Flow Analytics algorithms
The Admin > Alarm Monitor > Flow Analytics Algorithms page can be used to enable/disable, inspect, or reconfigure individual FA algorithms.
The main view consists of a graph showing total duration of observations/detections and a table listing the following details and settings for each algorithm:
Column | Description
Status | Current state of the algorithm (green: Active, grey: Inactive)
Exporters | Number of exporters defined as inclusions for the algorithm
Groups | Number of security groups defined as inclusions for the algorithm
Exclusions | Number of exclusions (IP addresses, subnets, IP groups, etc.) defined for the algorithm
Policies | Number of alarm policies associated with the algorithm
Filters can be applied to quickly find specific algorithms, and the table can be exported for external use.
Algorithm configuration
To view or make changes to the current settings of an FA algorithm, open the configuration tray by clicking on the algorithm.
Inclusions
When defining inclusions for an algorithm, exporters can be added individually or through security groups:
1. Expand the Exporters or Security Groups section of the tray and click the edit (pencil) button.
2. In the secondary tray, use the checkboxes to select the exporters or security groups to add to the inclusion list.
   Hint: Use the search field to quickly find specific exporters or security groups.
3. Close the trays to return to the main view.
Algorithm inclusion lists can be edited at any time. Exporters or security groups can also be removed by clicking the delete (trash bin) icon after expanding the corresponding section in the configuration tray.
Exclusions
To define traffic to be exempted from monitoring using a specific FA algorithm, add exclusions as follows:
1. Expand the Exclusions section of the configuration tray, and then click the + button.
2. In the secondary tray, use the dropdown to select the type of exclusion to add.
3. Enter the details/criteria (based on the type) for the exclusion.
4. Click the Apply button to save the exclusion.
5. Repeat these steps for each additional exclusion.
Exclusions can be added or removed at any time. To delete an exclusion, click the delete (trash bin) icon after expanding the Exclusions section of the configuration tray.
Hint: Assign devices with similar Flow Analytics requirements to an IP group to quickly add them to any algorithm's exclusion list using the Child Group exclusion type. The default DNS Servers, Public WiFi, Network Scanners, and SNMP Pollers IP groups are already defined as exclusions where necessary and only need to be populated after Plixer Scrutinizer is deployed.
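The following is an added illustration (not Plixer Scrutinizer's own code) of how the inclusion and exclusion settings described above combine to decide whether an algorithm examines a flow: a disabled algorithm or a non-included exporter is skipped outright, and any matching exclusion (IP, subnet, or Child Group) exempts the traffic. The algorithm name, exporter names, IP groups and addresses are constructed; it also includes a check for the caveat in the hint, Child Group exclusions whose IP group has not yet been populated and therefore exclude nothing.

```python
from ipaddress import ip_address, ip_network

# Constructed IP group membership (group name -> member networks). Default
# groups such as Network Scanners exist as exclusions but start empty.
IP_GROUPS = {
    "DNS Servers": ["10.0.0.53/32"],
    "Network Scanners": [],
}

# Constructed algorithm configuration mirroring the tray: enable toggle,
# exporter inclusions, and typed exclusions (ip / subnet / child_group).
EXAMPLE_ALGORITHM = {
    "enabled": True,
    "exporters": {"core-rtr-1", "edge-fw-1"},
    "exclusions": [
        ("ip", "192.0.2.10"),
        ("subnet", "10.20.0.0/16"),
        ("child_group", "DNS Servers"),
        ("child_group", "Network Scanners"),
    ],
}

def in_ip_group(addr, group):
    """True if addr falls inside any member network of the named IP group."""
    return any(ip_address(addr) in ip_network(n) for n in IP_GROUPS.get(group, []))

def matches_exclusion(addr, exclusion):
    """Evaluate one typed exclusion against a single address."""
    kind, value = exclusion
    if kind == "ip":
        return ip_address(addr) == ip_address(value)
    if kind == "subnet":
        return ip_address(addr) in ip_network(value)
    if kind == "child_group":
        return in_ip_group(addr, value)
    raise ValueError(f"unknown exclusion type: {kind}")

def is_evaluated(algo, exporter, src_ip):
    """Would this algorithm examine a flow from `exporter` with source `src_ip`?"""
    if not algo["enabled"] or exporter not in algo["exporters"]:
        return False
    return not any(matches_exclusion(src_ip, e) for e in algo["exclusions"])

def unpopulated_group_exclusions(algo):
    """Child Group exclusions whose IP group has no members exclude nothing yet."""
    return sorted(v for k, v in algo["exclusions"]
                  if k == "child_group" and not IP_GROUPS.get(v))
```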
Algorithm settings
To modify how an algorithm is applied to collected flow data, click Settings to access additional settings for the algorithm. After making desired changes, click Apply to save the new settings or Defaults to revert to default values.
For a full list of additional settings by algorithm, see this table.
Enabling/disabling algorithms
To optimize performance and resource utilization, FA algorithms that are not applicable to the current Plixer Scrutinizer environment can be disabled.
This is done using the enable/disable toggle in the configuration tray. The Admin > Settings > System Preferences view can also be used to disable algorithms with similar applications as part of predefined feature sets.
Bulk actions
When one or more algorithms are selected using the checkboxes, the following batch configuration actions can be accessed via the Bulk Actions button:
- Add sources/inclusions (exporters and/or security groups) to all selected algorithms
- Enable or disable all selected algorithms
For further details on FA algorithms and configuration recommendations, see the configuration guide for Flow Analytics.