Alert Types That Use the Scan Index

The Alert Types listed below use the Scan Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

External Exploited Vulnerability

A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Exploited Vulnerability (XT2015)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_vuln_exploit_correlation.

Key Fields and Relevant Data Points

  • tenantid — tenant ID
  • vulnerability_id — ID of the original security scan result
  • ids_event_id — ID of the original IDS exploit event
  • srcip (of security scan result) — IP address of the target correlation_info.srcip
  • dstip (of IDS event) — IP address of the target (correlation_info.dstip)
  • srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
  • correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
  • correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with internal IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

...

Stellar Cyber reports both internal and external versions of some alerts, with different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound or outbound. Use the following as a guide for these concepts:

  • Addresses with a srcip_type or dstip_type of private are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external).
  • Communications between hosts where srcip_type and dstip_type are both private are considered internal communications.
  • When an anomaly is observed on an internal communication, the attack is considered to be internal.
  • Stellar Cyber always sets the srcip in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show the dstip as the source address and the srcip as the destination address, even though the srcip was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record of srcip and dstip to understand which address initiated the threat event.

Internal Exploited Vulnerability

An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Exploited Vulnerability (XT2015)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_vuln_exploit_correlation.

Key Fields and Relevant Data Points

  • tenantid — tenant ID
  • vulnerability_id — ID of the original security scan result
  • ids_event_id — ID of the original IDS exploit event
  • srcip (of security scan result) — IP address of the target correlation_info.srcip
  • dstip (of IDS event) — IP address of the target (correlation_info.dstip)
  • srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
  • correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
  • correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

...

Stellar Cyber reports both internal and external versions of some alerts, with different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound or outbound. Use the following as a guide for these concepts:

  • Addresses with a srcip_type or dstip_type of private are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external).
  • Communications between hosts where srcip_type and dstip_type are both private are considered internal communications.
  • When an anomaly is observed on an internal communication, the attack is considered to be internal.
  • Stellar Cyber always sets the srcip in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show the dstip as the source address and the srcip as the destination address, even though the srcip was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record of srcip and dstip to understand which address initiated the threat event.