Understanding Detection Models

Detection Models are designed to detect and alert you to potential threats, malicious activity, or unwanted traffic on a network. Detection Models use the Netography Query Language (NQL) within Netography Fusion to analyze network traffic patterns and identify anomalies that may indicate a security event. Detection Models offer valuable insights into network activity, enabling organizations to quickly identify and respond to potential threats, ultimately enhancing their overall network security posture.

Detection models create events when thresholds set in the model are exceeded.

To get started understanding Detection Models in Fusion, see: Quickstart: Detections & Events

Context Creation Models

The Detection Model page also displays a second type of model - a Context Creation Model. A context creation model functions exactly like a detection model, except that when it triggers it creates a context label instead of an event in Fusion; the label is then assigned to the IP(s) associated with the model.

As an advanced use case feature, you may wish to discuss building and using context creation models with Netography Support before implementing on your own.

Detection Models Table

The Detection Models table can be viewed by selecting Detection Models in the left-hand menu. It consists of the following columns:

Checked/Unchecked: This column allows you to select one or multiple Detection Models to apply changes to them simultaneously.

Name/Desc: This column displays the name and description of each Detection Model. To learn more about the detection model, click its name to be redirected to the Netography help documents. A new page will open and display the detection model and details related to it.

Categories: This drop-down provides the detection categories to choose from. Selecting a category filters the Detection Models by the chosen category.

NQL Search: This NQL search field allows you to filter Detection Models based on the type of flow they are built for.

Thresholds: This drop-down provides three options to choose from: All, Medium, and High. Selecting a threshold filters the Detection Models by the chosen threshold level.

Track: This column lists the fields in the traffic record by which the model's threshold values are tracked.

Enabled: This drop-down provides three options: All, Enabled, or Disabled. Selecting an option filters the Detection Models by their enabled status.

At the far left of each row, an ellipsis icon allows you to edit the settings and view audit log entries of each Detection Model. You can make a copy of any detection model by selecting Create as new to customize a detection model to your specific needs.
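The following Python script is an added illustration of the two ideas described above: a model that tracks a threshold by fields of the traffic record (the Track column) and raises an event when the threshold is exceeded, and a context creation model that, on the same trigger, assigns a label to the associated IP(s) instead. It is not Netography's evaluation engine and does not reproduce NQL; the flow records, field names (srcip, dstip, dstport, protocol), the "exceeds" comparison and the distinct-value option are all assumptions made for the example. A plain Python predicate stands in for the model's NQL filter.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample flow records; field names are illustrative, not Netography's schema.
FLOWS = [
    {"srcip": "10.0.0.5", "dstip": "10.0.1.20", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.5", "dstip": "10.0.1.21", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.5", "dstip": "10.0.1.22", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.5", "dstip": "10.0.1.23", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.9", "dstip": "10.0.1.20", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.9", "dstip": "10.0.1.20", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.9", "dstip": "10.0.1.20", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.9", "dstip": "10.0.1.20", "dstport": 22, "protocol": "tcp"},
    {"srcip": "10.0.0.7", "dstip": "10.0.1.30", "dstport": 53, "protocol": "udp"},
]


@dataclass
class Model:
    """Hypothetical model definition (assumption: not Netography's schema)."""
    name: str
    match: Callable[[dict], bool]   # stands in for the model's NQL filter
    track: tuple                    # traffic-record fields the threshold is tracked by
    threshold: int                  # model triggers when the measured value exceeds this
    distinct: Optional[str] = None  # if set, measure distinct values of this field per tracked key
    kind: str = "detection"         # "detection" -> event, "context" -> context label
    label: str = ""                 # label assigned by a context creation model


def measure(model: Model, flows: list) -> dict:
    """Return {tracked key: measured value} over the flows the model's filter selects."""
    seen = defaultdict(set)
    counts = defaultdict(int)
    for rec in flows:
        if not model.match(rec):
            continue
        key = tuple(rec[f] for f in model.track)
        if model.distinct:
            seen[key].add(rec[model.distinct])
        else:
            counts[key] += 1
    if model.distinct:
        return {k: len(v) for k, v in seen.items()}
    return dict(counts)


def evaluate(model: Model, flows: list):
    """Apply the threshold: detection models yield events, context models yield labels."""
    events, labels = [], defaultdict(set)
    for key, value in measure(model, flows).items():
        if value <= model.threshold:
            continue
        tracked = dict(zip(model.track, key))
        if model.kind == "context":
            # Assign the label to the IP(s) in the tracked key (fields named *ip).
            for field_name, field_value in tracked.items():
                if field_name.endswith("ip"):
                    labels[field_value].add(model.label)
        else:
            events.append({"model": model.name, "track": tracked, "value": value})
    return events, dict(labels)


# A detection model: flag a source talking to more than 3 distinct hosts on tcp/22.
SSH_FANOUT = Model(
    name="ssh-fanout",
    match=lambda r: r["protocol"] == "tcp" and r["dstport"] == 22,
    track=("srcip",), threshold=3, distinct="dstip",
)

# The same logic as a context creation model: label the source instead of raising an event.
SSH_SCANNER_LABEL = Model(
    name="ssh-scanner-label", match=SSH_FANOUT.match,
    track=("srcip",), threshold=3, distinct="dstip",
    kind="context", label="ssh-scanner",
)

if __name__ == "__main__":
    print(evaluate(SSH_FANOUT, FLOWS))
    print(evaluate(SSH_SCANNER_LABEL, FLOWS))
```

Note the role of the distinct-value option: 10.0.0.9 also has four tcp/22 flows, but all to one host, so a model that simply counts flows per srcip would flag both sources while the distinct-destination model flags only 10.0.0.5. Choosing which field the threshold is measured on is as important as the threshold value itself when tuning a model.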

Adding a Detection Model

To add a detection model or context creation model, see: Add Detection Models.