{"version":1,"pages":[{"id":"wjcAotT1cBcxsEtDcGoS","title":"Welcome to Vectra Fusion","pathname":"/","siteSpaceId":"sitesp_pz8oP","description":"🏁 Quick Start Guides The quick start guides walk you through setting up and starting to use Fusion. The first step is to integrate with a cloud provider. Getting started with AWS Getting started with","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"CazrzXM25crcEpmEygdm","title":"Home","pathname":"/quick-start/home","siteSpaceId":"sitesp_pz8oP","description":"Before you have added a traffic source to Fusion, the home page will display a screen with instructions on how to add your first traffic source. Once you have added a traffic source, it will change to","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"X65kX4cMzkG1PSbfB8aS","title":"Fusion Portal Layout","pathname":"/quick-start/layout","siteSpaceId":"sitesp_pz8oP","description":"ID Area Description 1 Top Dynamic Page Title, Page Tabs, Stationary Elements, Settings Icon 2 Left User ID and Menu and Main Navigation 3 Center-Top Controller (Global Filter) 4 Center Page Content 5","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"gOKJnnMFUUV1WKB1HYTO","title":"Need More Help?","pathname":"/quick-start/support","siteSpaceId":"sitesp_pz8oP","emoji":"270b","description":"We are happy to help you configure or troubleshoot any issues you run into using Fusion or integrating it with other systems. 
If you have additional questions or need assistance, you can reach us at:","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"EjS3P7fGxLxWIomQtoqp","title":"Quickstart: AWS","pathname":"/quick-start/quickstart-aws","siteSpaceId":"sitesp_pz8oP","description":"Getting started with Amazon AWS","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"XQwyP8qQUQ6G3KVf0LLL","title":"Video Guides","pathname":"/quick-start/quickstart-aws/video-guides-1","siteSpaceId":"sitesp_pz8oP","emoji":"1f3a5","description":"Below is a video series based on the steps in the Quickstart: AWS guide for Flow Log Ingestion , Context Enrichment , and DNS Ingestion . These videos augment the written guides but can't replace them","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"p6EoxW31y4s6kuVz1WoX","title":"Create S3 bucket","pathname":"/quick-start/quickstart-aws/create-s3-bucket","siteSpaceId":"sitesp_pz8oP","description":"Navigate to S3 in the AWS console Create a bucket. Note: You'll want to create the S3 bucket in same region as your VPC. Give your bucket a name. Leave all settings as default, or follow the policies","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"p9kXTssPhPfeL827DHVc","title":"Create the SNS topic","pathname":"/quick-start/quickstart-aws/create-the-sns-topic","siteSpaceId":"sitesp_pz8oP","description":"Navigate to SNS in the AWS console Create a topic Leave all settings as default and click Create Topic Save the SNS topic ARN in a text file. 
This will come in handy later.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"Yaf3tfSOJeBXGovZZcrS","title":"Create the SQS queue","pathname":"/quick-start/quickstart-aws/create-the-sqs-queue","siteSpaceId":"sitesp_pz8oP","description":"Navigate to SQS in the AWS console Create a queue Give the queue a name Under Configuration , Set Message retention to 1 day Under Access policy , click Advanced . Delete the default JSON in the Advan","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"r0VKXidqEhBjdyyLI2Op","title":"Subscribe to Amazon SNS topic","pathname":"/quick-start/quickstart-aws/subscribe-to-amazon-sns-topic","siteSpaceId":"sitesp_pz8oP","description":"After you've completed the previous step of creating the SQS queue, you'll find the Subscribe to Amazon SNS topic button on the lower half of the Amazon SQS page. Click Subscribe to Amazon SNS topic S","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"s73I4pRTgE4tB0T4LIUm","title":"Create IAM policy","pathname":"/quick-start/quickstart-aws/create-iam-policy","siteSpaceId":"sitesp_pz8oP","description":"Navigate to IAM in the AWS console Under Access management in the sidebar menu click Policies Click Create policy Select the JSON tab and delete the default text. Copy and paste in the JSON below. 
Rep","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"xVQoswfQlgYSM6uqVIK8","title":"Create custom role","pathname":"/quick-start/quickstart-aws/create-custom-role","siteSpaceId":"sitesp_pz8oP","description":"On the IAM page under Access management in the sidebar menu click Roles Click Create role Select AWS account You're going to need Netography's Account ID and the custom External ID created in your Fus","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"AYCtzLEGY7LOv92e36ZH","title":"Create an event notification","pathname":"/quick-start/quickstart-aws/create-an-event-notification","siteSpaceId":"sitesp_pz8oP","description":"Navigate to S3 in the AWS console Click on your S3 bucket created in a previous step Click the Properties tab Scroll down to event notifications and click Create event notification Give this event a n","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"vrdzoJYDuAEqganrNjLv","title":"Enable VPC flow logs","pathname":"/quick-start/quickstart-aws/enable-vpc-flow-logs-1","siteSpaceId":"sitesp_pz8oP","description":"Navigate to VPC in the AWS console Under Resources by Region Select VPCs The next step will use the CloudShell, where you'll copy and paste a CLI command to more efficiently and accurately enable work","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"CEz7yyxb0QyDwM01giwz","title":"Add AWS as a new traffic source in Fusion","pathname":"/quick-start/quickstart-aws/add-aws-as-a-new-flow-source-in-fusion","siteSpaceId":"sitesp_pz8oP","description":"In Netography Fusion navigate to Settings -> Traffic Sources -> Add Traffic Source Select AWS S3 VPC Fill out the AWS S3 VPC Traffic Source flow form: Name: This will be the Name of 
your configu","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"nR7MVrKZIoLPdP6sbEtm","title":"Add context integration to Fusion","pathname":"/quick-start/quickstart-aws/add-context-integration-to-fusion","siteSpaceId":"sitesp_pz8oP","description":"Context permissions were already granted via the Custom role created in a previous step. This document is all that is needed to enable context enrichment for AWS in Netography Fusion. Navigate to Sett","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"OftLLPCZAMKld9YJKpmk","title":"Enable DNS query logging in AWS","pathname":"/quick-start/quickstart-aws/enable-dns-query-logging-in-aws","siteSpaceId":"sitesp_pz8oP","description":"📘 It is recommended to create a new S3 bucket to be used only for DNS query log storage See our Create S3 bucket steps. Navigate to Route53 in the AWS console Under Resolver in the sidebar, click Que","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"xcBw7ruexPUtMZZyH4Dn","title":"Add DNS as a traffic source in Fusion","pathname":"/quick-start/quickstart-aws/add-dns-as-a-traffic-source-in-fusion","siteSpaceId":"sitesp_pz8oP","description":"Navigate to Settings -> Traffic Sources -> Add Traffic Source Under DNS select AWS S3 VPC Fill out the AWS S3 VPC Traffic Source form: VPC ID: The VPC ID you enabled query logs for Account ID: Y","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: AWS"}]},{"id":"AQSSltzLsj21cbxo0BK5","title":"Quickstart: GCP","pathname":"/quick-start/quickstart-gcp","siteSpaceId":"sitesp_pz8oP","description":"Getting started with GCP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"jZSIgzoIgx2Ho4ejAJsy","title":"Diagram: GCP 
Integration to Fusion","pathname":"/quick-start/quickstart-gcp/diagram-gcp","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"DDmdZadxE6ZWZ2Bs2mpm","title":"Video Guides","pathname":"/quick-start/quickstart-gcp/video-guides","siteSpaceId":"sitesp_pz8oP","emoji":"1f3a5","description":"Below is a video series based on steps in the Quickstart: GCP for Flow Log Ingestion , Context Enrichment , and DNS Ingestion . These videos are meant to augment the written guides but can't replace t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"Dvpsp1yghmhezSPA7nFF","title":"Enable VPC Flow Logs (Network Management API)","pathname":"/quick-start/quickstart-gcp/enable-network-management-api-flow-logs","siteSpaceId":"sitesp_pz8oP","description":"The Network Management API lets you configure VPC Flow Logs for organizations, Virtual Private Cloud (VPC) networks, subnets, VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels. 
📘 Before","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"8M5kpXQGbfoCEw00fTG9","title":"Create a Pub/Sub topic","pathname":"/quick-start/quickstart-gcp/create-a-pubsub-topic","siteSpaceId":"sitesp_pz8oP","description":"Create a Cloud Pub/Sub topic 📘 Onboarding multiple projects at an organization or folder level: You can create a single topic in a designated project that you will use for centralized logging resourc","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"a7RHz50sbAf4nZx8JF1D","title":"Logging sink design patterns","pathname":"/quick-start/quickstart-gcp/logging-sink-design-patterns","siteSpaceId":"sitesp_pz8oP","description":"📘 Choosing the right design pattern for GCP logging sinks: There is no single design for GCP logging sinks that is right for all organizations. Reach out to Netography Support if you would like furth","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"nBBP2AqZL6UHbyILRQw0","title":"Create a Logging Sink Pub/Sub for the topic","pathname":"/quick-start/quickstart-gcp/create-a-logging-sink-pubsub-for-the-topic","siteSpaceId":"sitesp_pz8oP","description":"Create a Cloud Logging Sink Pub/Sub Go to the Log Router page in the Google Cloud console. Select the project to create the sink in. If you are using an aggregated sink, you will want to select a fold","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"02PpDEagKUp1y8aj3JH2","title":"Create a Pub/Sub pull subscription","pathname":"/quick-start/quickstart-gcp/create-a-pubsub-pull-subscription","siteSpaceId":"sitesp_pz8oP","description":"Create a Pub/Sub Pull Subscription to a topic Go to the Topics page in the Google Cloud console. 
Click ⋮ next to the topic you created in a previous step and select Create Subscription . Fill out the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"Jt29pN8F9GoC6kMlGsoR","title":"GCP service account permissions","pathname":"/quick-start/quickstart-gcp/gcp-service-account-permissions","siteSpaceId":"sitesp_pz8oP","description":"Give Netography's GCP service account permission to be added as a principal to the Pub/Sub subscription 📘 The following steps are a prerequisite for adding Netography as a principal to the Pub/Sub su","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"9QWUevsw55mEWs6cf7P1","title":"Add Netography as a principal","pathname":"/quick-start/quickstart-gcp/add-netography-as-a-principal","siteSpaceId":"sitesp_pz8oP","description":"Add Netography's GCP service account as a principal to the Pub/Sub subscription Go to the Subscriptions page in the Google Cloud console. 
Select the subscription you created in the previous step to br","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"ItGak0UVIVxjIbR3fpV7","title":"Add GCP as a new flow source in Netography Fusion","pathname":"/quick-start/quickstart-gcp/add-gcp-as-a-new-flow-source-in-netography-fusion","siteSpaceId":"sitesp_pz8oP","description":"Add a new GCP flow source to Fusion In the Fusion portal, click the ⚙️ -> Settings -> Traffic Sources -> Add Traffic Source -> Flow GCP Add the GCP Project ID containing the Pub/Sub subscr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"K45w85Jzh2xJTj4EsV8F","title":"Add context integration to Fusion","pathname":"/quick-start/quickstart-gcp/context-integration","siteSpaceId":"sitesp_pz8oP","description":"📘 You need a GCP service account to setup a context integration.: Follow the initial steps below to create one. 1. Create a GCP service account Go to the Service Accounts page Click Create Service Ac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"OEA0rDWlMBQkyBfOqeAJ","title":"Adding DNS as a Traffic Source","pathname":"/quick-start/quickstart-gcp/adding-dns-as-a-traffic-source","siteSpaceId":"sitesp_pz8oP","description":"Enable DNS logging Before you can start, you need to use DNS policies to enable logging for your networks. 
When you enable query logging, every DNS query to a Cloud DNS private managed zone is logged,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: GCP"}]},{"id":"P85NhoWk0H7cblZjZ3yh","title":"Quickstart: Azure","pathname":"/quick-start/quickstart-azure","siteSpaceId":"sitesp_pz8oP","description":"Getting started with Microsoft Azure","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"VSQnhvj23Fi1IFSzC38O","title":"Set working subscription","pathname":"/quick-start/quickstart-azure/set-working-subscription","siteSpaceId":"sitesp_pz8oP","description":"Access Azure Cloud Shell to run CLI commands from your web browser using az. List our Subscription IDs. az account list --output table Name CloudName SubscriptionId TenantId State IsDefault ----------","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"IvFzQGlfSAz9ak53xAKV","title":"Register Microsoft Insights Provider","pathname":"/quick-start/quickstart-azure/register-microsoft-insights-provider","siteSpaceId":"sitesp_pz8oP","description":"Access Azure Cloud Shell to run CLI commands from your web browser using az. Check if Microsoft.Insights is not yet registered. az provider show --namespace Microsoft.Insights --query \"registrationSta","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"pgtQA6raanUdJkgmUgAg","title":"Create a storage account","pathname":"/quick-start/quickstart-azure/create-a-storage-account","siteSpaceId":"sitesp_pz8oP","description":"Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a Storage account in the same region as your Virtual Network . 
List your Virtual Networks , their Resource groups ,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"JqopfCYOUuAZdqinifgM","title":"Create a flow log","pathname":"/quick-start/quickstart-azure/create-a-flow-log","siteSpaceId":"sitesp_pz8oP","description":"Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a Flow Log to be read by Netography Fusion. az network watcher flow-log create \\\\ --location \\$REGION> \\\\ --name","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"mAqB9Nz6kKGIgKosK1Ow","title":"Add Azure VNet as a new flow source in Netography Fusion","pathname":"/quick-start/quickstart-azure/add-azure-vnet-as-a-new-flow-source-in-netography-fusion","siteSpaceId":"sitesp_pz8oP","description":"In Netography Fusion navigate to Settings -> Traffic Sources -> Add Traffic Source Select Azure VNet Fill out the Azure traffic source flow form: Name: This will be the Name of your configuratio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"sxIcBN7colIqjJmqcMwT","title":"Add Context Integration to Fusion","pathname":"/quick-start/quickstart-azure/add-context-integration","siteSpaceId":"sitesp_pz8oP","description":"Access Azure Cloud Shell to run CLI commands from your web browser using az. Create a new App Registration with 'accounts in this organizational directory only' preselected. 
You can use any Display Na","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"},{"label":"Quickstart: Azure"}]},{"id":"atQjl8rsgguRzqr46yVn","title":"Quickstart: Events","pathname":"/quick-start/introduction-to-events","siteSpaceId":"sitesp_pz8oP","emoji":"1f3a5","description":"Getting started with events","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"FJucPTkIkPnfTtyrmIKq","title":"Quickstart: Dashboards","pathname":"/quick-start/introduction-to-dashboards","siteSpaceId":"sitesp_pz8oP","emoji":"1f3a5","description":"Getting Started with Dashboards","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Quick Start","emoji":"1f3c1"}]},{"id":"AZGKYOQQjUyyTbjEwOAO","title":"Ingest Flow Logs","pathname":"/ingest-network-traffic-logs/flow-logs","siteSpaceId":"sitesp_pz8oP","description":"Configure network flow logs to be ingested by Fusion by following the instructions below. If this is your first time configuring Fusion, the Quick Start Guides for AWS, Azure, & GCP are the best p","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"}]},{"id":"rd8pfhQ1yIhVjEHmi10e","title":"Azure NSG Flow Logs Setup","pathname":"/ingest-network-traffic-logs/flow-logs/azure-network-security-group-flow-logs-azure-console-setup-method","siteSpaceId":"sitesp_pz8oP","description":"Microsoft Azure Console method","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"j7NBPUulVlYaTZVzLRqI","title":"Azure NSG Setup (Resource Manager method)","pathname":"/ingest-network-traffic-logs/flow-logs/azure-network-security-group-flow-logs-azure-resource-manager-setup-method","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of Azure NSG Flow Logs. There are three methods shown. 
The first being in the Azure Portal, second Azure CLI, and third Azure Resourc","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"gfur1VbK5gl7Yj586d9U","title":"Azure Virtual network (VNet) Flow Log Setup","pathname":"/ingest-network-traffic-logs/flow-logs/azure-vnet-flow-log-configuration","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion ingests Virtual network (VNet) flow logs from Azure via an Azure Storage account. The steps to integrate with Azure are: Register Microsoft Insights provider (in each Azure subscript","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"ilYEdW0a9J0GfCheXafH","title":"AWS VPC via S3 Setup (CloudFormation method)","pathname":"/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-s3-aws-cloudformation-setup-method-recommended","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of AWS VPC Flow Logs with an S3 bucket and configure log notification with SNS and SQS using AWS CloudFormation. 🚧 It is recommended","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"ejCyzENGqTSkAodWDA6c","title":"AWS VPC via S3 Setup (AWS Console method)","pathname":"/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-s3-aws-console-setup-method","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of AWS VPC Flow Logs with an S3 bucket and configure log notification with SNS and SQS using the AWS Console. 
🚧 It is recommended th","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"t5DLEF8W2Ax7EIJX1jYT","title":"AWS S3 Transit Gateway Flow Logs","pathname":"/ingest-network-traffic-logs/flow-logs/aws-transit-gateway-flow-logs","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of AWS Transit Gateway Flow Logs with an S3 bucket and configure log notification with SNS and SQS using the AWS Console. 🚧 It is re","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"jhl5YakER8dLvFVI1I0O","title":"AWS VPC via Kinesis Setup","pathname":"/ingest-network-traffic-logs/flow-logs/aws-vpc-flow-logs-via-kinesis","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of AWS VPC Flow Logs with AWS Kinesis. Limitations/Notes This is for provisioning(create/delete) only. Edits must be done manually bu","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"gVZNLVQKZjm46G2hne30","title":"GCP VPC Flow Logs via Pub/Sub Setup","pathname":"/ingest-network-traffic-logs/flow-logs/gcp-flow-logs-via-pubsub","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion ingests VPC flow logs from Google Cloud Platform (GCP) via a GCP Pub/Sub subscription. 
The steps to integrate with GCP are: Enable VPC flow logs Create a Pub/Sub topic Create a Cloud","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"t0atYxhDmpkF9k6ZxfPO","title":"IBM Cloud VPC Flow Logs via Cloud Object Storage Setup","pathname":"/ingest-network-traffic-logs/flow-logs/ibm-cloud-flow-logs-via-cloud-object-storage","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring the collection of IBM Cloud VPC Flow Logs with IBM Cloud Object Storage.Note: VPC Flow Logs are only available on VPC Infrastructure Gen 2 Console S","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"kn9yb0WbIKvLWPzH2yH8","title":"Oracle Cloud VCN Flow Logs via Cloud Object Storage Setup","pathname":"/ingest-network-traffic-logs/flow-logs/oracle-cloud-infrastructure-flow-logs-via-cloud-object-storage","siteSpaceId":"sitesp_pz8oP","description":"Console Steps Create User Group Using the search bar type \"identity\" and click \"Groups\" under Services to be brought to the configuration page. Click \"Create Group\" Fill in the name and description. Y","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest Flow Logs"}]},{"id":"uDKcbCxUNUFezAFzAcAR","title":"Ingest DNS Logs","pathname":"/ingest-network-traffic-logs/dns-logs","siteSpaceId":"sitesp_pz8oP","description":"See DNS in Fusion for more information about how to use DNS resolver logs in Fusion. 
If you are setting up AWS or GCP for the first time, the Quick Start Guides for AWS and GCP have end-to-end steps f","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"}]},{"id":"S5M4iEds8xcT3Gabih7K","title":"Use DNS in Fusion","pathname":"/ingest-network-traffic-logs/dns-logs/dns-in-fusion-copy","siteSpaceId":"sitesp_pz8oP","description":"Recursive DNS request and response logs are a valuable data source for network forensics. Fusion supports DNS log ingestion from Amazon Web Services (AWS) Route 53 and Google Cloud Platform (GCP) . Su","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest DNS Logs"}]},{"id":"3H9U6dBTwLPZbJ7jx93F","title":"AWS Route 53 DNS Logs via S3 Setup (Console)","pathname":"/ingest-network-traffic-logs/dns-logs/dns-source-aws","siteSpaceId":"sitesp_pz8oP","description":"If you have already configured your AWS account to ingest VPC flow logs to Fusion using an S3 bucket and IAM role, the additional steps required to ingest DNS resolver query logs are: Configure Resolv","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest DNS Logs"}]},{"id":"ddKw9RVzt5N37AOr5wt7","title":"Cisco Umbrella DNS Logs via S3 Setup (Console)","pathname":"/ingest-network-traffic-logs/dns-logs/cisco-umbrella-dns-logs-via-s3-setup-console","siteSpaceId":"sitesp_pz8oP","description":"If you have already configured your Cisco Umbrella DNS Logs be stored in an AWS S3 bucket these steps can have them ingested into Fusion: Enable Cisco Umbrella DNS Log Export to S3: Configure Cisco Um","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest DNS Logs"}]},{"id":"ttz5Og0DdwC6bsFhGKPN","title":"GCP Cloud DNS Logs via Pub/Sub Setup","pathname":"/ingest-network-traffic-logs/dns-logs/dns-source-gcp","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion ingests Google Cloud 
Platform (GCP) Cloud DNS logs via a GCP Pub/Sub subscription. The steps to integrate with GCP are: Prerequisite: If you have a Domain Restricted Sharing Organiza","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest DNS Logs"}]},{"id":"t5qkxjKiNDlTdoER76hg","title":"Infoblox NIOS DNS Logs via NetoDNS syslog","pathname":"/ingest-network-traffic-logs/dns-logs/infoblox-nios-dns-logs-via-netodns-syslog","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest DNS Logs"}]},{"id":"3NnNiRksxUEvsUBfBd1C","title":"Ingest NetFlow & sFlow","pathname":"/ingest-network-traffic-logs/netflow-sflow","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion collects flow records from network devices, including routers, switches, firewalls, and any other device that can output NetFlow, sFlow, or IPFIX. There are two methods for ingesting","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"}]},{"id":"PfVuJHaTq8LZcQkkCDxB","title":"Ingest NetFlow/sFlow from network devices via direct UDP","pathname":"/ingest-network-traffic-logs/netflow-sflow/ingesting-netflow-direct","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion collects flow records from network devices, including routers, switches, firewalls, and any other device that can output NetFlow, sFlow, or IPFIX. 
This page documents how to directly","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest NetFlow & sFlow"}]},{"id":"yqyFhvZIbsCBDMKja6DB","title":"Ingest NetFlow/sFlow via the NetoFlow Connector","pathname":"/ingest-network-traffic-logs/netflow-sflow/traffic-source-netoflow","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion collects flow records from network devices, including routers, switches, firewalls, and any other device that can output NetFlow, sFlow, or IPFIX. This page documents how to add NetF","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest NetFlow & sFlow"}]},{"id":"m4nlFvW9m5MffQmHIKoE","title":"NetFlow and sFlow","pathname":"/ingest-network-traffic-logs/netflow-sflow/netflow-and-sflow","siteSpaceId":"sitesp_pz8oP","description":"NetFlow About NetFlow NetFlow is a telemetry protocol that allows for the collection of IP statistics on interfaces where it is enabled. a \"flow\" is a unidirectional data set. That is to say, it's one","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Ingest NetFlow & sFlow"}]},{"id":"i5CkN3pqehJljMNQQSUQ","title":"Automating AWS Cloud Onboarding","pathname":"/ingest-network-traffic-logs/automating-aws-cloud-onboarding","siteSpaceId":"sitesp_pz8oP","description":"Overview Consider these three options for configuring AWS VPC flow logs and onboarding them to Fusion as traffic sources: 1. 
Manual Onboarding (AWS Console and Fusion Console, aws CLI, and/or Single-S","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"}]},{"id":"U2W7gRjEy8PhHompUCeB","title":"Netography AWS Onboarding Guide for Cloud Automation Engineers","pathname":"/ingest-network-traffic-logs/automating-aws-cloud-onboarding/aws-configuration-automation-for-multiple-vpcs","siteSpaceId":"sitesp_pz8oP","description":"Introduction If you have not yet reviewed the options for how to onboard AWS VPC flow logs to Fusion, see: Automating AWS Cloud Onboarding . If you have done so and determined that you will be integra","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Automating AWS Cloud Onboarding"}]},{"id":"vLhJQb392OreXJlyVLp3","title":"Netography AWS VPC CloudFormation Stack Automation","pathname":"/ingest-network-traffic-logs/automating-aws-cloud-onboarding/netography-aws-cloudformation-automation","siteSpaceId":"sitesp_pz8oP","description":"If your company is using CloudFormation Stacks to manage and deploy VPC resources across your AWS organization, this guide should serve as a starting point for onboarding new devices to Netography Fus","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Ingest Network Traffic Logs"},{"label":"Automating AWS Cloud Onboarding"}]},{"id":"Rs3N26rfbL1q5wCk6jpG","title":"Configure Context Integrations","pathname":"/enrich-traffic-with-context/configure-context-integrations","siteSpaceId":"sitesp_pz8oP","description":"About Context Integrations Context integrations provide enriched asset context to Netography Fusion from third-party products. 
This is done by reading asset information from the external product (gene","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"}]},{"id":"4Cu470niJONlHxTyUFqO","title":"AWS","pathname":"/enrich-traffic-with-context/configure-context-integrations/aws","siteSpaceId":"sitesp_pz8oP","description":"Enrich asset context with asset information from AWS","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"KNlWh5iUqW6AdKLZMe99","title":"Axonius","pathname":"/enrich-traffic-with-context/configure-context-integrations/axonius-context","siteSpaceId":"sitesp_pz8oP","description":"About The Axonius context integration provides enriched asset context to Netography Fusion from Axonius. It connects to the Axonius Platform API to retrieve asset information and then adds Context Lab","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"z629nDUfcywGtqJg7k3r","title":"Azure","pathname":"/enrich-traffic-with-context/configure-context-integrations/azure","siteSpaceId":"sitesp_pz8oP","description":"Enrich asset context with asset information from Azure","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"EN3kh28JpzD6h00mEqHl","title":"Claroty","pathname":"/enrich-traffic-with-context/configure-context-integrations/claroty-context","siteSpaceId":"sitesp_pz8oP","description":"About The Claroty NetoFuse module provides enriched asset context to Netography Fusion from Claroty Industrial Cybersecurity appliances. 
It connects to the Claroty CTD/EMC API to retrieve asset inform","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"2Umu8eYdCmHObKdBMU7N","title":"CrowdStrike Falcon Discover","pathname":"/enrich-traffic-with-context/configure-context-integrations/crowdstrike-falcon-discover","siteSpaceId":"sitesp_pz8oP","description":"🚧 The CrowdStrike Falcon Discover module is required for this integration. This document provides instructions for configuring CrowdStrike in order for the Netography Context Integration to have the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"kKRDHEVQ1webnTCKcRel","title":"CrowdStrike Falcon Protect","pathname":"/enrich-traffic-with-context/configure-context-integrations/crowdstrike-falcon-protect","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring CrowdStrike in order for the Netography Context Integration to have the correct access to pull label contexts. Prerequisites Before configuring the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"W9IEco93EZJK1PbkvYp5","title":"CSV via S3","pathname":"/enrich-traffic-with-context/configure-context-integrations/csv-via-s3","siteSpaceId":"sitesp_pz8oP","description":"The CSV via S3 context Integration method allows you to import Context Labels from a CSV format file stored in an AWS S3 storage bucket. 
This integration can be set to run manually or to auto-update a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"n60bdb7AchtHsHhRGGlG","title":"Device42","pathname":"/enrich-traffic-with-context/configure-context-integrations/device42-context","siteSpaceId":"sitesp_pz8oP","description":"About The Device42 context integration provides enriched asset context to Netography Fusion from the Device42 asset management platform. It connects to the Device42 API to retrieve asset information f","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"4Q9tCNKcAq6BPYec7QQe","title":"GCP","pathname":"/enrich-traffic-with-context/configure-context-integrations/gcp","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring Google Cloud Provider (GCP) in order for the Netography Context Integration to have the correct access to pull label contexts. GCP Configuration 1.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"GkO6o1mgZPta1vaO6YKJ","title":"IBM Cloud","pathname":"/enrich-traffic-with-context/configure-context-integrations/ibm","siteSpaceId":"sitesp_pz8oP","description":"Prerequisites Configure API Key Before configuring the IBM Cloud Context Integration in Netography, you will need to have an API key already configured or set up. 
To set up an IBM Cloud API key, follo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"iszA09e59QW6UW3Rwxap","title":"Microsoft Defender","pathname":"/enrich-traffic-with-context/configure-context-integrations/microsoft-defender-context","siteSpaceId":"sitesp_pz8oP","description":"Supported Products Microsoft Defender For Endpoint Microsoft Defender XDR ⚖️ Choosing which context integration to use: Both Microsoft Defender context integrations can be used to provide enriched ass","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"JKFYqq1ghL8lLzAIVmq5","title":"Oracle Cloud Infrastructure","pathname":"/enrich-traffic-with-context/configure-context-integrations/oracle-cloud","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring Oracle Cloud Infrastructure (OCI) in order for the Netography Context Integration to have the correct access to pull label contexts. Prerequisites B","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"GVpuGTHdYMdeTeMucZUU","title":"RunZero","pathname":"/enrich-traffic-with-context/configure-context-integrations/runzero-context","siteSpaceId":"sitesp_pz8oP","description":"About The RunZero NetoFuse module provides enriched asset context to Netography Fusion from the RunZero Cyber Asset Attack Surface Management platform. 
It connects to the RunZero API to retrieve asset","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"eVQ4OkHqw9yqymfKlrYA","title":"SentinelOne","pathname":"/enrich-traffic-with-context/configure-context-integrations/sentinelone","siteSpaceId":"sitesp_pz8oP","description":"This document provides instructions for configuring SentinelOne in order for the Netography Context Integration to have the correct access to pull label contexts. Prerequisites Configure API token Bef","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"3H7hC9cvEIiI5SUyZG7P","title":"Tanium","pathname":"/enrich-traffic-with-context/configure-context-integrations/tanium-context","siteSpaceId":"sitesp_pz8oP","description":"About The Tanium context integration provides enriched asset context to Netography Fusion from Tanium. It connects to the Tanium GraphQL API to retrieve asset information and then adds Context Labels","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"t3zNAvBT0uQE9A9pZwxs","title":"Tenable","pathname":"/enrich-traffic-with-context/configure-context-integrations/tenable-context","siteSpaceId":"sitesp_pz8oP","description":"About The Tenable Vulnerability Management context integration provides enriched asset context to Netography Fusion from Tenable Vulnerability Management. 
It connects to the Tenable API to retrieve as","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"VRvxu8Qq7Ossc9tDjf1w","title":"Wiz","pathname":"/enrich-traffic-with-context/configure-context-integrations/wiz","siteSpaceId":"sitesp_pz8oP","description":"Wiz context integration for Netography Fusion, offering vulnerability data, enhanced issue and network exposure handling, and customizable context fields using NetoFuse transforms.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"},{"label":"Configure Context Integrations"}]},{"id":"CB9EP1pIXENgdwrIDaxR","title":"Understand Context Labels","pathname":"/enrich-traffic-with-context/labels","siteSpaceId":"sitesp_pz8oP","description":"About Context Labels Context labels are strings that are associated with an IP address in Fusion to help provide context about network activity. Context labels can be used for: Visually differentiatin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Enrich Traffic with Context"}]},{"id":"Ysz7qDeaGOYQ9ZD4lwBg","title":"Automating Response in Fusion","pathname":"/automate-responses/response","siteSpaceId":"sitesp_pz8oP","description":"Fusion allows you to create a set of automated responses to events. A response can be a notification sent to a third-party system or a blocking action provided by a third-party system. 
To automate a r","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"}]},{"id":"tilRfPpWy1q1TNy9MoUZ","title":"Configuring Response Integrations","pathname":"/automate-responses/configuring-response-integrations","siteSpaceId":"sitesp_pz8oP","description":"There are four types of response integrations offered by Netography: BLOCK DNS Blocklist CrowdStrike Flowspec RTBH AWS Route 53 NS1 NOTIFICATION TRAFFIC BigPanda Email Microsoft Teams Pagerduty Panthe","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"}]},{"id":"sZyl1UaH6EfES63R5al9","title":"AWS Route 53 (Response Integration)","pathname":"/automate-responses/configuring-response-integrations/route-53","siteSpaceId":"sitesp_pz8oP","description":"DNS Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"oZL0rdHfTP0qRpKrROVA","title":"Big Panda","pathname":"/automate-responses/configuring-response-integrations/big-panda","siteSpaceId":"sitesp_pz8oP","description":"Prerequisites Before configuring in the Fusion portal, the Callback URL must be setup in Panther. For more details, follow the custom headers instructions from Big Panda. 
Netography Portal Steps In Se","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"g1k1akWjwVpXz0wZN986","title":"BGP","pathname":"/automate-responses/configuring-response-integrations/bgp","siteSpaceId":"sitesp_pz8oP","description":"Traffic Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"g1m50IJVtRnijdYtJd6T","title":"Blocklist","pathname":"/automate-responses/configuring-response-integrations/blocklist","siteSpaceId":"sitesp_pz8oP","description":"Block Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"ivrLk85vYrRoDhjskESS","title":"CrowdStrike","pathname":"/automate-responses/configuring-response-integrations/crowdstrike","siteSpaceId":"sitesp_pz8oP","description":"Block Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"kGzLzKcDkdcXKxq01UGU","title":"Email","pathname":"/automate-responses/configuring-response-integrations/email","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"ma3iwRlZbGl6I3sLSj31","title":"Flowspec","pathname":"/automate-responses/configuring-response-integrations/flowspec-1","siteSpaceId":"sitesp_pz8oP","description":"Block Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"4yVLpq6SCdDnzYol2lkV","title":"Flowspec 
(Custom)","pathname":"/automate-responses/configuring-response-integrations/flowspec-traffic","siteSpaceId":"sitesp_pz8oP","description":"Traffic Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"Gn20dxQPpGxLYO3xSdqu","title":"Microsoft Teams","pathname":"/automate-responses/configuring-response-integrations/microsoft-teams","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"qObak4kjQ13yKF7zi97R","title":"NS1","pathname":"/automate-responses/configuring-response-integrations/ns1","siteSpaceId":"sitesp_pz8oP","description":"DNS Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"N0HY7ajgK25G9b3p9gzF","title":"Pagerduty","pathname":"/automate-responses/configuring-response-integrations/pagerduty","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"PeHgBxP9eps9gIC7tz0v","title":"Panther","pathname":"/automate-responses/configuring-response-integrations/panther","siteSpaceId":"sitesp_pz8oP","description":"Prerequisites Before configuring in the Fusion portal, the http source webhook and shared secret authentication method must be setup in Panther. 
For more details, follow the HTTP log source setup inst","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"fHEgvFw7ARNaxklIkuvy","title":"Slack","pathname":"/automate-responses/configuring-response-integrations/slack","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"xCnhWGDQmKicljm6OjPq","title":"Splunk","pathname":"/automate-responses/configuring-response-integrations/splunk","siteSpaceId":"sitesp_pz8oP","description":"Usage By connecting Splunk's robust data analysis capabilities with Netography's network insights, organizations gain real-time alerting, monitoring, and comprehensive views of their security landscap","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"vQ11vqfEcO6Qmcn27P4i","title":"Sumo Logic","pathname":"/automate-responses/configuring-response-integrations/sumo-logic","siteSpaceId":"sitesp_pz8oP","description":"Usage The Sumo Logic syslog-based integration with the Netography product provides powerful log management and analytics capabilities tailored for modern applications. 
This integration offers streamli","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"hhrUu6F1P5m9QfR55N0z","title":"Twilio","pathname":"/automate-responses/configuring-response-integrations/twilio","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"rx1MCZrv5TjKb2gSKbjV","title":"RTBH","pathname":"/automate-responses/configuring-response-integrations/rtbh","siteSpaceId":"sitesp_pz8oP","description":"Block Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"afcuWasWbeh0Q77RsFuy","title":"Webhook","pathname":"/automate-responses/configuring-response-integrations/webhook","siteSpaceId":"sitesp_pz8oP","description":"Notification Type Response Integration","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"CZcKRProxfzecVREfh23","title":"Syslog","pathname":"/automate-responses/configuring-response-integrations/syslog","siteSpaceId":"sitesp_pz8oP","description":"Usage By integrating Syslog, users can consolidate logs from various devices or applications within their network into a centralized repository. This centralized logging enhances security, compliance,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"},{"label":"Configuring Response Integrations"}]},{"id":"kDFMPcmBm2zgfrZ2bbM8","title":"Configuring Response Policies","pathname":"/automate-responses/response-policies","siteSpaceId":"sitesp_pz8oP","description":"Response Policies allow you to define automated actions in response to events generated by Detection Models. 
By creating and configuring these policies, teams can streamline their incident response pr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"}]},{"id":"4XK2ZfnDo47Yx8JcrCCl","title":"Response Integration Blocks Dashboard","pathname":"/automate-responses/traffic-manager","siteSpaceId":"sitesp_pz8oP","description":"The Response Integration Blocks dashboard is a system dashboard available in the All section of the Dashboards page. If you use a block-type response integration to restrict traffic based on events in","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Automate Responses"}]},{"id":"goQ8Ev0GuiG86GK313vR","title":"Detection Models Overview","pathname":"/detection-models/overview","siteSpaceId":"sitesp_pz8oP","description":"Detection Models are designed to detect and alert you to potential threats, malicious activity, or unwanted traffic on a network. Detection Models use the Netography Query Language (NQL) within Netogr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"rr0ZOWygXEd6wVYb2u1Z","title":"Detection Model Configuration","pathname":"/detection-models/detection-trackby-thresholds","siteSpaceId":"sitesp_pz8oP","description":"✋ Writing your own detection model? 
We are here to help.: Chat with Netography's Detection Engineers in the \\#fusion-detections channel in Netography's Discord community, or send your question to Supp","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"ASghKOgbfw4fhtj9xDLG","title":"Detection Model Quick Reference Guide","pathname":"/detection-models/detection-model-quick","siteSpaceId":"sitesp_pz8oP","description":"Field Description Example General General configuration Name Unique name netbiosreflect Description Text description Netbios reflection attack Categories Detection categories t1498 Traffic Type Traffi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"UN6GWjw5hlWXEvgQEII1","title":"Adding a Detection Model","pathname":"/detection-models/add-detection-models","siteSpaceId":"sitesp_pz8oP","description":"Detection Models monitor network traffic and generate events when specific conditions are met. Context Creation Models assign context labels to IPs that match certain conditions. Each configuration wi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"LbaQ19Hh8d8JereVMuT0","title":"Auto Thresholding","pathname":"/detection-models/detection-auto-thresholding","siteSpaceId":"sitesp_pz8oP","description":"✋ Writing your own detection model? We are here to help.: For help using auto thresholding, or any detection model questions, chat with Netography's Detection Engineers in the \\#fusion-detections chan","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"jEdMEUseKvMNIYoKctJB","title":"Detection Model Library","pathname":"/detection-models/library","siteSpaceId":"sitesp_pz8oP","description":"Detection Categories Categorizing Fusion detections (aka NDMs) helps you understand the type of event encountered by Fusion. 
Attack Attack detections within Netography Fusion's Netography Detection Mo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"XRDpWwY9SUNjhoEYubZL","title":"Attack","pathname":"/detection-models/library/attack","siteSpaceId":"sitesp_pz8oP","description":"Attack detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to attempts to break into their networks remotely. These detec","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"gARrZ9JWdPsGKoTdoQi8","title":"external_tcp_4444","pathname":"/detection-models/library/attack/external_tcp_4444","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_tcp_4444 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 4444. Metasploit uses port 4444 by default for shell","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"4nZpCHfzhq4efE4OwAAE","title":"interactive_login_bad_rep","pathname":"/detection-models/library/attack/interactive_login_bad_rep","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered by the Netography Fusion Portal when it detects traffic inbound to an Internet facing SSH or RDP endpoint from a source IP address with a bad reputation. 
W","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"O3yRqs7Y9ZMgjOhzi9S6","title":"interactive_login_itar","pathname":"/detection-models/library/attack/interactive_login_itar","siteSpaceId":"sitesp_pz8oP","description":"Explanation The NDM analyzes network traffic to detect interactive login connections to SSH or RDP from IP addresses originating in countries listed under US Code 22 CFR § 126.1 “Prohibited exports, i","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"9nnm9ziLkhBcHjXHgsCq","title":"internal_tcp_4444","pathname":"/detection-models/library/attack/internal_tcp_4444","siteSpaceId":"sitesp_pz8oP","description":"Explanation The internal_tcp_4444 NDM flags connections on TCP port 4444 inside your network. Metasploit uses port 4444 by default for shell listeners that are setup after exploitation, so the use of","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"yoTs6lMxgEQvlZ31ZbIa","title":"long_inbound_https_bad_rep","pathname":"/detection-models/library/attack/long_inbound_https_bad_rep","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet facing HTTPS endpoint from a source IP address with a bad reputation, with s","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"rUBVNBEYzgoxScXLDpQd","title":"outbound_tcp_4444","pathname":"/detection-models/library/attack/outbound_tcp_4444","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_tcp_4444 NDM flags connections leaving the customer network to hosts listening on TCP port 4444. 
Metasploit uses port 4444 by default for shell listeners that are setup after","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"CwmQSX8LnT6B3Tsf0gzs","title":"tor_connection_external_internal","pathname":"/detection-models/library/attack/tor_connection_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography’s Fusion Portal when it detects traffic originating from a TOR network exit node communicating with monitored hosts. Traffic from the TOR network is n","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Attack"}]},{"id":"samMAUkI4T34T9xz6ehB","title":"Brute Force","pathname":"/detection-models/library/brute-force","siteSpaceId":"sitesp_pz8oP","description":"Brute Force detections within Netography Fusion's Netography Detection Models (NDMs) are designed to identify and alert network administrators to activities associated with attempts at guessing userna","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"Buizj9wiTdRlYCBQZ7PH","title":"dcerpc_brute_external_internal","pathname":"/detection-models/library/brute-force/dcerpc_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"SxIe70yS6piJmv9DZAlX","title":"dcerpc_brute_internal_external","pathname":"/detection-models/library/brute-force/dcerpc_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by 
Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"LottB4Qu0d0yMl27qmP4","title":"dcerpc_brute_internal_internal","pathname":"/detection-models/library/brute-force/dcerpc_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against the Distributed Computing Environment (DCE)/Remote Procedure Calls (RPC","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"JpxlYDKLtUeZ1kCjbOWN","title":"ftp_brute_external_internal","pathname":"/detection-models/library/brute-force/ftp_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"9XHaLrlXfANVX89TYMlN","title":"ftp_brute_internal_external","pathname":"/detection-models/library/brute-force/ftp_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. 
This event specifically looks fo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"4RhEsoW62DwBIr9f46Bj","title":"ftp_brute_internal_internal","pathname":"/detection-models/library/brute-force/ftp_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a File Transfer Protocol (FTP) server. This event specifically looks fo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"VOfhfTd8HNpIfBh8J9e1","title":"imap_brute_external_internal","pathname":"/detection-models/library/brute-force/imap_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"ag3vmHI2B8Oo1yHob8CL","title":"imap_brute_internal_external","pathname":"/detection-models/library/brute-force/imap_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. 
T","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"5hngRgiJvS1ZvhTm6ruZ","title":"imap_brute_internal_internal","pathname":"/detection-models/library/brute-force/imap_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an Internet Message Access Protocol (IMAP) mail client access server. T","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"kzMGGj9Ja0prT3rDkOcA","title":"kerberos_brute_internal_internal","pathname":"/detection-models/library/brute-force/kerberos_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed login attempts using the Kerberos service originating from a single internal host. 
This activ","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"kDurXK5i7F85B5kIXn6R","title":"kerberos_user_enumeration","pathname":"/detection-models/library/brute-force/kerberos_user_enumeration","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a large number of failed pre-authentication attempts using the Kerberos service originating from a single internal hos","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"RsXRgbgjEZYFuS01L02Z","title":"mongodb_brute_external_internal","pathname":"/detection-models/library/brute-force/mongodb_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity from the Internet t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"R1gx2E1kTPHCvlbgJyuM","title":"mongodb_brute_internal_external","pathname":"/detection-models/library/brute-force/mongodb_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. 
This event specifically looks for activity emanating from your","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"jJJvWXXT5bUsHhej2vix","title":"mongodb_brute_internal_internal","pathname":"/detection-models/library/brute-force/mongodb_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against MongoDB. This event specifically looks for activity between hosts insid","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"20ORKaOrnmWIlsJ7Ihnd","title":"mssql_brute_external_internal","pathname":"/detection-models/library/brute-force/mssql_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity from the In","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"zRuTyCtvKh0t9Pave7KO","title":"mssql_brute_internal_external","pathname":"/detection-models/library/brute-force/mssql_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MSSQL server. 
This event specifically looks for activity emanating fr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"4J53a4T2OFKtfO1RtJOu","title":"mssql_brute_internal_internal","pathname":"/detection-models/library/brute-force/mssql_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against an MSSQL server. This event specifically looks for activity between hos","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"dx2e2A6E0OvFqoK2GRYn","title":"mysql_brute_external_internal","pathname":"/detection-models/library/brute-force/mysql_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity from the I","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"9jUfqlAQQfmmR1xt9Bkh","title":"mysql_brute_internal_external","pathname":"/detection-models/library/brute-force/mysql_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. 
This event specifically looks for activity emanating","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"UY33imAfPVUMNs9Ps6OH","title":"mysql_brute_internal_internal","pathname":"/detection-models/library/brute-force/mysql_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a MySQL database. This event specifically looks for activity between ho","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"TSXuw0fos7pTyD8OrSYF","title":"pop3_brute_external_internal","pathname":"/detection-models/library/brute-force/pop3_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"7u3ruSNUGzMG22JZtwgq","title":"pop3_brute_internal_external","pathname":"/detection-models/library/brute-force/pop3_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. 
This","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"mJKjcTP8Gzp82Vuahbhp","title":"pop3_brute_internal_internal","pathname":"/detection-models/library/brute-force/pop3_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a Post Office Protocol version 3 (POP3) mail client access server. This","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"nM8kAj7iIiiuinCqRVko","title":"postgres_brute_external_internal","pathname":"/detection-models/library/brute-force/postgres_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity from","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"k9HXkJOaaIK5syFErL4v","title":"postgres_brute_internal_external","pathname":"/detection-models/library/brute-force/postgres_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. 
This event specifically looks for activity emana","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"Eej2EfpTd6rdHGYR5viS","title":"postgres_brute_internal_internal","pathname":"/detection-models/library/brute-force/postgres_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against a PostgreSQL database. This event specifically looks for activity betwe","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"e9svrbfGzAkm42YvqU1M","title":"rdpbrute_external_internal","pathname":"/detection-models/library/brute-force/rdpbrute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"NFJH1HQWvlWi9aj9HXkD","title":"rdpbrute_internal_external","pathname":"/detection-models/library/brute-force/rdpbrute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). 
This event specifically looks","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"jCVmUAIgoPLeKCaYOuBD","title":"rdpbrute_internal_internal","pathname":"/detection-models/library/brute-force/rdpbrute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Microsoft Remote Desktop Protocol (RDP). This event specifically looks","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"RVzVwOonDEMrH0m9DMX5","title":"redis_brute_external_internal","pathname":"/detection-models/library/brute-force/redis_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity from the Internet tow","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"uBWypaUGPtp0iMBRXuPj","title":"redis_brute_internal_external","pathname":"/detection-models/library/brute-force/redis_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. 
This event specifically looks for activity emanating from your n","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"K4QYc9JHiUALboxDTp4N","title":"redis_brute_internal_internal","pathname":"/detection-models/library/brute-force/redis_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Redis. This event specifically looks for activity between hosts inside","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"v5wUH6w8rubTCG0ckeN5","title":"smb_brute_external_internal","pathname":"/detection-models/library/brute-force/smb_brute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"IyKcZS3hcBilRyfbUhxv","title":"smb_brute_internal_external","pathname":"/detection-models/library/brute-force/smb_brute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. 
SMB is the Microsoft Windows File Sharing protocol, also known as","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"UTmMgSNeogFrosgU0wfi","title":"smb_brute_internal_internal","pathname":"/detection-models/library/brute-force/smb_brute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against SMB. SMB is the Microsoft Windows File Sharing protocol, also known as","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"EibrbWeDdSinn78u0WI7","title":"sshbrute_external_internal","pathname":"/detection-models/library/brute-force/sshbrute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"GqRSVZwT1Sf8SLm9GDJN","title":"sshbrute_internal_external","pathname":"/detection-models/library/brute-force/sshbrute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. 
This event specificall","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"GpPwsqkWk6XaARoljyCu","title":"sshbrute_internal_internal","pathname":"/detection-models/library/brute-force/sshbrute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects an SSH brute force attack, which is an attempt to guess a valid password against an SSH server. This event specificall","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"uiqHj1uuqnb54qOgdyls","title":"winrmbrute_external_internal","pathname":"/detection-models/library/brute-force/winrmbrute_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"COFne9XIU1TGeBV3aS8q","title":"winrmbrute_internal_external","pathname":"/detection-models/library/brute-force/winrmbrute_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). 
This event specifically looks for ac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"RJo3GZIi41NscYWE5YaN","title":"winrmbrute_internal_internal","pathname":"/detection-models/library/brute-force/winrmbrute_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a brute force password guessing attack against Windows Remote Management (WinRM). This event specifically looks for ac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Brute Force"}]},{"id":"S1PxUsAbj25CAsobUQIT","title":"Denial of Service","pathname":"/detection-models/library/denial-of-service","siteSpaceId":"sitesp_pz8oP","description":"Denial of Service (DoS) attacks are a significant security risk where threat actors aim to make a network, service, or server unavailable by flooding it with excessive traffic, leading to potential op","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"Cp6wt4cle2jTJkfFUAF8","title":"ackflood","pathname":"/detection-models/library/denial-of-service/ackflood","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ackflood event is a detection for ACK Flood, a type of DDoS attack where the attacker floods the target with a high volume of ACK packets. This event is triggered when there is a signi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"hfAZgBUSEssHC7fwjnPP","title":"chargenreflect","pathname":"/detection-models/library/denial-of-service/chargenreflect","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event in the Netography Fusion Portal is designed to detect Chargen reflection attacks. 
Chargen, short for Character Generator Protocol, is a legacy protocol that can be used","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"AQ20qv0Cn6sy0JW2XOOm","title":"cldapreflect","pathname":"/detection-models/library/denial-of-service/cldapreflect","siteSpaceId":"sitesp_pz8oP","description":"Explanation CLDAP (Connection-less Lightweight Directory Access Protocol) reflection attacks involve amplifying small requests into larger responses through open servers that have UDP port 389 open. A","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"td4tFZWxCeWCipsnv7gA","title":"codreflection","pathname":"/detection-models/library/denial-of-service/codreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is designed to detect CoD (Call of Duty) reflection attacks that can cause a significant disruption to your network. CoD reflection attacks occur when an attacker sends a packet","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"SFnY4HTZwE9vg1e6ranM","title":"dns_amplification_participation","pathname":"/detection-models/library/denial-of-service/dns_amplification_participation","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dns_amplification_participation event in the Netography Fusion Portal helps to find potential participants in DNS amplification attacks. 
DNS amplification attacks exploit the vulnerabi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"peGhJmzeOyLEa1HoRsUJ","title":"dnsattack","pathname":"/detection-models/library/denial-of-service/dnsattack","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dnsattack security event in the Netography Fusion Portal is designed to detect DNS flood attacks in your network. DNS flood happens when an attacker floods a DNS server with queries, m","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"BLl2nLCEuD7KpYDnJcAW","title":"dnsreflection","pathname":"/detection-models/library/denial-of-service/dnsreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dnsreflection event is a detection within the Netography Fusion Portal that detects DNS reflection attacks. These types of attacks use DNS servers to amplify the size of the incoming tra","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"5IVwSq00ONtGNfEunlm3","title":"fin_flood","pathname":"/detection-models/library/denial-of-service/fin_flood","siteSpaceId":"sitesp_pz8oP","description":"Explanation Fin Flood is a type of Denial-of-Service (DoS) attack that targets an open connection by bombarding it with numerous TCP packets with the \"FIN\" flag set. 
This excessive amount of packets o","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"QFjM7DytdE5DyvndGmV1","title":"icmpflood","pathname":"/detection-models/library/denial-of-service/icmpflood","siteSpaceId":"sitesp_pz8oP","description":"Explanation icmpflood is a type of DDoS attack that sends a large number of ICMP packets to a target network, which can result in network congestion, packet loss, and service disruption. The Netograph","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"M156ifaL55Jd8GGDUYqy","title":"memcachereflection","pathname":"/detection-models/library/denial-of-service/memcachereflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation Memcached is an open source distributed memory caching system that is commonly used by web servers to speed up dynamic database-driven websites. Reflection attacks involve sending a reques","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"EbT0YZRfFEpW3xrrNXpx","title":"mssqlreflection","pathname":"/detection-models/library/denial-of-service/mssqlreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered when the Netography Fusion Portal detects an MSSQL reflection attack. 
MSSQL reflection attacks are SQL injection attacks that target Microsoft SQL servers running o","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"CtjHm2wJyD9qQYNUWrQ2","title":"netbiosreflect","pathname":"/detection-models/library/denial-of-service/netbiosreflect","siteSpaceId":"sitesp_pz8oP","description":"Explanation The Netbios protocol is used by Microsoft operating systems for file sharing and printer sharing over a network. The reflection attack is when an attacker sends a falsified request to a ta","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"BheyDDJcqraF0KCCCiBj","title":"ntpreflect","pathname":"/detection-models/library/denial-of-service/ntpreflect","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ntpreflect event in Netography Fusion Portal looks for an NTP reflection attack. This is a type of DDoS attack in which an attacker sends a request to an NTP server and spoofs the sour","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"s7fIKlDUBfgIR26VqeaW","title":"psh_flood","pathname":"/detection-models/library/denial-of-service/psh_flood","siteSpaceId":"sitesp_pz8oP","description":"Explanation psh_flood is a security event in the Netography Fusion Portal that detects potential PSH floods. 
A Psh flood is when the TCP Push flag is set in the header of a packet, a flood of these ty","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"E94VmpJ96q8ySOIm0yNl","title":"ripreflection","pathname":"/detection-models/library/denial-of-service/ripreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation RIP reflection is a type of DDoS attack that exploits the Routing Information Protocol (RIP). The attacker sends malformed requests to a device that runs RIP, and the device responds with","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"DEqJg8Y89UATzlCc5uZ9","title":"rstflood","pathname":"/detection-models/library/denial-of-service/rstflood","siteSpaceId":"sitesp_pz8oP","description":"Explanation The rstflood security event is triggered when the Netography Fusion Portal detects an abnormal frequency of Reset (RST) packets on the network, signaling a potential denial of service (DoS","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"AhZNCePr3ia11cLA6YGc","title":"slpreflection","pathname":"/detection-models/library/denial-of-service/slpreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event in the Netography Fusion Portal is designed to detect SLP reflection attacks. 
SLP, short for Service Location Protocol, can be used by attackers to amplify DDoS attacks","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"djN84liqOH1JI0vHfjxf","title":"snmpreflection","pathname":"/detection-models/library/denial-of-service/snmpreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation An SNMP reflection attack is a type of DDoS attack that exploits vulnerable SNMP servers to amplify and reflect attack traffic to targeted systems. What to Look For To examine the results","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"COzX9umwLC5E4YtXh3NG","title":"srcdsreflection","pathname":"/detection-models/library/denial-of-service/srcdsreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation SRCDS, or the Source Dedicated Server, is a tool used by video game developers for hosting and managing multiplayer games. However, if left unsecured, attackers can exploit the protocol an","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"VaS2upXRN7lVHaPuazwy","title":"ssdpreflect","pathname":"/detection-models/library/denial-of-service/ssdpreflect","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ssdpreflect event is triggered when a Simple Service Discovery Protocol (SSDP) reflection attack is detected. 
An attacker can use SSDP reflection to amplify the amount of traffic sent","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"QMf1w4gSkLH64xm0eSgQ","title":"sunrpcreflection","pathname":"/detection-models/library/denial-of-service/sunrpcreflection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The sunrpcreflection event in Netography Fusion Portal is designed to detect attacks against the SunRPC protocol used to manage network communication between servers and clients. Attackers","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"QPvvBCzVjnxTF1GXdP1w","title":"synflood","pathname":"/detection-models/library/denial-of-service/synflood","siteSpaceId":"sitesp_pz8oP","description":"Explanation The synflood security event in the Netography Fusion Portal is designed to detect SYN flood attacks on a network. A SYN flood is a type of DDoS attack where the attacker sends a large numb","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"Vq7S3gUngQIaEAMYPg1f","title":"tp240_phone_home_reflection_ddos","pathname":"/detection-models/library/denial-of-service/tp240_phone_home_reflection_ddos","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event in the Netography Fusion Portal is designed to detect TP-240 reflection attacks. 
Voice-over-IP systems with TP-240 VoIP-processing interface cards can be used by attack","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"mBrokyWjH1LcluHV6ozs","title":"urg_flood","pathname":"/detection-models/library/denial-of-service/urg_flood","siteSpaceId":"sitesp_pz8oP","description":"Explanation The urg_flood event is designed to detect potential Urg Flood attacks on a network. An Urg Flood is a type of Denial-of-Service (DoS) attack that uses the Urgent Pointer (URG) flag in the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Denial of Service"}]},{"id":"xKaJTyTRgKiwl2JGu9zQ","title":"Informational","pathname":"/detection-models/library/informational","siteSpaceId":"sitesp_pz8oP","description":"Informational detections are a category within Netography Fusion's Netography Detection Models (NDMs) that provide valuable insights about unusual but not necessarily malicious network behavior. These","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"MhsCm8mCWGCvPXLAbJon","title":"6in4tunnel","pathname":"/detection-models/library/informational/6in4tunnel","siteSpaceId":"sitesp_pz8oP","description":"Explanation The 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets on the network. This technique, known as 6in4 tunneling, can be used for legitimat","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"rwWJZvyuqpw8x8ShG8WL","title":"alltcpflags","pathname":"/detection-models/library/informational/alltcpflags","siteSpaceId":"sitesp_pz8oP","description":"Explanation The alltcpflags security event is designed to trigger when all the TCP flags are set in a network packet. 
This can indicate a malicious attempt to evade detection by avoiding detection sig","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"yclQW72R3fRmcceRmpJY","title":"badprotocol","pathname":"/detection-models/library/informational/badprotocol","siteSpaceId":"sitesp_pz8oP","description":"Explanation The badprotocol event is triggered when the Netography Fusion Portal identifies an invalid IP protocol being used on the network. IP packets encapsulate higher level protocols such as TCP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"KtDqC1gU0pwGQlDUHlCx","title":"communication_to_itar_countries","pathname":"/detection-models/library/informational/communication_to_itar_countries","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal event is designed to identify any connections made to countries listed under US Code 22 CFR § 126.1 “Prohibited exports, imports, and sales to or from certain","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"YaJet2EXwJDIZzMSzXSJ","title":"ethoverip","pathname":"/detection-models/library/informational/ethoverip","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets on the network. 
This technique, known as Ethernet tunneling, can be used for legitimate comm","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"yt12Nv2PFPGeOCqDGRPq","title":"ip_options_abuse","pathname":"/detection-models/library/informational/ip_options_abuse","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal event looks for ICMP messages of type 12 (Parameter Problem). Routers will emit these messages when they receive a malformed packet that they cannot route. Th","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"f7AJRMc36ZJij3d7bbFj","title":"ipmi","pathname":"/detection-models/library/informational/ipmi","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event looks for IPMI attacks on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"xaV7Zhs6hopna90miurl","title":"ipmi","pathname":"/detection-models/library/informational/ipmi-1","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event looks for IPMI attacks on the network. IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices. Attacke","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"yp8dMSKx8YLqATHU18w7","title":"largeicmp","pathname":"/detection-models/library/informational/largeicmp","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography event is triggered when an ICMP packet with a large payload is detected on the network. 
This type of attack is often used to flood a network with a high volume of traffic,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"V2M3C3Qj7f13i33zvKtE","title":"tcp_dnstunneling","pathname":"/detection-models/library/informational/tcp_dnstunneling","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. Thi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"3zVIGQU4NshgNLp4NGb3","title":"tcpfrag","pathname":"/detection-models/library/informational/tcpfrag","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is designed to detect a TCP fragmentation flood on the network. TCP fragmentation occurs when a large data packet is divided into smaller packets for transmission across the net","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"pb0GCDoTg20hA9VD9FlE","title":"tcpnull","pathname":"/detection-models/library/informational/tcpnull","siteSpaceId":"sitesp_pz8oP","description":"Explanation The tcpnull event is designed to detect NULL TCP flows. NULL TCP flows are packets that have no flags set, and are often used by attackers to scan networks for potential vulnerabilities. 
T","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"eEb52CwoU2vQCz5h2jAI","title":"udpfrag","pathname":"/detection-models/library/informational/udpfrag","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal security event detects a UDP fragmentation flood, which occurs when an attacker generates a large number of fragmented UDP packets towards a target system wit","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"0Gc6obNurWpZdyzPiKwB","title":"unusual_protocol","pathname":"/detection-models/library/informational/unusual_protocol","siteSpaceId":"sitesp_pz8oP","description":"Explanation The unusual_protocol event is triggered when the Netography Fusion Portal identifies an uncommon IP protocol being used on the network. IP packets encapsulate higher-level protocols such a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Informational"}]},{"id":"RA524vQwkBD44YtcT0Mb","title":"Misconfiguration","pathname":"/detection-models/library/misconfiguration","siteSpaceId":"sitesp_pz8oP","description":"Misconfiguration detections are a crucial aspect of Netography Fusion's Netography Detection Models (NDMs) that identify potential vulnerabilities caused by incorrect network setup or security config","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"1R1Lvj59WD9y6LzUaRfT","title":"9090_external_internal","pathname":"/detection-models/library/misconfiguration/9090_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a server on your network listening on port 9090 that has received a connection from an external 
IP address. The NDM wo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"Ml87T9tL4ircKK7jnDRS","title":"cups_browsed_external_internal","pathname":"/detection-models/library/misconfiguration/cups_browsed_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 entering your network. This traffic indicates that there are very likely one or more CUPS prin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"YDqrGKj6yQRFChNWy3gB","title":"dns_query_returned_loopback","pathname":"/detection-models/library/misconfiguration/dns_query_returned_loopback","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dns_query_returned_loopback NDM will fire when an external DNS query returns the loopback IP address (127.0.0.1). External DNS names should not resolve to internal resources. Names tha","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"tsgkQtz0M1UPmGcoiRQd","title":"external_access_of_smb","pathname":"/detection-models/library/misconfiguration/external_access_of_smb","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered by the Netography Fusion Portal when it detects non-customer network access to Windows Networking (Including DCE-RPC, Netbios, or SMB). 
What to Look For Ge","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"mLxzbU6jgyHUQo43ErnL","title":"external_kerberos_access","pathname":"/detection-models/library/misconfiguration/external_kerberos_access","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered by Netography Fusion Portal when it detects non-customer network access of Kerberos resources. Kerberos is a network authentication protocol used by many e","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"juP4TMzvUavWFmGzAwPT","title":"external_ldap_access","pathname":"/detection-models/library/misconfiguration/external_ldap_access","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_ldap_access NDM is designed to search for instances of non-customer network access of LDAP resources. This type of access can leave a network vulnerable to attackers attemptin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"DdBuqBjrEU3JYM2QsseS","title":"external_printing_connections","pathname":"/detection-models/library/misconfiguration/external_printing_connections","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is designed to detect external connections to internal print servers. 
The event triggers when an external source tries to connect to a print server residing within the protected","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"ULw20xAdxT2qlqKhnVa2","title":"external_snmp_sweep","pathname":"/detection-models/library/misconfiguration/external_snmp_sweep","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered when an SNMP sweep is detected entering the customer's network. SNMP, or Simple Network Management Protocol, is a protocol used for managing and monitoring","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"dR5z132cx0arEE56kuLQ","title":"fortinet_management_external_internal","pathname":"/detection-models/library/misconfiguration/fortinet_management_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on TCP port 541 leaving your network. This return traffic indicates that there may have been an external attac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"lSBg549QlvRvHaP28cy6","title":"internal_socks5_proxy","pathname":"/detection-models/library/misconfiguration/internal_socks5_proxy","siteSpaceId":"sitesp_pz8oP","description":"Explanation The internal_socks5_proxy NDM is designed to detect socks5 traffic on the local customer network. A SOCKS5 proxy is a protocol that routes internet traffic through a proxy server. 
It can b","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"IP5bHnt2KpvunJAzZ474","title":"msrdp","pathname":"/detection-models/library/misconfiguration/msrdp","siteSpaceId":"sitesp_pz8oP","description":"Explanation A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack where the attacker sends a forged packet to an open RDP server that causes it to send a large amount of","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"PCQeGxgvPGR6ljLQUugu","title":"outbound_database_exfil","pathname":"/detection-models/library/misconfiguration/outbound_database_exfil","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_database_exfil event is triggered when outbound traffic is detected from common database ports, indicating a potential exfiltration attempt from a database. This event is desi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"seiNbwxqEzeLl4GSXGk8","title":"outbound_ftp_traffic","pathname":"/detection-models/library/misconfiguration/outbound_ftp_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event monitors outbound traffic for cleartext FTP connections. The use of non-encrypted protocols such as FTP can leave sensitive information vulnerable to interception and theft. 
Wha","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"qOccf8hfvnizfP0fLuiO","title":"outbound_imap_traffic","pathname":"/detection-models/library/misconfiguration/outbound_imap_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal event monitors for cleartext outbound IMAP traffic, which should be discouraged due to security risks. IMAP is a protocol used for email retrieval and transfe","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"nSjOUm1MXL2sQjPFJI66","title":"outbound_ldap_traffic","pathname":"/detection-models/library/misconfiguration/outbound_ldap_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal event monitors for outbound LDAP traffic leaving the customer network. LDAP traffic to Internet destinations may be unexpected. What to Look For Investigation","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"36f1fy8MJOJTtttyIFWa","title":"outbound_pop3_traffic","pathname":"/detection-models/library/misconfiguration/outbound_pop3_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_pop3_traffic event monitors for cleartext outbound POP3 traffic on the network. POP3 is a non-encrypted protocol used for email retrieval. 
Use of non-encrypted protocols such","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"zWmU2y9BjBrA5quw4JV6","title":"outbound_printing","pathname":"/detection-models/library/misconfiguration/outbound_printing","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal event monitors for outbound traffic to print servers on the Internet, specifically using the IPP or LDP protocols. What to Look For To examine the results of","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"2oAYwn0c2YL1v6ih5i9y","title":"outbound_rejected_traffic","pathname":"/detection-models/library/misconfiguration/outbound_rejected_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM detects traffic attempting to leave the network that has been blocked or denied by network security policies. This event helps to identify potential threats or policy violations t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"HyZNEfMFqhZ4Ju1tqtgI","title":"outbound_smb_spike","pathname":"/detection-models/library/misconfiguration/outbound_smb_spike","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event monitors the amount of Windows Networking traffic leaving the network (including DCE-RPC, Netbios, or SMB). 
If there is a high volume of this traffic leaving the network,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"dgGvTTp8kPnXjpYRSAJD","title":"outbound_smb_traffic","pathname":"/detection-models/library/misconfiguration/outbound_smb_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Fusion Portal security event is triggered when outbound Windows Networking traffic is detected (including DCE-RPC, Netbios, or SMB). What to Look For When well tuned, this","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"KszSEcNaqPtzIRl1Djri","title":"outbound_snmp_sweep","pathname":"/detection-models/library/misconfiguration/outbound_snmp_sweep","siteSpaceId":"sitesp_pz8oP","description":"Explanation outbound_snmp_sweep is a security event in the Netography Fusion Portal that is triggered when an SNMP sweep is detected leaving the customer network. SNMP, or Simple Network Management Pr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"lVsIVwbvuA6V6OqkDLjd","title":"outbound_telnet_traffic","pathname":"/detection-models/library/misconfiguration/outbound_telnet_traffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_telnet_traffic event detects outbound cleartext telnet traffic. The use of non-encrypted protocols such as telnet should be discouraged due to the inherent security risks. 
Thi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"NLMIOJ8rGW08JF8M93DU","title":"rdp_external_internal","pathname":"/detection-models/library/misconfiguration/rdp_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The rdp_external_internal NDM monitors successful RDP connections from external sources to the network. This event helps to identify potential unauthorized access and data theft through RD","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"kZobGnhkUtF3yf6rV8tA","title":"registered_ports_ext_int","pathname":"/detection-models/library/misconfiguration/registered_ports_ext_int","siteSpaceId":"sitesp_pz8oP","description":"Explanation The registered_ports_ext_int NDM looks for any traffic accepted onto your network from the Internet on IANA registered ports. These ports are less commonly exposed to the Internet than wel","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"zm4rmnsStnjwSsJCqN6o","title":"ssh_external_internal","pathname":"/detection-models/library/misconfiguration/ssh_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ssh_external_internal event monitors for successful SSH connections from external sources to internal destinations. 
This is an important security event to monitor since successful exte","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Misconfiguration"}]},{"id":"Gti6MFOmGStNka4lndk6","title":"Operational Governance","pathname":"/detection-models/library/operational-governance","siteSpaceId":"sitesp_pz8oP","description":"Operational Governance detections are a part of Netography Fusion's Netography Detection Models (NDMs) and are designed to promote best practices in network hygiene and responsible use of network reso","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"KAf91rDMlGuSwY89U1vc","title":"anydesk_usage","pathname":"/detection-models/library/operational-governance/anydesk_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation The anydesk_usage NDM is designed to detect any usage of the AnyDesk software within the network. AnyDesk is a remote desktop application that can be used to gain unauthorized access to sy","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"efK1W5y88AFog0nHPalN","title":"bitcoin_node_internal_external","pathname":"/detection-models/library/operational-governance/bitcoin_node_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bitcoin_node_internal_external event monitors network traffic for possible Bitcoin mining activity. 
Bitcoin mining is a process of verifying transactions in the Bitcoin blockchain by s","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"DcZMF99VJI42BScCxFfG","title":"bittorrent","pathname":"/detection-models/library/operational-governance/bittorrent","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bittorrent NDM is designed to detect BitTorrent traffic on a network. BitTorrent is a type of peer-to-peer (P2P) file-sharing protocol that allows users to share large files, such as m","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"fFGlnYlS60haKBhxWmvz","title":"bittorrent_tracker_internal_external","pathname":"/detection-models/library/operational-governance/bittorrent_tracker_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bittorrent_tracker_internal_external NDM uses threat intelligence to detect traffic to external hosts running BitTorrent tracker servers. 
BitTorrent clients will almost always use BitT","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"5KcqNaJdp9vCGYsUihOX","title":"bittorrent_transfer_external_internal","pathname":"/detection-models/library/operational-governance/bittorrent_transfer_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bittorrent_transfer_external_internal NDM is designed to detect file downloads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on downloads rather","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"Q7t5O88jRfIDqvveFXXw","title":"bittorrent_transfer_internal_external","pathname":"/detection-models/library/operational-governance/bittorrent_transfer_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bittorrent_transfer_internal_external NDM is designed to detect file uploads over the BitTorrent protocol, and can be used in place of the bittorrent NDM to focus on uploads rather tha","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"BqYFypNPwha1TZF154Y1","title":"bittorrent_user","pathname":"/detection-models/library/operational-governance/bittorrent_user","siteSpaceId":"sitesp_pz8oP","description":"Explanation The bittorrent_user CCM creates a context label for any internal host that has been observed communicating with a host running BitTorrent tracker software on a TCP port commonly associated","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational 
Governance"}]},{"id":"2ceMs4RcWN7OIbkOjwZE","title":"connectwise_usage","pathname":"/detection-models/library/operational-governance/connectwise_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation The connectwise_usage NDM is designed to detect any usage of the ConnectWise software, a popular remote management and monitoring tool used by IT service providers. This event is triggered","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"YMCXNfVmzeWBqq7hokfw","title":"external_1801","pathname":"/detection-models/library/operational-governance/external_1801","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_1801 NDM flags connections from outside the customer network to servers on the customer network listening with TCP or UDP on port 1801. Microsoft Message Queuing is a messagin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"c43Zr89EnIr3aAxHITx9","title":"external_socks5_proxy","pathname":"/detection-models/library/operational-governance/external_socks5_proxy","siteSpaceId":"sitesp_pz8oP","description":"Explanation This security event is triggered when the Netography Fusion Portal detects the use of a socks5 proxy on the internet by an internal customer IP address. This may indicate that security con","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"llsDclAhdDOAQ9B6Fl7a","title":"external_tcp_44818","pathname":"/detection-models/library/operational-governance/external_tcp_44818","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_tcp_44818 NDM flags connections from outside the customer network to servers on the customer network listening on TCP port 44818. 
Rockwell Automation ICS systems use TCP port","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"wZL5J685qywnFwa4Vru8","title":"external_udp_2222","pathname":"/detection-models/library/operational-governance/external_udp_2222","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_udp_2222 NDM flags connections from outside the customer network to servers on the customer network listening on UDP port 2222. Rockwell Automation ICS systems use UDP port 22","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"PBgNctuKO7MEqlXjP1av","title":"file-sharing_apple-icloud","pathname":"/detection-models/library/operational-governance/file-sharing_apple-icloud","siteSpaceId":"sitesp_pz8oP","description":"Explanation The file-sharing_apple-icloud event detects the presence of file sharing using Apple iCloud on the network. What to Look For To examine the results of the file-sharing_apple-icloud event,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"n2FcPWlVBJietoHNOSfi","title":"file-sharing_dropbox_detection","pathname":"/detection-models/library/operational-governance/file-sharing_dropbox_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The file-sharing_dropbox_detection event is triggered when Netography Fusion Portal detects file sharing using Dropbox on the network. 
What to Look For When examining the results of this e","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"9AkxnHDBlrBdvsnwxwfP","title":"file-sharing_idrive_detection","pathname":"/detection-models/library/operational-governance/file-sharing_idrive_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The file-sharing_idrive_detection NDM scans for instances of file sharing on the network that use the iDrive service. When users connect to the iDrive servers, it could lead to potential d","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"J3Xkl29dRQGs7JTHlOvL","title":"file-sharing_mega-service","pathname":"/detection-models/library/operational-governance/file-sharing_mega-service","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event detects the usage of file sharing Mega services by analyzing network traffic and endpoint data. What to Look For When examining the results of this event, look for any instances","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"vCAQEXLvaqjf2IcwC8ls","title":"file-sharing_microsoft-onedrive","pathname":"/detection-models/library/operational-governance/file-sharing_microsoft-onedrive","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM detects file sharing on the network using Microsoft OneDrive. 
What to Look For When examining the results of this NDM Event, look for any unauthorized file-sharing activity using","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"jD8wbwfW9zkniO57IOjm","title":"file-sharing_wetransfer","pathname":"/detection-models/library/operational-governance/file-sharing_wetransfer","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered when file sharing occurs using the Wetransfer application on the network. Wetransfer is a cloud-based file-sharing service that allows users to transfer large files","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"CxAQCP1Z8qU8E3fl3IHf","title":"gotoresolve_usage","pathname":"/detection-models/library/operational-governance/gotoresolve_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM looks for the usage of GoToResolve, a remote support and screen-sharing tool. When any activity related to GoToResolve is detected on the network or endpoint, this event triggers","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"cwwIxikykFvWpBBCo4QH","title":"internal_tor_relay","pathname":"/detection-models/library/operational-governance/internal_tor_relay","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography’s Fusion Portal when it detects a Tor node on the customer network. Tor is a proxy protocol that is used to hide the origin of network traffic. 
An una","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"ePln9b8l2CQ8lEGN2jr0","title":"ipfs_usage","pathname":"/detection-models/library/operational-governance/ipfs_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ipfs_usage NDM is designed to detect any IPFS related traffic on your network. IPFS (InterPlanetary File System) is a distributed protocol for sharing and storing files in a peer-to-pe","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"51afKRI74QfyAMX8tq5t","title":"irctraffic","pathname":"/detection-models/library/operational-governance/irctraffic","siteSpaceId":"sitesp_pz8oP","description":"Explanation The irctraffic NDM is a network event that scans network traffic for IRC chat messages, IRC server connections, and IRC file transfers. If it detects any of these activities, it triggers a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"qrusJJgckEw8MLCwi5by","title":"messaging_apple-push","pathname":"/detection-models/library/operational-governance/messaging_apple-push","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_apple-push NDM is designed to detect the presence of messaging applications on a network. 
It detects network traffic associated with Apple's Push Notification Service (APNS),","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"NkM8U3VxkFvVvuRYGsXy","title":"messaging_discord","pathname":"/detection-models/library/operational-governance/messaging_discord","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_discord NDM is designed to detect the use of the Discord messaging application on the network. When triggered, it alerts network administrators to the presence of this applic","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"2WWOOOvk3ntshdj1I5uC","title":"messaging_disqus","pathname":"/detection-models/library/operational-governance/messaging_disqus","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_disqus NDM is designed to detect the usage of Disqus on the network. Disqus is a third-party commenting and discussion platform used on many websites. This NDM can help secur","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"yAIaiRhbFirNJGeIKQXv","title":"messaging_facebook-messenger","pathname":"/detection-models/library/operational-governance/messaging_facebook-messenger","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_facebook-messenger NDM detects the presence and usage of the popular Facebook Messenger application on the network. 
When a user communicates through the application, the NDM","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"GEGejQeqbwUoqonhdO10","title":"messaging_google-chat","pathname":"/detection-models/library/operational-governance/messaging_google-chat","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_google-chat NDM detects the presence of the Google Chat messaging application on the network. What to Look For To investigate this event, look for any instances of Google Cha","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"b3EY3EUb9BP1qlw2iixn","title":"messaging_icq","pathname":"/detection-models/library/operational-governance/messaging_icq","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_icq NDM scans the network for the presence of messaging applications, specifically targeting ICQ. What to Look For You should examine the results of this event for any indica","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"7AalwaBmQRjOvPEj6BxY","title":"messaging_infobip","pathname":"/detection-models/library/operational-governance/messaging_infobip","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_infobip NDM is designed to detect the presence of the InfoBip messaging application on the network. 
InfoBip is a cloud-based mobile communications platform that enables busin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"plEqM3aUF7pQLW2efhXn","title":"messaging_jpush","pathname":"/detection-models/library/operational-governance/messaging_jpush","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_jpush NDM is designed to detect the presence of messaging applications on the network, specifically those using the JPush messaging service. What to Look For To examine the r","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"e6sU5puIoAhrzPcleRVf","title":"messaging_kakaotalk","pathname":"/detection-models/library/operational-governance/messaging_kakaotalk","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_kakaotalk NDM is designed to detect the Kakaotalk messaging application on the network. What to Look For To examine the results of the messaging_kakaotalk NDM event, look for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"fGc2HWXV7eZXsYQAm4Yi","title":"messaging_kik","pathname":"/detection-models/library/operational-governance/messaging_kik","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_kik NDM is designed to detect the use of the Kik messaging application on the network. 
What to Look For If the messaging_kik event is triggered, you should examine the networ","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"t7GYQmZ0KIG6dYb1Me1x","title":"messaging_messagebird","pathname":"/detection-models/library/operational-governance/messaging_messagebird","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_messagebird event is triggered by the Netography Detection Module (NDM) when it detects activity from the messaging application called Messagebird on the network. What to Loo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"2heYKItpKRN4hcXlJjB5","title":"messaging_meta-messaging","pathname":"/detection-models/library/operational-governance/messaging_meta-messaging","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect the presence of any \"Meta\" messaging applications on a network. What to Look For To examine the results of the messaging_meta-messaging event, customers shou","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"fCPq43tkMxH1zVbCYKHi","title":"messaging_pushover","pathname":"/detection-models/library/operational-governance/messaging_pushover","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_pushover NDM is designed to detect the presence of the messaging platform Pushover on the network. 
What to Look For Customers should examine their network traffic for any ind","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"hGO8QsUlVCPd4C6EZgRd","title":"messaging_rocket-chat","pathname":"/detection-models/library/operational-governance/messaging_rocket-chat","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_rocket-chat NDM monitors the network for the presence of the messaging application Rocket Chat. Rocket Chat is an open source messaging platform that allows for encrypted and","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"t5RI4DaPVLXwos5ecJ26","title":"messaging_samsung-push","pathname":"/detection-models/library/operational-governance/messaging_samsung-push","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_samsung-push NDM searches for the presence of messaging applications on the network, specifically on Samsung devices. What to Look For To analyze the results of the messaging","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"b61C5ypxMbSqjoa3Mt0c","title":"messaging_signal","pathname":"/detection-models/library/operational-governance/messaging_signal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_signal NDM is designed to detect the presence of the Signal messaging application on the network. 
Signal is an end-to-end encrypted messaging application that can be used for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"J1BsX79UTi7CduyAelV3","title":"messaging_sinch","pathname":"/detection-models/library/operational-governance/messaging_sinch","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_sinch NDM is designed to detect the presence of the Sinch messaging application on a network. Sinch is a cloud-based communications platform that allows developers to integra","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"r768LFSUwp4LKof9LA72","title":"messaging_snapchat","pathname":"/detection-models/library/operational-governance/messaging_snapchat","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_snapchat NDM is designed to detect the presence of the Snapchat messaging application on the network. What to Look For If the messaging_snapchat event is triggered, check for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"zpGkZm9Pf4Y1TwbZ1YI5","title":"messaging_stream-io","pathname":"/detection-models/library/operational-governance/messaging_stream-io","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_stream-io NDM detects the presence of the Stream-IO messaging application on the network. 
Stream-IO is used for real-time message passing between clients and servers, making","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"Zhqpg0XK56RDBPeGWAzc","title":"messaging_telegram","pathname":"/detection-models/library/operational-governance/messaging_telegram","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_telegram event is a security event in the Netography Fusion Portal that evaluates for the presence of Telegram messaging application on the network. What to Look For To analy","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"mUNrJcPW7pL3qOMBl3H8","title":"messaging_threema","pathname":"/detection-models/library/operational-governance/messaging_threema","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_threema NDM is designed to detect the presence of Threema messaging application on the network. Threema is a secure messaging application that is commonly used by individuals","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"oRAGWAVWBYQweNmrvvo6","title":"messaging_wechat","pathname":"/detection-models/library/operational-governance/messaging_wechat","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_wechat NDM (Network Detection Method) is designed to detect the presence of the WeChat messaging application on a network. 
It analyzes network traffic and looks for specific","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"qDlb9PtlcAafCaprksIM","title":"messaging_whatsapp","pathname":"/detection-models/library/operational-governance/messaging_whatsapp","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_whatsapp NDM detects the presence of messaging applications on the network, with a specific focus on WhatsApp. This NDM works by analyzing network traffic to determine the pr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"LrbdHGIFhcAbqxoE2PYp","title":"messaging_zalo","pathname":"/detection-models/library/operational-governance/messaging_zalo","siteSpaceId":"sitesp_pz8oP","description":"Explanation The messaging_zalo NDM is a network security event designed to detect the use of messaging applications on the network, with a particular focus on the Zalo messaging platform. What to Look","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"4VwsKVYxNMOqBwifNfsJ","title":"outbound_6in4tunnel","pathname":"/detection-models/library/operational-governance/outbound_6in4tunnel","siteSpaceId":"sitesp_pz8oP","description":"Explanation The Outbound 6in4 Tunnel Detection NDM is designed to detect when IPv6 traffic is encapsulated within IPv4 packets that are leaving the customer network to external destinations. 
This tech","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"aKdQ0pUy78nSFoPnBVVW","title":"outbound_ethoverip","pathname":"/detection-models/library/operational-governance/outbound_ethoverip","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound ethoverip NDM is designed to detect when Ethernet traffic is encapsulated within IP packets that are leaving the customer network to external destinations. Ethernet tunneling","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"jRdH8hu8F47mQRy11TI1","title":"outbound_teredo","pathname":"/detection-models/library/operational-governance/outbound_teredo","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_teredo NDM is designed to detect Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. Teredo can be used for l","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"npfzezbstRrVAFDhGuN3","title":"outbound_teredo_spike","pathname":"/detection-models/library/operational-governance/outbound_teredo_spike","siteSpaceId":"sitesp_pz8oP","description":"Explanation The outbound_teredo_spike NDM is designed to detect high volumes of Teredo packets leaving the customer network. Teredo is a protocol for encapsulating IPv6 packets in IPv4 UDP packets. 
Te","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"9anYNuV8ts9GohwrcRhc","title":"social_discourse_detection","pathname":"/detection-models/library/operational-governance/social_discourse_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_discourse_detection Netography Detection Model (NDM) is utilized to detect the social media platform: Discourse on the network. What to Look For If the social_discourse_detectio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"NKT9YqkuIssHq5IxES11","title":"social_instagram_detection","pathname":"/detection-models/library/operational-governance/social_instagram_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_instagram_detection NDM was developed by the Netography Threat Research team to detect the use of Social Media: Instagram. What to Look For When examining the results of the soc","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"kVJwCuPORHT0a4sjw3Ya","title":"social_linkedin_detection","pathname":"/detection-models/library/operational-governance/social_linkedin_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_linkedin_detection NDM is a security event that detects the use of Social Media: LinkedIn on a network. 
It is designed to identify any attempts by users to access this networkin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"pYE33TBpIo8aj1S7YxAG","title":"social_meta_detection","pathname":"/detection-models/library/operational-governance/social_meta_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_meta_detection NDM is a security event within the Netography Fusion Portal that looks for the detection of the use of social media: Meta. What to Look For To examine the results","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"ZHXWfeM8qGyDeyup8aok","title":"social_okcupid_detection","pathname":"/detection-models/library/operational-governance/social_okcupid_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_okcupid_detection NDM is designed to detect the use of the social media platform OKCupid on a network. What to Look For To examine the results of the social_okcupid_detection ND","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"OkfvrWvOxZNrRcBRNXF5","title":"social_reddit_detection","pathname":"/detection-models/library/operational-governance/social_reddit_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_reddit_detection NDM is designed to detect any suspicious activity related to the use of social media, specifically Reddit, on your network. 
The NDM analyzes network traffic and","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"d2CLLnwNv5LaQpnmKzA3","title":"social_tiktok_detection","pathname":"/detection-models/library/operational-governance/social_tiktok_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_tiktok_detection NDM is designed to detect the use of the social media app, TikTok. What to Look For When examining the results of the social_tiktok_detection event, users shoul","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"AQM3pxXdfCVIjLczLt5D","title":"social_tinder_detection","pathname":"/detection-models/library/operational-governance/social_tinder_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_tinder_detection NDM is designed to detect usage of the social media app Tinder on network endpoints. What to Look For If the social_tinder_detection NDM is triggered, customers","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"nGOiISecADWNmsmfUkXK","title":"social_twitter_detection","pathname":"/detection-models/library/operational-governance/social_twitter_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The social_twitter_detection NDM is designed to detect the use of social media platform Twitter on a network. 
It searches for any activity related to Twitter like login attempts, tweets, f","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"07E47a62NovyCaJMXrRP","title":"teamviewer_usage","pathname":"/detection-models/library/operational-governance/teamviewer_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM looks for the usage of the TeamViewer software, which may pose a security risk for organizations. The NDM is triggered when the software is detected on a network or endpoint, and","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"co5j30ZA5Z6KIMJN7hrp","title":"third_party_vpn_usage","pathname":"/detection-models/library/operational-governance/third_party_vpn_usage","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM detects the usage of third-party (free or paid) VPNs. What to Look For To examine the results of this event, network administrators should monitor their network traffic for any co","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"PI94CTfsJzMu1xhNfpSP","title":"tor_connection_internal_external","pathname":"/detection-models/library/operational-governance/tor_connection_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography’s Fusion Portal when it detects a connection attempt to a known Tor entry node from an internal network device. 
Tor is often used to hide the origin o","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"KTBlJkTZRFpniZ8MCbIG","title":"unusual_open_tcp_ports","pathname":"/detection-models/library/operational-governance/unusual_open_tcp_ports","siteSpaceId":"sitesp_pz8oP","description":"Explanation The unusual_open_tcp_ports Netography Detection Model (NDM) is designed to detect uncommon TCP ports open and receiving connections on the network. The NDM is triggered when inbound TCP tr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"ViJR7V0JN2EHdQ1KJL7h","title":"vpn_usage_internal_external","pathname":"/detection-models/library/operational-governance/vpn_usage_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation vpn_usage_internal_external is a Netography Fusion Portal security event designed to detect VPN usage exiting a customer's network. What to Look For When examining the results of the vpn_u","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Operational Governance"}]},{"id":"mAlQgTJNqPyhgkExgfwf","title":"Post-Compromise","pathname":"/detection-models/library/post-compromise","siteSpaceId":"sitesp_pz8oP","description":"Post-Compromise detections are a vital feature of Netography Fusion's Netography Detection Models (NDMs) designed to identify and alert about activities associated with already compromised systems. 
Th","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"kS6tJVGCc7DWw7RBU4OB","title":"anomalous_traffic_dns","pathname":"/detection-models/library/post-compromise/anomalous_traffic_dns","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over UDP port 53 or over TCP ports 53 or 853 that exceeds an automatically determined baseline thresho","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"x5Y1jUKqensebkTx1Lkv","title":"anomalous_traffic_itar","pathname":"/detection-models/library/post-compromise/anomalous_traffic_itar","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to IP addresses in countries listed under US Code 22 CFR § 126.1 (ITAR countries) “Prohibited exports,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"g6hHJPu8Xs85g5T6LDce","title":"anomalous_traffic_mega","pathname":"/detection-models/library/post-compromise/anomalous_traffic_mega","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to the Mega file hosting service that exceeds an automatically determined baseline threshold. 
Auto Threshol","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"6GTWTjySe3npF5h5yPf4","title":"anomalous_traffic_s3","pathname":"/detection-models/library/post-compromise/anomalous_traffic_s3","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer to Amazon S3 that exceeds an automatically determined baseline threshold. Auto Thresholding observes r","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"quQQ6jpPoRfurJVef5IH","title":"anomalous_traffic_ssh","pathname":"/detection-models/library/post-compromise/anomalous_traffic_ssh","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a data transfer over TCP port 22 that exceeds an automatically determined baseline threshold. Auto Thresholding observ","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"vyhwxp0fJhkD995qstG3","title":"coinminer_detection","pathname":"/detection-models/library/post-compromise/coinminer_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The coinminer_detection NDM detects machines connecting to coinmining servers which could indicate a cryptocurrency mining attack. 
This is accomplished by monitoring network traffic for co","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"EmX5Tna6LRjeHrmv2dGy","title":"comm_with_malware_external_internal","pathname":"/detection-models/library/post-compromise/comm_with_malware_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The comm_with_malware_external_internal NDM is designed to detect connections from identified malware command and control (C2) nodes to hosts on your network. Because flows occur in both d","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"ZdxagLV0oyuybDx4Vgdz","title":"comm_with_malware_internal_external","pathname":"/detection-models/library/post-compromise/comm_with_malware_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The comm_with_malware_internal_external NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"MevGBXFb1FW612JOltdI","title":"communication_to_bad_rep","pathname":"/detection-models/library/post-compromise/communication_to_bad_rep","siteSpaceId":"sitesp_pz8oP","description":"Explanation The communication_to_bad_rep NDM is designed to detect successful outbound connections to a known bad IP. 
The NDM triggers when a connection is made to an IP address that is on a deny list","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"UbdSjNUOVZEQfZM5PLRe","title":"communication_to_malware","pathname":"/detection-models/library/post-compromise/communication_to_malware","siteSpaceId":"sitesp_pz8oP","description":"Explanation The communication_to_malware NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to an IP addres","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"MM6P4UNqyuaYkfZq3zOR","title":"cups_browsed_internal_external","pathname":"/detection-models/library/post-compromise/cups_browsed_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects traffic on UDP port 631 exiting your network. 
UDP port 631 is usually associated with the CUPS-Browsed service and is","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"PZUivUIiVCjdRLNBhg7m","title":"dga_suspected","pathname":"/detection-models/library/post-compromise/dga_suspected","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with malware using a Domain Generation Algorithm (","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"8MSnb4I6SCZFe5nLmShK","title":"dlp-china","pathname":"/detection-models/library/post-compromise/dlp-china","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dlp-china NDM is designed to detect potential data loss to China. This NDM looks for large traffic transfers headed towards an IP identified as being in China. What to Look For When an","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"CPssQoyR9fkJDGVLa9Af","title":"dlp-russia","pathname":"/detection-models/library/post-compromise/dlp-russia","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dlp-russia NDM aims to detect potential data loss to Russia. The NDM works by looking for large data transfers headed towards an IP located in Russia. 
What to Look For When examining r","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"3inrUIVedIGvcMwp4ZDg","title":"dns_lookup_tunneling","pathname":"/detection-models/library/post-compromise/dns_lookup_tunneling","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with DNS being used as a tunnel for non-DNS traffi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"ezzkKwx3QoL3fEVy9fS4","title":"dnstunneling","pathname":"/detection-models/library/post-compromise/dnstunneling","siteSpaceId":"sitesp_pz8oP","description":"Explanation The dnstunneling NDM is designed to detect DNS tunneling on your network. DNS tunneling is a technique used by malicious actors to bypass firewalls and security appliances to exfiltrate da","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"6R625avUWV7EscrpAFcH","title":"external_http_beacon","pathname":"/detection-models/library/post-compromise/external_http_beacon","siteSpaceId":"sitesp_pz8oP","description":"Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. 
The external_http_beacon NDM detects network communications over ht","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"0RWNh616LnHkxM2bx4WF","title":"external_https_beacon","pathname":"/detection-models/library/post-compromise/external_https_beacon","siteSpaceId":"sitesp_pz8oP","description":"Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external_https_beacon NDM detects network communications over h","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"7oTuJ9HV9fK7vStLL8PH","title":"external_nonhttp_beacon","pathname":"/detection-models/library/post-compromise/external_nonhttp_beacon","siteSpaceId":"sitesp_pz8oP","description":"Explanation Malware often engages in repeated communications with command and control systems, to check for instructions or updates. The external_nonhttp_beacon NDM detects network communications over","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"EyRxS5dZSqeU7PXVnJkF","title":"external_tcp_12345","pathname":"/detection-models/library/post-compromise/external_tcp_12345","siteSpaceId":"sitesp_pz8oP","description":"Explanation The external_tcp_12345 NDM flags connections on TCP port 12345 coming either inbound to your network from the Internet or outbound from your network to the Internet. 
Threat actors have bee","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"F3JeHCXxXH0HzMqbkTuO","title":"fortinet_management_internal_internal","pathname":"/detection-models/library/post-compromise/fortinet_management_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects traffic from TCP port 541 on your network. This return traffic indicates that there may have been an internal attacker","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"zByE5RX158GOMjrTcPFm","title":"ip_lookup_attempt","pathname":"/detection-models/library/post-compromise/ip_lookup_attempt","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ip_lookup_attempt NDM is designed to detect when a customer network machine attempts to look itself up. This could be an indication of malicious activity on the network. 
What to Look F","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"tehnaen9AX19UOgRv1z5","title":"ipmi_default_dumphashes","pathname":"/detection-models/library/post-compromise/ipmi_default_dumphashes","siteSpaceId":"sitesp_pz8oP","description":"Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"C55klmpuDt7dqFOrzCoi","title":"kerberosting_internal_internal","pathname":"/detection-models/library/post-compromise/kerberosting_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation Kerberos is a network authentication protocol used by many enterprises to securely authenticate users and services across a network. 
Kerberoasting is a post-compromise attack that can be u","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"nNRxmjyi7VrXQiCWwTzq","title":"large_internal_smb_download","pathname":"/detection-models/library/post-compromise/large_internal_smb_dowbload","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"83IvqM56plLp2iu4DNrL","title":"large_internal_smb_download","pathname":"/detection-models/library/post-compromise/large_internal_smb_download","siteSpaceId":"sitesp_pz8oP","description":"Explanation This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"OYrcChokUfUnGT12YGQh","title":"long_dns_connection","pathname":"/detection-models/library/post-compromise/long_dns_connection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The long_dns_connection NDM flags sustained interactive connections leaving the customer's network to destinations on TCP port 53, which is used by DNS. 
Most DNS connections are short live","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"ihhbK7iRtigB2qUKLDdm","title":"outbound_ping","pathname":"/detection-models/library/post-compromise/outbound_ping","siteSpaceId":"sitesp_pz8oP","description":"Explanation When threat actors first compromise a host, they often ping internet resources to verify connectivity. A spurious ping can be subtle and hard to detect because end users may make frequent","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"NvRbOjfmLKrciOrsb1gE","title":"rdp_internal_external","pathname":"/detection-models/library/post-compromise/rdp_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect successful RDP connections that cross from the internal network to the external network. It triggers when an RDP connection is successfully established from","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"IITukQWbw7xcRzsNFmju","title":"sinkhole_detection","pathname":"/detection-models/library/post-compromise/sinkhole_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The sinkhole_detection NDM is designed to detect any Internal IP addresses reaching out to known sinkhole servers. 
When malicious botnet or other malware command and control infrastructure","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"V3z0ER27ofDd1zCQANb7","title":"tcp_123","pathname":"/detection-models/library/post-compromise/tcp_123","siteSpaceId":"sitesp_pz8oP","description":"Explanation The tcp_123 NDM flags interactive connections leaving the customer's network to destinations on TCP port 123. The Network Time Protocol service uses UDP port 123, but does not use TCP. In","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"Z0nwT1QXErqPxVQKNHR9","title":"torrent_usage_detection","pathname":"/detection-models/library/post-compromise/torrent_usage_detection","siteSpaceId":"sitesp_pz8oP","description":"Explanation The torrent_usage_detection NDM was developed by the Netography Threat Research team to detect instances of torrent file sharing on a network. 
What to Look For To examine the results of th","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"4uLTeI1nVQ5WSt809WHe","title":"uncommon_icmp_reject","pathname":"/detection-models/library/post-compromise/uncommon_icmp_reject","siteSpaceId":"sitesp_pz8oP","description":"Explanation The uncommon_icmp_reject event is triggered when the Netography Detection Module (NDM) detects network flows for ICMP messages that indicate that there is traffic on the network that is be","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"0TjWZDtiPGVmMx0BdeZJ","title":"wkpsrcdst","pathname":"/detection-models/library/post-compromise/wkpsrcdst","siteSpaceId":"sitesp_pz8oP","description":"Explanation The wkpsrcdst event in the Netography Fusion Portal is designed to detect and alert security personnel when a connection is established between two privileged ports within the monitored ne","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Post-Compromise"}]},{"id":"H3xkAgRrSnyfrFiQLqJa","title":"Reconnaissance","pathname":"/detection-models/library/reconnaissance","siteSpaceId":"sitesp_pz8oP","description":"Reconnaissance detections are an essential component of Netography Fusion's Netography Detection Models (NDMs) that are designed to identify and alert network administrators to activities associated w","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"lwaPf07exGW6BDaJgpZH","title":"3000_scan_external_internal","pathname":"/detection-models/library/reconnaissance/3000_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 3000 that is hitting the customer’s network 
from the Internet. Numerous technologies have used port 3000. One noteworthy example is Grafana","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"A45yycJMpUtoRLVRGCVC","title":"3000_scan_internal_external","pathname":"/detection-models/library/reconnaissance/3000_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 3000 that is exiting the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an open source d","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"UJicSmAFEf9CYMiIusym","title":"3000_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/3000_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 3000 inside the customer's network. Numerous technologies have used port 3000. One noteworthy example is Grafana, an o","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"AvThMzMUlrV9dhbcolzY","title":"8000_scan_external_internal","pathname":"/detection-models/library/reconnaissance/8000_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8000 that is hitting the customer’s network from the Internet. 
Port 8000 has been used by numerous technologies as an alternative HTTP/HTTP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"CPDyLMDzLDThJOjBJyQF","title":"8000_scan_internal_external","pathname":"/detection-models/library/reconnaissance/8000_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8000 that is exiting the customer's network. Port 8000 has been used by a variety of different products as an alternative HTTP/HTTPS port.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"q8AFEapaKAw0y2kI6W0W","title":"8000_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/8000_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 8000 inside the customer's network. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTPS port","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"XIZPEJRWIbBGo40T6LJC","title":"8060_scan_external_internal","pathname":"/detection-models/library/reconnaissance/8060_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8060 that is hitting the customer’s network from the Internet. 
Port 8060 is used by a number of different software products, including Mana","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"19gcgAQ2R1OScZqgI3CT","title":"8060_scan_internal_external","pathname":"/detection-models/library/reconnaissance/8060_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8060 that is exiting the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManag","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"UitIi0LvDtU68AFik04y","title":"8060_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/8060_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8060 inside the customer's network. Port 8060 is used by a number of different software products, including ManageEngine's OpManager. What","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"nYvfAyno5UPGwYcANvju","title":"8888_scan_external_internal","pathname":"/detection-models/library/reconnaissance/8888_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8888 that is hitting the customer’s network from the Internet. Port 8888 is used as an alternative HTTP port by many software products. 
It","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"IQmg4Jpg5SC5idWLusKf","title":"8888_scan_internal_external","pathname":"/detection-models/library/reconnaissance/8888_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for port 8888 that is exiting the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is also used by Ma","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"7XFf2xSmvpNgGLE632Jj","title":"8888_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/8888_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 8888 inside the customer's network. Port 8888 is used as an alternative HTTP port by many software products. It is als","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"PYOfj247gnHLhrALiFnL","title":"9090_scan_external_internal","pathname":"/detection-models/library/reconnaissance/9090_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is hitting the customer’s network from the Internet. 
Port 9090 is used for several purposes, including Linux","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Yl3Bp30MIC2Ihjr94rBs","title":"9090_scan_internal_external","pathname":"/detection-models/library/reconnaissance/9090_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 9090 that is exiting the customer's network. Port 9090 is used for several purposes, including Linux server administra","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"j440xyUiKub8twMMTOXS","title":"9090_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/9090_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for servers listening on port 9090 inside the customer's network. Port 9090 is used for several purposes, including Linux server administration as w","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"W1fcq7y0Yz4dp18Xuouk","title":"backupexec_scan_external_internal","pathname":"/detection-models/library/reconnaissance/backupexec_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Veritas BackupExec that is hitting the customer’s network from the Internet. Veritas BackupExec is a network backup application. 
What to Look Fo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"4G1z1Vzzu4fPa1UCjgs2","title":"backupexec_scan_internal_external","pathname":"/detection-models/library/reconnaissance/backupexec_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Veritas BackupExec systems that is exiting the customer's network. Veritas BackupExec is a network backup application. Outbound scanning may be","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"F5sBZ5PZarQqF6VPbGQv","title":"backupexec_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/backupexec_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Veritas BackupExec inside the customer's network. Veritas BackupExec is a network backup application. What to Look For Unauthorized scanning act","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"zzioIhKJhNgQtt0V3NDJ","title":"bamboo_scan_external_internal","pathname":"/detection-models/library/reconnaissance/bamboo_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is hitting the customer’s network from the Internet. 
Atlassian Bamboo is a CI/CD tool that has been subject to vulnerabili","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"2574Khx9FeYhYRtkkTb7","title":"bamboo_scan_internal_external","pathname":"/detection-models/library/reconnaissance/bamboo_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bamboo that is exiting the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Hmx1H9op6o83YGrvTVaB","title":"bamboo_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/bamboo_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bamboo servers inside the customer's network. Atlassian Bamboo is a CI/CD tool that has been subject to vulnerability disclosures in t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Bnc7nRkaruOcc1gJofh9","title":"bitbucket_scan_external_internal","pathname":"/detection-models/library/reconnaissance/bitbucket_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is hitting the customer’s network from the Internet. 
Atlassian Bitbucket is a source code repository that has been subj","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"3Nh2UyW2YJhtQBMgDhS4","title":"bitbucket_scan_internal_external","pathname":"/detection-models/library/reconnaissance/bitbucket_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bitbucket that is exiting the customer's network. Bitbucket is a source code repository that has been subject to vulnerability disclos","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Haqzi5GHjbRhKHTQDjyR","title":"bitbucket_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/bitbucket_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Atlassian Bitbucket servers inside the customer's network. Atlassian Bitbucket is a source code repository that has been subject to vulnerabilit","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"IVmn1PjeSlTOimVO7eYT","title":"censys_scanning","pathname":"/detection-models/library/reconnaissance/censys_scanning","siteSpaceId":"sitesp_pz8oP","description":"Explanation The censys_scanning NDM is designed to detect any activity on your network that is related to Censys scanning. 
What to Look For If the censys_scanning NDM is triggered, you should examine","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Ku7xd2pXt3PUc4f58tGz","title":"cleo_scan_external_internal","pathname":"/detection-models/library/reconnaissance/cleo_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is hitting the customer’s network from the Internet. Cleo offers a family of file transfer products, including C","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"VUfkMok2zMT1MQTcZCan","title":"cleo_scan_internal_external","pathname":"/detection-models/library/reconnaissance/cleo_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer that is exiting the customer's network. Cleo offers a family of file transfer products, including Cleo Harmony, Cleo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"axHmwq6Q4ZzQVDZ2hGJX","title":"cleo_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/cleo_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Cleo Managed File Transfer servers inside the customer's network. 
Cleo offers a family of file transfer products, including Cleo Harmony, Cleo V","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"bX2fpn5UnJ00FGl1QG5c","title":"connscan","pathname":"/detection-models/library/reconnaissance/connscan","siteSpaceId":"sitesp_pz8oP","description":"Explanation The connscan NDM detects connection scanning attempts on the network. It does this by monitoring for a high rate of connection attempts, which may indicate an attacker attempting to discov","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"FLMF3GD802w64D06rqGo","title":"connscan_external_internal","pathname":"/detection-models/library/reconnaissance/connscan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The connscan_external_internal NDM detects connection scanning attempts hitting the customer's network from the Internet. It does this by monitoring for a high rate of aborted successful T","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"W34oT6tTcIJbVbj5bk3t","title":"connscan_internal_external","pathname":"/detection-models/library/reconnaissance/connscan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The connscan_internal_external NDM detects connection scanning attempts exiting the customer's network. 
It does this by monitoring for a high rate of aborted successful TCP connections, wh","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"CX2hVL2qWx0RgPo2skQt","title":"connscan_internal_internal","pathname":"/detection-models/library/reconnaissance/connscan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The connscan_internal_internal NDM detects connection scanning attempts inside the customer's network. It does this by monitoring for a high rate of aborted successful TCP connections, whi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"K6FpP33ycwXdPbHoU31v","title":"esxi_internal_slp_scan","pathname":"/detection-models/library/reconnaissance/esxi_internal_slp_scan","siteSpaceId":"sitesp_pz8oP","description":"Explanation The esxi_internal_slp_scan NDM is designed to detect Port 427 internal scanning activities on ESXi servers. This is a common port used for service location protocol, and by scanning this p","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"lHWon6BxrtKsQP6eJCDU","title":"ftp_scan_external_internal","pathname":"/detection-models/library/reconnaissance/ftp_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for FTP servers that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. 
R","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"52sGuYGqhqFS6pab5SiO","title":"ftp_scan_internal_external","pathname":"/detection-models/library/reconnaissance/ftp_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for FTP servers that is exiting the customer's network. Outbound FTP scanning may be indicative of an infection and an attacker using a compromised","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"RSZp1S8LCmux2CCnDYf9","title":"ftp_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/ftp_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for FTP servers inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication tha","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"t2sWWYuiGoBPHh7w54Z3","title":"http_scan_internal_external","pathname":"/detection-models/library/reconnaissance/http_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for web servers that is exiting the customer's network on port 80 or 443. 
Outbound web scanning may be indicative of an infection and an attacker us","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"r42gtVjih8C3ifQuGcZ9","title":"http_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/http_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect web server scanning inside the customer's network on port 80 or 443. What to Look For Unauthorized scanning activity launched inside your network may be an i","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Yg0f093drIrWVcADzCck","title":"imap_scan_external_internal","pathname":"/detection-models/library/reconnaissance/imap_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for IMAP that is hitting the customer’s network from the Internet. IMAP is an internet standard protocol for email retrieval. What to Look For Scann","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"btCK4O94BNJIAGhkKarj","title":"imap_scan_internal_external","pathname":"/detection-models/library/reconnaissance/imap_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for IMAP that is exiting the customer's network. IMAP is an internet standard protocol for email retrieval. 
Outbound IMAP scanning may be indicative","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"EiGPQJVEqH3QqUEU980D","title":"imap_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/imap_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for IMAP inside the customer's network. IMAP is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"BRkcElMlCgQ56cEJClUx","title":"internal_snmp_sweep","pathname":"/detection-models/library/reconnaissance/internal_snmp_sweep","siteSpaceId":"sitesp_pz8oP","description":"Explanation The internal_snmp_sweep is a detection model that identifies an SNMP sweep occurring in the network. 
The model triggers anytime a large number of SNMP requests are sent to different device","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"hvhmyYWbhp4fCWF9Fda4","title":"ipmi_scan_external_internal","pathname":"/detection-models/library/reconnaissance/ipmi_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"YIX0QZ8poZ8caglbhtZc","title":"ipmi_scan_internal_external","pathname":"/detection-models/library/reconnaissance/ipmi_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"ERAWUxRHlODgtAWrSnbC","title":"ipmi_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/ipmi_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation IPMI (Intelligent Platform Management Interface) is a protocol that enables remote management of servers and other network devices without relying on the device's CPU or Operating System.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model 
Library"},{"label":"Reconnaissance"}]},{"id":"otd7G6bRvc8zge2297Zj","title":"ivantiava_scan_external_internal","pathname":"/detection-models/library/reconnaissance/ivantiava_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is hitting the customer’s network from the Internet. Ivanti Avalanche is an enterprise mobility management & mobile de","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"ePJ6xvgiFPAtnrKP8F7T","title":"ivantiava_scan_internal_external","pathname":"/detection-models/library/reconnaissance/ivantiava_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Ivanti Avalanche that is exiting the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (M","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"BzSoUlrTLj3XKvWv5ZPV","title":"ivantiava_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/ivantiava_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Ivanti Avalanche inside the customer's network. Ivanti Avalanche is an enterprise mobility management & mobile device management (MDM) solution. 
Wh","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"tGfW5MDWiJ9ERMjp0E0i","title":"kerberos_scan_external_internal","pathname":"/detection-models/library/reconnaissance/kerberos_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Kerberos scanning that is hitting the customer’s network from the Internet. Kerberos is a protocol for authenticating requests between hosts on a network. Wh","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"hQnGcdQbX12yCsYMLqXX","title":"kerberos_scan_internal_external","pathname":"/detection-models/library/reconnaissance/kerberos_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Kerberos that is exiting the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. Outbound Kerbero","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"D57xGU7wDPx9ofcqbUFs","title":"kerberos_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/kerberos_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Kerberos scanning inside the customer's network. Kerberos is a protocol for authenticating requests between hosts on a network. 
What to Look For Unauthorized","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"pSg154eVqk8MTnmOPiSj","title":"kibana_scan_external_internal","pathname":"/detection-models/library/reconnaissance/kibana_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is hitting the customer’s network from the Internet. Kibana is an open source data visualization platform that has been","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"LnzCsTaRFpyYgkZzGHkl","title":"kibana_scan_internal_external","pathname":"/detection-models/library/reconnaissance/kibana_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Kibana (port 5601) that is exiting the customer's network. Kibana is an open source data visualization platform that has been subject to critica","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"MyyO5T4yqHby8sfv4JjO","title":"kibana_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/kibana_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Kibana servers (port 5601) inside the customer's network. 
Kibana is an open source data visualization platform that has been subject to critical","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"xWnefVQxBXs3je8aoas7","title":"ldap_scanning_inside_to_outside","pathname":"/detection-models/library/reconnaissance/ldap_scanning_inside_to_outside","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect LDAP scanning that is exiting the customer's network. LDAP is an open protocol used for accessing and maintaining distributed directory information services","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"TEfhb8aqb5w6javGQkET","title":"ldap_scanning_internal","pathname":"/detection-models/library/reconnaissance/ldap_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network. What to Look For When examining the results of the ld","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"fgTc0d7Z3tae6UzVGezF","title":"ldap_scanning_outside_to_inside","pathname":"/detection-models/library/reconnaissance/ldap_scanning_outside_to_inside","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ldap_scanning_outside_to_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. 
LDAP scanning","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"JliVHwvYZiVJ1SSvlIH2","title":"local_zone_enumeration","pathname":"/detection-models/library/reconnaissance/local_zone_enumeration","siteSpaceId":"sitesp_pz8oP","description":"Explanation The local_zone_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"YtrF5WcCs29vKfAA1eqb","title":"mesvcdesk_scan_external_internal","pathname":"/detection-models/library/reconnaissance/mesvcdesk_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for an application service that ManageEngine ServiceDesk systems run on port 14003 that is hitting the customer’s network from the Internet. ManageE","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"6ksXh0uYPAwPaQrzRfYl","title":"mesvcdesk_scan_internal_external","pathname":"/detection-models/library/reconnaissance/mesvcdesk_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning activity exiting the customer's network that is looking for an application service that ManageEngine ServiceDesk systems run on port 14003. 
ManageEn","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"t9DKMlUmbnJL0LTjty59","title":"mesvcdesk_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/mesvcdesk_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning inside the customer's network for an application service that ManageEngine ServiceDesk systems run on port 14003. ManageEngine ServiceDesk is an ent","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"TRmGywALZVEmmXRCXe8P","title":"mongodb_scan_external_internal","pathname":"/detection-models/library/reconnaissance/mongodb_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for MongoDB that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplace. Under","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"UU6VbSXUPTb887Cmn0UV","title":"mongodb_scan_internal_external","pathname":"/detection-models/library/reconnaissance/mongodb_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for MongoDB that is exiting the customer's network. 
Outbound MongoDB scanning may be indicative of an infection and an attacker using a compromised","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"LS4asI5gyQtrjHAHOxAS","title":"mongodb_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/mongodb_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for MongoDB inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that yo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"W0FMzpmaZpH2SAkBq12R","title":"msmq_tcp_scan_external_internal","pathname":"/detection-models/library/reconnaissance/msmq_tcp_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"uaHKxMyHk99fgwgmPlWo","title":"msmq_tcp_scan_internal_external","pathname":"/detection-models/library/reconnaissance/msmq_tcp_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 that is exiting the customer's network. 
Microsoft Message Queuing is a messaging protocol that allows","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"5zvDlCsJJaG4GDMXgS3g","title":"msmq_tcp_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/msmq_tcp_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on TCP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"DIuCmbpC8RnHN1hF4ocE","title":"msmq_udp_scan_external_internal","pathname":"/detection-models/library/reconnaissance/msmq_udp_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is hitting the customer's network from the internet. Microsoft Message Queuing is a messaging pr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"ZRz0Yr8Cme0RJvMZjnWo","title":"msmq_udp_scan_internal_external","pathname":"/detection-models/library/reconnaissance/msmq_udp_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 that is exiting the customer's network. 
Microsoft Message Queuing is a messaging protocol that allows","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"2EefWz3CZ6AlpYJe94l3","title":"msmq_udp_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/msmq_udp_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft Message Queuing on UDP port 1801 inside a customer's network. Microsoft Message Queuing is a messaging protocol that allows applicatio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"egNNx5wl3hJQiBdjqiT3","title":"mssql_scan_external_internal","pathname":"/detection-models/library/reconnaissance/mssql_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"q4TNbQmenq91z6XXuZmf","title":"mssql_scan_internal_external","pathname":"/detection-models/library/reconnaissance/mssql_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft SQL Server that is exiting the customer's network. 
Outbound scanning may be indicative of an infection and an attacker using a comprom","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"a9n79f9k0mhfNVNF84qJ","title":"mssql_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/mssql_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Microsoft SQL Server inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"HSFsPRwm1QtVfAofTBve","title":"mysql_scan_internal_external","pathname":"/detection-models/library/reconnaissance/mysql_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for MySQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commonplac","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"1pYHkD8F6IVGwQ2OddTp","title":"mysql_scan_internal_external","pathname":"/detection-models/library/reconnaissance/mysql_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for MySQL databases that is exiting the customer's network. 
Outbound scanning may be indicative of an infection and an attacker using a compromised","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"vMFvzqTT85iCxEtNKPen","title":"mysql_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/mysql_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect MySQL database scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"sFvl0CIewUKzZFXfcdVC","title":"neo4j_scan_external_internal","pathname":"/detection-models/library/reconnaissance/neo4j_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is hitting the customer’s network from the Internet. Neo4j is a graph database. What to Look For Scanning activity on the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"AOCKhWIOS639ZB7Tvhxc","title":"neo4j_scan_internal_external","pathname":"/detection-models/library/reconnaissance/neo4j_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Neo4j (port 7474) that is exiting the customer's network. Neo4j is a graph database. 
Outbound scanning for Neo4j may be indicative of an infecti","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"SHhs9PebbwAEvZtY2JJB","title":"neo4j_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/neo4j_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Neo4j servers listening on port 7474 inside the customer's network. Neo4j is a graph database. What to Look For Unauthorized scanning activity l","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"sxtTU318X2Rms6Z7xH59","title":"nmapfingerprint","pathname":"/detection-models/library/reconnaissance/nmapfingerprint","siteSpaceId":"sitesp_pz8oP","description":"Explanation The nmapfingerprint NDM detects the presence of the NMAP fingerprint on the network. What to Look For To examine the results of the nmapfingerprint NDM Event, look for NMAP fingerprinting","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Z8NsT9c3qnTM3oxD7evR","title":"ping_scan_ext-int","pathname":"/detection-models/library/reconnaissance/ping_scan_ext-int","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ping_scan_ext-int event monitors for external to internal ping scans on the network. 
It detects when an external entity is trying to map out the internal infrastructure by pinging vari","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"6UnGOsXo3dXvEhiQLlIl","title":"ping_scan_int-ext","pathname":"/detection-models/library/reconnaissance/ping_scan_int-ext","siteSpaceId":"sitesp_pz8oP","description":"Explanation ping_scan_int-ext is a security event in the Netography Fusion Portal that looks for Internal to External Ping Scans. What to Look For If ping_scan_int-ext is triggered, it means that an i","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"yZNzHhXh816np24trDiD","title":"ping_scan_int-int","pathname":"/detection-models/library/reconnaissance/ping_scan_int-int","siteSpaceId":"sitesp_pz8oP","description":"Explanation The ping_scan_int-int is a security event that detects Internal to Internal Ping Scans on a network. What to Look For To examine the results of the ping_scan_int-int event, you should look","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"JY9qf0xlv2qYb92lh0gq","title":"pop3_scan_external_internal","pathname":"/detection-models/library/reconnaissance/pop3_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for POP3 that is hitting the customer’s network from the Internet. POP3 is an internet standard protocol for email retrieval. 
What to Look For Scann","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"55x7UGLr0SYCvQkqtfwi","title":"pop3_scan_internal_external","pathname":"/detection-models/library/reconnaissance/pop3_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for POP3 that is exiting the customer's network. POP3 is an internet standard protocol for email retrieval. Outbound POP3 scanning may be indicative","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Z9ZA4s4hTgwyF6UTC6Ud","title":"pop3_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/pop3_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for POP3 inside the customer's network. POP3 is an internet standard protocol for email retrieval. What to Look For Unauthorized scanning activity l","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Jcosu33nmlg6RFBBd5tX","title":"port_1433_scanning_internal","pathname":"/detection-models/library/reconnaissance/port_1433_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is triggered when there is an internal scanning activity on port 1433. 
This port is commonly associated with Microsoft's SQL server and is often targeted by attackers looking for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"ll6HawZzYCtDqleQN7kr","title":"port_1433_scanning_outbound","pathname":"/detection-models/library/reconnaissance/port_1433_scanning_outbound","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM detects outbound traffic indicating scanning for open port 1433. This port is commonly used for Microsoft SQL Server and if left open can allow unauthorized access to sensitive da","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"0L6dzmJS54ZCDUU5YmLY","title":"port_445_scanning_internal","pathname":"/detection-models/library/reconnaissance/port_445_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The port_445_scanning_internal event is triggered when a source IP is scanning internal networks for port 445, which is commonly used by Windows for file and printer sharing. This type of","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Iwmyz7pv6AB3ZLPomqsQ","title":"port_445_scanning_outbound","pathname":"/detection-models/library/reconnaissance/port_445_scanning_outbound","siteSpaceId":"sitesp_pz8oP","description":"Explanation The port_445_scanning_outbound NDM is designed to detect scanning for SMB that is exiting the customer's network. 
What to Look For To examine the results of the port_445_scanning_outbound","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"LMYu2PJ978VYhyJTnLQk","title":"port_62078_scanning_outbound","pathname":"/detection-models/library/reconnaissance/port_62078_scanning_outbound","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM detects scanning for open port 62078 outbound on the network. What to Look For To remediate or examine the problem, customers should look for any traffic attempting to scan outbou","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"vYASfjoX2a00p2fFbQ4k","title":"port_8443_scanning_internal","pathname":"/detection-models/library/reconnaissance/port_8443_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM was created by the Netography Threat Research team to detect unauthorized scanning activities on port 8443 inside the network. What to Look For When reviewing the results of this","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"bqEWGZC341Fl3wG1Z3re","title":"port_8443_scanning_outbound","pathname":"/detection-models/library/reconnaissance/port_8443_scanning_outbound","siteSpaceId":"sitesp_pz8oP","description":"Explanation The port_8443_scanning_outbound NDM detects outbound scans on port 8443 from the customer’s network. 
What to Look For To examine the results of the port_8443_scanning_outbound NDM, check t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"KC9nkvMw2G2NsdZWpTRa","title":"portscan","pathname":"/detection-models/library/reconnaissance/portscan","siteSpaceId":"sitesp_pz8oP","description":"Explanation Port scanning is a common technique used by attackers to identify vulnerabilities in a network. What to Look For When analyzing the results of this NDM event, look for unusual traffic patt","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"3bPczs2cZWMJa3osRI6h","title":"psql_scan_external_internal","pathname":"/detection-models/library/reconnaissance/psql_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for PostgreSQL databases that is hitting the customer’s network from the Internet. What to Look For Scanning activity on the Internet is quite commo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"xBNNl5lrjI350Dd2oVOc","title":"psql_scan_internal_external","pathname":"/detection-models/library/reconnaissance/psql_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for PostgreSQL databases that is exiting the customer's network. 
Outbound PostgreSQL scanning may be indicative of an infection and an attacker usin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"sIKJHbQRrOZl3Gk9oBly","title":"psql_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/psql_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for PostgreSQL databases inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indic","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"lwDgMp7NQ4aQApBzcqDk","title":"qualys_scanning","pathname":"/detection-models/library/reconnaissance/qualys_scanning","siteSpaceId":"sitesp_pz8oP","description":"Explanation The qualys_scanning NDM monitors your network for Qualys scanning activity. It identifies when Qualys attempts to scan a target host or network to determine the vulnerabilities present on","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"VLyu73pznkL3RtGlczVQ","title":"rdp_scanning_inside_to_outside","pathname":"/detection-models/library/reconnaissance/rdp_scanning_inside_to_outside","siteSpaceId":"sitesp_pz8oP","description":"Explanation The rdp_scanning_inside_to_outside NDM is designed to detect any Microsoft Remote Desktop Protocol (RDP) scanning that originates from inside a network and moves to outside the network. 
Wh","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"TuNFLMIVRfm8mPRL9l3K","title":"rdp_scanning_internal","pathname":"/detection-models/library/reconnaissance/rdp_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The rdp_scanning_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"fUMHrwyE1OcRHWKcgQl7","title":"rdp_scanning_outside_to_inside","pathname":"/detection-models/library/reconnaissance/rdp_scanning_outside_to_inside","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM was created by the Netography Threat Research team to detect Microsoft RDP scanning. It triggers when an external IP address attempts to scan the network for open RDP ports in an","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"FeqmP8LFO5Tv6KX92NrK","title":"redis_scan_external_internal","pathname":"/detection-models/library/reconnaissance/redis_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Redis scanning that is hitting the customer’s network from the Internet. 
Redis is a memory based key/value store that is often used to support web services.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"530LtewoPZRCoZ3eKD9h","title":"redis_scan_internal_external","pathname":"/detection-models/library/reconnaissance/redis_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Redis scanning that is exiting the customer's network. Redis is a memory based key/value store that is often used to support web services. Outbound Redis sca","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"lcqktnjkKhAX41ii0Teq","title":"redis_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/redis_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Redis scanning inside the customer's network. Redis is a memory based key/value store that is often used to support web services. What to Look For Unauthoriz","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"YEmUe2E6nLIZjLuC1hzs","title":"rockwellics_tcp_scan_external_internal","pathname":"/detection-models/library/reconnaissance/rockwellics_tcp_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is hitting the customer's network from the internet. 
Rockwell Automation provides program","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"w2XgtF7wUeEMpbQy250C","title":"rockwellics_tcp_scan_internal_external","pathname":"/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 that is exiting the customer's network. Rockwell Automation provides programmable controllers","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"bGxLGPlZNUQU5YYB52Wl","title":"rockwellics_tcp_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/rockwellics_tcp_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on TCP port 44818 inside a customer's network. Rockwell Automation provides programmable controllers for industr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"qmYyqPR325lSVZQfISf1","title":"rockwellics_udp_scan_external_internal","pathname":"/detection-models/library/reconnaissance/rockwellics_udp_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is hitting the customer's network from the Internet. 
Rockwell Automation provides programm","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"V95LuVc9wPADsP12SwnC","title":"rockwellics_udp_scan_internal_external","pathname":"/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 that is exiting the customer's network. Rockwell Automation provides programmable controllers f","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"niIhFxWxPxpb0E5N4NmU","title":"rockwellics_udp_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/rockwellics_udp_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Rockwell Automation ICS systems on UDP port 2222 inside the customer's network. Rockwell Automation provides programmable controllers for indust","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"kI9rJ4xy1ioIc7rwvDP0","title":"rstscan","pathname":"/detection-models/library/reconnaissance/rstscan","siteSpaceId":"sitesp_pz8oP","description":"Explanation rstscan is a detection model that identifies RST scanning activity on the network. RST scanning is a technique used by attackers to probe for open ports on a target system. 
This activity i","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"hpuTnlpGAn0MgonviRlr","title":"scanner_rwth_aachen_univ","pathname":"/detection-models/library/reconnaissance/scanner_rwth_aachen_univ","siteSpaceId":"sitesp_pz8oP","description":"Explanation The scanner_rwth_aachen_univ NDM is designed to detect unauthorized access attempts to the research scanning systems at RWTH Aachen University. The NDM creates an alert when an attempt is","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"a57Um6oQkPnoqvkh0Hnu","title":"shadowserver_scanning","pathname":"/detection-models/library/reconnaissance/shadowserver_scanning","siteSpaceId":"sitesp_pz8oP","description":"Explanation The shadowserver_scanning NDM is designed to detect when Shadowserver.org is scanning the network. This type of scanning is often associated with malicious activity and may indicate an att","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"LxBLBl3FRBCVuW8SxIuH","title":"shodan_scanners","pathname":"/detection-models/library/reconnaissance/shodan_scanners","siteSpaceId":"sitesp_pz8oP","description":"Explanation The shodan_scanners NDM is designed to detect instances of Shodan scanning your network. 
What to Look For To examine the results of the shodan_scanners event, look for unusual network traf","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"8PllTT3f13xvNnLpBGlH","title":"smartinst_scan_external_internal","pathname":"/detection-models/library/reconnaissance/smartinst_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Cisco SmartInstall scanning that is hitting the customer’s network from the Internet. Cisco SmartInstall is a configuration and image-management feature for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"wbAg2eknKHKyd4j77evp","title":"smartinst_scan_internal_external","pathname":"/detection-models/library/reconnaissance/smartinst_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Cisco SmartInstall that is exiting the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. Outb","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"pXRkicYudjVwxpkfN07C","title":"smartinst_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/smartinst_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Cisco SmartInstall scanning inside the customer's network. Cisco SmartInstall is a configuration and image-management feature for switches. 
What to Look For","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"S9DhgQst25ltrwiul5ca","title":"ssh_scan_internal_external","pathname":"/detection-models/library/reconnaissance/ssh_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for SSH that is exiting the customer's network. Outbound SSH scanning may be indicative of an infection and an attacker using a compromised machine","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"4Z31lJrasq18ae6dvwhC","title":"ssh_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/ssh_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect SSH scanning inside the customer's network. What to Look For Unauthorized scanning activity launched inside your network may be an indication that your netwo","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"zreMKqwD3Pc9NwbLgFEl","title":"synscan_external_internal","pathname":"/detection-models/library/reconnaissance/synscan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The synscan_external_internal NDM looks for SYN scanning, an indication that an attacker is attempting to map out a network by sending multiple SYN requests to various endpoints to determi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"U9Ndd0xtTG6sn0gpZwir","title":"synscan_internal_external","pathname":"/detection-models/library/reconnaissance/synscan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation The 
synscan_internal_external NDM detects SYN scanning activity exiting the network. This event is triggered when an internal IP is found to be scanning external IPs via multiple SYN packe","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"did9QrUfoeUz59fsQHAp","title":"synscan_internal_internal","pathname":"/detection-models/library/reconnaissance/synscan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The synscan_internal_internal NDM is designed to detect SYN scanning on internal networks. This NDM monitors for excessive SYN packets that can indicate malicious activity and flags any su","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"m2mFkcgxSKLSVfr3gE6u","title":"teamviewer_inside_to_outside","pathname":"/detection-models/library/reconnaissance/teamviewer_inside_to_outside","siteSpaceId":"sitesp_pz8oP","description":"Explanation This Netography Detection Model is designed to catch scans looking for instances of TeamViewer from a source inside your network to the outside. What to Look For When examining the results","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"lqT5qOhUT9hseBmgF215","title":"teamviewer_out_to_inside","pathname":"/detection-models/library/reconnaissance/teamviewer_out_to_inside","siteSpaceId":"sitesp_pz8oP","description":"Explanation The teamviewer_out_to_inside NDM is designed to detect TeamViewer scanning that is hitting the customer’s network from the Internet. 
TeamViewer is a remote access software application that","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"vfH6ANqSh0WdkO45AMTD","title":"teamviewer_scanning_internal","pathname":"/detection-models/library/reconnaissance/teamviewer_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The teamviewer_scanning_internal NDM is designed to detect any unauthorized scans on your internal network looking for the TeamViewer software. What to Look For To identify teamviewer_scan","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"u743pAcNlqKACHJJ50iU","title":"veeam_scan_external_internal","pathname":"/detection-models/library/reconnaissance/veeam_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Veeam Backup scanning that is hitting the customer’s network from the Internet. Veeam Backup is a network backup application. What to Look For Scanning activ","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"7cN9nzjFxs5zSwerIOjo","title":"veeam_scan_internal_external","pathname":"/detection-models/library/reconnaissance/veeam_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect scanning for Veeam Backup systems that is exiting the customer's network. Veeam Backup is a network backup application. 
Outbound Veeam Backup scanning may be","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"zMuZrUacdcasbSERU61J","title":"veeam_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/veeam_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Veeam Backup scanning inside the customer's network. Veeam Backup is a network backup application. What to Look For Unauthorized scanning activity launched i","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"r3UwK07M9JJKW1VWpi8b","title":"vnc_scanning_inside_to_outside","pathname":"/detection-models/library/reconnaissance/vnc_scanning_inside_to_outside","siteSpaceId":"sitesp_pz8oP","description":"Explanation The vnc_scanning_inside_to_outside Netography detection model (NDM) is designed to identify any internal VNC scanning activity targeting external destination hosts. It works by monitoring","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"vEzKcaKk2GEsEwuvXhiJ","title":"vnc_scanning_internal","pathname":"/detection-models/library/reconnaissance/vnc_scanning_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation The vnc_scanning_internal Netography detection model (NDM) is designed to identify any internal VNC scanning activity taking place within a network. 
It works by monitoring traffic on the n","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"2NA8LYAKoRmBdX3OJb0n","title":"vnc_scanning_outside_to_inside","pathname":"/detection-models/library/reconnaissance/vnc_scanning_outside_to_inside","siteSpaceId":"sitesp_pz8oP","description":"Explanation The vnc_scanning_outside_to_inside NDM is designed to detect VNC scanning activity on a network. This activity can occur when an attacker attempts to move from an outside network to an ins","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"MU4nPCwjXx3X8q6onJKg","title":"weblogic_scan_external_internal","pathname":"/detection-models/library/reconnaissance/weblogic_scan_external_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Weblogic scanning that is hitting the customer’s network from the Internet. Weblogic is an enterprise application server. What to Look For Scanning activity","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"s6ThVJBHgTIkxJpjxy5C","title":"weblogic_scan_internal_external","pathname":"/detection-models/library/reconnaissance/weblogic_scan_internal_external","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Weblogic scanning that is exiting the customer's network. Weblogic is an enterprise application server. 
Outbound Weblogic scanning may be indicative of an in","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"UqU51oS8PsIkIMPiDf1D","title":"weblogic_scan_internal_internal","pathname":"/detection-models/library/reconnaissance/weblogic_scan_internal_internal","siteSpaceId":"sitesp_pz8oP","description":"Explanation This NDM is designed to detect Weblogic scanning inside the customer's network. Weblogic is an enterprise application server. What to Look For Unauthorized scanning activity launched insid","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"Ix1u8UxXaaFxMskiQv15","title":"xmastree","pathname":"/detection-models/library/reconnaissance/xmastree","siteSpaceId":"sitesp_pz8oP","description":"Explanation The xmastree NDM monitors network traffic for flows with XMAS Tree packets (FIN, PSH, and URG) which are typically associated with attackers attempting to evade detection or compromise the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"Reconnaissance"}]},{"id":"tapbSFEzWSF24pts7158","title":"System","pathname":"/detection-models/library/system","siteSpaceId":"sitesp_pz8oP","description":"System detections within Netography Fusion's Netography Detection Models (NDMs) identify conditions that relate to the overall health of Netography system and flow collection. 
System detections help n","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"}]},{"id":"z9m17U1LqiwDu4sOmrQo","title":"clocksync","pathname":"/detection-models/library/system/clocksync","siteSpaceId":"sitesp_pz8oP","description":"Explanation The clocksync NDM is a system NDM designed to detect situations where a flow source is sending flows to Netography with timestamps that are out of sync with Netography’s clock. Bad timesta","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"System"}]},{"id":"ezs0VsYVlwNFDmGrDPRy","title":"flowrate","pathname":"/detection-models/library/system/flowrate","siteSpaceId":"sitesp_pz8oP","description":"Explanation The flowrate NDM is an opt-in system NDM designed to fire if the rate of flows received by Netography from a particular flow source exceeds a certain threshold within an hour. What to Look","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"System"}]},{"id":"XkKRg1LUOs5fmae1XnnP","title":"noflow","pathname":"/detection-models/library/system/noflow","siteSpaceId":"sitesp_pz8oP","description":"Explanation The noflow NDM is a system NDM that fires when no flow is being received by Netography from a configured flow source. What to Look For This condition most likely means that the device that","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"},{"label":"Detection Model Library"},{"label":"System"}]},{"id":"j0BrG9cZKLGreexCsX3v","title":"Threat Intelligence","pathname":"/detection-models/threat-intelligence","siteSpaceId":"sitesp_pz8oP","description":"Summary As flows are ingested into the system, lookups are done on both source IP and destination IP so that their reputation is determined at the time the flow happened. 
Every flow record contains an","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"8sKIKHooiZA2R0DHBOom","title":"Detection Categories","pathname":"/detection-models/detection-categories-1","siteSpaceId":"sitesp_pz8oP","description":"Detection categories are similar to flow tags. They are used to group or ‘categorize’ detection models, after which rules - based on categories - can be crafted. System The system categories are based","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Detection Models"}]},{"id":"jVs8cqSKRCeGX0Aqtc3U","title":"About Dashboards","pathname":"/dashboards/about","siteSpaceId":"sitesp_pz8oP","description":"Overview Quickstart: Dashboards A dashboard is a visual interface that consolidates and displays data from various sources in a single view, making it easy to monitor, analyze, and interpret key metri","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"}]},{"id":"Dy7dRDeKESdBjAvsjl1I","title":"System Dashboards","pathname":"/dashboards/system","siteSpaceId":"sitesp_pz8oP","description":"About System Dashboards System Dashboards provides a comprehensive suite of tools and visualizations designed to help administrators monitor, analyze, and secure network infrastructure. Through a vari","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"}]},{"id":"rp55uGuK9alyoPRA73WV","title":"Bandwidth Management","pathname":"/dashboards/system/bandwidth-management","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Bandwidth Management dashboard provides a detailed view of network bandwidth usage, enabling users to monitor traffic by interface and external sources (ASNs). 
This dash","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"owL3NUSUFXBTE70TapFL","title":"Flow Outages","pathname":"/dashboards/system/flow-outages","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Flow Outages dashboard provides insights into network flow disruptions, enabling users to monitor the flow rate and detect any outages in real time. This dashboard is de","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"UmQkA4ia9MOsPfMX4sv7","title":"Peering Analytics","pathname":"/dashboards/system/peering-analytics","siteSpaceId":"sitesp_pz8oP","description":"Preview Peering Analytics Purpose : The Peering Analytics dashboard provides a comprehensive view of traffic flows between Autonomous System Numbers (ASNs), IP addresses, ports, and geographic locatio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"shWVrZJ9eqhsVnvTOm40","title":"Audit Log Activity","pathname":"/dashboards/system/audit-log-activity","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Audit Log Activity dashboard provides detailed tracking of user actions, classes of activity, and audit logs within the system. This dashboard helps administrators monit","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"4cSrhd68t0Wntv6KfAcl","title":"DNS Overview","pathname":"/dashboards/system/dns-overview","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The DNS Overview dashboard provides insights into DNS query patterns, failures, and domain usage. 
This dashboard is essential for network administrators to monitor DNS traff","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"vzOPudVDWKb6BqiGrXfD","title":"Initial Home","pathname":"/dashboards/system/initial-home","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Initial Home dashboard provides a high-level overview of network activity, flow analysis, DNS queries, and detection alerts. It helps network administrators monitor esse","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"ttYtIhbRmBXvYoqwgmFb","title":"Network Overview","pathname":"/dashboards/system/network-overview","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Network Overview dashboard offers a summary of network activity, providing insights into protocols, source regions, Autonomous Systems (ASNs), alert trends, and traffic","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"r6P5lqxOLocgUiUaIPxN","title":"Response Integration Blocks","pathname":"/dashboards/system/response-integration-blocks","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Response Integration Blocks dashboard provides visibility into the block rates and block history associated with security policies. It is designed to help administrators","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"5uSOqYL5VJT6FLbug24u","title":"Security Overview","pathname":"/dashboards/system/security-overview","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Security Overview dashboard provides a comprehensive view of security events, top threat-related activities, and internal and external traffic flows. 
It is designed to h","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"xgpP1t0LBVEfL1AzHqU8","title":"Traffic Overview","pathname":"/dashboards/system/traffic-overview","siteSpaceId":"sitesp_pz8oP","description":"Preview Overview Purpose : The Traffic Overview dashboard provides insights into network traffic patterns, including bitrate, packet rate, flow rate, protocol and port distributions, and TCP flag usag","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"System Dashboards"}]},{"id":"1znzytcKuyeJYLeM4iHL","title":"Manage Dashboards","pathname":"/dashboards/manage","siteSpaceId":"sitesp_pz8oP","description":"Overview You view and manage dashboards, dashboard features, and dashboard settings in Fusion on different pages in the interface. Once a dashboard is in Open or in Edit mode, Fusion displays addition","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"}]},{"id":"l5aPSe26iZWEg3RwA0qu","title":"Custom Dashboards","pathname":"/dashboards/manage/your-dashboards","siteSpaceId":"sitesp_pz8oP","description":"Overview “Custom dashboards are created by users in your organization, and can be edited and customized to fit your needs.” “System Dashboards are created by Netography and cannot be edited.” Getting","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"Manage Dashboards"}]},{"id":"wTMqJcmJjgr39N6IacNi","title":"Add a Dashboard","pathname":"/dashboards/manage/add-dashboard","siteSpaceId":"sitesp_pz8oP","description":"Overview When you create a new dashboard, the system generates an empty container that serves as the foundation for your data visualizations. 
This container is designed to hold widgets, which are indi","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"Manage Dashboards"}]},{"id":"fjiyXJPXFDEgmYxBJ0JD","title":"Edit Dashboard Settings","pathname":"/dashboards/manage/settings","siteSpaceId":"sitesp_pz8oP","description":"Overview Dashboard Settings allows you to customize, edit, and delete dashboards. Getting Here To access an existing dashboard's Settings page, you must Edit the dashboard by using the following steps.","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"Manage Dashboards"}]},{"id":"mDmyzFO6WWfaHBgJX2pv","title":"Edit a Dashboard","pathname":"/dashboards/manage/edit-a-dashboard","siteSpaceId":"sitesp_pz8oP","description":"Overview This page provides guidance on how to modify existing dashboards. Whether you need to adjust the layout, update visualizations, change data sources, or customize settings, the editing tools a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"Manage Dashboards"}]},{"id":"i8q10lwjaBVpMWbgQWbH","title":"Schedule Dashboard","pathname":"/dashboards/manage/schedule","siteSpaceId":"sitesp_pz8oP","description":"Overview The Schedule page allows you to automate the delivery of dashboards at specified intervals. Use this form to configure the scheduling, recipients, and dashboard display settings for regularly","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"Manage Dashboards"}]},{"id":"wP3uIkowN8wZFtXg0YlC","title":"About Widgets","pathname":"/dashboards/widgets","siteSpaceId":"sitesp_pz8oP","description":"Overview Fusion's dashboards provide data visualization using widgets. 
Widgets are individual components or elements that display specific types of data or perform particular functions within the dashb","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"}]},{"id":"y2JiDJ3XhzWtHOLDtvpZ","title":"About Widget Containers","pathname":"/dashboards/widgets/widget-container","siteSpaceId":"sitesp_pz8oP","description":"Overview You can interact with widgets using their widget container options. Some options do not appear unless the dashboard is unlocked and in edit mode. See Edit a Dashboard for more information. Get","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"}]},{"id":"irOjwAC57zmOyqkuRDpm","title":"Manage Widgets","pathname":"/dashboards/widgets/index","siteSpaceId":"sitesp_pz8oP","description":"Overview You can interact and change the layout of the Dashboard by rearranging, moving, or deleting its widgets. Icon ID Action Description 1 Identifies customized values This icon indicates the widg","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"}]},{"id":"u3hEWZcWyR25jVzrwLhf","title":"Add a Widget","pathname":"/dashboards/widgets/index/add-a-widget","siteSpaceId":"sitesp_pz8oP","description":"Overview This guide explains how to add widgets in Fusion to enhance your dashboards with visualizations and insights tailored to your needs. Adding widgets allows you to introduce new metrics, charts","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"},{"label":"Manage Widgets"}]},{"id":"fjQMbOWznuhUEtcZMQQW","title":"Edit a Widget","pathname":"/dashboards/widgets/index/edit-widget","siteSpaceId":"sitesp_pz8oP","description":"Overview This guide explains how to edit widgets in Fusion to better align with your data visualization needs. 
Editing a widget allows you to customize its appearance, data source, and settings, ensur","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"},{"label":"Manage Widgets"}]},{"id":"ZQo9x2stlmLSfvjumUrM","title":"Copy a Widget","pathname":"/dashboards/widgets/index/copy-widget","siteSpaceId":"sitesp_pz8oP","description":"Overview This guide explains how to copy widgets within Fusion to either the current dashboard or another dashboard. Copying widgets is a quick and efficient way to replicate useful visualizations, me","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"},{"label":"Manage Widgets"}]},{"id":"Ng3AO9JpPVkEMr3ITtya","title":"Delete Widget","pathname":"/dashboards/widgets/index/delete-widget","siteSpaceId":"sitesp_pz8oP","description":"Getting Here To delete a widget embedded in a dashboard, you must first Edit the dashboard. Delete a Widget To delete a widget, hover over the right corner of the widget container; a menu of icons app","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"},{"label":"Manage Widgets"}]},{"id":"Xg1EtQyZ1tOhCdembb1E","title":"Widget Categories & Widget Types","pathname":"/dashboards/widgets/widget-glossary","siteSpaceId":"sitesp_pz8oP","description":"Overview This page provides an overview of the widget types available in Fusion for building dashboards. Each widget supports specific data categories—Flow, DNS, Traffic, Events, Blocks, and Audit Log","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Dashboards"},{"label":"About Widgets"}]},{"id":"otvopQ9geI8AMwIoUxY1","title":"Viewing Events","pathname":"/events/viewing","siteSpaceId":"sitesp_pz8oP","description":"The Events page is a crucial hub within the Fusion Portal, offering an organized and insightful view of key activities and trends. 
To get started understanding Events in Fusion, see: Quickstart: Event","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"EVENTS"}]},{"id":"g0SgMsngwSK1RMcW9hLx","title":"Events by MITRE ATT&CK","pathname":"/events/mitre","siteSpaceId":"sitesp_pz8oP","description":"The Events by MITRE page provides a heat map and table that organizes events into MITRE ATT&amp;CK® Framework tactics and techniques. Each column represents a Tactic , with the Techniques related to t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"EVENTS"}]},{"id":"uGIJShYWJvsKalWOcAdZ","title":"About Settings","pathname":"/settings/about","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Left main navigation &gt; ( ) Settings link. or In the upper right corner of the Fusion UI, the gear ( ) icon links to the Settings page and displays the following sections and sub-page:","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"}]},{"id":"lFtGbDifLxWOcAmuDLH5","title":"Account","pathname":"/settings/account","siteSpaceId":"sitesp_pz8oP","description":"In Fusion Settings, the Account category covers the following feature settings: Overview Billing Audit Logs Customers","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"}]},{"id":"pSyHFJC0yJTJ1pjDrjlA","title":"Overview","pathname":"/settings/account/account-overview","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; Account Accounts Overview Page The Accounts Overview page displays and allows you to manage the general settings of your company's account. The following sections and settin","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Account"}]},{"id":"sLtJBb57IsX1ZLLYXk9V","title":"Billing","pathname":"/settings/account/billing","siteSpaceId":"sitesp_pz8oP","description":"Overview The Billing page displays subscription details, data usage and allows users to manage subscription. 
The page is available and visible only to PLG customers that's user role has the ability to","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Account"}]},{"id":"IchjeO6NDe997JRe38aZ","title":"Audit Logs","pathname":"/settings/account/audit-logs","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; Audit Logs Audit Logs Page The Audit Logs page provides detailed records of account activity, including user authentication, account usage, and system events. The page enabl","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Account"}]},{"id":"7mbsvenlJ0XDXnO2i5zW","title":"Customers","pathname":"/settings/account/index","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; Customers Customers Page The Customers Page provides an overview of accounts with their respective details, including sub-accounts or resellers. The table includes essential","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Account"}]},{"id":"wu58Bv7pdDtoT8YSORgi","title":"Manage Customers","pathname":"/settings/account/index/manage-customers","siteSpaceId":"sitesp_pz8oP","description":"This page details information on how to: Add a customer Edit a customer Login-to another Customer (Masquerade) Delete a customer Add Customer Getting Here Settings &gt; Customers &gt; Add Customer The","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Account"},{"label":"Customers"}]},{"id":"Jg8LceMuIR3JNGwjqki5","title":"My Profile","pathname":"/settings/profile","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; My Profile &gt; Details The Details page under the \"My Profile\" category displays and allows editing of user-specific information, including contact details, account role, 
a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"}]},{"id":"wTq0Kw3VgorNk9ePLzzQ","title":"Details","pathname":"/settings/profile/details","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; My Profile &gt; Details The Details page under the \"My Profile\" category displays and allows editing of user-specific information, including contact details, account role, a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"My Profile"}]},{"id":"ey7ZfvevdMxeTTgq4UIf","title":"Personalization","pathname":"/settings/profile/personalization","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; My Profile &gt; Personalization My Profile - Personalization The Personalization page under \"My Profile\" allows users to customize their interface preferences, including the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"My Profile"}]},{"id":"nYbDTmbt1hFHWfFTaYEJ","title":"Activity","pathname":"/settings/profile/activity","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; My Profile &gt; Activity My Profile - Activity The Activity page under \"My Profile\" provides a detailed history of the user's active sessions, including IP addresses, sessio","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"My Profile"}]},{"id":"3kUwpSUxpckbHLpseekZ","title":"Security","pathname":"/settings/profile/security","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; My Profile &gt; Security My Profile - Security The Security page under \"My Profile\" allows users to manage their password and multi-factor authentication (MFA) settings for","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"My Profile"}]},{"id":"cwQn4vnxt9QY9XeXZSs3","title":"User 
Management","pathname":"/settings/user-management","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"}]},{"id":"SV636zkA6VbaAVMQsO56","title":"API Keys","pathname":"/settings/user-management/index","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; User Management &gt; API Keys User Management - API Keys The API Keys page under User Management allows you to view, manage, and create API keys for system integrations, acc","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"}]},{"id":"Ybsk6KzlQGWYjihas0D9","title":"Add API Key","pathname":"/settings/user-management/index/add-api-key","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; User Management &gt; API Keys &gt; Add API Key button Add New API Key Form The Add New API Key form allows users to create and configure API keys for accessing system integr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"API Keys"}]},{"id":"AbZcJNNbgrmKhJRVcFbU","title":"API Shared Secret","pathname":"/settings/user-management/index/api-shared-secret","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; API Keys API Shared Secret Button The API Shared Secret button allows administrators to view, regenerate, and manage the shared secret used for encoding and validating API k","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"API Keys"}]},{"id":"hzMjO2Vdp2zX0DQN7z39","title":"Roles","pathname":"/settings/user-management/index-1","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; User Management &gt; Roles Page User Management - Roles Page The Roles Page under User Management allows administrators to manage user roles, their associated permissions, 
a","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"}]},{"id":"pUIgQCWODG87mW5M7BKu","title":"Add Role","pathname":"/settings/user-management/index-1/add-role","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; Roles &gt; Add Role button. Fusion has built-in system roles identified by the gear icon. However, the Add Role Form allows administrators to create and configure new roles","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"Roles"}]},{"id":"afZl53fCgGSXxkr85oOz","title":"Edit Role","pathname":"/settings/user-management/index-1/edit-role","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Click the ellipse (3 dots) icon at the beginning of the row customer row you want to masquerade. Click Edit . The edit page allows you to: Modify available settings Delete the Role","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"Roles"}]},{"id":"szDka6VLY52xMdvRfdbO","title":"Password & Security","pathname":"/settings/user-management/password-security","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; User Management &gt; Password &amp; Security User Management - Password &amp; Security The Password &amp; Security Page allows administrators to configure password policies,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"}]},{"id":"cfXmN1wy92qnKfgZTdjv","title":"SSO","pathname":"/settings/user-management/index-2","siteSpaceId":"sitesp_pz8oP","description":"Getting Here Settings &gt; User Management &gt; SSO User Management - SSO Page The SSO Page allows administrators to configure Single Sign-On (SSO) using SAML. 
Additional password configuration option","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"}]},{"id":"uhhgGjmEkr7wlppwbT7h","title":"SSO with GSuite (Google Workspace)","pathname":"/settings/user-management/index-2/configuring-sso-with-gsuite","siteSpaceId":"sitesp_pz8oP","description":"Netography Configuration Netography’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator. Navigate to Settings","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"SSO"}]},{"id":"EeJMchdqPMuoW7zj9FAP","title":"SSO with Auth0","pathname":"/settings/user-management/index-2/configuring-sso-with-auth0","siteSpaceId":"sitesp_pz8oP","description":"Netography’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator. Navigate to Settings &gt; SSO and enable SAML","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"SSO"}]},{"id":"pEpV6gyZni6TsNCQ97s8","title":"SSO with Okta","pathname":"/settings/user-management/index-2/configuring-sso-with-okta","siteSpaceId":"sitesp_pz8oP","description":"Netography Configuration Netography’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator. Navigate to Settings","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"SSO"}]},{"id":"FTNJauOrWH0y5wp11vBz","title":"SSO with PingOne","pathname":"/settings/user-management/index-2/configuring-sso-with-pingone","siteSpaceId":"sitesp_pz8oP","description":"Netography Fusion Configuration Netography’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Netography account as an administrator. 
Navigate to Se","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"User Management"},{"label":"SSO"}]},{"id":"eEDd5cB4kUbTZZXcQGCv","title":"Data Management","pathname":"/settings/data-management","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"}]},{"id":"doj8ymXrtLuN9JbQCp9o","title":"Traffic Sources","pathname":"/settings/data-management/traffic-sources","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Data Management"}]},{"id":"xx9AbrAmJnk2B9i2mWqF","title":"Context Integrations","pathname":"/settings/data-management/context-integrations","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Data Management"}]},{"id":"l34yXM70tuTRLgnOcJSd","title":"Context Labels","pathname":"/settings/data-management/context-labels","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Data Management"}]},{"id":"snuxgKi4ZTHcAsWjQLEr","title":"Flow Tags","pathname":"/settings/data-management/flow-tags","siteSpaceId":"sitesp_pz8oP","description":"Flow tags are labels that are applied to flow data, based on user-defined criteria and are activated as Netography ingests the data into the platform. The required fields are the Rule Name for specify","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Data Management"}]},{"id":"DudD5J5DHgZ59GdTFq4S","title":"Traffic Classification","pathname":"/settings/data-management/traffic-classifications","siteSpaceId":"sitesp_pz8oP","description":"Traffic Classifications define the internal IP address blocks and domain names for your organization. 
This is an important configuration step for Fusion, as understanding internal vs external communic","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Settings"},{"label":"Data Management"}]},{"id":"3VwpxgaK3QaWot5UIDAl","title":"NQL Overview and Syntax","pathname":"/netography-query-language/nql-overview-and-basics","siteSpaceId":"sitesp_pz8oP","description":"The Netography Query Language Explained","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"0fdJdhpsuO1004SnxLtu","title":"NQL Quick Reference Guide","pathname":"/netography-query-language/nql-quick","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"gE9q8DbM5WQcCnf2SJY4","title":"NQL Keywords","pathname":"/netography-query-language/nql-value-suggestions","siteSpaceId":"sitesp_pz8oP","description":"Looking up NQL Keywords in Fusion When constructing NQL queries in the Fusion Portal, the list of both the available fields and values (when applicable) will automatically appear in a dropdown below t","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"OFVYaHx3sGTKa8xuRD5o","title":"NQL Presets","pathname":"/netography-query-language/nql-presets","siteSpaceId":"sitesp_pz8oP","description":"Using NQL Presets If you click the text box in the Global Filter ((the bar at the top of the Portal), it brings up a list of Keywords (see: How to find available NQL fields , Recent Queries, and Prese","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"aFGU27h4SfeECGGlDj23","title":"NQL Examples","pathname":"/netography-query-language/nql-examples","siteSpaceId":"sitesp_pz8oP","description":"We have categorized these examples and provided a base query that you can customize to your own infrastructure and network topography: Search for and alert on specific traffic For example, East/West 
o","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"irChkIGkad53GsHsYfth","title":"How to find available NQL fields","pathname":"/netography-query-language/how-to-find-available-nql-fields","siteSpaceId":"sitesp_pz8oP","description":"The list of available fields for use in NQL conditions can be found in the following manners: Throughout the fusion portal, table column headers are the same fields used in NQL For flow, event (alert)","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netography Query Language"}]},{"id":"luEOlIw0ac9JgnMIZuaj","title":"About NetoFlow","pathname":"/netoflow-connector/about","siteSpaceId":"sitesp_pz8oP","description":"Overview The NetoFlow Connector is software you can run in your environment to collect NetFlow, sFlow, and IPFIX from your network devices and deliver those flow records to Netography Fusion. Its purp","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"Z3C4z4RbBsISVnSFLbaJ","title":"Quickstart: Run NetoFlow","pathname":"/netoflow-connector/quickstart","siteSpaceId":"sitesp_pz8oP","emoji":"1f3c1","description":"Installing and running NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector . If you have a Docker host, you can run NetoFlow in only a few seconds. Create a new API key in","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"hrAv0BQI66jyaD7qhcIf","title":"Install NetoFlow (container)","pathname":"/netoflow-connector/install-container","siteSpaceId":"sitesp_pz8oP","description":"Installing NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector . 
If you want to run the container without going through all the details and options, see: 🏁 Quickstart: Ru","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"vBAMoGFrJ7B59I8Ygyx3","title":"Install NetoFlow (Linux package)","pathname":"/netoflow-connector/install-linux","siteSpaceId":"sitesp_pz8oP","description":"Installing NetoFlow is part of the steps to Ingest NetFlow/sFlow via the NetoFlow Connector . Deployment Options NetoFlow is available as a Docker-compatible container or a Linux software package. To","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"gfc63ZHCU1ILEsau22zs","title":"Configure NetoFlow","pathname":"/netoflow-connector/configure","siteSpaceId":"sitesp_pz8oP","description":"You can run NetoFlow with the default configuration, which should be sufficient for most deployments. Modifying the configuration NetoFlow uses a layered configuration that will read configuration fro","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"D9fWENRSAlSC2jJWlz0A","title":"Reading statistics from NetoFlow API","pathname":"/netoflow-connector/reading-statistics","siteSpaceId":"sitesp_pz8oP","description":"About the NetoFlow API The NetoFlow API is a very simple API endpoint that provides client-side statistics from a running NetoFlow instance. By default, the API listens on TCP port 8080. The API is un","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"eGAW11asiZnDQzwJNddd","title":"Security Considerations","pathname":"/netoflow-connector/security-considerations","siteSpaceId":"sitesp_pz8oP","description":"Overview NetoFlow has API access to Netography Fusion to upload NetFlow and sFlow records. 
A threat actor that gains access to the system you deploy NetoFlow on in your environment could read these cr","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netoflow connector"}]},{"id":"IoeNxSy5XUTgiMCNRkAe","title":"About NetoFuse","pathname":"/netofuse/about","siteSpaceId":"sitesp_pz8oP","description":"About NetoFuse is software you can run in your environment or can be hosted by Netography in the cloud to provide enriched asset context to Netography Fusion from 3rd party products. This is done by r","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"S7hhlRqXpThbhe5UsFsD","title":"Get Started","pathname":"/netofuse/get-started","siteSpaceId":"sitesp_pz8oP","description":"☁️ To use NetoFuse modules deployed in the cloud as part of the Netography Fusion SaaS, add and configure them as Context Integrations. These instructions are only necessary if you want to deploy Neto","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"FdcehJcip24AUHhM0h4V","title":"Install","pathname":"/netofuse/get-started/install","siteSpaceId":"sitesp_pz8oP","description":"☁️ To use NetoFuse modules deployed in the cloud as part of the Netography Fusion SaaS, add and configure them as Context Integrations. These instructions are only necessary if you want to deploy Neto","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"Get Started"}]},{"id":"SrluJFYL4s4xc6TDd5KA","title":"Run NetoFuse","pathname":"/netofuse/get-started/launch","siteSpaceId":"sitesp_pz8oP","description":"After Install is complete, perform the following steps to run the desired NetoFuse module(s): 1. 
Set Netography Fusion API Credentials NetoFuse requires a Netography Fusion API key to upload context l","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"Get Started"}]},{"id":"QogjpzMNboY0S4GeWsN8","title":"Scheduling NetoFuse","pathname":"/netofuse/get-started/run","siteSpaceId":"sitesp_pz8oP","description":"📘 File locations: These instructions assume files are in the following locations, but you can change this by adjusting the scripts and commands accordingly: /etc/netofuse/netofuse.yml Configuration f","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"Get Started"}]},{"id":"dKHNarUOpeKwTNzcjA7h","title":"NetoFuse Modules","pathname":"/netofuse/modules","siteSpaceId":"sitesp_pz8oP","description":"NetoFuse modules are software components of NetoFuse that integrate a 3rd party product or provide a mechanism for integration to products. NetoFuse ships with a library of modules, and you can also d","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"q3dZ9bdpI3gSEfWs6KcD","title":"Axonius","pathname":"/netofuse/modules/axonius","siteSpaceId":"sitesp_pz8oP","description":"About The Axonius NetoFuse module provides enriched asset context to Netography Fusion from Axonius. It connects to the Axonius Platform API to retrieve asset information and then uploads it as Contex","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"K8UEjGkJkycAqSc8ogI7","title":"Claroty","pathname":"/netofuse/modules/claroty","siteSpaceId":"sitesp_pz8oP","description":"About The Claroty context integration provides enriched asset context to Netography Fusion from Claroty Industrial Cybersecurity appliances. 
It connects to the Claroty CTD/EMC API to retrieve asset in","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"NxEwzl9NG22RhLqOcl76","title":"Device42","pathname":"/netofuse/modules/device42","siteSpaceId":"sitesp_pz8oP","description":"About The Device42 NetoFuse module provides enriched asset context to Netography Fusion from the Device42 asset management platform. It connects to the Device42 API to retrieve asset information from","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"aa5Jnhqe3NRuYYb72hAe","title":"Local File","pathname":"/netofuse/modules/local-file","siteSpaceId":"sitesp_pz8oP","description":"About The Local File NetoFuse module provides enriched asset context to Netography Fusion from a CSV or JSON file read from the local filesystem. It reads, transforms, and uploads Context Labels to th","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"yFHnMN8c9HoaMvRxSYaf","title":"Microsoft","pathname":"/netofuse/modules/microsoft","siteSpaceId":"sitesp_pz8oP","description":"Supported Products Microsoft Defender For Endpoint The Microsoft Defender for Endpoint NetoFuse module provides enriched asset context to Netography Fusion from Microsoft Defender for Endpoint. It con","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"68EojtA8reh0cAe7hgRi","title":"RunZero","pathname":"/netofuse/modules/runzero","siteSpaceId":"sitesp_pz8oP","description":"About The RunZero NetoFuse module provides enriched asset context to Netography Fusion from the RunZero Cyber Asset Attack Surface Management platform. 
It connects to the RunZero API to retrieve asset","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"6gSDNLbeDVDmMXKHk07N","title":"Tanium","pathname":"/netofuse/modules/tanium","siteSpaceId":"sitesp_pz8oP","description":"About The Tanium NetoFuse module provides enriched asset context to Netography Fusion from Tanium. It connects to the Tanium GraphQL API to retrieve asset information and then uploads it as Context La","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"bQPpzj4fsv5GaxGlc0Kn","title":"Tenable","pathname":"/netofuse/modules/tenable","siteSpaceId":"sitesp_pz8oP","description":"About The Tenable Vulnerability Management NetoFuse module provides enriched asset context to Netography Fusion from Tenable Vulnerability Management. It connects to the Tenable API to retrieve asset,","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"ipNaAGUJfX4oeqPd6Ips","title":"Wiz","pathname":"/netofuse/modules/wiz2","siteSpaceId":"sitesp_pz8oP","description":"Enrich asset context with vulnerability, network exposure, and issue data from the Wiz cloud security platform","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"ci19T75sg914mBgYAkS0","title":"Custom Modules","pathname":"/netofuse/modules/custom-modules","siteSpaceId":"sitesp_pz8oP","description":"If you can get a file into a CSV or JSON format to disk from a data source, then using the Local File Module is the easiest way to integrate it with NetoFuse. 
To connect directly to APIs and more adva","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"},{"label":"NetoFuse Modules"}]},{"id":"w8VdtAgEwizkug7LPVcp","title":"Configure NetoFuse","pathname":"/netofuse/configure","siteSpaceId":"sitesp_pz8oP","description":"Using the default configuration The Getting Started &gt; Launch section provides the basic configuration steps to run a NetoFuse module. Where configuration is set NetoFuse reads configurations in the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"EAot02e1YE5HPd9kqRuI","title":"NetoFuse CLI","pathname":"/netofuse/shell-commands","siteSpaceId":"sitesp_pz8oP","description":"Using the CLI netofuse is a shell script that constructs a docker run command to execute commands in the container image if you are using the container deployment and have run the Docker host setup sc","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"CnDAdPOCI3xlR7QNqAns","title":"NetoFuse Context Transforms","pathname":"/netofuse/context-transforms","siteSpaceId":"sitesp_pz8oP","description":"About Context transform configurations define how the field names and values from a NetoFuse module are modified before being sent to Netography Fusion as context label names and values. Default value","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"yPEh5KfMs3KejnlOhCT9","title":"Security Considerations","pathname":"/netofuse/security-considerations","siteSpaceId":"sitesp_pz8oP","description":"Overview NetoFuse has API access to Netography Fusion to upload context labels and to the 3rd party product modules you are using to retrieve asset information. 
A threat actor that gains access to the","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"Netofuse"}]},{"id":"eap0WBaMjZw7xvpWuDzE","title":"About NetoDNS","pathname":"/netodns/about-netodns","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"Xmp8feQki4yLfI34kBN4","title":"Configure NetoDNS","pathname":"/netodns/configure-netodns","siteSpaceId":"sitesp_pz8oP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"LrR4tU6nh6q2R0En9zeB","title":"Install NetoDNS (container)","pathname":"/netodns/install-netodns-container","siteSpaceId":"sitesp_pz8oP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"aCMLRRyWtWQUiIXi7Ef4","title":"Install NetoDNS (Linux package)","pathname":"/netodns/install-netodns-linux-package","siteSpaceId":"sitesp_pz8oP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"nMJyAgKPb9S4oHi4LQeV","title":"Reading statistics from NetoDNS API","pathname":"/netodns/reading-statistics-from-netodns-api","siteSpaceId":"sitesp_pz8oP","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"HbrYqgaqWr2ttYxu6R6l","title":"Security Considerations","pathname":"/netodns/security-considerations","siteSpaceId":"sitesp_pz8oP","description":"","breadcrumbs":[{"label":"Docs","icon":"book-open"},{"label":"NetoDNS"}]},{"id":"LpXLLtFCfTFDEUVJbQhh","title":"API Recipes","pathname":"/api-recipes","siteSpaceId":"sitesp_jxDKu","breadcrumbs":[{"label":"API Recipes","icon":"flask"}]},{"id":"sUsExkwLlOw0PgjFQx9g","title":"curl: Authenticate to API using NETOSECRET","pathname":"/api-recipes/recipes/curl-authenticate-to-api-using-netosecret","siteSpaceId":"sitesp_jxDKu","description":"Shell script that takes a NETOSECRET API key, builds a JWT request token, authenticates to the Fusion API, and output the bearer token to use in subsequent API calls.","breadcrumbs":[{"label":"API 
Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"FSObPFDNHRbjB8u3Qhyq","title":"NetoAPI Python class to create traffic sources in Fusion","pathname":"/api-recipes/recipes/netoapi-python-class-to-create-traffic-sources-in-fusion","siteSpaceId":"sitesp_jxDKu","description":"","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"KBFv2kpt3ORmDpyv2DVK","title":"Retrieve a list of source IP addresses from the blocklist with the API","pathname":"/api-recipes/recipes/retrieve-a-list-of-source-ip-addresses-from-the-blocklist-with-the-api","siteSpaceId":"sitesp_jxDKu","description":"An example of how to authenticate and then use the API to retrieve values from the blocklist.","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"0t0NXdemaH5yqGuXZhZ3","title":"Bulk add IP labels (php)","pathname":"/api-recipes/recipes/bulk-add-ip-labels-php","siteSpaceId":"sitesp_jxDKu","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"4CqrKva40fjQm2iCVOXx","title":"Authenticate to the API","pathname":"/api-recipes/recipes/authenticate-to-the-api","siteSpaceId":"sitesp_jxDKu","description":"Create a JWT request token and authenticate to the API with it, returning a JWT bearer token. Store the bearer token to a file.","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"yVAvWe597FzKm4DNDhAK","title":"Create a JWT request token","pathname":"/api-recipes/recipes/create-a-jwt-request-token","siteSpaceId":"sitesp_jxDKu","description":"This simple recipe demonstrates how to encode a JWT request token and output it. 
The output can be used as the string to pass in the jwt params in the HTTP POST to /auth/token","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"lXpLCPKX7M6OY7vbE87e","title":"Sanitize context label values","pathname":"/api-recipes/recipes/sanitize-context-label-values","siteSpaceId":"sitesp_jxDKu","description":"Python code example of how to ensure invalid characters are not part of a context label value being sent to the context labels API.","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"oGQw4PySq0GlvQIMcZo4","title":"netosecret.py - Python class and CLI","pathname":"/api-recipes/recipes/netosecret.py-python-class-and-cli","siteSpaceId":"sitesp_jxDKu","description":"Python containing the NetoSecret class to encode and decode a netosecret string and a CLI to interact with the secret on command line.","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"Izipisohav2LL6I7xuxO","title":"netosecret.sh - bash script CLI","pathname":"/api-recipes/recipes/netosecret.sh-bash-script-cli","siteSpaceId":"sitesp_jxDKu","description":"Bash shell script to encode and decode netosecret","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"OPpAYRlLzkdBCg3PGaGP","title":"Create a Traffic Source in Python","pathname":"/api-recipes/recipes/create-a-traffic-source-in-python","siteSpaceId":"sitesp_jxDKu","description":"","breadcrumbs":[{"label":"API Recipes","icon":"flask"},{"label":"Recipes"}]},{"id":"AOZhES1njomSz2VvviX2","title":"API Overview","pathname":"/api-reference","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"}]},{"id":"nyljo4rBGWFt04Sv8lCH","title":"API Recipes","pathname":"/api-reference/api-recipes","siteSpaceId":"sitesp_RP7LR","breadcrumbs":[{"label":"API Reference","icon":"code-simple"}]},{"id":"oUAdLe0KB7ti2GSQQS1I","title":"Create a Netography API 
Key","pathname":"/api-reference/create-a-netography-api-key","siteSpaceId":"sitesp_RP7LR","breadcrumbs":[{"label":"API Reference","icon":"code-simple"}]},{"id":"395166dcd70e622e0655d275d4166cd24b177db0","title":"Authentication","pathname":"/api-reference/netography-apis/authentication","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"e27f956db5c2d83ae053c6404941403b6cbb75b7","title":"Analytics","pathname":"/api-reference/netography-apis/analytics","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"47647c49bdf879b4337890d48587e2a3ace18c2c","title":"Raw Records   Search","pathname":"/api-reference/netography-apis/raw-records-search","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"b2d2bf7ef1eae72984c5dde9ca4046a33530b966","title":"Raw Records   Fetch","pathname":"/api-reference/netography-apis/raw-records-fetch","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"5267327d81f72d672f4531238abb5c328e9583f6","title":"Block List","pathname":"/api-reference/netography-apis/block-list","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"172f99ff8ad9972ae0f885d67f2b6508252a4c49","title":"Intelligence","pathname":"/api-reference/netography-apis/intelligence","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"9a59352740480ca0382c35afe3f5922e26d71709","title":"Labels   IPs","pathname":"/api-reference/netography-apis/labels-ips","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API 
Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"c76313b70e8d7751261041d2c09689fd3cd594bd","title":"Labels   Ports","pathname":"/api-reference/netography-apis/labels-ports","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"dd5813ee5a6921e99fec0992c39fbb847ce18f1b","title":"Configuration","pathname":"/api-reference/netography-apis/configuration","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"90166c01d350747604720c12706e6a21fa812ae7","title":"Detect and Respond   Detection Categories","pathname":"/api-reference/netography-apis/detect-and-respond-detection-categories","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"833c2ba58623791854bb8e27a30acee12806c3b6","title":"Detect and Respond   Traffic Detection Models","pathname":"/api-reference/netography-apis/detect-and-respond-traffic-detection-models","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"fff20c3ea5aa9a1aa76d0f6e556ed6960a11d65a","title":"Detect and Respond   Context Creation Models","pathname":"/api-reference/netography-apis/detect-and-respond-context-creation-models","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"05621cf69167effa9908a6db91116e3ee82ad5ff","title":"Detect and Respond   Response Policies","pathname":"/api-reference/netography-apis/detect-and-respond-response-policies","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"561c984ab75c762f86b4d1f0f7756f310c3387b0","title":"Detect and Respond   Threshold 
Overrides","pathname":"/api-reference/netography-apis/detect-and-respond-threshold-overrides","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"23b81a1ab1cc6eb33b87a6b298d9d9f813db28aa","title":"Traffic Sources   Devices","pathname":"/api-reference/netography-apis/traffic-sources-devices","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"698f448f985e3a302e22c426b4c71ea89b0f6c06","title":"Traffic Sources   DNS Devices","pathname":"/api-reference/netography-apis/traffic-sources-dns-devices","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"1918873ab1570b303168b56405d170136b0252e8","title":"Traffic Sources   VPCs","pathname":"/api-reference/netography-apis/traffic-sources-vpcs","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"7dcbe87ebc0073827759f91c72de76f603c5fa56","title":"Integrations   Context","pathname":"/api-reference/netography-apis/integrations-context","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"f70970afab81721ab3ffa8037cc59766d6108759","title":"Integrations   Response","pathname":"/api-reference/netography-apis/integrations-response","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"649cce1a6890af729bc22dceb2bf14614d047eda","title":"Tags","pathname":"/api-reference/netography-apis/tags","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography 
APIs"}]},{"id":"f06eaeff2b14feda11d6a59575822f9912eb3144","title":"Roles","pathname":"/api-reference/netography-apis/roles","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"edca9f4308ca7f3331fef035913d22b7bf60512c","title":"Users","pathname":"/api-reference/netography-apis/users","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"7cb8470c155d35327099687e14af8454493dc9a0","title":"API Keys","pathname":"/api-reference/netography-apis/api-keys","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"48cd02eeab052f352ec20f55dcdb2d69268f0504","title":"Resellers","pathname":"/api-reference/netography-apis/resellers","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"890f77c0380c15df0e05bca31a914f20a47fb30e","title":"Settings   Traffic Classification","pathname":"/api-reference/netography-apis/settings-traffic-classification","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"e8badfda0b9c047ae6c626b330b867a82cf1fb49","title":"Settings   Security","pathname":"/api-reference/netography-apis/settings-security","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"ca2cb0b918a86587912574e0a30385690446dffa","title":"Auto Thresholds","pathname":"/api-reference/netography-apis/auto-thresholds","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"869560daef9bf18ef523ba1a3234ab89d35af914","title":"MITRE 
ATT&CK","pathname":"/api-reference/netography-apis/mitre-att-and-ck","siteSpaceId":"sitesp_RP7LR","description":"","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"9d9a80a91f7eac740df2a36641344b1a93ab6cb5","title":"Models","pathname":"/api-reference/netography-apis/models","siteSpaceId":"sitesp_RP7LR","breadcrumbs":[{"label":"API Reference","icon":"code-simple"},{"label":"Netography APIs"}]},{"id":"AiGSrxfR0K6u5oy4k918","title":"Release Notes","pathname":"/release-notes","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"}]},{"id":"MhF5RSMgK58dUxipcO7M","title":"July 9, 2025","pathname":"/release-notes/2025/july-9-2025","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"4zHb3nwdRQ1Yk4d5182b","title":"May 20, 2025","pathname":"/release-notes/2025/may-20-2025","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"OVnTSNgjM4OMloppkXmV","title":"April 15, 2025","pathname":"/release-notes/2025/april-15-2025","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"RSeWIDsQ2qgZCWVrfIjB","title":"March 25, 2025","pathname":"/release-notes/2025/march-25-2025","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"IapHT0Ffxt7Mfkcshztu","title":"February 18, 2025","pathname":"/release-notes/2025/february-18-2025","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"XN2wzzMrFLoA0RnT8HS3","title":"January 21, 2025","pathname":"/release-notes/2025/january-21-2025","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2025"}]},{"id":"6ZKzg6OnWHMEmhxgWnvW","title":"December 17, 
2024","pathname":"/release-notes/2024/december-17-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"VW6xkRqErjuJe0gI9ZRo","title":"November 19, 2024","pathname":"/release-notes/2024/november-19-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"PgZPI7ONAskwIjr9XpjF","title":"October 16, 2024","pathname":"/release-notes/2024/october-16-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"naX7ShnxJV84dkffU0TJ","title":"October 8, 2024","pathname":"/release-notes/2024/october-8-2024","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"308lzmi5fFTyqX8EAWWm","title":"August 20, 2024","pathname":"/release-notes/2024/august-20-2024","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"jvCfusTGTw1AiKR6py2e","title":"July 26, 2024","pathname":"/release-notes/2024/july-26-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"q3rnt0O7ykMpuDAYJ35X","title":"June 27, 2024","pathname":"/release-notes/2024/june-27-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"DfroR3lTZADGTJCIg3tY","title":"June 18, 2024","pathname":"/release-notes/2024/june-18-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"gM81TXHvijN1eoUMTpVa","title":"May 21, 2024","pathname":"/release-notes/2024/may-21-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"jMnYIVw8GGqohn0bnSNJ","title":"April 16, 
2024","pathname":"/release-notes/2024/april-16-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"JV2JvdiRHZYrBugwTCM8","title":"March 19, 2024","pathname":"/release-notes/2024/march-19-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"IJKGbYBK0VBigH4zCFje","title":"February 26, 2024","pathname":"/release-notes/2024/february-26-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"h2BHiuUNs1NZwNhsXGHe","title":"January 16, 2024","pathname":"/release-notes/2024/january-16-2024","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2024"}]},{"id":"6p8DkyRD5io7Jvq9fwxu","title":"December 19, 2023","pathname":"/release-notes/2023/december-19-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"oUwC2nqpm4ev9duNh9QH","title":"November 21, 2023","pathname":"/release-notes/2023/november-21-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"8BMSR1ZL3SW6ppe4UU43","title":"October 17, 2023","pathname":"/release-notes/2023/october-17-2023","siteSpaceId":"sitesp_c1fFG","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"ACkrL4H8RO92n0oztRo8","title":"August 24, 2023","pathname":"/release-notes/2023/august-24-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"aiEsjXwGLN4mpD9XKrx4","title":"July 20, 2023","pathname":"/release-notes/2023/july-20-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"OoAl0ZsNbrt3DFkWujWj","title":"June 21, 
2023","pathname":"/release-notes/2023/june-21-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"7ttM93Xq1Wv2DygD3ENW","title":"June 13, 2023","pathname":"/release-notes/2023/june-13-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"mswc0ywimc3gZLDCDhmX","title":"May 19, 2023","pathname":"/release-notes/2023/may-19-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"X4H253KVX0GogjcoM2rq","title":"May 2, 2023","pathname":"/release-notes/2023/may-2-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"5HE4JUWco61cbPLgBDoW","title":"March 21, 2023","pathname":"/release-notes/2023/march-21-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"M1Q8tWtOKSgbaItLPHcz","title":"February 7, 2023","pathname":"/release-notes/2023/february-7-2023","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2023"}]},{"id":"zQarmHPVAqiXAU5D65nV","title":"November 21, 2022","pathname":"/release-notes/2022/november-21-2022","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2022"}]},{"id":"iMr9IEPJKYeCbYGaiIXJ","title":"October 31, 2022","pathname":"/release-notes/2022/october-31-2022","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2022"}]},{"id":"BTjbp54tqpLy1kU9Ufvl","title":"September 21, 2022","pathname":"/release-notes/2022/september-21-2022","siteSpaceId":"sitesp_c1fFG","description":"","breadcrumbs":[{"label":"Release Notes","icon":"bullhorn"},{"label":"2022"}]}]}