Alert Types That Use the IDPS/Malware Sandbox Events Index
The Alert Types listed below use the IDPS/Malware Sandbox Events Index. For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.
To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.
Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.
Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.
- Cryptojacking
- Encrypted C&C
- Exploited C&C Connection
- External Exploited Vulnerability
- External IDS Signature Spike
- External Other Malware
- External PII Leaked
- External PUA
- External Ransomware
- External Scanner Behavior Anomaly
- External Spyware
- External Trojan
- Internal Exploited Vulnerability
- Internal IDS Signature Spike
- Internal Other Malware
- Internal PII Leaked
- Internal PUA
- Internal Ransomware
- Internal Scanner Behavior Anomaly
- Internal Spyware
- Internal Trojan
- Malicious Site Access
- Phishing URL
- Possible Encrypted Phishing Site Visit
- Possible Unencrypted Phishing Site Visit
- Private to Private Exploit Anomaly
- Private to Private IPS Signature Spike
- Private to Public Exploit Anomaly
- Private to Public IPS Signature Spike
- Public to Private Exploit Anomaly
- Public to Private IPS Signature Spike
- Public to Public Exploit Anomaly
- Public to Public IPS Signature Spike
Cryptojacking
An unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: Impact (TA0040 )
-
Technique: Resource Hijacking (T1496 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is cryptojacking
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signaturesrcip
— source IP address of the cryptojacking actiondstip
— destination IP address of the cryptojacking actionsrcip_reputation
— source reputationsrcip_host
— source host namedstip_reputation
— destination reputationdstip_host
— destination host name
Use Case with Data Points
If an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), source reputation (srcip_reputation
), source host (srcip_host
), destination IP address (dstip
), destination reputation (dstip_reputation
), and destination host (dstip_host
).
Encrypted C&C
A connection to or from known command and control servers was observed in encrypted traffic. Consider blocking the source IP address.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: Command and Control (TA0011 )
-
Technique: Encrypted Channel (T1573 )
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ssl_certificate
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP address of the connectiondstip
— destination IP address of the connectionsrcip_host
— host name of corresponding source IP addresssrcip_geo.countryName
— source country of the connectiondstip_host
— host name of corresponding destination IP addressdstip_geo.countryName
— destination country of the connection
Use Case with Data Points
If known command and control servers are detected on either side of a connection with encrypted traffic, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), source country (srcip_geo.countryName
), destination IP address (dstip
), destination host (dstip_host
), and destination country (dstip_geo.countryName
).
Exploited C&C Connection
An exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Command and Control Connection Exploitation (XT2014)
-
Tags: [Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenant_id
— tenant IDexploit_id
— ID of the original exploit eventseen_traffic_id
— ID of the original Interflow traffic recordsrcip
(of exploit event) — IP address of the attacker (correlation_info.srcip
)dstip
(of exploit event) — IP address of the target host (correlation_info.dstip
)srcip
(of traffic record) — IP address of the target host (correlation_info.srcip
)dstip
(of traffic record) — IP address of the attacker (correlation_info.dstip
)
Use Case with Data Points
Two events are involved in this alert type. In the first event, an attacker (srcip
) with the IP address A is performing an exploit against a target (dstip
) with the IP address B. If, following that event, an Interflow traffic record is observed where the target host (srcip
) with IP address B initiates a network connection to the attacker (dstip
) whose IP address is A, an alert is triggered.
When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event (exploit_id
), the reference ID of the traffic record (seen_traffic_id
), the IP address of the attacker (correlation_info.srcip
of the exploit event or correlation_info.dstip
of the traffic record), the IP address of the victim (correlation_info.dstip
of the exploit event or correlation_info.srcip
of the traffic record).
External Exploited Vulnerability
A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with internal IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External IDS Signature Spike
A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_ids_signature_spike
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addressids_signatures_summarize
— summarized IDS signatures of the exploitsrcip_host
— source host nameactual
— actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Other Malware
Malware with uncategorized malicious activity was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_malware_activity
.
Severity
50
Key Fields and Relevant Data Points
ids.signature
— IDS signatureids.severity
— severity of the IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the malwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates malware that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the malware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External PII Leaked
Personally identifiable information (social security numbers or credit cards) has been observed in the clear. Check the source to see if it is compromised. If so, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Exfiltration (TA0010 )
-
Technique: Automated Exfiltration (T1020 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_pii_leak
.
Severity
90
Key Fields and Relevant Data Points
srcip
— source IP address of the PII leakdstip
— destination IP address of the PII leakids.signature
— IDS signaturesrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External PUA
Unwanted applications or malware that bombards the user with advertisements has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR PUA (XT6002)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_pua
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the PUAevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates potentially unwanted applications (PUA), an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
) or IDS signature for ML-IDS (ids.signature
), along with event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the PUA (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Ransomware
Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [External] Impact (TA0040 )
-
Technique: Data Encrypted for Impact (T1486 )
-
Tags: [External; Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_ransomware
.
Severity
80
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the ransomwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates ransomware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the ransomware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Scanner Behavior Anomaly
An anomalously large amount of scanning behavior or a rarely seen scan behavior was found. Cross-check with the IP / Port Scan Anomaly alert.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Reconnaissance (TA0043 )
-
Technique: Active Scanning (T1595 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_scan_anomalies
.
Severity
10
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
The number of occurrences of each scanner, based on IDS signature (ids.signature
), is calculated periodically. If one scanner occurs (actual
) much more often than its history (typical
), an alert is triggered. The Interflow includes information such as the traffic application type (appid_name
), source (srcip_host
), and destination (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Spyware
Malware that collects and shares information about a device without consent was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Spyware (XT6003)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_spyware_activity
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the spywareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates spyware activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the spyware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
External Trojan
Malware that disguises itself as legitimate software in order to gain access to a system or files has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Persistent Foothold
-
Tactic: [External] XDR Malware (XTA0006)
-
Technique: XDR Trojan (XT6004)
-
Tags: [External; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is external_trojan_activity
.
Severity
50
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the trojanevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates trojan activity, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the trojan (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Exploited Vulnerability
A host with a vulnerability discovered by a security scanning tool was exploited by an attack on that same vulnerability, indicating a high probability of success. Check the target to see if it was compromised.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] XDR NBA (XTA0002)
-
Technique: XDR Exploited Vulnerability (XT2015)
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_vuln_exploit_correlation
.
Severity
75
Key Fields and Relevant Data Points
tenantid
— tenant IDvulnerability_id
— ID of the original security scan resultids_event_id
— ID of the original IDS exploit eventsrcip
(of security scan result) — IP address of the targetcorrelation_info.srcip
dstip
(of IDS event) — IP address of the target (correlation_info.dstip
)srcip
(of IDS event) — IP address of the attacker (correlation_info.srcip
)correlation_info.vulnerability.cve
— CVE associated with the reported vulnerabilitycorrelation_info.ids.cve
— CVE the attacker used to exploit the host
Use Case with Data Points
An attacker (srcip
) with IP address A is performing an exploit against a target (dstip
) with IP address B using a vulnerability (ids.cve
) with CVE x. If any security scanning tool found the target (srcip
) with IP address B to have a vulnerability (vulnerability.cve
) with CVE x, an alert is triggered.
When an alert is triggered, a new correlation event is generated. The Interflow of the correlation event includes the ID of the IDS exploit event (ids_event_id
), the ID of the security scan record (vulnerability_id
), the IP address of the attacker (correlation_info.srcip
of the IDS event), the IP address of the victim (correlation_info.dstip
of the IDS event or correlation_info.srcip
of the security scan record), and the CVE that was used in the exploit (correlation_info.vulnerability.cve
and correlation_info.ids.cve
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal IDS Signature Spike
A source IP address transmitted an anomalous number of different IDS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_ids_signature_spike
.
Severity
65
Key Fields and Relevant Data Points
srcip
— source IP addressids_signatures_summarize
— summarized IDS signaturessrcip_host
— source host nameactual
— actual number of unique IDS signatures in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IDS signatures from the source IP address, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IDS signatures (ids.signature
) and severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. The Interflow includes a source (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Other Malware
Malware with uncategorized malicious activity in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Miscellaneous Malware (XT6001)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_malware_activity
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signatureids.severity
— severity of the IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the malwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates malware in internal traffic that cannot be categorized as ransomware, spyware, trojan, PUA, or adware, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the malware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal PII Leaked
Personally identifiable information (social security numbers or credit cards) has been observed in internal traffic in the clear. Check the source to see if it is compromised. If so, consider blocking it.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Exfiltration (TA0010 )
-
Technique: Automated Exfiltration (T1020 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_pii_leak
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the PII leakdstip
— destination IP address of the PII leakids.signature
— IDS signature of the exploitsrcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
If a personally identifiable information leak is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature
), source IP address (srcip
), destination IP address (dstip
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal PUA
Unwanted applications or malware that bombards the user with advertisements in internal traffic has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR PUA (XT6002)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_pua
.
Severity
60
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the PUAevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates potentially unwanted applications (PUA) in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the PUA (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Ransomware
Malware that prevents you from accessing your system or files and demands ransom payment in order to regain access in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Exfiltration & Impact
-
Tactic: [Internal] Impact (TA0040 )
-
Technique: Data Encrypted for Impact (T1486 )
-
Tags: [Internal; Malware; Ransomware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_ransomware
.
Severity
98
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the ransomwareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates ransomware in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the ransomware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Scanner Behavior Anomaly
An anomalously large amount of scanning behavior or a rarely seen scan behavior between internal hosts was observed. Cross-check with the IP / Port Scan Anomaly alert.
XDR Kill Chain
-
Kill Chain Stage: Exploration
-
Tactic: [Internal] Discovery (TA0007 )
-
Technique: Network Service Scanning (T1046 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_scan_anomalies
.
Severity
40
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP addressappid_name
— application name
Use Case with Data Points
The number of occurrences of each scanner, based on IDS signature (ids.signature
) between internal hosts, is calculated periodically. If one scanner occurs (actual
) much more often compared to its history (typical
), an alert is triggered. A sample Interflow is presented with information such as the traffic application type (appid_name
), source host (srcip_host
), and destination host (dstip_host
).
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Spyware
Malware that collects and shares information about a device without consent in internal traffic was observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Spyware (XT6003)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_spyware_activity
.
Severity
60
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the spywareevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates spyware activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the spyware (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Internal Trojan
Malware that disguises itself as legitimate software in order to gain access to a system or files in internal traffic has been observed. Check with the user.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] XDR Malware (XTA0006)
-
Technique: XDR Trojan (XT6004)
-
Tags: [Internal; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is internal_trojan_activity
.
Severity
70
Key Fields and Relevant Data Points
ids.signature
— IDS signaturemaltrace-cloud.data.malicious_activity
— malicious activityactual
— number of records for one IDS signature or malicious activity in the periodlateral
— boolean, indicating whether this activity is lateral (from private to private)srcip_host
— source host namesrcip_geo.countryName
— source countrydstip_host
— destination host namedstip_geo.countryName
— destination countryfile_name
— name of the file that carries the trojanevent_source
— source of the event, eitherids
orsandbox
Use Case with Data Points
If ML-IDS or sandbox indicates trojan activity in internal traffic, an alert is triggered. A sample Interflow includes malicious activity for sandbox (maltrace-cloud.data.malicious_activity
), IDS signature for ML-IDS (ids.signature
), event source (event_source
), source host (srcip_host
), source country (srcip_geo.countryName
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and the name of the file that carries the trojan (file_name
) from the sandbox.
Stellar Cyber reports both internal and external versions of some alerts, with
different analysis and recommended actions for each. Similarly, IDS signatures report the direction of data flow as inbound
or outbound
. Use the following as a guide for these concepts:
- Addresses with a
srcip_type
ordstip_type
ofprivate
are identified as internal. All other values are identified as external (when applicable; not all alerts have unique analytics for internal/external). - Communications
between hosts where
srcip_type
anddstip_type
are bothprivate
are considered internal communications. - When an anomaly is observed on an internal communication, the attack is considered to be internal.
- Stellar Cyber always sets the
srcip
in the Interflow record as the initiating IP address of an event. Note that IDS signatures, which are reported with relevant alerts, instead list addresses based on the direction of data flow, not the initiating address. So an INBOUND data flow may show thedstip
as the source address and thesrcip
as the destination address, even though thesrcip
was the initiator of the request. Use INBOUND and OUTBOUND information in the signature to understand the direction of data flow, together with Stellar Cyber’s Interflow record ofsrcip
anddstip
to understand which address initiated the threat event.
Malicious Site Access
A host accessed a URL with a reputation for potentially hosting malware. Check the URL and, if malicious, consider blocking it. Check the host for compromise.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] XDR NBA (XTA0002)
-
Technique: XDR Bad Reputation (XT2010)
-
Tags: [External; Network Traffic Analysis; Malware]
Event Name
The xdr_event.name
for this alert type in the Interflow data is mal_access
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP address of the host that initiated the site accesssrcip_host
— source host nameurl
— URL that was accessedurl_reputation
— reputation of the accessed URL
Use Case with Data Points
When a host (srcip
) accesses a URL with a reputation (srcip_reputation
) as potential malware hosting (MalAccess
), an alert is triggered. The Interflow includes the source host IP address (srcip
), the URL accessed (url
), and the reputation of the URL (url_reputation
).
Phishing URL
A connection to a site with a phishing reputation was observed. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is phishing
.
Severity
30
Key Fields and Relevant Data Points
srcip
— source IP address of the connection to the phishing URL reputation sitedstip
— destination IP address of the phishing URL reputation siteurl
— URL of the phishing sitedstip_host
— destination host namemetadata.response.subject_alt_name
— Subject Alternative Name of the phishing siteusername
— name of the visitordstip_geo.countryName
— destination countrysrcip_host
— source host name
Use Case with Data Points
If a connection from a source (scrip
) to a site with a phishing reputation is detected, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), URL of the site (url
), destination country (dstip_geo.countryName
), Subject Alternative Name of the site (metadata.response.subject_alt_name
), and user name (username
).
Possible Encrypted Phishing Site Visit
A possible phishing site visit to a recently registered domain was observed in encrypted traffic. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is encrypted_phishing_site
.
Severity
30
Key Fields and Relevant Data Points
metadata.response.effective_tld
— effective top-level domain of the possible phishing sitesrcip
— IP address of the visitor to the possible phishing sitedstip
— IP address of the possible phishing sitesrcip_host
— source host namedstip_host
— destination host namedstip_geo.countryName
— destination country
Use Case with Data Points
If an encrypted connection to a recently registered site (metadata.response.effective_tld
) is observed, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and effective top-level domain of the site (metadata.response.effective_tld
).
Possible Unencrypted Phishing Site Visit
A possible phishing site visit to a recently registered domain was observed in unencrypted traffic. Check with the user to determine whether their system is compromised.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: Initial Access (TA0001 )
-
Technique: Phishing (T1566 )
-
Tags: [Phishing; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is unencrypted_phishing_site
.
Severity
30
Key Fields and Relevant Data Points
metadata.response.effective_tld
— effective top-level domain of the possible phishing sitesrcip
— IP address of the visitor to the phishing sitedstip
— IP address of the possible phishing sitesrcip_host
— source host namedstip_host
— destination host namedstip_geo.countryName
— destination country
Use Case with Data Points
If an unencrypted connection to a recently registered site (metadata.response.effective_tld
) is detected, an alert is triggered. The Interflow includes the source IP address (srcip
), source host (srcip_host
), destination IP address (dstip
), destination host (dstip_host
), destination country (dstip_geo.countryName
), and effective top-level domain of the site (metadata.response.effective_tld
).
Private to Private Exploit Anomaly
A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another private IP address. Investigate that signature.
This alert type has the following subtypes:
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_priv_priv
.
Severity
75
Alert Subtype: IDS Traffic Anomaly
The IDS Traffic Anomaly alert subtype is the same as the Private to Private Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isids_traffic_anomaly
. -
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Alert Subtype: IPS Traffic Anomaly
The IPS Traffic Anomaly alert subtype is the same as the Private to Private Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isips_traffic_anomaly
. -
The Tags are: [Internal; Network Traffic Analysis; IPS Detection]
-
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ips.signature
— signature of the exploitips.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Private to Private IPS Signature Spike
A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Propagation
-
Tactic: [Internal] Lateral Movement (TA0008 )
-
Technique: Exploitation of Remote Services (T1210 )
-
Tags: [Internal; Network Traffic Analysis; IPS Detection]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ips_signature_spike_priv_priv
.
Severity
75
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.ips_signatures_summarize
— signatures of the exploitsrcip_host
— host name of corresponding source IP addressactual
— actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Private to Public Exploit Anomaly
A private IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a public IP address. Investigate that signature.
This alert type has the following subtypes:
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_priv_pub
.
Severity
60
Alert Subtype: IDS Traffic Anomaly
The IDS Traffic Anomaly alert subtype is the same as the Private to Public Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isids_traffic_anomaly
. -
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Alert Subtype: IPS Traffic Anomaly
The IPS Traffic Anomaly alert subtype is the same as the Private to Public Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isips_traffic_anomaly
. -
The Tags are: [External; Network Traffic Analysis; IPS Detection]
-
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ips.signature
— signature of the exploitips.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Private to Public IPS Signature Spike
A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis; IPS Detection]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ips_signature_spike_priv_pub
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.ips_signatures_summarize
— signatures of the exploitsrcip_host
— host name of corresponding source IP addressactual
— actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Public to Private Exploit Anomaly
A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to a private IP address. Investigate that signature.
This alert type has the following subtypes:
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_pub_priv
.
Severity
60
Alert Subtype: IDS Traffic Anomaly
The IDS Traffic Anomaly alert subtype is the same as the Public to Private Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isids_traffic_anomaly
. -
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Alert Subtype: IPS Traffic Anomaly
The IPS Traffic Anomaly alert subtype is the same as the Public to Private Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isips_traffic_anomaly
. -
The Tags are: [External; Network Traffic Analysis; IPS Detection]
-
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ips.signature
— signature of the exploitips.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Public to Private IPS Signature Spike
A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis; IPS Detection]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ips_signature_spike_pub_priv
.
Severity
60
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.ips_signatures_summarize
— signatures of the exploitsrcip_host
— host name of corresponding source IP addressactual
— actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Public to Public Exploit Anomaly
A public IP address initiated a large number of exploit attempts identified by a given signature or a rarely seen exploit attempt to another public IP address. Investigate that signature.
This alert type has the following subtypes:
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis]
Event Name
The xdr_event.name
for this alert type in the Interflow data is exploit_attempt_pub_pub
.
Severity
50
Alert Subtype: IDS Traffic Anomaly
The IDS Traffic Anomaly alert subtype is the same as the Public to Public Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isids_traffic_anomaly
. -
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ids.signature
— signature of the exploitids.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IDS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IDS signatures (ids.signature
), weighted by their severity (ids.severity
), are calculated periodically. If many different exploits with unique IDS signatures are observed, an alert is triggered. . The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IDS signatures (actual
), the usual accumulated severity of IDS signatures (typical
), and a sampling of the IDS signatures used in the attack (ids_signatures_summarize
).
Alert Subtype: IPS Traffic Anomaly
The IPS Traffic Anomaly alert subtype is the same as the Public to Public Exploit Anomaly alert type above, with the following differences:
-
The
xdr_event.subtype.name
for this alert subtype in the Interflow data isips_traffic_anomaly
. -
The Tags are: [External; Network Traffic Analysis; IPS Detection]
-
The Key Fields and Relevant Data Points and Use Case with Data Points are as follows:
Key Fields and Relevant Data Points
ips.signature
— signature of the exploitips.severity
— severity of the exploitactual
— actual number of times this signature was found in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of times this signature is seen in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1srcip_host
— host name of corresponding source IP addressdstip_host
— host name of corresponding destination IP address
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).
Public to Public IPS Signature Spike
A source IP address transmitted an anomalous number of different IPS signatures. Typically, this indicates host penetration or vulnerability scanning.
XDR Kill Chain
-
Kill Chain Stage: Initial Attempts
-
Tactic: [External] Initial Access (TA0001 )
-
Technique: Exploit Public-Facing Application (T1190 )
-
Tags: [External; Network Traffic Analysis; IPS Detection]
Event Name
The xdr_event.name
for this alert type in the Interflow data is ips_signature_spike_pub_pub
.
Severity
50
Key Fields and Relevant Data Points
srcip
— source IP addressevent_summary.ips_signatures_summarize
— signatures of the exploitsrcip_host
— host name of corresponding source IP addressactual
— actual number of unique IPS signatures in the period, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1typical
— typical number of unique IPS signatures from the source IP address, with critical IPS signatures counted as 2, high counted as 1, low counted as 0.5, and others counted as 1
Use Case with Data Points
The number of unique IPS signatures (ips.signature
), weighted by their severity (ips.severity
), are calculated periodically. If many different exploits with unique IPS signatures are observed, an alert is triggered. Additionally, the action (ips.action
) taken by the IPS affects the alert fidelity. The Interflow includes a source IP address (srcip
), timestamp, an accumulated severity of IPS signatures (actual
), the usual accumulated severity of IPS signatures (typical
), and a sampling of the IPS signatures used in the attack (ips_signatures_summarize
).