Alert Types That Use the Sensor Monitoring Index

The Alert Types listed below use the Sensor Monitoring Index. For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

Data Ingestion Volume Anomaly

A sensor is sending an anomalously high or low volume of data, compared to its typical volume. Check the sensor. A low volume could indicate a sensor failure or other problems. For a high volume, determine the cause of the increase.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: XDR SBA (XTA0003)

  • Technique: XDR Bytes Anomaly (XT3001)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ade_outbytes_anomaly.

Severity

10

Key Fields and Relevant Data Points

  • engid — sensor ID
  • engid_name — sensor name
  • actual — actual volume of data in the period
  • typical — typical difference in data volume between this period and the previous period

Use Case with Data Points

The data ingestion volume of every data sensor with sensor ID (engid) and sensor name (engid_name) is calculated periodically. If one of the following conditions is met, the anomaly is triggered:

  • A moving window is used to record data ingestion volume. If the time window can be divided into two sub-windows and the metric values of those two sub-windows show a large deviation from each other

  • The ingestion volume is anomalously high compared to its own history

  • The ingestion volume is anomalously low compared to its history and remains low for a relatively long period

A sample Interflow includes the sensor ID (engid) and sensor name (engid_name).
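As an added illustration, not Stellar Cyber's implementation, the following Python script evaluates the three conditions above for a hypothetical sensor and applies the once-per-24-hours rule from the introduction to the attribute set that fired. The window size, ratios, the one-sample-per-hour timing and the volume series are constructed assumptions.

```python
# Added example (not Stellar Cyber's code): simplified Data Ingestion Volume Anomaly
# detector. Window size, ratios, one-sample-per-hour timing and SAMPLES are assumed.
from statistics import mean

WINDOW = 6          # periods of history in the moving window (assumed)
SPLIT_RATIO = 4.0   # sub-window mean ratio that counts as "large deviation" (assumed)
HIGH_RATIO = 3.0    # actual/typical at or above this is anomalously high (assumed)
LOW_RATIO = 0.5     # actual/typical at or below this is low (assumed)
LOW_PERSIST = 3     # consecutive low periods before "persistent low" fires (assumed)

def split_window_deviates(window):
    """Condition 1: halve the moving window and compare the halves' mean volume."""
    half = len(window) // 2
    lo, hi = sorted((mean(window[:half]), mean(window[half:])))
    return hi > 0 and (lo == 0 or hi / lo >= SPLIT_RATIO)

def evaluate_sensor(engid, engid_name, samples):
    """Emit one ade_outbytes_anomaly event per condition met, per hourly period."""
    events, low_streak = [], 0
    for i in range(WINDOW, len(samples)):
        history = samples[i - WINDOW:i]
        actual, typical = samples[i], mean(history)   # typical assumed = history mean
        ratio = actual / typical if typical else (float("inf") if actual else 1.0)
        low_streak = low_streak + 1 if ratio <= LOW_RATIO else 0   # condition 3 counter
        reasons = [r for r, hit in (("split_window", split_window_deviates(samples[i - WINDOW + 1:i + 1])),
                                    ("high", ratio >= HIGH_RATIO),
                                    ("persistent_low", low_streak >= LOW_PERSIST)) if hit]
        for reason in reasons:
            events.append({"xdr_event.name": "ade_outbytes_anomaly", "severity": 10,
                           "engid": engid, "engid_name": engid_name, "actual": actual,
                           "typical": round(typical, 1), "reason": reason, "hour": i})
    return events

def suppress(events, hours=24):
    """Fire each (sensor, reason) attribute set at most once per 24 hours."""
    last_fired, kept = {}, []
    for ev in events:                      # events arrive in time order
        key = (ev["engid"], ev["reason"])
        if key not in last_fired or ev["hour"] - last_fired[key] >= hours:
            last_fired[key] = ev["hour"]
            kept.append(ev)
    return kept

# Constructed hourly volumes: steady 1000, a one-hour spike, then a sustained drop.
SAMPLES = [1000] * 8 + [5000] + [1000] * 3 + [100] * 6
ALERTS = suppress(evaluate_sensor("sensor-01", "dc1-sensor", SAMPLES))
print(*ALERTS, sep="\n")
```

Without suppression the drop produces a new event every hour; with it, each reason for this sensor surfaces once in the 24-hour window.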

Sensor Status Anomaly

The sensor has changed its status from "connected" to "disconnected".

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: XDR SBA (XTA0003)

  • Technique: XDR Status Anomaly (XT3002)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ade_outbytes_anomaly_flip.

Severity

10

Key Fields and Relevant Data Points

  • engid — sensor ID
  • engid_name — sensor name

Use Case with Data Points

For each sensor, its connection status is checked periodically; if the status changes from "connected" to "disconnected", the anomaly is triggered. A sample Interflow includes the sensor ID (engid) and sensor name (engid_name).