Detection Models Overview

Detection Models are designed to detect and alert you to potential threats, malicious activity, or unwanted traffic on a network. Detection Models use the Netography Query Language (NQL) within Netography Fusion to analyze network traffic patterns and identify anomalies that may indicate a security event. Detection Models offer valuable insights into network activity, enabling organizations to quickly identify and respond to potential threats, ultimately enhancing their overall network security posture.

Detection models create events when thresholds set in the model are exceeded.

• To understand how to use the Events generated by Detection Models in Fusion, see: Quickstart: Events.
• For a short description of all the configuration fields in a Detection Model, see: Detection Model Quick Reference Guide.
• To add a Detection Model or Context Model, see: Adding a Detection Model.

Context Creation Models

The Detection Model page also displays a second type of model - a Context Creation Model. A context creation model functions exactly like a detection model, except when it triggers, instead of creating an event in Fusion, it creates a context label, which is then assigned to the IP(s) associated with the model.

As an advanced use case feature, you may wish to discuss building and using context creation models with Netography Support before implementing on your own.

Detection Models Table

The Detection Models table can be viewed by selecting Detection Models in the left-hand menu. It consists of the following columns, which can be modified by clicking the ≡ (triple bar) in top-left of the table, and filtered by selecting the filter icon (three horizontal lines in an upside-down triangle) that appears on the right-hand side of each column name when you hover your mouse over it.

• ⋯ Click the three horizontal dots to bring up a menu to Edit, Create As New (copy to a new Detection Model and start editing the new one), set Threshold Overrides, view the Raw Record (JSON or tabular form of the complete Detection Model configuration), Delete, or Reset Customization (if applicable).
• Checked/Unchecked: Select one or multiple Detection Models to enable/disable the Detection Models or to enable/disable the Bypass Policies setting (the Policies and Integrations option in the Detection Model configuration). After checking the Detection Models to change, select the Update Selected button and choose the appropriate option.
• ⚙️: The gear icon appears if this is a System Detection Model, indicating it was created by Netography.
• Name / Desc: The name and description of each Detection Model. Clicking the name of the Detection Model in this column will bring up the Property Tray on the right-hand side of the page with documentation in the Info tab and events in the Events tab.
• Categories: Detection Model categories.
• NQL Search: The Flow or DNS traffic types.
• Thresholds: The severity levels that thresholds are set for.
• Track: The Track By Fields configured.
• Type: The type of Detection Model - Detection or Context.
• Enabled: If the Detection Model is enabled. A Detection Model can be enabled or disabled by toggling this radio button.