To support security analytics and monitoring, the MOREAL backend engines compute a set of metrics that are presented in dashboards and IP profiles. The same metrics are also consumed by the ThreatIQ components to draw conclusions about the behavior of monitored entities.
Currently only syslog-based metrics are computed; metrics and analytics for NetFlow data are planned for upcoming versions.
The table below lists all metrics measured for incoming, outgoing and internal traffic. An extra category, “unknown”, is reported when the direction of the traffic cannot be determined from the available information.
| Metric name | Description |
|---|---|
| connections_count_in | number of connections in incoming traffic |
| connections_count_out | number of connections in outgoing traffic |
| connections_count_prv | number of connections in internal traffic |
| connections_count_unknown | number of connections in non-internal traffic |
| firewallBlocks_count_in | number of firewall blocks in incoming traffic |
| firewallBlocks_count_out | number of firewall blocks in outgoing traffic |
| firewallBlocks_count_prv | number of firewall blocks in internal traffic |
| firewallBlocks_count_unknown | number of firewall blocks in non-internal traffic |
| threats_count_in | number of threats in incoming traffic |
| threats_count_out | number of threats in outgoing traffic |
| threats_count_prv | number of threats in internal traffic |
| threats_count_unknown | number of threats in non-internal traffic |
| logins_count_in | number of logins in incoming traffic |
| logins_count_prv | number of logins in internal traffic |
| failedLogins_count_in | number of failed logins in incoming traffic |
| failedLogins_count_prv | number of failed logins in internal traffic |
| accCtrl_count_out | number of access-control events in outgoing traffic |
| blockedAccCtrl_count_out | number of blocked access-control events in outgoing traffic |
| emails_count_in | number of emails in incoming traffic |
| emails_count_out | number of emails in outgoing traffic |
| emails_count_prv | number of emails in internal traffic |
| emails_count_unknown | number of emails in non-internal traffic |
| spam_count_in | number of spam messages in incoming traffic |
| spam_count_out | number of spam messages in outgoing traffic |
| spam_count_prv | number of spam messages in internal traffic |
| spam_count_unknown | number of spam messages in non-internal traffic |
| vpnRequests_count_out | number of VPN requests in outgoing traffic |
| failedVpnRequests_count_out | number of failed VPN requests in outgoing traffic |
| services_unique_out | number of unique services in outgoing traffic |
| services_unique_in | number of unique services in incoming traffic |
| services_unique_prv | number of unique services in internal traffic |
| services_unique_unknown | number of unique services in non-internal traffic |
| threats_unique_in | number of unique threats in incoming traffic |
| threats_unique_out | number of unique threats in outgoing traffic |
| threats_unique_prv | number of unique threats in internal traffic |
| threats_unique_unknown | number of unique threats in non-internal traffic |
| countries_unique_out | number of unique countries in outgoing traffic |
| countries_unique_in | number of unique countries in incoming traffic |
| countries_unique_unknown | number of unique countries in non-internal traffic |
| asns_unique_out | number of unique AS numbers in outgoing traffic |
| asns_unique_in | number of unique AS numbers in incoming traffic |
| asns_unique_unknown | number of unique AS numbers in non-internal traffic |
| externalIPs_unique_out | number of unique external IPs in outgoing traffic |
| externalIPs_unique_in | number of unique external IPs in incoming traffic |
| externalIPs_unique_unknown | number of unique external IPs in non-internal traffic |
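To make the direction split and the count/unique distinction concrete, the following is an added example, not MOREAL's own code, that derives a subset of the metrics above from a few constructed, already-parsed syslog events. It assumes (none of this is stated on the page) that an event has been normalized to a dict with `type`, `src`, `dst` and optional `service`, `signature`, `country` and `asn` fields, that RFC 1918, loopback and link-local addresses are "internal", and that an event whose source or destination address is missing or unparseable, or where both ends are external, falls into the "unknown" direction. Parsing a vendor's raw syslog format into these fields is outside the example.

```python
"""Added example (not MOREAL code): compute directional syslog metrics.

Assumptions, not taken from the page: events are dicts with 'type', 'src',
'dst' and optional 'service', 'signature', 'country', 'asn'; RFC 1918,
loopback and link-local addresses count as internal; 'unknown' covers a
missing/unparseable address and an external->external pair."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Ranges treated as the monitored (internal) network. Explicit membership is
# used instead of ipaddress.is_private, which also flags the TEST-NET
# documentation ranges used in the sample below as non-global.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Event type -> prefix of the *_count_* metric names in the table above.
COUNT_METRIC = {
    "connection": "connections",
    "firewall_block": "firewallBlocks",
    "threat": "threats",
    "login": "logins",
    "failed_login": "failedLogins",
    "email": "emails",
    "spam": "spam",
}


def is_internal(ip):
    """True/False for a parseable address, None when missing or garbage."""
    if not ip:
        return None
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETS)


def traffic_direction(src, dst):
    """Map a (src, dst) pair onto the four direction suffixes: in/out/prv/unknown."""
    s, d = is_internal(src), is_internal(dst)
    if s is None or d is None:
        return "unknown"          # not enough information to place the flow
    if s and d:
        return "prv"              # internal -> internal
    if s:
        return "out"              # internal -> external
    if d:
        return "in"               # external -> internal
    return "unknown"              # external -> external (assumption)


def external_ips(src, dst, direction):
    """Addresses outside the monitored network seen in this event."""
    if direction == "prv":
        return []
    return [ip for ip in (src, dst) if is_internal(ip) is False]


def compute_metrics(events):
    """Return {metric_name: value} using the naming scheme from the table."""
    counts = Counter()
    uniques = defaultdict(set)
    for ev in events:
        d = traffic_direction(ev.get("src"), ev.get("dst"))
        counts[f"{COUNT_METRIC[ev['type']]}_count_{d}"] += 1
        if ev.get("service"):
            uniques[f"services_unique_{d}"].add(ev["service"])
        if ev["type"] == "threat" and ev.get("signature"):
            uniques[f"threats_unique_{d}"].add(ev["signature"])
        for ip in external_ips(ev.get("src"), ev.get("dst"), d):
            uniques[f"externalIPs_unique_{d}"].add(ip)
        if d != "prv":  # the table has no country/ASN metrics for internal traffic
            for field, metric in (("country", "countries"), ("asn", "asns")):
                if ev.get(field):
                    uniques[f"{metric}_unique_{d}"].add(ev[field])
    metrics = dict(counts)
    metrics.update({name: len(values) for name, values in uniques.items()})
    return metrics


# Constructed sample events (not real log data); 10.0.0.0/8 is internal,
# the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges play "external".
SAMPLE_EVENTS = [
    {"type": "connection", "src": "203.0.113.7", "dst": "10.0.0.5", "service": "ssh", "country": "US", "asn": "AS64496"},
    {"type": "failed_login", "src": "203.0.113.7", "dst": "10.0.0.5", "service": "ssh", "country": "US", "asn": "AS64496"},
    {"type": "threat", "src": "198.51.100.9", "dst": "10.0.0.5", "signature": "ET SCAN", "country": "DE", "asn": "AS64497"},
    {"type": "connection", "src": "10.0.0.8", "dst": "198.51.100.20", "service": "https", "country": "NL", "asn": "AS64498"},
    {"type": "firewall_block", "src": "10.0.0.8", "dst": "198.51.100.21", "service": "smtp", "country": "NL", "asn": "AS64498"},
    {"type": "connection", "src": "10.0.0.8", "dst": "10.0.0.9", "service": "smb"},
    {"type": "email", "src": None, "dst": "10.0.0.3", "service": "smtp"},  # no source -> unknown
]

if __name__ == "__main__":
    for name, value in sorted(compute_metrics(SAMPLE_EVENTS).items()):
        print(f"{name:28s} {value}")
```

The last sample event shows why the "unknown" bucket matters: a syslog line with no usable source address still contributes to `emails_count_unknown` and `services_unique_unknown`, so the event is not silently dropped from the totals, but it adds nothing to the external-IP, country or ASN uniques because no external peer can be identified.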