Alert Type Model Summary
Use this topic for a high level summary of each alert type, whether it is based on Analytics or Machine Learning (and what type), and the training time required for each. Optionally, expand any alert name for more specifics on that alert type.
-
Machine Learning (ML): Stellar Cyber's powerful artificial intelligence system uses a variety of models to analyze data and may aggregate many alert logs to generate one Stellar Cyber alert.
-
Unsupervised ML – Unsupervised models power the alert types that look for dissimilarities from normal patterns. These models learn the normal pattern within a certain customer environment, such as what application usage is normal for which users. Then, after that initial learning period, the alert types trigger when activity appears significantly different from the observed normal pattern. Similarly, a user observed using an anomalous application would result in a trigger of this alert type. Unsupervised Machine Learning is applicable when there is no clear identifier for what "bad" looks like.
-
Supervised ML – Supervised models power the alert types that look for known bad patterns based on training performed on large scale datasets. An example of a bad pattern here is a recently registered domain used for data exfiltration. There are enough real world examples of this type of activity that a model can be constructed to identify it with a certain level of confidence. Supervised machine learning models require no customer training period because they are already "trained" and ready to be used. In summary, Supervised Machine Learning is used when there are clear identifiers for what "bad" looks like, but it is far too computationally complex for a simple "rule" to be used.
For more details, refer to the overview of Machine Learning and the details for each alert type that may be produced in the Machine Learning pathway.
-
-
Analytics – These prediction results are based on security rules. These alert types leverage simple arithmetic or logic conditions instead of machine learning. For example, a Bad Reputation alert may trigger if a source IP has a reputation of "Bad Reputation". Another example could be looking for suspicious RDP activity that matches a certain process name. You can also use Stellar Cyber's Statistical Analysis engine to create your own Automated Threat Hunting rules..
Training Time
Certain ML models learn the data distribution in your network automatically but require two weeks of observing data to create an approximation of the real distribution. After that baseline, the model is automatically updated every 24 hours. Use the table below as a guide for which need to run in your environment for two weeks to begin reporting.
XDR Display Name |
Model Type |
Machine Learning Model Requires Two Weeks |
---|---|---|
Abnormal Parent / Child Process
Abnormal Parent / Child ProcessA process that typically launches a small, consistent number of child processes has launched a new child process. Investigate the new child process or the parent process to see if it is benign. This alert type has the following subtype categories: XDR Kill Chain
Event NameThe Severity25 Alert Subtype: Machine Learning Anomaly Detection The Key Fields and Relevant Data Points
Use Case with Data PointsEach pair of parent/child processes ( Alert Subtype: Rule Based Detection The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types. Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Parent/Child Suspicious Process Creation Alert Type |
Unsupervised |
Y |
Account MFA Login Failure Anomaly
Account MFA Login Failure AnomalyAn anomalously large number of Multi-Factor Authentication (MFA) user login failures was observed for an account. Check with the user. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity45 Key Fields and Relevant Data Points
Use Case with Data PointsMulti-Factor Authentication login failures and successes are calculated periodically for every account ( Alert Subtype: Rule Based Alert Type The Suspicious AWS Login Failure rules are used to identify suspicious AWS account login failures. Any one or more of these will trigger the AWS Cloud Account Login Failure alert type. Key Fields and Relevant Data Points
Link to Rule-Based Alert Types |
Unsupervised |
N |
Application Usage Anomaly
Application Usage AnomalyAn internal application had an anomalously large number of connections to one or more external hosts in a measured interval, exceeding 99.99% of all other intervals corresponding to different applications in the past two weeks. Investigate the application and connections, and consider blocking connections from the application. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsEvery application's ( |
Unsupervised |
Y |
AWS AMI Made Public
AWS AMI Made PublicAn AWS AMI was made public. Check with the user to make sure this was intentional. XDR Kill Chain
XDR Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsFor each AWS account ( |
Analytics |
N |
AWS Logging Stopped
AWS Logging StoppedAWS CloudTrail logging was stopped. Check with the user to make sure this was intentional. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsFor each AWS account ( |
Analytics |
N |
AWS S3 Ransomware
AWS S3 RansomwarePossible AWS S3 ransomware was observed. Check with the user. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsFor each AWS account user name ( |
Analytics |
N |
Backup Catalogs Deleted by Ransomware
Backup Catalogs Deleted by RansomwareThe XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf |
Analytics |
N |
Bad Destination Reputation Anomaly
Bad Destination Reputation AnomalyA destination IP address with a bad reputation has received an anomalously large number of connections. Investigate the connections and consider blocking the destination IP address. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections for every destination IP address ( |
Unsupervised |
Y |
Bad Reputation Login
Bad Reputation LoginA successful login was observed from an IP address with a history of malicious activity. Check with the user. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsThe login records are checked for every source IP address ( |
Analytics |
N |
Bad Source Reputation Anomaly
Bad Source Reputation AnomalyA source IP address with a bad reputation has made an anomalously large number of connections. Investigate the connections and consider blocking the source IP address. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections for every source IP address ( |
Unsupervised |
Y |
Carbon Black: XDR Anomaly
Carbon Black: XDR AnomalyOn a specific device, an anomalously large number of VMware Carbon Black endpoint log records or a rarely seen type of record has been observed compared to the typical number in a measured interval. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of occurrences of Carbon Black endpoint (cloud) log, based on the “UNKNOWN“ threat category ( |
Unsupervised |
Y |
Command & Control Reputation Anomaly
Command & Control Reputation AnomalyAn anomalously large number of connections were made to known command and control servers. Investigate the connections and source hosts. If malicious, block the IP addresses of the command and control servers. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections for every destination IP ( |
Unsupervised |
Y |
Command Anomaly
Command AnomalyA command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of times a command ( |
Unsupervised |
Y |
Cryptojacking
CryptojackingAn unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsIf an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature ( |
Analytics |
N |
CylanceOPTICS: XDR Anomaly
CylanceOPTICS: XDR AnomalyOn a specific device, a rarely seen or an anomalously large number of CylanceOPTICS endpoint log records has been observed, compared to the typical number in a measured interval or has been observed after several days of silence. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of occurrences of CylanceOPTICS log records ( |
Unsupervised |
Y |
Data Ingestion Volume Anomaly
Data Ingestion Volume AnomalyA sensor is sending an anomalously high or low volume of data, compared to its typical volume. Check the sensor. A low volume could indicate a sensor failure or other problems. For a high volume, determine the cause of the increase. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsThe data ingestion volume of every data sensor with sensor id (
A sample Interflow includes the sensor ID ( |
Unsupervised |
Y |
DGA
DGAA host is using a potential Domain Generation Algorithm (DGA). If the target domain is a malicious domain, the host might be compromised. Investigate the DGA domains and the host. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsWhenever a host ( If a monitored host ( |
Supervised |
N |
DHCP Server Anomaly
DHCP Server AnomalyA new DHCP server appeared in the network. This could be a hacker attempting to steer traffic. Investigate and consider telling employees to avoid this server. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsIf a DHCP server that has never been seen before appears in the network, an alert is triggered. The Interflow includes the destination IP address ( |
Analytics |
N |
DNS Tunneling Anomaly
DNS Tunneling AnomalyAn anomalously large number of connections tunneling high-entropy traffic through DNS were made. This can indicate data exfiltration. Investigate the tunnel and source host. If malicious, block the source host. XDR Kill Chain
Event NameThe Severity98 Key Fields and Relevant Data Points
Use Case with Data PointsThe DNS queries ( |
Supervised |
N |
Emerging Threat
Emerging ThreatAn emerging threat has been observed. Investigate the IP address and consider blocking. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsStellar Cyber monitors traffic for emerging threats. An alert is triggered if emerging threats are observed in any of the following:
Note that only one of these is needed to trigger the alert. So, although the Interflow includes the source IP address ( |
Analytics |
N |
Encoded PowerShell
Encoded PowerShellA Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf a Windows host ( |
Analytics |
N |
Encrypted C&C
Encrypted C&CA connection to or from known command and control servers was observed in encrypted traffic. Consider blocking the source IP address. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf known command and control servers are detected on either side of a connection with encrypted traffic, an alert is triggered. The Interflow includes the source IP address ( |
Analytics |
N |
Exploited C&C Connection
Exploited C&C ConnectionAn exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsTwo events are involved in this alert type. In the first event, an attacker ( When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event ( |
Analytics |
N |
External Account Login Failure Anomaly
External Account Login Failure AnomalyAn anomalously large number of user login failures was observed for an account. Check with the user. This alert type has the following subtypes: This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. XDR Kill Chain
Event NameThe Severity45 Key Fields and Relevant Data Points
Use Case with Data PointsLogin failures and successes are calculated periodically for every account ( Alert Subtype: Office 365 / Entra ID The Office 365 / Entra ID alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Windows Security Events The Windows Security Events alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
External Brute-Forced Successful User Login
External Brute-Forced Successful User LoginA successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user. This alert type has the following subtypes: This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins. XDR Kill Chain
Event NameThe Severity90 Alert Subtype: Source IP Based The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points. The Key Fields and Relevant Data Points
Use Case with Data PointsThe login records are checked for every external source IP address (
A sample Interflow includes the source IP address ( The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points. The Key Fields and Relevant Data Points
Use Case with Data PointsThe login records to a user account (
A sample Interflow includes the source IP address (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised+Analytics |
N |
External Credential Stuffing
External Credential StuffingAn anomalously large amount of username/password testing was observed on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsExternal credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
External Exploited Vulnerability
External Exploited VulnerabilityA host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsAn attacker ( When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Firewall Denial Anomaly
External Firewall Denial AnomalyA source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the source IP address. XDR Kill ChainKill Chain Stage: Initial Attempts Tactic: [External] XDR NBA (XTA0002) Technique: XDR Firewall Anomaly (XT2002) Tags: [External; Network Traffic Analysis; Firewall Anomalies] Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of firewall denials for every source IP address (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External Firewall Policy Anomaly
External Firewall Policy AnomalyA rarely triggered firewall policy has been violated. Investigate that policy and track down the violation. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsA firewall policy violation (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External Handshake Failure
External Handshake FailureThere were too many handshake failures between two hosts, which might indicate port scanning. Check the source host to see if this was expected and, if not, consider blocking the host. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsIf a host (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External IDS Signature Spike
External IDS Signature SpikeA source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External IP / Port Scan Anomaly
External IP / Port Scan AnomalyA host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. This alert type has the following subtypes: XDR Kill ChainEvent NameThe Severity10 Alert Subtype: Connection Failure Anomaly (Sensor Traffic) The Key Fields and Relevant Data Points
Use Case with Data PointsFor every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address ( Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one. Validation / RemediationIf the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized. If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner. Potential False PositivesSome legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address. Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic) The XDR Kill ChainEvent NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsFor every unique (destination IP address and destination port) browsed by each source IP address ( Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one. Validation / RemediationIf the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized. If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner. Potential False PositivesSome legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address. More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External Non-Standard Port Anomaly
External Non-Standard Port AnomalyAn application had an anomalously large number of connections or a rarely seen connection on non-standard ports. Check the application to be sure this is benign. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections for an application ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised+Analytics |
Y |
External Other Malware
External Other MalwareMalware with uncategorized malicious activity was observed. Check with the user. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates malware that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Password Spraying
External Password Spraying.An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External PII Leaked
External PII LeakedPersonally identifiable information (social security numbers or credit cards) has been observed in the clear. Check the source to see if it is compromised. If so, consider blocking it. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsIf a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Plain Text Passwords Detected
External Plain Text Passwords DetectedA plain text password was detected in unencrypted traffic. Check with the user. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsIf there are plain text passwords in unencrypted traffic records with a public source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Protocol Account Login Failure Anomaly
External Protocol Account Login Failure AnomalyAn anomalously large number of login failures over SMB or FTP was observed. Check with the user. XDR Kill Chain
Event NameThe Severity35 Key Fields and Relevant Data Points
Use Case with Data PointsFor every user name ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
External PUA
External PUAUnwanted applications or malware that bombards the user with advertisements has been observed. Check with the user. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates potentially unwanted applications (PUA), an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Ransomware
External RansomwareMalware that prevents you from accessing your system or files and demands ransom payment in order to regain access was observed. Check with the user. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates ransomware, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External RDP BlueKeep
External RDP BlueKeepDetects the use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External RDP Brute Force Attack
External RDP Brute Force AttackAn anomalously large number of RDP connections to an RDP server was observed. Check the source IP addresses to determine if they are unknown or malicious, and monitor any successful RDP logins. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsRDP connection activity is monitored and the number of connections are calculated periodically. If the number of connections to an RDP server ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External RDP Suspicious Outbound
External RDP Suspicious OutboundNon-standard tools connecting to TCP port 3389 were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsConnections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Scanner Behavior Anomaly
External Scanner Behavior AnomalyAn anomalously large amount of scanning behavior or a rarely seen scan behavior was found. Cross-check with the IP/Port Scan Anomaly alert. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of occurrences of each scanner, based on IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External SMB Read Anomaly
External SMB Read AnomalyAn IP address sent an anomalously large number of read requests to SMB protocol based service(s). Investigate the files that the IP address tried to read. If suspicious, block the source IP address. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SMB read requests for every source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External SMB Username Enumeration
External SMB Username EnumerationAt least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from the same source. Check the source IP address. If malicious, consider blocking it. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsIf one source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External SMB Write Anomaly
External SMB Write AnomalyAn IP address sent an anomalously large number of SMB write requests. Investigate the files that the IP address tried to write. If suspicious, block the source IP address. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SMB write requests for every source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Spyware
External SpywareMalware that collects and shares information about a device without consent was observed. Check with the user. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates spyware activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External SQL Anomaly
External SQL AnomalyAn IP address sent an anomalously large number of queries to one or more SQL servers. Investigate the queries. If suspicious, block the source IP address. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SQL queries for every source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External SQL Dumpfile Execution
External SQL Dumpfile ExecutionThe SQL XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf the SQL More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External SQL Shell Command
External SQL Shell CommandShell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsFor SQL query records, if special commands (such as More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Suspected Malicious User Agent
External Suspected Malicious User AgentAn external HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf a seen user agent is identified as suspicious, an alert is triggered. The alert includes the suspicious user agent ( Alert Subtype: Predicted Malicious Agent The Predicted Malicious Agent alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:
Alert Subtype: Known Malicious Agent Match The Known Malicious Agent Match alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Supervised |
N |
External SYN Flood Attacker
External SYN Flood AttackerAn attacker sends a large amount of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsIf an external host (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External SYN Flood Victim
External SYN Flood VictimA large amount of SYN requests were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsIf an external host ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External Trojan
External TrojanMalware that disguises itself as legitimate software in order to gain access to a system or files has been observed. Check with the user. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates trojan activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
External URL Reconnaissance Anomaly
External URL Reconnaissance AnomalyAn anomalous number of HTTP 4xx errors were observed. This can indicate an attacker scanning for pages to exploit. Check with the user. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsFor every unique URL browsed by each source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
External User Agent Anomaly
External User Agent AnomalyAn HTTP connection was made by a user agent that has never been seen before (or been seen very rarely). Investigate the connection destination. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsAll user agent ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External User Application Usage Anomaly
External User Application Usage AnomalyA user who typically uses a small, consistent number of applications used a new application. Investigate the application, to see if it is benign. Check with the user to see if this was expected. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsAn alert is triggered under the following conditions:
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External User Data Volume Anomaly
External User Data Volume AnomalyA user had an anomalously large volume of traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected. Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe total traffic volume of each user identified by user ID ( The Interflow includes the source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
External User Login Failure Anomaly
External User Login Failure AnomalyAn anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user. This alert type has the following subtypes: This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsLogin failures and successes are calculated periodically for every source ( Alert Subtype: Office 365 / Entra ID The Office 365 / Entra ID alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Source IP Based The Source IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Destination IP Based The Destination IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Kerberos Events The Kerberos Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Source IP Based Windows Logon Events The Source IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Destination IP Based Windows Logon Events The Destination IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
File Action Anomaly
File Action AnomalyActions, such as move, copy, delete, or change attribute, were taken on a file or files an anomalous number of times. Investigate the actions and the user to see if this is expected. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of file actions for each user ( |
Unsupervised |
Y |
File Creation Anomaly
File Creation AnomalyA file or files were created an anomalously large number of times. Check with the user to see if this is expected. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of file creations for each user ( |
Unsupervised |
Y |
Google Workspace Account Manipulation
Google Workspace Account ManipulationA Google Workspace user was manipulated. Check with the user to make sure this was expected. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsFor each Google Workspace account ( |
Analytics |
N |
Google Workspace Attack Warning
Google Workspace Attack WarningAttacks to a Google Workspace account were observed. Check with the account holder. XDR Kill Chain
Event NameThe Severity74 Key Fields and Relevant Data Points
Use Case with Data PointsFor each Google Workspace account ( |
Analytics |
N |
Google Workspace Suspicious Activities
Google Workspace Suspicious ActivitiesSuspicious activities were observed in a Google Workspace account. Check with the account holder. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsFor each Google Workspace account ( |
Analytics |
N |
Google Workspace User Suspended
Google Workspace User SuspendedA Google Workspace user was suspended. Check with the user to make sure this was expected. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsFor each Google Workspace account ( |
Analytics |
N |
Hydra Password Guessing Hack Tool
Hydra Password Guessing Hack ToolA user on a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra style parameters, which may be an inappropriate use of the Hydra password guessing tool. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsThis alert is triggered if a Windows host ( Validation / RemediationCheck the body of the Powershell script that is reported on the Windows host to identify whether the contents of the script are actually malicious. If malicious, consider quarantining the host. Potential False PositivesThe running of any executable named |
Analytics |
N |
Impossible Travel Anomaly
Impossible Travel AnomalyA user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user. This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. For the Impossible Travel Anomaly, there are two chances for ingestion delay, so the slowest of the two records will define the delay. This alert type is also sensitive to the order of user logins. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsLogin events (E1 and E2) are examined for a user ( E1 is the basis for the Interflow. The |
Unsupervised |
Y |
Internal Account Login Failure Anomaly
Internal Account Login Failure AnomalyAn anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user. This alert type has the following subtypes: This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsLogin failures and successes between any internal IP addresses are calculated periodically for every account ( Alert Subtype: Windows Logon Events The Windows Logon Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Kerberos Events The Kerberos Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
The NTLM Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Hibun Security Logs The Hibun Security Logs alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
Internal Brute-Forced Successful User Login
Internal Brute-Forced Successful User LoginA successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user. This alert type has the following subtypes: This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins. XDR Kill Chain
Event NameThe Severity95 Alert Subtype: Source IP Based The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points. The Key Fields and Relevant Data Points
Use Case with Data PointsThe login records to an internal IP address (
A sample Interflow includes the source IP address ( The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points. The Key Fields and Relevant Data Points
Use Case with Data PointsThe login records to a user account (
A sample Interflow includes the source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised+Analytics |
N |
Internal Credential Stuffing
Internal Credential StuffingAn anomalously large amount of username/password testing was observed on an internal Windows authentication service. Check the activity after successful logins, and consider blocking the internal source IP addresses. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsInternal credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
Internal Exploited Vulnerability
Internal Exploited VulnerabilityAn internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsAn attacker ( When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Firewall Denial Anomaly
Internal Firewall Denial AnomalyA internal source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the internal source IP address. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of firewall denials for every internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal Firewall Policy Anomaly
Internal Firewall Policy AnomalyA rarely triggered firewall policy involving an internal source IP and internal destination IP has been violated. Investigate that policy and track down the violation. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsA firewall policy violation ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal Handshake Failure
Internal Handshake FailureThere were too many handshake failures between two internal hosts, which might indicate port scanning. Check the source host to see if this was expected, and if not, consider blocking the host. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf an internal host ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal IDS Signature Spike
Internal IDS Signature SpikeA source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity65 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal IP / Port Scan Anomaly
Internal IP / Port Scan AnomalyA host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. Check with the user. This alert type has the following subtypes: XDR Kill ChainEvent NameThe Severity40 Alert Subtype: Connection Failure Anomaly (Sensor Traffic) The Key Fields and Relevant Data Points
Use Case with Data PointsFor each internal source IP address ( Validation / RemediationCheck with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized. Potential False PositivesSome legitimate activities such as vulnerability scans or penetration testing may trigger this alert type. Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic) Event NameThe Key Fields and Relevant Data Points
Use Case with Data PointsFor every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address ( Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one. Validation / RemediationCheck with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized. Potential False PositivesSome legitimate activities such as vulnerability scans or penetration testing may trigger this alert type. More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal Non-Standard Port Anomaly
Internal Non-Standard Port AnomalyAn application had an anomalously large number of connections or a rarely seen connection to an internal IP address on non-standard ports. Check the application to be sure this is benign. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections for an application ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal Other Malware
Internal Other MalwareMalware with uncategorized malicious activity in internal traffic was observed. Check with the user. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates malware in internal traffic that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Password Spraying
Internal Password SprayingAn anomalously large number of failed logins with unknown user names was observed on internal Windows authentication services. Check the activity after successful logins, and consider blocking the internal source IP addresses. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal PII Leaked
Internal PII LeakedPersonally identifiable information (social security numbers or credit cards) has been observed in internal traffic in the clear. Check the source to see if it is compromised. If so, consider blocking it. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsIf a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Plain Text Passwords Detected
Internal Plain Text Passwords DetectedA plain text password was observed in unencrypted traffic between internal systems. Check with the user. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf there are plain text passwords in traffic records with a public source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Protocol Account Login Failure Anomaly
Internal Protocol Account Login Failure AnomalyAn anomalously large number of login failures between internal IP addresses over SMB or FTP was observed. Check with the user. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsFor every user name ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
Internal PUA
Internal PUAUnwanted applications or malware that bombards the user with advertisements in internal traffic has been observed. Check with the user. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates potentially unwanted applications (PUA) in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Ransomware
Internal RansomwareMalware that prevents you from accessing your system or files and demands ransom payment in order to regain access in internal traffic was observed. Check with the user. XDR Kill Chain
Event NameThe Severity98 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates ransomware in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal RDP BlueKeep
Internal RDP BlueKeepThe use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed between internal hosts. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsIf the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal RDP Brute Force Attack
Internal RDP Brute Force AttackAn anomalously large number of RDP connections from internal host(s) to an RDP server were observed. Check the source IP addresses to see if they are unknown or malicious, and monitor any successful RDP logins. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsRDP connection activity is monitored and the number of connections calculated periodically. If the number of connections from internal host(s) to an RDP server ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal RDP Suspicious Outbound
Internal RDP Suspicious OutboundNon-standard tools from an internal host connecting to TCP port 3389 in the other internal host were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsConnections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Scanner Behavior Anomaly
Internal Scanner Behavior AnomalyAn anomalously large amount of scanning behavior or a rarely seen scan behavior between internal hosts was observed. Cross-check with the IP/Port Scan Anomaly alert. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of occurrences of each scanner, based on IDS signature ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal SMB Read Anomaly
Internal SMB Read AnomalyAn internal IP address sent an anomalously large number of read requests to an internal SMB protocol based service(s). Investigate the files that this internal IP address tried to read. If suspicious, block the specific internal source IP address. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SMB read requests for every internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal SMB Username Enumeration
Internal SMB Username EnumerationAt least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from an internal IP address to other internal IP address(es). Check the source IP address. If malicious, consider blocking it. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf an internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal SMB Write Anomaly
Internal SMB Write AnomalyAn internal IP address sent an anomalously large number of SMB write requests to other internal IP address(es). Investigate the files that the IP address tried to write. If suspicious, block the source IP address. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SMB write requests to internal IP address(es) for every internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal Spyware
Internal SpywareMalware that collects and shares information about a device without consent in internal traffic was observed. Check with the user. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates spyware activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal SQL Anomaly
Internal SQL AnomalyAn internal IP address sent an anomalously large number of queries to an internal SQL server. Investigate the queries. If suspicious, block the source IP address. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of SQL queries for every internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal SQL Dumpfile Execution
Internal SQL Dumpfile ExecutionThe SQL XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf any SQL More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal SQL Shell Command
Internal SQL Shell CommandShell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsFor SQL query records, if special commands (such as More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Suspected Malicious User Agent
Internal Suspected Malicious User AgentAn internal HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf a seen user agent is identified as suspicious, an alert is triggered. The alert will contain the suspicious user agent ( Alert Subtype: Predicted Malicious Agent The Predicted Malicious Agent alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:
Alert Subtype: Known Malicious Agent Match The Known Malicious Agent Match alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Supervised |
N |
Internal SYN Flood Attacker
Internal SYN Flood AttackerAn internal attacker sends a large amount of SYN requests to internal target system(s) in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. XDR Kill Chain
Event NameThe Severity25 Key Fields and Relevant Data Points
Use Case with Data PointsIf an internal host ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal SYN Flood Victim
Internal SYN Flood VictimA large amount of SYN requests to an internal target were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host. XDR Kill Chain
Event NameThe Severity25 Key Fields and Relevant Data Points
Use Case with Data PointsIf an internal host ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal Trojan
Internal TrojanMalware that disguises itself as legitimate software in order to gain access to a system or files in internal traffic has been observed. Check with the user. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsIf ML-IDS or sandbox indicates trojan activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Analytics |
N |
Internal URL Reconnaissance Anomaly
Internal URL Reconnaissance AnomalyAn anomalous number of HTTP 4xx errors from an internal IP address to other internal IP addresses were observed. This can indicate an attacker scanning for pages to exploit. Check with the user. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsFor each internal source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
Internal User Agent Anomaly
Internal User Agent AnomalyAn internal HTTP connection was made by an internal user agent that has never been seen before (or been seen very rarely). Investigate the connection destination. XDR Kill Chain
Event NameThe Severity35 Key Fields and Relevant Data Points
Use Case with Data PointsAll user agents ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal User Application Usage Anomaly
Internal User Application Usage AnomalyAn internal user who usually runs a few applications with internal service IP addresses suddenly runs a new application. Investigate the application to see if it is benign. Check with the user to see if this was expected. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsAn alert is triggered under the following conditions:
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal User Data Volume Anomaly
Internal User Data Volume AnomalyA user had an anomalously large volume of internal traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected. Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsThe total internal traffic volume of each user identified by user ID ( The Interflow includes the source IP address ( More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
Y |
Internal User Login Failure Anomaly
Internal User Login Failure AnomalyAn anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or Microsoft Entra ID (formerly Azure Active Directory). Check with the user. This alert type has the following subtypes: This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsLogin failures and successes between internal IP addresses are calculated periodically for every source ( Alert Subtype: Source IP Based The Source IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Destination IP Based The Destination IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
The NTLM Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Kerberos Events The Kerberos Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
Alert Subtype: Windows Logon Events The Windows Logon Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:
More on Internal versus External and Inbound vs Outbound Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as
|
Unsupervised |
N |
Login Time Anomaly
Login Time AnomalyA user logged in at an abnormal time. Check with the user. This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins. This alert type reads the System Timezone in Global Settings and puts the timezone into the alert descriptions. In Global Settings, set your timezone relative to UTC. When a Login Time Anomaly occurs, the timezone is bound to the alert description with the following priorities:
XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsEvery user's ( |
Unsupervised |
Y |
Long App Session Anomaly
Long App Session AnomalyAn application had an anomalously long session compared to its typical session length or that of its peers. Investigate the application to see if this session was expected. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsEvery application's ( |
Unsupervised |
Y |
Malicious Site Access
Malicious Site AccessA host accessed a URL with a reputation for potentially hosting malware. Check the URL and, if malicious, consider blocking it. Check the host for compromise. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsWhen a host ( |
Analytics |
N |
Malware on Disk
Malware on DiskSophos is deprecated from this alert type as of the 5.2.0 release. It is replaced by Sophos alert integration. Malicious software or a potentially unwanted application was found on a device and reported as not cleaned. Check with the user. XDR Kill Chain
Event NameThe Severity90 (Windows Defender) 80 (Sophos) Key Fields and Relevant Data Points
Use Case with Data PointsIf either of the following occurs, an alert is triggered:
A sample Interflow includes the computer name ( |
Analytics |
N |
Microsoft Entra Application Configuration Changes
Microsoft Entra Application Configuration ChangesThe Microsoft Entra Application Configuration Changes rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Application Configuration Changes Alert Type |
Analytics |
N |
Microsoft Entra Application Permission Changes
Microsoft Entra Application Permission ChangesThe Microsoft Entra Application Permission Changes rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Application Permission Changes Alert Type |
Analytics |
N |
Microsoft Entra Apps Modified to Allow Multi-Tenant Access
Microsoft Entra Apps Modified to Allow Multi-Tenant AccessMicrosoft Entra ID (formerly Azure Active Directory) observed an application being modified to allow multi-tenant access. Check with the organization to be sure this was expected. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf Microsoft Entra ID detects any user ( |
Analytics |
N |
Microsoft Entra BitLocker Key Retrieval
Microsoft Entra Bitlocker Key RetrievalThe Microsoft Entra Bitlocker Key Retrieval rules are used to identify suspicious Microsoft Entra Bitlocker key retrieval activity. Any one or more of these will trigger the Microsoft Entra Bitlocker Key Retrieval alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type |
Analytics |
N |
Microsoft Entra Changes to Conditional Access Policy
Microsoft Entra Changes to Conditional Access PolicyThe Microsoft Entra Changes to Conditional Access Policy rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type |
Analytics |
N |
Microsoft Entra Changes to Device Registration Policy
Microsoft Entra Changes to Device Registration PolicyThe Microsoft Entra Changes to Device Registration Policy rules are used to identify suspicious Microsoft Entra changes to device registration policy. Any one or more of these will trigger the Microsoft Entra Changes to Device Registration Policy alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type |
Analytics |
N |
Microsoft Entra Changes to Privileged Account
Microsoft Entra Changes to Privileged AccountThe Microsoft Entra Changes to Privileged Account rules are used to identify suspicious Microsoft Entra changes to privileged account. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Account alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Changes to Privileged Account Alert Type |
Analytics |
N |
Microsoft Entra Changes to Privileged Role Assignment
Microsoft Entra Changes to Privileged Role AssignmentThe Microsoft Entra Changes to Privileged Role Assignment rules are used to identify suspicious Microsoft Entra changes to privileged role assignment. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Role Assignment alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type |
Analytics |
N |
Microsoft Entra Custom Domains Changed
Microsoft Entra Custom Domains ChangedMicrosoft Entra ID (formerly Azure Active Directory) observed a custom domain being changed. Check with the organization to be sure this was expected. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf Microsoft Entra ID detects any user ( |
Analytics |
N |
Microsoft Entra Federation Modified
Microsoft Entra Federation ModifiedThe Microsoft Entra Federation Modified rules are used to identify suspicious Microsoft Entra federation modified activity. Any one or more of these will trigger the Microsoft Entra Federation Modified alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Federation Modified Alert Type |
Analytics |
N |
Microsoft Entra Guest User Invited by Non-Approved Inviters
Microsoft Entra Guest User Invited by Non-Approved InvitersThe Microsoft Entra Guest User Invited by Non-Approved Inviters rules are used to identify suspicious Microsoft Entra guest user invited by non-approved inviters. Any one or more of these will trigger the Microsoft Entra Guest User Invited by Non-Approved Inviters alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type |
Analytics |
N |
Microsoft Entra ID Discovery Using AzureHound
Microsoft Entra ID Discovery Using AzureHoundThe Microsoft Entra ID Discovery using AzureHound rules are used to identify Microsoft Entra ID discovery using Azurehound. Any one or more of these will trigger the Microsoft Entra ID Discovery using Azurehound alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra ID Discovery Using Azurehound Alert Type |
Analytics |
N |
Microsoft Entra PIM Setting Changed
Microsoft Entra PIM Setting ChangedThe Microsoft Entra PIM Setting Changed rules are used to identify suspicious Microsoft Entra PIM setting changed. Any one or more of these will trigger the Microsoft Entra PIM Setting Changed alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra PIM Setting Changed Alert Type |
Analytics |
N |
Microsoft Entra Privileged Account Assignment or Elevation
Microsoft Entra Privileged Account Assignment or ElevationThe Microsoft Entra Privileged Account Assignment or Elevation rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type |
Analytics |
N |
Microsoft Entra Sign-in Failure
Microsoft Entra Sign-in FailureThe Microsoft Entra Sign-in Failure rules are used to identify suspicious Microsoft Entra sign-in failures. Any one or more of these will trigger the Microsoft Entra Sign-in Failure alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Sign-in Failure Alert Type |
Analytics |
N |
Microsoft Entra Suspicious Sign-in Activity
Microsoft Entra Suspicious Sign-in ActivityThe Microsoft Entra Suspicious Sign-in Activity rules are used to identify suspicious Microsoft Entra sign-in activity. Any one or more of these will trigger the Microsoft Entra Suspicious Sign-in Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Microsoft Entra Sign-In Activity Alert Type |
Analytics |
N |
Microsoft Entra Unusual Account Creation
Microsoft Entra Unusual Account CreationThe Microsoft Entra Unusual Account Creation rules are used to identify Microsoft Entra unusual account creation activity. Any one or more of these will trigger the Microsoft Entra Unusual Account Creation alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Microsoft Entra Unusual Account Creation Alert Type |
Analytics |
N |
Mimikatz Credential Dump
Mimikatz Credential DumpA potential Mimikatz memory dump was observed. Check the process to determine whether the host is compromised. Consider quarantining the host. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data Points If a process ( |
Analytics |
N |
Mimikatz DCSync
Mimikatz DCSyncAn attempt to replicate Active Directory for the first time on a domain controller, or the first time by that account, has occurred. Evaluate whether the replication is intended and, if not, consider disabling the account involved in the replication and investigate for further signs of compromise. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsThis alert is triggered when replication of an Active Directory domain controller ( Validation / RemediationTo triage an alert of this type, consider first verifying whether the Active Directory replication event was expected. If the replication is not intended, then the alert has indicated that a DCSync attack is highly likely. This attack can be very severe, because all password hashes stored on the targeted domain controller might have been dumped. Disable the account involved in the replication as soon as possible and further investigate the account for any signs of compromise. There is no simple remediation for a confirmed DCSync attack. Evaluate the overall risks of credential leakage and apply appropriate corrective actions, including minimizing accounts with permissions to perform Active Directory replication, and forcing a change of credentials for accounts with weak passwords. Potential False PositivesThe following will trigger an alert:
|
Analytics |
N |
Office 365 Admin Audit Logging Disabled
Office 365 Admin Audit Logging DisabledOffice 365 admin audit logging was disabled. Make sure this change was expected. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors each Office 365 account ( |
Analytics |
N |
Office 365 Content Filter Policy Changed
Office 365 Content Filter Policy ChangedThe Microsoft Exchange content policy was changed. An overly permissive content policy can allow spammers to send your organization unwanted email. Make sure this change was expected. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors all Office 365 accounts ( |
Analytics |
N |
Office 365 File Sharing with Outside Entities
Office 365 File Sharing with Outside EntitiesAn Office 365 account shared multiple files with entities outside of the organization. Check with the user to make sure this was expected. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors sharing with outside entities for each Office 365 account ( |
Analytics |
N |
Office 365 Malware Filter Policy Changed
Office 365 Malware Filter Policy ChangedThe Microsoft Exchange malware filter policy changed. An overly permissive malware filter policy can allow attackers to send malicious attachments to your organization. Make sure this change was expected. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors all Office 365 accounts ( |
Analytics |
N |
Office 365 Multiple Files Restored
Office 365 Multiple Files RestoredOffice 365 observed that multiple files were restored in a short period. Check with the user. XDR Kill ChainEvent NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 periodically checks file restore records. If multiple file restore records are detected within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID ( |
Analytics |
N |
Office 365 Multiple Users Deleted
Office 365 Multiple Users DeletedOffice 365 observed that multiple users were deleted in a short period. Check with the user. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 periodically checks user deletion records. If multiple users were deleted within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID ( |
Analytics |
N |
Office 365 Network Security Configuration Changed
Office 365 Network Security Configuration ChangedOffice 365 identified a change to your organization's network security configuration, which is uncommon. Make sure this was expected. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors all Office 365 accounts ( |
Analytics |
N |
Office 365 Password Policy Changed
Office 365 Password Policy ChangedOffice 365 identified a change to your organization's password policy, which is uncommon. Make sure this was expected. XDR Kill Chain
Event NameThe Severity40 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors all Office 365 accounts ( |
Analytics |
N |
Office 365 Sharing Policy Changed
Office 365 Sharing Policy ChangedOffice 365 identified a change to your organization's sharing policy, which is uncommon. Make sure this was expected. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors all Office 365 accounts ( |
Analytics |
N |
Office 365 User Network Admin Changed
Office 365 User Network Admin ChangedThe Office 365 account’s network admin information was changed. Make sure this change was expected. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsOffice 365 monitors the network admin information for each Office 365 account ( |
Analytics |
N |
Outbound Destination Country Anomaly
Outbound Destination Country AnomalyA host that typically communicates with a small, consistent number of countries communicated with a new country. Investigate the destination, to see if it is benign. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsHosts ( |
Unsupervised |
Y |
Outbytes Anomaly
Outbytes AnomalyA source IP address transmitted an anomalously high amount of outbound traffic to one or multiple destination addresses in a 5 minute interval. This could indicate data exfiltration. Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data. XDR Kill Chain
Event NameThe Severity35 Key Fields and Relevant Data Points
Use Case with Data PointsEvery source host's ( |
Unsupervised |
Y |
Password Cracking with Hashcat
Password Cracking with HashcatA user from a Windows host executed a command-line script that launched either the hashcat.exe command or a command using known Hashcat parameters (-a -m 1000 -r). The Hashcat command is known to use a SAM file from the Windows registry along with a password list to crack passwords. XDR Kill Chain
Event NameThe Severity90 Key Fields and Relevant Data Points
Use Case with Data PointsThis alert is triggered if a Windows host ( Validation / RemediationCheck the body of the Powershell script that is reported on the Windows host to identify whether the contents are actually malicious. If malicious, consider quarantining the host. Potential False PositivesThe running of any executable named |
Analytics |
N |
Password Resets Anomaly
Password Resets AnomalyAn account reset/changed one or more target accounts' passwords an anomalously large number of times. Check the subject account and major target accounts. This alert type has the following subtype: XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsThe daily number of password reset/change actions of a user ( Validation / RemediationValidate the alert by checking the account activity on the date. If the number of resets/changes are abnormal, check the target user names that are being reset to verify if the action is expected. Potential False PositivesFalse positives can be triggered in the following situations:
Alert Subtype: Windows Account Password Reset Anomaly The |
Unsupervised |
Y |
Password Spraying Attempts Using Dsacls
Password Spraying Attempts Using DsaclsA user from a Windows host executed a command-line script to launch a command that by name and parameter list indicates an attempt to abuse dsacls.exe for password spraying. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsThis alert is triggered if a Windows host ( Validation / RemediationCheck whether the usage was actually malicious. If so, consider quarantining the Windows host. Potential False PositivesThis alert could be triggered even if the use is a legitimate use of |
Analytics |
N |
Phishing URL
Phishing URLA connection to a site with a phishing reputation was observed. Check with the user to determine whether their system is compromised. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf a connection from a source ( |
Analytics |
N |
Possible Encrypted Phishing Site Visit
Possible Encrypted Phishing Site VisitA possible phishing site visit to a recently registered domain was observed in encrypted traffic. Check with the user to determine whether their system is compromised. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf an encrypted connection to a recently registered site ( |
Analytics |
N |
Possible Phishing Site Visit from Email
Possible Phishing Site Visit from EmailA user visited a recently registered domain shortly after using email, indicating a possible phishing site visit. Check to see if the site is malicious. If so, check with the user to see if they are compromised. XDR Kill Chain
Event NameThe Severity70 Key Fields and Relevant Data Points
Use Case with Data PointsIf a user ( When an alert is triggered, a new correlation event is created. The Interflow includes the reference ID of the original record of the domain visit ( |
Analytics |
N |
Possible Unencrypted Phishing Site Visit
Possible Unencrypted Phishing Site VisitA possible phishing site visit to a recently registered domain was observed in unencrypted traffic. Check with the user to determine whether their system is compromised. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf an unencrypted connection to a recently registered site ( |
Analytics |
N |
Potentially Malicious AWS Activity
Potentially Malicious AWS ActivityThe Potentially Malicious AWS Activity rules are used to identify suspicious activity within AWS logs. Any one or more of these will trigger the Potentially Malicious AWS Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Potentially Malicious AWS Activity Alert Type |
Analytics |
N |
Potentially Malicious Windows Event
Potentially Malicious Windows EventThe Potentially Malicious Windows Event rules are used to identify suspicious activity with Windows events. This is a generic rule name. Any one or more of these will trigger the Potentially Malicious Windows Event alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Potentially Malicious Event Alert Type |
Analytics |
N |
PowerShell Remote Access
PowerShell Remote AccessA Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf a Windows host ( |
Analytics |
N |
Private to Private Exploit Anomaly
Private to Private Exploit AnomalyA private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another private IP address. Investigate that signature. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity75 Alert Subtype: IDS Traffic Anomaly The IDS Traffic Anomaly alert subtype is the same as the Private to Private Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures ( Alert Subtype: IPS Traffic Anomaly The IPS Traffic Anomaly alert subtype is the same as the Private to Private Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Private to Private IPS Signature Spike
Private to Private IPS Signature SpikeA source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Private to Public Exploit Anomaly
Private to Public Exploit AnomalyA private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a public IP address. Investigate that signature. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity60 Alert Subtype: IDS Traffic Anomaly The IDS Traffic Anomaly alert subtype is the same as the Private to Public Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures ( Alert Subtype: IPS Traffic Anomaly The IPS Traffic Anomaly alert subtype is the same as the Private to Public Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Private to Public IPS Signature Spike
Private to Public IPS Signature SpikeA source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Process Anomaly
Process AnomalyA process has been launched an anomalously large number of times. Investigate the process and the user to see if this is expected. XDR Kill Chain
Event NameThe Severity15 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of times a process ( |
Unsupervised |
Y |
Public to Private Exploit Anomaly
Public to Private Exploit AnomalyA public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a private IP address. Investigate that signature. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity60 Alert Subtype: IDS Traffic Anomaly The IDS Traffic Anomaly alert subtype is the same as the Public to Private Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures ( Alert Subtype: IPS Traffic Anomaly The IPS Traffic Anomaly alert subtype is the same as the Public to Private Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Public to Private IPS Signature Spike
Public to Private IPS Signature SpikeA source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Public to Public Exploit Anomaly
Public to Public Exploit AnomalyA public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another public IP address. Investigate that signature. This alert type has the following subtypes: XDR Kill Chain
Event NameThe Severity50 Alert Subtype: IDS Traffic Anomaly The IDS Traffic Anomaly alert subtype is the same as the Public to Public Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IDS signatures ( Alert Subtype: IPS Traffic Anomaly The IPS Traffic Anomaly alert subtype is the same as the Public to Public Exploit Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
Public to Public IPS Signature Spike
Public to Public IPS Signature SpikeA source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of unique IPS signatures ( |
Unsupervised |
Y |
RDP Outbytes Anomaly
RDP Outbytes AnomalyAn internal host transferred an anomalously high amount of data to external host(s) through RDP. This could indicate data exfiltration. Check with the user. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsEvery destination host's ( |
Unsupervised |
Y |
RDP Port Opening
RDP Port OpeningNetsh commands to open TCP port 3389 were observed. This could indicate Sarwent malware attempting to establish an RDP connection. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsCommands that open TCP port 3389 are monitored, and if netsh commands are seen, an alert is triggered. A sample Interflow includes the source IP address ( |
Analytics |
N |
RDP Registry Modification
RDP Registry ModificationModifications of the property values of XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsThe property values of |
Analytics |
N |
RDP Reverse Tunnel
RDP Reverse TunnelAn XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf an svchost hosting RDP termsvcs communicating with the loopback address is found on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address ( |
Analytics |
N |
RDP Session Hijacking
RDP Session HijackingA suspicious RDP session using XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf an RDP session redirect using tscon.exe or MSTSC is detected, an alert is triggered. A sample Interflow includes the host IP address ( |
Analytics |
N |
RDP Settings Hijacking
RDP Settings HijackingChanges to RDP terminal services settings were observed. Check the IP address and block if necessary. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsRDP terminal service settings are monitored, and if changes are found to these settings, an alert is triggered. A sample Interflow includes the source IP address ( |
Analytics |
N |
RDP Suspicious Logon
RDP Suspicious LogonAn RDP logon with a local source IP address was observed. This could indicate a tunneled logon. Check with the user. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsRemote desktop logins are monitored, and if a local source IP address is seen, an alert is triggered. A sample Interflow includes the source IP address ( |
Analytics |
N |
RDP Suspicious Logon Attempt
RDP Suspicious Logon AttemptAn authenticated user who is not allowed to log on remotely attempted to connect through RDP. Check with the user. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsWindows remote desktop logins are monitored, and if a user who is not allowed to remotely log in tries to log in with RDP, an alert is triggered. A sample Interflow includes the source IP address ( |
Analytics |
N |
Recently Registered Domains
Recently Registered DomainsA DNS request was observed for a site that was registered less than 90 days ago. Check the domain. If suspicious, notify users. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf a domain has been registered within the last 90 days, an alert is triggered. A sample Interflow includes the domain name ( |
Analytics |
N |
Scanner Reputation Anomaly
Scanner Reputation AnomalyAn anomalously large amount of connections were observed from an IP address with a reputation of being a scanner. Cross-check with the IP/Port Scan Anomaly alert, and check the links and content for possible spam or phishing. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsThe number of connections from a source IP address ( |
Unsupervised |
Y |
Sensitive Windows Active Directory Attribute Modification
Sensitive Windows Active Directory Attribute ModificationThe Sensitive Windows Active Directory Attribute Modification rules are used to identify suspicious activity with sensitive Windows Active Directory attribute modification. Any one or more of these will trigger the Sensitive Windows Active Directory Attribute Modification alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type |
Analytics |
N |
Sensitive Windows Network Share File or Folder Accessed
Sensitive Windows Network Share File or Folder AccessedThe Sensitive Windows Network Share File or Folder Accessed rules are used to identify suspicious activity with Windows network share file or folder access. Any one or more of these will trigger the Sensitive Windows Network Share File or Folder Accessed alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type |
Analytics |
N |
Sensor Status Anomaly
Sensor Status AnomalyThe sensor has changed its status from "connected" to "disconnected". XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsFor each sensor, its connection status is checked periodically, if the status changes from “connected“ to “disconnected“, the anomaly is triggered. A sample Interflow includes the sensor ID ( |
Unsupervised |
Y |
SMB Impacket Lateralization
SMB Impacket LateralizationThe execution of XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf a Windows host ( |
Analytics |
N |
SMB Specific Service Installation
SMB Specific Service InstallationA specific service installation used by the Impacket tool or Metasploit was observed. Check the source host. If malicious, consider blocking the host. XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf a Windows host ( |
Analytics |
N |
SMB Suspicious Copy
SMB Suspicious CopyA suspicious copy command from a remote C$ or ADMIN$ share was observed. Check the source host. If malicious, consider blocking the host. XDR Kill Chain
Event NameThe Severity75 Key Fields and Relevant Data Points
Use Case with Data PointsIf a Windows host ( |
Analytics |
N |
Steal or Forge Kerberos Tickets
Steal or Forge Kerberos TicketsThe Steal or Forge Kerberos Tickets rules are used to identify suspicious activity to steal or forge Kerberos tickets. Any one or more of these will trigger the Steal or Forge Kerberos Tickets alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Steal or Forge Kerberos Tickets Alert Type |
Analytics |
N |
Suspicious Access Attempt to Windows Object
Suspicious Access Attempt to Windows ObjectThe Suspicious Access Attempt to Windows Object rules are used to identify suspicious activity with access attempt to Windows objects. Any one or more of these will trigger the Suspicious Access Attempt to Windows Object alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Access Attempt to Windows Object Alert Type |
Analytics |
N |
Suspicious Activity Related to Security-Enabled Group
Suspicious Activity Related to Security-Enabled GroupThe Suspicious Activity Related to Security-Enabled Group rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these will trigger the Suspicious Activity Related to Security-Enabled Group alert types. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type |
Analytics |
N |
Suspicious AWS Bucket Enumeration
Suspicious AWS Bucket EnumerationThe Suspicious AWS Bucket Enumeration rules are used to identify suspicious activity related to AWS Bucket enumeration. Any one or more of these will trigger the AWS Bucket Enumeration alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS Bucket Enumeration Alert Type |
Analytics |
N |
Suspicious AWS EBS Activity
Suspicious AWS EBS ActivityThe Suspicious AWS EBS Activity rules are used to identify suspicious AWS Elastic Block Store (EBS) activity. Any one or more of these will trigger the Suspicious AWS EBS Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS EBS Activity Alert Type |
Analytics |
N |
Suspicious AWS EC2 Activity
Suspicious AWS EC2 ActivityThe Suspicious AWS EC2 Activity rules are used to identify suspicious activity within AWS EC2 logs. Any one or more of these will trigger the Suspicious AWS EC2 Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS EC2 Activity Alert Type |
Analytics |
N |
Suspicious AWS ELB Activity
Suspicious AWS ELB ActivityThe Suspicious AWS ELB Activity rules are used to identify suspicious activity with AWS ELB. Any one or more of these will trigger the Suspicious AWS ELB Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS ELB Activity Alert Type |
Analytics |
N |
Suspicious AWS IAM Activity
Suspicious AWS IAM ActivityThe Suspicious AWS IAM Activity rules are used to identify suspicious activity within AWS IAM logs. Any one or more of these will trigger the Suspicious AWS IAM Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS IAM Activity Alert Type |
Analytics |
N |
Suspicious AWS RDS Event
Suspicious AWS RDS EventThe Suspicious AWS RDS Event rules are used to identify suspicious activity related to AWS RDS events. Any one or more of these will trigger the Suspicious AWS RDS Event alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert Types |
Analytics |
N |
Suspicious AWS Root Account Activity
Suspicious AWS Root Account ActivityThe Suspicious AWS Root Account Activity rules are used to identify suspicious activity with AWS Root Account. Any one or more of these will trigger the Suspicious AWS Root Account Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS Root Account Activity Alert Type |
Analytics |
N |
Suspicious AWS Route 53 Activity
Suspicious AWS Route 53 ActivityThe Suspicious AWS Route 53 Activity rules are used to identify suspicious activity within AWS Route 53 logs. Any one or more of these will trigger the Suspicious AWS Route 53 Activity alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS Route 53 Activity Alert Type |
Analytics |
N |
Suspicious AWS SSL Certificate Activity
Suspicious AWS SSL Certificate ActivityThe Suspicious AWS SSL Certificate Activity rules are used to identify suspicious activity with AWS SSL certificates. Any one or more of these will trigger the Suspicious AWS SSL Certificate alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS SSL Certificate Activity Alert Type |
Analytics |
N |
Suspicious AWS VPC Flow Logs Modification
Suspicious AWS VPC Flow Logs ModificationThe Suspicious AWS VPC Flow Logs Modification rules are used to identify suspicious modification of AWS VPC Flow logs. Any one or more of these will trigger the Suspicious AWS VPC Flow Logs Modification alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS VPC Flow Logs Modification Alert Type |
Analytics |
N |
Suspicious AWS VPC Mirror Session
Suspicious AWS VPC Mirror SessionThe Suspicious AWS VPC Mirror Session rules are used to identify suspicious AWS VPC mirror session activity. Any one or more of these will trigger the Suspicious AWS VPC Mirror Session alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious AWS VPC Mirror Session Alert Type |
Analytics |
N |
Suspicious Connection to Another Process
Suspicious Connection to Another ProcessThe Suspicious Connection to Another Process rules are used to identify suspicious connection to another process. Any one or more of these will trigger the Suspicious Connection to Another Process alert types. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Connection to Another Process Alert Type |
Analytics |
N |
Suspicious Handle Request to Sensitive Object
Suspicious Handle Request to Sensitive ObjectThe Suspicious Handle Request to Sensitive Object rules are used to identify suspicious activity with handle requests to sensitive Windows objects. Any one or more of these will trigger the Suspicious Handle Request to Sensitive Object alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Handle Request to Sensitive Object Alert Type |
Analytics |
N |
Suspicious LSASS Process Access
Suspicious LSASS Process AccessThe Suspicious LSASS Process Access rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious LSASS Process Access Alert Type |
Analytics |
N |
Suspicious Modification of AWS CloudTrail Logs
Suspicious Modification of AWS CloudTrail LogsThe Suspicious Modification of AWS CloudTrail Logs rules are used to identify suspicious activity within AWS Cloudtrail logs. Any one or more of these will trigger the Suspicious Modification of AWS CloudTrail Logs alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Modification of AWS CloudTrail Logs Alert Type |
Analytics |
N |
Suspicious Modification of AWS Route Table
Suspicious Modification of AWS Route TableThe Suspicious Modification of AWS Route Table rules are used to identify suspicious activity related to modification of AWS route table. Any one or more of these will trigger the Suspicious Modification of AWS Route Table alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Modification of AWS Route Table Alert Type |
Analytics |
N |
Suspicious Modification of S3 Bucket
Suspicious Modification of S3 BucketThe Suspicious Modification of S3 Bucket rules are used to identify suspicious activity within S3 Bucket logs. Any one or more of these will trigger the Suspicious Modification of S3 Bucket alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Modification of S3 Bucket Alert Type |
Analytics |
N |
Suspicious Powershell Script
Suspicious Powershell ScriptThe Suspicious Powershell Script rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the Suspicious PowerShell Script alert types. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Powershell Script Alert Type |
Analytics |
N |
Suspicious Process Creation Commandline
Suspicious Process Creation CommandlineThe Suspicious Process Creation Commandline rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Commandline alert types. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Process Creation Commandline Alert Type |
Analytics |
N |
Suspicious Windows Active Directory Operation
Suspicious Windows Active Directory OperationThe Suspicious Windows Active Directory Operation rules are used to identify suspicious activity with Windows Active Directory operation. Any one or more of these will trigger the Suspicious Windows Active Directory Operation alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Active Directory Operation Alert Type |
Analytics |
N |
Suspicious Windows Logon Event
Suspicious Windows Logon EventThe Suspicious Windows Logon Event rules are used to identify suspicious activity with Windows Logons. Any one or more of these will trigger the Suspicious Windows Logon alert types. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Logon Event Alert Type |
Analytics |
N |
Suspicious Windows Network Connection
Suspicious Windows Network ConnectionThe Suspicious Windows Network Connection rules are used to identify suspicious Windows network connection activities. Any one or more of these will trigger the Suspicious Windows Network Connection alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Network Connection Alert Type |
Analytics |
N |
Suspicious Windows Process Creation
Suspicious Windows Process CreationThe Suspicious Windows Process Creation rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Process Creation alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Windows Suspicious Process Creation Alert Type |
Analytics |
N |
Suspicious Windows Registry Event: Impact
Suspicious Windows Registry Event: ImpactThe Suspicious Windows Registry Event: Impact rules are used to identify suspicious Windows registry events usually in the impact stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Impact alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Registry Event: Impact Alert Type |
Analytics |
N |
Suspicious Windows Registry Event: Persistence
Suspicious Windows Registry Event: PersistenceThe Suspicious Windows Registry Event: Persistence rules are used to identify suspicious Windows registry events usually in the persistence stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Persistence alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Registry Event: Persistence Alert Type |
Analytics |
N |
Suspicious Windows Service Installation
Suspicious Windows Service InstallationThe Suspicious Windows Service Installation rules are used to identify suspicious activity with service installation. Any one or more of these will trigger the Suspicious Windows Service Installation alert type. Event NameThe Key Fields and Relevant Data Points
Link to Rule-Based Alert TypesRules Contributing to Suspicious Windows Service Installation Alert Type |
Analytics |
N |
Unapproved Asset Activity
Unapproved Asset ActivityActivity of an asset has been marked as unapproved in one of the Investigate | Asset Activity tabs. Unapproved assets generate one alert per day until their approval status is changed with either the Approve or Ignore button in the Asset Activity tabs. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsIf an analyst marks an asset as unapproved in the Asset Activity tabs, a daily alert is triggered until the asset is either manually approved or ignored. |
Analytics |
N |
Uncommon Application Anomaly
Uncommon Application AnomalyPrivate (internal assets) to public (Internet) traffic has revealed an application that has never been seen before (or been seen very rarely). Investigate that application and ensure that it is benign. XDR Kill Chain
Event NameThe Severity20 Key Fields and Relevant Data Points
Use Case with Data PointsIf an application ( |
Unsupervised |
Y |
Uncommon Process Anomaly
Uncommon Process AnomalyAn asset launched a process that has never been seen before (or has very rarely been seen). This could indicate a malware attack. XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsIf a process ( |
Unsupervised |
Y |
User Asset Access Anomaly
User Asset Access AnomalyA user who typically uses a small, consistent number of assets logged in to a new asset. Investigate the asset and user to see if this was expected. This alert type has the following subtype: XDR Kill Chain
Event NameThe Severity30 Key Fields and Relevant Data Points
Use Case with Data PointsUsers ( The user is identified with the The SMB User Based alert subtype is the same as the User Asset Access Anomaly alert type above, with the following differences:
Key Fields and Relevant Data Points
|
Unsupervised |
Y |
User Login Location Anomaly
User Login Location AnomalyA login to a user account occurred from a source IP address that is anomalously distant from the nearest location typically observed for logins to that user account. This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency. The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
Use Case with Data PointsSuccessful login events for certain login types ( |
Unsupervised |
Y |
User Process Usage Anomaly
User Process Usage AnomalyA user who typically executes a small, consistent number of processes suddenly executed a new process. Investigate the process, to see if it is benign. Check with the user to see if this process was expected. XDR Kill Chain
Event NameThe Severity10 Key Fields and Relevant Data Points
Use Case with Data PointsLooks for a user ( The user is identified with the |
Unsupervised |
Y |
Volume Shadow Copy Deletion via VssAdmin
Volume Shadow Copy Deletion via VssAdminThe XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf |
Analytics |
N |
Volume Shadow Copy Deletion via WMIC
Volume Shadow Copy Deletion via WMICThe XDR Kill Chain
Event NameThe Severity80 Key Fields and Relevant Data Points
Use Case with Data PointsIf |
Analytics |
N |
WAF Internal Attacker Anomaly
WAF Internal Attacker AnomalyInternal web requests from a private IP address have been blocked/alerted by the Web Application Firewall (WAF). Investigate the source requester and ensure they are not compromised. XDR Kill Chain
Event NameThe Severity60 Key Fields and Relevant Data Points
The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility. Use Case with Data PointsIf web requests (f5.uri) from an internal IP address (srcip) to a web application (f5.web_application_name) have been blocked/alerted (f5.request_status) by the WAF, an alert is triggered. The Interflow includes the level of severity (f5.severity), the attack type (f5.attack_type), and the violation information (f5.violations), as well as signature name (f5.sig_names), staged signature name (f5.staged_sig_names), sub violation information (f5.sub_violations), and threat campaign name (f5.violation_details_xml.request-violations.violation.threat_campaign_data.threat_campaign_name), if applicable. If web requests ( Ingestion Types Supported for this Alert
|
Analytics |
N |
WAF Rule Violation Anomaly
WAF Rule Violation AnomalyWeb requests have been blocked/alerted by the Web Application Firewall (WAF) due to a surge in violations or violating a rule that is rarely invoked. Investigate the blocked/alerted web requests and ensure they are benign. Refer to Log Parser Portsfor the most current list of WAF parsers. XDR Kill Chain
Event NameThe Severity50 Key Fields and Relevant Data Points
The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility. Use Case with Data PointsIf web requests ( Ingestion Types Supported for this Alert
|
Unsupervised |
Y |