NetFlow App for Sumo Logic
The NetFlow App for Sumo Logic provides visibility into your network infrastructure, on-premises or in the cloud.
The App provides dashboards for use cases such as network bandwidth monitoring, capacity planning, detailed traffic analysis, troubleshooting and cyber threat detection.
Dashboards
NetFlow - Traffic Overview
See a high-level view of your network traffic, whether it is in your data center or in the cloud. This dashboard shows top inbound, outbound, and internal traffic. View network traffic by protocol, users, and applications.
NetFlow - Security Monitoring - Communications with Malicious Hosts
This dashboard enables your organization to analyze and prioritize network security event traffic. It shows blocked and allowed communications with malicious hosts, broken down by inbound and outbound direction.
NetFlow - Security Monitoring - Traffic Using Critical Ports
See your network conversations over critical ports, such as 21 (ftp), 22 (ssh), 23 (telnet), 25 (smtp), 50 (re-mail-ck), 51 (la-maint), etc.
NetFlow - Flows Allowed and Rejected
This dashboard provides a high-level view of your organization's allowed (Accepted) and blocked (Rejected) network traffic. See this traffic by direction (inbound/outbound) as well as by protocol (TCP/UDP) and port.
Lookup Files
The NetFlow App relies on two lookup files, critical_ports.csv and netflow_protocols.csv (you can download them from the links below):
You can modify the content of these files to match your needs and upload them into your Sumo Logic environment as follows:
- Create a new folder in the Sumo Logic portal, for example named netflow_lookups.
- Following the Sumo Logic documentation on lookup tables, upload both CSV files to this folder as new lookups:
  - critical_ports - select dest_port as the primary key
  - netflow_protocols - select protocol as the primary key
- Note the path to both lookup files.
- Change the following queries in these dashboards to reference the created lookups:
  - Dashboard "NetFlow - Security Monitoring - Traffic Using Critical Ports", queries "Top Inbound Traffic Accepted", "Top Outbound Traffic Accepted" and "Top Internal Traffic Accepted": replace https://sumologicnetflow.s3.eu-central-1.amazonaws.com/critical_ports.csv with the path to the critical_ports lookup.
  - Dashboard "NetFlow - Traffic Overview", query "Top Traffic Protocols": replace https://sumologicnetflow.s3.eu-central-1.amazonaws.com/netflow_protocols.csv with the path to the netflow_protocols lookup.
Until you make this change, the queries fetch their lookup content from a public S3 bucket that you do not control; pointing them at your own uploaded copy also lets you review and pin exactly which ports and protocols are matched.
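To make the lookup-file shapes and the dashboard logic concrete, the following added example (not code from the NetFlow App or NetFlow Logic) models the two lookups as CSV text, keyed on dest_port and protocol as described above, and joins constructed NetFlow-style records against them to reproduce the direction split (inbound/outbound/internal) and the "Top ... Traffic Accepted" ranking of the critical-ports dashboard. The extra lookup columns (port_name, protocol_name), the 10.0.0.0/8 internal range, the action values ACCEPT/REJECT and the sample flows are assumptions made for this example.

```python
"""Join constructed NetFlow records against critical_ports and netflow_protocols lookups.

Added example, not the NetFlow App's own code. Only the two primary keys
(dest_port, protocol) come from the app documentation; every other column name,
the internal address range and the sample flows below are assumed.
"""
import csv
import io
import ipaddress

# Constructed lookup content, keyed on dest_port. The port_name column is assumed.
CRITICAL_PORTS_CSV = """dest_port,port_name
21,ftp
22,ssh
23,telnet
25,smtp
50,re-mail-ck
51,la-maint
"""

# Constructed lookup content, keyed on protocol (IANA protocol numbers).
NETFLOW_PROTOCOLS_CSV = """protocol,protocol_name
1,icmp
6,tcp
17,udp
"""

# Constructed NetFlow-style records. The action field mirrors the
# Accepted/Rejected split used by the dashboards.
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.7", "dest_ip": "10.0.0.5", "protocol": 6, "dest_port": 22, "bytes": 4200, "action": "ACCEPT"},
    {"src_ip": "10.0.0.8", "dest_ip": "198.51.100.20", "protocol": 6, "dest_port": 23, "bytes": 900, "action": "ACCEPT"},
    {"src_ip": "10.0.0.8", "dest_ip": "10.0.1.9", "protocol": 17, "dest_port": 53, "bytes": 120, "action": "ACCEPT"},
    {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.5", "protocol": 6, "dest_port": 21, "bytes": 60, "action": "REJECT"},
    {"src_ip": "10.0.2.3", "dest_ip": "10.0.0.5", "protocol": 6, "dest_port": 25, "bytes": 3100, "action": "ACCEPT"},
]

# Assumed definition of "internal" for direction classification.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def load_lookup(csv_text, key):
    """Parse lookup CSV into {key_value: row}; the key column must be unique."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        k = row[key]
        if k in table:
            raise ValueError(f"duplicate primary key {k!r} in lookup")
        table[k] = row
    return table


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow):
    """Return inbound / outbound / internal / external for one flow."""
    src, dst = is_internal(flow["src_ip"]), is_internal(flow["dest_ip"])
    if src and dst:
        return "internal"
    if dst:
        return "inbound"
    if src:
        return "outbound"
    return "external"


def enrich(flows, critical_ports, protocols):
    """Attach direction, protocol name and critical-port name to each flow."""
    enriched = []
    for f in flows:
        port_row = critical_ports.get(str(f["dest_port"]))
        proto_row = protocols.get(str(f["protocol"]))
        enriched.append({
            **f,
            "direction": direction(f),
            # Fall back to the raw number when the protocol is not in the lookup.
            "protocol_name": proto_row["protocol_name"] if proto_row else str(f["protocol"]),
            "critical_port_name": port_row["port_name"] if port_row else None,
        })
    return enriched


def top_critical_port_traffic(enriched, direction_wanted, action="ACCEPT"):
    """Bytes per critical destination port for one direction and action, largest first."""
    totals = {}
    for f in enriched:
        if f["critical_port_name"] is None or f["direction"] != direction_wanted or f["action"] != action:
            continue
        key = (f["dest_port"], f["critical_port_name"])
        totals[key] = totals.get(key, 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    crit = load_lookup(CRITICAL_PORTS_CSV, "dest_port")
    protos = load_lookup(NETFLOW_PROTOCOLS_CSV, "protocol")
    rows = enrich(SAMPLE_FLOWS, crit, protos)
    for d in ("inbound", "outbound", "internal"):
        print(d, top_critical_port_traffic(rows, d))
```

Flows whose destination port is not in the critical_ports lookup (port 53 above) drop out of the ranking, which is the same behaviour you get when you trim the lookup file to the ports that matter for your environment.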
Support
This application has been developed and is supported by NetFlow Logic. Support email: team_sumo_logic@netflowlogic.com