-- NAME: NDR - Devices generating most network traffic -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the top 100 talkers on a network. -- Fields are ip: the private IP address of the machine, total_bytes: the total number of bytes sent...

-- NAME: NDR - Protocol Report -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying protocols used and how often -- NOTE: avg_pcr is the Producer Consumer Ratio (PCR) (-1 Pure Push to +1 Pure Pull) -- NOTE: mac_addresses is a list of the top...

-- NAME: NDR - Top 100 most trafficked hostnames -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the top 100 most trafficked hostnames by traffic volume -- SOURCE: Data Lake -- VARIABLE $$Destination IP Address$$ IP ADDRESS -- VARIABLE...

-- NAME: NDR - Top Clusters -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the clusters with the most traffic in bytes. -- A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol...

-- NAME: NDR -Mac IP Hostname Correlation -- CATEGORY: NDR -- DESCRIPTION: Source Mac IP and Hostname Correlation based on MDNS and NetBIOS -- NOTE: This includes hostname information extracted from the flow data where available. -- If no web_hostname...

-- NAME: NDR - Raw record data -- CATEGORY: NDR -- DESCRIPTION: Display all fields for the NDR Detection or Report record. -- NOTE the interesting bits are in the 'raw' field. It is a JSON structure. -- The 'mapped_raw' is an array structure of...