Detection Model Quick Reference Guide
Field | Description | Example
---|---|---
General | General configuration |
Name | Unique name for the Detection Model | netbiosreflect
Description | Free-text description | Netbios reflection attack
Categories | Detection categories the model belongs to | t1498
Traffic Type | Traffic the model applies to: Flow or DNS | Flow
Enable Detection Model | Whether the model is active | Enabled
Enable Policies and Integrations | If disabled, response policies and response integrations are not executed when an event is generated | Enabled
Traffic Match | Defines which traffic this Detection Model is applied to |
NQL Search > Search Against | The Flow (aws, azure, gcp, ibm, oracle, netflow, sflow) or DNS (aws, gcp) traffic type the corresponding NQL Expression applies to. `all` covers every Flow or DNS type that does not have its own row | all
NQL Search > NQL Expression | The NQL that filters the traffic included in this Detection Model | protocol == udp && srcport == 137
Discards | NQL that excludes traffic which would otherwise match the NQL Expression defined in NQL Search | srcip == 10.0.0.1
Thresholds | Defines the threshold configuration used to trigger the Detection Model |
Track By Fields | Fields that metrics are aggregated by | dstip
Thresholds > Severity | The severity of the event generated when the corresponding threshold is met | High
Thresholds > Threshold | NQL evaluated against the aggregated metrics to decide when an event of the corresponding severity is generated | avg(bitsxrate) >= 20000000
Rollup Period | The time window, in seconds, looking backwards from the most recent traffic record, over which metrics for thresholds are calculated. Valid values are 15 to 3600 (1 hour) | 300
Update Interval | How often, in seconds, ongoing event updates are generated while a threshold continues to be true. Valid values are 1 to 21600 (6 hours); 0 disables updates | 300
Auto Thresholding | Uses machine learning to set threshold values automatically from learned normal traffic |
Auto Thresholding | Enable or disable auto thresholding | Disabled
Strategy | How the default threshold value is calculated: max, the maximum of the values calculated for the different Track By values; average, the average of those values | average
Cadence | How specific a time period a threshold override applies to: Daily, a specific hour each day; Weekly, a specific hour on a specific day of the week; Monthly, a specific hour on a specific day of the month | Daily
Learning Window | The period, in hours, over which values are aggregated for the Track By aggregations. Valid values are 1 to 24 | 1 hour
Lookback | How many previous days of data are used for the aggregation | 90 Days
Advanced Auto Thresholding Options | |
Force Override | Disabled (default): generates threshold overrides only for values at least 10% greater than the baseline. Enabled: generates threshold overrides for values at least 10% greater or at least 10% lower than the baseline | Disabled
Sigma Values | The number of standard deviations used when calculating the threshold for each severity | Low 1.0, Medium 2.0, High 3.0
Scoring | Scores expressing the relative threat and the confidence in the accuracy of the Detection Model. Not applicable to Context Models |
Threat Score | Numeric value between 0 and 100 representing the relative threat | 35
Confidence Score | Numeric value between 0 and 100 representing the relative confidence | 95
Labels | Only applicable to Context Models |
Context Labels | Context name and one or more label values added to the srcip or dstip when a Context Model triggers |
Expiration | A numeric value, in seconds, between 60 and 86400 (24 hours). The context label(s) created are removed once it expires | 84600
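The following is an added example, not the product's own evaluation engine, that emulates how the Traffic Match, Thresholds and Auto Thresholding rows above combine for the `netbiosreflect` model in the table: the NQL Expression and Discards are emulated as Python predicates, `avg(bitsxrate)` is aggregated per `dstip` over the Rollup Period measured backwards from the most recent record, and auto thresholds are derived as mean plus Sigma Values times the standard deviation of learned samples. The Medium and Low thresholds, the flow records, the learned samples and the reading of the Force Override rule (an override is only generated where the per-Track By value differs from the default by at least 10%) are all assumptions made for the example.

```python
"""Added example: emulation of a Flow detection model's threshold evaluation and auto thresholding."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records standing in for Flow traffic (not real data).
# ts is seconds since epoch; bitsxrate is the record's bit rate.
FLOWS = [
    {"ts": 1000, "srcip": "192.0.2.10", "dstip": "203.0.113.5", "protocol": "udp", "srcport": 137, "bitsxrate": 30_000_000},
    {"ts": 1100, "srcip": "192.0.2.11", "dstip": "203.0.113.5", "protocol": "udp", "srcport": 137, "bitsxrate": 25_000_000},
    {"ts": 1200, "srcip": "10.0.0.1", "dstip": "203.0.113.5", "protocol": "udp", "srcport": 137, "bitsxrate": 90_000_000},  # hits Discards
    {"ts": 1250, "srcip": "192.0.2.12", "dstip": "203.0.113.9", "protocol": "udp", "srcport": 137, "bitsxrate": 4_000_000},
    {"ts": 1280, "srcip": "192.0.2.13", "dstip": "203.0.113.9", "protocol": "tcp", "srcport": 137, "bitsxrate": 80_000_000},  # not udp, no match
    {"ts": 500, "srcip": "192.0.2.14", "dstip": "203.0.113.5", "protocol": "udp", "srcport": 137, "bitsxrate": 99_000_000},  # outside Rollup Period
]


def nql_match(flow):
    """Emulates the NQL Expression from the table: protocol == udp && srcport == 137."""
    return flow["protocol"] == "udp" and flow["srcport"] == 137


def discard(flow):
    """Emulates the Discards row: srcip == 10.0.0.1."""
    return flow["srcip"] == "10.0.0.1"


# Severity thresholds, most severe first so the highest matching severity wins.
# Only the High value comes from the table; Medium and Low are assumed for the example.
THRESHOLDS = [
    ("High", lambda m: m["avg_bitsxrate"] >= 20_000_000),
    ("Medium", lambda m: m["avg_bitsxrate"] >= 10_000_000),
    ("Low", lambda m: m["avg_bitsxrate"] >= 5_000_000),
]


def evaluate(flows, now=None, rollup_period=300, track_by="dstip", thresholds=THRESHOLDS):
    """Return {track_by value: severity} for every key whose metrics crossed a threshold."""
    if not 15 <= rollup_period <= 3600:
        raise ValueError("Rollup Period must be between 15 and 3600 seconds")
    if now is None:  # the window is measured backwards from the most recent record
        now = max(f["ts"] for f in flows)
    window_start = now - rollup_period
    buckets = defaultdict(list)
    for f in flows:
        if not window_start <= f["ts"] <= now:
            continue
        if not nql_match(f) or discard(f):
            continue
        buckets[f[track_by]].append(f["bitsxrate"])
    events = {}
    for key, rates in buckets.items():
        metrics = {"avg_bitsxrate": mean(rates)}
        for severity, test in thresholds:
            if test(metrics):
                events[key] = severity
                break
    return events


SIGMA = {"Low": 1.0, "Medium": 2.0, "High": 3.0}  # Sigma Values from the table

# Constructed per-dstip samples of avg(bitsxrate) from the Lookback (not real data).
LEARNED = {
    "203.0.113.5": [8_000_000.0, 12_000_000.0],
    "203.0.113.9": [3_000_000.0, 5_000_000.0],
}


def auto_thresholds(learned, strategy="average", sigma=SIGMA, force_override=False):
    """Derive default thresholds plus per-Track By overrides.

    Per key, each severity's threshold is mean + sigma * stddev of that key's samples.
    The default is the max or average of the per-key values (Strategy). An override is
    emitted only where the per-key value is at least 10% above the default, or also at
    least 10% below it when force_override is set (the example's reading of Force Override).
    """
    per_key = {}
    for key, samples in learned.items():
        mu, sd = mean(samples), pstdev(samples)
        per_key[key] = {sev: mu + k * sd for sev, k in sigma.items()}
    agg = max if strategy == "max" else mean
    default = {sev: agg(v[sev] for v in per_key.values()) for sev in sigma}
    overrides = {}
    for key, values in per_key.items():
        for sev, value in values.items():
            base = default[sev]
            if value >= 1.1 * base or (force_override and value <= 0.9 * base):
                overrides.setdefault(key, {})[sev] = value
    return default, overrides


if __name__ == "__main__":
    print(evaluate(FLOWS))
    print(auto_thresholds(LEARNED))
    print(auto_thresholds(LEARNED, strategy="max", force_override=True))
```

Running it shows the three exclusions at work: the discarded 10.0.0.1 record and the record older than the Rollup Period do not inflate 203.0.113.5's average, the TCP record never enters 203.0.113.9's bucket, and only 203.0.113.5 raises a High event. With the average Strategy the busier destination gets overrides for all three severities while the quiet one gets none unless Force Override is enabled; with the max Strategy the default already equals the busier destination's values, so no override is generated for it.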