Explore
The Explore views of the web interface can be used to quickly look up information on exporters, hosts, and other entities (users, applications, etc.) in the Scrutinizer environment.
This section covers the different functions and types of information that can be accessed via Explore views of the web interface.
Exporters
The Explore > Exporters tab can be used to look up information for all devices sending flows to Scrutinizer collectors.
The main view lists device status, traffic information, and other details either by interface (default) or by exporter and provides access to a summary tray for drilling into the corresponding alarm and host views. The left-hand mapping/device group pane can be used to apply filters and manage mapping group settings, membership and connections.
Interfaces view
The By Interface view lists the associated exporter as well as inbound and outbound activity details for each interface. A status icon indicates whether the exporter is available (green) or offline (red).
The following options can be accessed by clicking the exporter address/hostname, interface name, or three-dot menu in the table:
Reports: Run any report supported by the exporter
Information: Shows general interface information and links to the Admin > Interfaces management view filtered on the interface
Exporter: Opens the Alarms subtab of the host details view for the exporter
View Interface: Opens to the host details view for the interface
View Exporter Alarms: Opens the Alarm Monitor > Hosts view filtered on the exporter
Reset Highwater Inbound: Resets highwater mark data for inbound traffic
Reset Highwater Outbound: Resets highwater mark data for outbound traffic
Reset Highwater Both: Resets highwater mark data for both inbound and outbound traffic
Note
The Inbound and Outbound columns will display utilization percentage for any interfaces whose speeds are known (via SNMP or a custom setting). Otherwise, actual rates (in b/s) will be shown instead. Visualization options can also be manually set in the Options tray.
The bulk actions tray, which contains options to run applicable reports and reset highwater values, can be accessed after one or more exporters or interfaces are selected using the checkboxes.
Exporters view
The By Exporter view lists exporter hostnames/addresses alongside the following details:
Current status of the exporter (green: available, red: offline)
Number of mapping groups the exporter is assigned to
Number of interfaces associated with the exporter
Average packets per second over the last 12 hours
Average flows per second over the last 12 hours
Timestamp of the most recent flow received from the exporter
In this view, the following options can be accessed by clicking the exporter address/hostname or three-dot menu in the table:
Reports: Run any report supported by the exporter
Information: Shows general exporter information and links to the Admin > Exporters management view filtered on the exporter
Exporter: Opens the Alarms subtab of the host details view for the exporter
Interfaces: Switches to the By Interface view filtered on the exporter
Tags: View/manage custom tags for the device
Mapping: Edit object icon properties, mapping group membership, or location details for the exporter
Admin: Opens the Admin > Exporters management view (no filters applied)
View Exporter Alarms: Opens the Alarm Monitor > Hosts view filtered on the exporter
Note
Click the details in the Groups and Interfaces columns of the table to quickly access the corresponding options in the tray.
In the By Exporter view, the bulk actions tray contains options to run reports, add custom tags, and edit mapping details for all selected exporters.
Mapping group pane
The mapping group pane lists all current mapping/device groups and provides quick access to the following functions:
Run any report supported by the group’s devices/exporters
View the network map for the group
Apply a filter for the group’s exporters or interfaces to the main list/table (click the filters button for additional options)
Create a duplicate of the selected network map
In addition, the Modify option opens a tray where the settings, membership, or connections for the network map can be modified.
Entities
The Explore > Entities tab can be used to look up and inspect the individual data entities, both user-defined and discovered, that Scrutinizer monitors as part of network activity.
The page is divided into separate subtabs displaying the following details for each entity type:
Usernames
Host associated with the observation
Data source
Machine name (if available)
Timestamp when the username was first seen on the host
Timestamp when the username was last seen on the host
Applications Defined
Number of exporters the application was observed on
Total number of flows with data associated with the application
Average packet rate for activity involving the application
Average data transfer rate for activity involving the application
Hosts - Sources/Destinations/Pairs
Source and/or destination IP address(es)/hostname(s)
Number of exporters the source, destination, or pair was observed on
Total number of flows with data associated with the host(s)
Average packet rate for activity involving the host(s)
Average data transfer rate for activity involving the host(s)
Autonomous Systems - Sources/Destinations/Pairs
Source and/or destination autonomous system(s)
Number of exporters the source, destination, or pair was observed on
Total number of flows with data associated with the autonomous system(s)
Average packet rate for activity involving the autonomous system(s)
Average data transfer rate for activity involving the autonomous system(s)
IP Groups - Sources/Destinations/Pairs
Source and/or destination IP group(s)
Number of exporters the source, destination, or pair was observed on
Total number of flows with data associated with IP group(s)
Average packet rate for activity involving the IP group(s)
Average data transfer rate for activity involving the IP group(s)
Countries - Sources/Destinations/Pairs
Source and/or destination country/countries
Number of exporters the source, destination, or pair was observed on
Total number of flows with data associated with the country/countries
Average packet rate for activity involving the country/countries
Average data transfer rate for activity involving the country/countries
Protocols
Number of exporters the protocol was observed on
Total number of flows with data associated with the protocol
Average packet rate for activity involving the protocol
Average data transfer rate for activity involving the protocol
Clicking on an entity in any subtab opens a summary page (similar to the host traffic subview) that contains visualizations of the entity’s activity as well as report shortcuts for deeper investigations.
Note
Shortcut links to manage application definitions, protocol exclusions, and FA algorithm exclusion rules are included in the corresponding subtabs.
Search
The Explore > Search tab allows users to search the Scrutinizer host index to quickly verify whether or not a host has been seen on the network. Searches can be performed for either individual hosts or pairs (host to host). Simultaneous lookups for multiple hosts or pairs are also supported.
Important
To be able to search for hosts and host pairs, the corresponding indexing feature must be enabled.
The following are the available details displayed in the search results:
Host
Traffic direction (inbound, outbound, A > B, B > A, bidirectional)
First and last seen timestamps
Exporter/source of collected data
Bytes in and out
Packets in and out
Flows in and out
To show fewer details in search results, click the table button and untick the checkboxes for the columns to be hidden.
In the search results, drilling into a host will display a summary of its activity on the network. Clicking on a data source opens a tray that allows the user to quickly pivot to any supported report type.
Enabling host indexing
When host indexing is enabled, Scrutinizer will store records for all hosts that pass traffic on the network. Records for host pairs can also be stored (and searched through) by enabling host to host indexing as indicated below.
To enable host indexing:
Navigate to Admin > Alarm Monitor > Flow Analytics Algorithms.
Open the configuration tray for the Host Indexing algorithm.
Add sources/inclusions for the algorithm either individually or using security groups.
Hint
Recommended inclusions for host indexing are internal/core routers, edge routers, and public IP addresses that have been assigned to IP groups.
If there are sources (IP addresses/ranges, domains (by reverse DNS), IP groups, etc.) that should not be indexed, add them as exclusions.
Expand the Settings secondary tray to configure the following:
Days of Host Index Data Retention
Host Index Database
Host Indexing Domain Socket
Host Index Max Disk Space
Host Index Sync Interval Minutes
Host to Host Database
Window Limit
(Optional) Enter a database path in the Host to Host Database field to enable host pair indexing. To disable the feature, leave it blank.
Use the toggle to enable the algorithm and close the tray.
Once the algorithm has been configured and enabled, users can use the Explore > Search view to search the host or host pair (if enabled) index.
Hint
If the Use Host Index option (Admin > Settings > Reporting) is enabled, only exporters that a host has been seen on will be searched when data is aggregated for a report. This can significantly reduce the time it takes to run reports.
Resource requirements
When host indexing is enabled, additional resources may need to be allocated to the Scrutinizer collectors as described here.
Host index population from historical data
If host indexing is not immediately enabled after Scrutinizer is deployed, the database can be backfilled at a later date using historical data.
To populate the host index database from historical tables, follow these steps:
SSH to the Scrutinizer server as the plixer user.
Stop the host index service:
sudo systemctl stop scrutinizer-host-index
Run the following to populate the database using the specified historical data tables and time range/window:
host_index --db_config --verbose --populate_from_history --table_interval=INTERVAL_TABLE --date_start="<START_DATE_TIME>" --date_end="<END_DATE_TIME>"
where:
START_DATE_TIME and END_DATE_TIME must be formatted as YYYY-MM-DD HH:MM, with the time in 24-hour format (leading zeroes should be omitted).
INTERVAL_TABLE is an integer that specifies the aggregation interval tables and should be set to 1, 5, or 30.
Note
If the time element is omitted from END_DATE_TIME, data from the end date specified will be excluded from the operation.
The utility can also be used to repopulate the host index database in case of data corruption. However, it is highly recommended to contact Plixer Technical Support for assistance with restoring data.
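The argument rules above (24-hour time with the leading zero dropped from the hour, an interval of 1, 5 or 30, and the exclusion of the end date when its time element is omitted) are easy to get wrong on a long backfill run. The following shell helper is an added example, not part of the Scrutinizer guide or Plixer's tooling: it validates the three values, warns when END_DATE_TIME is date-only, and prints the documented host_index command line without executing anything. The flag names are copied from the guide; the exact date pattern (four-digit year, two-digit month and day, hour 0-23 without a leading zero, two-digit minutes) is this example's reading of the note and is an assumption.

```shell
#!/bin/sh
# Added example (not Plixer's code): build and sanity-check the documented
# host_index backfill command. Nothing here runs host_index or systemctl.

# Assumed date format, read from the guide's note: "YYYY-MM-DD H:MM" or
# "YYYY-MM-DD HH:MM" with the hour in 24-hour form and no leading zero
# (so "0:30" and "14:05" pass, "00:30" does not). A bare "YYYY-MM-DD" is
# also accepted because the guide says a missing time element is allowed.
hi_valid_datetime() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}( ([0-9]|1[0-9]|2[0-3]):[0-5][0-9])?$'
}

# INTERVAL_TABLE must be one of the aggregation interval tables: 1, 5 or 30.
hi_valid_interval() {
  case "$1" in
    1|5|30) return 0 ;;
    *)      return 1 ;;
  esac
}

# hi_build_backfill_cmd START END INTERVAL
# Prints the host_index command line on stdout and returns 0; on any invalid
# argument prints the reason on stderr and returns 1 without printing a command.
hi_build_backfill_cmd() {
  start=$1; end=$2; interval=$3
  hi_valid_datetime "$start" || { echo "bad START_DATE_TIME: $start" >&2; return 1; }
  hi_valid_datetime "$end"   || { echo "bad END_DATE_TIME: $end" >&2; return 1; }
  hi_valid_interval "$interval" || { echo "INTERVAL_TABLE must be 1, 5 or 30, got: $interval" >&2; return 1; }

  # The guide notes that a date-only END_DATE_TIME excludes that day's data;
  # surface it so the operator can add a time (e.g. "23:59") if that day is wanted.
  case "$end" in
    *:*) ;;
    *)   echo "warning: END_DATE_TIME has no time element; data on $end will be excluded" >&2 ;;
  esac

  printf 'host_index --db_config --verbose --populate_from_history --table_interval=%s --date_start="%s" --date_end="%s"\n' \
    "$interval" "$start" "$end"
}

# Usage (after stopping the service as the guide describes):
#   sudo systemctl stop scrutinizer-host-index
#   cmd=$(hi_build_backfill_cmd "2024-03-01 0:00" "2024-03-02 23:59" 5) && eval "$cmd"
```

Running the printed command through `eval` only after the builder returns 0 means a typo in the window is caught before the service is stopped and the (possibly long) backfill starts. Keep the service stopped for the whole run, as the procedure above requires.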