Settings#

The Admin > Settings page provides access to global settings for Scrutinizer’s core functions and behavior.

AI Settings#

Added in version 19.7.0: This feature requires Plixer One Core or Enterprise. Contact Plixer Technical Support to learn more about licensing options.

The Plixer AI Assistant can be enabled in the Admin > Settings > AI Settings tray, which also includes the following options:

Custom API provider

Configure a custom OpenAI API server to use instead of the Plixer server (follow this guide to set up Scrutinizer’s built-in MCP server)

AI write tools

Enable to allow the AI assistant to write/save changes within Scrutinizer (e.g., acknowledging alarms/events, tuning alarm policies, etc.)

NOC agent

Enable to run nightly AI-driven network alarm reviews

SOC agent

Enable to run nightly AI-driven security alarm reviews

AI usage tracking#

When the AI assistant is set to use the Plixer API server, the AI Settings tray also includes an AI Usage Status bar that shows the current AI request/action count against the usage quota (150 requests per day). Hovering over the bar will display the quota reset time as well as the last time the count was updated.

Important

An AI prompt may require multiple requests to complete. For example, to “run a top hosts report”, the assistant will need to discover what reports are available, run the top hosts report, and then return the results to complete the task.

Each request or distinct action taken by the AI assistant (including those executed by the nightly agents) will count toward the AI usage quota.


Alarm Notifications#

The Admin > Settings > Alarm Notifications tray contains the following settings:

Hostnames

Enable to display device, target, and violator hostnames (when available) instead of IP addresses in alarm messages

Flow Inactivity

Enables Flow Inactivity alarms for devices that have not received flows in the last 30 minutes

Alarm Many Crop

Maximum number of devices, targets, and violators to display in alarm messages

Interface Threshold Violations

Enables Interface Threshold Violation alarms when utilization (in or out) for any interface exceeds the Threshold - Utilization value specified under Admin > Settings > System Preferences tray

CEF Version

Sets the default CEF specification version for outbound CEF notifications

  • Individual CEF notification actions can override this global setting

  • If a specific notification action requires a different CEF version, configure the override at the action level rather than changing the global default

CEF Framing

Sets the default syslog envelope for outbound CEF notifications

  • Individual CEF notification actions can override this global setting

Syslog Framing

Sets the default syslog envelope for outbound Syslog notifications and accepts the same values as CEF Framing

  • Individual CEF notification actions can override this global setting

Hint

Notification profiles can be assigned to the Flow Inactivity and Interface Threshold Violation alarm policies to trigger custom notification actions for violations.

Important

If flow inactivity and interface threshold violation notifications are disabled from this tray, Flow Inactivity and Interface Threshold Violation alarm policy violations will not be reported or saved, even if the policies are set to the Active or Store state.


Collector Settings#

The Admin > Settings > Collector Settings tray contains the following settings:

Resolve Hosts at Collection Time

Forces DNS name resolution for every host seen when flows are collected (only necessary for Flow Analytics domain exclusions and Rev 2nd level domain reports)

Note: Enabling this feature may result in significant latency at high flow volumes. For assistance, contact Plixer Technical Support.

Auto SNMP Update

Enables re-discovery of SNMP devices at 1:00 am every day.

Low Resource Fallback Cooldown Period

Amount of time (in seconds) to wait between low resource fallback “stages” (to prevent unwarranted feature or exporter pausing)

Low Resource Fallback Exporter Chunk Size

Number of exporters to pause or resume as a group when required for low resource fallback or recovery

Allowed Flow Rate Multiplier Percent

Multiplier/percentage of maximum supported flow rate that will not immediately trigger low resource fallback to accommodate brief spikes in flow rates

Note: Sustained flow rates exceeding 100% of the rated limit may result in stability issues.

Low Resource Fallback Mode

Select one of three modes to define Scrutinizer’s low resource fallback behavior

Listener Port

Port(s) to listen on for NetFlow or sFlow traffic (separate by comma)

Scrutinizer Flows Port

Port to listen on for Scrutinizer vitals and other internal flows

Important

In distributed environments, these settings will be applied to all collectors in the cluster.


DNS#

The Admin > Settings > DNS tray contains the following settings:

Resolve Hosts at Collection Time

Forces DNS name resolution for every host seen when flows are collected (only necessary for Flow Analytics domain exclusions and Rev 2nd level domain reports)

Note: Enabling this feature may result in significant latency at high flow volumes. For assistance, contact Plixer Technical Support.

DNS Cache Retention

Number of days to retain DNS names (0-365, 0 = never retain)

DNS Timeout

Maximum time (in seconds) to wait for DNS name resolution


Data History#

The Admin > Settings > Data History view includes different views for monitoring database disk utilization and managing historical data retention settings.

Flows tab#

The Data History > Flows tab is used to view/manage the following historical flow data retention settings.

Custom data retention rules for specified collectors and/or exporters can also be defined in this view.

Cold storage#

If multi-tier storage is configured/enabled, 1-minute data older than a specified period of time can be moved to a “cold” storage tier.

This allows for subsample of 1-minute data (older data that may not need to be accessed as often) to be kept on more cost-effective storage solutions before being deleted.

The Cooling setting (see below) determines how long 1-minute data is kept in “hot” storage, after which it is moved to the cold storage tier.

Retention settings#

Clicking on a retention setting in the main view opens a tray where the following settings can be configured:

Cooling - 1-Minute Data

Number of hours, days, weeks, or months 1-minute data is kept “hot” before being moved to cold storage (default: 48 hours)

1-Minute Data

Total number of hours, days, weeks, or months (regardles of storage tier) to retain 1-minute data (default: 48 hours)

5-Minute Data

Number of hours, days, weeks, or months to retain 5-minute data (default: 168 hours)

30-Minute Data

Number of hours, days, weeks, or months to retain 30-minute data (default: 30 days)

2-Hour Data

Number of hours, days, weeks, or months to retain 2-hour data (default: 30 days)

12-Hour Data

Number of hours, days, weeks, or months to retain 12-hour data (default: 205 days)

Important

The 1-Minute Data retention setting applies to all 1-minute data, regardless of storage tier (“hot” or “cold”). If the cooling setting is equal to or higher/longer than the retention setting, 1-minute data will be purged before it can be moved to cold storage.

Note

Setting the value for a retention setting to 0 does not disable retention of that data interval.

Disk utilization calculator#

Clicking the calculator icon in the retention settings tray opens a disk calculator, which can be used to compare the current disk utilization against the predicted utilization for modified retention settings.

When changes are made in either the calculator or the retention settings tray, the utilization values and the total recommended disk size are updated in the Predicted HD utilization table. Changes made to the units of time used in the tray are also automatically synced to the calculator.

Click the check button (or the Save button in the tray) to save any updated settings.

Note

Disk usage for other elements/functions, such as system metadata, alarm/event data retention, and host indexing (plus a 10% buffer for the OS) are factored into the calculator’s predictions. The predictions will not account for any custom data retention rules (see below) currently enabled.

Custom data retention rules#

Custom data retention rules can be defined to supplement Scrutinizer’s basic retention settings. These rules override global settings and allow historical data associated with specified collector(s) and/or exporters(s) to have different retention settings.

Custom retention rules can also overlap, with more specific (i.e., narrower criteria) rules taking precedence.

Creating a new retention rule#

A new custom retention rule can be defined as follows:

  1. Click on the + button in the Admin > Settings > Data History > Flows tab/view.

  2. In the rule configuration tray, enter a name for the rule, and then select the data interval (1m, 2h, etc.) the rule applies to.

  3. Select at least one collector or exporter as the criteria for the rule.

  4. Configure the cooling and/or retention period (in hours, days, weeks, or months) to use for data matching the criteria.

  5. Click Save to save the new rule.

To edit an existing rule, click on the rule in the main view and make the necessary changes in the configuration tray. One or more rules can also be deleted by ticking their checkboxes and selecting the Delete option in the Bulk Actions menu.

Alarms tab#

The Data History > Alarms tab is used to view/manage retention settings related to alarm/event data, audit logs, and DNS request data. History trimming settings can also be managed from the same tray/menu.

Clicking on a setting in the main view opens a tray where the following settings can be configured:

Auto-Acknowledge Alarms

Number of days before alarms/events are automatically acknowledged

Alarm Retention Days

Maximum number of days that alarm/event data will be retained

Alarm Retention Size

Maximum amount of disk space (in MB) that can be used for alarm/event data before older records are deleted

Audit Log Keep Duration

Number of months audit logs will be retained

Auto History Trimming

Enables automatic trimming of older historical records based on the specified Minimum Percent Free Disk before Trimming setting (prioritized over time-based retention settings)

Days of DNS Request Data

Number of days (0 - 365) to retain DNS request data

Minimum Percent Free Disk before Trimming

Minimum amount of free storage to maintain when Auto History Trimming is enabled

Note

When Auto History Trimming is enabled, 1-minute and 5-minute historical tables are trimmed to maintain the value specified in Minimum Percent Free Disk Space before Trimming (while retaining as much data as possible). Automatic trimming is also used to retain a similar level of historical data for all configured exporters.


Email Server#

Configuring an email server allows Scrutinizer to send email notifications and reports using SMTP.

Once configured, Scrutinizer can forward reports to any email address. Email reports include a link to view the report in the Scrutinizer web interface and may also include PDF and/or CSV attachments of the report data.

Email servers are also required for sending automated email alerts triggered by alarm policies.

The following global email server settings must first be set up under Admin > Settings > Email Server to configure email notifications and email reports:

Email Client

Enter the hostname or IP address that Scrutinizer will use to identify itself when communicating with the SMTP Server.

Link Back Host

Enter the fully qualified URL for the Scrutinizer web interface (e.g. http://scrutinizer.mycompany.com:8282/, https://scrutinizer/). This URL is used in emailed reports to link back to the server.

SMTP Server

Enter the hostname or IP address of the mail server.

SMTP User

Enter the username used to authenticate with the SMTP server. Leave blank for anonymous access.

SMTP Password

Enter the password for the SMTP user account. Leave blank for anonymous access.

From Email

Enter the email address to appear as the sender of notifications and reports.

SMTP Port

Enter the TCP port the server will use to send emailed information over SMTP. Default is 25.

SMTP SSL Version

Select the SSL/TLS version used by your SMTP server.

SMTP Timeout

Specify the maximum time in seconds to wait for the SMTP server response.

Hint

Click the Defaults button to reset all the fields to their default values.


Endpoint Analytics#

The Admin > Settings > Endpoint Analytics page is used to configure and enable/disable Endpoint Analytics integration in Scrutinizer.

Hint

To learn more about Endpoint Analytics integration in Scrutinizer, see this section of this documentation.

The following details must be entered:

Host

IP address or configured hostname to connect to the Endpoint Analytics API

Password

Password to use for authentication to connect to the Endpoint Analytics API

Port

Port to use to communicate with the Endpoint Analytics API

Protocol

Protocol to use to communicate with the Endpoint Analytics API

Username

Username to use for authentication to connect to the Endpoint Analytics API

After the fields have been filled in with the required information, click Apply.

Hint

Click the Defaults button to revert to the default settings used by Endpoint Analytics deployments.


Flow Analytics Settings#

The following global settings for Flow Analytics can be modified from the Admin > Settings > Flow Analytics Settings tray:

Top Algorithm Devices

Sets whether Top X algorithms are automatically run against all devices or only manually defined inclusions

Auto Enable Defender

Enables automatic inclusion of FlowPro Defenders for the appropriate FA algorithms

Latency

Latency threshold (in ms) used for record highlighting in Status report

Share Violations

Share violation details for cyber attacks originating from Internet IP addresses with Plixer to continuously improve host reputation records

Hint

Configuration options for individual Flow Analytics Algorithms can be accessed from the Flow Analytics Configuration page.


Global Authentication Settings#

The Admin > Settings > Global Authentication Settings tray contains the following global settings related to user credentials and logins:

Failed Login Max

Maximum number of failed logins before a user account is locked (0 = disabled)

Failed Login Window

Length of time (in minutes) within which failed logins will count towards the maximum allowed

Minimum Unique Passwords

Number of previous passwords that a local Scrutinizer user cannot reuse when changing their password

Session Timeout

Maximum time (in minutes) a Scrutinizer web session can be idle before the user is forcibly logged out (0 = disabled)


Google Maps Proxy Server#

The Admin > Settings > Google Maps Proxy Server tray is used to configure a proxy server to allow Scrutinizer to access the Internet and make Google Maps geolocation requests.

The following details must be provided:

  • Proxy domain name

  • IP address or hostname (absolute URL) of the proxy server to use for geolocation requests

  • Port to use for communication with the proxy server

  • Username and password to use for authentication with the proxy server


Login Banner#

Text entered in the following fields of the Admin > Settings > Login Banner tray will be displayed at the specified location on the web interface login page:

  • Above the username input field

  • Below the Login button


ML AD Users#

The Admin > Settings > ML AD Users tray is used to add a Microsoft Azure account to enable AD Users UEBA (User and Entity Behavior Analytics) integration.

Note

The Azure account must be configured to store AD user sign-in logs.

Enter the Azure account name and key in the provided fields, and then click the Apply button to enable UEBA detections/alerts for the Plixer ML Engine.


ML Alerts#

The Admin > Settings > ML Alerts tray can be used to adjust the sensitivity settings for Office 365 detections as well as the alert thresholds for system vitals and Kafka latency.

SMB (Server Message Block) monitoring can also be enabled/disabled from this tray.

Note

See this section of the Plixer ML Engine configuration guide for details and recommendations for these settings.

Office 365 Logon Sensitivity

Sensitivity for logon count alerts

Office 365 Unique Source Sensitivity

Sensitivity for unique source alerts

Office 365 Unique Location Sensitivity

Sensitivity for unique location alerts

CPU Alert Threshold

Percentage threshold for high CPU utilization alerts (ML engine server only)

RAM Alert Threshold

Percentage threshold for high RAM utilization alerts (ML engine server only)

Disk Alert Threshold

Percentage threshold for high disk utilization alerts (ML engine server only)

Disk Reclaim Threshold

Disk utilization threshold before ML engine server attempts to reclaim disk space

Kafka Netflow Lag Threshold

Threshold (message count) for flow ingestion latency alerts

Kafka K-means Lag Threshold

Threshold (message count) for prediction latency alerts

Kafka Alerts Lag Threshold

Threshold (message count) for automated process reconnaissance latency alerts

Kafka Training Data Lag Threshold

Threshold (message count) for behavior modeling latency alerts

Kafka UEBA Lag Threshold

Threshold (message count) for UEBA data latency alerts

After making changes, click the Apply button to save and apply the new settings.


ML Data Limits#

The Admin > Settings > ML Data Limits tray can be used to adjust the maximum number of hosts, messages, or models used by the Plixer ML Engine for learning and predictions.

Note

See this section of the Plixer ML Engine configuration guide for further details and recommendations for these settings.

Training Data Maximum Models

Maximum number of models to be processed for training (training data service)

Training Data Maximum IPs

Maximum number of IP addresses (per dimension) to be processed for training (training data service)

Data Provider Maximum Messages

Maximum number of data messages to be processed per minute for prediction (data provider service)

Data Provider Maximum IPs

Maximum number of IP addresses (per dimension) to be processed for prediction (data provider service)

UEBA Maximum Messages

Maximum number of user data messages to be processed per minute for prediction (UEBA data provider service)

Kafka Log Retention Hours

Number of hours Kafka log data must be retained before it can be deleted

After making changes, click the Apply button to save and apply the new settings.


ML Training Schedule#

The Admin > Settings > ML Training Schedule tray is used to set the business hours used for seasonality in the network behavior being observed by the Plixer ML Engine.

Note

See this section of the Plixer ML Engine configuration guide for further details and recommendations for these settings.

Business Hours Start for ML Training

Business day ML training start time/hour as an integer (e.g., 8 = 8 am)

Business Hours End for ML Training

Business day ML training end time/hour as an integer (e.g., 17 = 5 pm)

Work Week Start

Starting day of the work week for ML training

Work Week End

Last day of the work week for ML training

Minutes to Delay Training

Number of minutes to wait before building training data models (to allow for schedule changes)

After entering the necessary details, click the Apply button to save and apply the new business hours.

Note

The business hours used for network behavior seasonality are configured separately from the business hours used to filter reports, which are defined under Admin > Settings > Reporting.


Mapping Groups#

The Admin > Settings > Mapping Groups page can be used to create, configure, and manage device groups for network maps.

To learn more about the this page’s functions, see this section on mapping group management.


Mapping Objects#

The Admin > Settings > Mapping Objects page can be used to manage mapping object properties and group membership. New custom objects can also be defined from this view.

To learn more about the this page’s functions, see this section on mapping object management.


Reporting#

The Reporting tray contains the following options/settings, which are used to control how reports are run, displayed, and managed:

Always Display Totals

Enable to always show totals in Status report results tables, even if the graph is set to show rates.

Business Hours Start

Starting hour of the business day (as an integer) to use in reports.

Business Hours End

Ending hour of the business day (as an integer, e.g., 5 pm -> 17) to use in reports.

CSV Include All Rows

Enable to include all rows in report CSVs (instead of only the selected top X).

CSV Repository

Path to use for saving exported CSVs.

Display Others on Top

Allow or prevent report graphs from displaying other traffic above or below the top 10 results.

Raw MAC Addresses

Enable to display raw MAC addresses in reports.

Full Interface Names

Enable to display full interface names instead of instance numbers in reports.

Limit All Device Report Results

Limits the number of results returned when running All Devices reports to this value (0 = no limit).

Hide All Interface Directions

Enable to hide the interface direction selector unless an interface filter is applied.

Max Aggregations from Data Source

Maximum number of aggregations from a single data source.

Max Report Processes

Maximum number of subprocesses (by time or by device) that a report will be divided into to reduce running time.

Maximum Raw Flow Exporters

Maximum number of exporters/devices allowed as filters for a raw flows report.

Max Reports per Interval

Maximum number of scheduled email reports that can be set to run within the same minute.

Max Reports per Email

Maximum number of reports that can be sent in a single scheduled email report.

Note: Including too many reports in the same scheduled email may result in timeouts.

Push Data Aggregation

Enable to automatically aggregate data when temp tables are pushed to the primary report (distributed environments only).

Report Caching Timeout

Number of minutes available reports will be kept cached.

Re-use Temp Tables

Enable to allow reports to re-use temp tables whenever possible.

Saved Report Threshold Processes

Number of processes to fork when running report threshold checks.

Target Graph Intervals

Maximum number of intervals that Scrutinizer will aim to plot in graphs.

TOS Family

Sets the family/configuration of the Quality of Service or Type of Service implemented for the environment.

Use Alternative Times

If the observationtimeseconds field is included in a flow template, Scrutinizer will use it in place of intervaltime for reporting.

Use Host Index

Enables the use of the host index to limit the number of exporters/devices checked for Group and All Devices reports.

Note

The times entered for Business Hours End and Business Hours Start do not affect the seasonality of the Plixer ML Engine’s behavior monitoring/modeling functions for Plixer One Enterprise.


System Preferences#

The Admin > Settings > System Preferences tray contains the following general settings:

Disable File Upload

When enabled, files cannot be uploaded to the Scrutinizer server

Maximum Uploaded File Size in Bytes

Sets the maximum size allowed for uploaded files

Inactivity Threshold

Sets the number of minutes that the Explore > Exporters > By Interface view will display inbound and outbound activity details for inactive interfaces

Threshold - Utilization

Sets the interface utilization percentage (in or out) that will trigger an Interface Threshold Violation alarm

Inactive Expiration

Sets the number of hours (1 to 168) before an inactive interface is removed from the Explore > Exporters > By Interface view

LDAP Group Membership

Sets the schedule for syncing users between local user groups and LDAP Security Groups with the same name (Options: On Login, Nightly, Both, Disabled)

Logout URL

Redirects users to the specified URL after logout instead of the default /ui/login page (for third-party authentication)

Version Checking

When enabled, Scrutinizer will automatically connect to the Internet and check for updates

Beta Features

Enables/disables UI for all available beta features for the current version

Note

Interfaces that have been inactive past the Inactivity Threshold setting but not longer than the Inactive Expiration setting will be displayed with 0.00 b/s in their inbound and outbound columns.

Important

A local user group and an LDAP Security Group must have the exact same name (including capitalization and punctuation) for users to be synced between them.


System/New User Defaults#

The Admin > Settings > System/New User Defaults tray can be used to define the default settings/options applied for new user accounts:

Disable Welcome Modal

When ticked/enabled, hides the “Welcome to Scrutinizer” model for new user logins

Language

Sets the default system language for new users

Theme

Sets the default system theme for new users

Hint

Users can set their own language and theme by navigating to Admin > Users & Groups > User Accounts page and editing the Preferences for their username/account.

Note

Technical support (including this documentation) is only available in English.


Thresholds#

The settings in the Admin > Settings > Thresholds tray can be used to adjust the percentage thresholds used to highlight interface utilization in different colors.

Default threshold values:

  • Yellow: 51%

  • Orange: 76%

  • Red: 90%

Note

These values are also used to highlight map connections representing interfaces. Connections representing saved reports can have their color thresholds defined separately.