March 9, 2021

GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7 brings important features and improvements. The main features in Mendel 3.7 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, or AWS, MS Azure and Google cloud deployability.

Enhanced Integration With Your Infrastructure

Better visibility on user identity

For use cases when Mendel has no direct access to AD/LDAP server or with limited permissions then user identity could be provided via integration with CISCO Identity Service Engine (ISE).

Active response to threats

For situations where it is necessary to respond to emerging threats, we will ensure appropriate steps through integration with CISCO network elements. If this is unavoidable, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With incorporation of SNMP agent and trap functionality you are able to oversee MENDEL appliances with your current infrastructure monitoring solution.

More Efficient Operations

New upgrade management to all your appliances

Upgrade the whole Mendel deployment through a single point  = collector’s UI. Choose either “One click” multi upgrade or upgrade each sensor individually. Upgrade is performed by two step method, to keep sensor running for maximum time and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying the „hot“ data and views of them. If your deployment does not have multi-tier storage with fast disks, we still bring you a faster response in the GUI by optimizing the database queries.

False Positives for limited time period

Hide events only for the time that is relevant and related to the maintenance of your infrastructure, tests, etc. Apply false positives with specific time frame and/​or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).


Asset discovery 

Ability to discover devices in network using various OT protocols to get asset details such as firmware versions, and many others.

Policy monitoring

We introduce a new script approach in IDS rules which allows you to define custom policy rules to monitor allowed values and perform whitelists/​blacklists operations inside OT protocols like IEC104, MMS and many others.

All Features – IT

  • CISCO ISE user identity integration and response
  • CISCO Firepower incident response
  • SNMP appliance monitoring & SNMP trap
  • Upgrade management over appliances
  • AWS, MS Azure and Google cloud deployability
  • High-speed disk utilization within multi-tier storage
  • False positives for limited time period
  • Trigger based PCAP recording
  • Processing netflow data with NAT information
  • Switch flow errors  from flags to real calculation
  • Connect Mendel sensor to secondary collector (HA)
  • Deactivate inactive Sensor on Collector
  • User Documentation available via GUI
  • Time validity of false positives
  • Connect Mendel sensor to secondary collector (HA)
  • Deactivate inactive Sensor on Collector 

Features – OT / ICS

  • Asset Discovery
  • Parsing MQTT, COAP and Profinet protocols
  • Detection of LoRaWAN protocol


  • Process VMware ESXi NSX‑T IPFIX format
  • Add support for storing Suricata Variables in DB
  • Enhance update server update data sources
  • Semi-automated restoration of SMB backup
  • IDS signatures using the detected application
  • Display the logged-in user name on all pages
  • False positive change Priority field Default text
  • False positive not applicable into past by default
  • Import new JA3 hash codes from
  • Add description field into data exports
  • Hide user from managerial/​security reports and email
  • Added assignee, reporter and date of last updated to Incident exports (PDF)
  • Reworked Firewall settings with new location in UI
  • Better explanation over data transfer between hosts in peers graph
  • Evaluate and add IPv6 multicast address into monitored subnets
  • System logs in mshell
  • CAT tool for ME localization 

Official Mendel Product Support

With release of version 3.7.0 full-service support will be provided for the versions 3.7.x and 3.6.x. Limited service support is provided for previous version 3.5.x. Versions 3.4.x and older are no longer supported, end-users with valid support and maintenance or active SW subscription can upgrade to the supported version(s).