Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Suspicious Content in Network Flows

SUMMARY Network Insights checks for suspicious content in network flows at the enriched and advanced inspection levels.

The Suspect Content Descriptions field is populated by multiple data sources, such as website categories, embedded links, and Yara rules, and contains data only when a suspicious entity is detected.

The following list shows examples of the types of suspicious content that are detected at the enriched and advanced inspection levels:
Enriched inspection
  • Identified protocol that runs on a non-standard port.
  • SSL/TLS certificate that is used outside of its valid dates.
  • Use of a self-signed certificate in SSL/TLS.
  • Use of a weak public key length in SSL/TLS.
  • Suspicious content via scanning with user provided Yara rules.
  • Category of a website is one of several suspicious entries.
Advanced inspection
  • Suspicious content in the transferred information.
  • Excessive numbers of items that were discovered through regular expression matching.
  • Credit card numbers, social security numbers, IP addresses, and email addresses.
  • User-defined items that are discovered through regex matching that is marked as suspicious.
  • Scripts in Office or PDF files.
  • Embedded links in PDF files.
  • Certificate has a non-DNS subject alternative name.

  • Signature algorithm does not match the to-be-signed signature algorithm.

  • BitTorrent handshake verification failure.

  • X-Force signatures.

    For more information, see Suspect content descriptions derived from X-Force.