Netify Intelligence Plugin
Introduction
The Netify Intel (Intelligence) Plugin extends the Netify Agent with advanced network intelligence capabilities designed to enhance visibility, security, and decision-making. This versatile module introduces SASE functionality, integrates cyber risk indicators, and applies alternate heuristics alongside stateful flow inspection to deliver deeper traffic analysis. In addition, it generates event-driven insights and supports secondary flow inspections, enabling adaptive and context-aware network monitoring across diverse environments.
The plugin is designed to work hand-in-hand with other plugins: integrators can send events using any of the standard Netify Sink plugins, and the plugin offers a level of integration with the Netify Processor Flow Actions plugin. The latter permits the automation of flow actions based on metadata generated by the Intel plugin.
License
Netify Intel Plugin is a proprietary plugin requiring a license. Please contact us for details.
Installation
Netify plugins are packaged in the same workflow as the agent and can be installed with a syntax similar to the one used to install the Netify agent. Plugins are compiled and made available for x86 on mirrors. For other architectures like ARM and MIPS, please contact us.
Select your installation target for specific instructions on how to install this plugin.
AlmaLinux OS 9
Step 1 - Add Netify's package signing key and repository:
sudo rpm --import https://download.netify.ai/5/almalinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/9/netify.repo -o /etc/yum.repos.d/netify.repo
Step 2 - Install Netify Intel
sudo yum update
sudo yum install netify-intel
AlmaLinux OS 8
Step 1 - Add Netify's package signing key and repository:
sudo rpm --import https://download.netify.ai/5/almalinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/8/netify.repo -o /etc/yum.repos.d/netify.repo
Step 2 - Install Netify Intel
sudo yum update
sudo yum install netify-intel
Debian 12 (Bookworm)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/12/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
Debian 11 (Bullseye)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/11/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
Debian 10 (Buster)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/10/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
OpenWRT 24.10
Step 1 - Add Netify's package signing key and repository:
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/24.10/x86' >> /etc/opkg/customfeeds.conf
Step 2 - Install Netify Intel
opkg update
opkg install netify-intel
OpenWRT 23.05
Step 1 - Add Netify's package signing key and repository:
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/23.05/x86' >> /etc/opkg/customfeeds.conf
Step 2 - Install Netify Intel
opkg update
opkg install netify-intel
OpenWRT 22.03
Step 1 - Add Netify's package signing key and repository:
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/22.03/x86' >> /etc/opkg/customfeeds.conf
Step 2 - Install Netify Intel
opkg update
opkg install netify-intel
OpenWRT 21.02
Step 1 - Add Netify's package signing key and repository:
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/21.02/x86' >> /etc/opkg/customfeeds.conf
Step 2 - Install Netify Intel
opkg update
opkg install netify-intel
OpenWRT 19.07
Step 1 - Add Netify's package signing key and repository:
wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/19.07/x86' >> /etc/opkg/customfeeds.conf
Step 2 - Install Netify Intel
opkg update
opkg install netify-intel
OPNsense 25.7 (Visionary Viper)
Step 1 - Add Netify's package signing key and repository:
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/opnsense/25.7",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
Step 2 - Install Netify Intel
pkg update
pkg install netify-intel
OPNsense 24.7 (Thriving Tiger)
Step 1 - Add Netify's package signing key and repository:
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/opnsense/24.7",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
Step 2 - Install Netify Intel
pkg update
pkg install netify-intel
openSUSE 15.5
Step 1 - Add Netify's package signing key and repository:
sudo rpm --import https://download.netify.ai/5/opensuse/15.5/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/opensuse/netify.repo -o /etc/zypp/repos.d/repo-netify.repo
Step 2 - Install Netify Intel
sudo zypper update
sudo zypper install netify-intel
pfSense Plus 24.x
Step 1 - Add Netify's package signing key and repository:
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/freebsd/15.0",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
Step 2 - Install Netify Intel
pkg update
pkg install netify-intel
pfSense Plus 23.x
Step 1 - Add Netify's package signing key and repository:
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/freebsd/14.0",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
Step 2 - Install Netify Intel
pkg update
pkg install netify-intel
pfSense CE 2.7.x
Step 1 - Add Netify's package signing key and repository:
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/freebsd/14.0",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
Step 2 - Install Netify Intel
pkg update
pkg install netify-intel
Rocky Linux 9
Step 1 - Add Netify's package signing key and repository:
sudo rpm --import https://download.netify.ai/5/rockylinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/9/netify.repo -o /etc/yum.repos.d/netify.repo
Step 2 - Install Netify Intel
sudo yum update
sudo yum install netify-intel
Rocky Linux 8
Step 1 - Add Netify's package signing key and repository:
sudo rpm --import https://download.netify.ai/5/rockylinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/8/netify.repo -o /etc/yum.repos.d/netify.repo
Step 2 - Install Netify Intel
sudo yum update
sudo yum install netify-intel
Ubuntu 24.04 (Noble)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/noble/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
Ubuntu 22.04 (Jammy)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/jammy/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
Ubuntu 20.04 (Focal)
Step 1 - Add Netify's package signing key and repository:
curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/focal/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null
Step 2 - Install Netify Intel
sudo apt update
sudo apt install netify-intel
Indicators
What Are Indicators?
Indicators are defined elements within the Netify Intel plugin that evaluate real-time network flows to detect patterns, assess risks, and identify actionable insights. Each indicator represents a distinct analytical rule or heuristic designed to match a specific set of conditions observed in live traffic.
Indicators may serve various functions, including:
- Detecting anomalies or policy violations
- Identifying security threats or behavioral risks
- Providing context for SASE (Secure Access Service Edge) and cyber risk assessments
- Enhancing stateful flow inspection with advanced heuristics
Core Indicators
Core indicators are developed, maintained, and validated by the eGloo team. They are included with each release of the Netify Intel plugin and are designed to deliver consistent and reliable analytics across deployments.
The Netify Intelligence resource section offers a comprehensive overview of the available indicators, providing insights into underlying features and associated cybersecurity risks.
Custom Indicators
Custom indicators can be defined by users or integrators to meet specific organizational or deployment needs. They allow administrators to extend the detection framework by introducing new conditions, thresholds, or behaviors beyond the core set provided by eGloo.
Configuration
Plugin Loader Configuration
All plugins are disabled by default, and the Netify Intelligence Processor plugin is no different. To enable:
netifyd --enable-plugin proc-intel
Alternatively, you can edit /etc/netifyd/plugins.d/10-netify-proc-intel.conf and set enable to yes.
# Netify Processor Intel Plugin Loader
# Copyright (C) 2024 eGloo Incorporated
#
##############################################################################
[proc-intel]
enable = yes
plugin_library = /usr/lib64/libnetify-proc-lua.so.0.0.0
conf_filename = ${path_state_persistent}/netify-proc-intel.json
# vim: set ft=dosini :
Plugin Configuration
Once the plugin has been enabled, it can be configured using the JSON configuration file specified in the plugin loader configuration. Indicators are initially defined and controlled in the configuration file:
/etc/netifyd/netify-proc-intel.json
Each indicator entry may include the following options:
- Enabled/Disabled — Controls whether the indicator is active.
- Tweaks — Optional parameters that modify indicator behavior, such as sensitivity, thresholds, or reporting level.
- Metadata — Descriptive information (e.g., category, severity, source).
Administrators can fine-tune indicators to align with network policies or sensitivity requirements. Any configuration changes are applied dynamically on a Netify daemon reload event.
A full list of currently supported indicators, including descriptions and configuration parameters, is provided in the following section.
{
  "indicator_defaults": {
    "nfa_integration": "proc-nfa",
    "sink_flow_metadata": "none",
    "criteria": {
      "min_bytes": 0,
      "min_score": 0,
      "trigger_on_east_west": true,
      "trigger_on_wan": true
    },
    "event_filter": [
      "dpi_complete"
    ]
  },
  "indicators": {
    "credentials_cleartext": {
      "enabled": false,
      "indicator": "credentials_cleartext"
    },
    "crypto_application": {
      "enabled": false,
      "indicator": "crypto_application"
    },
    "crypto_protocol": {
      "enabled": false,
      "indicator": "crypto_protocol"
    },
    "crypto_server": {
      "enabled": false,
      "indicator": "crypto_server"
    },
    "custom_games": {
      "enabled": false,
      "indicator": "custom",
      "criteria": {
        "flow_expr": "protocol != 'DNS' && category == 'games';"
      }
    },
    "dox_server": {
      "enabled": false,
      "indicator": "dox_server"
    },
    "protocol_insecure": {
      "enabled": false,
      "indicator": "protocol_insecure"
    },
    "tls_cipher_lan": {
      "enabled": false,
      "indicator": "tls_cipher_score",
      "criteria": {
        "trigger_on_east_west": true,
        "trigger_on_wan": false
      }
    },
    "tls_cipher_wan": {
      "enabled": false,
      "indicator": "tls_cipher_score",
      "criteria": {
        "trigger_on_east_west": false,
        "trigger_on_wan": true
      }
    },
    "tls_cert_expired": {
      "enabled": false,
      "indicator": "tls_cert_expired"
    },
    "tls_cert_mismatch": {
      "enabled": false,
      "indicator": "tls_cert_mismatch"
    },
    "tls_cert_validity_too_long": {
      "enabled": false,
      "indicator": "tls_cert_validity_too_long"
    },
    "tls_cert_self_signed": {
      "enabled": false,
      "indicator": "tls_cert_self_signed"
    },
    "tor_bridge": {
      "enabled": false,
      "indicator": "tor_bridge"
    },
    "tor_exit": {
      "enabled": false,
      "indicator": "tor_exit"
    },
    "tor_replay": {
      "enabled": false,
      "indicator": "tor_relay"
    }
  }
}
Indicator Defaults
These defaults apply to every indicator that does not set the property itself.
| Property | nfa_integration |
|---|---|
| Description | The default Netify Flow Actions plugin to interact with. Unless you are doing some advanced configuration, this will always be set to proc-nfa. |
| Type | string |

| Property | sink_flow_metadata |
|---|---|
| Description | The flow metadata representation that is appended to an indicator that triggers. |
| Type | string |
| Options | TODO, none, full, partial |
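To review what a deployment will actually detect, an operator can resolve each indicator against indicator_defaults and list the ones that are enabled. The script below is an added example, not part of the Netify documentation or code base. It assumes that "criteria" is merged key by key while any other property set on an indicator overrides the default, and that an indicator with both trigger_on_* flags false matches no flows. The function names and the sample input are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the page's configuration, with two
# indicators switched on and one given criteria that exclude every flow.
SAMPLE = """{
  "indicator_defaults": {
    "nfa_integration": "proc-nfa",
    "sink_flow_metadata": "none",
    "criteria": {"min_bytes": 0, "min_score": 0,
                 "trigger_on_east_west": true, "trigger_on_wan": true},
    "event_filter": ["dpi_complete"]
  },
  "indicators": {
    "tor_exit": {"enabled": false, "indicator": "tor_exit"},
    "tls_cipher_lan": {"enabled": true, "indicator": "tls_cipher_score",
      "criteria": {"trigger_on_east_west": true, "trigger_on_wan": false}},
    "tls_cert_expired": {"enabled": true, "indicator": "tls_cert_expired",
      "criteria": {"trigger_on_east_west": false, "trigger_on_wan": false}}
  }
}"""

def effective_indicators(config):
    """Fill each indicator with indicator_defaults (assumed merge rule:
    'criteria' merges key by key, any other property overrides outright)."""
    defaults = config.get("indicator_defaults", {})
    resolved = {}
    for name, entry in config.get("indicators", {}).items():
        merged = {**defaults, **entry}
        merged["criteria"] = {**defaults.get("criteria", {}),
                              **entry.get("criteria", {})}
        merged.setdefault("enabled", False)
        resolved[name] = merged
    return resolved

def audit(config):
    """Return (enabled indicator names, findings worth an operator's review)."""
    resolved = effective_indicators(config)
    enabled = sorted(n for n, s in resolved.items() if s["enabled"])
    findings = []
    for name in enabled:
        crit = resolved[name]["criteria"]
        if not (crit.get("trigger_on_east_west") or crit.get("trigger_on_wan")):
            findings.append(f"{name}: enabled but both trigger_on_* flags are false")
    return enabled, findings

if __name__ == "__main__":
    enabled, findings = audit(json.loads(SAMPLE))
    print("enabled:", enabled, "| findings:", findings)
```

To audit a live system, load /etc/netifyd/netify-proc-intel.json with json.load and pass the result to audit().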
Updates
To ensure your deployment benefits from the latest intelligence and detection improvements, it's recommended to regularly update the Netify Intel plugin. Updates may include new or improved core indicators, lists, performance optimizations, and enhanced detection logic.