & DNS |
A grouping of Logged User, Source, DNS Suffix trending Flows, Bytes. Information Elements: nvzflowloggedinuser, sourceipaddress, nvzflowdnssuffix, octetdeltacount, plixeraggregatedrecordcount. |
Pair with Host Details |
A grouping of Logged User, Source, Destination, Dst Host Name trending Flows, Bytes. Information Elements: nvzflowloggedinuser, sourceipaddress, destinationipaddress, nvzflowdestinationhostname, octetdeltacount, plixeraggregatedrecordcount. |
Parent Process Details |
A grouping of Parent Proc. Acct., Parent Proc. Name, Parent Proc. Hash trending Flows, Bytes. Information Elements: nvzflowparentprocessaccount, nvzflowparentprocessname, nvzflowparentprocesshash, octetdeltacount, plixeraggregatedrecordcount. |
Process Details |
A grouping of Process Name, Process Hash trending Flows, Bytes. Information Elements: nvzflowprocessname, nvzflowprocesshash, octetdeltacount, plixeraggregatedrecordcount. |
Process to Host |
A grouping of Parent Proc. Acct., Destination trending Flows, Bytes In. Information Elements: nvzflowparentprocessaccount, nvzflowdestinationhostname, octetdeltacount, plixeraggregatedrecordcount. |
Source with Process |
A grouping of Source, Logged User, Process Name, System Type trending Flows, Bytes. Information Elements: sourceipaddress, nvzflowloggedinuser, nvzflowprocessname, nvzflowsystemtype, octetdeltacount, plixeraggregatedrecordcount. |
Station Name & Dst IP |
A grouping of STA Name, Destination trending Flows, Bytes In. Information Elements: nvz_manu_virtual_station_name, destinationipaddress, octetdeltacount, plixeraggregatedrecordcount. |
Station Name & Manufacturer |
A grouping of STA Name, Manufacturer trending Flows, Bytes. Information Elements: nvz_manu_virtual_station_name, nvz_manu_system_manufacturer, octetdeltacount, plixeraggregatedrecordcount. |
Station Name & Process |
A grouping of STA Name, Process Account trending Flows, Bytes In. Information Elements: nvz_manu_virtual_station_name, nvz_manu_process_account, octetdeltacount, plixeraggregatedrecordcount. |
Station Name & Src IP |
A grouping of STA Name, Source trending Flows, Bytes In. Information Elements: nvz_manu_virtual_station_name, sourceipaddress, octetdeltacount, plixeraggregatedrecordcount. |
Station Name & User |
A grouping of STA Name, User trending Flows, Bytes In. Information Elements: nvz_manu_virtual_station_name, nvzflowloggedinuser, octetdeltacount, plixeraggregatedrecordcount. |
Top Domains |
A grouping of Dst Host Name trending Flows, Bytes In. Information Elements: nvzflowdestinationhostname, octetdeltacount, plixeraggregatedrecordcount. |
Top Manufacturers |
A grouping of Manufacturers trending Flows, Bytes In. Information Elements: nvz_manu_system_manufacturer, octetdeltacount, plixeraggregatedrecordcount. |
Top OSs |
A grouping of OS Name trending Flows, Bytes In. Information Elements: nvz_manu_os_name, octetdeltacount, plixeraggregatedrecordcount. |
Top OS / Version |
A grouping of OS Name, OS Version trending Flows, Bytes In. Information Elements: nvz_manu_os_name, nvz_manu_os_version, octetdeltacount, plixeraggregatedrecordcount. |
Top Processes |
A grouping of Process trending Flows, Bytes In. Information Elements: nvzflowprocessname, octetdeltacount, plixeraggregatedrecordcount. |
Top Stations |
A grouping of STA Name trending Flows, Bytes In. Information Elements: nvz_manu_virtual_station_name, octetdeltacount, plixeraggregatedrecordcount. |
Top Users |
A grouping of User trending Flows, Bytes In. Information Elements: nvzflowloggedinuser, octetdeltacount, plixeraggregatedrecordcount. |
Cisco AVC
Report |
Description |
|---|---|
EzPM: Host Jitter by SSRC (Dst) |
A grouping of Destination, DSCP, SSRC trending % Pkt Loss, TEPL, Jitter. Information Elements: destinationipaddress, ipdiffservcodepoint, trans_rtp_ssrc, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Host Jitter by SSRC (Src) |
A grouping of Source, DSCP, SSRC trending % Pkt Loss, TEPL, Jitter. Information Elements: sourceipaddress, ipdiffservcodepoint, trans_rtp_ssrc, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Host Jitter (Dst) |
A grouping of Destination, DSCP trending % Pkt Loss, TEPL, Jitter. Information Elements: destinationipaddress, ipdiffservcodepoint, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Host Jitter (Src) |
A grouping of Source, DSCP trending % Pkt Loss, TEPL, Jitter. Information Elements: sourceipaddress, ipdiffservcodepoint, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Host to Host Jitter |
A grouping of Source, DSCP, Destination trending % Pkt Loss, TEPL, Max Jitter, Jitter. Information Elements: sourceipaddress, ipdiffservcodepoint, destinationipaddress, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Host to Host Jitter by SSRC |
A grouping of Source, DSCP, Destination, SSRC trending % Pkt Loss, TEPL, Jitter. Information Elements: sourceipaddress, ipdiffservcodepoint, destinationipaddress, trans_rtp_ssrc, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Jitter by Interface |
A grouping of Exporter, in Int trending % Pkt Loss, Jitter. Information Elements: plixerexporter, ingressinterface, ciscopktlostpercent, rtp_jitter_mean_sum. |
EzPM: Metadata Jitter |
A grouping of Application trending % Pkt Loss, TEPL, Jitter. Information Elements: applicationtag, ciscopktlostpercent, rtp_jitter_mean_sum, trans_pkt_lost_count. |
EzPM: Metadata Jitter by DSCP |
A grouping of Application, DSCP trending % |
Cisco CTS
Report |
Description |
|---|---|
ctsDestination Group |
A grouping of ctsdestinationgrouptag trending Packets, Bytes. Information Elements: ctsdestinationgrouptag, octetdeltacount, packetdeltacount. |
ctsGroups Connections |
A grouping of src Port, Group Tag, ctsdestinationgrouptag, dst Port trending Packets, Bytes. Information Elements: sourcetransportport, ctssourcegrouptag, ctsdestinationgrouptag, destinationtransportport, octetdeltacount, packetdeltacount. |
ctsGroups Conversations |
A grouping of Group Tag, Well Known, ctsdestinationgrouptag, Rate trending Packets, Bytes. Information Elements: ctssourcegrouptag, commonport, ctsdestinationgrouptag, rate, octetdeltacount, packetdeltacount. |
ctsGroups Grouped Flows |
A grouping of src Port, Group Tag, Type Of Service, ctsdestinationgrouptag, dst Port trending Packets, Bytes. Information Elements: sourcetransportport, ctssourcegrouptag, ipclassofservice, ctsdestinationgrouptag, destinationtransportport, octetdeltacount, packetdeltacount. |
ctsSource Group |
A grouping of Group Tag trending Packets, Bytes. Information Elements: ctssourcegrouptag, octetdeltacount, packetdeltacount. |
ctsSrcGrp to ctsDstGrp |
A grouping of Group Tag, ctsdestinationgrouptag trending Packets, Bytes. Information Elements: ctssourcegrouptag, ctsdestinationgrouptag, octetdeltacount, packetdeltacount. |
Cisco FW
Report |
Description |
|---|---|
ACL to ACL |
A grouping of Ingress ACL, Egress ACL trending Flows. Information Elements: nf_f_ingress_acl_id, nf_f_egress_acl_id, plixeraggregatedrecordcount. |
Egress ACL |
A grouping of Egress ACL trending Flows. Information Elements: nf_f_egress_acl_id, plixeraggregatedrecordcount. |
Ingress ACL |
A grouping of Ingress ACL trending Flows. Information Elements: nf_f_ingress_acl_id, plixeraggregatedrecordcount. |
Cisco HSL
Report |
Description |
|---|---|
Classes |
A grouping of Class, Packets trending Bytes. Information Elements: classid, packetdeltacount, octetdeltacount. |
Destination-Event |
A grouping of Destination, Firewall Event, Extended Event Code, Zone Pair trending Flows. Information Elements: destinationipaddress, firewallevent, fw_ext_event, zonepair_id, plixeraggregatedrecordcount. |
Host to Host Events |
A grouping of Source, Destination, Firewall Event, Extended Event Code, Zone Pair trending Flows. Information Elements: sourceipaddress, destinationipaddress, firewallevent, fw_ext_event, zonepair_id, plixeraggregatedrecordcount. |
Host to Host Events by VRF |
A grouping of In VRF, Source, Destination, Out VRF, Firewall Event, Extended Event Code trending Flows. Information Elements: ingressvrfid, sourceipaddress, destinationipaddress, egressvrfid, firewallevent, fw_ext_event, plixeraggregatedrecordcount. |
Host to Host with Zone and Class |
A grouping of Source, Class, Zone Pair, Destination trending Bytes. Information Elements: sourceipaddress, classid, zonepair_id, destinationipaddress, octetdeltacount. |
Source-Event |
A grouping of Source, Firewall Event, Extended Event Code, Zone Pair trending Flows. Information Elements: sourceipaddress, firewallevent, fw_ext_event, zonepair_id, plixeraggregatedrecordcount. |
Zone Pair |
A grouping of Zone Pair trending Bytes. Information Elements: zonepair_id, octetdeltacount. |
Zone Pair and Class |
A grouping of Zone Pair, Class trending Bytes. Information Elements: zonepair_id, classid, octetdeltacount. |
Zone Pair Volume |
A grouping of Zone Pair trending Flows. Information Elements: zonepair_id, plixeraggregatedrecordcount. |
Cisco IWAN
Report |
Description |
|---|---|
IWAN Bandwidth Usage |
A grouping of Source Site, Path Tag ID, Interface Description trending BW In, Speed In, BW Out, Speed Out. Information Elements: source_site_id, path_tag_id, interfacedescription, egress_bw, ingress_bw, maxof_egress_bw, maxof_ingress_bw. |
IWAN Route Changes |
A grouping of Site, BR, Path Tag ID, IWAN Circuit trending Routes Changed. Information Elements: source_site_id, ipv4_br_addr, path_tag_id, interfacedescription, plixeraggregatedrecordcount. |
IWAN Site to Site Bandwidth |
A grouping of BR Router, Src Site, Dst Site, Dst Prefix, Interface ID trending Packets, Avg Bits. Information Elements: ipv4_br_addr, source_site_id, destination_site_id, destination_site_prefix, egressinterface, octetdeltacount, packetdeltacount. |
IWAN Traffic Control Alerts |
A grouping of Source Site, Destination Site, Interface Description, Interface ID, BR Addr, Path Tag ID, Status trending One way delay, AVG Jitter, PKT Loss, Bytes Lost. Information Elements: source_site_id, destination_site_id, interfacedescription, egressinterface, ipv4_br_addr, path_tag_id, oer_unreach, one_way_delay, rtp_jitter_inter_arrival_mean, trans_pkt_lost_rate, trns_cnt_bytes_lost_rate. |
Cisco SLT
Report |
Description |
|---|---|
Event |
A grouping of l2l3switchevent trending Count, Packets, Bytes. Information Elements: l2l3switchevent, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Event-Extevent |
A grouping of l2l3switchevent, l2l3switchextevent trending Count, Packets, Bytes. Information Elements: l2l3switchevent, l2l3switchextevent, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Int |
A grouping of Exporter, ingressphysicalinterface trending Count, Packets, Bytes. Information Elements: plixerexporter, ingressphysicalinterface, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Int-Vlan-Event |
A grouping of Exporter, ingressphysicalinterface, vlanid, l2l3switchevent trending Count, Packets, Bytes. Information Elements: plixerexporter, ingressphysicalinterface, vlanid, l2l3switchevent, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Vlan |
A grouping of Exporter, vlanid trending Count, Packets, Bytes. Information Elements: plixerexporter, vlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Cisco VQM
Report |
Description |
|---|---|
Connections eMOS |
A grouping of Source, Src Port, Destination, Dest Port trending Frame Rate, eMOS Score. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, videoemosscore, vqmframerate. |
Connections eMOS Detail |
A grouping of Source, Src Port, Destination, Dest Port trending Frame Rate, eMOS Pkt Lost, eMOS Compression, eMOS Score. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, videoemosscore, vqmemoscompressionbitstream, vqmemospacketlostbitstream, vqmframerate. |
Destination eMOS |
A grouping of Destination trending Frame Rate, eMOS Score. Information Elements: destinationipaddress, videoemosscore, vqmframerate. |
Destination eMOS Detail |
A grouping of Destination trending Frame Rate, eMOS Pkt Lost, eMOS Compression, eMOS Score. Information Elements: destinationipaddress, videoemosscore, vqmemoscompressionbitstream, vqmemospacketlostbitstream, vqmframerate. |
Host to Host eMOS |
A grouping of Source, Destination trending Frame Rate, eMOS Score. Information Elements: sourceipaddress, destinationipaddress, videoemosscore, vqmframerate. |
Host to Host eMOS Detail |
A grouping of Source, Destination trending Frame Rate, eMOS Pkt Lost, eMOS Compression, eMOS Score. Information Elements: sourceipaddress, destinationipaddress, videoemosscore, vqmemoscompressionbitstream, vqmemospacketlostbitstream, vqmframerate. |
Source eMOS |
A grouping of Source trending Frame Rate, eMOS Score. Information Elements: sourceipaddress, videoemosscore, vqmframerate. |
Source eMOS Detail |
A grouping of Source trending Frame Rate, eMOS Pkt Lost, eMOS Compression, eMOS Score. Information Elements: sourceipaddress, videoemosscore, vqmemoscompressionbitstream, vqmemospacketlostbitstream, vqmframerate. |
Client Server
Report |
Description |
|---|---|
Client |
A grouping of Client IP trending sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_client_ip, plxr_client_bytes, plxr_server_bytes. |
Client Apps |
A grouping of Client IP, Application ID trending sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_client_ip, applicationid, plxr_client_bytes, plxr_server_bytes. |
Client Server |
A grouping of Client IP, Server IP trending sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_client_ip, plxr_server_ip, plxr_client_bytes, plxr_server_bytes. |
Client Server Apps |
A grouping of Client IP, Application ID, Server IP trending Client, Server. Information Elements: plxr_client_ip, applicationid, plxr_server_ip, plxr_client_bytes, plxr_server_bytes. |
Client Server Apps Flags |
A grouping of Client IP, Application ID, Server IP trending TCP Flags, Client, Server. Information Elements: plxr_client_ip, applicationid, plxr_server_ip, plxr_client_bytes, plxr_server_bytes, tcpcontrolbits. |
Client Server Flags |
A grouping of Client IP, Server IP trending TCP Flags, sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_client_ip, plxr_server_ip, plxr_client_bytes, plxr_server_bytes, tcpcontrolbits. |
Server |
A grouping of Server IP trending sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_server_ip, plxr_client_bytes, plxr_server_bytes. |
Server Apps |
A grouping of Server IP, Application ID trending sum_plxr_client_bytes, sum_plxr_server_bytes. Information Elements: plxr_server_ip, applicationid, plxr_client_bytes, plxr_server_bytes. |
Counts
Report |
Description |
|---|---|
Clients |
A grouping of Client trending Flows. Information Elements: clientipv4address, plixeraggregatedrecordcount. |
Destination |
A grouping of Destination trending Flows. Information Elements: destinationipaddress, plixeraggregatedrecordcount. |
Initiator Group with Dst Port |
A grouping of Source IP Group, Well Known Port, Destination IP Group, Destination Port trending Packets, Bytes, Flows. Information Elements: srcipgroup, commonport, dstipgroup, destinationtransportport, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Internal External Destinations |
A grouping of Destination trending Unique Hosts. Information Elements: dstinternal, destinationipaddress. |
Internal External Pairs |
A grouping of Source, Destination trending Unique Srcs, Unique Dsts. Information Elements: srcinternal, dstinternal, destinationipaddress, sourceipaddress. |
Internal External Sources |
A grouping of Source trending Unique Hosts. Information Elements: srcinternal, sourceipaddress. |
Pairs |
A grouping of Source, Destination trending Flows. Information Elements: sourceipaddress, destinationipaddress, plixeraggregatedrecordcount. |
Pair Source post NAT |
A grouping of Source, Src Post NAT, Destination trending Flows. Information Elements: sourceipaddress, postnatsourceipv4address, destinationipaddress, plixeraggregatedrecordcount. |
Pair Source post NAT and NAP |
A grouping of Source, Src Post NAT, Src Port, Src NAP Port, Dst Port, Destination trending Flows. Information Elements: sourceipaddress, postnatsourceipv4address, sourcetransportport, postnaptsourcetransportport, destinationtransportport, destinationipaddress, plixeraggregatedrecordcount. |
Protocol |
A grouping of Protocol trending Flows. Information Elements: protocolidentifier, plixeraggregatedrecordcount. |
Servers |
A grouping of Server trending Flows. Information Elements: serveripv4address, plixeraggregatedrecordcount. |
Source |
A grouping of Source trending Flows. Information Elements: sourceipaddress, plixeraggregatedrecordcount. |
VRFID with NAT and Src |
A grouping of In VRFID, NAT Event, NAT Pool Name, Source trending Flows. Information Elements: ingressvrfid, natevent, natpoolname, sourceipaddress, plixeraggregatedrecordcount. |
Well Known Port |
A grouping of Well Known trending Flows. Information Elements: commonport, plixeraggregatedrecordcount. |
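Each entry in these tables reads "a grouping of X trending Y" followed by the information elements involved: the grouping elements are the report's key columns, and the trended ones are either metrics summed per group (Flows, Packets, Bytes) or hosts counted distinct per group (Unique Hosts, Unique Srcs, Unique Dsts). The following added example, not Plixer's code, reproduces four of the Counts reports above from constructed IPFIX-style flow records so the mapping from element list to aggregation is concrete. `INTERNAL_NETS`, deriving `srcinternal`/`dstinternal` from those ranges, and counting each raw record as one `plixeraggregatedrecordcount` are assumptions made for illustration.

```python
"""Reproduce "grouping of X trending Y" Counts reports from raw flow records.

Added example, not Plixer's code. Report definitions follow the Counts table
above; SAMPLE_FLOWS is constructed data; INTERNAL_NETS and the derivation of
srcinternal/dstinternal/plixeraggregatedrecordcount are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the address space that counts as "internal" for srcinternal/dstinternal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# "group" are the grouping elements, "sum" the trended totals,
# "distinct" the elements behind the "Unique ..." columns.
REPORTS = {
    "Pairs": {"group": ["sourceipaddress", "destinationipaddress"],
              "sum": ["plixeraggregatedrecordcount"]},
    "Protocol": {"group": ["protocolidentifier"],
                 "sum": ["plixeraggregatedrecordcount"]},
    "Internal External Destinations": {"group": ["dstinternal"],
                                       "distinct": ["destinationipaddress"]},
    "Internal External Pairs": {"group": ["srcinternal", "dstinternal"],
                                "distinct": ["sourceipaddress", "destinationipaddress"]},
}


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def enrich(record: dict) -> dict:
    """Derive the collector-side elements a raw flow record lacks (assumed derivation)."""
    out = dict(record)
    out["srcinternal"] = is_internal(record["sourceipaddress"])
    out["dstinternal"] = is_internal(record["destinationipaddress"])
    out.setdefault("plixeraggregatedrecordcount", 1)  # one raw record counts as one flow
    return out


def run_report(name: str, records) -> dict:
    """Group records by the report's key elements; sum metrics, count distinct hosts."""
    spec = REPORTS[name]
    sums = defaultdict(lambda: defaultdict(int))
    distinct = defaultdict(lambda: defaultdict(set))
    for rec in map(enrich, records):
        key = tuple(rec[e] for e in spec["group"])
        for m in spec.get("sum", []):
            sums[key][m] += rec[m]
        for m in spec.get("distinct", []):
            distinct[key][m].add(rec[m])
    result = {}
    for key in set(sums) | set(distinct):
        row = dict(sums[key])
        row.update({f"unique_{m}": len(hosts) for m, hosts in distinct[key].items()})
        result[key] = row
    return result


def top(report: dict, metric: str, n: int = 10) -> list:
    """Top-N rows of a report by one trended metric, as (key, row) pairs."""
    return sorted(report.items(), key=lambda kv: kv[1][metric], reverse=True)[:n]


# Constructed sample flow records using IPFIX-style element names.
SAMPLE_FLOWS = [
    {"sourceipaddress": "10.1.1.5", "destinationipaddress": "10.2.2.9", "protocolidentifier": 6,
     "octetdeltacount": 1200, "packetdeltacount": 9},
    {"sourceipaddress": "10.1.1.5", "destinationipaddress": "10.2.2.9", "protocolidentifier": 6,
     "octetdeltacount": 800, "packetdeltacount": 6},
    {"sourceipaddress": "10.1.1.5", "destinationipaddress": "203.0.113.7", "protocolidentifier": 6,
     "octetdeltacount": 4500, "packetdeltacount": 12},
    {"sourceipaddress": "10.1.1.8", "destinationipaddress": "203.0.113.7", "protocolidentifier": 17,
     "octetdeltacount": 300, "packetdeltacount": 2},
    {"sourceipaddress": "10.1.1.8", "destinationipaddress": "198.51.100.3", "protocolidentifier": 6,
     "octetdeltacount": 9000, "packetdeltacount": 40},
]

if __name__ == "__main__":
    for name in REPORTS:
        print(name)
        for key, row in top(run_report(name, SAMPLE_FLOWS), next(iter(run_report(name, SAMPLE_FLOWS).values()))and list(run_report(name, SAMPLE_FLOWS).values())[0].keys().__iter__().__next__()):
            print("  ", key, row)
```

The `Internal External` reports are the ones worth noting: their trended values are distinct counts, not sums, so a single noisy host cannot inflate them, which is why they are the better baseline for "how many outside hosts did our internal hosts talk to" than a flow-count report.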
Destination Reports
| Report | Description |
|---|---|
| Autonomous System by IP | A grouping of Destination AS trending Packets, Bytes. Information Elements: dstipas, octetdeltacount, packetdeltacount. |
| Autonomous System by Tag | A grouping of Dst AS trending Packets, Bytes. Information Elements: bgpdestinationasnumber, octetdeltacount, packetdeltacount. |
| Autonomous System by Tag (Peer) | A grouping of bgpnextadjacentasnumber trending Packets, Bytes. Information Elements: bgpnextadjacentasnumber, octetdeltacount, packetdeltacount. |
| Countries | A grouping of Destination Country trending Packets, Bytes. Information Elements: dstcountry, octetdeltacount, packetdeltacount. |
| Countries with AS | A grouping of Dest Country, Dest AS, Hosts (Dst) trending Flows, Packets, Bytes. Information Elements: dstcountry, dstipas, sourceipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Customer VLAN | A grouping of postdot1qcustomervlanid trending Flows, Packets, Bytes. Information Elements: postdot1qcustomervlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Destination w/Flags | A grouping of Destination IP Address, tcpcontrolbits trending Packets, Bytes, Flows. Information Elements: destinationipaddress, tcpcontrolbits, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Dest. IP Groups | A grouping of Destination IP Group trending Packets, Bytes. Information Elements: dstipgroup, octetdeltacount, packetdeltacount. |
| dot1q VLAN | A grouping of postdot1qvlanid trending Flows, Packets, Bytes. Information Elements: postdot1qvlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Dst IP - Src AS | A grouping of Exporter, Destination IP Address, Src AS trending Packets, Bytes. Information Elements: plixerexporter, destinationipaddress, bgpsourceasnumber, octetdeltacount, packetdeltacount. |
| Host Flows | A grouping of Destination trending Hosts (Source), Packets, Flows. Information Elements: destinationipaddress, packetdeltacount, plixeraggregatedrecordcount, sourceipaddress. |
| Hosts | A grouping of Destination trending Packets, Bytes. Information Elements: destinationipaddress, octetdeltacount, packetdeltacount. |
| ICMP | A grouping of Destination, Code, Type trending Count. Information Elements: destinationipaddress, icmpcodeipv4, icmptypeipv4, plixeraggregatedrecordcount. |
| L2 Octets | A grouping of Destination trending Packets, L2 Octets. Information Elements: destinationipaddress, layer2octetdeltacount, packetdeltacount. |
| MAC | A grouping of Destination MAC trending Flows, Packets, Bytes. Information Elements: destinationmacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| MAC L2 | A grouping of Destination MAC trending Packets, L2 Octets. Information Elements: destinationmacaddress, layer2octetdeltacount, packetdeltacount. |
| MAC Sum of Sq | A grouping of Destination MAC trending Packets, Sum of Sq. Octets. Information Elements: destinationmacaddress, octetdeltasumofsquares, packetdeltacount. |
| Post MAC | A grouping of Post Dst Mac trending Count, Packets, Bytes. Information Elements: postdestinationmacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Rev 2nd lvl Domains | A grouping of Dst Rev 2nd lvl Domain trending Packets, Bytes. Information Elements: dstdomain, octetdeltacount, packetdeltacount. |
| Subnets | A grouping of Dst Subnet trending Packets, Bytes. Information Elements: dstnetwork, octetdeltacount, packetdeltacount. |
| Sum Of Sq. Octets | A grouping of Destination trending Packets, Sum of Sq. Octets. Information Elements: destinationipaddress, octetdeltasumofsquares, packetdeltacount. |
| User Name by IP | A grouping of Destination, User Name(s) trending Packets, Bytes. Information Elements: destinationipaddress, dstipname, octetdeltacount, packetdeltacount. |
| Vendor By MAC | A grouping of Destination Vendor trending Devices, Flows, Packets, Bytes. Information Elements: dst_vendor_by_mac, destinationmacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| VLAN | A grouping of postvlanid trending Flows, Packets, Bytes. Information Elements: postvlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Exinda
| Report | Description |
|---|---|
| Application - App Group | A grouping of Exporter, Application, GROUP, TRAFFIC_CLASS trending Avg Srv Del, RTT, NULL. Information Elements: plixerexporter, applicationtag, ex_app_group_name, ex_traffic_class, ex_rtt, ex_server_delay, octetdeltacount. |
| Application Detail | A grouping of Application trending Avg. AQS, Packets, NULL. Information Elements: applicationtag, ex_aqs, octetdeltacount, packetdeltacount. |
| Application Group | A grouping of Exporter, GROUP, TRAFFIC_CLASS trending Avg Srv Del, RTT, NULL. Information Elements: plixerexporter, ex_app_group_name, ex_traffic_class, ex_rtt, ex_server_delay, octetdeltacount. |
| Application Performances | A grouping of Application trending Avg. AQS, Bytes Lost, Nwk. Delay, Srv. Delay, RTT. Information Elements: applicationtag, ex_aqs, ex_bytes_lost, ex_net_delay, ex_rtt, ex_server_delay. |
| Destination User | A grouping of Exporter, dst_user trending Packets, NULL. Information Elements: plixerexporter, ex_user_id_dst, octetdeltacount, packetdeltacount. |
| Extra Info | A grouping of Exporter, EXTRA_INFO_ID, TRAFFIC_CLASS trending Bytes Lost, Avg Srv Del, RTT, NULL. Information Elements: plixerexporter, ex_extra_info_id, ex_traffic_class, ex_bytes_lost, ex_rtt, ex_server_delay, octetdeltacount. |
| Pair by Policy | A grouping of Exporter, Source, Destination, Policy trending Packets, NULL. Information Elements: plixerexporter, sourceipaddress, destinationipaddress, ex_policy_id, octetdeltacount, packetdeltacount. |
| Pair Latency | A grouping of Source, Destination, TRAFFIC_CLASS trending Avg Srv Del, RTT, NULL. Information Elements: sourceipaddress, destinationipaddress, ex_traffic_class, ex_rtt, ex_server_delay, octetdeltacount. |
| Pair, Ports and Latency | A grouping of Source, Src Port, Dst Port, Destination trending Avg Srv Del, RTT, NULL. Information Elements: sourceipaddress, sourcetransportport, destinationtransportport, destinationipaddress, ex_rtt, ex_server_delay, octetdeltacount. |
| Pair VoIP Details | A grouping of Source, Destination, TRAFFIC_CLASS trending Avg. mos, Avg. Refactor, Jitter, NULL. Information Elements: sourceipaddress, destinationipaddress, ex_traffic_class, ex_net_jitter, ex_voip_mos, ex_voip_rfactor, octetdeltacount. |
| Policies | A grouping of Exporter, ex_policy_id, TRAFFIC_CLASS trending Bytes Lost, Avg Srv Del, RTT, NULL. Information Elements: plixerexporter, ex_policy_id, ex_traffic_class, ex_bytes_lost, ex_rtt, ex_server_delay, octetdeltacount. |
| Source Latency | A grouping of Source, TRAFFIC_CLASS trending Bytes Lost, Avg Srv Del, RTT, NULL. Information Elements: sourceipaddress, ex_traffic_class, ex_bytes_lost, ex_rtt, ex_server_delay, octetdeltacount. |
| Source User | A grouping of Exporter, src_user trending Packets, NULL. Information Elements: plixerexporter, ex_user_id_src, octetdeltacount, packetdeltacount. |
| Source User and Latency | A grouping of Exporter, Source, Src. User, TRAFFIC_CLASS trending Avg Srv Del, RTT, NULL. Information Elements: plixerexporter, sourceipaddress, ex_user_id_src, ex_traffic_class, ex_rtt, ex_server_delay, octetdeltacount. |
| Source VoIP Details | A grouping of Source, TRAFFIC_CLASS trending Avg. mos, Avg. Refactor, Jitter, NULL. Information Elements: sourceipaddress, ex_traffic_class, ex_net_jitter, ex_voip_mos, ex_voip_rfactor, octetdeltacount. |
| User to User | A grouping of Exporter, src_user, dst_user trending Packets, NULL. Information Elements: plixerexporter, ex_user_id_src, ex_user_id_dst, octetdeltacount, packetdeltacount. |
| VOIP Performances | A grouping of Source, Destination trending Avg. mos, Avg. Refactor, Jitter. Information Elements: sourceipaddress, destinationipaddress, ex_net_jitter, ex_voip_mos, ex_voip_rfactor. |
FirePOWER
| Report | Description |
|---|---|
| App Internet HTTP Host | A grouping of Application, FS App, HTTP Host trending Flows, Bytes. Information Elements: applicationname, firesight_application, firesight_http_host, octetdeltacount, plixeraggregatedrecordcount. |
| Application E-Zone & Sub Type | A grouping of Application, FS App, Egress Zone, Event Subtype, Event Type trending Flows. Information Elements: applicationname, firesight_application, firesight_egress_zone, firesight_event_subtype, firesight_event_type, plixeraggregatedrecordcount. |
| Application I-Zone & Sub Type | A grouping of Application, FS App, Ingress Zone, Event Subtype, Event Type trending Flows. Information Elements: applicationname, firesight_application, firesight_ingress_zone, firesight_event_subtype, firesight_event_type, plixeraggregatedrecordcount. |
| Firewall List | A grouping of Firewall trending Flows, Packets, Bytes. Information Elements: firesight_sensor_ipv6, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Ingress and Egress Zones | A grouping of Ingress Zone, Egress Zone, Event Type trending Flows. Information Elements: firesight_ingress_zone, firesight_egress_zone, firesight_event_type, plixeraggregatedrecordcount. |
| User App HTTP Host | A grouping of Source IP, Username, Application, FS App, HTTP Host trending Flows, Bytes. Information Elements: sourceipaddress, username, applicationname, firesight_application, firesight_http_host, octetdeltacount, plixeraggregatedrecordcount. |
| User App HTTP URL | A grouping of Source IP, Username, Application, FS App, FS URL trending Flows. Information Elements: sourceipaddress, username, applicationname, firesight_application, firesight_http_url, plixeraggregatedrecordcount. |
| User Application | A grouping of Source IP, Username, Application, FS App trending Flows, Bytes. Information Elements: sourceipaddress, username, applicationname, firesight_application, octetdeltacount, plixeraggregatedrecordcount. |
| Web App and Source IP | A grouping of Web Application, Application, Source IP trending Flows, Packets, Bytes. Information Elements: firesight_web_application, applicationname, sourceipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Web App & CoS | A grouping of Web Application, CoS trending Flows, Packets, Bytes. Information Elements: firesight_web_application, ipclassofservice, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Web App Event & Rule Details | A grouping of Web Application, Event Subtype, Event Type, Rule Action, Rule Reason trending Flows. Information Elements: firesight_web_application, firesight_event_subtype, firesight_event_type, firesight_rule_action, firesight_rule_reason, plixeraggregatedrecordcount. |
Firewall Events
| Report | Description |
|---|---|
| Destination-Event | A grouping of Destination, Firewall Event trending Flows. Information Elements: destinationipaddress, firewallevent, plixeraggregatedrecordcount. |
| Destination-Event-Ext | A grouping of Destination, Firewall Event, Extended Event trending Flows. Information Elements: destinationipaddress, firewallevent, nf_f_fw_ext_event, plixeraggregatedrecordcount. |
| Event-Ext-ACL | A grouping of Firewall Event, Extended Event, Ingress ACL, Egress ACL trending Flows. Information Elements: firewallevent, nf_f_fw_ext_event, nf_f_ingress_acl_id, nf_f_egress_acl_id, plixeraggregatedrecordcount. |
| Firewall Events | A grouping of Firewall Event trending Count. Information Elements: firewallevent, plixeraggregatedrecordcount. |
| Firewall Events by Host | A grouping of Source, Firewall Event trending Count. Information Elements: sourceipaddress, firewallevent, plixeraggregatedrecordcount. |
| Firewall Events Ext | A grouping of FW Event Ext trending Flows. Information Elements: fw_ext_event, plixeraggregatedrecordcount. |
| Pairs-Event | A grouping of Source, Destination, Firewall Event trending Flows. Information Elements: sourceipaddress, destinationipaddress, firewallevent, plixeraggregatedrecordcount. |
| Pairs-Event Ext | A grouping of Source, Destination, FW Event Ext trending Flows. Information Elements: sourceipaddress, destinationipaddress, fw_ext_event, plixeraggregatedrecordcount. |
| Pairs-Event-Ext | A grouping of Source, Destination, Firewall Event, Extended Event trending Flows. Information Elements: sourceipaddress, destinationipaddress, firewallevent, nf_f_fw_ext_event, plixeraggregatedrecordcount. |
| Protocol-Event | A grouping of Protocol, Firewall Event trending Flows. Information Elements: protocolidentifier, firewallevent, plixeraggregatedrecordcount. |
| Protocol-Event-Ext | A grouping of Protocol, Firewall Event, Extended Event trending Flows. Information Elements: protocolidentifier, firewallevent, nf_f_fw_ext_event, plixeraggregatedrecordcount. |
| Source-Event | A grouping of Source, Firewall Event trending Flows. Information Elements: sourceipaddress, firewallevent, plixeraggregatedrecordcount. |
| Source-Event Ext | A grouping of Source, FW Event Ext trending Flows. Information Elements: sourceipaddress, fw_ext_event, plixeraggregatedrecordcount. |
| Source-Event-Ext | A grouping of Source, Firewall Event, Extended Event trending Flows. Information Elements: sourceipaddress, firewallevent, nf_f_fw_ext_event, plixeraggregatedrecordcount. |
| Users-Event | A grouping of Username, Firewall Event trending Flows, Bytes. Information Elements: username, firewallevent, octetdeltacount, plixeraggregatedrecordcount. |
| Users-Event-Ext | A grouping of Username, Firewall Event, Extended Event trending Flows, Bytes. Information Elements: username, firewallevent, nf_f_fw_ext_event, octetdeltacount, plixeraggregatedrecordcount. |
| WKP-Event | A grouping of Well Known, Firewall Event trending Flows. Information Elements: commonport, firewallevent, plixeraggregatedrecordcount. |
| WKP-Event-Ext | A grouping of Well Known, Firewall Event, Extended Event trending Flows. Information Elements: commonport, firewallevent, nf_f_fw_ext_event, plixeraggregatedrecordcount. |
FlowPro APM Reports
| Report | Description |
|---|---|
| Application Latency | A grouping of L7 App trending Client, Server, Appl. Information Elements: l7_proto_name, appl_latency_ms, client_nw_delay_ms, server_nw_delay_ms. |
| App Priority & Latency | A grouping of L7 App, Priority trending Client, Server, Appl. Information Elements: l7_proto_name, ipclassofservice, appl_latency_ms, client_nw_delay_ms, server_nw_delay_ms. |
| Defined Application Latency | A grouping of Application trending Appl, Client, Server, Packets, Bytes. Information Elements: applicationid, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Host Jitter | A grouping of Source trending Pkt Loss, Jitter, Packets, Bytes. Information Elements: sourceipaddress, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost. |
| Host Jitter By SSRC (Dst) | A grouping of Destination, SSRC, Codec trending Pkt Loss, Jitter, Packets, Bytes. Information Elements: destinationipaddress, rtp_ssrc, rtp_out_payload_type, octetdeltacount, packetdeltacount, rtp_out_jitter, rtp_out_pkt_lost. |
| Host Jitter By SSRC (Src) | A grouping of Source, SSRC, Codec trending Pkt Loss, Jitter, Packets, Bytes. Information Elements: sourceipaddress, rtp_ssrc, rtp_in_payload_type, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost. |
| Hosts Latency (Dst) | A grouping of Destination trending Appl, Client, Server, Packets, Bytes. Information Elements: destinationipaddress, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Hosts Latency (Src) | A grouping of Source trending Appl, Client, Server, Packets, Bytes. Information Elements: sourceipaddress, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Host to Host Jitter All by SSRC | A grouping of Source, Src Payload, SSRC, Destination, Dst Payload trending Src Pkt Loss, Src Jitter, Dst Pkt Loss, Dst Jitter, Packets, Bytes. Information Elements: sourceipaddress, rtp_in_payload_type, rtp_ssrc, destinationipaddress, rtp_out_payload_type, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost, rtp_out_jitter, rtp_out_pkt_lost. |
| Host to Host Jitter By SSRC/Codec | A grouping of Source, Destination, SSRC, Codec trending Pkt Loss, Jitter, Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, rtp_ssrc, rtp_in_payload_type, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost. |
| Host to Host Jitter By SSRC/ToS | A grouping of Source, Destination, SSRC, Type Of Service trending Pkt Loss, Jitter, Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, rtp_ssrc, ipclassofservice, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost. |
| Host to Host Latency | A grouping of Source, Destination trending Appl, Client, Server, Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Initiator to Responder | A grouping of sip_calling_party, sip_called_party, Codec trending Jitter, Pkt Loss, Packets, Bytes. Information Elements: sip_calling_party, sip_called_party, rtp_in_payload_type, octetdeltacount, packetdeltacount, rtp_in_jitter, rtp_in_pkt_lost. |
| OOO by Application | A grouping of Application trending Out of Order, RTX, Packets, Octets. Information Elements: applicationid, octetdeltacount, ooorder_in_pkts, packetdeltacount, retransmitted_out_pkts. |
| OOO Host to Host | A grouping of Source, Destination trending Out of Order, Retransmitted, Packets, Octets. Information Elements: sourceipaddress, destinationipaddress, octetdeltacount, ooorder_in_pkts, packetdeltacount, retransmitted_out_pkts. |
| Re-transmission By Application | A grouping of Application trending RTX IN, RTX OUT, Packets, Octets. Information Elements: applicationid, octetdeltacount, packetdeltacount, retransmitted_in_pkts, retransmitted_out_pkts. |
| Re-transmission Host to Host | A grouping of Source, Destination trending RTX IN, RTX OUT, Packets, Octets. Information Elements: sourceipaddress, destinationipaddress, octetdeltacount, packetdeltacount, retransmitted_in_pkts, retransmitted_out_pkts. |
| Subnet Latency (Dst) | A grouping of Dst Subnet trending Appl, Client, Server, Packets, Bytes. Information Elements: dstnetwork, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Subnet Latency (Src) | A grouping of Src Subnet trending Appl, Client, Server, Packets, Bytes. Information Elements: srcnetwork, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Subnet to Subnet Latency | A grouping of Src Subnet, Dst Subnet trending Appl, Client, Server, Packets, Bytes. Information Elements: srcnetwork, dstnetwork, appl_latency_ms, client_nw_delay_ms, octetdeltacount, packetdeltacount, server_nw_delay_ms. |
| Top Applications | A grouping of L7 App trending Packets, Bytes. Information Elements: l7_proto_name, octetdeltacount, packetdeltacount. |
| Top URLs | A grouping of http_url trending Flows, Packets, Bytes. Information Elements: http_url, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
FlowPro Defender Reports
| Report | Description |
|---|---|
| Alert > All Details | A grouping of Category, Signature, Source, Destination trending Observation Count. Information Elements: nids_category, nids_signature, sourceipaddress, destinationipaddress, plixeraggregatedrecordcount. |
| Alert > Category | A grouping of Category trending Observation Count. Information Elements: nids_category, plixeraggregatedrecordcount. |
| Alert > Category & Signature | A grouping of Category, Signature trending Observation Count. Information Elements: nids_category, nids_signature, plixeraggregatedrecordcount. |
| DNS > Auth | A grouping of Auth Rname trending Observation Count. Information Elements: dns_soa_rname, plixeraggregatedrecordcount. |
| DNS Client Latency | A grouping of Client trending DNS Requests, Latency. Information Elements: dnsnxclientipv4address, dnsresolvetime, plixeraggregatedrecordcount. |
| DNS Client / Server Latency | A grouping of Client, Responding DNS Svr trending DNS Requests, Latency. Information Elements: dnsnxclientipv4address, dnsnxserveripv4address, dnsresolvetime, plixeraggregatedrecordcount. |
| DNS Domain Reputation | A grouping of Source, QName, Resolved Address, DNS Server, Threat Category trending Count. Information Elements: sourceipaddress, dnsname, dnsresolvedipv4address, dnsnxserveripv4address, reputationcategoryid, plixeraggregatedrecordcount. |
| DNS Exfiltration | A grouping of Source, Destination, QName, DNS Text trending Length, Count. Information Elements: sourceipaddress, destinationipaddress, dnsname, dnstext, dnstextlength, plixeraggregatedrecordcount. |
| DNS Query Refused | A grouping of Client, DNS Server, FQDN trending Lookup Time. Information Elements: dnsnxclientipv4address, dnsnxserveripv4address, dnsname, flowstartseconds. |
| DNS > RCodes | A grouping of Rcode trending Observation Count. Information Elements: dnsrcode, plixeraggregatedrecordcount. |
| DNS Request Latency | A grouping of Client, QName, Resolved to, Responding DNS Svr trending Latency. Information Elements: dnsnxclientipv4address, dnsname, dnsresolvedipv4address, dnsnxserveripv4address, dnsresolvetime. |
| DNS > Requests | A grouping of Request trending Observation Count. Information Elements: dns_rrname, plixeraggregatedrecordcount. |
| DNS Request Timeout | A grouping of Client, DNS Query Name trending Count. Information Elements: dnsnxclientipv4address, dnsname, plixeraggregatedrecordcount. |
| DNS Server Failure | A grouping of Client, DNS Server, FQDN trending Lookup Time. Information Elements: dnsnxclientipv4address, dnsnxserveripv4address, dnsname, flowstartseconds. |
| DNS Server Latency | A grouping of Responding DNS Svr trending DNS Requests, Latency. Information Elements: dnsnxserveripv4address, dnsresolvetime, plixeraggregatedrecordcount. |
| DNS Server Responding Details | A grouping of DNS Server, Client, FQDN, Resolved Address trending Resolve Count. Information Elements: dnsnxserveripv4address, dnsnxclientipv4address, dnsname, dnsresolvedipv4address, plixeraggregatedrecordcount. |
| DNS Server Responding Summary | A grouping of DNS Server trending Number of Clients, Unique Lookup Count, Minimum Resolution Time. Information Elements: dnsnxserveripv4address, dnsnxclientipv4address, dnsresolvetime, plixeraggregatedrecordcount. |
| File Info > All File Details | A grouping of Source, Destination, File Name, MD5 Checksum, SHA256 Checksum trending Bytes. Information Elements: sourceipaddress, destinationipaddress, filename, md5_file_checksum, sha256_file_checksum, file_size_octets. |
| File Info > CheckSums | A grouping of MD5 Checksum, SHA256 Checksum trending File Size. Information Elements: md5_file_checksum, sha256_file_checksum, file_size_octets. |
| File Info > Filename & CheckSums | A grouping of File Name, MD5 Checksum, SHA256 Checksum trending File Size. Information Elements: filename, md5_file_checksum, sha256_file_checksum, file_size_octets. |
| HTTP > All Details | A grouping of Source, Destination, Request Host, Request Target, User Agent, Content Type, Request Method, Status Code trending Total Payload. Information Elements: sourceipaddress, destinationipaddress, httprequesthost, httprequesttarget, httpuseragent, httpcontenttype, httprequestmethod, httpstatuscode, ippayloadlength. |
| HTTP > Content Type | A grouping of Content Type, Request Method, Status Code trending Total Payload. Information Elements: httpcontenttype, httprequestmethod, httpstatuscode, ippayloadlength. |
| HTTP > Request Target | A grouping of Request Target trending Total Payload. Information Elements: httprequesttarget, ippayloadlength. |
| HTTP > User Agent | A grouping of User Agent trending Observation Count. Information Elements: httpuseragent, plixeraggregatedrecordcount. |
| NX-FQDN | A grouping of FQDN trending DNS Clients, Resolve Count. Information Elements: dnsnxqname, dnsnxclientipv4address, plixeraggregatedrecordcount. |
| SMB > File Details | A grouping of Source, Destination, Command, Status, File Name, Operation, Permissions, Accessed, Modified, File Size trending Observed Count. Information Elements: sourceipaddress, destinationipaddress, smb_command, smb_status, smb_filename, smb_disposition, smb_access, smb_accessed_time, smb_modified_time, smb_file_size, plixeraggregatedrecordcount. |
| SMB > NTLMSSP Authentication Details | A grouping of Source, Destination, User, Host, Domain, Status, Version trending Observed Count. Information Elements: sourceipaddress, destinationipaddress, smb_ntlmssp_user, smb_ntlmssp_host, smb_ntlmssp_domain, smb_status, smb_ntlmssp_version, plixeraggregatedrecordcount. |
| SNMP > All Details | A grouping of Community, User, Vars, PDU Type trending Observation Count. Information Elements: mrtgsnmpcommunity, snmp_usm, snmp_var, snmp_pdu_type, plixeraggregatedrecordcount. |
| SNMP > Community | A grouping of Community trending Observation Count. Information Elements: mrtgsnmpcommunity, plixeraggregatedrecordcount. |
| SNMP > PDU Type | A grouping of PDU Type trending Observation Count. Information Elements: snmp_pdu_type, plixeraggregatedrecordcount. |
| SNMP > User | A grouping of User trending Observation Count. Information Elements: snmp_usm, plixeraggregatedrecordcount. |
| SNMP > Version | A grouping of Version trending Observation Count. Information Elements: mrtgsnmpversion, plixeraggregatedrecordcount. |
| Src and # of DNS servers | A grouping of Client, User Name(s) trending # of DNS servers. Information Elements: dnsnxclientipv4address, dnsclientname, dnsnxserveripv4address. |
| Src and # of NX 2LD | A grouping of Client, User Name(s), DNS Server trending NX Replies. Information Elements: dnsnxclientipv4address, dnsclientname, dnsnxserveripv4address, dnsqname2ld. |
| Src and # of NX 3LD | A grouping of Client, User Name(s), DNS Server trending NX Replies. Information Elements: dnsnxclientipv4address, dnsclientname, dnsnxserveripv4address, dnsqname3ld. |
| Src and # of NX Replies | A grouping of Client, User Name(s) trending NX Responses. Information Elements: dnsnxclientipv4address, dnsclientname, dnsnxqname. |
| Src with NX 2LD | A grouping of Client, User Name(s), 2nd Level Domain, DNS Server trending Count. Information Elements: dnsnxclientipv4address, dnsclientname, dnsqname2ld, dnsnxserveripv4address, plixeraggregatedrecordcount. |
| Src with NX 3LD | A grouping of Client, User Name(s), 3rd Level Domain, DNS Server trending Count. Information Elements: dnsnxclientipv4address, dnsclientname, dnsqname3ld, dnsnxserveripv4address, plixeraggregatedrecordcount. |
| Src with NX FQDN | A grouping of Client, User Name(s), DNS Query Name, DNS Server trending Count. Information Elements: dnsnxclientipv4address, dnsclientname, dnsnxqname, dnsnxserveripv4address, plixeraggregatedrecordcount. |
| Top 2LD Requests | A grouping of 2nd Level Domains trending Clients Requesting, Resolve Count. Information Elements: request2ld, dnsnxclientipv4address, dnsresolvedipv4address. |
| Top 3LD Requests | A grouping of 3rd Level Domains trending Clients Requesting, Resolve Count. Information Elements: request3ld, dnsnxclientipv4address, dnsresolvedipv4address. |
FQDN Reports
| Report | Description |
|---|---|
| Destination FQDN | A grouping of Destination, FQDN trending Lookups. Information Elements: destinationipaddress, dst_fqdn, fqdn_lookup_count. |
| Host to Host with Dst FQDN | A grouping of Source, Destination, Dst FQDN trending Lookup. Information Elements: sourceipaddress, destinationipaddress, dst_fqdn, fqdn_lookup_count. |
Gigamon
| Report | Description |
|---|---|
| App Intel - DNS | A grouping of App, Src IP, Dst IP, Query, Response, Query Type trending Count. Information Elements: applicationid, sourceipaddress, destinationipaddress, dnsqueryname, gigamondnsresponseipv4address, gm_dns_networkservice_host_type, plixeraggregatedrecordcount. |
| App Intel - FTP | A grouping of App, Src IP, Dst IP, Filename, User, Pass, File Size trending Bytes. Information Elements: applicationid, sourceipaddress, destinationipaddress, gm_ftp_fileserver_filename, gm_ftp_fileserver_login, gm_ftp_fileserver_password, gm_ftp_fileserver_filesize, octetdeltacount. |
| App Intel - HTTP | A grouping of App, Src IP, Dst IP, User Agent, HTTP Method, Host, URI, Referrer, User Agent trending Bytes. Information Elements: applicationid, sourceipaddress, destinationipaddress, httpuseragent, gm_http_web_method, gm_http_web_host, gm_http_web_uri, gm_http_web_referer, httpstatuscode, octetdeltacount. |
| App Intel - SMB | A grouping of App, Src IP, Dst IP, File, SMB Version, NTLM User, NTLM Workstation trending Bytes. Information Elements: applicationid, sourceipaddress, destinationipaddress, gm_smb_fileserver_filename, gm_smb_fileserver_version, gm_smb_fileserver_ntlm_user, gm_smb_fileserver_ntlm_workstation, octetdeltacount. |
| App Intel - SMTP | A grouping of App, Src IP, Dst IP, Recipient, Sender, Subject, Attachment trending Bytes. Information Elements: applicationid, sourceipaddress, destinationipaddress, gm_smtp_mail_receiver, gm_smtp_mail_sender, gm_smtp_mail_subject, gm_smtp_mail_attach_filename, octetdeltacount. |
| Destination Name and URL | A grouping of Destination, User Name(s), URL trending Count. Information Elements: destinationipaddress, dstipname, gigamonhttprequrl, plixeraggregatedrecordcount. |
| DNS All Details | A grouping of Src IP, Dst IP, DNS Request, IP Returned, Authority Name trending Count. Information Elements: sourceipaddress, destinationipaddress, dnsqueryname, gigamondnsresponseipv4address, gigamondnsauthorityname, plixeraggregatedrecordcount. |
| Hosts with URL | A grouping of Src IP, Destination, URL trending Count. Information Elements: sourceipaddress, destinationipaddress, gigamonhttprequrl, plixeraggregatedrecordcount. |
| Pair Names and URL | A grouping of Source, Source Username, Destination, Destination Username, URL trending Count. Information Elements: sourceipaddress, srcipname, destinationipaddress, dstipname, gigamonhttprequrl, plixeraggregatedrecordcount. |
| Return Codes | A grouping of Return Code trending Count. Information Elements: gigamonhttprspstatus, plixeraggregatedrecordcount. |
| Source Name and URL | A grouping of Source, User Name(s), URL trending Count. Information Elements: sourceipaddress, srcipname, gigamonhttprequrl, plixeraggregatedrecordcount. |
| SSL All Details | A grouping of Src IP, Dst IP, SSL Version, SSL Cipher, SSL Algorithm, SSL Key Size, SSL Cert Subject, Expiry Date trending Count. Information Elements: sourceipaddress, destinationipaddress, sslserverversion, sslservercipher, sslcertificatesubjectpubalgorithm, sslcertificatesubjectpubkeysize, sslcertificatesubject, sslcertificatevalidnotafter, plixeraggregatedrecordcount. |
| SSL Version Count | A grouping of SSL Version trending Server Count. Information Elements: sslserverversion, destinationipaddress. |
| URL and Return Codes | A grouping of URL, Return Code trending Count. Information Elements: gigamonhttprequrl, gigamonhttprspstatus, plixeraggregatedrecordcount. |
| URL Count | A grouping of URL trending Count. Information Elements: gigamonhttprequrl, plixeraggregatedrecordcount. |
Honeynet
| Report | Description |
|---|---|
| Adversary and State | A grouping of Adversary, State trending Count. Information Elements: sourceipaddress, connectionstate, plixeraggregatedrecordcount. |
| Adversary and String | A grouping of Adversary, String trending Count. Information Elements: sourceipaddress, comments, plixeraggregatedrecordcount. |
| Adversary, String and State | A grouping of Adversary, String, State trending Count. Information Elements: sourceipaddress, comments, connectionstate, plixeraggregatedrecordcount. |
| Forensic with Start | A grouping of Start Time, Source, String, State trending Count. Information Elements: flowstartmilliseconds, sourceipaddress, comments, connectionstate, plixeraggregatedrecordcount. |
| State | A grouping of State trending Count. Information Elements: connectionstate, plixeraggregatedrecordcount. |
| Strings | A grouping of String trending Count. Information Elements: comments, plixeraggregatedrecordcount. |
| Strings and State | A grouping of String, State trending Count. Information Elements: comments, connectionstate, plixeraggregatedrecordcount. |
HTTP
| Report | Description |
|---|---|
| Host to Host Request Volume | A grouping of Source, Destination trending Requests, Packets, Bytes. Information Elements: httprequesthost, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| HTTP User Agent | A grouping of Source, User Agent trending Flow Count, Bytes. Information Elements: httprequesthost, httpuseragent, octetdeltacount, plixeraggregatedrecordcount. |
| User Agent | A grouping of pm_cisco_httpuseragent trending Count, Packets, Bytes. Information Elements: pm_cisco_httpuseragent, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Juniper
Report |
Description |
|---|---|
Application Performance |
A grouping of Application trending Uplink Pkts, Downlink Pkts, Retrans Uplink, Retrans Downlink, Smooth RTT Up, Smooth RTT Down. Information Elements: applicationname, downlinkpackets, retranstcppacketsdownlink, retranstcppacketsuplink, smoothrttdownlink, smoothrttuplink, uplinkpackets. |
Host and Num Inst |
A grouping of Host, Num Inst 1, Num Inst 2, Num Inst 3, Num Inst 4, Num Inst 5 trending Flows. Information Elements: host, numinstances_1, numinstances_2, numinstances_3, numinstances_4, numinstances_5, plixeraggregatedrecordcount. |
Host and Status Code |
A grouping of Host, Status Code 1, Status Code 2, Status Code 3, Status Code 4, Status Code 5 trending Flows. Information Elements: host, statuscode_1, statuscode_2, statuscode_3, statuscode_4, statuscode_5, plixeraggregatedrecordcount. |
Host DNS Response Time |
A grouping of Source trending Flows, Max DNS Resp., Avg DNS Resp. Information Elements: host, dnsresponsetime, plixeraggregatedrecordcount. |
HTTP Details |
A grouping of Host, Method, Referrer, Response Code, URI trending Flows. Information Elements: host, http_method, http_referrer, http_responsecode, http_uri, plixeraggregatedrecordcount. |
HTTP Method |
A grouping of HTTP Method trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets, Flows. Information Elements: http_method, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
HTTP Referrer |
A grouping of HTTP Referrer trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets, Flows. Information Elements: http_referrer, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
HTTP Response Code |
A grouping of Response Code trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets, Flows. Information Elements: http_responsecode, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
HTTP URI |
A grouping of URI trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets, Flows. Information Elements: http_uri, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
IFL and Subscriber Details |
A grouping of IFL Name, IP Address, Name, Type, VRF trending Flows, UL Pkts, DL Pkts, UL Octets, DL Octets. Information Elements: iflname, subscriberipaddress, subscribername, subscribertype, subscribervrf, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
IFL Name and Counters |
A grouping of IFL Name trending Plixer Flows, Uplink Pkts, DL Pkts, Uplink Octets, DL Octets. Information Elements: iflname, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
NAS Details |
A grouping of IP Address, Port ID, Port Type trending UL Pkts, DL Pkts, UL Octets, DL Octets, Flows. Information Elements: nasipaddress, nasportid, nasporttype, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
Pair RTT IPv4 |
A grouping of Src IP, Dst IP trending Retrans UL, Retrans DL, Smooth RTT UL, Smooth RTT DL. Information Elements: sourceipaddress, destinationipaddress, retranstcppacketsdownlink, retranstcppacketsuplink, smoothrttdownlink, smoothrttuplink. |
Pair RTT IPv6 |
A grouping of Src IP, Dst IP trending Retrans UL, Retrans DL, Smooth RTT UL, Smooth RTT DL. Information Elements: sourceipv6address, destinationipv6address, retranstcppacketsdownlink, retranstcppacketsuplink, smoothrttdownlink, smoothrttuplink. |
Pair & User Name IPv4 |
A grouping of Src IP, Dst IP, User Name trending UL Pkts, DL Pkts, UL Octets, DL Octets, Flows. Information Elements: sourceipaddress, destinationipaddress, username, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
Pair & User Name IPv6 |
A grouping of Src IPv6, Dst IPv6, User Name trending UL Pkts, DL Pkts, UL Octets, DL Octets, Flows. Information Elements: sourceipv6address, destinationipv6address, username, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
Record Reason |
A grouping of Record Reason trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets. Information Elements: recordreason, downlinkoctets, downlinkpackets, uplinkoctets, uplinkpackets. |
SCG/BNG IP Address |
A grouping of SCG/BNG IP trending Uplink Pkts, Downlink Pkts, Uplink Octets, Downlink Octets. Information Elements: scgbngipaddress, downlinkoctets, downlinkpackets, uplinkoctets, uplinkpackets. |
Subscriber VRF and User Details |
A grouping of Subscriber, VRF, User Name trending UL Pkts, DL Pkts, UL Octets, DL Octets, Flows. Information Elements: subscribername, subscribervrf, username, downlinkoctets, downlinkpackets, plixeraggregatedrecordcount, uplinkoctets, uplinkpackets. |
Keysight Reports
Report |
Description |
|---|---|
App with Latency |
A grouping of Application trending RTT, Bytes. Information Elements: applicationid, latency, octetdeltacount. |
Browsers |
A grouping of Browser trending Packets, Bytes. Information Elements: browsername, octetdeltacount, packetdeltacount. |
Connections with Latency |
A grouping of Source IP, Source Port, Destination IP, Destination Port trending RTT. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, latency. |
Conversation App Latency |
A grouping of Source IP, Application, Destination IP trending RTT, Bytes. Information Elements: sourceipaddress, applicationid, destinationipaddress, latency, octetdeltacount. |
Device and Location |
A grouping of OS Name, Source, City, Country trending Packets, Bytes. Information Elements: osdevicename, sourceipaddress, sourcecityname, sourcecountryname, octetdeltacount, packetdeltacount. |
Encryption |
A grouping of Source, Destination, connencrypttype, encryptioncipher, encryptionkeylength trending Packets, octets. Information Elements: sourceipaddress, destinationipaddress, connencrypttype, encryptioncipher, encryptionkeylength, octetdeltacount, packetdeltacount. |
L7 Application |
A grouping of L7 Application trending Packets, Flows, Bytes. Information Elements: l7applicationname, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
OS |
A grouping of OS Name trending Packets, Bytes. Information Elements: osdevicename, octetdeltacount, packetdeltacount. |
OS Device Name |
A grouping of OS Name, Source trending Packets, Bytes. Information Elements: osdevicename, sourceipaddress, octetdeltacount, packetdeltacount. |
Source City |
A grouping of City trending Packets, Bytes. Information Elements: sourcecityname, octetdeltacount, packetdeltacount. |
Source Country |
A grouping of Country trending Packets, Bytes. Information Elements: sourcecountryname, octetdeltacount, packetdeltacount. |
Kubernetes Reports
Report |
Description |
|---|---|
K8S Destination Pod Traffic |
A grouping of Pod Name trending Bytes, Packets. Information Elements: k8s_dst_pod_name, octetdeltacount, packetdeltacount. |
K8S Services |
A grouping of K8S Service trending Bytes, Packets. Information Elements: k8s_dst_service_name, octetdeltacount, packetdeltacount. |
K8S Source Pod Traffic |
A grouping of Pod Name trending Bytes, Packets. Information Elements: k8s_src_pod_name, octetdeltacount, packetdeltacount. |
K8S Vitals |
A grouping of Name, Type trending CPU, CPU (percent of node), Memory (percent of limit), Memory (percent of node). Information Elements: k8s_vitals_name, k8s_vitals_record_type, k8s_vitals_cpu_percent_of_node, k8s_vitals_cpu_usage, k8s_vitals_memory_percent_of_limit, k8s_vitals_memory_percent_of_node. |
NAT
Report |
Description |
|---|---|
All Details |
A grouping of Source, Src Port, NAT Src IP, NAT Src Port, NAT Dst Port, NAT Dst IP, Dst Port, Destination trending Flows, Bytes. Information Elements: sourceipaddress, sourcetransportport, postnatsourceipv4address, postnaptsourcetransportport, postnaptdestinationtransportport, postnatdestinationipv4address, destinationtransportport, destinationipaddress, octetdeltacount, plixeraggregatedrecordcount. |
Destination Details |
A grouping of Destination, Dst Port, NAT Dst IP, NAT Dst Port trending Flows, Bytes. Information Elements: destinationipaddress, destinationtransportport, postnatdestinationipv4address, postnaptdestinationtransportport, octetdeltacount, plixeraggregatedrecordcount. |
Dst Translations |
A grouping of Destination, Post Dst IP trending Packets, Bytes. Information Elements: destinationipaddress, postnatdestinationipv4address, octetdeltacount, packetdeltacount. |
Post Connections |
A grouping of in Int, Post Src Port, Post Src IP, Post Dst IP, Post Dst Port, out Int trending Packets, Bytes. Information Elements: ingressinterface, postnaptsourcetransportport, postnatsourceipv4address, postnatdestinationipv4address, postnaptdestinationtransportport, egressinterface, octetdeltacount, packetdeltacount. |
Post Host to Host |
A grouping of in Int, Post Src IP, Post Dst IP, out Int trending Packets, Bytes. Information Elements: ingressinterface, postnatsourceipv4address, postnatdestinationipv4address, egressinterface, octetdeltacount, packetdeltacount. |
Source Details |
A grouping of Source, Src Port, NAT Src Port, NAT Src IP trending Flows, Bytes. Information Elements: sourceipaddress, sourcetransportport, postnaptsourcetransportport, postnatsourceipv4address, octetdeltacount, plixeraggregatedrecordcount. |
Src Translations |
A grouping of Source, Post Src IP trending Packets, Bytes. Information Elements: sourceipaddress, postnatsourceipv4address, octetdeltacount, packetdeltacount. |
Translations |
A grouping of Source, Destination, Post Src IP, Post Dst IP trending Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, postnatsourceipv4address, postnatdestinationipv4address, octetdeltacount, packetdeltacount. |
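The NAT reports above expose both sides of a translation on one row (Source, Src Port, NAT Src IP, NAT Src Port, Destination, Dst Port). The most common security use of that row shape is attribution: an external party reports abuse from a public address and port, and the analyst must find the internal host behind the PAT pool at that moment. The following is an added example, not Scrutinizer code; it keys records by the IPFIX element names listed in the "All Details" report, assumes flowstartmilliseconds is available on each record so the lookup can be time-bounded, and uses constructed sample flows. It also handles the edge case that makes this lookup hard in practice: a public port reused by a different internal host later on.

```python
"""Attribute a public (post-NAT) endpoint back to the internal host.

Added example; this is not Scrutinizer code. Records are keyed by the IPFIX
element names the NAT "All Details" report lists (sourceipaddress,
sourcetransportport, postnatsourceipv4address, postnaptsourcetransportport,
destinationipaddress, destinationtransportport, ...). flowstartmilliseconds
is assumed to be available on each record so the lookup can be time-bounded.
All flow records below are constructed sample data.
"""
from dataclasses import dataclass


def _rec(start_ms, src, sport, nat_ip, nat_port, dst, dport, octets, flows):
    """Build one constructed row in the shape of the NAT 'All Details' report
    (source NAT only, so the post-NAT destination equals the destination)."""
    return {
        "flowstartmilliseconds": start_ms,
        "sourceipaddress": src, "sourcetransportport": sport,
        "postnatsourceipv4address": nat_ip, "postnaptsourcetransportport": nat_port,
        "postnatdestinationipv4address": dst, "postnaptdestinationtransportport": dport,
        "destinationipaddress": dst, "destinationtransportport": dport,
        "octetdeltacount": octets, "plixeraggregatedrecordcount": flows,
    }


# Constructed sample: two internal hosts share public address 203.0.113.5 (PAT),
# and public port 40001 is reused an hour later by a third host.
SAMPLE_FLOWS = [
    _rec(1_700_000_000_000, "10.1.2.10", 51234, "203.0.113.5", 40001, "198.51.100.7", 443, 12_000, 3),
    _rec(1_700_000_060_000, "10.1.2.11", 44000, "203.0.113.5", 40002, "198.51.100.7", 443, 8_500, 1),
    _rec(1_700_003_600_000, "10.1.2.12", 50000, "203.0.113.5", 40001, "192.0.2.9", 80, 2_100, 1),
]


@dataclass(frozen=True)
class Attribution:
    internal_ip: str
    internal_port: int
    peer_ip: str
    peer_port: int
    flow_start_ms: int


def attribute_public_endpoint(flows, public_ip, public_port, seen_at_ms,
                              window_ms=300_000, peer_ip=None):
    """Return every internal endpoint translated to public_ip:public_port
    within window_ms of seen_at_ms, oldest first.

    More than one result means the public port was reused inside the window;
    the caller then needs a tighter window or the peer address to disambiguate.
    """
    matches = []
    for f in flows:
        if f["postnatsourceipv4address"] != public_ip:
            continue
        if f["postnaptsourcetransportport"] != public_port:
            continue
        # The outside party sees the post-NAT destination, so filter on that.
        if peer_ip is not None and f["postnatdestinationipv4address"] != peer_ip:
            continue
        if abs(f["flowstartmilliseconds"] - seen_at_ms) > window_ms:
            continue
        matches.append(Attribution(
            internal_ip=f["sourceipaddress"],
            internal_port=f["sourcetransportport"],
            peer_ip=f["postnatdestinationipv4address"],
            peer_port=f["postnaptdestinationtransportport"],
            flow_start_ms=f["flowstartmilliseconds"],
        ))
    return sorted(matches, key=lambda a: a.flow_start_ms)


if __name__ == "__main__":
    # An abuse report names 203.0.113.5:40001 at T+10s: resolves to 10.1.2.10.
    for a in attribute_public_endpoint(SAMPLE_FLOWS, "203.0.113.5", 40001, 1_700_000_010_000):
        print(a)
    # With a window wide enough to span the port reuse, two hosts match and
    # the peer address is needed to pick the right one.
    print(attribute_public_endpoint(SAMPLE_FLOWS, "203.0.113.5", 40001,
                                    1_700_001_800_000, window_ms=36_000_000))
```

The window defaults to five minutes because the exporter's flow-start timestamp and the reporter's clock rarely agree to the second; widen it only with the peer address supplied, otherwise a reused PAT port silently attributes the activity to the wrong host.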
NBAR Reports
Report |
Description |
|---|---|
Application Categories |
A grouping of Application Category trending Packets, Bytes. Information Elements: ciscoappcategoryname, octetdeltacount, packetdeltacount. |
Application Compression |
A grouping of Application trending % Pkt Comp, % Octet Comp. Information Elements: applicationtag, percentoctetcompression, percentpacketcompression. |
Application Groups |
A grouping of Application Group trending Packets, Bytes. Information Elements: ciscoappgroupname, octetdeltacount, packetdeltacount. |
Applications |
A grouping of Application trending Packets, Bytes. Information Elements: applicationtag, octetdeltacount, packetdeltacount. |
Application Sub Categories |
A grouping of Application Sub Category trending Packets, Bytes. Information Elements: ciscosubappcategoryname, octetdeltacount, packetdeltacount. |
Conversations |
A grouping of Source, Application, Destination trending Packets, Bytes. Information Elements: sourceipaddress, applicationtag, destinationipaddress, octetdeltacount, packetdeltacount. |
Overlay Network
Report |
Description |
|---|---|
Destination Hosts by Network |
A grouping of Network ID, Network Type, Destination trending Count, Packets, Bytes. Information Elements: overlay_net_id, overlay_net_type, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Network ID and Type |
A grouping of Network ID, Network Type trending Count, Packets, Bytes. Information Elements: overlay_net_id, overlay_net_type, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Source Hosts by Network |
A grouping of Network ID, Network Type, Source trending Count, Packets, Bytes. Information Elements: overlay_net_id, overlay_net_type, sourceipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Pair Reports
Report |
Description |
|---|---|
AS to AS by IP |
A grouping of Source AS, Destination AS trending Packets, Bytes. Information Elements: srcipas, dstipas, octetdeltacount, packetdeltacount. |
AS to AS by Tag |
A grouping of Src AS, Dst AS trending Packets, Bytes. Information Elements: bgpsourceasnumber, bgpdestinationasnumber, octetdeltacount, packetdeltacount. |
AS to AS by Tag (Peer) |
A grouping of bgpprevadjacentasnumber, bgpnextadjacentasnumber trending Packets, Bytes. Information Elements: bgpprevadjacentasnumber, bgpnextadjacentasnumber, octetdeltacount, packetdeltacount. |
Avg Pkt Size |
A grouping of Source, Destination trending Avg. Pkt. Size, Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, avgpacketsize, octetdeltacount, packetdeltacount. |
Client to Server |
A grouping of Client, Server trending Packets, Bytes. Information Elements: clientipv4address, serveripv4address, octetdeltacount, packetdeltacount. |
Connections By Bytes |
A grouping of src Port, Source, Protocol, Destination, dst Port trending Packets, Bytes. Information Elements: sourcetransportport, sourceipaddress, protocolidentifier, destinationipaddress, destinationtransportport, octetdeltacount, packetdeltacount. |
Connections By Flows |
A grouping of src Port, Source, Protocol, Destination, dst Port trending Flows. Information Elements: sourcetransportport, sourceipaddress, protocolidentifier, destinationipaddress, destinationtransportport, plixeraggregatedrecordcount. |
Connections w/ Obsrv Pt. |
A grouping of Source, src Port, Destination, dst Port, Obsrv Pt trending Packets, Sum of Sq. Octets. Information Elements: sourceipaddress, sourcetransportport, destinationipaddress, destinationtransportport, observationpointid, octetdeltasumofsquares, packetdeltacount. |
Conversations App |
A grouping of Source, Application, Destination trending Packets, Bytes. Information Elements: sourceipaddress, applicationid, destinationipaddress, octetdeltacount, packetdeltacount. |
Conversations w/Flags |
A grouping of Source IP Address, Well Known Port, tcpcontrolbits, Destination IP Address trending Packets, Bytes, Flows. Information Elements: sourceipaddress, commonport, tcpcontrolbits, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Conversations WKP |
A grouping of Source, Well Known, Destination trending Packets, Bytes. Information Elements: sourceipaddress, commonport, destinationipaddress, octetdeltacount, packetdeltacount. |
Conv IP Groups |
A grouping of Source IP Group, Well Known, Destination IP Group trending Packets, Bytes. Information Elements: srcipgroup, commonport, dstipgroup, octetdeltacount, packetdeltacount. |
Country to Country |
A grouping of Source Country, Destination Country trending Packets, Bytes. Information Elements: srccountry, dstcountry, octetdeltacount, packetdeltacount. |
Customer VLAN to VLAN |
A grouping of postdot1qcustomervlanid, dot1qcustomervlanid trending Flows, Packets, Bytes. Information Elements: postdot1qcustomervlanid, dot1qcustomervlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
dot1q VLAN to VLAN |
A grouping of postdot1qvlanid, dot1qvlanid trending Flows, Packets, Bytes. Information Elements: postdot1qvlanid, dot1qvlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Flow End Reason |
A grouping of Source, Src Port, Dst Port, Destination, Flow End Reason trending Packets, Bytes. Information Elements: sourceipaddress, sourcetransportport, destinationtransportport, destinationipaddress, flowendreason, octetdeltacount, packetdeltacount. |
Forensic Audit |
A grouping of Flow Start, Source, Destination, Common Port, Protocol trending Pkts, Bytes. Information Elements: flowstartmilliseconds, sourceipaddress, destinationipaddress, commonport, protocolidentifier, octetdeltacount, packetdeltacount. |
Grouped Flows (DSCP) |
A grouping of src Port, Source, DSCP, Destination, dst Port trending Packets, Bytes. Information Elements: sourcetransportport, sourceipaddress, ipdiffservcodepoint, destinationipaddress, destinationtransportport, octetdeltacount, packetdeltacount. |
Grouped Flows (TOS) |
A grouping of src Port, Source, Type Of Service, Destination, dst Port trending Packets, Bytes. Information Elements: sourcetransportport, sourceipaddress, ipclassofservice, destinationipaddress, destinationtransportport, octetdeltacount, packetdeltacount. |
Host - AS by IP - Host |
A grouping of Source, Src AS, Dst AS, Destination trending Flows, Packets, Bytes. Information Elements: sourceipaddress, srcipas, dstipas, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Host - AS - Host |
A grouping of Source, Src AS, Dst AS, Destination trending Flows, Packets, Bytes. Information Elements: sourceipaddress, bgpsourceasnumber, bgpdestinationasnumber, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Hosts with Country |
A grouping of Source, Source Country, Destination, Destination Country trending Packets, Bytes. Information Elements: sourceipaddress, srccountry, destinationipaddress, dstcountry, octetdeltacount, packetdeltacount. |
Host to Host |
A grouping of Source, Destination trending Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, octetdeltacount, packetdeltacount. |
Host to Host ICMP |
A grouping of Source, Code, Type, Destination trending Count. Information Elements: sourceipaddress, icmpcodeipv4, icmptypeipv4, destinationipaddress, plixeraggregatedrecordcount. |
Host to Host L2 |
A grouping of Source, Destination trending Packets, L2 Octets. Information Elements: sourceipaddress, destinationipaddress, layer2octetdeltacount, packetdeltacount. |
Host to Host Sum of Sq. |
A grouping of Source, Destination trending Packets, Sum of Sq. Octets. Information Elements: sourceipaddress, destinationipaddress, octetdeltasumofsquares, packetdeltacount. |
Host to Host w/Flags |
A grouping of Source IP Address, tcpcontrolbits, Destination IP Address trending Packets, Bytes, Flows. Information Elements: sourceipaddress, tcpcontrolbits, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
Host To Host With Next Hop |
A grouping of Source, Destination, Next Hop trending Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, ipnexthopipv4address, octetdeltacount, packetdeltacount. |
IP Groups with Apps Defined |
A grouping of Src Group, Protocol, Application, Dst Group trending Packets, Bytes. Information Elements: srcipgroup, protocolidentifier, applicationid, dstipgroup, octetdeltacount, packetdeltacount. |
IP Group to IP Group |
A grouping of Source IP Group, Destination IP Group trending Packets, Bytes. Information Elements: srcipgroup, dstipgroup, octetdeltacount, packetdeltacount. |
MAC to MAC Routed |
A grouping of Source MAC, Post Source MAC, Destination MAC, Post Destination MAC trending Flows, Packets, Bytes. Information Elements: sourcemacaddress, postsourcemacaddress, destinationmacaddress, postdestinationmacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
MAC to MAC Switched |
A grouping of Source MAC, Destination MAC trending Packets, Bytes. Information Elements: sourcemacaddress, destinationmacaddress, octetdeltacount, packetdeltacount. |
Rev 2nd lvl Domain pairs |
A grouping of Src Rev 2nd lvl Domain, Dst Rev 2nd lvl Domain trending Packets, Bytes. Information Elements: srcdomain, dstdomain, octetdeltacount, packetdeltacount. |
Subnet to Subnet |
A grouping of Src Subnet, Dst Subnet trending Packets, Bytes. Information Elements: srcnetwork, dstnetwork, octetdeltacount, packetdeltacount. |
TOS to TOS |
A grouping of Type of Service, Post Type of Services trending Packets, Bytes. Information Elements: ipclassofservice, postipclassofservice, octetdeltacount, packetdeltacount. |
VLAN to VLAN |
A grouping of postvlanid, vlanid trending Flows, Packets, Bytes. Information Elements: postvlanid, vlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
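Two of the Pair reports above, "Conversations w/Flags" and "Host to Host w/Flags", group on the raw tcpcontrolbits element. That value is a bit mask accumulated over every packet in the flow, so a row whose flags never include ACK is a connection attempt that, from this side, never completed a handshake; many such rows from one source to many destinations is the classic SYN-scan signature. The following is an added example, not Scrutinizer code: it decodes tcpcontrolbits and ranks sources by that fan-out over constructed rows in the "Host to Host w/Flags" shape. It assumes the element carries the IANA IPFIX element 6 flag bits (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, ECE=0x40, CWR=0x80) OR-ed across the flow's packets; the threshold of five targets is an arbitrary assumption to tune per network.

```python
"""Decode tcpcontrolbits and rank sources by SYN-without-ACK fan-out.

Added example; this is not Scrutinizer code. Rows follow the Pair report
"Host to Host w/Flags" (sourceipaddress, tcpcontrolbits, destinationipaddress,
octetdeltacount, packetdeltacount, plixeraggregatedrecordcount). Assumption:
tcpcontrolbits is the IANA IPFIX element 6 bit mask (FIN=0x01, SYN=0x02,
RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, ECE=0x40, CWR=0x80) OR-ed over every
packet of the flow. All rows below are constructed sample data.
"""
from collections import defaultdict

TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)
SYN, ACK = 0x02, 0x10


def decode_tcp_control_bits(value):
    """Flag names present in a tcpcontrolbits value, lowest bit first."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def is_syn_without_ack(bits):
    """SYN seen but never ACK: from this side no handshake completed.
    Covers probes to closed or filtered ports (SYN only, 0x02) and half-open
    scans of open ports (SYN then RST, 0x06)."""
    return bool(bits & SYN) and not bits & ACK


def _row(src, bits, dst, packets=1, flows=1):
    """One constructed row in the 'Host to Host w/Flags' shape."""
    return {"sourceipaddress": src, "tcpcontrolbits": bits,
            "destinationipaddress": dst, "octetdeltacount": 60 * packets,
            "packetdeltacount": packets, "plixeraggregatedrecordcount": flows}


SAMPLE_ROWS = (
    # 10.0.0.5 sends SYN-only probes to eight hosts and a half-open SYN+RST to a ninth.
    [_row("10.0.0.5", 0x02, f"10.0.1.{i}") for i in range(1, 9)]
    + [_row("10.0.0.5", 0x06, "10.0.1.9", packets=2)]
    # 10.0.0.7 has normal completed sessions (FIN|SYN|PSH|ACK = 0x1B) to two servers
    + [_row("10.0.0.7", 0x1B, "10.0.1.1", packets=400, flows=40),
       _row("10.0.0.7", 0x1B, "10.0.1.2", packets=120, flows=12),
       # and one unanswered SYN, which on its own is benign noise.
       _row("10.0.0.7", 0x02, "10.0.1.3")]
)


def syn_fanout_by_source(rows):
    """Distinct destinations per source that saw at least one SYN-without-ACK flow."""
    targets = defaultdict(set)
    for r in rows:
        if is_syn_without_ack(r["tcpcontrolbits"]):
            targets[r["sourceipaddress"]].add(r["destinationipaddress"])
    return {src: len(dsts) for src, dsts in targets.items()}


def likely_scanners(rows, min_targets=5):
    """Sources whose SYN-without-ACK fan-out meets the (assumed) threshold."""
    return sorted(src for src, n in syn_fanout_by_source(rows).items()
                  if n >= min_targets)


if __name__ == "__main__":
    for src, n in sorted(syn_fanout_by_source(SAMPLE_ROWS).items()):
        print(f"{src}: {n} distinct targets without a completed handshake")
    print("likely scanners:", likely_scanners(SAMPLE_ROWS))
```

Counting distinct destinations rather than flows keeps a single host retrying one unreachable server from tripping the threshold; the "Conversations w/Flags" report adds the well-known port, so the same logic per destination port separates a host sweep from a port sweep of one target.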
Palo Alto Networks
Report |
Description |
|---|---|
Applications |
A grouping of appid_pa trending Packets, Bytes. Information Elements: appid_pa, octetdeltacount, packetdeltacount. |
CloudGenix Exporter Path Stats |
A grouping of Exporter, Path ID trending Down Jitter, Up Jitter, Down Loss, Up Loss, Down MOS, Up MOS, RTT Latency. Information Elements: plixerexporter, cgnxlqmpathidentifier, cgnxlqmdownlinkjittermilliseconds, cgnxlqmdownlinkmos, cgnxlqmdownlinkpacketloss, cgnxlqmrttlatencymilliseconds, cgnxlqmuplinkjittermilliseconds, cgnxlqmuplinkmos, cgnxlqmuplinkpacketloss. |
CloudGenix Path Stats |
A grouping of Path ID trending Down Jitter, Up Jitter, Down Loss, Up Loss, Down MOS, Up MOS, RTT Latency. Information Elements: cgnxlqmpathidentifier, cgnxlqmdownlinkjittermilliseconds, cgnxlqmdownlinkmos, cgnxlqmdownlinkpacketloss, cgnxlqmrttlatencymilliseconds, cgnxlqmuplinkjittermilliseconds, cgnxlqmuplinkmos, cgnxlqmuplinkpacketloss. |
Users |
A grouping of userid_pa trending Packets, Bytes. Information Elements: userid_pa, octetdeltacount, packetdeltacount. |
Procera Reports
Report |
Description |
|---|---|
APN and Base Service |
A grouping of Access Point Name, Base Service trending Bytes. Information Elements: proceraapn, procerabaseservice, octetdeltacount. |
Base Service RTT |
A grouping of Base Service trending Internal RTT, External RTT. Information Elements: procerabaseservice, proceraexternalrtt, procerainternalrtt. |
Content Categories |
A grouping of Content Categories trending External RTT, Bytes. Information Elements: proceracontentcategories, octetdeltacount, proceraexternalrtt. |
HTTP Content Type, Language, and Location |
A grouping of Content Type, Language, Location trending Bytes. Information Elements: procerahttpcontenttype, procerahttplanguage, procerahttplocation, octetdeltacount. |
HTTP Location, Referrer, and Request Method |
A grouping of Location, Referrer, Request Method trending Bytes. Information Elements: procerahttplocation, procerahttpreferer, procerahttprequestmethod, octetdeltacount. |
HTTP URL, Response Status, User Agent |
A grouping of procerahttpurl, Response Status, User Agent trending Bytes. Information Elements: procerahttpurl, procerahttpresponsestatus, procerahttpuseragent, octetdeltacount. |
Incoming Destination Details |
A grouping of Destination IP Address trending Drops, Latency, Packets, Bytes. Information Elements: destinationipaddress, proceraincomingoctets, proceraincomingpackets, proceraincomingshapingdrops, proceraincomingshapinglatency. |
Incoming Source Details |
A grouping of Source IP Address trending Drops, Latency, Packets, Bytes. Information Elements: sourceipaddress, proceraincomingoctets, proceraincomingpackets, proceraincomingshapingdrops, proceraincomingshapinglatency. |
Outgoing Destination Details |
A grouping of Destination IP Address trending Drops, Latency, Packets, Bytes. Information Elements: destinationipaddress, proceraoutgoingoctets, proceraoutgoingpackets, proceraoutgoingshapingdrops, proceraoutgoingshapinglatency. |
Outgoing Source Details |
A grouping of Source IP Address trending Drops, Latency, Packets, Bytes. Information Elements: sourceipaddress, proceraoutgoingoctets, proceraoutgoingpackets, proceraoutgoingshapingdrops, proceraoutgoingshapinglatency. |
Property and Service |
A grouping of property, service trending In Ext. Qoe, In Int. Qoe, Out Ext. Qoe, Out Int. Qoe, Bytes. Information Elements: proceraproperty, proceraservice, octetdeltacount, proceraqoeincomingexternal, proceraqoeincominginternal, proceraqoeoutgoingexternal, proceraqoeoutgoinginternal. |
Queue Drops
Report |
Description |
|---|---|
Queue Drops By Hierarchy |
A grouping of Policy Map Hierarchy, Policy QoS Queue Index trending Flows, Q Drops. Information Elements: policymaphierarchy, policyqosqueueindex, plixeraggregatedrecordcount, plixer_qos_queue_drops. |
Queue Drops By Index |
A grouping of Policy QoS Queue Index trending Flows, Q Drops. Information Elements: policyqosqueueindex, plixeraggregatedrecordcount, plixer_qos_queue_drops. |
Replicator
Report |
Description |
|---|---|
CPU |
A grouping of Replicator trending Min, Avg, Max. Information Elements: sourceipaddress, plixercpuutilizationpercent. |
Profile Statistics |
A grouping of Profile trending Pkts In, Pkts Out, Bytes In, Bytes Out. Information Elements: observationdomainname, octetdeltacount, packetdeltacount, postoctetdeltacount, postpacketdeltacount. |
Riverbed
Report |
Description |
|---|---|
Conversations RTT |
A grouping of in Int, Source, Application, Destination, out Int trending RTT. Information Elements: ingressinterface, sourceipaddress, applicationid, destinationipaddress, egressinterface, tcpconnectionrtt_rvbd. |
FE Type RTT |
A grouping of FE Type trending Retrans Bytes, Retrans Pkts, RTT, Packets, Bytes. Information Elements: fetype_rvbd, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd, tcpretransmissionbytecount_rvbd. |
FE Type RTT and Source |
A grouping of Source, FE Type trending Retrans Pkts, RTT, Packets, Bytes. Information Elements: sourceipaddress, fetype_rvbd, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd. |
FE Type RTT and Visibility |
A grouping of FE Type, Visibility trending Retrans Pkts, RTT, Packets, Bytes. Information Elements: fetype_rvbd, visibility_rvbd, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd. |
Inner Connection IPs and RTT |
A grouping of Source, Destination, IC CFE IP, IC SFE IP trending RTT. Information Elements: sourceipaddress, destinationipaddress, innerconnectioncfeipv4address_rvbd, innerconnectionsfeipv4address_rvbd, tcpconnectionrtt_rvbd. |
Non Optimized Traffic |
A grouping of Source, Destination, Common Port, Passthrough Reason trending Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, commonport, passthroughreason_rvbd, octetdeltacount, packetdeltacount. |
Pair RTT and Retrans |
A grouping of Source, Destination trending Retrans Pkts, Retrans Bytes, RTT, Packets, Bytes. Information Elements: sourceipaddress, destinationipaddress, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd, tcpretransmissionbytecount_rvbd. |
Pair RTT with Ports |
A grouping of Source, Src Port, Dst Port, Destination trending Retrans Pkts, RTT, Packets, Bytes. Information Elements: sourceipaddress, sourcetransportport, destinationtransportport, destinationipaddress, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd. |
Retransmissions |
A grouping of in Int, Source, Destination, out Int trending Pckt Retrans, Bytes Retrans. Information Elements: ingressinterface, sourceipaddress, destinationipaddress, egressinterface, tcppacketretransmissioncount_rvbd, tcpretransmissionbytecount_rvbd. |
Source RTT |
A grouping of Source trending Retrans Pkts, Retrans Bytes, RTT, Packets, Bytes. Information Elements: sourceipaddress, octetdeltacount, packetdeltacount, tcpconnectionrtt_rvbd, tcppacketretransmissioncount_rvbd, tcpretransmissionbytecount_rvbd. |
Wan Optimization |
A grouping of in Int, Source, Src SFE IP, SFE Port, CFE Port, Dst CFE IP, Destination, out Int, Common Port trending Packets, Bytes. Information Elements: ingressinterface, sourceipaddress, innerconnectionsfeipv4address_rvbd, innerconnectionsfeport_rvbd, innerconnectioncfeport_rvbd, innerconnectioncfeipv4address_rvbd, destinationipaddress, egressinterface, commonport, octetdeltacount, packetdeltacount. |
WRK RTT |
A grouping of in Int, Application, out Int trending RTT. Information Elements: ingressinterface, applicationid, egressinterface, tcpconnectionrtt_rvbd. |
Saisei
Report |
Description |
|---|---|
Dropped Pkts per Int |
A grouping of Ingress Int, Distress, Egress Class trending Dropped Octets, Octets, Dropped Packets, Packets. Information Elements: ingressinterface, distress, egressflowclass, droppedoctettotalcount, droppedpackettotalcount, octetdeltacount, packetdeltacount. |
Dropped Pkts per User |
A grouping of User, Distress, Egress Class trending Dropped Octets, Octets, Dropped Packets, Packets. Information Elements: username, distress, egressflowclass, droppedoctettotalcount, droppedpackettotalcount, octetdeltacount, packetdeltacount. |
Forensic Audit |
A grouping of User, Application, Egress Class, Flow Start, Flow End trending RTT. Information Elements: username, applicationname, egressflowclass, flowstartmilliseconds, flowendmilliseconds, rttestimate. |
Pair with Dropped Pkts |
A grouping of Source IP, Destination IP, Distress, Egress Class trending Dropped Octets, Octets, Dropped Packets, Packets. Information Elements: sourceipaddress, destinationipaddress, distress, egressflowclass, droppedoctettotalcount, droppedpackettotalcount, octetdeltacount, packetdeltacount. |
Pair with Retrans & RTT |
A grouping of Source IP, Destination IP, Distress, Egress Class trending Retransmits, Retransmit Events, RTT. Information Elements: sourceipaddress, destinationipaddress, distress, egressflowclass, retransmissiondeltacount, retransmissioneventdeltacount, rttestimate. |
Retransmits & RTT per Int |
A grouping of Ingress Int, Distress, Egress Class trending Retransmits, Retransmit Events, RTT. Information Elements: ingressinterface, distress, egressflowclass, retransmissiondeltacount, retransmissioneventdeltacount, rttestimate. |
SNMP
Report |
Description |
|---|---|
CPU |
A grouping of Device trending CPU 1 Min, CPU 5 Min. Information Elements: plixercomponentipaddress, cputotal1min, cputotal5min. |
Interface Details |
A grouping of Exporter, ingressinterface trending Discards, Errors, Unicast Pkts, Non-Unicast Pkts, sum_snmpoctets. Information Elements: plixerexporter, ingressinterface, snmpdiscards, snmperrors, snmpnucastpkts, snmpoctets, snmpucastpkts. |
Interface Stats (64bit) |
A grouping of Exporter, ingressinterface trending Broadcast Pkts, Multicast Pkts, Unicast Pkts, sum_snmpoctets. Information Elements: plixerexporter, ingressinterface, snmpbroadcastpkts, snmpmulticastpkts, snmpoctets, snmpucastpkts. |
Memory |
A grouping of Device trending avg_memoryused, avg_memoryfree. Information Elements: plixercomponentipaddress, memoryfree, memoryused. |
SonicWALL Reports
Report |
Description |
|---|---|
App Conv |
A grouping of Source, SonicWALL Application, Destination trending Packets, Bytes. Information Elements: sourceipaddress, swapp, destinationipaddress, octetdeltacount, packetdeltacount. |
Applications |
A grouping of SonicWALL Application trending Packets, Bytes. Information Elements: swapp, octetdeltacount, packetdeltacount. |
Available Memory |
A grouping of Exporter trending Available Memory. Information Elements: plixerexporter, mem_avail_ram. |
CPU Avg. Utilization |
A grouping of Core ID trending AVG Util. Information Elements: core_stat_core_id, core_stat_core_util. |
CPU Max. Utilization |
A grouping of Core ID trending MAX Util. Information Elements: core_stat_core_id, core_stat_core_util. |
Intrusions |
A grouping of SonicWALL Intrusion trending Packets, Bytes. Information Elements: flow_to_ips_id, octetdeltacount, packetdeltacount. |
Spyware |
A grouping of SonicWALL Spyware trending Packets, Bytes. Information Elements: flow_to_spyware_id, octetdeltacount, packetdeltacount. |
Urls |
A grouping of SonicWALL URL trending Packets, Bytes. Information Elements: swurl, octetdeltacount, packetdeltacount. |
User Details |
A grouping of SonicWALL User, swuserip, swuserauthtype, swuserdomain trending Packets, Bytes. Information Elements: swuser, swuserip, swuserauthtype, swuserdomain, octetdeltacount, packetdeltacount. |
Users |
A grouping of SonicWALL User trending Packets, Bytes. Information Elements: swuser, octetdeltacount, packetdeltacount. |
Virus |
A grouping of SonicWALL Virus trending Packets, Bytes. Information Elements: flow_to_virus_id, octetdeltacount, packetdeltacount. |
VoIP Conversations |
A grouping of swinitcallid, swrespcallid trending Jitter, Pkt Loss, Packets, Bytes. Information Elements: swinitcallid, swrespcallid, octetdeltacount, packetdeltacount, swvoipavglatency, swvoiplostpkts. |
VoIP Initiators |
A grouping of swinitcallid trending Jitter, Pkt Loss, Packets, Bytes. Information Elements: swinitcallid, octetdeltacount, packetdeltacount, swvoipavglatency, swvoiplostpkts. |
VoIP Responders |
A grouping of swrespcallid trending Jitter, Pkt Loss, Packets, Bytes. Information Elements: swrespcallid, octetdeltacount, packetdeltacount, swvoipavglatency, swvoiplostpkts. |
VPN Local Address |
A grouping of VPN Local IP trending Packets, Bytes. Information Elements: swvpnlocalip, octetdeltacount, packetdeltacount. |
VPN Name |
A grouping of VPN Tunnel Name trending Packets, Bytes. Information Elements: swvpntunnelname, octetdeltacount, packetdeltacount. |
VPN Name Local & Remote Address |
A grouping of VPN Tunnel Name, VPN Local IP, VPN Remote IP trending Packets, Bytes. Information Elements: swvpntunnelname, swvpnlocalip, swvpnremoteip, octetdeltacount, packetdeltacount. |
VPN Remote Address |
A grouping of VPN Remote IP trending Packets, Bytes. Information Elements: swvpnremoteip, octetdeltacount, packetdeltacount. |
Source Reports
| Report | Description |
|---|---|
| Autonomous System by IP | A grouping of Source AS trending Packets, Bytes. Information Elements: srcipas, octetdeltacount, packetdeltacount. |
| Autonomous System by Tag | A grouping of Src AS trending Packets, Bytes. Information Elements: bgpsourceasnumber, octetdeltacount, packetdeltacount. |
| Autonomous System by Tag (Peer) | A grouping of bgpprevadjacentasnumber trending Packets, Bytes. Information Elements: bgpprevadjacentasnumber, octetdeltacount, packetdeltacount. |
| Countries | A grouping of Source Country trending Packets, Bytes. Information Elements: srccountry, octetdeltacount, packetdeltacount. |
| Countries with AS | A grouping of Source Country, Source AS, Hosts (Dst) trending Flows, Packets, Bytes. Information Elements: srccountry, srcipas, destinationipaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Customer VLAN | A grouping of dot1qcustomervlanid trending Flows, Packets, Bytes. Information Elements: dot1qcustomervlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| dot1q VLAN | A grouping of dot1qvlanid trending Flows, Packets, Bytes. Information Elements: dot1qvlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Host Flows | A grouping of Source trending Hosts (Destination), Packets, Flows. Information Elements: sourceipaddress, destinationipaddress, packetdeltacount, plixeraggregatedrecordcount. |
| Host Pkt Length | A grouping of Source trending Length MIN, Length MAX, Length AVG. Information Elements: sourceipaddress, iptotallength. |
| Hosts | A grouping of Source trending Packets, Bytes. Information Elements: sourceipaddress, octetdeltacount, packetdeltacount. |
| ICMP | A grouping of Source, Code, Type trending Count. Information Elements: sourceipaddress, icmpcodeipv4, icmptypeipv4, plixeraggregatedrecordcount. |
| L2 Octets | A grouping of Source trending Packets, L2 Octets. Information Elements: sourceipaddress, layer2octetdeltacount, packetdeltacount. |
| MAC | A grouping of Source MAC trending Flows, Packets, Bytes. Information Elements: sourcemacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| MAC L2 | A grouping of Source MAC trending Packets, L2 Octets. Information Elements: sourcemacaddress, layer2octetdeltacount, packetdeltacount. |
| MAC Sum of Sq | A grouping of Source MAC trending Packets, Sum of Sq. Octets. Information Elements: sourcemacaddress, octetdeltasumofsquares, packetdeltacount. |
| Post MAC | A grouping of Post Src Mac trending Count, Packets, Bytes. Information Elements: postsourcemacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Rev 2nd lvl Domains | A grouping of Src Rev 2nd lvl Domain trending Packets, Bytes. Information Elements: srcdomain, octetdeltacount, packetdeltacount. |
| Source IP Groups | A grouping of Source IP Group trending Packets, Bytes. Information Elements: srcipgroup, octetdeltacount, packetdeltacount. |
| Source w/Flags | A grouping of Source IP Address, tcpcontrolbits trending Packets, Bytes, Flows. Information Elements: sourceipaddress, tcpcontrolbits, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Src IP - Dst AS | A grouping of Exporter, Source IP Address, Dst AS trending Packets, Bytes. Information Elements: plixerexporter, sourceipaddress, bgpdestinationasnumber, octetdeltacount, packetdeltacount. |
| Subnets | A grouping of Src Subnet trending Packets, Bytes. Information Elements: srcnetwork, octetdeltacount, packetdeltacount. |
| Sum Of Sq. Octets | A grouping of Source trending Packets, Sum of Sq. Octets. Information Elements: sourceipaddress, octetdeltasumofsquares, packetdeltacount. |
| User Name by IP | A grouping of Source, User Name(s) trending Packets, Bytes. Information Elements: sourceipaddress, srcipname, octetdeltacount, packetdeltacount. |
| Vendor By MAC | A grouping of Source Vendor trending Devices, Flows, Packets, Bytes. Information Elements: src_vendor_by_mac, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount, sourcemacaddress. |
| VLAN | A grouping of vlanid trending Flows, Packets, Bytes. Information Elements: vlanid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| VLAN Interfaces | A grouping of Interface, VLAN trending Packets, Bytes. Information Elements: ingressinterface, dot1qcustomervlanid, octetdeltacount, packetdeltacount. |
Stormshield
| Report | Description |
|---|---|
| Top Url Categories | A grouping of Url Category trending Packets, Bytes. Information Elements: netasqurlcategory, octetdeltacount, packetdeltacount. |
| Top Urls | A grouping of Url trending Packets, Bytes. Information Elements: netasqurl, octetdeltacount, packetdeltacount. |
| Top Users | A grouping of User trending Packets, Bytes. Information Elements: username, octetdeltacount, packetdeltacount. |
Top Reports
| Report | Description |
|---|---|
| Applications Defined | A grouping of Application trending Packets, Bytes. Information Elements: applicationid, octetdeltacount, packetdeltacount. |
| Availability By IP | A grouping of Destination IP Address trending Availability. Information Elements: destinationipaddress, state. |
| Clients | A grouping of Client trending Packets, Bytes. Information Elements: clientipv4address, octetdeltacount, packetdeltacount. |
| DSCP | A grouping of DSCP trending Packets, Bytes. Information Elements: ipdiffservcodepoint, octetdeltacount, packetdeltacount. |
| Exporters | A grouping of Exporter trending Bytes. Information Elements: plixerexporter, octetdeltacount. |
| ICMP Type IPv4 | A grouping of ICMP Type Code trending Count, Packets, NULL. Information Elements: icmptypecodeipv4, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| ICMP Type IPv6 | A grouping of ICMP Type Code trending Count, Packets, NULL. Information Elements: icmptypecodeipv6, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| IGMP Type | A grouping of IGMP Type trending Count, Packets, NULL. Information Elements: igmptype, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Interface Compression | A grouping of Exporter, Outbound Interface trending % Pkt Comp, % Octet Comp. Information Elements: plixerexporter, egressinterface, percentoctetcompression, percentpacketcompression. |
| Interface-IP-MAC | A grouping of in Int, Source, Source MAC trending Flows, Packets, Bytes. Information Elements: ingressinterface, sourceipaddress, sourcemacaddress, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Interfaces | A grouping of Exporter, Inbound Interface, Interface Speed trending Bytes, % Util. Information Elements: plixerexporter, ingressinterface, inifspeed, interfacepercent, octetdeltacount. |
| Multicast Destinations | A grouping of Destination trending Pkts, Bytes. Information Elements: destinationipaddress, octetdeltacount, packetdeltacount. |
| Multicast Pairs | A grouping of Source, Destination trending Pkts, Bytes. Information Elements: sourceipaddress, destinationipaddress, octetdeltacount, packetdeltacount. |
| Next Hop | A grouping of Next Hop trending Packets, Bytes. Information Elements: ipnexthopipv4address, octetdeltacount, packetdeltacount. |
| Obsrv Pt. Layer 2 | A grouping of Obsrv Pt trending Count, Packets, L2 Octets. Information Elements: observationpointid, layer2octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Obsrv Pt. Octet Sum of Squares | A grouping of Obsrv Pt trending Packets, Sum of Sq. Octets. Information Elements: observationpointid, octetdeltasumofsquares, packetdeltacount. |
| Protocols | A grouping of Protocol trending Packets, Bytes. Information Elements: protocolidentifier, octetdeltacount, packetdeltacount. |
| Round Trip Time By IP | A grouping of Destination IP Address trending RTT. Information Elements: destinationipaddress, latency_ms. |
| Servers | A grouping of Server trending Packets, Bytes. Information Elements: serveripv4address, octetdeltacount, packetdeltacount. |
| Type of Service | A grouping of Type Of Service trending Packets, Bytes. Information Elements: ipclassofservice, octetdeltacount, packetdeltacount. |
| Users | A grouping of User trending Flows, Bytes. Information Elements: username, octetdeltacount, plixeraggregatedrecordcount. |
| VLAN with Priority, CoS & DSCP | A grouping of VLAN, Priority, CoS, DSCP trending Packets, Sum of Sq. Octets. Information Elements: dot1qvlanid, dot1qpriority, ipclassofservice, ipdiffservcodepoint, octetdeltasumofsquares, packetdeltacount. |
| Well Known Ports | A grouping of Well Known trending Packets, Bytes. Information Elements: commonport, octetdeltacount, packetdeltacount. |
UEBA Reports
| Report | Description |
|---|---|
| Azure User Logins | A grouping of User, Source, Success, Location trending Count. Information Elements: username, sourceipaddress, ipfixifyloginstatename, ipfixifylogsource, plixeraggregatedrecordcount. |
| LDAP User Logins | A grouping of User, Source, Admin trending Count. Information Elements: username, sourceipaddress, ipfixifylogintypename, plixeraggregatedrecordcount. |
| Office 365 User Logins | A grouping of User, Source, Application, Success, Location trending Count. Information Elements: username, sourceipaddress, applicationname, ipfixifyloginstatename, ipfixifylogsource, plixeraggregatedrecordcount. |
VeloCloud Reports
| Report | Description |
|---|---|
| Application Flow Path | A grouping of Application, destinationuuid, vcflowpath trending Flows. Information Elements: applicationtag, destinationuuid, vcflowpath, plixeraggregatedrecordcount. |
| Application Link Policy | A grouping of Application, destinationuuid, vclinkpolicy trending Flows. Information Elements: applicationtag, destinationuuid, vclinkpolicy, plixeraggregatedrecordcount. |
| Application Policies | A grouping of Application, vclinkpolicy, vcroutetype, Traffic Type trending Packets, Bytes. Information Elements: applicationtag, vclinkpolicy, vcroutetype, vctraffictype, octetdeltacount, packetdeltacount. |
| Application Priority | A grouping of Application, destinationuuid, vcpriority trending Flows. Information Elements: applicationtag, destinationuuid, vcpriority, plixeraggregatedrecordcount. |
| Application Route Type | A grouping of Application, destinationuuid, vcroutetype trending Flows. Information Elements: applicationtag, destinationuuid, vcroutetype, plixeraggregatedrecordcount. |
| Application Traffic Type | A grouping of Application, destinationuuid, Traffic Type trending Flows. Information Elements: applicationtag, destinationuuid, vctraffictype, plixeraggregatedrecordcount. |
| Conv Dst Edge | A grouping of Source, Application, Destination, destinationuuid trending Flows, Bytes. Information Elements: sourceipaddress, applicationtag, destinationipaddress, destinationuuid, octetdeltacount, plixeraggregatedrecordcount. |
| Dst Edge | A grouping of destinationuuid trending Flows, Bytes. Information Elements: destinationuuid, octetdeltacount, plixeraggregatedrecordcount. |
| Flow Path | A grouping of vcflowpath trending Flows, Bytes. Information Elements: vcflowpath, octetdeltacount, plixeraggregatedrecordcount. |
| Interface Jitter | A grouping of ingressinterface trending countdistinct_destinationipaddress, avg_avgjittertxms. Information Elements: ingressinterface, avgjittertxms, destinationipaddress. |
| Interface Latency | A grouping of ingressinterface trending Unique Dsts, Avg Latency. Information Elements: ingressinterface, avglatencytxms, destinationipaddress. |
| Interface Metrics | A grouping of ingressinterface trending Avg Latency, avg_avgjittertxms, avg_avglosstxpct. Information Elements: ingressinterface, avgjittertxms, avglatencytxms, avglosstxpct. |
| Interface Packet Loss | A grouping of ingressinterface trending countdistinct_destinationipaddress, avg_avglosstxpct. Information Elements: ingressinterface, avglosstxpct, destinationipaddress. |
| Link Utilization | A grouping of linkuuid trending Packets, Bytes. Information Elements: linkuuid, octetdeltacount, packetdeltacount. |
| Packet Loss Conv | A grouping of Source, Application, Destination, destinationuuid trending Retransmission, Lost Packets. Information Elements: sourceipaddress, applicationtag, destinationipaddress, destinationuuid, lostpacketsrxdeltacount, retransmittedpacketstxdeltacount. |
| Packet Loss Edge | A grouping of destinationuuid trending Retransmission, Lost Packets. Information Elements: destinationuuid, lostpacketsrxdeltacount, retransmittedpacketstxdeltacount. |
| Remediation Events | A grouping of Application trending Replication Rx, Replication TX, Lost Packets, Retransmission. Information Elements: applicationtag, lostpacketsrxdeltacount, replicatedpacketsrxdeltacount, replicatedpacketstxdeltacount, retransmittedpacketstxdeltacount. |
| Traffic Type | A grouping of Traffic Type trending Flows, Bytes. Information Elements: vctraffictype, octetdeltacount, plixeraggregatedrecordcount. |
Viptela Reports
| Report | Description |
|---|---|
| Health | A grouping of Device Name, Device Model, System IP trending Memory Used, CPU System(%), Disk Used. Information Elements: vtla_host_name, vtla_device_model, vtla_system_ip, vtla_cpu_system, vtla_disk_used, vtla_mem_used. |
| Local Color Performance | A grouping of vEdge Host, Local Color trending Avg. Latency, Avg. Loss, Avg. Jitter. Information Elements: vtla_vdevice_host_name, vtla_local_color, vtla_mean_jitter, vtla_mean_latency, vtla_mean_loss. |
| Policies Added | A grouping of vEdge, Policies Added trending Record Count. Information Elements: vtla_host_name, vtla_policies_added, plixeraggregatedrecordcount. |
| Policies Removed | A grouping of vEdge, Policies Removed trending Record Count. Information Elements: vtla_host_name, vtla_policies_removed, plixeraggregatedrecordcount. |
| Remote Color Performance | A grouping of vEdge Host, Remote Color trending Avg. Latency, Avg. Loss, Avg. Jitter. Information Elements: vtla_vdevice_host_name, vtla_remote_color, vtla_mean_jitter, vtla_mean_latency, vtla_mean_loss. |
| SLA Events | A grouping of Event ID, vEdge, Policies Added, Policies Removed trending Event Count. Information Elements: vtla_id, vtla_host_name, vtla_policies_added, vtla_policies_removed, plixeraggregatedrecordcount. |
| Tunnel Applications | A grouping of vEdge Host, Local Color, Remote System, Remote Color, Application trending Packets, Bytes. Information Elements: vtla_host_name, vtla_local_color, vtla_remote_system_ip, vtla_remote_color, vtla_application, octetdeltacount, packetdeltacount. |
| Tunnel Performance | A grouping of vEdge Host, Local Color, Remote System, Remote Color trending Avg. Latency, Avg. Loss, Avg. Jitter. Information Elements: vtla_vdevice_host_name, vtla_local_color, vtla_remote_system_ip, vtla_remote_color, vtla_mean_jitter, vtla_mean_latency, vtla_mean_loss. |
| vEdge Host Performance | A grouping of vEdge Host trending Avg. Latency, Avg. Loss, Avg. Jitter. Information Elements: vtla_vdevice_host_name, vtla_mean_jitter, vtla_mean_latency, vtla_mean_loss. |
Vitals
| Report | Description |
|---|---|
| CPU | A grouping of Server trending CPU. Information Elements: plixercomponentipaddress, plixercpuutilizationpercent. |
| CPU per Process | A grouping of Process trending min, avg, max. Information Elements: processcommandline, processpercentcpu. |
| Data Ages | A grouping of Source IP Address, timingtest trending Sent. Information Elements: sourceipaddress, timingtest, dataageseconds. |
| Database | A grouping of Server trending Connections By Bytes, Read Req, Write Req, Cache Free, Queries, Threads, Buffers Used. Information Elements: plixercomponentipaddress, plixerdbconnections, plixerdbkeybufferused, plixerdbkeyreadreq, plixerdbkeywritereq, plixerdbqcachefreemem, plixerdbquestions, plixerdbthreadsconnected. |
| Database | A grouping of Server trending txid, Connections By Bytes, Queries, Timed Checkpoints, Requested Checkpoints, Shared Buffers, Buffers Written. Information Elements: plixercomponentipaddress, buffers_allocd, buffers_written, checkpoints_requested, checkpoints_timed, plixerdbconnections, plixerdbquestions, postgresql_txid. |
| Dir Sizes | A grouping of Server, Directory trending Bytes. Information Elements: plixercomponentipaddress, plixerstoragedrive, plixerstorageusedbytes. |
| Disk Requests | A grouping of Server, Drive trending Backlog, Request Wait, Read Merges/Sec, Read Requests/Sec, Request Sectors/Sec, Write Octets/Sec, Write Requests/Sec. Information Elements: plixercomponentipaddress, hddlabel, plixerdiskaveragerequestbacklog, plixerdiskaveragerequestwait, plixerdiskreadrequestmergesps, plixerdiskreadrequestsps, plixerdiskrequestsectorsps, plixerdiskwriterequestmergesps, plixerdiskwriterequestsps. |
| Disk Utilization | A grouping of Server, Drive trending % Utilization, Read Wait, Write Wait, Read Octets/Sec, Write Octets/Sec. Information Elements: plixercomponentipaddress, hddlabel, plixerdiskaveragepercentutilization, plixerdiskaveragereadwait, plixerdiskaveragewritewait, plixerdiskreadoctetsps, plixerdiskwriteoctetsps. |
| Distributed Heartbeat | A grouping of Server, Plixer Server, Type, Status trending Time. Information Elements: plixercomponentipaddress, ipv4polled, plixerheartbeattype, plixerheartbeatstatus, plixereventdurationmilliseconds. |
| Distributed Synchronization | A grouping of Source, Destination, Caller, DB Table trending Avg Time, Records. Information Elements: syncsourceipv4addr, syncdestinationipv4addr, plixersubroutine, plixertablename, plixereventdurationmilliseconds, plixerrowcount. |
| Event Queue Statistics | A grouping of Collector, DB Table trending Data Age, Total Rows, Disk Used. Information Elements: plixercomponentipaddress, plixertablename, plixerdataageseconds, plixerrowcount, plixerstorageusedbytes. |
| FA Counts | A grouping of Collector, algorithm trending Min, Avg, Max. Information Elements: plixercomponentipaddress, faalgorithmid, faviolationcount. |
| FA Times | A grouping of Collector, algorithm trending Min Dur., Avg Dur., Max Dur. Information Elements: plixercomponentipaddress, faalgorithmid, plixereventdurationmilliseconds. |
| Flow Metrics/Collector | A grouping of Collector trending MFSN, Packets, Flows. Information Elements: plixercomponentipaddress, plixerflowcount, plixerflowpacketcount, plixermfsncount. |
| Flow Metrics/Exporter | A grouping of Collector, Exporter trending MFSN, Packets, Flows. Information Elements: plixercomponentipaddress, plixerexporterid, plixerflowcount, plixerflowpacketcount, plixermfsncount. |
| Flow Metrics/Port | A grouping of Collector, Port trending MFSN, Packets, Flows. Information Elements: plixercomponentipaddress, plixerlisteningport, plixerflowcount, plixerflowpacketcount, plixermfsncount. |
| Frozen XIDs Age | A grouping of plixercomponentipaddress trending max_postgresql_datfrozenxid_age. Information Elements: plixercomponentipaddress, postgresql_datfrozenxid_age. |
| Frozen XIDs Age by DB | A grouping of plixercomponentipaddress, postgresql_datname trending max_postgresql_datfrozenxid_age. Information Elements: plixercomponentipaddress, postgresql_datname, postgresql_datfrozenxid_age. |
| Memory | A grouping of Server trending Available. Information Elements: plixercomponentipaddress, plixermemavailablebytes. |
| Memory per process | A grouping of Process trending Shared, Resident, Virtual. Information Elements: processcommandline, processresidentmemorysize, processsharedmemorysize, processvirtualmemorysize. |
| ML Engine Heartbeat | A grouping of ML Engine, Plixer Server, Type, Status trending Response Time, Data Age. Information Elements: plixercomponentipaddress, plixerexporteripv6address, plixerheartbeattype, plixerheartbeatstatus, dataageseconds, plixereventdurationmilliseconds. |
| ML Engine Index Document Count | A grouping of ML Engine, Elasticsearch Index trending Avg Count. Information Elements: plixercomponentipaddress, plixermlelasticsearchindexname, plixermlelasticsearchindexcount. |
| ML Engine Kafka Lag | A grouping of ML Engine, Kafka Topic trending Avg Lag. Information Elements: plixercomponentipaddress, plixermlkafkatopicname, plixermlkafkalag. |
| ML Engine Model Count | A grouping of ML Engine trending Avg Model Count. Information Elements: plixercomponentipaddress, plixermlmodelfilecount. |
| PG Lock Count | A grouping of Collector trending Locks. Information Elements: exporteripv4address, postgresql_locks. |
| Replicator Exporter Stats | A grouping of Replicator, Exporter, Receiving Port trending Packets Received, Bytes Received. Information Elements: plixercomponentipaddress, replicator_exporteraddress, replicator_exporterreceivingport, replicator_exporteroctetdeltacount, replicator_exporterpktdeltacount. |
| Replicator Exporter to Collectors | A grouping of Replicator, Exporter, Exporter Port, Collector, Collector Port trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_exporteraddress, replicator_exporterreceivingport, replicator_collectoraddress, replicator_collectorport, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Replicator Input by Listening Port | A grouping of Replicator, Listening Port trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_exporterreceivingport, replicator_exporteroctetdeltacount, replicator_exporterpktdeltacount. |
| Replicator Input by Replicator | A grouping of Replicator trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_exporteroctetdeltacount, replicator_exporterpktdeltacount. |
| Replicator Output by Collector | A grouping of Replicator, Collector, Collector Port trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_collectoraddress, replicator_collectorport, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Replicator Output by Listening Port | A grouping of Replicator, Listening Port trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_exporterreceivingport, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Replicator Output by Profile | A grouping of Replicator, Profile trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_profilename, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Replicator Output by Replicator | A grouping of Replicator trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Replicator Profiles to Collectors | A grouping of Replicator, Profile, Collector, Collector Port trending Packets, Bytes. Information Elements: plixercomponentipaddress, replicator_profilename, replicator_collectoraddress, replicator_collectorport, replicator_collectoroctetdeltacount, replicator_collectorpktdeltacount. |
| Report Request Time | A grouping of Server, reportrequestid, Report Type trending duration. Information Elements: plixercomponentipaddress, reportrequestid, reporttype, plixereventdurationmilliseconds. |
| Report Type Data Time | A grouping of Report Type trending Count, Min Dur., Avg Dur., Max Dur. Information Elements: reporttype, plixeraggregatedrecordcount, plixereventdurationmilliseconds. |
| Report Type Query Time | A grouping of Report Type trending Count, Min Dur., Avg Dur., Max Dur. Information Elements: reporttype, plixeraggregatedrecordcount, plixereventdurationmilliseconds. |
| Rollup Counts | A grouping of Exporter, Message Info trending Max Rows. Information Elements: plixerexporterid, message_info, plixerrowcount. |
| Rollup Data Ages | A grouping of Exporter, Template trending Min, Avg, Max. Information Elements: plixerexporterid, plixertemplateid, plixerdataageseconds. |
| Spool Counts | A grouping of Collector, Directory trending Spool Mins. Information Elements: exporteripv4address, plixerstoragedrive, plixerspoolcount. |
| Storage | A grouping of Server, Drive/Mount trending Avail Bytes. Information Elements: plixercomponentipaddress, plixerstoragedrive, plixerstorageavailablebytes. |
| Stream Age | A grouping of Collector, Stream trending Min Age, Avg Age, Max Age. Information Elements: plixercomponentipaddress, plixertablename, plixerdataageseconds. |
| Stream Statistics | A grouping of Collector, Stream trending Data Age, Total Rows, Disk Used. Information Elements: plixercomponentipaddress, plixertablename, plixerdataageseconds, plixerrowcount, plixerstorageusedbytes. |
| Syslogs | A grouping of Agent trending Processed, Received. Information Elements: exporteripv4address, plixersyslogsprocessed, plixersyslogsreceived. |
| Task Runtime | A grouping of Server, Task trending Count, Min Dur., Avg Dur., Max Dur. Information Elements: plixercomponentipaddress, plixertaskname, plixeraggregatedrecordcount, plixereventdurationmilliseconds. |
| Totals / Rollups Times | A grouping of Exporter, Template, Event, Interval trending Min Rows, Avg Rows, Max Rows, Min Dur., Avg Dur., Max Dur. Information Elements: plixerexporterid, plixertemplateid, plixereventid, plixerdstintervallength, plixereventdurationmilliseconds, plixerrowcount. |
VMware DFW
| Report | Description |
|---|---|
| Destination IP, vNIC, FW Event | A grouping of Destination, UUID, vNIC, FW Event, Rule ID trending Flow Count, Packets, Bytes. Information Elements: destinationipaddress, vmuuid, vnicindex, firewallevent, ruleid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| Source IP, vNIC, FW Event | A grouping of Source, UUID, vNIC, FW Event, Rule ID trending Flow Count, Packets, Bytes. Information Elements: sourceipaddress, vmuuid, vnicindex, firewallevent, ruleid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
| UUID, vNIC, FW Event | A grouping of UUID, vNIC, FW Event, Rule ID trending Flow Count, Packets, Bytes. Information Elements: vmuuid, vnicindex, firewallevent, ruleid, octetdeltacount, packetdeltacount, plixeraggregatedrecordcount. |
VMware VDS
| Report | Description |
|---|---|
| Pairs with Tenants | A grouping of Source, Src Tenant, Dst Tenant, Destination, vxLan ID trending Packets, Bytes. Information Elements: sourceipaddress, tenantsourceipv4, tenantdestipv4, destinationipaddress, overlay_net_id, octetdeltacount, packetdeltacount. |
| Tenant Conversations | A grouping of Src Tenant, Src Tenant Port, Tenant Protocol, Dst Tenant Port, Dst Tenant, vxLan ID trending Packets, Bytes. Information Elements: tenantsourceipv4, tenantsourceport, tenantprotocol, tenantdestport, tenantdestipv4, overlay_net_id, octetdeltacount, packetdeltacount. |
| Top Destination | A grouping of Destination, Dst Tenant, Egress Attribute, vxLan ID trending Packets, Bytes. Information Elements: destinationipaddress, tenantdestipv4, egressinterfaceattr, overlay_net_id, octetdeltacount, packetdeltacount. |
| Top Interfaces | A grouping of Ingress Interface, vxLan ID trending Packets, Bytes. Information Elements: ingressinterfaceattr, overlay_net_id, octetdeltacount, packetdeltacount. |
| Top Source | A grouping of Source, Src Tenant, Ingress Attribute, vxLan ID trending Packets, Bytes. Information Elements: sourceipaddress, tenantsourceipv4, ingressinterfaceattr, overlay_net_id, octetdeltacount, packetdeltacount. |
Volume Reports
| Report | Description |
|---|---|
| Availability | A grouping of Time Stamp, Total trending . Information Elements: goodtime, total, . |
| Flow Volume | Flow rate. As a volume report, the table represents values per time bucket. |
| Host Count (dst) | The number of distinct destination hosts. As a volume report, the table represents values per time bucket. |
| Host Count (src) | The number of distinct source hosts. As a volume report, the table represents values per time bucket. |
| Pair Volume | The number of distinct source/destination pairs. As a volume report, the table represents values per time bucket. |
| Round Trip Time | A grouping of Time Stamp, Total trending . Information Elements: goodtime, total, . |
| Traffic Volume | Utilization in bits or bytes along with peak values and 95th percentile. As a volume report, the table represents values per time bucket. |
Wireless Reports
| Report | Description |
|---|---|
| Applications by Wireless Host | A grouping of Host(s), Application trending Packets, octets. Information Elements: staipv4address, applicationtag, octetdeltacount, packetdeltacount. |
| Applications by Wireless Host with DSCP | A grouping of Host(s), Application, DSCP, Post DSCP trending Packets, octets. Information Elements: staipv4address, applicationtag, ipdiffservcodepoint, postipdiffservcodepoint, octetdeltacount, packetdeltacount. |
| Applications Downstream | A grouping of Application trending Avg. Pkt. Size, Packets, octets. Information Elements: applicationtag, avgpacketsize, octetdeltacount, packetdeltacount. |
| Applications Upstream | A grouping of Application trending Avg. Pkt. Size, Packets, octets. Information Elements: applicationtag, avgpacketsize, octetdeltacount, packetdeltacount. |
| Clients per AP | A grouping of AP trending Clients. Information Elements: wtpmacaddress, stamacaddress. |
| Clients per SSID | A grouping of WLAN SSID trending Clients. Information Elements: wlanssid, stamacaddress. |
| Hosts by SSID | A grouping of Host(s), WLAN SSID trending Packets, octets. Information Elements: staipv4address, wlanssid, octetdeltacount, packetdeltacount. |
| Hosts with MAC | A grouping of Host(s), STA Mac Addr, AP Mac Addr trending Packets, octets. Information Elements: staipv4address, stamacaddress, wtpmacaddress, octetdeltacount, packetdeltacount. |
| Hosts with User Name | A grouping of Source, User Name(s) trending Packets, Bytes. Information Elements: staipv4address, staipname, octetdeltacount, packetdeltacount. |
| Host to Host with AP Mac | A grouping of Source, Destination, AP Mac Addr trending Packets, octets. Information Elements: sourceipaddress, destinationipaddress, wtpmacaddress, octetdeltacount, packetdeltacount. |
| Host to Host with SSID | A grouping of Source, Destination, WLAN SSID trending Packets, octets. Information Elements: sourceipaddress, destinationipaddress, wlanssid, octetdeltacount, packetdeltacount. |
| SSID List | A grouping of WLAN SSID trending Packets, octets. Information Elements: wlanssid, octetdeltacount, packetdeltacount. |
| Usage by SSID and AP | A grouping of AP MAC, WLAN SSID trending Packets, octets, Clients. Information Elements: wtpmacaddress, wlanssid, octetdeltacount, packetdeltacount, staipv4address. |
| Usage by SSID and AP (Src IP) | A grouping of AP MAC, WLAN SSID trending Packets, octets, Clients. Information Elements: wtpmacaddress, wlanssid, octetdeltacount, packetdeltacount, sourceipaddress. |
| User and Controller Details | A grouping of AP MAC, Source, User Name(s), WLAN SSID trending Packets, octets. Information Elements: wtpmacaddress, staipv4address, staipname, wlanssid, octetdeltacount, packetdeltacount. |
Ziften
| Report | Description |
|---|---|
| App Details | A grouping of Application, Version, App Description, Internal Name, File Name, CMD, MD5 trending Flows, Bytes. Information Elements: zflowverproductname, zflowverproductversion, zflowverfiledescription, zflowverinternalname, zflowveroriginalfilename, zflowcommandline, zflowmd5, octetdeltacount, plixeraggregatedrecordcount. |
| Base File and User | A grouping of User Name, Base File, OS trending Flows, Bytes. Information Elements: username, zflowparentimagebasefilename, zflowosname, octetdeltacount, plixeraggregatedrecordcount. |
| Command Line by Src | A grouping of Source, Command Line, PID trending Flows, Bytes. Information Elements: sourceipaddress, zflowcommandline, zflowpid, octetdeltacount, plixeraggregatedrecordcount. |
| Machine Details | A grouping of Machine, User Name, MD5, OS Name, OS Version, Agent UUID trending Flows, Bytes. Information Elements: zflowmachinename, username, zflowmd5, zflowosname, zflowosversion, zflowagentguid, octetdeltacount, plixeraggregatedrecordcount. |
| Machines | A grouping of Machine trending Flows, Bytes. Information Elements: zflowmachinename, octetdeltacount, plixeraggregatedrecordcount. |
| MD5 | A grouping of Parent MD5, Parent Product Name, MD5, zflowverproductname trending Flows. Information Elements: zflowparentmd5, zflowparentverproductname, zflowmd5, zflowverproductname, plixeraggregatedrecordcount. |
Zscaler ZIA

| Report | Description |
|---|---|
| Data Center | A grouping of zsc_data_center, zsc_dns_app_cat trending sum_plixeraggregatedrecordcount. Information Elements: zsc_data_center, zsc_dns_app_cat, plixeraggregatedrecordcount. |
| Pairs By Application | A grouping of Client Tunnel IP, Client Hostname, Source Address, Application, Destination Address trending Ingress Octet Count, Egress Octet Count. Information Elements: zsc_client_tun_ip, zsc_cc_device_hostname, sourceipaddress, applicationid, destinationipaddress, egress_octetdeltacount, ingress_octetdeltacount. |
| Rules | A grouping of zsc_rule_name, zsc_rule_action trending Ingress, Egress. Information Elements: zsc_rule_name, zsc_rule_action, egress_octetdeltacount, ingress_octetdeltacount. |
| Server Categories | A grouping of zsc_server_ip_category, zsc_rule_name trending sum_plixeraggregatedrecordcount. Information Elements: zsc_server_ip_category, zsc_rule_name, plixeraggregatedrecordcount. |
| Threats | A grouping of zsc_cc_device_hostname, zsc_threat_name, zsc_threat_score, zsc_threat_severity trending Ingress Octet Count, Egress Octet Count. Information Elements: zsc_cc_device_hostname, zsc_threat_name, zsc_threat_score, zsc_threat_severity, egress_octetdeltacount, ingress_octetdeltacount. |
| Traffic by Tunnel IP | A grouping of zsc_client_tun_ip trending sum_egress_octetdeltacount, sum_ingress_octetdeltacount. Information Elements: zsc_client_tun_ip, egress_octetdeltacount, ingress_octetdeltacount. |
Zscaler ZPA

| Report | Description |
|---|---|
| App Connector: Interfaces Received | A grouping of App Connector, Interface Default Route, Num Interfaces trending Bytes Received, Packets Received, Discards Received, Errors Received, Total Bytes Received. Information Elements: zsc_app_connector_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_received_interface, zsc_discards_received_interface, zsc_errors_received_interface, zsc_packets_received_interface, zsc_total_bytes_received. |
| App Connector: Interfaces Transmitted | A grouping of App Connector, Interface Default Route, Num Interfaces trending Bytes Transmitted, Packets Transmitted, Discards Transmitted, Errors Transmitted, Total Bytes Transmitted. Information Elements: zsc_app_connector_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_transmitted_interface, zsc_discards_transmitted_interface, zsc_errors_transmitted_interface, zsc_packets_transmitted_interface, zsc_total_bytes_transmitted. |
| App Connector Status | A grouping of Name, Start Time, Private IP, ZEN, Group, Customer, Country, Session Status, Default Route GW, Primary DNS, CPU, Memory, Services Monitored trending Count. Information Elements: zsc_app_connector_name, zsc_app_connector_start_time, zsc_app_connector_private_ip, zsc_app_connector_zen, zsc_app_connector_group, zsc_app_connector_customer, zsc_app_connector_country, zsc_app_connector_session_status, zsc_app_connector_def_route_gw, zsc_app_connector_primary_dns_resolver, processpercentcpu, processpercentmemory, zsc_app_connector_service_count, plixeraggregatedrecordcount. |
| Browser Access | A grouping of Username, Client IP, Client port, Host, URL, Application port, Protocol, Status code, User Agent trending Count. Information Elements: username, zsc_client_ip, destinationtransportport, zsc_cc_device_hostname, urlpath, zsc_application_port, requestprotocol, httpstatuscode, useragent, plixeraggregatedrecordcount. |
| Private Cloud Controller: Interfaces Received | A grouping of Private Cloud Controller, Interface Default Route, Num Interfaces trending Bytes Received, Packets Received, Discards Received, Errors Received, Total Bytes Received. Information Elements: zsc_private_cc_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_received_interface, zsc_discards_received_interface, zsc_errors_received_interface, zsc_packets_received_interface, zsc_total_bytes_received. |
| Private Cloud Controller: Interfaces Transmitted | A grouping of Private Cloud Controller, Interface Default Route, Num Interfaces trending Bytes Transmitted, Packets Transmitted, Discards Transmitted, Errors Transmitted, Total Bytes Transmitted. Information Elements: zsc_private_cc_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_transmitted_interface, zsc_discards_transmitted_interface, zsc_errors_transmitted_interface, zsc_packets_transmitted_interface, zsc_total_bytes_transmitted. |
| Private Cloud Controller Status | A grouping of Name, Start Time, Private IP, ZEN, Group, Customer, Country, Session Status, Default Route GW, Primary DNS, CPU, Memory trending Count. Information Elements: zsc_private_cc_name, zsc_private_cc_start_time, zsc_app_connector_private_ip, zsc_app_connector_zen, zsc_private_cc_group, zsc_app_connector_customer, zsc_app_connector_country, zsc_app_connector_session_status, zsc_app_connector_def_route_gw, zsc_app_connector_primary_dns_resolver, processpercentcpu, processpercentmemory, plixeraggregatedrecordcount. |
| Private Service Edge: Interfaces Received | A grouping of Private Service Edge, Interface Default Route, Num Interfaces trending Bytes Received, Packets Received, Discards Received, Errors Received, Total Bytes Received. Information Elements: zsc_private_service_edge_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_received_interface, zsc_discards_received_interface, zsc_errors_received_interface, zsc_packets_received_interface, zsc_total_bytes_received. |
| Private Service Edge: Interfaces Transmitted | A grouping of Private Service Edge, Interface Default Route, Num Interfaces trending Bytes Transmitted, Packets Transmitted, Discards Transmitted, Errors Transmitted, Total Bytes Transmitted. Information Elements: zsc_private_service_edge_name, interfacename, zsc_app_connector_num_interfaces, zsc_bytes_transmitted_interface, zsc_discards_transmitted_interface, zsc_errors_transmitted_interface, zsc_packets_transmitted_interface, zsc_total_bytes_transmitted. |
| Private Service Edge Status | A grouping of Name, Start Time, Private IP, ZEN, Group, Customer, Country, Session Status, Default Route GW, Primary DNS, CPU, Memory trending Count. Information Elements: zsc_private_service_edge_name, zsc_private_service_edge_start_time, zsc_app_connector_private_ip, zsc_app_connector_zen, zsc_private_service_edge_group, zsc_app_connector_customer, zsc_app_connector_country, zsc_app_connector_session_status, zsc_app_connector_def_route_gw, zsc_app_connector_primary_dns_resolver, processpercentcpu, processpercentmemory, plixeraggregatedrecordcount. |
| User Activity | A grouping of Username, Client IP, Country, City, Application, Application port, Destination, IP Protocol, Platform, Status trending Count. Information Elements: username, zsc_client_ip, zsc_app_connector_country, zsc_data_center_city, applicationname, zsc_application_port, destinationipaddress, protocolidentifier, zsc_app_connector_platform, zsc_connection_status, plixeraggregatedrecordcount. |