Network Insights checks for suspicious content in network flows at the enriched and advanced inspection levels.

The Suspect Content Descriptions field is populated by multiple data sources, such as website categories, embedded links, and Yara rules. It contains data only when a suspicious entity is detected in the flow.

The following list shows examples of the types of suspicious content that are detected at the enriched and advanced inspection levels:
Enriched inspection:
- Identified protocol that runs on a non-standard port.
- SSL/TLS certificate that is used outside of its valid dates.
- Use of a self-signed certificate in SSL/TLS.
- Use of a weak public key length in SSL/TLS.
- Suspicious content found by scanning with user-provided Yara rules.
- Category of the website is one of several suspicious entries.

Advanced inspection:
- Suspicious content in the transferred information.
- Excessive number of items discovered through regular expression matching.
- Credit card numbers, social security numbers, IP addresses, and email addresses.
- User-defined items that are discovered through regex matching and that are marked as suspicious.
- Scripts in Office or PDF files.
- Embedded links in PDF files.
- Certificate has a non-DNS subject alternative name.
- Certificate signature algorithm does not match the signature algorithm declared in the to-be-signed (TBS) portion of the certificate.
- BitTorrent handshake verification failure.
- X-Force signatures. For more information, see Suspect content descriptions derived from X-Force.
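The advanced-inspection items above that come from regular expression matching (credit card numbers, social security numbers, IP addresses, email addresses, user-defined patterns, and the "excessive number of items" condition) are easy to misunderstand as bare regex hits. The following Python script is an added illustration of that kind of scanner and is not QRadar Network Insights code: it applies built-in patterns to transferred content, validates each hit (Luhn check for card numbers, address validation for IPv4, SSA issuance rules for SSNs) so that random digit runs are not reported, accepts user-defined patterns, and emits descriptions in the spirit of the Suspect Content Descriptions field. The pattern names, the descriptor wording, the `excessive_threshold` value, and the sample payload are all assumptions made for the example.

```python
"""Regex-based content scanner in the spirit of advanced-inspection regex
matching. Added example, not QRadar code; names and thresholds are assumed."""
import ipaddress
import re
from collections import Counter

# Built-in patterns. Names are illustrative, not QRadar's own descriptors.
BUILTIN_PATTERNS = {
    # 13-19 digits, optionally separated by spaces or dashes.
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card(match: str) -> bool:
    digits = re.sub(r"[ -]", "", match)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_ipv4(match: str) -> bool:
    try:
        ipaddress.IPv4Address(match)  # rejects octets > 255 such as 999.1.1.1
        return True
    except ValueError:
        return False


def is_ssn(match: str) -> bool:
    # SSA never issues area 000, 666 or 9xx, group 00, or serial 0000.
    area, group, serial = match.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


VALIDATORS = {"credit_card": is_card, "ipv4": is_ipv4, "ssn": is_ssn}


def scan(content: str, user_patterns=None, excessive_threshold: int = 10) -> dict:
    """Scan `content`; return validated hit counts and descriptor strings.

    user_patterns: {name: regex_string} for user-defined items that should be
    marked suspicious. excessive_threshold is an assumed cut-off for the
    'excessive number of items' descriptor.
    """
    counts = Counter()
    for name, pattern in BUILTIN_PATTERNS.items():
        validator = VALIDATORS.get(name, lambda m: True)
        for m in pattern.finditer(content):
            if validator(m.group(0)):
                counts[name] += 1
    for name, regex in (user_patterns or {}).items():
        n = len(re.findall(regex, content))
        if n:
            counts[name] += n

    descriptions = []
    for name, n in sorted(counts.items()):
        descriptions.append(f"{name} detected ({n})")
        if n >= excessive_threshold:
            descriptions.append(
                f"excessive number of {name} items ({n} >= {excessive_threshold})")
    return {"counts": dict(counts), "descriptions": descriptions}


# Constructed sample payload (not captured traffic). 4111 1111 1111 1111 is a
# well-known Luhn-valid test number; the second card fails the checksum.
SAMPLE = """\
Order confirmation for alice@example.com
card: 4111 1111 1111 1111
bad card: 4111 1111 1111 1112
ssn: 078-05-1120
hosts: 192.168.0.1 and 999.1.1.1 via corp-db01
"""

if __name__ == "__main__":
    result = scan(SAMPLE, user_patterns={"internal_host": r"\bcorp-[a-z0-9]+\b"})
    for line in result["descriptions"]:
        print(line)
```

Running the block on the constructed sample reports one hit each for the card number, SSN, IPv4 address, email address and user-defined hostname; the Luhn-invalid card and the out-of-range IP are discarded by the validators rather than reported. The same scan on a payload carrying ten or more addresses adds the "excessive number of items" descriptor, which is the condition the list above distinguishes from a single match.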