Detection Rules
NetSenX uses a proprietary NDR (network detection and response) engine that combines behavioral analysis with multi-valued logic scoring to detect threats for which no signature exists yet.
Built-in Detections
| Capability | Severity | What it detects |
|---|---|---|
| C2 Beacon Detection | CRITICAL | Periodic outbound connections to suspicious IPs |
| Data Exfiltration Detection | CRITICAL | High upload ratio to external IPs, especially after hours |
| OT/ICS Unauthorized Write | CRITICAL | Write commands to OT/ICS protocols (Modbus, DNP3, BACnet) |
| Port Scan Detection | HIGH | Single IP scanning multiple ports on a target |
| Lateral Movement Detection | HIGH | Internal-to-internal connections on sensitive ports (RDP, SSH, SMB) |
| Brute Force Detection | HIGH | Multiple failed authentication attempts |
| DNS Tunneling Detection | HIGH | DNS queries with abnormal entropy (potential data tunneling) |
| Shadow AI Detection | MEDIUM | Unauthorized connections to AI/ML service endpoints |
| Anomalous Payload Detection | MEDIUM | Unusual packet sizes or byte patterns |
| New Device Detection | LOW | Previously unseen device on the network |
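To make the table concrete, here is an added example (not NetSenX code, which is proprietary) implementing three of the detections above as plain-Python heuristics over constructed flow records: beacon regularity for C2, distinct-port counting for port scans, and label entropy for DNS tunneling. Thresholds such as `min_flows`, `window`, `min_ports` and `min_entropy` are assumed illustrative values, and the flow records are constructed, not captured.

```python
# Added example, not NetSenX code: three of the built-in detections above
# (C2 beaconing, port scan, DNS tunneling) as plain-Python heuristics over
# constructed flow records, to show the behavioral signal each one keys on.
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record. All values below are constructed, not captured."""
    ts: float            # flow start, seconds
    src: str
    dst: str
    dport: int
    bytes_out: int
    dns_qname: str = ""  # set only for DNS flows


def beacon_score(flows, src, dst, min_flows=6):
    """C2 beacon heuristic: regularity of the gaps between connections from
    src to dst. 1.0 means perfectly periodic; the score falls as the jitter
    (coefficient of variation of inter-arrival times) grows. Fewer than
    min_flows connections is too little evidence and scores 0.0."""
    times = sorted(f.ts for f in flows if f.src == src and f.dst == dst)
    if len(times) < min_flows:
        return 0.0
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / mean)


def port_scan_sources(flows, window=60.0, min_ports=20):
    """Port scan heuristic: distinct destination ports one source touches on
    one target within `window` seconds. Returns {src: max distinct ports}
    for sources at or above min_ports."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for (src, _dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        for i, first in enumerate(pair_flows):
            ports = {f.dport for f in pair_flows[i:] if f.ts - first.ts <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
                break
    return hits


def shannon_entropy(s):
    """Shannon entropy in bits of the character distribution of s."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def dns_tunnel_candidates(flows, min_label_len=30, min_entropy=3.5):
    """DNS tunneling heuristic: flag queries whose leftmost label is both long
    and high-entropy, which is what encoded payload looks like. Short labels
    and long-but-repetitive ones are left alone."""
    hits = []
    for f in flows:
        label = f.dns_qname.split(".")[0] if f.dns_qname else ""
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append(f.dns_qname)
    return hits


def sample_flows():
    """Constructed sample: a 60 s beacon, irregular browsing, a 25-port scan
    and three DNS queries (addresses are from documentation ranges)."""
    flows = [Flow(1000.0 + 60 * i, "10.0.0.5", "203.0.113.7", 443, 512) for i in range(10)]
    flows += [Flow(float(t), "10.0.0.9", "198.51.100.20", 443, 30000)
              for t in (1000, 1007, 1090, 1093, 1300, 1301, 1650, 1900, 1902, 2500)]
    flows += [Flow(3000.0 + p * 0.2, "10.0.0.33", "10.0.0.50", p, 60) for p in range(1, 26)]
    flows += [
        Flow(4000.0, "10.0.0.5", "10.0.0.2", 53, 80, "www.example.com"),
        Flow(4001.0, "10.0.0.5", "10.0.0.2", 53, 120,
             "abcdefghijklmnopqrstuvwxyz0123456789.tunnel.example"),
        Flow(4002.0, "10.0.0.5", "10.0.0.2", 53, 120, "a" * 38 + ".example.com"),
    ]
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("beacon 10.0.0.5->203.0.113.7:", beacon_score(fl, "10.0.0.5", "203.0.113.7"))
    print("browsing 10.0.0.9->198.51.100.20:", beacon_score(fl, "10.0.0.9", "198.51.100.20"))
    print("port scanners:", port_scan_sources(fl))
    print("DNS tunnel candidates:", dns_tunnel_candidates(fl))
```

Each heuristic deliberately needs more than one packet before it speaks: the beacon score requires a run of connections, the scan check a burst of ports, the tunneling check a long label. That is the difference between a behavioral rule and a signature, and it is also why a real engine keeps per-host state across time rather than judging flows one at a time.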
Detection coverage expands with higher-tier plans:
| Plan | Coverage |
|---|---|
| Free | Core detections |
| Starter | Core detections |
| Professional | Extended detections |
| Business | Extended detections + OT protocol support |
| Enterprise | Full detection suite + OT protocol support |
How the NDR Engine Works
The NetSenX behavioral detection engine:
- Builds baseline: Learns each host's normal network behavior over the first 24-48 hours. Detections during this window are unreliable, and any malicious activity already under way is learned as normal, so baseline on a network you have reason to trust
- Extracts features: For each flow, extracts a feature set covering timing, volume, ports and protocols
- Scores with multi-valued logic: Grades each detection dimension on a scale rather than as a binary match and combines the grades into one confidence score
- Explains with SHAP: Generates per-feature attribution (SHAP values) for every detection, showing which features drove the score
- Accumulates evidence: Correlates related events over time, so a series of individually weak signals can reach alert confidence
Unlike signature-based IDS such as Snort or Suricata, which match traffic against patterns of known attacks, the NDR engine flags deviations from the learned baseline, so it can surface zero-day tooling and novel attack patterns for which no signature exists yet. The trade-off is that unusual-but-benign behavior (a new backup job, a migration, a new SaaS integration) also deviates from baseline, which is why the threshold tuning described below matters.
Customizing Rules
Go to Dashboard -> Rules to:
- Enable/disable rules (Admin only)
- Adjust threshold (0.0 to 1.0) — lower = more sensitive, higher = fewer alerts
- View rule statistics — how many alerts each rule has generated
Threshold Tuning
Each rule produces a confidence score from 0.0 to 1.0:
| Score Range | Meaning | Alert Level |
|---|---|---|
| 0.0 - 0.3 | No threat detected | No alert |
| 0.3 - 0.5 | Low confidence | Logged, no alert |
| 0.5 - 0.7 | Medium confidence | MEDIUM or LOW alert |
| 0.7 - 0.9 | High confidence | HIGH alert |
| 0.9 - 1.0 | Very high confidence | CRITICAL alert |
The default threshold is 0.5. Lowering it increases sensitivity (more alerts, potentially more false positives). Raising it reduces noise but may miss threats.
Recommendation: Start with defaults for 1-2 weeks, then tune based on your false positive rate.
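The following is an added example, not NetSenX's proprietary engine, that walks the five engine steps above (baseline, feature extraction, multi-valued scoring, per-feature attribution, evidence accumulation) and then applies the score bands from the threshold table, so the effect of moving the threshold from 0.5 to 0.3 can be seen on concrete flows. The dimension weights, the graded membership functions, the exponential decay, and the way the threshold gates the bands are all assumptions chosen for illustration; the training and test flows are constructed.

```python
# Added example, not NetSenX's proprietary engine: a minimal behavioral scorer
# that walks the five steps above (baseline, feature extraction, multi-valued
# scoring, per-feature attribution, evidence accumulation) and applies the
# score-to-alert bands from the threshold table. Flows are constructed dicts.
import statistics
from collections import defaultdict

# Weight of each detection dimension in the combined score (assumed values).
WEIGHTS = {"volume": 0.5, "timing": 0.2, "port": 0.3}

# Constructed learning-window traffic: two hosts, business hours, one port.
TRAINING_FLOWS = (
    [{"ts": i, "src": "10.0.0.5", "dport": 443, "hour": 9 + i, "bytes_out": b}
     for i, b in enumerate((1500, 2000, 2500, 1800, 2200, 2000, 1900, 2100))]
    + [{"ts": i, "src": "10.0.0.7", "dport": 443, "hour": 10 + i, "bytes_out": b}
       for i, b in enumerate((900, 1000, 1100, 1000))]
)

# Constructed post-baseline traffic to score.
TEST_FLOWS = [
    {"ts": 100, "src": "10.0.0.5", "dport": 443, "hour": 10, "bytes_out": 2100},       # normal
    {"ts": 101, "src": "10.0.0.7", "dport": 443, "hour": 22, "bytes_out": 1150},       # mildly odd
    {"ts": 102, "src": "10.0.0.7", "dport": 443, "hour": 22, "bytes_out": 1150},       # again
    {"ts": 103, "src": "10.0.0.7", "dport": 443, "hour": 22, "bytes_out": 1150},       # again
    {"ts": 104, "src": "10.0.0.5", "dport": 22, "hour": 2, "bytes_out": 50_000_000},   # exfil-like
]


def build_baseline(flows):
    """Step 1: per-host mean/stdev of bytes_out and the set of ports used."""
    vols, ports = defaultdict(list), defaultdict(set)
    for f in flows:
        vols[f["src"]].append(f["bytes_out"])
        ports[f["src"]].add(f["dport"])
    return {src: {"mean": statistics.mean(v),
                  "std": statistics.pstdev(v) or 1.0,  # constant history: avoid /0
                  "ports": ports[src]} for src, v in vols.items()}


def memberships(flow, baseline):
    """Steps 2-3: extract features and grade each dimension in [0, 1] rather
    than true/false. Hosts absent from the baseline belong to the New Device
    detection and are not scored here."""
    b = baseline[flow["src"]]
    z = (flow["bytes_out"] - b["mean"]) / b["std"]
    return {
        "volume": min(1.0, max(0.0, (z - 1.0) / 4.0)),       # z<=1 -> 0, z>=5 -> 1
        "timing": 0.0 if 8 <= flow["hour"] < 19 else 1.0,    # outside business hours
        "port": 0.0 if flow["dport"] in b["ports"] else 1.0,  # never-seen port
    }


def alert_level(score, threshold=0.5):
    """Bands from the threshold table. Assumption: the rule threshold gates
    whether any alert fires at all; the band then sets its level."""
    if score < threshold or score < 0.3:
        return None  # below 0.3 nothing; 0.3-0.5 under the threshold is logged only
    if score < 0.5:
        return "LOW"
    if score < 0.7:
        return "MEDIUM"
    if score < 0.9:
        return "HIGH"
    return "CRITICAL"


def score_stream(flows, baseline, threshold=0.5, decay=0.5):
    """Steps 3-5: combine graded dimensions by weighted sum, keep each
    dimension's contribution as the attribution (exact for an additive model,
    standing in for SHAP on a real model), and accumulate per-host evidence
    with exponential decay so repeated weak signals can cross the threshold."""
    evidence = defaultdict(float)
    results = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        m = memberships(f, baseline)
        contrib = {k: WEIGHTS[k] * m[k] for k in WEIGHTS}
        evidence[f["src"]] = min(1.0, evidence[f["src"]] * decay + sum(contrib.values()))
        s = evidence[f["src"]]
        results.append({"ts": f["ts"], "src": f["src"], "score": round(s, 3),
                        "level": alert_level(s, threshold), "attribution": contrib})
    return results


if __name__ == "__main__":
    base = build_baseline(TRAINING_FLOWS)
    for thr in (0.5, 0.3):
        print(f"threshold {thr}:")
        for r in score_stream(TEST_FLOWS, base, threshold=thr):
            print(f"  ts={r['ts']} {r['src']} score={r['score']} level={r['level']} {r['attribution']}")
```

Running it shows the two effects the tuning text describes. At the default 0.5 the first after-hours flow from 10.0.0.7 is only logged and the second one, with evidence accumulated, becomes a MEDIUM alert; at 0.3 the first flow already fires as LOW. The large off-hours upload to a never-seen port scores 1.0 on its own, and its attribution names volume, timing and port with their exact contributions, which is the kind of explanation an analyst needs to decide whether it is a backup job or exfiltration.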
OT/ICS Protocol Support
Business and Enterprise plans include support for industrial protocols:
| Protocol | Port | Detection |
|---|---|---|
| Modbus/TCP | 502/tcp | Write function codes (write coils, write registers) from hosts not authorized to write |
| DNP3 | 20000/tcp | Unauthorized control commands |
| BACnet/IP | 47808/udp | Unauthorized property writes |
These rules are critical for manufacturing, energy, and infrastructure companies subject to NIS2.
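As an added example (not NetSenX code), the following parses Modbus/TCP requests from the raw TCP payload and flags write function codes from hosts outside an authorized-writer list, which is the shape of check the Modbus row above describes. The function-code table comes from the public Modbus application protocol specification; the frames, IP addresses and the `AUTHORIZED_WRITERS` set are constructed for illustration.

```python
# Added example, not NetSenX code: parse Modbus/TCP requests from raw TCP
# payload and flag write function codes from hosts outside an authorized-
# writer list, the check the "OT/ICS Unauthorized Write" rule performs for
# Modbus. Frames and addresses below are constructed, not captured.
import struct

# Public Modbus function codes that change PLC state (MODBUS Application
# Protocol Specification). Bit 0x80 set marks an exception response.
MODBUS_WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
MODBUS_READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                     3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_modbus_tcp(payload):
    """Split a Modbus/TCP frame into its MBAP header and PDU.
    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    length counts the unit id plus the PDU. Returns None for anything that does
    not fit, so non-Modbus traffic on 502/tcp is not mis-reported."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def check_modbus_write(src_ip, dst_ip, payload, authorized_writers):
    """Return an alert dict for a write request from a host not in
    authorized_writers, otherwise None."""
    frame = parse_modbus_tcp(payload)
    if frame is None or frame["fc"] & 0x80 or frame["fc"] not in MODBUS_WRITE_CODES:
        return None
    if src_ip in authorized_writers:
        return None
    # Write PDUs begin with a 16-bit address (for fc 23 it is the read start address).
    start = struct.unpack(">H", frame["data"][:2])[0] if len(frame["data"]) >= 2 else None
    return {"rule": "OT/ICS Unauthorized Write", "severity": "CRITICAL",
            "src": src_ip, "dst": dst_ip, "unit": frame["unit"],
            "function": MODBUS_WRITE_CODES[frame["fc"]], "start_address": start}


def scan_events(events, authorized_writers):
    """Run the check over (src, dst, payload) tuples and collect the alerts."""
    alerts = []
    for src, dst, payload in events:
        alert = check_modbus_write(src, dst, payload, authorized_writers)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed frames: tid | proto 0 | length | unit | PDU.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")          # fc 3: read 10 registers at 0
WRITE_SINGLE = bytes.fromhex("000200000006010600100001")          # fc 6: register 0x10 := 1
WRITE_MULTI = bytes.fromhex("00030000000b0110002000020400010002")  # fc 16: regs 0x20..0x21
NOT_MODBUS = b"GET / HTTP/1.0\r\n"                                 # something else on 502/tcp

AUTHORIZED_WRITERS = {"10.10.1.5"}  # constructed: the engineering workstation
SAMPLE_EVENTS = [
    ("10.10.9.77", "10.10.2.10", READ_HOLDING),  # read from an unknown host: allowed
    ("10.10.1.5", "10.10.2.10", WRITE_SINGLE),   # write from the authorized host
    ("10.10.9.77", "10.10.2.10", WRITE_MULTI),   # write from an unknown host: alert
    ("10.10.9.77", "10.10.2.10", NOT_MODBUS),    # not Modbus, must not alert
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS, AUTHORIZED_WRITERS):
        print(a)
```

Two caveats a practitioner should keep in mind. Modbus carries no authentication, so the source IP is the only identity available and an attacker with a foothold on the OT segment can spoof or borrow an authorized address; the allow-list is a detection aid, not an access control, and should be cross-checked against the asset inventory. DNP3 and BACnet need their own parsers (DNP3 link-layer frames start with the bytes 0x05 0x64, BACnet/IP wraps its APDU in BVLC and NPDU headers over UDP 47808), but the check has the same shape: decode the function, decide whether it modifies state, and compare the sender against who is allowed to do that.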