Investigate traffic flows using Flow Explorer

Use Flow Explorer to view the details of traffic flows and analyze the traffic logs for data transferred between Managed Assets, Discovered Assets, Workload Groups, Domain Groups, and Endpoint Groups, including the IP addresses and hostnames they use, the tags and departments they are associated with, and the User IDs involved.

You can also create APIs to collect data from the Flow Explorer utility and visualize the traffic flows with tools such as Splunk.

The Asset filters you choose here are automatically applied to the HUD dashboard, the Visualizer, and the Assets pages. The Advanced filters persist across your logins to Xshield.

  • Go to Information Center > Flow Explorer.

  • Select a time duration from the TIME INTERVAL drop-down list.

    You can filter flows for the last 30 minutes, 1 hour, 24 hours, 7 days, or 30 days. You can also specify a custom time duration.


Apply Asset filters

Asset filters provide the capabilities to filter inventory and telemetry data for the Xshield instance. Asset filters can help you filter the following data:

  • Asset inventory listed on the Assets page

  • Traffic flows for a subset of assets, on the Visualizer and Flow Explorer pages

Asset filters are located at the top of the Flow Explorer page.

Filter - Description

  • Managed Groups - names of the Workload groups created in the instance

  • IPs - IP addresses of the workloads and User assets

  • Hostnames - hostnames of the workloads and User assets

  • Tags - values of the tags assigned to the workloads

  • OS - OSes on the workloads and User assets that are registered with the instance. For example, CentOS Linux 7 (Core).

  • Hardware - architectures of the CPUs on the workloads and User assets. For example, 8-Core Intel Core 9 @ 2.4 GHz

  • Severity - severity levels of the alerts generated on the workloads and User assets: Critical, High, Medium, and Low

  • CVE ID - Common Vulnerabilities and Exposures (CVE) IDs of the vulnerabilities on the workloads. For example, CVE-2019-1053.


Apply Advanced filters

Filter traffic flows by the advanced filters located below the Asset filters.

The filters are Policy action (Authorized, Unauthorized, Blocked), Unsafe flows (low reputation or vulnerable), Anomalous flows, the protocol used, the processes used, the source and destination assets or groups, the users, the departments to which those users belong, the services (port and protocol combinations) used by the flows, and the geographical location (country or city) of the source or destination of the flows.

Filter Operands
POLICY ACTION
  • Authorized 

  • Unauthorized 

  • Block 

UNSAFE FLOWS
  • Low Reputed 

  • Vulnerable 

ANOMALY FLOWS
  • Inbound scan - generated when a workload receives five or more inbound connection requests on blocked ports within the last one hour

    If additional ports are scanned on a workload, the original alert is updated to include the additional ports.

    Scans from public entities are titled 'Public inbound scan' and scans from private entities are titled 'Lateral inbound scan'.

PROTOCOL

protocols involved in the flows - TCP, UDP, ICMP, and IGMP

PROCESS

absolute paths of the processes involved in the flows. For example, C:\Users\ctuser\AppData\Local\Microsoft\Teams\current\Teams.exe.

SOURCE

source workloads and User assets that generated the flows. Select an operand and enter its value in the Search box

  • Hostnames - hostnames of the source workloads and User assets

  • IPs - IP addresses of the source workloads and User assets

  • Managed Groups - Workload groups to which the workloads that generated the flows belong

  • Tags - values of the tags assigned to the source workloads

  • Private Networks - flows whose source has a private (internal network) IP address

  • Internet - flows whose source has a public Internet IP address

DESTINATION

Destination workloads and User assets that received the flows. Select an operand and enter its value in the Search box

  • Hostnames - hostnames of the destination workloads and User assets

  • IPs - IP addresses of the destination workloads and User assets

  • Managed Groups - Workload groups to which the workloads that received the flows belong

  • Tags - values of the tags assigned to the destination workloads

  • Private Networks - flows whose destination has a private (internal network) IP address

  • Internet - flows whose destination has a public Internet IP address

DEPARTMENTS

Departments in IDP/LDAP 

USERS

Usernames of the users involved in the flows

SERVICES

Combination of port and protocol

GEO LOCATION

Geolocation of source and destination involved in the flow

  • Click Search.

    You will see flows for the filters you applied. You will also see the number of assets for which you are seeing the flows.
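The Inbound scan anomaly defined above (five or more inbound connection requests on blocked ports from one source within an hour, one alert per workload that is updated with additional ports, and a title that depends on whether the scanner is a public or a private entity) is a rule a defender can reproduce offline against exported flows. The following is an added example written for this page, not Xshield's own detection code: the Flow record shape, the sample flows, and the use of the RFC 1918 ranges to decide "private" are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    """One inbound connection attempt as a workload saw it (constructed shape)."""
    ts: datetime
    src: str        # source IP address
    workload: str   # destination workload (hostname)
    port: int       # destination port
    action: str     # policy action: Authorized, Unauthorized or Blocked


@dataclass
class ScanAlert:
    workload: str
    source: str
    title: str                  # 'Public inbound scan' or 'Lateral inbound scan'
    first_seen: datetime
    last_seen: datetime
    ports: set = field(default_factory=set)


# Assumption: "private entity" means an RFC 1918 source. ipaddress's is_private
# is deliberately not used: it also treats documentation ranges such as
# 203.0.113.0/24 as non-global, which would mislabel the sample below.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scan_title(src_ip: str) -> str:
    """Title the alert by whether the scanner is a private (lateral) or public entity."""
    addr = ip_address(src_ip)
    return "Lateral inbound scan" if any(addr in n for n in PRIVATE_NETS) else "Public inbound scan"


def detect_inbound_scans(flows, threshold=5, window=timedelta(hours=1)):
    """Five or more blocked inbound requests to one workload from one source within
    the window raise a single alert; later ports from the same pair update that
    alert instead of raising a new one."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.action == "Blocked":            # only requests on blocked ports count
            by_pair[(f.workload, f.src)].append(f)

    alerts = {}
    for key, events in by_pair.items():
        events.sort(key=lambda f: f.ts)
        recent = deque()                     # sliding window of the last hour
        for ev in events:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:
                recent.popleft()
            if key in alerts:                # existing alert: add the new port only
                alerts[key].ports.add(ev.port)
                alerts[key].last_seen = ev.ts
            elif len(recent) >= threshold:
                alerts[key] = ScanAlert(workload=key[0], source=key[1], title=scan_title(key[1]),
                                        first_seen=recent[0].ts, last_seen=ev.ts,
                                        ports={e.port for e in recent})
    return alerts


def _t(hhmm):  # constructed timestamps on a single day
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: a lateral scan that trips the rule and grows, a public
# source that stays under the threshold, and a public scan that trips it.
SAMPLE_FLOWS = [
    Flow(_t("09:00"), "10.0.0.5", "web-01", 22, "Blocked"),
    Flow(_t("09:03"), "10.0.0.5", "web-01", 23, "Blocked"),
    Flow(_t("09:07"), "10.0.0.5", "web-01", 135, "Blocked"),
    Flow(_t("09:11"), "10.0.0.5", "web-01", 139, "Blocked"),
    Flow(_t("09:15"), "10.0.0.5", "web-01", 445, "Blocked"),     # fifth request: alert raised
    Flow(_t("09:20"), "10.0.0.5", "web-01", 3389, "Blocked"),    # added to the existing alert
    Flow(_t("09:21"), "10.0.0.5", "web-01", 443, "Authorized"),  # allowed port: not counted
    Flow(_t("10:00"), "203.0.113.9", "web-01", 21, "Blocked"),
    Flow(_t("10:02"), "203.0.113.9", "web-01", 22, "Blocked"),
    Flow(_t("10:04"), "203.0.113.9", "web-01", 23, "Blocked"),
    Flow(_t("10:05"), "203.0.113.9", "web-01", 25, "Blocked"),
    Flow(_t("12:00"), "203.0.113.9", "web-01", 80, "Blocked"),   # outside the one-hour window
    Flow(_t("14:00"), "198.51.100.4", "db-01", 1433, "Blocked"),
    Flow(_t("14:01"), "198.51.100.4", "db-01", 3306, "Blocked"),
    Flow(_t("14:02"), "198.51.100.4", "db-01", 5432, "Blocked"),
    Flow(_t("14:03"), "198.51.100.4", "db-01", 1521, "Blocked"),
    Flow(_t("14:04"), "198.51.100.4", "db-01", 27017, "Blocked"),
]

if __name__ == "__main__":
    for alert in detect_inbound_scans(SAMPLE_FLOWS).values():
        print(f"{alert.title}: {alert.source} -> {alert.workload} ports {sorted(alert.ports)} "
              f"({alert.first_seen:%H:%M}-{alert.last_seen:%H:%M})")
```

Run against the sample, the 10.0.0.5 source produces one Lateral inbound scan alert covering six ports, the 198.51.100.4 source a Public inbound scan, and the 203.0.113.9 source nothing, because its fifth request falls outside the hour.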


Investigate flows

Use the following to interpret and investigate the details of the flows efficiently.

  • Set Rows per page to 100 to go through the flows in less time.

  • By default, the flow records display only important parameters.

    If you want to see more or all parameters for the flows, click + and select the parameters.

    The additional parameters are Source Reputation, Source Threat Type, Source Geo Location, Source Port, Source Entities, Source Tags, Service, Destination Reputation, Destination Threat Type, Destination Geo Location, Destination Port, Destination Entities, Destination Tags, Process, User Id, Department, Policy Action, Session State, Updated Time, Duration, and Session Id.

    For parameters that are not applicable to a flow, you will see a hyphen (-) in the corresponding cell.

  • Click the Download icon at the top of the table to download the flows as a CSV file.

    You can use advanced Microsoft Excel features to analyze these flows offline.
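Offline analysis of the downloaded CSV does not require a spreadsheet. The script below is an added example, not part of the page or of Xshield: it assumes the export's column headers match the parameter names listed above (the exact header set of a real export is an assumption), treats the hyphen placeholder as "not applicable" rather than as a value, and pivots the denied flows the way an analyst would in Excel. It also assumes that a Policy Action of Unauthorized denotes a flow observed without a matching authorizing policy.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Flow Explorer CSV export. Column names
# follow the parameters the page lists; "-" marks a parameter that does not
# apply to the flow, exactly as the page describes the table cells.
SAMPLE_CSV = """\
Source,Destination,Destination Port,Service,Process,Policy Action,Session State,User Id
web-01,db-01,3306,3306/TCP,/usr/sbin/mysqld,Authorized,Established,-
hr-pc-12,file-srv,445,445/TCP,C:\\Windows\\System32\\svchost.exe,Authorized,Established,jdoe
hr-pc-12,db-01,3306,3306/TCP,-,Blocked,-,jdoe
10.0.0.5,web-01,22,22/TCP,-,Blocked,-,-
10.0.0.5,web-01,23,23/TCP,-,Blocked,-,-
203.0.113.9,web-01,3389,3389/TCP,-,Unauthorized,Established,-
hr-pc-12,db-01,3306,3306/TCP,-,Blocked,-,jdoe
"""


def load_flows(csv_text):
    """Parse the export; '-' cells become None so 'not applicable' is never
    counted as a real value when grouping."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: (None if v == "-" else v) for k, v in row.items()} for row in reader]


def summarize(flows):
    """Aggregate flows the way an analyst would pivot them: who was denied,
    against which service, under which user, and which unauthorized flows
    nonetheless reached an established session."""
    denied = [f for f in flows if f["Policy Action"] in ("Blocked", "Unauthorized")]
    return {
        "by_action": Counter(f["Policy Action"] for f in flows),
        "denied_by_target": Counter((f["Destination"], f["Service"]) for f in denied),
        "denied_by_source": Counter(f["Source"] for f in denied),
        # None (the '-' cells) is filtered out so it does not appear as a "user"
        "denied_users": sorted({f["User Id"] for f in denied if f["User Id"]}),
        # Unauthorized but Established: no authorizing policy, yet not blocked.
        # These are the first rows to review when tightening policy.
        "unauthorized_established": [
            (f["Source"], f["Destination"], f["Service"]) for f in flows
            if f["Policy Action"] == "Unauthorized" and f["Session State"] == "Established"
        ],
    }


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("flows.csv").read() for a real download.
    report = summarize(load_flows(SAMPLE_CSV))
    print("Flows by policy action:", dict(report["by_action"]))
    for (dst, svc), n in report["denied_by_target"].most_common():
        print(f"  denied -> {dst} {svc}: {n}")
    print("Denied sources:", dict(report["denied_by_source"]))
    print("Users with denied flows:", report["denied_users"])
    print("Unauthorized but established:", report["unauthorized_established"])
```

On the sample, the repeated Blocked flows from hr-pc-12 to db-01 on 3306/TCP under user jdoe stand out as a candidate for either a policy fix or a follow-up with the user, and the single Unauthorized flow that still established a session to web-01 on 3389/TCP is the row to look at first.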
