Detection Categories

Detection categories are similar to flow tags. They are used to group or ‘categorize’ detection models, after which rules based on those categories can be crafted.

System

The system categories are based on the MITRE ATT&CK® framework.

| Short name | Long name |
|---|---|
| configuration | Neto_configuration |
| iprep | IP Reputation Based |
| p2p | Peer To Peer |
| policy | Policy |
| rate | Rate Based |
| security | Security |
| t1001 | T1001 Data Obfuscation |
| t1007 | T1007 System Service Discovery |
| t1008 | T1008 Fallback Channels |
| t1011 | T1011 Exfiltration Over Other Network Medium |
| t1016 | T1016 System Network Configuration Discovery |
| t1018 | T1018 Remote System Discovery |
| t1020 | T1020 Automated Exfiltration |
| t1021 | T1021 Remote Services |
| t1033 | T1033 System Owner or User Discovery |
| t1040 | T1040 Network Sniffing |
| t1041 | T1041 Exfiltration Over C2 Channel |
| t1043 | T1043 Commonly Used Port |
| t1046 | T1046 Network Service Scanning |
| t1048 | T1048 Exfiltration Over Alternative Protocol |
| t1049 | T1049 System Network Connections Discovery |
| t1082 | T1082 System Information Discovery |
| t1083 | T1083 File and Directory Discovery |
| t1090 | T1090 Proxy |
| t1095 | T1095 Non-Application Layer Protocol |
| t1102 | T1102 Web Service |
| t1110 | T1110 Brute Force |
| t1119 | T1119 Automated Collection |
| t1124 | T1124 System Time Discovery |
| t1133 | T1133 External Remote Services |
| t1135 | T1135 Network Share Discovery |
| t1136 | T1136 Create Account |
| t1189 | T1189 Drive-by Compromise |
| t1204 | T1204 User Execution |
| t1205 | T1205 Traffic Signaling |
| t1207 | T1207 Rogue Domain Controller |
| t1219 | T1219 Remote Access Software |
| t1482 | T1482 Domain Trust Discovery |
| t1498 | T1498 Network Denial of Service |
| t1499 | T1499 Endpoint Denial of Service |
| t1518 | T1518 Software Discovery |
| t1526 | T1526 Cloud Service Discovery |
| t1534 | T1534 Internal Spearphishing |
| t1535 | T1535 Unused Unsupported Cloud Regions |
| t1537 | T1537 Transfer Data to Cloud Account |
| t1538 | T1538 Cloud Service Dashboard |
| t1557 | T1557 Adversary-in-the-Middle |
| t1562 | T1562 Impair Defenses |
| t1563 | T1563 Remote Service Session Hijacking |
| t1566 | T1566 Phishing |
| t1567 | T1567 Exfiltration Over Web Service |
| t1568 | T1568 Dynamic Resolution |
| t1571 | T1571 Non-Standard Port |
| t1572 | T1572 Protocol Tunneling |
| t1573 | T1573 Encrypted Channel |
| t1578 | T1578 Modify Cloud Compute Infrastructure |
| t1580 | T1580 Cloud Infrastructure Discovery |
| t1583 | T1583 Acquire Infrastructure |
| t1584 | T1584 Compromise Infrastructure |
| t1585.001 | T1585.001 Social Media Accounts |
| t1589 | T1589 Gather Victim Identity Information |
| t1590 | T1590 Gather Victim Network Information |
| t1592 | T1592 Gather Victim Host Information |
| t1595 | T1595 Active Scanning |
| t1598 | T1598 Phishing for Information |
| t1599 | T1599 Network Boundary Bridging |
| t1602 | T1602 Data from Configuration Repository |
| t1614 | T1614 System Location Discovery |
| t1619 | T1619 Cloud Storage Object Discovery |
| ta0011 | TA0011 Command and Control |

Custom

In addition to the system default categories, custom detection categories can also be configured in Netography Fusion. To create a custom category in the portal, go to Settings > Detection Categories, then, on the main Detection Categories menu, click ADD/UPDATE CATEGORY.

Enter your own category name and description, then click SAVE at the bottom of the window.