Alert Types That Use the Scan Index

The Alert Types listed below use the Scan Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

External Exploited Vulnerability
Internal Exploited Vulnerability

External Exploited Vulnerability

A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

Kill Chain Stage: Initial Attempts
Tactic: [External] XDR NBA (XTA0002)
Technique: XDR Exploited Vulnerability (XT2015)
Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_vuln_exploit_correlation.

Key Fields and Relevant Data Points

tenantid — tenant ID
vulnerability_id — ID of the original security scan result
ids_event_id — ID of the original IDS exploit event
srcip (of security scan result) — IP address of the target correlation_info.srcip
dstip (of IDS event) — IP address of the target (correlation_info.dstip)
srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with internal IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.

When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id), the ID of the security scan record (vulnerability_id), the IP address of the attacker (correlation_info.srcip of the IDS event), the IP address of the victim (correlation_info.dstip of the IDS event or correlation_info.srcip of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve and correlation_info.ids.cve).

Internal Exploited Vulnerability

An internal host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.

XDR Kill Chain

Kill Chain Stage: Exploration
Tactic: [Internal] XDR NBA (XTA0002)
Technique: XDR Exploited Vulnerability (XT2015)
Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_vuln_exploit_correlation.

Key Fields and Relevant Data Points

tenantid — tenant ID
vulnerability_id — ID of the original security scan result
ids_event_id — ID of the original IDS exploit event
srcip (of security scan result) — IP address of the target correlation_info.srcip
dstip (of IDS event) — IP address of the target (correlation_info.dstip)
srcip (of IDS event) — IP address of the attacker (correlation_info.srcip)
correlation_info.vulnerability.cve — CVE associated with the reported vulnerability
correlation_info.ids.cve — CVE the attacker used to exploit the host

Use Case with Data Points

An attacker (srcip) with IP address A is performing an exploit against a target (dstip) with IP address B using a vulnerability (ids.cve) with CVE x. If any security scanning tool found the target (srcip) with IP address B to have a vulnerability (vulnerability.cve) with CVE x, an alert is triggered.