Plixer AI Assistant#

The Plixer AI Assistant can be used to navigate the UI, quickly access specified features/functions, and run customized traffic reports using natural language prompts.

Once enabled from the Admin > Settings > AI Settings menu, the AI assistant can be accessed from the left navigation bar (or using the AI shortcut button when it’s available).

Note

The Plixer API server has a daily limit of 150 requests/actions, with the current usage and reset date displayed in the Admin > Settings > AI Settings tray. The AI assistant can also be configured to use a custom OpenAI API server instead.

Supported actions#

Configure and run traffic reports

Example filters:

  • Source and destination IP

  • Port and protocol

  • Application

  • Country

  • Subnet

  • IP group

  • Domain

The assistant will also resolve common names (e.g., device names or locations) without requiring exact IP ranges.

Example prompts:

Display applications consuming the most bandwidth for <SUBNET_ADDRESS>
Show conversations between internal servers and external IPs
Break down traffic by country from <START_TIME> to <END_TIME>
Get information (traffic history, activity, etc.) for specific IPs or hosts

Example prompts:

Check traffic history for <IP_ADDRESS>
Identify alarms associated with <IP_ADDRESS>
Query alarm activity and view policy configurations

Example filters:

  • Severity

  • Time range

  • Alarm policy category

Example prompts:

Show critical alarms from <START_TIME> to <END_TIME>
View alarms triggered by <ALARM_POLICY>
List all alarm policies
Display alarm policies by category
Inspect/manage Flow Analytics configurations, including algorithm settings and exclusions

Example prompts:

List all enabled Flow Analytics algorithms
Show details for <FA_ALGORITHM>
Enable <FA_ALGORITHM> for <EXPORTER_IP>
Add <EXCLUSION_RULE> to <FA_ALGORITHM>

Hint

Create/populate security groups to quickly enable FA algorithms for groups of exporters.

Create exclusion rules to exempt known/trusted traffic from detections

Example detection types:

  • Brute force

  • Data exfiltration

  • Malware

  • Other machine learning–based detections

Example prompts:

Exclude <IP_ADDRESS> from <DETECTION_TYPE> detections
Create an exclusion rule for <DETECTION_TYPE> for <IP_ADDRESS_LIST>
Add investigation details to collections for further review

Collections can include:

  • Alarm policies

  • Hosts and targets

  • Reports

  • Events

  • Devices

  • Applications

  • Users

  • External tickets (e.g., ServiceNow)

Example prompts:

Create a new collection called <COLLECTION_NAME>
Add alarms associated with <IP_ADDRESS> to the <COLLECTION_NAME> collection
Save the <REPORT_NAME> report to the <COLLECTION_NAME> collection
Run and save custom report configurations

Example prompt:

Save the current report as <REPORT_NAME>

Note

See this section for further details on running repots via the AI assistant

Search documentation and policy manuals

The AI Assistant can return requested information from:

  • Product documentation

  • Operational playbooks

  • Security policies

Example prompts:

Search for the configuration steps for Flow Analytics exclusions
Retrieve response procedures for <INCIDENT_DESCRIPTION>
Navigate directly to specified pages or functions in the UI

Example Prompts:

Go to the alarm monitor hosts view
Open the global Flow Analytics settings
Turn natural language into structured queries

Example inputs:

  • IP addresses and subnets

  • Hostnames and devices

  • Applications and protocols

  • Ports and interfaces

  • IP groups and countries

  • Time ranges and date expressions

Record packet captures for deeper analysis (requires FlowPro)

Example prompt:

Create a packet capture for traffic to <IP_ADDRESS> over <PORT> from <START_TIME> to <END_TIME>.

Important

Certain actions above (e.g., creating security groups, editing policy/algorithm settings, defining exclusion rules, etc.) require AI Write Tools to be enabled under Admin > Settings > AI Settings.

Hint

To maintain optimal accuracy and performance, the following practices are recommended:

  • Clear chat context regularly to maintain performance ( icon/button in the AI assistant tray)

  • Specify time ranges when possible

  • Use known names (devices, IP groups, applications)

  • Refine results using follow-up queries

AI Deep Dive#

The AI Deep Dive (Deep Dive icon) button allows users to quickly prompt the Plixer AI Assistant to summarize, analyze, or investigate the information displayed in the following views/sections of the Scrutinizer UI:

After clicking the button, review the response/report in the AI assistant tray and request further details as needed.

NOC/SOC AI agents#

The Plixer AI Assistant includes AI background agents that are capable of autonomously running NOC and/or SOC workflows overnight.

Enabling the NOC and SOC agents#

The nightly NOC and SOC agents are disabled by default but can be enabled using the toggles in the Admin > Settings > AI settings menu/tray.

Either or both agents can be enabled at any time after the Plixer AI Assistant has been enabled. They can also be disabled if necessary.

NOC/SOC agent output#

The output of the nightly NOC/SOC agents can be accessed via the Alarm Monitor > AI Insights page and comprises the following:

  • An executive summary outlining the alarms investigated and the agent’s findings

  • An approximated risk score based on the agent’s findings (lower = lower risk)

  • Recommended remediation steps

  • A collection comprising all related information (alarms/events, hosts, etc.)

The nightly agent report and collection history can be accessed from the same page.

Reporting via AI#

The Plixer AI assistant can run the following report types by leveraging the Scrutinizer reporting API:

  • Host-to-host conversation analysis​

  • Host-to-host traffic flows details

  • IP group to IP group conversations​

  • Top applications by traffic volume​

  • Country-to-country traffic analysis​

  • Top source hosts (traffic originators)​

  • Top destination hosts (traffic receivers)​

  • Traffic analysis by source country​

  • Traffic analysis by destination country​

  • Protocol usage

  • Interface utilization

  • Destination Autonomous System analysis​

  • Port usage analysis​

  • Client-server byte analysis​

For more information on Scrutinizer report types, see this appendix.

Supported filters#

The following filters (include/exclude) can also be applied when running the above reports:

  • Source/destination filters:​

    • IPs​

    • Country code​

    • Domains​

    • IP Groups​

    • Subnets​

  • Device filters:​

    • Device IP/name

    • Device group​

    • Interface​

  • Application and protocol filters:​

    • App ID/name

    • App nbar ID/name​

    • Destination ports

    • Protocol ID/name

Custom API providers#

The Plixer AI Assistant uses the Plixer API server by default, but it can be configured to use a custom OpenAI API provider instead.

Follow these steps to set up a custom OpenAI API server after enabling the AI assistant in the Admin > Settings > AI settings tray:

  1. Select Custom as the API provider.

  2. Enter the URL and API key for the OpenAI LLM server.

  3. Click Load Models, and then use the dropdowns to select the Model ID and Embedding Model ID for the LLM to use.

  4. [Optional] Toggle on Enable AI Write Tools to give the AI assistant write access (required for editing settings, managing exclusion rules, etc.) .

  5. Click Save.

AI Embeddings#

To enable responses that are both accurate and grounded in information relevant to its users, the Plixer AI Assistant uses Retrieval-Augmented Generation (RAG) to collect relevant details from embedded content.

Embedded content is automatically updated at regular intervals, ensuring the most up-to-date details are always accessible to the AI assistant.

Note

Types of embedded content#

The Plixer AI Assistant uses the following types of embedded content to expand the pool of information it has access to:

Known objects

Known object embeddings cover configured network objects within a Plixer One/Scrutinizer deployment, including applications, IP groups, protocols, devices, and interfaces. These embeddings allow the AI assistant to respond to queries that reference such objects in the environment.

Embedded data by object type#

Object type

Details included

Applications

Name, ports, metadata

App NBAR

Network-based application recognition entries

Protocols

Names and protocol numbers

IP Groups

Group name and membership

Devices

Device name, IP address, description

Interfaces

Interface name, description, parent device

Device Groups

Group name and associated devices

Note

Known objects are updated incrementally through a work queue, with a scheduled task to process only changed items (new devices, IP group memberships, renamed applications, etc.) every five minutes.

Deleted objects are automatically removed.

Documentation

Documentation embeddings cover Plixer One/Scrutinizer documentation content and enable the following features:

  • AI-assisted help: Responses to product-related questions include the relevant documentation sections

  • UI navigation: Information in the documentation is used to direct users to a requested function or section in the UI

Policies

The Plixer AI Assistant’s default policy embeddings cover industry-standard cybersecurity compliance frameworks that the AI assistant can reference to align responses with established security standards.

Sample queries:

  • What does PCI-DSS require for monitoring network access?

  • How does flow data support NIST 800-171 compliance?

Included frameworks#

Framework

Description

CIS Controls v8.1.2

Prioritized set of cybersecurity best practices from the Center for Internet Security; organized into Implementation Groups (IG1, IG2, IG3)

NIST SP 800-171r3

Security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems; essential for government contractors and CMMC

NIST SP 800-66r2

Implementation guide for the HIPAA Security Rule. Maps HIPAA requirements to actionable security controls for healthcare organizations

PCI-DSS v4.0.1

Payment Card Industry Data Security Standard. Mandatory for any organization that stores, processes, or transmits payment card data

Playbooks

Playbook embeddings cover operational procedures and incident response steps that the AI assistant can reference to provide suitable guidance in the event of a security incident.

The default playbook embeddings include federal cybersecurity playbooks, which contain operational procedures for detecting, responding to, and recovering from cybersecurity incidents based on CISA guidance.

Custom embeddings#

The Plixer AI Assistant supports the use of custom embeddings to further expand the knowledge base it has access to.

Custom content can be embedded by adding the document(s) to the /opt/plixer/documentation/ directory and running the corresponding command (as indicated below):

Important

Documents to be embedded must be written in Markdown.

Embedding type

Save document(s) as/in

Command to run

Documentation

/opt/plixer/documentation/*-docs

scrut_util --ai_embeddings --documentation

Policies

/opt/plixer/documentation/policies/

scrut_util --ai_embeddings --policies

Playbooks

/opt/plixer/documentation/playbooks/

scrut_util --ai_embeddings --playbooks

MCP server#

The latest versions of all default and custom embeddings are also accessible through the Scrutinizer MCP server, allowing external AI assistants to reference the same content using the MCP server’s search and documentation tools.