How to leverage NetFlow Analyzer's Security Analytics: Best practices

Network threats hide in plain sight, disguised as routine traffic, moving slowly and deliberately to avoid detection. Security Analytics in ManageEngine NetFlow Analyzer is built to spot threats that rarely announce themselves. The feature brings together:

  • ML-based behavioral analysis that builds a baseline of normal device behavior and flags deviations that signal potential threats.

  • Asset-based tracking for persistent device identity across IP changes and granular visibility into every conversation on your network.

  • MITRE ATT&CK techniques and tactics to map detected anomalies to known real-world attack patterns, giving your team immediate context on what they are dealing with.

This helps surface anomalies before they snowball into incidents. But like any security tool, Security Analytics is only as good as the data it receives. The way you configure your network to feed data into it determines whether the feature delivers its full potential or operates with critical blind spots.

These best practices cover the foundational setup decisions that directly impact the quality of threat detection.

1. Configure flow export at the right switch layer

In a typical enterprise network, traffic flows through three layers: access switches (where end devices connect), distribution switches (the aggregation layer), and core switches (the high-speed backbone). Most teams export flows from the core switch by default, since it is the central point and convenient. However, core switches only see LAN-to-WAN traffic, that is, traffic leaving or entering the network. What they miss entirely is East-West traffic: the lateral communication between devices within your own network. This is a critical blind spot, because most attack activity, such as lateral movement, insider threats, and compromised endpoints communicating with each other, lives entirely within the LAN and never touches the core switch.

Export flows from access switches: Access switch-level flow data gives Security Analytics' ML model the granular context needed to build accurate behavioral baselines and detect anomalies early. Core switch exports can still serve general bandwidth monitoring, but security analysis demands access-layer data.
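One way to check which of your export points actually see lateral traffic, as an added example that is not part of the original post or the NetFlow Analyzer product: classify each flow as East-West (both endpoints in RFC 1918 space) or North-South and compute the East-West share per exporter. The flow records and exporter names below are constructed; a core-only export point shows up with a share near zero.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# RFC 1918 ranges: a flow with both endpoints inside them is East-West (LAN-internal).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample flow records (exporter, src, dst); not real telemetry.
FLOWS = [
    ("core-sw",     "10.1.20.15", "203.0.113.10"),  # workstation -> Internet
    ("core-sw",     "10.1.20.16", "198.51.100.25"), # workstation -> Internet
    ("core-sw",     "203.0.113.7", "10.1.30.7"),    # Internet -> internal server
    ("access-sw-1", "10.1.20.15", "203.0.113.10"),  # same North-South flow, seen here too
    ("access-sw-1", "10.1.20.15", "10.1.20.22"),    # workstation -> workstation
    ("access-sw-1", "10.1.20.22", "10.1.30.7"),     # workstation -> internal file server
    ("access-sw-1", "10.1.20.15", "10.1.20.23"),    # workstation -> workstation
]

def is_internal(ip):
    """True when the address falls in an RFC 1918 range."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def is_east_west(src, dst):
    """East-West = both endpoints internal; anything else is North-South (LAN<->WAN)."""
    return is_internal(src) and is_internal(dst)

def east_west_share(flows):
    """Fraction of each exporter's flows that are East-West: {exporter: share}."""
    counts = defaultdict(lambda: [0, 0])  # exporter -> [east_west, total]
    for exporter, src, dst in flows:
        counts[exporter][1] += 1
        if is_east_west(src, dst):
            counts[exporter][0] += 1
    return {e: ew / total for e, (ew, total) in counts.items()}

def exporters_without_lateral_visibility(flows, min_share=0.05):
    """Exporters whose East-West share is below min_share: likely core-only export
    points that cannot feed lateral-movement detection."""
    return sorted(e for e, share in east_west_share(flows).items() if share < min_share)

if __name__ == "__main__":
    for exporter, share in east_west_share(FLOWS).items():
        print(f"{exporter}: {share:.0%} East-West")
    print("blind to lateral traffic:", exporters_without_lateral_visibility(FLOWS))
```

Run the same check over an hour of your own exported flows: an exporter that never reports a private-to-private conversation is not giving Security Analytics anything to baseline lateral behavior on.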

2. Choose the right flow protocol

Imagine a compromised endpoint in your network quietly sending out sensitive data, a few megabytes every hour, always during off-peak times, never enough to spike any bandwidth alert. This is data exfiltration by design. This technique is slow, deliberate, and calculated to blend in. Now add sFlow to the picture. Since sFlow only samples 1 in every N packets, there is a very real chance that the packets carrying that stolen data are never captured at all. No record, and no alert. The breach continues undetected for days, weeks, or longer, not because your security tool failed to analyze the data, but because it never even collected it in the first place.

Use NetFlow, IPFIX, or JFlow instead: These protocols export metadata for every flow when run unsampled. Ensure the sampling rate is set to 1 so every flow is captured. Any higher rate introduces blind spots; for threat detection, completeness of flow data is non-negotiable. That said, not all switches and routers support a sampling rate of 1. In such cases, the NetFlow Generator (NFG) agent can be used as an alternative. Raw network packets are mirrored to the NFG server, which generates flow records from the mirrored traffic, ensuring complete flow visibility even when the network device itself cannot support full flow export. This way, hardware limitations never become a reason for incomplete security data.
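The sampling argument above put into numbers, as an added example that is not from the original post or the product: if an exporter samples 1 in N packets independently, a transfer of P packets leaves no flow record at all with probability (1 - 1/N)^P. The hourly byte volume, packet payload size and sampling rates are constructed assumptions.

```python
import math

def packets_for_transfer(num_bytes, payload_per_packet=1400):
    """Packets needed to move num_bytes at a given payload size per packet."""
    return math.ceil(num_bytes / payload_per_packet)

def miss_probability(packets, sample_rate):
    """Probability that none of a flow's packets is sampled when the exporter
    samples 1 in `sample_rate` packets (each packet treated independently).
    sample_rate == 1 means every packet is seen and nothing is missed."""
    if sample_rate < 1:
        raise ValueError("sample_rate must be >= 1")
    return (1 - 1 / sample_rate) ** packets

def missed_transfers(transfers_per_day, days, packets, sample_rate):
    """Expected number of periodic transfers that leave no flow record at all."""
    return transfers_per_day * days * miss_probability(packets, sample_rate)

def sampling_report(num_bytes, sample_rates=(1, 100, 1000, 10000)):
    """Miss probability for a single transfer of num_bytes under each sampling rate."""
    pkts = packets_for_transfer(num_bytes)
    return {rate: round(miss_probability(pkts, rate), 3) for rate in sample_rates}

if __name__ == "__main__":
    # Constructed scenario matching the text: ~2 MB leaves once an hour, off-peak.
    hourly = 2_000_000
    pkts = packets_for_transfer(hourly)
    print(f"{hourly} bytes ~= {pkts} packets")
    for rate, p in sampling_report(hourly).items():
        print(f"1:{rate:<6} sampling -> P(no record at all) = {p:.3f}")
    # A short beacon is worse: a 5-packet check-in is almost never recorded at 1:1000.
    print("5-packet beacon, 1:1000:", round(miss_probability(5, 1000), 3))
    print("hourly transfers lost over 30 days at 1:10000:",
          round(missed_transfers(24, 30, pkts, 10000)))
```

Even the transfers that are sampled are represented only by the handful of packets that happened to be picked, so their byte counts are extrapolations; a sampling rate of 1 removes both the miss probability and that estimation error.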

3. Enable DHCP syslog integration

Picture this: a network security tool has spent two weeks learning the behavior of a device at 192.168.1.45, a finance team laptop with predictable patterns, modest data transfers, and consistent logoff times. Then the DHCP lease renews. That IP now belongs to a different machine, and the finance laptop resurfaces at 192.168.1.112. From the security tool's perspective, a trusted device has gone quiet and an unknown one has appeared in its place, stripped of all behavioral history. The ML model that was close to flagging a pattern of unusual after-hours access has now reset, and the investigation is derailed before it even starts.

Configure your DHCP server to forward syslogs to NetFlow Analyzer: Security Analytics addresses this by tracking devices by hostname and MAC address rather than by IP address. But this only works when your DHCP server is forwarding syslogs to NetFlow Analyzer, enabling real-time IP-to-hostname mapping. Even as a device's IP changes, its behavioral history stays intact and anomalies are correctly attributed to the right asset.
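An illustration of the IP-to-asset mapping that DHCP syslog forwarding makes possible, added here and not taken from the original post or the product: DHCPACK lines from a constructed ISC dhcpd-style log are indexed per IP, and each flow is attributed to whichever MAC/hostname held its source IP at the flow's start time, so the after-hours flow at the new address lands on the finance laptop's history rather than on a fresh unknown device. The log lines, hostnames, MAC addresses and flow records are all constructed.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP syslog lines (ISC dhcpd DHCPACK format, ISO timestamps); not real logs.
# 192.168.1.45 is reissued to another device while the finance laptop returns at 192.168.1.112.
DHCP_LOG = """\
2024-03-03T09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 192.168.1.45 to 3c:52:82:aa:bb:01 (fin-lt-07) via eth0
2024-03-03T18:40:09 dhcp1 dhcpd[1234]: DHCPACK on 192.168.1.45 to 70:b3:d5:cc:dd:02 (guest-tablet) via eth0
2024-03-03T18:41:30 dhcp1 dhcpd[1234]: DHCPACK on 192.168.1.112 to 3c:52:82:aa:bb:01 (fin-lt-07) via eth0
"""

# Constructed flow records (start time, source IP, bytes sent); not real telemetry.
FLOWS = [
    ("2024-03-03T10:00:00", "192.168.1.45", 4_200_000),   # finance laptop, working hours
    ("2024-03-03T19:05:00", "192.168.1.45", 800_000),     # same IP, now the tablet
    ("2024-03-03T23:30:00", "192.168.1.112", 5_100_000),  # laptop after hours at its new IP
]

ACK_RE = re.compile(r"^(\S+) \S+ dhcpd\[\d+\]: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")

def build_lease_index(log_text):
    """Per IP: (sorted ack times, parallel list of (mac, hostname)) from DHCPACK lines."""
    acks = defaultdict(list)
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            acks[ip].append((datetime.fromisoformat(ts), mac, host or mac))  # no hostname -> MAC
    return {ip: ([e[0] for e in sorted(ev)], [(e[1], e[2]) for e in sorted(ev)])
            for ip, ev in acks.items()}

def asset_for(index, ip, when_iso):
    """(mac, hostname) that held `ip` at time `when_iso`, or None if no lease is known yet."""
    if ip not in index:
        return None
    times, assets = index[ip]
    pos = bisect_right(times, datetime.fromisoformat(when_iso)) - 1  # latest ack at/before `when`
    return assets[pos] if pos >= 0 else None

def bytes_per_asset(index, flows):
    """Sum flow bytes by hostname instead of by IP, so history survives an IP change."""
    totals = defaultdict(int)
    for ts, ip, nbytes in flows:
        asset = asset_for(index, ip, ts)
        totals[asset[1] if asset else f"unknown@{ip}"] += nbytes
    return dict(totals)
```

Without the lease index, the same three flows would be keyed by IP and the 192.168.1.112 transfer would start a new, history-less profile; with it, fin-lt-07 accumulates 9.3 MB and the tablet 0.8 MB.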

Getting the foundation right

Security Analytics is a powerful feature, but its effectiveness is built on the quality and completeness of the data flowing into it. Exporting from the right switch layer, choosing the right flow protocol, and maintaining accurate asset identity through DHCP syslog integration are not optional fine-tuning steps; they are the foundation. Get these right, and Security Analytics can do what it was built to do: catch the threats that would otherwise go unnoticed.

To learn more about how Security Analytics works, visit the ManageEngine NetFlow Analyzer Security Analytics page.