Host Insights

Introduction

Host Insights™ is a feature of Clear NDR® that provides detailed insights into the activity of the hosts it observes on the network.

Host Insights™ tracks every host observed on the network in real time, giving analysts a rapid understanding of which HTTP User-Agents, TLS agents, user logins and so on have been observed on each host. Each metadata value is tracked with first seen and last seen timestamps. For example, if the HTTP user agent “wget/1.20” is observed on a host, it is recorded together with the first time and the most recent time it was seen.

On top of the basic metadata, Host Insights™ also provides additional context such as the role of the host. Roles are derived from the services the host has been observed to provide, as well as the protocols and ports it has been seen using. Multiple roles can be assigned to a host; for example, an Active Directory Domain Controller commonly carries both the Domain Controller and DHCP Server roles. Roles include Domain Controller, DHCP Server, HTTP Proxy and Printer.

Information about hosts is collected independently of threat detection, ensuring visibility of every host present in the analyzed traffic.

Hosts can be internal (inside the organization’s network) or external (outside it). Internal hosts form part of the organization’s attack surface.

Usage

The Host Insights™ feature is particularly useful for:

  • Alert and event contextualization: Detailed per-host metadata lets analysts quickly understand the context of alerts and events, such as which user logged in, what services are running, and what protocols are in use.

  • Incident response: During an incident, analysts can use Host Insights™ to quickly identify affected hosts and understand their roles and behaviors, which can help in prioritizing response actions.

  • Threat hunting: Analysts can leverage Host Insights™ to proactively search for anomalies or suspicious behaviors across hosts, such as unusual user agents or unexpected services running on hosts.

  • Asset management: Host Insights™ provides a comprehensive view of all hosts observed on the network, which can assist in asset management and inventory tracking.
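The per-host first seen/last seen tracking and role derivation described in the Introduction, together with the threat-hunting use case above, as an added example that is not Clear NDR®'s or Stamus Networks' own code. The event format, the internal network list, the role rules and the sample events are all assumptions constructed for this example; Clear NDR®'s actual role heuristics are not documented on this page.

```python
"""Added example (not Clear NDR's own code): a minimal tracker in the style of
Host Insights. It keeps a first-seen/last-seen record per (host, metadata
value), derives roles from observed services and supports a simple hunt.
The event format, role rules and internal-network list are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Assumption: the organization's internal ranges (the product's own setting may differ).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical role rules for this example only (not the product's heuristics):
# a host earns a role once it has been seen serving every listed port.
ROLE_RULES = {
    "Domain Controller": {"tcp/88", "tcp/389"},
    "DHCP Server": {"udp/67"},
    "HTTP Proxy": {"tcp/3128"},
    "Printer": {"tcp/9100"},
}

# Constructed sample events: (timestamp, host, kind, value). "service" events
# record a port the host was seen serving; other kinds are client-side metadata.
EVENTS = [
    ("2024-05-01T08:00:00Z", "10.0.0.5", "http.user_agent", "wget/1.20"),
    ("2024-05-01T09:30:00Z", "10.0.0.5", "http.user_agent", "wget/1.20"),
    ("2024-05-01T07:15:00Z", "10.0.0.5", "http.user_agent", "wget/1.20"),  # arrives late
    ("2024-05-01T08:05:00Z", "10.0.0.5", "user.login", "alice"),
    ("2024-05-01T08:00:00Z", "10.0.0.10", "service", "tcp/88"),
    ("2024-05-01T08:00:01Z", "10.0.0.10", "service", "tcp/389"),
    ("2024-05-01T08:00:02Z", "10.0.0.10", "service", "udp/67"),
    ("2024-05-01T08:10:00Z", "10.0.0.20", "service", "tcp/9100"),
    ("2024-05-01T08:20:00Z", "10.0.0.30", "http.user_agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"),
    ("2024-05-01T08:25:00Z", "203.0.113.7", "http.user_agent", "python-requests/2.31"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_internal(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Observation:
    first_seen: datetime
    last_seen: datetime
    count: int = 1


@dataclass
class HostRecord:
    ip: str
    metadata: dict = field(default_factory=dict)  # (kind, value) -> Observation

    def values(self, kind: str) -> set:
        return {v for (k, v) in self.metadata if k == kind}

    def roles(self) -> list:
        served = self.values("service")
        return sorted(role for role, need in ROLE_RULES.items() if need <= served)


class HostInsights:
    def __init__(self):
        self.hosts: dict = {}

    def ingest(self, ts: str, host: str, kind: str, value: str) -> None:
        t = parse_ts(ts)
        rec = self.hosts.setdefault(host, HostRecord(host))
        obs = rec.metadata.get((kind, value))
        if obs is None:
            rec.metadata[(kind, value)] = Observation(t, t)
        else:
            # min/max rather than overwrite, so late-arriving events cannot corrupt history
            obs.first_seen = min(obs.first_seen, t)
            obs.last_seen = max(obs.last_seen, t)
            obs.count += 1

    def hunt_user_agents(self, allowed_prefixes) -> list:
        """Hunting helper: internal hosts whose User-Agent matches no allowed prefix."""
        hits = []
        for ip, rec in self.hosts.items():
            if not is_internal(ip):
                continue
            for ua in rec.values("http.user_agent"):
                if not ua.startswith(tuple(allowed_prefixes)):
                    obs = rec.metadata[("http.user_agent", ua)]
                    hits.append((ip, ua, obs.first_seen.isoformat(), obs.last_seen.isoformat()))
        return sorted(hits)


def build_from_events(events=EVENTS) -> HostInsights:
    hi = HostInsights()
    for ev in events:
        hi.ingest(*ev)
    return hi


if __name__ == "__main__":
    hi = build_from_events()
    for ip, rec in sorted(hi.hosts.items()):
        print(ip, "internal" if is_internal(ip) else "external", rec.roles())
    print(hi.hunt_user_agents(["Mozilla/"]))
```

The out-of-order event for `10.0.0.5` shows why first seen and last seen are maintained with min/max rather than by overwriting: an analyst reading the record needs the true earliest sighting of "wget/1.20", not the order in which the sensor happened to deliver the events. The hunt restricts itself to internal hosts because, as the Introduction notes, those are the ones on the organization's attack surface.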

This information is available in the Host Insights™ section of the Clear NDR® user interface, where analysts can quickly see the history of each host and its associated metadata. See Host Insights for more details on how to access and use this feature in the scope of hunting. The Host Insights™ database can also be explored in the Inventory section of the Clear NDR® user interface.

Host Insights™ information is also available through the REST API, allowing integration with other tools and systems for further analysis or automation. See Host Insights for more details on how to access Host Insights™ information through the API.