NDR Reports

ZIP file with 14 queries for NDR

New Live Discover Reports

Report Name / Description / Source

NDR - Devices generating most network traffic
  Description: Detection for identifying the top 100 talkers on a network. Fields are ip: the private IP address of the machine, total_bytes: the total number of bytes sent or received by that ip, avg_pcr_payload: a value that desc
  Source: Data Lake

NDR - Devices generating most network traffic (BARS)
  Description: Detection for identifying the top 100 talkers on a network. Fields are ip: the private IP address of the machine, total_bytes: the total number of bytes sent or received by that ip, avg_pcr_payload: Producer consumer ratio (-1 pure download, 1 pure upload)
  Source: Data Lake

NDR - MAC IP correlation
  Description: Detection for identifying all the IP addresses associated with a given MAC address. Excludes :: and 0.0.0.0. The query also checks for the MAC address in the data lake's XDR data to determine whether the device is managed or not.
  Source: Data Lake

NDR - Number of Monitored Hosts
  Description: Detection for identifying the number of private, public, and unknown hosts being monitored by
  Source: Data Lake

NDR - Protocl Report
  Description: Detection for identifying protocols used and how often. NOTE: avg_pcr is the Producer Consumer Ratio (PCR) (-1 Pure Push to +1 Pure Pull). NOTE: mac_addresses is a list of the top 100 MACs by total bytes in the monitored flows for the protocol.
  Source: Data Lake

NDR - Protocol Report (BARS)
  Description: Detection for identifying protocols used and how often. NOTE: avg_pcr is the Producer Consumer Ratio (PCR) (-1 Pure Push to +1 Pure Pull). NOTE: mac_addresses is a list of the top 100 MACs by total bytes in the monitored flows for the protocol.
  Source: Data Lake

NDR - Raw record data
  Description: Display all fields for the NDR Detection or Report record. NOTE: the interesting bits are in the 'raw' field. It is a JSON structure. The 'mapped_raw' field is an array structure of the same. USE this query to view the raw field so it is easier to buil
  Source: Data Lake

NDR - Top 10 hosts for each protocol seen
  Description: Detection for identifying all used application protocols on the network and the top ten hosts using each.
  Source: Data Lake

NDR - Top 100 most trafficked hostnames
  Description: Detection for identifying the top 100 most trafficked hostnames by traffic volume.
  Source: Data Lake

NDR - Top 100 most trafficked hostnames (BARS)
  Description: Detection for identifying the top 100 most trafficked websites by traffic volume.
  Source: Data Lake

NDR - Top Clusters
  Description: Detection for identifying the clusters with the most traffic in bytes. A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol.
  Source: Data Lake

NDR - Top Clusters (BARS)
  Description: Detection for identifying the clusters with the most traffic in bytes. A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol.
  Source: Data Lake

NDR - Mac IP Hostname Correlation
  Description: Source MAC, IP and hostname correlation based on mDNS and NetBIOS. NOTE: This includes hostname information extracted from the flow data where available. If no web_hostname was identified it will not be in the list.
  Source: Data Lake

NDR Report with last execution time
  Description: List the available NDR reports and the most current report execution time.
  Source: Data Lake

Addresses queries for the following DDE report names:

  • ALL NDR detections (DDE and FLOW based)
    • NDR - Raw record data
    • NDR - Report with last execution time
  • MacIpHostnameCorrelation
    • NDR - Mac IP Hostname Correlation
  • macIpCorrelation
    • NDR - MAC IP correlation
  • numMonitoredHosts
    • NDR - Number of Monitored Hosts
  • protocolCount
    • NDR - Protocl Report
    • NDR - Protocol Report (BARS)
  • topClusters
    • NDR - Top Clusters
    • NDR - Top Clusters (BARS)
  • topEachProtocol
    • NDR - Top 10 hosts for each protocol seen
  • topHostnames
    • NDR - Top 100 most trafficked hostnames
    • NDR - Top 100 most trafficked hostnames (BARS)
  • topTalkers
    • NDR - Devices generating most network traffic
    • NDR - Devices generating most network traffic (BARS)