Detection Model Quick Reference Guide
Field | Description | Example | |
---|---|---|---|
General | General configuration | ||
Name | Unique name | netbiosreflect | |
Description | Text description | Netbios reflection attack | |
Categories | Detection categories | t1498 | |
Traffic Type | Traffic to apply to -Flow or DNS | Flow | |
Enable Detection Model | Is it active | Enabled | |
Enable Policies and Integrations | If disabled, response policies and response integrations will not be executed when an event is generated | Enabled | |
Traffic Match | Defines what traffic this detection model is applied to | ||
NQL Search > Search Against | Flow (aws , azure , gcp , ibm , oracle , netflow , sflow ) or DNS (aws , gcp ) traffic type to apply corresponding NQL Expression to. all will be used for all Flow or DNS types except those specified in a separate row | all | |
NQL Search > NQL Expression | The NQL to use to filter the traffic included in this Detection Model | protocol == udp && srcport == 137 | |
Discards | Exclude traffic that would otherwise match the NQL Expression defined in NQL Search. | srcip == 10.0.0.1 | |
Thresholds | Defines the thresholds configuration used to trigger a Detection Model | ||
Track By Fields | Fields to aggregate metrics by | dstip | |
Thresholds > Severity | The severity of the event to generate when the corresponding threshold is met | High | |
Thresholds > Threshold | NQL to evaluate to determine when an event of the corresponding severity is generated | avg(bitsxrate) >= 20000000 | |
Rollup Period | The time period, in seconds, from the most recent traffic record looking backwards to include when calculating metrics for thresholds. Valid values are between 15 to 3600 (1 hour). | 300 | |
Update Interval | Frequency to generate ongoing event updates while a Detection Model threshold continues to be true. Valid values are between 1 to 21600 (6 hours). A value of 0 disables updates. | 300 | |
Auto Thresholding | Utilize machine learning to automatically set threshold values based on learning normal traffic | ||
Auto Thresholding | Enable/Disable the use of auto thresholding | Disabled | |
Strategy | How the default threshold value is calculated. max - the maximum of values that have been calculated for the different trackbys average - the average of the values calculated for the different trackbys | average | |
Cadence | How specific a time period the threshold override applies to. Daily - Specific hour each day Weekly - Specific hour on a specific day of the week Monthly - Specific hour on a specific day of the month | Daily | |
Learning Window | The period, in hours, over which values are aggregated for Track By aggregations. Valid values are between 1 to 24 | 1 hour | |
Lookback | How many previous days are used to aggregate data | 90 Days | |
Advanced Auto Thresholding Options | |||
Force Override | Disabled (default): Generates threshold overrides for Values at least 10% greater than the baseline Enabled: Generates threshold overrides for Values at least 10% greater OR 10% lower than the baseline | Disabled | |
Sigma Values | The number of standard deviations to use when calculating thresholds for each severity | Low 1.0 Medium 2.0 High 3.0 | |
Scoring | Scoring to understand relative threat and confidence in the accuracy of the Detection Model. Not applicable to Context Models | ||
Threat Score | Numeric value between 0-100 representing the relative threat | 35 | |
Confidence Score | Numeric value between 0-100 representing the relative confidence | 95 | |
Labels | Only applicable to Context Models | ||
Context Labels | Context name and one or more label values to add to the srcip or dstip when a context model triggers | ||
Expiration | A numeric value between 60 and 86400 (24 hours). The context label(s) created will be removed once it expires. | 84600 |
Updated 2 months ago