| ID | Title | Covers | Severity | Coverage | |
|---|---|---|---|---|---|
| AN-DET:00 | Anomalous console authentication | AN:ATT:00 | critical | Full | ⬇ .yml |
| AN-DET:01 | End-user app binary integrity | AN:ATT:01 | high | Full | ⬇ .yml |
| AN-DET:02 | Management-plane firmware abuse | AN:ATT:02 | critical | Full | ⬇ .yml |
| AN-DET:03 | Operator credential anomaly | AN:ATT:03 | high | Full | ⬇ .yml |
| AN-DET:04 | Out-of-pattern command authority | AN:ATT:04 | medium | Partial | ⬇ .yml |
| AN-DET:05 | Lateral movement to mission control | AN:ATT:05 | high | Full | ⬇ .yml |
| AN-DET:06 | Mass-encryption file-system anomaly | AN:ATT:06 | critical | Full | ⬇ .yml |
| AN-DET:07 | RF noise-floor anomaly (jamming) | AN:ATT:07 | high | Full | ⬇ .yml |
| AN-DET:08 | Replay-and-spoof command anomaly | AN:ATT:08 | high | Partial | ⬇ .yml |
| AN-DET:09 | Downlink-disclosure watch | AN:ATT:09 | medium | Gap | ⬇ .yml |
| AN-DET:10 | Destructive on-board command anomaly | AN:ATT:10 | critical | Full | ⬇ .yml |
| AN-DET:11 | FSW attestation state mismatch | AN:ATT:11 | critical | Full | ⬇ .yml |
| AN-DET:12 | Firmware hash mismatch (supply chain) | AN:ATT:12 | critical | Full | ⬇ .yml |
| AN-DET:13 | Payload-data integrity mismatch | AN:ATT:13 | high | Full | ⬇ .yml |
Translate any of these rules to your SIEM. Example: AN-DET:02 (mgmt-plane firmware abuse) in Splunk:
index=ground_mgmt source="device-mgmt-audit" (event_action="firmware_push" OR event_action="config_deploy" OR event_action="image_install") target_device="*modem*" maintenance_window="false" | stats count by user, src_ip, target_device, event_action, _time
CC-BY 4.0. Use by Space ISAC members and the broader SCORP² community is encouraged. Cite eHs and the METEORSTORM taxonomy when redistributing.