Top Use Cases

NetworkSage is an exceptionally powerful platform that can be leveraged in many ways. But what are the top ways users find value? This document walks through them.

Automated Alert Triage

The most common way customers use NetworkSage is as a first-pass analysis of network alerts that involve activity to the Internet. Whenever an alert in their existing technology stack triggers, the activity before, including, and after the alert (usually about 90 seconds to 2 minutes on either side is sufficient) is captured and uploaded to NetworkSage. From there, the Sample Summary and Sample Categorization capabilities are requested: the former gives a high-level overview of what happened and whether it was interesting, and the latter gives the details, so that deeper investigation can be carried out with detailed knowledge.

Alert Triage Workflow

When an analyst reviews this information, they are able to quickly make the right decision on whether or not follow-on work is needed.

Summary Contains Context

Summary Information

Categorization Contains Details

Categorization Details (Partial)

Reviewing Hunting Results

Proactive hunting for attacks that your automated detections missed is a critical aspect of a mature SOC. But digging into the results of your hunt can be incredibly time-consuming, especially when your aim is to analyze technologies that are used for both benign and malicious purposes.

Unknown Phishing Portal Hosted on Trusted Cloud Site

Trusted Cloud Site Hosting Active Phishing Portal

By taking hunting results -- and the activity surrounding them -- and submitting them to NetworkSage, customers automatically get an understanding of whether the activity they've found is something to remediate. This allows hunts to be more efficient, consistent, and effective!

Hunting with Global Knowledge

NetworkSage is built in a way that allows the knowledge of the entire userbase to be available to everyone without exposing any sensitive data. Anything labeled in the system automatically appears in all results, allowing a true crowdsourced effort to understand different aspects of the threat landscape.

Example of Global Knowledge Automatically Labeled in Sample

Global Knowledge Automatically Labeled in Sample

All metadata associated with activities in our system (including how many times a particular flow to a particular Destination has been seen in our dataset) is available for customers to enrich their own existing traffic and use for better hunting starting points. For example:
  • How many users are downloading data from known Cloud-Hosting Platforms?
  • Which sites have C2-like flows to them that are globally uncommon?
  • What known URL Shorteners are being used to disguise links in our traffic?
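The three hunting starting points above, worked through as an added example that is not NetworkSage's own code or schema: the record fields (user, destination, labels, global sighting count, byte counts), the label strings, the "substantial download" byte threshold and the "globally uncommon" sighting cut-off are all assumptions, and the flow records are constructed sample data.

```python
from dataclasses import dataclass


# Constructed sample of enriched flow metadata. Field names are hypothetical,
# not NetworkSage's real export format; one record per observed flow.
@dataclass(frozen=True)
class EnrichedFlow:
    user: str
    destination: str
    labels: frozenset        # labels the platform attached to the Destination
    global_sightings: int    # how often this flow/Destination was seen in the dataset
    bytes_in: int            # bytes received by the user (downloads)
    bytes_out: int           # bytes sent by the user


FLOWS = [
    EnrichedFlow("alice", "files.example-cloud.test", frozenset({"Cloud-Hosting Platform"}), 120_000, 4_500_000, 12_000),
    EnrichedFlow("bob",   "files.example-cloud.test", frozenset({"Cloud-Hosting Platform"}), 120_000, 9_000, 8_500),
    EnrichedFlow("carol", "drop.example-share.test",  frozenset({"Cloud-Hosting Platform"}), 35_000, 2_100_000, 6_000),
    EnrichedFlow("dave",  "beacon.example-rare.test", frozenset({"C2-like"}), 3, 1_200, 900),
    EnrichedFlow("dave",  "cdn.example-popular.test", frozenset({"C2-like", "CDN"}), 950_000, 1_100, 950),
    EnrichedFlow("erin",  "short.example-link.test",  frozenset({"URL Shortener"}), 40_000, 800, 400),
    EnrichedFlow("frank", "short.example-link.test",  frozenset({"URL Shortener"}), 40_000, 700, 350),
]


def cloud_downloaders(flows, min_bytes_in=1_000_000):
    """Users pulling substantial data (assumed threshold) from Cloud-Hosting Platforms."""
    return sorted({f.user for f in flows
                   if "Cloud-Hosting Platform" in f.labels and f.bytes_in >= min_bytes_in})


def uncommon_c2_like(flows, max_sightings=100):
    """Destinations with C2-like flows that are globally rare (assumed cut-off)."""
    return sorted({f.destination for f in flows
                   if "C2-like" in f.labels and f.global_sightings <= max_sightings})


def shortener_usage(flows):
    """Distinct users per known URL Shortener seen in the traffic."""
    users_by_dest = {}
    for f in flows:
        if "URL Shortener" in f.labels:
            users_by_dest.setdefault(f.destination, set()).add(f.user)
    return {dest: len(users) for dest, users in users_by_dest.items()}


if __name__ == "__main__":
    print("Cloud downloaders:", cloud_downloaders(FLOWS))
    print("Uncommon C2-like destinations:", uncommon_c2_like(FLOWS))
    print("URL shortener usage:", shortener_usage(FLOWS))
```

The popular CDN carrying a C2-like flow is deliberately excluded by the sighting cut-off, which is the point of using global counts as a hunting filter: rarity, not the label alone, is what makes a destination worth a first look.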

Data Science

NetworkSage is the first network analysis platform that labels every single incoming session with a number of features:

By having such rich information, there are a number of excellent features to choose from to build data sets for better detections, network troubleshooting, and other scenarios.

Example of Labeled Data Useful for C2 Detection

Additional Resources

To dig deeper into what NetworkSage has to offer, we recommend the following resources:

Ready to start leveraging NetworkSage in your environment? Subscribe here!