Security

PT Network Attack Discovery

Positive Technologies Network Attack Discovery (PT NAD) events — network traffic analysis system logs covering rule-based attack detections, behavioral suspicious activity analysis, reputation/IOC alerts, lateral movement detection, C2 communication channels, protocol anomalies, credential leak detection, and parsed network session metadata in ECS-compatible JSON format.

View on GitHub

Quick Start

uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/security-pt-nad/generator.yml \
  --id security-pt-nad \
  --live-mode true

Event Types

Event ID	Description	Frequency	Category
session	Parsed protocol session metadata (Layer 7)	30%	network
attack	Rule-based attack detection (IDS rules)	20%	intrusion_detection
suspicious_activity	Behavioral analysis detection	15%	intrusion_detection
reputation	IOC/reputation list match from threat intelligence	10%	threat_intel
protocol_anomaly	Deep packet inspection anomaly detection	8%	network
lateral_movement	East/west lateral movement detection	7%	intrusion_detection
c2_communication	Command & control channel detection	5%	intrusion_detection
credential_leak	Cleartext credential detection in network traffic	5%	authentication

Realism Features

Rule-based attack detections with PT ESC rule IDs and MITRE ATT&CK technique mapping
C2 channel detection with beacon interval, jitter percentage, and beacon count metrics
Reputation alerts with IOC type (IP/domain/hash), confidence scores, and threat intelligence feed attribution
Behavioral suspicious activity analysis with DPI-level protocol inspection
Lateral movement detection for east/west internal traffic patterns
Credential leak detection for cleartext protocols (FTP, HTTP Basic, Telnet, LDAP)
CSV-sampled internal host pool with correlated hostname, IP, MAC, and OS fields
GeoIP and ASN enrichment for external IP addresses

Sample Output

{
    "@timestamp": "2026-03-06T22:37:22.000Z",
    "event": {
        "kind": "alert",
        "module": "pt_nad",
        "dataset": "pt_nad.alert",
        "category": ["network", "intrusion_detection"],
        "type": ["denied"],
        "severity": 3
    },
    "observer": {
        "vendor": "Positive Technologies",
        "product": "Network Attack Discovery",
        "version": "12.1.0.1234",
        "hostname": "PT-NAD-01",
        "type": "ids"
    },
    "pt_nad": {
        "event_id": 1000001,
        "detection_type": "attack",
        "detection_method": "rules",
        "rule": {
            "id": "PT-10011",
            "name": "RDP Brute Force: Multiple Failed Authentication Attempts",
            "category": "Credential Access",
            "severity": "medium"
        },
        "app_protocol": "rdp",
        "sensor": "PT-NAD-01"
    },
    "source": { "ip": "209.141.33.152", "port": 22352, "bytes": 9975 },
    "destination": { "ip": "10.1.30.5", "port": 3389, "bytes": 318273 },
    "host": {
        "hostname": "LAPTOP-EXEC01",
        "ip": ["10.1.30.5"],
        "os": { "name": "Windows", "version": "11.0.22631" },
        "domain": "CORP.ACME.COM"
    },
    "network": { "transport": "tcp", "protocol": "rdp", "direction": "inbound" },
    "rule": {
        "id": "PT-10011",
        "name": "RDP Brute Force: Multiple Failed Authentication Attempts",
        "category": "Credential Access"
    },
    "threat": {
        "framework": "MITRE ATT&CK",
        "tactic": { "id": ["TA0006"], "name": ["Credential Access"] },
        "technique": { "id": ["T1110.001"], "name": ["Password Guessing"] }
    },
    "related": { "hosts": ["LAPTOP-EXEC01"], "ip": ["209.141.33.152", "10.1.30.5"] }
}

Parameters

Parameter	Default	Description
nad_version	12.1.0.1234	PT NAD platform version
sensor_name	PT-NAD-01	Sensor hostname
sensor_ip	10.1.0.100	Sensor IP address
internal_subnet	10.1	Internal network prefix for IP generation

Related Generators

Security

Suricata IDS/IPS

Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.

Security

Palo Alto Threat

Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.

Security

Palo Alto URL Filtering

Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.