- 02 Apr 2025
- 8 Minutes to read
Network Monitoring Powered by BluVector
The BluVector Network Monitoring Console is a centralized visualization and analysis tool that processes and displays log data from Suricata, a signature-based intrusion detection system (IDS), and Zeek, a network behavior analysis platform. It empowers security professionals to detect, investigate, and respond to network security threats through a unified interface. The console serves both primary users—Security Operations Center (SOC) analysts and IT administrators—and secondary users, such as compliance officers and auditors, who need high-level visibility into an organization’s security posture. Its key purposes include enabling near real-time monitoring of malicious network activity, satisfying Payment Card Industry Data Security Standard (PCI DSS) compliance controls, and providing actionable insights for security operations teams.
The console integrates data from multiple sources to deliver a comprehensive view of network security. From Suricata, it processes signature-based detections of malware, exploits, and policy violations. Meanwhile, Zeek contributes detailed network behavior insights through files like conn.log for connection summaries, dns.log for DNS activity, http.log for HTTP traffic, notice.log for anomalies, and files.log for file transfers. This combination of signature-based and behavioral data ensures a robust toolset for identifying and addressing security threats effectively.
Below are summaries of our supported Network Monitoring Powered by BluVector widgets.
Threat Overview with Severity Breakdown
The Threat Overview with Severity Breakdown widget provides a comprehensive visualization of security events categorized by severity levels over a specified time period. This dual-component dashboard displays both aggregate metrics and daily trends, enabling security teams to quickly assess the current threat landscape and identify patterns requiring attention. The widget also includes a detailed findings table that shows individual security events with timestamps and contextual information.
Data Source
This widget aggregates and displays security alerts generated by Suricata, an open-source intrusion detection and prevention system. The data is collected, categorized by severity, and presented in both summary and detailed formats.
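As an added illustration, not code from the BluVector console, the aggregation this widget performs can be reproduced from Suricata's eve.json output: alert records are counted by day and severity, and days with unusual alert volume are flagged. The sample records, signature ids, addresses and the severity-to-label mapping are all constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata eve.json records, one JSON object per line (not real traffic).
# Signature ids sit in the local-rules range; names and addresses are made up.
EVE_JSON = """\
{"timestamp":"2025-04-01T09:12:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature_id":1000001,"signature":"SAMPLE Suspicious user-agent","severity":3}}
{"timestamp":"2025-04-01T10:40:11.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","alert":{"signature_id":1000002,"signature":"SAMPLE Trojan CnC beacon","severity":1}}
{"timestamp":"2025-04-01T10:41:00.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.4"}
{"timestamp":"2025-04-02T03:05:41.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.1","alert":{"signature_id":1000003,"signature":"SAMPLE Inbound scan","severity":2}}
{"timestamp":"2025-04-03T08:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","alert":{"signature_id":1000002,"signature":"SAMPLE Trojan CnC beacon","severity":1}}
{"timestamp":"2025-04-03T08:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","alert":{"signature_id":1000002,"signature":"SAMPLE Trojan CnC beacon","severity":1}}
{"timestamp":"2025-04-03T08:00:09.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.1","alert":{"signature_id":1000003,"signature":"SAMPLE Inbound scan","severity":2}}
{"timestamp":"2025-04-03T08:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.11","dest_ip":"192.0.2.1","alert":{"signature_id":1000003,"signature":"SAMPLE Inbound scan","severity":2}}
"""

# Suricata derives alert.severity from the rule's classification priority (1 is the
# most severe). The labels below are this example's convention, not a console constant.
SEVERITY_LABELS = {1: "high", 2: "medium", 3: "low"}

def severity_label(severity):
    return SEVERITY_LABELS.get(severity, "informational")

def breakdown(eve_text):
    """Aggregate alerts into (totals by severity, per-day counts by severity)."""
    totals = Counter()
    daily = defaultdict(Counter)
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/http records carry no severity and are not findings
        label = severity_label(rec["alert"].get("severity"))
        day = rec["timestamp"][:10]  # ISO date prefix; the sample timestamps are UTC
        totals[label] += 1
        daily[day][label] += 1
    return totals, daily

def spike_days(daily, factor=2.0):
    """Flag days whose alert volume exceeds factor x the mean of the other days."""
    counts = {day: sum(c.values()) for day, c in daily.items()}
    if len(counts) < 2:
        return []
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if n > factor * sum(others) / len(others):
            flagged.append(day)
    return sorted(flagged)
```

Calling `breakdown(EVE_JSON)` on the sample gives three high, three medium and one low alert across three days, and `spike_days` flags 2025-04-03, whose four alerts exceed twice the mean of the other days.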
Use Cases
Obtain a rapid assessment of the overall security posture through severity distribution
Monitor day-to-day changes in threat volumes to identify unusual spikes or patterns
Investigate specific security events through the detailed findings table
Prioritize security response efforts based on severity classifications
Generate reports for management showing security event trends and volumes
Validate the effectiveness of security controls by monitoring event categories
PCI DSS 4.0 Compliance Support
This widget supports the following PCI DSS 4.0 requirements:
Requirement 10.2.1.1: Assists with implementing automated audit trails for all system components by aggregating and displaying security events, enabling verification that logging mechanisms are functioning properly.
Requirement 10.4.1: Supports the review of security event logs by providing a consolidated view of events, facilitating the timely identification of anomalies or suspicious activities.
Requirement 10.4.2: Helps fulfill the requirement to follow up on exceptions and anomalies identified during the review process by categorizing events by severity.
Requirement 11.3.1.1: Supports the requirement to maintain processes to identify and assign risk rankings to vulnerabilities through its severity classification system.
Requirement 11.6.1: Facilitates continuous monitoring by providing real-time visibility into detected security events, supporting the requirement to monitor for critical security control failures.
Requirement 12.10.5: Assists with incident response preparations by enabling the team to identify and classify potential security incidents according to their severity levels.
Top Threat Categories
The Top Threat Categories widget provides a visual breakdown of security threats detected in your environment, displayed as an intuitive pie chart. This at-a-glance visualization helps security teams quickly identify the most prevalent threat types requiring attention.
Data Source
This widget aggregates and categorizes alerts generated from Suricata signatures. The system analyzes signature data and classifies each alert into the appropriate threat category.
Use Cases
Quickly identify the most common threat types targeting your environment
Prioritize security resources based on prevalent attack vectors
Track changes in threat patterns over time to adjust security strategies
Support reporting to management and stakeholders on security posture
PCI DSS 4.0 Compliance Support
This widget directly supports the following PCI DSS 4.0 requirements:
Requirement 11.3.1: Supports detection of vulnerabilities and potential threats by categorizing security events, helping to identify high-priority threats that could compromise payment card data.
Requirement 10.4.1: Aids in the review of security events by providing visual representations of security alerts, facilitating detection of suspicious activity patterns related to cardholder data access.
Requirement 12.10.4: Assists security personnel in responding to detected security alerts by prioritizing incidents based on threat category and prevalence.
Requirement 9.4.5: Helps identify potential unauthorized access attempts targeting systems containing cardholder data.
Requirement 11.6.1: Supports continuous monitoring and detection of security control failures by visualizing threat trends that may indicate protection gaps.
Rare Ports
The Rare Ports widget is a scatter plot visualization designed to highlight network traffic occurring on non-standard TCP/UDP ports. The widget distinguishes between ports that have triggered security alerts (Alerted Ports) and those that haven't yet raised concerns (Non-Alerted Ports). By focusing on uncommon port usage, security teams can quickly identify potential security issues such as covert communication channels, unauthorized services, or malware command and control infrastructure.
Data Source
This widget correlates data from two primary sources:
Zeek Network Connection Logs: Connection records capturing details about TCP/UDP sessions, including source/destination ports, IP addresses, and connection metadata
Suricata Detection Findings: Alert data from the Suricata IDS/IPS system, used to identify which rare ports have associated security alerts
The visualization specifically filters for connections on non-standard ports, excluding common services like HTTP (80/443), DNS (53), SSH (22), etc., to focus security analysis on potentially suspicious communication channels.
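The correlation described above, written out as an added example rather than the console's own code: connections from Zeek's JSON-format conn.log whose responder port is outside a common-port set are tallied per (protocol, port) and split into alerted and non-alerted series according to which ports appear as destinations in Suricata alert records. The common-port list, the sample records and the choice to key on protocol plus responder port are this example's assumptions.

```python
import json
from collections import defaultdict

# Well-known service ports excluded from the plot. The page names HTTP, DNS and SSH
# "etc."; the exact set is this example's assumption, not the console's list.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 993, 995}

# Constructed Zeek conn.log records in JSON output format (addresses are documentation ranges).
CONN_LOG = """\
{"ts":1743500000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1743500001.2,"uid":"C2","id.orig_h":"10.0.0.7","id.orig_p":51001,"id.resp_h":"198.51.100.4","id.resp_p":4444,"proto":"tcp"}
{"ts":1743500002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.orig_p":51002,"id.resp_h":"198.51.100.4","id.resp_p":4444,"proto":"tcp"}
{"ts":1743500003.4,"uid":"C4","id.orig_h":"10.0.0.9","id.orig_p":51003,"id.resp_h":"10.0.0.20","id.resp_p":8089,"proto":"tcp","service":"http"}
{"ts":1743500004.5,"uid":"C5","id.orig_h":"10.0.0.9","id.orig_p":51004,"id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"udp","service":"dns"}
"""

# Constructed Suricata eve.json records; only alert records contribute to the alerted set.
EVE_JSON = """\
{"timestamp":"2025-04-01T10:40:11.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51001,"dest_ip":"198.51.100.4","dest_port":4444,"proto":"TCP","alert":{"signature_id":1000002,"signature":"SAMPLE Trojan CnC beacon","severity":1}}
{"timestamp":"2025-04-01T10:42:00.000000+0000","event_type":"dns","src_ip":"10.0.0.9","src_port":51004,"dest_ip":"10.0.0.21","dest_port":53,"proto":"UDP"}
"""

def alerted_ports(eve_text):
    """Set of (proto, dest_port) pairs seen in Suricata alert records (proto lower-cased to match Zeek)."""
    ports = set()
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            ports.add((rec["proto"].lower(), rec["dest_port"]))
    return ports

def rare_ports(conn_text, eve_text, common=COMMON_PORTS):
    """Summarise rare-port traffic from conn.log, split into alerted and non-alerted series."""
    alerted = alerted_ports(eve_text)
    stats = defaultdict(lambda: {"connections": 0, "responders": set()})
    for line in conn_text.splitlines():
        c = json.loads(line)
        key = (c["proto"], c["id.resp_p"])
        if key[1] in common:
            continue  # well-known services are out of scope for this widget
        stats[key]["connections"] += 1
        stats[key]["responders"].add(c["id.resp_h"])
    series = {"alerted": [], "non_alerted": []}
    for (proto, port), s in sorted(stats.items()):
        point = {"proto": proto, "port": port, "connections": s["connections"],
                 "responders": len(s["responders"])}
        series["alerted" if (proto, port) in alerted else "non_alerted"].append(point)
    return series
```

On the sample, tcp/4444 lands in the alerted series with two connections to one responder, tcp/8089 in the non-alerted series, and the 443 and 53 connections are dropped as common-port traffic.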
Use Cases
Detecting Command & Control (C2) Infrastructure: Identify malware using uncommon ports for communication
Discovering Shadow IT: Locate unauthorized services running within the network
Identifying Policy Violations: Detect applications bypassing standard ports to evade security controls
Threat Hunting: Investigate unusual network behavior patterns on rare ports
Incident Response: Rapidly assess the scope of potentially malicious communications
Security Baseline Development: Establish normal port usage patterns specific to the environment
PCI DSS 4.0 Compliance Support
This widget supports several key PCI DSS 4.0 requirements:
Requirement 1.4.1: Helps identify and restrict unauthorized network traffic by highlighting communications on non-standard ports that may bypass intended network security controls.
Requirement 1.5.1: Supports documentation of business justification for use of all services, protocols, and ports by revealing unusual port usage that requires verification or remediation.
Requirement 11.4.5: Assists with detecting changes to critical system files, ports, and configurations by identifying new or changed services communicating on previously unused ports.
Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by visualizing potential security control failures that allow suspicious port usage.
Requirement 12.5.2: Supports the monitoring and alerting on anomalies or suspicious activities occurring on uncommon ports that could indicate security incidents.
Requirement 11.3.1.1: Helps identify vulnerabilities through the discovery of services running on non-standard ports that may represent unpatched or misconfigured systems.
Protocol Breakdown
The Protocol Breakdown widget provides a comprehensive visualization of network traffic categorized by protocol type across a specified time period. This stacked bar chart displays the distribution and volume of connections for different protocols, enabling security teams to understand normal traffic patterns, identify anomalies, and monitor network usage trends throughout the day. When users hover over specific time periods, a detailed tooltip displays the exact connection counts for each protocol, providing deeper insight into network activity.
Data Source
This widget aggregates and analyzes data from Zeek network monitoring logs. Zeek's protocol analyzers identify and categorize network traffic by protocol type, providing rich metadata about each connection. The visualization specifically draws on Zeek's connection logs (conn.log).
Use Cases
Baseline Establishment: Understand normal protocol distribution patterns throughout the day
Anomaly Detection: Identify unusual spikes or drops in specific protocol usage
Security Monitoring: Detect unexpected protocol activity during off-hours
Capacity Planning: Track network usage patterns to plan for infrastructure needs
Incident Investigation: Analyze protocol usage during specific timeframes related to security events
Policy Compliance: Ensure protocols in use align with organizational security policies
Attack Surface Reduction: Identify unnecessary protocols that could be disabled
PCI DSS 4.0 Compliance Support
This widget supports several key PCI DSS 4.0 requirements:
Requirement 1.4.1: Helps identify network connections that might indicate unauthorized traffic by highlighting protocol usage patterns and potential anomalies.
Requirement 1.5.1: Supports documentation of business justification for protocols in use by providing visibility into all active protocols within the cardholder data environment.
Requirement 2.2.7: Assists with implementing only necessary protocols by identifying which protocols are actively being used and when, supporting the principle of least functionality.
Requirement 11.3.1.3: Helps with vulnerability management by identifying potentially insecure or unnecessary protocols that could represent security vulnerabilities.
Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by visualizing protocol usage patterns that might indicate security control failures.
Requirement 12.4.1: Supports security policy enforcement by providing evidence of adherence to protocol usage policies throughout the network.
Requirement 12.10.5: Assists with incident response by enabling rapid analysis of protocol activity during suspected security incidents.
Top Files Transferred
The Top Files Transferred widget displays a comprehensive table of files being transmitted across your network, with enhanced security context. This widget focuses on potentially high-risk file transfers by presenting file metadata alongside malware detection results. Security teams can quickly identify malicious files moving through the network, track file transfer patterns, and prioritize investigation of suspicious content. The table format enables efficient scanning and sorting to identify the most critical file-based threats.
Data Source
Suricata Alerts: Security detection engine data that identifies known malicious files by:
Matching file hashes against threat intelligence feeds
Detecting suspicious file characteristics
Identifying malware signatures and patterns
Classifying malware by type (Trojan, Ransomware, etc.)
Use Cases
Threat Detection: Quickly identify malicious files traversing the network
Incident Response: Investigate file-based attacks by examining file details and context
Data Loss Prevention: Monitor sensitive files leaving the organization
File Transfer Audit: Track what types of files are being transferred and their sizes
Malware Analysis: Identify patterns in malicious file distributions
Policy Enforcement: Verify compliance with acceptable file transfer policies
Evidence Collection: Gather forensic data about file-based attacks for investigations
PCI DSS 4.0 Compliance Support
This widget directly supports several key PCI DSS 4.0 requirements:
Requirement 5.2.3: Assists with detecting malicious software by identifying and flagging known malware files traversing the network, supporting anti-malware mechanisms.
Requirement 10.2.1.5: Helps track and monitor all access to network resources by showing file transfers across the network, supporting audit trail implementation.
Requirement 11.3.2: Supports identifying high-risk vulnerabilities by highlighting potentially malicious files that could compromise system security.
Requirement 11.6.1: Facilitates continuous monitoring of critical security control systems by providing visibility into file-based threats that could indicate security control failures.
Requirement 12.10.1: Assists with incident response procedures by providing detailed information about malicious files for security incident identification and handling.
Requirement 12.10.4: Supports detection and alerting of critical security control failures by prominently highlighting files identified as malware.
Requirement 12.10.5: Aids in preparing personnel to respond to suspicious events by showing clear malware classifications that can guide appropriate response actions.