Network Tab Overview
Using the Network Activity tab, you can monitor and investigate network activity (flows) in real time or conduct advanced searches.
You must have permission to view the Network Activity tab.
For more information about permissions and assigning roles, see the Juniper Secure Analytics Administration Guide.
Select the Network Activity tab to visually monitor and investigate flow data in real time, or conduct advanced searches to filter the displayed flows. A flow is a communication session between two hosts. You can view flow information to determine how the traffic is communicated, and what was communicated (if the content capture option is enabled). Flow information can also include such details as protocols, Autonomous System Number (ASN) values, or Interface Index (IFIndex) values.
Network Activity Tab Toolbar
You can access the following options from the Network Activity tab toolbar:
Table 1: Network Activity Tab Toolbar Options
Options | Description |
---|---|
Search | Click Search to complete advanced searches on flows. For more information about the search feature, see Searches. |
Quick Searches | From this list box, you can run previously saved searches. Options are displayed in the Quick Searches list box only when you have saved search criteria that specifies the Include in my Quick Searches option. |
Add Filter | Click Add Filter to add a filter to the current search results. |
Save Criteria | Click Save Criteria to save the current search criteria. |
Save Results | Click Save Results to save the current search results. This option is only displayed after a search is complete. This option is disabled in streaming mode. |
Cancel | Click Cancel to cancel a search in progress. This option is disabled in streaming mode. |
False Positive | Click False Positive to open the False Positive Tuning window, where you can prevent flows that are known to be false positives from creating offenses. This option is disabled in streaming mode. See Exporting Flows. |
Rules | The Rules option is visible only if you have permission to view custom rules. Select one of the following options: Rules to view or create a rule. If you have permission to view rules, the summary page of the Rules wizard is displayed. If you have permission to maintain custom rules, you can edit the rule. Add Threshold Rule to create a threshold rule. A threshold rule tests flow traffic for activity that exceeds a configured threshold. Thresholds can be based on any data that is collected. For example, if you create a threshold rule indicating that no more than 220 clients can log in to the server between 8 am and 5 pm, the rule generates an alert when the 221st client attempts to log in. Add Behavioral Rule to create a behavioral rule. A behavioral rule tests flow traffic for volume changes in behavior that occurs in regular seasonal patterns. For example, if a mail server typically communicates with 100 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second, a behavioral rule generates an alert. For more information, see the Juniper Secure Analytics Administration Guide. |
Actions | Click Actions to complete the following actions: |
Search toolbar | |
View | The default view on the Network Activity tab is a stream of real-time events. The View list contains options to also view events from specified time periods. After you choose a specified time period from the View list, you can then modify the displayed time period by changing the date and time values in the Start Time and End Time fields. |
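The two rule types described in the Rules row above, a threshold rule (the 221st distinct client logging in to a server between 8 am and 5 pm) and a behavioral rule (a mail server jumping from about 100 to 1,000 hosts per second at night), can be made concrete with a small evaluator. The code below is an added example, not JSA's rule engine or any JSA API: the flow tuples, the learning window of ten seconds, the alert factor of 5 and all IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample data (not JSA output): each login flow is
# (timestamp, source_ip, destination_ip, destination_port).
SERVER = "192.0.2.10"
BASE = datetime(2024, 3, 4, 9, 0, 0)  # 09:00, inside the 08:00-17:00 window
LOGIN_FLOWS = [
    (BASE + timedelta(seconds=i), f"10.0.{i // 256}.{i % 256}", SERVER, 22)
    for i in range(221)  # 221 distinct clients: the last one breaches a limit of 220
]


def threshold_rule(flows, server_ip, limit,
                   window_start=time(8, 0), window_end=time(17, 0)):
    """Threshold rule: alert on the first flow that raises the number of distinct
    clients talking to server_ip inside the time window above `limit`.
    Returns (timestamp, client_ip) of the breaching flow, or None."""
    clients = set()
    for ts, src, dst, _port in sorted(flows):
        if dst != server_ip or not (window_start <= ts.time() <= window_end):
            continue
        clients.add(src)
        if len(clients) > limit:
            return ts, src
    return None


def learn_baseline(history):
    """Behavioral rule, learning step: from historical flows (timestamp, src, dst)
    compute the mean number of distinct destination hosts per second for each
    hour of the day. A production baseline spans whole seasons (days, weeks);
    the per-hour bucket here stands in for that seasonal pattern."""
    peers_per_second = defaultdict(set)
    for ts, _src, dst in history:
        peers_per_second[ts.replace(microsecond=0)].add(dst)
    per_hour = defaultdict(list)
    for ts, peers in peers_per_second.items():
        per_hour[ts.hour].append(len(peers))
    return {hour: sum(counts) / len(counts) for hour, counts in per_hour.items()}


def behavioral_rule(baseline, ts, observed_peers_per_second, factor=5.0):
    """Behavioral rule, test step: alert when the observed rate exceeds `factor`
    times the learned rate for that hour. Hours with no baseline return False
    rather than alerting on missing data (an assumption of this example)."""
    expected = baseline.get(ts.hour)
    if expected is None:
        return False
    return observed_peers_per_second > factor * expected


# Constructed history: a mail server talking to 100 distinct hosts per second at 03:00.
NIGHT = datetime(2024, 3, 3, 3, 0, 0)
MAIL_HISTORY = [
    (NIGHT + timedelta(seconds=s), "192.0.2.25", f"198.51.100.{h}")
    for s in range(10) for h in range(100)
]

if __name__ == "__main__":
    print("threshold breach:", threshold_rule(LOGIN_FLOWS, SERVER, 220))
    baseline = learn_baseline(MAIL_HISTORY)
    print("behavioral alert:", behavioral_rule(baseline, NIGHT + timedelta(days=1), 1000))
```

The threshold rule counts distinct clients rather than flows, so a single noisy client retrying cannot trip it on its own; the behavioral rule compares against the learned rate for the same hour, which is what lets a rate that is normal at noon still alert at 3 am.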
Right-click Menu Options
On the Network Activity tab, you can right-click a flow to access more flow filter criteria.
The right-click menu options are:
Table 2: Right-click Menu Options
Option | Description |
---|---|
Filter on | Select this option to filter on the selected flow, depending on the selected parameter in the flow. |
False Positive | Select this option to open the False Positive Tuning window, where you can prevent flows that are known to be false positives from creating offenses. This option is disabled in streaming mode. See Exporting Flows. |
More options | Select this option to investigate an IP address. See Investigating IP addresses (you can use several methods to investigate information about IP addresses on the Dashboard, Log Activity, and Network Activity tabs). Note: This option is not displayed in streaming mode. |
Quick Filter | Filter items that match, or do not match the selection. |
Status Bar
When streaming flows, the status bar displays the average number of results that are received per second.
This is the number of results the Console successfully received from the Event processors. If this number is greater than 40 results per second, only 40 results are displayed. The remainder is accumulated in the result buffer. To view more status information, move your mouse pointer over the status bar.
When flows are not streaming, the status bar displays the number of search results that are currently displayed and the amount of time that is required to process the search results.
OverFlow Records
If you have administrative permissions, you can specify the maximum number of flows that are sent from the JSA flow processor to the Event processors. All data that is collected after the configured flow limit has been reached is grouped into one flow record. This flow record is then displayed on the Network Activity tab with a source IP address of 127.0.0.4 and a destination IP address of 127.0.0.5, and is identified as OverFlow.
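Because everything past the flow limit is folded into the single 127.0.0.4 to 127.0.0.5 record, an interval that contains an OverFlow record is a blind spot: a search for a particular host pair in that interval may miss traffic without any error. The following added example (not JSA code) runs over constructed flow records to locate such intervals and to report how much of the interval's byte volume is unattributed; the record field names (`interval`, `source_ip`, `destination_ip`, `total_bytes`) and the one-minute bucketing are assumptions of the example, while the two loopback addresses are the ones the page states.

```python
# Addresses that JSA assigns to the aggregated OverFlow record (from the documentation).
OVERFLOW_SRC = "127.0.0.4"
OVERFLOW_DST = "127.0.0.5"

# Constructed sample records (not JSA output). `interval` is the one-minute bucket
# the flow was reported in; the field names are assumptions for this example.
SAMPLE_FLOWS = [
    {"interval": "2024-03-04T09:00", "source_ip": "10.1.1.5", "destination_ip": "192.0.2.80", "total_bytes": 4096},
    {"interval": "2024-03-04T09:00", "source_ip": "10.1.1.6", "destination_ip": "192.0.2.80", "total_bytes": 1024},
    {"interval": "2024-03-04T09:01", "source_ip": "10.1.1.5", "destination_ip": "192.0.2.53", "total_bytes": 512},
    {"interval": "2024-03-04T09:01", "source_ip": "10.1.1.7", "destination_ip": "192.0.2.80", "total_bytes": 2048},
    # Everything collected after the flow limit was reached in 09:01 was folded into this record.
    {"interval": "2024-03-04T09:01", "source_ip": OVERFLOW_SRC, "destination_ip": OVERFLOW_DST, "total_bytes": 9_000_000},
]


def is_overflow_record(flow):
    """True for the aggregated record the flow processor emits once the limit is hit."""
    return flow["source_ip"] == OVERFLOW_SRC and flow["destination_ip"] == OVERFLOW_DST


def overflow_report(flows):
    """Per interval: number of individual flow records, the bytes they carry, and
    the bytes hidden inside an OverFlow record (0 when the limit was not reached)."""
    report = {}
    for flow in flows:
        entry = report.setdefault(flow["interval"],
                                  {"flows": 0, "visible_bytes": 0, "overflow_bytes": 0})
        if is_overflow_record(flow):
            entry["overflow_bytes"] += flow["total_bytes"]
        else:
            entry["flows"] += 1
            entry["visible_bytes"] += flow["total_bytes"]
    return report


def intervals_with_blind_spots(flows):
    """Intervals in which the flow limit was reached, paired with the share of
    bytes that cannot be attributed to a host pair. Intended as a collection
    health check: a steady non-zero list means the limit or the collected
    traffic volume needs attention."""
    out = []
    for interval, entry in sorted(overflow_report(flows).items()):
        if entry["overflow_bytes"]:
            total = entry["visible_bytes"] + entry["overflow_bytes"]
            out.append((interval, round(entry["overflow_bytes"] / total, 4)))
    return out


if __name__ == "__main__":
    for interval, share in intervals_with_blind_spots(SAMPLE_FLOWS):
        print(f"{interval}: flow limit reached, {share:.1%} of bytes unattributed")
```

Running the check over an hour or a day of exported flows tells you whether searches in that range can be trusted; a high unattributed share means per-host investigations for those minutes should be treated as incomplete.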