-- NAME: NDR - Top 100 most trafficked hostnames -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the top 100 most trafficked hostnames by traffic volume -- SOURCE: Data Lake -- VARIABLE $$Destination IP Address$$ IP ADDRESS -- VARIABLE...

-- NAME: NDR - Top Clusters (BARS) -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the clusters with the most traffic in bytes. -- A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol...

-- NAME: NDR - Top Clusters -- CATEGORY: NDR -- DESCRIPTION: Detection for identifying the clusters with the most traffic in bytes. -- A cluster is a group of flows defined by their shared values for src_ip, dest_ip, dest_port, protocol, app_protocol...

-- NAME: NDR -Mac IP Hostname Correlation -- CATEGORY: NDR -- DESCRIPTION: Source Mac IP and Hostname Correlation based on MDNS and NetBIOS -- NOTE: This includes hostname information extracted from the flow data where available. -- If no web_hostname...

View each row of an NDR FLOW based detection -- NAME: NDR - Detection Details (FLOW BASED) -- CATEGORY: NDR -- DESCRIPTION: Examine the detection context for flow based detections and provide context and investigation actions -- VARIABLE $$Message...

This query provides a human readable description of an NDR FLOW based detection. You can use a wild card % to see all detections in a time range or pivot directly to the query from the 'message_id' field of the flow detection record. -- NAME: NDR...