Detection Categories
Detection categories are similar to flow tags: they group, or ‘categorize’, detection models, and rules can then be crafted based on those categories.
System
The system categories are based on the MITRE ATT&CK® framework.
Short name | Long name |
---|---|
configuration | Neto_configuration |
iprep | IP Reputation Based |
p2p | Peer To Peer |
policy | Policy |
rate | Rate Based |
security | Security |
t1001 | T1001 Data Obfuscation |
t1007 | T1007 System Service Discovery |
t1008 | T1008 Fallback Channels |
t1011 | T1011 Exfiltration Over Other Network Medium |
t1016 | T1016 System Network Configuration Discovery |
t1018 | T1018 Remote System Discovery |
t1020 | T1020 Automated Exfiltration |
t1021 | T1021 Remote Services |
t1033 | T1033 System Owner or User Discovery |
t1040 | T1040 Network Sniffing |
t1041 | T1041 Exfiltration Over C2 Channel |
t1043 | T1043 Commonly Used Port |
t1046 | T1046 Network Service Scanning |
t1048 | T1048 Exfiltration Over Alternative Protocol |
t1049 | T1049 System Network Connections Discovery |
t1082 | T1082 System Information Discovery |
t1083 | T1083 File and Directory Discovery |
t1090 | T1090 Proxy |
t1095 | T1095 Non-Application Layer Protocol |
t1102 | T1102 Web Service |
t1110 | T1110 Brute Force |
t1119 | T1119 Automated Collection |
t1124 | T1124 System Time Discovery |
t1133 | T1133 External Remote Services |
t1135 | T1135 Network Share Discovery |
t1136 | T1136 Create Account |
t1189 | T1189 Drive-by Compromise |
t1204 | T1204 User Execution |
t1205 | T1205 Traffic Signaling |
t1207 | T1207 Rogue Domain Controller |
t1219 | T1219 Remote Access Software |
t1482 | T1482 Domain Trust Discovery |
t1498 | T1498 Network Denial of Service |
t1499 | T1499 Endpoint Denial of Service |
t1518 | T1518 Software Discovery |
t1526 | T1526 Cloud Service Discovery |
t1534 | T1534 Internal Spearphishing |
t1535 | T1535 Unused/Unsupported Cloud Regions |
t1537 | T1537 Transfer Data to Cloud Account |
t1538 | T1538 Cloud Service Dashboard |
t1557 | T1557 Adversary-in-the-Middle |
t1562 | T1562 Impair Defenses |
t1563 | T1563 Remote Service Session Hijacking |
t1566 | T1566 Phishing |
t1567 | T1567 Exfiltration Over Web Service |
t1568 | T1568 Dynamic Resolution |
t1571 | T1571 Non-Standard Port |
t1572 | T1572 Protocol Tunneling |
t1573 | T1573 Encrypted Channel |
t1578 | T1578 Modify Cloud Compute Infrastructure |
t1580 | T1580 Cloud Infrastructure Discovery |
t1583 | T1583 Acquire Infrastructure |
t1584 | T1584 Compromise Infrastructure |
t1585.001 | T1585.001 Social Media Accounts |
t1589 | T1589 Gather Victim Identity Information |
t1590 | T1590 Gather Victim Network Information |
t1592 | T1592 Gather Victim Host Information |
t1595 | T1595 Active Scanning |
t1598 | T1598 Phishing for Information |
t1599 | T1599 Network Boundary Bridging |
t1602 | T1602 Data from Configuration Repository |
t1614 | T1614 System Location Discovery |
t1619 | T1619 Cloud Storage Object Discovery |
ta0011 | TA0011 Command and Control |
Custom
In addition to the system default categories, custom detection categories can also be configured in Netography Fusion. To create a custom category in the portal, go to Settings > Detection Categories, then on the main Detection Categories menu, click ADD/UPDATE CATEGORY.
Enter your own category name and description, then click SAVE at the bottom of the window.