Detection Model Quick Reference Guide

General: general configuration

| Field | Description | Example |
|---|---|---|
| Name | Unique name | netbiosreflect |
| Description | Text description | Netbios reflection attack |
| Categories | Detection categories | t1498 |
| Traffic Type | Traffic to apply to: Flow or DNS | Flow |
| Enable Detection Model | Whether the model is active | Enabled |
| Enable Policies and Integrations | If disabled, response policies and response integrations are not executed when an event is generated | Enabled |

Traffic Match: defines what traffic this detection model is applied to

| Field | Description | Example |
|---|---|---|
| NQL Search > Search Against | Flow (aws, azure, gcp, ibm, oracle, netflow, sflow) or DNS (aws, gcp) traffic type to apply the corresponding NQL Expression to. `all` applies to all Flow or DNS types except those specified in a separate row | all |
| NQL Search > NQL Expression | The NQL used to filter the traffic included in this Detection Model | `protocol == udp && srcport == 137` |
| Discards | Exclude traffic that would otherwise match the NQL Expression defined in NQL Search | `srcip == 10.0.0.1` |

Thresholds: defines the thresholds configuration used to trigger a Detection Model

| Field | Description | Example |
|---|---|---|
| Track By Fields | Fields to aggregate metrics by | dstip |
| Thresholds > Severity | The severity of the event to generate when the corresponding threshold is met | High |
| Thresholds > Threshold | NQL evaluated to determine when an event of the corresponding severity is generated | `avg(bitsxrate) >= 20000000` |
| Rollup Period | The time period, in seconds, looking backwards from the most recent traffic record, to include when calculating metrics for thresholds. Valid values are between 15 and 3600 (1 hour) | 300 |
| Update Interval | Frequency, in seconds, at which ongoing event updates are generated while a Detection Model threshold continues to be true. Valid values are between 1 and 21600 (6 hours). A value of 0 disables updates | 300 |

Auto Thresholding: uses machine learning to set threshold values automatically by learning normal traffic

| Field | Description | Example |
|---|---|---|
| Auto Thresholding | Enable/disable the use of auto thresholding | Disabled |
| Strategy | How the default threshold value is calculated. `max`: the maximum of the values calculated for the different Track By values. `average`: the average of the values calculated for the different Track By values | average |
| Cadence | How specific a time period the threshold override applies to. Daily: a specific hour each day. Weekly: a specific hour on a specific day of the week. Monthly: a specific hour on a specific day of the month | Daily |
| Learning Window | The period, in hours, over which values are aggregated for Track By aggregations. Valid values are between 1 and 24 | 1 hour |
| Lookback | How many previous days are used to aggregate data | 90 Days |

Advanced Auto Thresholding Options

| Field | Description | Example |
|---|---|---|
| Force Override | Disabled (default): generates threshold overrides for values at least 10% greater than the baseline. Enabled: generates threshold overrides for values at least 10% greater or 10% lower than the baseline | Disabled |
| Sigma Values | The number of standard deviations to use when calculating thresholds for each severity | Low 1.0, Medium 2.0, High 3.0 |

Scoring: scores that express the relative threat and the confidence in the accuracy of the Detection Model. Not applicable to Context Models

| Field | Description | Example |
|---|---|---|
| Threat Score | Numeric value between 0 and 100 representing the relative threat | 35 |
| Confidence Score | Numeric value between 0 and 100 representing the relative confidence | 95 |

Labels: only applicable to Context Models

| Field | Description | Example |
|---|---|---|
| Context Labels | Context name and one or more label values to add to the srcip or dstip when a context model triggers | |
| Expiration | A numeric value between 60 and 86400 (24 hours), in seconds. The context label(s) created are removed once it expires | 84600 |
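Added example, not part of this reference guide or the product: a simplified re-implementation of how the `netbiosreflect` example above would be evaluated (NQL Expression, Discards, Track By, Rollup Period, Threshold) over constructed flow records, plus a mean-plus-sigma rule for the Sigma Values in the Auto Thresholding section. The record layout, the predicate form of the NQL and the exact sigma formula are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic): (timestamp_seconds, protocol, srcip, srcport, dstip, bitsxrate)
FLOWS = [
    (1000, "udp", "203.0.113.5", 137, "198.51.100.10", 30_000_000),
    (1100, "udp", "203.0.113.6", 137, "198.51.100.10", 25_000_000),
    (1200, "udp", "10.0.0.1",    137, "198.51.100.10", 90_000_000),  # hits Discards
    (1200, "udp", "203.0.113.7", 137, "198.51.100.20",  5_000_000),
    (1250, "tcp", "203.0.113.8", 137, "198.51.100.20", 90_000_000),  # not udp, no match
    (  10, "udp", "203.0.113.9", 137, "198.51.100.30", 90_000_000),  # older than Rollup Period
]

# The netbiosreflect example from the table, with its NQL written as Python predicates (assumed mapping).
MODEL = {
    "name": "netbiosreflect",
    "match": lambda f: f[1] == "udp" and f[3] == 137,  # protocol == udp && srcport == 137
    "discard": lambda f: f[2] == "10.0.0.1",           # srcip == 10.0.0.1
    "track_by": lambda f: f[4],                        # dstip
    "rollup_period": 300,                              # seconds back from the newest record
    "thresholds": [("High", 20_000_000)],              # avg(bitsxrate) >= 20000000
}

def evaluate(model, flows):
    """Return {track_by_value: severity} for each key whose avg(bitsxrate) meets a threshold."""
    selected = [f for f in flows if model["match"](f) and not model["discard"](f)]
    if not selected:
        return {}
    newest = max(f[0] for f in selected)
    window = [f for f in selected if f[0] >= newest - model["rollup_period"]]
    per_key = defaultdict(list)
    for f in window:
        per_key[model["track_by"](f)].append(f[5])
    events = {}
    for key, rates in per_key.items():
        avg = mean(rates)
        # The highest threshold that is satisfied decides the severity.
        for severity, limit in sorted(model["thresholds"], key=lambda t: t[1], reverse=True):
            if avg >= limit:
                events[key] = severity
                break
    return events

SIGMA = {"Low": 1.0, "Medium": 2.0, "High": 3.0}  # Sigma Values from the table

def auto_thresholds(learned_values, sigma=SIGMA):
    """Assumed sigma rule: per-severity threshold = mean + k * population stddev of learned values."""
    mu, sd = mean(learned_values), pstdev(learned_values)
    return {sev: mu + k * sd for sev, k in sigma.items()}
```

With the constructed records, only 198.51.100.10 crosses the High threshold: the discarded 10.0.0.1 record, the TCP record and the record outside the 300-second rollup window are excluded before averaging.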
