NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic flows.

Integrating your NetFlow logs into the Hunters ecosystem stores the data in a parsed format, lets you investigate threat scenarios over it, and provides the related Hunters detections for your tenant.

Supported Data Types

  • NetFlow Logs V9 - Detailed network activity logged by a commercial NetFlow collector. For more details about the logs, please check here.

Hunters Integration

To integrate your NetFlow logs into Hunters, the logs need to be collected from your network into a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

The expected format is the JSON format as exported by the logs collector. Logging the full schema is recommended; however, any subset of the fields can be ingested, provided you supply your specific schema to Hunters.

Netflow logs V9 data sample

{
  "@timestamp": "2022-03-08T11:02:01.000Z",
  "@version": "1",
  "destination": {
    "as": {},
    "geo": {},
    "hostname": "brjoi01-2.tempdomain.com",
    "ip": "1.1.1.1",
    "port": 53
  },
  "event": {
    "action": "netflow_flow",
    "dataset": "netflow",
    "module": "logstash"
  },
  "host": "2.2.2.2",
  "netflow": {
    "direction": 1,
    "first_switched": "2022-03-08T11:01:40.831Z",
    "flow_seq_num": 559079,
    "flowset_id": 1025,
    "input_snmp": 0,
    "ip_protocol_version": 4,
    "last_switched": "2022-03-08T11:01:40.831Z",
    "mpls_label_stack_octets": {
      "bottom_of_stack": 0,
      "experimental": 0,
      "label": 0,
      "ttl": 2
    },
    "output_snmp": 0,
    "protocol": 17,
    "src_tos": 0,
    "tcp_flags": 0,
    "version": 9
  },
  "network": {
    "community_id": "A1pUaI8cTo5o1wjChBQeIa7VCcI=",
    "direction": "inbound",
    "transport": "udp",
    "type": "ipv4"
  },
  "source": {
    "as": {},
    "bytes": 63,
    "geo": {},
    "hostname": "temp.tempdomain.com",
    "ip": "10.2.5.6",
    "packets": 1,
    "port": 62160
  },
  "tags": [
    "_geoip_lookup_failure"
  ]
}
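The following is an added example, not Hunters' ingestion code or the collector's own output. It shows what checking your exported JSON against a declared field subset looks like before you hand the schema over: it parses one line per record in the shape of the sample above (Logstash netflow codec output, per the event.module value), requires a small set of fields, tolerates the optional ones, derives network.transport and decoded TCP flags when they are absent, and rejects lines that cannot be ingested. The split into REQUIRED_FIELDS and OPTIONAL_FIELDS is an assumption for illustration, not Hunters' schema, and the sample lines are constructed. Note that the record on the page carries empty geo and as objects together with the _geoip_lookup_failure tag; a schema that treats those fields as mandatory will reject real records, so the example records the failure as a flag instead.

```python
import json
from datetime import datetime

# Constructed sample lines (not real traffic), shaped like the Logstash netflow
# codec output on the page: one full record, one subset record, two bad lines.
SAMPLE_LINES = [
    '{"@timestamp": "2022-03-08T11:02:01.000Z", "destination": {"as": {}, "geo": {}, '
    '"ip": "1.1.1.1", "port": 53}, "netflow": {"first_switched": "2022-03-08T11:01:40.831Z", '
    '"last_switched": "2022-03-08T11:01:40.831Z", "protocol": 17, "tcp_flags": 0, "version": 9}, '
    '"network": {"community_id": "A1pUaI8cTo5o1wjChBQeIa7VCcI=", "direction": "inbound", '
    '"transport": "udp"}, "source": {"bytes": 63, "ip": "10.2.5.6", "packets": 1, "port": 62160}, '
    '"tags": ["_geoip_lookup_failure"]}',
    # Subset schema: no network block, no tags, no switched timestamps.
    '{"@timestamp": "2022-03-08T11:02:02.000Z", "destination": {"ip": "10.2.5.8", "port": 445}, '
    '"netflow": {"protocol": 6, "tcp_flags": 2, "version": 9}, '
    '"source": {"bytes": 1500, "ip": "10.2.5.7", "packets": 3, "port": 50000}}',
    # Rejected: destination.ip is missing (and it is a v5 record).
    '{"@timestamp": "2022-03-08T11:02:03.000Z", "destination": {"port": 80}, '
    '"netflow": {"protocol": 6, "version": 5}, "source": {"ip": "10.2.5.9", "port": 1234}}',
    # Rejected: not JSON at all.
    "not json at all",
]

# Assumed field split for this example (dotted paths into the JSON record).
# Hunters' real schema requirements are not stated on the page.
REQUIRED_FIELDS = ["@timestamp", "source.ip", "destination.ip",
                   "netflow.protocol", "netflow.version"]
OPTIONAL_FIELDS = ["source.port", "destination.port", "source.bytes", "source.packets",
                   "netflow.first_switched", "netflow.last_switched", "netflow.tcp_flags",
                   "network.transport", "network.direction", "network.community_id"]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def decode_tcp_flags(mask):
    """Turn the netflow.tcp_flags bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if mask & bit]


def _ms_between(first, last):
    """Milliseconds between two ISO-8601 timestamps with a trailing Z."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (parse(last) - parse(first)).total_seconds() * 1000.0


def parse_record(line):
    """Return (flat_record, errors); flat_record is None when the line is unusable."""
    try:
        raw = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"invalid json: {exc.msg}"]
    errors = [f"missing required field {f}" for f in REQUIRED_FIELDS if get_path(raw, f) is None]
    if errors:
        return None, errors
    version = raw["netflow"]["version"]
    if version != 9:
        return None, [f"unsupported netflow version {version}"]
    flat = {f: get_path(raw, f) for f in REQUIRED_FIELDS + OPTIONAL_FIELDS}
    proto = flat["netflow.protocol"]
    # Subset exports may omit the network block; derive transport from the IP protocol number.
    if flat["network.transport"] is None:
        flat["network.transport"] = PROTO_NAMES.get(proto, str(proto))
    flat["tcp_flags_decoded"] = decode_tcp_flags(flat["netflow.tcp_flags"] or 0) if proto == 6 else []
    first, last = flat["netflow.first_switched"], flat["netflow.last_switched"]
    flat["duration_ms"] = _ms_between(first, last) if first and last else None
    # Empty geo/as objects plus this tag are normal when enrichment fails; keep it as a flag.
    flat["geoip_failed"] = "_geoip_lookup_failure" in raw.get("tags", [])
    return flat, []


def ingest(lines):
    """Split exported lines into accepted flat records and (line_no, errors) rejects."""
    accepted, rejected = [], []
    for line_no, line in enumerate(lines, start=1):
        record, errors = parse_record(line)
        if record is None:
            rejected.append((line_no, errors))
        else:
            accepted.append(record)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES)
    for rec in ok:
        print(rec["source.ip"], "->", rec["destination.ip"], rec["network.transport"], rec["tcp_flags_decoded"])
    for line_no, errors in bad:
        print(f"line {line_no} rejected: {errors}")
```

Run it over a file of exported lines before sharing the bucket: any line that lands in the rejected list is one that a subset schema would have to account for, and a non-empty geoip_failed rate tells you whether the collector's enrichment is working or whether the geo and as fields should be dropped from the schema you provide.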