Skip to main content

The Value of Enriched Metadata in Netography Fusion®

The Netography Fusion® Network Defense Platform (NDP) analyzes enriched metadata to accelerate your ability to detect compromise activity that other security controls in your stack have missed, such as lateral movement and data exfiltration.


Enriched metadata delivers context-rich visualizations and alerts of activity across your multi-cloud and on-prem network, putting critical information at the fingertips of your SecOps, NetOps, and CloudOps teams. These visualizations and alerts show what your devices, users, applications, and data are doing and what’s happening to them in real-time, and can respond to malicious or anomalous activity before it disrupts operations.

Value of Enriched Metadata 

Enriched metadata accelerates your ability to detect malicious or anomalous activity that other security controls in your stack have missed. You can use individual or combinations of context attributes (such as application in use, location, department, operating system, and group of users) to create context-rich alerts that are specific and actionable, reducing your response time. You will be able to understand the significance of the devices exhibiting the behavior without having to access additional tools or engage with other teams. 

Some use cases where enriched metadata delivers value when other detection technologies have failed: 

  • Monitoring encrypted communication: Legacy tools that rely on deep packet inspection (DPI) cannot analyze encrypted data. Zero Trust encryption blinds them from detecting anomalous or malicious activity.
  • Detecting compromised devices: Lateral movement and data exfiltration are two common behaviors exhibited by compromised devices. Legacy security tools lack the ability to understand when a device has started exhibiting anomalous activity inside a network (such as crossing trust boundaries) as well as exfiltrating large quantities of data.
  • Identifying Zero Trust violations: Zero Trust governance is a common challenge as Zero Trust adoption becomes widespread. Most network and security controls lack the ability to identify Zero Trust violations or trust boundary crossings as they occur in real-time or detect governance violations caused by changes in user, application, or device permissions. The Fusion platform uses context to monitor Zero Trust boundaries.

Flow is the Foundation of Enriched Metadata

The Fusion platform starts the process of creating enriched metadata with the collection of flow data from your multi-cloud and on-prem network. Flow data is interface-level metadata that contains information related to communications between devices, such as source and destination IP addresses and ports and protocol used. 

Flow data is an extremely valuable data source because it provides real-time visibility into activity across your network without the need to deploy costly appliances to inspect every packet. Flow is also encryption-agnostic, providing essential visibility in environments that have been encrypted to satisfy Zero Trust requirements as well as unencrypted environments. 

The Fusion platform ingests cloud flow logs from all five major cloud providers: Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud. It also ingests flow data (NetFlow, sFlow, and IPFIX protocols) from routers, switches, and other physical or virtual devices in your network. 

The Fusion platform is 100% SaaS and it eliminates the requirement to deploy expensive sensors, taps, or agents to collect the flow data. This frictionless deployment model means that you can gain critical visibility in all segments and locations, and not just those few where you have deployed sensors or taps.

The Value of Enriched Metadata in Netography Fusion®

Use individual or combinations of attributes to create visualizations and generate alerts on compromise activity, Zero Trust governance violations, or misconfigurations. Example: a Finance notebook communicating with multiple devices in the OT network and attributes included with the detection.  

Adding Essential Context 

However, flow data by itself causes your analysts to have to conduct time-consuming additional investigations to collect the essential context they need to understand the significance of any anomalous activity they observe. 

To address the lack of context in the flow data and cloud flow logs, Fusion enriches the metadata with context already contained in applications and services in your existing tech stack, including asset management, configuration management database (CMDB), endpoint detection and response (EDR), network detection and response (NDR), extended detection and response (XDR), and vulnerability management.

Context from your tech stack is a critical component of the unique value the Fusion platform delivers to SecOps, NetOps, and CloudOps teams. The Fusion platform uses context to transform the metadata in your network from a table of IP addresses, ports, and protocols into enriched metadata that provides context-rich descriptions of the activities of your users, applications, and devices. 

Fusion can ingest dozens of attributes to enrich your metadata, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count. 

Fusion has a library of built-in integrations to add new context sources quickly, and you have the ability to integrate context from other applications not listed (including custom apps) via our API. Some examples of the value our integrations deliver are:

  • Microsoft Defender XDR: You can search any of the dozens of data schemas within Microsoft Defender XDR for context, giving them access to potentially hundreds of context attributes with which to enrich your metadata: 
    • Devices managed by Microsoft Defender for Endpoint 
    • Emails processed by Microsoft 365
    • Authentication events, domain controller activities, and cloud application activities monitored by Microsoft Defender for Identity and Microsoft Defender for Cloud Apps
  • Wiz: You can see malicious activity targeting your vulnerable cloud assets as well as detect assets that have already been compromised, enabling you to eradicate threat actors that are active in your network. 
  • Crowdstrike: You can add asset, organizational, and usage context from CrowdStrike’s Falcon Endpoint Detection and Response (EDR) platform to accelerate compromise detection and threat hunting, enforce policies like Zero Trust and HIPAA, and respond to audit requests. 

Ready for a demo?

See how Netography Fusion works