Network page
The Network page provides key network activity metrics in an interactive map, and network event tables that enable interaction with Timeline. You can drag and drop items of interest from the Network view to Timeline for further investigation.

Map
The map provides an interactive visual overview of your network traffic. Hover over source and destination points to show more information, such as host names and IP addresses.
To access the interactive map, you must have the appropriate user role. To learn more about map setup, refer to Configure network map data.
There are several ways to drill down:
- Click a point, hover over the host name or destination IP, then use the filter icon to add a field to the filter bar.
- Drag a field from the map to Timeline.
- Click a host name to go to the Hosts page.
- Click an IP address to open its details page.
You can start an investigation using the map, and the map refreshes to show related data when you run a query or update the time range.
To add and remove layers, click on the Options menu (…) in the top right corner of the map.
Widgets and data tables
Interactive widgets let you drill down for deeper insights:
- Network events
- DNS queries
- Unique flow IDs
- TLS handshakes
- Unique private IPs
There are also tabs for viewing and investigating specific types of data:
- Events: All network events. To display alerts received from external monitoring tools, scroll down to the events table and select Show only external alerts on the right.
The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.
- Flows: Source and destination IP addresses and countries.
- DNS: DNS network queries.
- HTTP: Received HTTP requests (HTTP requests for applications using Elastic APM are monitored by default).
- TLS: Handshake details.
- Anomalies: Anomalies discovered by machine learning jobs.
IP details page
An IP’s details page shows related network information for the selected IP address.
To view an IP’s details page, click its IP address link from the Source IPs or Destination IPs table.
The IP’s details page includes the following sections:
- Summary: General details such as the location, when the IP address was first and last seen, the associated host ID and host name, and links to external sites for verifying the IP address’s reputation. By default, the external sites are Talos and VirusTotal. Refer to Display reputation links on IP detail pages to learn how to configure IP reputation links.
- Alert metrics: The total number of alerts by severity, rule, and status (Open, Acknowledged, or Closed).
- Data tables: The same data tables as on the main Network page, except with values for the selected IP address instead of all IP addresses.
