
Flow Policy

Overview

The flow policy functionality in Motadata AIOps empowers you to monitor and analyze network traffic flow data, such as NetFlow or sFlow, and generate alerts based on defined conditions. By leveraging flow policies, you can gain valuable insights into network performance, detect anomalies, and take appropriate actions to optimize your network.

Use-Case

  • Network Performance Monitoring: Set up flow policies to trigger alerts on network traffic metrics such as bandwidth utilization, packet loss, or latency. This helps you identify and resolve performance issues, ensuring optimal network operation.

  • Security Incident Detection: Configure flow policies to detect and alert on suspicious network traffic patterns, potentially indicating network-based attacks, malware infections, or unauthorized access attempts.

  • Capacity Planning: Utilize flow policies to monitor network traffic trends and patterns, allowing you to make informed decisions regarding network capacity upgrades, bandwidth allocation, or traffic shaping.

  • Application Dependency Mapping: Use flow policies to analyze communication flows between applications and services, facilitating the understanding of dependencies and improving troubleshooting and optimization processes.

By using flow policies in Motadata AIOps effectively, you can proactively monitor and manage network traffic, helping to ensure the stability, security, and performance of your IT infrastructure.

Default Flow Alert Policies

Motadata AIOps simplifies flow network monitoring with Default Flow Alert Policies, a predefined set of alerts designed to proactively notify users of specific issues in their flow network. These default flow alerts, including High BPS for TCP and UDP, ICMP Flood Attack, Malicious Activity with Black IP (Threat Feed Integration), and Very Low or No Flow, promptly alert users to potential network issues.

Create Flow Policy

Go to Menu and select Settings. Then go to Policy Settings and select Metric/Log/Flow Policy. The list of the created policies is now displayed.

Click on to start creating a policy. From the panel on the left side of the screen, click on the Flow tab to start creating a flow policy. The screen to create a Flow Policy is now displayed.

Enter the details of the following parameters to create a Flow Policy:

Policy Name: Enter a unique name for the policy you want to create.

Tag: Enter a name to logically categorize the policy. You can quickly and easily identify a policy based on the tag assigned to it.

Set Conditions

Counter: Choose the specific counter you wish to create a policy for by selecting from the available options in the dropdown menu. This counter will be the basis for monitoring and generating alerts.

Aggregation: Determine the aggregation function that best suits your monitoring needs for the selected counter. This function allows you to consolidate and analyze the metric data over a defined period.

Operator: Select the operator that will be applied to the aggregated counter values to define the triggering condition for the alert. Different operators such as greater than, less than, equal to, and more are available to provide flexibility in defining your alert conditions.

Value: Specify the threshold value against which the aggregated counter values will be compared. Once the counter value meets the specified condition, an alert will be triggered, notifying you of the issue.

Source Filter:

- Select Source Host if you want to create the policy for specific flow source(s).

- Select Group if you want to create the policy for flow sources that belong to specific groups.

- Select Everywhere if you want to create the policy for all the flow sources in the system. This option is selected by default.

Source: Select the specific Source Host or Group for which you want to create the policy. This dropdown shows results based on the option you selected in Source Filter. You can leave this field blank if you selected Everywhere in Source Filter.

Result By: Specify the grouping criteria for the aggregated values. This field allows you to define how the flow data will be grouped and aggregated for analysis.

Scenario

Suppose we want to create a flow policy that triggers an alert whenever no flow data, or very little flow data, is received from any particular source.

In this way, we can configure a flow policy to raise an alert.

The remaining conditions for triggering the alert are discussed next.
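To show how the condition fields above (Counter, Aggregation, Operator, Value, Source Filter, Result By) combine into an evaluation, here is an added example that is not Motadata's own code; it evaluates a "very low or no flow" policy over constructed NetFlow-style records. The policy dictionary, the `KNOWN_SOURCES` and `GROUPS` maps, and the record layout are assumptions for illustration. It also handles the case the scenario depends on: a source that sends no records at all must still be evaluated, so it is seeded as an empty bucket rather than silently dropped.

```python
# Added example, not part of the Motadata AIOps product or documentation.
from collections import defaultdict
import operator

# Constructed sample flow records: one exporter ("source") per record and a byte counter.
FLOWS = [
    {"source": "core-rtr-1", "proto": "tcp", "bytes": 48_000},
    {"source": "core-rtr-1", "proto": "udp", "bytes": 12_000},
    {"source": "edge-fw-1", "proto": "tcp", "bytes": 900},
]
# Assumed inventory of flow sources; branch-rtr-7 sent nothing in this window.
KNOWN_SOURCES = ["core-rtr-1", "edge-fw-1", "branch-rtr-7"]
# Assumed Group membership used by the "Group" source filter.
GROUPS = {"core": ["core-rtr-1"], "edge": ["edge-fw-1", "branch-rtr-7"]}

OPERATORS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
             "<=": operator.le, "==": operator.eq}
AGGREGATIONS = {
    "sum": sum,                                   # sum([]) == 0 for a silent source
    "max": lambda v: max(v) if v else 0,
    "avg": lambda v: sum(v) / len(v) if v else 0,
}

def evaluate_policy(policy, flows, known_sources, groups):
    """Return {group_key: aggregated value} for every group that meets the condition."""
    # 1. Source Filter: Source Host, Group, or Everywhere (the default).
    if policy["source_filter"] == "source_host":
        selected = set(policy["sources"])
    elif policy["source_filter"] == "group":
        selected = {s for g in policy["sources"] for s in groups.get(g, [])}
    else:
        selected = set(known_sources)
    # 2. Bucket counter values by the Result By field.
    buckets = defaultdict(list)
    if policy["result_by"] == "source":
        for s in selected:
            buckets[s]  # seed an empty bucket so a source with no flow is still checked
    for f in flows:
        if f["source"] in selected:
            buckets[f[policy["result_by"]]].append(f[policy["counter"]])
    # 3. Aggregate each bucket and compare it with the threshold Value.
    agg = AGGREGATIONS[policy["aggregation"]]
    cmp = OPERATORS[policy["operator"]]
    return {k: agg(v) for k, v in buckets.items() if cmp(agg(v), policy["value"])}

# "Very low or no flow": total bytes per source below 1000 in the window, everywhere.
LOW_FLOW_POLICY = {"counter": "bytes", "aggregation": "sum", "operator": "<",
                   "value": 1000, "source_filter": "everywhere", "sources": [],
                   "result_by": "source"}
```

Calling `evaluate_policy(LOW_FLOW_POLICY, FLOWS, KNOWN_SOURCES, GROUPS)` flags edge-fw-1 (900 bytes) and branch-rtr-7 (0 bytes, no records), while core-rtr-1 is not reported.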

Alert Type:

- Select Scheduled if you wish to schedule the alert evaluation at specified time(s) in the future.

- Select Real Time if you wish the alert evaluation to run in real time as soon as you create the policy.

Scheduler Type: This option is available only when you select Scheduled as the Alert Type.

- Select Once if you want the policy evaluation to occur only once. In this case, the policy will evaluate the data from the past hour at the time of evaluation.

- Select Daily if you want the policy evaluation to occur daily. The policy will evaluate the data from the past 24 hours at the time of evaluation.

- Select Weekly if you want the policy evaluation to occur weekly. The policy will evaluate the data from the past 7 days at the time of evaluation.

- Select Monthly if you want the policy evaluation to occur monthly. The policy will evaluate the data from the past 30 days at the time of evaluation.

Start Date: This option is available only when you select Scheduled as the Alert Type. Select the date on which you want to start the policy evaluation.

Hours: This option is available only when you select Scheduled as the Alert Type. Select the time(s) at which you want to start the policy evaluation.

Days: This option is available only when you select Scheduled as the Alert Type and Weekly as the Scheduler Type. Select the day(s) on which you want to start the policy evaluation.

Months: This option is available only when you select Scheduled as the Alert Type and Monthly as the Scheduler Type. Select the month(s) in which you want to start the policy evaluation.

Dates: This option is available only when you select Scheduled as the Alert Type and Monthly as the Scheduler Type. Select the date(s) on which you want to start the policy evaluation.

Critical/Major/Warning: Use these fields to set the severity under which the alert will be triggered.

Suppress Action: Switch this toggle ON to suppress the actions and notifications mapped to the policy. Once this toggle is ON and the alert is triggered, the action is executed once and you receive a single notification; after that, the actions and notifications configured in the policy are suppressed for the time period specified in the Suppress Window field.

Suppress Window: Specify the time period for which you do not wish to execute the actions and receive the notifications mapped to the policy.

Notify Team

Notify: There are two ways you can populate this field:

  • Username of a registered user in Motadata AIOps (the alert notification will be sent over email and SMS to the mapped email address and phone number respectively).

  • Any email address (if the recipient you wish to notify is not a registered user, you can enter an email address).

Play Sound: Activate this toggle to enable sound notifications when an alert is triggered.

If Severity is: Choose the severity level at which the sound notification should be triggered. This option becomes visible only when the Play Sound toggle is switched ON.

Take Action

Action to be taken: Select a runbook from the dropdown to be executed when the alert is triggered.

Create New: Select this button to start creating a new runbook which you might want to assign to the policy you are creating.

Select the Create Policy button to create the policy based on the details entered.

Select the Reset button to erase all the current field values, if required.