# Detection Model Quick Reference Guide

|                                        | Field                                | Description                                                                                                                                                                                                                                                                     | Example                                                                         |
| -------------------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| **General**                            |                                      | General configuration                                                                                                                                                                                                                                                           |                                                                                 |
|                                        | **Name**                             | Unique name                                                                                                                                                                                                                                                                     | `netbiosreflect`                                                                |
|                                        | **Description**                      | Text description                                                                                                                                                                                                                                                                | Netbios reflection attack                                                       |
|                                        | **Categories**                       | Detection categories                                                                                                                                                                                                                                                            | `t1498`                                                                         |
|                                        | **Traffic Type**                     | Traffic type to apply to: `Flow` or `DNS`                                                                                                                                                                                                                                       | `Flow`                                                                          |
|                                        | **Enable Detection Model**           | Is it active                                                                                                                                                                                                                                                                    | `Enabled`                                                                       |
|                                        | **Enable Policies and Integrations** | If disabled, response policies and response integrations will not be executed when an event is generated                                                                                                                                                                        | `Enabled`                                                                       |
| **Traffic Match**                      |                                      | Defines what traffic this detection model is applied to                                                                                                                                                                                                                         |                                                                                 |
|                                        | **NQL Search > Search Against**      | Flow (`aws`, `azure`, `gcp`, `ibm`, `oracle`, `netflow`, `sflow`) or DNS (`aws`, `gcp`) traffic type to apply corresponding NQL Expression to. `all` will be used for all Flow or DNS types except those specified in a separate row                                            | `all`                                                                           |
|                                        | **NQL Search > NQL Expression**      | The NQL to use to filter the traffic included in this Detection Model                                                                                                                                                                                                           | `protocol == udp && srcport == 137`                                             |
|                                        | **Discards**                         | Exclude traffic that would otherwise match the NQL Expression defined in NQL Search.                                                                                                                                                                                            | `srcip == 10.0.0.1`                                                             |
| **Thresholds**                         |                                      | Defines the thresholds configuration used to trigger a Detection Model                                                                                                                                                                                                          |                                                                                 |
|                                        | **Track By Fields**                  | Fields to aggregate metrics by                                                                                                                                                                                                                                                  | `dstip`                                                                         |
|                                        | **Thresholds > Severity**            | The severity of the event to generate when the corresponding threshold is met                                                                                                                                                                                                   | `High`                                                                          |
|                                        | **Thresholds > Threshold**           | NQL to evaluate to determine when an event of the corresponding severity is generated                                                                                                                                                                                           | `avg(bitsxrate) >= 20000000`                                                    |
|                                        | **Rollup Period**                    | The time period, in seconds, looking backwards from the most recent traffic record, that is included when calculating metrics for thresholds. Valid values are between 15 and 3600 *(1 hour)*.                                                                                  | `300`                                                                           |
|                                        | **Update Interval**                  | Frequency, in seconds, at which ongoing event updates are generated while a Detection Model threshold remains true. Valid values are between 1 and 21600 *(6 hours)*. A value of 0 disables updates.                                                                             | `300`                                                                           |
| **Auto Thresholding**                  |                                      | Utilize machine learning to automatically set threshold values based on learning normal traffic                                                                                                                                                                                 |                                                                                 |
|                                        | **Auto Thresholding**                | Enable/Disable the use of auto thresholding                                                                                                                                                                                                                                     | `Disabled`                                                                      |
|                                        | **Strategy**                         | <p>How the default threshold value is calculated.<br><strong>max</strong> - the maximum of values that have been calculated for the different trackbys<br><strong>average</strong> - the average of the values calculated for the different trackbys</p>                        | `average`                                                                       |
|                                        | **Cadence**                          | <p>How specific a time period the threshold override applies to.<br><strong>Daily</strong> - Specific hour each day<br><strong>Weekly</strong> - Specific hour on a specific day of the week<br><strong>Monthly</strong> - Specific hour on a specific day of the month</p>     | `Daily`                                                                         |
|                                        | **Learning Window**                  | The period, in hours, over which values are aggregated for Track By aggregations. Valid values are between 1 and 24                                                                                                                                                             | `1 hour`                                                                        |
|                                        | **Lookback**                         | How many previous days are used to aggregate data                                                                                                                                                                                                                               | `90 Days`                                                                       |
| **Advanced Auto Thresholding Options** |                                      |                                                                                                                                                                                                                                                                                 |                                                                                 |
|                                        | **Force Override**                   | <p><strong>Disabled</strong> <em>(default)</em>: Generates threshold overrides for values at least 10% greater than the baseline<br><strong>Enabled</strong>: Generates threshold overrides for values at least 10% greater or 10% lower than the baseline</p>                  | `Disabled`                                                                      |
|                                        | **Sigma Values**                     | The number of standard deviations to use when calculating thresholds for each severity                                                                                                                                                                                          | <p>Low <code>1.0</code><br>Medium <code>2.0</code><br>High <code>3.0</code></p> |
| **Scoring**                            |                                      | Scoring to understand relative threat and confidence in the accuracy of the Detection Model. *Not applicable to Context Models*                                                                                                                                                 |                                                                                 |
|                                        | **Threat Score**                     | Numeric value between 0-100 representing the relative threat                                                                                                                                                                                                                    | `35`                                                                            |
|                                        | **Confidence Score**                 | Numeric value between 0-100 representing the relative confidence                                                                                                                                                                                                                | `95`                                                                            |
| **Labels**                             |                                      | *Only applicable to Context Models*                                                                                                                                                                                                                                             |                                                                                 |
|                                        | **Context Labels**                   | Context name and one or more label values to add to the `srcip` or `dstip` when a context model triggers                                                                                                                                                                        |                                                                                 |
|                                        | **Expiration**                       | A numeric value between 60 and 86400 *(24 hours)*. The context label(s) created will be removed once it expires.                                                                                                                                                                | `84600`                                                                         |

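As an added example (not from this page or from the product's own code), the `netbiosreflect` model in the table is evaluated in Python over constructed flow records: NQL Search, Discards, Track By Fields, Rollup Period and a Thresholds expression are applied in the order the table lists them. The `evaluate` function, the record layout and the small threshold-expression parser are assumptions for illustration, not the product's NQL engine.

```python
import re
from statistics import mean

# Constructed flow records (not real traffic). ts is epoch seconds; bitsxrate
# is the per-record rate field that the page's example threshold aggregates.
FIELDS = ("ts", "srcip", "dstip", "protocol", "srcport", "bitsxrate")
FLOWS = [dict(zip(FIELDS, r)) for r in [
    (1000, "192.0.2.10", "198.51.100.5", "udp", 137, 30_000_000),
    (1100, "192.0.2.11", "198.51.100.5", "udp", 137, 25_000_000),
    (1200, "10.0.0.1",   "198.51.100.5", "udp", 137, 90_000_000),  # hits the Discard
    (1250, "192.0.2.12", "198.51.100.9", "udp", 137, 1_000_000),
    (1290, "192.0.2.13", "198.51.100.9", "tcp", 445, 50_000_000),  # fails NQL Search
    (10,   "192.0.2.14", "198.51.100.5", "udp", 137, 99_000_000),  # outside Rollup Period
]]

# Hypothetical in-memory form of the page's netbiosreflect model; the two
# lambdas stand in for the NQL Expression and Discards shown in the table.
MODEL = {
    "nql": lambda f: f["protocol"] == "udp" and f["srcport"] == 137,
    "discard": lambda f: f["srcip"] == "10.0.0.1",
    "track_by": "dstip",
    "rollup_period": 300,                                    # seconds
    "thresholds": [("High", "avg(bitsxrate) >= 20000000")],  # most severe first
}

THRESHOLD_RE = re.compile(r"(\w+)\((\w+)\)\s*(>=|<=|==|>|<)\s*(\d+)")
AGG = {"avg": mean, "sum": sum, "max": max, "min": min, "count": len}
CMP = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def evaluate(model, flows):
    """Return {track-by value: severity} for each key whose aggregate crosses a threshold."""
    # The rollup window is measured back from the most recent record, as the table describes.
    window_start = max(f["ts"] for f in flows) - model["rollup_period"]
    groups = {}
    for f in flows:
        if f["ts"] < window_start or not model["nql"](f) or model["discard"](f):
            continue
        groups.setdefault(f[model["track_by"]], []).append(f)
    events = {}
    for key, recs in groups.items():
        for severity, expr in model["thresholds"]:
            func, field, op, value = THRESHOLD_RE.fullmatch(expr).groups()
            if CMP[op](AGG[func]([r[field] for r in recs]), int(value)):
                events[key] = severity   # first (most severe) matching threshold wins
                break
    return events
```

With the records above only `198.51.100.5` crosses the High threshold: the discarded record and the one outside the 300-second rollup window are not part of its average.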
