Alert Type Model Summary

Abnormal Parent / Child Process

A process that typically launches a small, consistent number of child processes has launched a new child process. Investigate the new child process or the parent process to see if it is benign.

This alert type has the following subtype categories:

• Machine Learning Anomaly Detection
• Rule Based Detection

Alert Subtype: Machine Learning Anomaly Detection

The xdr_event.subtype.name for this alert subtype in the Interflow data is machine_learning_anomaly_detection.

• process_name — name of the process
• parent_proc_name — name of the parent process
• hostip — host IP address
• hostip_host — host name
• stability — score measuring the time since the parent process launched the last child process
• days_stable — time since the parent process launched the last child process
• diversity — score measuring the number of child processes that the parent process spawned
• child_count — number of child processes that the parent process spawned

Use Case with Data Points

Each pair of parent/child processes (parent_proc_name and process_name) is examined periodically. If a parent process (parent_proc_name) with a small number of child processes (diversity, child_count) has not launched a new child process (process_name) for a long time (stability, days_stable) launches a new child process from a host (srcip_host), an alert is triggered.

Alert Subtype: Rule Based Detection

The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types.

• hostip — host IP address
• hostip_host — host name
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Parent/Child Suspicious Process Creation Alert Type

Account Creation Anomaly

An anomalously large number of accounts were created in a 5-minute interval or a user created an account for the first time in at least 14 days. Check the originating account and the new accounts for malicious behavior.

The data sources for this alert type are AWS, Microsoft Entra ID (formerly Azure AD), Google Workspace, and Windows.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [Internal] Persistence (TA0003 )

• Technique: Create Account (T1136 )

• Tags: [Internal; User Behavior Analytics; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is account_creation_anomaly.

• srcip_usersid — SID of account creating new accounts

  or

• event_data.SubjectUserName — User name of account creating new accounts (for Windows only)

  The key field for this alert type can be srcip_usersid or event_data.SubjectUserName, depending on the data source.

• srcip_username — user name of account creating new accounts
• responseElements.user.meta.createdBy — AWS user creating new accounts
• event_id — Windows event ID corresponding to the account creations
• actual — Actual number of account creation events in a 5-minute period
• typical — Typical number of account creation events in a 5-minute period
• event_summary.account_creation.new_users_count — Count of user names of new accounts
• event_summary.account_creation.new_users_summary — Summary of user names of new accounts, which is a list of up to 100 unique user names associated with the new account creations

Use Case with Data Points

If an unusually high number of accounts were created (actual) by (srcip_usersid) in a 5-minute period, an alert is triggered. The Interflow record includes the data source, the account responsible for creating other accounts, the timestamp, the number of accounts created (event_summary.account_creation.new_users_count), and a list of the created accounts (event_summary.account_creation.new_users_summary).

Validation / Remediation

Investigate the account that is creating other accounts for a breach and investigate any activity from the newly created accounts.

Potential False Positives

False positives may occur when many accounts are created at the same time for business purposes, for example, when onboarding new users or otherwise procedurally generating accounts.

Account MFA Login Failure Anomaly

An anomalously large number of Multi-Factor Authentication (MFA) user login failures was observed for an account. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is cloud_account_login_failure_okta.

• srcip_usersid — cloud account user ID
• srcip_username — cloud account user name
• event_summary.total_failed — number of failed logins in the period
• event_summary.total_successful — number of successful logins in the period
• event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• srcip_host — host name of corresponding source IP address
• login_type — type of login
• srcip_reputation — source reputation
• userIdentity.userName — user name of the account involved in the event
• eventSource — source of the event
• eventName — name of the event
• eventType — type of the event

Use Case with Data Points

Multi-Factor Authentication login failures and successes are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Application Usage Anomaly

An internal application had an anomalously large number of connections to one or more external hosts in a measured interval, exceeding 99.99% of all other intervals corresponding to different applications in the past two weeks. Investigate the application and connections, and consider blocking connections from the application.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR App Anomaly (XT2003)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is pripub_appid.

• appid — application ID
• appid_name — application name
• actual — actual number of connections in the period
• stellar.threshold — threshold number of connections per interval below which 99.99% of all other intervals, corresponding to different applications in the past two weeks, fall
• srcip_host — host name of a sample source IP address
• srcip_geo.countryName — source country
• dstip_host — host name of a sample destination IP address

Use Case with Data Points

Every application's (appid) number of connections is calculated periodically. If an application’s connections (actual) are larger than the threshold (stellar.threshold) below which 99.99% of all other intervals corresponding to different applications in the past two weeks fall, an alert is triggered. The Interflow includes a sample source host (srcip_host), the source country (srcip_geo.countryName), and a sample destination host (dstip_host). If there are multiple source or destination hosts, view the list in the Original Records.

AWS AMI Made Public

An AWS AMI was made public. Check with the user to make sure this was intentional.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: Privilege Escalation (TA0004 )

• Technique: Valid Accounts (T1078 )

• Tags: [AWS AMI; Access Control]

XDR Event Name

The xdr_event.name for this alert type in the Interflow data is aws_ami_public.

• userIdentity.accountId — key ID for the account
• userIdentity.userName — AWS account user name
• userIdentity.type — AWS account type
• eventName — AWS event name
• eventSource — AWS event source
• eventType — AWS event type

Use Case with Data Points

For each AWS account (userIdentity.accountId), activity to make an AMI public is monitored. If an AMI is made public, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId), user name (userIdentity.userName), account type (userIdentity.type), AWS event name (eventName), AWS event source (eventSource), and AWS event type (eventType).

AWS Logging Stopped

AWS CloudTrail logging was stopped. Check with the user to make sure this was intentional.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Defense Evasion (TA0005 )

• Technique: Impair Defenses (T1562 )

• Sub-technique: Disable or Modify Cloud Logs (T1562.008 )

• Tags: [AWS CloudTrail]

Event Name

The xdr_event.name for this alert type in the Interflow data is aws_stoplogging.

• userIdentity.accountId — key ID for the account
• userIdentity.userName — AWS account user name
• userIdentity.type — AWS account type
• eventName — AWS event name
• eventSource — AWS event source
• eventType — AWS event type

Use Case with Data Points

For each AWS account (userIdentity.accountId), log disabling is monitored. Logging is enabled by default, so if logging is disabled, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId), AWS account user name (userIdentity.userName), AWS account type (userIdentity.type), AWS event name (eventName), AWS event source (eventSource), and AWS event type (eventType).

AWS S3 Ransomware

Possible AWS S3 ransomware was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: Impact (TA0040 )

• Technique: Data Encrypted for Impact (T1486 )

• Tags: [Malware; Ransomware; AWS S3]

Event Name

The xdr_event.name for this alert type in the Interflow data is aws_s3_ransomware.

• userIdentity.accountId — key ID for the account
• userIdentity.userName — AWS account user name
• userIdentity.type — AWS account type
• eventName — AWS event name
• eventSource — AWS event source
• eventType — AWS event type

Use Case with Data Points

For each AWS account user name (userIdentity.userName), suspicious S3 ransomware is monitored. If ransomware is detected, an alert is triggered. The Interflow includes the account ID (userIdentity.accountId), AWS account user name (userIdentity.userName), AWS account type (userIdentity.type), AWS event name (eventName), AWS event source (eventSource), and AWS event type (eventType).

Azure Application Gateway Changed

The Azure Application Gateway Changed rules are used to identify events when an Azure application's gateway is changed. Any one or more of these will trigger the Azure Application Gateway Changed alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_application_gateway_changed.

• callerIpAddress — IP address of the user who performed the activity
• resourceId — identifier of the resource involved
• operationName — name of the activity
• category — activity category
• resultType — result of the operation
• identity.authorization.evidence.principalType — type of the service principal involved
• identity.authorization.evidence.principalId — identifier of the service principal involved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Azure Application Gateway Changed Alert Type

Azure DNS Zone Changed

The Azure DNS Zone Changed rules are used to identify events when an Azure DNS zone is changed. Any one or more of these will trigger the Azure DNS Zone Changed alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_dns_zone_change.

• callerIpAddress — IP address of the user who performed the activity
• resourceId — identifier of the resource involved
• operationName — name of the activity
• category — activity category
• resultType — result of the operation
• identity.authorization.evidence.principalType — type of the service principal involved
• identity.authorization.evidence.principalId — identifier of the service principal involved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Azure DNS Zone Changed Alert Type

Azure New CloudShell Created

The Azure New CloudShell Created rules are used to identify events when an Azure new Cloud Shell is changed. Any one or more of these will trigger the Azure New CloudShell Created alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_new_cloudshell_created.

• callerIpAddress — IP address of the user who performed the activity
• resourceId — identifier of the resource involved
• operationName — name of the activity
• category — activity category
• resultType — result of the operation
• identity.authorization.evidence.principalType — type of the service principal involved
• identity.authorization.evidence.principalId — identifier of the service principal involved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Azure New CloudShell Created Alert Type

Azure Security Configuration Changed

The Azure Security Configuration Changed rules are used to identify events when an Azure security configuration is changed. Any one or more of these will trigger the Azure Security Configuration Changed alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_security_config_changed.

• callerIpAddress — IP address of the user who performed the activity
• resourceId — identifier of the resource involved
• operationName — name of the activity
• category — activity category
• resultType — result of the operation
• identity.authorization.evidence.principalType — type of the service principal involved
• identity.authorization.evidence.principalId — identifier of the service principal involved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Azure Security Configuration Changed Alert Type

Backup Catalogs Deleted by Ransomware

The wbadmin.exe utility was used to delete the backup catalog. Ransomware and other malware do this to prevent system recovery. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Defense Evasion (TA0005 )

• Technique: Indicator Removal on Host (T1070 )

• Sub-technique: File Deletion (T1070.004 )

• Tags: [Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is ransomware_delete_backup_catalogs.

• hostip — IP address of the host on which the ransomware action happened
• hostip_host — host name
• process_name — name of the executed process
• event_data.CommandLine — command line that is executed to delete the backup catalog

Use Case with Data Points

If wbadmin.exe is used to delete the backup catalog, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).

Bad Destination Reputation Anomaly

A destination IP address with a bad reputation has received an anomalously large number of connections. Investigate the connections and consider blocking the destination IP address.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR Intel (XTA0005)

• Technique: XDR Bad Reputation (XT2010)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dstip_bad_reps.

• dstip — destination IP address
• dstip_host — destination host name
• dstip_reputation — destination reputation
• actual — actual number of connections to the destination IP address in the period
• typical — typical number of connections to the destination IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• appid_name — application name

Use Case with Data Points

The number of connections for every destination IP address (dstip) with a bad reputation (dstip_reputation) is calculated periodically. If a destination IP address's number of connections (actual) is much larger than the typical historical number (typical), an alert is triggered. The Interflow includes the source IP address making the connection (srcip_host), the application (appid_name) used, and the reputation of the source host (srcip_reputation).

Bad Reputation Login

A successful login was observed from an IP address with a history of malicious activity. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Bad Reputation (XT2010)

• Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is bad_reputation_login.

• srcip — source IP address
• srcip_host — source host name
• srcip_reputation — source reputation (if not empty)
• source_geo.countryName — source country
• dstip_host — destination host name
• login_type — type of login
• username — user name

Use Case with Data Points

The login records are checked for every source IP address (srcip). If a source IP address has successful login records and its reputation (srcip_reputation) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes source IP address (srcip), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), login type (login_type), and user name (username).

Bad Source Reputation Anomaly

A source IP address with a bad reputation has made an anomalously large number of connections. Investigate the connections and consider blocking the source IP address.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Bad Reputation (XT2010)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is srcip_bad_reps.

• srcip — source IP address
• srcip_host — host name of corresponding source IP address
• srcip_reputation — source reputation
• actual — actual number of connections in the period
• typical — typical number of connections from the source IP address
• dstip_host — host name of corresponding destination IP address
• dstip_reputation — destination reputation
• appid_name — application name

Use Case with Data Points

The number of connections for every source IP address (srcip) with a bad reputation (srcip_reputation) is calculated periodically. If a source IP address's number of connections (actual) is much larger than the typical historical number (typical), an alert is triggered. The Interflow includes the application (appid_name) used and the reputation of the destination host (dstip_reputation).

BloodHound Enumeration Activity

The BloodHound Enumeration Activity rules are used to identify potential domain enumeration activity from BloodHound or other Active Directory data collection tools. Any one or more of these will trigger the BloodHound Enumeration Activity alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is network_security_bloodhound_enumeration_activity.

• appid_name — network traffic protocol that triggered this detection
• srcip — source IP address
• dstip — destination IP address
• metadata.request.base_object — baseObject field of the LDAP search request
• metadata.request.scope — scope field of the LDAP search request
• metadata.request.filter — filter field of the LDAP search request
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to BloodHound Enumeration Activity Alert Type

Carbon Black: XDR Anomaly

The Carbon Black endpoint generates an anomalously high amount of log data or a rarely seen type of log data on the host. Investigate the device and the user, to see if this is expected.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR EBA (XTA0001)

• Technique: XDR Anomaly (XT1000)

• Tags: [Carbon Black]

Event Name

The xdr_event.name for this alert type in the Interflow data is carbonblack_edr_anomaly.

• host.ip — device internal IP address
• host.external_ip — device external IP address
• actual — actual volume of log records in the period
• typical — typical difference in volume of log records between this period and the previous period

Use Case with Data Points

The number of occurrences of Carbon Black endpoint (cloud) log, based on the “UNKNOWN“ threat category (event.type), is tabulated periodically. If this category occurs (actual) much more often compared to its history (typical) or a rarely seen type of record is observed, an alert is triggered. The Interflow includes information such as the file name (file.name), process (process.name), and description (xdr_event.description).

Cloud Drive Data Exfiltration Anomaly

An account downloaded an atypical number of files over a 24-hour period. Check the user and the targeted files.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Exfiltration (TA0010 )

• Technique: Exfiltration Over Web Service (T1567 )

• Sub-technique: Exfiltration to Cloud Storage (T1567.002 )

• Tags: [External; User Behavior Analytics; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is cloud_drive_data_exfiltration_anomaly.

• srcip_username — user downloading an anomalous number of files
• actual — number of downloads in the last 24 hours
• typical — typical number of downloads in the last 24 hours
• event_summary.cloud_drive_data_exfiltration_anomaly.downloaded_files_summary — names of the downloaded files from Google Workspace, OneDrive, and SharePoint (on a per-user basis)

Use Case with Data Points

If an unusually high number of files were downloaded from a cloud service by (srcip_username) in a 24-hour period, an alert will be triggered. A sample Interflow record includes the user requesting downloads (srcip_username) and a summary of what files have been downloaded (event_summary.cloud_drive_data_exfiltration_anomaly.downloaded_files_summary).

Command & Control Reputation Anomaly

An anomalously large number of connections were made to known command and control servers. Investigate the connections and source hosts. If malicious, block the IP addresses of the command and control servers.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR Intel (XTA0005)

• Technique: XDR Command and Control Reputation (XT5001)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is cnc_reputation.

• dstip — destination IP address
• dstip_host — destination host name
• dstip_reputation — destination reputation
• actual — actual number of connections in the period
• typical — typical number of connections to the destination IP address with a C&C reputation
• srcip_host — host name of corresponding source IP address
• srcip_reputation — source reputation
• appid_name — application name

Use Case with Data Points

The number of connections for every destination IP (dstip) with a command and control reputation (dstip_reputation) is calculated periodically. If a destination IP has a much higher number of connections (actual) than its history (typical) in any period, an alert is triggered. The Interflow includes the application used in the connection (appid_name), the source host (srcip_host), and the source reputation (srcip_reputation).

Command Anomaly

A command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Execution (TA0002 )

• Technique: Command and Scripting Interpreter (T1059 )

• Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is command_anomaly.

• command — command executed
• actual — actual number of executions in the period
• typical — typical number of executions in the period
• cwd — current working directory from which the command executed
• hostip — host from which the command was run
• hostip_host — host name
• username — user name who ran the command

Use Case with Data Points

The number of times a command (command) has been executed is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) of the command or other commands in any period, an alert is triggered. The Interflow includes the directory from which the command was executed (cwd), the host and source IP addresses (hostip and srcip) from which the command was executed, and the name of the user who ran the command (username).

Cryptojacking

An unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: Impact (TA0040 )

• Technique: Resource Hijacking (T1496 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is cryptojacking.

• ids.signature — IDS signature
• srcip — source IP address of the cryptojacking action
• dstip — destination IP address of the cryptojacking action
• srcip_reputation — source reputation
• srcip_host — source host name
• dstip_reputation — destination reputation
• dstip_host — destination host name

Use Case with Data Points

If an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), source reputation (srcip_reputation), source host (srcip_host), destination IP address (dstip), destination reputation (dstip_reputation), and destination host (dstip_host).

CylanceOPTICS: XDR Anomaly

The Cylance OPTICS endpoint generates an anomalously high amount of log data or a rarely seen type of log data on the host. Investigate the device and the user to see if this is expected.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR EBA (XTA0001)

• Technique: XDR Anomaly (XT1000)

• Tags: [Cylance]

Event Name

The xdr_event.name for this alert type in the Interflow data is cylance_edr_anomaly.

• host.name — device name
• event.description — description of the detection rule
• actual — actual number of log records in the period
• typical — typical number of log records generated on the device

Use Case with Data Points

The number of occurrences of CylanceOPTICS log records (event.provider) is calculated periodically. If this category occurs (actual) much more often compared to its history (typical) or a rarely seen type of event is generated, an alert is triggered. The Interflow includes information such as the process name (process.name), parent process name (process.parent.name), and description (event.description).

Data Ingestion Volume Anomaly

A sensor is sending an anomalously high or low volume of data, compared to its typical volume. Check the sensor. A low volume could indicate a sensor failure or other problems. For a high volume, determine the cause of the increase.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: XDR SBA (XTA0003)

• Technique: XDR Bytes Anomaly (XT3001)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ade_outbytes_anomaly.

• engid — sensor ID
• engid_name — sensor name
• actual — actual volume of data in the period
• typical — typical difference in data volume between this period and the previous period

Use Case with Data Points

The data ingestion volume of every data sensor with sensor id (engid) and sensor name (engid_name) is calculated periodically. If one of the following conditions is met, the anomaly is triggered:

• A moving window is used to record data ingestion volume. If the time window can be divided into two sub windows and the metric values of these two sub windows show large deviation

• The ingestion volume is anomalously high compared to its own history

• The ingestion volume is anomalously low compared to its history and it keeps being low for a relatively longer period

A sample Interflow includes the sensor ID (engid) and sensor name (engid_name).

DCERPC SMB Spoolss Named Pipe

The DCERPC SMB Spoolss Named Pipe rules detect suspicious SMB traffic accessing Spoolss named pipes. Any one or more of these will trigger the DCERPC SMB Spoolss Named Pipe alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is network_security_win_security_dce_rpc_smb_spoolss_named_pipe.

• appid_name — network traffic protocol that triggered this detection
• srcip — source IP address
• dstip — destination IP address
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to DCERPC SMB Spoolss Named Pipe Alert Type

DGA

A host is using a potential Domain Generation Algorithm (DGA). If the target domain is a malicious domain, the host might be compromised. Investigate the DGA domains and the host.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Command and Control (TA0011 )

• Technique: Dynamic Resolution (T1568 )

• Sub-technique: Domain Generation Algorithms (T1568.002 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dga_resolvable.

• srcip — source IP address of the host that sends the DGA queries
• srcip_host — source host name
• metadata.request.effective_tld — effective top-level domain of the DNS query
• is_dga — flag marking whether or not the DNS query is a DGA query
• actual — number of DGA domains the host has queried

Use Case with Data Points

Whenever a host (srcip) sends a DNS query (appid_name: dns) and the DNS server returns a non-existent domain (NXDOMAIN) response (metadata.response.reply_code), the NX domain query counter for the host is increased. We reset the counter if no NX domain queries are observed for a period of time. When the counter reaches a certain threshold, the host is monitored. When monitored, we run the FQDNs of all DNS queries (metadata.response.query) sent by this host through domain generation analytics to determine whether the domain's entropy indicates a DGA anomaly. If so, we mark the DNS record (is_dga). If the DNS query gets a response with valid resolved IP addresses (metadata.response.resolved_ips), we call it a resolvable query, otherwise we call it a non-resolvable query.

If a monitored host (srcip) sends a resolvable DGA query (is_dga: yes_resolvable), we check the effective top-level domain (metadata.response.effective_tld). If the same host (srcip) previously sent non-resolvable DGA queries (is_dga: yes) with the same effective top-level domain (metadata.response.effective_tld), the host is considered to have a high risk of being compromised and performing C&C with DGA. The Interflow includes the source host (srcip), DNS query (metadata.response.query), query effective top-level domain (metadata.response.effective_tld), and DGA flag (is_dga).

DHCP Server Anomaly

A new DHCP server appeared in the network. This could be a hacker attempting to steer traffic. Investigate and consider telling employees to avoid this server.

XDR Kill Chain

• Kill Chain Stage: Exploration

• Tactic: [Internal] XDR NBA (XTA0002)

• Technique: XDR Server Anomaly (XT2007)

• Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dhcp_anomaly.

• metadata.response.server_ip — IP address of the anomalous DHCP server
• dstip — IP address of the anomalous DHCP destination
• engid — sensor that reported the DHCP traffic
• srcip_host — host name that visited the suspicious DHCP server
• srcip_geo.countryName — country name of the source that visited the suspicious DHCP server

Use Case with Data Points

If a DHCP server that has never been seen before appears in the network, an alert is triggered. The Interflow includes the destination IP address (dstip), destination host (dstip_host), source host (srcip_host), and source country (srcip_geo.countryName).

DNS Query to Anonymous File Upload Domains

The DNS Query to Anonymous File Upload Domains rules are used to identify DNS queries to anonymous file upload platform domains often used for malicious purposes. Any one or more of these will trigger the DNS Query to Anonymous File Upload Domains alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_anonymous_file_upload_domains.

• srcip — IP address sending DNS query to anonymous file upload platform domains
• srcip_geo.countryName — country of the source IP address
• dstip — IP address receiving the DNS query
• dstip_geo.countryName — country of the destination IP address
• dns.question.name — anonymous file upload platform domain being resolved
• metadata.request.query — anonymous file upload platform domain being resolved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to DNS Query to Anonymous File Upload Domains Alert Type

DNS Query to External Service Interaction Domains

The DNS Query to External Service Interaction Domains rules are used to identify DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE. Any one or more of these will trigger the DNS Query to External Service Interaction Domains alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_external_service_interaction_domains.

• srcip — IP address sending external service domain DNS query
• srcip_geo.countryName — country of the source IP address
• dstip — IP address receiving the DNS query
• dstip_geo.countryName — country of the destination IP address
• dns.question.name — external service domain being resolved
• metadata.request.query — external service domain being resolved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to DNS Query to External Service Interaction Domains Alert Type

DNS Query to Monero Crypto Coin Mining Pool Domains

The DNS Query to Monero Crypto Coin Mining Pool Domains rules are used to identify DNS queries to Monero crypto coin mining pool domains. Any one or more of these will trigger the DNS Query to Monero Crypto Coin Mining Pool Domains alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_pua_cryptocoin_mining_xmr.

• srcip — IP address sending DNS query to crypto coin mining pool domains
• srcip_geo.countryName — country of the source IP address
• dstip — IP address receiving the DNS query
• dstip_geo.countryName — country of the destination IP address
• dns.question.name — crypto coin mining pool domain being resolved
• metadata.request.query — crypto coin mining pool domain being resolved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to DNS Query to Monero Crypto Coin Mining Pool Domains Alert Type

DNS Query to TOR Proxy Domain

The DNS Query to TOR Proxy Domain rules are used to identify DNS queries to onion domains and proxy domains for TOR network. Any one or more of these will trigger the DNS Query to TOR Proxy Domain alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_tor_proxy_domain.

• srcip — IP address sending TOR network related DNS query
• srcip_geo.countryName — country of the source IP address
• dstip — IP address receiving the DNS query
• dstip_geo.countryName — country of the destination IP address
• dns.question.name — TOR network domain being resolved
• metadata.request.query — TOR network domain being resolved
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to DNS Query to TOR Proxy Domain Alert Type

DNS Tunneling Anomaly

An anomalously large number of connections tunneling high-entropy traffic through DNS were made. This can indicate data exfiltration. Investigate the tunnel and source host. If malicious, block the source host.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: Exfiltration (TA0010 )

• Technique: Exfiltration Over Alternative Protocol (T1048 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_tunnel.

• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• metadata.request.effective_tld — effective top-level domain, such as yahoo.com
• metadata.request.query — DNS query
• actual — actual number of bytes transmitted through the tunnel in the period
• typical — typical number of bytes transmitted through a tunnel in the period
• total_entropy — total entropy (information density) sent by the DNS tunnel
• query_count — number of queries sent by the DNS tunnel

Use Case with Data Points

The DNS queries (metadata.requests.query) for each DNS tunnel (comprising the source host (srcip_host), destination host (dstip), and top-level domain (effective_tld)) are analyzed periodically. If a DNS tunnel has sent anomalously more entropy (total_entropy) and bytes (actual) than is normal (typical) in any period, an alert is triggered. The number of queries sent (query_count) is also considered.

Dormant Account Anomaly

This topic covers a feature that is not available for all customers yet. See Early Access Program Features and Topics Under Development.

A user account has not logged any interactive actions such as logins, password changes, or resource accesses recently. Check the user account and consider disabling it.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] Persistence (TA0003 )

• Technique: Valid Accounts (T1078 )

• Tags: [Identity Detection]

XDR Event Name

The xdr_event.name for this alert type in the Interflow data is dormant_account.

• srcip_username — source user name
• days_silent — number of days since last activity
• last_seen_ts — timestamp when the user last logged interactive data

Use Case with Data Points

If an account is observed to be dormant, an alert is triggered. The Interflow will contain a user name (srcip_username), the number of days since an interactive action was logged (days_silent), and the last seen timestamp (last_seen_ts) for that user.

Validation / Remediation

Analysts can validate the alert by checking whether activity is expected from that user. They can disable the account if it is not supposed to be dormant.

Potential False Positives

A false positive could be generated if some user activity is not counted as interactive.

Emerging Threat

An emerging threat has been observed. Investigate the IP address, domain name, URL, or file hashes (MD5, SHA1, SHA256) and consider blocking.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR Intel (XTA0005)

• Technique: XDR Emerging Threat (XT5003)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is emerging_threat.

• srcip — source IP address marked as an emerging threat
• srcip_host — host name of corresponding source IP address
• dstip — destination IP address marked as an emerging threat
• dstip_host — host name of corresponding destination IP address
• url_list — URL marked as an emerging threat
• domain_list — domain marked as an emerging threat
• event_summary.detected_hashes.md5 — MD5 hash marked as emerging threat
• event_summary.detected_hashes.sha1 — SHA1 hash marked as emerging threat
• event_summary.detected_hashes.sha256 — SHA256 hash marked as emerging threat
• event_summary.detected_file_names — detected file names with matched hash value
• event_summary.detected_process_names — detected process names with matched hash value
• event_summary.ioc_source_repu_summary.url_reputation — URL reputation
• event_summary.ioc_source_repu_summary.srcip_reputation — source reputation
• event_summary.ioc_source_repu_summary.dstip_reputation — destination reputation
• event_summary.ioc_source_repu_summary.domain_reputation — domain reputation
• event_summary.ioc_source_repu_summary.filehash_reputation — hash reputation

Use Case with Data Points

Stellar Cyber monitors traffic for emerging threats. This alert type has file hash detection that monitors traffic, Syslog, and Windows events.

An alert is triggered if emerging threats are observed in any of the following:

• Source IP address (srcip)
• Destination IP address (dstip)
• URL (url_list)
• Domain (domain_list)
• MD5 file hash (event_summary.detected_hashes.md5)
• SHA1 file hash (event_summary.detected_hashes.sha1)
• SHA256 file hash (event_summary.detected_hashes.sha256)

Note that only one of these is needed to trigger the alert. So, although the Interflow includes the source IP address (srcip), destination IP address (dstip), URL (url_list), domain (domain_list), and file hashes (event_summary.detected_hashes.md5, event_summary.detected_hashes.sha1, and event_summary.detected_hashes.256), not all the values may be populated, depending on the nature of the observed threat.

Encoded PowerShell

A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Execution (TA0002 )

• Technique: Command and Scripting Interpreter (T1059 )

• Tags: [PowerShell]

Event Name

The xdr_event.name for this alert type in the Interflow data is encoded_powershell.

• hostip — IP address of the Windows host
• hostip_host — host name
• event_data.ContextInfo — PowerShell script context
• event_data.Payload — PowerShell script payload

Use Case with Data Points

If a Windows host (srcip) executes a PowerShell script whose context (event_data.ContextInfo) includes flags that indicate encoding or obfuscation of the script, an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the script context (event_data.ContextInfo), and script payload (event_data.Payload).

Encrypted C&C

A connection to or from known command and control servers was observed in encrypted traffic. Consider blocking the source IP address.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: Command and Control (TA0011 )

• Technique: Encrypted Channel (T1573 )

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is ssl_certificate.

• srcip — source IP address of the connection
• dstip — destination IP address of the connection
• srcip_host — host name of corresponding source IP address
• srcip_geo.countryName — source country of the connection
• dstip_host — host name of corresponding destination IP address
• dstip_geo.countryName — destination country of the connection

Use Case with Data Points

If known command and control servers are detected on either side of a connection with encrypted traffic, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), source country (srcip_geo.countryName), destination IP address (dstip), destination host (dstip_host), and destination country (dstip_geo.countryName).

Exploited C&C Connection

An exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Command and Control Connection Exploitation (XT2014)

• Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_correlation.

• tenant_id — tenant ID
• exploit_id — ID of the original exploit event
• seen_traffic_id — ID of the original Interflow traffic record
• srcip (of exploit event) — IP address of the attacker (correlation_info.srcip)
• dstip (of exploit event) — IP address of the target host (correlation_info.dstip)
• srcip (of traffic record) — IP address of the target host (correlation_info.srcip)
• dstip (of traffic record) — IP address of the attacker (correlation_info.dstip)

Use Case with Data Points

Two events are involved in this alert type. In the first event, an attacker (srcip) with the IP address A is performing an exploit against a target (dstip) with the IP address B. If, following that event, an Interflow traffic record is observed where the target host (srcip) with IP address B initiates a network connection to the attacker (dstip) whose IP address is A, an alert is triggered.

When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event (exploit_id), the reference ID of the traffic record (seen_traffic_id), the IP address of the attacker (correlation_info.srcip of the exploit event or correlation_info.dstip of the traffic record), the IP address of the victim (correlation_info.dstip of the exploit event or correlation_info.srcip of the traffic record).

External Account Login Failure Anomaly

An anomalously large number of user login failures was observed for an account. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_cloud_account_login_failure.

• srcip_usersid — cloud account user ID

  or

• srcip_username — cloud account user name

  The key field for this alert type can be either srcip_usersid or srcip_username, depending on the data feed.

• event_summary.total_failed — number of failed logins in the period
• event_summary.total_successful — number of successful logins in the period
• event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• srcip_host — host name of corresponding source IP address
• login_type — type of login
• srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

External Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_success_brute_forcer.

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip.

• srcip — source IP address
• srcip_usersid — Windows SID associated with the source IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• source_geo.countryName — source country
• dstip_host — destination host name
• login_type — type of login
• username — user name
• related_alert._id — link to the related External User Login Failure Anomaly

Use Case with Data Points

The login records are checked for every external source IP address (srcip). An alert is triggered if that IP address:

1. Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip_usersid.

• srcip_usersid — Windows SID associated with the source IP address
• srcip — source IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• source_geo.countryName — source country
• dstip_host — destination host name
• login_type — type of login
• username — user name
• related_alert._id — link to the related External Account Login Failure Anomaly

External Credential Stuffing

An anomalously large amount of username/password testing was observed on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_credential_stuffing.

• msg_class — name of the service: cloudtrail for AWS, okta for Okta, Microsoft-Windows-Security-Auditing for Windows
• service_id — specific account ID of a service
• login_failure_rate — rate of login failures per minute in the period
• unknown_users_rate — rate of unknown user names per minute in the period
• unknown_users_to_login_failures — ratio of unknown user names to login failures in the period
• suspicious_ips — suspicious source IP addresses (up to 100)
• possible_breached_ips — list of malicious IP addresses that may have successful breach activities

Use Case with Data Points

External credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class), tenant's account ID on that service (service_id), suspicious source IP address (suspicious_ips), login failure rate (login_failure_rate), unknown user rate (unknown_users_rate), the ratio of unknown users to login failures (unknown_users_to_login_failures), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips).

External Exploited Vulnerability

A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Exploited Vulnerability (XT2015)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_vuln_exploit_correlation.

• tenantid — tenant ID
• vulnerability_id — ID of the original security scan result
• ids_event_id — ID of the original IDS exploit event
• srcip (of security scan result) — IP address of the target correlation_info.srcip
• dstip (of IDS event) — IP address of the target (correlation_info.dstip)
• srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
• vulnerability.cve — CVE associated with the reported vulnerability
• ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with internal IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (vulnerability.cve and ids.cve).

External Firewall Denial Anomaly

A source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the source IP address.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Firewall Anomaly (XT2002)

• Tags: [External; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_fw_action.

• srcip — source host IP address
• srcip_host — source host IP address
• actual — actual number of firewall denials in the period
• typical — typical number of firewall denials in the period
• dstip_host — host name of corresponding destination IP address
• dev_name — name of the firewall
• engid_name — name of the sensor

Use Case with Data Points

The number of firewall denials for every source IP address (srcip) is calculated periodically. If a source IP address’s number of firewall denials (actual) is much larger than the historical count (typical) of all IP addresses, an alert is triggered. The Interflow includes the name of the firewall (dev_name), the name of the sensor (engid_name), and the destination host (dstip_host).

External Firewall Policy Anomaly

A firewall policy was triggered that has never been seen before (or has very rarely been seen). Investigate the policy, the intent, and the associated traffic to determine whether this activity is legitimate or malicious.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Firewall Anomaly (XT2002)

• Tags: [External; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_fw_policy_id.

• fw_policy_id — ID of the violated firewall policy
• days_silent — number of days since this firewall policy was last seen
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• dev_name — device name
• dev_type — device type
• engid_name — sensor name

Use Case with Data Points

A firewall policy ID (fw_policy_id), which is raised by a device (dev_name and dev_type) and captured by a sensor (engid_name), shows never seen or very rare (days_silent) traffic between a host (srcip_host) and another host (dstip_host). This will trigger an alert.

External Handshake Failure

There were too many handshake failures between two hosts, which might indicate port scanning. Check the source host to see if this was expected and, if not, consider blocking the host.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Reconnaissance (TA0043 )

• Technique: Active Scanning (T1595 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_handshake_failure.

• srcip — source IP address of the host with the handshake failures
• srcip_host — source host name
• dstip — destination IP address of the host with the handshake failures
• dstip_host — destination host name
• timestamp — when the scan happened

Use Case with Data Points

If a host (srcip) scans across many ports on another host (dstip), an alert is triggered. The Interflow includes the IP address of the potential attacker (srcip), the IP address of the victim (dstip), a special message flag (msgtyp), and when the scan happened (timestamp).

External IDS Signature Spike

A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_ids_signature_spike.

• event_summary.ids_signatures_summarize — summarized IDS signatures of the exploit
• srcip_host — source host name
• actual — actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1

Use Case with Data Points

The number of unique IDS signatures (ids.signature), weighted by their severity (ids.severity), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip), timestamp, an accumulated severity of IDS signatures (actual), the usual accumulated severity of IDS signatures (typical), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize).

External IP / Port Scan Anomaly

A host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. If the source IP address is internal targeting an external address, check with the user. If the source IP address is external targeting any addresses, it could be a scanning campaign.

This alert type has the following subtypes:

• Connection Failure Anomaly (Sensor Traffic)
• Connection Spike Anomaly (Firewall / Windows Traffic)

Alert Subtype: Connection Failure Anomaly (Sensor Traffic)

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_failure_anomaly.

• srcip — source IP address
• srcip_host — host name of corresponding source IP address
• num_failed — unique number of (destination IP and destination port) tuples that respond with failed status
• num_successful — unique number of (destination IP and destination port) tuples that respond with success status
• percent_failed — percent of unique (destination IP and destination port) tuples that respond with failed status
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• dstip_host — host name of corresponding destination IP address
• appid_name — application name
• summary_port_scan_type — port scan type

Use Case with Data Points

For every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address (srcip), the number of response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.

Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_spike_anomaly.

Event Name

The xdr_event.name for this alert type in the Interflow data is external_port_scan_tsa.

• srcip — source IP address
• srcip_host — host name of corresponding source IP address
• actual — actual number of connections to the destination IP address in the time period
• typical — typical number of connections to the destination IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name
• summary_port_scan_type — port scan type

Use Case with Data Points

For every unique (destination IP address and destination port) browsed by each source IP address (srcip), the number of response failures and successes and the number of total data volume are calculated periodically. If the total data volume is significantly larger than the typical number, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.

External Non-Standard Port Anomaly

An application had an anomalously large number of connections or a rarely seen connection on non-standard ports. Check the application to be sure this is benign.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] Command and Control (TA0011 )

• Technique: Non-Standard Port (T1571 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_non_std_port_anomaly.

• dstip — destination IP address
• dstport — destination port
• appid — application ID
• days_silent — number of days since the application was last seen
• appid_name — application name
• dstip_host — host name of corresponding destination IP address
• actual — actual number of connections in the period
• typical — typical number of connections in the period

Use Case with Data Points

The number of connections for an application (dst_ip + dstport + appid) is calculated periodically. If a non-standard combination has an actual number of connections (actual) that is much larger than the typical number of connections (typical), or the combination has not appeared for a long time, an alert is triggered. The Interflow includes the source host (srcip_host), destination IP address (dstip), destination port (dstport), application ID (appid), and application name (appid_name).

External Other Malware

Malware with uncategorized malicious activity was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Miscellaneous Malware (XT6001)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_malware_activity.

• ids.signature — IDS signature
• ids.severity — severity of the IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the malware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates malware that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the malware (file_name) from the sandbox.

External Password Spraying

.An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Sub-technique: Password Spraying (T1110.003 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_password_spray.

• srcip — source IP address generating a failed login

  or

• event_data.Workstation — workstation generating a failed login

  The key field for this alert type can be either srcip or event_data.Workstation, depending on the data feed.

• srcip_host — source host name
• event_id — Windows event ID corresponding to the login failures
• login_type — type of login protocol; the available values vary by event_id
• actual — actual number of failed logins with unknown user names in a 5-minute period
• typical — typical number of failed logins with unknown user names in a 5-minute period
• event_summary.password_spray_user_summary — list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)

Use Case with Data Points

If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip or event_data.Workstation), timestamp, the type of login (login_type), the number of failed logins (actual), the usual number of failed logins (typical), and a sampling of the user names used in the attack (password_spray_user_summary).

External PII Leaked

Personally identifiable information (social security numbers or credit cards) has been observed in the clear. Check the source to see if it is compromised. If so, consider blocking it.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Exfiltration (TA0010 )

• Technique: Automated Exfiltration (T1020 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_pii_leak.

• srcip — source IP address of the PII leak
• dstip — destination IP address of the PII leak
• ids.signature — IDS signature
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), destination IP address (dstip), source host (srcip_host), and destination host (dstip_host).

External Plain Text Passwords Detected

A plain text password was detected in unencrypted traffic. Check with the user.

This alert type looks for the presence of metadata.request.password, metadata.request.auth_password, and metadata.request.auth_simple in the Interflow records from the sensors. When plain text passwords are present in the network traffic, the sensors are able to decode and create the corresponding Interflow fields. To preserve privacy, the actual passwords are replaced by a sequence of asterisks (*).

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR Clear Password (XT2006)

• Tags: [External; Network Traffic Analysis; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_clear_password.

• srcip — source IP address
• actual — actual number of connections with a plain text password in the period
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name

Use Case with Data Points

If there are plain text passwords in unencrypted traffic records with a public source IP address (srcip) or destination IP address (dstip), an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), destination host (dstip_host), and application (appid_name).

External Protocol Account Login Failure Anomaly

An anomalously large number of login failures over SMB or FTP was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Network Traffic Analysis; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_protocol_account_login_failure.

• metadata.request.username — user name in the HTTP connection request
• event_summary.total_failed — number of failed logins in the period
• event_summary.total_successful — number of successful logins in the period
• event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• appid_name — application name
• login_type — type of login
• srcip_host — host name of corresponding source IP address
• srcip_reputation — source reputation

Use Case with Data Points

For every user name (metadata.request.username) in the HTTP connections names (that do not begin with "Mozilla" or "Aella"), the number of failed and successful logins are calculated periodically. If the number of failed logins is much greater than successful logins, an alert is triggered. The Interflow includes the application name (appid_name), login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

External PUA

Unwanted applications or malware that bombards the user with advertisements has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR PUA (XT6002)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_pua.

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the PUA
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates potentially unwanted applications (PUA), an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity) or IDS signature for ML-IDS (ids.signature), along with event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the PUA (file_name) from the sandbox.

External Ransomware

Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Impact (TA0040 )

• Technique: Data Encrypted for Impact (T1486 )

• Tags: [External; Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_ransomware.

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the ransomware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates ransomware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the ransomware (file_name) from the sandbox.

External RDP BlueKeep

Use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed. Check the IP address and block if necessary.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [External] Privilege Escalation (TA0004 )

• Technique: Exploitation for Privilege Escalation (T1068 )

• Tags: [External; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_bluekeep.

• ids.signature — IDS signature
• srcip_host — source host name
• dstip_host — destination host name

Use Case with Data Points

If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source host (srcip_host), and destination host (dstip_host).

External RDP Brute Force Attack

An anomalously large number of RDP connections to an RDP server was observed. Check the source IP addresses to determine whether they are unknown or malicious, and monitor any successful RDP logins.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; RDP; Network Traffic Analysis; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_brute_force.

• dstip — IP address of the destination RDP server
• dstip_host — destination host name
• actual — actual number of RDP connections to the destination IP address in the observed time bucket
• typical — typical number of RDP connections to the destination IP address in most time buckets
• srcip — source IP address
• srcip_host — source host name

Use Case with Data Points

RDP connection activity is monitored and the number of connections are calculated periodically. If the number of connections to an RDP server (actual) is much greater than normal (typical), an alert is triggered. A sample Interflow includes the destination IP address (dstip) and source IP address (srcip).

External RDP Suspicious Outbound

Non-standard tools connecting to TCP port 3389 were observed. Check the IP address and block if necessary.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR App Anomaly (XT2003)

• Tags: [External; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_suspicious_outbound.

• srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
• srcip_host — source host name
• process_name — process name

Use Case with Data Points

Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:

• mstsc.exe
• RTSApp.exe
• RTS2App.exe
• RDCMan.exe
• ws_TunnelService.exe
• RSSensor.exe
• RemoteDesktopManagerFree.exe
• RemoteDesktopManager.exe
• RemoteDesktopManager64.exe
• mRemoteNG.exe
• mRemote.exe
• Terminals.exe
• spiceworks-finder.exe
• FSDiscovery.exe
• FSAssessment.exe
• MobaRTE.exe
• chrome.exe
• thor.exe
• thor64.exe

External Scanner Behavior Anomaly

An anomalously large amount of scanning behavior or a rarely seen scan behavior was found. Cross-check with the IP / Port Scan Anomaly alert.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Reconnaissance (TA0043 )

• Technique: Active Scanning (T1595 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_scan_anomalies.

• ids.signature — signature of the exploit
• actual — actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• typical — typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name

Use Case with Data Points

The number of occurrences of each scanner, based on IDS signature (ids.signature), is calculated periodically. If one scanner occurs (actual) much more often than its history (typical), an alert is triggered. The Interflow includes information such as the traffic application type (appid_name), source (srcip_host), and destination (dstip_host).

External SMB Read Anomaly

An IP address sent an anomalously large number of read requests to SMB protocol based service(s). Investigate the files that the IP address tried to read. If suspicious, block the source IP address.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_read_anomaly.

• srcip — source IP address
• srcip_host — source host name
• actual — actual number of SMB reads from the source IP address in the period
• typical — typical number of SMB reads from other source IP addresses in the period
• dstip_host — destination host name
• smb_username — SMB user name
• event_summary.smb_path_list — folders experiencing a high volume of SMB read requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB read requests for every source IP address (srcip) is calculated periodically. If a source IP address’s number of SMB reads (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

External SMB Username Enumeration

At least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from the same source. Check the source IP address. If malicious, consider blocking it.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; SMB; Network Traffic Analysis; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_user_scan.

• srcip — source IP address
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• actual — actual unique SMB user count
• typical — SMB user count threshold
• smb_username_set — all SMB login user names

Use Case with Data Points

If one source IP address (srcip) has several SMB login attempts with (1) at least 5 unique user names and at least 1 denied attempt or (2) at least 10 unique user names, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), destination host (dstip_host), and all the user names (smb_username_set).

External SMB Write Anomaly

An IP address sent an anomalously large number of SMB write requests. Investigate the files that the IP address tried to write. If suspicious, block the source IP address.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Impact (TA0040 )

• Technique: Data Manipulation (T1565 )

• Tags: [External; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_anomaly.

• srcip_host — source host name
• actual — actual number of SMB writes in the period
• typical — typical number of SMB writes in the period
• dstip_host — destination host name
• smb_username — SMB user name
• event_summary.smb_path_list — folders experiencing a high volume of SMB write requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB write requests for every source IP address (srcip_host) is calculated periodically. If a source IP address’s number of SMB writes (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

External Spyware

Malware that collects and shares information about a device without consent was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Spyware (XT6003)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_spyware_activity.

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the spyware
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates spyware activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the spyware (file_name) from the sandbox.

External SQL Anomaly

An IP address sent an anomalously large number of queries to one or more SQL servers. Investigate the queries. If suspicious, block the source IP address.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Initial Access (TA0001 )

• Technique: Exploit Public-Facing Application (T1190 )

• Tags: [External; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_mysql_anomaly.

• srcip_host — source host name
• srcip_geo.countryName — name of the source country
• actual — actual number of SQL queries in the period
• typical — typical number of SQL queries from the source IP address
• dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of SQL queries for every source IP address (srcip_host) is calculated periodically. If a source IP’s SQL query count (actual) is much larger than the typical count (typical) and that of other IP addresses in any period, an alert is triggered. The source IP’s country is (srcip_geo.countryName). The Interflow includes the destination host (dstip_host) the source IP visits.

External SQL Dumpfile Execution

The SQL dumpfile command was observed. This command is commonly used to dump database content or query output to a file on disk. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Exploration

• Tactic: [External] Collection (TA0009 )

• Technique: Data Staged (T1074 )

• Tags: [External; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_sql_db_dump.

• srcip — source IP address
• actual — number of SQL dumpfile queries
• srcip_host — source host name
• source_geo.countryName — source country
• dstip_host — destination host name

Use Case with Data Points

If the SQL dumpfile command is seen on any source IP address (srcip), an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), and number of SQL dumpfile queries in the period (actual).

External SQL Shell Command

Shell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] Execution (TA0002 )

• Technique: Command and Scripting Interpreter (T1059 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_database_command.

• srcip — source IP address
• dstip — destination IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• dstip_host — destination host name
• dstip_reputation — destination reputation
• metadata.request.query — SQL query command
• actual — number of query records from one source to one destination in one period

Use Case with Data Points

For SQL query records, if special commands (such as select mylab_sys_exec) are found, an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), source reputation (srcip_reputation), destination host (dstip_host), destination reputation (dstip_reputation), and SQL query records (metadata.request.query).

External Suspected Malicious User Agent

An external HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination.

This alert type has the following subtypes:

• Predicted Malicious Agent

• Known Malicious Agent Match

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR NBA (XTA0002)

• Technique: XDR User Agent Anomaly (XT2012)

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_suspected_malicious_user_agent.

• user_agent.original — user agent in the HTTP connection request
• metadata.request.user_agent — user agent in the HTTP connection request
• stellar.confidence — model's confidence in the prediction
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_name — application name

Use Case with Data Points

If a seen user agent is identified as suspicious, an alert is triggered. The alert includes the suspicious user agent (metadata.request.user_agent), confidence (stellar.confidence), tenant (tenant_name), source IP (srcip), and destination IP (dstip) in the key fields. Additionally, the confidence level of the model is displayed in the alert description in a pop-up box.

Alert Subtype: Predicted Malicious Agent

The Predicted Malicious Agent alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:

• The stellar.anomaly_tag is predicted_external.

• The xdr_event.subtype.name for this alert subtype in the Interflow data is external_suspected_malicious_user_agent.

• It is triggered by a machine learning classifier.

Alert Subtype: Known Malicious Agent Match

The Known Malicious Agent Match alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:

• The stellar.anomaly_tag is known_external.

• The xdr_event.subtype.name for this alert subtype in the Interflow data is external_suspected_malicious_user_agent_known_malicious.

• It is triggered by known threats.

External SYN Flood Attacker

An attacker sends a large amount of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Impact (TA0040 )

• Technique: Endpoint Denial of Service (T1499 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_syn_flood_attacker.

• srcip — source IP address of the SYN flood
• srcip_host — source host name
• dstip — target IP address of the SYN flood
• dstip_host — destination host name
• dstport — port on target host that received the SYN flood
• syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an external host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

External SYN Flood Victim

A large amount of SYN requests were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Impact (TA0040 )

• Technique: Endpoint Denial of Service (T1499 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_syn_flood.

• srcip — source IP address of the SYN flood
• srcip_host — source host name
• dstip — target IP address of the SYN flood
• dstip_host — destination host name
• dstport — port on target host that received the SYN flood
• syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an external host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

External Trojan

Malware that disguises itself as legitimate software in order to gain access to a system or files has been observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: [External] XDR Malware (XTA0006)

• Technique: XDR Trojan (XT6004)

• Tags: [External; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_trojan_activity.

• ids.signature — IDS signature
• maltrace-cloud.data.malicious_activity — malicious activity
• actual — number of records for one IDS signature or malicious activity in the period
• lateral — boolean, indicating whether this activity is lateral (from private to private)
• srcip_host — source host name
• srcip_geo.countryName — source country
• dstip_host — destination host name
• dstip_geo.countryName — destination country
• file_name — name of the file that carries the trojan
• event_source — source of the event, either ids or sandbox

Use Case with Data Points

If ML-IDS or sandbox indicates trojan activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity), IDS signature for ML-IDS (ids.signature), event source (event_source), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), destination country (dstip_geo.countryName), and the name of the file that carries the trojan (file_name) from the sandbox.

External URL Reconnaissance Anomaly

An anomalous number of HTTP 4xx errors were observed. This can indicate an attacker scanning for pages to exploit. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Reconnaissance (TA0043 )

• Technique: Active Scanning (T1595 )

• Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_url_scan.

• srcip — source IP address
• event_summary.total_failed — number of unique URLs with HTTP error status response in the period
• event_summary.total_successful — number of unique URLs with HTTP success status response in the period
• event_summary.total_fail_ratio — percent of unique URLs with HTTP error status response in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• srcip_geo.countryName — source country name

Use Case with Data Points

For every unique URL browsed by each source IP address (srcip), the number of HTTP response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and source country (srcip_geo.countryName).

External User Application Usage Anomaly

A user who typically uses a small, consistent number of applications used a new application. Investigate the application, to see if it is benign. Check with the user to see if this was expected.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR App Anomaly (XT2003)

• Tags: [External; User Behavior Analytics; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_uncommon_app.

• srcip_usersid — source user ID
• appid_name — application name
• srcip_host — host name of corresponding source IP address
• dstip_host — host name of corresponding destination IP address
• appid_family — application family
• srcip_username — source user name
• stability — score measuring the time since the last new application was used
• days_stable — time since the last new application was used
• diversity — score measuring the number of applications that the user used
• child_count — number of applications that the user used

Use Case with Data Points

An alert is triggered under the following conditions:

• a user (srcip_usersid, srcip_username) with a small number of applications (diversity, child_count) who has not used a new application for a long period of time (stability, days_stable), and then

• a new application (appid_name) belonging to an application family (appid_family) appears on a host (scrip_host) with this user, and

• that host connects to another host (scrip_host)

External User Data Volume Anomaly

A user had an anomalously large volume of traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected.

Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR Bytes Anomaly (XT3001)

• Tags: [External; User Behavior Analytics; Network Traffic Analysis; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_bytes_sum.

• srcip_usersid — source user ID
• actual — actual traffic volume in the period
• typical — typical traffic volume from the user
• srcip_host — host name of corresponding source IP address
• srcip_username — source user name
• dstip_host — host name of corresponding destination IP address
• dstip_reputation — destination reputation
• dstip_geo.countryName — destination country
• appid_name — application name

Use Case with Data Points

The total traffic volume of each user identified by user ID (scrip_usersid) is calculated periodically. If the volume in one period (actual) is much larger than its normal volume (typical), an alert is triggered.

The Interflow includes the source IP address (scrip_host), destination IP address (dstip_host), destination reputation (dstip_reputation), destination country (dstip_geo.countryName), and application of the traffic (appid_name).

External User Login Failure Anomaly

An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_login_fail.

• srcip — source IP address
• dstip — destination IP address
• dstip_host — destination host name
• event_summary.total_failed — number of failed logins in the period
• event_summary.total_successful — number of successful logins in the period
• event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
• srcip_host — source host name
• srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

File Action Anomaly

Actions, such as move, copy, delete, or change attribute, were taken on a file or files an anomalous number of times. Investigate the actions and the user to see if this is expected.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: Impact (TA0040 )

• Technique: Data Manipulation (T1565 )

• Tags: [Internal; File Anomaly]

Event Name

The xdr_event.name for this alert type in the Interflow data is anomalous_file_action.

• secondary — user name
• actual — actual number of file actions in the period
• typical — typical number of file actions in the period
• path — path to the file

Use Case with Data Points

The number of file actions for each user (secondary) is calculated periodically. If the volume (actual) is anomalous compared to the typical volume (typical) of file actions in any period, an alert is triggered. The Interflow includes the directory to the file (path).

File Creation Anomaly

A file or files were created an anomalously large number of times. Check with the user to see if this is expected.

XDR Kill Chain

• Kill Chain Stage: Persistent Foothold

• Tactic: XDR EBA (XTA0001)

• Technique: XDR File Anomaly (XT1003)

• Tags: [File Anomaly; User Behavior Analytics; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is file_creation.

• secondary — user name
• actual — actual number of file creations in the period
• typical — typical number of file creations in the period
• path — path to the file(s) created

Use Case with Data Points

The number of file creations for each user (command) is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) of file creations in any period, an alert is triggered. The Interflow includes the directory to the file (path).

Google Workspace Account Manipulation

A Google Workspace user was manipulated. Check with the user to make sure this was expected.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR Account Anomaly (XT4007)

• Tags: [External; GSuite; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is gsuite_account_manipulation.

• event_detail.affected_email_address — key ID for the account
• event_detail.name — Google Workspace suspicious event name
• event_detail.type — Google Workspace suspicious event type

Use Case with Data Points

For each Google Workspace account (event_detail.affected_email_address), account manipulation is evaluated periodically. This alert is triggered if the Google Security center reports a leaked password or a user account being suspended for specific reasons. The Interflow includes the account ID (event_detail.affected_email_address), Google Workspace event name (event_detail.name), and Google Workspace event type (event_detail.type).

Google Workspace Attack Warning

Attacks to a Google Workspace account were observed. Check with the account holder.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [External; GSuite; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is gsuite_attack_warning.

• actor.email — key ID for the account
• srcip — source IP address of the account
• srcip_host — source host name
• event_detail.name — Google Workspace suspicious event name
• event_detail.type — Google Workspace suspicious event type

Use Case with Data Points

For each Google Workspace account (actor.email), attacks are searched periodically. If an attack is identified, an alert is triggered. The Interflow includes the account ID (actor.email), source IP address (srcip), Google Workspace event name (event_detail.name), and Google Workspace event type (event_detail.type).

Google Workspace Suspicious Activities

Suspicious activities were observed in a Google Workspace account. Check with the account holder.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR Login Anomaly (XT4006)

• Tags: [External; GSuite; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is gsuite_suspicious_activities.

• user.name — key ID for the account
• srcip — source IP address of the account
• srcip_host — source host name
• event_detail.name — Google Workspace suspicious event name
• event_detail.type — Google Workspace suspicious event type

Use Case with Data Points

For each Google Workspace account (actor.email), suspicious activities are searched periodically. If suspicious activities are detected, an alert is triggered. The Interflow includes the account ID (actor.email), source IP address (srcip), Google Workspace event name (event_detail.name), and Google Workspace event type (event_detail.type).

Google Workspace User Suspended

A Google Workspace user was suspended. Check with the user to make sure this was expected.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR Account Anomaly (XT4007)

• Tags: [External; GSuite; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is gsuite_user_suspended.

• actor.email — key ID for the account
• srcip — source IP address of the account
• srcip_host — source host name
• event_detail.name — Google Workspace suspicious event name
• event_detail.type — Google Workspace suspicious event type

Use Case with Data Points

For each Google Workspace account (actor.email), suspension status is searched periodically. If a user is suspended, an alert is triggered. The Interflow includes the account ID (actor.email), source IP address (srcip), Google Workspace event name (event_detail.name), and Google Workspace event type (event_detail.type).

Hydra Password Guessing Hack Tool

A user from a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra parameters, which may be an inappropriate use of the Hydra password guessing tool.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [Hydra; Brute Force; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is hydra_password_guessing_hack_tool.

• hostip — device internal IP address
• computer_name — name of the Windows host
• event_data.CommandLine — command used to run the tool
• event_data.Image — process running hydra.exe for password cracking

Use Case with Data Points

This alert is triggered if a Windows host (hostip) executes a PowerShell script with a context that includes one or more flags (event_data.Imageor event_data.CommandLine indicating usage of the Hydra password guessing hack tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), and the script image (event_data.Image) or script payload (event_data.CommandLine).

Validation / Remediation

Check the body of the Powershell script that is reported on the Windows host to identify whether the contents of the script are actually malicious. If malicious, consider quarantining the host.

Potential False Positives

The running of any executable named hydra.exe or a command that has parameters of -u and -p or ^user^ and ^pass^ triggers this alert.

ICMP Based Exfiltration or Tunneling

Possible ICMP based exfiltration activities have been observed.

XDR Kill Chain

• Kill Chain Stage: Exfiltration & Impact

• Tactic: [External] Exfiltration (TA0010 )

• Technique: Exfiltration Over Alternative Protocol (T1048 )

• Tags: [ICMP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is icmp_tunnel.

• srcip — source IP address
• dstip — destination IP address
• inbytes_delta — total received bytes
• inpkts_delta — total received packets
• outbytes_delta — total sent bytes
• outpkts_delta — total sent packets
• actual — actual packet size transmitted through the tunnel in the time period
• typical — typical packet size transmitted through the tunnel in the time period

Use Case with Data Points

An anomalously large tunneled ICMP packet (actual) bytes has been observed between (srcip) and (dstip). The typical ICMP packet size transmitted through this tunnel is (typical) bytes, measured in a 5-minute interval. This indicates potential ICMP based exfiltration or tunneling.

Validation / Remediation

Check whether the abnormal ICMP packet is benign and whether the destination IP address is malicious.

Potential False Positives

New benign DNS server or CDN servers may utilize ICMP to transmit data.

For example, a user or IT script sending ping -l 1400 8.8.8.8 (or ping -s 1400 on Linux/MacOS) to test network MTU or connectivity may trigger this detection. These larger-than-normal ICMP packets can appear anomalous compared to the typical 32–64 byte payloads, especially if repeated within a short interval. However, this behavior is usually benign, particularly when the destination is a well-known diagnostic IP like Google DNS (8.8.8.8).

You can use an alert filter combined with a lookup list to filter false positives.

Impacket PsExec Execution

The Impacket PsExec Execution rules detect suspicious SMB traffic related to Impacket PsExec execution. Any one or more of these will trigger the Impacket PsExec Execution alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is network_security_win_security_impacket_psexec.

• appid_name — network traffic protocol that triggered this detection
• srcip — source IP address
• dstip — destination IP address
• stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Impacket PsExec Execution Alert Type

Impossible Travel Anomaly

A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Initial Attempts

• Tactic: [External] XDR UBA (XTA0004)

• Technique: XDR Location Anomaly (XT2001)

• Tags: [External; User Behavior Analytics; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_impossible_travel.

• srcip_usersid — key ID for the source user
• srcip_username — source user name
• srcip — source IP address
• srcip_host — source host name
• engid_gateway — gateway IP address, used to determine the geo location when the source IP address is private
• srcip_geo — source IP address geo location, including latitude and longitude
• has_mfa — whether a Multi-Factor Authentication (MFA) event is associated with the current login
• distance_deviation — deviation in distance between two login locations (miles)

• time_deviation_human_readable— deviation in time between the two login events

• time_deviation — deviation in time between the two login events (seconds)
• travel_speed — calculated speed for the user to travel between two locations (miles/hour)
• appid_name — application name for the login event
• last_login_time — timestamp of event 2, the 2^nd login
• _id2 — ID of event 2
• _index2 — index of event 2
• srcip2 — source IP address of event 2
• srcip_geo2 — source IP address geo location of event 2, including latitude and longitude
• has_mfa2 — whether an MFA event is associated with the previous login (event 2)

has_mfa and has_mfa2 are best-effort and are not guaranteed to be accurate, specifically when there are ingestion delays.

About srcip and srcip2: For any given travel, there is a source and a destination, which are defined by timestamp, so the source timestamp is less than the destination timestamp. Since the destination record arrives later than the source record, the destination is used as the basis for the alert. This means that srcip comes from the destination and srcip2 is added to that record from the source login. (This can be counterintuitive because one might assume that srcip2 comes after srcip.)

Use Case with Data Points

Login events (event 1 and event 2) are examined for a user (srcip_usersid), to see if the login locations (srcip_geo and srcip_geo2), that are at least 100 miles apart, changed faster (travel_speed = distance_deviation/time_deviation) than possible with the typical commercial flight speed of 600 miles/hour.

Event 1 is the basis for the Interflow. The srcip_usersid and srcip_username identify the user, appid_name identifies the application, and last_login_time identifies the time when the 2^nd login event (event 2) happened. You can find detailed information about event 2 by checking id2 in index2, source IP (srcip2), and geo location (srcip_geo2).

Internal Account Login Failure Anomaly

An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [Internal; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_cloud_account_login_failure.

• srcip_usersid — account user ID

  or

• srcip_username — account user name, enriched from event_data.targetusername

  The key field for this alert type can be either srcip_usersid or srcip_username, depending on the data feed.

• event_summary.total_failed — number of failed logins in the period
• event_summary.total_successful — number of successful logins in the period
• event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
• weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than the detection threshold will generate an alert.
• srcip_host — host name of corresponding source IP address
• login_type — type of login
• srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes between any internal IP addresses are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Internal Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

• Kill Chain Stage: Propagation

• Tactic: [Internal] Credential Access (TA0006 )

• Technique: Brute Force (T1110 )

• Tags: [Internal; Brute Force; Identity Detection]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_success_brute_forcer.

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip_usersid.

• srcip — source IP address
• srcip_usersid — Windows SID associated with the source IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• source_geo.countryName — source country
• dstip_host — destination host name
• login_type — type of login
• username — user name
• related_alert._id — link to the related Internal User Login Failure Anomaly

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip.

• srcip — source IP address
• srcip_usersid — Windows SID associated with the source IP address
• srcip_host — source host name
• srcip_reputation — source reputation
• source_geo.countryName — source country
• dstip_host — destination host name
• login_type — type of login
• username — user name
• related_alert._id — link to the related Internal Account Login Failure Anomaly