Alert Types That Use the Sensor Monitoring Index

The Alert Types listed below use the Sensor Monitoring Index .For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

Data Ingestion Volume Anomaly
Sensor Status Anomaly

Data Ingestion Volume Anomaly

A sensor is sending an anomalously high or low volume of data, compared to its typical volume. Check the sensor. A low volume could indicate a sensor failure or other problems. For a high volume, determine the cause of the increase.

XDR Kill Chain

Kill Chain Stage: Initial Attempts
Tactic: XDR SBA (XTA0003)
Technique: XDR Bytes Anomaly (XT3001)
Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ade_outbytes_anomaly.

Severity

Key Fields and Relevant Data Points

engid — sensor ID
engid_name — sensor name
actual — actual volume of data in the period
typical — typical difference in data volume between this period and the previous period

Use Case with Data Points

The data ingestion volume of every data sensor with sensor id (engid) and sensor name (engid_name) is calculated periodically. If one of the following conditions is met, the anomaly is triggered:

A moving window is used to record data ingestion volume. If the time window can be divided into two sub windows and the metric values of these two sub windows show large deviation
The ingestion volume is anomalously high compared to its own history
The ingestion volume is anomalously low compared to its history and it keeps being low for a relatively longer period

A sample Interflow includes the sensor ID (engid) and sensor name (engid_name).

Sensor Status Anomaly

The sensor has changed its status from "connected" to "disconnected".

For Windows Agent sensors, this alert type logs the status of each sensor every 5 minutes. The status includes whether or not the sensor is connected and whether or not the sensor is sending data.

This alert type has the following subtypes:

Sensor Status Flipped
Disconnected but still sending data
Disconnected and stopped sending data
Disconnected and inactive

XDR Kill Chain

Kill Chain Stage: Initial Attempts
Tactic: XDR SBA (XTA0003)
Technique: XDR Status Anomaly (XT3002)
Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ade_outbytes_anomaly_flip.

Severity

Key Fields and Relevant Data Points

engid — sensor ID
engid_name — sensor name
metadata.status — sensor (engine) status

Use Case with Data Points

For each sensor, its connection status is checked periodically, if the status changes from “connected“ to “disconnected“, the anomaly is triggered. A sample Interflow includes the sensor ID (engid) and sensor name (engid_name).

Alert Subtype: Sensor Status Flipped

The Sensor Status Flipped alert subtype is the same as the Sensor Status Anomaly alert type above, with the following differences:

The xdr_event.subtype.name for this alert subtype in the Interflow data is sensor_status_anomaly_flip.
The subtype is for data sources from Windows Agent sensors.
It is triggered instantly when a disconnection is logged.

Alert Subtype: Disconnected but still sending data

The Disconnected but still sending data alert subtype is the same as the Sensor Status Anomaly alert type above, with the following differences:

The xdr_event.subtype.name for this alert subtype in the Interflow data is sensor_status_anomaly_sending_data.
The subtype is for data sources from Windows Agent sensors.
It indicates a connection status of disconnected but still sending data.
A disconnection alert is sent if the sensor stays disconnected or sends no data for 15 minutes.

Alert Subtype: Disconnected and stopped sending data

The Disconnected and stopped sending data alert subtype is the same as the Sensor Status Anomaly alert type above, with the following differences:

The xdr_event.subtype.name for this alert subtype in the Interflow data is sensor_status_anomaly_stopped_sending_data.
The subtype is for data sources from Windows Agent sensors.
It indicates a connection status of disconnected and stopped sending data.
A disconnection alert is sent if the sensor stays disconnected or sends no data for 15 minutes.

Alert Subtype: Disconnected and inactive

The Disconnected and inactive alert subtype is the same as the Sensor Status Anomaly alert type above, with the following differences:

The xdr_event.subtype.name for this alert subtype in the Interflow data is sensor_status_anomaly_no_data.
The subtype is for data sources from Windows Agent sensors.
It indicates a transition from a connection status of connected, not sending data to disconnected, not sending data.
A disconnection alert is sent if the sensor stays disconnected or sends no data for 15 minutes.