
FlowTraq Policies and Alerts in Action

By Gurdev Sethi | January 26, 2016



The latest release of FlowTraq adds many new and upgraded features, including fast visualization of long-term trends, fast DDoS detection, and scalability that lets users detect threats on a site-by-site basis or give end customers a view into their own traffic data.

Then there is the new policies and alerts functionality, which adds detection capability without performance-impact concerns. What's new?

  • Accept no anomalies: FlowTraq's anomaly detection is stronger and can alert on many new types of anomalies, and the improved interface gives more visibility into, and confidence in, the configuration.
  • Leverage live data: Detection and policy setup are simpler when you can use live data to determine and set accurate thresholds.
  • Get granular: With more than 20 configurable traffic-pattern policies, you can build a detection system that matches your deployment. Set policies for traffic groups, logical groupings, exporter interfaces or network-level groupings, and make them global or specific to a single traffic group or exporter interface. Policies are grouped by detection type for easy reference and at-a-glance insight.

For a real-world look at what's new in policies and alerts, see the use case below, which shows how one of our users set up custom alerts to flag increases in the number of new connections on a specific traffic group or exporter.

A policy that alerts on new connections can use a learned baseline: FlowTraq continually learns the average rate for each hour, and the baseline can be displayed graphically by hour of day or by day of the week.

Because the baseline follows your daily traffic pattern hour by hour, a threshold expressed as a percentage of the baseline is more meaningful than a fixed number.

For example, a threshold of 120% of baseline for new connections triggers an alert whenever the number of new connections rises 20% above the learned average for that hour.

 

[Screenshot: policy page] For this example we added a "new connections, workstations" policy; its box shows 2.7 new connections per second.

Multiple thresholds can be set on the same policy, each with its own severity level and action. In this case:

  1. A first threshold (the 120% of baseline from the example above) with severity 3 that raises an alert within FlowTraq;
  2. A threshold of 150% of baseline with severity 5 that triggers a send-to-syslog action; and
  3. A threshold of 200% of baseline with severity 9 that triggers a send-email action.
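The tiered, baseline-relative evaluation just described can be modelled in a few dozen lines. The following is an added example written for this post, not FlowTraq's own implementation: it learns an average new-connection rate for each hour of the week from constructed sample data (the 2.7 new connections per second shown on the policy page, plus an assumed overnight rate of 0.4 per second), then checks a current observation against the three threshold tiers above and returns the highest tier exceeded. The hour-of-week slot scheme, the running-mean baseline, the `min_rate` floor and every sample value other than 2.7 are assumptions made for the illustration.

```python
"""Tiered, baseline-relative thresholds for a 'new connections' policy.

Added example, not FlowTraq code. It models the behaviour described in the
post: a per-hour learned average (here, one running mean per hour of the
week), thresholds expressed as a percentage of that average, and a severity
plus an action attached to each threshold.
"""
from datetime import datetime, timedelta, timezone

SLOTS = 7 * 24  # one baseline slot per hour of the week (Mon 00:00 is slot 0)


def slot_of(ts: datetime) -> int:
    """Map a timestamp to its hour-of-week slot."""
    return ts.weekday() * 24 + ts.hour


class HourlyBaseline:
    """Continually learned mean new-connection rate (conn/s) per hour slot.

    Assumption: a plain running mean is enough to illustrate the idea; the
    post does not say which averaging scheme FlowTraq uses.
    """

    def __init__(self) -> None:
        self._sum = [0.0] * SLOTS
        self._count = [0] * SLOTS

    def learn(self, ts: datetime, rate: float) -> None:
        """Fold one hourly sample into that hour's average."""
        s = slot_of(ts)
        self._sum[s] += rate
        self._count[s] += 1

    def baseline(self, ts: datetime):
        """Learned average for the hour containing ts, or None if nothing learned yet."""
        s = slot_of(ts)
        return self._sum[s] / self._count[s] if self._count[s] else None


# Threshold tiers from the post: (percent of baseline, severity, action).
THRESHOLDS = [
    (120, 3, "alert"),   # 20% over the learned average: alert inside FlowTraq
    (150, 5, "syslog"),  # 50% over: send to syslog
    (200, 9, "email"),   # 100% over: send email
]


def evaluate(baseline, observed: float, thresholds=THRESHOLDS, min_rate: float = 0.0):
    """Return (percent_of_baseline, severity, action) for the highest tier exceeded.

    Returns None when the observation is within the baseline, when no baseline
    has been learned yet, or when `observed` is below `min_rate` (an assumed
    absolute floor that stops a tiny baseline from turning a handful of
    connections into a high-severity alert).
    """
    if baseline is None or baseline <= 0 or observed < min_rate:
        return None
    pct = 100.0 * observed / baseline
    hit = None
    for limit, severity, action in sorted(thresholds):  # ascending, so the last hit is the highest tier
        if pct >= limit:
            hit = (round(pct, 1), severity, action)
    return hit


def build_example_baseline() -> HourlyBaseline:
    """Train on constructed data (not real FlowTraq output): four Mondays of the
    'workstations' group at 2.7 new conn/s at 09:00 and 0.4 new conn/s at 03:00."""
    bl = HourlyBaseline()
    first_monday = datetime(2016, 1, 4, tzinfo=timezone.utc)
    for week in range(4):
        day = first_monday + timedelta(weeks=week)
        bl.learn(day.replace(hour=9), 2.7)
        bl.learn(day.replace(hour=3), 0.4)
    return bl


def run_example():
    """Evaluate constructed current-hour observations against the learned
    baseline; returns (observed, baseline, result) for each case."""
    bl = build_example_baseline()
    monday = datetime(2016, 2, 1, tzinfo=timezone.utc)
    cases = [
        (monday.replace(hour=9), 3.1),  # about 115%: under the 120% tier, quiet
        (monday.replace(hour=9), 3.3),  # about 122%: severity 3, alert
        (monday.replace(hour=9), 4.2),  # about 156%: severity 5, syslog
        (monday.replace(hour=9), 6.0),  # about 222%: severity 9, email
        (monday.replace(hour=9), 1.0),  # about 37%: well under baseline
        (monday.replace(hour=3), 1.0),  # the same rate at 03:00 is 250% of that hour's baseline
    ]
    return [(obs, round(bl.baseline(ts), 2), evaluate(bl.baseline(ts), obs))
            for ts, obs in cases]


if __name__ == "__main__":
    for observed, base, result in run_example():
        print(f"observed {observed:.1f}/s vs baseline {base:.1f}/s -> {result}")
```

The last two cases show why the per-hour baseline matters: 1.0 new connections per second is unremarkable at 09:00 but 250% of the learned 03:00 average, so it lands in the severity 9 tier. That sensitivity cuts both ways, which is what the assumed `min_rate` floor is for: with a baseline of 0.4 per second, a few extra connections are enough to cross 200%. Note also that this example keeps learning from every sample, so a sustained increase would gradually pull the baseline up; a production policy would not fold alerting windows back into the average.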

The policy page gives an overview of all configured policies. Once a policy is added, the overview shows whether its threshold has been met and whether an alert was triggered within the past hour: a red exclamation mark in the policy's box indicates that a threshold has been exceeded, while a green check mark means no alert has been triggered in the past hour.

 

[Screenshot: policy detail] Multiple thresholds on one policy.

This makes it straightforward to turn NetFlow data into alerts that fit your operational workflow.

 

[Screenshot: FlowTraq alert] The resulting alert as shown within FlowTraq.