Definitions#

The Admin > Definitions page contains management views for the various user-defined elements and groupings used by the Scrutinizer system.

Autonomous Systems (AS)#

The Admin > Definitions > Autonomous Systems (AS) page lists all defined autonomous systems along with their autonomous system numbers (ASN) and any provided descriptions.

Clicking on an AS name opens an activity summary view with the following visualized information (split into source and destination tabs):

  • Activity over time

  • Top applications

  • Top source hosts

  • Top destination hosts

Hint

  • The period of time covered by the summary (default: last 15 minutes) can be adjusted by clicking the time range (calendar) button.

  • Clicking the graph (report shortcut) button in a top applications or top hosts chart runs the corresponding report type with the appropriate AS filters already applied.

Host Names#

The Definitions > Host Names page can be used to assign static (non-expiring) names to host IP addresses, or to create subnet labels for use in reports.

The main view lists the following details for all current name definitions:

  • Host name

  • Domain

  • IP address

  • Description (if provided)

  • DNS resolution status (see below)

Clicking on a host name opens the settings tray, where the name, domain, description or DNS status can be edited.

Adding a host name assignment

To add a new host name definition, follow these steps:

  1. Click the add (+) button to open the configuration tray.

  2. Configure the following details:

    • IP address

    • Name to assign

    • Domain

    • Description (optional)

  3. Select one of the following DNS resolution statuses from the dropdown:

    • Current: Resolution or resolution attempt completed, and the name will expire as specified by the retention setting under Admin > Settings > DNS

    • Queued: Ready for resolution; can be set to force DNS resolution again

    • Never: DNS resolution will never be attempted, and the name will not expire; used for assignments that are manually added and should be permanent

  4. Click Save.

After the definition has been saved, it will be added to the list in the main view and can be further modified at any time.

Note

Host name definitions can also be imported using the scrut_util import command.

Deleting definitions

To delete a host name definition, select one or more items using the checkboxes in the main view, and then use the Delete option in the Bulk Actions menu.

IP Groups#

The Definitions > IP Groups page can be used to create and manage IP group definitions, which can be leveraged when running reports, applying filters, or defining inclusions/exclusions for various functions.

The main view lists the following details for all IP groups currently defined:

  • Group type/locality (internal or external)

  • Group name

  • Child groups

  • Inclusion rules

Clicking on a group name opens the settings tray, where the group’s name, type, and rules can be edited. If the group belongs to a parent group or includes child groups, its hierarchy tree can also be viewed in this tray.

Adding a new IP group

To add/create a new IP group, follow these steps:

  1. Click the add (+) button to open the Add IP Group tray.

  2. Enter a name for the group.

  3. Select whether the group is internal or external from the IP Group Type dropdown.

  4. Click Save.

  5. In the main view, click the newly created IP group to open the configuration tray.

  6. Expand the Rules section of the tray, and then click the (+) button to add a new rule.

  7. In the secondary tray, select the rule type (IP address, subnet, etc.) to add.

  8. Enter the details required for the rule in the additional fields.

  9. Click Add to save the rule.

Repeat steps 6 - 9 to define additional membership rules for the group. Settings for existing IP groups can be further modified at any time.

Note

  • IP group definitions can also be imported using the scrut_util import command.

  • If the rules of two or more IP groups overlap, a host is automatically assigned to the group whose matching rule defines the narrowest range of addresses (for example, a host covered by both a /16 rule in one group and a /24 rule in another belongs to the group with the /24 rule).

  • The locality (internal or external) of an IP group has multiple uses, including determining traffic directionality (e.g., internal->internal, external->internal, etc.) for Flow Analytics (FA) detections and defining inclusion and exclusion filters for report data sources. The designation also allows addresses to be quickly identified as internal or external when viewing host details. Because detection directionality and report filtering depend on it, internal IP group rules should be kept complete and accurate as address space changes.
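As an added illustration of the two notes above (example code written for this page, not part of the Scrutinizer product or its documentation), the following Python resolves a host to the IP group whose matching rule is narrowest and then derives flow directionality from the groups' locality. The group names and address ranges are constructed for the example; treating a host that matches no group as external, and letting the first group win when two rules have the same prefix length, are assumptions of the example rather than documented product behavior.

```python
"""Worked example of IP-group membership resolution and directionality.

Mirrors the documented rule that a host in overlapping groups belongs to
the group whose rule covers the narrowest address range, then uses the
winning group's locality (internal/external) to label a flow's direction.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPGroup:
    name: str
    locality: str                       # "internal" or "external"
    rules: list = field(default_factory=list)  # CIDR strings or single IPs


# Constructed example groups (not from the page); the internal ranges
# deliberately overlap so the narrowest-rule behavior is visible.
GROUPS = [
    IPGroup("Corp-LAN", "internal", ["10.0.0.0/8"]),
    IPGroup("Server-VLAN", "internal", ["10.20.0.0/16"]),
    IPGroup("DB-Cluster", "internal", ["10.20.5.0/24", "10.20.6.10"]),
    IPGroup("Partner-VPN", "external", ["203.0.113.0/24"]),
]


def _networks(group):
    """Parse a group's rules into network objects (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(rule, strict=False) for rule in group.rules]


def resolve_group(ip, groups=GROUPS):
    """Return the IPGroup whose narrowest matching rule contains ip, or None.

    A longer prefix length means a narrower range, so the rule with the
    largest prefixlen wins. Ties keep the first group encountered
    (assumption for this example).
    """
    addr = ipaddress.ip_address(ip)
    best = None  # (prefixlen, group)
    for group in groups:
        for net in _networks(group):
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, group)
    return best[1] if best else None


def locality(ip, groups=GROUPS):
    """Locality of a host from its resolved group.

    Assumption for this example: a host matching no group is external.
    """
    group = resolve_group(ip, groups)
    return group.locality if group else "external"


def directionality(src, dst, groups=GROUPS):
    """Label a flow as internal->internal, external->internal, etc."""
    return f"{locality(src, groups)}->{locality(dst, groups)}"


if __name__ == "__main__":
    for host in ("10.20.5.7", "10.20.6.10", "10.20.9.1", "10.3.1.1", "198.51.100.1"):
        group = resolve_group(host)
        print(host, "->", group.name if group else "(no group)")
    print(directionality("10.20.5.7", "203.0.113.9"))
```

Running the script shows 10.20.5.7 landing in DB-Cluster rather than Server-VLAN or Corp-LAN even though all three groups' rules contain it, which is the narrowest-range rule in action; the single-address rule 10.20.6.10 wins over the /16 for the same reason.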

Bulk actions

When one or more IP groups are selected using the checkboxes, the following batch operations become available via the Bulk Actions button:

  • Adding new rules to all selected IP groups

  • Deleting all selected IP groups

Well-Known Ports#

The Definitions > Well-Known Ports page can be used to create and manage well-known port definitions for Scrutinizer.

The main view lists the following details for all current definitions:

  • Name assigned to the well-known port

  • Port

  • IP protocol

  • Description (if provided)

Clicking on a well-known port name opens the settings tray, where the name or optional description can be edited.

Adding a well-known port

To define a new well-known port, follow these steps:

  1. Click the add (+) button to open the configuration tray.

  2. Configure the following details for the well-known port:

    • Name

    • Port

    • IP protocol

    • Description (optional)

  3. Click Save to save the definition.

After the well-known port definition has been saved, it will be added to the list in the main view and can be further modified at any time.

Deleting well-known ports

To delete a well-known port definition, select one or more items using the checkboxes in the main view, and then use the Delete option in the Bulk Actions menu.