Analyze traffic flow data

The Traffic Flow Data page shows traffic flow observed in your network. This feature is included in the Managed Detection and Response (MDR) service.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Exploration > Traffic Flow Data.
  3. Optional: To change how traffic flow data is aggregated, select one of these tabs:
    • Device — View data for each device. The Traffic Flow Data page opens to the Device tab by default.
    • Protocol — Group data by the network protocol that the traffic used.
    • Location — Group data by the country that the traffic was observed in.
    • Site — Group data by the IP address or host where the traffic was observed.
    • Sensor — Group data by the sensor that observed the traffic.
  4. Optional: Apply one or more filters:
    • Date/Time Range — Limit flow data to traffic seen within the specified range, up to a maximum of 10 days.
    • Device — Limit data to traffic observed on specific endpoints.
    • Protocol — Limit data to one or more network protocols.
    • Location — Limit data to traffic associated with one or more countries. You can also include these options:
      • "Interesting" — Traffic from countries that may be unexpected or unusual.
      • "Unknown" — Traffic from a location that could not be determined.
    • Site — Limit data to traffic observed at specific IP addresses or hosts.
    • Sensor — Limit data to traffic observed on specific sensors.
    • Direction Initiated — Limit data to traffic flowing in a specific direction. Options include:
      • Inbound — Traffic that flows from an external host to an endpoint in your network.
      • Outbound — Traffic that flows from an endpoint in your network to an external host.
  5. Review traffic flow data.
    Traffic flow data is displayed in a table with these columns:
    • Devices — On the Device tab, the IP address of the device. On all other tabs, the number of devices.
    • Flows — The number of flows observed.
    • Bytes In — The number of incoming bytes observed.
    • Bytes Out — The number of outgoing bytes observed.
    • Total Bytes — The total number of bytes observed.
    • Bits/sec — A chart showing the speed of traffic during the specified time period.
    • Pivot — A function that lets you quickly change how flow data is aggregated, or apply a filter based on a data point.
  6. Apply a filter based on a data point:
    1. In the desired table row, in the Pivot column, click Pivot.
    2. Select an option.
      Filters are applied so that the table shows only the traffic flow data in the row that you pivoted on. If you select an aggregation option, the data is shown on the corresponding tab.
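The following Python is an added example, not Arctic Wolf's code and not the portal's data model. It models the steps above on a handful of constructed flow records: the date/time range filter with its 10-day cap, the Direction Initiated, Protocol and Location filters (including the "Unknown" option), aggregation into the Devices / Flows / Bytes In / Bytes Out / Total Bytes columns for each tab, and a pivot that keeps only the clicked row's traffic and regroups it under another tab. Field names, direction values and all sample addresses are assumptions made for the example.

```python
"""Offline model of the Traffic Flow Data table: filter, aggregate, pivot."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_RANGE = timedelta(days=10)  # the page states a 10-day maximum date/time range


@dataclass(frozen=True)
class Flow:
    """One observed flow record (constructed field names, not a product schema)."""
    seen_at: datetime
    device: str              # endpoint in your network (Device tab key)
    protocol: str            # Protocol tab key
    country: Optional[str]   # None models the "Unknown" location
    site: str                # IP/host where the traffic was observed (Site tab key)
    sensor: str              # sensor that observed it (Sensor tab key)
    direction: str           # "inbound" or "outbound" (assumed values)
    bytes_in: int
    bytes_out: int


def _key(flow: Flow, tab: str) -> str:
    """Tab value for a flow; a missing country is shown as "Unknown"."""
    value = getattr(flow, tab)
    return "Unknown" if value is None else value


def filter_flows(flows: List[Flow], start: datetime, end: datetime, direction=None,
                 protocols=None, countries=None, devices=None, sensors=None,
                 include_unknown=True) -> List[Flow]:
    """Apply the optional filters from step 4. An empty filter means "no restriction"."""
    if end - start > MAX_RANGE:
        raise ValueError("date/time range exceeds the 10-day maximum")
    kept = []
    for f in flows:
        if not (start <= f.seen_at <= end):
            continue
        if direction and f.direction != direction:
            continue
        if protocols and f.protocol not in protocols:
            continue
        if devices and f.device not in devices:
            continue
        if sensors and f.sensor not in sensors:
            continue
        if f.country is None:          # Location "Unknown": included only if asked for
            if not include_unknown:
                continue
        elif countries and f.country not in countries:
            continue
        kept.append(f)
    return kept


def aggregate(flows: List[Flow], tab: str) -> Dict[str, Dict[str, int]]:
    """Group flows the way a tab does and compute the table columns from step 5."""
    acc = defaultdict(lambda: {"devices": set(), "flows": 0, "bytes_in": 0, "bytes_out": 0})
    for f in flows:
        row = acc[_key(f, tab)]
        row["devices"].add(f.device)   # distinct devices; always 1 on the Device tab
        row["flows"] += 1
        row["bytes_in"] += f.bytes_in
        row["bytes_out"] += f.bytes_out
    return {
        key: {"devices": len(r["devices"]), "flows": r["flows"], "bytes_in": r["bytes_in"],
              "bytes_out": r["bytes_out"], "total_bytes": r["bytes_in"] + r["bytes_out"]}
        for key, r in acc.items()
    }


def pivot(flows: List[Flow], from_tab: str, row_key: str, to_tab: str):
    """Step 6: keep only the traffic of the row clicked on from_tab, regroup on to_tab."""
    return aggregate([f for f in flows if _key(f, from_tab) == row_key], to_tab)


# Constructed sample flows (documentation IP ranges, not real hosts).
START = datetime(2024, 1, 1)
END = START + timedelta(days=1)
TOO_LONG_END = START + timedelta(days=11)
SAMPLE_FLOWS = [
    Flow(START, "10.0.0.5", "tcp", "US", "203.0.113.10", "sensor-a", "outbound", 100, 400),
    Flow(START + timedelta(hours=1), "10.0.0.5", "udp", None, "198.51.100.7", "sensor-a", "outbound", 50, 20),
    Flow(START + timedelta(hours=2), "10.0.0.9", "tcp", "DE", "203.0.113.10", "sensor-b", "inbound", 900, 100),
    Flow(START + timedelta(hours=3), "10.0.0.9", "tcp", "US", "203.0.113.22", "sensor-b", "outbound", 10, 30),
    Flow(START + timedelta(days=12), "10.0.0.9", "tcp", "US", "203.0.113.22", "sensor-b", "outbound", 1, 1),
]


def device_table() -> Dict[str, Dict[str, int]]:
    """The default Device tab view for the first day of sample traffic."""
    return aggregate(filter_flows(SAMPLE_FLOWS, START, END), "device")


if __name__ == "__main__":
    for device, cols in device_table().items():
        print(device, cols)
    print("pivot tcp -> site:", pivot(filter_flows(SAMPLE_FLOWS, START, END), "protocol", "tcp", "site"))
```

Running the module prints the Device tab for the one-day window and then the result of pivoting on the "tcp" row of the Protocol tab into the Site tab; the flow 12 days out is excluded by the range filter, and asking for an 11-day window raises an error, mirroring the 10-day limit described in step 4.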