9.0 Visualizing and Analyzing IP Flow Communications

IP Flow data helps you identify and analyze suspicious activities in your network. You can view the IP flow data for a tenant, a specific event, an IP address, or a time range.

IP Flow data helps you do the following:

  • Monitor network activities in near real time and those that occurred at the time of a security event for a given IP address.

  • Analyze the change in network activity before and after a security event.

  • Determine the impact of a security event on the resources of an affected system. For example, whether the network traffic into or out of a host changed after the security event.

  • Track network propagation behavior for attacks such as viruses, bots, and DDoS.

  • Remediate issues and verify the solution by network flow inspection. For example, you can verify whether you need to create a firewall rule to prevent such security issues.
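As an added example (not Sentinel code), the before/after comparison described above, carried out over a handful of constructed flow records: per-direction bytes, packets and flow counts for one host in a window either side of the event time, plus the outbound peers that only appear afterwards. The record layout, the event time, the host address and the flow records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    start: datetime  # flow start time
    src: str         # source IP address
    dst: str         # destination IP address
    nbytes: int      # bytes transferred
    packets: int     # packets transferred


EVENT_TIME = datetime(2024, 3, 1, 12, 0)  # constructed security event timestamp
HOST = "10.0.0.5"                          # constructed affected host

# Constructed sample flow records around the event (not Sentinel output).
FLOWS = [
    Flow(EVENT_TIME - timedelta(minutes=50), HOST, "10.0.0.20", 1200, 10),
    Flow(EVENT_TIME - timedelta(minutes=20), "10.0.0.20", HOST, 800, 6),
    Flow(EVENT_TIME + timedelta(minutes=5), HOST, "10.0.0.21", 150, 3),
    Flow(EVENT_TIME + timedelta(minutes=6), HOST, "10.0.0.22", 150, 3),
    Flow(EVENT_TIME + timedelta(minutes=30), HOST, "203.0.113.9", 90000, 700),
    Flow(EVENT_TIME + timedelta(hours=3), HOST, "10.0.0.20", 500, 4),  # outside window
]


def host_activity(flows, host, t0, t1):
    """Per-direction bytes, packets, flow count and peers for `host`, flows starting in [t0, t1)."""
    summary = {d: {"bytes": 0, "packets": 0, "flows": 0, "peers": set()} for d in ("in", "out")}
    for f in flows:
        # Keep only flows inside the window that involve the host.
        if f.start < t0 or f.start >= t1 or host not in (f.src, f.dst):
            continue
        direction, peer = ("out", f.dst) if f.src == host else ("in", f.src)
        s = summary[direction]
        s["bytes"] += f.nbytes
        s["packets"] += f.packets
        s["flows"] += 1
        s["peers"].add(peer)
    return summary


def before_after(flows, host, event_time, window=timedelta(hours=1)):
    """Compare the host's activity in the window before the event with the same window after it."""
    before = host_activity(flows, host, event_time - window, event_time)
    after = host_activity(flows, host, event_time, event_time + window)
    # Outbound peers first seen after the event are the ones to check for propagation.
    new_peers = after["out"]["peers"] - before["out"]["peers"]
    return before, after, new_peers
```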

To view and analyze IP Flow data, you must first configure Sentinel for IP Flow data collection. For more information about configuring IP Flow data collection, see Visualizing IP Flow Communications in the Sentinel Administration Guide.

You can view the IP Flow data in any of the following ways:

  • In Real-time Views: By default, you can view the IP Flow data in Sentinel Main > Real-time Views > IP Flow Events. IP Flow Events view provides a high-level overview of the IP Flow data in your environment.

  • From the search results for a specific event: In Sentinel Main, perform a search to view the desired events. In the search results, click the IP Flow icon for the Source IP address or the Destination IP address of the event.

  • IP Flow dashboards: You can view IP Flow dashboards in My Sentinel > Manage Dashboards.

    The IP Flow Overview dashboard helps you perform a detailed analysis of your network traffic at a much more granular level. The dashboard helps you analyze details such as communication between source and target computers, the top hosts and top ports sending data to a specific IP address, and geographical analysis of IP Flow events.

    NOTE: To view geographical locations of IP Flow events, ensure that the IpToCountry.csv file is populated by using the IP2Location Feed plug-in. For more information, see the IP2Location Feed documentation on the Sentinel Plug-ins Website.

    The IP Flow Real-time dashboard provides a graphical representation of the IP Flow data in real time and automatically refreshes at the specified interval. You can monitor the incoming and outgoing number of bytes, packets, and flows for the specified IP address.

    To view IP Flow dashboards, you must enable Event Visualization. For more information, see Configuring Elasticsearch for Event Visualization in the Sentinel Installation and Configuration Guide.

The IP Flow Events view and dashboards display IP Flow data for the default event criteria. You can update the default event criteria as required. For example, you can edit the criteria to view IP Flow events only for a specific tenant.