Managing dimensions
The Plixer ML Engine’s feature dimension list defines the protocols and ports to be observed on the network assets defined by its inclusion/exclusion rules. These dimensions are used by the engine to build its behavior models, which are used to report asset behavior insights, as well as deliver anomaly and threat alerts via the Plixer Scrutinizer alarm monitor.
Dimensions are managed from the Admin > Alarm Monitor > ML Dimensions view of the Plixer Scrutinizer web interface.
Dimension configuration
An ML dimension is defined by the following parameters:
Inclusion/asset type the dimension applies to (host/subnet or exporter interface)
Template field to use for grouping (sourceipaddress or destinationipaddress; host/subnet dimensions only)
Aggregation method to use (octetdeltacount or packetdeltacount)
Traffic port used
Note
A feature dimension is only observed for traffic associated with the type of inclusion (host/subnet or exporter interface) it was defined for.
Dimensions can be configured to apply to all or only internal traffic matching the definition. They can also be disabled and re-enabled as necessary.
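To make the four dimension parameters and the all-traffic/internal-only and enabled/disabled options concrete, the following added example (not Plixer code) models how a dimension definition selects flow records and aggregates them per asset. The flow records, the internal subnet and the destinationtransportport field name are constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: one internal subnet and three flow records whose
# keys mirror the template-field names used for grouping and aggregation.
INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal range
FLOWS = [
    {"sourceipaddress": "10.0.1.5", "destinationipaddress": "10.0.9.2",
     "destinationtransportport": 445, "octetdeltacount": 5000, "packetdeltacount": 40},
    {"sourceipaddress": "10.0.1.5", "destinationipaddress": "203.0.113.7",
     "destinationtransportport": 445, "octetdeltacount": 900, "packetdeltacount": 9},
    {"sourceipaddress": "10.0.1.7", "destinationipaddress": "10.0.9.2",
     "destinationtransportport": 22, "octetdeltacount": 300, "packetdeltacount": 3},
]

@dataclass
class Dimension:
    """A host/subnet dimension as described on this page (hypothetical model)."""
    group_field: str        # "sourceipaddress" or "destinationipaddress"
    aggregation: str        # "octetdeltacount" or "packetdeltacount"
    port: int               # traffic port the dimension observes
    internal_only: bool = False  # True = only internal-to-internal traffic
    enabled: bool = True

def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def observe(dim: Dimension, flows: list) -> dict:
    """Return {asset: aggregated value} for the flows this dimension selects."""
    if not dim.enabled:          # a disabled dimension produces no features
        return {}
    totals = defaultdict(int)
    for f in flows:
        if f["destinationtransportport"] != dim.port:
            continue             # wrong service for this dimension
        if dim.internal_only and not (
            is_internal(f["sourceipaddress"]) and is_internal(f["destinationipaddress"])
        ):
            continue             # external leg excluded by internal-only setting
        totals[f[dim.group_field]] += f[dim.aggregation]
    return dict(totals)
```

Running observe() with the same SMB dimension once for all traffic and once internal-only shows how the setting changes the per-asset value the behavior model would learn.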
Recommendations
Once deployed, the Plixer ML Engine defaults to Plixer’s recommended dimension definitions, which are based on the traffic in typical enterprise environments.
These default definitions should be reviewed and, if necessary, additional dimensions should be defined to monitor critical network services that are most often the target of attacks, such as:
Authentication - Kerberos, NTLM
Domain services - LDAP, DNS, DHCP
File sharing services - SMB, NFS, CIFS
Remote connectivity - SSH, Telnet, RDP, VNC, FTP
Email protocols - SMTP, POP3
Inter-process communication - ICMP
Application protocols - HTTP, HTTPS
Others - DB services, third-party APIs (especially those that connect to the Internet)