Detection Categories
Detection categories work like flow tags: they group, or "categorize", detection models, and rules can then be written that match on a category rather than on individual models.
System
The system categories are based on the MITRE ATT&CK® framework: most map to an ATT&CK technique (t-prefixed short names) or tactic (TA0011 Command and Control), while the remaining entries (configuration, iprep, p2p, policy, rate, security) are Netography-specific groupings.
| Short name | Long name |
|---|---|
| configuration | Neto_configuration |
| iprep | IP Reputation Based |
| p2p | Peer To Peer |
| policy | Policy |
| rate | Rate Based |
| security | Security |
| t1001 | T1001 Data Obfuscation |
| t1007 | T1007 System Service Discovery |
| t1008 | T1008 Fallback Channels |
| t1011 | T1011 Exfiltration Over Other Network Medium |
| t1016 | T1016 System Network Configuration Discovery |
| t1018 | T1018 Remote System Discovery |
| t1020 | T1020 Automated Exfiltration |
| t1021 | T1021 Remote Services |
| t1033 | T1033 System Owner or User Discovery |
| t1040 | T1040 Network Sniffing |
| t1041 | T1041 Exfiltration Over C2 Channel |
| t1043 | T1043 Commonly Used Port |
| t1046 | T1046 Network Service Scanning |
| t1048 | T1048 Exfiltration Over Alternative Protocol |
| t1049 | T1049 System Network Connections Discovery |
| t1082 | T1082 System Information Discovery |
| t1083 | T1083 File and Directory Discovery |
| t1090 | T1090 Proxy |
| t1095 | T1095 Non-Application Layer Protocol |
| t1102 | T1102 Web Service |
| t1110 | T1110 Brute Force |
| t1119 | T1119 Automated Collection |
| t1124 | T1124 System Time Discovery |
| t1133 | T1133 External Remote Services |
| t1135 | T1135 Network Share Discovery |
| t1136 | T1136 Create Account |
| t1189 | T1189 Drive-by Compromise |
| t1204 | T1204 User Execution |
| t1205 | T1205 Traffic Signaling |
| t1207 | T1207 Rogue Domain Controller |
| t1219 | T1219 Remote Access Software |
| t1482 | T1482 Domain Trust Discovery |
| t1498 | T1498 Network Denial of Service |
| t1499 | T1499 Endpoint Denial of Service |
| t1518 | T1518 Software Discovery |
| t1526 | T1526 Cloud Service Discovery |
| t1534 | T1534 Internal Spearphishing |
| t1535 | T1535 Unused Unsupported Cloud Regions |
| t1537 | T1537 Transfer Data to Cloud Account |
| t1538 | T1538 Cloud Service Dashboard |
| t1557 | T1557 Adversary-in-the-Middle |
| t1562 | T1562 Impair Defenses |
| t1563 | T1563 Remote Service Session Hijacking |
| t1566 | T1566 Phishing |
| t1567 | T1567 Exfiltration Over Web Service |
| t1568 | T1568 Dynamic Resolution |
| t1571 | T1571 Non-Standard Port |
| t1572 | T1572 Protocol Tunneling |
| t1573 | T1573 Encrypted Channel |
| t1578 | T1578 Modify Cloud Compute Infrastructure |
| t1580 | T1580 Cloud Infrastructure Discovery |
| t1583 | T1583 Acquire Infrastructure |
| t1584 | T1584 Compromise Infrastructure |
| t1585.001 | T1585.001 Social Media Accounts |
| t1589 | T1589 Gather Victim Identity Information |
| t1590 | T1590 Gather Victim Network Information |
| t1592 | T1592 Gather Victim Host Information |
| t1595 | T1595 Active Scanning |
| t1598 | T1598 Phishing for Information |
| t1599 | T1599 Network Boundary Bridging |
| t1602 | T1602 Data from Configuration Repository |
| t1614 | T1614 System Location Discovery |
| t1619 | T1619 Cloud Storage Object Discovery |
| ta0011 | TA0011 Command and Control |
Custom
In addition to the system default categories, custom detection categories can be configured in Netography Fusion. To create one in the portal, go to Settings > Detection Categories, then on the main Detection Categories menu click ADD/UPDATE CATEGORY.
Enter your own category name and description, then click SAVE at the bottom of the window.