SCOR Detection Signatures
Reference vocabulary for SCOR AN-DET values. Every value uses the TEN form AN-DET-Detection Signature; individual signatures are distinguished by meta.display_name and uuid. Each signature is expressed as a full RootA (roota.io) rule embedded in meta.roota and carries a mandatory METEORSTORM layer mapping (meta.pce, meta.seg, meta.svc, meta.ast), each a METEORSTORM TAG value or NA. TDM relationships to TEN clusters are created by analysts in MISP, not precalculated here.
Authors
| Authors and/or Contributors |
|---|
| H4CK32N4U75® |
Anomalous control-plane command sequence detection
Anomalous control-plane command sequence detection. Detects command sequences on the platform control plane that deviate from a learned operational baseline.
Internal MISP references
UUID c8fb7196-d938-557d-9f98-233cbf2f5382 which can be used as unique global reference for Anomalous control-plane command sequence detection in MISP communities and other software using the MISP galaxy
Associated metadata
| Metadata key | Value |
|---|---|
| an_layer_tag | AN-DET |
| ast | SW |
| display_name | Anomalous control-plane command sequence detection |
| format | roota |
| pce | NA |
| roota | name: Anomalous control-plane command sequence detection |
details: Detects command sequences on the platform control plane that deviate from a learned operational baseline. author: H4CK32N4U75® severity: high type: query class: behaviour date: 2026-06-01 mitre-attack: - t1059 - t1078.004 detection: language: splunk-spl-query body: index=* source="platform:control-plane" (command_class="commanding" OR command_class="reconfig") NOT baseline_match=true | stats count by source_account, command_class, asset_id logsource: product: Linux log_name: platform_cmd_audit class_name: Process Activity audit: source: Platform control-plane command audit log enable: Enable command-audit logging on the control-plane service and forward to the SIEM. timeline: 2026-02-14: DEMO-CAMPAIGN-ALPHA references: - https://misp-galaxy.org/scor-detection-signatures/ tags: scor, control_plane, commanding license: DRL 1.1 version: 1 uuid: c8fb7196-d938-557d-9f98-233cbf2f5382 correlation: timeframe: 5m functions: count() > 5 | | roota-version | 1 | | seg | GR | | svc | CP | | ten | AN-DET-Detection Signature |