NDR — Network Detection & Response
In the spirit of Security Onion and IBM QRadar QFlow: find the threats that hide across many connections. From real connection telemetry, NDR detects malware phoning home, port scans, and contact with known-bad hosts.
- Best-of: Security Onion · Zeek · IBM QRadar QFlow
- Module: nexus_secops/ndr.py
- Edition: Free — agent connection telemetry required
- API: /api/v1/ndr/flows · /ndr/talkers · /ndr/stats
What it does
The agent reports active connections (source, destination, port) from ss / netstat. NDR accumulates these observations and finds patterns no single connection reveals — the regular, low-jitter callbacks of a C2 beacon, a burst of ports characteristic of a scan, or a connection to a destination in your IOC store.
How to use it
GET /api/v1/ndr/talkers # busiest external destinations
GET /api/v1/ndr/stats # observations + distinct destinations
GET /api/v1/ndr/flows?agent_id=<id> # raw observations for one agent
Detections
- Beaconing / C2 — repeated connections to the same external host at a regular interval (low jitter), the way malware phones home.
- Port scan — one host touching many distinct destination ports in a window.
- Known C2 — a destination that matches the Threat-Intel IOC store (critical).
- Exfiltration — large outbound volume to a single external host (when byte counts are available).
Findings become a network_threat event → alert NEXUS-NDR-001. Private and local addresses are excluded so internal chatter does not look like a beacon.
How it feeds the pipeline
NDR reuses Threat Intel for the known-C2 check, and its findings combine in XDR with a suspicious process or IOC contact into XDR-NDR-001 — "C2 confirmed". SOAR's PB-NDR-BLOCK can block the destination.
Tips
- Beaconing is about regularity, not the IP — NDR catches a fresh C2 the first time it shows a cadence.
- Triage a beacon by finding the process behind it (EDR) and the threat behind the IP (Threat Intel).
- Top-talkers is a fast daily check for "who is my network talking to the most?".