Dashboards and Visualizations Reference¶
Stamus’s Network Detection and Response (NDR) dashboards for network security monitoring.
Dashboard: SN-ALERTS¶
Security use case examples: IDS/IPS alert data for detecting active threats, exploit attempts, policy violations, and known malware signatures across all monitored network protocols.
Network use case examples: Alert volume trending, detection rule coverage baselining, top alert category distribution monitoring, and sensor performance capacity planning.
SN-ALERTS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Alert-ByExtraInfoType |
Generic description: Bar chart showing ALERT event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALERT traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALERT event volumes across timestamp, app_proto categories. |
|
event_type:alert |
SN-Alert-ByHttpMethod |
Generic description: Donut chart showing the proportional distribution of ALERT events by http.http_method. Security use case examples: Highlights dominant http.http_method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-BySmtpHello |
Generic description: Donut chart showing the proportional distribution of ALERT events by smtp.helo. Security use case examples: Highlights dominant smtp.helo values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsIssuerdn |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.issuerdn. Security use case examples: Highlights dominant tls.issuerdn values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsSni |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByVLANIDTop20 |
Generic description: Data table ranking the top 20 top vlan values by ALERT event count. Security use case examples: Identifies the most active top vlan values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Count |
Generic description: Single-value metric displaying the total count of ALERT events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for ALERT event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate ALERT event counts. |
event_type:alert |
event_type:alert |
SN-Alert-GeoMap |
Generic description: Geographic heatmap displaying ALERT traffic density by geographic location using geoip.location. Security use case examples: Reveals connections to high-risk geographies, unexpected international flows, and geo-based policy violations potentially indicative of exfiltration. Network use case examples: Provides geographic traffic visibility for data sovereignty compliance, CDN optimization, and international bandwidth capacity planning. |
|
event_type:alert |
SN-Alert-Proto |
Generic description: Donut chart showing the proportional distribution of ALERT events by proto. Security use case examples: Highlights dominant proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-Top20DstIP |
Generic description: Data table ranking the top 20 destination dest_ip values by ALERT event count. Security use case examples: Identifies the most active destination dest_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20DstPorts |
Generic description: Data table ranking the top 20 destination dest_port values by ALERT event count. Security use case examples: Identifies the most active destination dest_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20Signatures |
Generic description: Data table ranking the top 20 top alert.signature values by ALERT event count. Security use case examples: Identifies the most active top alert.signature values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by ALERT event count. Security use case examples: Identifies the most active source src_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcPorts |
Generic description: Data table ranking the top 20 source src_port values by ALERT event count. Security use case examples: Identifies the most active source src_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP |
Generic description: Threat hunting data table for ALERT traffic focusing on dest_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP |
Generic description: Threat hunting data table for ALERT traffic focusing on src_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
Dashboard: SN-ALERTS-CVE¶
Security use case examples: IDS/IPS alert data for detecting active threats, exploit attempts, policy violations, and known malware signatures across all monitored network protocols.
Network use case examples: Alert volume trending, detection rule coverage baselining, top alert category distribution monitoring, and sensor performance capacity planning.
SN-ALERTS-CVE Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Alert-ByExtraInfoType |
Generic description: Bar chart showing ALERT event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALERT traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALERT event volumes across timestamp, app_proto categories. |
|
event_type:alert |
SN-Alert-ByHttpMethod |
Generic description: Donut chart showing the proportional distribution of ALERT events by http.http_method. Security use case examples: Highlights dominant http.http_method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-BySmtpHello |
Generic description: Donut chart showing the proportional distribution of ALERT events by smtp.helo. Security use case examples: Highlights dominant smtp.helo values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsIssuerdn |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.issuerdn. Security use case examples: Highlights dominant tls.issuerdn values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsSni |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByVLANIDTop20 |
Generic description: Data table ranking the top 20 top vlan values by ALERT event count. Security use case examples: Identifies the most active top vlan values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Count |
Generic description: Single-value metric displaying the total count of ALERT events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for ALERT event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate ALERT event counts. |
event_type:alert |
event_type:alert |
SN-Alert-GeoMap |
Generic description: Geographic heatmap displaying ALERT traffic density by geographic location using geoip.location. Security use case examples: Reveals connections to high-risk geographies, unexpected international flows, and geo-based policy violations potentially indicative of exfiltration. Network use case examples: Provides geographic traffic visibility for data sovereignty compliance, CDN optimization, and international bandwidth capacity planning. |
|
event_type:alert |
SN-Alert-Proto |
Generic description: Donut chart showing the proportional distribution of ALERT events by proto. Security use case examples: Highlights dominant proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-Top20DstIP |
Generic description: Data table ranking the top 20 destination dest_ip values by ALERT event count. Security use case examples: Identifies the most active destination dest_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20DstPorts |
Generic description: Data table ranking the top 20 destination dest_port values by ALERT event count. Security use case examples: Identifies the most active destination dest_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20Signatures |
Generic description: Data table ranking the top 20 top alert.signature values by ALERT event count. Security use case examples: Identifies the most active top alert.signature values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by ALERT event count. Security use case examples: Identifies the most active source src_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcPorts |
Generic description: Data table ranking the top 20 source src_port values by ALERT event count. Security use case examples: Identifies the most active source src_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP |
Generic description: Threat hunting data table for ALERT traffic focusing on dest_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP |
Generic description: Threat hunting data table for ALERT traffic focusing on src_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
Dashboard: SN-ALERTS-EXE-HUNT-1¶
Security use case examples: IDS/IPS alert data for detecting active threats, exploit attempts, policy violations, and known malware signatures across all monitored network protocols.
Network use case examples: Alert volume trending, detection rule coverage baselining, top alert category distribution monitoring, and sensor performance capacity planning.
SN-ALERTS-EXE-HUNT-1 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-ALERTS-AlertedFlows-UniqueFlowbits |
Generic description: Data table aggregating ALERT events by metadata.flowbits, flow_id, ranked by event count. Security use case examples: Facilitates identification of top metadata.flowbits, flow_id values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-ALERTS-AlertedFlows-UniqueSignatures |
Generic description: Data table aggregating ALERT events by alert.signature, flow_id, ranked by event count. Security use case examples: Facilitates identification of top alert.signature, flow_id values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-ALERTS-HTTP-Hosts-ContentSize |
Generic description: Data table aggregating ALERT events by http.hostname, http.length, ranked by event count. Security use case examples: Facilitates identification of top http.hostname, http.length values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-ALERTS-HTTP-LowNoise |
Generic description: Data table aggregating ALERT events by hostname_info.domain, ranked by event count. Security use case examples: Facilitates identification of top hostname_info.domain values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
Dashboard: SN-ALERTS-PHISHING¶
Security use case examples: IDS/IPS alert data for detecting active threats, exploit attempts, policy violations, and known malware signatures across all monitored network protocols.
Network use case examples: Alert volume trending, detection rule coverage baselining, top alert category distribution monitoring, and sensor performance capacity planning.
SN-ALERTS-PHISHING Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Alert-ByExtraInfoType |
Generic description: Bar chart showing ALERT event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALERT traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALERT event volumes across timestamp, app_proto categories. |
|
event_type:alert |
SN-Alert-ByHttpMethod |
Generic description: Donut chart showing the proportional distribution of ALERT events by http.http_method. Security use case examples: Highlights dominant http.http_method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-BySmtpHello |
Generic description: Donut chart showing the proportional distribution of ALERT events by smtp.helo. Security use case examples: Highlights dominant smtp.helo values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsIssuerdn |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.issuerdn. Security use case examples: Highlights dominant tls.issuerdn values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByTlsSni |
Generic description: Donut chart showing the proportional distribution of ALERT events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-ByVLANIDTop20 |
Generic description: Data table ranking the top 20 top vlan values by ALERT event count. Security use case examples: Identifies the most active top vlan values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Count |
Generic description: Single-value metric displaying the total count of ALERT events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for ALERT event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate ALERT event counts. |
event_type:alert |
event_type:alert |
SN-Alert-GeoMap |
Generic description: Geographic heatmap displaying ALERT traffic density by geographic location using geoip.location. Security use case examples: Reveals connections to high-risk geographies, unexpected international flows, and geo-based policy violations potentially indicative of exfiltration. Network use case examples: Provides geographic traffic visibility for data sovereignty compliance, CDN optimization, and international bandwidth capacity planning. |
|
event_type:alert |
SN-Alert-Proto |
Generic description: Donut chart showing the proportional distribution of ALERT events by proto. Security use case examples: Highlights dominant proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:alert |
SN-Alert-Top20DstIP |
Generic description: Data table ranking the top 20 destination dest_ip values by ALERT event count. Security use case examples: Identifies the most active destination dest_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20DstPorts |
Generic description: Data table ranking the top 20 destination dest_port values by ALERT event count. Security use case examples: Identifies the most active destination dest_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top destination contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20Signatures |
Generic description: Data table ranking the top 20 top alert.signature values by ALERT event count. Security use case examples: Identifies the most active top alert.signature values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by ALERT event count. Security use case examples: Identifies the most active source src_ip values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-Alert-Top20SrcPorts |
Generic description: Data table ranking the top 20 source src_port values by ALERT event count. Security use case examples: Identifies the most active source src_port values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to ALERT traffic volume. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP |
Generic description: Threat hunting data table for ALERT traffic focusing on dest_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP |
Generic description: Threat hunting data table for ALERT traffic focusing on src_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
Dashboard: SN-ALL¶
Security use case examples: The SN-ALL dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-ALL dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-ALL Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Alert-ByExtraInfoType |
Generic description: Bar chart showing ALERT event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALERT traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALERT event volumes across timestamp, app_proto categories. |
|
event_type:alert |
SN-Alert-Count |
Generic description: Single-value metric displaying the total count of ALERT events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for ALERT event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate ALERT event counts. |
event_type:alert |
event_type:alert |
SN-Alert-Top20Signatures |
Generic description: Data table ranking the top 20 top alert.signature values by ALERT event count. Security use case examples: Identifies the most active top alert.signature values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-DNS-DnsOverTime |
Generic description: Line chart plotting DNS event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in DNS activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing DNS traffic trends over time for infrastructure sizing decisions. |
|
event_type:dns |
SN-EventTypeOverTimeAll |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-FILE-EventsOverTime |
Generic description: Time-series bar chart showing FILEINFO event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in FILEINFO events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing FILEINFO event volume trends and periodic patterns over time. |
List of FILEINFO events |
event_type:fileinfo |
SN-Proto-app_proto |
Generic description: Donut chart showing the proportional distribution of ALL events by proto, app_proto. Security use case examples: Highlights dominant proto, app_proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:all |
SN-SMTP-SmtpOverTime |
Generic description: Line chart plotting SMTP event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in SMTP activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing SMTP traffic trends over time for infrastructure sizing decisions. |
|
event_type:smtp |
SN-SSH-EventsOverTime |
Generic description: Time-series bar chart showing SSH event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SSH events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SSH event volume trends and periodic patterns over time. |
List of SSH events |
event_type:ssh |
SN-TLS-EventsOverTime |
Generic description: Time-series bar chart showing TLS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in TLS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing TLS event volume trends and periodic patterns over time. |
List of TLS events |
event_type:tls |
SN-ALL-EventsList (search) |
Generic description: Saved search table displaying raw ALL events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALL events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALL traffic patterns. |
List of ALL events |
event_type:all |
Dashboard: SN-ANOMALY¶
Security use case examples: Protocol anomaly events for detecting protocol violations, malformed packets, and traffic patterns indicative of evasion techniques or exploitation attempts.
Network use case examples: Protocol anomaly rate baselining, malformed packet volume tracking, anomaly distribution across probes, and network health monitoring.
SN-ANOMALY Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-ANOMALY-ByVlan |
Generic description: Donut chart showing the proportional distribution of ANOMALY events by vlan. Security use case examples: Highlights dominant vlan values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:anomaly |
SN-ANOMALY-Code |
Generic description: Donut chart showing the proportional distribution of ANOMALY events by anomaly.code. Security use case examples: Highlights dominant anomaly.code values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:anomaly |
SN-ANOMALY-EventsOverTimeByAppProto |
Generic description: Time-series bar chart showing ANOMALY event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in ANOMALY events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing ANOMALY event volume trends and periodic patterns over time. |
List of ANOMALY events |
event_type:anomaly |
SN-ANOMALY-EventType |
Generic description: Donut chart showing the proportional distribution of ANOMALY events by anomaly.event. Security use case examples: Highlights dominant anomaly.event values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:anomaly |
SN-ANOMALY-Layer |
Generic description: Donut chart showing the proportional distribution of ANOMALY events by anomaly.layer. Security use case examples: Highlights dominant anomaly.layer values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:anomaly |
SN-ANOMALY-Top100-DestIP |
Generic description: Data table aggregating ANOMALY events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ANOMALY events by key observable fields. |
|
event_type:anomaly |
SN-ANOMALY-Top100-DestPort |
Generic description: Data table aggregating ANOMALY events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ANOMALY events by key observable fields. |
|
event_type:anomaly |
SN-ANOMALY-Top100-SrcIP |
Generic description: Data table aggregating ANOMALY events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ANOMALY events by key observable fields. |
|
event_type:anomaly |
SN-ANOMALY-Top100-SrcPort |
Generic description: Data table aggregating ANOMALY events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ANOMALY events by key observable fields. |
|
event_type:anomaly |
SN-ANOMALY-TotalCount |
Generic description: Single-value metric display showing the total count of ANOMALY events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing ANOMALY event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of ANOMALY traffic volume for capacity planning and operational health spot-checks. |
event_type:anomaly |
event_type:anomaly |
SN-ANOMALY-Type |
Generic description: Donut chart showing the proportional distribution of ANOMALY events by anomaly.type. Security use case examples: Highlights dominant anomaly.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:anomaly |
SN-ANOMALY-EventsList (search) |
Generic description: Saved search showing ANOMALY event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing ANOMALY traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for ANOMALY traffic baselining, capacity planning, and operational health monitoring. |
List of ANOMALY events |
event_type:anomaly |
Dashboard: SN-BEACONING-TLS¶
Security use case examples: TLS/SSL traffic analysis for detecting expired or self-signed certificates, weak cipher suites, JA3 fingerprint-based malware identification, and encrypted C2 channel detection.
Network use case examples: TLS version adoption monitoring, certificate inventory management, cipher suite compliance baselining, and encrypted traffic volume capacity planning.
SN-BEACONING-TLS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Beaconing-Flow-TLS-Enriched-Timeline |
Generic description: Bar chart showing FLOW event counts grouped by timestamp, tls.ja3s.hash. Security use case examples: Highlights high-volume timestamp, tls.ja3s.hash categories in FLOW traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing FLOW event volumes across timestamp, tls.ja3s.hash categories. |
|
event_type:flow |
SN-Beaconing-ServerHash |
Generic description: Data table aggregating ALL events by tls.ja3s.hash, beacon_report.beacon_metric, tls.sni, beacon_report.assets, beacon_report.first_seen, beacon_report.last_seen, ranked by event count. Security use case examples: Facilitates identification of top tls.ja3s.hash, beacon_report.beacon_metric, tls.sni, beacon_report.assets, beacon_report.first_seen, beacon_report.last_seen values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALL events by key observable fields. |
|
event_type:all |
SN-Beaconing-ServingIP |
Generic description: Data table aggregating ALL events by dest_ip, beacon_report.beacon_metric, tls.sni, beacon_report.assets, beacon_report.first_seen, beacon_report.last_seen, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, beacon_report.beacon_metric, tls.sni, beacon_report.assets, beacon_report.first_seen, beacon_report.last_seen values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALL events by key observable fields. |
|
event_type:all |
SN-Flow-Beaconing-BytesToClient |
Generic description: Bar chart showing FLOW event counts grouped by flow.bytes_toclient, timestamp, src_ip. Security use case examples: Highlights high-volume flow.bytes_toclient, timestamp, src_ip categories in FLOW traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing FLOW event volumes across flow.bytes_toclient, timestamp, src_ip categories. |
|
event_type:flow |
SN-Flow-Beaconing-BytesToServer |
Generic description: Bar chart showing FLOW event counts grouped by flow.bytes_toserver, timestamp, src_ip. Security use case examples: Highlights high-volume flow.bytes_toserver, timestamp, src_ip categories in FLOW traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing FLOW event volumes across flow.bytes_toserver, timestamp, src_ip categories. |
|
event_type:flow |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-DCERPC¶
Security use case examples: DCE/RPC traffic analysis for detecting lateral movement, remote code execution via RPC services, and Windows Active Directory exploitation patterns.
Network use case examples: DCE/RPC call volume baselining, top RPC operation tracking, Windows service usage monitoring, and Active Directory infrastructure sizing.
SN-DCERPC Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DCERPC-EventsOverTime |
Generic description: Time-series bar chart showing DCERPC event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in DCERPC events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing DCERPC event volume trends and periodic patterns over time. |
List of DCERPC events |
event_type:dcerpc |
SN-DCERPC-OpNum |
Generic description: Data table aggregating DCERPC events by dcerpc.req.opnum, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.req.opnum values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-Request |
Generic description: Data table aggregating DCERPC events by dcerpc.request, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.request values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-Response |
Generic description: Data table aggregating DCERPC events by dcerpc.response, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.response values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by DCERPC event count. Security use case examples: Identifies the most active top dest_ip values in DCERPC traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DCERPC traffic volume. |
|
event_type:dcerpc |
SN-DCERPC-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by DCERPC event count. Security use case examples: Identifies the most active top dest_port values in DCERPC traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DCERPC traffic volume. |
|
event_type:dcerpc |
SN-DCERPC-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by DCERPC event count. Security use case examples: Identifies the most active source src_ip values in DCERPC traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DCERPC traffic volume. |
|
event_type:dcerpc |
SN-DCERPC-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by DCERPC event count. Security use case examples: Identifies the most active source src_port values in DCERPC traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DCERPC traffic volume. |
|
event_type:dcerpc |
SN-DCERPC-Total |
Generic description: Single-value metric display showing the total count of DCERPC events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing DCERPC event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of DCERPC traffic volume for capacity planning and operational health spot-checks. |
event_type:dcerpc |
event_type:dcerpc |
SN-DCERPC-UUID |
Generic description: Data table aggregating DCERPC events by dcerpc.interfaces.uuid, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.interfaces.uuid values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-EventsList (search) |
Generic description: Saved search showing DCERPC event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing DCERPC traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for DCERPC traffic baselining, capacity planning, and operational health monitoring. |
List of DCERPC events |
event_type:dcerpc |
Dashboard: SN-DHCP¶
Security use case examples: The SN-DHCP dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-DHCP dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-DHCP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DHCP-Detailed-Type |
Generic description: Donut chart showing the proportional distribution of DHCP events by dhcp.dhcp_type. Security use case examples: Highlights dominant dhcp.dhcp_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dhcp |
SN-DHCP-EventsOverTime |
Generic description: Time-series bar chart showing DHCP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in DHCP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing DHCP event volume trends and periodic patterns over time. |
List of DHCP events |
event_type:dhcp |
SN-DHCP-Releays |
Generic description: Donut chart showing the proportional distribution of DHCP events by dhcp.relay_ip. Security use case examples: Highlights dominant dhcp.relay_ip values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dhcp |
SN-DHCP-Routers-Servers |
Generic description: Donut chart showing the proportional distribution of DHCP events by dhcp.routers. Security use case examples: Highlights dominant dhcp.routers values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dhcp |
SN-DHCP-SubnetMasks-Served |
Generic description: Donut chart showing the proportional distribution of DHCP events by dhcp.subnet_mask. Security use case examples: Highlights dominant dhcp.subnet_mask values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dhcp |
SN-DHCP-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by DHCP event count. Security use case examples: Identifies the most active top dest_ip values in DHCP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DHCP traffic volume. |
|
event_type:dhcp |
SN-DHCP-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by DHCP event count. Security use case examples: Identifies the most active top dest_port values in DHCP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DHCP traffic volume. |
|
event_type:dhcp |
SN-DHCP-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by DHCP event count. Security use case examples: Identifies the most active source src_ip values in DHCP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DHCP traffic volume. |
|
event_type:dhcp |
SN-DHCP-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by DHCP event count. Security use case examples: Identifies the most active source src_port values in DHCP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DHCP traffic volume. |
|
event_type:dhcp |
SN-DHCP-Total |
Generic description: Single-value metric display showing the total count of DHCP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing DHCP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of DHCP traffic volume for capacity planning and operational health spot-checks. |
event_type:dhcp |
event_type:dhcp |
SN-DHCP-Type |
Generic description: Donut chart showing the proportional distribution of DHCP events by dhcp.type. Security use case examples: Highlights dominant dhcp.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dhcp |
SN-DHCP-EventsList (search) |
Generic description: Saved search showing DHCP event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing DHCP traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for DHCP traffic baselining, capacity planning, and operational health monitoring. |
List of DHCP events |
event_type:dhcp |
Dashboard: SN-DNP3¶
Security use case examples: DNP3 industrial protocol traffic analysis for detecting unauthorized SCADA access, abnormal DNP3 function code usage, and OT network attacks.
Network use case examples: DNP3 transaction volume baselining, top master and outstation pair tracking, function code distribution monitoring, and SCADA infrastructure capacity planning.
SN-DNP3 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DNP3-ByDestIP |
Generic description: Data table aggregating DNP3 events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNP3 events by key observable fields. |
|
event_type:dnp3 |
SN-DNP3-ByDestPort |
Generic description: Data table aggregating DNP3 events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNP3 events by key observable fields. |
|
event_type:dnp3 |
SN-DNP3-ByDst |
Generic description: Donut chart showing the proportional distribution of DNP3 events by dnp3.dst. Security use case examples: Highlights dominant dnp3.dst values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dnp3 |
SN-DNP3-ByIndicators |
Generic description: Donut chart showing the proportional distribution of DNP3 events by dnp3.iin.indicators. Security use case examples: Highlights dominant dnp3.iin.indicators values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dnp3 |
SN-DNP3-BySrc |
Generic description: Donut chart showing the proportional distribution of DNP3 events by dnp3.src. Security use case examples: Highlights dominant dnp3.src values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dnp3 |
SN-DNP3-BySrcIP |
Generic description: Data table aggregating DNP3 events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNP3 events by key observable fields. |
|
event_type:dnp3 |
SN-DNP3-BySrcPort |
Generic description: Data table aggregating DNP3 events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNP3 events by key observable fields. |
|
event_type:dnp3 |
SN-DNP3-ByType |
Generic description: Donut chart showing the proportional distribution of DNP3 events by dnp3.type. Security use case examples: Highlights dominant dnp3.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dnp3 |
SN-DNP3-Count |
Generic description: Single-value metric displaying the total count of DNP3 events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for DNP3 event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate DNP3 event counts. |
event_type:dnp3 |
event_type:dnp3 |
SN-DNP3-EventsList (search) |
Generic description: Saved search showing DNP3 event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing DNP3 traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for DNP3 traffic baselining, capacity planning, and operational health monitoring. |
List of DNP3 events |
event_type:dnp3 |
Dashboard: SN-DNS¶
Security use case examples: DNS traffic analysis for detecting DNS tunneling, DGA-based C2 beaconing, data exfiltration via DNS queries, and fast-flux infrastructure used by botnets.
Network use case examples: DNS query volume baselining, top queried domain tracking, resolver performance monitoring, and DNS infrastructure capacity planning.
SN-DNS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DNS-ByProto |
Generic description: Donut chart showing the proportional distribution of DNS events by proto. Security use case examples: Highlights dominant proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-ByTTL |
Generic description: Data table aggregating DNS events by dns.authorities.ttl, ranked by event count. Security use case examples: Facilitates identification of top dns.authorities.ttl values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNS events by key observable fields. |
|
event_type:dns |
SN-DNS-DnsOverTime |
Generic description: Line chart plotting DNS event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in DNS activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing DNS traffic trends over time for infrastructure sizing decisions. |
|
event_type:dns |
SN-DNS-Flags |
Generic description: Data table aggregating DNS events by dns.flags, ranked by event count. Security use case examples: Facilitates identification of top dns.flags values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNS events by key observable fields. |
|
event_type:dns |
SN-DNS-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of DNS traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:dns |
SN-DNS-Rcode |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rcode. Security use case examples: Highlights dominant dns.rcode values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrtype |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrtype. Security use case examples: Highlights dominant dns.rrtype values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by DNS event count. Security use case examples: Identifies the most active top dest_ip values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by DNS event count. Security use case examples: Identifies the most active top dest_port values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by DNS event count. Security use case examples: Identifies the most active source src_ip values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by DNS event count. Security use case examples: Identifies the most active source src_port values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Total |
Generic description: Single-value metric display showing the total count of DNS events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing DNS event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of DNS traffic volume for capacity planning and operational health spot-checks. |
event_type:dns |
event_type:dns |
SN-DNS-Type |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.type. Security use case examples: Highlights dominant dns.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-ThreatHunt-DNS-Tunnel |
Generic description: Threat hunting data table for DNS traffic focusing on hostname_info.subdomain, hostname_info.domain, host aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious DNS behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual DNS traffic patterns for policy review and baseline validation. |
|
event_type:dns |
SN-DNS-EventsList (search) |
Generic description: Saved search table displaying raw DNS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual DNS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing DNS traffic patterns. |
List of DNS events |
event_type:dns |
Dashboard: SN-DNS-HUNT-Tunnel¶
Security use case examples: DNS traffic analysis for detecting DNS tunneling, DGA-based C2 beaconing, data exfiltration via DNS queries, and fast-flux infrastructure used by botnets.
Network use case examples: DNS query volume baselining, top queried domain tracking, resolver performance monitoring, and DNS infrastructure capacity planning.
SN-DNS-HUNT-Tunnel Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DNS-ByProto |
Generic description: Donut chart showing the proportional distribution of DNS events by proto. Security use case examples: Highlights dominant proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-ByTTL |
Generic description: Data table aggregating DNS events by dns.authorities.ttl, ranked by event count. Security use case examples: Facilitates identification of top dns.authorities.ttl values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNS events by key observable fields. |
|
event_type:dns |
SN-DNS-DnsOverTime |
Generic description: Line chart plotting DNS event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in DNS activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing DNS traffic trends over time for infrastructure sizing decisions. |
|
event_type:dns |
SN-DNS-Flags |
Generic description: Data table aggregating DNS events by dns.flags, ranked by event count. Security use case examples: Facilitates identification of top dns.flags values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNS events by key observable fields. |
|
event_type:dns |
SN-DNS-Rcode |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rcode. Security use case examples: Highlights dominant dns.rcode values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrtype |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrtype. Security use case examples: Highlights dominant dns.rrtype values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by DNS event count. Security use case examples: Identifies the most active top dest_ip values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by DNS event count. Security use case examples: Identifies the most active top dest_port values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by DNS event count. Security use case examples: Identifies the most active source src_ip values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by DNS event count. Security use case examples: Identifies the most active source src_port values in DNS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to DNS traffic volume. |
|
event_type:dns |
SN-DNS-Total |
Generic description: Single-value metric display showing the total count of DNS events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing DNS event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of DNS traffic volume for capacity planning and operational health spot-checks. |
event_type:dns |
event_type:dns |
SN-DNS-TransactionsPerFlow |
Generic description: Data table aggregating DNS events by dns.tx_id, flow_id, src_ip, ranked by event count. Security use case examples: Facilitates identification of top dns.tx_id, flow_id, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DNS events by key observable fields. |
|
event_type:dns |
SN-DNS-Type |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.type. Security use case examples: Highlights dominant dns.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-ThreatHunt-DNS-Tunnel |
Generic description: Threat hunting data table for DNS traffic focusing on hostname_info.subdomain, hostname_info.domain, host aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious DNS behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual DNS traffic patterns for policy review and baseline validation. |
|
event_type:dns |
SN-DNS-EventsList (search) |
Generic description: Saved search table displaying raw DNS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual DNS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing DNS traffic patterns. |
List of DNS events |
event_type:dns |
Dashboard: SN-FILE-Transactions¶
Security use case examples: File transaction events for detecting malware delivery, unauthorized file transfers, and data exfiltration through file-carrying network protocols.
Network use case examples: File transfer volume baselining, file type inventory tracking, bandwidth monitoring for file protocols, and storage infrastructure capacity planning.
SN-FILE-Transactions Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-FILE-ByAppProto |
Generic description: Donut chart showing the proportional distribution of FILEINFO events by app_proto. Security use case examples: Highlights dominant app_proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:fileinfo |
SN-FILE-ByHTTPByHostnameServed |
Generic description: Donut chart showing the proportional distribution of FILEINFO events by http.hostname. Security use case examples: Highlights dominant http.hostname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:fileinfo |
SN-FILE-ByTypeOverTime |
Generic description: Visualization panel showing FILEINFO event data aggregated by timestamp, fileinfo.type. Security use case examples: Supports security monitoring by surfacing FILEINFO traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for FILEINFO traffic baselining, capacity planning, and operational health monitoring. |
|
event_type:fileinfo |
SN-FILE-GeoIPPDFAndExecutables |
Generic description: Geographic heatmap displaying the origin and destination geography of FILEINFO traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:fileinfo |
SN-FILE-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by FILEINFO event count. Security use case examples: Identifies the most active top dest_ip values in FILEINFO traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to FILEINFO traffic volume. |
|
event_type:fileinfo |
SN-FILE-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by FILEINFO event count. Security use case examples: Identifies the most active top dest_port values in FILEINFO traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to FILEINFO traffic volume. |
|
event_type:fileinfo |
SN-FILE-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by FILEINFO event count. Security use case examples: Identifies the most active source src_ip values in FILEINFO traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to FILEINFO traffic volume. |
|
event_type:fileinfo |
SN-FILE-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by FILEINFO event count. Security use case examples: Identifies the most active source src_port values in FILEINFO traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to FILEINFO traffic volume. |
|
event_type:fileinfo |
SN-FILE-Total |
Generic description: Single-value metric display showing the total count of FILEINFO events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing FILEINFO event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of FILEINFO traffic volume for capacity planning and operational health spot-checks. |
event_type:fileinfo |
event_type:fileinfo |
SN-FILE-Transactions-ByFileSize-Breakdown-1 |
Generic description: Data table aggregating FILEINFO events by app_proto, fileinfo.size, ranked by event count. Security use case examples: Facilitates identification of top app_proto, fileinfo.size values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FILEINFO events by key observable fields. |
|
event_type:fileinfo |
SN-FILE-EventsList (search) |
Generic description: Saved search table displaying raw FILEINFO events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FILEINFO events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FILEINFO traffic patterns. |
List of FILE events |
event_type:fileinfo |
Dashboard: SN-FLOW¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-DCERPC¶
Security use case examples: DCE/RPC traffic analysis for detecting lateral movement, remote code execution via RPC services, and Windows Active Directory exploitation patterns.
Network use case examples: DCE/RPC call volume baselining, top RPC operation tracking, Windows service usage monitoring, and Active Directory infrastructure sizing.
SN-FLOW-DCERPC Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-DHCP¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-DHCP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-DNP3¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-DNP3 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-DNS¶
Security use case examples: DNS traffic analysis for detecting DNS tunneling, DGA-based C2 beaconing, data exfiltration via DNS queries, and fast-flux infrastructure used by botnets.
Network use case examples: DNS query volume baselining, top queried domain tracking, resolver performance monitoring, and DNS infrastructure capacity planning.
SN-FLOW-DNS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-ENIP¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-ENIP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-FTP¶
Security use case examples: FTP traffic analysis for detecting unauthorized data transfers, credential exposure in plaintext sessions, malware staging via anonymous FTP, and exfiltration.
Network use case examples: FTP transfer volume baselining, top file transfer endpoint tracking, storage bandwidth monitoring, and FTP server capacity planning.
SN-FLOW-FTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-FTP-DATA¶
Security use case examples: FTP traffic analysis for detecting unauthorized data transfers, credential exposure in plaintext sessions, malware staging via anonymous FTP, and exfiltration.
Network use case examples: FTP transfer volume baselining, top file transfer endpoint tracking, storage bandwidth monitoring, and FTP server capacity planning.
SN-FLOW-FTP-DATA Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-HTTP¶
Security use case examples: HTTP traffic analysis for detecting web-based attacks including SQL injection, XSS, directory traversal, malware downloads, and C2 communication over HTTP.
Network use case examples: Web server traffic baselining, top URI and user agent tracking, HTTP error rate monitoring, and web application performance capacity planning.
SN-FLOW-HTTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-HTTP2¶
Security use case examples: HTTP traffic analysis for detecting web-based attacks including SQL injection, XSS, directory traversal, malware downloads, and C2 communication over HTTP.
Network use case examples: Web server traffic baselining, top URI and user agent tracking, HTTP error rate monitoring, and web application performance capacity planning.
SN-FLOW-HTTP2 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-HUNT-DNS-EXFIL¶
Security use case examples: DNS traffic analysis for detecting DNS tunneling, DGA-based C2 beaconing, data exfiltration via DNS queries, and fast-flux infrastructure used by botnets.
Network use case examples: DNS query volume baselining, top queried domain tracking, resolver performance monitoring, and DNS infrastructure capacity planning.
SN-FLOW-HUNT-DNS-EXFIL Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DNS-Exfil-Hunt-1 |
Generic description: Threat hunting data table for FLOW traffic focusing on flow.age, flow.bytes_toclient, flow_id aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious FLOW behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual FLOW traffic patterns for policy review and baseline validation. |
|
event_type:flow |
SN-FLOW-DNS-Exfil-Hunt-2 |
Generic description: Threat hunting data table for FLOW traffic focusing on flow.bytes_toclient, flow_id aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious FLOW behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual FLOW traffic patterns for policy review and baseline validation. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-HUNT-ICMP-Possible-EXFIL¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-HUNT-ICMP-Possible-EXFIL Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-FLOW-Count |
Generic description: Single-value metric displaying the total count of FLOW events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for FLOW event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate FLOW event counts. |
event_type:flow |
event_type:flow |
SN-FLOW-ICMP-Exfil-Hunt-1 |
Generic description: Threat hunting data table for FLOW traffic focusing on flow.age, flow.bytes_toclient, flow_id aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious FLOW behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual FLOW traffic patterns for policy review and baseline validation. |
|
event_type:flow |
SN-FLOW-ICMP-UnequalClientServerSize-Hunt-1 |
Generic description: Threat hunting data table for FLOW traffic focusing on flow.age, flow.bytes_toclient, flow.bytes_toserver, flow_id aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious FLOW behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual FLOW traffic patterns for policy review and baseline validation. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-IKE¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-IKE Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-KRB5¶
Security use case examples: Kerberos authentication traffic analysis for detecting Kerberoasting, AS-REP roasting, golden ticket attacks, and anomalous ticket request patterns.
Network use case examples: Kerberos ticket request volume baselining, KDC load distribution monitoring, realm usage tracking, and Active Directory authentication infrastructure sizing.
SN-FLOW-KRB5 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-MODBUS¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-MODBUS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-MQTT¶
Security use case examples: MQTT IoT messaging traffic analysis for detecting unauthorized broker access, topic enumeration, IoT device compromise, and MQTT-based lateral movement.
Network use case examples: MQTT topic and message volume baselining, top publisher and subscriber tracking, broker load monitoring, and IoT infrastructure capacity planning.
SN-FLOW-MQTT Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-NFS¶
Security use case examples: NFS traffic analysis for detecting unauthorized file system access, data exfiltration via NFS mounts, and privilege escalation through NFS misconfigurations.
Network use case examples: NFS mount and access volume baselining, top client and server pair tracking, storage I/O monitoring, and NAS infrastructure capacity planning.
SN-FLOW-NFS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-NTP¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-NTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-RFB¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-RFB Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SIEMENS-S7¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-SIEMENS-S7 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SIP¶
Security use case examples: SIP VoIP signaling traffic analysis for detecting SIP scanning, toll fraud, VoIP service abuse, and unauthorized call routing modifications.
Network use case examples: SIP call setup volume baselining, top call endpoint tracking, VoIP infrastructure load monitoring, and telephony capacity planning.
SN-FLOW-SIP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SIZE¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-SIZE Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SMB¶
Security use case examples: SMB file sharing traffic analysis for detecting lateral movement, ransomware propagation, pass-the-hash attacks, and unauthorized file share enumeration.
Network use case examples: SMB session volume baselining, file share usage pattern tracking, authentication traffic monitoring, and file server infrastructure capacity planning.
SN-FLOW-SMB Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SMTP¶
Security use case examples: SMTP email traffic analysis for detecting spam campaigns, phishing delivery, malware distribution via attachments, and email-based data exfiltration.
Network use case examples: Email volume baselining, top sender and recipient domain tracking, SMTP relay load monitoring, and mail infrastructure capacity planning.
SN-FLOW-SMTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SNMP¶
Security use case examples: SNMP traffic analysis for detecting community string brute force, unauthorized MIB walks, network device reconnaissance, and SNMP-based data exfiltration.
Network use case examples: SNMP query volume baselining, managed device inventory tracking, OID access pattern monitoring, and network management infrastructure sizing.
SN-FLOW-SNMP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-SSH¶
Security use case examples: SSH traffic analysis for detecting brute force attacks, credential stuffing, unauthorized remote access, and SSH tunnel-based data exfiltration.
Network use case examples: SSH connection volume baselining, top client and server pair tracking, session duration monitoring, and remote access infrastructure capacity planning.
SN-FLOW-SSH Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-TCP¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-TCP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-TELNET¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-TELNET Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-TFTP¶
Security use case examples: FTP traffic analysis for detecting unauthorized data transfers, credential exposure in plaintext sessions, malware staging via anonymous FTP, and exfiltration.
Network use case examples: FTP transfer volume baselining, top file transfer endpoint tracking, storage bandwidth monitoring, and FTP server capacity planning.
SN-FLOW-TFTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-TLS¶
Security use case examples: TLS/SSL traffic analysis for detecting expired or self-signed certificates, weak cipher suites, JA3 fingerprint-based malware identification, and encrypted C2 channel detection.
Network use case examples: TLS version adoption monitoring, certificate inventory management, cipher suite compliance baselining, and encrypted traffic volume capacity planning.
SN-FLOW-TLS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-FLOW-UDP¶
Security use case examples: Network flow data for detecting port scanning, lateral movement, data exfiltration, DDoS participation, and anomalous connection patterns across the network.
Network use case examples: Network traffic volume baselining, top talker identification, bandwidth utilization monitoring, and network infrastructure capacity planning.
SN-FLOW-UDP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-FLOW-AppProto-PerSrcIP |
Generic description: Data table aggregating FLOW events by app_proto, src_ip, ranked by event count. Security use case examples: Facilitates identification of top app_proto, src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-DestPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-SrcPort |
Generic description: Donut chart showing the proportional distribution of FLOW events by src_port. Security use case examples: Highlights dominant src_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-Flow-unique-count-of-src-and-dst-IP |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-Mean-flow-age-and-count |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
event_type:all |
event_type:all |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
Dashboard: SN-HTTP¶
Security use case examples: HTTP traffic analysis for detecting web-based attacks including SQL injection, XSS, directory traversal, malware downloads, and C2 communication over HTTP.
Network use case examples: Web server traffic baselining, top URI and user agent tracking, HTTP error rate monitoring, and web application performance capacity planning.
SN-HTTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-HTTP-AcceptEncoding |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.accept_encoding. Security use case examples: Highlights dominant http.accept_encoding values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-AcceptEncodingByConnection |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.accept_encoding, http.connection. Security use case examples: Highlights dominant http.accept_encoding, http.connection values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-CacheControl |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.cache_control. Security use case examples: Highlights dominant http.cache_control values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-ContentTypeByAplication |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.http_content_type. Security use case examples: Highlights dominant http.http_content_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-EventsOverTime |
Generic description: Time-series bar chart showing HTTP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in HTTP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing HTTP event volume trends and periodic patterns over time. |
List of HTTP events |
event_type:http |
SN-HTTP-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of HTTP traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:http |
SN-HTTP-methods |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.http_method. Security use case examples: Highlights dominant http.http_method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Servers |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.server. Security use case examples: Highlights dominant http.server values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-StatusCode |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.status. Security use case examples: Highlights dominant http.status values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-http-hostname-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.hostname aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-http-refer-url-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.http_refer_info.url aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-UserAgents-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.http_user_agent aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-Total |
Generic description: Single-value metric display showing the total count of HTTP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing HTTP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of HTTP traffic volume for capacity planning and operational health spot-checks. |
event_type:http |
event_type:http |
SN-HTTP-UserAgentDevices |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.device. Security use case examples: Highlights dominant http.user_agent.device values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentMajor |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.major. Security use case examples: Highlights dominant http.user_agent.major values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentName |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.name. Security use case examples: Highlights dominant http.user_agent.name values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentOS |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.os. Security use case examples: Highlights dominant http.user_agent.os values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentOSName |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.os_name. Security use case examples: Highlights dominant http.user_agent.os_name values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Vary |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.vary. Security use case examples: Highlights dominant http.vary values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP |
Generic description: Threat hunting data table for HTTP traffic focusing on http.length, http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP-2 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.content_length, http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-EventsList (search) |
Generic description: Saved search table displaying raw HTTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual HTTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing HTTP traffic patterns. |
List of HTTP events |
event_type:http |
Dashboard: SN-HTTP-HUNT¶
Security use case examples: HTTP traffic analysis for detecting web-based attacks including SQL injection, XSS, directory traversal, malware downloads, and C2 communication over HTTP.
Network use case examples: Web server traffic baselining, top URI and user agent tracking, HTTP error rate monitoring, and web application performance capacity planning.
SN-HTTP-HUNT Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
** SN-HTTP-ThreatHunting-STerms-http-url-1** |
Generic description: Threat hunting data table for HTTP traffic focusing on http.url aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
** SN-ThreatHunt-HTTP-PossibleC2Beacons-LowNoiseBySrcIP** |
Generic description: Threat hunting data table for HTTP traffic focusing on http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-AcceptEncoding |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.accept_encoding. Security use case examples: Highlights dominant http.accept_encoding values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-AcceptEncodingByConnection |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.accept_encoding, http.connection. Security use case examples: Highlights dominant http.accept_encoding, http.connection values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-CacheControl |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.cache_control. Security use case examples: Highlights dominant http.cache_control values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-ContentTypeByAplication |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.http_content_type. Security use case examples: Highlights dominant http.http_content_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-EventsOverTime |
Generic description: Time-series bar chart showing HTTP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in HTTP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing HTTP event volume trends and periodic patterns over time. |
List of HTTP events |
event_type:http |
SN-HTTP-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of HTTP traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:http |
SN-HTTP-methods |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.http_method. Security use case examples: Highlights dominant http.http_method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Servers |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.server. Security use case examples: Highlights dominant http.server values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-StatusCode |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.status. Security use case examples: Highlights dominant http.status values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-http-hostname-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.hostname aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-http-refer-url-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.http_refer_info.url aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-ThreatHunting-STerms-UserAgents-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.http_user_agent aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-ThreatHunting-Terms-UserAgents-1 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.http_user_agent aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-Total |
Generic description: Single-value metric display showing the total count of HTTP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing HTTP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of HTTP traffic volume for capacity planning and operational health spot-checks. |
event_type:http |
event_type:http |
SN-HTTP-UserAgentDevices |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.device. Security use case examples: Highlights dominant http.user_agent.device values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentMajor |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.major. Security use case examples: Highlights dominant http.user_agent.major values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentName |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.name. Security use case examples: Highlights dominant http.user_agent.name values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentOS |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.os. Security use case examples: Highlights dominant http.user_agent.os values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-UserAgentOSName |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.user_agent.os_name. Security use case examples: Highlights dominant http.user_agent.os_name values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Vary |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.vary. Security use case examples: Highlights dominant http.vary values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP |
Generic description: Threat hunting data table for HTTP traffic focusing on http.length, http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP-2 |
Generic description: Threat hunting data table for HTTP traffic focusing on http.content_length, http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-HTTP-EventsList (search) |
Generic description: Saved search table displaying raw HTTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual HTTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing HTTP traffic patterns. |
List of HTTP events |
event_type:http |
Dashboard: SN-HUNT-1¶
Security use case examples: The SN-HUNT-1 dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-HUNT-1 dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-HUNT-1 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Application-protocol |
Generic description: Bar chart showing ALL event counts grouped by timestamp, app_proto. Security use case examples: Highlights high-volume timestamp, app_proto categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across timestamp, app_proto categories. |
|
event_type:all |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-FILE-ByAppProto |
Generic description: Donut chart showing the proportional distribution of FILEINFO events by app_proto. Security use case examples: Highlights dominant app_proto values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:fileinfo |
SN-FILE-ByTypeOverTime |
Generic description: Visualization panel showing FILEINFO event data aggregated by timestamp, fileinfo.type. Security use case examples: Supports security monitoring by surfacing FILEINFO traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for FILEINFO traffic baselining, capacity planning, and operational health monitoring. |
|
event_type:fileinfo |
SN-HTTP-Servers |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.server. Security use case examples: Highlights dominant http.server values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Top-hostnames |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.hostname. Security use case examples: Highlights dominant http.hostname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Top-user-agents |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.http_user_agent. Security use case examples: Highlights dominant http.http_user_agent values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-SMB-NtlmsspHost |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.ntlmssp.host. Security use case examples: Highlights dominant smb.ntlmssp.host values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-NtlmsspUser |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.ntlmssp.user. Security use case examples: Highlights dominant smb.ntlmssp.user values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SSH-ByClientSoftwareVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.client.software_version. Security use case examples: Highlights dominant ssh.client.software_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-SSH-ByServerSoftwareVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.server.software_version. Security use case examples: Highlights dominant ssh.server.software_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP |
Generic description: Threat hunting data table for ALERT traffic focusing on dest_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP |
Generic description: Threat hunting data table for ALERT traffic focusing on src_ip, alert.signature aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious ALERT behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual ALERT traffic patterns for policy review and baseline validation. |
|
event_type:alert |
SN-ThreatHunt-DNS-Tunnel |
Generic description: Threat hunting data table for DNS traffic focusing on hostname_info.subdomain, hostname_info.domain, host aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious DNS behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual DNS traffic patterns for policy review and baseline validation. |
|
event_type:dns |
SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP |
Generic description: Threat hunting data table for HTTP traffic focusing on http.length, http.hostname, src_ip aggregations. Security use case examples: Provides targeted hunting capability to identify suspicious HTTP behavior patterns and indicators of compromise that evade signature-based detection. Network use case examples: Supports proactive network auditing by surfacing unusual HTTP traffic patterns for policy review and baseline validation. |
|
event_type:http |
SN-TLS-ByJa3Hash |
Generic description: Data table aggregating TLS events by src_ip, tls.ja3.hash, ranked by event count. Security use case examples: Facilitates identification of top src_ip, tls.ja3.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-ByJa3SHash |
Generic description: Data table aggregating TLS events by dest_ip, tls.ja3s.hash, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, tls.ja3s.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-BySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-TCP-ports |
Generic description: Donut chart showing the proportional distribution of TLS events by dest_port. Security use case examples: Highlights dominant dest_port values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-versions |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.version. Security use case examples: Highlights dominant tls.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-SMB-EventsList (search) |
Generic description: Saved search showing SMB event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SMB traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SMB traffic baselining, capacity planning, and operational health monitoring. |
List of SMB events |
event_type:smb |
SN-ALL-HUNTING-EventsList (search) |
Generic description: Saved search showing ALL event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing ALL traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for ALL traffic baselining, capacity planning, and operational health monitoring. |
List of ALL-HUNTING events |
event_type:all |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
SN-DNS-EventsList (search) |
Generic description: Saved search table displaying raw DNS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual DNS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing DNS traffic patterns. |
List of DNS events |
event_type:dns |
SN-FILE-EventsList (search) |
Generic description: Saved search table displaying raw FILEINFO events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FILEINFO events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FILEINFO traffic patterns. |
List of FILE events |
event_type:fileinfo |
SN-FLOW-EventsList (search) |
Generic description: Saved search table displaying raw FLOW events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual FLOW events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing FLOW traffic patterns. |
List of FLOW events |
event_type:flow |
SN-HTTP-EventsList (search) |
Generic description: Saved search table displaying raw HTTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual HTTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing HTTP traffic patterns. |
List of HTTP events |
event_type:http |
SN-TLS-EventsList (search) |
Generic description: Saved search table displaying raw TLS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual TLS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing TLS traffic patterns. |
List of TLS events |
event_type:tls |
Dashboard: SN-IDS¶
Security use case examples: The SN-IDS dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-IDS dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-IDS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Timelion-Alert-Category |
Generic description: Timelion time-series chart plotting alert.category metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:alert |
SN-Timelion-Alert-Country |
Generic description: Timelion time-series chart plotting alert.signature, geoip.country_name metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:all |
SN-Timelion-Alert-Severity |
Generic description: Timelion time-series chart plotting alert.severity metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:alert |
SN-Timelion-Protocols |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:all |
SN-Timelion-Signatures |
Generic description: Timelion time-series chart plotting alert.signature metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
Dashboard: SN-IKEv2¶
Security use case examples: IKEv2 VPN traffic analysis for detecting VPN credential brute force, anomalous IKE negotiation patterns, and unauthorized VPN tunnel establishment.
Network use case examples: VPN tunnel volume baselining, top VPN peer tracking, IKEv2 negotiation success rate monitoring, and VPN gateway capacity planning.
SN-IKEv2 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-IKEv2-EventsOverTime |
Generic description: Time-series bar chart showing IKEV2 event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in IKEV2 events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing IKEV2 event volume trends and periodic patterns over time. |
List of IKEV2 events |
event_type:ikev2 |
SN-IKEv2-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of IKEV2 traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:ikev2 |
SN-IKEv2-Role |
Generic description: Donut chart showing the proportional distribution of IKEV2 events by ikev2.role. Security use case examples: Highlights dominant ikev2.role values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ikev2 |
SN-IKEv2-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by IKEV2 event count. Security use case examples: Identifies the most active top dest_ip values in IKEV2 traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to IKEV2 traffic volume. |
|
event_type:ikev2 |
SN-IKEv2-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by IKEV2 event count. Security use case examples: Identifies the most active top dest_port values in IKEV2 traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to IKEV2 traffic volume. |
|
event_type:ikev2 |
SN-IKEv2-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by IKEV2 event count. Security use case examples: Identifies the most active source src_ip values in IKEV2 traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to IKEV2 traffic volume. |
|
event_type:ikev2 |
SN-IKEv2-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by IKEV2 event count. Security use case examples: Identifies the most active source src_port values in IKEV2 traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to IKEV2 traffic volume. |
|
event_type:ikev2 |
SN-IKEv2-Total |
Generic description: Single-value metric display showing the total count of IKEV2 events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing IKEV2 event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of IKEV2 traffic volume for capacity planning and operational health spot-checks. |
event_type:ikev2 |
event_type:ikev2 |
SN-IKEv2-VerMajMinor |
Generic description: Donut chart showing the proportional distribution of IKEV2 events by ikev2.version_major, ikev2.version_minor. Security use case examples: Highlights dominant ikev2.version_major, ikev2.version_minor values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ikev2 |
SN-IKEv2-EventsList (search) |
Generic description: Saved search showing IKEV2 event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing IKEV2 traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for IKEV2 traffic baselining, capacity planning, and operational health monitoring. |
List of IKEV2 events |
event_type:ikev2 |
Dashboard: SN-IoC-Search¶
Security use case examples: The SN-IoC-Search dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-IoC-Search dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-IoC-Search Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DNS-Rcode |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rcode. Security use case examples: Highlights dominant dns.rcode values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-DNS-Rrname |
Generic description: Donut chart showing the proportional distribution of DNS events by dns.rrname. Security use case examples: Highlights dominant dns.rrname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:dns |
SN-HTTP-status |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.status. Security use case examples: Highlights dominant http.status values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-HTTP-Top-hostnames |
Generic description: Donut chart showing the proportional distribution of HTTP events by http.hostname. Security use case examples: Highlights dominant http.hostname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:http |
SN-TLS-BySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-versions |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.version. Security use case examples: Highlights dominant tls.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-DNS-EventsList (search) |
Generic description: Saved search table displaying raw DNS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual DNS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing DNS traffic patterns. |
List of DNS events |
event_type:dns |
SN-HTTP-EventsList (search) |
Generic description: Saved search table displaying raw HTTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual HTTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing HTTP traffic patterns. |
List of HTTP events |
event_type:http |
SN-TLS-EventsList (search) |
Generic description: Saved search table displaying raw TLS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual TLS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing TLS traffic patterns. |
List of TLS events |
event_type:tls |
Dashboard: SN-KRB5¶
Security use case examples: Kerberos authentication traffic analysis for detecting Kerberoasting, AS-REP roasting, golden ticket attacks, and anomalous ticket request patterns.
Network use case examples: Kerberos ticket request volume baselining, KDC load distribution monitoring, realm usage tracking, and Active Directory authentication infrastructure sizing.
SN-KRB5 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-KRB5-ByCname |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.cname. Security use case examples: Highlights dominant krb5.cname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-ByDestIP |
Generic description: Data table aggregating KRB5 events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking KRB5 events by key observable fields. |
|
event_type:krb5 |
SN-KRB5-ByDestPort |
Generic description: Data table aggregating KRB5 events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking KRB5 events by key observable fields. |
|
event_type:krb5 |
SN-KRB5-ByEncryption |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.encryption. Security use case examples: Highlights dominant krb5.encryption values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-ByErrCode |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.error_code. Security use case examples: Highlights dominant krb5.error_code values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-ByFailedRequests |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.failed_request. Security use case examples: Highlights dominant krb5.failed_request values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-ByMsgType |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.msg_type. Security use case examples: Highlights dominant krb5.msg_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-ByRealm |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.realm. Security use case examples: Highlights dominant krb5.realm values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-BySname |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.sname. Security use case examples: Highlights dominant krb5.sname values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-BySrcIP |
Generic description: Data table aggregating KRB5 events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking KRB5 events by key observable fields. |
|
event_type:krb5 |
SN-KRB5-BySrcPort |
Generic description: Data table aggregating KRB5 events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking KRB5 events by key observable fields. |
|
event_type:krb5 |
SN-KRB5-ByWeakEncryption |
Generic description: Donut chart showing the proportional distribution of KRB5 events by krb5.weak_encryption. Security use case examples: Highlights dominant krb5.weak_encryption values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:krb5 |
SN-KRB5-EventsOverTime |
Generic description: Time-series bar chart showing KRB5 event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in KRB5 events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing KRB5 event volume trends and periodic patterns over time. |
List of KRB5 events |
event_type:krb5 |
SN-KRB5-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of KRB5 traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:krb5 |
SN-KRB5-TotalCount |
Generic description: Single-value metric display showing the total count of KRB5 events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing KRB5 event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of KRB5 traffic volume for capacity planning and operational health spot-checks. |
event_type:krb5 |
event_type:krb5 |
SN-KRB5-EventsList (search) |
Generic description: Saved search showing KRB5 event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing KRB5 traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for KRB5 traffic baselining, capacity planning, and operational health monitoring. |
List of KRB5 events |
event_type:krb5 |
Dashboard: SN-MQTT¶
Security use case examples: MQTT IoT messaging traffic analysis for detecting unauthorized broker access, topic enumeration, IoT device compromise, and MQTT-based lateral movement.
Network use case examples: MQTT topic and message volume baselining, top publisher and subscriber tracking, broker load monitoring, and IoT infrastructure capacity planning.
SN-MQTT Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-MQTT-ConnProtoString |
Generic description: Donut chart showing the proportional distribution of MQTT events by mqtt.connect.protocol_string. Security use case examples: Highlights dominant mqtt.connect.protocol_string values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:mqtt |
SN-MQTT-ConnProtoVersion |
Generic description: Donut chart showing the proportional distribution of MQTT events by mqtt.connect.protocol_version. Security use case examples: Highlights dominant mqtt.connect.protocol_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:mqtt |
SN-MQTT-ConnUsernames |
Generic description: Donut chart showing the proportional distribution of MQTT events by mqtt.connect.username. Security use case examples: Highlights dominant mqtt.connect.username values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:mqtt |
SN-MQTT-MqttOverTime |
Generic description: Bar chart showing MQTT event counts grouped by timestamp. Security use case examples: Highlights high-volume timestamp categories in MQTT traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing MQTT event volumes across timestamp categories. |
|
event_type:mqtt |
SN-MQTT-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by MQTT event count. Security use case examples: Identifies the most active top dest_ip values in MQTT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to MQTT traffic volume. |
|
event_type:mqtt |
SN-MQTT-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by MQTT event count. Security use case examples: Identifies the most active top dest_port values in MQTT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to MQTT traffic volume. |
|
event_type:mqtt |
SN-MQTT-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by MQTT event count. Security use case examples: Identifies the most active source src_ip values in MQTT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to MQTT traffic volume. |
|
event_type:mqtt |
SN-MQTT-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by MQTT event count. Security use case examples: Identifies the most active source src_port values in MQTT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to MQTT traffic volume. |
|
event_type:mqtt |
SN-MQTT-Total |
Generic description: Single-value metric display showing the total count of MQTT events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing MQTT event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of MQTT traffic volume for capacity planning and operational health spot-checks. |
event_type:mqtt |
event_type:mqtt |
SN-MQTT-EventsList (search) |
Generic description: Saved search showing MQTT event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing MQTT traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for MQTT traffic baselining, capacity planning, and operational health monitoring. |
List of MQTT events |
event_type:mqtt |
Dashboard: SN-Network-Overview¶
Security use case examples: The SN-Network-Overview dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-Network-Overview dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-Network-Overview Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
** SN-FLOW-Network-TopVolumeSUM-ClientsTalkersToServerPie** |
Generic description: Donut chart showing the proportional distribution of FLOW events by flow.bytes_toserver, dest_ip, src_ip. Security use case examples: Highlights dominant flow.bytes_toserver, dest_ip, src_ip values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
** SN-Timelion-Network-EmergencyModeEntered** |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
** SN-Timelion-Network-Mbps-Interface** |
Generic description: Timelion time-series chart plotting iface metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:ifacestats |
** SN-Timelion-Network-PPSvsDrops** |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
SN-FLOW-Network-TopVolumeSizeSingleFlow-DestIP |
Generic description: Data table aggregating FLOW events by dest_ip, flow.bytes_toclient, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, flow.bytes_toclient values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSizeSingleFlow-SrcIP |
Generic description: Data table aggregating FLOW events by src_ip, flow.bytes_toserver, ranked by event count. Security use case examples: Facilitates identification of top src_ip, flow.bytes_toserver values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ClientDownloads |
Generic description: Data table aggregating FLOW events by flow.bytes_toclient, src_ip, src_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toclient, src_ip, src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ClientUploaders |
Generic description: Data table aggregating FLOW events by flow.bytes_toserver, src_ip, src_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toserver, src_ip, src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ServerReceivingFromClients |
Generic description: Data table aggregating FLOW events by flow.bytes_toserver, dest_ip, dest_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toserver, dest_ip, dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ServerSendingToClients |
Generic description: Data table aggregating FLOW events by flow.bytes_toclient, dest_ip, dest_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toclient, dest_ip, dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-Timelion-Network-Flow-App_proto |
Generic description: Timelion time-series chart plotting app_proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:app_proto |
SN-Timelion-Network-ICMP |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:proto |
SN-Timelion-Network-IPv4/IPv6 |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
SN-Timelion-Network-MostUsed-dest_port |
Generic description: Timelion time-series chart plotting dest_port metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:flow |
SN-Timelion-Network-TCP/UDP-flows |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:proto |
SN-Timelion-S-slash-SA-slash-R |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
Dashboard: SN-Network-Overview-1¶
Security use case examples: The SN-Network-Overview-1 dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-Network-Overview-1 dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-Network-Overview-1 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
** SN-Timelion-Network-EmergencyModeEntered** |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
** SN-Timelion-Network-Mbps-Interface** |
Generic description: Timelion time-series chart plotting iface metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:ifacestats |
** SN-Timelion-Network-PPSvsDrops** |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
SN-Timelion-Network-Flow-App_proto |
Generic description: Timelion time-series chart plotting app_proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:app_proto |
SN-Timelion-Network-ICMP |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:proto |
SN-Timelion-Network-IPv4/IPv6 |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
SN-Timelion-Network-MostUsed-dest_port |
Generic description: Timelion time-series chart plotting dest_port metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:flow |
SN-Timelion-Network-TCP/UDP-flows |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:proto |
SN-Timelion-S-slash-SA-slash-R |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
Dashboard: SN-Network-Overview-2¶
Security use case examples: The SN-Network-Overview-2 dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-Network-Overview-2 dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-Network-Overview-2 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
** SN-FLOW-Network-TopVolumeSUM-ClientsTalkersToServerPie** |
Generic description: Donut chart showing the proportional distribution of FLOW events by flow.bytes_toserver, dest_ip, src_ip. Security use case examples: Highlights dominant flow.bytes_toserver, dest_ip, src_ip values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSizeSingleFlow-DestIP |
Generic description: Data table aggregating FLOW events by dest_ip, flow.bytes_toclient, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, flow.bytes_toclient values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSizeSingleFlow-SrcIP |
Generic description: Data table aggregating FLOW events by src_ip, flow.bytes_toserver, ranked by event count. Security use case examples: Facilitates identification of top src_ip, flow.bytes_toserver values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ClientDownloads |
Generic description: Data table aggregating FLOW events by flow.bytes_toclient, src_ip, src_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toclient, src_ip, src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ClientUploaders |
Generic description: Data table aggregating FLOW events by flow.bytes_toserver, src_ip, src_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toserver, src_ip, src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ServerReceivingFromClients |
Generic description: Data table aggregating FLOW events by flow.bytes_toserver, dest_ip, dest_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toserver, dest_ip, dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
SN-FLOW-Network-TopVolumeSUM-ServerSendingToClients |
Generic description: Data table aggregating FLOW events by flow.bytes_toclient, dest_ip, dest_port, ranked by event count. Security use case examples: Facilitates identification of top flow.bytes_toclient, dest_ip, dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking FLOW events by key observable fields. |
|
event_type:flow |
Dashboard: SN-NFS¶
Security use case examples: NFS traffic analysis for detecting unauthorized file system access, data exfiltration via NFS mounts, and privilege escalation through NFS misconfigurations.
Network use case examples: NFS mount and access volume baselining, top client and server pair tracking, storage I/O monitoring, and NAS infrastructure capacity planning.
SN-NFS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-NFS-ByDestIP |
Generic description: Data table aggregating NFS events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking NFS events by key observable fields. |
|
event_type:nfs |
SN-NFS-ByDestPort |
Generic description: Data table aggregating NFS events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking NFS events by key observable fields. |
|
event_type:nfs |
SN-NFS-ByFileName |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.filename. Security use case examples: Highlights dominant nfs.filename values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-ByFileTx |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.file_tx. Security use case examples: Highlights dominant nfs.file_tx values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-ByProcedure |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.procedure. Security use case examples: Highlights dominant nfs.procedure values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-BySrcIP |
Generic description: Data table aggregating NFS events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking NFS events by key observable fields. |
|
event_type:nfs |
SN-NFS-BySrcPort |
Generic description: Data table aggregating NFS events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking NFS events by key observable fields. |
|
event_type:nfs |
SN-NFS-ByStatus |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.status. Security use case examples: Highlights dominant nfs.status values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-ByType |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.type. Security use case examples: Highlights dominant nfs.type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-ByVersion |
Generic description: Donut chart showing the proportional distribution of NFS events by nfs.version. Security use case examples: Highlights dominant nfs.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:nfs |
SN-NFS-EventsOverTimeByVersion |
Generic description: Time-series bar chart showing NFS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in NFS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing NFS event volume trends and periodic patterns over time. |
List of NFS events |
event_type:nfs |
SN-NFS-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of NFS traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:nfs |
SN-NFS-TotalCount |
Generic description: Single-value metric display showing the total count of NFS events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing NFS event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of NFS traffic volume for capacity planning and operational health spot-checks. |
event_type:nfs |
event_type:nfs |
SN-NFS-EventsList (search) |
Generic description: Saved search showing NFS event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing NFS traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for NFS traffic baselining, capacity planning, and operational health monitoring. |
List of NFS events |
event_type:nfs |
Dashboard: SN-OVERVIEW¶
Security use case examples: The SN-OVERVIEW dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-OVERVIEW dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-OVERVIEW Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Timelion-DNS-NULL |
Generic description: Timelion time-series chart plotting dns.rrtype metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:dns |
SN-Timelion-DNS-NXDOMAIN |
Generic description: Timelion time-series chart plotting dns.rcode metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:dns |
SN-Timelion-DNS-slash-request-slash-reply |
Generic description: Timelion time-series chart plotting dns.type metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:dns |
SN-Timelion-DNS-TXT |
Generic description: Timelion time-series chart plotting dns.rrtype, geoip.country_code2 metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:all |
SN-Timelion-HTTP-statuscode-522-slash-523-slash-0 |
Generic description: Timelion time-series chart plotting http.status, geoip.country_code2 metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:all |
SN-Timelion-ICMP-request-reply |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:proto |
SN-Timelion-IPv4-slash-IPv6 |
Generic description: Timelion time-series chart plotting stats.decoder.ipv4, stats.decoder.ipv6 metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:stats |
SN-Timelion-PPS-slash-Alerts |
Generic description: Timelion time-series chart plotting stats.capture.kernel_packets metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:alert |
SN-Timelion-Protocols |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:all |
SN-Timelion-S-slash-SA-slash-R |
Generic description: Timelion time-series chart plotting various fields metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
— |
event_type:stats |
SN-Timelion-TCP-slash-UDP-flows |
Generic description: Timelion time-series chart plotting proto metrics over time with customizable expressions. Security use case examples: Enables trend analysis and anomaly detection by overlaying multiple time-series to reveal correlated spikes or drops indicative of attacks or sensor degradation. Network use case examples: Supports operational health monitoring and capacity baselining by visualizing long-term metric trends across the monitored environment. |
|
event_type:flow |
SN-SMB-EventsList (search) |
Generic description: Saved search showing SMB event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SMB traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SMB traffic baselining, capacity planning, and operational health monitoring. |
List of SMB events |
event_type:smb |
SN-ALERT-EventsList (search) |
Generic description: Saved search table displaying raw ALERT events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALERT events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALERT traffic patterns. |
List of ALERT events |
event_type:alert |
SN-DNS-EventsList (search) |
Generic description: Saved search table displaying raw DNS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual DNS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing DNS traffic patterns. |
List of DNS events |
event_type:dns |
SN-HTTP-EventsList (search) |
Generic description: Saved search table displaying raw HTTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual HTTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing HTTP traffic patterns. |
List of HTTP events |
event_type:http |
Dashboard: SN-POLICY-OLD-TLS¶
Security use case examples: TLS/SSL traffic analysis for detecting expired or self-signed certificates, weak cipher suites, JA3 fingerprint-based malware identification, and encrypted C2 channel detection.
Network use case examples: TLS version adoption monitoring, certificate inventory management, cipher suite compliance baselining, and encrypted traffic volume capacity planning.
SN-POLICY-OLD-TLS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-TLS-ByIssuerdn |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.issuerdn. Security use case examples: Highlights dominant tls.issuerdn values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-ByJa3Hash |
Generic description: Data table aggregating TLS events by src_ip, tls.ja3.hash, ranked by event count. Security use case examples: Facilitates identification of top src_ip, tls.ja3.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-ByJa3SHash |
Generic description: Data table aggregating TLS events by dest_ip, tls.ja3s.hash, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, tls.ja3s.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-BySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-BySubject |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.subject. Security use case examples: Highlights dominant tls.subject values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-ByVersionBySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.version, tls.sni. Security use case examples: Highlights dominant tls.version, tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-EventsOverTime |
Generic description: Time-series bar chart showing TLS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in TLS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing TLS event volume trends and periodic patterns over time. |
List of TLS events |
event_type:tls |
SN-TLS-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of TLS traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:tls |
SN-TLS-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by TLS event count. Security use case examples: Identifies the most active top dest_ip values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by TLS event count. Security use case examples: Identifies the most active top dest_port values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by TLS event count. Security use case examples: Identifies the most active source src_ip values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by TLS event count. Security use case examples: Identifies the most active source src_port values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Total |
Generic description: Single-value metric display showing the total count of TLS events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing TLS event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of TLS traffic volume for capacity planning and operational health spot-checks. |
event_type:tls |
event_type:tls |
SN-TLS-EventsList (search) |
Generic description: Saved search table displaying raw TLS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual TLS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing TLS traffic patterns. |
List of TLS events |
event_type:tls |
Dashboard: SN-POLICY-Violations¶
Security use case examples: The SN-POLICY-Violations dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-POLICY-Violations dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-POLICY-Violations Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-POLICY-ABUSED-FileSharing |
Generic description: Data table aggregating ALERT events by src_ip, dns.query.rrname, tls.sni, http.hostname, ranked by event count. Security use case examples: Facilitates identification of top src_ip, dns.query.rrname, tls.sni, http.hostname values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-POLICY-ClearTextPasswords |
Generic description: Data table aggregating ALERT events by src_ip, net_info.src_agg, http.hostname, ranked by event count. Security use case examples: Facilitates identification of top src_ip, net_info.src_agg, http.hostname values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-POLICY-EXTERNAL-DNS-Resolvers |
Generic description: Data table aggregating ALERT events by flow.src_ip, flow.dest_ip, ranked by event count. Security use case examples: Facilitates identification of top flow.src_ip, flow.dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-POLICY-EXTERNAL-IP-Lookup |
Generic description: Data table aggregating ALERT events by flow.src_ip, net_info.dest_agg, alert.signature, ranked by event count. Security use case examples: Facilitates identification of top flow.src_ip, net_info.dest_agg, alert.signature values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-POLICY-TLS-Version-Insecure |
Generic description: Data table aggregating TLS events by src_ip, dest_port, dest_ip, tls.version, ranked by event count. Security use case examples: Facilitates identification of top src_ip, dest_port, dest_ip, tls.version values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-POLICY-TOR-Usage |
Generic description: Data table aggregating ALERT events by flow.src_ip, net_info.dest_agg, ranked by event count. Security use case examples: Facilitates identification of top flow.src_ip, net_info.dest_agg values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALERT events by key observable fields. |
|
event_type:alert |
SN-ALERT-EventsList (search) |
Generic description: Saved search showing ALERT event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing ALERT traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for ALERT traffic baselining, capacity planning, and operational health monitoring. |
List of ALERT events |
event_type:alert |
SN-TLS-EventsList (search) |
Generic description: Saved search showing TLS event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing TLS traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for TLS traffic baselining, capacity planning, and operational health monitoring. |
List of TLS events |
event_type:tls |
Dashboard: SN-POSTPROC-Stats¶
Security use case examples: Engine performance statistics for monitoring sensor health, packet capture throughput, worker thread load, and detection engine efficiency.
Network use case examples: Sensor throughput baselining, packet drop rate trending, thread load distribution monitoring, and network capture infrastructure capacity planning.
SN-POSTPROC-Stats Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Postproc-Frequent-Events |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker. Security use case examples: Highlights high-volume postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories. |
|
event_type:postproc_metrix |
SN-Postproc-Gauge-Ingest-EPS |
Generic description: Visualization panel showing POSTPROC_METRIX event data aggregated by postproc_metrix.fields.rate_eps, probe_info.probe. Security use case examples: Supports security monitoring by surfacing POSTPROC_METRIX traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for POSTPROC_METRIX traffic baselining, capacity planning, and operational health monitoring. |
|
event_type:postproc_metrix |
SN-Postproc-Gauge-TLS-Cache-Hitrate |
Generic description: Visualization panel showing POSTPROC_METRIX event data aggregated by postproc_metrix.fields.cache_hit_rate, probe_info.probe. Security use case examples: Supports security monitoring by surfacing POSTPROC_METRIX traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for POSTPROC_METRIX traffic baselining, capacity planning, and operational health monitoring. |
|
event_type:postproc_metrix |
SN-Postproc-Heap-Usage |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.heap_inuse_bytes, timestamp, probe_info.probe, postproc_metrix.fields.heap_realeased_bytes. Security use case examples: Highlights high-volume postproc_metrix.fields.heap_inuse_bytes, timestamp, probe_info.probe, postproc_metrix.fields.heap_realeased_bytes categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.heap_inuse_bytes, timestamp, probe_info.probe, postproc_metrix.fields.heap_realeased_bytes categories. |
|
event_type:postproc_metrix |
SN-Postproc-stats |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker. Security use case examples: Highlights high-volume postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.rate_eps, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories. |
|
event_type:postproc_metrix |
SN-Postproc-Timeline-Frequent-Labels |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.frequent, timestamp, probe_info.probe, postproc_metrix.tags.worker. Security use case examples: Highlights high-volume postproc_metrix.fields.frequent, timestamp, probe_info.probe, postproc_metrix.tags.worker categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.frequent, timestamp, probe_info.probe, postproc_metrix.tags.worker categories. |
|
event_type:postproc_metrix |
SN-Postproc-Timeline-TLS-Cache |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.cached_items, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker. Security use case examples: Highlights high-volume postproc_metrix.fields.cached_items, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.cached_items, timestamp, probe_info.probe, postproc_metrix.tags.subroutine, postproc_metrix.tags.worker categories. |
|
event_type:postproc_metrix |
SN-Postproc-Total-Vectors |
Generic description: Single-value metric display showing the total count of POSTPROC_METRIX events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing POSTPROC_METRIX event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of POSTPROC_METRIX traffic volume for capacity planning and operational health spot-checks. |
event_type:postproc_metrix |
event_type:postproc_metrix |
SN-Postproc-Tracked-Items |
Generic description: Bar chart showing POSTPROC_METRIX event counts grouped by postproc_metrix.fields.items, timestamp, probe_info.probe, postproc_metrix.tags.worker, postproc_metrix.tags.subroutine. Security use case examples: Highlights high-volume postproc_metrix.fields.items, timestamp, probe_info.probe, postproc_metrix.tags.worker, postproc_metrix.tags.subroutine categories in POSTPROC_METRIX traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing POSTPROC_METRIX event volumes across postproc_metrix.fields.items, timestamp, probe_info.probe, postproc_metrix.tags.worker, postproc_metrix.tags.subroutine categories. |
|
event_type:postproc_metrix |
Dashboard: SN-Proxy¶
Security use case examples: The SN-Proxy dashboard identifies internal and external hosts acting as HTTP and HTTPS proxies, enabling detection of unauthorized or shadow-IT proxy infrastructure, traffic interception attempts, and potential command-and-control channels that leverage proxy protocols.
Network use case examples: The SN-Proxy dashboard provides a host-based inventory of HTTP and HTTPS proxy services across the network, supporting policy enforcement for proxy usage, auditing of sanctioned proxy deployments, and capacity planning for legitimate proxy infrastructure.
SN-Proxy Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Proxy-HTTP |
Generic description: Data table ranking hosts detected as HTTP proxy servers by IP address, hostname, and service port, derived from host identification events. Security use case examples: Identifies unauthorized or rogue HTTP proxy servers that may be used for traffic interception, data exfiltration, or bypassing security controls, helping analysts detect shadow-IT proxy deployments and potential man-in-the-middle infrastructure. Network use case examples: Provides an inventory of HTTP proxy services across the network for policy validation, ensuring only sanctioned proxy infrastructure is in operation and supporting capacity planning for legitimate proxy deployments. |
|
event_type:host_id |
SN-Proxy-HTTPS |
Generic description: Data table ranking hosts detected as HTTPS proxy servers by IP address, hostname, and service port, derived from host identification events. Security use case examples: Identifies unauthorized or rogue HTTPS proxy servers that may facilitate SSL interception, covert encrypted communication channels, or evasion of TLS inspection controls, supporting detection of malicious proxy infrastructure. Network use case examples: Provides an inventory of HTTPS proxy services across the network for compliance auditing, supports enforcement of encrypted proxy usage policies, and aids in sizing legitimate HTTPS proxy infrastructure. |
|
event_type:host_id |
Dashboard: SN-RDP¶
Security use case examples: RDP traffic analysis for detecting brute force attacks, unauthorized remote desktop access, lateral movement via RDP, and ransomware delivery over remote sessions.
Network use case examples: RDP session volume baselining, top client and server tracking, session duration monitoring, and virtual desktop infrastructure capacity planning.
SN-RDP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-RDP-ByProto |
Generic description: Data table aggregating RDP events by rdp.protocol, ranked by event count. Security use case examples: Facilitates identification of top rdp.protocol values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RDP events by key observable fields. |
|
event_type:rdp |
SN-RDP-Channels |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.channels. Security use case examples: Highlights dominant rdp.channels values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-ClientBuild |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.client.build. Security use case examples: Highlights dominant rdp.client.build values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-ClientCookie |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.cookie. Security use case examples: Highlights dominant rdp.cookie values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-ClientKeyboardType |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.client.keyboard_layout. Security use case examples: Highlights dominant rdp.client.keyboard_layout values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-ClientName |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.client.client_name. Security use case examples: Highlights dominant rdp.client.client_name values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-ClientVersion |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.client.version. Security use case examples: Highlights dominant rdp.client.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-Event_Type |
Generic description: Donut chart showing the proportional distribution of RDP events by rdp.event_type. Security use case examples: Highlights dominant rdp.event_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rdp |
SN-RDP-EventsOverTime |
Generic description: Time-series bar chart showing RDP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in RDP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing RDP event volume trends and periodic patterns over time. |
List of RDP events |
event_type:rdp |
SN-RDP-Top100-DestIP |
Generic description: Data table aggregating RDP events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RDP events by key observable fields. |
|
event_type:rdp |
SN-RDP-Top100-DestPort |
Generic description: Data table aggregating RDP events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RDP events by key observable fields. |
|
event_type:rdp |
SN-RDP-Top100-SrcIP |
Generic description: Data table aggregating RDP events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RDP events by key observable fields. |
|
event_type:rdp |
SN-RDP-Top100-SrcPort |
Generic description: Data table aggregating RDP events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RDP events by key observable fields. |
|
event_type:rdp |
SN-RDP-TotalEvents |
Generic description: Single-value metric display showing the total count of RDP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing RDP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of RDP traffic volume for capacity planning and operational health spot-checks. |
— |
event_type:rdp |
SN-RDP-EventsList (search) |
Generic description: Saved search showing RDP event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing RDP traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for RDP traffic baselining, capacity planning, and operational health monitoring. |
List of RDP events |
event_type:rdp |
Dashboard: SN-RFB¶
Security use case examples: The SN-RFB dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-RFB dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-RFB Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-RFB-Authentication-Sectype |
Generic description: Donut chart showing the proportional distribution of RFB events by rfb.authentication.security_type. Security use case examples: Highlights dominant rfb.authentication.security_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rfb |
SN-RFB-ByVlan |
Generic description: Donut chart showing the proportional distribution of RFB events by vlan. Security use case examples: Highlights dominant vlan values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rfb |
SN-RFB-EventsOverTime |
Generic description: Time-series bar chart showing RFB event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in RFB events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing RFB event volume trends and periodic patterns over time. |
List of RFB events |
event_type:rfb |
SN-RFB-ScreenShared |
Generic description: Donut chart showing the proportional distribution of RFB events by rfb.screen_shared. Security use case examples: Highlights dominant rfb.screen_shared values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rfb |
SN-RFB-Server-Security-Failure |
Generic description: Donut chart showing the proportional distribution of RFB events by rfb.server_security_failure_reason. Security use case examples: Highlights dominant rfb.server_security_failure_reason values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:rfb |
SN-RFB-Top100-DestIP |
Generic description: Data table aggregating RFB events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RFB events by key observable fields. |
|
event_type:rfb |
SN-RFB-Top100-DestPort |
Generic description: Data table aggregating RFB events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RFB events by key observable fields. |
|
event_type:rfb |
SN-RFB-Top100-SrcIP |
Generic description: Data table aggregating RFB events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RFB events by key observable fields. |
|
event_type:rfb |
SN-RFB-Top100-SrcPort |
Generic description: Data table aggregating RFB events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking RFB events by key observable fields. |
|
event_type:rfb |
SN-RFB-TotalEvents |
Generic description: Single-value metric display showing the total count of RFB events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing RFB event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of RFB traffic volume for capacity planning and operational health spot-checks. |
— |
event_type:rfb |
SN-RFB-EventsList (search) |
Generic description: Saved search showing RFB event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing RFB traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for RFB traffic baselining, capacity planning, and operational health monitoring. |
List of RFB events |
event_type:rfb |
Dashboard: SN-SIGHTINGS¶
Security use case examples: The SN-SIGHTINGS dashboard surfaces communication artifacts observed for the first time in the environment — HTTP user-agents, hostnames, TLS SNIs, JA3/JA3S fingerprints, certificate metadata, and SMB filenames — enabling threat hunters to detect novel attacker infrastructure, new malware tooling, and first-contact with C2 domains before they become recurring patterns.
Network use case examples: The SN-SIGHTINGS dashboard supports asset discovery and baseline drift detection by tracking newly appeared HTTP servers, TLS certificate issuers, and domain names, providing change management visibility and helping distinguish legitimate infrastructure growth from unexpected or unauthorized network activity.
SN-SIGHTINGS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SIGHTINGS-HTTP-Hostnames |
Generic description: Data table listing HTTP hostnames ( Security use case examples: Reveals domain names appearing in HTTP traffic that were never previously observed, enabling cross-correlation with threat intelligence, detection of attacker-controlled domains on first contact, and combined analysis with beacon hunting to identify beaconing towards new hostnames. Network use case examples: Supports web asset discovery and change management by surfacing new HTTP hostnames appearing on the network, useful for identifying shadow-IT, unexpected infrastructure changes, or newly onboarded external services. |
|
event_type:alert |
SN-SIGHTINGS-HTTP-Server-Internal |
Generic description: Data table listing internal HTTP server software identifiers ( Security use case examples: Detects newly discovered internal HTTP servers that have never been seen before in the environment, enabling identification of unauthorized web services, attacker-implanted servers, or shadow-IT deployments on the internal network. Network use case examples: Supports internal web asset inventory by surfacing new HTTP server software appearing inside the network, aiding capacity planning, compliance auditing, and detection of unapproved server deployments. |
|
event_type:alert |
SN-SIGHTINGS-HTTP-Server-Remote |
Generic description: Data table listing remote (external) HTTP server software identifiers ( Security use case examples: Identifies newly discovered external HTTP servers that internal hosts are communicating with for the first time, enabling detection of connections to previously unknown C2 infrastructure, malicious hosting services, or newly registered attacker-controlled web servers. Network use case examples: Supports egress monitoring and external asset discovery by tracking new remote HTTP server software, helping validate that external web services accessed by the organization comply with policy and are expected. |
|
event_type:alert |
SN-SIGHTINGS-HTTP-UserAgents |
Generic description: Data table listing HTTP user-agent strings ( Security use case examples: Surfaces previously unseen HTTP user-agents that may represent new malware families, attacker toolkits, or unauthorized software making HTTP requests for the first time, enabling early detection of novel threats before signatures are available. Network use case examples: Tracks new HTTP client software and browser versions appearing on the network, supporting software inventory management and detection of unauthorized or policy-violating applications. |
|
event_type:alert |
SN-SIGHTINGS-SMB-Filename-exe |
Generic description: Data table listing executable filenames ( Security use case examples: Reveals newly seen executable files on SMB file shares that have never been observed before, enabling early detection of malware staging, lateral movement via new executable payloads, or ransomware deployment using previously unseen binary names. Network use case examples: Provides visibility into new executable files being accessed or transferred via SMB, supporting software change management, auditing of file share activity, and detection of unauthorized or unexpected binaries appearing on shared storage. |
|
event_type:alert |
SN-SIGHTINGS-TLS-Issuer |
Generic description: Data table listing TLS certificate issuer distinguished names ( Security use case examples: Exposes new certificate authorities and issuers never previously seen, enabling detection of self-signed or attacker-controlled certificates, new C2 infrastructure using freshly issued certificates, and connections to services backed by untrusted or suspicious certificate authorities. Network use case examples: Supports TLS certificate inventory and PKI governance by tracking new certificate issuers appearing on the network, aiding compliance validation and detection of unauthorized or unexpected certificate authority deployments. |
|
event_type:alert |
SN-SIGHTINGS-TLS-JA3 |
Generic description: Data table listing TLS client fingerprint hashes ( Security use case examples: Surfaces previously unseen TLS client fingerprints that may represent new malware, attacker toolkits, or unauthorized software initiating encrypted connections for the first time, enabling correlation with known-bad JA3 hash threat intelligence feeds. Network use case examples: Tracks new TLS client implementations appearing on the network, supporting software inventory and identification of new applications or tooling performing TLS handshakes that have not been previously seen. |
|
event_type:alert |
SN-SIGHTINGS-TLS-JA3S |
Generic description: Data table listing TLS server fingerprint hashes ( Security use case examples: Reveals previously unseen TLS server fingerprints, enabling detection of new or unknown server infrastructure, C2 servers with novel TLS configurations, and combined analysis with beacon detection to identify beaconing towards a never-observed-before TLS server fingerprint. Network use case examples: Tracks new TLS server implementations observed on the network, supporting server inventory, compliance monitoring for approved TLS configurations, and detection of unauthorized or unexpected server deployments. |
|
event_type:alert |
SN-SIGHTINGS-TLS-Serials |
Generic description: Data table listing TLS certificate serial numbers ( Security use case examples: Identifies brand-new TLS certificates appearing in the environment for the first time, enabling detection of certificate rotation by attackers, freshly issued certificates used in phishing or C2 campaigns, and rapid deployment of new malicious infrastructure. Network use case examples: Supports TLS certificate lifecycle management by tracking new certificate serial numbers on the network, useful for auditing certificate rotation events and detecting unapproved or unexpected certificate changes. |
|
event_type:alert |
SN-SIGHTINGS-TLS-SNI |
Generic description: Data table listing TLS Server Name Indication values ( Security use case examples: Surfaces previously unseen domain names in TLS SNI fields, enabling detection of first-contact with C2 domains, newly registered attacker infrastructure, and beaconing to domains that have never before been observed in the environment. Network use case examples: Tracks new TLS destinations being accessed for the first time, supporting egress monitoring, domain allowlist and denylist management, and discovery of new external services or cloud resources used by the organization. |
|
event_type:alert |
SN-SIGHTINGS-TLS-Subject |
Generic description: Data table listing TLS certificate subject names ( Security use case examples: Exposes new TLS certificate subjects never previously seen in the environment, enabling detection of attacker-created certificates with suspicious or spoofed common names, newly deployed services with previously unseen subject fields, and potential certificate impersonation attempts. Network use case examples: Supports certificate inventory management by tracking new certificate subject names appearing on the network, aiding compliance validation and detection of unauthorized or misconfigured TLS certificate deployments. |
|
event_type:alert |
Dashboard: SN-SIGNATURE-Performance¶
Security use case examples: The SN-SIGNATURE-Performance dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-SIGNATURE-Performance dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-SIGNATURE-Performance Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SIGNATURE-NOT-StamusTested-CPU-performance-perprobe |
Generic description: Data table aggregating ALL events by profile.percent, host, timestamp, profile.signature_id, profile.matches, ranked by event count. Security use case examples: Facilitates identification of top profile.percent, host, timestamp, profile.signature_id, profile.matches values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALL events by key observable fields. |
|
event_type:all |
SN-SIGNATURE-StamusTested-CPU-performance-perprobe |
Generic description: Data table aggregating ALL events by profile.percent, host, timestamp, profile.signature_id, profile.matches, ranked by event count. Security use case examples: Facilitates identification of top profile.percent, host, timestamp, profile.signature_id, profile.matches values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALL events by key observable fields. |
|
event_type:all |
Dashboard: SN-SIP¶
Security use case examples: SIP VoIP signaling traffic analysis for detecting SIP scanning, toll fraud, VoIP service abuse, and unauthorized call routing modifications.
Network use case examples: SIP call setup volume baselining, top call endpoint tracking, VoIP infrastructure load monitoring, and telephony capacity planning.
SN-SIP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SIP-EventsOverTime |
Generic description: Time-series bar chart showing SIP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SIP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SIP event volume trends and periodic patterns over time. |
List of SIP events |
event_type:sip |
SN-SIP-SipCode |
Generic description: Donut chart showing the proportional distribution of SIP events by sip.code. Security use case examples: Highlights dominant sip.code values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:sip |
SN-SIP-SipMethod |
Generic description: Donut chart showing the proportional distribution of SIP events by sip.method. Security use case examples: Highlights dominant sip.method values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:sip |
SN-SIP-SipReason |
Generic description: Donut chart showing the proportional distribution of SIP events by sip.reason. Security use case examples: Highlights dominant sip.reason values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:sip |
SN-SIP-SipUri |
Generic description: Donut chart showing the proportional distribution of SIP events by sip.uri. Security use case examples: Highlights dominant sip.uri values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:sip |
SN-SIP-SipVersion |
Generic description: Donut chart showing the proportional distribution of SIP events by sip.version. Security use case examples: Highlights dominant sip.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:sip |
SN-SIP-Top100-DestIP |
Generic description: Data table aggregating SIP events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SIP events by key observable fields. |
|
event_type:sip |
SN-SIP-Top100-DestPort |
Generic description: Data table aggregating SIP events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SIP events by key observable fields. |
|
event_type:sip |
SN-SIP-Top100-SrcIP |
Generic description: Data table aggregating SIP events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SIP events by key observable fields. |
|
event_type:sip |
SN-SIP-Top100-SrcPort |
Generic description: Data table aggregating SIP events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SIP events by key observable fields. |
|
event_type:sip |
SN-SIP-TotalEvents |
Generic description: Single-value metric display showing the total count of SIP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SIP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SIP traffic volume for capacity planning and operational health spot-checks. |
— |
event_type:sip |
SN-SIP-EventsList (search) |
Generic description: Saved search showing SIP event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SIP traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SIP traffic baselining, capacity planning, and operational health monitoring. |
List of SIP events |
event_type:sip |
Dashboard: SN-SMB¶
Security use case examples: SMB file sharing traffic analysis for detecting lateral movement, ransomware propagation, pass-the-hash attacks, and unauthorized file share enumeration.
Network use case examples: SMB session volume baselining, file share usage pattern tracking, authentication traffic monitoring, and file server infrastructure capacity planning.
SN-SMB Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SMB-ClientDialect |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.client_dialects. Security use case examples: Highlights dominant smb.client_dialects values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-Dialect |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.dialect. Security use case examples: Highlights dominant smb.dialect values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-EventsOverTime |
Generic description: Time-series bar chart showing SMB event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SMB events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SMB event volume trends and periodic patterns over time. |
List of SMB events |
event_type:smb |
SN-SMB-Filename |
Generic description: Data table aggregating SMB events by smb.filename, ranked by event count. Security use case examples: Facilitates identification of top smb.filename values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-Function |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.function. Security use case examples: Highlights dominant smb.function values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of SMB traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:smb |
SN-SMB-KerberosSnames |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.kerberos.snames. Security use case examples: Highlights dominant smb.kerberos.snames values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-NtlmsspDomain |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.ntlmssp.domain. Security use case examples: Highlights dominant smb.ntlmssp.domain values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-NtlmsspHost |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.ntlmssp.host. Security use case examples: Highlights dominant smb.ntlmssp.host values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-NtlmsspUser |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.ntlmssp.user. Security use case examples: Highlights dominant smb.ntlmssp.user values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-ServerGUID |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.server_guid. Security use case examples: Highlights dominant smb.server_guid values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-Share |
Generic description: Data table aggregating SMB events by smb.share, ranked by event count. Security use case examples: Facilitates identification of top smb.share values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-Status |
Generic description: Donut chart showing the proportional distribution of SMB events by smb.status. Security use case examples: Highlights dominant smb.status values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:smb |
SN-SMB-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by SMB event count. Security use case examples: Identifies the most active top dest_ip values in SMB traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMB traffic volume. |
|
event_type:smb |
SN-SMB-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by SMB event count. Security use case examples: Identifies the most active top dest_port values in SMB traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMB traffic volume. |
|
event_type:smb |
SN-SMB-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by SMB event count. Security use case examples: Identifies the most active source src_ip values in SMB traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SMB traffic volume. |
|
event_type:smb |
SN-SMB-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by SMB event count. Security use case examples: Identifies the most active source src_port values in SMB traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SMB traffic volume. |
|
event_type:smb |
SN-SMB-Total |
Generic description: Single-value metric display showing the total count of SMB events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SMB event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SMB traffic volume for capacity planning and operational health spot-checks. |
event_type:smb |
event_type:smb |
SN-SMB-EventsList (search) |
Generic description: Saved search showing SMB event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SMB traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SMB traffic baselining, capacity planning, and operational health monitoring. |
List of SMB events |
event_type:smb |
Dashboard: SN-SMB-DCERPC-Lateral-1¶
Security use case examples: SMB file sharing traffic analysis for detecting lateral movement, ransomware propagation, pass-the-hash attacks, and unauthorized file share enumeration.
Network use case examples: SMB session volume baselining, file share usage pattern tracking, authentication traffic monitoring, and file server infrastructure capacity planning.
SN-SMB-DCERPC-Lateral-1 Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-DCERPC-OpNum |
Generic description: Data table aggregating DCERPC events by dcerpc.req.opnum, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.req.opnum values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-TransactionsPerFlow |
Generic description: Data table aggregating DCERPC events by flow_id, ranked by event count. Security use case examples: Facilitates identification of top flow_id values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-DCERPC-UUID |
Generic description: Data table aggregating DCERPC events by dcerpc.interfaces.uuid, ranked by event count. Security use case examples: Facilitates identification of top dcerpc.interfaces.uuid values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking DCERPC events by key observable fields. |
|
event_type:dcerpc |
SN-SMB-Command |
Generic description: Data table aggregating SMB events by smb.command, ranked by event count. Security use case examples: Facilitates identification of top smb.command values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-DCERPC-UUID |
Generic description: Data table aggregating SMB events by smb.dcerpc.interfaces.uuid, ranked by event count. Security use case examples: Facilitates identification of top smb.dcerpc.interfaces.uuid values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-Filename-2 |
Generic description: Data table aggregating SMB events by smb.filename, ranked by event count. Security use case examples: Facilitates identification of top smb.filename values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-OpNum |
Generic description: Data table aggregating SMB events by smb.dcerpc.opnum, ranked by event count. Security use case examples: Facilitates identification of top smb.dcerpc.opnum values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-StatusCode |
Generic description: Data table aggregating SMB events by smb.status, ranked by event count. Security use case examples: Facilitates identification of top smb.status values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-SMB-Total |
Generic description: Single-value metric display showing the total count of SMB events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SMB event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SMB traffic volume for capacity planning and operational health spot-checks. |
event_type:smb |
event_type:smb |
SN-SMB-TransactionsPerFlow |
Generic description: Data table aggregating SMB events by tx_id, flow_id, ranked by event count. Security use case examples: Facilitates identification of top tx_id, flow_id values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB events by key observable fields. |
|
event_type:smb |
SN-DCERPC-EventsList (search) |
Generic description: Saved search showing DCERPC event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing DCERPC traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for DCERPC traffic baselining, capacity planning, and operational health monitoring. |
List of DCERPC events |
event_type:dcerpc |
SN-SMB-EventsList-Lateral (search) |
Generic description: Saved search showing SMB event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SMB traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SMB traffic baselining, capacity planning, and operational health monitoring. |
List of SMB events |
event_type:smb |
Dashboard: SN-SMB_INSIGHTS¶
Security use case examples: SMB file sharing traffic analysis for detecting lateral movement, ransomware propagation, pass-the-hash attacks, and unauthorized file share enumeration.
Network use case examples: SMB session volume baselining, file share usage pattern tracking, authentication traffic monitoring, and file server infrastructure capacity planning.
SN-SMB_INSIGHTS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SMB-Inisghts-UniqueCommands |
Generic description: Data table aggregating SMB_INSIGHTS events by smb_insights.trackers.command.count, ranked by event count. Security use case examples: Facilitates identification of top smb_insights.trackers.command.count values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB_INSIGHTS events by key observable fields. |
|
event_type:smb_insights |
SN-SMB-Inisghts-UniqueCommandsDCERPC |
Generic description: Data table aggregating SMB_INSIGHTS events by smb_insights.trackers.dcerpc_endpoint.count, ranked by event count. Security use case examples: Facilitates identification of top smb_insights.trackers.dcerpc_endpoint.count values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB_INSIGHTS events by key observable fields. |
|
event_type:smb_insights |
SN-SMB-Inisghts-UniqueFileTypes |
Generic description: Data table aggregating SMB_INSIGHTS events by smb_insights.trackers.mime_type.count, ranked by event count. Security use case examples: Facilitates identification of top smb_insights.trackers.mime_type.count values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB_INSIGHTS events by key observable fields. |
|
event_type:smb_insights |
SN-SMB-Inisghts-UniqueStatus |
Generic description: Data table aggregating SMB_INSIGHTS events by smb_insights.trackers.status.count, ranked by event count. Security use case examples: Facilitates identification of top smb_insights.trackers.status.count values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SMB_INSIGHTS events by key observable fields. |
|
event_type:smb_insights |
SN-SMB_INSIGHTS-EventsOverTime |
Generic description: Time-series bar chart showing SMB_INSIGHTS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SMB_INSIGHTS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SMB_INSIGHTS event volume trends and periodic patterns over time. |
List of SMB_INSIGHTS events |
event_type:smb_insights |
SN-SMB_INSIGHTS-EventsList (search) |
Generic description: Saved search showing SMB_INSIGHTS event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SMB_INSIGHTS traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SMB_INSIGHTS traffic baselining, capacity planning, and operational health monitoring. |
List of SMB_INSIGHTS events |
event_type:smb_insights |
Dashboard: SN-SMTP¶
Security use case examples: SMTP email traffic analysis for detecting spam campaigns, phishing delivery, malware distribution via attachments, and email-based data exfiltration.
Network use case examples: Email volume baselining, top sender and recipient domain tracking, SMTP relay load monitoring, and mail infrastructure capacity planning.
SN-SMTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SMTP-AttachmentsExtension |
Generic description: Line chart plotting SMTP event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in SMTP activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing SMTP traffic trends over time for infrastructure sizing decisions. |
|
event_type:smtp |
SN-SMTP-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of SMTP traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:smtp |
SN-SMTP-SmtpOverTime |
Generic description: Line chart plotting SMTP event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in SMTP activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing SMTP traffic trends over time for infrastructure sizing decisions. |
|
event_type:smtp |
SN-SMTP-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by SMTP event count. Security use case examples: Identifies the most active top dest_ip values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by SMTP event count. Security use case examples: Identifies the most active top dest_port values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20mail_from |
Generic description: Data table ranking the top 20 top smtp.mail_from values by SMTP event count. Security use case examples: Identifies the most active top smtp.mail_from values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20MailApplications |
Generic description: Data table ranking the top 20 top email.x_mailer values by SMTP event count. Security use case examples: Identifies the most active top email.x_mailer values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20MailOrganisations |
Generic description: Data table ranking the top 20 top email.organization values by SMTP event count. Security use case examples: Identifies the most active top email.organization values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20MailSendingIPs |
Generic description: Data table ranking the top 20 top email.x_originating_ip values by SMTP event count. Security use case examples: Identifies the most active top email.x_originating_ip values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20rcpt_to |
Generic description: Data table ranking the top 20 top smtp.rcpt_to values by SMTP event count. Security use case examples: Identifies the most active top smtp.rcpt_to values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by SMTP event count. Security use case examples: Identifies the most active source src_ip values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by SMTP event count. Security use case examples: Identifies the most active source src_port values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Total |
Generic description: Single-value metric display showing the total count of SMTP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SMTP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SMTP traffic volume for capacity planning and operational health spot-checks. |
event_type:smtp |
event_type:smtp |
SN-SMTP-EventsList (search) |
Generic description: Saved search table displaying raw SMTP events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual SMTP events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing SMTP traffic patterns. |
List of SMTP events |
event_type:smtp |
Dashboard: SN-SNMP¶
Security use case examples: SNMP traffic analysis for detecting community string brute force, unauthorized MIB walks, network device reconnaissance, and SNMP-based data exfiltration.
Network use case examples: SNMP query volume baselining, managed device inventory tracking, OID access pattern monitoring, and network management infrastructure sizing.
SN-SNMP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SNMP-ByVlan |
Generic description: Donut chart showing the proportional distribution of SNMP events by vlan. Security use case examples: Highlights dominant vlan values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:snmp |
SN-SNMP-Community |
Generic description: Data table aggregating SNMP events by snmp.community, ranked by event count. Security use case examples: Facilitates identification of top snmp.community values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-EventsOverTime |
Generic description: Time-series bar chart showing SNMP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SNMP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SNMP event volume trends and periodic patterns over time. |
List of SNMP events |
event_type:snmp |
SN-SNMP-Pdu |
Generic description: Donut chart showing the proportional distribution of SNMP events by snmp.pdu_type. Security use case examples: Highlights dominant snmp.pdu_type values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:snmp |
SN-SNMP-Top100-DestIP |
Generic description: Data table aggregating SNMP events by dest_ip, ranked by event count. Security use case examples: Facilitates identification of top dest_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-Top100-DestPort |
Generic description: Data table aggregating SNMP events by dest_port, ranked by event count. Security use case examples: Facilitates identification of top dest_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-Top100-SrcIP |
Generic description: Data table aggregating SNMP events by src_ip, ranked by event count. Security use case examples: Facilitates identification of top src_ip values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-Top100-SrcPort |
Generic description: Data table aggregating SNMP events by src_port, ranked by event count. Security use case examples: Facilitates identification of top src_port values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-TotalCount |
Generic description: Single-value metric display showing the total count of SNMP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SNMP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SNMP traffic volume for capacity planning and operational health spot-checks. |
event_type:snmp |
event_type:snmp |
SN-SNMP-Usm |
Generic description: Donut chart showing the proportional distribution of SNMP events by snmp.usm. Security use case examples: Highlights dominant snmp.usm values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:snmp |
SN-SNMP-Vars |
Generic description: Data table aggregating SNMP events by snmp.vars, ranked by event count. Security use case examples: Facilitates identification of top snmp.vars values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SNMP events by key observable fields. |
|
event_type:snmp |
SN-SNMP-Version |
Generic description: Donut chart showing the proportional distribution of SNMP events by snmp.version. Security use case examples: Highlights dominant snmp.version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:snmp |
SN-SNMP-EventsList (search) |
Generic description: Saved search showing SNMP event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing SNMP traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for SNMP traffic baselining, capacity planning, and operational health monitoring. |
List of SNMP events |
event_type:snmp |
Dashboard: SN-SSH¶
Security use case examples: SSH traffic analysis for detecting brute force attacks, credential stuffing, unauthorized remote access, and SSH tunnel-based data exfiltration.
Network use case examples: SSH connection volume baselining, top client and server pair tracking, session duration monitoring, and remote access infrastructure capacity planning.
SN-SSH Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-SSH-ByClientProtoVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.client.proto_version. Security use case examples: Highlights dominant ssh.client.proto_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-SSH-ByClientSoftwareVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.client.software_version. Security use case examples: Highlights dominant ssh.client.software_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-SSH-ByServerProtoVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.server.proto_version. Security use case examples: Highlights dominant ssh.server.proto_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-SSH-ByServerSoftwareVer |
Generic description: Donut chart showing the proportional distribution of SSH events by ssh.server.software_version. Security use case examples: Highlights dominant ssh.server.software_version values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:ssh |
SN-SSH-Client-hassh |
Generic description: Data table aggregating SSH events by ssh.client.hassh.hash, ranked by event count. Security use case examples: Facilitates identification of top ssh.client.hassh.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SSH events by key observable fields. |
|
event_type:ssh |
SN-SSH-EventsOverTime |
Generic description: Time-series bar chart showing SSH event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SSH events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SSH event volume trends and periodic patterns over time. |
List of SSH events |
event_type:ssh |
SN-SSH-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of SSH traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:ssh |
SN-SSH-Server-hassh |
Generic description: Data table aggregating SSH events by ssh.server.hassh.hash, ranked by event count. Security use case examples: Facilitates identification of top ssh.server.hassh.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking SSH events by key observable fields. |
|
event_type:ssh |
SN-SSH-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by SSH event count. Security use case examples: Identifies the most active top dest_ip values in SSH traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SSH traffic volume. |
|
event_type:ssh |
SN-SSH-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by SSH event count. Security use case examples: Identifies the most active top dest_port values in SSH traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SSH traffic volume. |
|
event_type:ssh |
SN-SSH-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by SSH event count. Security use case examples: Identifies the most active source src_ip values in SSH traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SSH traffic volume. |
|
event_type:ssh |
SN-SSH-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by SSH event count. Security use case examples: Identifies the most active source src_port values in SSH traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to SSH traffic volume. |
|
event_type:ssh |
SN-SSH-Total |
Generic description: Single-value metric display showing the total count of SSH events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing SSH event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of SSH traffic volume for capacity planning and operational health spot-checks. |
event_type:ssh |
event_type:ssh |
SN-SSH-EventsList (search) |
Generic description: Saved search table displaying raw SSH events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual SSH events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing SSH traffic patterns. |
List of SSH events |
event_type:ssh |
Dashboard: SN-STAMUS¶
Security use case examples: The SN-STAMUS dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-STAMUS dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-STAMUS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-STAMUS-AffectedProducts |
Generic description: Donut chart showing the proportional distribution of STAMUS events by alert.metadata.affected_product. Security use case examples: Highlights dominant alert.metadata.affected_product values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:stamus |
SN-STAMUS-AttackTargets |
Generic description: Donut chart showing the proportional distribution of STAMUS events by alert.metadata.attack_target. Security use case examples: Highlights dominant alert.metadata.attack_target values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:stamus |
SN-STAMUS-IoC-HTTPHosts |
Generic description: Data table aggregating STAMUS events by http.hostname, stamus.threat_name, ranked by event count. Security use case examples: Facilitates identification of top http.hostname, stamus.threat_name values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-IoC-TLSIssuers |
Generic description: Data table aggregating STAMUS events by tls.issuerdn, stamus.threat_name, ranked by event count. Security use case examples: Facilitates identification of top tls.issuerdn, stamus.threat_name values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-IoC-TLSSNI |
Generic description: Data table aggregating STAMUS events by tls.sni, stamus.threat_name, ranked by event count. Security use case examples: Facilitates identification of top tls.sni, stamus.threat_name values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-KillChain |
Generic description: Donut chart showing the proportional distribution of STAMUS events by stamus.kill_chain. Security use case examples: Highlights dominant stamus.kill_chain values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:stamus |
SN-STAMUS-MaliciousDomains-UsedByAssets |
Generic description: Data table aggregating STAMUS events by dns.query.rrname, stamus.asset, stamus.source, ranked by event count. Security use case examples: Facilitates identification of top dns.query.rrname, stamus.asset, stamus.source values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-MaliciousTLS-Issuer-UsedByAssets |
Generic description: Data table aggregating STAMUS events by tls.issuerdn, stamus.asset, stamus.source, ranked by event count. Security use case examples: Facilitates identification of top tls.issuerdn, stamus.asset, stamus.source values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-MaliciousTLS-SNI-UsedByAssets |
Generic description: Data table aggregating STAMUS events by tls.sni, stamus.asset, stamus.source, ranked by event count. Security use case examples: Facilitates identification of top tls.sni, stamus.asset, stamus.source values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking STAMUS events by key observable fields. |
|
event_type:stamus |
SN-STAMUS-ThreatFamilyNames |
Generic description: Bar chart showing STAMUS event counts grouped by stamus.family_name. Security use case examples: Highlights high-volume stamus.family_name categories in STAMUS traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing STAMUS event volumes across stamus.family_name categories. |
|
event_type:stamus |
SN-STAMUS-ThreatNames |
Generic description: Bar chart showing STAMUS event counts grouped by stamus.threat_name. Security use case examples: Highlights high-volume stamus.threat_name categories in STAMUS traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing STAMUS event volumes across stamus.threat_name categories. |
|
event_type:stamus |
SN-STAMUS-TopAssetsUnderAttack |
Generic description: Donut chart showing the proportional distribution of STAMUS events by stamus.asset. Security use case examples: Highlights dominant stamus.asset values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:stamus |
SN-STAMUS-TopSourcesOfAttacks |
Generic description: Donut chart showing the proportional distribution of STAMUS events by stamus.source. Security use case examples: Highlights dominant stamus.source values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:stamus |
SN-STAMUS-EventsList (search) |
Generic description: Saved search showing STAMUS event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing STAMUS traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for STAMUS traffic baselining, capacity planning, and operational health monitoring. |
List of STAMUS events |
event_type:stamus |
Dashboard: SN-STATS¶
Security use case examples: Engine performance statistics for monitoring sensor health, packet capture throughput, worker thread load, and detection engine efficiency.
Network use case examples: Sensor throughput baselining, packet drop rate trending, thread load distribution monitoring, and network capture infrastructure capacity planning.
SN-STATS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Stats-CapturedPktsVsGaps |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-DecoderAvgMaxPktSize |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-DecoderBytes-Packets |
Generic description: Single-value metric displaying the total count of ALL events in the selected time range. Security use case examples: Provides an at-a-glance security indicator for ALL event volume to rapidly detect abnormal activity levels compared to baseline. Network use case examples: Supports dashboard-level health monitoring and SLA tracking by showing aggregate ALL event counts. |
|
event_type:all |
SN-Stats-DecoderProto-Deltas |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-EmergencyMode |
Generic description: Bar chart showing ALL event counts grouped by stats.flow.emerg_mode_entered, timestamp, stats.flow.emerg_mode_over. Security use case examples: Highlights high-volume stats.flow.emerg_mode_entered, timestamp, stats.flow.emerg_mode_over categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across stats.flow.emerg_mode_entered, timestamp, stats.flow.emerg_mode_over categories. |
|
event_type:all |
SN-Stats-Frags |
Generic description: Data table aggregating ALL events by stats.defrag.ipv4.fragments, stats.defrag.ipv6.fragments, stats.defrag.max_frag_hits, timestamp, ranked by event count. Security use case examples: Facilitates identification of top stats.defrag.ipv4.fragments, stats.defrag.ipv6.fragments, stats.defrag.max_frag_hits, timestamp values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking ALL events by key observable fields. |
|
event_type:all |
SN-Stats-Frags-Deltas |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-ipv4-ipv6-fragments |
Generic description: Bar chart showing ALL event counts grouped by stats.defrag.ipv4.fragments, timestamp, stats.defrag.ipv6.fragments. Security use case examples: Highlights high-volume stats.defrag.ipv4.fragments, timestamp, stats.defrag.ipv6.fragments categories in ALL traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing ALL event volumes across stats.defrag.ipv4.fragments, timestamp, stats.defrag.ipv6.fragments categories. |
|
event_type:all |
SN-Stats-KernelPacketsAndDrops-Deltas |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-Memcap-Deltas |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-memuse-Deltas |
Generic description: Line chart plotting ALL event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALL activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALL traffic trends over time for infrastructure sizing decisions. |
|
event_type:all |
SN-Stats-TotalKernelPackets |
Generic description: Single-value metric display showing the total count of ALL events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing ALL event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of ALL traffic volume for capacity planning and operational health spot-checks. |
|
event_type:all |
SN-STATS-EventsList (search) |
Generic description: Saved search table displaying raw ALL events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual ALL events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing ALL traffic patterns. |
List of STATS events |
event_type:all |
Dashboard: SN-TFTP¶
Security use case examples: FTP traffic analysis for detecting unauthorized data transfers, credential exposure in plaintext sessions, malware staging via anonymous FTP, and exfiltration.
Network use case examples: FTP transfer volume baselining, top file transfer endpoint tracking, storage bandwidth monitoring, and FTP server capacity planning.
SN-TFTP Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-TFTP-EventsOverTime |
Generic description: Time-series bar chart showing TFTP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in TFTP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing TFTP event volume trends and periodic patterns over time. |
List of TFTP events |
event_type:tftp |
SN-TFTP-File |
Generic description: Donut chart showing the proportional distribution of TFTP events by tftp.file. Security use case examples: Highlights dominant tftp.file values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tftp |
SN-TFTP-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of TFTP traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:tftp |
SN-TFTP-Mode |
Generic description: Donut chart showing the proportional distribution of TFTP events by tftp.mode. Security use case examples: Highlights dominant tftp.mode values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tftp |
SN-TFTP-Packet |
Generic description: Donut chart showing the proportional distribution of TFTP events by tftp.packet. Security use case examples: Highlights dominant tftp.packet values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tftp |
SN-TFTP-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by TFTP event count. Security use case examples: Identifies the most active top dest_ip values in TFTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TFTP traffic volume. |
|
event_type:tftp |
SN-TFTP-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by TFTP event count. Security use case examples: Identifies the most active top dest_port values in TFTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TFTP traffic volume. |
|
event_type:tftp |
SN-TFTP-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by TFTP event count. Security use case examples: Identifies the most active source src_ip values in TFTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TFTP traffic volume. |
|
event_type:tftp |
SN-TFTP-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by TFTP event count. Security use case examples: Identifies the most active source src_port values in TFTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TFTP traffic volume. |
|
event_type:tftp |
SN-TFTP-Total |
Generic description: Single-value metric display showing the total count of TFTP events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing TFTP event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of TFTP traffic volume for capacity planning and operational health spot-checks. |
event_type:tftp |
event_type:tftp |
SN-TFTP-EventsList (search) |
Generic description: Saved search showing TFTP event data aggregated by various fields. Security use case examples: Supports security monitoring by surfacing TFTP traffic patterns indicative of threats, policy violations, or anomalous behavior. Network use case examples: Enables network operations visibility for TFTP traffic baselining, capacity planning, and operational health monitoring. |
List of TFTP events |
event_type:tftp |
Dashboard: SN-TLS¶
Security use case examples: TLS/SSL traffic analysis for detecting expired or self-signed certificates, weak cipher suites, JA3 fingerprint-based malware identification, and encrypted C2 channel detection.
Network use case examples: TLS version adoption monitoring, certificate inventory management, cipher suite compliance baselining, and encrypted traffic volume capacity planning.
SN-TLS Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-TLS-ByIssuerdn |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.issuerdn. Security use case examples: Highlights dominant tls.issuerdn values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-ByJa3Hash |
Generic description: Data table aggregating TLS events by src_ip, tls.ja3.hash, ranked by event count. Security use case examples: Facilitates identification of top src_ip, tls.ja3.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-ByJa3SHash |
Generic description: Data table aggregating TLS events by dest_ip, tls.ja3s.hash, ranked by event count. Security use case examples: Facilitates identification of top dest_ip, tls.ja3s.hash values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-ByJa4Hash |
Generic description: Data table aggregating TLS events by src_ip, tls.ja4, ranked by event count. Security use case examples: Facilitates identification of top src_ip, tls.ja4 values associated with suspicious activity, enabling pivot to related events for threat investigation. Network use case examples: Enables traffic pattern analysis and asset inventory validation by ranking TLS events by key observable fields. |
|
event_type:tls |
SN-TLS-BySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.sni. Security use case examples: Highlights dominant tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-BySubject |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.subject. Security use case examples: Highlights dominant tls.subject values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-ByVersionBySni |
Generic description: Donut chart showing the proportional distribution of TLS events by tls.version, tls.sni. Security use case examples: Highlights dominant tls.version, tls.sni values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:tls |
SN-TLS-EventsOverTime |
Generic description: Time-series bar chart showing TLS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in TLS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing TLS event volume trends and periodic patterns over time. |
List of TLS events |
event_type:tls |
SN-TLS-GeoIP |
Generic description: Geographic heatmap displaying the origin and destination geography of TLS traffic on a world map. Security use case examples: Reveals connections to threat actor regions, unexpected geographic flows, and geo-based policy violations indicative of exfiltration or C2 communication. Network use case examples: Provides geographic topology visibility for capacity planning, CDN placement decisions, and international traffic policy enforcement. |
|
event_type:tls |
SN-TLS-Top20DestIP |
Generic description: Data table ranking the top 20 top dest_ip values by TLS event count. Security use case examples: Identifies the most active top dest_ip values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20DestPort |
Generic description: Data table ranking the top 20 top dest_port values by TLS event count. Security use case examples: Identifies the most active top dest_port values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20SrcIP |
Generic description: Data table ranking the top 20 source src_ip values by TLS event count. Security use case examples: Identifies the most active source src_ip values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Top20SrcPort |
Generic description: Data table ranking the top 20 source src_port values by TLS event count. Security use case examples: Identifies the most active source src_port values in TLS traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top source contributors to TLS traffic volume. |
|
event_type:tls |
SN-TLS-Total |
Generic description: Single-value metric display showing the total count of TLS events in the selected time window. Security use case examples: Provides a quick-glance security posture indicator showing TLS event volume that signals anomalous activity when deviating from baseline. Network use case examples: Enables rapid assessment of TLS traffic volume for capacity planning and operational health spot-checks. |
event_type:tls |
event_type:tls |
SN-TLS-EventsList (search) |
Generic description: Saved search table displaying raw TLS events with full field details for drill-down investigation. Security use case examples: Enables analysts to inspect individual TLS events for IOC matching, lateral movement tracing, and forensic timeline reconstruction. Network use case examples: Provides raw event access for troubleshooting protocol behavior, validating parser output, and auditing TLS traffic patterns. |
List of TLS events |
event_type:tls |
Dashboard: SN-TrafficID¶
Security use case examples: The SN-TrafficID dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-TrafficID dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-TrafficID Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-TrafficID-ByTrafficID |
Generic description: Donut chart showing the proportional distribution of FLOW events by traffic.id. Security use case examples: Highlights dominant traffic.id values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-TrafficID-ByTrafficIdOverTime |
Generic description: Bar chart showing FLOW event counts grouped by timestamp, traffic.id. Security use case examples: Highlights high-volume timestamp, traffic.id categories in FLOW traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing FLOW event volumes across timestamp, traffic.id categories. |
|
event_type:flow |
SN-TrafficID-ByTrafficLabel |
Generic description: Donut chart showing the proportional distribution of FLOW events by traffic.label. Security use case examples: Highlights dominant traffic.label values that may indicate suspicious protocol usage, unauthorized applications, or anomalous traffic composition. Network use case examples: Supports protocol inventory and traffic composition analysis for network policy enforcement and application-layer baselining. |
|
event_type:flow |
SN-TrafficID-ByTrafficLabelOverTime |
Generic description: Bar chart showing FLOW event counts grouped by timestamp, traffic.label. Security use case examples: Highlights high-volume timestamp, traffic.label categories in FLOW traffic that may correlate with attack patterns or policy violations. Network use case examples: Enables traffic composition analysis and asset classification by comparing FLOW event volumes across timestamp, traffic.label categories. |
|
event_type:flow |
Dashboard: SN-VLAN¶
Security use case examples: The SN-VLAN dashboard supports network security monitoring by tracking protocol events, alert patterns, and traffic anomalies for threat detection and incident response.
Network use case examples: The SN-VLAN dashboard supports network operations by providing traffic baselines, top-talker visibility, and operational health metrics for capacity planning and infrastructure management.
SN-VLAN Visualizations¶
Visualization |
Description |
JSON key |
Event Type |
|---|---|---|---|
SN-Alert-ByVLANID |
Generic description: Line chart plotting ALERT event count or metric values over time for trend analysis. Security use case examples: Reveals temporal patterns in ALERT activity that may indicate periodic C2 beaconing, scheduled exfiltration, or brute force attack waves. Network use case examples: Supports capacity planning by visualizing ALERT traffic trends over time for infrastructure sizing decisions. |
|
event_type:alert |
SN-Alert-ByVLANIDTop20 |
Generic description: Data table ranking the top 20 top vlan values by ALERT event count. Security use case examples: Identifies the most active top vlan values in ALERT traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to ALERT traffic volume. |
|
event_type:alert |
SN-PerVLAN-ALERTEventsOverTime |
Generic description: Time-series bar chart showing ALERT event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in ALERT events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing ALERT event volume trends and periodic patterns over time. |
List of ALERT events |
event_type:alert |
SN-PerVLAN-DNSEventsOverTime |
Generic description: Time-series bar chart showing DNS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in DNS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing DNS event volume trends and periodic patterns over time. |
List of DNS events |
event_type:dns |
SN-PerVLAN-FILETransEventsOverTime |
Generic description: Time-series bar chart showing FILEINFO event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in FILEINFO events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing FILEINFO event volume trends and periodic patterns over time. |
List of FILEINFO events |
event_type:fileinfo |
SN-PerVLAN-HTTPEventsOverTime |
Generic description: Time-series bar chart showing HTTP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in HTTP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing HTTP event volume trends and periodic patterns over time. |
List of HTTP events |
event_type:http |
SN-PerVLAN-SMTPEventsOverTime |
Generic description: Time-series bar chart showing SMTP event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SMTP events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SMTP event volume trends and periodic patterns over time. |
List of SMTP events |
event_type:smtp |
SN-PerVLAN-SSHEventsOverTime |
Generic description: Time-series bar chart showing SSH event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in SSH events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing SSH event volume trends and periodic patterns over time. |
List of SSH events |
event_type:ssh |
SN-PerVLAN-TLSEventsOverTime |
Generic description: Time-series bar chart showing TLS event volume over time. Security use case examples: Identifies traffic spikes, attack bursts, and temporal anomalies in TLS events that may indicate active threats or ongoing incidents. Network use case examples: Supports capacity planning and traffic baselining by revealing TLS event volume trends and periodic patterns over time. |
List of TLS events |
event_type:tls |
SN-SMTP-Top20VLAN |
Generic description: Data table ranking the top 20 top vlan values by SMTP event count. Security use case examples: Identifies the most active top vlan values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |
SN-SMTP-Top20VLANsOverTime |
Generic description: Data table ranking the top 20 top timestamp, vlan values by SMTP event count. Security use case examples: Identifies the most active top timestamp, vlan values in SMTP traffic, highlighting potential scanners, high-volume clients, or compromised hosts. Network use case examples: Supports traffic engineering and ACL policy review by revealing the top top contributors to SMTP traffic volume. |
|
event_type:smtp |