Alert Types That Use the IDPS/Malware Sandbox Events Index

The Alert Types listed below use the IDPS/Malware Sandbox Events Index. For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

• Cryptojacking
• Encrypted C& C
• Exploited C&C Connection
• External Exploited Vulnerability
• External IDS Signature Spike
• External Other Malware
• External PII Leaked
• External PUA
• External Ransomware
• External Scanner Behavior Anomaly
• External Spyware
• External Trojan
• Internal Exploited Vulnerability
• Internal IDS Signature Spike
• Internal Other Malware
• Internal PII Leaked
• Internal PUA
• Internal Ransomware
• Internal Scanner Behavior Anomaly
• Internal Spyware
• Internal Trojan
• Malicious Site Access
• Phishing URL
• Possible Encrypted Phishing Site Visit
• Possible Unencrypted Phishing Site Visit
• Private to Private Exploit Anomaly
• Private to Private IPS Signature Spike
• Private to Public Exploit Anomaly
• Private to Public IPS Signature Spike
• Public to Private Exploit Anomaly
• Public to Private IPS Signature Spike
• Public to Public Exploit Anomaly
• Public to Public IPS Signature Spike

Cryptojacking

An unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: Impact (TA0040 )

• Technique: Resource Hijacking (T1496 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is cryptojacking.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• srcip — source IP address of the cryptojacking action
• dstip — destination IP address of the cryptojacking action
• srcip_reputation — source reputation
• srcip_host — source host name
• dstip_reputation — destination reputation
• dstip_host — destination host name

Use Case with Data Points

If an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), source reputation (srcip_reputation), source host (srcip_host), destination IP address (dstip), destination reputation (dstip_reputation), and destination host (dstip_host).

Encrypted C&C

A connection to or from known command and control servers was observed in encrypted traffic. Consider blocking the source IP address.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Command and Control (TA0011 )

• Technique: Encrypted Channel (T1573 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ssl_certificate.

Key Fields and Relevant Data Points

• srcip — source IP address of the connection
• dstip — destination IP address of the connection
• srcip_host — host name of corresponding source IP address
• srcip_geo.countryName — source country of the connection
• dstip_host — host name of corresponding destination IP address
• dstip_geo.countryName — destination country of the connection

Use Case with Data Points

If known command and control servers are detected on either side of a connection with encrypted traffic, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), source country (srcip_geo.countryName), destination IP address (dstip), destination host (dstip_host), and destination country (dstip_geo.countryName).

Exploited C&C Connection

An exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Command and Control Connection Exploitation (XT2014)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_correlation.

Key Fields and Relevant Data Points

• tenant_id — tenant ID
• exploit_id — ID of the original exploit event
• seen_traffic_id — ID of the original Interflow traffic record
• srcip (of exploit event) — IP address of the attacker (correlation_info.srcip)
• dstip (of exploit event) — IP address of the target host (correlation_info.dstip)
• srcip (of traffic record) — IP address of the target host (correlation_info.srcip)
• dstip (of traffic record) — IP address of the attacker (correlation_info.dstip)

Use Case with Data Points

Two events are involved in this alert type. In the first event, an attacker (srcip) with the IP address A is performing an exploit against a target (dstip) with the IP address B. If, following that event, an Interflow traffic record is observed where the target host (srcip) with IP address B initiates a network connection to the attacker (dstip) whose IP address is A, an alert is triggered.

When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event (exploit_id), the reference ID of the traffic record (seen_traffic_id), the IP address of the attacker (correlation_info.srcip of the exploit event or correlation_info.dstip of the traffic record), the IP address of the victim (correlation_info.dstip of the exploit event or correlation_info.srcip of the traffic record).

External Exploited Vulnerability

A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Exploited Vulnerability (XT2015)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_vuln_exploit_correlation.

Key Fields and Relevant Data Points

• tenantid — tenant ID
• vulnerability_id — ID of the original security scan result
• ids_event_id — ID of the original IDS exploit event
• srcip (of security scan result) — IP address of the target correlation_info.srcip
• dstip (of IDS event) — IP address of the target (correlation_info.dstip)
• srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
• correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
• correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with internal IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

External IDS Signature Spike

A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_ids_signature_spike.

Key Fields and Relevant Data Points

• srcip — source IP address
• ids_signatures_summarize — summarized IDS signatures of the exploit
• srcip_host — source host name
• actual — actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

External Other Malware

Malware with uncategorized malicious activity was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Miscellaneous Malware (XT6001)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_malware_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• ids.severity — severity of the IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the malware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates malware that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the malware (file_name) from the sandbox.

External PII Leaked

Personally identifiable information (social security numbers or credit cards) has been observed in the clear. Check the source to see if it is compromised. If so, consider blocking it.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Exfiltration (TA0010 )

• Technique: Automated Exfiltration (T1020 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_pii_leak.

Key Fields and Relevant Data Points

• srcip — source IP address of the PII leak
• dstip — destination IP address of the PII leak
• ids.signature — IDS signature
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), destination IP address (dstip), source host (srcip_host), and destination host (dstip_host).

External PUA

Unwanted applications or malware that bombards the user with advertisements has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR PUA (XT6002)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_pua.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the PUA
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates potentially unwanted applications (PUA), an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity) or IDS signature for ML-IDS (ids.signature), along with event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the PUA (file_name) from the sandbox.

External Ransomware

Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Impact (TA0040 )

• Technique: Data Encrypted for Impact (T1486 )

• Tags: [External; Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_ransomware.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the ransomware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates ransomware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the ransomware (file_name) from the sandbox.

External Scanner Behavior Anomaly

An anomalously large amount of scanning behavior or a rarely seen scan behavior was found. Cross-check with the IP/Port Scan Anomaly alert.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Reconnaissance (TA0043 )

• Technique: Active Scanning (T1595 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_scan_anomalies.

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name

Use Case with Data Points

The number of occurrences of each scanner, based on IDS signature (ids.signature), is calculated periodically. If one scanner occurs (actual) much more often than its history (typical), an alert is triggered. The Interflow includes information such as the traffic application type (appid_name), source (srcip_host), and destination (dstip_host).

External Spyware

Malware that collects and shares information about a device without consent was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Spyware (XT6003)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_spyware_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the spyware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates spyware activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the spyware (file_name) from the sandbox.

External Trojan

Malware that disguises itself as legitimate software in order to gain access to a system or files has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Trojan (XT6004)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_trojan_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the trojan
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates trojan activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the trojan (file_name) from the sandbox.

Internal Exploited Vulnerability

An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

• Kill Chain Stage: Exploration

• Tactic: [Internal] XDR NBA (XTA0002)

• Technique: XDR Exploited Vulnerability (XT2015)

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_vuln_exploit_correlation.

Key Fields and Relevant Data Points

• tenantid — tenant ID
• vulnerability_id — ID of the original security scan result
• ids_event_id — ID of the original IDS exploit event
• srcip (of security scan result) — IP address of the target correlation_info.srcip
• dstip (of IDS event) — IP address of the target (correlation_info.dstip)
• srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
• correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
• correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

Internal IDS Signature Spike

A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: Lateral Movement (TA0008 )

• Technique: Exploitation of Remote Services (T1210 )

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_ids_signature_spike.

Key Fields and Relevant Data Points

• srcip — source IP address
• ids_signatures_summarize — summarized IDS signatures
• srcip_host — source host name
• actual — actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IDS signatures (ids.signature) and severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

Internal Other Malware

Malware with uncategorized malicious activity in internal traffic was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] XDR Malware (XTA0006)

• Technique: XDR Miscellaneous Malware (XT6001)

• Tags: [Internal; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_malware_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• ids.severity — severity of the IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the malware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates malware in internal traffic that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the malware (file_name) from the sandbox.

Internal PII Leaked

Personally identifiable information (social security numbers or credit cards) has been observed in internal traffic in the clear. Check the source to see if it is compromised. If so, consider blocking it.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [Internal] Exfiltration (TA0010 )

• Technique: Automated Exfiltration (T1020 )

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_pii_leak.

Key Fields and Relevant Data Points

• srcip — source IP address of the PII leak
• dstip — destination IP address of the PII leak
• ids.signature — IDS signature of the exploit
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), destination IP address (dstip), source host (srcip_host), and destination host (dstip_host).

Internal PUA

Unwanted applications or malware that bombards the user with advertisements in internal traffic has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] XDR Malware (XTA0006)

• Technique: XDR PUA (XT6002)

• Tags: [Internal; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_pua.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the PUA
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates potentially unwanted applications (PUA) in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the PUA (file_name) from the sandbox.

Internal Ransomware

Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access in internal traffic was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [Internal] Impact (TA0040 )

• Technique: Data Encrypted for Impact (T1486 )

• Tags: [Internal; Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_ransomware.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the ransomware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates ransomware in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the ransomware (file_name) from the sandbox.

Internal Scanner Behavior Anomaly

An anomalously large amount of scanning behavior or a rarely seen scan behavior between internal hosts was observed. Cross-check with the IP/Port Scan Anomaly alert.

XDR Kill Chain

• Kill Chain Stage: Exploration

• Tactic: [Internal] Discovery (TA0007 )

• Technique: Network Service Scanning (T1046 )

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_scan_anomalies.

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name

Use Case with Data Points

The number of occurrences of each scanner, based on IDS signature (ids.signature) between internal hosts, is calculated periodically. If one scanner occurs (actual) much more often compared to its history (typical), an alert is triggered. A sample Interflow is presented with information such as the traffic application type (appid_name), source host (srcip_host), and destination host (dstip_host).

Internal Spyware

Malware that collects and shares information about a device without consent in internal traffic was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] XDR Malware (XTA0006)

• Technique: XDR Spyware (XT6003)

• Tags: [Internal; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_spyware_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the spyware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates spyware activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the spyware (file_name) from the sandbox.

Internal Trojan

Malware that disguises itself as legitimate software in order to gain access to a system or files in internal traffic has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] XDR Malware (XTA0006)

• Technique: XDR Trojan (XT6004)

• Tags: [Internal; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_trojan_activity.

Key Fields and Relevant Data Points

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the trojan
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates trojan activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the trojan (file_name) from the sandbox.

Malicious Site Access

A host accessed a URL with a reputation for potentially hosting malware. Check the URL and, if malicious, consider blocking it. Check the host for compromise.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Bad Reputation (XT2010)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is mal_access.

Key Fields and Relevant Data Points

• srcip — source IP address of the host that initiated the site access
• srcip_host — source host name
• url — URL that was accessed
• url_reputation — reputation of the accessed URL

Use Case with Data Points

When a host (srcip) accesses a URL with a reputation (srcip_reputation) as potential malware hosting (MalAccess), an alert is triggered. The Interflow includes the source host IP address (srcip), the URL accessed (url), and the reputation of the URL (url_reputation).

Phishing URL

A connection to a site with a phishing reputation was observed. Check with the user to determine whether their system is compromised.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: Initial Access (TA0001 )

• Technique: Phishing (T1566 )

• Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is phishing.

Key Fields and Relevant Data Points

• srcip — source IP address of the connection to the phishing URL reputation site
• dstip — destination IP address of the phishing URL reputation site
• url — URL of the phishing site
• dstip_host — destination host name
• metadata.response.subject_alt_name — Subject Alternative Name of the phishing site
• username — name of the visitor
• dstip_geo.countryName — destination country
• srcip_host — source host name

Use Case with Data Points

If a connection from a source (scrip) to a site with a phishing reputation is detected, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), URL of the site (url), destination country (dstip_geo.countryName), Subject Alternative Name of the site (metadata.response.subject_alt_name), and user name (username).

Possible Encrypted Phishing Site Visit

A possible phishing site visit to a recently registered domain was observed in encrypted traffic. Check with the user to determine whether their system is compromised.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: Initial Access (TA0001 )

• Technique: Phishing (T1566 )

• Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is encrypted_phishing_site.

Key Fields and Relevant Data Points

• metadata.response.effective_tld — effective top-level domain of the possible phishing site
• srcip — IP address of the visitor to the possible phishing site
• dstip — IP address of the possible phishing site
• srcip_host — source host name
• dstip_host — destination host name
• dstip_geo.countryName — destination country

Use Case with Data Points

If an encrypted connection to a recently registered site (metadata.response.effective_tld) is observed, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), destination country (dstip_geo.countryName), and effective top-level domain of the site (metadata.response.effective_tld).

Possible Unencrypted Phishing Site Visit

A possible phishing site visit to a recently registered domain was observed in unencrypted traffic. Check with the user to determine whether their system is compromised.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: Initial Access (TA0001 )

• Technique: Phishing (T1566 )

• Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is unencrypted_phishing_site.

Key Fields and Relevant Data Points

• metadata.response.effective_tld — effective top-level domain of the possible phishing site
• srcip — IP address of the visitor to the phishing site
• dstip — IP address of the possible phishing site
• srcip_host — source host name
• dstip_host — destination host name
• dstip_geo.countryName — destination country

Use Case with Data Points

If an unencrypted connection to a recently registered site (metadata.response.effective_tld) is detected, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), destination country (dstip_geo.countryName), and effective top-level domain of the site (metadata.response.effective_tld).

Private to Private Exploit Anomaly

A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another private IP address. Investigate that signature.

This alert type has the following subtypes:

• IDS Traffic Anomaly
• IPS Traffic Anomaly

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] Lateral Movement (TA0008 )

• Technique: Exploitation of Remote Services (T1210 )

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_priv_priv.

Alert Subtype: IDS Traffic Anomaly

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• ids.severity — severity of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

Private to Private IPS Signature Spike

A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] Lateral Movement (TA0008 )

• Technique: Exploitation of Remote Services (T1210 )

• Tags: [Internal; Network Traffic Analysis; IPS Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is ips_signature_spike_priv_priv.

Key Fields and Relevant Data Points

• event_summary.ips_signatures_summarize — signatures of the exploit
• srcip_host — host name of corresponding source IP address
• actual — actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IPS signatures (ips.signature), weighted by their severity (ips.severity), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IPS signatures (actual), the usual accumulated severity of IPS signatures (typical), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize).

Private to Public Exploit Anomaly

A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a public IP address. Investigate that signature.

This alert type has the following subtypes:

• IDS Traffic Anomaly
• IPS Traffic Anomaly

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_priv_pub.

Alert Subtype: IDS Traffic Anomaly

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• ids.severity — severity of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

Private to Public IPS Signature Spike

A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis; IPS Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is ips_signature_spike_priv_pub.

Key Fields and Relevant Data Points

• event_summary.ips_signatures_summarize — signatures of the exploit
• srcip_host — host name of corresponding source IP address
• actual — actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IPS signatures (ips.signature), weighted by their severity (ips.severity), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IPS signatures (actual), the usual accumulated severity of IPS signatures (typical), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize).

Public to Private Exploit Anomaly

A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a private IP address. Investigate that signature.

This alert type has the following subtypes:

• IDS Traffic Anomaly
• IPS Traffic Anomaly

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_pub_priv.

Alert Subtype: IDS Traffic Anomaly

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• ids.severity — severity of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

Public to Private IPS Signature Spike

A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis; IPS Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is ips_signature_spike_pub_priv.

Key Fields and Relevant Data Points

• event_summary.ips_signatures_summarize — signatures of the exploit
• srcip_host — host name of corresponding source IP address
• actual — actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IPS signatures (ips.signature), weighted by their severity (ips.severity), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IPS signatures (actual), the usual accumulated severity of IPS signatures (typical), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize).

Public to Public Exploit Anomaly

A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another public IP address. Investigate that signature.

This alert type has the following subtypes:

• IDS Traffic Anomaly
• IPS Traffic Anomaly

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_pub_pub.

Alert Subtype: IDS Traffic Anomaly

Key Fields and Relevant Data Points

• ids.signature — signature of the exploit
• ids.severity — severity of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

Public to Public IPS Signature Spike

A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis; IPS Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is ips_signature_spike_pub_pub.

Key Fields and Relevant Data Points

• event_summary.ips_signatures_summarize — signatures of the exploit
• srcip_host — host name of corresponding source IP address
• actual — actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IPS signatures (ips.signature), weighted by their severity (ips.severity), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip), timestamp, an accumulated severity of IPS signatures (actual), the usual accumulated severity of IPS signatures (typical), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize).