Settings#

The Admin > Settings page provides access to global settings for Scrutinizer’s core functions and behavior.

AI Settings#

The Admin > Settings > AI Settings tray can be used to enable the web interface’s embedded AI assistant, which can facilitate reporting and UI navigation.

Added in version 19.7.0: This feature requires Plixer One Core or Enterprise. Please contact Plixer Technical Support for a new license key.

Custom API providers#

To use a custom AI API provider (must be OpenAI-compatible) instead of the Plixer agent:

  1. Select the Custom API option.

  2. Enter the URL and API key for the AI server.

  3. Click the Load Models button, and then use the dropdowns to select the Model ID and Embedding Model ID for the LLM to use.

After the custom API details have been added, click the Save button to save and apply the new settings.

Reporting via AI#

The Plixer AI assistant can run the following report types by leveraging the Scrutinizer reporting API:

  • Host-to-host conversation analysis

  • Host-to-host traffic flow details

  • IP group to IP group conversations

  • Top applications by traffic volume

  • Country-to-country traffic analysis

  • Top source hosts (traffic originators)

  • Top destination hosts (traffic receivers)

  • Traffic analysis by source country

  • Traffic analysis by destination country

  • Protocol usage

  • Interface utilization

  • Destination Autonomous System analysis

  • Port usage analysis

  • Client-server byte analysis

For more information on Scrutinizer report types, see this appendix.

Supported filters#

The following filters (include/exclude) can also be applied when running the above reports:

  • Source/destination filters:

    • IPs

    • Country code

    • Domains

    • IP Groups

    • Subnets

  • Device filters:

    • Device IP/name

    • Device group

    • Interface

  • Application and protocol filters:

    • App ID/name

    • App NBAR ID/name

    • Destination ports

    • Protocol ID/name


Alarm Notifications#

The Admin > Settings > Alarm Notifications tray contains the following settings:

Hostnames

Enable to display device, target, and violator hostnames (when available) instead of IP addresses in alarm messages

Flow Inactivity

Enables Flow Inactivity alarms for devices that have not received flows in the last 30 minutes

Alarm Many Crop

Maximum number of devices, targets, and violators to display in alarm messages

Interface Threshold Violations

Enables Interface Threshold Violation alarms when utilization (in or out) for any interface exceeds the Threshold - Utilization value specified in the Admin > Settings > System Preferences tray

Hint

Notification profiles can be assigned to the Flow Inactivity and Interface Threshold Violation alarm policies to trigger custom notification actions for violations.

Important

If flow inactivity and interface threshold violation notifications are disabled from this tray, Flow Inactivity and Interface Threshold Violation alarm policy violations will not be reported or saved, even if the policies are set to the Active or Store state.


Collector Settings#

The Admin > Settings > Collector Settings tray contains the following settings:

Resolve Hosts at Collection Time

Forces DNS name resolution for every host seen when flows are collected (only necessary for Flow Analytics domain exclusions and Rev 2nd level domain reports)
*Note: Enabling this feature may result in significant latency at high flow volumes. For assistance, contact Plixer Technical Support.

Auto SNMP Update

Enables re-discovery of SNMP devices at 1:00 am every day.

Low Resource Fallback Cooldown Period

Amount of time (in seconds) to wait between low resource fallback “stages” (to prevent unwarranted feature or exporter pausing)

Low Resource Fallback Exporter Chunk Size

Number of exporters to pause or resume as a group when required for low resource fallback or recovery

Allowed Flow Rate Multiplier Percent

Multiplier (as a percentage of the maximum supported flow rate) below which low resource fallback is not immediately triggered, allowing brief spikes in flow rate to be absorbed
*Note: Sustained flow rates exceeding 100% of the rated limit may result in stability issues.

Low Resource Fallback Mode

Select one of three modes to define Scrutinizer’s low resource fallback behavior

Listener Port

Ports that will be used to listen for NetFlow or sFlow traffic (comma-separated)

Important

In distributed environments, these settings will be applied to all collectors in the cluster.


DNS#

The Admin > Settings > DNS tray contains the following settings:

DNS Cache Retention

Number of days to retain DNS names (0-365, 0 = never retain)

DNS Timeout

Maximum time (in seconds) to wait for DNS name resolution


Data History#

The Admin > Settings > Data History tray contains the following settings:

Auto-Acknowledge Alarms

Number of days before alarms/events are automatically acknowledged

Alarm Retention Days

Maximum number of days that alarm/event data will be retained

Alarm Retention Size

Maximum amount of disk space (in MB) that can be used for alarm/event data before older records are deleted

Audit Log Keep Duration

Number of months audit logs will be retained

Auto History Trimming

Enables automatic trimming of older historical records based on the specified Minimum Percent Free Disk before Trimming setting
(Overrides history retention settings)

Days of DNS Request Data

Number of days (0 - 365) to retain DNS request data

Minimum Percent Free Disk before Trimming

Minimum amount of free storage to maintain when Auto History Trimming is enabled

Flow Historical 1 Min Avg

Number of hours to retain 1-minute summary tables (totals) of conversation data, as well as alarm/event data

Flow Historical 5 Min Avg

Number of hours to retain 5-minute summary tables (averages) of conversation data

Flow Historical 30 Min Avg

Number of days to retain 30-minute summary tables (averages) of conversation data

Flow Historical 2 Hr Avg

Number of days to retain 2-hour summary tables (averages) of conversation data

Flow Historical 12 Hr Avg

Number of weeks to retain 12-hour summary tables (averages) of conversation data

Flow Maximum Conversations

Number of top conversations to save for busy devices

Note

  • When Auto History Trimming is enabled, 1m and 5m historical tables are trimmed to maintain the value specified in Minimum Percent Free Disk before Trimming. Automatic trimming is also used to retain a similar level of historical data for all configured exporters.

  • Assigning a value of 0 to historical flow data retention settings under Data History will not disable retention of the corresponding data table.

Disk calculator#

Clicking the calculator icon in the data history settings tray opens the database size calculator, which can be used to view current and predicted storage use based on a specified set of conversation history retention settings.

In the calculator, enter the desired retention time for each flow data history interval (1m, 5m, etc.), and then click the check button. Current and predicted disk usage for each interval will then be displayed by collector, along with the predicted total disk space required for the current retention settings.

Note

  • Disk usage for other elements/functions, such as system metadata, alarm/event data retention, and host indexing are factored into these calculations. A 10% buffer for the operating system is also included.

  • All calculations/predictions are based on the system’s current settings and collection parameters (flow volume/rate, templates, etc.).


Flow Analytics Settings#

The following global settings for Flow Analytics can be modified from the Admin > Settings > Flow Analytics Settings tray:

Auto Enable Defender

Enables automatic inclusion of FlowPro Defenders for the appropriate FA algorithms

Jitter by Interface

Packet delay variance (in ms) threshold used for record highlighting in Status reports

Latency

Latency threshold (in ms) used for record highlighting in Status report

Share Violations

Share violation details for cyber attacks originating from Internet IP addresses with Plixer to continuously improve host reputation records

Top Algorithm Devices

Sets whether Top X algorithms are automatically run against all devices or only manually defined inclusions

Hint

Configuration options for individual Flow Analytics algorithms can be accessed from the Flow Analytics Configuration page.


Global Authentication Settings#

The Admin > Settings > Global Authentication Settings tray contains the following global settings related to user credentials and logins:

Failed Login Max

Maximum number of failed logins before a user account is locked (0 = disabled)

Failed Login Window

Length of time (in minutes) within which failed logins will count towards the maximum allowed

Minimum Unique Passwords

Number of previous passwords that a local Scrutinizer user cannot reuse when changing their password

Session Timeout

Maximum time (in minutes) a Scrutinizer web session can remain idle before the user is forcibly logged out (0 = disabled)
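The three settings above interact: failures only count towards Failed Login Max while they fall inside the Failed Login Window, and a value of 0 disables the lockout or the idle timeout entirely. The following is an added illustration of those semantics as a sliding-window policy, not Scrutinizer's own implementation; timestamps are plain minute counts so it runs without a clock.

```python
from collections import deque


class LoginPolicy:
    """Sliding-window lockout plus idle-session timeout (illustrative model).

    failed_login_max:    failures before the account is locked (0 = disabled)
    failed_login_window: minutes within which failures are counted
    session_timeout:     idle minutes before forced logout (0 = disabled)
    All times are minutes from an arbitrary epoch, supplied by the caller.
    """

    def __init__(self, failed_login_max, failed_login_window, session_timeout):
        self.failed_login_max = failed_login_max
        self.failed_login_window = failed_login_window
        self.session_timeout = session_timeout
        self._failures = {}   # user -> deque of failure timestamps (minutes)
        self._locked = set()

    def _prune(self, user, now):
        """Drop failures older than the window and return the live deque."""
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > self.failed_login_window:
            q.popleft()
        return q

    def record_failure(self, user, now):
        """Register a failed login; return True if the account is now locked."""
        q = self._prune(user, now)
        q.append(now)
        # A maximum of 0 means the lockout mechanism is switched off
        if self.failed_login_max and len(q) >= self.failed_login_max:
            self._locked.add(user)
        return user in self._locked

    def is_locked(self, user):
        return user in self._locked

    def record_success(self, user):
        """A successful login clears the failure history (lock state is
        deliberately left alone; unlocking is an administrative action)."""
        self._failures.pop(user, None)

    def session_expired(self, last_activity, now):
        """True if an idle web session has exceeded the timeout."""
        if self.session_timeout == 0:
            return False
        return now - last_activity > self.session_timeout
```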


Google Maps Proxy Server#

The Admin > Settings > Google Maps Proxy Server tray is used to configure a proxy server to allow Scrutinizer to access the Internet and make Google Maps geolocation requests.

The following details must be provided:

  • Username and password for authentication with the proxy server

  • Proxy domain name

  • Port used by the proxy server

  • IP address or hostname (absolute URL) of the proxy server to use for geolocation requests


Login Banner#

Text entered in the following fields of the Admin > Settings > Login Banner tray will be displayed at the specified location on the web interface login page:

  • Above the username input field

  • Below the Login button


ML AD Users#

The Admin > Settings > ML AD Users tray is used to add a Microsoft Azure account to enable AD Users UEBA integration. The account must be configured to store Active Directory user sign-in logs.

After entering the account name and key, click the Apply button to save the details and enable UEBA detections/alerts.


ML Alerts#

The Admin > Settings > ML Alerts tray can be used to adjust the CPU/RAM/DISK utilization and Kafka streaming latency alarm thresholds for the Plixer ML Engine. Sensitivity settings for detections related to Office 365 activity can also be modified from this tray.

After making changes, click the Apply button to save and apply the new settings.

For further details, see this section of the ML Engine configuration guide.


ML Data Limits#

The Admin > Settings > ML Data Limits tray can be used to modify the limits for the number of models and the number of included hosts/subnets used by the Plixer ML Engine for learning network and user behavior patterns and making predictions.

After making changes, click the Apply button to save and apply the new settings.

For further details, see this section of the ML Engine configuration guide.

Note

Increasing any of the model or IP maximums in this tray may require allocating additional resources to the ML Engine appliance.


ML Training Schedule#

The Admin > Settings > ML Training Schedule tray is used to set the business hours used for seasonality in the network behavior being observed by the Plixer ML Engine.

After entering the necessary details, click the Apply button to save and apply the new business hours.

For further details, see this section of the ML Engine configuration guide.

Note

The business hours used for network behavior seasonality are separate from the business hours applied when running reports, which are defined under Admin > Settings > Reporting.


Mapping Groups#

The Admin > Mapping Groups page can be used to create, configure, and manage device groups for network maps.

To learn more about this page’s functions, see this section on mapping group management.


Mapping Objects#

The Admin > Mapping Objects page can be used to manage mapping object properties and group membership. New custom objects can also be defined from this view.

To learn more about this page’s functions, see this section on mapping object management.


Reporting#

The Reporting tray contains the following options/settings, which are used to control how reports are run, displayed, and managed:

Push Data Aggregation

Enable to automatically aggregate data when temp tables are pushed to the primary report (distributed environments only).

Business Hours End

Ending hour of the business day (as an integer, e.g., 5 pm -> 17) to use in reports.

Business Hours Start

Starting hour of the business day (as an integer) to use in reports.

CSV Include All Rows

Enable to include all rows in report CSVs (instead of only the selected top X).

CSV Repository

Path to use for saving exported CSVs.

Max Aggregations from Data Source

Maximum number of aggregations from a single data source.

Target Graph Intervals

Maximum number of intervals that Scrutinizer will aim to plot in graphs.

Limit All Device Report Results

Limits the number of results returned when running All Devices reports to this value (0 = no limit).

Maximum Raw Flow Exporters

Maximum number of exporters/devices allowed as filters for a raw flows report.

Max Reports per Interval

Maximum number of scheduled email reports that can be set to run within the same minute.

Max Reports per Email

Maximum number of reports that can be sent in a single scheduled email report.
Note: Including too many reports in the same scheduled email may result in timeouts.

Max Report Processes

Maximum number of subprocesses (by time or by device) that a report will be divided into to reduce running time.

Display Others on Top

Allow or prevent report graphs from displaying other traffic above or below the top 10 results.

Display Raw MAC Addresses in Reports

When enabled, raw MAC addresses are displayed alongside other details in report results.

Use Alternative Times

If the observationtimeseconds field is included in a flow template, Scrutinizer will use it in place of intervaltime for reporting.

Use Host Index

Enables the use of the host index to limit the number of exporters/devices checked for Group and All Devices reports.

Saved Report Threshold Processes

Number of processes to fork when running report threshold checks.

Re-use Temp Tables

When enabled, reports will use temp tables whenever possible.

Report Caching Timeout

Number of minutes available reports will be kept cached.

Always Display Totals

Enable to always show totals in Status report results tables, even if the graph is set to show rates.

TOS Family

Sets the family/configuration of the Quality of Service or Type of Service implemented for the environment.

Note

The times entered for Business Hours End and Business Hours Start do not affect the seasonality of the Plixer ML Engine’s behavior monitoring/modeling functions for Plixer One Enterprise.


System Preferences#

The Admin > Settings > System Preferences tray contains the following general settings:

Disable File Upload

When enabled, files cannot be uploaded to the Scrutinizer server

Maximum Uploaded File Size in Bytes

Sets the maximum size allowed for uploaded files

Inactivity Threshold

Sets the number of minutes that the Explore > Exporters > By Interface view will display inbound and outbound activity details for inactive interfaces

Threshold - Utilization

Sets the interface utilization percentage (in or out) that will trigger an Interface Threshold Violation alarm

Inactive Expiration

Sets the number of hours (1 to 168) before an inactive interface is removed from the Explore > Exporters > By Interface view

LDAP Group Membership

Sets the schedule for syncing users between local user groups and LDAP Security Groups with the same name (Options: On Login, Nightly, Both, Disabled)

Logout URL

Redirects users to the specified URL after logout instead of the default /ui/login page (for third-party authentication)

Version Checking

When enabled, Scrutinizer will automatically connect to the Internet and check for updates

Beta Features

Enables/disables UI for all available beta features for the current version

Note

Interfaces that have been inactive past the Inactivity Threshold setting but not longer than the Inactive Expiration setting will be displayed with 0.00 b/s in their inbound and outbound columns.

Important

For users to be synced between a local user group and an LDAP Security Group, the two groups must have the exact same name, including any capitalization and punctuation.


System/New User Defaults#

The settings/options in the Admin > Settings > System/New User Defaults tray can be used to define the default system preferences applied to new user accounts:

Disable Welcome Modal

When ticked/enabled, hides the “Welcome to Scrutinizer” modal for new user logins

Language

Sets the default system language for new users

Theme

Sets the default system theme for new users

Slim Navigation

When ticked/enabled, uses a theme with slimmed-down containers and icons for navigation elements

Hint

Users can set their own language and theme by navigating to the Admin > Users & Groups > User Accounts page and editing the Preferences for their username/account.

Note

Technical support (including this documentation) is only available in English.


Thresholds#

The settings in the Admin > Settings > Thresholds tray can be used to adjust the percentage thresholds used to highlight interface utilization in different colors.

The default threshold values are as follows:

  • Yellow: 51%

  • Orange: 76%

  • Red: 90%

Note

These values are also used to highlight map connections representing interfaces. Connections representing saved reports can have their color thresholds defined separately.