Overview
The NDR module takes bypass mirroring traffic as input and provides five detection and analysis capabilities: threat detection, file sandbox detection, traffic risk analysis, asset fingerprinting recognition, and protocol parsing and storage. It covers the complete detection chain, from traffic reconstruction and real-time detection to file-level determination, and further to asset exposure surface identification and risk mitigation.
This document provides a unified overview of the functions, detection scope, key configuration items, and typical access points for these five capabilities. For configurations related to traffic ingestion, such as asset onboarding, traffic collection, and over-limit handling, see Traffic Access. Note:
All capabilities described in this section take effect only for assets that have NDR enabled on the Traffic Access page. Threat Detection
NDR leverages multi-engine capabilities to perform deep analysis and detection on bidirectional north-south and east-west traffic, addressing blind spots in traditional perimeter protection, which include advanced threats such as APT attacks, 0-day vulnerability exploits, and internal lateral movement. Threat detection alarms are uniformly ingested into the Alarm Center, and no separate alarm queue is created. 1. Log in to the CFW console, in the left sidebar, choose Network Detection and Response > Threat Detection. 2. In the Updates area, you can view the update descriptions for rules and vulnerabilities updates. Click Update History to view the complete historical updates list.
3. In the NDR threat detection rule configuration area, you can perform the following operations:
Click Reset all. The system will restore the default switch states and default actions for all rules, and the changes take effect immediately.
Click a specific Rule ID to view its detailed information.
Click the switch in the operation column of a specific rule to enable or disable the selected rule. After a rule is disabled, traffic will no longer be matched by that rule.
Note:
Enabling or disabling the switch affects all applicable scopes, which include the Internet Firewall, NAT Firewall, VPC Firewall, and NDR.
4. In the NDR threat detection rule configuration area, click Check alarm details. You will be navigated to the Alarm Center page, where alarm events with the firewall type set to NDR are filtered. For details on specific operations in the Alarm Center, see Viewing and Handling of Attack Alarm Events. 5. In the NDR threat detection rule configuration area, click View Detection Allowlist. You will be navigated to the Intrusion Defense > Allowlist strategy page. For details on specific operations for allowlist policies, see Managing Defense Operations. File Sandbox Detection
NDR supports complete file restoration from network traffic, combined with Tencent Cloud threat intelligence analysis and dynamic execution in cloud-based sandbox isolation environments, enabling timely detection of anomalous file threats.
Note:
Static File Detection, Dynamic File Sandbox, and Skill Poisoning Detection are designed for encrypted traffic scenarios. They take effect only after you enable the NDR Encrypted Traffic Detection Switch on the traffic ingestion side.
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > File Sandbox Detection. 2. In the file detection configuration area, you can enable file detection configuration:
File Restoration Switch: After you enable this switch, the system restores files transmitted in network traffic, which serves as the basis for subsequent file detection. You must enable this switch before you can configure Static File Detection, Dynamic File Sandbox, and Skill Poisoning Detection. After you disable the switch, these configurations become unavailable.
Static File Detection Switch: After you enable this switch, the system scans files by leveraging the threat intelligence cloud detection engine, accurately identifying malicious files.
Dynamic File Sandbox Switch: After you enable this switch, the system performs dynamic behavior analysis on files using Tencent's self-developed sandbox analysis engine. This analysis includes, but is not limited to, network behavior, process behavior, and file behavior.
Skill Poisoning Detection Switch: After you enable this switch, the system performs Skill (AI Agent tool/skill definition) poisoning detection based on static threat intelligence and dynamic sandboxing, providing more comprehensive detection capabilities.
3. In the file detection configuration area, click Check alarm details. You will be navigated to the Alarm Center page, where alarm events with the firewall type set to NDR and the judgment source set to file detection are filtered. For details on specific operations in the Alarm Center, see Viewing and Handling of Attack Alarm Events. 4. In the file detection configuration area, click View Log Details. You will be navigated to the Network Detection and Response Logs > File Detection Logs > File Alarm Logs page. For details on specific operations for log auditing, see Log Auditing. 5. In the detection capabilities area, you can view the file detection capabilities. The specific supported capabilities are subject to what is displayed on the page.
Traffic Risk Analysis
NDR supports the detection of risks such as sensitive data leaks, weak passwords, and open ports, helping to reduce enterprise risk.
Sensitive Data Leak Risks
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Traffic Risk Analysis > Sensitive Data Leak Detection. 2. In the sensitive data leak detection switch area, you can enable the Sensitive Data Leak Detection Switch. After you enable it, the system can analyze sensitive data leak risks in real time, detecting both inbound and outbound sensitive information leak risks.
3. In the sensitive data leak detection switch area, click View Log Details. You will be navigated to the Network Detection and Response Logs > Traffic Risk Logs > Sensitive Data Leaks page. For details on specific operations for log auditing, see Log Auditing. 4. In the detection policy area, you can enable the required sensitive data detection policies as needed.
Weak Password Risk Detection
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Traffic Risk Analysis > Weak Password Risk Detection. 2. In the weak password risk detection switch area, you can enable the Weak Password Risk Detection Switch. After you enable it, the system can detect the transmission of weak passwords within the enterprise, preventing attackers from exploiting low-security account credentials.
3. In the weak password risk detection switch area, click View Log Details. You will be navigated to the Network Detection and Response Logs > File Detection Logs > Weak Password Risks page. For details on specific operations for log auditing, see Log Auditing.
4. In the detection rules area, you can view the complexity detection rules and dictionary detection rules. The specific detection rules are subject to what is displayed on the page.
Port Risk Detection
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Traffic Risk Analysis > Port Risk Detection. 2. In the port risk detection switch area, you can enable the Port Risk Detection Switch. After you enable it, the system can detect the exposure of high-risk ports and precisely locate the source, destination IP address, and destination port.
3. In the NDR Port Risk Detection Description area, you can view the NDR port risk detection description. The specific NDR port risk detection description is subject to what is displayed on the page.
Asset Fingerprint Recognition
NDR performs deep feature analysis on network traffic. By leveraging a continuously and dynamically updated asset fingerprint rule base, it helps enterprises accurately identify and inventory various assets and application components, building comprehensive asset awareness capabilities.
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Asset Fingerprint Recognition. 2. In the asset fingerprinting configuration area, you can enable the Asset fingerprinting recognition configuration. After you enable it, the system supports asset identification through traffic fingerprints. This is a passive identification method and is non-intrusive to business operations. Enabling the NDR Encrypted Traffic Detection Switch supports the identification of AI application assets.
3. In the asset fingerprinting configuration area, click View Asset. You will be navigated to the Asset Center > By Service Type page. For details on specific operations for service types, see Service Type. 4. In the asset fingerprinting classification area, you can view the identifiable major categories and specific subcategory components supported by asset fingerprinting. The specific identifiable major categories and subcategory components are subject to what is displayed on the page.
Protocol Parsing and Storage
NDR supports parsing of a wide range of protocols. Users with the Enterprise Edition and above can use custom log storage solutions.
Protocol Parsing
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Protocol Parsing and Storage > Protocol Parsing. 2. On the protocol parsing page, you can view the supported parsing scope. The specific parsing scope is subject to what is displayed on the page.
XFF Parsing
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Protocol Parsing and Storage > XFF Parsing. 2. On the XFF Parsing page, the system can parse XFF-related fields in HTTP requests, extract the real client IP address, and display it in alarm logs. The supported parsing fields include X-Forwarded-For, X-Real-IP, X-Original-Forwarded-For, X-Forwarded-For-Pound, and cdn-src-ip. The Proxy IP Configuration provides two extraction modes:
Complete Mode: The system deduplicates all IP addresses from XFF fields (including X-Real-IP, X-Forwarded-For, and so on) and displays them in the alarm proxy IP field.
Precise Mode: Based on the domain name rules you configure, the system extracts a single IP address from the specified position in the XFF fields and displays it in the alarm proxy IP field.
3. In Precise Mode, click Add one to configure an extraction rule based on the domain name dimension. After configuration, click Save to apply the rule. You can edit or delete existing rules. Each rule includes:
Domain Name: Specific domain names or wildcard domain names are supported. Examples are as follows:
Valid Domain Name Examples:
Specific domain name: example.com
Wildcard single-level subdomain: *.example.com. It matches a.example.com but does not match a.b.example.com.
Wildcard single-level subdomain: www.*.example.com. It matches www.a.example.com but does not match www.a.b.example.com.
Wildcard multi-level subdomain: *.*.example.com
Wildcard domain name suffix: example.com.*
Domain name in IP address format: 1.2.3.4
Lllegal Domain Name Examples:
Fewer than two non-wildcard labels: *.com
It cannot be mixed with characters: *example.com:*
It cannot start with a hyphen: -example.com:
Consecutive periods are not allowed: example..com:
It cannot contain a protocol prefix: http://example.com:
XFF Field: Select the HTTP Header field to be parsed.
IP Sequence Number: A positive number indicates forward extraction, and a negative number indicates reverse extraction. For example, -1 indicates extracting the last IP address.
Note:
Precise Mode supports a maximum of 20 rules. Multiple rules are matched in the order listed, and matching stops once a rule is hit.
Custom Log Parsing
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Protocol Parsing and Storage > Custom Log Parsing. 2. On the Log Custom Parsing page, you can parse special fields in HTTP Headers. A maximum of three custom fields can be parsed. The procedure is as follows:
2.1 In the custom parsing field list, select the target custom parsing field and click Edit in the Operations column.
2.2 Enter the special field in the custom parsing field text box of the corresponding row, and click Save in the Operations column.
2.3 After saving, the data is added to the traffic logs. You can also search for custom fields on the Log Auditing and Log Analysis pages.
3. On the Log Custom Parsing page, click View Traffic Analysis Log to navigate to the Network Detection and Response Logs > Traffic Analysis Logs page. For detailed operation instructions on log auditing, see Log Auditing. Log Storage
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Protocol Parsing and Storage > Log Storage. 2. On the Log Storage page, users with the Enterprise Edition or above can modify the log storage type and retention period. This modification can be performed only once per month.
|
Message Storage Configuration for Traffic | Original traffic package storage | Supports setting the storage length for the req_hex, rsp_hex, http_request_body, and http_response_body fields, with a default of 1024 bytes. Optional values: 64, 128, 256, 512, and 1024 bytes. |
Traffic Log Storage Configuration | log retention period | Navigate to the log storage type configuration page. The default is 180 days. Optional values: 7, 30, 60, 90, and 180 days. |
| Log storage type | Navigate to the log storage type configuration page, where you can select multiple options from inbound traffic, outbound traffic, and east-west traffic. |
| Payload storage | When enabled: HTTP data parsing fully saved. When it is disabled: only HTTP request and response headers are retained; HTTP Payload details and TCP request/response packets are not retained. |
| Protocol log storage range | Set the network protocol scope for storing NDR traffic logs. The actual network protocol scope is subject to the display on the page. |
Alarm Log Storage Configuration | Alarm/Risk Log Storage Duration | Navigate to the log storage type configuration page, where you can set the log retention period to 7, 30, 60, 90, or 180 days. |
| Alarm Log Storage Type | Navigate to the log storage type configuration page, where you can select multiple options from Threat Intelligence, Basic Defense, Virtual Patch, Blocklist, Security Baseline, and Network Honeypot. |
| Risk log storage type | Network Detection and Response risk logs do not support configuration of storage type. By default, for weak password and API Sensitive Information Transmission, they are selected and cannot be modified. |
AI Traffic Log Auditing
1. Log in to the CFW console. In the left sidebar, choose Network Detection and Response > Protocol Parsing and Storage > AI Traffic Log Auditing. 2. On the AI Traffic Log Auditing page, you can enable the AI Traffic Log Auditing switch. After it is enabled, the system supports parsing and storing AI full traffic logs.