Each instance of the Tenable Log Correlation Engine includes agents for many different platform technologies - including NetFlow. This enables collection of NetFlow traffic logs from routers, switches and other network devices.

The Tenable Log Correlation Engine normalizes NetFlow logs and performs the following types of correlations:

• Bandwidth tracking – each NetFlow is categorized by length of time and bandwidth allowing for identification of long sessions or high volume data transfers.
• Statistical network profiling – each system's NetFlow records are normalized and profiled so that changes in connectivity (how many systems a server is speaking with) or how many NetFlows occur are immediately identified as an anomaly
• User monitoring – each NetFlow record can be associated with network users so you can monitor and track which users are high network consumers, who may be connecting to suspicious sites and understand traffic from potential high-risk insiders.
• Reputation correlation – Each NetFlow record is compared against public lists of known hostile sites that transmit viruses, malware and hostile content.
• Situational Awareness – When NetFlow logs are collected alongside IDS, firewall, system log, process execution, web logs and other types of data, a more-complete picture of the real-time or historical situation can be made.