Network Configuration
Introduction
Network Configuration in AI Detect allows you to manage your networks. A network is a group of interconnected devices, including computers, servers, phones, and routers, that exchange data and resources.
NDR uses this network information to learn and analyze traffic patterns, identify anomalies, and generate notifications of detected threats across your network environment.
Add a New Network
Go to AI Detect from the navigation bar.
Select Network Configuration. This page provides an overview of all networks.
Click Add Network in the top-right corner.
Fill in the five required fields:
Add a Name for the network.
A Rank is the network's priority. Assign a value between 0 and 1000, where 0 is the highest priority and 1000 the lowest. NDR evaluates networks in ascending rank order and assigns a detected host to the first network whose VLAN tag and subnet match, so when subnets overlap the network with the lower rank number wins.
Select a Network Group.
Assign a VLAN (Virtual Local Area Network) tag between -1 and 4095. A tag of 0 restricts the network to untagged traffic only; a tag of -1 includes all traffic regardless of tag; any other value restricts the network to traffic carrying that VLAN ID.
Assign a Subnet in CIDR notation. A subnet is a segment of the network; in '192.168.10.0/24', the /24 prefix length means the first 24 bits identify the network, so the subnet covers 192.168.10.0 through 192.168.10.255.
NDR evaluates subnets starting with the lowest-ranked (highest-priority) networks. Example: Network 1 is 192.168.10.0/24 with Rank 500 and Network 2 is 192.168.0.0/16 with Rank 600. A host with IP 192.168.10.52 falls within both subnets and is assigned to Network 1, which has the lower rank. A host with IP 192.168.11.23 is outside Network 1's subnet, so it is assigned to Network 2. Note that rank is decided before subnet size: if the broader /16 had the lower rank number, it would capture every host in 192.168.0.0/16 and the /24 network would never match.
Click Save.
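The assignment rules above (ascending rank, VLAN tag, subnet match, default group for everything else) as runnable code. This is an added example written for this page, not AI Detect's own implementation: the Network class, the assign and shadowed functions and the network definitions are the author's assumptions, and treating a specific VLAN value as "traffic carrying exactly that tag" is the author's reading of the documented 0 and -1 rules.

```python
"""Host-to-network assignment following the rank, VLAN and subnet rules above.

Added example, not AI Detect's own code: it reproduces the documented rules
(ascending rank, VLAN tag -1 = any tag or none, 0 = untagged only, 1..4095 =
that tag, first matching subnet wins, no match goes to the default group) and
adds a configuration check for networks that can never match. Class, function
and network names are the author's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_GROUP = "default"  # catch-all group for hosts that match no network


@dataclass(frozen=True)
class Network:
    name: str
    rank: int      # 0 = highest priority ... 1000 = lowest
    group: str
    vlan: int      # -1 = any, 0 = untagged only, 1..4095 = exactly that tag
    subnet: str    # CIDR notation

    def __post_init__(self):
        if not 0 <= self.rank <= 1000:
            raise ValueError(f"{self.name}: rank must be 0..1000")
        if not -1 <= self.vlan <= 4095:
            raise ValueError(f"{self.name}: VLAN tag must be -1..4095")
        ipaddress.ip_network(self.subnet)  # strict: host bits must be zero

    def matches(self, ip: str, vlan_tag: Optional[int] = None) -> bool:
        """vlan_tag is None for untagged traffic."""
        if self.vlan == 0:
            vlan_ok = vlan_tag is None
        else:
            vlan_ok = self.vlan == -1 or vlan_tag == self.vlan
        return vlan_ok and ipaddress.ip_address(ip) in ipaddress.ip_network(self.subnet)


def assign(networks, ip, vlan_tag=None):
    """Return (network name, group) for a host: first match in ascending rank.
    sorted() is stable, so equal ranks keep definition order; avoid ties."""
    for net in sorted(networks, key=lambda n: n.rank):
        if net.matches(ip, vlan_tag):
            return net.name, net.group
    return None, DEFAULT_GROUP


def shadowed(networks):
    """Names of networks that can never match, because a higher-priority
    (lower-rank) network with a compatible VLAN setting covers their whole subnet."""
    ordered = sorted(networks, key=lambda n: n.rank)
    out = []
    for i, net in enumerate(ordered):
        sub = ipaddress.ip_network(net.subnet)
        for earlier in ordered[:i]:
            covers = sub.subnet_of(ipaddress.ip_network(earlier.subnet))
            if covers and earlier.vlan in (-1, net.vlan):
                out.append(net.name)
                break
    return out


# Constructed configuration: the page's /24 and /16 example plus two networks
# that share an address range and are told apart only by VLAN tag.
NETWORKS = [
    Network("Guest Wi-Fi", 100, "Guest", 0, "10.20.0.0/16"),      # untagged only
    Network("Servers", 300, "Datacenter", 100, "10.20.0.0/16"),   # VLAN 100 only
    Network("Network 1", 500, "Corp", -1, "192.168.10.0/24"),
    Network("Network 2", 600, "Corp", -1, "192.168.0.0/16"),
]

if __name__ == "__main__":
    for ip, tag in [("192.168.10.52", None), ("192.168.11.23", None),
                    ("10.20.1.5", None), ("10.20.1.5", 100), ("10.20.1.5", 7)]:
        print(ip, tag, "->", assign(NETWORKS, ip, tag))
    print("shadowed:", shadowed(NETWORKS))
```

shadowed() is the check worth running after every configuration change: a broad subnet with a lower rank number than a narrower subnet inside it silently captures every host, and the narrower network is never assigned anything.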
Adding a New Network Group
A Network Group is a set of named networks. Use Network Groups if you have a large number of devices, servers, and systems, or if your network is divided into segments such as Guest Wi-Fi and Public Wi-Fi.
A default network group always exists. Notifications for hosts that match no configured network are placed in it.
A network group should mirror how your network is actually segmented. For example, if you run a separate Guest Wi-Fi network, give it its own network group.
Click Add Network Group in the top-right corner.
Add a name and click Create.
NDR builds a separate traffic model for each network group, because each network generates different kinds and volumes of traffic. If you place a server and its clients in different groups, NDR models them as unrelated entities, which can cause false or missed alerts.
Edit or Delete Networks
Use drag-and-drop to edit or delete any Networks or Network Groups.
Apply Configurations for Older Notifications
Changes to network settings (Rank, VLAN tag, subnet, and so on) apply only to new notifications. To re-evaluate older notifications against the latest configuration, and to catch detections the previous configuration missed, apply it retroactively.
Go to Retroactively Apply From in Network Configuration.
Select the number of days from the drop-down.
Click the checkbox to save the change.
This setting applies to all networks and network groups.
Search Data
Search Data gives detailed visibility into network activity so you can investigate events and verify anomalies. It supports historical analysis of past traffic through two search types, Meta Data and Raw Data. Both operate in real time on data extracted continuously from network traffic.
Meta Data
The Meta Data search allows you to search metadata extracted from network packets.
Basic Search Parameters
Fields: Host, Port, and Type (such as Conn, HTTP, DNS, SSL, and DHCP).
Select the Time Range.
Click 5-Min next to Search to fill in the last five minutes. The Advanced Search field accepts any metadata field listed in a log type's Description Details.
To search metadata, set your parameters and click Search.
In the Description, click the Search icon to view the Description Details. This reveals detailed metadata specific to the log type.
Fields that match your filters will be highlighted, making it easier to identify hits even in unstructured output.
Search Operators
Search operators are special characters that narrow a query to specific results. An operator is written between the search field and the search value. You can combine at most two operators (the ! prefix and one comparison operator). If no operator is given, = is used by default.
Example: Field (Source_IP) + Search Operator (=) + Search Value (192.168.2.1) = Result
Meaning: Search logs where the source IP is the same as 192.168.2.1.
Operator (name): details
! (Not/Negation prefix): Precedes any operator that should be negated, e.g. !~ means "not contained in". Used without a suffix it is shorthand for != in most fields; in a few fields it is invalid syntax.
= (Exact/Full match): The field value must match the search term exactly.
~ (Contains): The field value must contain the search term.
> (Greater than): The field value must be numerically larger than the search term when the field can be interpreted as a number, otherwise lexically larger. Mostly intended for use with resp_bytes, orig_bytes, port, and id.resp_p.
@ (In/Member of): Subnets only. The field value must be a member of the subnet given by the search term.
# (Contained in): The inverse of ~: the field value must be a substring of the search term.
Search Fields
A search result must meet all specified search criteria. Not all fields exist across all event types. Logs that don't contain the specific search field are excluded from the results.
Field (operators): details
Host (= ~ @): Either the originator IP or the responder IP must match the search term. Use @ to search for hosts by CIDR notation.
Port (=): The port used by either the originator or the responder must match the search term.
From (date picker): Start of the search time window. For some events, the matched value is the time the connection opened, so you may need to set From somewhat earlier to get full information on a long-running connection.
To (date picker): End of the search time window. For some events, the matched value is the time the connection opened.
Type (=, dropdown choice): The metadata type to search for. If not set, all types are returned.
Advanced Search (= ~, key-value pairs): Each search term must be accompanied by a search key, for example uri=/hello, where uri is the search key, = is the operator and /hello is the search term. To see the available keys, search without setting this field and click the green "+" icon on a result to see its details. Many keys are type-specific, and using one excludes results of types that do not contain it. Separate multiple key-value pairs with a comma, for example uri=/hello,method=POST.
Option: details
Use Connection Closing Time: Match connections that ended within the window defined by From and To. By default, connections are matched on when they opened.
Search Archived Events: In addition to uncompressed metadata, also traverse archived metadata as part of the search. This may significantly increase how long the search takes.
Search for Process Names: After the main search, run an additional lookup for the process name of each connection and add it to the description where found.
Search examples
Example 1 - search DHCP events to find what IP address(es) was/were assigned a specific MAC at a given time.
Search criteria: Select time window.
Set Type=DHCP.
Set advanced search input: mac = 66:4b:aa:b6:0e:a4
Result:
17:04:02 GMT+0100 MAC=66:4b:aa:b6:0e:a4 Assigned IP=192.168.2.83 Lease time=28800.000000
Example 2 - search DHCP to find what MACs were assigned a specific IP in a time range
Search criteria: Select time window.
Set Type=DHCP.
Set advanced search input: assigned IP = 192.168.2.83
Result:
17:04:02 GMT+0100 MAC=66:4b:aa:b6:0e:a4 Assigned IP=192.168.2.83 Lease time=28800.000000
Example 3 - search HTTP events to find HTTP responses with code 404 not found.
Search criteria: Select time window.
Set Type=HTTP.
Set advanced search: status code=404
Result example:
09:52:24 GMT+0100 GET 192.168.2.36 /nagiosgraph/nagiosgraph.js
Example 4 - search for DNS requests in a specific subnet
Search criteria: Set Type=DNS and, in the Host field, use the @ operator with the subnet in CIDR notation (a /24 in this example).
Result example:
11:06:12 GMT+0100 TTL=300
Answers=80.88.32.1
Query=my.domain.com
Source=192.168.1.100
Destination=8.8.8.8
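The operator and field rules in the tables above, including the four search examples, run as code over a handful of constructed records. This is an added example written for this page, not the product's search engine: the record layout, the Zeek-style field names beyond the id.resp_p the page mentions, and the compare/matches/search function names are the author's assumptions, and the constructed records stand in for real logs.

```python
"""Evaluator for the metadata search operators and fields described above.

Added example, not AI Detect's own search engine. It applies the documented
operator semantics (=, ~, >, @, #, the ! negation prefix, comma-separated
key=value advanced terms, Host and Port matching either endpoint, exclusion
of logs that lack a referenced field) to constructed Zeek-style records.
Record layout and function names are the author's own.
"""
import ipaddress
import re

_OP = r"(![=~>@#]?|[=~>@#])"
_TERM = re.compile(rf"^\s*([\w.]+)\s*{_OP}?\s*(.*?)\s*$")   # key<op>value
_OPVAL = re.compile(rf"^\s*{_OP}?\s*(.*?)\s*$")             # <op>value

def _norm(op):
    """No operator means =; a bare ! is shorthand for !=."""
    op = op or "="
    return "!=" if op == "!" else op

def compare(field_value, op, term):
    """Apply one operator to a field value that is present in the record."""
    negate = op.startswith("!")
    base = op.lstrip("!")
    s = str(field_value)
    if base == "=":
        hit = s == term
    elif base == "~":
        hit = term in s
    elif base == "#":
        hit = s in term                         # inverse of ~
    elif base == ">":
        try:
            hit = float(s) > float(term)        # numeric when both sides parse
        except ValueError:
            hit = s > term                      # otherwise lexical
    elif base == "@":
        hit = ipaddress.ip_address(s) in ipaddress.ip_network(term, strict=False)
    else:
        raise ValueError(f"unknown operator {op!r}")
    return hit != negate

def parse_advanced(advanced):
    """'uri=/hello,method=POST' -> [('uri','=','/hello'), ('method','=','POST')]"""
    terms = []
    for chunk in advanced.split(","):
        if chunk.strip():
            key, op, value = _TERM.match(chunk).groups()
            terms.append((key, _norm(op), value))
    return terms

def matches(record, host=None, port=None, type_=None, advanced=""):
    """Every criterion must hold. A record that lacks a referenced field never
    matches, even under negation: the page says such logs are excluded."""
    if type_ is not None and record.get("type") != type_:
        return False
    if host is not None:
        op, value = _OPVAL.match(host).groups()
        op = _norm(op)
        if op not in ("=", "~", "@"):
            raise ValueError("Host supports only =, ~ and @")
        ends = [record.get("id.orig_h"), record.get("id.resp_h")]
        if not any(e is not None and compare(e, op, value) for e in ends):
            return False
    if port is not None:
        ports = [record.get("id.orig_p"), record.get("id.resp_p")]
        if not any(p is not None and compare(p, "=", str(port)) for p in ports):
            return False
    for key, op, value in parse_advanced(advanced):
        if key not in record or not compare(record[key], op, value):
            return False
    return True

def search(records, **criteria):
    return [r for r in records if matches(r, **criteria)]

def _rec(type_, ts, orig_h, resp_h, orig_p, resp_p, **fields):
    return {"type": type_, "ts": ts, "id.orig_h": orig_h, "id.resp_h": resp_h,
            "id.orig_p": orig_p, "id.resp_p": resp_p, **fields}

# Constructed records loosely modelled on the page's example results.
RECORDS = [
    _rec("http", "09:52:24", "192.168.2.36", "192.168.2.10", 51234, 80,
         method="GET", uri="/nagiosgraph/nagiosgraph.js", status_code=404),
    _rec("http", "09:53:01", "192.168.2.36", "192.168.2.10", 51240, 80,
         method="POST", uri="/hello", status_code=200),
    _rec("dns", "11:06:12", "192.168.1.100", "8.8.8.8", 53422, 53,
         query="my.domain.com", answers="80.88.32.1", TTLs=300),
    _rec("dns", "11:07:30", "192.168.2.50", "8.8.8.8", 53423, 53,
         query="example.org", answers="93.184.216.34", TTLs=3600),
    _rec("conn", "11:08:00", "192.168.2.36", "10.0.0.5", 40000, 443,
         orig_bytes=2048, resp_bytes=1048576),
]

if __name__ == "__main__":
    print(search(RECORDS, type_="http", advanced="status_code=404"))  # example 3
    print(search(RECORDS, type_="dns", host="@192.168.1.0/24"))       # example 4
    print(search(RECORDS, advanced="resp_bytes>1000000"))
```

The exclusion rule matters for negated queries: query!~domain returns only DNS records whose query does not contain "domain", never HTTP or Conn records, because those have no query field at all. Likewise resp_bytes>1000000 silently drops every type that does not carry resp_bytes.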
Raw Data
Raw Data search enables packet-level searches and PCAP file downloads.
Search Parameters
Time frame (mandatory)
IP addresses or CIDR ranges
Port number(s)
Only coarse search criteria are available, because packet-level searches are resource-intensive.
Search Limits
Searches stop after collecting 256 MB of data.
If packets you expect are missing from the result, the search has probably hit this limit. Narrow the time frame, addresses, or ports and try again.
Filtering:
Packet-level search filters by IP address but not by direction: you cannot ask only for packets whose source, or only whose destination, is a given address. Filtering by one direction would return only half of the packets in a connection, so an address is always matched against either end.
One IP address: retrieves every packet that the address sent or received.
Two IP addresses: retrieves every packet exchanged between the two, regardless of direction.
Payload stripping:
To conserve disk space and extend data retention, encrypted payloads are removed from archived packets. The packet headers remain, so a PCAP viewer may warn that the captured length is shorter than the original length (a payload size mismatch). This is expected for archived data and not a sign of a corrupt download.
Retention Policy:
Raw packet data is retained only briefly, from a few hours to a couple of days depending on available disk space. Download any PCAP you need for an investigation as soon as the search completes.
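Because Raw Data search matches an address against either end of a connection and strips encrypted payloads from archived packets, direction filtering and truncation checks are best done offline on the downloaded PCAP. The following is an added example, not AI Detect's tooling: a minimal libpcap reader for Ethernet/IPv4 TCP and UDP that constructs its own capture inline, flags records whose captured length is shorter than the original length (the mismatch a PCAP viewer warns about), and filters by host, host pair and direction. The file layout follows the libpcap format; the helper names, addresses and sample session are the author's own.

```python
"""Offline, direction-aware filtering of a PCAP downloaded from Raw Data search.

Added example, not AI Detect's own tooling. The product matches an IP against
either end of a connection and strips encrypted payloads from archived packets,
so this minimal libpcap reader (Ethernet/IPv4, TCP and UDP) post-processes the
downloaded file: it filters by host, host pair and direction, and flags records
whose captured length is shorter than the original length. The capture is
constructed inline; helper names and addresses are the author's own.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4     # little-endian file as written by libpcap on x86
LINKTYPE_ETHERNET = 1
TCP, UDP = 6, 17


def _frame(src, sport, dst, dport, proto, payload):
    """Ethernet/IPv4 frame with a TCP (20-byte) or UDP (8-byte) header."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, IPv4
    return eth + ip + l4 + payload


def build_pcap(packets, strip_payload=False):
    """packets: (src, sport, dst, dport, proto, payload) tuples. With
    strip_payload, incl_len < orig_len in every record, as for archived data."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, sport, dst, dport, proto, payload) in enumerate(packets):
        frame = _frame(src, sport, dst, dport, proto, payload)
        data = frame[:len(frame) - len(payload)] if strip_payload else frame
        out += struct.pack("<IIII", 1700000000 + i, 0, len(data), len(frame)) + data
    return out


def read_pcap(blob):
    """Yield one dict per IPv4 TCP/UDP packet; 'truncated' means incl_len < orig_len."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian libpcap handled)")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _, incl, orig = struct.unpack_from("<IIII", blob, off)
        rec = blob[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(rec) < 34 or struct.unpack_from("!H", rec, 12)[0] != 0x0800:
            continue                                   # too short or not IPv4
        ihl = (rec[14] & 0x0F) * 4
        proto = rec[14 + 9]
        if proto not in (TCP, UDP) or len(rec) < 14 + ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", rec, 14 + ihl)
        yield {"ts": ts_sec, "src": socket.inet_ntoa(rec[26:30]), "sport": sport,
               "dst": socket.inet_ntoa(rec[30:34]), "dport": dport,
               "proto": proto, "truncated": incl < orig}


def with_host(pkts, ip):       # what the product's one-address search returns
    return [p for p in pkts if ip in (p["src"], p["dst"])]


def between(pkts, a, b):       # what the product's two-address search returns
    return [p for p in pkts if {p["src"], p["dst"]} == {a, b}]


def from_host(pkts, ip):       # the direction filter the product does not offer
    return [p for p in pkts if p["src"] == ip]


# Constructed capture: a TLS session of four packets plus one unrelated DNS query.
CLIENT, SERVER = "192.168.2.36", "10.0.0.5"
SESSION = [
    (CLIENT, 51234, SERVER, 443, TCP, b"ClientHello"),
    (SERVER, 443, CLIENT, 51234, TCP, b"ServerHello"),
    (CLIENT, 51234, SERVER, 443, TCP, b"app data"),
    (SERVER, 443, CLIENT, 51234, TCP, b"app data"),
    ("192.168.2.50", 53422, "8.8.8.8", 53, UDP, b"dns query"),
]

if __name__ == "__main__":
    live = list(read_pcap(build_pcap(SESSION)))
    print("either side:", len(with_host(live, CLIENT)),
          "pair:", len(between(live, CLIENT, SERVER)),
          "client->server only:", len(from_host(live, CLIENT)))
    archived = list(read_pcap(build_pcap(SESSION, strip_payload=True)))
    print("truncated records in archived capture:", sum(p["truncated"] for p in archived))
```

Running it shows the point made under Filtering: with_host and between return all four packets of the session, while from_host returns only the two the client sent. On the archived capture every record is flagged truncated, which is the expected effect of payload stripping rather than a corrupt file. The reader handles only little-endian classic pcap with Ethernet framing; use a full parser for pcapng or other link types.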