
description: How to use the Flow page features.

Flows

The Flow page has the normal three part layout of menu bar, facet and workspace.

There are two types of message (log) data stored in Fluency: the event (raw) data and the flow data. Flow data is merged data. Data from the last 90 days is kept in a warm state, so the first visit to the Flow page takes longer than follow-up searches, which run against hot data.

Page Loading

Just below the “Pin this page” switch is the load icon. While it is shown, the page is waiting for the default query to return; once the data is loaded the page is populated. The “Pin this page” switch is seen throughout Fluency; clicking it forces pages that would normally navigate away from the Flow page to open in a new tab instead. In the v6.1 beta interface there is a lava switch. This switch lets users choose between LavaDB and Elastic. Elastic holds a smaller window of data. Fluency is moving away from Elastic due to its inefficiencies, throughput limits, and lack of stability.

Getting Here

There are three common ways to navigate to this page:

  • From the Overlay Menu, choosing Global->Flow
  • From the RiskScore Page
  • From an Attribute dropdown selection

When navigating from the RiskScore page or an Attribute dropdown, the search fields and time range are pre-populated with the values from the event the attribute is related to. When navigating from the menu, a default four (4) hour time window with an empty search is used.

Flow Table

Under the time selection is the Flow Table. This takes up the majority of the workspace and has a pagination widget above and below it. To the right of the pagination widget are the number of pages in the result, the page currently showing, and the total number of flows. Pagination is limited to 800 pages; this is an arbitrary number. Searching and zooming will reduce the number of pages.

Basic Flow Elements

Network Addresses

The network address drop down was shown above. This field normally shows the source and destination addresses; either IPv4 or IPv6 data is common here. To the right, in parentheses, is the port assigned to that address in the flow. Together with the time window and protocol, this forms the tuple used for correlation.

A network communication may use something other than IP addresses. In that case, the source and destination identifiers are used instead. Examples are datalink-level flows and cell data flows.

Hostname / Passive DNS / Referrer

This field is populated with the HTTP Host header. At times a passive DNS field is presented on a flow too. The difference is that the Host field is the name the protocol is calling the destination, while the passive DNS value is what the network's DNS is calling the destination. A referrer might also appear: this is the value of the HTTP Referer header, which shows what page called this page.

Protocol

This is the transport layer protocol used for the communication. The three most common are UDP, TCP and ICMP. If the protocol is uncommon, its numeric value appears instead.

Here is a list of the protocols by number.

Time

Time appears as a date and a 24-hour time. The date is in US month-day format. The time, like the date range, is shown in the browser's time zone. To see the GMT time, use the </> icon to view the JSON: the field start_ms holds the epoch time of the start of the flow.

Bandwidth

The bandwidth display is a combination of four values:

sent > Total < received : time duration
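The following Python is an added example, not Fluency's own code, that builds the Flow Table elements described above (address/port pairs and the correlation tuple, protocol name or number, start_ms rendered in GMT, and the four-value bandwidth string) from one flow record. Only start_ms is a field name the page gives; the other keys, and the assumption that start_ms is epoch milliseconds, are constructed for this example.

```python
from datetime import datetime, timezone
import json

# Transport protocol numbers the page names; anything else is shown numerically.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample flow record. Only "start_ms" is a field name the page
# gives; the other keys are assumptions for this example.
SAMPLE_FLOW = json.dumps({
    "start_ms": 1700000000000, "duration_ms": 2500, "proto": 6,
    "src": "10.0.0.5", "sport": 51234, "dst": "2001:db8::1", "dport": 443,
    "sent": 1200, "received": 34800,
})

def proto_label(number):
    """Name for the common transport protocols, numeric string otherwise."""
    return PROTO_NAMES.get(number, str(number))

def flow_tuple(flow):
    """Address/port pairs plus protocol: with the time window, the key
    flows are correlated on."""
    return (flow["src"], flow["sport"], flow["dst"], flow["dport"],
            proto_label(flow["proto"]))

def address_display(flow):
    """Source and destination as shown in the table: address (port)."""
    return f'{flow["src"]} ({flow["sport"]}) -> {flow["dst"]} ({flow["dport"]})'

def start_time_gmt(flow):
    """start_ms is assumed to be epoch milliseconds; the table shows browser-local
    time, so render GMT here as the JSON view would let you derive it."""
    ts = datetime.fromtimestamp(flow["start_ms"] / 1000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")

def bandwidth_display(flow):
    """The four-value bandwidth element: sent > total < received : duration."""
    total = flow["sent"] + flow["received"]
    secs = flow["duration_ms"] / 1000
    return f'{flow["sent"]} > {total} < {flow["received"]} : {secs:g}s'

def render(raw):
    """Parse one JSON flow record and return the displayed elements."""
    flow = json.loads(raw)
    return {"addresses": address_display(flow), "protocol": proto_label(flow["proto"]),
            "time_gmt": start_time_gmt(flow), "bandwidth": bandwidth_display(flow),
            "tuple": flow_tuple(flow)}

if __name__ == "__main__":
    for key, value in render(SAMPLE_FLOW).items():
        print(f"{key:>10}: {value}")
```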

Risk Vectors

Any risk vector triggered during a session appears as a red-outlined tag with a white background. The possible values for these tags are listed in the Risk Score section.

Product Alerts

Alerts and messages from products are shown with a gold border, gold lettering and a white background. These are the messages produced by the alerting device.

Tags

Tags are broken into two categories: informational and issue (incident) tags.

Custom Fields

Devices and protocols that are parsed add even more fields. All fields can be searched using dot notation; see Searching for examples. Though there are views for common devices, even fields that do not have views can be searched and added to the facet.

HTTP

Field            Description
Hostname         Hostname in the Host attribute of the header.
Request          A direct child of the host entry; provides the method, URI and response code.
Responded Files  Files that were returned from a request.

Files

Field      Description
Name       The name of the file (or its MD5 if no name is given).
Type       The derived type (by examination), not the announced type.
Size       The size of the file.
Positives  Number of antivirus engines that triggered on this file.

DNS

Field  Description
Name   The DNS name requested. DNS names are terminated with a period (.).
TTL    Time to live: how long a system should cache the result (answer records only).
Type   The type of DNS record.
Class  The class of the DNS record.
CNAME  Canonical Names are used as an alias to either another system name or to the address.