Get metadata for a detector (rule)
GET {{cb_url}}/threatmetadata/v1/orgs/{{cb_org_key}}/detectors/{{cb_detector_id}}
Get the metadata for a given detector (rule).
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.xdr.metadata | READ |
See Documentation about the APIs
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
X-Auth-Token | null | | |
Content-Type | string | | |
Accept | string | | |
RESPONSES
status: OK

```json
{
  "detector_abstract": "A remote shell is a bidirectional communication channel that allows an attacker to send commands to a compromised host over the network. A remote shell is defined *direct* (or *bind*) if the attacker's host (client) initiates the connection towards the compromised host (server).\n\nThe detector matches on the string `whoami` sent by the attacker (client) in the first 30 bytes of a TCP packet's payload. To decrease the likelihood of false positives, an alert is generated only if no known application layer protocol is decoded.",
  "detector_goal": "Detect the transfer of a whoami command over a TCP direct shell.",
  "false_negatives": "The detector only matches on plaintext TCP direct shell. Stealthier shells could obfuscate or encrypt the commands.\n\nFurthermore, if `whoami` is sent deeper in the TCP payload than 30 bytes, the detector would not generate an alert.",
  "false_positives": "While a remote shell is a plausible explanation for the string `whoami` sent over a TCP connection, other applications may have legitimate reasons for transferring content matching the detector (e.g., plaintext streaming of audit logs).\n\nThe captured traffic associated to the event should help investigate the context and purpose of the TCP connection.",
  "threat_public_comment": "Once a host has been compromised, a remote shell could be used by the attacker to perform additional tasks (e.g., environment reconnaissance, lateral movements). An alert for this threat is generated by a plain TCP connection that may be used to transmit and execute cleartext commands through a remote shell on a compromised host."
}
```
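An added client example (not part of this API documentation or the vendor's SDK) showing how to build the GET request above, call it with an X-Auth-Token header, and parse the response into the five documented fields, rejecting a body that lacks any of them. The host, org key, detector id and token in the test are placeholders, and `SAMPLE_BODY` is a constructed, shortened version of the response shown above.

```python
import json
import urllib.request
from dataclasses import dataclass

# Fields returned by GET /threatmetadata/v1/orgs/{org_key}/detectors/{detector_id}
METADATA_FIELDS = ("detector_abstract", "detector_goal", "false_negatives",
                   "false_positives", "threat_public_comment")


@dataclass
class DetectorMetadata:
    detector_abstract: str
    detector_goal: str
    false_negatives: str
    false_positives: str
    threat_public_comment: str


def build_request(cb_url: str, org_key: str, detector_id: str, api_token: str):
    """Return (url, headers) for the endpoint documented on this page."""
    url = f"{cb_url.rstrip('/')}/threatmetadata/v1/orgs/{org_key}/detectors/{detector_id}"
    headers = {
        "X-Auth-Token": api_token,  # API key granted org.xdr.metadata READ
        "Accept": "application/json",
    }
    return url, headers


def parse_metadata(body: str) -> DetectorMetadata:
    """Parse the JSON body; raise if any documented field is missing."""
    data = json.loads(body)
    missing = [f for f in METADATA_FIELDS if f not in data]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    return DetectorMetadata(**{f: data[f] for f in METADATA_FIELDS})


def fetch_metadata(cb_url: str, org_key: str, detector_id: str, api_token: str) -> DetectorMetadata:
    """Perform the live call (needs network access and a valid token)."""
    url, headers = build_request(cb_url, org_key, detector_id, api_token)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_metadata(resp.read().decode("utf-8"))


# Constructed sample body, shortened from the response shown on this page.
SAMPLE_BODY = json.dumps({
    "detector_abstract": "Matches the string `whoami` in the first 30 bytes of a TCP payload.",
    "detector_goal": "Detect the transfer of a whoami command over a TCP direct shell.",
    "false_negatives": "Obfuscated or encrypted shells are not matched.",
    "false_positives": "Plaintext streaming of audit logs may match.",
    "threat_public_comment": "A plain TCP connection may carry cleartext shell commands.",
})
```

`fetch_metadata` is the only function that touches the network; `build_request` and `parse_metadata` can be exercised offline against `SAMPLE_BODY`.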