# Detection Models

- [Detection Models Overview](https://docs.fusion.vectra.ai/detection-models/overview.md): Detection Models are designed to detect and alert you to potential threats, malicious activity, or unwanted traffic on a network. Detection Models use the Netography Query Language (NQL) within Netogr
- [Detection Model Configuration](https://docs.fusion.vectra.ai/detection-models/detection-trackby-thresholds.md): ✋ Writing your own detection model? We are here to help. Chat with Netography's Detection Engineers in the #fusion-detections channel in Netography's Discord community, or send your question to Supp
- [Detection Model Quick Reference Guide](https://docs.fusion.vectra.ai/detection-models/detection-model-quick.md): Field Description Example General General configuration Name Unique name netbiosreflect Description Text description Netbios reflection attack Categories Detection categories t1498 Traffic Type Traffi
- [Adding a Detection Model](https://docs.fusion.vectra.ai/detection-models/add-detection-models.md): Detection Models monitor network traffic and generate events when specific conditions are met. Context Creation Models assign context labels to IPs that match certain conditions. Each configuration wi
- [Auto Thresholding](https://docs.fusion.vectra.ai/detection-models/detection-auto-thresholding.md): ✋ Writing your own detection model? We are here to help. For help using auto thresholding, or any detection model questions, chat with Netography's Detection Engineers in the #fusion-detections chan
- [Detection Model Library](https://docs.fusion.vectra.ai/detection-models/library.md): Detection Categories Categorizing Fusion detections (aka NDMs) helps you understand the type of event encountered by Fusion. Attack Attack detections within Netography Fusion's Netography Detection Mo
- [Attack](https://docs.fusion.vectra.ai/detection-models/library/attack.md): Attack detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to attempts to break into their networks remotely. These detec
- [external\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/external_tcp_4444.md): Explanation The external\_tcp\_4444 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 4444. Metasploit uses port 4444 by default for shell
- [interactive\_login\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/attack/interactive_login_bad_rep.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects traffic inbound to an Internet facing SSH or RDP endpoint from a source IP address with a bad reputation. W
- [interactive\_login\_itar](https://docs.fusion.vectra.ai/detection-models/library/attack/interactive_login_itar.md): Explanation The NDM analyzes network traffic to detect interactive login connections to SSH or RDP from IP addresses originating in countries listed under US Code 22 CFR § 126.1 “Prohibited exports, i
- [internal\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/internal_tcp_4444.md): Explanation The internal\_tcp\_4444 NDM flags connections on TCP port 4444 inside your network. Metasploit uses port 4444 by default for shell listeners that are set up after exploitation, so the use of
- [long\_inbound\_https\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/attack/long_inbound_https_bad_rep.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet facing HTTPS endpoint from a source IP address with a bad reputation, with s
- [outbound\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/outbound_tcp_4444.md): Explanation The outbound\_tcp\_4444 NDM flags connections leaving the customer network to hosts listening on TCP port 4444. Metasploit uses port 4444 by default for shell listeners that are set up after
- [tor\_connection\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/attack/tor_connection_external_internal.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is n
- [Brute Force](https://docs.fusion.vectra.ai/detection-models/library/brute-force.md): Brute Force detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to activities associated with attempts at guessing userna
- [dcerpc\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [dcerpc\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [dcerpc\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [ftp\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [ftp\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [ftp\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [imap\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [imap\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [imap\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [kerberos\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/kerberos_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed login attempts using the Kerberos service originating from a single internal host. This activ
- [kerberos\_user\_enumeration](https://docs.fusion.vectra.ai/detection-models/library/brute-force/kerberos_user_enumeration.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed pre-authentication attempts using the Kerberos service originating from a single internal hos
- [mongodb\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity from the Internet t
- [mongodb\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity emanating from your
- [mongodb\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity between hosts insid
- [mssql\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity from the In
- [mssql\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MSSQL server. This event specifically looks for activity emanating fr
- [mssql\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity between hos
- [mysql\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity from the I
- [mysql\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity emanating
- [mysql\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity between ho
- [pop3\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [pop3\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [pop3\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [postgres\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity from
- [postgres\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity emana
- [postgres\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity betwe
- [rdpbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [rdpbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [rdpbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [redis\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity from the Internet tow
- [redis\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity emanating from your n
- [redis\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity between hosts inside
- [smb\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [smb\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [smb\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [sshbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [sshbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [sshbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [winrmbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [winrmbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [winrmbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [Denial of Service](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service.md): Denial of Service (DoS) attacks are a significant security risk where threat actors aim to make a network, service, or server unavailable by flooding it with excessive traffic, leading to potential op
- [ackflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ackflood.md): Explanation The ackflood event is a detection for ACK Flood, a type of DDoS attack where the attacker floods the target with a high volume of ACK packets. This event is triggered when there is a signi
- [chargenreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/chargenreflect.md): Explanation This security event in the Netography Fusion Portal is designed to detect Chargen reflection attacks. Chargen, short for Character Generator Protocol, is a legacy protocol that can be used
- [cldapreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/cldapreflect.md): Explanation CLDAP (Connection-less Lightweight Directory Access Protocol) reflection attacks involve amplifying small requests into larger responses through open servers that have UDP port 389 open. A
- [codreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/codreflection.md): Explanation This event is designed to detect CoD (Call of Duty) reflection attacks that can cause a significant disruption to your network. CoD reflection attacks occur when an attacker sends a packet
- [dns\_amplification\_participation](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dns_amplification_participation.md): Explanation The dns\_amplification\_participation event in the Netography Fusion Portal helps to find potential participants in DNS amplification attacks. DNS amplification attacks exploit the vulnerabi
- [dnsattack](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dnsattack.md): Explanation The dnsattack security event in the Netography Fusion Portal is designed to detect DNS flood attacks in your network. DNS flood happens when an attacker floods a DNS server with queries, m
- [dnsreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dnsreflection.md): Explanation The dnsreflection event is a detection within the Netography Fusion Portal that detects DNS reflection attacks. These types of attacks use DNS servers to amplify the size of the incoming tra
- [fin\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/fin_flood.md): Explanation Fin Flood is a type of Denial-of-Service (DoS) attack that targets an open connection by bombarding it with numerous TCP packets with the "FIN" flag set. This excessive amount of packets o
- [icmpflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/icmpflood.md): Explanation icmpflood is a type of DDoS attack that sends a large number of ICMP packets to a target network, which can result in network congestion, packet loss, and service disruption. The Netograph
- [memcachereflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/memcachereflection.md): Explanation Memcached is an open source distributed memory caching system that is commonly used by web servers to speed up dynamic database-driven websites. Reflection attacks involve sending a reques
- [mssqlreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/mssqlreflection.md): Explanation This event is triggered when the Netography Fusion Portal detects an MSSQL reflection attack. MSSQL reflection attacks are SQL injection attacks that target Microsoft SQL servers running o
- [netbiosreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/netbiosreflect.md): Explanation The Netbios protocol is used by Microsoft operating systems for file sharing and printer sharing over a network. The reflection attack is when an attacker sends a falsified request to a ta
- [ntpreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ntpreflect.md): Explanation The ntpreflect event in Netography Fusion Portal looks for an NTP reflection attack. This is a type of DDoS attack in which an attacker sends a request to an NTP server and spoofs the sour
- [psh\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/psh_flood.md): Explanation psh\_flood is a security event in the Netography Fusion Portal that detects potential PSH floods. A Psh flood is when the TCP Push flag is set in the header of a packet, a flood of these ty
- [ripreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ripreflection.md): Explanation RIP reflection is a type of DDoS attack that exploits the Routing Information Protocol (RIP). The attacker sends malformed requests to a device that runs RIP, and the device responds with
- [rstflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/rstflood.md): Explanation The rstflood security event is triggered when the Netography Fusion Portal detects an abnormal frequency of Reset (RST) packets on the network, signaling a potential denial of service (DoS
- [slpreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/slpreflection.md): Explanation This security event in the Netography Fusion Portal is designed to detect SLP reflection attacks. SLP, short for Service Location Protocol, can be used by attackers to amplify DDoS attacks
- [snmpreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/snmpreflection.md): Explanation An SNMP reflection attack is a type of DDoS attack that exploits vulnerable SNMP servers to amplify and reflect attack traffic to targeted systems. What to Look For To examine the results
- [srcdsreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/srcdsreflection.md): Explanation SRCDS, or the Source Dedicated Server, is a tool used by video game developers for hosting and managing multiplayer games. However, if left unsecured, attackers can exploit the protocol an
- [ssdpreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ssdpreflect.md): Explanation The ssdpreflect event is triggered when a Simple Service Discovery Protocol (SSDP) reflection attack is detected. An attacker can use SSDP reflection to amplify the amount of traffic sent
- [sunrpcreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/sunrpcreflection.md): Explanation The sunrpcreflection event in Netography Fusion Portal is designed to detect attacks against the SunRPC protocol used to manage network communication between servers and clients. Attackers
- [synflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/synflood.md): Explanation The synflood security event in the Netography Fusion Portal is designed to detect SYN flood attacks on a network. A SYN flood is a type of DDoS attack where the attacker sends a large numb
- [tp240\_phone\_home\_reflection\_ddos](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/tp240_phone_home_reflection_ddos.md): Explanation This security event in the Netography Fusion Portal is designed to detect TP-240 reflection attacks. Voice-over-IP systems with TP-240 VoIP-processing interface cards can be used by attack
- [urg\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/urg_flood.md): Explanation The urg\_flood event is designed to detect potential Urg Flood attacks on a network. An Urg Flood is a type of Denial-of-Service (DoS) attack that uses the Urgent Pointer (URG) flag in the
- [Informational](https://docs.fusion.vectra.ai/detection-models/library/informational.md): Informational detections are a category within Netography Fusion's Netography Detection Models (NDMs) that provide valuable insights about unusual but not necessarily malicious network behavior. These
- [6in4tunnel](https://docs.fusion.vectra.ai/detection-models/library/informational/6in4tunnel.md): Explanation The 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets on the network. This technique, known as 6in4 tunneling, can be used for legitimat
- [alltcpflags](https://docs.fusion.vectra.ai/detection-models/library/informational/alltcpflags.md): Explanation The alltcpflags security event is designed to trigger when all the TCP flags are set in a network packet. This can indicate a malicious attempt to evade detection by avoiding detection sig
- [badprotocol](https://docs.fusion.vectra.ai/detection-models/library/informational/badprotocol.md): Explanation The badprotocol event is triggered when the Netography Fusion Portal identifies an invalid IP protocol being used on the network. IP packets encapsulate higher level protocols such as TCP
- [communication\_to\_itar\_countries](https://docs.fusion.vectra.ai/detection-models/library/informational/communication_to_itar_countries.md): Explanation This Netography Fusion Portal event is designed to identify any connections made to countries listed under US Code 22 CFR § 126.1 “Prohibited exports, imports, and sales to or from certain
- [ethoverip](https://docs.fusion.vectra.ai/detection-models/library/informational/ethoverip.md): Explanation The ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets on the network. This technique, known as ethernet tunneling, can be used for legitimate comm
- [ip\_options\_abuse](https://docs.fusion.vectra.ai/detection-models/library/informational/ip_options_abuse.md): Explanation This Netography Fusion Portal event looks for ICMP messages of type 12 (Parameter Problem). Routers will emit these messages when they receive a malformed packet that they cannot route. Th
- [ipmi](https://docs.fusion.vectra.ai/detection-models/library/informational/ipmi.md): Explanation This event looks for IPMI attacks on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke
- [ipmi](https://docs.fusion.vectra.ai/detection-models/library/informational/ipmi-1.md): Explanation This event looks for IPMI attacks on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke
- [largeicmp](https://docs.fusion.vectra.ai/detection-models/library/informational/largeicmp.md): Explanation This Netography event is triggered when an ICMP packet with a large payload is detected on the network. This type of attack is often used to flood a network with a high volume of traffic,
- [tcp\_dnstunneling](https://docs.fusion.vectra.ai/detection-models/library/informational/tcp_dnstunneling.md): Explanation This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. Thi
- [tcpfrag](https://docs.fusion.vectra.ai/detection-models/library/informational/tcpfrag.md): Explanation This event is designed to detect a TCP fragmentation flood on the network. TCP fragmentation occurs when a large data packet is divided into smaller packets for transmission across the net
- [tcpnull](https://docs.fusion.vectra.ai/detection-models/library/informational/tcpnull.md): Explanation The tcpnull event is designed to detect NULL TCP flows. NULL TCP flows are packets that have no flags set, and are often used by attackers to scan networks for potential vulnerabilities. T
- [udpfrag](https://docs.fusion.vectra.ai/detection-models/library/informational/udpfrag.md): Explanation This Netography Fusion Portal security event detects a UDP fragmentation flood, which occurs when an attacker generates a large number of fragmented UDP packets towards a target system wit
- [unusual\_protocol](https://docs.fusion.vectra.ai/detection-models/library/informational/unusual_protocol.md): Explanation The unusual\_protocol event is triggered when the Netography Fusion Portal identifies an uncommon IP protocol being used on the network. IP packets encapsulate higher level protocols such a
- [Misconfiguration](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration.md): Misconfiguration detections are a crucial aspect of Netography Fusion's Netography Detection Models (NDMs) that identify potential vulnerabilities caused by incorrect network setup or security config
- [9090\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/9090_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a server on your network listening on port 9090 that has received a connection from an external IP address. The NDM wo
- [cups\_browsed\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/cups_browsed_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS prin
- [dns\_query\_returned\_loopback](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/dns_query_returned_loopback.md): Explanation The dns\_query\_returned\_loopback NDM will fire when an external DNS query returns the loopback IP address (127.0.0.1). External DNS names should not resolve to internal resources. Names tha
- [external\_access\_of\_smb](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_access_of_smb.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects non-customer network access to Windows Networking (Including DCE-RPC, Netbios, or SMB). What to Look For Ge
- [external\_kerberos\_access](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_kerberos_access.md): Explanation This security event is triggered by Netography Fusion Portal when it detects non-customer network access of Kerberos resources. Kerberos is a network authentication protocol used by many e
- [external\_ldap\_access](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_ldap_access.md): Explanation The external\_ldap\_access NDM is designed to search for instances of non-customer network access of LDAP resources. This type of access can leave a network vulnerable to attackers attemptin
- [external\_printing\_connections](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_printing_connections.md): Explanation This event is designed to detect external connections to internal print servers. The event triggers when an external source tries to connect to a print server residing within the protected
- [external\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_snmp_sweep.md): Explanation This security event is triggered when an SNMP sweep is detected entering the customer's network. SNMP, or Simple Network Management Protocol, is a protocol used for managing and monitoring
- [fortinet\_management\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/fortinet_management_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on TCP port 541 leaving your network. This return traffic indicates that there may have been an external attac
- [internal\_socks5\_proxy](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/internal_socks5_proxy.md): Explanation The internal\_socks5\_proxy NDM is designed to detect socks5 traffic on the local customer network. A SOCKS5 proxy is a protocol that routes internet traffic through a proxy server. It can b
- [msrdp](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/msrdp.md): Explanation A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack where the attacker sends a forged packet to an open RDP server that causes it to send a large amount of
- [outbound\_database\_exfil](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_database_exfil.md): Explanation The outbound\_database\_exfil event is triggered when outbound traffic is detected from common database ports, indicating a potential exfiltration attempt from a database. This event is desi
- [outbound\_ftp\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_ftp_traffic.md): Explanation This event monitors outbound traffic for cleartext FTP connections. The use of non-encrypted protocols such as FTP can leave sensitive information vulnerable to interception and theft. Wha
- [outbound\_imap\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_imap_traffic.md): Explanation This Netography Fusion Portal event monitors for cleartext outbound IMAP traffic, which should be discouraged due to security risks. IMAP is a protocol used for email retrieval and transfe
- [outbound\_ldap\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_ldap_traffic.md): Explanation This Netography Fusion Portal event monitors for outbound LDAP traffic leaving the customer network. LDAP traffic to Internet destinations may be unexpected. What to Look For Investigation
- [outbound\_pop3\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_pop3_traffic.md): Explanation The outbound\_pop3\_traffic event monitors for cleartext outbound POP3 traffic on the network. POP3 is a non-encrypted protocol used for email retrieval. Use of non-encrypted protocols such
- [outbound\_printing](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_printing.md): Explanation This Netography Fusion Portal event monitors for outbound traffic to print servers on the Internet, specifically using the IPP or LDP protocols. What to Look For To examine the results of
- [outbound\_rejected\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_rejected_traffic.md): Explanation This NDM detects traffic attempting to leave the network that has been blocked or denied by network security policies. This event helps to identify potential threats or policy violations t
- [outbound\_smb\_spike](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_smb_spike.md): Explanation This security event monitors the amount of Windows Networking traffic leaving the network (including DCE-RPC, Netbios, or SMB). If there is a high volume of this traffic leaving the network,
- [outbound\_smb\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_smb_traffic.md): Explanation This Netography Fusion Portal security event is triggered when outbound Windows Networking traffic is detected (including DCE-RPC, Netbios, or SMB). What to Look For When well tuned, this
- [outbound\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_snmp_sweep.md): Explanation outbound\_snmp\_sweep is a security event in the Netography Fusion Portal that is triggered when an SNMP sweep is detected leaving the customer network. SNMP, or Simple Network Management Pr
- [outbound\_telnet\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_telnet_traffic.md): Explanation The outbound\_telnet\_traffic event detects outbound cleartext telnet traffic. The use of non-encrypted protocols such as telnet should be discouraged due to the inherent security risks. Thi
- [rdp\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/rdp_external_internal.md): Explanation The rdp\_external\_internal NDM monitors successful RDP connections from external sources to the network. This event helps to identify potential unauthorized access and data theft through RD
- [registered\_ports\_ext\_int](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/registered_ports_ext_int.md): Explanation The registered\_ports\_ext\_int NDM looks for any traffic accepted onto your network from the Internet on IANA registered ports. These ports are less commonly exposed to the Internet than wel
- [ssh\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/ssh_external_internal.md): Explanation The ssh\_external\_internal event monitors for successful SSH connections from external sources to internal destinations. This is an important security event to monitor since successful exte
- [Operational Governance](https://docs.fusion.vectra.ai/detection-models/library/operational-governance.md): Operational Governance detections are a part of Netography Fusion's Netography Detection Models (NDMs) and are designed to promote best practices in network hygiene and responsible use of network reso
- [anydesk\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/anydesk_usage.md): Explanation The anydesk\_usage NDM is designed to detect any usage of the AnyDesk software within the network. AnyDesk is a remote desktop application that can be used to gain unauthorized access to sy
- [bitcoin\_node\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bitcoin_node_internal_external.md): Explanation The bitcoin\_node\_internal\_external event monitors network traffic for possible Bitcoin mining activity. Bitcoin mining is a process of verifying transactions in the Bitcoin blockchain by s
- [bittorrent](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent.md): Explanation The bittorrent NDM is designed to detect BitTorrent traffic on a network. BitTorrent is a type of peer-to-peer (P2P) file-sharing protocol that allows users to share large files, such as m
- [bittorrent\_tracker\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_tracker_internal_external.md): Explanation The bittorrent\_tracker\_internal\_external NDM uses threat intelligence to detect traffic to external hosts running BitTorrent tracker servers. BitTorrent clients will almost always use BitT
- [bittorrent\_transfer\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_transfer_external_internal.md): Explanation The bittorrent\_transfer\_external\_internal NDM is designed to detect file downloads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on downloads rather
- [bittorrent\_transfer\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_transfer_internal_external.md): Explanation The bittorrent\_transfer\_internal\_external NDM is designed to detect file uploads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on uploads rather tha
- [bittorrent\_user](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_user.md): Explanation The bittorrent\_user CCM creates a context label for any internal host that has been observed communicating with a host running BitTorrent tracker software on a TCP port commonly associated
- [connectwise\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/connectwise_usage.md): Explanation The connectwise\_usage NDM is designed to detect any usage of the ConnectWise software, a popular remote management and monitoring tool used by IT service providers. This event is triggered
- [external\_1801](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_1801.md): Explanation The external\_1801 NDM flags connections from outside the customer network to servers on the customer network listening with TCP or UDP on port 1801. Microsoft Message Queuing is a messagin
- [external\_socks5\_proxy](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_socks5_proxy.md): Explanation This security event is triggered when the Netography Fusion Portal detects the use of a socks5 proxy on the internet by an internal customer IP address. This may indicate that security con
- [external\_tcp\_44818](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_tcp_44818.md): Explanation The external\_tcp\_44818 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 44818. Rockwell Automation ICS systems use TCP port
- [external\_udp\_2222](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_udp_2222.md): Explanation The external\_udp\_2222 NDM flags connections from outside the customer network to servers on the customer network listening on UDP port 2222. Rockwell Automation ICS systems use UDP port 22
- [file-sharing\_apple-icloud](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_apple-icloud.md): Explanation The file-sharing\_apple-icloud event detects the presence of file sharing using Apple iCloud on the network. What to Look For To examine the results of the file-sharing\_apple-icloud event,
- [file-sharing\_dropbox\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_dropbox_detection.md): Explanation The file-sharing\_dropbox\_detection event is triggered when Netography Fusion Portal detects file sharing using Dropbox on the network. What to Look For When examining the results of this e
- [file-sharing\_idrive\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_idrive_detection.md): Explanation The file-sharing\_idrive\_detection NDM scans for instances of file sharing on the network that use the iDrive service. When users connect to the iDrive servers, it could lead to potential d
- [file-sharing\_mega-service](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_mega-service.md): Explanation This event detects the usage of file sharing Mega services by analyzing network traffic and endpoint data. What to Look For When examining the results of this event, look for any instances
- [file-sharing\_microsoft-onedrive](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_microsoft-onedrive.md): Explanation This NDM detects file sharing on the network using Microsoft OneDrive. What to Look For When examining the results of this NDM Event, look for any unauthorized file-sharing activity using
- [file-sharing\_wetransfer](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_wetransfer.md): Explanation This event is triggered when file sharing occurs using the Wetransfer application on the network. Wetransfer is a cloud-based file-sharing service that allows users to transfer large files
- [gotoresolve\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/gotoresolve_usage.md): Explanation This NDM looks for the usage of GoToResolve, a remote support and screen-sharing tool. When any activity related to GoToResolve is detected on the network or endpoint, this event triggers
- [internal\_tor\_relay](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/internal_tor_relay.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects a Tor node on the customer network. Tor is a proxy protocol that is used to hide the origin of network traffic. An una
- [ipfs\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/ipfs_usage.md): Explanation The ipfs\_usage NDM is designed to detect any IPFS related traffic on your network. IPFS (InterPlanetary File System) is a distributed protocol for sharing and storing files in a peer-to-pe
- [irctraffic](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/irctraffic.md): Explanation The irctraffic NDM is a network event that scans network traffic for IRC chat messages, IRC server connections, and IRC file transfers. If it detects any of these activities, it triggers a
- [messaging\_apple-push](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_apple-push.md): Explanation The messaging\_apple-push NDM is designed to detect the presence of messaging applications on a network. It detects network traffic associated with Apple's Push Notification Service (APNS),
- [messaging\_discord](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_discord.md): Explanation The messaging\_discord NDM is designed to detect the use of the Discord messaging application on the network. When triggered, it alerts network administrators to the presence of this applic
- [messaging\_disqus](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_disqus.md): Explanation The messaging\_disqus NDM is designed to detect the usage of Disqus on the network. Disqus is a third-party commenting and discussion platform used on many websites. This NDM can help secur
- [messaging\_facebook-messenger](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_facebook-messenger.md): Explanation The messaging\_facebook-messenger NDM detects the presence and usage of the popular Facebook Messenger application on the network. When a user communicates through the application, the NDM
- [messaging\_google-chat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_google-chat.md): Explanation The messaging\_google-chat NDM detects the presence of the Google Chat messaging application on the network. What to Look For To investigate this event, look for any instances of Google Cha
- [messaging\_icq](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_icq.md): Explanation The messaging\_icq NDM scans the network for the presence of messaging applications, specifically targeting ICQ. What to Look For You should examine the results of this event for any indica
- [messaging\_infobip](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_infobip.md): Explanation The messaging\_infobip NDM is designed to detect the presence of the InfoBip messaging application on the network. InfoBip is a cloud-based mobile communications platform that enables busin
- [messaging\_jpush](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_jpush.md): Explanation The messaging\_jpush NDM is designed to detect the presence of messaging applications on the network, specifically those using the JPush messaging service. What to Look For To examine the r
- [messaging\_kakaotalk](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_kakaotalk.md): Explanation The messaging\_kakaotalk NDM is designed to detect the Kakaotalk messaging application on the network. What to Look For To examine the results of the messaging\_kakaotalk NDM event, look for
- [messaging\_kik](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_kik.md): Explanation The messaging\_kik NDM is designed to detect the use of the Kik messaging application on the network. What to Look For If the messaging\_kik event is triggered, you should examine the networ
- [messaging\_messagebird](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_messagebird.md): Explanation The messaging\_messagebird event is triggered by the Netography Detection Module (NDM) when it detects activity from the messaging application called Messagebird on the network. What to Loo
- [messaging\_meta-messaging](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_meta-messaging.md): Explanation This NDM is designed to detect the presence of any "Meta" messaging applications on a network. What to Look For To examine the results of the messaging\_meta-messaging event, customers shou
- [messaging\_pushover](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_pushover.md): Explanation The messaging\_pushover NDM is designed to detect the presence of the messaging platform Pushover on the network. What to Look For Customers should examine their network traffic for any ind
- [messaging\_rocket-chat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_rocket-chat.md): Explanation The messaging\_rocket-chat NDM monitors the network for the presence of the messaging application Rocket Chat. Rocket Chat is an open source messaging platform that allows for encrypted and
- [messaging\_samsung-push](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_samsung-push.md): Explanation The messaging\_samsung-push NDM searches for the presence of messaging applications on the network, specifically on Samsung devices. What to Look For To analyze the results of the messaging
- [messaging\_signal](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_signal.md): Explanation The messaging\_signal NDM is designed to detect the presence of the Signal messaging application on the network. Signal is an end to end encrypted messaging application that can be used for
- [messaging\_sinch](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_sinch.md): Explanation The messaging\_sinch NDM is designed to detect the presence of the Sinch messaging application on a network. Sinch is a cloud-based communications platform that allows developers to integra
- [messaging\_snapchat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_snapchat.md): Explanation The messaging\_snapchat NDM is designed to detect the presence of the Snapchat messaging application on the network. What to Look For If the messaging\_snapchat event is triggered, check for
- [messaging\_stream-io](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_stream-io.md): Explanation The messaging\_stream-io NDM detects the presence of the Stream-IO messaging application on the network. Stream-IO is used for real-time message passing between clients and servers, making
- [messaging\_telegram](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_telegram.md): Explanation The messaging\_telegram event is a security event in the Netography Fusion Portal that evaluates for the presence of the Telegram messaging application on the network. What to Look For To analy
- [messaging\_threema](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_threema.md): Explanation The messaging\_threema NDM is designed to detect the presence of the Threema messaging application on the network. Threema is a secure messaging application that is commonly used by individuals
- [messaging\_wechat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_wechat.md): Explanation The messaging\_wechat NDM (Network Detection Method) is designed to detect the presence of the WeChat messaging application on a network. It analyzes network traffic and looks for specific
- [messaging\_whatsapp](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_whatsapp.md): Explanation The messaging\_whatsapp NDM detects the presence of messaging applications on the network, with a specific focus on WhatsApp. This NDM works by analyzing network traffic to determine the pr
- [messaging\_zalo](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_zalo.md): Explanation The messaging\_zalo NDM is a network security event designed to detect the use of messaging applications on the network, with a particular focus on the Zalo messaging platform. What to Look
- [outbound\_6in4tunnel](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_6in4tunnel.md): Explanation The Outbound 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets that are leaving the customer network to external destinations. This tech
- [outbound\_ethoverip](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_ethoverip.md): Explanation The outbound ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets that are leaving the customer network to external destinations. Ethernet tunneling
- [outbound\_teredo](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_teredo.md): Explanation The outbound\_teredo NDM is designed to detect Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. Teredo can be used for l
- [outbound\_teredo\_spike](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_teredo_spike.md): Explanation The outbound\_teredo\_spike NDM is designed to detect high volumes of Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. Te
- [social\_discourse\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_discourse_detection.md): Explanation The social\_discourse\_detection Netography Detection Model (NDM) is utilized to detect the social media platform: Discourse on the network. What to Look For If the social\_discourse\_detectio
- [social\_instagram\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_instagram_detection.md): Explanation The social\_instagram\_detection NDM was developed by the Netography Threat Research team to detect the use of Social Media: Instagram. What to Look For When examining the results of the soc
- [social\_linkedin\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_linkedin_detection.md): Explanation The social\_linkedin\_detection NDM is a security event that detects the use of Social Media: LinkedIn on a network. It is designed to identify any attempts by users to access this networkin
- [social\_meta\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_meta_detection.md): Explanation The social\_meta\_detection NDM is a security event within the Netography Fusion Portal that looks for the detection of the use of social media: Meta. What to Look For To examine the results
- [social\_okcupid\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_okcupid_detection.md): Explanation The social\_okcupid\_detection NDM is designed to detect the use of the social media platform OKCupid on a network. What to Look For To examine the results of the social\_okcupid\_detection ND
- [social\_reddit\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_reddit_detection.md): Explanation The social\_reddit\_detection NDM is designed to detect any suspicious activity related to the use of social media, specifically Reddit, on your network. The NDM analyzes network traffic and
- [social\_tiktok\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_tiktok_detection.md): Explanation The social\_tiktok\_detection NDM is designed to detect the use of the social media app, TikTok. What to Look For When examining the results of the social\_tiktok\_detection event, users shoul
- [social\_tinder\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_tinder_detection.md): Explanation The social\_tinder\_detection NDM is designed to detect usage of the social media app Tinder on network endpoints. What to Look For If the social\_tinder\_detection NDM is triggered, customers
- [social\_twitter\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_twitter_detection.md): Explanation The social\_twitter\_detection NDM is designed to detect the use of the social media platform Twitter on a network. It searches for any activity related to Twitter like login attempts, tweets, f
- [teamviewer\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/teamviewer_usage.md): Explanation This NDM looks for the usage of the TeamViewer software, which may pose a security risk for organizations. The NDM is triggered when the software is detected on a network or endpoint, and
- [third\_party\_vpn\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/third_party_vpn_usage.md): Explanation This NDM detects the usage of third-party (free or paid) VPNs. What to Look For To examine the results of this event, network administrators should monitor their network traffic for any co
- [tor\_connection\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/tor_connection_internal_external.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects a connection attempt to a known Tor entry node from an internal network device. Tor is often used to hide the origin o
- [unusual\_open\_tcp\_ports](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/unusual_open_tcp_ports.md): Explanation The unusual\_open\_tcp\_ports Netography Detection Model (NDM) is designed to detect uncommon TCP ports open and receiving connections on the network. The NDM is triggered when inbound TCP tr
- [vpn\_usage\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/vpn_usage_internal_external.md): Explanation vpn\_usage\_internal\_external is a Netography Fusion Portal security event designed to detect VPN usage exiting a customer's network. What to Look For When examining the results of the vpn\_u
- [Post-Compromise](https://docs.fusion.vectra.ai/detection-models/library/post-compromise.md): Post-Compromise detections are a vital feature of Netography Fusion's Netography Detection Models (NDMs) designed to identify and alert about activities associated with already compromised systems. Th
- [anomalous\_traffic\_dns](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_dns.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over UDP port 53 or over TCP ports 53 or 853 that exceeds an automatically determined baseline thresho
- [anomalous\_traffic\_itar](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_itar.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to IP addresses in countries listed under US Code 22 CFR § 126.1 (ITAR countries) “Prohibited exports,
- [anomalous\_traffic\_mega](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_mega.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to the Mega file hosting service that exceeds an automatically determined baseline threshold. Auto Threshol
- [anomalous\_traffic\_s3](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_s3.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to Amazon S3 that exceeds an automatically determined baseline threshold. Auto Thresholding observes r
- [anomalous\_traffic\_ssh](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_ssh.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over TCP port 22 that exceeds an automatically determined baseline threshold. Auto Thresholding observ
- [coinminer\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/coinminer_detection.md): Explanation The coinminer\_detection NDM detects machines connecting to coinmining servers which could indicate a cryptocurrency mining attack. This is accomplished by monitoring network traffic for co
- [comm\_with\_malware\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/comm_with_malware_external_internal.md): Explanation The comm\_with\_malware\_external\_internal NDM is designed to detect connections from identified malware command and control (C2) nodes to hosts on your network. Because flows occur in both d
- [comm\_with\_malware\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/comm_with_malware_internal_external.md): Explanation The comm\_with\_malware\_internal\_external NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to a
- [communication\_to\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/communication_to_bad_rep.md): Explanation The communication\_to\_bad\_rep NDM is designed to detect successful outbound connections to a known bad IP. The NDM triggers when a connection is made to an IP address that is on a deny list
- [communication\_to\_malware](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/communication_to_malware.md): Explanation The communication\_to\_malware NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to an IP addres
- [cups\_browsed\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/cups_browsed_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 exiting your network. UDP port 631 is usually associated with the CUPS-Browsed service and is
- [dga\_suspected](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dga_suspected.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with malware using a Domain Generation Algorithm (
- [dlp-china](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dlp-china.md): Explanation The dlp-china NDM is designed to detect potential data loss to China. This NDM looks for large traffic transfers headed towards an IP identified as being in China. What to Look For When an
- [dlp-russia](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dlp-russia.md): Explanation The dlp-russia NDM aims to detect potential data loss to Russia. The NDM works by looking for large data transfers headed towards an IP located in Russia. What to Look For When examining r
- [dns\_lookup\_tunneling](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dns_lookup_tunneling.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with DNS being used as a tunnel for non-DNS traffi
- [dnstunneling](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dnstunneling.md): Explanation The dnstunneling NDM is designed to detect DNS tunneling on your network. DNS tunneling is a technique used by malicious actors to bypass firewalls and security appliances to exfiltrate da
- [external\_http\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_http_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_http\_beacon NDM detects network communications over ht
- [external\_https\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_https_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_https\_beacon NDM detects network communications over h
- [external\_nonhttp\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_nonhttp_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_nonhttp\_beacon NDM detects network communications over
- [external\_tcp\_12345](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_tcp_12345.md): Explanation The external\_tcp\_12345 NDM flags connections on TCP port 12345 coming either inbound to your network from the Internet or outbound from your network to the Internet. Threat actors have bee
- [fortinet\_management\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/fortinet_management_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic from TCP port 541 on your network. This return traffic indicates that there may have been an internal attacker
- [ip\_lookup\_attempt](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/ip_lookup_attempt.md): Explanation The ip\_lookup\_attempt NDM is designed to detect when a customer network machine attempts to look itself up. This could be an indication of malicious activity on the network. What to Look F
- [ipmi\_default\_dumphashes](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/ipmi_default_dumphashes.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [kerberosting\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/kerberosting_internal_internal.md): Explanation Kerberos is a network authentication protocol used by many enterprises to securely authenticate users and services across a network. Kerberoasting is a post-compromise attack that can be u
- [large\_internal\_smb\_download](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/large_internal_smb_dowbload.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined
- [large\_internal\_smb\_download](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/large_internal_smb_download.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined
- [long\_dns\_connection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/long_dns_connection.md): Explanation The long\_dns\_connection NDM flags sustained interactive connections leaving the customer's network to destinations on TCP port 53, which is used by DNS. Most DNS connections are short live
- [outbound\_ping](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/outbound_ping.md): Explanation When threat actors first compromise a host, they often ping internet resources to verify connectivity. A spurious ping can be subtle and hard to detect because end users may make frequent
- [rdp\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/rdp_internal_external.md): Explanation This NDM is designed to detect successful RDP connections that cross from the internal network to the external network. It triggers when an RDP connection is successfully established from
- [sinkhole\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/sinkhole_detection.md): Explanation The sinkhole\_detection NDM is designed to detect any Internal IP addresses reaching out to known sinkhole servers. When malicious botnet or other malware command and control infrastructure
- [tcp\_123](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/tcp_123.md): Explanation The tcp\_123 NDM flags interactive connections leaving the customer's network to destinations on TCP port 123. The Network Time Protocol service uses UDP port 123, but does not use TCP. In
- [torrent\_usage\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/torrent_usage_detection.md): Explanation The torrent\_usage\_detection NDM was developed by the Netography Threat Research team to detect instances of torrent file sharing on a network. What to Look For To examine the results of th
- [uncommon\_icmp\_reject](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/uncommon_icmp_reject.md): Explanation The uncommon\_icmp\_reject event is triggered when the Netography Detection Module (NDM) detects network flows for ICMP messages that indicate that there is traffic on the network that is be
- [wkpsrcdst](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/wkpsrcdst.md): Explanation The wkpsrcdst event in the Netography Fusion Portal is designed to detect and alert security personnel when a connection is established between two privileged ports within the monitored ne
- [Reconnaissance](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance.md): Reconnaissance detections are an essential component of Netography Fusion's Netography Detection Models (NDMs) that are designed to identify and alert network administrators to activities associated w
- [3000\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 3000 that is hitting the customer’s network from the Internet. Numerous technologies have used port 3000. One noteworthy example is Grafana
- [3000\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 3000 that is exiting the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an open source d
- [3000\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 3000 inside the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an o
- [8000\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8000 that is hitting the customer’s network from the Internet. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTP
- [8000\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8000 that is exiting the customer's network. Port 8000 has been used by a variety of different products as an alternative HTTP/HTTPS port.
- [8000\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 8000 inside the customer's network. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTPS port
- [8060\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8060 that is hitting the customer’s network from the Internet. Port 8060 is used by a number of different software products, including Mana
- [8060\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8060 that is exiting the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManag
- [8060\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for port 8060 inside the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManager. What
- [8888\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8888 that is hitting the customer’s network from the Internet. Port 8888 is used as an alternative HTTP port by many software products. It
- [8888\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8888 that is exiting the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is also used by Ma
- [8888\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 8888 inside the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is als
- [9090\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_external_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is hitting the customer’s network from the Internet. Port 9090 is used for several purposes, including Linux
- [9090\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_internal_external.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is exiting the customer's network. Port 9090 is used for several purposes, including Linux server administra
- [9090\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 inside the customer's network. Port 9090 is used for several purposes, including Linux server administration as w
- [backupexec\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec that is hitting the customer’s network from the Internet. Veritas BackupExec is a network backup application. What to Look Fo
- [backupexec\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec systems that is exiting the customer's network. Veritas BackupExec is a network backup application. Outbound scanning may be
- [backupexec\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec inside the customer's network. Veritas BackupExec is a network backup application. What to Look For Unauthorized scanning act
- [bamboo\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is hitting the customer’s network from the Internet. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerabili
- [bamboo\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is exiting the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in
- [bamboo\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo servers inside the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in t
- [bitbucket\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is hitting the customer’s network from the Internet. Atlassian Bitbucket is a source code repository that has been subj
- [bitbucket\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is exiting the customer's network. Bitbucket is a source code repository that has been subject to vulnerability disclos
- [bitbucket\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket servers inside the customer's network. Atlassian Bitbucket is a source code repository that has been subject to vulnerabilit
- [censys\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/censys_scanning.md): Explanation The censys\_scanning NDM is designed to detect any activity on your network that is related to Censys scanning. What to Look For If the censys\_scanning NDM is triggered, you should examine
- [cleo\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is hitting the customer’s network from the Internet. Cleo offers a family of file transfer products, including C
- [cleo\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is exiting the customer's network. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo
- [cleo\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer servers inside the customer's network. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo V
- [connscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan.md): Explanation The connscan NDM detects connection scanning attempts on the network. It does this by monitoring for a high rate of connection attempts, which may indicate an attacker attempting to discov
- [connscan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_external_internal.md): Explanation The connscan\_external\_internal NDM detects connection scanning attempts hitting the customer's network from the Internet. It does this by monitoring for a high rate of aborted successful T
- [connscan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_internal_external.md): Explanation The connscan\_internal\_external NDM detects connection scanning attempts exiting the customer's network. It does this by monitoring for a high rate of aborted successful TCP connections, wh
- [connscan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_internal_internal.md): Explanation The connscan\_internal\_internal NDM detects connection scanning attempts inside the customer's network. It does this by monitoring for a high rate of aborted successful TCP connections, whi
- [esxi\_internal\_slp\_scan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/esxi_internal_slp_scan.md): Explanation The esxi\_internal\_slp\_scan NDM is designed to detect Port 427 internal scanning activities on ESXi servers. This is a common port used for service location protocol, and by scanning this p
- [ftp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for FTP servers that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. R
- [ftp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for FTP servers that is exiting the customer's network. Outbound FTP scanning may be indicative of an infection and an attacker using a compromised
- [ftp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for FTP servers inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication tha
- [http\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/http_scan_internal_external.md): Explanation This NDM is designed to detect scanning for web servers that is exiting the customer's network on port 80 or 443. Outbound web scanning may be indicative of an infection and an attacker us
- [http\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/http_scan_internal_internal.md): Explanation This NDM is designed to detect web server scanning inside the customer's network on port 80 or 443. What to Look For Unauthorized scanning activity launched inside your network may be an i
- [imap\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_external_internal.md): Explanation This NDM is designed to detect scanning for IMAP that is hitting the customer’s network from the Internet. IMAP is an internet standard protocol for email retrieval. What to Look For Scann
- [imap\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_internal_external.md): Explanation This NDM is designed to detect scanning for IMAP that is exiting the customer's network. IMAP is an internet standard protocol for email retrieval. Outbound IMAP scanning may be indicative
- [imap\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for IMAP inside the customer's network. IMAP is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l
- [internal\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/internal_snmp_sweep.md): Explanation The internal\_snmp\_sweep is a detection model that identifies an SNMP sweep occurring in the network. The model triggers anytime a large number of SNMP requests are sent to different device
- [ipmi\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_external_internal.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ipmi\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_internal_external.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ipmi\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_internal_internal.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ivantiava\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is hitting the customer’s network from the Internet. Ivanti Avalanche is an enterprise mobility management & mobile de
- [ivantiava\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is exiting the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (M
- [ivantiava\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche inside the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (MDM) solution. Wh
- [kerberos\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_external_internal.md): Explanation This NDM is designed to detect Kerberos scanning that is hitting the customer’s network from the Internet. Kerberos is a protocol for authenticating requests between hosts on a network. Wh
- [kerberos\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Kerberos that is exiting the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. Outbound Kerbero
- [kerberos\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_internal_internal.md): Explanation This NDM is designed to detect Kerberos scanning inside the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. What to Look For Unauthorized
- [kibana\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is hitting the customer’s network from the Internet. Kibana is an open source data visualization platform that has been
- [kibana\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is exiting the customer's network. Kibana is an open source data visualization platform that has been subject to critica
- [kibana\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Kibana servers (port 5601) inside the customer's network. Kibana is an open source data visualization platform that has been subject to critical
- [ldap\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_inside_to_outside.md): Explanation This NDM is designed to detect LDAP scanning that is exiting the customer's network. LDAP is an open protocol used for accessing and maintaining distributed directory information services
- [ldap\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_internal.md): Explanation This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network. What to Look For When examining the results of the ld
- [ldap\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_outside_to_inside.md): Explanation The ldap\_scanning\_outside\_to\_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. LDAP scanning
- [local\_zone\_enumeration](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/local_zone_enumeration.md): Explanation The local\_zone\_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance
- [mesvcdesk\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_external_internal.md): Explanation This NDM is designed to detect scanning for an application service that ManageEngine ServiceDesk systems run on port 14003 that is hitting the customer’s network from the Internet. ManageE
- [mesvcdesk\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_internal_external.md): Explanation This NDM is designed to detect scanning activity exiting the customer's network that is looking for an application service that ManageEngine ServiceDesk systems run on port 14003. ManageEn
- [mesvcdesk\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_internal_internal.md): Explanation This NDM is designed to detect scanning inside the customer's network for an application service that ManageEngine ServiceDesk systems run on port 14003. ManageEngine ServiceDesk is an ent
- [mongodb\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_external_internal.md): Explanation This NDM is designed to detect scanning for MongoDB that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. Under
- [mongodb\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_internal_external.md): Explanation This NDM is designed to detect scanning for MongoDB that is exiting the customer's network. Outbound MongoDB scanning may be indicative of an infection and an attacker using a compromised
- [mongodb\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for MongoDB inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that yo
- [msmq\_tcp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr
- [msmq\_tcp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is exiting the customer's network. Microsoft Message Queuing is a messaging protocol that allows
- [msmq\_tcp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio
- [msmq\_udp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr
- [msmq\_udp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is exiting the customer's network. Microsoft Message Queuing is a messaging protocol that allows
- [msmq\_udp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio
- [mssql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo
- [mssql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is exiting the customer's network. Outbound scanning may be indicative of an infection and an attacker using a comprom
- [mssql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic
- [mysql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for MySQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplac
- [mysql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for MySQL databases that is exiting the customer's network. Outbound scanning may be indicative of an infection and an attacker using a compromised
- [mysql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_internal_internal.md): Explanation This NDM is designed to detect MySQL database scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that
- [neo4j\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is hitting the customer’s network from the Internet. Neo4j is a graph database. What to Look For Scanning activity on the
- [neo4j\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is exiting the customer's network. Neo4j is a graph database. Outbound scanning for Neo4j may be indicative of an infecti
- [neo4j\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Neo4j servers listening on port 7474 inside the customer's network. Neo4j is a graph database. What to Look For Unauthorized scanning activity l
- [nmapfingerprint](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/nmapfingerprint.md): Explanation The nmapfingerprint NDM detects the presence of the NMAP fingerprint on the network. What to Look For To examine the results of the nmapfingerprint NDM Event, look for NMAP fingerprinting
- [ping\_scan\_ext-int](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_ext-int.md): Explanation The ping\_scan\_ext-int event monitors for external to internal ping scans on the network. It detects when an external entity is trying to map out the internal infrastructure by pinging vari
- [ping\_scan\_int-ext](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_int-ext.md): Explanation ping\_scan\_int-ext is a security event in the Netography Fusion Portal that looks for Internal to External Ping Scans. What to Look For If ping\_scan\_int-ext is triggered, it means that an i
- [ping\_scan\_int-int](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_int-int.md): Explanation The ping\_scan\_int-int is a security event that detects Internal to Internal Ping Scans on a network. What to Look For To examine the results of the ping\_scan\_int-int event, you should look
- [pop3\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_external_internal.md): Explanation This NDM is designed to detect scanning for POP3 that is hitting the customer’s network from the Internet. POP3 is an internet standard protocol for email retrieval. What to Look For Scann
- [pop3\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_internal_external.md): Explanation This NDM is designed to detect scanning for POP3 that is exiting the customer's network. POP3 is an internet standard protocol for email retrieval. Outbound POP3 scanning may be indicative
- [pop3\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for POP3 inside the customer's network. POP3 is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l
- [port\_1433\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_1433_scanning_internal.md): Explanation This NDM is triggered when there is an internal scanning activity on port 1433. This port is commonly associated with Microsoft's SQL server and is often targeted by attackers looking for
- [port\_1433\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_1433_scanning_outbound.md): Explanation This NDM detects outbound traffic indicating scanning for open port 1433. This port is commonly used for Microsoft SQL Server and if left open can allow unauthorized access to sensitive da
- [port\_445\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_445_scanning_internal.md): Explanation The port\_445\_scanning\_internal event is triggered when a source IP is scanning internal networks for port 445, which is commonly used by Windows for file and printer sharing. This type of
- [port\_445\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_445_scanning_outbound.md): Explanation The port\_445\_scanning\_outbound NDM is designed to detect scanning for SMB that is exiting the customer's network. What to Look For To examine the results of the port\_445\_scanning\_outbound
- [port\_62078\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_62078_scanning_outbound.md): Explanation This NDM detects scanning for open port 62078 outbound on the network. What to Look For To remediate or examine the problem, customers should look for any traffic attempting to scan outbou
- [port\_8443\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_8443_scanning_internal.md): Explanation This NDM was created by the Netography Threat Research team to detect unauthorized scanning activities on port 8443 inside the network. What to Look For When reviewing the results of this
- [port\_8443\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_8443_scanning_outbound.md): Explanation The port\_8443\_scanning\_outbound NDM detects outbound scans on port 8443 from the customer’s network. What to Look For To examine the results of the port\_8443\_scanning\_outbound NDM, check t
- [portscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/portscan.md): Explanation Port scanning is a common technique used by attackers to identify vulnerabilities in a network. What to Look For When analyzing the results of this NDM event, look for unusual traffic patt
- [psql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo
- [psql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases that is exiting the customer's network. Outbound PostgreSQL scanning may be indicative of an infection and an attacker usin
- [psql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic
- [qualys\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/qualys_scanning.md): Explanation The qualys\_scanning NDM monitors your network for Qualys scanning activity. It identifies when Qualys attempts to scan a target host or network to determine the vulnerabilities present on
- [rdp\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_inside_to_outside.md): Explanation The rdp\_scanning\_inside\_to\_outside NDM is designed to detect any Microsoft Remote Desktop Protocol (RDP) scanning that originates from inside a network and moves to outside the network. Wh
- [rdp\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_internal.md): Explanation The rdp\_scanning\_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time
- [rdp\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_outside_to_inside.md): Explanation This NDM was created by the Netography Threat Research team to detect Microsoft RDP scanning. It triggers when an external IP address attempts to scan the network for open RDP ports in an
- [redis\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_external_internal.md): Explanation This NDM is designed to detect Redis scanning that is hitting the customer’s network from the Internet. Redis is a memory based key/value store that is often used to support web services.
- [redis\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_internal_external.md): Explanation This NDM is designed to detect Redis scanning that is exiting the customer's network. Redis is a memory based key/value store that is often used to support web services. Outbound Redis sca
- [redis\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_internal_internal.md): Explanation This NDM is designed to detect Redis scanning inside the customer's network. Redis is a memory based key/value store that is often used to support web services. What to Look For Unauthoriz
- [rockwellics\_tcp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is hitting the customer's network from the internet. Rockwell Automation provides program
- [rockwellics\_tcp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is exiting the customer's network. Rockwell Automation provides programmable controllers
- [rockwellics\_tcp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 inside a customer's network. Rockwell Automation provides programmable controllers for industr
- [rockwellics\_udp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is hitting the customer's network from the Internet. Rockwell Automation provides programm
- [rockwellics\_udp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is exiting the customer's network. Rockwell Automation provides programmable controllers f
- [rockwellics\_udp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 inside the customer's network. Rockwell Automation provides programmable controllers for indust
- [rstscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rstscan.md): Explanation rstscan is a detection model that identifies RST scanning activity on the network. RST scanning is a technique used by attackers to probe for open ports on a target system. This activity i
- [scanner\_rwth\_aachen\_univ](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/scanner_rwth_aachen_univ.md): Explanation The scanner\_rwth\_aachen\_univ NDM is designed to detect unauthorized access attempts to the research scanning systems at RWTH Aachen University. The NDM creates an alert when an attempt is
- [shadowserver\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/shadowserver_scanning.md): Explanation The shadowserver\_scanning NDM is designed to detect when Shadowserver.org is scanning the network. This type of scanning is often associated with malicious activity and may indicate an att
- [shodan\_scanners](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/shodan_scanners.md): Explanation The shodan\_scanners NDM is designed to detect instances of Shodan scanning your network. What to Look For To examine the results of the shodan\_scanners event, look for unusual network traf
- [smartinst\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_external_internal.md): Explanation This NDM is designed to detect Cisco SmartInstall scanning that is hitting the customer’s network from the Internet. Cisco SmartInstall is a configuration and image-management feature for
- [smartinst\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Cisco SmartInstall that is exiting the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. Outb
- [smartinst\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_internal_internal.md): Explanation This NDM is designed to detect Cisco SmartInstall scanning inside the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. What to Look For
- [ssh\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ssh_scan_internal_external.md): Explanation This NDM is designed to detect scanning for SSH that is exiting the customer's network. Outbound SSH scanning may be indicative of an infection and an attacker using a compromised machine
- [ssh\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ssh_scan_internal_internal.md): Explanation This NDM is designed to detect SSH scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that your netwo
- [synscan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_external_internal.md): Explanation The synscan\_external\_internal NDM looks for SYN scanning, an indication that an attacker is attempting to map out a network by sending multiple SYN requests to various endpoints to determi
- [synscan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_internal_external.md): Explanation The synscan\_internal\_external NDM detects SYN scanning activity exiting the network. This event is triggered when an internal IP is found to be scanning external IPs via multiple SYN packe
- [synscan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_internal_internal.md): Explanation The synscan\_internal\_internal NDM is designed to detect SYN scanning on internal networks. This NDM monitors for excessive SYN packets that can indicate malicious activity and flags any su
- [teamviewer\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_inside_to_outside.md): Explanation This Netography Detection Model is designed to catch scans looking for instances of TeamViewer from a source inside your network to the outside. What to Look For When examining the results
- [teamviewer\_out\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_out_to_inside.md): Explanation The teamviewer\_out\_to\_inside NDM is designed to detect TeamViewer scanning that is hitting the customer’s network from the Internet. TeamViewer is a remote access software application that
- [teamviewer\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_scanning_internal.md): Explanation The teamviewer\_scanning\_internal NDM is designed to detect any unauthorized scans on your internal network looking for the TeamViewer software. What to Look For To identify teamviewer\_scan
- [veeam\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_external_internal.md): Explanation This NDM is designed to detect Veeam Backup scanning that is hitting the customer’s network from the Internet. Veeam Backup is a network backup application. What to Look For Scanning activ
- [veeam\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Veeam Backup systems that is exiting the customer's network. Veeam Backup is a network backup application. Outbound Veeam Backup scanning may be
- [veeam\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_internal_internal.md): Explanation This NDM is designed to detect Veeam Backup scanning inside the customer's network. Veeam Backup is a network backup application. What to Look For Unauthorized scanning activity launched i
- [vnc\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_inside_to_outside.md): Explanation The vnc\_scanning\_inside\_to\_outside Netography detection model (NDM) is designed to identify any internal VNC scanning activity targeting external destination hosts. It works by monitoring
- [vnc\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_internal.md): Explanation The vnc\_scanning\_internal Netography detection model (NDM) is designed to identify any internal VNC scanning activity taking place within a network. It works by monitoring traffic on the n
- [vnc\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_outside_to_inside.md): Explanation The vnc\_scanning\_outside\_to\_inside NDM is designed to detect VNC scanning activity on a network. This activity can occur when an attacker attempts to move from an outside network to an ins
- [weblogic\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_external_internal.md): Explanation This NDM is designed to detect Weblogic scanning that is hitting the customer’s network from the Internet. Weblogic is an enterprise application server. What to Look For Scanning activity
- [weblogic\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_internal_external.md): Explanation This NDM is designed to detect Weblogic scanning that is exiting the customer's network. Weblogic is an enterprise application server. Outbound Weblogic scanning may be indicative of an in
- [weblogic\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_internal_internal.md): Explanation This NDM is designed to detect Weblogic scanning inside the customer's network. Weblogic is an enterprise application server. What to Look For Unauthorized scanning activity launched insid
- [xmastree](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/xmastree.md): Explanation The xmastree NDM monitors network traffic for flows with XMAS Tree packets (FIN, PSH, and URG) which are typically associated with attackers attempting to evade detection or compromise the
- [System](https://docs.fusion.vectra.ai/detection-models/library/system.md): System detections within Netography Fusion's Netography Detection Models (NDMs) identify conditions that relate to the overall health of Netography system and flow collection. System detections help n
- [clocksync](https://docs.fusion.vectra.ai/detection-models/library/system/clocksync.md): Explanation The clocksync NDM is a system NDM designed to detect situations where a flow source is sending flows to Netography with timestamps that are out of sync with Netography’s clock. Bad timesta
- [flowrate](https://docs.fusion.vectra.ai/detection-models/library/system/flowrate.md): Explanation The flowrate NDM is an opt-in system NDM designed to fire if the rate of flows received by Netography from a particular flow source exceeds a certain threshold within an hour. What to Look
- [noflow](https://docs.fusion.vectra.ai/detection-models/library/system/noflow.md): Explanation The noflow NDM is a system NDM that fires when no flow is being received by Netography from a configured flow source. What to Look For This condition most likely means that the device that
- [Threat Intelligence](https://docs.fusion.vectra.ai/detection-models/threat-intelligence.md): Summary As flows are ingested into the system, lookups are done on both source IP and destination IP so that their reputation is determined at the time the flow happened. Every flow record contains an
- [Detection Categories](https://docs.fusion.vectra.ai/detection-models/detection-categories-1.md): Detection categories are similar to flow tags. They are used to group or ‘categorize’ detection models, after which rules - based on categories - can be crafted. System The system categories are based

