
Incident Investigation and Threat Hunting

Speed Up Incident Investigation and Close Visibility Gaps

Map the scope and impact of any incident with comprehensive visibility

When a security incident occurs and your security operations and incident response (IR) teams try to reconstruct the event timeline or map the scope of the event, they often cannot because of the lack of historical data. They have only partial visibility of IT, OT, and IoT activity because your monitoring technology has not kept up with the evolution of your hybrid cloud and on-prem network.

Netography Fusion® is a Network Defense Platform (NDP) that gives your SecOps, NetOps, CloudOps, and IR teams a singular view of all network activity. It enables your analysts and investigators to conduct detailed forensic analysis of East/West and North/South activity between servers, endpoints, and unmanaged devices after a security event such as a data breach.

Examples of incident investigation activities the Netography Fusion platform supports:

  • Hunting anomalous activity in network traffic to expose the timeline of events
  • Mapping the scope and impact of the security incident, including devices and workloads accessed, in on-prem and cloud environments
  • Tracing the digital footprint of the threat actor, including device initially compromised and subsequent East/West movement
  • Understanding the techniques used by the threat actor to move across the network
  • Analyzing volumetric attacks (e.g., bots or flooding) to provide network evidence backed by traffic records

  • Accelerate incident investigation with comprehensive visibility: eliminate delays in incident reconstruction with aggregated and normalized data
  • Reduce workload on analysts & investigators with enriched metadata: accelerate post-incident analysis with context-rich metadata
  • Close blind spots in network monitoring capabilities in minutes: monitor all conversations in the network without installing costly sensors or agents

Accelerate incident investigation with comprehensive visibility

Too many organizations lack the ability to quickly and effectively investigate anomalous or malicious activity in their network. They spend their limited time trying to analyze non-normalized data from a handful of sources, so reconstructing the full chain of events takes weeks or months, if it can be done at all.

Your investigation team has all network activity across your Atomized Network, including IT, OT, and IoT devices, at its fingertips. The Fusion NDP platform aggregates and normalizes your network metadata and then enriches it with context from your existing tech stack, saving you time.

Netography Fusion’s automatic, budget-friendly retention of network traffic data provides a complete picture of past activity on your Atomized Network. You have the flexibility to determine the data retention schedule to meet your policy requirements.

No matter how large your network is, Netography Query Language (NQL) is a powerful search technology that enables you to search billions of enriched metadata records in seconds from a single console.

Reduce workload on analysts & investigators with enriched metadata

Trying to map each stage of a breach or other security incident without a detailed understanding of the value of each asset involved is an exercise in futility.

Fusion’s enriched metadata provides the critical context you need to understand the significance of the devices, users, and applications involved. It incorporates context already contained in applications and services in your existing tech stack, including asset management, configuration management database (CMDB), endpoint detection and response (EDR), network detection and response (NDR), extended detection and response (XDR), and vulnerability management.

Using this context, the Fusion platform transforms your raw network metadata, a table of IP addresses, ports, and protocols, into context-rich descriptions of what your users, applications, and devices are actually doing.

The result is that you don’t have to access additional tools or engage with other teams as you measure the scope of the event to understand the significance of the devices involved.
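To make the two ideas above concrete, the enrichment of raw flow records with asset context (this section) and the tracing of a threat actor's East/West movement from the initially compromised device (the investigation activities listed earlier), here is an added example. It is not Netography code and does not use NQL or the Fusion schema; the flow field names, the asset inventory standing in for a CMDB/EDR export, the flow records themselves, and the RFC 1918 ranges used to classify direction are all constructed assumptions for illustration.

```python
"""Added example (not Netography Fusion code): enrich raw flow records with
asset context, then trace East/West movement from a seed host and report the
scope of the incident. Every record, name and address below is constructed."""
import ipaddress

# Constructed asset inventory, standing in for a CMDB/EDR export (assumed fields).
ASSETS = {
    "10.0.1.15": {"name": "ws-finance-07", "role": "workstation", "owner": "finance", "criticality": "low"},
    "10.0.2.40": {"name": "fs-hr-01", "role": "file-server", "owner": "hr", "criticality": "medium"},
    "10.0.3.9": {"name": "db-payroll-01", "role": "database", "owner": "finance", "criticality": "high"},
    "10.0.9.2": {"name": "plc-line-3", "role": "ot-controller", "owner": "plant", "criticality": "high"},
}
CRIT_ORDER = ["unknown", "low", "medium", "high"]
# RFC 1918 ranges used to decide whether an address is "inside" (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: epoch seconds, src, dst, destination port, protocol, bytes.
FLOWS = [
    {"ts": 1700000000, "src": "203.0.113.5", "dst": "10.0.1.15", "dport": 443, "proto": "tcp", "bytes": 5200},
    {"ts": 1700000120, "src": "10.0.1.15", "dst": "10.0.2.40", "dport": 445, "proto": "tcp", "bytes": 81000},
    {"ts": 1700000300, "src": "10.0.2.40", "dst": "10.0.3.9", "dport": 1433, "proto": "tcp", "bytes": 120000},
    {"ts": 1700000400, "src": "10.0.3.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 4900000},
    {"ts": 1700000500, "src": "10.0.1.15", "dst": "10.0.9.2", "dport": 502, "proto": "tcp", "bytes": 300},
    # Legitimate traffic from before the compromise; must not appear in the trace.
    {"ts": 1699999000, "src": "10.0.2.40", "dst": "10.0.1.15", "dport": 445, "proto": "tcp", "bytes": 2000},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def direction(flow):
    """East/West when both ends are internal, North/South when exactly one is."""
    s, d = is_internal(flow["src"]), is_internal(flow["dst"])
    if s and d:
        return "east-west"
    return "north-south" if (s or d) else "external"


def describe(ip):
    """Turn a bare IP into the context an analyst would otherwise look up by hand."""
    asset = ASSETS.get(ip)
    if asset:
        return f"{asset['name']} ({asset['role']}, {asset['owner']}, crit={asset['criticality']})"
    return f"{ip} (unmanaged/unknown)" if is_internal(ip) else f"{ip} (external)"


def enrich(flow):
    e = dict(flow)
    e["direction"] = direction(flow)
    e["src_desc"] = describe(flow["src"])
    e["dst_desc"] = describe(flow["dst"])
    crits = [ASSETS.get(ip, {}).get("criticality", "unknown") for ip in (flow["src"], flow["dst"])]
    e["max_criticality"] = max(crits, key=CRIT_ORDER.index)
    return e


def trace_lateral(flows, seed, start_ts):
    """Breadth-first walk over East/West flows: from the seed, follow every internal
    destination contacted at or after the time the source itself was reached, so
    pre-compromise traffic cannot be mistaken for a hop. Returns hops in time order."""
    reached = {seed: start_ts}
    queue, hops = [seed], []
    ordered = sorted(flows, key=lambda f: f["ts"])
    while queue:
        host = queue.pop(0)
        for f in ordered:
            if (f["src"] == host and f["ts"] >= reached[host]
                    and direction(f) == "east-west" and f["dst"] not in reached):
                reached[f["dst"]] = f["ts"]
                queue.append(f["dst"])
                hops.append((f["ts"], host, f["dst"], f["dport"]))
    return sorted(hops)


def scope_report(flows, seed, start_ts, exfil_threshold=1000000):
    """Map the scope: hosts touched, high-criticality assets among them, and
    large outbound North/South transfers from touched hosts after the start time."""
    hops = trace_lateral(flows, seed, start_ts)
    touched = {seed} | {dst for _, _, dst, _ in hops}
    exfil = [enrich(f) for f in flows
             if f["src"] in touched and f["ts"] >= start_ts
             and direction(f) == "north-south" and f["bytes"] > exfil_threshold]
    return {
        "hops": hops,
        "touched": sorted(touched),
        "high_value": sorted(h for h in touched if ASSETS.get(h, {}).get("criticality") == "high"),
        "exfil_candidates": exfil,
    }


if __name__ == "__main__":
    report = scope_report(FLOWS, seed="10.0.1.15", start_ts=1700000000)
    for ts, src, dst, dport in report["hops"]:
        print(ts, describe(src), "->", describe(dst), "port", dport)
    print("high-value assets reached:", report["high_value"])
    for e in report["exfil_candidates"]:
        print("possible exfiltration:", e["src_desc"], "->", e["dst_desc"], e["bytes"], "bytes")
```

The time constraint in `trace_lateral` is the part worth copying: without it, the earlier SMB session from the file server to the workstation would make the file server look like the origin. In practice the seed host and start time come from the first alert, and the asset dictionary is whatever inventory export you can join on IP.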

Close blind spots in network monitoring capabilities in minutes

Most security operations centers (SOCs) lack visibility of IT, OT, and IoT activity across their hybrid cloud and on-premises networks, creating blind spots that emerge only during the incident investigation process.

The Fusion platform enables you to close blind spots before a crisis hits and you realize the critical historical data you need doesn’t exist. Fusion is cloud-native and its 100% SaaS frictionless deployment model means you can monitor any segment or instance across your cloud and on-prem network at any time (including places you can’t or don’t want to deploy an appliance or agent).

You’ll begin to visualize context-rich network activity almost immediately with no sensors, agents, or taps to deploy. You get unmatched awareness from aggregated and normalized metadata collected from the physical and virtual devices already in your network. You can also see all activity from all five major cloud providers, eliminating gaps in your knowledge of activities across your Atomized Network.

Fusion Capabilities Include:

  • Search Billions of Flow Log Entries in Seconds
  • Flexible Data Retention Policies
  • Comprehensive Network Visibility Across On-Prem and Cloud Environments
  • Forensics-Level Analytics of Application, Protocol, or Volumetric DDoS Attacks
  • Powerful Searches with Netography Query Language (NQL)
  • User-Customizable Netography Detection Models (NDMs) and Context-Creation Modules (CCMs)
  • Context-Rich Metadata Eliminates Need for Additional Research
  • SOC 2 Certified