Alert Types That Use the Scan Index

The Alert Types listed below use the Scan Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

External Exploited Vulnerability

A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Exploited Vulnerability (XT2015)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_vuln_exploit_correlation.

Severity

75

Key Fields and Relevant Data Points

  • tenantid — tenant ID
  • vulnerability_id — ID of the original security scan result
  • ids_event_id — ID of the original IDS exploit event
  • srcip (of security scan result) — IP address of the target correlation_info.srcip
  • dstip (of IDS event) — IP address of the target (correlation_info.dstip)
  • srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
  • correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
  • correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with internal IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

Internal Exploited Vulnerability

An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Exploited Vulnerability (XT2015)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_vuln_exploit_correlation.

Severity

75

Key Fields and Relevant Data Points

  • tenantid — tenant ID
  • vulnerability_id — ID of the original security scan result
  • ids_event_id — ID of the original IDS exploit event
  • srcip (of security scan result) — IP address of the target correlation_info.srcip
  • dstip (of IDS event) — IP address of the target (correlation_info.dstip)
  • srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
  • correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
  • correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).