Hosts

The Monitor > Policies tab can be used to investigate alarms within the specified time period based on a target or violating host.

The overview table can be set to include any of the following columns via the Available Columns button:

  • Severity: Distribution of individual events under the policy based on severity

  • Behavior: Host behavior information (Click the icon to view behavior summary or drill into the host behavior subview.)

  • Risk: Endpoint risk level (Click the icon to view endpoint details.)

  • Country/Group: IP group or country associated with the host

  • As Target: Total number of events with the host as a target

  • As Violator: Total number of events with the host as a violator

  • Policies: Total number of policy violations involving the host as a target or violator

  • First Observed: Timestamp of the first violating event involving the host within the specified time period

  • Last Observed: Timestamp of the most recent violating event involving the host within the specified time period

The three-dot icon/menu can be used to access the host information summary tray or pivot to any report supported by the host.

Note

  • Behavior information requires a Plixer One Enterprise license.

  • Risk information requires Plixer Endpoint Analytics integration to be enabled. To learn more about Plixer Endpoint Analytics integration in Plixer Scrutinizer, see the Plixer Endpoint Analytics integration section of this documentation.

  • The Country/Group column will display IP groups for internal hosts and countries for external addresses. Addresses can be designated as internal or external as part of IP group definitions.

Host details

Clicking on a hostname/address in the main list opens the host details page, which includes an overview pane and three (four if the host is an exporter) subviews with detailed insights related to the host’s activity.

Note

If Plixer Endpoint Analytics integration is enabled, the overview pane will include a section with additional endpoint information and a link to the corresponding Plixer Endpoint Analytics view.

Traffic

The host traffic subview can be used to inspect a host’s activity based on its communications with other hosts and/or IP groups.

This subview visualizes activity data for the host using the following charts:

  • An activity timeline showing the inbound (green) and outbound (blue) rates over the specified time period

  • A traffic distribution chart of source IP groups where this host is the destination

  • A traffic distribution chart representing the host’s activity by defined application used

  • A traffic distribution chart of destination IP groups where this host is the source

Each chart also includes a shortcut button to run a filtered report to break down the host’s activity in greater detail.

Behavior

The host behavior subview can be used to investigate a host that has been observed by the Plixer ML Engine to be exhibiting anomalous behavior.

Host behavior insights for the selected ML dimension are summarized in the following:

  • A timeline showing the deviation criteria (e.g., bytes or IP address count), magnitude (based on the host’s typical activity patterns), and threshold for the selected dimension

  • A table/list of timestamps and details for individual behavior deviations

To see behavior information for a different feature dimension, use the dropdown and select another dimension with an anomalous behavior count.

Further investigation is recommended for hosts with deviation magnitudes exceeding the indicated threshold.

Note

  • Behavior data will only be available for hosts that are covered by the Plixer ML Engine’s inclusion rules and have exhibited anomalous behavior.

  • Behavior modeling and other Plixer ML Engine functions require a Plixer One Enterprise license. Contact Plixer Technical Support to learn more.

Alarms

The host alarms subview can be used to investigate alarms in which the host was involved as a target and/or violator.

This subview includes two overviews of all unacknowledged alarms associated with the host:

  • A timeline showing individual events by alarm policy violated

  • A summary table (similar to the main Alarm Monitor policies view) with details for all policies with violations involving the host

Drilling in from the summary table opens the alarm details view for the policy, where event artifacts can be inspected individually.

Interfaces

The host interfaces subview consists of a table listing all interfaces on a flow-exporting device along with their inbound and outbound activity details.

Note

Inbound and outbound activity details use rates by default. If a custom interface speed has been assigned to an interface, utilization is shown instead.

To show high-water activity (inbound or outbound) details for an interface, hover over the corresponding information (i) icon in the table. Shortcuts to run reports or drill into interface traffic/behavior can be accessed from the three-dot menu.

Additional options

To support workflow efficiency, the host details page header includes buttons to access the following functions:

  • Changing the time period/range covered

  • Pivoting to any supported report type filtered on the current host

  • Viewing additional details and information from integrated sources (Learn more button)

  • Applying filters (alarms and interfaces subviews only)