GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7.0 brings important features and improvements. The main features in Mendel 3.7.0 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, and AWS, MS Azure and Google cloud deployability.


Better visibility on user identity

When Mendel has no direct access to the AD/LDAP server, or has only limited permissions, user identity can be provided through integration with CISCO Identity Services Engine (ISE).

Active response to threats

When you need to respond to emerging threats, integration with CISCO network elements lets you take the appropriate steps. Where necessary, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With the incorporation of SNMP agent and trap functionality, you can monitor Mendel appliances with your current infrastructure monitoring solution.


New upgrade management to all your appliances

Upgrade the whole Mendel deployment from a single point, the collector’s UI. Choose either “One click” multi-upgrade or upgrade each sensor individually. The upgrade is performed in two steps, to keep each sensor running for as long as possible and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying “hot” data and views of that data. If your deployment does not have multi-tier storage with fast disks, you still get a faster response in the GUI thanks to optimized database queries.

False Positives for limited time period

Hide events only for the period that is relevant, such as maintenance of your infrastructure, tests, etc. Apply false positives with a specific time frame and/or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).


Asset discovery 

Discover devices in the network using various OT protocols to obtain asset details such as firmware versions and many others.

Policy monitoring

We introduce a new script approach in IDS rules that allows you to define custom policy rules to monitor allowed values and perform whitelist/blacklist operations inside OT protocols like IEC104, MMS and many others.


CISCO ISE user identity integration and response
CISCO Firepower incident response
SNMP appliance monitoring & SNMP trap
Upgrade management over appliances
AWS, MS Azure and Google cloud deployability
High-speed disk utilization within multi-tier storage
False positives for limited time period
Trigger based PCAP recording
Processing netflow data with NAT information
Switch flow errors from flags to real calculation
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector
User Documentation available via GUI
Time validity of false positives


Asset Discovery
Parsing MQTT, COAP and Profinet protocols
Detection of LoRaWAN protocol


Process VMware ESXi NSX-T IPFIX format
Add support for storing Suricata Variables in DB
Enhance update server update data sources
Semi-automated restoration of SMB backup
IDS signatures using the detected application
Display the logged-in user name on all pages
False positive change Priority field Default text
False positive not applicable into past by default
Import new JA3 hash codes from
Add description field into data exports
Hide user from managerial/security reports and email
Added assignee, reporter and date of last updated to Incident exports (PDF)
Reworked Firewall settings with new location in UI
Better explanation over data transfer between hosts in peers graph
Evaluate and add IPv6 multicast address into monitored subnets
System logs in mshell
CAT tool for ME localization 


With the release of version 3.7.0, full-service support will be provided for versions 3.7.x and 3.6.x. Limited service support is provided for the previous version 3.5.x. Versions 3.4.x and older are no longer supported; end users with valid support and maintenance or an active SW subscription can upgrade to the supported version(s).