Labels

Labels in Netography were previously user defined unique names associated with an IP address or protocol/port displayed throughout the portal as 1-to-1 relationships. There are now many use-cases to categorize the IP addresses in your infrastructure resources by applying unique names to individual IP addresses and applying additional labels beyond a name value. 

In addition to visually differentiating IP addresses in the Netography portal, labels can be used in NQL and Analytics calls for search/filtering aggregate statistics, defining custom alerting conditions, and much more granularity use cases for threat hunting and detection models.

New changes

• Multiple labels can be created for a single IP address within Netography.
• The Netography portal can now display multiple labels for an IP in the new Label Tray. When an IP is selected, you have the option to “View Labels” which will display all contexts and labels
• Labels now support the concept of “context” as a way to give labels structure. The format is:

label.IP.context = value. Where context and value are definable.

• Individual IP addresses can support multiple contexts.
• Each context can support multiple values for each context.
• Context integrations: Users can now configure Netography to automatically poll data such as cloud provider, compute resource information(OS type, CPU cores, memory size), and subnet information, importing these values into the Netography system as labels.
• Labels can automatically be updated with the above context integrations.

🚧

The name context is treated differently than other contexts, as this context used in Netography Fusion charts and tables whereas other contexts are not.

Differences from flow tags

Labels in Netography are set of values applied to an IP address or Port number. The Fusion portal will only display the current set of label values for an IP and does not maintain a historical record of label values. Flow tags, on the other hand, are values that are applied to the flows between Source IP / Source Port to Destination IP / Destination Port pairs and are stored within each matching flow record that Netography stores. As such, there is a historical record of the tag value that was applied when the flow record was stored. Names only are supported in flow tags, a context structure is not supported.

IP labels

Creating IP labels

From the left hand pane, go to SETUP → click Labels → select IP Labels and click ADD LABEL, as shown below:

The following fields are required in order to successfully create IP labels within Netography:

• IP Address: Specify the target and unique address of the device or resource within your network.
• Context: Define the context for your label, The context value is a mechanism to logically group together types of labels, to make sense of the labels you apply to the IP addresses in your infrastructure. This can be types of information such as; department, security_policy, hostname, cloud_provider, etc. You can create a new context value or use an existing value from the drop down menu.

🚧

Context name characters must be [A-Za-z0-9_-]

• Labels: Apply the Label value(s) for the given Context. For instance, a context value of “department” might have values of: finance, accounting, and receivables. While the same IP address could also have a context value of “location” with the associated label value of: Minneapolis.

🚧

Label value characters must be [^a-zA-Z0-9 ._/\\-#~:()]

When you finish typing your label, select the Create option that appears underneath the drop box to create and save the first label. You can repeat this for creating multiple labels. 

Port labels

Creating port labels

Port labels in Netography will differ from IP label creation, as they will have the common protocol types and port values mapped to your created port labels.

While in the same screen as above, you can select the Port Labels tab on right next to the IP Labels tab to start creating your port labels.

The following fields are required in order to successfully create portal labels within Netography:

• Port: Specify the port number of the device or resource within your network.

• Protocol: Specify the protocol type associated to your port number by selecting the appropriate value from the dropdown. 

• Label: You can define the context for your port label, such as categorizing dhcp, calling out cloud provider, etc. You are also able to create multiple labels using the same creation steps in the IP label section earlier.

  • 

Label Usage Notes:

1. Custom Context Names (i.e one NOT automatically polled via an integration) must be unique from any that are being polled or will be polled in the future via a Context Integration. If you receive an error creating a custom context, please choose a different context name.
2. Both Contexts and Label Values are restricted to the following character set: a-z , A-Z , 0-9 ,” “ (space), “_” (underscore) ,”-” (dash), and “.” (dot/period)
3. The CSV format for both “CSV via S3” integration and portal CSV bulk upload is as follows:

IP1,Context1,Label1,Label2

IP1,Context2,Label1,Label2

IP2,Context3,Label1,Label2

🚧

The combination of IP and Context should be unique per line in the file

API for Labels

To view how label creation and modification works on our API, please visit the following:

• IP Labels for more API information on IP labels.
• Port Labels for more API information on Port labels.
• API Overview for more general API information.