Policy Activity Filters
Applies To: ThreatSync+ NDR
You can create custom ThreatSync+ NDR policies to monitor traffic flows and the events that ThreatSync+ NDR detects. To define a custom policy, you configure a source zone, a destination zone, and an activity filter. The activity filter enables you to evaluate traffic or event logs between the selected zones, triggering when the activity filter is matched.
When you filter traffic, activity filters can match:
- The ports in the traffic flows.
- The conversation class — a combination of the protocol type (TCP, UDP, or ICMP) and the type of conversation (for example, 2-way, unresponsive scan or malformed).
- The volume of data in the traffic flows.
When you filter on events, activity filters can match:
- The type of anomaly the event represents.
- The ports in the event logs.
- The conversation class — a combination of the protocol type (TCP, UDP, or ICMP) and the type of conversation (for example, 2-way, unresponsive scan or malformed).
ThreatSync+ NDR policies support these activity filters:
| Filter Type | Filter Name | Description |
|---|---|---|
| Zone | Source IP address | A valid IPv4 address. |
| Zone | Destination IP address | A valid IPv4 address. |
| Zone | Source MAC address | A valid MAC address that uniquely identifies a device. Detected only when DHCP logs are available and automatically saved in the Asset name text box. |
| Zone | Destination MAC address | A valid MAC address that uniquely identifies a device. Detected only when DHCP logs are available and automatically saved in the Asset name field. |
| Zone | Source Host Name | A string that represents a device. Detected only when DHCP logs are available and automatically saved in the Asset name text box. |
| Zone | Destination Host Name | A string that represents a device. Detected only when DHCP logs are available and automatically saved in the Asset name text box. |
| Zone | Source Internal/External | Indicator of whether the device has an internal (private) IP address or an external (public) IP address. If public IP addresses are used in your enterprise network, you can assign them to be internal from the Zones page. |
| Zone | Destination Internal/External | Indicator of whether the device has an internal (private) IP address or an external (public) IP address. If public IP addresses are used in your enterprise network, you can assign them to be internal from the Zones page. |
| Zone | Source Country | The country name determined from the IP address. Must match a country in the metadata list that ThreatSync+ NDR uses. |
| Zone | Destination Country | The country name determined from the IP address. Must match a country in the metadata list that ThreatSync+ NDR uses. |
| Zone | Source Locality | The locality (city, state) name determined from the IP address. Must match a country in the metadata list that ThreatSync+ NDR uses. |
| Zone | Destination Locality | The locality (city, state) name determined from the IP address. Must match a country in the metadata list that ThreatSync+ NDR uses. |
| Zone | Source Domain | The second level domain name as determined by the IP address, defined by the Internet Assigned Numbers Authority (IANA) registration data. |
| Zone | Destination Domain | The second level domain name as determined by the IP address, defined by IANA registration data. |
| Zone | Source Organization | The administrative organization name as determined by the IP address, defined by IANA registration data. |
| Zone | Destination Organization | The administrative organization name as determined by the IP address, defined by IANA registration data. |
| Zone | Source Asset | The assigned name of an asset, either by an administrator in the Asset Settings, or dynamically by the system as a MAC Address or host name. |
| Zone | Destination Asset | The assigned name of an asset, either by an administrator in the Asset Settings, or dynamically by the system as a MAC address or host name. |
| Conversation | Source Port | The source port. |
| Conversation | Destination Port | The destination port. |
| Conversation | Application Port | The source or destination port that represents the application that owns the port. This is usually the destination port for flows in the request direction and the source port for flows in the response direction. |
| Conversation | Conversation Originator | Indicates if the traffic flow represents the request or response traffic of a 2-way conversation. Filter by selecting Traffic Flow from a source to a destination. To filter for both request and response traffic, select Traffic Flow Between source and destination. |
| Conversation | Traffic Volume | The total count of bytes in traffic flows. |
| Conversation | Conversation Class | An indicator of the type of conversation. Possible values are ICMP Normal, ICMP Scanning, ICMP Unknown, TCP Malformed, TCP Normal, TCP Scanning, UDP Malformed, UDP One-Way, and UDP Two-Way. |
| Event | Beaconing Through Web API | Detected periodic traffic through a Web Service API that indicates possible tunneling through a public web site. |
| Event | High Volume from Source IP | Detected traffic from a source that has significantly exceeded the expected baseline volume. |
| Event | Irregular ICMP Conversation | Detected unusual ICMP traffic that indicates possible network scanning, mapping, and data exfiltration. |
| Event | Abnormally Fast ICMP Flow from Inbound to Outbound | Detected unusually fast inbound-to-outbound ICMP traffic that indicates possible scanning and data exfiltration. |
| Event | NetFlow High Ports Only | Traffic flows between high ports detected. This might indicate unauthorized traffic such as BitTorrent activity. |
| Event | Large Volume from Asset | Detected traffic from an asset that significantly exceeds the baseline volume. |
| Event | Large Volume to Asset | Detected traffic to an asset that significantly exceeds the baseline volume. |
| Event | Large Packet Count from Asset | Detected traffic from an asset that significantly exceeds the expected baseline packet count. |
| Event | Large Packet Count to Asset | Detected traffic to an asset that significantly exceeds the expected baseline packet count. |
| Event | Data Sent to Large Number of Hosts | The count of destinations seen in traffic from a source exceeds the baseline. |
| Event | Data Received from Large Number of Hosts | The count of sources seen in traffic sent to a device exceeds the baseline. |
| Event | Data Sent To Large Number of Cities | The count of destination localities seen in traffic from a source exceeds the baseline. |
| Event | Data Received From Large Number Of Cities | The count of source localities seen in traffic sent to a device exceeds the baseline. |
| Event | Unusual Outgoing connection duration | The average outgoing connection duration from a device was significantly different from the baseline. |
| Event | Unusual Incoming connection duration | The average incoming connection duration to a device was significantly different from the baseline. |
| Event | High Ratio of Outgoing Bytes Per Incoming Bytes | The ratio was significantly higher than the baseline. |
| Event | High Ratio Of Incoming Bytes Per Outgoing Bytes | The ratio was significantly higher than the baseline. |
| Event | High Ratio of Outgoing Packets Per Incoming Packets | The ratio was significantly higher than the baseline. |
| Event | High Ratio of Incoming Packets Per Outgoing Packets | The ratio was significantly higher than the baseline. |
| Event | High Rate of Incoming Bytes | The rate was significantly higher than the baseline. |
| Event | High Rate of Outgoing Bytes | The rate was significantly higher than the baseline. |
| Event | High Rate of Incoming Packets | The rate was significantly higher than the baseline. |
| Event | High Rate of Outgoing Packets | The rate was significantly higher than the baseline. |
| Event | High Count of Incoming Flows | The count was significantly higher than the baseline. |
| Event | High Count of Outgoing Flows | The count was significantly higher than the baseline. |
| Event | Unusual Rate of Incoming Bytes Per Flow | The rate was significantly different from the baseline. |
| Event | Unusual Rate of Outgoing Bytes Per Flow | The rate was significantly different from the baseline. |
| Event | Unexpected Port Accessed on Asset | Significant traffic was seen to an asset on a port unrelated to a role assigned to that asset. |
| Event | High Ratio of Incoming Bytes to Incoming Packets | The ratio was significantly higher than the baseline. |
| Event | High Ratio Of Outgoing Bytes to Outgoing Packets | The ratio was significantly higher than the baseline. |
| Event | Connection to New Organization | Activity detected from a node to an organization that has not previously been communicated with on your network. |
| Event | Connection to New Domain | Activity detected from a node to a domain that has not previously been communicated with on your network. |
| Event | Connection to New Locality | Activity detected from a node to a locality that has not previously been communicated with on your network. |
| Event | Connection to New Host | Activity detected from a node to an IP address that has not previously been communicated with on your network. |
| Event | Connection from New Organization | Activity detected to a node from an organization that has not previously been communicated with on your network. |
| Event | Connection from New Domain | Activity detected to a node from a domain that has not previously been communicated with on your network. |
| Event | Connection from New Locality | Activity detected to a node from a locality that has not previously been communicated with on your network. |
| Event | Connection from New Host | Activity detected to a node from an IP address that has not previously been communicated with on your network. |
| Event | Unusual Total Outgoing Connection Duration | The total outgoing connection duration from a device was significantly different from the baseline. |
| Event | Unusual Total Incoming Connection Duration | The total incoming connection duration to a device was significantly different from the baseline. |
| Event | Suspected High Throughput DNS Tunnel | Activity indicates the presence of a DNS tunnel with high volume. |
| Event | Suspected Low Throughput DNS Tunnel | Activity indicates the presence of a DNS tunnel with low volume. |
| Event | Suspected RDP Tunnel | Activity indicates the presence of an RDP tunnel. |
| Event | Suspected RDP Session | Activity indicates the presence of an RDP session. |
| Event | Suspected RDP Attempt | Activity indicates the attempt to initiate an RDP tunnel. |
| Event | Fast Vertical Port Scan | Activity indicates a port scan of a destination IP address in a short amount of time. |
| Event | Slow Vertical Port Scan | Activity indicates a port scan of a destination IP address over a longer amount of time. |
| Event | Fast Horizontal Port Scan | Activity indicates a scan of similar ports to at least 8 destination IP addresses in a short amount of time. |
| Event | Blocklist IP Address | Activity to an IP address on the ThreatSync+ NDR blocklist was detected. |
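The following added example (not ThreatSync+ NDR code) models how a custom traffic policy with a source zone, a destination zone, and the Application Port, Conversation Class, Traffic Volume and Conversation Originator filters described above would be evaluated against flow records. The `Flow` and `Policy` structures, the sample flows, and the treatment of "assigned internal" public addresses as an explicit set are assumptions made for illustration; RFC 1918 ranges stand in for the product's private-address test.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:                 # constructed flow record, not the product's schema
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str          # "request" or "response" leg of a 2-way conversation
    conv_class: str         # a Conversation Class value, e.g. "TCP Normal"
    nbytes: int             # bytes in this flow

@dataclass
class Policy:               # constructed policy model
    src_zone: str           # "internal" or "external"
    dst_zone: str
    app_ports: frozenset    # Application Port filter (empty = any)
    conv_classes: frozenset # Conversation Class filter (empty = any)
    min_bytes: int = 0      # Traffic Volume filter
    between: bool = False   # False: "Traffic Flow from source to destination" (request leg)
                            # True: "Traffic Flow Between" (request and response legs)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def application_port(flow):
    """Page rule: destination port on the request leg, source port on the response leg."""
    return flow.dst_port if flow.direction == "request" else flow.src_port

def zone_of(ip, internal_public=frozenset()):
    """Private addresses are internal; public ranges assigned internal on the
    Zones page are modelled as an explicit set (assumption)."""
    addr = ip_address(ip)
    return "internal" if any(addr in n for n in RFC1918) or ip in internal_public else "external"

def policy_matches(policy, flow, internal_public=frozenset()):
    src, dst = zone_of(flow.src_ip, internal_public), zone_of(flow.dst_ip, internal_public)
    if flow.direction == "request":
        zones_ok = (src, dst) == (policy.src_zone, policy.dst_zone)
    else:
        # A response leg runs destination -> source: only a "Between" policy
        # considers it, and its endpoints are compared in swapped orientation.
        zones_ok = policy.between and (dst, src) == (policy.src_zone, policy.dst_zone)
    return (zones_ok
            and (not policy.app_ports or application_port(flow) in policy.app_ports)
            and (not policy.conv_classes or flow.conv_class in policy.conv_classes)
            and flow.nbytes >= policy.min_bytes)

# Constructed sample conversation: an internal client talking HTTPS to an external host.
REQUEST = Flow("10.0.0.5", "203.0.113.10", 51234, 443, "request", "TCP Normal", 5000)
RESPONSE = Flow("203.0.113.10", "10.0.0.5", 443, 51234, "response", "TCP Normal", 120000)
DNS_ONEWAY = Flow("10.0.0.5", "198.51.100.1", 40000, 53, "request", "UDP One-Way", 80)
```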