Add Detection Models

This tutorial will guide you through the process of adding a new Detection Model (DM) or Context Model (CM) in the Netography Fusion Platform. Network Detection Models monitor network traffic and generate alerts when specific conditions are met. Context Creation Models assign labels to data that match certain conditions. The configuration for each will differ based on their unique roles and purposes in network data analysis.

Add Network Detection Models

Step 1: Access Detection Models

In the Netography Fusion Platform interface, locate the Network Models option in the left-hand menu under the DETECTION section.

Step 2: Add a New Network Detection Model

In the Network Detection Models screen, click the ADD DETECTION MODEL button located in the top right corner. This will open the 'Add Detection Model' configuration window.

Step 3: Configure the New Network Detection Model

Fill out the necessary fields and options to configure your new Detection Model:

  • Name: Enter a unique name for your Detection Model.
  • Description: Provide a brief description of the Detection Model's purpose and function.
  • Categories: Select one or more categories from the drop-down menu, including system options and any custom categories you've created.
  • Enable/Disable Toggle: Toggle the switch to enable or disable the Detection Model.
  • Hide Events Toggle: Enable or disable the hiding of events related to this Detection Model in the portal and API.
  • Bypass Policies Toggle: Enable or disable the bypassing of policies and integrations for alerts generated by this Detection Model.
  • NQL Search: Select a flow type from the drop-down menu, including 'All', cloud provider-specific flow types, 'Netflow', and 'sFlow'.
  • NQL Expression Builder: Use the company and system presets available to build your NQL expression, or create a custom expression based on your requirements.
  • Rollup Period: Enter a numeric value between 1 and 3600 seconds (max 1 hour) to define the rollup period for this Detection Model.
  • Thresholds: Configure two thresholds for the Detection Model by selecting a severity level ('Low', 'Medium', or 'High') and creating an NQL expression for each.
  • Track By Fields: Select one or more fields from the drop-down menu, choosing from the list of current Track values used by available Detection Models.
  • Discards: Use NQL statements to discard specific data combinations without disabling the Detection Model.
  • Update Interval: Enter a numeric value between 1 and 21600 seconds (max 6 hours) to set the update interval for this Detection Model.

Step 4: Save Your New Network Detection Model

After configuring the new Detection Model, click the CREATE button to add it to your Detection Models list. The new Detection Model will now be active and ready to generate alerts based on the specified conditions.
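The following sketch is an added illustration, not Netography code and not the platform's API. It checks a model definition against the limits listed in Step 3 and shows how Rollup Period, Track By, Thresholds and Discards combine over constructed flow records. The field names are hypothetical, Python predicates stand in for NQL, and the aggregation semantics (sum per rollup window per Track By key, highest matching severity wins) are an assumption.

```python
from collections import defaultdict

SEVERITIES = ("low", "medium", "high")   # severity levels listed in Step 3

def validate(model):
    """Check a definition against the limits in the field list; return problems."""
    errors = []
    if not model["name"].strip():
        errors.append("name is required")
    if not 1 <= model["rollup_period"] <= 3600:
        errors.append("rollup_period must be 1-3600")
    if not 1 <= model["update_interval"] <= 21600:
        errors.append("update_interval must be 1-21600")
    if len(model["thresholds"]) != 2:
        errors.append("exactly two thresholds expected")
    if any(sev not in SEVERITIES for sev, _ in model["thresholds"]):
        errors.append("unknown severity")
    if not model["track_by"]:
        errors.append("track_by needs at least one field")
    return errors

def evaluate(model, flows):
    """Assumed semantics: filter, discard, sum bits per (window, track-by key), grade."""
    totals = defaultdict(int)
    for f in flows:
        if not model["search"](f) or any(d(f) for d in model["discards"]):
            continue
        window = f["ts"] // model["rollup_period"]
        totals[(window, *(f[k] for k in model["track_by"]))] += f["bits"]
    alerts = []
    for key, bits in sorted(totals.items()):
        hits = [sev for sev, over in model["thresholds"] if over(bits)]
        if hits:
            alerts.append((key, max(hits, key=SEVERITIES.index)))
    return alerts

# Constructed model: hypothetical field names, lambdas in place of NQL.
MODEL = {
    "name": "ssh-volume-example", "rollup_period": 60, "update_interval": 300,
    "search": lambda f: f["dstport"] == 22,
    "discards": [lambda f: f["srcip"] == "10.0.0.5"],   # known backup host
    "track_by": ["dstip"],
    "thresholds": [("medium", lambda b: b > 1_000_000),
                   ("high", lambda b: b > 5_000_000)],
}
# Constructed flow records (ts in seconds, assumed to match the rollup unit).
FLOWS = [
    {"ts": 0, "srcip": "10.0.0.9", "dstip": "10.0.1.1", "dstport": 22, "bits": 600_000},
    {"ts": 30, "srcip": "10.0.0.8", "dstip": "10.0.1.1", "dstport": 22, "bits": 700_000},
    {"ts": 45, "srcip": "10.0.0.5", "dstip": "10.0.1.1", "dstport": 22, "bits": 9_000_000},
    {"ts": 70, "srcip": "10.0.0.9", "dstip": "10.0.1.2", "dstport": 22, "bits": 6_000_000},
    {"ts": 80, "srcip": "10.0.0.9", "dstip": "10.0.1.2", "dstport": 443, "bits": 9_000_000},
]
```

Removing the discard entry raises the first window for 10.0.1.1 from medium to high, which is the kind of noise a Discard suppresses without disabling the whole model.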

Add Context Creation Models

Step 1: Access Context Models

In the Netography Fusion Platform interface, locate the Context Models option in the left-hand menu under the DETECTION section.

Step 2: Add a New Context Model

In the Network Detection Models screen, click the ADD DETECTION MODEL button located in the top right corner. This will open the 'Add Detection Model' configuration window.

Step 3: Configure the New Context Model

Fill out the necessary fields and options to configure your new Context Model:

  • Name: Enter a unique name for your Context Model.
  • Description: Provide a brief description of the Context Model's purpose and function.
  • Enable/Disable Toggle: Toggle the switch to enable or disable the Context Model.
  • NQL Search: Select a flow type from the drop-down menu, including 'All', cloud provider-specific flow types, 'Netflow', and 'sFlow'.
  • NQL Expression Builder: Use the company and system presets available to build your NQL expression, or create a custom expression based on your requirements.
  • Rollup Period: Enter a numeric value between 1 and 3600 seconds (max 1 hour) to define the rollup period for this Context Model.
  • Thresholds: Configure two thresholds for the Context Model by selecting a severity level ('Low', 'Medium', or 'High') and creating an NQL expression for each.
  • Track By Fields: Select one or more fields from the drop-down menu, choosing from the list of current Track values used by available Context Models.
  • Context Labels: Add new Context and Label values, or select existing values from the drop-down, to be used in your Context Model.
  • Discards: Use NQL statements to discard specific data combinations without disabling the Context Model.

Step 4: Save Your New Context Creation Model

After configuring the new Context Model, click the CREATE button to add it to your Detection Models list. The new Context Model will now be active and ready to generate alerts based on the specified conditions.

📘 You can also create a new Detection Model from existing DMs by clicking the 'Create As New' option in the right side ellipsis of an existing DM.

❗️ While system DMs can be edited, the Name, Description, and Categories of a system DM cannot be changed.