The Flow page has the normal three part layout of menu bar, facet and workspace.
There are two types of message (log) data stored in Fluency: the event (raw) data and the flow data. Flow data is merged data. Data in the last 90-days is kept in a warm state and the first time navigating to the Flow page will take longer than follow-up searches, which are hot.
Just below the "Pin this page" switch is the load icon. The page is waiting for a default response that the data is loaded. Once data is loaded the page is populated. The "Pin this Page" is seen throughout Fluency, and clicking it will force pages that normally would navigate away from the flow page to generate a new tab. In the v6.1 beta interface there is a lava switch. This switch allows users to switch between the LavaDB and Elastic. Elastic has a smaller window of data. Fluency is moving away from Elastic due to its inefficiencies, throughput limits, and lack of stability.
There are three common ways to navigate to this page:
From the Overlay Menu, choosing
From the RiskScore Page
From an Attribute dropdown selection
When navigating using the RiskScore or Attribute dropdown, the search fields and time range are pre-populated with the values from the event the attribute is related. When navigating from the menu, a default four (4) hour time window with an empty search is used.
Under the time selection is the Flow Table. This takes up the majority of the workspace and has a pagination widget above and below it. To the right of the pagination lists the number of pages in the result, current page showing, and the number of total flows. The pagination is set to a limit of 800. This is an arbitrary number. Searching and zooming will reduce the number of pages.
The network address drop down was shown above. This field normally shows the source and destination addresses. It is common to see either IPv4 or IPv6 data here. To the rights, in parentheses, is the port assigned to that address in the flow. This, with the time window and protocol, creates a tuple used for correlation.
It is possible that a network communication uses something other than IP addresses. In this case, the source and destination identifier is used. Examples would be datalink level flows and cell data flows.
This field is populated with the HTTP header host field. At times a passive field is presented on a flow too. The difference is the host field is the name the protocol is calling the destination, while the passive is what the network DNS is calling the destination. Also, a referer might show up. This is the value of the HTTP referer field that shows what page called this page.
This is the transport layer protocol used for the communication. The three most common are UDP, TCP and ICMP. If the layer is uncommon, the numeric value will appear.
Here is a list of the protocols by number.
Time will appear as a date and 24-hour time. The date is in US format of month-day, while the time is in 24-hour time. The time will appear, like the date range, as the time zone of the browser. To see the GMT time, use the </> icon to see the JSON. Time is in the field
start_ms, and is the epoch time of the start of the flow.
The bandwidth display is a combination of four values:
sent > Total < received : time duration
Any risk vector triggered during a session will appear as a red outlined tag with white background. The possible values are these tags are listed in the Risk Score section.
Alerts and messages from products are shown with a gold border, gold lettering and white background. These are the messages produced by the alerting device.
Tags are broken into two categories: informational and issue (incident) tags.
Devices and protocols that are parsed will add even more fields. All fields can be searched by using the dot notation. See searching for examples. Thought there are views for common devices, even fields that do not have views can be searched and added to the facet.
Hostname in the Host attribute of the header.
A direct Child to the host, provides the method, URI and response code.
Files that were returned from a request.
The name of the file (or MD5 if not given).
The derived type (by examination) and not the announced type.
The size of the file.
Number of Antivirus engines that triggered on this file.
The DNS name requested. DNS names are terminated with a period (.).
Time to live is the amount of time a system should cache the result. (answer only)
The type of DNS record.
The class of the DNS record.
Canonical Names are used as an alias to either another system name or to the address.