feature_meta.json

{
  "feature_names": [
    "source_port",
    "dest_port",
    "cvss_score_analogue",
    "label_log_tampered",
    "label_false_positive",
    "edr_agent_installed",
    "patch_compliance_level",
    "vulnerability_count_open",
    "hour_of_day",
    "is_off_hours",
    "is_weekend",
    "log_cvss",
    "is_high_cvss",
    "is_well_known_port",
    "is_dynamic_port",
    "is_outbound_web",
    "risk_composite",
    "event_class_application_api",
    "event_class_application_waf",
    "event_class_authentication",
    "event_class_cloud_compute",
    "event_class_cloud_iam",
    "event_class_cloud_storage",
    "event_class_dns_resolution",
    "event_class_endpoint_filesystem",
    "event_class_endpoint_process",
    "event_class_endpoint_registry",
    "event_class_network_flow",
    "event_class_threat_intelligence_match",
    "log_source_type_arcsight_esm",
    "log_source_type_aws_security_hub",
    "log_source_type_elastic_siem",
    "log_source_type_google_chronicle",
    "log_source_type_ibm_qradar",
    "log_source_type_microsoft_sentinel",
    "log_source_type_palo_alto_xsiam",
    "log_source_type_splunk",
    "severity_level_critical",
    "severity_level_high",
    "severity_level_informational",
    "severity_level_low",
    "severity_level_medium",
    "os_type_cloud_managed",
    "os_type_linux_debian",
    "os_type_linux_rhel",
    "os_type_linux_ubuntu",
    "os_type_macos",
    "os_type_windows_server",
    "os_type_windows_workstation",
    "host_role_cloud_compute_instance",
    "host_role_database_server",
    "host_role_domain_controller",
    "host_role_file_server",
    "host_role_ot_ics_controller",
    "host_role_siem_collector",
    "host_role_vpn_gateway",
    "host_role_web_server",
    "host_role_workstation_privileged",
    "host_role_workstation_standard",
    "network_segment_cloud_workload",
    "network_segment_corporate_lan",
    "network_segment_data_exfiltration_target",
    "network_segment_dmz_perimeter",
    "network_segment_endpoint_fleet",
    "network_segment_ot_ics_control_network",
    "network_segment_soc_management_plane",
    "network_segment_zero_trust_segment",
    "defender_posture_tier_hardened",
    "defender_posture_tier_minimal",
    "defender_posture_tier_standard",
    "defender_posture_tier_zero_trust",
    "criticality_rating_critical",
    "criticality_rating_high",
    "criticality_rating_low",
    "criticality_rating_medium",
    "cloud_provider_aws",
    "cloud_provider_azure",
    "cloud_provider_gcp",
    "cloud_provider_on_premises",
    "siem_platform_arcsight_esm",
    "siem_platform_aws_security_hub",
    "siem_platform_elastic_siem",
    "siem_platform_google_chronicle",
    "siem_platform_ibm_qradar",
    "siem_platform_microsoft_sentinel",
    "siem_platform_palo_alto_xsiam",
    "siem_platform_splunk"
  ],
  "numeric_features": [
    "source_port",
    "dest_port",
    "cvss_score_analogue",
    "label_log_tampered",
    "label_false_positive",
    "edr_agent_installed",
    "patch_compliance_level",
    "vulnerability_count_open",
    "hour_of_day",
    "is_off_hours",
    "is_weekend",
    "log_cvss",
    "is_high_cvss",
    "is_well_known_port",
    "is_dynamic_port",
    "is_outbound_web",
    "risk_composite"
  ],
  "categorical_levels": {
    "event_class": [
      "application_api",
      "application_waf",
      "authentication",
      "cloud_compute",
      "cloud_iam",
      "cloud_storage",
      "dns_resolution",
      "endpoint_filesystem",
      "endpoint_process",
      "endpoint_registry",
      "network_flow",
      "threat_intelligence_match"
    ],
    "log_source_type": [
      "arcsight_esm",
      "aws_security_hub",
      "elastic_siem",
      "google_chronicle",
      "ibm_qradar",
      "microsoft_sentinel",
      "palo_alto_xsiam",
      "splunk"
    ],
    "severity_level": [
      "critical",
      "high",
      "informational",
      "low",
      "medium"
    ],
    "os_type": [
      "cloud_managed",
      "linux_debian",
      "linux_rhel",
      "linux_ubuntu",
      "macos",
      "windows_server",
      "windows_workstation"
    ],
    "host_role": [
      "cloud_compute_instance",
      "database_server",
      "domain_controller",
      "file_server",
      "ot_ics_controller",
      "siem_collector",
      "vpn_gateway",
      "web_server",
      "workstation_privileged",
      "workstation_standard"
    ],
    "network_segment": [
      "cloud_workload",
      "corporate_lan",
      "data_exfiltration_target",
      "dmz_perimeter",
      "endpoint_fleet",
      "ot_ics_control_network",
      "soc_management_plane",
      "zero_trust_segment"
    ],
    "defender_posture_tier": [
      "hardened",
      "minimal",
      "standard",
      "zero_trust"
    ],
    "criticality_rating": [
      "critical",
      "high",
      "low",
      "medium"
    ],
    "cloud_provider": [
      "aws",
      "azure",
      "gcp",
      "on_premises"
    ],
    "siem_platform": [
      "arcsight_esm",
      "aws_security_hub",
      "elastic_siem",
      "google_chronicle",
      "ibm_qradar",
      "microsoft_sentinel",
      "palo_alto_xsiam",
      "splunk"
    ]
  },
  "label_to_int": {
    "benign_background": 0,
    "initial_access": 1,
    "lateral_movement": 2,
    "persistence_establishment": 3,
    "exfiltration_or_impact": 4
  },
  "int_to_label": {
    "0": "benign_background",
    "1": "initial_access",
    "2": "lateral_movement",
    "3": "persistence_establishment",
    "4": "exfiltration_or_impact"
  },
  "oracle_excluded": [
    "mitre_tactic",
    "mitre_technique_id",
    "label_malicious",
    "threat_actor_id",
    "threat_actor_profile",
    "event_type"
  ]
}