Detection Overview
MetaDefender NDR generates alerts from six complementary detection engines. Each engine answers a different question about the network — "has this signature fired before?", "is this entity on a threat-intelligence list?", "did a scanned file come back malicious?", "does this traffic pattern look like beaconing or exfiltration?", "is this event statistically anomalous?" — and every engine feeds into a single unified alert pipeline with the same severity and confidence vocabulary. This chapter introduces the six families, traces how a detection travels from the wire to the analyst, and defines the severity and confidence scales every subsequent chapter uses.
This chapter is written for Tier 1, 2, and 3 Security Operations Center (SOC) analysts, threat hunters, Managed Security Service Provider (MSSP) analysts, and SOC leads. It assumes a running MetaDefender NDR deployment and familiarity with the Dashboard and Hunt Page.
First-use acronym expansions in this chapter: SOC (Security Operations Center), MSSP (Managed Security Service Provider), C2 (command-and-control), IOC (Indicator of Compromise), TIDB (Threat Intelligence Database), REPDB (Reputation Database), IDS (Intrusion Detection System), AV (antivirus), SID (Signature Identifier), MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), DNS (Domain Name System), TLS (Transport Layer Security), SNI (Server Name Indication), JA3 / JA4 (TLS client fingerprint formats), DGA (Domain Generation Algorithm), NXDOMAIN (Non-Existent Domain DNS response), TTL (Time To Live), ML (machine learning), RCF (Random Cut Forest), MVP (Minimum Viable Product).
The Detection Landscape
MetaDefender NDR ships six detection families. Each family is engineered around a distinct evidence type, runs on its own pipeline stage, and produces its own alert shape — but every family converges on the same unified alert stream that the Hunt Page and Dashboard surface.
- Suricata signatures. Deep-packet-inspection signatures from Proofpoint Emerging Threats Pro and other rulepacks shipped with the OPSWAT InSights rulepack. Classical intrusion-detection matches on packet content, protocol anomalies, and rule metadata. See Suricata Signatures.
- Command-and-control (C2) threat intelligence. Exact-match lookups of Internet Protocol (IP) addresses and Domain Name System (DNS) query names against the OPSWAT Eyelet C2 feed. Produces dedicated C2 IP and C2 DNS alerts. See C2 and Threat Intelligence.
- OPSWAT InSights threat intelligence (TIDB and REPDB). Hash-lookup matches against two curated threat-intelligence feeds — the high-confidence Threat Intelligence Database (TIDB) and the broader-coverage Reputation Database (REPDB) — applied to IPs, hostnames, and domain hierarchies across DNS, TLS, and HTTP traffic. See InSights TIDB and REPDB.
- MetaDefender Core file scanning. Extracted files are submitted to MetaDefender Cloud or an on-premises MetaDefender Core cluster for multi-antivirus (multi-AV) scanning. Three alert tiers are raised on the basis of positive-engine count. See MetaDefender Core File Scanning.
- Behavioral analytics. Streaming structured-query-language (SQL) detections running in RisingWave produce eight behavioral alert types — Beaconing, Data Exfiltration, Long Duration Flow, Port Scanning, Connection Spray, DNS Tunneling, Domain Generation Algorithm (DGA) activity, and Fast Flux hosting. See Behavioral Detections.
- Machine-learning (ML) anomaly detection. Random Cut Forest (RCF) unsupervised anomaly scoring applied per event type (DNS, HTTP, Flow) with configurable score thresholds. See ML Anomaly Detections.
Suricata signatures run inside the sensor process. The C2, InSights, and MetaDefender Core families run as enrichment services fed from a shared raw-events Kafka topic. The behavioral family runs in a separate RisingWave streaming pipeline reading the aggregator's merged event stream, and the ML family runs in the RCF pipeline on the same merged stream. All five post-sensor families converge on the alert engine, which applies the rules that translate each stream into a categorized alert.
How Detections Reach the Analyst
A detection travels through a fixed pipeline before it becomes an alert on an operator screen. Understanding that pipeline makes the where and when of each detection family predictable.
- Sensor. A MetaDefender NDR sensor observes traffic on a tapped interface. Suricata parses packets, emits session records (DNS, HTTP, TLS, Server Message Block (SMB), Remote Desktop Protocol (RDP), Simple Mail Transfer Protocol (SMTP), Secure Shell (SSH), Quick User Datagram Protocol Internet Connection (QUIC), File Transfer Protocol (FTP), FileInfo), flow records, and Suricata signature alerts when a rule matches. All output is published to the raw sensor-events stream on the Manager.
- Enrichment services. Each enrichment service consumes the raw stream and adds its own payload when relevant: C2 looks up IPs and DNS names against the Eyelet feed; InSights does the same against TIDB and REPDB; MetaDefender Core submits extracted files for multi-AV scanning; and per-IP metadata services add Autonomous System Number (ASN) and GeoIP data. Enrichment output is published to an enriched stream that names the event's identifier and carries the enrichment status.
- Aggregator. The aggregator waits until every expected enrichment has reported in for a given event, stitches the enrichments back onto the correct entities on the event, and emits a single merged event. If an enrichment never reports, the aggregator synthesizes a timeout status and ships the merged event anyway — no event is lost because an enrichment stalled.
- Streaming analytics. The merged event is consumed in parallel by the RisingWave behavioral pipeline and the RCF ML pipeline. Each pipeline applies its own windowed SQL or anomaly-scoring logic and publishes its findings to dedicated behavioral and ML alert streams.
- Alert engine. A rules engine consumes the merged event stream and the behavioral and ML alert streams. It evaluates a small catalog of rules (one per detection family plus per-tier rules for MetaDefender Core) and, when a rule matches, produces a typed alert with a canonical severity, confidence, and payload. The alert is stored and published to downstream consumers.
- User interface (UI) surfaces. The alert reaches the analyst in three places: the Dashboard Recent Alerts widget and Recent Severities donut (recent activity at a glance), the Hunt Page All Alerts tab and its per-type sub-tabs (full investigation surface), and, for any alert with an attached enrichment, the Hunt detail sidebar's per-enrichment section that renders the enrichment payload inline next to the event.
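The aggregator step above is the one place where a stalled enrichment could otherwise drop an event. The following is an added illustration, not MetaDefender NDR code: a minimal aggregator that holds a raw event until every expected enrichment has reported, stitches each enrichment onto the entity it refers to, and synthesizes a timeout status for any service that never answers. The set of expected services, the wait bound, the message shape and the status strings are assumptions.

```python
"""Added example (not MetaDefender NDR code): aggregator with timeout synthesis."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import time

EXPECTED_SERVICES = ("c2", "insights", "mdcore")  # assumed set (page also names per-IP metadata)
WAIT_SECONDS = 5.0                                  # assumed bound before a timeout is synthesized

@dataclass
class Pending:
    event: dict
    first_seen: float
    received: Dict[str, List[dict]] = field(default_factory=dict)

class Aggregator:
    """Holds raw events until every expected enrichment reports, then emits one merged event."""
    def __init__(self, expected=EXPECTED_SERVICES, wait_s=WAIT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.expected, self.wait_s, self.clock = tuple(expected), wait_s, clock
        self.pending: Dict[str, Pending] = {}

    def on_raw(self, event: dict) -> None:
        self.pending[event["id"]] = Pending(event, self.clock())

    def on_enrichment(self, msg: dict) -> Optional[dict]:
        """msg: {event_id, service, entity, status, payload}; returns merged event when complete."""
        p = self.pending.get(msg["event_id"])
        if p is None:            # late message for an event already flushed: drop it
            return None
        p.received.setdefault(msg["service"], []).append(msg)
        if all(s in p.received for s in self.expected):
            return self._flush(msg["event_id"])
        return None

    def tick(self) -> List[dict]:
        """Called periodically: flush events whose enrichments stalled past the wait bound."""
        now = self.clock()
        stale = [eid for eid, p in self.pending.items() if now - p.first_seen >= self.wait_s]
        return [self._flush(eid) for eid in stale]

    def _flush(self, eid: str) -> dict:
        p = self.pending.pop(eid)
        merged = dict(p.event)
        merged["enrichments"] = {}
        for service in self.expected:
            msgs = p.received.get(service)
            if msgs is None:     # never reported: synthesize a timeout so the event still ships
                merged["enrichments"][service] = {"status": "timeout", "entities": {}}
            else:                # stitch each enrichment back onto the entity it refers to
                merged["enrichments"][service] = {
                    "status": "ok", "entities": {m["entity"]: m["payload"] for m in msgs}}
        return merged
```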
End-to-end latency from sensor observation to the Hunt table is under ten seconds under normal conditions. Detections that require windowed aggregation (Beaconing, DGA, Fast Flux, Connection Spray, Port Scanning, Long Duration Flow) incur the window size as an additional delay — a one-hour window detection cannot raise an alert faster than one hour after the first qualifying event.
Where Each Family Surfaces in the UI
Detections are presented consistently across surfaces so analysts can pivot freely between orientation and investigation.
| Surface | What the operator sees per family |
|---|---|
| Dashboard — Recent Severities | Every detection family contributes to the donut chart, classified by severity. |
| Dashboard — Recent Alerts | Newest alerts from every family, most recent first. Clicking a row opens the same sidebar used on the Hunt page. |
| Dashboard — Top Signature Hits | Suricata signature family only — the top signature identifiers by alert count. |
| Hunt page — All Alerts tab | Mixed stream of every alert type with common columns (timestamp, protocol, source and destination endpoints, alert type, severity). |
| Hunt page — per-type sub-tabs | One sub-tab per detection family: Suricata Alert, C2 Infrastructure Alert, InSights Alert, MDCore Alert, behavioral sub-tabs (one per alert type), and ML Random Cut Forest Anomaly. |
| Hunt detail sidebar — Suricata Alert section | Rendered on any row that carries a Suricata signature match: signature, SID, category, MITRE technique. |
| Hunt detail sidebar — C2 Enrichment section | Rendered on any row with a C2 feed match: match type, matched value, confidence, score, source feed — one block per matched entity. |
| Hunt detail sidebar — InSights Enrichment section | Rendered on any row with a TIDB or REPDB match: matched entity, feed tagging, and match metadata — one block per matched entity. |
| Hunt detail sidebar — MDCore Enrichment section | Rendered on any FileInfo row scanned by MetaDefender Core: scan result, threat name, positive-engine ratio, per-engine details, file metadata. |
| Hunt detail sidebar — Behavioral Alert sections | One section per behavioral detection key (Beaconing, Data Exfiltration, Long Duration, DNS Tunneling, DGA, Fast Flux, Port Scan, Connection Spray, and the composite aggregates). Renders detection-specific metadata: connection counts, byte ratios, window bounds, destination country / ASN / organization. |
| Hunt detail sidebar — ML Anomaly fields | For ML Random Cut Forest Anomaly rows, the standard network-base section plus any companion protocol sections. RCF-specific fields appear inline; a dedicated sidebar section is planned. |
Note on enrichment rendering: one record can fire several sidebar sections at once. A DNS session row that matched a TIDB entry renders the DNS section alongside the InSights Enrichment section. A FileInfo row with a MetaDefender Core hit renders the FileInfo section alongside the MDCore Enrichment section. This is intentional — the sidebar is a composite view of every block the record carries.
The Unified Severity Scale
Every alert MetaDefender NDR produces carries a severity level drawn from the same four-level scale. The severity is set by the alert engine on the basis of the detection's trigger conditions.
Suricata signatures carry their own native severity on a 1–4 scale (1 = Critical, 2 = High, 3 = Medium, 4 = Low); the alert engine maps this one-to-one onto the unified scale below so analysts never have to translate between them.
| Severity | Meaning | Typical Trigger |
|---|---|---|
| Critical | Confirmed threat or extreme anomaly. | An IOC match on the entity, or a threshold that indicates active compromise (for example, 50+ connections in a beaconing window, 6+ positive antivirus engines, a signature marked Critical). |
| High | Strong indicator of malicious activity. | Exceeds a major threshold (for example, 30+ connections in a beaconing window, 3–5 positive antivirus engines, a REPDB match that also carries a TIDB hit). |
| Medium | Moderate anomaly; warrants investigation. | Exceeds a moderate threshold (for example, 20+ connections in a beaconing window, a REPDB-only match, an aggregate behavioral finding). |
| Low | Mild anomaly; informational. | Meets the minimum threshold for the detection (for example, 15 connections in a beaconing window, 1–2 positive antivirus engines — likely false positive territory). |
The Confidence Scale
Every alert also carries a confidence score expressed as a floating-point number. Confidence ranges from 0.40 to 0.99, with the bands defined as follows.
Analysts use confidence to order work within a severity tier: among ten Medium alerts, the one at 0.78 confidence is triaged before the one at 0.42.
| Range | Meaning |
|---|---|
| 0.95–0.99 | Very high — IOC match or extreme values. Effectively a "this is really bad" marker. |
| 0.80–0.94 | High — strong behavioral signal with corroborating evidence. |
| 0.60–0.79 | Moderate — behavioral anomaly is present but warrants context. |
| 0.40–0.59 | Low — meets the detection threshold but may be benign. |
IOC Auto-Escalation Rule
When a detection carries an IOC match — any matched entity from the C2 feed or the InSights TIDB or REPDB feeds — the unified pipeline applies a single hard override: the alert is escalated to severity Critical and confidence 0.99 regardless of the detection family's normal thresholds.
This rule applies to every family that can carry an IOC reference. A Beaconing detection with 16 connections (normally Low severity) that hits a destination on the C2 IP feed is raised as Critical at 0.99 confidence. A Long Duration Flow of 3,700 seconds (normally Medium) to a REPDB-listed domain is raised as Critical at 0.99. The rule is intentional and not tunable: once a detection crosses with a known-bad indicator, the signal is too strong to demote.
Analysts interpreting Critical alerts therefore distinguish between threshold-Critical (the behavioral or file-scan evidence alone was strong enough to reach Critical) and IOC-Critical (the evidence tripped the auto-escalation). The alert's sidebar enrichment sections make the distinction visible: an IOC-Critical alert shows the matched entity and source feed in the C2 or InSights Enrichment section, whereas a threshold-Critical alert carries only the family-native metadata.
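The severity scale, the confidence bands and the IOC auto-escalation rule from the three sections above, worked through as an added example that is not MetaDefender NDR code. It uses the beaconing connection thresholds quoted in the severity table and the two escalation cases described above (16-connection beaconing hitting the C2 feed; 3,700-second Long Duration Flow to a REPDB-listed domain). One assumption is labelled in the code: a non-IOC alert is given the lower bound of its tier's confidence band, since the chapter defines bands rather than exact per-detection values.

```python
"""Added example (not MetaDefender NDR code): unified severity, confidence, IOC override, triage order."""
from dataclasses import dataclass, replace
from typing import List, Optional

SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
# Assumption: a non-IOC alert takes the lower bound of its tier's confidence band.
TIER_CONFIDENCE = {"Critical": 0.95, "High": 0.80, "Medium": 0.60, "Low": 0.40}
IOC_FEEDS = {"c2", "tidb", "repdb"}          # feeds whose match triggers the hard override
IOC_SEVERITY, IOC_CONFIDENCE = "Critical", 0.99

@dataclass(frozen=True)
class Alert:
    family: str
    severity: str
    confidence: float
    ioc_feed: Optional[str] = None          # set when a matched entity came from an IOC feed

def beaconing_severity(connections: int) -> Optional[str]:
    """Thresholds from the severity table: 50+ Critical, 30+ High, 20+ Medium, 15+ Low."""
    for floor, tier in ((50, "Critical"), (30, "High"), (20, "Medium"), (15, "Low")):
        if connections >= floor:
            return tier
    return None                              # below the detection's minimum threshold: no alert

def apply_ioc_override(alert: Alert) -> Alert:
    """The non-tunable rule: any IOC match forces Critical at 0.99, whatever the family said."""
    if alert.ioc_feed in IOC_FEEDS:
        return replace(alert, severity=IOC_SEVERITY, confidence=IOC_CONFIDENCE)
    return alert

def classify_beaconing(connections: int, ioc_feed: Optional[str] = None) -> Optional[Alert]:
    """Family-native classification for a beaconing window, then the IOC override."""
    tier = beaconing_severity(connections)
    if tier is None:
        return None
    return apply_ioc_override(Alert("beaconing", tier, TIER_CONFIDENCE[tier], ioc_feed))

def critical_kind(alert: Alert) -> Optional[str]:
    """Distinguish IOC-Critical from threshold-Critical, as the sidebar does; None if not Critical."""
    if alert.severity != "Critical":
        return None
    return "ioc" if alert.ioc_feed in IOC_FEEDS else "threshold"

def triage_order(alerts: List[Alert]) -> List[Alert]:
    """Work order: highest severity first, then highest confidence within a severity tier."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.confidence), reverse=True)
```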
Detection Family Quick Reference
The table below summarizes the six families at a glance.
| Family | Engine | Primary Trigger | Severity range | Hunt sub-tab |
|---|---|---|---|---|
| Suricata signatures | Suricata IDS engine in the sensor | A shipped rule matches packet content, protocol metadata, or flow characteristics (rule fires at signature severity 1–4). | Critical / High / Medium / Low (native 1-to-1 mapping) | Signature Alert |
| C2 threat intelligence | c2 enrichment in the Manager pipeline | Exact-match IP or DNS name hit against the Eyelet C2 feed. | Critical (IOC auto-escalation always applies) | C2 Infrastructure Alert |
| InSights TIDB and REPDB | insights enrichment in the Manager pipeline | Hash match against the TIDB (high-confidence) or REPDB (reputation) feeds on any IP, hostname, or domain hierarchy in the event. | Critical (IOC) — High on TIDB-only — Medium on REPDB-only | InSights Alert |
| MetaDefender Core file scanning | mdcore enrichment submitting to MetaDefender Cloud or Core | Extracted file returns a multi-AV scan result with ≥1 positive engine. | Critical (IOC) — High (6+ engines) — Medium (3–5) — Low (1–2) | MD Core Alert |
| Behavioral analytics | RisingWave streaming SQL over merged events | Windowed aggregate crosses a detection-specific threshold (for example, 15+ connections in a 4-hour beaconing window; 2:1 upload ratio on a 15-minute exfiltration window). | Critical / High / Medium / Low per detection (IOC auto-escalation applies to all) | One sub-tab per behavioral alert type (Beaconing, Data Exfiltration, Long Duration Flow, DNS Tunneling, DGA, Fast Flux, Port Scan, Connection Spray, and the composite aggregates). |
| ML anomaly (RCF) | RCF anomaly scoring per event type | Event's anomaly score crosses the per-event-type threshold (DNS: 3.0 — HTTP: 8.0 — Flow: 20.0). | Medium (pass-through; family does not set native severity on MVP) | ML Random Cut Forest Anomaly |
The rest of this chapter group covers each family in full, following the same template: what it is, what it detects, how it works, trigger conditions, severity classification, confidence scoring, where it surfaces in the UI, a representative alert payload, tuning considerations, and a cross-link to the matching (Link Removed) entry.