Alert Types That Use the Scan Index
The Alert Types listed below use the Scan Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.
To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.
Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.
Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.
External Exploited Vulnerability
A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with internal IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Exploited Vulnerability
An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.