# Vectra Fusion

## Docs

- [Welcome to Vectra Fusion](https://docs.fusion.vectra.ai/readme.md): Start here to log in, onboard data, and navigate Vectra Fusion.
- [Fusion Onboarding for Cloud Engineers](https://docs.fusion.vectra.ai/cloud-onboarding/fusion-onboarding-for-cloud-engineers.md): A guide to Vectra Fusion for cloud engineers who have been asked by the security team to assist with onboarding.
- [AWS Cloud Onboarding](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding.md)
- [AWS Custom IAC Onboarding for Cloud Automation Engineers](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/aws-configuration-automation-for-multiple-vpcs.md): AWS onboarding details for cloud automation engineers using Vectra Fusion.
- [AWS VPC CloudFormation Stack Automation](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/netography-aws-cloudformation-automation.md): Use CloudFormation to onboard AWS VPC resources into Vectra Fusion.
- [Vectra Terraform / CloudFormation StackSet Cloud Onboarding Automation for AWS Organizations](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/neto-onboarding-aws.md)
- [Quickstart: AWS](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws.md): Getting started with Amazon AWS
- [Video Guides](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/video-guides-1.md): Below is a video series based on the steps in the Quickstart: AWS guide for Flow Log Ingestion, Context Enrichment, and DNS Ingestion. These videos augment the written guides but can't replace them
- [Create S3 bucket](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-s3-bucket.md): Navigate to S3 in the AWS console Create a bucket. Note: You'll want to create the S3 bucket in same region as your VPC. Give your bucket a name. Leave all settings as default, or follow the policies
- [Create the SNS topic](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-the-sns-topic.md): Navigate to SNS in the AWS console Create a topic Leave all settings as default and click Create Topic Save the SNS topic ARN in a text file. This will come in handy later.
- [Create the SQS queue](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-the-sqs-queue.md): Navigate to SQS in the AWS console Create a queue Give the queue a name Under Configuration , Set Message retention to 1 day Under Access policy , click Advanced . Delete the default JSON in the Advan
- [Subscribe to Amazon SNS topic](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/subscribe-to-amazon-sns-topic.md): After you've completed the previous step of creating the SQS queue, you'll find the Subscribe to Amazon SNS topic button on the lower half of the Amazon SQS page. Click Subscribe to Amazon SNS topic S
- [Create IAM policy](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-iam-policy.md): Navigate to IAM in the AWS console Under Access management in the sidebar menu click Policies Click Create policy Select the JSON tab and delete the default text. Copy and paste in the JSON below. Rep
- [Create custom role](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-custom-role.md): On the IAM page under Access management in the sidebar menu click Roles Click Create role Select AWS account You're going to need Vectra's Account ID and the custom External ID created in your Fus
- [Create an event notification](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/create-an-event-notification.md): Navigate to S3 in the AWS console Click on your S3 bucket created in a previous step Click the Properties tab Scroll down to event notifications and click Create event notification Give this event a n
- [Enable VPC flow logs](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/enable-vpc-flow-logs-1.md): Navigate to VPC in the AWS console Under Resources by Region Select VPCs The next step will use the CloudShell, where you'll copy and paste a CLI command to more efficiently and accurately enable work
- [Add AWS as a new traffic source in Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/add-aws-as-a-new-flow-source-in-fusion.md): Add AWS as a traffic source in Vectra Fusion.
- [Add context integration to Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/add-context-integration-to-fusion.md): Context permissions were already granted via the Custom role created in a previous step. This document is all that is needed to enable context enrichment for AWS in Vectra Fusion. Navigate to Setti
- [Enable DNS query logging in AWS](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/enable-dns-query-logging-in-aws.md): 📘 It is recommended to create a new S3 bucket to be used only for DNS query log storage See our Create S3 bucket steps. Navigate to Route53 in the AWS console Under Resolver in the sidebar, click Que
- [Add DNS as a traffic source in Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/aws-cloud-onboarding/quickstart-aws/add-dns-as-a-traffic-source-in-fusion.md): Navigate to Settings -> Traffic Sources -> Add Traffic Source Under DNS select AWS S3 VPC Fill out the AWS S3 VPC Traffic Source form: VPC ID: The VPC ID you enabled query logs for Account ID: Y
- [Azure Cloud Onboarding](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding.md)
- [Vectra Terraform Cloud Onboarding for Azure Tenants](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/neto-onboarding-azure.md)
- [Quickstart: Azure](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure.md): Getting started with Microsoft Azure
- [Set working subscription](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/set-working-subscription.md): Access Azure Cloud Shell to run CLI commands from your web browser using az. List our Subscription IDs. az account list --output table Name CloudName SubscriptionId TenantId State IsDefault ----------
- [Register Microsoft Insights Provider](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/register-microsoft-insights-provider.md): Access Azure Cloud Shell to run CLI commands from your web browser using az. Check if Microsoft.Insights is not yet registered. az provider show --namespace Microsoft.Insights --query "registrationSta
- [Create a storage account](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/create-a-storage-account.md): Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a Storage account in the same region as your Virtual Network . List your Virtual Networks , their Resource groups ,
- [Create a flow log](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/create-a-flow-log.md): Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a Flow Log to be read by Vectra Fusion. az network watcher flow-log create \\\ --location \\$REGION> \\\ --name <
- [Add Azure VNet as a new flow source in Vectra Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/add-azure-vnet-as-a-new-flow-source-in-netography-fusion.md): In Vectra Fusion navigate to Settings -> Traffic Sources -> Add Traffic Source Select Azure VNet Fill out the Azure traffic source flow form: Name: This will be the Name of your configuration in
- [Add Context Integration to Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/azure-cloud-onboarding/quickstart-azure/add-context-integration.md): Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a new App Registration with 'accounts in this organizational directory only' preselected. You can use any Display Na
- [GCP Cloud Onboarding](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding.md)
- [Vectra Terraform Cloud Onboarding for GCP Organizations](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/neto-onboarding-gcp.md)
- [Quickstart: GCP](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp.md): Getting started with GCP
- [Diagram: GCP Integration to Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/diagram-gcp.md)
- [Video Guides](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/video-guides.md): Below is a video series based on steps in the Quickstart: GCP for Flow Log Ingestion, Context Enrichment, and DNS Ingestion. These videos are meant to augment the written guides but can't replace t
- [Enable VPC Flow Logs (Network Management API)](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/enable-network-management-api-flow-logs.md): The Network Management API lets you configure VPC Flow Logs for organizations, Virtual Private Cloud (VPC) networks, subnets, VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels. 📘 Before
- [Create a Pub/Sub topic](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/create-a-pubsub-topic.md): Create a Cloud Pub/Sub topic 📘 Onboarding multiple projects at an organization or folder level: You can create a single topic in a designated project that you will use for centralized logging resourc
- [Logging sink design patterns](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/logging-sink-design-patterns.md): 📘 Choosing the right design pattern for GCP logging sinks: There is no single design for GCP logging sinks that is right for all organizations. Reach out to Vectra Support if you would like further
- [Create a Logging Sink Pub/Sub for the topic](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/create-a-logging-sink-pubsub-for-the-topic.md): Create a Cloud Logging Sink Pub/Sub Go to the Log Router page in the Google Cloud console. Select the project to create the sink in. If you are using an aggregated sink, you will want to select a fold
- [Create a Pub/Sub pull subscription](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/create-a-pubsub-pull-subscription.md): Create a Pub/Sub Pull Subscription to a topic Go to the Topics page in the Google Cloud console. Click ⋮ next to the topic you created in a previous step and select Create Subscription . Fill out the
- [GCP service account permissions](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/gcp-service-account-permissions.md): Prepare GCP so Vectra can be added as a Pub/Sub principal.
- [Add Vectra as a principal](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/add-netography-as-a-principal.md): Add Vectra's GCP service account as a principal to the Pub/Sub subscription Go to the Subscriptions page in the Google Cloud console. Select the subscription you created in the previous step to brin
- [Add GCP as a new flow source in Vectra Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/add-gcp-as-a-new-flow-source-in-netography-fusion.md): Add a new GCP flow source to Fusion In the Fusion portal, click the ⚙️ -> Settings -> Traffic Sources -> Add Traffic Source -> Flow GCP Add the GCP Project ID containing the Pub/Sub subscr
- [Add context integration to Fusion](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/context-integration.md): 📘 You need a GCP service account to setup a context integration.: Follow the initial steps below to create one. 1. Create a GCP service account Go to the Service Accounts page Click Create Service Ac
- [Adding DNS as a Traffic Source](https://docs.fusion.vectra.ai/cloud-onboarding/gcp-cloud-onboarding/quickstart-gcp/adding-dns-as-a-traffic-source.md): Enable DNS logging Before you can start, you need to use DNS policies to enable logging for your networks. When you enable query logging, every DNS query to a Cloud DNS private managed zone is logged,
- [IBM Cloud Onboarding](https://docs.fusion.vectra.ai/cloud-onboarding/ibm-cloud-onboarding.md)
- [OCI Cloud Onboarding](https://docs.fusion.vectra.ai/cloud-onboarding/oci-cloud-onboarding.md)
- [Ingest Flow Logs](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs.md): Configure network flow logs to be ingested by Fusion by following the instructions below. If this is your first time configuring Fusion, the Quick Start Guides for AWS, Azure, & GCP are the best p
- [Azure Virtual network (VNet) Flow Log Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/azure-vnet-flow-log-configuration.md): Vectra Fusion ingests Virtual network (VNet) flow logs from Azure via an Azure Storage account. The steps to integrate with Azure are: Register Microsoft Insights provider (in each Azure subscription
- [Azure NSG Flow Logs Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/azure-network-security-group-flow-logs-azure-console-setup-method.md): Microsoft Azure Console method
- [Azure NSG Setup (Resource Manager method)](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/azure-network-security-group-flow-logs-azure-resource-manager-setup-method.md): This document provides instructions for configuring the collection of Azure NSG Flow Logs. There are three methods shown. The first being in the Azure Portal, second Azure CLI, and third Azure Resourc
- [AWS VPC via S3 Setup (CloudFormation method)](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-s3-aws-cloudformation-setup-method-recommended.md): This document provides instructions for configuring the collection of AWS VPC Flow Logs with an S3 bucket and configure log notification with SNS and SQS using AWS CloudFormation. 🚧 It is recommended
- [AWS VPC via S3 Setup (AWS Console method)](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-s3-aws-console-setup-method.md): This document provides instructions for configuring the collection of AWS VPC Flow Logs with an S3 bucket and configure log notification with SNS and SQS using the AWS Console. 🚧 It is recommended th
- [AWS Transit Gateway Flow Logs via S3](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/aws-transit-gateway-flow-logs.md): This document provides instructions for configuring the collection of AWS Transit Gateway Flow Logs with an S3 bucket and configure log notification with SNS and SQS using the AWS Console. 🚧 It is re
- [AWS VPC via Kinesis Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-kinesis.md): This document provides instructions for configuring the collection of AWS VPC Flow Logs with AWS Kinesis. Limitations/Notes This is for provisioning(create/delete) only. Edits must be done manually bu
- [GCP VPC Flow Logs via Pub/Sub Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/gcp-flow-logs-via-pubsub.md): Vectra Fusion ingests VPC flow logs from Google Cloud Platform (GCP) via a GCP Pub/Sub subscription. The steps to integrate with GCP are: Enable VPC flow logs Create a Pub/Sub topic Create a Cloud
- [IBM Cloud VPC Flow Logs via Cloud Object Storage Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/ibm-cloud-flow-logs-via-cloud-object-storage.md): This document provides instructions for configuring the collection of IBM Cloud VPC Flow Logs with IBM Cloud Object Storage. Note: VPC Flow Logs are only available on VPC Infrastructure Gen 2 Console S
- [Oracle Cloud VCN Flow Logs via Cloud Object Storage Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/flow-logs/oracle-cloud-infrastructure-flow-logs-via-cloud-object-storage.md): Console Steps Create User Group Using the search bar type "identity" and click "Groups" under Services to be brought to the configuration page. Click "Create Group" Fill in the name and description. Y
- [Ingest DNS Logs](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs.md): See DNS in Fusion for more information about how to use DNS resolver logs in Fusion. If you are setting up AWS or GCP for the first time, the Quick Start Guides for AWS and GCP have end-to-end steps f
- [Use DNS in Fusion](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs/dns-in-fusion-copy.md): Recursive DNS request and response logs are a valuable data source for network forensics. Fusion supports DNS log ingestion from Amazon Web Services (AWS) Route 53 and Google Cloud Platform (GCP) . Su
- [AWS Route 53 DNS Logs via S3 Setup (Console)](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs/dns-source-aws.md): If you have already configured your AWS account to ingest VPC flow logs to Fusion using an S3 bucket and IAM role, the additional steps required to ingest DNS resolver query logs are: Configure Resolv
- [Cisco Umbrella DNS Logs via S3 Setup (Console)](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs/cisco-umbrella-dns-logs-via-s3-setup-console.md): If you have already configured your Cisco Umbrella DNS Logs to be stored in an AWS S3 bucket, these steps can have them ingested into Fusion: Enable Cisco Umbrella DNS Log Export to S3: Configure Cisco Um
- [GCP Cloud DNS Logs via Pub/Sub Setup](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs/dns-source-gcp.md): Vectra Fusion ingests Google Cloud Platform (GCP) Cloud DNS logs via a GCP Pub/Sub subscription. The steps to integrate with GCP are: Prerequisite: If you have a Domain Restricted Sharing Organiza
- [Infoblox NIOS DNS Logs via NetoDNS syslog](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/dns-logs/infoblox-nios-dns-logs-via-netodns-syslog.md)
- [Ingest NetFlow & sFlow](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/netflow-sflow.md): Vectra Fusion collects NetFlow, sFlow, and IPFIX from network devices.
- [Ingest NetFlow/sFlow from network devices via direct UDP](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/netflow-sflow/ingesting-netflow-direct.md): Send NetFlow or sFlow directly to your Vectra Fusion ingest IP and port.
- [Ingest NetFlow/sFlow via the NetoFlow Connector](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/netflow-sflow/traffic-source-netoflow.md): Add NetFlow or sFlow to Vectra Fusion through the NetoFlow Connector.
- [NetFlow and sFlow](https://docs.fusion.vectra.ai/ingest-network-traffic-logs/netflow-sflow/netflow-and-sflow.md): NetFlow About NetFlow NetFlow is a telemetry protocol that allows for the collection of IP statistics on interfaces where it is enabled. A "flow" is a unidirectional data set. That is to say, it's one
- [Configure Context Integrations](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations.md): Context integrations add third-party asset context to Vectra Fusion.
- [AWS](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/aws.md): Enrich asset context with asset information from AWS
- [Axonius](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/axonius-context.md): The Axonius integration adds enriched asset context to Vectra Fusion.
- [Azure](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/azure.md): Enrich asset context with asset information from Azure
- [Claroty](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/claroty-context.md): The Claroty integration adds enriched asset context to Vectra Fusion.
- [CrowdStrike Falcon Discover](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/crowdstrike-falcon-discover.md): Configure CrowdStrike Falcon Discover for the Vectra context integration.
- [CrowdStrike Falcon Protect](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/crowdstrike-falcon-protect.md): Configure CrowdStrike Falcon Protect for the Vectra context integration.
- [CSV via S3](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/csv-via-s3.md): The CSV via S3 context Integration method allows you to import Context Labels from a CSV format file stored in an AWS S3 storage bucket. This integration can be set to run manually or to auto-update a
- [Device42](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/device42-context.md): The Device42 integration adds enriched asset context to Vectra Fusion.
- [GCP](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/gcp.md): Configure GCP for the Vectra context integration.
- [IBM Cloud](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/ibm.md): Configure IBM Cloud for the Vectra context integration.
- [Microsoft Defender](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/microsoft-defender-context.md): Supported Products Microsoft Defender For Endpoint Microsoft Defender XDR ⚖️ Choosing which context integration to use: Both Microsoft Defender context integrations can be used to provide enriched ass
- [Oracle Cloud Infrastructure](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/oracle-cloud.md): This document provides instructions for configuring Oracle Cloud Infrastructure (OCI) in order for the Vectra Context Integration to have the correct access to pull label contexts. Prerequisites B
- [RunZero](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/runzero-context.md): The RunZero integration adds enriched asset context to Vectra Fusion.
- [SentinelOne](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/sentinelone.md): This document provides instructions for configuring SentinelOne in order for the Vectra Context Integration to have the correct access to pull label contexts. Prerequisites Configure API token Bef
- [Tanium](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/tanium-context.md): The Tanium integration adds enriched asset context to Vectra Fusion.
- [Tenable](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/tenable-context.md): The Tenable integration adds enriched asset context to Vectra Fusion.
- [Wiz](https://docs.fusion.vectra.ai/enrich-traffic-with-context/configure-context-integrations/wiz.md): Wiz context integration for Vectra Fusion.
- [Understand Context Labels](https://docs.fusion.vectra.ai/enrich-traffic-with-context/labels.md): About Context Labels Context labels are strings that are associated with an IP address in Fusion to help provide context about network activity. Context labels can be used for: Visually differentiatin
- [Automating Response in Fusion](https://docs.fusion.vectra.ai/automate-responses/response.md): Fusion allows you to create a set of automated responses to events. A response can be a notification sent to a third-party system or a blocking action provided by a third-party system. To automate a r
- [Configuring Response Integrations](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations.md): Configure response integrations in Vectra Fusion.
- [AWS Route 53 (Response Integration)](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/route-53.md): DNS Type Response Integration
- [Big Panda](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/big-panda.md): Configure the BigPanda response integration in Vectra Fusion.
- [BGP](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/bgp.md): Traffic Type Response Integration
- [Blocklist](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/blocklist.md): Block Type Response Integration
- [CrowdStrike](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/crowdstrike.md): Block Type Response Integration
- [Email](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/email.md): Notification Type Response Integration
- [Flowspec](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/flowspec-1.md): Block Type Response Integration
- [Flowspec (Custom)](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/flowspec-traffic.md): Traffic Type Response Integration
- [Microsoft Teams](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/microsoft-teams.md): Notification Type Response Integration
- [NS1](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/ns1.md): DNS Type Response Integration
- [Pagerduty](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/pagerduty.md): Notification Type Response Integration
- [Panther](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/panther.md): Prerequisites Before configuring in the Fusion portal, the HTTP source webhook and shared secret authentication method must be set up in Panther. For more details, follow the HTTP log source setup inst
- [Slack](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/slack.md): Notification Type Response Integration
- [Splunk](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/splunk.md): Send Fusion events to Splunk for alerting, monitoring, and analysis.
- [Sumo Logic](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/sumo-logic.md): Send Fusion events to Sumo Logic for syslog-based monitoring and analytics.
- [Twilio](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/twilio.md): Notification Type Response Integration
- [RTBH](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/rtbh.md): Block Type Response Integration
- [Webhook](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/webhook.md): Notification Type Response Integration
- [Syslog](https://docs.fusion.vectra.ai/automate-responses/configuring-response-integrations/syslog.md): Usage By integrating Syslog, users can consolidate logs from various devices or applications within their network into a centralized repository. This centralized logging enhances security, compliance,
- [Configuring Response Policies](https://docs.fusion.vectra.ai/automate-responses/response-policies.md): Response Policies allow you to define automated actions in response to events generated by Detection Models. By creating and configuring these policies, teams can streamline their incident response pr
- [Response Integration Blocks Dashboard](https://docs.fusion.vectra.ai/automate-responses/traffic-manager.md): The Response Integration Blocks dashboard is a system dashboard available in the All section of the Dashboards page. If you use a block-type response integration to restrict traffic based on events in
- [Detection Models Overview](https://docs.fusion.vectra.ai/detection-models/overview.md): Detection Models identify threats and unwanted traffic. They use the Network Query Language (NQL) in Vectra Fusion to analyze traffic and trigger events.
- [Detection Model Configuration](https://docs.fusion.vectra.ai/detection-models/detection-trackby-thresholds.md): ✋ Writing your own detection model? We are here to help.: Chat with Vectra's Detection Engineers in the #fusion-detections channel in Vectra's Discord community, or send your question to Supp
- [Detection Model Quick Reference Guide](https://docs.fusion.vectra.ai/detection-models/detection-model-quick.md): Field Description Example General General configuration Name Unique name netbiosreflect Description Text description Netbios reflection attack Categories Detection categories t1498 Traffic Type Traffi
- [Adding a Detection Model](https://docs.fusion.vectra.ai/detection-models/add-detection-models.md): Detection Models monitor network traffic and generate events when specific conditions are met. Context Creation Models assign context labels to IPs that match certain conditions. Each configuration wi
- [Auto Thresholding](https://docs.fusion.vectra.ai/detection-models/detection-auto-thresholding.md): ✋ Writing your own detection model? We are here to help.: For help using auto thresholding, or any detection model questions, chat with Vectra's Detection Engineers in the #fusion-detections chan
- [Detection Model Library](https://docs.fusion.vectra.ai/detection-models/library.md): Detection Categories Categorizing Fusion detections (aka NDMs) helps you understand the type of event encountered by Fusion. Attack Attack detections within Netography Fusion's Netography Detection Mo
- [Attack](https://docs.fusion.vectra.ai/detection-models/library/attack.md): Attack detections within Vectra Fusion's Vectra Detection Models (NDMs) are designed to identify and alert network administrators to attempts to break into their networks remotely. These detections l
- [external\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/external_tcp_4444.md): Explanation The external\_tcp\_4444 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 4444. Metasploit uses port 4444 by default for shell
- [interactive\_login\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/attack/interactive_login_bad_rep.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects traffic inbound to an Internet facing SSH or RDP endpoint from a source IP address with a bad reputation. W
- [interactive\_login\_itar](https://docs.fusion.vectra.ai/detection-models/library/attack/interactive_login_itar.md): Explanation The NDM analyzes network traffic to detect interactive login connections to SSH or RDP from IP addresses originating in countries listed under US Code 22 CFR § 126.1 “Prohibited exports, i
- [internal\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/internal_tcp_4444.md): Explanation The internal\_tcp\_4444 NDM flags connections on TCP port 4444 inside your network. Metasploit uses port 4444 by default for shell listeners that are set up after exploitation, so the use of
- [long\_inbound\_https\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/attack/long_inbound_https_bad_rep.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet facing HTTPS endpoint from a source IP address with a bad reputation, with s
- [outbound\_tcp\_4444](https://docs.fusion.vectra.ai/detection-models/library/attack/outbound_tcp_4444.md): Explanation The outbound\_tcp\_4444 NDM flags connections leaving the customer network to hosts listening on TCP port 4444. Metasploit uses port 4444 by default for shell listeners that are set up after
- [tor\_connection\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/attack/tor_connection_external_internal.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is n
- [Brute Force](https://docs.fusion.vectra.ai/detection-models/library/brute-force.md): Brute Force detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to activities associated with attempts at guessing userna
- [dcerpc\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [dcerpc\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [dcerpc\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/dcerpc_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC
- [ftp\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [ftp\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [ftp\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/ftp_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo
- [imap\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [imap\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [imap\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/imap_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T
- [kerberos\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/kerberos_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed login attempts using the Kerberos service originating from a single internal host. This activ
- [kerberos\_user\_enumeration](https://docs.fusion.vectra.ai/detection-models/library/brute-force/kerberos_user_enumeration.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed pre-authentication attempts using the Kerberos service originating from a single internal hos
- [mongodb\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity from the Internet t
- [mongodb\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity emanating from your
- [mongodb\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mongodb_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity between hosts insid
- [mssql\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity from the In
- [mssql\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MSSQL server. This event specifically looks for activity emanating fr
- [mssql\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mssql_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity between hos
- [mysql\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity from the I
- [mysql\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity emanating
- [mysql\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/mysql_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity between ho
- [pop3\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [pop3\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [pop3\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/pop3_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This
- [postgres\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity from
- [postgres\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity emana
- [postgres\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/postgres_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity betwe
- [rdpbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [rdpbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [rdpbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/rdpbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks
- [redis\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity from the Internet tow
- [redis\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity emanating from your n
- [redis\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/redis_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity between hosts inside
- [smb\_brute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [smb\_brute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [smb\_brute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/smb_brute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as
- [sshbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [sshbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [sshbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/sshbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall
- [winrmbrute\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [winrmbrute\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [winrmbrute\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/brute-force/winrmbrute_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac
- [Denial of Service](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service.md): Denial of Service (DoS) attacks are a significant security risk where threat actors aim to make a network, service, or server unavailable by flooding it with excessive traffic, leading to potential op
- [ackflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ackflood.md): Explanation The ackflood event is a detection for ACK Flood, a type of DDoS attack where the attacker floods the target with a high volume of ACK packets. This event is triggered when there is a signi
- [chargenreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/chargenreflect.md): Explanation This security event in the Netography Fusion Portal is designed to detect Chargen reflection attacks. Chargen, short for Character Generator Protocol, is a legacy protocol that can be used
- [cldapreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/cldapreflect.md): Explanation CLDAP (Connection-less Lightweight Directory Access Protocol) reflection attacks involve amplifying small requests into larger responses through open servers that have UDP port 389 open. A
- [codreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/codreflection.md): Explanation This event is designed to detect CoD (Call of Duty) reflection attacks that can cause a significant disruption to your network. CoD reflection attacks occur when an attacker sends a packet
- [dns\_amplification\_participation](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dns_amplification_participation.md): Explanation The dns\_amplification\_participation event in the Netography Fusion Portal helps to find potential participants in DNS amplification attacks. DNS amplification attacks exploit the vulnerabi
- [dnsattack](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dnsattack.md): Explanation The dnsattack security event in the Netography Fusion Portal is designed to detect DNS flood attacks in your network. DNS flood happens when an attacker floods a DNS server with queries, m
- [dnsreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/dnsreflection.md): Explanation The dnsreflection event is a detection within the Netography Fusion Portal that detects DNS reflection attacks. These types of attacks use DNS servers to amplify the size of the incoming tra
- [fin\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/fin_flood.md): Explanation Fin Flood is a type of Denial-of-Service (DoS) attack that targets an open connection by bombarding it with numerous TCP packets with the "FIN" flag set. This excessive amount of packets o
- [icmpflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/icmpflood.md): Explanation icmpflood is a type of DDoS attack that sends a large number of ICMP packets to a target network, which can result in network congestion, packet loss, and service disruption. The Netograph
- [memcachereflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/memcachereflection.md): Explanation Memcached is an open source distributed memory caching system that is commonly used by web servers to speed up dynamic database-driven websites. Reflection attacks involve sending a reques
- [mssqlreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/mssqlreflection.md): Explanation This event is triggered when the Netography Fusion Portal detects an MSSQL reflection attack. MSSQL reflection attacks are SQL injection attacks that target Microsoft SQL servers running o
- [netbiosreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/netbiosreflect.md): Explanation The Netbios protocol is used by Microsoft operating systems for file sharing and printer sharing over a network. The reflection attack is when an attacker sends a falsified request to a ta
- [ntpreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ntpreflect.md): Explanation The ntpreflect event in Netography Fusion Portal looks for an NTP reflection attack. This is a type of DDoS attack in which an attacker sends a request to an NTP server and spoofs the sour
- [psh\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/psh_flood.md): Explanation psh\_flood is a security event in the Netography Fusion Portal that detects potential PSH floods. A Psh flood is when the TCP Push flag is set in the header of a packet, a flood of these ty
- [ripreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ripreflection.md): Explanation RIP reflection is a type of DDoS attack that exploits the Routing Information Protocol (RIP). The attacker sends malformed requests to a device that runs RIP, and the device responds with
- [rstflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/rstflood.md): Explanation The rstflood security event is triggered when the Netography Fusion Portal detects an abnormal frequency of Reset (RST) packets on the network, signaling a potential denial of service (DoS
- [slpreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/slpreflection.md): Explanation This security event in the Netography Fusion Portal is designed to detect SLP reflection attacks. SLP, short for Service Location Protocol, can be used by attackers to amplify DDoS attacks
- [snmpreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/snmpreflection.md): Explanation An SNMP reflection attack is a type of DDoS attack that exploits vulnerable SNMP servers to amplify and reflect attack traffic to targeted systems. What to Look For To examine the results
- [srcdsreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/srcdsreflection.md): Explanation SRCDS, or the Source Dedicated Server, is a tool used by video game developers for hosting and managing multiplayer games. However, if left unsecured, attackers can exploit the protocol an
- [ssdpreflect](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/ssdpreflect.md): Explanation The ssdpreflect event is triggered when a Simple Service Discovery Protocol (SSDP) reflection attack is detected. An attacker can use SSDP reflection to amplify the amount of traffic sent
- [sunrpcreflection](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/sunrpcreflection.md): Explanation The sunrpcreflection event in Netography Fusion Portal is designed to detect attacks against the SunRPC protocol used to manage network communication between servers and clients. Attackers
- [synflood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/synflood.md): Explanation The synflood security event in the Netography Fusion Portal is designed to detect SYN flood attacks on a network. A SYN flood is a type of DDoS attack where the attacker sends a large numb
- [tp240\_phone\_home\_reflection\_ddos](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/tp240_phone_home_reflection_ddos.md): Explanation This security event in the Netography Fusion Portal is designed to detect TP-240 reflection attacks. Voice-over-IP systems with TP-240 VoIP-processing interface cards can be used by attack
- [urg\_flood](https://docs.fusion.vectra.ai/detection-models/library/denial-of-service/urg_flood.md): Explanation The urg\_flood event is designed to detect potential Urg Flood attacks on a network. An Urg Flood is a type of Denial-of-Service (DoS) attack that uses the Urgent Pointer (URG) flag in the
- [Informational](https://docs.fusion.vectra.ai/detection-models/library/informational.md): Informational detections are a category within Vectra Fusion's Vectra Detection Models (NDMs) that provide valuable insights about unusual but not necessarily malicious network behavior. These detect
- [6in4tunnel](https://docs.fusion.vectra.ai/detection-models/library/informational/6in4tunnel.md): Explanation The 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets on the network. This technique, known as 6in4 tunneling, can be used for legitimat
- [alltcpflags](https://docs.fusion.vectra.ai/detection-models/library/informational/alltcpflags.md): Explanation The alltcpflags security event is designed to trigger when all the TCP flags are set in a network packet. This can indicate a malicious attempt to evade detection by avoiding detection sig
- [badprotocol](https://docs.fusion.vectra.ai/detection-models/library/informational/badprotocol.md): Explanation The badprotocol event is triggered when the Netography Fusion Portal identifies an invalid IP protocol being used on the network. IP packets encapsulate higher level protocols such as TCP
- [communication\_to\_itar\_countries](https://docs.fusion.vectra.ai/detection-models/library/informational/communication_to_itar_countries.md): Explanation This Netography Fusion Portal event is designed to identify any connections made to countries listed under US Code 22 CFR § 126.1 “Prohibited exports, imports, and sales to or from certain
- [ethoverip](https://docs.fusion.vectra.ai/detection-models/library/informational/ethoverip.md): Explanation The ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets on the network. This technique, known as ethernet tunneling, can be used for legitimate comm
- [ip\_options\_abuse](https://docs.fusion.vectra.ai/detection-models/library/informational/ip_options_abuse.md): Explanation This Netography Fusion Portal event looks for ICMP messages of type 12 (Parameter Problem). Routers will emit these messages when they receive a malformed packet that they cannot route. Th
- [ipmi](https://docs.fusion.vectra.ai/detection-models/library/informational/ipmi.md): Explanation This event looks for IPMI Attack on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke
- [ipmi](https://docs.fusion.vectra.ai/detection-models/library/informational/ipmi-1.md): Explanation This event looks for IPMI Attack on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke
- [largeicmp](https://docs.fusion.vectra.ai/detection-models/library/informational/largeicmp.md): Explanation This Netography event is triggered when an ICMP packet with a large payload is detected on the network. This type of attack is often used to flood a network with a high volume of traffic,
- [tcp\_dnstunneling](https://docs.fusion.vectra.ai/detection-models/library/informational/tcp_dnstunneling.md): Explanation This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. Thi
- [tcpfrag](https://docs.fusion.vectra.ai/detection-models/library/informational/tcpfrag.md): Explanation This event is designed to detect a TCP fragmentation flood on the network. TCP fragmentation occurs when a large data packet is divided into smaller packets for transmission across the net
- [tcpnull](https://docs.fusion.vectra.ai/detection-models/library/informational/tcpnull.md): Explanation The tcpnull event is designed to detect NULL TCP flows. NULL TCP flows are packets that have no flags set, and are often used by attackers to scan networks for potential vulnerabilities. T
- [udpfrag](https://docs.fusion.vectra.ai/detection-models/library/informational/udpfrag.md): Explanation This Netography Fusion Portal security event detects a UDP fragmentation flood, which occurs when an attacker generates a large number of fragmented UDP packets towards a target system wit
- [unusual\_protocol](https://docs.fusion.vectra.ai/detection-models/library/informational/unusual_protocol.md): Explanation The unusual\_protocol event is triggered when the Netography Fusion Portal identifies an uncommon IP protocol being used on the network. IP packets encapsulate higher level protocols such a
- [Misconfiguration](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration.md): Misconfiguration detections are a crucial aspect of Vectra Fusion's Vectra Detection Models (NDMs) that identify potential vulnerabilities caused by incorrect network setup or security configuration
- [9090\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/9090_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a server on your network listening on port 9090 that has received a connection from an external IP address. The NDM wo
- [cups\_browsed\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/cups_browsed_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS prin
- [dns\_query\_returned\_loopback](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/dns_query_returned_loopback.md): Explanation The dns\_query\_returned\_loopback NDM will fire when an external DNS query returns the loopback IP address (127.0.0.1). External DNS names should not resolve to internal resources. Names tha
- [external\_access\_of\_smb](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_access_of_smb.md): Explanation This security event is triggered by the Netography Fusion Portal when it detects non-customer network access to Windows Networking (Including DCE-RPC, Netbios, or SMB). What to Look For Ge
- [external\_kerberos\_access](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_kerberos_access.md): Explanation This security event is triggered by Netography Fusion Portal when it detects non-customer network access of Kerberos resources. Kerberos is a network authentication protocol used by many e
- [external\_ldap\_access](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_ldap_access.md): Explanation The external\_ldap\_access NDM is designed to search for instances of non-customer network access of LDAP resources. This type of access can leave a network vulnerable to attackers attemptin
- [external\_printing\_connections](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_printing_connections.md): Explanation This event is designed to detect external connections to internal print servers. The event triggers when an external source tries to connect to a print server residing within the protected
- [external\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/external_snmp_sweep.md): Explanation This security event is triggered when an SNMP sweep is detected entering the customer's network. SNMP, or Simple Network Management Protocol, is a protocol used for managing and monitoring
- [fortinet\_management\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/fortinet_management_external_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on TCP port 541 leaving your network. This return traffic indicates that there may have been an external attac
- [internal\_socks5\_proxy](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/internal_socks5_proxy.md): Explanation The internal\_socks5\_proxy NDM is designed to detect socks5 traffic on the local customer network. A SOCKS5 proxy is a protocol that routes internet traffic through a proxy server. It can b
- [msrdp](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/msrdp.md): Explanation A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack where the attacker sends a forged packet to an open RDP server that causes it to send a large amount of
- [outbound\_database\_exfil](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_database_exfil.md): Explanation The outbound\_database\_exfil event is triggered when outbound traffic is detected from common database ports, indicating a potential exfiltration attempt from a database. This event is desi
- [outbound\_ftp\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_ftp_traffic.md): Explanation This event monitors outbound traffic for cleartext FTP connections. The use of non-encrypted protocols such as FTP can leave sensitive information vulnerable to interception and theft. Wha
- [outbound\_imap\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_imap_traffic.md): Explanation This Netography Fusion Portal event monitors for cleartext outbound IMAP traffic, which should be discouraged due to security risks. IMAP is a protocol used for email retrieval and transfe
- [outbound\_ldap\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_ldap_traffic.md): Explanation This Netography Fusion Portal event monitors for outbound LDAP traffic leaving the customer network. LDAP traffic to Internet destinations may be unexpected. What to Look For Investigation
- [outbound\_pop3\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_pop3_traffic.md): Explanation The outbound\_pop3\_traffic event monitors for cleartext outbound POP3 traffic on the network. POP3 is a non-encrypted protocol used for email retrieval. Use of non-encrypted protocols such
- [outbound\_printing](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_printing.md): Explanation This Netography Fusion Portal event monitors for outbound traffic to print servers on the Internet, specifically using the IPP or LDP protocols. What to Look For To examine the results of
- [outbound\_rejected\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_rejected_traffic.md): Explanation This NDM detects traffic attempting to leave the network that has been blocked or denied by network security policies. This event helps to identify potential threats or policy violations t
- [outbound\_smb\_spike](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_smb_spike.md): Explanation This security event monitors the amount of Windows Networking traffic leaving the network (including DCE-RPC, NetBIOS, or SMB). If there is a high volume of this traffic leaving the network,
- [outbound\_smb\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_smb_traffic.md): Explanation This Netography Fusion Portal security event is triggered when outbound Windows Networking traffic is detected (including DCE-RPC, NetBIOS, or SMB). What to Look For When well tuned, this
- [outbound\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_snmp_sweep.md): Explanation outbound\_snmp\_sweep is a security event in the Netography Fusion Portal that is triggered when an SNMP sweep is detected leaving the customer network. SNMP, or Simple Network Management Pr
- [outbound\_telnet\_traffic](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/outbound_telnet_traffic.md): Explanation The outbound\_telnet\_traffic event detects outbound cleartext telnet traffic. The use of non-encrypted protocols such as telnet should be discouraged due to the inherent security risks. Thi
- [rdp\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/rdp_external_internal.md): Explanation The rdp\_external\_internal NDM monitors successful RDP connections from external sources to the network. This event helps to identify potential unauthorized access and data theft through RD
- [registered\_ports\_ext\_int](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/registered_ports_ext_int.md): Explanation The registered\_ports\_ext\_int NDM looks for any traffic accepted onto your network from the Internet on IANA registered ports. These ports are less commonly exposed to the Internet than wel
- [ssh\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/misconfiguration/ssh_external_internal.md): Explanation The ssh\_external\_internal event monitors for successful SSH connections from external sources to internal destinations. This is an important security event to monitor since successful exte
- [Operational Governance](https://docs.fusion.vectra.ai/detection-models/library/operational-governance.md): Operational Governance detections are a part of Vectra Fusion's Vectra Detection Models (NDMs) and are designed to promote best practices in network hygiene and responsible use of network resources.
- [anydesk\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/anydesk_usage.md): Explanation The anydesk\_usage NDM is designed to detect any usage of the AnyDesk software within the network. AnyDesk is a remote desktop application that can be used to gain unauthorized access to sy
- [bitcoin\_node\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bitcoin_node_internal_external.md): Explanation The bitcoin\_node\_internal\_external event monitors network traffic for possible Bitcoin mining activity. Bitcoin mining is a process of verifying transactions in the Bitcoin blockchain by s
- [bittorrent](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent.md): Explanation The bittorrent NDM is designed to detect BitTorrent traffic on a network. BitTorrent is a type of peer-to-peer (P2P) file-sharing protocol that allows users to share large files, such as m
- [bittorrent\_tracker\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_tracker_internal_external.md): Explanation The bittorrent\_tracker\_internal\_external NDM uses threat intelligence to detect traffic to external hosts running BitTorrent tracker servers. BitTorrent clients will almost always use BitT
- [bittorrent\_transfer\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_transfer_external_internal.md): Explanation The bittorrent\_transfer\_external\_internal NDM is designed to detect file downloads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on downloads rather
- [bittorrent\_transfer\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_transfer_internal_external.md): Explanation The bittorrent\_transfer\_internal\_external NDM is designed to detect file uploads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on uploads rather tha
- [bittorrent\_user](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/bittorrent_user.md): Explanation The bittorrent\_user CCM creates a context label for any internal host that has been observed communicating with a host running BitTorrent tracker software on a TCP port commonly associated
- [connectwise\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/connectwise_usage.md): Explanation The connectwise\_usage NDM is designed to detect any usage of the ConnectWise software, a popular remote management and monitoring tool used by IT service providers. This event is triggered
- [external\_1801](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_1801.md): Explanation The external\_1801 NDM flags connections from outside the customer network to servers on the customer network listening with TCP or UDP on port 1801. Microsoft Message Queuing is a messagin
- [external\_socks5\_proxy](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_socks5_proxy.md): Explanation This security event is triggered when the Netography Fusion Portal detects the use of a SOCKS5 proxy on the internet by an internal customer IP address. This may indicate that security con
- [external\_tcp\_44818](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_tcp_44818.md): Explanation The external\_tcp\_44818 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 44818. Rockwell Automation ICS systems use TCP port
- [external\_udp\_2222](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/external_udp_2222.md): Explanation The external\_udp\_2222 NDM flags connections from outside the customer network to servers on the customer network listening on UDP port 2222. Rockwell Automation ICS systems use UDP port 22
- [file-sharing\_apple-icloud](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_apple-icloud.md): Explanation The file-sharing\_apple-icloud event detects the presence of file sharing using Apple iCloud on the network. What to Look For To examine the results of the file-sharing\_apple-icloud event,
- [file-sharing\_dropbox\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_dropbox_detection.md): Explanation The file-sharing\_dropbox\_detection event is triggered when Netography Fusion Portal detects file sharing using Dropbox on the network. What to Look For When examining the results of this e
- [file-sharing\_idrive\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_idrive_detection.md): Explanation The file-sharing\_idrive\_detection NDM scans for instances of file sharing on the network that use the iDrive service. When users connect to the iDrive servers, it could lead to potential d
- [file-sharing\_mega-service](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_mega-service.md): Explanation This event detects the usage of file sharing Mega services by analyzing network traffic and endpoint data. What to Look For When examining the results of this event, look for any instances
- [file-sharing\_microsoft-onedrive](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_microsoft-onedrive.md): Explanation This NDM detects file sharing on the network using Microsoft OneDrive. What to Look For When examining the results of this NDM Event, look for any unauthorized file-sharing activity using
- [file-sharing\_wetransfer](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/file-sharing_wetransfer.md): Explanation This event is triggered when file sharing occurs using the WeTransfer application on the network. WeTransfer is a cloud-based file-sharing service that allows users to transfer large files
- [gotoresolve\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/gotoresolve_usage.md): Explanation This NDM looks for the usage of GoToResolve, a remote support and screen-sharing tool. When any activity related to GoToResolve is detected on the network or endpoint, this event triggers
- [internal\_tor\_relay](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/internal_tor_relay.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects a Tor node on the customer network. Tor is a proxy protocol that is used to hide the origin of network traffic. An una
- [ipfs\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/ipfs_usage.md): Explanation The ipfs\_usage NDM is designed to detect any IPFS related traffic on your network. IPFS (InterPlanetary File System) is a distributed protocol for sharing and storing files in a peer-to-pe
- [irctraffic](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/irctraffic.md): Explanation The irctraffic NDM is a network event that scans network traffic for IRC chat messages, IRC server connections, and IRC file transfers. If it detects any of these activities, it triggers a
- [messaging\_apple-push](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_apple-push.md): Explanation The messaging\_apple-push NDM is designed to detect the presence of messaging applications on a network. It detects network traffic associated with Apple's Push Notification Service (APNS),
- [messaging\_discord](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_discord.md): Explanation The messaging\_discord NDM is designed to detect the use of the Discord messaging application on the network. When triggered, it alerts network administrators to the presence of this applic
- [messaging\_disqus](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_disqus.md): Explanation The messaging\_disqus NDM is designed to detect the usage of Disqus on the network. Disqus is a third-party commenting and discussion platform used on many websites. This NDM can help secur
- [messaging\_facebook-messenger](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_facebook-messenger.md): Explanation The messaging\_facebook-messenger NDM detects the presence and usage of the popular Facebook Messenger application on the network. When a user communicates through the application, the NDM
- [messaging\_google-chat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_google-chat.md): Explanation The messaging\_google-chat NDM detects the presence of the Google Chat messaging application on the network. What to Look For To investigate this event, look for any instances of Google Cha
- [messaging\_icq](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_icq.md): Explanation The messaging\_icq NDM scans the network for the presence of messaging applications, specifically targeting ICQ. What to Look For You should examine the results of this event for any indica
- [messaging\_infobip](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_infobip.md): Explanation The messaging\_infobip NDM is designed to detect the presence of the InfoBip messaging application on the network. InfoBip is a cloud-based mobile communications platform that enables busin
- [messaging\_jpush](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_jpush.md): Explanation The messaging\_jpush NDM is designed to detect the presence of messaging applications on the network, specifically those using the JPush messaging service. What to Look For To examine the r
- [messaging\_kakaotalk](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_kakaotalk.md): Explanation The messaging\_kakaotalk NDM is designed to detect the Kakaotalk messaging application on the network. What to Look For To examine the results of the messaging\_kakaotalk NDM event, look for
- [messaging\_kik](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_kik.md): Explanation The messaging\_kik NDM is designed to detect the use of the Kik messaging application on the network. What to Look For If the messaging\_kik event is triggered, you should examine the networ
- [messaging\_messagebird](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_messagebird.md): Explanation The messaging\_messagebird event is triggered by the Netography Detection Module (NDM) when it detects activity from the messaging application called Messagebird on the network. What to Loo
- [messaging\_meta-messaging](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_meta-messaging.md): Explanation This NDM is designed to detect the presence of any "Meta" messaging applications on a network. What to Look For To examine the results of the messaging\_meta-messaging event, customers shou
- [messaging\_pushover](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_pushover.md): Explanation The messaging\_pushover NDM is designed to detect the presence of the messaging platform Pushover on the network. What to Look For Customers should examine their network traffic for any ind
- [messaging\_rocket-chat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_rocket-chat.md): Explanation The messaging\_rocket-chat NDM monitors the network for the presence of the messaging application Rocket Chat. Rocket Chat is an open source messaging platform that allows for encrypted and
- [messaging\_samsung-push](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_samsung-push.md): Explanation The messaging\_samsung-push NDM searches for the presence of messaging applications on the network, specifically on Samsung devices. What to Look For To analyze the results of the messaging
- [messaging\_signal](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_signal.md): Explanation The messaging\_signal NDM is designed to detect the presence of the Signal messaging application on the network. Signal is an end to end encrypted messaging application that can be used for
- [messaging\_sinch](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_sinch.md): Explanation The messaging\_sinch NDM is designed to detect the presence of the Sinch messaging application on a network. Sinch is a cloud-based communications platform that allows developers to integra
- [messaging\_snapchat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_snapchat.md): Explanation The messaging\_snapchat NDM is designed to detect the presence of the Snapchat messaging application on the network. What to Look For If the messaging\_snapchat event is triggered, check for
- [messaging\_stream-io](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_stream-io.md): Explanation The messaging\_stream-io NDM detects the presence of the Stream-IO messaging application on the network. Stream-IO is used for real-time message passing between clients and servers, making
- [messaging\_telegram](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_telegram.md): Explanation The messaging\_telegram event is a security event in the Netography Fusion Portal that checks for the presence of the Telegram messaging application on the network. What to Look For To analy
- [messaging\_threema](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_threema.md): Explanation The messaging\_threema NDM is designed to detect the presence of the Threema messaging application on the network. Threema is a secure messaging application that is commonly used by individuals
- [messaging\_wechat](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_wechat.md): Explanation The messaging\_wechat NDM (Network Detection Method) is designed to detect the presence of the WeChat messaging application on a network. It analyzes network traffic and looks for specific
- [messaging\_whatsapp](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_whatsapp.md): Explanation The messaging\_whatsapp NDM detects the presence of messaging applications on the network, with a specific focus on WhatsApp. This NDM works by analyzing network traffic to determine the pr
- [messaging\_zalo](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/messaging_zalo.md): Explanation The messaging\_zalo NDM is a network security event designed to detect the use of messaging applications on the network, with a particular focus on the Zalo messaging platform. What to Look
- [outbound\_6in4tunnel](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_6in4tunnel.md): Explanation The Outbound 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets that are leaving the customer network to external destinations. This tech
- [outbound\_ethoverip](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_ethoverip.md): Explanation The outbound ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets that are leaving the customer network to external destinations. Ethernet tunneling
- [outbound\_teredo](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_teredo.md): Explanation The outbound\_teredo NDM is designed to detect Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. Teredo can be used for l
- [outbound\_teredo\_spike](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/outbound_teredo_spike.md): Explanation The outbound\_teredo\_spike NDM is designed to detect high volumes of Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. Te
- [social\_discourse\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_discourse_detection.md): Explanation The social\_discourse\_detection Vectra Detection Model (NDM) is used to detect the social media platform Discourse on the network. What to Look For If the social\_discourse\_detection event
- [social\_instagram\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_instagram_detection.md): Explanation The social\_instagram\_detection NDM was developed by the Netography Threat Research team to detect the use of Social Media: Instagram. What to Look For When examining the results of the soc
- [social\_linkedin\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_linkedin_detection.md): Explanation The social\_linkedin\_detection NDM is a security event that detects the use of Social Media: LinkedIn on a network. It is designed to identify any attempts by users to access this networkin
- [social\_meta\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_meta_detection.md): Explanation The social\_meta\_detection NDM is a security event within the Netography Fusion Portal that detects the use of the social media platform Meta. What to Look For To examine the results
- [social\_okcupid\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_okcupid_detection.md): Explanation The social\_okcupid\_detection NDM is designed to detect the use of the social media platform OKCupid on a network. What to Look For To examine the results of the social\_okcupid\_detection ND
- [social\_reddit\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_reddit_detection.md): Explanation The social\_reddit\_detection NDM is designed to detect any suspicious activity related to the use of social media, specifically Reddit, on your network. The NDM analyzes network traffic and
- [social\_tiktok\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_tiktok_detection.md): Explanation The social\_tiktok\_detection NDM is designed to detect the use of the social media app, TikTok. What to Look For When examining the results of the social\_tiktok\_detection event, users shoul
- [social\_tinder\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_tinder_detection.md): Explanation The social\_tinder\_detection NDM is designed to detect usage of the social media app Tinder on network endpoints. What to Look For If the social\_tinder\_detection NDM is triggered, customers
- [social\_twitter\_detection](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/social_twitter_detection.md): Explanation The social\_twitter\_detection NDM is designed to detect the use of social media platform Twitter on a network. It searches for any activity related to Twitter like login attempts, tweets, f
- [teamviewer\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/teamviewer_usage.md): Explanation This NDM looks for the usage of the TeamViewer software, which may pose a security risk for organizations. The NDM is triggered when the software is detected on a network or endpoint, and
- [third\_party\_vpn\_usage](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/third_party_vpn_usage.md): Explanation This NDM detects the usage of third-party (free or paid) VPNs. What to Look For To examine the results of this event, network administrators should monitor their network traffic for any co
- [tor\_connection\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/tor_connection_internal_external.md): Explanation This event is triggered by Netography’s Fusion Portal when it detects a connection attempt to a known Tor entry node from an internal network device. Tor is often used to hide the origin o
- [unusual\_open\_tcp\_ports](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/unusual_open_tcp_ports.md): Explanation The unusual\_open\_tcp\_ports Netography Detection Model (NDM) is designed to detect uncommon TCP ports open and receiving connections on the network. The NDM is triggered when inbound TCP tr
- [vpn\_usage\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/operational-governance/vpn_usage_internal_external.md): Explanation vpn\_usage\_internal\_external is a Netography Fusion Portal security event designed to detect VPN usage exiting a customer's network. What to Look For When examining the results of the vpn\_u
- [Post-Compromise](https://docs.fusion.vectra.ai/detection-models/library/post-compromise.md): Post-Compromise detections are a vital feature of Vectra Fusion's Vectra Detection Models (NDMs) designed to identify and alert about activities associated with already compromised systems. These det
- [anomalous\_traffic\_dns](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_dns.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over UDP port 53 or over TCP ports 53 or 853 that exceeds an automatically determined baseline thresho
- [anomalous\_traffic\_itar](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_itar.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to IP addresses in countries listed under US Code 22 CFR § 126.1 (ITAR countries) “Prohibited exports,
- [anomalous\_traffic\_mega](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_mega.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to the Mega file hosting service that exceeds an automatically determined baseline threshold. Auto Threshol
- [anomalous\_traffic\_s3](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_s3.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to Amazon S3 that exceeds an automatically determined baseline threshold. Auto Thresholding observes r
- [anomalous\_traffic\_ssh](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_ssh.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over TCP port 22 that exceeds an automatically determined baseline threshold. Auto Thresholding observ
- [coinminer\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/coinminer_detection.md): Explanation The coinminer\_detection NDM detects machines connecting to coinmining servers which could indicate a cryptocurrency mining attack. This is accomplished by monitoring network traffic for co
- [comm\_with\_malware\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/comm_with_malware_external_internal.md): Explanation The comm\_with\_malware\_external\_internal NDM is designed to detect connections from identified malware command and control (C2) nodes to hosts on your network. Because flows occur in both d
- [comm\_with\_malware\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/comm_with_malware_internal_external.md): Explanation The comm\_with\_malware\_internal\_external NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to a
- [communication\_to\_bad\_rep](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/communication_to_bad_rep.md): Explanation The communication\_to\_bad\_rep NDM is designed to detect successful outbound connections to a known bad IP. The NDM triggers when a connection is made to an IP address that is on a deny list
- [communication\_to\_malware](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/communication_to_malware.md): Explanation The communication\_to\_malware NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to an IP addres
- [cups\_browsed\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/cups_browsed_internal_external.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 exiting your network. UDP port 631 is usually associated with the CUPS-Browsed service and is
- [dga\_suspected](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dga_suspected.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with malware using a Domain Generation Algorithm (
- [dlp-china](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dlp-china.md): Explanation The dlp-china NDM is designed to detect potential data loss to China. This NDM looks for large traffic transfers headed towards an IP identified as being in China. What to Look For When an
- [dlp-russia](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dlp-russia.md): Explanation The dlp-russia NDM aims to detect potential data loss to Russia. The NDM works by looking for large data transfers headed towards an IP located in Russia. What to Look For When examining r
- [dns\_lookup\_tunneling](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dns_lookup_tunneling.md): Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with DNS being used as a tunnel for non-DNS traffi
- [dnstunneling](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dnstunneling.md): Explanation The dnstunneling NDM is designed to detect DNS tunneling on your network. DNS tunneling is a technique used by malicious actors to bypass firewalls and security appliances to exfiltrate da
- [external\_http\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_http_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_http\_beacon NDM detects network communications over ht
- [external\_https\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_https_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_https\_beacon NDM detects network communications over h
- [external\_nonhttp\_beacon](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_nonhttp_beacon.md): Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external\_nonhttp\_beacon NDM detects network communications over
- [external\_tcp\_12345](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/external_tcp_12345.md): Explanation The external\_tcp\_12345 NDM flags connections on TCP port 12345 coming either inbound to your network from the Internet or outbound from your network to the Internet. Threat actors have bee
- [fortinet\_management\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/fortinet_management_internal_internal.md): Explanation This event is triggered by Netography's Fusion Portal when it detects traffic from TCP port 541 on your network. This return traffic indicates that there may have been an internal attacker
- [ip\_lookup\_attempt](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/ip_lookup_attempt.md): Explanation The ip\_lookup\_attempt NDM is designed to detect when a customer network machine attempts to look itself up. This could be an indication of malicious activity on the network. What to Look F
- [ipmi\_default\_dumphashes](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/ipmi_default_dumphashes.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [kerberosting\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/kerberosting_internal_internal.md): Explanation Kerberos is a network authentication protocol used by many enterprises to securely authenticate users and services across a network. Kerberoasting is a post-compromise attack that can be u
- [large\_internal\_smb\_download](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/large_internal_smb_dowbload.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined
- [large\_internal\_smb\_download](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/large_internal_smb_download.md): Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined
- [long\_dns\_connection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/long_dns_connection.md): Explanation The long\_dns\_connection NDM flags sustained interactive connections leaving the customer's network to destinations on TCP port 53, which is used by DNS. Most DNS connections are short live
- [outbound\_ping](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/outbound_ping.md): Explanation When threat actors first compromise a host, they often ping internet resources to verify connectivity. A spurious ping can be subtle and hard to detect because end users may make frequent
- [rdp\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/rdp_internal_external.md): Explanation This NDM is designed to detect successful RDP connections that cross from the internal network to the external network. It triggers when an RDP connection is successfully established from
- [sinkhole\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/sinkhole_detection.md): Explanation The sinkhole\_detection NDM is designed to detect any Internal IP addresses reaching out to known sinkhole servers. When malicious botnet or other malware command and control infrastructure
- [tcp\_123](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/tcp_123.md): Explanation The tcp\_123 NDM flags interactive connections leaving the customer's network to destinations on TCP port 123. The Network Time Protocol service uses UDP port 123, but does not use TCP. In
- [torrent\_usage\_detection](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/torrent_usage_detection.md): Explanation The torrent\_usage\_detection NDM was developed by the Netography Threat Research team to detect instances of torrent file sharing on a network. What to Look For To examine the results of th
- [uncommon\_icmp\_reject](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/uncommon_icmp_reject.md): Explanation The uncommon\_icmp\_reject event is triggered when the Netography Detection Module (NDM) detects network flows for ICMP messages that indicate that there is traffic on the network that is be
- [wkpsrcdst](https://docs.fusion.vectra.ai/detection-models/library/post-compromise/wkpsrcdst.md): Explanation The wkpsrcdst event in the Netography Fusion Portal is designed to detect and alert security personnel when a connection is established between two privileged ports within the monitored ne
- [Reconnaissance](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance.md): Reconnaissance detections are an essential component of Vectra Fusion's Vectra Detection Models (NDMs) that are designed to identify and alert network administrators to activities associated with scan
- [3000\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 3000 that is hitting the customer’s network from the Internet. Numerous technologies have used port 3000. One noteworthy example is Grafana
- [3000\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 3000 that is exiting the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an open source d
- [3000\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/3000_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 3000 inside the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an o
- [8000\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8000 that is hitting the customer’s network from the Internet. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTP
- [8000\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8000 that is exiting the customer's network. Port 8000 has been used by a variety of different products as an alternative HTTP/HTTPS port.
- [8000\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8000_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 8000 inside the customer's network. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTPS port
- [8060\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8060 that is hitting the customer’s network from the Internet. Port 8060 is used by a number of different software products, including Mana
- [8060\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8060 that is exiting the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManag
- [8060\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8060_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for port 8060 inside the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManager. What
- [8888\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_external_internal.md): Explanation This NDM is designed to detect scanning for port 8888 that is hitting the customer’s network from the Internet. Port 8888 is used as an alternative HTTP port by many software products. It
- [8888\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_internal_external.md): Explanation This NDM is designed to detect scanning for port 8888 that is exiting the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is also used by Ma
- [8888\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/8888_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 8888 inside the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is als
- [9090\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_external_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is hitting the customer’s network from the Internet. Port 9090 is used for several purposes, including Linux
- [9090\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_internal_external.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is exiting the customer's network. Port 9090 is used for several purposes, including Linux server administra
- [9090\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/9090_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for servers listening on port 9090 inside the customer's network. Port 9090 is used for several purposes, including Linux server administration as w
- [backupexec\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec that is hitting the customer’s network from the Internet. Veritas BackupExec is a network backup application. What to Look Fo
- [backupexec\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec systems that is exiting the customer's network. Veritas BackupExec is a network backup application. Outbound scanning may be
- [backupexec\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/backupexec_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Veritas BackupExec inside the customer's network. Veritas BackupExec is a network backup application. What to Look For Unauthorized scanning act
- [bamboo\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is hitting the customer’s network from the Internet. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerabili
- [bamboo\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is exiting the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in
- [bamboo\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bamboo_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bamboo servers inside the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in t
- [bitbucket\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is hitting the customer’s network from the Internet. Atlassian Bitbucket is a source code repository that has been subj
- [bitbucket\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is exiting the customer's network. Bitbucket is a source code repository that has been subject to vulnerability disclos
- [bitbucket\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/bitbucket_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Atlassian Bitbucket servers inside the customer's network. Atlassian Bitbucket is a source code repository that has been subject to vulnerabilit
- [censys\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/censys_scanning.md): Explanation The censys\_scanning NDM is designed to detect any activity on your network that is related to Censys scanning. What to Look For If the censys\_scanning NDM is triggered, you should examine
- [cleo\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is hitting the customer’s network from the Internet. Cleo offers a family of file transfer products, including C
- [cleo\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is exiting the customer's network. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo
- [cleo\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/cleo_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer servers inside the customer's network. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo V
- [connscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan.md): Explanation The connscan NDM detects connection scanning attempts on the network. It does this by monitoring for a high rate of connection attempts, which may indicate an attacker attempting to discov
- [connscan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_external_internal.md): Explanation The connscan\_external\_internal NDM detects connection scanning attempts hitting the customer's network from the Internet. It does this by monitoring for a high rate of aborted successful T
- [connscan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_internal_external.md): Explanation The connscan\_internal\_external NDM detects connection scanning attempts exiting the customer's network. It does this by monitoring for a high rate of aborted successful TCP connections, wh
- [connscan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/connscan_internal_internal.md): Explanation The connscan\_internal\_internal NDM detects connection scanning attempts inside the customer's network. It does this by monitoring for a high rate of aborted successful TCP connections, whi
- [esxi\_internal\_slp\_scan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/esxi_internal_slp_scan.md): Explanation The esxi\_internal\_slp\_scan NDM is designed to detect Port 427 internal scanning activities on ESXi servers. This is a common port used for service location protocol, and by scanning this p
- [ftp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for FTP servers that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. R
- [ftp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for FTP servers that is exiting the customer's network. Outbound FTP scanning may be indicative of an infection and an attacker using a compromised
- [ftp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ftp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for FTP servers inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication tha
- [http\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/http_scan_internal_external.md): Explanation This NDM is designed to detect scanning for web servers that is exiting the customer's network on port 80 or 443. Outbound web scanning may be indicative of an infection and an attacker us
- [http\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/http_scan_internal_internal.md): Explanation This NDM is designed to detect web server scanning inside the customer's network on port 80 or 443. What to Look For Unauthorized scanning activity launched inside your network may be an i
- [imap\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_external_internal.md): Explanation This NDM is designed to detect scanning for IMAP that is hitting the customer’s network from the Internet. IMAP is an internet standard protocol for email retrieval. What to Look For Scann
- [imap\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_internal_external.md): Explanation This NDM is designed to detect scanning for IMAP that is exiting the customer's network. IMAP is an internet standard protocol for email retrieval. Outbound IMAP scanning may be indicative
- [imap\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/imap_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for IMAP inside the customer's network. IMAP is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l
- [internal\_snmp\_sweep](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/internal_snmp_sweep.md): Explanation The internal\_snmp\_sweep is a detection model that identifies an SNMP sweep occurring in the network. The model triggers anytime a large number of SNMP requests are sent to different device
- [ipmi\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_external_internal.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ipmi\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_internal_external.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ipmi\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ipmi_scan_internal_internal.md): Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.
- [ivantiava\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is hitting the customer’s network from the Internet. Ivanti Avalanche is an enterprise mobility management & mobile de
- [ivantiava\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is exiting the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (M
- [ivantiava\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ivantiava_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Ivanti Avalanche inside the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (MDM) solution. Wh
- [kerberos\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_external_internal.md): Explanation This NDM is designed to detect Kerberos scanning that is hitting the customer’s network from the Internet. Kerberos is a protocol for authenticating requests between hosts on a network. Wh
- [kerberos\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Kerberos that is exiting the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. Outbound Kerbero
- [kerberos\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kerberos_scan_internal_internal.md): Explanation This NDM is designed to detect Kerberos scanning inside the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. What to Look For Unauthorized
- [kibana\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is hitting the customer’s network from the Internet. Kibana is an open source data visualization platform that has been
- [kibana\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is exiting the customer's network. Kibana is an open source data visualization platform that has been subject to critica
- [kibana\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/kibana_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Kibana servers (port 5601) inside the customer's network. Kibana is an open source data visualization platform that has been subject to critical
- [ldap\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_inside_to_outside.md): Explanation This NDM is designed to detect LDAP scanning that is exiting the customer's network. LDAP is an open protocol used for accessing and maintaining distributed directory information services
- [ldap\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_internal.md): Explanation This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network. What to Look For When examining the results of the ld
- [ldap\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_outside_to_inside.md): Explanation The ldap\_scanning\_outside\_to\_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. LDAP scanning
- [local\_zone\_enumeration](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/local_zone_enumeration.md): Explanation The local\_zone\_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance
- [mesvcdesk\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_external_internal.md): Explanation This NDM is designed to detect scanning for an application service that ManageEngine ServiceDesk systems run on port 14003 that is hitting the customer’s network from the Internet. ManageE
- [mesvcdesk\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_internal_external.md): Explanation This NDM is designed to detect scanning activity exiting the customer's network that is looking for an application service that ManageEngine ServiceDesk systems run on port 14003. ManageEn
- [mesvcdesk\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mesvcdesk_scan_internal_internal.md): Explanation This NDM is designed to detect scanning inside the customer's network for an application service that ManageEngine ServiceDesk systems run on port 14003. ManageEngine ServiceDesk is an ent
- [mongodb\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_external_internal.md): Explanation This NDM is designed to detect scanning for MongoDB that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. Under
- [mongodb\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_internal_external.md): Explanation This NDM is designed to detect scanning for MongoDB that is exiting the customer's network. Outbound MongoDB scanning may be indicative of an infection and an attacker using a compromised
- [mongodb\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mongodb_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for MongoDB inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that yo
- [msmq\_tcp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr
- [msmq\_tcp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is exiting the customer's network. Microsoft Message Queuing is a messaging protocol that allows
- [msmq\_tcp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_tcp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio
- [msmq\_udp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr
- [msmq\_udp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is exiting the customer's network. Microsoft Message Queuing is a messaging protocol that allows
- [msmq\_udp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/msmq_udp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio
- [mssql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo
- [mssql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is exiting the customer's network. Outbound scanning may be indicative of an infection and an attacker using a comprom
- [mssql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mssql_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Microsoft SQL Server inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic
- [mysql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for MySQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplac
- [mysql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for MySQL databases that is exiting the customer's network. Outbound scanning may be indicative of an infection and an attacker using a compromised
- [mysql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/mysql_scan_internal_internal.md): Explanation This NDM is designed to detect MySQL database scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that
- [neo4j\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is hitting the customer’s network from the Internet. Neo4j is a graph database. What to Look For Scanning activity on the
- [neo4j\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is exiting the customer's network. Neo4j is a graph database. Outbound scanning for Neo4j may be indicative of an infecti
- [neo4j\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/neo4j_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Neo4j servers listening on port 7474 inside the customer's network. Neo4j is a graph database. What to Look For Unauthorized scanning activity l
- [nmapfingerprint](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/nmapfingerprint.md): Explanation The nmapfingerprint NDM detects the presence of the NMAP fingerprint on the network. What to Look For To examine the results of the nmapfingerprint NDM Event, look for NMAP fingerprinting
- [ping\_scan\_ext-int](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_ext-int.md): Explanation The ping\_scan\_ext-int event monitors for external to internal ping scans on the network. It detects when an external entity is trying to map out the internal infrastructure by pinging vari
- [ping\_scan\_int-ext](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_int-ext.md): Explanation ping\_scan\_int-ext is a security event in the Netography Fusion Portal that looks for Internal to External Ping Scans. What to Look For If ping\_scan\_int-ext is triggered, it means that an i
- [ping\_scan\_int-int](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ping_scan_int-int.md): Explanation The ping\_scan\_int-int is a security event that detects Internal to Internal Ping Scans on a network. What to Look For To examine the results of the ping\_scan\_int-int event, you should look
- [pop3\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_external_internal.md): Explanation This NDM is designed to detect scanning for POP3 that is hitting the customer’s network from the Internet. POP3 is an internet standard protocol for email retrieval. What to Look For Scann
- [pop3\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_internal_external.md): Explanation This NDM is designed to detect scanning for POP3 that is exiting the customer's network. POP3 is an internet standard protocol for email retrieval. Outbound POP3 scanning may be indicative
- [pop3\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/pop3_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for POP3 inside the customer's network. POP3 is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l
- [port\_1433\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_1433_scanning_internal.md): Explanation This NDM is triggered when there is an internal scanning activity on port 1433. This port is commonly associated with Microsoft's SQL server and is often targeted by attackers looking for
- [port\_1433\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_1433_scanning_outbound.md): Explanation This NDM detects outbound traffic indicating scanning for open port 1433. This port is commonly used for Microsoft SQL Server and if left open can allow unauthorized access to sensitive da
- [port\_445\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_445_scanning_internal.md): Explanation The port\_445\_scanning\_internal event is triggered when a source IP is scanning internal networks for port 445, which is commonly used by Windows for file and printer sharing. This type of
- [port\_445\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_445_scanning_outbound.md): Explanation The port\_445\_scanning\_outbound NDM is designed to detect scanning for SMB that is exiting the customer's network. What to Look For To examine the results of the port\_445\_scanning\_outbound
- [port\_62078\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_62078_scanning_outbound.md): Explanation This NDM detects scanning for open port 62078 outbound on the network. What to Look For To remediate or examine the problem, customers should look for any traffic attempting to scan outbou
- [port\_8443\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_8443_scanning_internal.md): Explanation This NDM was created by the Netography Threat Research team to detect unauthorized scanning activities on port 8443 inside the network. What to Look For When reviewing the results of this
- [port\_8443\_scanning\_outbound](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_8443_scanning_outbound.md): Explanation The port\_8443\_scanning\_outbound NDM detects outbound scans on port 8443 from the customer’s network. What to Look For To examine the results of the port\_8443\_scanning\_outbound NDM, check t
- [portscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/portscan.md): Explanation Port scanning is a common technique used by attackers to identify vulnerabilities in a network. What to Look For When analyzing the results of this NDM event, look for unusual traffic patt
- [psql\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_external_internal.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo
- [psql\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_internal_external.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases that is exiting the customer's network. Outbound PostgreSQL scanning may be indicative of an infection and an attacker usin
- [psql\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/psql_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for PostgreSQL databases inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic
- [qualys\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/qualys_scanning.md): Explanation The qualys\_scanning NDM monitors your network for Qualys scanning activity. It identifies when Qualys attempts to scan a target host or network to determine the vulnerabilities present on
- [rdp\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_inside_to_outside.md): Explanation The rdp\_scanning\_inside\_to\_outside NDM is designed to detect any Microsoft Remote Desktop Protocol (RDP) scanning that originates from inside a network and moves to outside the network. Wh
- [rdp\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_internal.md): Explanation The rdp\_scanning\_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time
- [rdp\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rdp_scanning_outside_to_inside.md): Explanation This NDM was created by the Netography Threat Research team to detect Microsoft RDP scanning. It triggers when an external IP address attempts to scan the network for open RDP ports in an
- [redis\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_external_internal.md): Explanation This NDM is designed to detect Redis scanning that is hitting the customer’s network from the Internet. Redis is a memory based key/value store that is often used to support web services.
- [redis\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_internal_external.md): Explanation This NDM is designed to detect Redis scanning that is exiting the customer's network. Redis is a memory based key/value store that is often used to support web services. Outbound Redis sca
- [redis\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/redis_scan_internal_internal.md): Explanation This NDM is designed to detect Redis scanning inside the customer's network. Redis is a memory based key/value store that is often used to support web services. What to Look For Unauthoriz
- [rockwellics\_tcp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is hitting the customer's network from the internet. Rockwell Automation provides program
- [rockwellics\_tcp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is exiting the customer's network. Rockwell Automation provides programmable controllers
- [rockwellics\_tcp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 inside a customer's network. Rockwell Automation provides programmable controllers for industr
- [rockwellics\_udp\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_external_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is hitting the customer's network from the Internet. Rockwell Automation provides programm
- [rockwellics\_udp\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is exiting the customer's network. Rockwell Automation provides programmable controllers f
- [rockwellics\_udp\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_internal.md): Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 inside the customer's network. Rockwell Automation provides programmable controllers for indust
- [rstscan](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/rstscan.md): Explanation rstscan is a detection model that identifies RST scanning activity on the network. RST scanning is a technique used by attackers to probe for open ports on a target system. This activity i
- [scanner\_rwth\_aachen\_univ](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/scanner_rwth_aachen_univ.md): Explanation The scanner\_rwth\_aachen\_univ NDM is designed to detect unauthorized access attempts to the research scanning systems at RWTH Aachen University. The NDM creates an alert when an attempt is
- [shadowserver\_scanning](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/shadowserver_scanning.md): Explanation The shadowserver\_scanning NDM is designed to detect when Shadowserver.org is scanning the network. This type of scanning is often associated with malicious activity and may indicate an att
- [shodan\_scanners](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/shodan_scanners.md): Explanation The shodan\_scanners NDM is designed to detect instances of Shodan scanning your network. What to Look For To examine the results of the shodan\_scanners event, look for unusual network traf
- [smartinst\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_external_internal.md): Explanation This NDM is designed to detect Cisco SmartInstall scanning that is hitting the customer’s network from the Internet. Cisco SmartInstall is a configuration and image-management feature for
- [smartinst\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Cisco SmartInstall that is exiting the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. Outb
- [smartinst\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/smartinst_scan_internal_internal.md): Explanation This NDM is designed to detect Cisco SmartInstall scanning inside the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. What to Look For
- [ssh\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ssh_scan_internal_external.md): Explanation This NDM is designed to detect scanning for SSH that is exiting the customer's network. Outbound SSH scanning may be indicative of an infection and an attacker using a compromised machine
- [ssh\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ssh_scan_internal_internal.md): Explanation This NDM is designed to detect SSH scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that your netwo
- [synscan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_external_internal.md): Explanation The synscan\_external\_internal NDM looks for SYN scanning, an indication that an attacker is attempting to map out a network by sending multiple SYN requests to various endpoints to determi
- [synscan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_internal_external.md): Explanation The synscan\_internal\_external NDM detects SYN scanning activity exiting the network. This event is triggered when an internal IP is found to be scanning external IPs via multiple SYN packe
- [synscan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/synscan_internal_internal.md): Explanation The synscan\_internal\_internal NDM is designed to detect SYN scanning on internal networks. This NDM monitors for excessive SYN packets that can indicate malicious activity and flags any su
- [teamviewer\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_inside_to_outside.md): Explanation This Netography Detection Model is designed to catch scans looking for instances of TeamViewer from a source inside your network to the outside. What to Look For When examining the results
- [teamviewer\_out\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_out_to_inside.md): Explanation The teamviewer\_out\_to\_inside NDM is designed to detect TeamViewer scanning that is hitting the customer’s network from the Internet. TeamViewer is a remote access software application that
- [teamviewer\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/teamviewer_scanning_internal.md): Explanation The teamviewer\_scanning\_internal NDM is designed to detect any unauthorized scans on your internal network looking for the TeamViewer software. What to Look For To identify teamviewer\_scan
- [veeam\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_external_internal.md): Explanation This NDM is designed to detect Veeam Backup scanning that is hitting the customer’s network from the Internet. Veeam Backup is a network backup application. What to Look For Scanning activ
- [veeam\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_internal_external.md): Explanation This NDM is designed to detect scanning for Veeam Backup systems that is exiting the customer's network. Veeam Backup is a network backup application. Outbound Veeam Backup scanning may be
- [veeam\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/veeam_scan_internal_internal.md): Explanation This NDM is designed to detect Veeam Backup scanning inside the customer's network. Veeam Backup is a network backup application. What to Look For Unauthorized scanning activity launched i
- [vnc\_scanning\_inside\_to\_outside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_inside_to_outside.md): Explanation The vnc\_scanning\_inside\_to\_outside Netography detection model (NDM) is designed to identify any internal VNC scanning activity targeting external destination hosts. It works by monitoring
- [vnc\_scanning\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_internal.md): Explanation The vnc\_scanning\_internal Netography detection model (NDM) is designed to identify any internal VNC scanning activity taking place within a network. It works by monitoring traffic on the n
- [vnc\_scanning\_outside\_to\_inside](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/vnc_scanning_outside_to_inside.md): Explanation The vnc\_scanning\_outside\_to\_inside NDM is designed to detect VNC scanning activity on a network. This activity can occur when an attacker attempts to move from an outside network to an ins
- [weblogic\_scan\_external\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_external_internal.md): Explanation This NDM is designed to detect Weblogic scanning that is hitting the customer’s network from the Internet. Weblogic is an enterprise application server. What to Look For Scanning activity
- [weblogic\_scan\_internal\_external](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_internal_external.md): Explanation This NDM is designed to detect Weblogic scanning that is exiting the customer's network. Weblogic is an enterprise application server. Outbound Weblogic scanning may be indicative of an in
- [weblogic\_scan\_internal\_internal](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/weblogic_scan_internal_internal.md): Explanation This NDM is designed to detect Weblogic scanning inside the customer's network. Weblogic is an enterprise application server. What to Look For Unauthorized scanning activity launched insid
- [xmastree](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/xmastree.md): Explanation The xmastree NDM monitors network traffic for flows with XMAS Tree packets (FIN, PSH, and URG) which are typically associated with attackers attempting to evade detection or compromise the
- [System](https://docs.fusion.vectra.ai/detection-models/library/system.md): System detections within Vectra Fusion's Vectra Detection Models (NDMs) identify conditions that relate to the overall health of the Vectra system and flow collection. System detections help network
- [clocksync](https://docs.fusion.vectra.ai/detection-models/library/system/clocksync.md): Explanation The clocksync NDM is a system NDM designed to detect situations where a flow source is sending flows to Netography with timestamps that are out of sync with Netography’s clock. Bad timesta
- [flowrate](https://docs.fusion.vectra.ai/detection-models/library/system/flowrate.md): Explanation The flowrate NDM is an opt-in system NDM designed to fire if the rate of flows received by Netography from a particular flow source exceeds a certain threshold within an hour. What to Look
- [noflow](https://docs.fusion.vectra.ai/detection-models/library/system/noflow.md): Explanation The noflow NDM is a system NDM that fires when no flow is being received by Netography from a configured flow source. What to Look For This condition most likely means that the device that
- [Threat Intelligence](https://docs.fusion.vectra.ai/detection-models/threat-intelligence.md): Summary As flows are ingested into the system, lookups are done on both source IP and destination IP so that their reputation is determined at the time the flow happened. Every flow record contains an
- [Detection Categories](https://docs.fusion.vectra.ai/detection-models/detection-categories-1.md): Detection categories are similar to flow tags. They are used to group or ‘categorize’ detection models, after which rules - based on categories - can be crafted. System The system categories are based
- [About Dashboards](https://docs.fusion.vectra.ai/dashboards/about.md): Overview Quickstart: Dashboards A dashboard is a visual interface that consolidates and displays data from various sources in a single view, making it easy to monitor, analyze, and interpret key metri
- [System Dashboards](https://docs.fusion.vectra.ai/dashboards/system.md): About System Dashboards System Dashboards provides a comprehensive suite of tools and visualizations designed to help administrators monitor, analyze, and secure network infrastructure. Through a vari
- [Bandwidth Management](https://docs.fusion.vectra.ai/dashboards/system/bandwidth-management.md): Preview Overview Purpose : The Bandwidth Management dashboard provides a detailed view of network bandwidth usage, enabling users to monitor traffic by interface and external sources (ASNs). This dash
- [Flow Outages](https://docs.fusion.vectra.ai/dashboards/system/flow-outages.md): Preview Overview Purpose : The Flow Outages dashboard provides insights into network flow disruptions, enabling users to monitor the flow rate and detect any outages in real time. This dashboard is de
- [Peering Analytics](https://docs.fusion.vectra.ai/dashboards/system/peering-analytics.md): Preview Peering Analytics Purpose : The Peering Analytics dashboard provides a comprehensive view of traffic flows between Autonomous System Numbers (ASNs), IP addresses, ports, and geographic locatio
- [Audit Log Activity](https://docs.fusion.vectra.ai/dashboards/system/audit-log-activity.md): Preview Overview Purpose : The Audit Log Activity dashboard provides detailed tracking of user actions, classes of activity, and audit logs within the system. This dashboard helps administrators monit
- [DNS Overview](https://docs.fusion.vectra.ai/dashboards/system/dns-overview.md): Preview Overview Purpose : The DNS Overview dashboard provides insights into DNS query patterns, failures, and domain usage. This dashboard is essential for network administrators to monitor DNS traff
- [Initial Home](https://docs.fusion.vectra.ai/dashboards/system/initial-home.md): Preview Overview Purpose : The Initial Home dashboard provides a high-level overview of network activity, flow analysis, DNS queries, and detection alerts. It helps network administrators monitor esse
- [Network Overview](https://docs.fusion.vectra.ai/dashboards/system/network-overview.md): Preview Overview Purpose : The Network Overview dashboard offers a summary of network activity, providing insights into protocols, source regions, Autonomous Systems (ASNs), alert trends, and traffic
- [Response Integration Blocks](https://docs.fusion.vectra.ai/dashboards/system/response-integration-blocks.md): Preview Overview Purpose : The Response Integration Blocks dashboard provides visibility into the block rates and block history associated with security policies. It is designed to help administrators
- [Security Overview](https://docs.fusion.vectra.ai/dashboards/system/security-overview.md): Preview Overview Purpose : The Security Overview dashboard provides a comprehensive view of security events, top threat-related activities, and internal and external traffic flows. It is designed to h
- [Traffic Overview](https://docs.fusion.vectra.ai/dashboards/system/traffic-overview.md): Preview Overview Purpose : The Traffic Overview dashboard provides insights into network traffic patterns, including bitrate, packet rate, flow rate, protocol and port distributions, and TCP flag usag
- [Manage Dashboards](https://docs.fusion.vectra.ai/dashboards/manage.md): Overview You view and manage dashboards, dashboard features, and dashboard settings in Fusion on different pages in the interface. Once a dashboard is in Open or in Edit mode, Fusion displays addition
- [Custom Dashboards](https://docs.fusion.vectra.ai/dashboards/manage/your-dashboards.md): Overview “Custom dashboards are created by users in your organization, and can be edited and customized to fit your needs.” “System Dashboards are created by Vectra and cannot be edited.” Getting
- [Add a Dashboard](https://docs.fusion.vectra.ai/dashboards/manage/add-dashboard.md): Overview When you create a new dashboard, the system generates an empty container that serves as the foundation for your data visualizations. This container is designed to hold widgets, which are indi
- [Edit Dashboard Settings](https://docs.fusion.vectra.ai/dashboards/manage/settings.md): Overview Dashboard Settings allows you to customize, edit, and delete dashboards. Getting Here To access an existing dashboard's Settings page, you must Edit the dashboard by using the following steps.
- [Edit a Dashboard](https://docs.fusion.vectra.ai/dashboards/manage/edit-a-dashboard.md): Overview This page provides guidance on how to modify existing dashboards. Whether you need to adjust the layout, update visualizations, change data sources, or customize settings, the editing tools a
- [Schedule Dashboard](https://docs.fusion.vectra.ai/dashboards/manage/schedule.md): Overview The Schedule page allows you to automate the delivery of dashboards at specified intervals. Use this form to configure the scheduling, recipients, and dashboard display settings for regularly
- [About Widgets](https://docs.fusion.vectra.ai/dashboards/widgets.md): Overview Fusion's dashboards provide data visualization using widgets. Widgets are individual components or elements that display specific types of data or perform particular functions within the dashb
- [About Widget Containers](https://docs.fusion.vectra.ai/dashboards/widgets/widget-container.md): Overview You can interact with widgets using their widget container options. Some options do not appear unless the dashboard is unlocked and in edit mode. See Edit a Dashboard for more information. Get
- [Manage Widgets](https://docs.fusion.vectra.ai/dashboards/widgets/index.md): Overview You can interact and change the layout of the Dashboard by rearranging, moving, or deleting its widgets. Icon ID Action Description 1 Identifies customized values This icon indicates the widg
- [Add a Widget](https://docs.fusion.vectra.ai/dashboards/widgets/index/add-a-widget.md): Overview This guide explains how to add widgets in Fusion to enhance your dashboards with visualizations and insights tailored to your needs. Adding widgets allows you to introduce new metrics, charts
- [Edit a Widget](https://docs.fusion.vectra.ai/dashboards/widgets/index/edit-widget.md): Overview This guide explains how to edit widgets in Fusion to better align with your data visualization needs. Editing a widget allows you to customize its appearance, data source, and settings, ensur
- [Copy a Widget](https://docs.fusion.vectra.ai/dashboards/widgets/index/copy-widget.md): Overview This guide explains how to copy widgets within Fusion to either the current dashboard or another dashboard. Copying widgets is a quick and efficient way to replicate useful visualizations, me
- [Delete Widget](https://docs.fusion.vectra.ai/dashboards/widgets/index/delete-widget.md): Getting Here To delete a widget embedded in a dashboard, you must first Edit the dashboard. Delete a Widget To delete a widget, hover over the right corner of the widget container; a menu of icons app
- [Widget Categories & Widget Types](https://docs.fusion.vectra.ai/dashboards/widgets/widget-glossary.md): Overview This page provides an overview of the widget types available in Fusion for building dashboards. Each widget supports specific data categories—Flow, DNS, Traffic, Events, Blocks, and Audit Log
- [Dashboards Training Video](https://docs.fusion.vectra.ai/dashboards/introduction-to-dashboards.md): Getting Started with Dashboards
- [Portal Layout](https://docs.fusion.vectra.ai/dashboards/layout.md): ID Area Description 1 Top Dynamic Page Title, Page Tabs, Stationary Elements, Settings Icon 2 Left User ID and Menu and Main Navigation 3 Center-Top Controller (Global Filter) 4 Center Page Content 5
- [Viewing Events](https://docs.fusion.vectra.ai/events/viewing.md): The Events page is a crucial hub within the Fusion Portal, offering an organized and insightful view of key activities and trends. To get started understanding Events in Fusion, see: Quickstart: Event
- [Events by MITRE ATT\&CK](https://docs.fusion.vectra.ai/events/mitre.md): The Events by MITRE page provides a heat map and table that organizes events into MITRE ATT\&CK® Framework tactics and techniques. Each column represents a Tactic, with the Techniques related to t
- [About Settings](https://docs.fusion.vectra.ai/settings/about.md): Getting Here Left main navigation > ( ) Settings link. or In the upper right corner of the Fusion UI, the gear ( ) icon links to the Settings page and displays the following sections and sub-page:
- [Account](https://docs.fusion.vectra.ai/settings/account.md): In Fusion Settings, the Account category covers the following feature settings: Overview Billing Audit Logs Customers
- [Overview](https://docs.fusion.vectra.ai/settings/account/account-overview.md): Getting Here Settings > Account Accounts Overview Page The Accounts Overview page displays and allows you to manage the general settings of your company's account. The following sections and settin
- [Billing](https://docs.fusion.vectra.ai/settings/account/billing.md): Overview The Billing page displays subscription details and data usage, and allows users to manage their subscription. The page is available and visible only to PLG customers whose user role has the ability to
- [Audit Logs](https://docs.fusion.vectra.ai/settings/account/audit-logs.md): Getting Here Settings > Audit Logs Audit Logs Page The Audit Logs page provides detailed records of account activity, including user authentication, account usage, and system events. The page enabl
- [Customers](https://docs.fusion.vectra.ai/settings/account/index.md): Getting Here Settings > Customers Customers Page The Customers Page provides an overview of accounts with their respective details, including sub-accounts or resellers. The table includes essential
- [Manage Customers](https://docs.fusion.vectra.ai/settings/account/index/manage-customers.md): This page details information on how to: Add a customer Edit a customer Login-to another Customer (Masquerade) Delete a customer Add Customer Getting Here Settings > Customers > Add Customer The
- [My Profile](https://docs.fusion.vectra.ai/settings/profile.md): Getting Here Settings > My Profile > Details The Details page under the "My Profile" category displays and allows editing of user-specific information, including contact details, account role, a
- [Details](https://docs.fusion.vectra.ai/settings/profile/details.md): Getting Here Settings > My Profile > Details The Details page under the "My Profile" category displays and allows editing of user-specific information, including contact details, account role, a
- [Personalization](https://docs.fusion.vectra.ai/settings/profile/personalization.md): Getting Here Settings > My Profile > Personalization My Profile - Personalization The Personalization page under "My Profile" allows users to customize their interface preferences, including the
- [Activity](https://docs.fusion.vectra.ai/settings/profile/activity.md): Getting Here Settings > My Profile > Activity My Profile - Activity The Activity page under "My Profile" provides a detailed history of the user's active sessions, including IP addresses, sessio
- [Security](https://docs.fusion.vectra.ai/settings/profile/security.md): Getting Here Settings > My Profile > Security My Profile - Security The Security page under "My Profile" allows users to manage their password and multi-factor authentication (MFA) settings for
- [User Management](https://docs.fusion.vectra.ai/settings/user-management.md)
- [API Keys](https://docs.fusion.vectra.ai/settings/user-management/index.md): Getting Here Settings > User Management > API Keys User Management - API Keys The API Keys page under User Management allows you to view, manage, and create API keys for system integrations, acc
- [Add API Key](https://docs.fusion.vectra.ai/settings/user-management/index/add-api-key.md): Getting Here Settings > User Management > API Keys > Add API Key button Add New API Key Form The Add New API Key form allows users to create and configure API keys for accessing system integr
- [API Shared Secret](https://docs.fusion.vectra.ai/settings/user-management/index/api-shared-secret.md): Getting Here Settings > API Keys API Shared Secret Button The API Shared Secret button allows administrators to view, regenerate, and manage the shared secret used for encoding and validating API k
- [Roles](https://docs.fusion.vectra.ai/settings/user-management/index-1.md): Getting Here Settings > User Management > Roles Page User Management - Roles Page The Roles Page under User Management allows administrators to manage user roles, their associated permissions, a
- [Add Role](https://docs.fusion.vectra.ai/settings/user-management/index-1/add-role.md): Getting Here Settings > Roles > Add Role button. Fusion has built-in system roles identified by the gear icon. However, the Add Role Form allows administrators to create and configure new roles
- [Edit Role](https://docs.fusion.vectra.ai/settings/user-management/index-1/edit-role.md): Getting Here Click the ellipse (3 dots) icon at the beginning of the row customer row you want to masquerade. Click Edit . The edit page allows you to: Modify available settings Delete the Role
- [Password & Security](https://docs.fusion.vectra.ai/settings/user-management/password-security.md): Getting Here Settings \&gt; User Management \&gt; Password \&amp; Security User Management - Password \&amp; Security The Password \&amp; Security Page allows administrators to configure password policies,
- [SSO](https://docs.fusion.vectra.ai/settings/user-management/index-2.md): Getting Here Settings \&gt; User Management \&gt; SSO User Management - SSO Page The SSO Page allows administrators to configure Single Sign-On (SSO) using SAML. Additional password configuration option
- [SSO with GSuite (Google Workspace)](https://docs.fusion.vectra.ai/settings/user-management/index-2/configuring-sso-with-gsuite.md): Vectra configuration Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator. Navigate to Settings
- [SSO with Auth0](https://docs.fusion.vectra.ai/settings/user-management/index-2/configuring-sso-with-auth0.md): Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator. Navigate to Settings > SSO and enable SAML
- [SSO with Okta](https://docs.fusion.vectra.ai/settings/user-management/index-2/configuring-sso-with-okta.md): Vectra configuration Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator. Navigate to Settings
- [SSO with PingOne](https://docs.fusion.vectra.ai/settings/user-management/index-2/configuring-sso-with-pingone.md): Vectra Fusion configuration Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator. Navigate to Set
- [Data Management](https://docs.fusion.vectra.ai/settings/data-management.md)
- [Traffic Sources](https://docs.fusion.vectra.ai/settings/data-management/traffic-sources.md)
- [Context Integrations](https://docs.fusion.vectra.ai/settings/data-management/context-integrations.md)
- [Context Labels](https://docs.fusion.vectra.ai/settings/data-management/context-labels.md)
- [Flow Tags](https://docs.fusion.vectra.ai/settings/data-management/flow-tags.md): Flow tags are labels that are applied to flow data, based on user-defined criteria and are activated as Netography ingests the data into the platform. The required fields are the Rule Name for specify
- [Traffic Classification](https://docs.fusion.vectra.ai/settings/data-management/traffic-classifications.md): Traffic Classifications define the internal IP address blocks and domain names for your organization. This is an important configuration step for Fusion, as understanding internal vs external communic
- [NQL Overview and Syntax](https://docs.fusion.vectra.ai/network-query-language/nql-overview-and-basics.md): The Network Query Language Explained
- [NQL Quick Reference Guide](https://docs.fusion.vectra.ai/network-query-language/nql-quick.md)
- [NQL Keywords](https://docs.fusion.vectra.ai/network-query-language/nql-value-suggestions.md): Looking up NQL Keywords in Fusion When constructing NQL queries in the Fusion Portal, the list of both the available fields and values (when applicable) will automatically appear in a dropdown below t
- [NQL Presets](https://docs.fusion.vectra.ai/network-query-language/nql-presets.md): Using NQL Presets If you click the text box in the Global Filter (the bar at the top of the Portal), it brings up a list of Keywords (see: How to find available NQL fields, Recent Queries, and Prese
- [NQL Examples](https://docs.fusion.vectra.ai/network-query-language/nql-examples.md): We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography: Search for and alert on specific traffic For example, East/West o
- [How to find available NQL fields](https://docs.fusion.vectra.ai/network-query-language/how-to-find-available-nql-fields.md): The list of available fields for use in NQL conditions can be found in the following ways: Throughout the Fusion Portal, table column headers are the same fields used in NQL For flow, event (alert)
- [About NetoFlow](https://docs.fusion.vectra.ai/netoflow-connector/about.md): Overview The NetoFlow Connector is software you can run in your environment to collect NetFlow, sFlow, and IPFIX from your network devices and deliver those flow records to Vectra Fusion. Its purpose
- [Quickstart: Run NetoFlow](https://docs.fusion.vectra.ai/netoflow-connector/quickstart.md): Installing and running NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector. If you have a Docker host, you can run NetoFlow in only a few seconds. Create a new API key in
- [Install NetoFlow (container)](https://docs.fusion.vectra.ai/netoflow-connector/install-container.md): Installing NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector. If you want to run the container without going through all the details and options, see: 🏁 Quickstart: Ru
- [Install NetoFlow (Linux package)](https://docs.fusion.vectra.ai/netoflow-connector/install-linux.md): Installing NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector. Deployment Options NetoFlow is available as a Docker-compatible container or a Linux software package. To
- [Configure NetoFlow](https://docs.fusion.vectra.ai/netoflow-connector/configure.md): You can run NetoFlow with the default configuration, which should be sufficient for most deployments. Modifying the configuration NetoFlow uses a layered configuration that will read configuration fro
- [Reading statistics from NetoFlow API](https://docs.fusion.vectra.ai/netoflow-connector/reading-statistics.md): About the NetoFlow API The NetoFlow API is a very simple API endpoint that provides client-side statistics from a running NetoFlow instance. By default, the API listens on TCP port 8080. The API is un
- [Security Considerations](https://docs.fusion.vectra.ai/netoflow-connector/security-considerations.md): Overview NetoFlow has API access to Vectra Fusion to upload NetFlow and sFlow records. A threat actor that gains access to the system you deploy NetoFlow on in your environment could read these creden
- [About NetoFuse](https://docs.fusion.vectra.ai/netofuse/about.md): About NetoFuse is software you can run in your environment or can be hosted by Vectra in the cloud to provide enriched asset context to Vectra Fusion from 3rd party products. This is done by reading a
- [Get Started](https://docs.fusion.vectra.ai/netofuse/get-started.md): ☁️ To use NetoFuse modules deployed in the cloud as part of the Vectra Fusion SaaS, add and configure them as Context Integrations. These instructions are only necessary if you want to deploy NetoFuse
- [Install](https://docs.fusion.vectra.ai/netofuse/get-started/install.md): ☁️ To use NetoFuse modules deployed in the cloud as part of the Netography Fusion SaaS, add and configure them as Context Integrations. These instructions are only necessary if you want to deploy Neto
- [Run NetoFuse](https://docs.fusion.vectra.ai/netofuse/get-started/launch.md): After Install is complete, perform the following steps to run the desired NetoFuse module(s): 1. Set Vectra Fusion API Credentials NetoFuse requires a Vectra Fusion API key to upload context labels to
- [Scheduling NetoFuse](https://docs.fusion.vectra.ai/netofuse/get-started/run.md): 📘 File locations: These instructions assume files are in the following locations, but you can change this by adjusting the scripts and commands accordingly: /etc/netofuse/netofuse.yml Configuration f
- [NetoFuse Modules](https://docs.fusion.vectra.ai/netofuse/modules.md): NetoFuse modules are software components of NetoFuse that integrate a 3rd party product or provide a mechanism for integration to products. NetoFuse ships with a library of modules, and you can also d
- [Axonius](https://docs.fusion.vectra.ai/netofuse/modules/axonius.md): About The Axonius NetoFuse module provides enriched asset context to Netography Fusion from Axonius. It connects to the Axonius Platform API to retrieve asset information and then uploads it as Contex
- [Claroty](https://docs.fusion.vectra.ai/netofuse/modules/claroty.md): About The Claroty context integration provides enriched asset context to Netography Fusion from Claroty Industrial Cybersecurity appliances. It connects to the Claroty CTD/EMC API to retrieve asset in
- [Device42](https://docs.fusion.vectra.ai/netofuse/modules/device42.md): About The Device42 NetoFuse module provides enriched asset context to Netography Fusion from the Device42 asset management platform. It connects to the Device42 API to retrieve asset information from
- [Local File](https://docs.fusion.vectra.ai/netofuse/modules/local-file.md): About The Local File NetoFuse module provides enriched asset context to Netography Fusion from a CSV or JSON file read from the local filesystem. It reads, transforms, and uploads Context Labels to th
- [Microsoft](https://docs.fusion.vectra.ai/netofuse/modules/microsoft.md): Supported Products Microsoft Defender For Endpoint The Microsoft Defender for Endpoint NetoFuse module provides enriched asset context to Netography Fusion from Microsoft Defender for Endpoint. It con
- [RunZero](https://docs.fusion.vectra.ai/netofuse/modules/runzero.md): About The RunZero NetoFuse module provides enriched asset context to Netography Fusion from the RunZero Cyber Asset Attack Surface Management platform. It connects to the RunZero API to retrieve asset
- [Tanium](https://docs.fusion.vectra.ai/netofuse/modules/tanium.md): About The Tanium NetoFuse module provides enriched asset context to Netography Fusion from Tanium. It connects to the Tanium GraphQL API to retrieve asset information and then uploads it as Context La
- [Tenable](https://docs.fusion.vectra.ai/netofuse/modules/tenable.md): About The Tenable Vulnerability Management NetoFuse module provides enriched asset context to Netography Fusion from Tenable Vulnerability Management. It connects to the Tenable API to retrieve asset,
- [Wiz](https://docs.fusion.vectra.ai/netofuse/modules/wiz2.md): Enrich asset context with vulnerability, network exposure, and issue data from the Wiz cloud security platform
- [Custom Modules](https://docs.fusion.vectra.ai/netofuse/modules/custom-modules.md): If you can get a file into a CSV or JSON format to disk from a data source, then using the Local File Module is the easiest way to integrate it with NetoFuse. To connect directly to APIs and more adva
- [Configure NetoFuse](https://docs.fusion.vectra.ai/netofuse/configure.md): Using the default configuration The Getting Started > Launch section provides the basic configuration steps to run a NetoFuse module. Where configuration is set NetoFuse reads configurations in the
- [NetoFuse CLI](https://docs.fusion.vectra.ai/netofuse/shell-commands.md): Using the CLI netofuse is a shell script that constructs a docker run command to execute commands in the container image if you are using the container deployment and have run the Docker host setup sc
- [NetoFuse Context Transforms](https://docs.fusion.vectra.ai/netofuse/context-transforms.md): About Context transform configurations define how the field names and values from a NetoFuse module are modified before being sent to Vectra Fusion as context label names and values. Default values ar
- [Security Considerations](https://docs.fusion.vectra.ai/netofuse/security-considerations.md): Overview NetoFuse has API access to Vectra Fusion to upload context labels and to the 3rd party product modules you are using to retrieve asset information. A threat actor that gains access to the sys
- [About NetoDNS](https://docs.fusion.vectra.ai/netodns/about-netodns.md)
- [Configure NetoDNS](https://docs.fusion.vectra.ai/netodns/configure-netodns.md)
- [Install NetoDNS (container)](https://docs.fusion.vectra.ai/netodns/install-netodns-container.md)
- [Install NetoDNS (Linux package)](https://docs.fusion.vectra.ai/netodns/install-netodns-linux-package.md)
- [Reading statistics from NetoDNS API](https://docs.fusion.vectra.ai/netodns/reading-statistics-from-netodns-api.md)
- [Security Considerations](https://docs.fusion.vectra.ai/netodns/security-considerations.md)

## API Recipes

- [API Recipes](https://docs.fusion.vectra.ai/api-recipes/readme.md)
- [curl: Authenticate to API using NETOSECRET](https://docs.fusion.vectra.ai/api-recipes/recipes/curl-authenticate-to-api-using-netosecret.md): Shell script that takes a NETOSECRET API key, builds a JWT request token, authenticates to the Fusion API, and outputs the bearer token to use in subsequent API calls.
- [NetoAPI Python class to create traffic sources in Fusion](https://docs.fusion.vectra.ai/api-recipes/recipes/netoapi-python-class-to-create-traffic-sources-in-fusion.md)
- [Retrieve a list of source IP addresses from the blocklist with the API](https://docs.fusion.vectra.ai/api-recipes/recipes/retrieve-a-list-of-source-ip-addresses-from-the-blocklist-with-the-api.md): An example of how to authenticate and then use the API to retrieve values from the blocklist.
- [Bulk add IP labels (php)](https://docs.fusion.vectra.ai/api-recipes/recipes/bulk-add-ip-labels-php.md)
- [Authenticate to the API](https://docs.fusion.vectra.ai/api-recipes/recipes/authenticate-to-the-api.md): Create a JWT request token and authenticate to the API with it, returning a JWT bearer token. Store the bearer token to a file.
- [Create a JWT request token](https://docs.fusion.vectra.ai/api-recipes/recipes/create-a-jwt-request-token.md): This simple recipe demonstrates how to encode a JWT request token and output it. The output can be used as the string to pass in the jwt params in the HTTP POST to /auth/token
- [Sanitize context label values](https://docs.fusion.vectra.ai/api-recipes/recipes/sanitize-context-label-values.md): Python code example of how to ensure invalid characters are not part of a context label value being sent to the context labels API.
- [netosecret.py - Python class and CLI](https://docs.fusion.vectra.ai/api-recipes/recipes/netosecret.py-python-class-and-cli.md): Python file containing the NetoSecret class to encode and decode a netosecret string and a CLI to interact with the secret on the command line.
- [netosecret.sh - bash script CLI](https://docs.fusion.vectra.ai/api-recipes/recipes/netosecret.sh-bash-script-cli.md): Bash shell script to encode and decode netosecret
- [Create a Traffic Source in Python](https://docs.fusion.vectra.ai/api-recipes/recipes/create-a-traffic-source-in-python.md)

## API Reference

- [API Overview](https://docs.fusion.vectra.ai/api-reference/readme.md)
- [API Recipes](https://docs.fusion.vectra.ai/api-reference/api-recipes.md)
- [Create a Netography API Key](https://docs.fusion.vectra.ai/api-reference/create-a-netography-api-key.md)
- [Authentication](https://docs.fusion.vectra.ai/api-reference/netography-apis/authentication.md)
- [Analytics](https://docs.fusion.vectra.ai/api-reference/netography-apis/analytics.md)
- [Raw Records Search](https://docs.fusion.vectra.ai/api-reference/netography-apis/raw-records-search.md)
- [Raw Records Fetch](https://docs.fusion.vectra.ai/api-reference/netography-apis/raw-records-fetch.md)
- [Block List](https://docs.fusion.vectra.ai/api-reference/netography-apis/block-list.md)
- [Intelligence](https://docs.fusion.vectra.ai/api-reference/netography-apis/intelligence.md)
- [Labels IPs](https://docs.fusion.vectra.ai/api-reference/netography-apis/labels-ips.md)
- [Labels Ports](https://docs.fusion.vectra.ai/api-reference/netography-apis/labels-ports.md)
- [Configuration](https://docs.fusion.vectra.ai/api-reference/netography-apis/configuration.md)
- [Detect And Respond Detection Categories](https://docs.fusion.vectra.ai/api-reference/netography-apis/detect-and-respond-detection-categories.md)
- [Detect And Respond Traffic Detection Models](https://docs.fusion.vectra.ai/api-reference/netography-apis/detect-and-respond-traffic-detection-models.md)
- [Detect And Respond Context Creation Models](https://docs.fusion.vectra.ai/api-reference/netography-apis/detect-and-respond-context-creation-models.md)
- [Detect And Respond Response Policies](https://docs.fusion.vectra.ai/api-reference/netography-apis/detect-and-respond-response-policies.md)
- [Detect And Respond Threshold Overrides](https://docs.fusion.vectra.ai/api-reference/netography-apis/detect-and-respond-threshold-overrides.md)
- [Traffic Sources Devices](https://docs.fusion.vectra.ai/api-reference/netography-apis/traffic-sources-devices.md)
- [Traffic Sources DNS Devices](https://docs.fusion.vectra.ai/api-reference/netography-apis/traffic-sources-dns-devices.md)
- [Traffic Sources VPCs](https://docs.fusion.vectra.ai/api-reference/netography-apis/traffic-sources-vpcs.md)
- [Integrations Context](https://docs.fusion.vectra.ai/api-reference/netography-apis/integrations-context.md)
- [Integrations Response](https://docs.fusion.vectra.ai/api-reference/netography-apis/integrations-response.md)
- [Tags](https://docs.fusion.vectra.ai/api-reference/netography-apis/tags.md)
- [Roles](https://docs.fusion.vectra.ai/api-reference/netography-apis/roles.md)
- [Users](https://docs.fusion.vectra.ai/api-reference/netography-apis/users.md)
- [API Keys](https://docs.fusion.vectra.ai/api-reference/netography-apis/api-keys.md)
- [Resellers](https://docs.fusion.vectra.ai/api-reference/netography-apis/resellers.md)
- [Settings Traffic Classification](https://docs.fusion.vectra.ai/api-reference/netography-apis/settings-traffic-classification.md)
- [Settings Security](https://docs.fusion.vectra.ai/api-reference/netography-apis/settings-security.md)
- [Auto Thresholds](https://docs.fusion.vectra.ai/api-reference/netography-apis/auto-thresholds.md)
- [MITRE ATT&CK](https://docs.fusion.vectra.ai/api-reference/netography-apis/mitre-att-and-ck.md)
- [Models](https://docs.fusion.vectra.ai/api-reference/netography-apis/models.md)


