Detection Quick Reference

This reference summarizes every detection family that MetaDefender NDR produces on MVP, ordered from signature-driven to intelligence-driven to behavioral to machine-learning. Analysts scan this table when triaging an unfamiliar alert. The Detection Name column matches the alert_type value on the wire and the Hunt sub-tab label in the user interface; the Primary Trigger Condition summarizes the rule predicate in one line; the Severity Range gives the native band (before IOC auto-escalation); the Hunt Tab names the Hunt page sub-tab under All Alerts; and the Runbook column points at the investigation procedure in Investigation Runbooks.

First-use acronym expansions in this chapter: C2 (command-and-control), TIDB (Threat Intelligence Database), REPDB (Reputation Database), AV (antivirus), SID (Signature Identifier), DGA (Domain Generation Algorithm), DNS (Domain Name System), TTL (Time To Live), NXDOMAIN (Non-Existent Domain DNS response), IOC (Indicator of Compromise), RCF (Random Cut Forest), ML (machine learning), MVP (Minimum Viable Product), MB (megabyte), SHA-256 (Secure Hash Algorithm 256-bit), RFC-1918 (IETF-reserved private IP ranges), STDDEV (standard deviation).

How to Read This Table

  • Detection Name matches the alert_type field on the wire (for example, c2, beaconing, ml_rcf_anomaly) and the Hunt page's per-type sub-tab under All Alerts. The ndr-alerts rule that produces the alert is named in italics.
  • Family is the detection engine group: Signature (Suricata), IOC (curated threat-intelligence feed match), File Scan (MetaDefender Core multi-AV), Behavioral (RisingWave streaming SQL), or ML (RCF anomaly scoring).
  • Engine identifies the pipeline stage that produced the signal — the Suricata sensor process, a named enrichment service, the RisingWave streaming pipeline, or the RCF streaming pipeline.
  • Primary Trigger Condition is a one-line plain-English rendering of the when clause. The per-family chapters in Detections give the exact predicate.
  • Severity Range shows the native bands the rule assigns. Every row is subject to the IOC auto-escalation rule: when any entity on the event coincides with a C2, TIDB, or REPDB hit, the alert is promoted to Critical severity at 0.99 confidence regardless of the native band.
  • Hunt Tab is the Hunt page sub-tab under All Alerts. Clicking a row in any sub-tab opens the Hunt detail sidebar with the family-specific enrichment section expanded.
  • Runbook points at the investigation procedure analysts follow when the alert needs more than surface-level triage.

Quick Reference

Columns, in order: Detection name · Family · Engine · Primary trigger condition · Severity range · Hunt tab · Runbook. Each entry below lists the same fields.

Suricata signature alert
  Family: Signature
  Engine: Suricata IDS engine inside the sensor process
  Primary trigger condition: A shipped Proofpoint Emerging Threats Pro, OPSWAT local, or community rule matched packet content, protocol metadata, or flow shape. Rule-native severity 1–4 passes straight through.
  Severity range: Critical / High / Medium / Low (maps native 1–4 one-to-one)
  Hunt tab: Suricata Alert
  Runbook: Critical alert triage · Alert flow and PCAP pivoting

C2 Infrastructure (IP)
  Family: IOC
  Engine: ndr-enrichment-c2 against the OPSWAT Eyelet feed
  Primary trigger condition: The event's destination IP, or an IP in a DNS answer, exactly matches an entry on the Eyelet C2 feed (c2.matches[].type is ip or ip_from_dns, has_c2_match == true).
  Severity range: Critical (always, IOC)
  Hunt tab: C2 Infrastructure Alert
  Runbook: C2 beacon investigation

C2 Infrastructure (DNS)
  Family: IOC
  Engine: ndr-enrichment-c2 against the OPSWAT Eyelet feed
  Primary trigger condition: The event's queried DNS name exactly matches an entry on the Eyelet C2 feed (c2.matches[].type is dns, has_c2_match == true).
  Severity range: Critical (always, IOC)
  Hunt tab: C2 Infrastructure Alert
  Runbook: C2 beacon investigation

InSights TIDB
  Family: IOC
  Engine: ndr-enrichment-insights against the OPSWAT Threat Intelligence Database
  Primary trigger condition: Any entity on the event (IP, hostname, or parent-domain hierarchy across DNS, TLS, or HTTP) matched the curated TIDB feed (insights.has_tidb_match == true).
  Severity range: High (always, IOC)
  Hunt tab: InSights Alert
  Runbook: Critical alert triage · C2 beacon investigation

InSights REPDB
  Family: IOC
  Engine: ndr-enrichment-insights against the OPSWAT Reputation Database
  Primary trigger condition: An entity matched the REPDB feed (insights.has_repdb_match == true) and no entity on the event matched TIDB. The mutual-exclusion guard suppresses REPDB when TIDB fires on the same event.
  Severity range: Medium (always, IOC)
  Hunt tab: InSights Alert
  Runbook: Critical alert triage · Alert flow and PCAP pivoting

MetaDefender High AV
  Family: File Scan
  Engine: ndr-enrichment-mdcore against MetaDefender Cloud or Core
  Primary trigger condition: An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is ≥ 6: broad multi-AV agreement on a malicious verdict.
  Severity range: High
  Hunt tab: MDCore Alert
  Runbook: Malicious file investigation

MetaDefender Medium AV
  Family: File Scan
  Engine: ndr-enrichment-mdcore against MetaDefender Cloud or Core
  Primary trigger condition: An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is 3, 4, or 5: the early-detection band before broad vendor agreement.
  Severity range: Medium
  Hunt tab: MDCore Alert
  Runbook: Malicious file investigation

MetaDefender Low AV
  Family: File Scan
  Engine: ndr-enrichment-mdcore against MetaDefender Cloud or Core
  Primary trigger condition: An extracted file returned threat_found == true and the maximum positive_engines across all files on the event is 1 or 2: a possible false positive; corroborate with source host, destination, and filename before escalating.
  Severity range: Low
  Hunt tab: MDCore Alert
  Runbook: Malicious file investigation · Alert flow and PCAP pivoting

Beaconing
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: The (src_ip, dest_ip, dest_port) tuple recorded ≥ 15 connections with STDDEV(bytes) < 1,000 and server_packets < connections × 5 over a 4-hour hopping window (1-hour slide). RFC-1918 destinations, broadcast/multicast, and DNS/DHCP/NTP ports are excluded at the pipeline.
  Severity range: Critical (≥ 50 connections) / High (≥ 30) / Medium (≥ 20) / Low (≥ 15)
  Hunt tab: Beaconing Detection Alert
  Runbook: C2 beacon investigation

Data Exfiltration
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: The (src_ip, dest_ip, dest_port, app_proto) tuple recorded an upload-to-download byte ratio ≥ 2:1 with total upload ≥ 1 MB over a 15-minute hopping window (5-minute slide), with src_ip inside RFC-1918 and dest_ip outside RFC-1918.
  Severity range: Critical (ratio ≥ 10:1 AND upload ≥ 100 MB) / High (ratio ≥ 5:1 AND upload ≥ 10 MB, or ratio ≥ 2:1 AND upload ≥ 100 MB) / Medium (ratio ≥ 2:1 AND upload ≥ 10 MB) / Low (ratio ≥ 2:1 AND upload ≥ 1 MB)
  Hunt tab: Data Exfiltration Detection Alert
  Runbook: Data exfiltration investigation

Long Duration Flow
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: A single flow record reported flow.age ≥ 3,600 seconds (1 hour). The alert re-emits at the 10-, 20-, and 24-hour thresholds so analysts can watch the severity escalate without losing the original.
  Severity range: Critical (≥ 24 hours, RED) / High (≥ 10 hours, ORANGE) / Medium (≥ 1 hour, YELLOW)
  Hunt tab: Long Duration Flow Alert
  Runbook: C2 beacon investigation · Alert flow and PCAP pivoting

Port Scan
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: The (src_ip, dest_ip) pair touched ≥ 10 distinct destination ports over a 1-hour hopping window (15-minute slide): a vertical scan on one target.
  Severity range: Critical (≥ 100 ports) / High (≥ 50) / Medium (≥ 20) / Low (≥ 10)
  Hunt tab: Port Scan Detection Alert
  Runbook: Critical alert triage · Alert flow and PCAP pivoting

Connection Spray
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: One src_ip touched ≥ 20 distinct destination IPs over a 1-hour hopping window (15-minute slide): a horizontal scan across the network.
  Severity range: Critical (≥ 200 destinations) / High (≥ 100) / Medium (≥ 50) / Low (≥ 20)
  Hunt tab: Connection Spray Detection Alert
  Runbook: Critical alert triage

DNS Tunneling
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: A DNS query satisfied at least one of five suspicion indicators (LENGTH(query_name) > 50, > 3 subdomain levels, record type in TXT/NULL/CNAME, answer > 200 chars, first subdomain label > 25 chars). The suspicion_score is the count of satisfied indicators (0–5).
  Severity range: Critical (IOC) / High (score ≥ 3) / Medium (score = 2) / Low (score = 1)
  Hunt tab: DNS Tunneling Suspicious Alert
  Runbook: Tunneling investigation

DGA
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: One src_ip recorded an NXDOMAIN ratio ≥ 0.5 with ≥ 20 total queries over a 1-hour tumbling window, or any query matched an IOC. The combined threshold separates DGA behavior from benign typos or misconfigurations.
  Severity range: Critical (IOC) / High (ratio ≥ 0.7 AND queries ≥ 50) / Medium (ratio ≥ 0.5 AND queries ≥ 20) / Low (above minimum)
  Hunt tab: DGA Detection Alert
  Runbook: C2 beacon investigation

Fast Flux
  Family: Behavioral
  Engine: RisingWave streaming SQL over merged events
  Primary trigger condition: A queried domain resolved to ≥ 5 unique response IPs with average TTL < 600 seconds over a 1-hour tumbling window, or any response matched an IOC. The TTL cutoff separates fast flux from legitimate content-delivery networks.
  Severity range: Critical (IOC) / High (unique IPs ≥ 10 AND avg TTL < 300) / Medium (unique IPs ≥ 5 AND avg TTL < 600) / Low (above minimum)
  Hunt tab: Fast Flux Detection Alert
  Runbook: C2 beacon investigation

ML Anomaly (RCF)
  Family: ML
  Engine: RCF streaming pipeline over merged events
  Primary trigger condition: A per-event anomaly score crossed the per-event-type threshold after whitelist adjustment: DNS ≥ 3.0, HTTP ≥ 8.0, Flow ≥ 20.0. Single pass-through rule matching alert_type == "ml_rcf_anomaly".
  Severity range: Medium (always on MVP; score magnitude drives confidence, not severity)
  Hunt tab: ML RCF Anomaly Event
  Runbook: ML anomaly investigation
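The Beaconing row packs a window, three predicates, a set of exclusions and four bands into one line. The following Python is an added example written for this reference, not MetaDefender NDR code and not the RisingWave SQL the product runs; it re-implements that rule over constructed flow records so an analyst can see exactly why a (src_ip, dest_ip, dest_port) tuple does or does not land in a band. Field names on the Flow record, the summing of server_packets across the window, and the use of the sample standard deviation for STDDEV are assumptions.

```python
"""Beaconing rule (4 h hopping window, 1 h slide) re-implemented over constructed
flow records. Added example; not the product's pipeline code."""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 4 * 3600           # 4-hour hopping window
SLIDE_S = 3600                # 1-hour slide
MIN_CONNECTIONS = 15          # Low band starts here
MAX_BYTES_STDDEV = 1000.0     # STDDEV(bytes) must stay below this
SERVER_PKTS_PER_CONN = 5      # server_packets < connections * 5
EXCLUDED_PORTS = {53, 67, 68, 123}   # DNS, DHCP, NTP are dropped at the pipeline
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int              # flow timestamp, epoch seconds (assumed field name)
    src_ip: str
    dest_ip: str
    dest_port: int
    bytes: int           # total bytes on the flow
    server_packets: int  # packets sent by the server side


def destination_excluded(dest_ip: str, dest_port: int) -> bool:
    """Pipeline exclusions: RFC-1918, broadcast/multicast destinations, DNS/DHCP/NTP ports."""
    ip = ipaddress.ip_address(dest_ip)
    return (any(ip in net for net in RFC1918)
            or ip.is_multicast
            or dest_ip == "255.255.255.255"
            or dest_port in EXCLUDED_PORTS)


def window_starts(ts: int) -> list[int]:
    """Start times of every 4-hour window on the 1-hour slide grid that contains ts."""
    last = (ts // SLIDE_S) * SLIDE_S
    first = last - WINDOW_S + SLIDE_S
    return list(range(first, last + 1, SLIDE_S))


def beaconing_severity(connections: int) -> str:
    """Native band from the connection count in one window."""
    if connections >= 50:
        return "Critical"
    if connections >= 30:
        return "High"
    if connections >= 20:
        return "Medium"
    return "Low"


def detect_beaconing(flows: list[Flow]) -> dict[tuple, dict]:
    """Return {(window_start, src_ip, dest_ip, dest_port): evidence} for tuples that fire."""
    groups: dict[tuple, list[Flow]] = defaultdict(list)
    for f in flows:
        if destination_excluded(f.dest_ip, f.dest_port):
            continue
        for start in window_starts(f.ts):          # a flow lands in every window covering it
            groups[(start, f.src_ip, f.dest_ip, f.dest_port)].append(f)

    alerts: dict[tuple, dict] = {}
    for key, group in groups.items():
        n = len(group)
        if n < MIN_CONNECTIONS:
            continue
        # PostgreSQL-style STDDEV is the sample deviation; statistics.stdev matches it.
        byte_stddev = statistics.stdev([f.bytes for f in group])
        # Assumption: the rule compares server_packets summed across the window.
        server_pkts = sum(f.server_packets for f in group)
        if byte_stddev >= MAX_BYTES_STDDEV or server_pkts >= n * SERVER_PKTS_PER_CONN:
            continue
        alerts[key] = {"connections": n, "bytes_stddev": round(byte_stddev, 1),
                       "server_packets": server_pkts, "severity": beaconing_severity(n)}
    return alerts


def build_sample_flows() -> list[Flow]:
    """Constructed sample traffic, not captured data."""
    flows: list[Flow] = []
    # 1. Beacon: 10.0.0.5 calls 203.0.113.10:443 every 10 minutes for 4 hours, near-constant size.
    for k in range(24):
        flows.append(Flow(k * 600, "10.0.0.5", "203.0.113.10", 443, 1200 + (k % 3) * 10, 2))
    # 2. Bulk transfers to 198.51.100.7:443: frequent, but sizes vary wildly and the server talks a lot.
    for k in range(20):
        flows.append(Flow(k * 300, "10.0.0.9", "198.51.100.7", 443, 500 if k % 2 else 50000, 40))
    # 3. Chatty SMB to an internal file server: dropped by the RFC-1918 guard before counting.
    for k in range(30):
        flows.append(Flow(k * 120, "10.0.0.5", "192.168.1.10", 445, 1500, 3))
    return flows


if __name__ == "__main__":
    for key, evidence in sorted(detect_beaconing(build_sample_flows()).items()):
        print(key, evidence)
```

Running it shows the hopping window's side effect that surprises analysts: the same beacon tuple fires in three overlapping windows (18, 24 and 18 connections), so one Medium alert arrives flanked by two Low ones for the same destination. The bulk-transfer tuple never fires because STDDEV(bytes) and the server_packets ceiling both reject it, and the SMB tuple never reaches the counter at all.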

Reading the Severity Column

The Severity Range column lists the native bands each detection assigns before any cross-family escalation. Three patterns recur across the table.

  • Always-single-band. The IOC families (C2 IP, C2 DNS, TIDB, REPDB) and the ML anomaly family assign exactly one severity because the match is binary (membership in a feed) or the pipeline does not differentiate by score on MVP (RCF). C2 is always Critical, TIDB is always High, REPDB is always Medium, ML is always Medium.
  • Threshold-tiered. Behavioral detections, MetaDefender file scanning, and Suricata native severity all use numeric thresholds to assign a band. A single detection can land in any of its bands depending on the magnitude of the evidence: 15 beaconing connections raise Low, 50 raise Critical. The thresholds are not tunable at the alert level; the detection chapters document them so analysts understand what drove an alert into a particular band rather than wondering how to reclassify it.
  • IOC auto-escalation. Every family participates in the unified auto-escalation rule defined in unified security scale. When any entity on the alert coincides with a C2, TIDB, or REPDB hit, the alert is promoted to Critical / 0.99 regardless of its native band. Analysts distinguish between threshold-Critical (evidence alone reached Critical) and IOC-Critical (the auto-escalation rule fired) by reading the sidebar: an IOC-Critical alert carries a companion C2 Enrichment or InSights Enrichment section with the matched indicator.
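To make the three patterns concrete, here is an added Python example (written for this reference, not MetaDefender NDR code) that takes the DNS Tunneling row from the table through all three steps: score the five suspicion indicators, map the score to its threshold-tiered native band, then apply the IOC auto-escalation rule and record whether the resulting Critical is threshold-Critical or IOC-Critical, including which enrichment section the sidebar would show given the TIDB-over-REPDB guard. The DnsEvent field names, the counting of "subdomain levels" as labels below the registrable domain, and the absence of a confidence value for non-escalated alerts are assumptions; the page only specifies 0.99 for the escalated case.

```python
"""DNS tunneling suspicion score, native band, and IOC auto-escalation to Critical/0.99,
applied to constructed DNS events. Added example; not the product's rule code."""
from __future__ import annotations

from dataclasses import dataclass

TUNNEL_RECORD_TYPES = {"TXT", "NULL", "CNAME"}
IOC_CRITICAL_CONFIDENCE = 0.99


@dataclass
class DnsEvent:
    query_name: str
    record_type: str
    answer: str = ""
    # Enrichment flags as the rules see them (flag names from the table).
    has_c2_match: bool = False
    has_tidb_match: bool = False
    has_repdb_match: bool = False


def suspicion_indicators(ev: DnsEvent) -> dict[str, bool]:
    """The five indicators from the table; suspicion_score is how many are true."""
    labels = ev.query_name.rstrip(".").split(".")
    # Assumption: "subdomain levels" counts labels below the registrable domain
    # (everything except the last two labels).
    subdomain_levels = max(len(labels) - 2, 0)
    return {
        "query_length_gt_50": len(ev.query_name) > 50,
        "subdomain_levels_gt_3": subdomain_levels > 3,
        "record_type_txt_null_cname": ev.record_type.upper() in TUNNEL_RECORD_TYPES,
        "answer_gt_200_chars": len(ev.answer) > 200,
        "first_label_gt_25_chars": len(labels[0]) > 25,
    }


def native_band(score: int) -> str | None:
    """Threshold-tiered native severity; a score of 0 means the rule does not fire."""
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    if score == 1:
        return "Low"
    return None


def resolve(ev: DnsEvent) -> dict:
    """Native band first, then the cross-family IOC auto-escalation rule."""
    indicators = suspicion_indicators(ev)
    score = sum(indicators.values())
    native = native_band(score)
    result = {"score": score, "indicators": indicators, "native": native,
              "final": native, "confidence": None,
              "basis": "threshold" if native else None, "enrichment": None}
    if native is None:
        # No tunneling alert. An IOC hit on this event is raised by the C2/InSights rows instead.
        return result
    # Enrichment section the sidebar would show; REPDB is suppressed when TIDB fires.
    if ev.has_c2_match:
        feed = "C2 Enrichment"
    elif ev.has_tidb_match:
        feed = "InSights Enrichment (TIDB)"
    elif ev.has_repdb_match:
        feed = "InSights Enrichment (REPDB)"
    else:
        feed = None
    if feed is not None:
        result.update(final="Critical", confidence=IOC_CRITICAL_CONFIDENCE,
                      basis="ioc", enrichment=feed)
    return result


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    # 36-char base32-looking first label, six subdomain levels, TXT: classic tunnel shape.
    DnsEvent("mfrgg43fnzsxe2lomfxgkzlbnzsxe2dbnzsq.c1.c2.c3.c4.t.example.net", "TXT"),
    # Ordinary A lookup: no indicators, no alert.
    DnsEvent("www.example.com", "A", "203.0.113.10"),
    # CDN-style CNAME chain: two indicators (Medium), but the name is also on TIDB and REPDB.
    DnsEvent("cdn-assets.static.cache.edge.example.org", "CNAME", "edge.example.org",
             has_tidb_match=True, has_repdb_match=True),
    # Legitimate TXT lookup: one indicator, Low.
    DnsEvent("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = resolve(ev)
        print(f"{ev.query_name:<62} score={r['score']} native={r['native']} "
              f"final={r['final']} basis={r['basis']} enrichment={r['enrichment']}")
```

The third event is the case the sidebar rule above is written for: its evidence alone only reaches Medium, yet it arrives as Critical at 0.99 confidence, and the only way to tell it apart from the first event's threshold-High is the InSights Enrichment section attached to it (TIDB, not REPDB, because of the mutual-exclusion guard).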

Reading the Runbook Column

Every runbook is written to a specific investigative starting point; a given alert may route through multiple runbooks in sequence. The Runbook column names the first stop.

  • Critical alert triage is the first stop for any Critical-severity alert and for the two scan families (Port Scan, which is vertical on one target, and Connection Spray, which is horizontal across the network), where the priority is deciding whether the source host is authorized for scan behavior.
  • C2 beacon investigation covers the C2 IOC, Beaconing, Long Duration Flow, DGA, and Fast Flux families — every detection whose follow-on investigation involves identifying a callback destination and correlating with surrounding session evidence.
  • Data exfiltration investigation covers the Data Exfiltration family: identifying the source host, quantifying the uploaded volume, and determining whether the destination is attacker-controlled.
  • Malicious file investigation covers every MetaDefender Core tier: reading the multi-AV verdict, correlating the download session with its initiating host and user, retrieving the archived file when storage is enabled, and determining whether the file reached a host that executed it.
  • ML anomaly investigation covers the ML Anomaly family: reading the anomaly score and threshold together, interpreting whitelist adjustments, pivoting to the original event's protocol-specific sidebar section, and deciding whether a cluster of ML alerts warrants escalation.
  • Tunneling investigation covers DNS Tunneling: pivoting from the flagged query to the full query stream for the source and parent domain, cross-referencing with C2 and InSights enrichments, and determining whether the source host needs isolation.
  • Alert flow and PCAP pivoting is the shared procedure for walking from any alert back to the full session capture when raw-packet evidence is needed.