Intelligence Telemetry
Displaying cybersecurity incidents in a dashboard requires structured, high-quality telemetry. The Intelligence telemetry payload provides network intelligence indicators generated by the Netify Intelligence plugin.
This structure is optimized for downstream enrichment, alerting, and policy workflows. By combining indicator scores with emitted criteria values, integrators can tune thresholds, differentiate LAN/WAN trigger behavior, and maintain clear explainability across security analytics pipelines.
Requirements
- Install and configure the Netify Agent
- Install and configure a Sink Plugin for receiving the telemetry
- Install and configure the Intelligence Plugin
- Configure Sink Targets
- Add the sink targets to any or all of your indicators
- Source: Intelligence Plugin
- Plugin Release: 1.2.0
Risk Overview
Intelligence telemetry maps explainable risk indicators to observed network flows, making it easy to assess exposure across devices, applications, and protocols. These indicators highlight high-value risks such as encrypted tunnels that bypass local controls, anomalous TLS certificate behavior, weak encryption, and traffic consistent with proxy or relay services.
Each detection includes relevant context and a normalized risk score (Informational to Critical), allowing operators to quickly prioritize and respond.
The same indicators can drive enforcement policies, real-time alerts, or managed monitoring services. Because both context and scoring are preserved, operators can tune thresholds, reduce false positives, and deliver clear, actionable insights.
Risk Scoring
| Score | Description |
|---|---|
| 0 | Informational |
| 1-25 | Low Risk |
| 26-50 | Medium Risk |
| 51-75 | High Risk |
| 76-100 | Critical Risk |
Risks are scored on a scale of 0 to 100 and grouped into 5 categories.
Attributes
Once the output plugin is configured, intelligence telemetry will be emitted in one of three formats described below. All formats share a common intel object, which contains the core fields for each detection. These fields capture the detection category, trigger event, indicator identity, and risk score, providing the context required for downstream alerting, correlation, and policy workflows.
| Attribute | Type |
|---|---|
| category | string |
| criteria | object |
| event | string |
| indicator | string |
Intelligence Telemetry: Core Attributes
```json
"intel": [
  {
    "category": "tls_certificate_audit",
    "criteria": {
      "min_bytes": 0,
      "min_score": 0,
      "trigger_on_east_west": true,
      "trigger_on_wan": true
    },
    "data_feed": "tls_cert_self_signed",
    "event": "dpi_complete",
    "indicator": "tls_cert_self_signed_remote",
    "indicator_driver": "tls_cert_self_signed",
    "score": 80
  },
  ...
]
```
Formats
The Intelligence telemetry is provided in three different formats. The choice of format mostly depends on how other telemetry data is being ingested.
Full
When flow_metadata is set to full, the complete flow record is emitted along with the additional intel attribute object described above. Refer to the flow telemetry documentation for full field definitions.
This record format is typically used in environments where only aggregated telemetry is collected, not full flows. Including the full flow in the Intelligence telemetry ensures that all necessary context is available without requiring correlation with external datasets.
Minimalist
When flow_metadata is set to none, a minimalist telemetry record is emitted.
This format is designed for environments where full flow records are already being collected independently. The additional intel attribute is delivered separately and linked to the existing flow record using the flow digest, enabling efficient correlation without duplicating data.
Intelligence Telemetry: Minimalist
```json
{
  "flow": {
    "digest": "5e8529b046a53bfd3787eb7272675...",
    "digest_prev": [
      "355d412cf9a8a6f1cc583bffa7da9f876603998f",
      "5e8529b046a53bfd3787eb7272675662d3865cbf"
    ],
    "intel": [
      {
        "category": "vpn_detection",
        "criteria": {
          "min_bytes": 0,
          "min_score": 0,
          "trigger_on_east_west": true,
          "trigger_on_wan": true
        },
        "data_feed": "vpn_server_consumer",
        "event": "dpi_complete",
        "indicator": "vpn_server_consumer",
        "indicator_driver": "vpn_server_consumer",
        "score": 70
      }
    ],
    "last_seen_at": 1775750510867
  },
  "interface": "eno1",
  "internal": true,
  "type": "flow_intel"
}
```
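The two consumer-side steps this page describes, mapping a score to its Risk Scoring band and joining a minimalist flow_intel record to a previously collected flow record by digest, as an added example; this is a hypothetical downstream consumer, not code from the Netify plugin, and the alert threshold, the shape of the stored full flow record and the digest values are assumptions.

```python
import json
# Risk bands from this page's Risk Scoring table (inclusive score ranges).
RISK_BANDS = ((0, 0, "Informational"), (1, 25, "Low Risk"), (26, 50, "Medium Risk"),
              (51, 75, "High Risk"), (76, 100, "Critical Risk"))

def risk_band(score):
    """Map an indicator score (0-100) to its named band; reject out-of-range values."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    return next(name for low, high, name in RISK_BANDS if low <= score <= high)

class IntelCorrelator:
    """Hypothetical downstream consumer (not part of the Netify plugin): keeps full
    flow records keyed by digest and joins minimalist flow_intel records to them."""
    def __init__(self, alert_floor=51):  # assumed integrator threshold: High Risk and up
        self.flows = {}
        self.alert_floor = alert_floor

    def add_flow(self, flow_record):
        self.flows[flow_record["flow"]["digest"]] = flow_record

    def handle_intel(self, line):
        rec = json.loads(line)
        if rec.get("type") != "flow_intel":
            return None  # not an intelligence record; leave it to the flow pipeline
        flow = rec["flow"]
        # Join on the current digest first, then on digest_prev entries: the full
        # record may have been stored under an earlier digest of the same flow.
        candidates = [flow["digest"], *flow.get("digest_prev", [])]
        match = next((self.flows[d] for d in candidates if d in self.flows), None)
        return [{"indicator": i["indicator"], "category": i["category"],
                 "score": i["score"], "band": risk_band(i["score"]),
                 "alert": i["score"] >= self.alert_floor,
                 "correlated": match is not None,
                 "interface": rec.get("interface"), "internal": rec.get("internal")}
                for i in flow.get("intel", [])]

# Constructed sample input: the digests are made up, not real values.
FULL_FLOW = {"flow": {"digest": "aaaa1111"}}  # stand-in for a stored full flow record
MINIMAL_INTEL = json.dumps({"type": "flow_intel", "interface": "eno1", "internal": True,
    "flow": {"digest": "bbbb2222", "digest_prev": ["aaaa1111"], "last_seen_at": 1775750510867,
             "intel": [{"category": "vpn_detection", "event": "dpi_complete",
                        "indicator": "vpn_server_consumer", "score": 70,
                        "criteria": {"min_bytes": 0, "min_score": 0,
                                     "trigger_on_east_west": True, "trigger_on_wan": True}}]}})
if __name__ == "__main__":
    c = IntelCorrelator()
    c.add_flow(FULL_FLOW)
    print(json.dumps(c.handle_intel(MINIMAL_INTEL), indent=2))
```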
Stats
When flow_metadata is set to stats, a flow record with summarized statistics is emitted.
This record type is intended for analyzing the underlying indicators that triggered detection. The included statistics reflect activity observed up to the point of detection, rather than the complete lifecycle of the flow.
Intelligence Telemetry: Stats
```json
{
  "flow": {
    "detection_packets": 6,
    "digest": "731246630167090d8f9eceffbc4f1...",
    "digest_prev": [
      "5017058958a6fa49217a594de4d169a0e4e3e180",
      "731246630167090d8f9eceffbc4f15d705d616c1"
    ],
    "intel": [
      {
        "category": "tor_detection",
        "criteria": {
          "min_bytes": 0,
          "min_score": 0,
          "trigger_on_east_west": true,
          "trigger_on_wan": true
        },
        "data_feed": "tor_relay",
        "event": "dpi_complete",
        "indicator": "tor_relay",
        "indicator_driver": "tor_relay",
        "score": 70
      }
    ],
    "last_seen_at": 1775751029770,
    "local_bytes": 2076,
    "local_packets": 6,
    "local_rate": 2076.0,
    "other_bytes": 1528,
    "other_packets": 4,
    "other_rate": 1528.0,
    "tcp": {
      "resets": 0,
      "retrans": 0,
      "seq_errors": 0
    },
    "total_bytes": 3604,
    "total_packets": 10
  },
  "interface": "eno1",
  "internal": true,
  "type": "flow_intel"
}
```