Additional options

FA-based functions and features in Plixer Scrutinizer can be further tuned and customized using these additional options.

Global and algorithm settings

The following global and algorithm settings can be used to modify the behavior of Flow Analytics in Plixer Scrutinizer:

Hint

Global FA settings can be changed in the Admin > Settings > Flow Analytics tray.

Each setting is listed with its scope (Global or Algorithm) in parentheses.

Auto-Enable Defender (Global)
    When checked, allows FlowPro Defender to be enabled automatically for the algorithms that support it.

Jitter by Interface (Global)
    Sets the jitter threshold, i.e. the acceptable variation in packet delay due to queueing, contention, and/or serialization (Default: 80 ms). The same value is used for record highlighting in Status reports.

Latency (Global)
    Sets the latency threshold used for record highlighting in Status reports (Default: 75 ms).

Share Violations (Global)
    When checked, allows the system to share details of cyber attacks originating from Internet IP addresses with the Plixer Security Team (this may require outbound firewall permissions). The information is used to further improve the global host reputation list; no internal addresses are shared.

Top Algorithm Devices (Global)
    Controls whether Top X FA algorithms are applied to all Exporters or must be configured individually per Exporter.

Thresholds (Algorithm)
    Increases or decreases the tolerance of Alarm-generating FA algorithms to the corresponding behavior or traffic. Adjust this setting if too many false positives are being reported under an algorithm's associated Alarm Policy.

Algorithm-specific settings (Algorithm)
    Additional configuration options that are specific to certain FA algorithms and are used to fine-tune their behavior. For certain algorithms, these settings must be configured before the algorithm can be enabled.

Custom reputation lists

The Host Reputation FA algorithm can use custom lists in conjunction with Plixer Scrutinizer's default host reputation lists. When a host in any reputation list becomes the target of traffic, the Event is reported under the Host Reputation Alarm Policy.

To import a list of IP addresses as a custom host reputation list, follow these steps:

  1. Add the hosts to a file, using one line for each IP address.

    Example:

    10.1.1.1
    10.1.1.2
    10.1.1.3
    
  2. Save the file with a .import extension. (e.g., custom_threats.import)

    Important

    The name of the file will be used for artifacts involving the included hosts on the Alarm Summary page.

  3. Move the file to the \scrutinizer\files\threats\ directory.

The file is imported hourly, at the same time that threat lists are updated.

Hint

To manually run the file import operation, use the command scrut_util --downloadhostreputationlists.
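The following shell script is an added example of preparing a custom list for the procedure above; it is not part of Plixer Scrutinizer or its documentation. It takes a raw feed (which may contain comments, blank lines, duplicates and malformed entries), keeps only well-formed IPv4 addresses, de-duplicates them, and writes them to NAME.import in the directory you pass (the page gives the destination as \scrutinizer\files\threats\; the script does not assume a path). The function names, the feed file and the list name are the example's own choices. Because the file name becomes the artifact label on the Alarm Summary page, the list name is a required argument rather than a default.

```shell
#!/bin/sh
# Added example (not Plixer tooling): build a custom host reputation list
# in the one-IP-per-line format the import expects.
# Assumptions: caller supplies the source feed, the list name (which becomes
# the Alarm Summary label) and the threats directory.

# A single IPv4 address, each octet 0-255, anchored to the whole line.
IPV4_RE='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'

# Strip "#" comments and surrounding whitespace from every line of $1,
# dropping lines that end up empty.
normalize_feed() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' || true
}

# Print only the well-formed IPv4 addresses in $1, de-duplicated and sorted
# (LC_ALL=C gives a stable byte-wise order regardless of the user's locale).
valid_ipv4_lines() {
    normalize_feed "$1" | grep -E "$IPV4_RE" | LC_ALL=C sort -u
}

# Print the non-empty lines of $1 that were rejected, so an operator can see
# what the feed contained that will not be imported (hostnames, CIDR ranges,
# typos such as an octet above 255).
rejected_lines() {
    normalize_feed "$1" | grep -vE "$IPV4_RE" || true
}

# build_import_list SRC NAME DIR
# Writes DIR/NAME.import and prints the number of hosts written.
# NAME is the label shown for matching artifacts on the Alarm Summary page,
# so choose something meaningful (e.g. the feed's origin), not "list1".
build_import_list() {
    src=$1
    name=$2
    dir=$3
    [ -n "$src" ] && [ -n "$name" ] && [ -n "$dir" ] || {
        echo "usage: build_import_list SRC NAME DIR" >&2
        return 2
    }
    out="$dir/$name.import"
    valid_ipv4_lines "$src" > "$out"
    wc -l < "$out" | tr -d ' '
}
```

After the file is in place, the next hourly threat-list update picks it up; to import it immediately, run `scrut_util --downloadhostreputationlists` as the page's hint describes. Run `rejected_lines feed.txt` before importing so that entries such as CIDR ranges or hostnames, which this format does not accept, are not silently dropped.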