
Cloud Firewall: Terms

Last Updated: Dec 05, 2025

This topic explains basic terms related to Network Detection and Response (NDR) to help you better understand the product.

General concepts

Concepts

Description

UID

The ID of the Alibaba Cloud account that is enabled for the NDR trial.

Service-linked role

A service-linked role is a RAM role that an Alibaba Cloud service assumes as a trusted entity to access other Alibaba Cloud services. After you create a service-linked role for NDR, NDR can access other Alibaba Cloud services to provide its full features. You can view the service-linked role that Alibaba Cloud automatically creates for NDR on the Roles page of the Resource Access Management (RAM) console.

5-tuple log

A log record that contains the five key elements of a network communication: source IP address, destination IP address, source port, destination port, and protocol number. A 5-tuple uniquely identifies a network session or connection.

PCAP packet

A PCAP (packet capture) packet is the content of a network packet file stored in the PCAP format. PCAP is a widely used file format for capturing and saving raw data packets from network communications. Many network analysis tools, such as Wireshark and tcpdump, use the PCAP format for in-depth network traffic analysis, troubleshooting, and security audits.

Protocol log

A protocol log is a log record generated by network devices, servers, security devices, or applications when they execute network communication protocols. These logs detail processes such as packet transmission, connection establishment, errors, and security events. They are crucial for network security, performance monitoring, and troubleshooting. Common protocol logs include TCP 5-tuple logs, UDP 5-tuple logs, ICMP protocol logs, HTTP protocol logs, DNS protocol logs, TLS protocol logs, and other protocol logs.

Log delivery

Log delivery, also known as log forwarding or log shipping, is the process of automatically collecting log data from NDR and sending it to a specified destination.

NDR currently supports log delivery to a user's Simple Log Service (SLS) in a destination region.

Network packet payload

In network communications, the payload is the actual business data carried in a datagram or packet. It is the data content processed by the application layer, excluding all protocol headers, control information, and metadata.

For example, in an HTTP request, the payload might be the JSON or XML data in a POST request. This data can include form data, file upload content, or specific parameters for an API call.

In the context of a network attack, the payload is the malicious code or data that an attacker attempts to inject or exploit to perform specific actions, such as controlling the target system or stealing data.
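The following added example (not part of the NDR product or its documentation) shows how the terms above relate: it reads a PCAP file, derives the 5-tuple of each packet, and separates the payload from the headers. The dictionary field names, the sample addresses, and the constructed one-packet capture are assumptions made for illustration and are not the NDR log schema. Here, payload means the bytes that follow the TCP or UDP header.

```python
import socket
import struct

def build_sample_pcap(payload: bytes) -> bytes:
    """Constructed sample: a PCAP file holding one Ethernet/IPv4/TCP packet."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame

def parse_pcap(data: bytes) -> list:
    """Return the 5-tuple and payload of each TCP/UDP-over-IPv4 packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) PCAP file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len, _, frag = struct.unpack("!HHH", frame[16:22])
        proto = frame[23]
        l4 = frame[14 + ihl:14 + total_len]  # slice by IP length: drops Ethernet padding
        if ihl < 20 or frag & 0x1FFF:
            continue  # malformed header, or non-first fragment with no ports
        if proto == 6 and len(l4) >= 20:
            hdr_len = (l4[12] >> 4) * 4  # TCP data offset, in bytes
        elif proto == 17 and len(l4) >= 8:
            hdr_len = 8  # fixed-size UDP header
        else:
            continue  # other protocols carry no ports in this position
        sport, dport = struct.unpack("!HH", l4[:4])
        records.append({  # hypothetical field names, not the NDR log schema
            "src_ip": socket.inet_ntoa(frame[26:30]),
            "dst_ip": socket.inet_ntoa(frame[30:34]),
            "src_port": sport, "dst_port": dport, "protocol": proto,
            "payload": l4[hdr_len:],  # bytes left after all headers
        })
    return records

SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed
RECORDS = parse_pcap(build_sample_pcap(SAMPLE_PAYLOAD))
```
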

ATT&CK

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques created and maintained by MITRE. This framework provides a comprehensive method to describe and classify the behavior of network attackers. It helps defenders better understand, prevent, and detect network intrusions.

ATT&CK categorizes attack behaviors into multiple tactical categories, such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control (C2), Exfiltration, and Impact. These tactics represent the series of steps an attacker takes to achieve their objectives.