Plixer AI Assistant#
The Plixer AI Assistant can be used to navigate the UI, quickly access specified features/functions, and run customized traffic reports using natural language prompts.
Once enabled from the Admin > Settings > AI Settings menu, the AI assistant can be accessed from the left navigation bar (or using the AI shortcut button when it’s available).
Note
The Plixer API server has a daily limit of 150 requests/actions, with the current usage and reset date displayed in the Admin > Settings > AI Settings tray. The AI assistant can also be configured to use a custom OpenAI API server instead.
Supported actions#
Configure and run traffic reports
Example filters:
Source and destination IP
Port and protocol
Application
Country
Subnet
IP group
Domain
The assistant will also resolve common names (e.g., device names or locations) without requiring exact IP ranges.
Example prompts:
Display applications consuming the most bandwidth for <SUBNET_ADDRESS>
Show conversations between internal servers and external IPs
Break down traffic by country from <START_TIME> to <END_TIME>
Get information (traffic history, activity, etc.) for specific IPs or hosts
Example prompts:
Check traffic history for <IP_ADDRESS>
Identify alarms associated with <IP_ADDRESS>
Query alarm activity and view policy configurations
Example filters:
Severity
Time range
Alarm policy category
Example prompts:
Show critical alarms from <START_TIME> to <END_TIME>
View alarms triggered by <ALARM_POLICY>
List all alarm policies
Display alarm policies by category
Inspect/manage Flow Analytics configurations, including algorithm settings and exclusions
Example prompts:
List all enabled Flow Analytics algorithms
Show details for <FA_ALGORITHM>
Enable <FA_ALGORITHM> for <EXPORTER_IP>
Add <EXCLUSION_RULE> to <FA_ALGORITHM>
Hint
Create/populate security groups to quickly enable FA algorithms for groups of exporters.
Create exclusion rules to exempt known/trusted traffic from detections
Example detection types:
Brute force
Data exfiltration
Malware
Other machine learning–based detections
Example prompts:
Exclude <IP_ADDRESS> from <DETECTION_TYPE> detections
Create an exclusion rule for <DETECTION_TYPE> for <IP_ADDRESS_LIST>
Add investigation details to collections for further review
Collections can include:
Alarm policies
Hosts and targets
Reports
Events
Devices
Applications
Users
External tickets (e.g., ServiceNow)
Example prompts:
Create a new collection called <COLLECTION_NAME>
Add alarms associated with <IP_ADDRESS> to the <COLLECTION_NAME> collection
Save the <REPORT_NAME> report to the <COLLECTION_NAME> collection
Run and save custom report configurations
Example prompt:
Save the current report as <REPORT_NAME>
Note
See this section for further details on running repots via the AI assistant
Search documentation and policy manuals
The AI Assistant can return requested information from:
Product documentation
Operational playbooks
Security policies
Example prompts:
Search for the configuration steps for Flow Analytics exclusions
Retrieve response procedures for <INCIDENT_DESCRIPTION>
Navigate directly to specified pages or functions in the UI
Example Prompts:
Go to the alarm monitor hosts view
Open the global Flow Analytics settings
Turn natural language into structured queries
Example inputs:
IP addresses and subnets
Hostnames and devices
Applications and protocols
Ports and interfaces
IP groups and countries
Time ranges and date expressions
Record packet captures for deeper analysis (requires FlowPro)
Example prompt:
Create a packet capture for traffic to <IP_ADDRESS> over <PORT> from <START_TIME> to <END_TIME>.
Important
Certain actions above (e.g., creating security groups, editing policy/algorithm settings, defining exclusion rules, etc.) require AI Write Tools to be enabled under Admin > Settings > AI Settings.
Hint
To maintain optimal accuracy and performance, the following practices are recommended:
Clear chat context regularly to maintain performance (∅ icon/button in the AI assistant tray)
Specify time ranges when possible
Use known names (devices, IP groups, applications)
Refine results using follow-up queries
AI Deep Dive#
The AI Deep Dive (
) button allows users to quickly prompt the Plixer AI Assistant to summarize, analyze, or investigate the information displayed in the following views/sections of the Scrutinizer UI:
Monitor > Alarm Monitor (including policy, host, and AI insight subviews)
Auto-Investigate alarm policy investigations
After clicking the button, review the response/report in the AI assistant tray and request further details as needed.
NOC/SOC AI agents#
The Plixer AI Assistant includes AI background agents that are capable of autonomously running NOC and/or SOC workflows overnight.
Enabling the NOC and SOC agents#
The nightly NOC and SOC agents are disabled by default but can be enabled using the toggles in the Admin > Settings > AI settings menu/tray.
Either or both agents can be enabled at any time after the Plixer AI Assistant has been enabled. They can also be disabled if necessary.
NOC/SOC agent output#
The output of the nightly NOC/SOC agents can be accessed via the Alarm Monitor > AI Insights page and comprises the following:
An executive summary outlining the alarms investigated and the agent’s findings
An approximated risk score based on the agent’s findings (lower = lower risk)
Recommended remediation steps
A collection comprising all related information (alarms/events, hosts, etc.)
The nightly agent report and collection history can be accessed from the same page.
Reporting via AI#
The Plixer AI assistant can run the following report types by leveraging the Scrutinizer reporting API:
Host-to-host conversation analysis
Host-to-host traffic flows details
IP group to IP group conversations
Top applications by traffic volume
Country-to-country traffic analysis
Top source hosts (traffic originators)
Top destination hosts (traffic receivers)
Traffic analysis by source country
Traffic analysis by destination country
Protocol usage
Interface utilization
Destination Autonomous System analysis
Port usage analysis
Client-server byte analysis
For more information on Scrutinizer report types, see this appendix.
Supported filters#
The following filters (include/exclude) can also be applied when running the above reports:
Source/destination filters:
IPs
Country code
Domains
IP Groups
Subnets
Device filters:
Device IP/name
Device group
Interface
Application and protocol filters:
App ID/name
App nbar ID/name
Destination ports
Protocol ID/name
Custom API providers#
The Plixer AI Assistant uses the Plixer API server by default, but it can be configured to use a custom OpenAI API provider instead.
Follow these steps to set up a custom OpenAI API server after enabling the AI assistant in the Admin > Settings > AI settings tray:
Select Custom as the API provider.
Enter the URL and API key for the OpenAI LLM server.
Click Load Models, and then use the dropdowns to select the Model ID and Embedding Model ID for the LLM to use.
[Optional] Toggle on Enable AI Write Tools to give the AI assistant write access (required for editing settings, managing exclusion rules, etc.) .
Click Save.
AI Embeddings#
To enable responses that are both accurate and grounded in information relevant to its users, the Plixer AI Assistant uses Retrieval-Augmented Generation (RAG) to collect relevant details from embedded content.
Embedded content is automatically updated at regular intervals, ensuring the most up-to-date details are always accessible to the AI assistant.
Note
Use these commands to manually update or re-embed content (e.g., after custom embeddings are added/updated).
All default and custom embeddings can be made available to external AI assistants through the Scrutinizer MCP server.
Types of embedded content#
The Plixer AI Assistant uses the following types of embedded content to expand the pool of information it has access to:
Known objects
Known object embeddings cover configured network objects within a Plixer One/Scrutinizer deployment, including applications, IP groups, protocols, devices, and interfaces. These embeddings allow the AI assistant to respond to queries that reference such objects in the environment.
Object type |
Details included |
|---|---|
Applications |
Name, ports, metadata |
App NBAR |
Network-based application recognition entries |
Protocols |
Names and protocol numbers |
IP Groups |
Group name and membership |
Devices |
Device name, IP address, description |
Interfaces |
Interface name, description, parent device |
Device Groups |
Group name and associated devices |
Note
Known objects are updated incrementally through a work queue, with a scheduled task to process only changed items (new devices, IP group memberships, renamed applications, etc.) every five minutes.
Deleted objects are automatically removed.
Documentation
Documentation embeddings cover Plixer One/Scrutinizer documentation content and enable the following features:
AI-assisted help: Responses to product-related questions include the relevant documentation sections
UI navigation: Information in the documentation is used to direct users to a requested function or section in the UI
Policies
The Plixer AI Assistant’s default policy embeddings cover industry-standard cybersecurity compliance frameworks that the AI assistant can reference to align responses with established security standards.
Sample queries:
What does PCI-DSS require for monitoring network access?
How does flow data support NIST 800-171 compliance?
Framework |
Description |
|---|---|
CIS Controls v8.1.2 |
Prioritized set of cybersecurity best practices from the Center for Internet Security; organized into Implementation Groups (IG1, IG2, IG3) |
NIST SP 800-171r3 |
Security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems; essential for government contractors and CMMC |
NIST SP 800-66r2 |
Implementation guide for the HIPAA Security Rule. Maps HIPAA requirements to actionable security controls for healthcare organizations |
PCI-DSS v4.0.1 |
Payment Card Industry Data Security Standard. Mandatory for any organization that stores, processes, or transmits payment card data |
Playbooks
Playbook embeddings cover operational procedures and incident response steps that the AI assistant can reference to provide suitable guidance in the event of a security incident.
The default playbook embeddings include federal cybersecurity playbooks, which contain operational procedures for detecting, responding to, and recovering from cybersecurity incidents based on CISA guidance.
Custom embeddings#
The Plixer AI Assistant supports the use of custom embeddings to further expand the knowledge base it has access to.
Custom content can be embedded by adding the document(s) to the /opt/plixer/documentation/ directory and running the corresponding command (as indicated below):
Important
Documents to be embedded must be written in Markdown.
Embedding type |
Save document(s) as/in |
Command to run |
|---|---|---|
Documentation |
|
scrut_util --ai_embeddings --documentation
|
Policies |
|
scrut_util --ai_embeddings --policies
|
Playbooks |
|
scrut_util --ai_embeddings --playbooks
|
MCP server#
The latest versions of all default and custom embeddings are also accessible through the Scrutinizer MCP server, allowing external AI assistants to reference the same content using the MCP server’s search and documentation tools.