FlowControl XNS

The XNS module is an extension of the FlowControl XN system, used to detect and analyze security anomalies and threats in the context of the entire organisation. It uses rules and algorithms built on the basis of ATT&CK MITRE methodology and two independent threat detection engines - Threat Intelligence and Threat Detection. The Threat Intelligence engine generates alerts based on correlation with reputation lists of IP addresses and suspicious countries. The Threat Detection engine detects threats based on correlation and aggregation of connections between the values of various parameters and statistics of NetFlow and similar protocols.

The XNS module is installed on the same device as the XN module and uses the parameters it records an analyses — in particular TCP/IP parameters in layers 3 and 4 (source and target IP address, protocol, port), traffic attributes, as well as interface numbers by traffic direction (incoming/outgoing), including the IP addresses of NetFlow generating network devices. Due to the full integration of both solutions, the results of applying the security rules may be analysed rapidly and in detail from the network side.

Key features of FlowControl XNS solution:

  • A high-performance mechanism for network traffic monitoring and analysis – the basic device processes up to 250 000 flows per second.
  • Predefined dashboards, statistics and indicators.
  • Flexible analytical tools based on big data mechanism f.e. Google search.
  • Threats grouped according to the ATT&CK MITRE methodology.
  • Detection of malicious communications (e.g. malware, C2 or botnet).
  • Identification of incidents and security policy breaches.
  • Support for SOCs and CSIRTs teams.
  • A map of threats, providing a clear presentation of locations from which attacks originated.
  • Support for the management of security processes (Network Forensics, Incident Handling and Threat Hunting).
  • Maintaining time context and filters between views.


  • Views are generated without the need of constant data reloading.
  • Processing 250 000 flows per second, retrieved from a network of any architectural complexity.
  • Negligible load on the network and network devices 
  • scalable mass storage enables to flexibly manage data retention periods.


  • Alerts are generated on meeting pre-defined conditions, e.g. after exceeding the set limit for using a particular port or application traffic volume.
  • An alarm message is sent by email, Syslog or an SNMP trap.


  • Presentation of data relating to the entire network, groups of parameters or individual parameters (port, interface, host, IP) in any time window.
  • Easy top-down access – with just a single click, the drilldown mechanisms enable viewing of data for a specific port, interface or IP number.
  • Searching for data in the system using analysis tools like Google search.
  • Maintaining the time context and filters between views.
  • The possibility of saving complex search filters and time context (bookmarks).
  • The XND module uses data from the NetFlow protocol to detect DDoS attacks on specific services performed by a monitored group of hosts. The system analyses DDoS parameters within the defined time frames and enables to block a sevice via FlowSpec. 


  • Separate accounts for the system administrator and users allows their respective permissions to be determined with greater precision.
  • Possibility of authentication through the LDAP protocol or Radius service
  • Special views enable the diagnoses of FlowControl system performance, including CPU and RAM load levels and the state of mass storage.

Article: Network flow monitoring - a valuable source of data for SIEM systems

Jacek Grymuza explains the benefits of feeding data from the NetFlow protocol and its derivatives into popular SIEMs.

Poland Office:
Goraszewska 19
02-910 Warsaw


Ireland Office:
Alexandra House
The Sweepstakes
Ballsbridge, Dublin
D04 C7H2

Copyright 2021 Sycope Ltd. All rights reserved. Privacy policy