
Metrics

In order to provide insightful Security Analytics and Monitoring, MOREAL backend engines prepare a set of metrics which are then presented in dashboards and IP profiles. They are also utilized by ThreatIQ components in order to extract significant conclusions on the behavior of monitored entities.

Currently, only syslog-based metrics are computed. Metrics and analytics for Netflow data are planned for inclusion in the next versions.

Terminology

  • Entity: A monitored object, or group of objects, in the monitored network. For example, a network/security device or a specific IP address.
  • Attribute: A variable (usually categorical) that distinguishes events from each other. For example, the direction of traffic or the protocol used in a network connection.
  • Metric: A (usually numerical) aggregate quantity that quantifies the behavior of a particular dimension (attribute) of an entity over a given time period.

Measured events

  • connections (count): The number of network connections, measured by counting connection-closing syslog traffic events for a given entity
  • firewall blocks (count): The number of firewall blocks, measured by counting denied syslog traffic events for a given entity
  • threats (count): The number of threat events in the corresponding logs from security devices
  • logins (count): The number of login attempts at a network/security device
  • failed logins (count): The number of failed login attempts at a network/security device
  • access-control events (count): The total number of events in access-control logs
  • blocked access-control events (count): The number of denied application-level events, as reported in access-control logs
  • emails (count): The number of emails, as reported in email logs (only selected devices)
  • spam (count): The number of spam emails, as reported in email logs (only selected devices)
  • VPN requests (count): The number of VPN connection attempts (only selected devices)
  • failed VPN requests (count): The number of failed VPN connection attempts (only selected devices)
  • services (unique count): The number of unique services, as translated from IANA-registered destination ports
  • threat IDs (unique count): The number of unique threat IDs in events reported by security devices
  • countries (unique count): The number of unique countries a given entity communicates with (from GeoIP translation)
  • AS numbers (unique count): The number of unique Autonomous Systems a given entity communicates with
  • external IPs (unique count): The number of unique external IPs a given entity communicates with

Full Table of metrics

Here is the full table of metrics, which are measured separately for incoming, outgoing and internal traffic. An extra category, named "unknown", is also reported when the direction of traffic cannot be determined from the available information. Not every metric exists in every direction: logins are reported for incoming and internal traffic only, access-control and VPN metrics for outgoing traffic only, and countries, AS numbers and external IPs have no internal category, since internal peers have none.

Metric name                    Description
connections_count_in           number of connections in incoming traffic
connections_count_out          number of connections in outgoing traffic
connections_count_prv          number of connections in internal traffic
connections_count_unknown      number of connections in traffic of undetermined direction
firewallBlocks_count_in        number of firewall blocks in incoming traffic
firewallBlocks_count_out       number of firewall blocks in outgoing traffic
firewallBlocks_count_prv       number of firewall blocks in internal traffic
firewallBlocks_count_unknown   number of firewall blocks in traffic of undetermined direction
threats_count_in               number of threat events in incoming traffic
threats_count_out              number of threat events in outgoing traffic
threats_count_prv              number of threat events in internal traffic
threats_count_unknown          number of threat events in traffic of undetermined direction
logins_count_in                number of logins in incoming traffic
logins_count_prv               number of logins in internal traffic
failedLogins_count_in          number of failed logins in incoming traffic
failedLogins_count_prv         number of failed logins in internal traffic
accCtrl_count_out              number of access-control events in outgoing traffic
blockedAccCtrl_count_out       number of blocked access-control events in outgoing traffic
emails_count_in                number of emails in incoming traffic
emails_count_out               number of emails in outgoing traffic
emails_count_prv               number of emails in internal traffic
emails_count_unknown           number of emails in traffic of undetermined direction
spam_count_in                  number of spam emails in incoming traffic
spam_count_out                 number of spam emails in outgoing traffic
spam_count_prv                 number of spam emails in internal traffic
spam_count_unknown             number of spam emails in traffic of undetermined direction
vpnRequests_count_out          number of VPN requests in outgoing traffic
failedVpnRequests_count_out    number of failed VPN requests in outgoing traffic
services_unique_out            number of unique services in outgoing traffic
services_unique_in             number of unique services in incoming traffic
services_unique_prv            number of unique services in internal traffic
services_unique_unknown        number of unique services in traffic of undetermined direction
threats_unique_in              number of unique threat IDs in incoming traffic
threats_unique_out             number of unique threat IDs in outgoing traffic
threats_unique_prv             number of unique threat IDs in internal traffic
threats_unique_unknown         number of unique threat IDs in traffic of undetermined direction
countries_unique_out           number of unique countries in outgoing traffic
countries_unique_in            number of unique countries in incoming traffic
countries_unique_unknown       number of unique countries in traffic of undetermined direction
asns_unique_out                number of unique AS numbers in outgoing traffic
asns_unique_in                 number of unique AS numbers in incoming traffic
asns_unique_unknown            number of unique AS numbers in traffic of undetermined direction
externalIPs_unique_out         number of unique external IPs in outgoing traffic
externalIPs_unique_in          number of unique external IPs in incoming traffic
externalIPs_unique_unknown     number of unique external IPs in traffic of undetermined direction
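The following is an added worked example of how the "Measured events" above turn into the direction-split metric names of the table. It is illustration code, not MOREAL's engine, and it assumes things the page does not state: the field names of a parsed syslog traffic record, the action labels "close" (a connection-closing event) and "deny" (a firewall block), RFC 1918 membership as the test for "internal", a small hand-written subset of the IANA port-to-service registry, and that unique services are counted over all traffic events for an entity, blocked ones included. The sample records are constructed, not real log data.

```python
"""Direction-split metrics from parsed syslog traffic events.

Added example, not MOREAL's own engine. Assumptions (not stated on the page):
the record field names, the action labels "close" (connection closing event)
and "deny" (firewall block), and RFC 1918 membership as the internal test.
"""
import ipaddress
from collections import defaultdict

# Assumption: internal == RFC 1918. Deliberately not ipaddress's is_private,
# which also flags the documentation ranges (198.51.100/24, 203.0.113/24)
# that serve as "external" peers in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Small hand-written subset of IANA-registered service names (assumption;
# stands in for the full registry). Unlisted ports fall back to the number.
IANA_SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http",
                 443: "https", 3389: "ms-wbt-server"}

# Constructed sample records (not real log data): one parsed traffic event each.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5",     "dst": "93.184.216.34", "dport": 443,  "action": "close"},
    {"src": "10.0.0.5",     "dst": "93.184.216.34", "dport": 80,   "action": "close"},
    {"src": "10.0.0.5",     "dst": "198.51.100.7",  "dport": 443,  "action": "close"},
    {"src": "10.0.0.5",     "dst": "10.0.0.9",      "dport": 22,   "action": "close"},
    {"src": "203.0.113.9",  "dst": "10.0.0.5",      "dport": 3389, "action": "deny"},
    {"src": "203.0.113.9",  "dst": "10.0.0.5",      "dport": 22,   "action": "deny"},
    {"src": "198.51.100.7", "dst": "10.0.0.5",      "dport": 22,   "action": "close"},
    {"src": "10.0.0.5",     "dst": "not-an-ip",     "dport": 53,   "action": "close"},
]


def is_internal(addr):
    """True/False for a parseable address, None when it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify traffic as in / out / prv; 'unknown' when direction cannot be determined."""
    s, d = is_internal(src), is_internal(dst)
    if s is None or d is None:
        return "unknown"        # unparseable address, direction undetermined
    if s and d:
        return "prv"            # internal traffic
    if s:
        return "out"            # internal source talking to an external peer
    if d:
        return "in"             # external source reaching an internal host
    return "unknown"            # neither side internal: not classifiable


def compute_metrics(entity, events):
    """Return {metric_name: value} for one entity, named as in the table above."""
    counts = defaultdict(int)
    uniques = defaultdict(set)
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        if entity not in (src, dst):
            continue                      # event does not involve this entity
        dirn = direction(src, dst)
        peer = dst if src == entity else src
        if ev["action"] == "close":
            counts[f"connections_count_{dirn}"] += 1
        elif ev["action"] == "deny":
            counts[f"firewallBlocks_count_{dirn}"] += 1
        # Assumption: unique services are counted over every traffic event,
        # blocked ones included, translated through the IANA subset.
        uniques[f"services_unique_{dirn}"].add(
            IANA_SERVICES.get(ev["dport"], str(ev["dport"])))
        if is_internal(peer) is False:    # only parseable, non-internal peers
            uniques[f"externalIPs_unique_{dirn}"].add(peer)
    metrics = dict(counts)
    metrics.update({name: len(s) for name, s in uniques.items()})
    return metrics


if __name__ == "__main__":
    for name, value in sorted(compute_metrics("10.0.0.5", SAMPLE_EVENTS).items()):
        print(f"{name:28} {value}")
```

Two points worth noticing when running this: the last sample record lands in the "unknown" bucket because its destination does not parse, which is exactly the case the table's `*_unknown` rows exist for; and `ipaddress.ip_address(...).is_private` is avoided on purpose, since it would also classify the documentation ranges used as external peers here as private and silently move those events from in/out to prv.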