Machine Learning Alert Type Details
This article describes the machine learning alert types (and possible actions you should take), their location in the Stellar Cyber UI, the data points used for the detection, and how those data points are used to make the detection. For general overview, refer to Machine Learning and Analytics Overview
The following information lists alert types alphabetically by their display name. For alert types listed alphabetically by their XDR event name, see Alert Types by XDR Event Name.
To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.
Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.
Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.
Abnormal Parent / Child Process
A process that typically launches a small, consistent number of child processes has launched a new child process. Investigate the new child process or the parent process to see if it is benign.
This alert type has two subtype categories:
Alert Subtype: Machine Learning Anomaly Detection
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Relationship Anomaly (XT1002)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is parent_child
.
Severity
25
Key Fields and Relevant Data Points
process_name
— name of the processparent_proc_name
— name of the parent processhostip
— host IP addresshostip_host
— host namestability
— score measuring the time since the parent process launched the last child processdiversity
— score measuring the number of child processes that the parent process spawneddays_stable
— time since the parent process launched the last child processchild_count
— number of child processes that the parent process spawned
Use Case with Data Points
Each pair of parent/child processes (parent_proc_name
and process_name
) is examined periodically. If a parent process (parent_proc_name
) with a small number of child processes (diversity
, child_count
) has not launched a new child process (process_name
) for a long time (stability
, days_stable
) launches a new child process from a host (srcip_host
), an alert is triggered.
Alert Subtype: Rule Based Detection
The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Parent/Child Suspicious Process Creation Alert Type
Account MFA Login Failure Anomaly
An anomalously large number of Multi-Factor Authentication (MFA) user login failures was observed for an account. Check with the user.
This alert type has two alert subtypes:
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is cloud_account_login_failure_okta
.
Severity
45
Key Fields and Relevant Data Points
srcip_usersid
— cloud account user IDsrcip_username
— cloud account user nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addresslogin_type
— type of loginsrcip_reputation
— source reputation
Use Case with Data Points
Multi-Factor Authentication login failures and successes are calculated periodically for every account (srcip_usersid
). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type
), source host (srcip_host), and source reputation (srcip_reputation
).
Alert Subtype: Rule Based Detection
The Suspicious AWS Login Failure rules are used to identify suspicious AWS account login failures. Any one or more of these will trigger the AWS Cloud Account Login Failure alert type.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Application Usage Anomaly
An internal application had an anomalously large number of connections to one or more external hosts in a measured interval, exceeding 99.99% of all other intervals corresponding to different applications in the past two weeks.
Investigate the application and connections, and consider blocking connections from the application.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is pripub_appid
.
Severity
15
Key Fields and Relevant Data Points
appid
— application IDappid_name
— application nameactual
— actual number of connections in the periodstellar.threshold
— threshold number of connections per interval below which 99.99% of all other intervals, corresponding to different applications in the past two weeks, fallsrcip_host
— host name of a sample source IP addresssrcip_geo.countryName
— source countrydstip_host
— host name of a sample destination IP address
Use Case with Data Points
Every application's (appid
) number of connections is calculated periodically. If an application’s connections (actual
) are larger than the threshold (stellar.threshold
) below which 99.99% of all other intervals corresponding to different applications in the past two weeks fall, an alert is triggered. The Interflow includes a sample source host (srcip_host
), the source country (srcip_geo.countryName
), and a sample destination host (dstip_host
). If there are multiple source or destination hosts, view the list in the Original Records.
AWS AMI Made Public
An AWS AMI was made public. Check with the user to make sure this was intentional.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Privilege Escalation (TA0004 )
-
Technique: Valid Accounts (T1078 )
-
Tags: []
XDR Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_ami_public
.
Severity
70
Key Fields and Relevant Data Points
userIdentity.accountId
— key ID for the accountuserIdentity.userName
— AWS account user nameuserIdentity.type
— AWS account typeeventName
— AWS event nameeventSource
— AWS event sourceeventType
— AWS event type
Use Case with Data Points
For each AWS account (userIdentity.accountId
), activity to make an AMI public is monitored. If an AMI is made public, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId
), user name (userIdentity.userName
), account type (userIdentity.type
), AWS event name (eventName
), AWS event source (eventSource
), and AWS event type (eventType
).
AWS Logging Stopped
AWS CloudTrail logging was stopped. Check with the user to make sure this was intentional.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_stoplogging
.
Severity
70
Key Fields and Relevant Data Points
userIdentity.accountId
— key ID for the accountuserIdentity.userName
— AWS account user nameuserIdentity.type
— AWS account typeeventName
— AWS event nameeventSource
— AWS event sourceeventType
— AWS event type
Use Case with Data Points
For each AWS account (userIdentity.accountId
), log disabling is monitored. Logging is enabled by default, so if logging is disabled, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId
), AWS account user name (userIdentity.userName
), AWS account type (userIdentity.type
), AWS event name (eventName
), AWS event source (eventSource
), and AWS event type (eventType
).
AWS S3 Ransomware
Possible AWS S3 ransomware was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Data Encrypted for Impact (T1486 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_s3_ransomware
.
Severity
90
Key Fields and Relevant Data Points
userIdentity.accountId
— key ID for the accountuserIdentity.userName
— AWS account user nameuserIdentity.type
— AWS account typeeventName
— AWS event nameeventSource
— AWS event sourceeventType
— AWS event type
Use Case with Data Points
For each AWS account user name (userIdentity.userName
), suspicious S3 ransomware is monitored. If ransomware is detected, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId
), AWS account user name (userIdentity.userName
), AWS account type (userIdentity.type
), AWS event name (eventName
), AWS event source (eventSource
), and AWS event type (eventType
).
Azure AD Apps Modified To Allow Multi-Tenant Access
Azure AD observed an application being modified to allow multi-tenant access. Check with the organization to be sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_ad_add_app_multitenant
.
Severity
75
Key Fields and Relevant Data Points
srcip_usersid
— user ID that modified the property changeactivityDisplayName
— description of the actiontargetResources.modifiedProperties.displayName
— properties that were changed
Use Case with Data Points
If Azure AD detects any user (srcip_usersid
) changing an application to allow multi-tenant access, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
), activity name (activityDisplayName
), and name of the changed property (targetResources.modifiedProperties.displayName
).
Azure AD Custom Domains Changed
Azure AD observed a custom domain being changed. Check with the organization to be sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Domain Policy Modification (T1484 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_ad_change_domain
.
Severity
75
Key Fields and Relevant Data Points
srcip_usersid
— user account that made the domain changeactivityDisplayName
— activity display nameactivity_name
— action descriptiontargetResources.modifiedProperties
— properties that were changed
Use Case with Data Points
If Azure AD detects any user (srcip_usersid
) changing a custom domain, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
) and activity name (activity_name
).
Backup Catalogs Deleted by Ransomware
The wbadmin.exe
utility was used to delete the backup catalog. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Indicator Removal on Host (T1070 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_delete_backup_catalogs
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host on which the ransomware action happenedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the backup catalog
Use Case with Data Points
If wbadmin.exe
is used to delete the backup catalog, an alert is triggered. The Interflow includes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).
Bad Destination Reputation Anomaly
A destination IP address with a bad reputation has received an anomalously large number of connections. Investigate the connections and consider blocking the destination IP address.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR Intel (XTA0005)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is dstip_bad_reps
.
Severity
30
Key Fields and Relevant Data Points
dstip
— destination IP addressdstip_host
— destination host namedstip_reputation
— destination reputationactual
— actual number of connections to the destination IP address in the periodtypical
— typical number of connections to the destination IP addresssrcip_host
— source host namesrcip_reputation
— source reputationappid_name
— application name
Use Case with Data Points
The number of connections for every destination IP address (dstip
) with a bad reputation (dstip_reputation
) is calculated periodically. If a destination IP address's number of connections (actual
) is much larger than the typical historical number (typical
), an alert is triggered. The Interflow includes the source IP address making the connection (srcip_host
), the application (appid_name
) used, and the reputation of the source host (srcip_reputation
).
Bad Reputation Login
A successful login was observed from an IP address with a history of malicious activity. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is bad_reputation_login
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user name
Use Case with Data Points
The login records are checked for every source IP address (srcip
). If a source IP address has successful login records and its reputation (srcip_reputation
) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes source IP address (srcip
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), login type (login_type
), and user name (username
).
Bad Source Reputation Anomaly
A source IP address with a bad reputation has made an anomalously large number of connections. Investigate the connections and consider blocking the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is srcip_bad_reps
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationactual
— actual number of connections in the periodtypical
— typical number of connections from the source IP addressdstip_host
— host name of corresponding destination IP addressdstip_reputation
— destination reputationappid_name
— application name
Use Case with Data Points
The number of connections for every source IP address (srcip
) with a bad reputation (srcip_reputation
) is calculated periodically. If a source IP address's number of connections (actual
) is much larger than the typical historical number (typical
), an alert is triggered. The Interflow includes the application (appid_name
) used and the reputation of the destination host (dstip_reputation
).
Carbon Black: XDR Anomaly
On a specific device, an anomalously large number of VMware Carbon Black endpoint log records or a rarely seen type of record has been observed compared to the typical number in a measured interval.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Anomaly (XT1000)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is carbonblack_edr_anomaly
.
Severity
30
Key Fields and Relevant Data Points
hostip
— device internal IP addresshost.external_ip
— device external IP addressactual
— actual volume of log records in the periodtypical
— typical difference in volume of log records between this period and the previous period
Use Case with Data Points
The number of occurrences of Carbon Black endpoint (cloud) log, based on the “UNKNOWN“ threat category (event.type
), is tabulated periodically. If this category occurs (actual
) much more often compared to its history (typical
) or a rarely seen type of record is observed, an alert is triggered. The Interflow includes information such as the file name (file.name
), process (process.name
), and description (xdr_event.description
).
Command & Control Reputation Anomaly
An anomalously large number of connections were made to known command and control servers. Investigate the connections and source hosts. If malicious, block the IP addresses of the command and control servers.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR Intel (XTA0005)
-
Technique: XDR Command and Control Reputation (XT5001)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is cnc_reputation
.
Severity
70
Key Fields and Relevant Data Points
dstip
— destination IP addressdstip_host
— destination host namedstip_reputation
— destination reputationactual
— actual number of connections in the periodtypical
— typical number of connections to the destination IP address with a C&C reputationsrcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationappid_name
— application name
Use Case with Data Points
The number of connections for every destination IP (dstip
) with a command and control reputation (dstip_reputation
) is calculated periodically. If a destination IP has a much higher number of connections (actual
) than its history (typical
) in any period, an alert is triggered. The Interflow includes the application used in the connection (appid_name
), the source host (srcip_host
), and the source reputation (srcip_reputation
).
Command Anomaly
A command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is command_anomaly
.
Severity
15
Key Fields and Relevant Data Points
command
— command executedactual
— actual number of executions in the periodtypical
— typical number of executions in the periodcwd
— current working directory from which the command executedhostip
— host from which the command was runhostip_host
— host nameusername
— user name who ran the command
Use Case with Data Points
The number of times a command (command
) has been executed is calculated periodically. If the volume (actual
) is much larger than the typical volume (typical
) of the command or other commands in any period, an alert is triggered. The Interflow includes the directory from which the command was executed (cwd
), the host and source IP addresses (hostip
and srcip
) from which the command was executed, and the name of the user who ran the command (username
).
Cryptojacking
An unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Resource Hijacking (T1496 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is cryptojacking
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip
— source IP address of the cryptojacking actiondstip
— destination IP address of the cryptojacking actionsrcip_reputation
— source reputationsrcip_host
— source host namedstip_reputation
— destination reputationdstip_host
— destination host name
Use Case with Data Points
If an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), source reputation (srcip_reputation
), source host (srcip_host
), destination IP address (dstip
), destination reputation (dstip_reputation
), and destination host (dstip_host
).
CylanceOPTICS: XDR Anomaly
On a specific device, a rarely seen or an anomalously large number of CylanceOPTICS endpoint log records has been observed, compared to the typical number in a measured interval or has been observed after several days of silence.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Anomaly (XT1000)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is cylance_edr_anomaly
.
Severity
30
Key Fields and Relevant Data Points
event.description
— description of the detection rulehost.name
— device nameactual
— actual number of log records in the periodtypical
— typical number of log records generated on the device
Use Case with Data Points
The number of occurrences of CylanceOPTICS log records (event.provider
) is calculated periodically. If this category occurs (actual
) much more often compared to its history (typical
) or a rarely seen type of event is generated, an alert is triggered. The Interflow includes information such as the process name (process.name
), parent process name (process.parent.name
), and description (event.description
).
Data Ingestion Volume Anomaly
A sensor is sending an anomalously high or low volume of data, compared to its typical volume. Check the sensor. A low volume could indicate a sensor failure or other problems. For a high volume, determine the cause of the increase.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: XDR SBA (XTA0003)
-
Technique: XDR Bytes Anomaly (XT3001)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ade_outbytes_anomaly
.
Severity
10
Key Fields and Relevant Data Points
engid
— sensor IDengid_name
— sensor nameactual
— actual volume of data in the periodtypical
— typical difference in data volume between this period and the previous period
Use Case with Data Points
The data ingestion volume of every data sensor with sensor id (engid
) and sensor name (engid_name
) is calculated periodically. If one of the following conditions is met, the anomaly is triggered:
-
A moving window is used to record data ingestion volume. If the time window can be divided into two sub windows and the metric values of these two sub windows show large deviation
-
The ingestion volume is anomalously high compared to its own history
-
The ingestion volume is anomalously low compared to its history and it keeps being low for a relatively longer period
A sample Interflow includes the sensor ID (engid
) and sensor name (engid_name
).
DGA
A host is using a potential Domain Generation Algorithm (DGA). If the target domain is a malicious domain, the host might be compromised. Investigate the DGA domains and the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Dynamic Resolution (T1568 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is dga_resolvable
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP address of the host that sends the DGA queriesmetadata.request.effective_tld
— effective top-level domain of the DNS querysrcip_host
— source host nameis_dga
— flag marking whether or not the DNS query is a DGA queryactual
— number of DGA domains the host has queried
Use Case with Data Points
Whenever a host (srcip
) sends a DNS query (appid_name
: dns
) and the DNS server returns a non-existent domain (NXDOMAIN) response (metadata.response.reply_code
), the NX domain query counter for the host is increased. We reset the counter if no NX domain queries are observed for a period of time. When the counter reaches a certain threshold, the host is monitored. When monitored, we run the FQDNs of all DNS queries (metadata.response.query
) sent by this host through domain generation analytics to determine whether the domain's entropy indicates a DGA anomaly. If so, we mark the DNS record (is_dga
). If the DNS query gets a response with valid resolved IP addresses (metadata.response.resolved_ips
), we call it a resolvable query, otherwise we call it a non-resolvable query.
If a monitored host (srcip
) sends a resolvable DGA query (is_dga
: yes_resolvable
), we check the effective top-level domain (metadata.response.effective_tld
). If the same host (srcip
) previously sent non-resolvable DGA queries (is_dga
: yes
) with the same effective top-level domain (metadata.response.effective_tld
), the host is considered to have a high risk of being compromised and performing C&C with DGA. The Interflow includes the source host (srcip
), DNS query (metadata.response.query
), query effective top-level domain (metadata.response.effective_tld
), and DGA flag (is_dga
).
DHCP Server Anomaly
A new DHCP server appeared in the network. This could be a hacker attempting to steer traffic. Investigate and consider telling employees to avoid this server.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Server Anomaly (XT2007)
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is dhcp_anomaly
.
Severity
20
Key Fields and Relevant Data Points
metadata.response.server_ip
— IP address of the anomalous DHCP serverdstip
— IP address of the anomalous DHCP destinationengid
— sensor that reported the DHCP trafficsrcip_host
— host name that visited the suspicious DHCP serversrcip_geo.countryName
— country name of the source that visited the suspicious DHCP server
Use Case with Data Points
If a DHCP server that has never been seen before appears in the network, an alert is triggered. The Interflow includes the destination IP address (dstip
), destination host (dstip_host
), source host (srcip_host
), and source country (srcip_geo.countryName
).
DNS Tunneling Anomaly
An anomalously large number of connections tunneling high-entropy traffic through DNS were made. This can indicate data exfiltration. Investigate the tunnel and source host. If malicious, block the source host.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Exfiltration Over Alternative Protocol (T1048 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is dns_tunnel
.
Severity
98
Key Fields and Relevant Data Points
metadata.request.effective_tld
— effective top-level domain, such as yahoo.comsrcip
— source IP addresssrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressmetadata.request.query
— DNS queryactual
— actual number of bytes transmitted through the tunnel in the periodtypical
— typical number of bytes transmitted through a tunnel in the periodtotal_entropy
— total entropy (information density) sent by the DNS tunnelquery_count
— number of queries sent by the DNS tunnel
Use Case with Data Points
The DNS queries (metadata.requests.query
) for each DNS tunnel (comprising the source host (srcip_host
), destination host (dstip
), and top-level domain (effective_tld
)) are analyzed periodically. If a DNS tunnel has sent anomalously more entropy (total_entropy
) and bytes (actual
) than is normal (typical
) in any period, an alert is triggered. The number of queries sent (query_count
) is also considered.
Emerging Threat
An emerging threat has been observed. Investigate the IP address and consider blocking.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR Intel (XTA0005)
-
Technique: XDR Emerging Threat (XT5003)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is emerging_threat
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP address marked as an emerging threatdstip
— destination IP address marked as an emerging threaturl_list
— URL marked as an emerging threatdomain_list
— domain marked as an emerging threatsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
Stellar Cyber monitors traffic for emerging threats. An alert is triggered if emerging threats are observed in any of the following:
- Source IP address (
srcip
) - Destination IP address (
dstip
) - URL (
url_list
) - Domain (
domain_list
)
Note that only one of these is needed to trigger the alert. So, although the Interflow includes the source IP address (srcip
), destination IP address (dstip
), URL (url_list
), and domain (domain_list
), not all the values may be populated, depending on the nature of the observed threat.
Encoded PowerShell
A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is encoded_powershell
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— IP address of the Windows hosthostip_host
— host nameevent_data.ContextInfo
— PowerShell script contextevent_data.Payload
— PowerShell script payload
Use Case with Data Points
If a Windows host (srcip
) executes a PowerShell script whose context (event_data.ContextInfo
) includes flags that indicate encoding or obfuscation of the script, an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the script context (event_data.ContextInfo
), and script payload (event_data.Payload
).
Encrypted C&C
A connection to or from known command and control servers was observed in encrypted traffic. Consider blocking the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Encrypted Channel (T1573 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ssl_certificate
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP address of the connectiondstip
— destination IP address of the connectionsrcip_host
— host name of corresponding source IP addresssrcip_geo.countryName
— source country of the connectiondstip_host
— host name of corresponding destination IP addressdstip_geo.countryName
— destination country of the connection
Use Case with Data Points
If known command and control servers are detected on either side of a connection with encrypted traffic, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), source country (srcip_geo.countryName
), destination IP address (dstip
), destination host (dstip_host
), and destination country (dstip_geo.countryName
).
Exploited C&C Connection
An exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Command and Control Connection Exploitation (XT2014)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenant_id
— tenant IDexploit_id
— ID of the original exploit eventseen_traffic_id
— ID of the original Interflow traffic recordsrcip
(of exploit event) — IP address of the attacker (correlation_info.srcip
)dstip
(of exploit event) — IP address of the target host (correlation_info.dstip
)srcip
(of traffic record) — IP address of the target host (correlation_info.srcip
)dstip
(of traffic record) — IP address of the attacker (correlation_info.dstip
)
Use Case with Data Points
Two events are involved in this alert type. In the first event, an attacker (srcip
) with the IP address A is performing an exploit against a target (dstip
) with the IP address B. If, following that event, an Interflow traffic record is observed where the target host (srcip
) with IP address B initiates a network connection to the attacker (dstip
) whose IP address is A, an alert is triggered.
When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event (exploit_id
), the reference ID of the traffic record (seen_traffic_id
), the IP address of the attacker (correlation_info.srcip
of the exploit event or correlation_info.dstip
of the traffic record), the IP address of the victim (correlation_info.dstip
of the exploit event or correlation_info.srcip
of the traffic record).
External Account Login Failure Anomaly
An anomalously large number of user login failures was observed for an account. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_cloud_account_login_failure
.
Severity
45
Key Fields and Relevant Data Points
srcip_usersid
— cloud account user IDscrip_username
— cloud account user nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addresslogin_type
— type of loginsrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every account (srcip_usersid
). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has two subtypes:
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_success_brute_forcer
.
Severity
90
Alert Subtype: Source IP-Based
The source IP-based alert subtype has the same XDR Kill Chain and Event Name as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related External User Login Failure Anomaly
Use Case with Data Points
The login records are checked for every external source IP address (srcip
). An alert is triggered if that IP address:
- Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
- Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
The user ID-based alert subtype has the same XDR Kill Chain and Event Name as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
srcip_usersid
— Windows SID associated with the source IP addresssrcip
— source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related External Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid
) are checked for every external source IP address (srcip
). An alert is triggered if that user account:
-
Has so many failed login attempts that it triggered the External Account Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Credential Stuffing
An anomalously large amount of username/password testing was observed on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_credential_stuffing
.
Severity
50
Key Fields and Relevant Data Points
msg_class
— name of the service:cloudtrail
for AWS,okta
for Okta,Microsoft-Windows-Security-Auditing
for Windowsservice_id
— specific account ID of a servicelogin_failure_rate
— rate of login failures per minute in the periodunknown_users_rate
— rate of unknown user names per minute in the periodunknown_users_to_login_failures
— ratio of unknown user names to login failures in the periodsuspicious_ips
— suspicious source IP addresses (up to 100)possible_breached_ips
— list of malicious IPs that may have successful breach activities
Use Case with Data Points
External credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class
), tenant's account ID on that service (service_id
), suspicious source IP address (suspicious_ips
), login failure rate (login_failure_rate
), unknown user rate (unknown_users_rate
), the ratio of unknown users to login failures (unknown_users_to_login_failures
), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Exploited Vulnerability
A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with internal IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Firewall Denial Anomaly
A source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the source IP address.
XDR Kill Chain
Kill Chain Stage: Initial Attempts
Tactic: [External] XDR NBA (XTA0002)
Technique: XDR Firewall Anomaly (XT2002)
Tags: [External; Network Traffic Analysis; Firewall Anomalies]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_fw_action
.
Severity
40
Key Fields and Relevant Data Points
srcip_host
— source host IP addresssrcip
— source host IP addressactual
— actual number of firewall denials in the periodtypical
— typical number of firewall denials in the perioddstip_host
— host name of corresponding destination IP addressdev_name
— name of the firewallengid_name
— name of the sensor
Use Case with Data Points
The number of firewall denials for every source IP address (srcip
) is calculated periodically. If a source IP address’s number of firewall denials (actual
) is much larger than the historical count (typical
) of all IP addresses, an alert is triggered. The Interflow includes the name of the firewall (dev_name
), the name of the sensor (engid_name
), and the destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Firewall Policy Anomaly
A rarely triggered firewall policy has been violated. Investigate that policy and track down the violation.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Firewall Anomaly (XT2002)
-
Tags: [External; Network Traffic Analysis;Firewall Anomalies]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_fw_policy_id
.
Severity
20
Key Fields and Relevant Data Points
fw_policy_id
— ID of the violated firewall policydays_silent
— number of days since this firewall policy was last seensrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressdev_name
— device namedev_type
— device typeengid_name
— sensor name
Use Case with Data Points
A firewall policy violation (fw_policy_id
), which is raised by a device (dev_name
and dev_type
) and captured by a sensor (engid_name
), shows never seen or very rare (days_silent
) traffic between a host (srcip_host
) and another host (dstip_host
). This violation will trigger an alert.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Handshake Failure
There were too many handshake failures between two hosts, which might indicate port scanning. Check the source host to see if this was expected and, if not, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Reconnaissance (TA0043 )
-
Technique: Active Scanning (T1595 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_handshake_failure
.
Severity
10
Key Fields and Relevant Data Points
srcip
— source IP address of the host with the handshake failuressrcip_host
— source host namedstip
— destination IP address of the host with the handshake failuresdstip_host
— destination host nametimestamp
— when the scan happened
Use Case with Data Points
If a host (srcip
) scans across many ports on another host (dstip
), an alert is triggered. The Interflow includes the IP address of the potential attacker (srcip
), the IP address of the victim (dstip
), a special message flag (msgtyp
), and when the scan happened (timestamp
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External IDS Signature Spike
A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_ids_signature_spike
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addressids_signatures_summarize
— summarized IDS signatures of the exploitsrcip_host
— source host nameactual
— actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External IP / Port Scan Anomaly
A host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit.
This alert type has two subtypes:
Alert Subtype: Connection Failure Anomaly (Sensor Traffic)
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_port_scan
.
Severity
10
Key Fields and Relevant Data Points
srcip
— source IP addressnum_failed
— unique number of (destination IP and destination port) tuples that respond with failed statusnum_successful
— unique number of (destination IP and destination port) tuples that respond with success statuspercent_failed
— percent of unique (destination IP and destination port) tuples that respond with failed statusweighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
For every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address (srcip
), the number of response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host
), destination host (dstip_host
), and application name (appid_name
).
Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.
Validation / Remediation
If the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized.
If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner.
Potential False Positives
Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address.
Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_port_scan_tsa
.
Severity
10
Key Fields and Relevant Data Points
srcip
— source IP addressactual
— actual number of connections to the destination IP address in the periodtypical
— typical number of connections to the destination IP addresssrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
For every unique (destination IP address and destination port) browsed by each source IP address (srcip
), the number of response failures and successes and the number of total data volume are calculated periodically. If the total data volume is significantly larger than the typical number, an alert is triggered. The Interflow includes the source host (srcip_host
), destination host (dstip_host
), and application name (appid_name
).
Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.
Validation / Remediation
If the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized.
If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner.
Potential False Positives
Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Non-Standard Port Anomaly
An application had an anomalously large number of connections or a rarely seen connection on non-standard ports. Check the application to be sure this is benign.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] Command and Control (TA0011 )
-
Technique: Non-Standard Port (T1571 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_non_std_port_anomaly
.
Severity
15
Key Fields and Relevant Data Points
dstip
— destination IP addressdstport
— destination portappid
— application IDdays_silent
— number of days since the application was last seenappid_name
— application namedstip_host
— host name of corresponding destination IP addressactual
— actual number of connections in the periodtypical
— typical number of connections in the period
Use Case with Data Points
The number of connections for an application (dst_ip
+ dstport
+ appid
) is calculated periodically. If a non-standard combination has an actual number of connections (actual
) that is much larger than the typical number of connections (typical
), or the combination has not appeared for a long time, an alert is triggered. The Interflow includes the source host (srcip_host
), destination IP address (dstip
), destination port (dstport
), application ID (appid
), and application name (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Other Malware
Malware with uncategorized malicious activity was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_malware_activity
.
Severity
50
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the malwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates malware that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the malware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Password Spraying
.An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Sub-technique: Password Spraying (T1110.003 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_password_spray
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP address generating a failed loginor
event_data.Workstation
— workstation generating a failed loginThe key field for this alert type can be either
srcip
orevent_data.Workstation
, depending on the data feed.srcip_host
— source host nameevent_id
— Windows event ID corresponding to the login failureslogin_type
— type of login protocol; the available values vary byevent_id
actual
— actual number of failed logins with unknown user names in a 5-minute periodtypical
— typical number of failed logins with unknown user names in a 5-minute periodpassword_spray_user_summary
— list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip
or event_data.Workstation
), timestamp, the type of login (login_type
), the number of failed logins (actual
), the usual number of failed logins (typical
), and a sampling of the user names used in the attack (password_spray_user_summary
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External PII Leaked
Personally identifiable information (social security numbers or credit cards) has been observed in the clear. Check the source to see if it is compromised. If so, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Exfiltration (TA0010 )
-
Technique: Automated Exfiltration (T1020 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_pii_leak
.
Severity
90
Key Fields and Relevant Data Points
srcip
— source IP address of the PII leakdstip
— destination IP address of the PII leakids.signature
— IDS signaturesrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Plain Text Passwords Detected
A plain text password was detected in unencrypted traffic. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Clear Password (XT2006)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_clear_password
.
Severity
10
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addressactual
— actual number of connections with a plain text password in the periodsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
If there are plain text passwords in unencrypted traffic records with a public source IP address (srcip
) or destination IP address (dstip
), an alert is triggered. A sample Interflow includes the source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), destination host (dstip_host
), and application (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Protocol Account Login Failure Anomaly
An anomalously large number of login failures over SMB or FTP was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_protocol_account_login_failure
.
Severity
35
Key Fields and Relevant Data Points
Use Case with Data Points
metadata.request.username
— user name in the HTTP connection requestevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.appid_name
— application namelogin_type
— type of loginsrcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputation
For every user name (metadata.request.username
) in the HTTP connections names (that do not begin with "Mozilla" or "Aella"), the number of failed and successful logins are calculated periodically. If the number of failed logins is much greater than successful logins, an alert is triggered. The Interflow includes the application name (appid_name
), login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External PUA
Unwanted applications or malware that bombards the user with advertisements has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR PUA (XT6002)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_pua
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the PUAevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates potentially unwanted applications (PUA), an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
) or IDS signature for ML-IDS (ids.signature
), along with event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the PUA (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Ransomware
Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Impact (TA0040 )
-
Technique: Data Encrypted for Impact (T1486 )
-
Tags: [External; Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_ransomware
.
Severity
80
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the ransomwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates ransomware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the ransomware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External RDP BlueKeep
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [External] Privilege Escalation (TA0004 )
-
Technique: Exploitation for Privilege Escalation (T1068 )
-
Tags: [External; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_rdp_bluekeep
.
Severity
80
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip_host
— source host namedstip_host
— destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External RDP Brute Force Attack
An anomalously large number of RDP connections to an RDP server was observed. Check the source IP addresses to determine if they are unknown or malicious, and monitor any successful RDP logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_rdp_brute_force
.
Severity
30
Key Fields and Relevant Data Points
dstip
— IP address of the destination RDP serverdstip_host
— destination host nameactual
— actual number of RDP connections to the destination IP address in the observed time buckettypical
— typical number of RDP connections to the destination IP address in most time bucketssrcip
— source IP addresssrcip_host
— source host name
Use Case with Data Points
RDP connection activity is monitored and the number of connections are calculated periodically. If the number of connections to an RDP server (actual
) is much greater than normal (typical
), an alert is triggered. A sample Interflow includes the destination IP address (dstip
) and source IP address (srcip
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External RDP Suspicious Outbound
Non-standard tools connecting to TCP port 3389 were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [External; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_rdp_suspicious_outbound
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the host that connects to TCP port 3389 with a non-standard toolsrcip_host
— source host nameprocess_name
— process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip
) and the process name (process_name
). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Scanner Behavior Anomaly
An anomalously large amount of scanning behavior or a rarely seen scan behavior was found. Cross-check with the IP/Port Scan Anomaly alert.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Reconnaissance (TA0043 )
-
Technique: Active Scanning (T1595 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_scan_anomalies
.
Severity
10
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
The number of occurrences of each scanner, based on IDS signature (ids.signature
), is calculated periodically. If one scanner occurs (actual
) much more often than its history (typical
), an alert is triggered. The Interflow includes information such as the traffic application type (appid_name
), source (srcip_host
), and destination (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SMB Read Anomaly
An IP address sent an anomalously large number of read requests to SMB protocol based service(s). Investigate the files that the IP address tried to read. If suspicious, block the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_smb_read_anomaly
.
Severity
15
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— source host nameactual
— actual number of SMB reads from the source IP address in the periodtypical
— typical number of SMB reads from other source IP addresses in the perioddstip_host
— destination host namesmb_username
— SMB user name
Use Case with Data Points
The number of SMB read requests for every source IP address (srcip
) is calculated periodically. If a source IP address’s number of SMB reads (actual
) is much larger than the typical number (typical
) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username
) and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SMB Username Enumeration
At least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from the same source. Check the source IP address. If malicious, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_smb_user_scan
.
Severity
40
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressactual
— actual unique SMB user counttypical
— SMB user count thresholdsmb_username_set
— all SMB login user names
Use Case with Data Points
If one source IP address (srcip
) has several SMB login attempts with (1) at least 5 unique user names and at least 1 denied attempt or (2) at least 10 unique user names, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host)
, destination host (dstip_host
), and all the user names (smb_username_set
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SMB Write Anomaly
An IP address sent an anomalously large number of SMB write requests. Investigate the files that the IP address tried to write. If suspicious, block the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Impact (TA0040 )
-
Technique: Data Manipulation (T1565 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_smb_anomaly
.
Severity
30
Key Fields and Relevant Data Points
srcip_host
— source host nameactual
— actual number of SMB writes in the periodtypical
— typical number of SMB writes in the perioddstip_host
— destination host namesmb_username
— SMB user name
Use Case with Data Points
The number of SMB write requests for every source IP address (srcip_host
) is calculated periodically. If a source IP address’s number of SMB writes (actual
) is much larger than the typical number (typical
) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username
) and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Spyware
Malware that collects and shares information about a device without consent was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Spyware (XT6003)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_spyware_activity
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the spywareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates spyware activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the spyware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SQL Anomaly
An IP address sent an anomalously large number of queries to one or more SQL servers. Investigate the queries. If suspicious, block the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_mysql_anomaly
.
Severity
15
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— source host namesrcip_geo.countryName
— name of the source countryactual
— actual number of SQL queries in the periodtypical
— typical number of SQL queries from the source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of SQL queries for every source IP address (srcip_host
) is calculated periodically. If a source IP’s SQL query count (actual
) is much larger than the typical count (typical
) and that of other IP addresses in any period, an alert is triggered. The source IP’s country is (srcip_geo.countryName
). The Interflow includes the destination host (dstip_host
) the source IP visits.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SQL Dumpfile Execution
The SQL dumpfile
command was observed. This command is commonly used to dump database content or query output to a file on disk. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [External] Collection (TA0009 )
-
Technique: Data Staged (T1074 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_sql_db_dump
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP addressactual
— number of SQLdumpfile
queriessrcip_host
— source host namesource_geo.countryName
— source countrydstip_host
— destination host name
Use Case with Data Points
If the SQL dumpfile
command is seen on any source IP address (srcip
), an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), and number of SQL dumpfile
queries in the period (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SQL Shell Command
Shell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_database_command
.
Severity
40
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addresssrcip_host
— source host namesrcip_reputation
— source reputationdstip_host
— destination host namedstip_reputation
— destination reputationmetadata.request.query
— SQL query commandactual
— number of query records from one source to one destination in one period
Use Case with Data Points
For SQL query records, if special commands (such as select mylab_sys_exec
) are found, an alert is triggered. A sample Interflow includes the source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), source reputation (srcip_reputation
), destination host (dstip_host
), destination reputation (dstip_reputation
), and SQL query records (metadata.request.query
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Suspected Malicious User Agent
An external HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination.
This alert type has two subtypes:
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR User Agent Anomaly (XT2012)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_suspected_malicious_user_agent
.
Severity
30
Key Fields and Relevant Data Points
metadata.request.user_agent
— user agent in the HTTP connection requeststellar.confidence
— model's confidence in the predictionsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
If a seen user agent is identified as suspicious, an alert is triggered. The alert includes the suspicious user agent (metadata.request.user_agent
), confidence (stellar.confidence
), tenant (tenant_name
), source IP (srcip
), and destination IP (dstip
) in the key fields. Additionally, the confidence level of the model is displayed in the alert description in a pop-up box.
Alert Subtype: Predicted Malicious Agent
The Predicted Malicious Agent alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:
-
The
stellar.anomaly_tag
ispredicted_external
. -
The
xdr_event.subtype.name
isexternal_suspected_malicious_user_agent
. -
It is triggered by a machine learning classifier.
Alert Subtype: Known Malicious Agent Match
The Known Malicious Agent Match alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:
-
The
stellar.anomaly_tag
isknown_external
. -
The
xdr_event.subtype.name
isexternal_suspected_malicious_user_agent_known_malicious
. -
It is triggered by known threats.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SYN Flood Attacker
An attacker sends a large amount of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Impact (TA0040 )
-
Technique: Endpoint Denial of Service (T1499 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_syn_flood_attacker
.
Severity
10
Key Fields and Relevant Data Points
srcip
— source IP address of the SYN floodsrcip_host
— source host namedstip
— target IP address of the SYN flooddstip_host
— destination host namedstport
— port on target host that received the SYN floodsyn_flood_events
— number of SYN packets during the period
Use Case with Data Points
If an external host (srcip
) sends too many SYN packets (syn_flood_events
) to internal target(s) (dstip
) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip
), the IP address of the target host (dstip
), the port of the target host (dstport
), and how many SYN packets were observed (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External SYN Flood Victim
A large amount of SYN requests were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Impact (TA0040 )
-
Technique: Endpoint Denial of Service (T1499 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_syn_flood
.
Severity
10
Key Fields and Relevant Data Points
dstip
— target IP address of the SYN floodsrcip
— source IP address of the SYN floodsrcip_host
— source host namedstip_host
— destination host namedstport
— port on target host that received the SYN floodsyn_flood_events
— number of SYN packets during the period
Use Case with Data Points
If an external host (srcip
) sends too many SYN packets (syn_flood_events
) to internal target(s) (dstip
) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip
), the IP address of the target host (dstip
), the port of the target host (dstport
), and how many SYN packets were observed (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Trojan
Malware that disguises itself as legitimate software in order to gain access to a system or files has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Trojan (XT6004)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_trojan_activity
.
Severity
50
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the trojanevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates trojan activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the trojan (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External URL Reconnaissance Anomaly
An anomalous number of HTTP 4xx errors were observed. This can indicate an attacker scanning for pages to exploit. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Reconnaissance (TA0043 )
-
Technique: Active Scanning (T1595 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_url_scan
.
Severity
20
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.total_failed
— number of unique URLs with HTTP error status response in the periodevent_summary.total_successful
— number of unique URLs with HTTP success status response in the periodevent_summary.total_fail_ratio
— percent of unique URLs with HTTP error status response in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addresssrcip_geo.countryName
— source country name
Use Case with Data Points
For every unique URL browsed by each source IP address (srcip
), the number of HTTP response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host
), destination host (dstip_host
), and source country (srcip_geo.countryName
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External User Agent Anomaly
An HTTP connection was made by a user agent that has never been seen before (or been seen very rarely). Investigate the connection destination.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR User Agent Anomaly (XT2012)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_agent_anomaly
.
Severity
30
Key Fields and Relevant Data Points
metadata.request.user_agent
— user agent in the HTTP connection requestdays_silent
— number of days since this user agent was last seensrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
All user agent (metadata.request.user_agent
) HTTP connections having names that do not begin with "Mozilla" or "Aella" are examined. An alert is triggered if any of those agents have not been seen by Stellar Cyber before or have been silent for many days (days_silent
). The Interflow includes all information from the suspicious HTTP connection, such as the application (appid_name
), the source (srcip_host
), and the destination (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External User Application Usage Anomaly
A user who typically uses a small, consistent number of applications used a new application. Investigate the application, to see if it is benign. Check with the user to see if this was expected.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_uncommon_app
.
Severity
15
Key Fields and Relevant Data Points
srcip_usersid
— source user IDappid_name
— application namesrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_family
— application familysrcip_username
— source user namestability
— score measuring the time since the last new application was useddays_stable
— time since the last new application was useddiversity
— score measuring the number of applications that the user usedchild_count
— number of applications that the user used
Use Case with Data Points
An alert is triggered under the following conditions:
-
a user (
srcip_usersid
,srcip_username
) with a small number of applications (diversity
,child_count
) who has not used a new application for a long period of time (stability
,days_stable
), and then -
a new application (
appid_name
) belonging to an application family (appid_family
) appears on a host (scrip_host
) with this user, and -
that host connects to another host (
scrip_host
)
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External User Data Volume Anomaly
A user had an anomalously large volume of traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected.
Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Bytes Anomaly (XT3001)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_bytes_sum
.
Severity
30
Key Fields and Relevant Data Points
srcip_usersid
— source user IDactual
— actual traffic volume in the periodtypical
— typical traffic volume from the usersrcip_host
— host name of corresponding source IP addresssrcip_username
— source user namedstip_host
— host name of corresponding destination IP addressdstip_reputation
— destination reputationdstip_geo.countryName
— destination countryappid_name
— application name
Use Case with Data Points
The total traffic volume of each user identified by user ID (scrip_usersid
) is calculated periodically. If the volume in one period (actual
) is much larger than its normal volume (typical
), an alert is triggered.
The Interflow includes the source IP address (scrip_host
), destination IP address (dstip_host
), destination reputation (dstip_reputation
), destination country (dstip_geo.countryName
), and application of the traffic (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External User Login Failure Anomaly
An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_user_login_fail
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addressdstip_host
— destination host nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.login_type
— type of login, such asssh_traffic
,okta_log
, oraws_cloudtrail
srcip_host
— source host namesrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes are calculated periodically for every source (srcip
) and destination (dstip
) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
File Action Anomaly
Actions, such as move, copy, delete, or change attribute, were taken on a file or files an anomalous number of times. Investigate the actions and the user to see if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Data Manipulation (T1565 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is anomalous_file_action
.
Severity
70
Key Fields and Relevant Data Points
secondary
— user nameactual
— actual number of file actions in the periodtypical
— typical number of file actions in the periodpath
— path to the file
Use Case with Data Points
The number of file actions for each user (secondary
) is calculated periodically. If the volume (actual
) is anomalous compared to the typical volume (typical
) of file actions in any period, an alert is triggered. The Interflow includes the directory to the file (path
).
File Creation Anomaly
A file or files were created an anomalously large number of times. Check with the user to see if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR File Anomaly (XT1003)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is file_creation
.
Severity
70
Key Fields and Relevant Data Points
secondary
— user nameactual
— actual number of file creations in the periodtypical
— typical number of file creations in the periodpath
— path to the file(s) created
Use Case with Data Points
The number of file creations for each user (command
) is calculated periodically. If the volume (actual
) is much larger than the typical volume (typical
) of file creations in any period, an alert is triggered. The Interflow includes the directory to the file (path
).
Google Workspace Account Manipulation
A Google Workspace user was manipulated. Check with the user to make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Account Anomaly (XT4007)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is gsuite_account_manipulation
.
Severity
70
Key Fields and Relevant Data Points
event_detail.affected_email_address
— key ID for the accountevent_detail.name
— Google Workspace suspicious event nameevent_detail.type
— Google Workspace suspicious event type
Use Case with Data Points
For each Google Workspace account (event_detail.affected_email_address
), account manipulation is evaluated periodically. This alert is triggered if the Google Security center reports a leaked password or a user account being suspended for specific reasons. The Interflow includes the account ID (event_detail.affected_email_address
), Google Workspace event name (event_detail.name
), and Google Workspace event type (event_detail.type
).
Google Workspace Attack Warning
Attacks to a Google Workspace account were observed. Check with the account holder.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is gsuite_attack_warning
.
Severity
74
Key Fields and Relevant Data Points
gsuite.actor.email
— key ID for the accountsrcip
— source IP addresssrcip_host
— source host nameevent_detail.name
— Google Workspace suspicious event nameevent_detail.type
— Google Workspace suspicious event type
Use Case with Data Points
For each Google Workspace account (actor.email
), attacks are searched periodically. If an attack is identified, an alert is triggered. The Interflow includes the account ID (actor.email
), source IP address (srcip
), Google Workspace event name (event_detail.name
), and Google Workspace event type (event_detail.type
).
Google Workspace Suspicious Activities
Suspicious activities were observed in a Google Workspace account. Check with the account holder.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Login Anomaly (XT4006)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is gsuite_suspicious_activities
.
Severity
50
Key Fields and Relevant Data Points
gsuite.actor.email
— key ID for the accountsrcip
— source IP addresssrcip_host
— source host nameevent_detail.name
— Google Workspace suspicious event nameevent_detail.type
— Google Workspace suspicious event type
Use Case with Data Points
For each Google Workspace account (actor.email
), suspicious activities are searched periodically. If suspicious activities are detected, an alert is triggered. The Interflow includes the account ID (actor.email
), source IP address (srcip
), Google Workspace event name (event_detail.name
), and Google Workspace event type (event_detail.type
).
Google Workspace User Suspended
A Google Workspace user was suspended. Check with the user to make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Account Anomaly (XT4007)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is gsuite_user_suspended
.
Severity
70
Key Fields and Relevant Data Points
gsuite.actor.email
— key ID for the accountsrcip
— source IP addresssrcip_host
— source host nameevent_detail.name
— Google Workspace suspicious event nameevent_detail.type
— Google Workspace suspicious event type
Use Case with Data Points
For each Google Workspace account (actor.email
), suspension status is searched periodically. If a user is suspended, an alert is triggered. The Interflow includes the account ID (actor.email
), source IP address (srcip
), Google Workspace event name (event_detail.name
), and Google Workspace event type (event_detail.type
).
Hydra Password Guessing Hack Tool
A user on a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra style parameters, which may be an inappropriate use of the Hydra password guessing tool.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Hydra]
Event Name
The xdr_event.name
for this alert type in the Interflow data is hydra_password_guessing_hack_tool
.
Severity
90
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running hydra.exe for password cracking.event_data.CommandLine
— command used to run the toolcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a PowerShell script with a context that includes one or more flags (event_data.Image
or event_data.CommandLine
indicating usage of the Hydra password guessing hack tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or script payload (event_data.CommandLine
).
Validation / Remediation
Check the body of the Powershell script that is reported on the Windows host to identify whether the contents of the script are actually malicious. If malicious, consider quarantining the host.
Potential False Positives
The running of any executable named hydra.exe
or a command that has parameters of -u
and -p
or ^user^
and ^pass^
triggers this alert.
Impossible Travel Anomaly
A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Location Anomaly (XT2001)
-
Tags: [User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_impossible_travel
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the source usersrcip_username
— source user namesrcip
— source IP addresssrcip_host
— source host namesrcip_geo
— source IP address geo location, including latitude and longitudedistance_deviation
— deviation in distance (miles) between the two login locationstime_deviation
— deviation in time (seconds) between the two login eventstravel_speed
— calculated speed for the user to travel between the two location (miles/hour)appid_name
— application name for the login eventlast_login_time
— time of 2nd login, event 2 (E2)_id2
— ID of E2_index2
— index of E2srcip2
— source IP address of E2srcip_geo2
— source IP address geo location of E2, including latitude and longitudeengid_gateway
— gateway IP address, used to determine geo location when source IP address is private
Use Case with Data Points
Login events (E1 and E2) are examined for a user (srcip_usersid
), to see if the login locations (srcip_geo
and srcip_geo2
), that are at least 100 miles apart, changed faster (travel_speed
= distance_deviation
/time_deviation
) than possible with the typical commercial flight speed of 600 miles/hour.
E1 is the basis for the Interflow. The srcip_usersid
and srcip_username
identify the user, appid_name
identifies the application, and last_login_time
identifies the time when the 2nd login event happened. You can find detailed information about E2 by checking id2
in index2
, source IP (srcip2
), and geo location (srcip_geo2
).
Internal Account Login Failure Anomaly
An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_cloud_account_login_failure
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— account user IDor
-
srcip_username
— account user name, enriched fromevent_data.targetusername
The key field for this alert type can be either
srcip_usersid
orsrcip_username
, depending on the data feed. event_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addresslogin_type
— type of loginsrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes between any internal IP addresses are calculated periodically for every account (srcip_usersid
). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Brute-Forced Successful User Login
A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.
This alert type has two subtypes:
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_success_brute_forcer
.
Severity
95
Alert Subtype: Source IP-Based
The source IP-based alert subtype has the same XDR Kill Chain and Event Name as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related Internal User Login Failure Anomaly
Use Case with Data Points
The login records to an internal IP address (dstip
) are checked for every internal source IP address (srcip
). An alert is triggered if that IP address:
-
Has so many failed login attempts that it triggered the Internal User Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host name (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
The user ID-based alert subtype has the same XDR Kill Chain and Event Name as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_usersid
— Windows SID associated with the source IP addresssrcip_host
— source host namesrcip_reputation
— source reputationsource_geo.countryName
— source countrydstip_host
— destination host namelogin_type
— type of loginusername
— user namerelated_alert._id
— link to the related Internal Account Login Failure Anomaly
Use Case with Data Points
The login records to a user account (srcip_usersid
) are checked for every internal source IP address (srcip
). An alert is triggered if that user account:
-
Has so many failed login attempts that it triggered the Internal Account Login Failure Anomaly, and
-
Had a successful login
A sample Interflow includes the source IP address (srcip
), login type (login_type
), source host name (srcip_host
), source reputation (srcip_reputation
), source country (srcip_geo.countryName
), and user name (username
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Credential Stuffing
An anomalously large amount of username/password testing was observed on an internal Windows authentication service. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_credential_stuffing
.
Severity
75
Key Fields and Relevant Data Points
msg_class
—Microsoft-Windows-Security-Auditing
for Windowsservice_id
— specific account ID of a servicelogin_failure_rate
— rate of login failures per minute in the periodunknown_users_rate
— rate of unknown user names per minute in the periodunknown_users_to_login_failures
— ratio of unknown user names to login failures in the periodsuspicious_ips
— suspicious source IP addresses (up to 100)possible_breached_ips
— list of malicious IP addresses that may have successful breach activities
Use Case with Data Points
Internal credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class
), tenant's account ID on that service (service_id
), suspicious source IP address (suspicious_ips
), login failure rate (login_failure_rate
), unknown user rate (unknown_users_rate
), the ratio of unknown users to login failures (unknown_users_to_login_failures
), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Exploited Vulnerability
An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Firewall Denial Anomaly
A internal source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the internal source IP address.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Firewall Anomaly (XT2002)
-
Tags: [Internal; Network Traffic Analysis; Firewall Anomalies]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_fw_action
.
Severity
60
Key Fields and Relevant Data Points
srcip_host
— source host namesrcip
— source IP addressactual
— actual number of firewall denials in the periodtypical
— typical number of firewall denials in the perioddstip_host
— host name of corresponding destination IP addressdev_name
— name of the firewallengid_name
— name of the sensor
Use Case with Data Points
The number of firewall denials for every internal source IP address (srcip
) is calculated periodically. If an internal source IP address’s number of firewall denials (actual
) is much larger than the historical count (typical
) of all internal IP addresses, an alert is triggered. The Interflow includes the name of the firewall (dev_name
), the name of the sensor (engid_name
), and the destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Firewall Policy Anomaly
A rarely triggered firewall policy involving an internal source IP and internal destination IP has been violated. Investigate that policy and track down the violation.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Firewall Anomaly (XT2002)
-
Tags: [Internal; Network Traffic Analysis; Firewall Anomalies]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_fw_policy_id
.
Severity
40
Key Fields and Relevant Data Points
fw_policy_id
— ID of the violated firewall policydays_silent
— number of days since this firewall policy was last seensrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressdev_name
— device namedev_type
— device typeengid_name
— sensor name
Use Case with Data Points
A firewall policy violation (fw_policy_id
), which is raised by a device (dev_name
and dev_type
) and captured by a sensor (engid_name
), shows never seen or very rare (days_silent
) traffic between an internal host (srcip_host
) and another internal host (dstip_host
). This violation will trigger an alert.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Handshake Failure
There were too many handshake failures between two internal hosts, which might indicate port scanning. Check the source host to see if this was expected, and if not, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] Discovery (TA0007 )
-
Technique: Network Service Scanning (T1046 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_handshake_failure
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP address of the host with the handshake failuressrcip_host
— source host namedstip
— destination IP address of the host with the handshake failuresdstip_host
— destination host nametimestamp
— when the scan happened
Use Case with Data Points
If an internal host (srcip
) scans across many ports on another internal host (dstip
), an alert is triggered. The Interflow includes the IP address of the potential attacker (srcip
), the IP address of the victim (dstip
), a special message flag (msgtyp
), and when the scan happened (timestamp
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal IDS Signature Spike
A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_ids_signature_spike
.
Severity
65
Key Fields and Relevant Data Points
srcip
— source IP addressids_signatures_summarize
— summarized IDS signaturessrcip_host
— source host nameactual
— actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IDS signatures (ids.signature
) and severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal IP / Port Scan Anomaly
A host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. Check with the user.
This alert type has two subtypes:
Alert Subtype: Connection Failure Anomaly (Sensor Traffic)
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_port_scan
.
Severity
40
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressnum_failed
— unique number of (destination IP and destination port) tuples that respond with failed statusnum_successful
— unique number of (destination IP and destination port) tuples that respond with success statuspercent_failed
— percent of unique (destination IP and destination port) tuples that respond with failed statusweighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.dstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
For each internal source IP address (srcip
), the number of unique internal destination IP:port pairs that gave fail responses and the number of unique destination IP:port pairs that gave success responses are calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host
), destination host (dstip_host
), and application name (appid_name
).
Validation / Remediation
Check with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized.
Potential False Positives
Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type.
Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_port_scan_tsa
.
Severity
40
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressactual
— actual number of connections to the destination IP address in the periodtypical
— typical number of connections to the destination IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
For every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address (srcip
), the number of response failures and successes and the number of total data volume are calculated periodically. If the number of failures is significantly larger than the number of successes, or the total data volume is significantly larger than the typical number, an alert is triggered. The Interflow includes the source host (srcip_host
), destination host (dstip_host
), and application name (appid_name
).
Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.
Validation / Remediation
Check with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized.
Potential False Positives
Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Non-Standard Port Anomaly
An application had an anomalously large number of connections or a rarely seen connection to an internal IP address on non-standard ports. Check the application to be sure this is benign.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Service on Non-Standard Port (XT2011)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_non_std_port_anomaly
.
Severity
20
Key Fields and Relevant Data Points
dstip
— destination IP addressdstport
— destination portappid
— application IDdays_silent
— number of days since the application was last seenappid_name
— application namedstip_host
— host name of corresponding destination IP addressactual
— actual number of connections in the periodtypical
— typical number of connections in the period
Use Case with Data Points
The number of connections for an application (dst_ip
+ dstport
+ appid
) to an internal IP address is calculated periodically. If a non-standard combination has an actual number of connections (actual
) that is much larger than the typical number of connections (typical
), or the combination has not appeared for a long time, an alert is triggered. The Interflow includes the source host (srcip_host
), destination IP address (dstip
), destination port (dstport
), application ID (appid
), and application name (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Other Malware
Malware with uncategorized malicious activity in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_malware_activity
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the malwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates malware in internal traffic that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the malware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Password Spraying
An anomalously large number of failed logins with unknown user names was observed on internal Windows authentication services. Check the activity after successful logins, and consider blocking the internal source IP addresses.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Sub-technique: Password Spraying (T1110.003 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_password_spray
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP address generating a failed loginor
event_data.Workstation
— workstation generating a failed loginThe key field for this alert type can be either
srcip
orevent_data.Workstation
, depending on the data feed.srcip_host
— source host nameevent_data.WorkstationName
— workstation associated with the alertingsrcip
(when applicable)event_id
— Windows event ID corresponding to the login failureslogin_type
— type of login protocol; the available values vary byevent_id
actual
— actual number of failed logins with unknown user names in a 5-minute periodtypical
— typical number of failed logins with unknown user names in a 5-minute periodpassword_spray_user_summary
— list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)
Use Case with Data Points
If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip
or event_data.Workstation
), timestamp, the type of login (login_type
), the number of failed logins (actual
), the usual number of failed logins (typical
), and a sampling of the user names used in the attack (password_spray_user_summary
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal PII Leaked
Personally identifiable information (social security numbers or credit cards) has been observed in internal traffic in the clear. Check the source to see if it is compromised. If so, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Exfiltration (TA0010 )
-
Technique: Automated Exfiltration (T1020 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_pii_leak
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the PII leakdstip
— destination IP address of the PII leakids.signature
— IDS signature of the exploitsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Plain Text Passwords Detected
A plain text password was observed in unencrypted traffic between internal systems. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Clear Password (XT2006)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_clear_password
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addressactual
— actual number of connections with a plain text password in the periodsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
If there are plain text passwords in traffic records with a public source IP address (srcip
) or destination IP address (dstip
), an alert is triggered. A sample Interflow includes the source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), destination host (dstip_host
), and application (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Protocol Account Login Failure Anomaly
An anomalously large number of login failures between internal IP addresses over SMB or FTP was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_protocol_account_login_failure
.
Severity
60
Key Fields and Relevant Data Points
Use Case with Data Points
metadata.request.username
— user name in the HTTP connection requestevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.appid_name
— application namelogin_type
— type of loginsrcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputation
For every user name (metadata.request.username
) in the HTTP connections names (that do not begin with "Mozilla" or "Aella"), the number of failed and successful logins are calculated periodically. If the number of failed logins is much greater than successful logins, an alert is triggered. The Interflow includes the application name (appid_name
), login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal PUA
Unwanted applications or malware that bombards the user with advertisements in internal traffic has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR PUA (XT6002)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_pua
.
Severity
60
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the PUAevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates potentially unwanted applications (PUA) in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the PUA (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Ransomware
Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Impact (TA0040 )
-
Technique: Data Encrypted for Impact (T1486 )
-
Tags: [Internal; Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_ransomware
.
Severity
98
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the ransomwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates ransomware in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the ransomware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal RDP BlueKeep
The use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed between internal hosts. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Privilege Escalation (TA0004 )
-
Technique: Exploitation for Privilege Escalation (T1068 )
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_rdp_bluekeep
.
Severity
90
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip_host
— source host namedstip_host
— destination host name
Use Case with Data Points
If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal RDP Brute Force Attack
An anomalously large number of RDP connections from internal host(s) to an RDP server were observed. Check the source IP addresses to see if they are unknown or malicious, and monitor any successful RDP logins.
XDR Kill Chain
-
Kill Chain Stage:Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_rdp_brute_force
.
Severity
50
Key Fields and Relevant Data Points
dstip
— IP address of the destination RDP serverdstip_host
— destination host nameactual
— actual number of RDP connections to the destination IP address in the periodtypical
— typical number of RDP connections to the destination IP address in most time bucketssrcip
— source IP addresssrcip_host
— source host name
Use Case with Data Points
RDP connection activity is monitored and the number of connections calculated periodically. If the number of connections from internal host(s) to an RDP server (actual
) is much greater than normal (typical
), an alert is triggered. A sample Interflow includes the destination IP address (dstip
) and source IP address (srcip
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal RDP Suspicious Outbound
Non-standard tools from an internal host connecting to TCP port 3389 in the other internal host were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008)
-
Technique: Remote Services (T1021)
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_rdp_suspicious_outbound
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP address of the host that connects to TCP port 3389 with a non-standard toolsrcip_host
— source host nameprocess_name
— process name
Use Case with Data Points
Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip
) and the process name (process_name
). The following are the standard tools:
- mstsc.exe
- RTSApp.exe
- RTS2App.exe
- RDCMan.exe
- ws_TunnelService.exe
- RSSensor.exe
- RemoteDesktopManagerFree.exe
- RemoteDesktopManager.exe
- RemoteDesktopManager64.exe
- mRemoteNG.exe
- mRemote.exe
- Terminals.exe
- spiceworks-finder.exe
- FSDiscovery.exe
- FSAssessment.exe
- MobaRTE.exe
- chrome.exe
- thor.exe
- thor64.exe
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Scanner Behavior Anomaly
An anomalously large amount of scanning behavior or a rarely seen scan behavior between internal hosts was observed. Cross-check with the IP/Port Scan Anomaly alert.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] Discovery (TA0007 )
-
Technique: Network Service Scanning (T1046 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_scan_anomalies
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
The number of occurrences of each scanner, based on IDS signature (ids.signature
) between internal hosts, is calculated periodically. If one scanner occurs (actual
) much more often compared to its history (typical
), an alert is triggered. A sample Interflow is presented with information such as the traffic application type (appid_name
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SMB Read Anomaly
An internal IP address sent an anomalously large number of read requests to an internal SMB protocol based service(s). Investigate the files that this internal IP address tried to read. If suspicious, block the specific internal source IP address.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_smb_read_anomaly
.
Severity
20
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressactual
— actual number of SMB reads from the source IP address in the periodtypical
— typical number of SMB reads from other source IP addresses in the perioddstip_host
— destination host namesmb_username
— SMB user name
Use Case with Data Points
The number of SMB read requests for every internal source IP address (srcip
) is calculated periodically. If a source IP address’s number of SMB reads (actual
) is much larger than the typical number (typical
) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username
) and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SMB Username Enumeration
At least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from an internal IP address to other internal IP address(es). Check the source IP address. If malicious, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_smb_user_scan
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressactual
— actual unique SMB user counttypical
— SMB user count thresholdsmb_username_set
— all SMB login user names
Use Case with Data Points
If an internal source IP address (srcip
) has several SMB login attempts with (1) at least 5 unique user names and at least 1 denied attempt or (2) at least 10 unique user names, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host)
, destination host (dstip_host
), and all the user names (smb_username_set
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SMB Write Anomaly
An internal IP address sent an anomalously large number of SMB write requests to other internal IP address(es). Investigate the files that the IP address tried to write. If suspicious, block the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Remote Services (T1021 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_smb_anomaly
.
Severity
40
Key Fields and Relevant Data Points
srcip_host
— source host nameactual
— actual number of SMB writes in the periodtypical
— typical number of SMB writes in the perioddstip_host
— destination host namesmb_username
— SMB user name
Use Case with Data Points
The number of SMB write requests to internal IP address(es) for every internal source IP address (srcip_host
) is calculated periodically. If a source IP address’s number of SMB writes (actual
) is much larger than the typical number (typical
) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username
) and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Spyware
Malware that collects and shares information about a device without consent in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Spyware (XT6003)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_spyware_activity
.
Severity
60
Severity
60
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the spywareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates spyware activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the spyware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SQL Anomaly
An internal IP address sent an anomalously large number of queries to an internal SQL server. Investigate the queries. If suspicious, block the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_mysql_anomaly
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— source host namesrcip_geo.countryName
— source countryactual
— actual number of SQL queries in the periodtypical
— typical number of SQL queries from the source IP addressdstip_host
— destination host name
Use Case with Data Points
The number of SQL queries for every internal source IP address (srcip_host
) is calculated periodically. If an internal source IP’s SQL query count (actual
) is much larger than the typical count (typical
) and that of other internal IP addresses in any period, an alert is triggered. The internal source IP’s country is (srcip_geo.countryName
). The Interflow includes the internal destination host (dstip_host
) the source IP visits.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SQL Dumpfile Execution
The SQL dumpfile
command between two internal IP addresses was observed. This command is commonly used to dump database content or query output to a file on disk. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] Collection (TA0009 )
-
Technique: Data Staged (T1074 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_sql_db_dump
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP addressactual
— number of SQLdumpfile
queriessrcip_host
— source host namesource_geo.countryName
— source countrydstip_host
— destination host name
Use Case with Data Points
If any SQL dumpfile
commands are detected between an internal source IP address (srcip
) and an internal destination IP address (dstip
), an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), and the number of SQL dumpfile
queries in the period (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SQL Shell Command
Shell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [Internal] Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_database_command
.
Severity
70
Key Fields and Relevant Data Points
srcip
— source IP addressdstip
— destination IP addresssrcip_host
— source host namesrcip_reputation
— source reputationdstip_host
— destination host namedstip_reputation
— destination reputationmetadata.request.query
— SQL query commandactual
— number of query records from one source to one destination in one period
Use Case with Data Points
For SQL query records, if special commands (such as select mylab_sys_exec
) are found, an alert is triggered. A sample Interflow includes the source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), source reputation (srcip_reputation
), destination host (dstip_host
), destination reputation (dstip_reputation
), and SQL query records (metadata.request.query
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Suspected Malicious User Agent
An internal HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination.
This alert type has two subtypes:
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR User Agent Anomaly (XT2012)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_suspected_malicious_user_agent
.
Severity
50
Key Fields and Relevant Data Points
metadata.request.user_agent
— user agent in the HTTP connection requeststellar.confidence
— model's confidence in the prediction used to make the alertsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
If a seen user agent is identified as suspicious, an alert is triggered. The alert will contain the suspicious user agent (metadata.request.user_agent
), confidence (stellar.confidence
), tenant (tenant_name
), source IP (srcip
), and destination IP (dstip
) in the key fields. Additionally, the confidence level of the model is displayed in the alert description in a pop-up box.
Alert Subtype: Predicted Malicious Agent
The Predicted Malicious Agent alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:
-
The
stellar.anomaly_tag
ispredicted_internal
. -
The
xdr_event.subtype.name
isinternal_suspected_malicious_user_agent
. -
It is triggered by a machine learning classifier.
Alert Subtype: Known Malicious Agent Match
The Known Malicious Agent Match alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:
-
The
stellar.anomaly_tag
isknown_internal
. -
The
xdr_event.subtype.name
isinternal_suspected_malicious_user_agent_known_malicious
. -
It is triggered by known threats.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SYN Flood Attacker
An internal attacker sends a large amount of SYN requests to internal target system(s) in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Impact (TA0040 )
-
Technique: Endpoint Denial of Service (T1499 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_syn_flood_attacker
.
Severity
25
Key Fields and Relevant Data Points
srcip
— source IP address of the SYN floodsrcip_host
— source host namedstip
— target IP address of the SYN flooddstip_host
— destination host namedstport
— port on target host that received the SYN floodsyn_flood_events
— number of SYN packets during the period
Use Case with Data Points
If an internal host (srcip
) sends too many SYN packets (syn_flood_events
) to internal target(s) (dstip
) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip
), the IP address of the target host (dstip
), the port of the target host (dstport
), and how many SYN packets were observed (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal SYN Flood Victim
A large amount of SYN requests to an internal target were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Impact (TA0040 )
-
Technique: Endpoint Denial of Service (T1499 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_syn_flood
.
Severity
25
Key Fields and Relevant Data Points
srcip
— source IP address for the SYN floodsrcip_host
— source host namedstip
— target IP address of the SYN flooddstip_host
— destination host namedstport
— port on target host that received the SYN floodsyn_flood_events
— number of SYN packets during the period
Use Case with Data Points
If an internal host (srcip
) sends too many SYN packets (syn_flood_events
) to internal target(s) (dstip
) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip
), the IP address of the target host (dstip
), the port of the target host (dstport
), and how many SYN packets were observed (actual
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Trojan
Malware that disguises itself as legitimate software in order to gain access to a system or files in internal traffic has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Trojan (XT6004)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_trojan_activity
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the trojanevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates trojan activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the trojan (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal URL Reconnaissance Anomaly
An anomalous number of HTTP 4xx errors from an internal IP address to other internal IP addresses were observed. This can indicate an attacker scanning for pages to exploit. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] Discovery (TA0007 )
-
Technique: Network Service Scanning (T1046 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_url_scan
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.total_failed
— number of unique URLs with HTTP error status response in the periodevent_summary.total_successful
— number of unique URLs with HTTP success status response in the periodevent_summary.total_fail_ratio
— percent of unique URLs with HTTP error status response in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addresssrcip_geo.countryName
— source country name
Use Case with Data Points
For each internal source IP address (srcip
), the number of unique URLs that responded with failure HTTP status and the number of unique URLs that responded with success HTTP status are calculated periodically. If the fail metric is significantly larger than the success metric, an alert is triggered. A sample Interflow includes the source host (srcip_host
), destination host (dstip_host
), and source country (srcip_geo.countryName
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal User Agent Anomaly
An internal HTTP connection was made by an internal user agent that has never been seen before (or been seen very rarely). Investigate the connection destination.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR User Agent Anomaly (XT2012)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_agent_anomaly
.
Severity
35
Key Fields and Relevant Data Points
metadata.request.user_agent
— user agent in the HTTP connection requestdays_silent
— number of days since this user agent was last seensrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
All user agents (metadata.request.user_agent
) with internal HTTP connections having names that do not begin with "Mozilla" or "Aella" are examined. An alert is triggered if any of those agents have not been observed by Stellar Cyber before or have been silent for many days (days_silent
). The Interflow includes all information from the suspicious HTTP connection, such as the application (appid_name
), the source host name (srcip_host
), and the destination host name (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal User Application Usage Anomaly
An internal user who usually runs a few applications with internal service IP addresses suddenly runs a new application. Investigate the application to see if it is benign. Check with the user to see if this was expected.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR UBA (XTA0004)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [Internal; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_uncommon_app
.
Severity
10
Key Fields and Relevant Data Points
srcip_usersid
— source user IDappid_name
— application namesrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_family
— application familysrcip_username
— source user namestability
— score measuring the time since the last new application was useddays_stable
— time since the last new application was useddiversity
— score measuring the number of applications that the user usedchild_count
— number of applications that the user used
Use Case with Data Points
An alert is triggered under the following conditions:
-
a user (
srcip_usersid
,srcip_username
) with a small number of applications (diversity
,child_count
) who has not used a new application for a long period of time (stability
,days_stable
), and then -
a new application (
appid_name
) belonging to an application family (appid_family
) appears on a host (scrip_host
) with this user, and -
that host connects to another host (
scrip_host
)
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal User Data Volume Anomaly
A user had an anomalously large volume of internal traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected.
Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR UBA (XTA0004)
-
Technique: XDR Bytes Anomaly (XT3001)
-
Tags: [Internal; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_bytes_sum
.
Severity
20
Key Fields and Relevant Data Points
srcip_usersid
— source user IDactual
— actual traffic volume in the periodtypical
— typical traffic volume from the usersrcip_host
— host name of corresponding source IP addresssrcip_username
— source user namedstip_host
— host name of corresponding destination IP addressdstip_reputation
— destination reputationdstip_geo.countryName
— destination countryappid_name
— application name
Use Case with Data Points
The total internal traffic volume of each user identified by user ID (scrip_usersid
) is calculated periodically. If the volume in one period (actual
) is much larger than its normal volume (typical
), an alert is triggered.
The Interflow includes the source IP address (srcip_host
), destination IP address (dstip_host
), destination reputation (dstip_reputation
), destination country (dstip_geo.countryName
), and application of the traffic (appid_name
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal User Login Failure Anomaly
An anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or Microsoft Entra ID (formerly Azure Active Directory). Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_user_login_fail
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP addressservice_id
— source domain, workstation, organization, or servicedstip
— destination IP addressdstip_host
— destination host nameevent_summary.total_failed
— number of failed logins in the periodevent_summary.total_successful
— number of successful logins in the periodevent_summary.total_fail_ratio
— percent of failed logins in the period, which is:event_summary.total_failed
/ (event_summary.total_failed
+event_summary.total_successful
)weighted_anomaly_score
— net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.login_type
— type of login, such asssh_traffic
,okta_log
, oraws_cloudtrail
srcip_host
— source host namesrcip_reputation
— source reputation
Use Case with Data Points
Login failures and successes between internal IP addresses are calculated periodically for every source (srcip
) and destination (dstip
) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type
), source host (srcip_host
), and source reputation (srcip_reputation
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Login Time Anomaly
A user logged in at an abnormal time. Check with the user.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
This alert type reads the System Timezone in Global Settings and puts the timezone into the alert descriptions. In Global Settings, set your timezone relative to UTC.
When a Login Time Anomaly occurs, the timezone is bound to the alert description with the following priorities:
-
The timezone inferred from
engid_gateway
takes precedence over the DP timezone, but only when it is present. Ifengid_gateway
is present, the description will use the timezone where the login actually happened. -
If
engid_gateway
is not present, the DP timezone setting is used.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Time Anomaly (XT4005)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_login_time
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID of the source useror
event_data.TargetUserName
— name of the user (Windows event)-
The key field for this alert type can be either
srcip_usersid
orevent_data.TargetUserName
, depending on the data feed. srcip_username
— source user namesrcip_host
— host name of corresponding source IP addresssrcip_geo.countryName
— source countryactual_range
— actual login time rangetypical_range
— typical login time range
Use Case with Data Points
Every user's (srcip_usersid
) login time (actual
) is compared to the typical login times (typical_range
). If it is outside the range, an alert is triggered. The Interflow includes information such as the source user name (srcip_username
), source host name (srcip_host
), and source country (srcip_geo.countryName
), as well as the destination host (dstip_host
).
Long App Session Anomaly
An application had an anomalously long session compared to its typical session length or that of its peers. Investigate the application to see if this session was expected.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Session Anomaly (XT2005)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is long_session_anomaly
.
Severity
30
Key Fields and Relevant Data Points
appid_name
— application nameactual
— actual maximum session length in the periodtypical
— typical session length from the application’s own historysrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
Every application's (appid_name
) maximum session duration is calculated periodically. If an application’s maximum duration (actual
) is much larger than its normal value (typical
) or the typical value of other applications, an alert is triggered. The Interflow includes the source host (srcip_host
) and destination host (dstip_host
).
Malicious Site Access
A host accessed a URL with a reputation for potentially hosting malware. Check the URL and, if malicious, consider blocking it. Check the host for compromise.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mal_access
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the host that initiated the site accesssrcip_host
— source host nameurl
— URL that was accessedurl_reputation
— reputation of the accessed URL
Use Case with Data Points
When a host (srcip
) accesses a URL with a reputation (srcip_reputation
) as potential malware hosting (MalAccess
), an alert is triggered. The Interflow includes the source host IP address (srcip
), the URL accessed (url
), and the reputation of the URL (url_reputation
).
Malware on Disk
Malicious software or a potentially unwanted application was found on a device and reported as not cleaned. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is malware_on_disk
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the hostfile_path
— file pathcomputer_name
— computer namemalware_engine
— malware engine, can beSophos
orWindows Defender
group
— type of malwaretype
— status of malware
Use Case with Data Points
If either of the following occurs, an alert is triggered:
- Sophos engine indicates there is uncleaned malware
- Windows Defender indicates a failure or error when taking actions to protect the system
A sample Interflow includes the computer name (computer_name
), malware engine (malware_engine
), host IP address (hostip
), path to the file (file_path
), type of malware (group
, for Sophos), and status of the malware (type
, for Sophos).
Microsoft Entra Application Configuration Changes
The Microsoft Entra Application Configuration Changes rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_application_configuration_changes
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type
Microsoft Entra Application Permission Changes
The Microsoft Entra Application Permission Changes rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_application_permission_changes
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Application Permission Changes Alert Type
Microsoft Entra Bitlocker Key Retrieval
The Microsoft Entra Bitlocker Key Retrieval rules are used to identify suspicious Microsoft Entra bitlocker key retrieval activity. Any one or more of these will trigger the Microsoft Entra Bitlocker Key Retrieval alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_bitlocker_key_retrieval
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Bitlocker Key Retrieval Alert Type
Microsoft Entra Changes to Conditional Access Policy
The Microsoft Entra Changes to Conditional Access Policy rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_suspicious_changes_to_conditional_access_policy
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type
Microsoft Entra Changes to Device Registration Policy
The Microsoft Entra Changes to Device Registration Policy rules are used to identify suspicious Microsoft Entra changes to device registration policy. Any one or more of these will trigger the Microsoft Entra Changes to Device Registration Policy alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_device_registration_policy
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type
Microsoft Entra Changes to Privileged Account
The Microsoft Entra Changes to Privileged Account rules are used to identify suspicious Microsoft Entra changes to privileged account. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Account alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_privileged_account
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type
Microsoft Entra Changes to Privileged Role Assignment
The Microsoft Entra Changes to Privileged Role Assignment rules are used to identify suspicious Microsoft Entra changes to privileged role assignment. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Role Assignment alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_changes_to_privileged_role_assignment
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type
Microsoft Entra Federation Modified
The Microsoft Entra Federation Modified rules are used to identify suspicious Microsoft Entra federation modified activity. Any one or more of these will trigger the Microsoft Entra Federation Modified alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_federation_modified
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Federation Modified Alert Type
Microsoft Entra Guest User Invited By Non-Approved Inviters
The Microsoft Entra Guest User Invited by Non-Approved Inviters rules are used to identify suspicious Microsoft Entra guest user invited by non-approved inviters. Any one or more of these will trigger the Microsoft Entra Guest User Invited by Non-Approved Inviters alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_guest_user_invited_by_non_approved_inviters
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type
Microsoft Entra ID Discovery Using AzureHound
The Microsoft Entra ID Discovery using AzureHound rules are used to identify Microsoft Entra ID discovery using Azurehound. Any one or more of these will trigger the Microsoft Entra ID Discovery using Azurehound alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_discovery_using_azurehound
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientUserAgent
— user agentstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type
Microsoft Entra PIM Setting Changed
The Microsoft Entra PIM Setting Changed rules are used to identify suspicious Microsoft Entra PIM setting changed. Any one or more of these will trigger the Microsoft Entra PIM Setting Changed alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_pim_setting_changed
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type
Microsoft Entra Privileged Account Assignment or Elevation
The Microsoft Entra Privileged Account Assignment or Elevation rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_privileged_account_assignment_or_elevation
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type
Microsoft Entra Sign-in Failure
The Microsoft Entra Sign-in Failure rules are used to identify suspicious Microsoft Entra sign-in failures. Any one or more of these will trigger the Microsoft Entra Sign-in Failure alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_sign_in_failures
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientlogin_result
— login result of user login eventsazure_ad.status.failureReason
— reason for the login failurestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Sign-in Failure Alert Type
Microsoft Entra Suspicious Sign-in Activity
The Microsoft Entra Suspicious Sign-in Activity rules are used to identify suspicious Microsoft Entra sign-in activity. Any one or more of these will trigger the Microsoft Entra Suspicious Sign-in Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_suspicious_sign_in_activity
.
Key Fields and Relevant Data Points
srcip_username
— user name of the account involved in the eventsrcip
— IP address of the login clientsrcip_host
— host name of the login clientlogin_result
— login result of user login eventsazure_ad.status.failureReason
— reason for the login failurestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Microsoft Entra Sign-In Activity Alert Type
Microsoft Entra Unusual Account Creation
The Microsoft Entra Unusual Account Creation rules are used to identify Microsoft Entra unusual account creation activity. Any one or more of these will trigger the Microsoft Entra Unusual Account Creation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is azure_unusual_account_creation
.
Key Fields and Relevant Data Points
initiatedBy.user.id
— user ID who initiated the activityinitiatedBy.app.servicePrincipalId
— application and Service Principal ID that initiated the activityuser.name
— user nameactivityDisplayName
— activity display namecategory
— activity categoryresult
— result of the activityresultReason
— result reason of the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Microsoft Entra Unusual Account Creation Alert Type
Mimikatz Credential Dump
A potential Mimikatz memory dump was observed. Check the process to determine whether the host is compromised. Consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: OS Credential Dumping (T1003 )
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mimikatz_mem_scan
.
Severity
90
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameaccess_subject
— process attempting access-
access_mask
— mask that the suspicious process used to obtain access privileges (different access masks indicate different capabilities obtained by the suspicious process)
Use Case with Data Points
If a process (access_subject
) on a Windows host (srcip
) tries to access lsass.exe with a special access mask (access_mask
), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the process performing mimikatz activity (access_subject
), and the access mask used to acquire access privilege (access_mask
).
Mimikatz DCSync
An attempt to replicate Active Directory for the first time on a domain controller, or the first time by that account, has occurred. Evaluate whether the replication is intended and, if not, consider disabling the account involved in the replication and investigate for further signs of compromise.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: OS Credential Dumping (T1003 )
-
Tags: [Internal, Active Directory]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mimikatz_dcsync
.
Severity
90
Key Fields and Relevant Data Points
hostip
— IP address of the targeted domain controllerevent_data.SubjectUserSid
— source user ID associated with the account attempting replicationhostip_host
— host name of the targeted domain controllerevent_data.SubjectUserName
— name of the account that attempted the Active Directory replicationevent_data.SubjectDomainName
— domain of the account that attempted the Active Directory replication
Use Case with Data Points
This alert is triggered when replication of an Active Directory domain controller (hostip
) occurs for the first time or is attempted by a user account or computer account (event_data.SubjectUserName
) that has rarely occurred (days_silent
) or never initiated replication on that DC before. The Interflow includes the IP address of the targeted domain controller (hostip
), the account (event_data.SubjectUserName
) attempting the replication and its domain (event_data.SubjectDomainName
), and the replication operation attempted (event_data.Properties
). (For guidance understanding the GUID in the event_data.Properties field, refer to Microsoft Documentation.)
Validation / Remediation
To triage an alert of this type, consider first verifying whether the Active Directory replication event was expected. If the replication is not intended, then the alert has indicated that a DCSync attack is highly likely. This attack can be very severe, because all password hashes stored on the targeted domain controller might have been dumped. Disable the account involved in the replication as soon as possible and further investigate the account for any signs of compromise.
There is no simple remediation for a confirmed DCSync attack. Evaluate the overall risks of credential leakage and apply appropriate corrective actions, including minimizing accounts with permissions to perform Active Directory replication, and forcing a change of credentials for accounts with weak passwords.
Potential False Positives
The following will trigger an alert:
-
Set up of a new DC
-
Replication of a DC for the first time
Office 365 Access Governance Anomaly
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Valid Accounts (Privilege Escalation) and Microsoft 365: Account Manipulation.
Office 365 generated an access governance alert, which might indicate a change in Exchange admin privileges. Check with the user to make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Privilege Escalation (TA0004 )
-
Technique: Valid Accounts (T1078 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_access_governance_alert
.
Severity
75
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountName
— alert type descriptionSource
— source that generated the alert seen by Stellar Cybersrcip
— source IP addresssrcip_host
— source host name
Use Case with Data Points
For each Office 365 account (srcip_usersid
), access governance alerts detected by Office 365 are checked periodically. If Office 365 finds an access governance alert, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), this alert type description (Name
),the alerting source (Source
), and source IP address (srcip
).
Office 365 Admin Audit Logging Disabled
Office 365 admin audit logging was disabled. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_admin_audit_logging_disabled
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationName
— organization with audit logging
Use Case with Data Points
Office 365 monitors each Office 365 account (srcip_usersid
) for admin audit logging status. If admin audit logging is disabled, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
) and organization name (OrganizationName
).
Office 365 Blocked User
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Valid Accounts (Initial Access).
The Office 365 Security Compliance Center discovered a user exceeding the sending limits of the service or outbound spam policies and blocked the user from sending email. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Suspicious User (XT4008)
-
Tags: [External]
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_blocked_user
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountSource
— alerting sourcesrcip
— source IP address of the accountsrcip_host
— source host name
Use Case with Data Points
Office 365 monitors email sending actions for each Office 365 account (srcip_usersid
). If an account exceeds the sending limit, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), alerting source (Source
), and source IP address (srcip
).
Office 365 Content Filter Policy Changed
The Microsoft Exchange content policy was changed. An overly permissive content policy can allow spammers to send your organization unwanted email. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_content_filter_policy_changed
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization with the Microsoft content policy changeOrganizationName
— organization with the Microsoft content policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in each organization (OrganizationId
) for a Microsoft Exchange content policy change. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Data Exfiltration Attempt Anomaly
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Exfiltration Over Web Service.
The Office 365 Security Compliance Center discovered a data exfiltration attempt. Office 365 then blocked, quarantined, encrypted, or applied a hold on the possible exfiltration. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Exfiltration Over Web Service (T1567 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_data_exfiltration_attempt
.
Severity
90
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountName
— alert type descriptionSource
— reporting sourcesrcip
— source IP addresssrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks each Office 365 account (srcip_usersid
) for data exfiltration attempts. If data exfiltration is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), this alert type description (Name
), reporting source (Source
), and source IP address (srcip
).
Office 365 Data Loss Prevention
This alert type is deprecated as of the 4.3.7 release. It is replaced by Microsoft 365 alert integration. See Microsoft 365: Exfiltration Over Web Service.
The Office 365 Security Compliance Center discovered data loss. Office 365 then blocked, quarantined, encrypted, or applied a hold on the possible exfiltration. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Exfiltration Over Web Service (T1567 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_data_loss_prevention
.
Severity
90
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountName
— alert type descriptionSource
— reporting sourcesrcip
— source IP addresssrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks each Office 365 account (srcip_usersid
) for data loss. If data loss is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), this alert type description (Name
), reporting source (Source
), and source IP address (srcip
).
Office 365 File Sharing with Outside Entities
An Office 365 account shared multiple files with entities outside of the organization. Check with the user to make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Transfer Data to Cloud Account (T1537 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_outside_entity_file_sharing
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountsrcip
— source IP address of the sharing actionsrcip_host
— source host namesrcip_geo.countryName
— source country
Use Case with Data Points
Office 365 monitors sharing with outside entities for each Office 365 account (srcip_usersid
). If an account shares multiple files with outside entities, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid
), source IP address (srcip
), and source country (srcip_geo.countryName
).
Office 365 Malware Filter Policy Changed
The Microsoft Exchange malware filter policy changed. An overly permissive malware filter policy can allow attackers to send malicious attachments to your organization. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_malware_filter_policy_changed
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization with the Microsoft Exchange malware policy changeOrganizationName
— organization with the Microsoft Exchange malware policy change
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for Microsoft Exchange malware policy changes. If a change is discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Multiple Files Restored
Office 365 observed that multiple files were restored in a short period. Check with the user.
XDR Kill Chain
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_multi_file_restore
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountEventSource
— event sourcesrcip
— source IP address that caused the restoresrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks file restore records. If multiple file restore records are detected within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), event source (EventSource
), and source IP address (srcip
).
Office 365 Multiple Users Deleted
Office 365 observed that multiple users were deleted in a short period. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Account Access Removal (T1531 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_multi_user_deleted
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountEventSource
— event sourcesrcip
— source IP address that did the deletionsrcip_host
— source host name
Use Case with Data Points
Office 365 periodically checks user deletion records. If multiple users were deleted within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), event source (EventSource
), and source IP address (srcip
).
Office 365 Network Security Configuration Changed
Office 365 identified a change to your organization's network security configuration, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_security_conf_changed
.
Severity
70
Key Fields and Relevant Data Points
srcip_usersid
— key ID for ther Office 365 accountOrganizationId
— ID of the organization whose security configuration changedOrganizationName
— name of the organization whose security configuration changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for network security configuration changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Password Policy Changed
Office 365 identified a change to your organization's password policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Authentication Process (T1556 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_password_policy_changed
.
Severity
40
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization whose password policy changedOrganizationName
— name of the organization whose password policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for sharing policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 Sharing Policy Changed
Office 365 identified a change to your organization's sharing policy, which is uncommon. Make sure this was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_sharing_policy_changed
.
Severity
60
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationId
— ID of the organization whose sharing policy changedOrganizationName
— name of the organization whose sharing policy changed
Use Case with Data Points
Office 365 monitors all Office 365 accounts (srcip_usersid
) in every organization (OrganizationId
) for password policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid
), organization ID (OrganizationId
), and organization name (OrganizationName
).
Office 365 User Network Admin Changed
The Office 365 account’s network admin information was changed. Make sure this change was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Persistence (TA0003 )
-
Technique: Account Manipulation (T1098 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is office365_user_network_admin_changed
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the Office 365 accountOrganizationName
— name of the organization
Use Case with Data Points
Office 365 monitors the network admin information for each Office 365 account (srcip_usersid
). If changes to the network admin are discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid
) and organization name (OrganizationName
).
Outbound Destination Country Anomaly
A host that typically communicates with a small, consistent number of countries communicated with a new country. Investigate the destination, to see if it is benign.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XT2005)
-
Technique: XDR Location Anomaly (XT2001)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is country_communication_anomaly
.
Severity
20
Key Fields and Relevant Data Points
srcip
— source IP addressdstip_geo.countryName
— name of the destination countrydstip
— destination IP addresssrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application namestability
— score measuring the time since the host communicated with the last new countrydays_stable
— time since the host communicated with the last new countrydiversity
— score measuring the number of countries with which the host communicatedchild_count
— number of countries with which the host communicated
Use Case with Data Points
Hosts (srcip_host
) and destination countries (dstip_geo.countryName
) are examined periodically. If a host (srcip_host
) with a small number of destination countries (diversity
, child_count
) has not visited a new country for a long time (stability
, days_stable
) visits a host (dstip_host
) in a new country with an application (appid_name
), an alert is triggered.
Outbytes Anomaly
A source IP address transmitted an anomalously high amount of outbound traffic to one or multiple destination addresses in a 5 minute interval. This could indicate data exfiltration.
Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Automated Exfiltration (T1020 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is outbytes_anomaly
.
Severity
35
Key Fields and Relevant Data Points
srcip_host
— source host namesrcip
— source IP addressactual
— actual amount of outbound traffic in the periodtypical
— typical amount of outbound traffic from the source IP addressdstip_host
— destination host name
Use Case with Data Points
Every source host's (srcip_host
) transferred data volume is calculated periodically. If a host's volume (actual
) is much higher than its normal volume (typical
) in any period, an alert is triggered. The Interflow includes the destination host (dstip_host
).
Password Cracking with Hashcat
A user from a Windows host executed a command-line script that launched either the hashcat.exe command or a command using known Hashcat parameters (-a -m 1000 -r). The Hashcat command is known to use a SAM file from the Windows registry along with a password list to crack passwords.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Hashcat]
Event Name
The xdr_event.name
for this alert type in the Interflow data is password_cracking_with_hashcat
.
Severity
90
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running the hashcat toolevent_data.CommandLine
— command used to run the toolcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a PowerShell script with a context that includes one or more flags (event_data.Image
or event_data.CommandLine
) indicating usage of the Hashcat password cracking tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or script payload (event_data.CommandLine
).
Validation / Remediation
Check the body of the Powershell script that is reported on the Windows host to identify whether the contents are actually malicious. If malicious, consider quarantining the host.
Potential False Positives
The running of any executable named hashcat.exe
or any command that uses the hashcat signature parameter list (-a -m 1000 -r
).
Password Spraying Attempts Using Dsacls
A user from a Windows host executed a command-line script to launch a command that by name and parameter list indicates an attempt to abuse dsacls.exe for password spraying.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [Internal] Defense Evasion (TA0005 )
-
Technique: System Binary Proxy Execution (T1218)
-
Tags: [Password Spray;Dsacls]
Event Name
The xdr_event.name
for this alert type in the Interflow data is password_spraying_attempts_using_dsacls
.
Severity
50
Key Fields and Relevant Data Points
hostip
— device internal IP addressevent_data.Image
— process running dsacls for password crackingevent_data.CommandLine
— command used to run the toolevent_data.OriginalFileName
— actual file name that was executedcomputer_name
— name of the Windows host
Use Case with Data Points
This alert is triggered if a Windows host (hostip
) executes a dsacls.exe
with a context that includes one or more flags (event_data.Image
, event_data.CommandLine
, or event_data.OriginalFileName
including /user
and /passwd
as parameters). This indicates possible usage of Dcacls as a password spraying tool. The Interflow includes the IP address of the Windows host (hostip
), the host name (computer_name
), and the script image (event_data.Image
) or the original file name (event_data.OriginalFileName
), and script commandline (event_data.CommandLine
).
Validation / Remediation
Check whether the usage was actually malicious. If so, consider quarantining the Windows host.
Potential False Positives
This alert could be triggered even if the use is a legitimate use of dsacls
to bind to an LDAP session.
Phishing URL
A connection to a site with a phishing reputation was observed. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is phishing
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP address of the connection to the phishing URL reputation sitedstip
— destination IP address of the phishing URL reputation siteurl
— URL of the phishing sitedstip_host
— destination host namemetadata.response.subject_alt_name
— Subject Alternative Name of the phishing siteusername
— name of the visitordstip_geo.countryName
— destination countrysrcip_host
— source host name
Use Case with Data Points
If a connection from a source (scrip
) to a site with a phishing reputation is detected, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), URL of the site (url
), destination country (dstip_geo.countryName
), Subject Alternative Name of the site (metadata.response.subject_alt_name
), and user name (username
).
Possible Encrypted Phishing Site Visit
A possible phishing site visit to a recently registered domain was observed in encrypted traffic. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is encrypted_phishing_site
.
Severity
30
Key Fields and Relevant Data Points
metadata.response.effective_tld
— effective top-level domain of the possible phishing sitesrcip
— IP address of the visitor to the possible phishing sitedstip
— IP address of the possible phishing sitesrcip_host
— source host namedstip_host
— destination host namedstip_geo.countryName
— destination country
Use Case with Data Points
If an encrypted connection to a recently registered site (metadata.response.effective_tld
) is observed, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and effective top-level domain of the site (metadata.response.effective_tld
).
Possible Phishing Site Visit from Email
A user visited a recently registered domain shortly after using email, indicating a possible phishing site visit. Check to see if the site is malicious. If so, check with the user to see if they are compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is email_recent_domain_correlation
.
Severity
70
Key Fields and Relevant Data Points
recent_domain_id
— ID that points to the original record of the recently registered domain visitemail_traffic_id
— ID that points to the original record of email trafficcorrelation_info.appid_name
— application on the visited domain accessed by the usercorrelation_info.srcip
— IP address of the usercorrelation_info.dstip
— IP address of the recently registered domain (useful if thecorrelation_info.appid_name
is not DNS)correlation_info.dstip_host
— recently registered domain that was visited (useful if thecorrelation_info.appid_name
is not DNS)correlation_info.metadata.response.query
— recently registered domain name the victim queried in DNS traffic (useful if thecorrelation_info.appid_name
is DNS)-
correlation_info.metadata.response.resolved_ips
— IPs of the recently registered domain name the victim queried in DNS traffic. This field only useful ifcorrelation_info.appid_name
is DNS.
Use Case with Data Points
If a user (srcip
) uses email (appid_name
) and then either queries a recently registered (metadata.response.domain_creation
) domain (metadata.response.query
) or visits a recently registered (dstip_domain_creation
) domain (dstip_host
), an alert is triggered.
When an alert is triggered, a new correlation event is created. The Interflow includes the reference ID of the original record of the domain visit (recent_domain_id
), the reference ID pointing to the original record of email traffic (email_traffic_id
), the IP address of the user (correlation_info.srcip
), the application involved in the recently registered site visit (correlation_info.appid_name
), and the visited domain (correlation_info.dstip_host
or correlation_info.metadata.response.query
).
Possible Unencrypted Phishing Site Visit
A possible phishing site visit to a recently registered domain was observed in unencrypted traffic. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is unencrypted_phishing_site
.
Severity
30
Key Fields and Relevant Data Points
metadata.response.effective_tld
— effective top-level domain of the possible phishing sitesrcip
— IP address of the visitor to the phishing sitedstip
— IP address of the possible phishing sitesrcip_host
— source host namedstip_host
— destination host namedstip_geo.countryName
— destination country
Use Case with Data Points
If an unencrypted connection to a recently registered site (metadata.response.effective_tld
) is detected, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and effective top-level domain of the site (metadata.response.effective_tld
).
Potentially Malicious AWS Activity
The Potentially Malicious AWS Activity rules are used to identify suspicious activity within AWS logs. Any one or more of these will trigger the Potentially Malicious AWS Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_malicious_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Potentially Malicious AWS Activity Alert Type
Potentially Malicious Windows Event
The Potentially Malicious Windows Event rules are used to identify suspicious activity with Windows Events. This is a generic rule name. Any one or more of these will trigger the Potentially Malicious Windows Event alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_malicious_event
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Potentially Malicious Event Alert Type
PowerShell Remote Access
A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Command and Scripting Interpreter (T1059 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is powershell_cnc
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the Windows hosthostip_host
— host nameremote_ip
— IP address of the remote host involved in the scriptevent_data.ScriptBlockText
— contents of the PowerShell script
Use Case with Data Points
If a Windows host (srcip
) executes a PowerShell script that includes potential communication (event_data.ScriptBlockText
) with a remote host (remote_ip
), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip
), the script body (event_data.ScriptBlockText
), and the remote host IP address (remote_ip
).
Private to Private Exploit Anomaly
A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another private IP address. Investigate that signature.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_priv_priv
.
Severity
75
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The occurrences of each malware (ids.signature
) and severity (ids.severity
) are calculated periodically. If one malware occurs much more often (actual
) than its history (typical
) in any period, an alert is triggered. The Interflow includes the source host (srcip_host
) and destination host (dstip_host
).
Private to Public Exploit Anomaly
A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a public IP address. Investigate that signature.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_priv_pub
.
Severity
60
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The occurrences of each malware (ids.signature
) and severity (ids.severity
) are calculated periodically. If one malware occurs much more often (actual
) than its history (typical
) in any period, an alert is triggered. The Interflow includes the source host (srcip_host
) and destination host (dstip_host
).
Process Anomaly
A process has been launched an anomalously large number of times. Investigate the process and the user to see if this is expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is bad_process
.
Severity
15
Key Fields and Relevant Data Points
process_name
— name of the processhostip
— host IP addresshostip_host
— host nameactual
— actual number of launches in the periodtypical
— typical number of launches in the period
Use Case with Data Points
The number of times a process (process_name
) has been launched is calculated periodically. If the volume (actual
) is much larger than the typical volume (typical
) of the command or other commands in any period, an alert is triggered. The Interflow includes the (hostip
) who launched the process.
Public to Private Exploit Anomaly
A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a private IP address. Investigate that signature.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_pub_priv
.
Severity
60
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The occurrences of each malware (ids.signature
) and severity (ids.severity
) are calculated periodically. If one malware occurs much more often (actual
) than its history (typical
) in any period, an alert is triggered. The Interflow includes the source host (srcip_host
) and destination host (dstip_host
).
Public to Public Exploit Anomaly
A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another public IP address. Investigate that signature.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_pub_pub
.
Severity
50
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The occurrences of each malware (ids.signature
) and severity (ids.severity
) are calculated periodically. If one malware occurs much more often (actual
) than its history (typical
) in any period, an alert is triggered. The Interflow includes the source host (srcip_host
) and destination host (dstip_host
).
RDP Outbytes Anomaly
An internal host transferred an anomalously high amount of data to external host(s) through RDP. This could indicate data exfiltration. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Exfiltration (TA0010 )
-
Technique: Exfiltration Over Alternative Protocol (T1048 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_outbytes_anomaly
.
Severity
30
Key Fields and Relevant Data Points
dstip
— destination IP addressdstip_host
— destination host nameactual
— actual amount of outbound traffic in the periodtypical
— typical amount of outbound traffic from the destination IP addresssrcip_host
— source IP address that initiates the RDP connection
Use Case with Data Points
Every destination host's (dstip
) transferred data volume through RDP is calculated periodically. If a host's volume (actual
) is much greater than normal (typical
) in any period, an alert is triggered. A sample Interflow includes the destination host (dstip_host
).
RDP Port Opening
Netsh commands to open TCP port 3389 were observed. This could indicate Sarwent malware attempting to establish an RDP connection. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Impair Defenses (T1562 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_port_opening
.
Severity
50
Key Fields and Relevant Data Points
hostip
— source IP address that executes the commandhostip_host
— host nameevent_data.CommandLine
— command that was executedprocess_name
— process name
Use Case with Data Points
Commands that open TCP port 3389 are monitored, and if netsh commands are seen, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the command used (event_data.CommandLine
).
RDP Registry Modification
Modifications of the property values of fDenyTSConnections
and UserAuthentication
to enable remote desktop connections were observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Registry (T1112 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_registry_modification
.
Severity
50
Key Fields and Relevant Data Points
hostip
— IP address of the host that made the setting changehostip_host
— host nameevent_data.TargetObject
— name of the registry keyevent_data.Details
— value of the registry
Use Case with Data Points
The property values of fDenyTSConnections
and UserAuthentication
are monitored, and if a possible malicious modification of the settings to enable remote desktop connections is observed, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the registry name (event_data.TargetObject
).
RDP Reverse Tunnel
An svchost
hosting RDP termsvcs
communicating with the loopback address on TCP port 3389 was observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Protocol Tunneling (T1572 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_reverse_tunnel
.
Severity
80
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process communicating with the loopback address
Use Case with Data Points
If an svchost hosting RDP termsvcs communicating with the loopback address is found on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address (hostip
) and host name (hostip_host
).
RDP Session Hijacking
A suspicious RDP session using tscon.exe
or MSTSC shadowing was observed. This could indicate a hijacked RDP session. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Lateral Movement (TA0008 )
-
Technique: Remote Service Session Hijacking (T1563 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_session_hijacking
.
Severity
50
Key Fields and Relevant Data Points
hostip
— host IP address that executes the commandhostip_host
— host nameevent_data.CommandLine
— command line usedprocess_name
— process name
Use Case with Data Points
If an RDP session redirect using tscon.exe or MSTSC is detected, an alert is triggered. A sample Interflow includes the host IP address (hostip
), name of the process used (process_name
), and command used (event_data.CommandLine
).
RDP Settings Hijacking
Changes to RDP terminal services settings were observed. Check the IP address and block if necessary.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Defense Evasion (TA0005 )
-
Technique: Modify Registry (T1112 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_settings_hijack
.
Severity
50
Key Fields and Relevant Data Points
hostip
— IP address of the host that made the setting changehostip_host
— host nameevent_data.TargetObject
— name of the registry key-
event_data.EventType
— event type on the registry key (SetValue, DeleteValue) event_data.Details
— value of the registry
Use Case with Data Points
RDP terminal service settings are monitored, and if changes are found to these settings, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and the registry name (event_data.TargetObject
).
RDP Suspicious Logon
An RDP logon with a local source IP address was observed. This could indicate a tunneled logon. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Protocol Tunneling (T1572 )
-
Tags: [RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_suspicious_logon
.
Severity
75
Key Fields and Relevant Data Points
hostip
— host IP address of the RDP serverevent_data.TargetDomainName
— domain of the login accountevent_data.TargetUserName
— user name of the login accounthostip_host
— host name
Use Case with Data Points
Remote desktop logins are monitored, and if a local source IP address is seen, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and host name (hostip_host
).
RDP Suspicious Logon Attempt
An authenticated user who is not allowed to log on remotely attempted to connect through RDP. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Credential Access (TA0006 )
-
Technique: Brute Force (T1110 )
-
Tags: [Internal; RDP]
Event Name
The xdr_event.name
for this alert type in the Interflow data is rdp_suspicious_logon_attempt
.
Severity
75
Key Fields and Relevant Data Points
hostip
— host IP address of the RDP serverhostip_host
— host nameevent_data.AccountDomain
— account domain of the user who attempts to connectevent_data.AccountName
— account name of the user who attempts to connectevent_data.ClientAddress
— IP address of the user who attempts to connect
Use Case with Data Points
Windows remote desktop logins are monitored, and if a user who is not allowed to remotely log in tries to log in with RDP, an alert is triggered. A sample Interflow includes the source IP address (hostip
) and host name (hostip_host
).
Recently Registered Domains
A DNS request was observed for a site that was registered less than 90 days ago. Check the domain. If suspicious, notify users.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR New Domain (XT2008)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is new_registered_domain
.
Severity
50
Key Fields and Relevant Data Points
metadata.request.effective_tld
— top-level domain name in the requestsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressmetadata.response.domain_creation
— domain creation timemetadata.response.effective_tld
— top-level domain name in the responsemetadata.response.resolved_ips
— list of resolved IP addressesactual
— number of visits to the domain in the period
Use Case with Data Points
If a domain has been registered within the last 90 days, an alert is triggered. A sample Interflow includes the domain name (metadata.request.effective_tld
), source host (srcip_host
), destination host (dstip_host
), and domain creation time (metadata.response.domain_creation
).
Scanner Reputation Anomaly
An anomalously large amount of connections were observed from an IP address with a reputation of being a scanner. Cross-check with the IP/Port Scan Anomaly alert, and check the links and content for possible spam or phishing.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Reconnaissance (TA0043 )
-
Technique: Active Scanning (T1595 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is scanner_rep
.
Severity
20
Key Fields and Relevant Data Points
srcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationsrcip_geo.countryName
— source countryactual
— actual number of connections from this source in the periodtypical
— typical number of connections from this source in the perioddstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of connections from a source IP address (srcip_host
) with a reputation as a scanner (srcip_reputation
) is calculated every 5 minutes. If the number of connections (actual
) is much greater than normal (typical
), an alert is triggered. The Interflow includes information such as the source country (srcip_geo.countryName
) and a destination (dstip_host
).
Sensitive Windows Active Directory Attribute Modification
The Sensitive Windows Active Directory Attribute Modification rules are used to identify suspicious activity with Sensitive Windows Active Directory Attribute Modification. Any one or more of these will trigger the Sensitive Windows Active Directory Attribute Modification alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_ad_sensitive_attribute_modification
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type
Sensitive Windows Network Share File or Folder Accessed
The Sensitive Windows Network Share File or Folder Accessed rules are used to identify suspicious activity with Windows Network Share File or Folder Access. Any one or more of these will trigger the Sensitive Windows Network Share File or Folder Accessed alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_sensitive_networkshare
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type
Sensor Status Anomaly
The sensor has changed its status from "connected" to "disconnected".
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: XDR SBA (XTA0003)
-
Technique: XDR Status Anomaly (XT3002)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ade_outbytes_anomaly_flip
.
Severity
10
Key Fields and Relevant Data Points
engid
— sensor IDengid_name
— sensor name
Use Case with Data Points
For each sensor, its connection status is checked periodically, if the status changes from “connected“ to “disconnected“, the anomaly is triggered. A sample Interflow includes the sensor ID (engid
) and sensor name (engid_name
).
SMB Impacket Lateralization
The execution of wmiexec, dcomexec, atexec, smbexec or PSExec
from the Impacket framework was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: Windows Management Instrumentation (T1047 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_impacket_lateralization
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— host IP addresshostip_host
— host nameevent_data.CommandLine
— command line of the command that was executedevent_data.ParentCommandLine
— command line of the parent process
Use Case with Data Points
If a Windows host (srcip
) executes a command (wmiexec, dcomexec, atexec, smbexec
, or PSExec
) from the Impacket framework, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the command executed (event_data.CommandLine
).
SMB Specific Service Installation
A specific service installation used by the Impacket tool or Metasploit was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Execution (TA0002 )
-
Technique: System Services (T1569 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_hack_smbexec
.
Severity
80
Key Fields and Relevant Data Points
srcip
— source IP addressevent_data.ServiceName
— name of the service installedhostip
— host IP addresshostip_host
— host name
Use Case with Data Points
If a Windows host (srcip
) installs a specific service installation that is used by the smbexec.py
tool, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the service installed (event_data.ServiceName
).
SMB Suspicious Copy
A suspicious copy command from a remote C$ or ADMIN$ share was observed. Check the source host. If malicious, consider blocking the host.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: Collection (TA0009 )
-
Technique: Data from Network Shared Drive (T1039 )
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is smb_suspicious_copy
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP addresshostip
— host IP addresshostip_host
— host nameevent_data.CommandLine
— command line of the copy command
Use Case with Data Points
If a Windows host (srcip
) uses the copy command to copy files from a remote C$ or ADMIN$ share, an alert is triggered. A sample Interflow includes the source IP address (srcip
), source host (srcip_host
), and the command executed (event_data.CommandLine
).
Steal or Forge Kerberos Tickets
The Steal or Forge Kerberos Tickets rules are used to identify suspicious activity to steal or forge Kerberos tickets. Any one or more of these will trigger the Steal or Forge Kerberos Tickets alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_steal_or_forge_kerberos_tickets
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namewineventlog_user
— Windows user who executed the scriptevent_data.ScriptBlockText
— Powershell script block textevent_id
— Windows event ID associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Steal or Forge Kerberos Tickets Alert Type
Suspicious Access Attempt to Windows Object
The Suspicious Access Attempt to Windows Object rules are used to identify suspicious activity with Access Attempt to Windows Objects. Any one or more of these will trigger the Suspicious Access Attempt to Windows Object alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_object_access_suspicious_attempt
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type
Suspicious Activity Related to Security-Enabled Group
The Suspicious Activity Related to Security-Enabled Group rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these will trigger the Suspicious Activity Related to Security-Enabled Group alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_activity_related_to_security_enabled_group
.
Key Fields and Relevant Data Points
hostip
— host IP addressevent_id
— Windows event ID associated with the activityhostip_host
— host nameevent_data.SubjectUserName
— subject user name associated with the activityevent_data.SubjectUserSid
— subject user SID associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type
Suspicious AWS Bucket Enumeration
The Suspicious AWS Bucket Enumeration rules are used to identify suspicious activity related to AWS Bucket Enumeration. Any one or more of these will trigger the AWS Bucket Enumeration alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_bucket_enumeration
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS Bucket Enumeration Alert Type
Suspicious AWS EBS Activity
The Suspicious AWS EBS Activity rules are used to identify suspicious AWS Elastic Block Store (EBS) activity. Any one or more of these will trigger the Suspicious AWS EBS Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_ebs_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS EBS Activity Alert Type
Suspicious AWS EC2 Activity
The Suspicious AWS EC2 Activity rules are used to identify suspicious activity within AWS EC2 logs. Any one or more of these will trigger the Suspicious AWS EC2 Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_ec2_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS EC2 Activity Alert Type
Suspicious AWS ELB Activity
The Suspicious AWS ELB Activity rules are used to identify suspicious activity with AWS ELB. Any one or more of these will trigger the Suspicious AWS ELB Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_elb_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS ELB Activity Alert Type
Suspicious AWS IAM Activity
The Suspicious AWS IAM Activity rules are used to identify suspicious activity within AWS IAM logs. Any one or more of these will trigger the Suspicious AWS IAM Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_iam_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS IAM Activity Alert Type
Suspicious AWS RDS Event
The Suspicious AWS RDS Event rules are used to identify suspicious activity related to AWS RDS Event. Any one or more of these will trigger the Suspicious AWS RDS Event alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_rds_event
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS RDS Event Alert Type
Suspicious AWS Root Account Activity
The Suspicious AWS Root Account Activity rules are used to identify suspicious activity with AWS Root Account. Any one or more of these will trigger the Suspicious AWS Root Account Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_root_account_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS Root Account Activity Alert Type
Suspicious AWS Route 53 Activity
The Suspicious AWS Route 53 Activity rules are used to identify suspicious activity within AWS Route 53 logs. Any one or more of these will trigger the Suspicious AWS Route 53 Activity alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_route53_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS Route 53 Activity Alert Type
Suspicious AWS SSL Certificate Activity
The Suspicious AWS SSL Certificate Activity rules are used to identify suspicious activity with AWS SSL certificates. Any one or more of these will trigger the Suspicious AWS SSL Certificate alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_ssl_certificate_activity
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS SSL Certificate Activity Alert Type
Suspicious AWS VPC Flow Logs Modification
The Suspicious AWS VPC Flow Logs Modification rules are used to identify suspicious modification of AWS VPC Flow logs. Any one or more of these will trigger the Suspicious AWS VPC Flow Logs Modification alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_vpc_flow_logs_modification
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert Type
Suspicious AWS VPC Mirror Session
The Suspicious AWS VPC Mirror Session rules are used to identify suspicious AWS VPC mirror session activity. Any one or more of these will trigger the Suspicious AWS VPC Mirror Session alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_vpc_mirror_session
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious AWS VPC Mirror Session Alert Type
Suspicious Connection to Another Process
The Suspicious Connection to Another Process rules are used to identify suspicious activity with Suspicious Connection to Another Process. Any one or more of these will trigger the Suspicious Connection to Another Process alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_connection_process
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Connection to Another Process Alert Type
Suspicious Handle Request to Sensitive Object
The Suspicious Handle Request to Sensitive Object rules are used to identify suspicious activity with Handle Requests to Sensitive Objects. Any one or more of these will trigger the Suspicious Handle Request to Sensitive Object alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_handle_request
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type
Suspicious LSASS Process Access
The Suspicious LSASS Process Access rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_process_access_lsass
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.SourceImage
— source image path associated with the activityevent_data.TargetImage
— target image path associated with the activitywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious LSASS Process Access Alert Type
Suspicious Modification of AWS CloudTrail Logs
The Suspicious Modification of AWS CloudTrail Logs rules are used to identify suspicious activity within AWS Cloudtrail logs. Any one or more of these will trigger the Suspicious Modification of AWS CloudTrail Logs alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_cloudtrail_logs_modification
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert Type
Suspicious Modification of AWS Route Table
The Suspicious Modification of AWS Route Table rules are used to identify suspicious activity related to modification of AWS Route Table. Any one or more of these will trigger the Suspicious Modification of AWS Route Table alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_modification_of_route_table
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Modification of AWS Route Table Alert Type
Suspicious Modification of S3 Bucket
The Suspicious Modification of S3 Bucket rules are used to identify suspicious activity within S3 Bucket logs. Any one or more of these will trigger the Suspicious Modification of S3 Bucket alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is aws_suspicious_modification_of_s3_bucket
.
Key Fields and Relevant Data Points
eventSource
— source of eventeventName
— name of eventeventType
— type of eventuserIdentity.accountId
— key ID for the account involved in the eventuserIdentity.userName
— user name of the account involved in the eventuserIdentity.type
— type of account involved in the eventstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Modification of S3 Bucket Alert Type
Suspicious Powershell Script
The Suspicious Powershell Script rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the Suspicious PowerShell Script alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_powershell_script
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host namewineventlog_user
— Windows user who executed the scriptevent_data.ScriptBlockText
— Powershell script block textstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Powershell Script Alert Type
Suspicious Process Creation Commandline
The Suspicious Process Creation Commandline rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Commandline alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_commandline
.
Key Fields and Relevant Data Points
hostip
— host IP addressevent_data.CommandLine
— process creation command linehostip_host
— host namewineventlog_user
— Windows user who executed the commandstellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Process Creation Commandline Alert Type
Suspicious Windows Active Directory Operation
The Suspicious Windows Active Directory Operation rules are used to identify suspicious activity with Windows Active Directory Operation. Any one or more of these will trigger the Suspicious Windows Active Directory Operation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_ad_suspicious_operation
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Active Directory Operation Alert Type
Suspicious Windows Logon Event
The Suspicious Windows Logon Event rules are used to identify suspicious activity with Windows Logons. Any one or more of these will trigger the Suspicious Windows Logon alert types.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_logon_event
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Logon Event Alert Type
Suspicious Windows Network Connection
The Suspicious Windows Network Connection rules are used to identify suspicious Windows network connection activities. Any one or more of these will trigger the Suspicious Windows Network Connection alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_network_connection
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activitywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Network Connection Alert Type
Suspicious Windows Process Creation
The Suspicious Windows Process Creation rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Process Creation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_suspicious_process_creation
.
Key Fields and Relevant Data Points
hostip
— host IP addressprocess_name
— process associated with the activityhostip_host
— host namewineventlog_user
— Windows user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Windows Suspicious Process Creation Alert Type
Suspicious Windows Registry Event: Impact
The Suspicious Windows Registry Event: Impact rules are used to identify suspicious Windows registry events usually in the impact stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Impact alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_registry_event_impact
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activityevent_data.TargetObject
— target registryevent_data.Details
— value set to the registrywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type
Suspicious Windows Registry Event: Persistence
The Suspicious Windows Registry Event: Persistence rules are used to identify suspicious Windows registry events usually in the persistence stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Persistence alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is suspicious_windows_registry_event_persistence
.
Key Fields and Relevant Data Points
hostip
— host IP addresshostip_host
— host nameevent_data.Image
— process associated with the activityevent_data.TargetObject
— target registryevent_data.Details
— value set to the registrywineventlog_user
— user associated with the activitystellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type
Suspicious Windows Service Installation
The Suspicious Windows Service Installation rules are used to identify suspicious activity with service installation. Any one or more of these will trigger the Suspicious Windows Service Installation alert type.
Event Name
The xdr_event.name
for this alert type in the Interflow data is windows_security_suspicious_service_installation
.
Key Fields and Relevant Data Points
event_id
— Windows event ID associated with the activityhostip
— host IP addresshostip_host
— host namestellar.rule_id
— Stellar Cyber rule ID
Link to Rule-Based Alert Types
Rules Contributing to Suspicious Windows Service Installation Alert Type
Unapproved Asset Activity
Activity of an asset has been marked as unapproved in one of the Investigate | Asset Activity tabs. Unapproved assets generate one alert per day until their approval status is changed with either the Approve or Ignore button in the Asset Activity tabs.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Unapproved Asset Activity (XT2013)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is asset_violation
.
Severity
50
Key Fields and Relevant Data Points
asset_id
— ID of a specific assetvendor
— vendor of this asset
Use Case with Data Points
If an analyst marks an asset as unapproved in the Asset Activity tabs, a daily alert is triggered until the asset is either manually approved or ignored.
Uncommon Application Anomaly
Private (internal assets) to public (Internet) traffic has revealed an application that has never been seen before (or been seen very rarely). Investigate that application and ensure that it is benign.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR App Anomaly (XT2003)
-
Tags: [External; Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is network_uncommon_app
.
Severity
20
Key Fields and Relevant Data Points
appid
— application IDappid_name
— application namedays_silent
— number of days since this application was last seensrcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationsrcip_geo.countryName
— source countrydstip_host
— host name of corresponding destination IP addressdstip_reputation
— destination reputationdstip_geo.countryName
— destination country
Use Case with Data Points
If an application (appid
) has never been observed by Stellar Cyber or been seen very rarely (days_silent
), an alert is triggered. The Interflow includes the internal assets (srcip_host
), source reputation (srcip_reputation
), and source country (srcip_geo.countryName
), and the destination host (dstip_host
), destination reputation (dstip_reputation
), and destination country (dstip_geo.countryName
).
Uncommon Process Anomaly
An asset launched a process that has never been seen before (or has very rarely been seen). This could indicate a malware attack.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: []
Event Name
The xdr_event.name
for this alert type in the Interflow data is network_uncommon_process
.
Severity
30
Key Fields and Relevant Data Points
hostip
— IP address of the host running the processhostip_host
— host nameprocess_name
— name of the processwineventlog_user
— user that created the processdays_silent
— number of days since this process was last seen
Use Case with Data Points
If a process (process_name
) has never been observed by Stellar Cyber or been seen very rarely (days_silent
), an alert is triggered. The Interflow includes the user (process_user
) and host (srcip
) that executed the process.
User Asset Access Anomaly
A user who typically uses a small, consistent number of assets logged in to a new asset. Investigate the asset and user to see if this was expected.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR UBA (XTA0004)
-
Technique: XDR Asset Anomaly (XT4004)
-
Tags: [Internal; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_asset_access
.
Severity
30
Key Fields and Relevant Data Points
srcip_usersid
— source user IDsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addresssrcip_username
— source user namestability
— score measuring the time since the last new asset was accesseddays_stable
— time since the last new asset was accesseddiversity
— score measuring the number of assets that the user accessedchild_count
— number of assets that the user accessed
Use Case with Data Points
Users (srcip_usersid
and srcip_username
) with a small number of assets (diversity
, child_count
) who also have not used a new asset (srcip_host
) for a long time (stability
, days_stable
) are examined. If a new asset appears on a host (srcip_host
) with this user, an alert is triggered.
The user is identified with the scrip_userid
and scrip_username
fields. The asset is identified with the scrip_host
field. Active Directory, which is identified from the dstip_host
field, provides the relationship between the user and the asset. Stability is identified with the stability
field and diversity is identified with the diversity
field.
User Login Location Anomaly
A login to a user account occurred from a source IP address that is anomalously distant from the nearest location typically observed for logins to that user account.
This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR UBA (XTA0004)
-
Technique: XDR Location Anomaly (XT2001)
-
Tags: [External; User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_login_region
.
Severity
50
Key Fields and Relevant Data Points
srcip_usersid
— key ID for the source userdistance_deviation
— deviation in distance between two login locations (miles)srcip_host
— host name of corresponding source IP addresssrcip_reputation
— source reputationsrcip_geo.countryName
— source country namesrcip_geo.region
— source region namesrcip_geo.city
— source city namedstip_host
— host name of corresponding destination IP addresslogin_type
— type of login
Use Case with Data Points
Successful login events for certain login types (login_type
) of a user (srcip_usersid
) from a source host (srcip_host
) and country location (srcip_geo.countryName
are examined. If the detected login location is too far away (distance_deviation
in miles) from that user's typical locations, an alert is triggered. The source host's reputation (srcip_reputation
) is also checked. Map views of the Interflow include data points for the closest typical
login locations for the user.
User Process Usage Anomaly
A user who typically executes a small, consistent number of processes suddenly executed a new process. Investigate the process, to see if it is benign. Check with the user to see if this process was expected.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: XDR EBA (XTA0001)
-
Technique: XDR Process Anomaly (XT1001)
-
Tags: [User Behavior Analytics]
Event Name
The xdr_event.name
for this alert type in the Interflow data is user_uncommon_process
.
Severity
10
Key Fields and Relevant Data Points
srcip_usersid
— non-Windows source user IDor
user.identifier
— Windows source user IDThe key field for this alert type can be either
srcip_usersid
oruser.identifier
, depending on the data feed.process_name
— name of the processhostip
— IP address of the hosthostip_host
— host namesrcip_username
— source user namewineventlog_user.name
— source user name (Windows)user.name
— source user name (Windows)stability
— score measuring the time since the last new process was executeddays_stable
— time since the last new process was executeddiversity
— score measuring the number of processes that the user executedchild_count
— number of processes that the user executed
Use Case with Data Points
Looks for a user (srcip_usersid
or user.identifier
and a srcip_username
) with a small number of processes (diversity
, child_count
) who also has not used a new process for a long time (stability
, days_stable
). If a new process (process_name
) appears on a host (srcip_host
) with this user and connects to another host (dstip_host
), an alert is triggered.
The user is identified with the scrip_userid
or user.identifier
and scrip_username
fields. The process is identified with the process_name
field. The host on which the user is running the process is identified with the srcip_host
field. The destination of the traffic generated by the process is identified with the dstip_host
field. Stability is identified with the stability
field, and diversity is identified with the diversity
field.
Volume Shadow Copy Deletion via VssAdmin
The vssadmin.exe
utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Inhibit System Recovery (T1490 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_vssadminedit
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host where the Shadow Copy was deletedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the Shadow Copy
Use Case with Data Points
If vssadmin.exe
is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow ibncludes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).
Volume Shadow Copy Deletion via WMIC
The wmic.exe
utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Inhibit System Recovery (T1490 )
-
Tags: [Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_wmicredit
.
Severity
80
Key Fields and Relevant Data Points
hostip
— IP address of the host where the Shadow Copy was deletedhostip_host
— host nameprocess_name
— name of the executed processevent_data.CommandLine
— command that was executed to delete the Shadow Copy
Use Case with Data Points
If wmic.exe
is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip
), process name (process_name
), and command line (event_data.CommandLine
).
WAF Internal Attacker Anomaly
Internal web requests from a private IP address have been blocked/alerted by the Web Application Firewall (WAF). Investigate the source requester and ensure they are not compromised.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR WAF Anomaly (XT2009)
-
Tags: [Internal]
Event Name
The xdr_event.name
for this alert type in the Interflow data is waf_internal_attacker
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressaction
— status of web requestsevent.severity_str
— severity level of web requestsevent.uri
— URI of the web requestevent.reason
— attack type (signature name)
The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility.
Use Case with Data Points
If web requests (f5.uri) from an internal IP address (srcip) to a web application (f5.web_application_name) have been blocked/alerted (f5.request_status) by the WAF, an alert is triggered. The Interflow includes the level of severity (f5.severity), the attack type (f5.attack_type), and the violation information (f5.violations), as well as signature name (f5.sig_names), staged signature name (f5.staged_sig_names), sub violation information (f5.sub_violations), and threat campaign name (f5.violation_details_xml.request-violations.violation.threat_campaign_data.threat_campaign_name), if applicable.
If web requests (event.uri
) from an internal IP address ( srcip
) to a web application (event.web_application_name
) have been blocked/alerted (action
) by the WAF, an alert is triggered. The Interflow includes the level of severity (event.severity_str
), the attack type (threat
), and the violation information (event.description
), as well as signature name (event.reason
). If applicable for the WAF type, the Interflow also includes staged signature name (event.staged_sig_id
), sub violation information (event.sub_violations
), and threat campaign name (event.threat_campaign.names
).
Ingestion Types Supported for this Alert
-
F5 Big-IP Firewall
-
F5 Silverline WAF
-
Barracuda WAF
-
AWS CloudWatch WAF
WAF Rule Violation Anomaly
Web requests have been blocked/alerted by the Web Application Firewall (WAF) due to a surge in violations or violating a rule that is rarely invoked. Investigate the blocked/alerted web requests and ensure they are benign.
Refer to Log Parser Portsfor the most current list of WAF parsers.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Rule Violation (XT2004)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is waf_rule_violation
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addresssrcip_host
— host name of corresponding source IP addressevent.severity_str
— severity level of web requestsevent.web_application_name
— web application nameevent.uri
— URI of the web requestevent.reason
— attack type (signature name)event.sig_id
— attack type (signature ID)actual
— actual number of specific WAF violations in the periodtypical
— typical number of specific WAF violations in the period
The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility.
Use Case with Data Points
If web requests (event.uri
) to a web application ( event.web_application_name
) have been blocked/alerted (action
) by the WAF due to violating certain rules, which include the level of severity (event.severity_str
), the attack type (threat
), and the violation information (event.violations
). If the violations (actual
) surge compared to the normal number of violations in a period (typical
), an alert is triggered.
Ingestion Types Supported for this Alert
F5 Big-IP Firewall
F5 Silverline WAF
Barracuda WAF
AWS CloudWatch WAF