Multi-Session IDS Statistics: Worst IDS AppIDs (12/19/2019 11:25pm to 12/26/2019 11:25pm UTC)

Worst AppIDs serve as the context that was causing a specific rule to trigger. The severity is derived from their associated triggers. The True Positive Rate (tpr) is calculated with respect to the global count of the same AppID associated with any other rule, whether or not the event caused a compromise.

The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles shows the raw data represented by the bubble(s) selected. This selection is sticky so that you can go to the table and inspect the data or click on the links within the table. To see all rows in the table, click outside any bubble.

We run Cisco's OpenAppID, which helps administrators to determine what applications are running in their network. OpenAppID results appear as an additional field in the IDS alerts to give better context for the trigger. OpenAppID is an invariant that can be a very good predictor for compromises. Here we show what we have measured last week. Admittedly, not many customers are running OpenAppID because it uses more CPU power and RAM, so the data is more scarce (the bubbles are small). Hopefully this will change in the near future. You can watch a video on how OpenAppID can be used during forensic analysis here.

AppID Avg Priority (avgp) Total Priority (totp) True Positive Rate (tpr) Severity (avgp * tpr) Prevalence (totp * tpr)