{
"feature_names": [
"timestep",
"dest_port",
"bytes_transferred",
"connection_duration_s",
"auth_failure_count",
"process_injection_flag",
"lateral_hop_count",
"c2_beacon_interval_s",
"edr_blocked_flag",
"siem_rule_triggered",
"seg_patch_lag_days_mean",
"seg_exposure_score_mean",
"seg_vulnerability_count_max",
"seg_inter_segment_trust_level_mean",
"seg_alert_threshold_sensitivity_mean",
"seg_mttd_baseline_hours_mean",
"seg_mttr_baseline_hours_mean",
"seg_siem_coverage_flag_mean",
"seg_edr_deployed_flag_mean",
"seg_ndr_coverage_flag_mean",
"seg_mfa_enforced_flag_mean",
"byte_volume_log",
"has_c2_beacon",
"is_brute_forcing",
"attacker_defender_advantage",
"is_high_volume",
"is_privileged_port",
"target_asset_type_backup_system",
"target_asset_type_cloud_vm",
"target_asset_type_container",
"target_asset_type_database_server",
"target_asset_type_domain_controller",
"target_asset_type_ehr_system",
"target_asset_type_email_server",
"target_asset_type_firewall",
"target_asset_type_iot_device",
"target_asset_type_router",
"target_asset_type_scada_plc",
"target_asset_type_server",
"target_asset_type_vpn_gateway",
"target_asset_type_web_server",
"target_asset_type_workstation",
"source_ip_class_cloud_egress",
"source_ip_class_external_internet",
"source_ip_class_internal_lan",
"source_ip_class_tor_exit",
"source_ip_class_vpn_tunnel",
"protocol_dns",
"protocol_ftp",
"protocol_http",
"protocol_https",
"protocol_icmp",
"protocol_rdp",
"protocol_smb",
"protocol_ssh",
"protocol_tcp",
"protocol_udp",
"attacker_capability_tier_apt",
"attacker_capability_tier_nation_state",
"attacker_capability_tier_opportunistic",
"attacker_capability_tier_script_kiddie",
"defender_maturity_level_advanced",
"defender_maturity_level_baseline",
"defender_maturity_level_managed",
"defender_maturity_level_minimal",
"defender_maturity_level_zero_trust",
"alert_severity_critical",
"alert_severity_high",
"alert_severity_informational",
"alert_severity_low",
"alert_severity_medium",
"detection_outcome_blind_spot",
"detection_outcome_edr_blocked",
"detection_outcome_evasion_success",
"detection_outcome_high_confidence_alert",
"detection_outcome_ir_escalated",
"detection_outcome_marginal_alert",
"detection_outcome_suppressed_alert",
"seg_segment_type_cloud_workload",
"seg_segment_type_corporate_lan",
"seg_segment_type_data_exfiltration_target",
"seg_segment_type_endpoint_fleet",
"seg_segment_type_soc_management_plane",
"seg_segment_type_supply_chain_interface",
"seg_segment_type_zero_trust_segment",
"seg_defender_maturity_level_advanced",
"seg_defender_maturity_level_baseline",
"seg_defender_maturity_level_managed",
"seg_defender_maturity_level_minimal",
"seg_defender_maturity_level_zero_trust"
],
"numeric_features": [
"timestep",
"dest_port",
"bytes_transferred",
"connection_duration_s",
"auth_failure_count",
"process_injection_flag",
"lateral_hop_count",
"c2_beacon_interval_s",
"edr_blocked_flag",
"siem_rule_triggered",
"seg_patch_lag_days_mean",
"seg_exposure_score_mean",
"seg_vulnerability_count_max",
"seg_inter_segment_trust_level_mean",
"seg_alert_threshold_sensitivity_mean",
"seg_mttd_baseline_hours_mean",
"seg_mttr_baseline_hours_mean",
"seg_siem_coverage_flag_mean",
"seg_edr_deployed_flag_mean",
"seg_ndr_coverage_flag_mean",
"seg_mfa_enforced_flag_mean",
"byte_volume_log",
"has_c2_beacon",
"is_brute_forcing",
"attacker_defender_advantage",
"is_high_volume",
"is_privileged_port"
],
"categorical_levels": {
"target_asset_type": [
"backup_system",
"cloud_vm",
"container",
"database_server",
"domain_controller",
"ehr_system",
"email_server",
"firewall",
"iot_device",
"router",
"scada_plc",
"server",
"vpn_gateway",
"web_server",
"workstation"
],
"source_ip_class": [
"cloud_egress",
"external_internet",
"internal_lan",
"tor_exit",
"vpn_tunnel"
],
"protocol": [
"dns",
"ftp",
"http",
"https",
"icmp",
"rdp",
"smb",
"ssh",
"tcp",
"udp"
],
"attacker_capability_tier": [
"apt",
"nation_state",
"opportunistic",
"script_kiddie"
],
"defender_maturity_level": [
"advanced",
"baseline",
"managed",
"minimal",
"zero_trust"
],
"alert_severity": [
"critical",
"high",
"informational",
"low",
"medium"
],
"detection_outcome": [
"blind_spot",
"edr_blocked",
"evasion_success",
"high_confidence_alert",
"ir_escalated",
"marginal_alert",
"suppressed_alert"
],
"seg_segment_type": [
"cloud_workload",
"corporate_lan",
"data_exfiltration_target",
"endpoint_fleet",
"soc_management_plane",
"supply_chain_interface",
"zero_trust_segment"
],
"seg_defender_maturity_level": [
"advanced",
"baseline",
"managed",
"minimal",
"zero_trust"
]
},
"label_to_int": {
"dwell_idle": 0,
"reconnaissance": 1,
"initial_access": 2,
"execution": 3,
"persistence": 4,
"privilege_escalation": 5,
"lateral_movement": 6,
"collection": 7,
"exfiltration": 8,
"impact": 9
},
"int_to_label": {
"0": "dwell_idle",
"1": "reconnaissance",
"2": "initial_access",
"3": "execution",
"4": "persistence",
"5": "privilege_escalation",
"6": "lateral_movement",
"7": "collection",
"8": "exfiltration",
"9": "impact"
},
"topology_aggregation": {
"segment_constant": [
"segment_type",
"defender_maturity_level"
],
"segment_numeric_aggregates": {
"patch_lag_days": "mean",
"exposure_score": "mean",
"vulnerability_count": "max",
"inter_segment_trust_level": "mean",
"alert_threshold_sensitivity": "mean",
"mttd_baseline_hours": "mean",
"mttr_baseline_hours": "mean",
"siem_coverage_flag": "mean",
"edr_deployed_flag": "mean",
"ndr_coverage_flag": "mean",
"mfa_enforced_flag": "mean"
}
}
}