Flow overview
Axoflow uses flows to manage the routing and processing of security data. A flow applies to one or more AxoRouter instances. The Flows page lists the configured flows, and also highlights if any alerts apply to a flow.
Each flow consists of the following main elements:
- A Router selector that specifies the AxoRouter instances the flow applies to. Multiple flows can apply to a single AxoRouter instance.
- Processing steps that filter and select the messages to process, set or unset message fields, and perform various data transformation and data reduction operations.
- A Destination where the AxoRouter instances of the flow deliver the data. Destinations can be external destinations (for example, a SIEM), or other AxoRouter instances.
Based on the flows, Axoflow Console automatically generates and deploys the configuration of the AxoRouter instances. Click ⋮ or the name of a flow to display its details.
Filter flows
To find or display only specific flows, you can use the filter bar.
- Basic Search mode searches the following fields of the flow: Name, Destination, Description.
  Basic Search is case insensitive. Adding multiple keywords searches for matches in any of the previous fields. This is equivalent to the following AQL query:
  @ANY =* keyword1 AND @ANY =* keyword2
- AQL Query Search mode allows you to search in specific fields of the flows.
  It also makes more complex filtering possible, using the Equals, Contains (partial match), and Match (regular expression match) operators. Note that:
  - To execute the search, click Search, or hit ESC then ENTER.
  - Axoflow Console autocompletes the built-in and custom labels and field names, as well as their most frequent values, but doesn’t autocomplete labels and variables created by data parsing and processing steps.
  - You can use the AND and OR operators to combine expressions, and also parentheses if needed.
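As an added illustration, not Axoflow's own code or query parser, the following Python models the documented part of flow search: it rewrites Basic Search keywords into the `@ANY =* …` AQL form the page gives, and evaluates the Contains operator (`=*`), AND, OR and parentheses over constructed sample flows. The field names, the sample data, and the assumption that AND binds tighter than OR are the author's choices for this demo; the Equals and Match operators are deliberately not modelled and are rejected.

```python
import re

# Constructed sample flows (not Axoflow data) with the three fields Basic Search covers.
FLOWS = [
    {"Name": "prod-firewall", "Destination": "splunk-siem", "Description": "Palo Alto logs"},
    {"Name": "dev-apps", "Destination": "s3-archive", "Description": "application logs"},
    {"Name": "edge-routers", "Destination": "splunk-siem", "Description": "NetFlow export"},
]

def basic_to_aql(keywords):
    # Basic Search keywords become the AQL form the documentation gives.
    return " AND ".join(f"@ANY =* {k}" for k in keywords)

def _contains(flow, field, needle):
    # `=*` is a case-insensitive partial match; @ANY checks every searchable field.
    fields = ("Name", "Destination", "Description") if field == "@ANY" else (field,)
    return any(needle.lower() in flow.get(f, "").lower() for f in fields)

def evaluate(aql, flow):
    """Evaluate `field =* value`, AND, OR and parentheses (assumed grammar: AND binds tighter)."""
    tokens = re.findall(r"\(|\)|\bAND\b|\bOR\b|=\*|[^\s()]+", aql)
    pos = 0
    def factor():  # "(" expr ")" | field "=*" value
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            value = expr()
            if tokens[pos:pos + 1] != [")"]:
                raise ValueError("missing closing parenthesis")
            pos += 1
            return value
        field, op, needle = tokens[pos:pos + 3]
        if op != "=*":
            raise ValueError(f"operator {op!r} is not handled by this demo")
        pos += 3
        return _contains(flow, field, needle)
    def chain(sub, keyword, combine):  # sub (keyword sub)*; both sides are always parsed
        nonlocal pos
        value = sub()
        while pos < len(tokens) and tokens[pos] == keyword:
            pos += 1
            value = combine(value, sub())
        return value
    term = lambda: chain(factor, "AND", lambda a, b: a and b)
    expr = lambda: chain(term, "OR", lambda a, b: a or b)
    result = expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing input")
    return result
```

Calling `evaluate(basic_to_aql(["splunk", "logs"]), flow)` for each flow matches only `prod-firewall`, since a flow must contain every keyword in some field.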
Disable flow
If needed, you can disable a flow without deleting it by clicking the toggle to the right of the flow name.
CAUTION:
Disabling a flow immediately stops log forwarding for the flow. Any data that’s not forwarded using another flow can be irrevocably lost.