Detection Quick Reference
This reference summarizes every detection family that MetaDefender NDR produces on MVP, ordered from signature-driven to intelligence-driven to behavioral to machine-learning. Analysts scan this table when triaging an unfamiliar alert — the Detection Name column matches the alert_type value on the wire and the Hunt sub-tab label in the user interface, the Primary Trigger Condition summarizes the rule predicate in one line, the Severity Range gives the native band (before IOC auto-escalation), the Hunt Tab names the Hunt page sub-tab under All Alerts, and the Runbook column points at the investigation procedure in Investigation Runbooks.
First-use acronym expansions in this chapter: C2 (command-and-control), TIDB (Threat Intelligence Database), REPDB (Reputation Database), AV (antivirus), SID (Signature Identifier), DGA (Domain Generation Algorithm), DNS (Domain Name System), TTL (Time To Live), NXDOMAIN (Non-Existent Domain DNS response), IOC (Indicator of Compromise), RCF (Random Cut Forest), ML (machine learning), MVP (Minimum Viable Product), MB (megabyte), SHA-256 (Secure Hash Algorithm 256-bit), RFC-1918 (IETF-reserved private IP ranges), STDDEV (standard deviation).
How to Read This Table
- Detection Name matches the `alert_type` field on the wire (for example, `c2`, `beaconing`, `ml_rcf_anomaly`) and the Hunt page's per-type sub-tab under All Alerts. The `ndr-alerts` rule that produces the alert is named in italics.
- Family is the detection engine group: Signature (Suricata), IOC (curated threat-intelligence feed match), File Scan (MetaDefender Core multi-AV), Behavioral (RisingWave streaming SQL), or ML (RCF anomaly scoring).
- Engine identifies the pipeline stage that produced the signal — the Suricata sensor process, a named enrichment service, the RisingWave streaming pipeline, or the RCF streaming pipeline.
- Primary Trigger Condition is a one-line plain-English rendering of the `when` clause. The per-family chapters in Detections give the exact predicate.
- Severity Range shows the native bands the rule assigns. Every row is subject to the IOC auto-escalation rule: when any entity on the event coincides with a C2, TIDB, or REPDB hit, the alert is promoted to Critical severity at 0.99 confidence regardless of the native band.
- Hunt Tab is the Hunt page sub-tab under All Alerts. Clicking a row in any sub-tab opens the Hunt detail sidebar with the family-specific enrichment section expanded.
- Runbook points at the investigation procedure analysts follow when the alert needs more than surface-level triage.
Quick Reference
| Detection name | Family | Engine | Primary trigger condition | Severity range | Hunt tab | Runbook |
|---|---|---|---|---|---|---|
| Suricata signature alert | Signature | Suricata IDS engine inside the sensor process | A shipped Proofpoint Emerging Threats Pro, OPSWAT local, or community rule matched packet content, protocol metadata, or flow shape. Rule-native severity 1–4 passes straight through. | Critical / High / Medium / Low (maps native 1–4 one-to-one) | Suricata Alert | [Critical alert triage](Critical alert triage) · [Alert flow and PCAP pivoting](Alert flow and PCAP pivoting) |
| C2 Infrastructure (IP) | IOC | ndr-enrichment-c2 against the OPSWAT Eyelet feed | The event's destination IP — or an IP in a DNS answer — exactly matches an entry on the Eyelet C2 feed (c2.matches[].type is ip or ip_from_dns, has_c2_match == true). | Critical (always — IOC) | C2 Infrastructure Alert | [C2 beacon investigation](C2 beacon investigation) |
| C2 Infrastructure (DNS) | IOC | ndr-enrichment-c2 against the OPSWAT Eyelet feed | The event's queried DNS name exactly matches an entry on the Eyelet C2 feed (c2.matches[].type is dns, has_c2_match == true). | Critical (always — IOC) | C2 Infrastructure Alert | [C2 beacon investigation](C2 beacon investigation) |
| InSights TIDB | IOC | ndr-enrichment-insights against the OPSWAT Threat Intelligence Database | Any entity on the event — IP, hostname, or parent-domain hierarchy across DNS, TLS, or HTTP — matched the curated TIDB feed (insights.has_tidb_match == true). | High (always — IOC) | InSights Alert | [Critical alert triage](Critical alert triage) · [C2 beacon investigation](C2 beacon investigation) |
| InSights REPDB | IOC | ndr-enrichment-insights against the OPSWAT Reputation Database | An entity matched the REPDB feed (insights.has_repdb_match == true) and no entity on the event matched TIDB. The mutual-exclusion guard suppresses REPDB when TIDB fires on the same event. | Medium (always — IOC) | InSights Alert | [Critical alert triage](Critical alert triage) · [Alert flow and PCAP pivoting](Alert flow and PCAP pivoting) |
| MetaDefender High AV | File Scan | ndr-enrichment-mdcore against MetaDefender Cloud or Core | An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is ≥ 6 — broad multi-AV agreement on a malicious verdict. | High | MDCore Alert | [Malicious file investigation](Malicious file investigation) |
| MetaDefender Medium AV | File Scan | ndr-enrichment-mdcore against MetaDefender Cloud or Core | An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is 3, 4, or 5 — early-detection band before broad vendor agreement. | Medium | MDCore Alert | [Malicious file investigation](Malicious file investigation) |
| MetaDefender Low AV | File Scan | ndr-enrichment-mdcore against MetaDefender Cloud or Core | An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is 1 or 2 — possible false positive; corroborate with source host, destination, and filename before escalating. | Low | MDCore Alert | [Malicious file investigation](Malicious file investigation) · [Alert flow and PCAP pivoting](Alert flow and PCAP pivoting) |
| Beaconing | Behavioral | RisingWave streaming SQL over merged events | The (src_ip, dest_ip, dest_port) tuple recorded ≥ 15 connections with STDDEV(bytes) < 1,000 and server_packets < connections × 5 over a 4-hour hopping window (1-hour slide). RFC-1918 destinations, broadcast/multicast, and DNS/DHCP/NTP ports are excluded at the pipeline. | Critical (≥ 50 connections) / High (≥ 30) / Medium (≥ 20) / Low (≥ 15) | Beaconing Detection Alert | [C2 beacon investigation](C2 beacon investigation) |
| Data Exfiltration | Behavioral | RisingWave streaming SQL over merged events | The (src_ip, dest_ip, dest_port, app_proto) tuple recorded an upload-to-download byte ratio ≥ 2:1 with total upload ≥ 1 MB over a 15-minute hopping window (5-minute slide), with src_ip inside RFC-1918 and dest_ip outside RFC-1918. | Critical (ratio ≥ 10:1 AND upload ≥ 100 MB) / High (ratio ≥ 5:1 AND upload ≥ 10 MB, or ratio ≥ 2:1 AND upload ≥ 100 MB) / Medium (ratio ≥ 2:1 AND upload ≥ 10 MB) / Low (ratio ≥ 2:1 AND upload ≥ 1 MB) | Data Exfiltration Detection Alert | [Data exfiltration investigation](Data exfiltration investigation) |
| Long Duration Flow | Behavioral | RisingWave streaming SQL over merged events | A single flow record reported flow.age ≥ 3,600 seconds (1 hour). The alert re-emits at the 10-, 20-, and 24-hour thresholds so analysts can watch the severity escalate without losing the original. | Critical (≥ 24 hours — RED) / High (≥ 10 hours — ORANGE) / Medium (≥ 1 hour — YELLOW) | Long Duration Flow Alert | [C2 beacon investigation](C2 beacon investigation) · [Alert flow and PCAP pivoting](Alert flow and PCAP pivoting) |
| Port Scan | Behavioral | RisingWave streaming SQL over merged events | The (src_ip, dest_ip) pair touched ≥ 10 distinct destination ports over a 1-hour hopping window (15-minute slide) — a vertical scan on one target. | Critical (≥ 100 ports) / High (≥ 50) / Medium (≥ 20) / Low (≥ 10) | Port Scan Detection Alert | [Critical alert triage](Critical alert triage) · [Alert flow and PCAP pivoting](Alert flow and PCAP pivoting) |
| Connection Spray | Behavioral | RisingWave streaming SQL over merged events | One src_ip touched ≥ 20 distinct destination IPs over a 1-hour hopping window (15-minute slide) — a horizontal scan across the network. | Critical (≥ 200 destinations) / High (≥ 100) / Medium (≥ 50) / Low (≥ 20) | Connection Spray Detection Alert | [Critical alert triage](Critical alert triage) |
| DNS Tunneling | Behavioral | RisingWave streaming SQL over merged events | A DNS query satisfied at least one of five suspicion indicators (LENGTH(query_name) > 50, > 3 subdomain levels, record type in TXT/NULL/CNAME, answer > 200 chars, first subdomain label > 25 chars). The suspicion_score is the count of satisfied indicators (0–5). | Critical (IOC) / High (score ≥ 3) / Medium (score = 2) / Low (score = 1) | DNS Tunneling Suspicious Alert | [Tunneling investigation](Tunneling investigation) |
| DGA | Behavioral | RisingWave streaming SQL over merged events | One src_ip recorded an NXDOMAIN ratio ≥ 0.5 with ≥ 20 total queries over a 1-hour tumbling window, or any query matched an IOC. Combined threshold separates DGA behavior from benign typos or misconfigurations. | Critical (IOC) / High (ratio ≥ 0.7 AND queries ≥ 50) / Medium (ratio ≥ 0.5 AND queries ≥ 20) / Low (above minimum) | DGA Detection Alert | [C2 beacon investigation](C2 beacon investigation) |
| Fast Flux | Behavioral | RisingWave streaming SQL over merged events | A queried domain resolved to ≥ 5 unique response IPs with average TTL < 600 seconds over a 1-hour tumbling window, or any response matched an IOC. The TTL cutoff separates fast flux from legitimate content-delivery networks. | Critical (IOC) / High (unique IPs ≥ 10 AND avg TTL < 300) / Medium (unique IPs ≥ 5 AND avg TTL < 600) / Low (above minimum) | Fast Flux Detection Alert | [C2 beacon investigation](C2 beacon investigation) |
| ML Anomaly (RCF) | ML | RCF streaming pipeline over merged events | A per-event anomaly score crossed the per-event-type threshold after whitelist adjustment: DNS ≥ 3.0, HTTP ≥ 8.0, Flow ≥ 20.0. Single pass-through rule matching alert_type == "ml_rcf_anomaly". | Medium (always on MVP — score magnitude drives confidence, not severity) | ML RCF Anomaly Event | [ML anomaly investigation](ML anomaly investigation) |
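The Beaconing row compresses several predicate parts into one line: a connection count over a hopping window, a bound on byte variance, a bound on what the server sends back, and the pipeline exclusions. The following Python is an added example, not the product's RisingWave SQL, that re-implements that row over constructed flow records so the parts can be watched working together on sample data, including how one steady beacon lands in a different severity band in each hopping window it overlaps. Field names (`ts`, `src_ip`, `dest_ip`, `dest_port`, `bytes`, `server_packets`), the hour-aligned window bucketing, and the sample hosts and traffic are assumptions.

```python
"""Beaconing predicate from the quick-reference table, re-implemented over
constructed flow records. Added example, not the product's RisingWave SQL;
record field names and the window bucketing are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

MIN_CONNECTIONS = 15               # Low band starts here
MAX_BYTES_STDDEV = 1000.0          # STDDEV(bytes) < 1,000: near-constant payload size
SERVER_PKTS_PER_CONN = 5           # server_packets < connections x 5: server barely talks back
WINDOW_SECONDS = 4 * 3600          # 4-hour hopping window ...
SLIDE_SECONDS = 3600               # ... advancing every hour
EXCLUDED_PORTS = {53, 67, 68, 123}  # DNS, DHCP (server/client), NTP
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BANDS = ((50, "Critical"), (30, "High"), (20, "Medium"), (MIN_CONNECTIONS, "Low"))


def excluded_destination(dest_ip, dest_port):
    """Pipeline-level exclusions: RFC-1918, broadcast/multicast, infrastructure ports."""
    ip = ip_address(dest_ip)
    return (any(ip in net for net in RFC1918) or ip.is_multicast
            or dest_ip == "255.255.255.255" or dest_port in EXCLUDED_PORTS)


def hop_windows(ts):
    """Start times of every 4 h window (1 h slide) that contains ts (assumed hour-aligned)."""
    last_start = ts - ts % SLIDE_SECONDS
    first_start = last_start - WINDOW_SECONDS + SLIDE_SECONDS
    return range(first_start, last_start + 1, SLIDE_SECONDS)


def beacon_severity(connections):
    """Native band from the connection count; None below the Low threshold."""
    for threshold, band in BANDS:
        if connections >= threshold:
            return band
    return None


def detect_beaconing(flows):
    """One alert per (window, src_ip, dest_ip, dest_port) tuple that meets the predicate."""
    groups = defaultdict(list)
    for f in flows:
        if excluded_destination(f["dest_ip"], f["dest_port"]):
            continue
        for ws in hop_windows(f["ts"]):
            groups[(ws, f["src_ip"], f["dest_ip"], f["dest_port"])].append(f)
    alerts = []
    for (ws, src, dst, port), fs in sorted(groups.items()):
        n = len(fs)
        if n < MIN_CONNECTIONS:
            continue
        if pstdev([f["bytes"] for f in fs]) >= MAX_BYTES_STDDEV:
            continue                    # payload size varies too much for a check-in
        if sum(f["server_packets"] for f in fs) >= n * SERVER_PKTS_PER_CONN:
            continue                    # server sends real data back: not a beacon
        alerts.append({"window_start": ws, "src_ip": src, "dest_ip": dst, "dest_port": port,
                       "connections": n, "severity": beacon_severity(n)})
    return alerts


BASE = 1_699_999_200  # constructed epoch, aligned to an hour boundary


def sample_flows():
    """Constructed traffic, not real captures."""
    flows = []
    for i in range(60):   # check-in every 4 min to a public host: 15 per hour over 4 hours
        flows.append({"ts": BASE + 240 * i, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10",
                      "dest_port": 443, "bytes": 512 + 8 * (i % 3), "server_packets": 2})
    for i in range(40):   # SMB to an internal host: RFC-1918 destination, excluded
        flows.append({"ts": BASE + 300 * i, "src_ip": "10.0.0.5", "dest_ip": "10.0.0.7",
                      "dest_port": 445, "bytes": 600, "server_packets": 1})
    for i in range(30):   # DNS to an external resolver: excluded port
        flows.append({"ts": BASE + 120 * i, "src_ip": "10.0.0.9", "dest_ip": "198.51.100.20",
                      "dest_port": 53, "bytes": 80, "server_packets": 1})
    for i in range(20):   # bursty API client: enough connections, but bytes vary widely
        flows.append({"ts": BASE + 60 * i, "src_ip": "10.0.0.11", "dest_ip": "198.51.100.30",
                      "dest_port": 443, "bytes": 1000 * i, "server_packets": 3})
    for i in range(20):   # steady poller that downloads real data: server_packets too high
        flows.append({"ts": BASE + 60 * i, "src_ip": "10.0.0.13", "dest_ip": "198.51.100.40",
                      "dest_port": 443, "bytes": 400, "server_packets": 50})
    return flows


if __name__ == "__main__":
    for alert in detect_beaconing(sample_flows()):
        print(alert)
```

Only the 10.0.0.5 to 203.0.113.10:443 tuple survives the filters, and it produces seven alerts rather than one: the same 60 connections fall into seven overlapping 4-hour windows, counted as 15, 30, 45, 60, 45, 30 and 15, so the analyst sees Low, High, High, Critical, High, High, Low for one beacon. That is why the C2 beacon investigation runbook starts from the tuple, not from a single alert row.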
Reading the Severity Column
The Severity Range column lists the native bands each detection assigns before any cross-family escalation. Three patterns recur across the table.
- Always-single-band. The IOC families (C2 IP, C2 DNS, TIDB, REPDB) and the ML anomaly family assign exactly one severity because the match is binary (membership in a feed) or the pipeline does not differentiate by score on MVP (RCF). C2 is always Critical, TIDB is always High, REPDB is always Medium, ML is always Medium.
- Threshold-tiered. Behavioral detections, MetaDefender Core file scanning, and Suricata native severity all use numeric thresholds to assign a band. A single detection can land in any of the four bands depending on the magnitude of the evidence — 15 beaconing connections raises Low, 50 raises Critical. The thresholds are not tunable at the alert level; the detection chapters document them so analysts understand what drove an alert into a particular band rather than wondering how to reclassify it.
- IOC auto-escalation. Every family participates in the unified auto-escalation rule defined in unified security scale. When any entity on the alert coincides with a C2, TIDB, or REPDB hit, the alert is promoted to Critical / 0.99 regardless of its native band. Analysts distinguish between threshold-Critical (evidence alone reached Critical) and IOC-Critical (the auto-escalation rule fired) by reading the sidebar: an IOC-Critical alert carries a companion C2 Enrichment or InSights Enrichment section with the matched indicator.
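The threshold-tiered and auto-escalation patterns compose in a fixed order: the native band is computed from the evidence first, then the unified IOC rule may override it to Critical / 0.99. The following Python is an added example, not product code, that walks through that order using the Data Exfiltration row's compound thresholds as the native band and the enrichment flags the table names (`c2.has_c2_match`, `insights.has_tidb_match`, `insights.has_repdb_match`). The event dictionary layout, the native confidence value the caller passes in, decimal megabytes, and the divide-by-one guard for upload-only sessions are assumptions.

```python
"""Severity resolution as the table describes it: native threshold band first,
then IOC auto-escalation. Added example, not product code; the event layout,
native confidence, decimal MB and the division guard are assumptions."""
MB = 1_000_000  # assumption: the table's MB read as decimal megabytes


def exfil_native_band(upload_bytes, download_bytes):
    """Data Exfiltration bands from the quick-reference row; None when the rule does not fire."""
    if upload_bytes < 1 * MB:
        return None
    ratio = upload_bytes / max(download_bytes, 1)   # assumption: upload-only session counts as a huge ratio
    if ratio < 2:
        return None
    if ratio >= 10 and upload_bytes >= 100 * MB:
        return "Critical"
    if (ratio >= 5 and upload_bytes >= 10 * MB) or upload_bytes >= 100 * MB:
        return "High"                                 # ratio >= 2 is already guaranteed here
    if upload_bytes >= 10 * MB:
        return "Medium"
    return "Low"


def ioc_hit(event):
    """True when any C2, TIDB, or REPDB enrichment matched an entity on the event."""
    c2 = event.get("c2", {})
    ins = event.get("insights", {})
    return bool(c2.get("has_c2_match") or ins.get("has_tidb_match") or ins.get("has_repdb_match"))


def companion_sections(event):
    """Sidebar sections an IOC-Critical alert carries, per the text above."""
    sections = []
    if event.get("c2", {}).get("has_c2_match"):
        sections.append("C2 Enrichment")
    ins = event.get("insights", {})
    if ins.get("has_tidb_match") or ins.get("has_repdb_match"):
        sections.append("InSights Enrichment")
    return sections


def resolve_severity(native_band, native_confidence, event):
    """Apply IOC auto-escalation on top of the native band.
    Returns (severity, confidence, basis); basis tells threshold-Critical from IOC-Critical."""
    if ioc_hit(event):
        return ("Critical", 0.99, "ioc-escalation")
    return (native_band, native_confidence, "threshold")


def triage_exfil(event, native_confidence):
    """Full path for one Data Exfiltration candidate; None when the native rule does not fire."""
    band = exfil_native_band(event["upload_bytes"], event["download_bytes"])
    if band is None:
        return None                     # IOC families raise their own alerts; this rule stays silent
    severity, confidence, basis = resolve_severity(band, native_confidence, event)
    return {"native": band, "severity": severity, "confidence": confidence,
            "basis": basis, "sidebar": companion_sections(event)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.21", "dest_ip": "203.0.113.5", "upload_bytes": 12 * MB, "download_bytes": 1 * MB},
    {"src_ip": "10.0.0.22", "dest_ip": "203.0.113.6", "upload_bytes": 150 * MB, "download_bytes": 60 * MB,
     "insights": {"has_tidb_match": False, "has_repdb_match": True}},
    {"src_ip": "10.0.0.23", "dest_ip": "203.0.113.7", "upload_bytes": 2 * MB, "download_bytes": 0},
    {"src_ip": "10.0.0.24", "dest_ip": "203.0.113.8", "upload_bytes": 500 * MB, "download_bytes": 10 * MB},
    {"src_ip": "10.0.0.25", "dest_ip": "203.0.113.9", "upload_bytes": 5 * MB, "download_bytes": 4 * MB,
     "c2": {"has_c2_match": True}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["src_ip"], "->", ev["dest_ip"], triage_exfil(ev, native_confidence=0.70))
```

The second and fourth sample events both end up Critical, but for different reasons: the 150 MB upload at a 2.5:1 ratio is natively High and was promoted by a REPDB hit (`basis` is `ioc-escalation`, sidebar lists InSights Enrichment), while the 500 MB upload at 50:1 reached Critical on evidence alone (`basis` is `threshold`, no companion section). The last event shows the other boundary: a C2 hit on a session whose ratio is only 1.25:1 does not turn it into a Data Exfiltration alert, because the native rule never fired; the C2 Infrastructure row raises that alert instead.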
Reading the Runbook Column
Every runbook is written to a specific investigative starting point; a given alert may route through multiple runbooks in sequence. The Runbook column names the first stop.
- Critical alert triage is the first stop for any Critical-severity alert and for the two scan families (Port Scan, the vertical scan of one target, and Connection Spray, the horizontal scan across many targets), where the priority is deciding whether the source host is authorized for scan behavior.
- C2 beacon investigation covers the C2 IOC, Beaconing, Long Duration Flow, DGA, and Fast Flux families — every detection whose follow-on investigation involves identifying a callback destination and correlating with surrounding session evidence.
- Data exfiltration investigation covers the Data Exfiltration family: identifying the source host, quantifying the uploaded volume, and determining whether the destination is attacker-controlled.
- Malicious file investigation covers every MetaDefender Core tier: reading the multi-AV verdict, correlating the download session with its initiating host and user, retrieving the archived file when storage is enabled, and determining whether the file reached a host that executed it.
- ML anomaly investigation covers the ML Anomaly family: reading the anomaly score and threshold together, interpreting whitelist adjustments, pivoting to the original event's protocol-specific sidebar section, and deciding whether a cluster of ML alerts warrants escalation.
- Tunneling investigation covers DNS Tunneling: pivoting from the flagged query to the full query stream for the source and parent domain, cross-referencing with C2 and InSights enrichments, and determining whether the source host needs isolation.
- Alert flow and PCAP pivoting is the shared procedure for walking from any alert back to the full session capture when raw-packet evidence is needed.