Alert Types That Use the Traffic Index

The Alert Types listed below use the Traffic Index . For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

Application Usage Anomaly

An internal application had an anomalously large number of connections to one or more external hosts in a measured interval, exceeding 99.99% of all other intervals corresponding to different applications in the past two weeks. Investigate the application and connections, and consider blocking connections from the application.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is pripub_appid.

Severity

15

Key Fields and Relevant Data Points

  • appid — application ID
  • appid_name — application name
  • actual — actual number of connections in the period
  • stellar.threshold — threshold number of connections per interval below which 99.99% of all other intervals, corresponding to different applications in the past two weeks, fall
  • srcip_host — host name of a sample source IP address
  • srcip_geo.countryName — source country
  • dstip_host — host name of a sample destination IP address

Use Case with Data Points

Every application's (appid) number of connections is calculated periodically. If an application’s connections (actual) are larger than the threshold (stellar.threshold) below which 99.99% of all other intervals corresponding to different applications in the past two weeks fall, an alert is triggered. The Interflow includes a sample source host (srcip_host), the source country (srcip_geo.countryName), and a sample destination host (dstip_host). If there are multiple source or destination hosts, view the list in the Original Records.

Bad Destination Reputation Anomaly

A destination IP address with a bad reputation has received an anomalously large number of connections. Investigate the connections and consider blocking the destination IP address.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR Intel (XTA0005)

  • Technique: XDR Bad Reputation (XT2010)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dstip_bad_reps.

Severity

30

Key Fields and Relevant Data Points

  • dstip — destination IP address
  • dstip_host — destination host name
  • dstip_reputation — destination reputation
  • actual — actual number of connections to the destination IP address in the period
  • typical — typical number of connections to the destination IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • appid_name — application name

Use Case with Data Points

The number of connections for every destination IP address (dstip) with a bad reputation (dstip_reputation) is calculated periodically. If a destination IP address's number of connections (actual) is much larger than the typical historical number (typical), an alert is triggered. The Interflow includes the source IP address making the connection (srcip_host), the application (appid_name) used, and the reputation of the source host (srcip_reputation).

Bad Reputation Login

A successful login was observed from an IP address with a history of malicious activity. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Bad Reputation (XT2010)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is bad_reputation_login.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation (if not empty)
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name

Use Case with Data Points

The login records are checked for every source IP address (srcip). If a source IP address has successful login records and its reputation (srcip_reputation) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes source IP address (srcip), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), login type (login_type), and user name (username).

Bad Source Reputation Anomaly

A source IP address with a bad reputation has made an anomalously large number of connections. Investigate the connections and consider blocking the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Bad Reputation (XT2010)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is srcip_bad_reps.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • actual — actual number of connections in the period
  • typical — typical number of connections from the source IP address
  • dstip_host — host name of corresponding destination IP address
  • dstip_reputation — destination reputation
  • appid_name — application name

Use Case with Data Points

The number of connections for every source IP address (srcip) with a bad reputation (srcip_reputation) is calculated periodically. If a source IP address's number of connections (actual) is much larger than the typical historical number (typical), an alert is triggered. The Interflow includes the application (appid_name) used and the reputation of the destination host (dstip_reputation).

Command & Control Reputation Anomaly

An anomalously large number of connections were made to known command and control servers. Investigate the connections and source hosts. If malicious, block the IP addresses of the command and control servers.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR Intel (XTA0005)

  • Technique: XDR Command and Control Reputation (XT5001)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is cnc_reputation.

Severity

70

Key Fields and Relevant Data Points

  • dstip — destination IP address
  • dstip_host — destination host name
  • dstip_reputation — destination reputation
  • actual — actual number of connections in the period
  • typical — typical number of connections to the destination IP address with a C&C reputation
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • appid_name — application name

Use Case with Data Points

The number of connections for every destination IP (dstip) with a command and control reputation (dstip_reputation) is calculated periodically. If a destination IP has a much higher number of connections (actual) than its history (typical) in any period, an alert is triggered. The Interflow includes the application used in the connection (appid_name), the source host (srcip_host), and the source reputation (srcip_reputation).

Cryptojacking

An unauthorized coin miner used a computer to mine cryptocurrency. Consider blocking the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Impact (TA0040 )

  • Technique: Resource Hijacking (T1496 )

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is cryptojacking.

Severity

70

Key Fields and Relevant Data Points

  • ids.signature — IDS signature
  • srcip — source IP address of the cryptojacking action
  • dstip — destination IP address of the cryptojacking action
  • srcip_reputation — source reputation
  • srcip_host — source host name
  • dstip_reputation — destination reputation
  • dstip_host — destination host name

Use Case with Data Points

If an unauthorized coin miner is detected by IDS, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source IP address (srcip), source reputation (srcip_reputation), source host (srcip_host), destination IP address (dstip), destination reputation (dstip_reputation), and destination host (dstip_host).

DGA

A host is using a potential Domain Generation Algorithm (DGA). If the target domain is a malicious domain, the host might be compromised. Investigate the DGA domains and the host.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Command and Control (TA0011 )

  • Technique: Dynamic Resolution (T1568 )

  • Sub-technique: Domain Generation Algorithms (T1568.002 )

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dga_resolvable.

Severity

75

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that sends the DGA queries
  • metadata.request.effective_tld — effective top-level domain of the DNS query
  • srcip_host — source host name
  • is_dga — flag marking whether or not the DNS query is a DGA query
  • actual — number of DGA domains the host has queried

Use Case with Data Points

Whenever a host (srcip) sends a DNS query (appid_name: dns) and the DNS server returns a non-existent domain (NXDOMAIN) response (metadata.response.reply_code), the NX domain query counter for the host is increased. We reset the counter if no NX domain queries are observed for a period of time. When the counter reaches a certain threshold, the host is monitored. When monitored, we run the FQDNs of all DNS queries (metadata.response.query) sent by this host through domain generation analytics to determine whether the domain's entropy indicates a DGA anomaly. If so, we mark the DNS record (is_dga). If the DNS query gets a response with valid resolved IP addresses (metadata.response.resolved_ips), we call it a resolvable query, otherwise we call it a non-resolvable query.

If a monitored host (srcip) sends a resolvable DGA query (is_dga: yes_resolvable), we check the effective top-level domain (metadata.response.effective_tld). If the same host (srcip) previously sent non-resolvable DGA queries (is_dga: yes) with the same effective top-level domain (metadata.response.effective_tld), the host is considered to have a high risk of being compromised and performing C&C with DGA. The Interflow includes the source host (srcip), DNS query (metadata.response.query), query effective top-level domain (metadata.response.effective_tld), and DGA flag (is_dga).

DHCP Server Anomaly

A new DHCP server appeared in the network. This could be a hacker attempting to steer traffic. Investigate and consider telling employees to avoid this server.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Server Anomaly (XT2007)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dhcp_anomaly.

Severity

20

Key Fields and Relevant Data Points

  • metadata.response.server_ip — IP address of the anomalous DHCP server
  • dstip — IP address of the anomalous DHCP destination
  • engid — sensor that reported the DHCP traffic
  • srcip_host — host name that visited the suspicious DHCP server
  • srcip_geo.countryName — country name of the source that visited the suspicious DHCP server

Use Case with Data Points

If a DHCP server that has never been seen before appears in the network, an alert is triggered. The Interflow includes the destination IP address (dstip), destination host (dstip_host), source host (srcip_host), and source country (srcip_geo.countryName).

DNS Tunneling Anomaly

An anomalously large number of connections tunneling high-entropy traffic through DNS were made. This can indicate data exfiltration. Investigate the tunnel and source host. If malicious, block the source host.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Exfiltration (TA0010 )

  • Technique: Exfiltration Over Alternative Protocol (T1048 )

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is dns_tunnel.

Severity

98

Key Fields and Relevant Data Points

  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • metadata.request.effective_tld — effective top-level domain, such as yahoo.com
  • metadata.request.query — DNS query
  • actual — actual number of bytes transmitted through the tunnel in the period
  • typical — typical number of bytes transmitted through a tunnel in the period
  • total_entropy — total entropy (information density) sent by the DNS tunnel
  • query_count — number of queries sent by the DNS tunnel

Use Case with Data Points

The DNS queries (metadata.requests.query) for each DNS tunnel (comprising the source host (srcip_host), destination host (dstip), and top-level domain (effective_tld)) are analyzed periodically. If a DNS tunnel has sent anomalously more entropy (total_entropy) and bytes (actual) than is normal (typical) in any period, an alert is triggered. The number of queries sent (query_count) is also considered.

Emerging Threat

An emerging threat has been observed. Investigate the IP address, domain name, or URL and consider blocking.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR Intel (XTA0005)

  • Technique: XDR Emerging Threat (XT5003)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is emerging_threat.

Severity

80

Key Fields and Relevant Data Points

  • srcip — source IP address marked as an emerging threat
  • dstip — destination IP address marked as an emerging threat
  • domain_list — domain marked as an emerging threat
  • url_list — URL marked as an emerging threat
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address

Use Case with Data Points

Stellar Cyber monitors traffic for emerging threats. An alert is triggered if emerging threats are observed in any of the following:

  • Source IP address (srcip)
  • Destination IP address (dstip)
  • URL (url_list)
  • Domain (domain_list)

Note that only one of these is needed to trigger the alert. So, although the Interflow includes the source IP address (srcip), destination IP address (dstip), URL (url_list), and domain (domain_list), not all the values may be populated, depending on the nature of the observed threat.

Exploited C&C Connection

An exploited host with vulnerabilities initiated a connection to the exploit attacker, which could indicate the host being compromised and performing C&C activities. See if the exploit was successful. Check the source host, and consider blocking.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Command and Control Connection Exploitation (XT2014)

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is exploit_attempt_correlation.

Severity

75

Key Fields and Relevant Data Points

  • tenant_id — tenant ID
  • exploit_id — ID of the original exploit event
  • seen_traffic_id — ID of the original Interflow traffic record
  • srcip (of exploit event) — IP address of the attacker (correlation_info.srcip)
  • dstip (of exploit event) — IP address of the target host (correlation_info.dstip)
  • srcip (of traffic record) — IP address of the target host (correlation_info.srcip)
  • dstip (of traffic record) — IP address of the attacker (correlation_info.dstip)

Use Case with Data Points

Two events are involved in this alert type. In the first event, an attacker (srcip) with the IP address A is performing an exploit against a target (dstip) with the IP address B. If, following that event, an Interflow traffic record is observed where the target host (srcip) with IP address B initiates a network connection to the attacker (dstip) whose IP address is A, an alert is triggered.

When an alert is triggered a new correlation event is generated. The Interflow of the correlation event includes the reference ID of the exploit event (exploit_id), the reference ID of the traffic record (seen_traffic_id), the IP address of the attacker (correlation_info.srcip of the exploit event or correlation_info.dstip of the traffic record), the IP address of the victim (correlation_info.dstip of the exploit event or correlation_info.srcip of the traffic record).

External Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has the following subtypes:

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_success_brute_forcer.

Severity

90

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related External User Login Failure Anomaly

Use Case with Data Points

The login records are checked for every external source IP address (srcip). An alert is triggered if that IP address:

  1. Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip_usersid.

Key Fields and Relevant Data Points

  • srcip_usersid — Windows SID associated with the source IP address
  • srcip — source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related External Account Login Failure Anomaly

Use Case with Data Points

The login records to a user account (srcip_usersid) are checked for every external source IP address (srcip). An alert is triggered if that user account:

  1. Has so many failed login attempts that it triggered the External Account Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

External Firewall Denial Anomaly

A source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Firewall Anomaly (XT2002)

  • Tags: [External; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_fw_action.

Severity

40

Key Fields and Relevant Data Points

  • srcip — source host IP address
  • srcip_host — source host IP address
  • actual — actual number of firewall denials in the period
  • typical — typical number of firewall denials in the period
  • dstip_host — host name of corresponding destination IP address
  • dev_name — name of the firewall
  • engid_name — name of the sensor

Use Case with Data Points

The number of firewall denials for every source IP address (srcip) is calculated periodically. If a source IP address’s number of firewall denials (actual) is much larger than the historical count (typical) of all IP addresses, an alert is triggered. The Interflow includes the name of the firewall (dev_name), the name of the sensor (engid_name), and the destination host (dstip_host).

External Firewall Policy Anomaly

A rarely triggered firewall policy has been violated. Investigate that policy and track down the violation.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Firewall Anomaly (XT2002)

  • Tags: [External; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_fw_policy_id.

Severity

20

Key Fields and Relevant Data Points

  • fw_policy_id — ID of the violated firewall policy
  • days_silent — number of days since this firewall policy was last seen
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • dev_name — device name
  • dev_type — device type
  • engid_name — sensor name

Use Case with Data Points

A firewall policy violation (fw_policy_id), which is raised by a device (dev_name and dev_type) and captured by a sensor (engid_name), shows never seen or very rare (days_silent) traffic between a host (srcip_host) and another host (dstip_host). This violation will trigger an alert.

External Handshake Failure

There were too many handshake failures between two hosts, which might indicate port scanning. Check the source host to see if this was expected and, if not, consider blocking the host.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Reconnaissance (TA0043 )

  • Technique: Active Scanning (T1595 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_handshake_failure.

Severity

10

Key Fields and Relevant Data Points

  • srcip — source IP address of the host with the handshake failures
  • srcip_host — source host name
  • dstip — destination IP address of the host with the handshake failures
  • dstip_host — destination host name
  • timestamp — when the scan happened

Use Case with Data Points

If a host (srcip) scans across many ports on another host (dstip), an alert is triggered. The Interflow includes the IP address of the potential attacker (srcip), the IP address of the victim (dstip), a special message flag (msgtyp), and when the scan happened (timestamp).

External IP / Port Scan Anomaly

A host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. If the source IP address is internal targeting an external address, check with the user. If the source IP address is external targeting any addresses, it could be a scanning campaign.

This alert type has the following subtypes:

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Reconnaissance (TA0043 )

  • Technique: Active Scanning (T1595 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_port_scan.

Severity

10

Alert Subtype: Connection Failure Anomaly (Sensor Traffic)

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_failure_anomaly.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • num_failed — unique number of (destination IP and destination port) tuples that respond with failed status
  • num_successful — unique number of (destination IP and destination port) tuples that respond with success status
  • percent_failed — percent of unique (destination IP and destination port) tuples that respond with failed status
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

For every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address (srcip), the number of response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.

Validation / Remediation

If the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized.

If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner.

Potential False Positives

Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address.

Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_spike_anomaly.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Reconnaissance (TA0043 )

  • Technique: Active Scanning (T1595 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_port_scan_tsa.

Severity

10

Key Fields and Relevant Data Points

  • srcip — source IP address
  • actual — actual number of connections to the destination IP address in the period
  • typical — typical number of connections to the destination IP address
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

For every unique (destination IP address and destination port) browsed by each source IP address (srcip), the number of response failures and successes and the number of total data volume are calculated periodically. If the total data volume is significantly larger than the typical number, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.

Validation / Remediation

If the source IP address is internal targeting an external address, check with the user if they are aware of the activity or if they are authorized to perform the activity. Inform the user's supervisor if the activity is unauthorized.

If the source IP address is external targeting any addresses, check the reputation of the source IP address as in known malicious/scanner.

Potential False Positives

Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type, if from an external IP address to an internal IP address.

External Non-Standard Port Anomaly

An application had an anomalously large number of connections or a rarely seen connection on non-standard ports. Check the application to be sure this is benign.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: [External] Command and Control (TA0011 )

  • Technique: Non-Standard Port (T1571 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_non_std_port_anomaly.

Severity

15

Key Fields and Relevant Data Points

  • dstip — destination IP address
  • dstport — destination port
  • appid — application ID
  • days_silent — number of days since the application was last seen
  • appid_name — application name
  • dstip_host — host name of corresponding destination IP address
  • actual — actual number of connections in the period
  • typical — typical number of connections in the period

Use Case with Data Points

The number of connections for an application (dst_ip + dstport + appid) is calculated periodically. If a non-standard combination has an actual number of connections (actual) that is much larger than the typical number of connections (typical), or the combination has not appeared for a long time, an alert is triggered. The Interflow includes the source host (srcip_host), destination IP address (dstip), destination port (dstport), application ID (appid), and application name (appid_name).

External Plain Text Passwords Detected

A plain text password was detected in unencrypted traffic. Check with the user.

This alert type looks for the presence of metadata.request.password and metadata.request.auth_password in the Interflow records from the sensors. When plain text passwords are present in the network traffic, the sensors are able to decode and create the corresponding Interflow fields. To preserve privacy, the actual passwords are replaced by a sequence of asterisks (*).

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Clear Password (XT2006)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_clear_password.

Severity

10

Key Fields and Relevant Data Points

  • srcip — source IP address
  • actual — actual number of connections with a plain text password in the period
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

If there are plain text passwords in unencrypted traffic records with a public source IP address (srcip) or destination IP address (dstip), an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), destination host (dstip_host), and application (appid_name).

External Protocol Account Login Failure Anomaly

An anomalously large number of login failures over SMB or FTP was observed. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_protocol_account_login_failure.

Severity

35

Key Fields and Relevant Data Points

  • metadata.request.username — user name in the HTTP connection request
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • appid_name — application name
  • login_type — type of login
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation

Use Case with Data Points

For every user name (metadata.request.username) in the HTTP connections names (that do not begin with "Mozilla" or "Aella"), the number of failed and successful logins are calculated periodically. If the number of failed logins is much greater than successful logins, an alert is triggered. The Interflow includes the application name (appid_name), login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

External RDP Brute Force Attack

An anomalously large number of RDP connections to an RDP server was observed. Check the source IP addresses to determine whether they are unknown or malicious, and monitor any successful RDP logins.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [External; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_brute_force.

Severity

30

Key Fields and Relevant Data Points

  • dstip — IP address of the destination RDP server
  • dstip_host — destination host name
  • actual — actual number of RDP connections to the destination IP address in the observed time bucket
  • typical — typical number of RDP connections to the destination IP address in most time buckets
  • srcip — source IP address
  • srcip_host — source host name

Use Case with Data Points

RDP connection activity is monitored and the number of connections are calculated periodically. If the number of connections to an RDP server (actual) is much greater than normal (typical), an alert is triggered. A sample Interflow includes the destination IP address (dstip) and source IP address (srcip).

External RDP Suspicious Outbound

Non-standard tools connecting to TCP port 3389 were observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [External; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_suspicious_outbound.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
  • srcip_host — source host name
  • process_name — process name

Use Case with Data Points

Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:

  • mstsc.exe
  • RTSApp.exe
  • RTS2App.exe
  • RDCMan.exe
  • ws_TunnelService.exe
  • RSSensor.exe
  • RemoteDesktopManagerFree.exe
  • RemoteDesktopManager.exe
  • RemoteDesktopManager64.exe
  • mRemoteNG.exe
  • mRemote.exe
  • Terminals.exe
  • spiceworks-finder.exe
  • FSDiscovery.exe
  • FSAssessment.exe
  • MobaRTE.exe
  • chrome.exe
  • thor.exe
  • thor64.exe

External SMB Read Anomaly

An IP address sent an anomalously large number of read requests to SMB protocol based service(s). Investigate the files that the IP address tried to read. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Initial Access (TA0001 )

  • Technique: Exploit Public-Facing Application (T1190 )

  • Tags: [External; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_read_anomaly.

Severity

15

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • actual — actual number of SMB reads from the source IP address in the period
  • typical — typical number of SMB reads from other source IP addresses in the period
  • dstip_host — destination host name
  • smb_username — SMB user name
  • event_summary.smb_path_list — folders experiencing a high volume of SMB read requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB read requests for every source IP address (srcip) is calculated periodically. If a source IP address’s number of SMB reads (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

External SMB Username Enumeration

At least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from the same source. Check the source IP address. If malicious, consider blocking it.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [External; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_user_scan.

Severity

40

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • actual — actual unique SMB user count
  • typical — SMB user count threshold
  • smb_username_set — all SMB login user names

Use Case with Data Points

If one source IP address (srcip) has several SMB login attempts with (1) at least 5 unique user names and at least 1 denied attempt or (2) at least 10 unique user names, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), destination host (dstip_host), and all the user names (smb_username_set).

External SMB Write Anomaly

An IP address sent an anomalously large number of SMB write requests. Investigate the files that the IP address tried to write. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: [External] Impact (TA0040 )

  • Technique: Data Manipulation (T1565 )

  • Tags: [External; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_smb_anomaly.

Severity

30

Key Fields and Relevant Data Points

  • srcip_host — source host name
  • actual — actual number of SMB writes in the period
  • typical — typical number of SMB writes in the period
  • dstip_host — destination host name
  • smb_username — SMB user name
  • event_summary.smb_path_list — folders experiencing a high volume of SMB write requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB write requests for every source IP address (srcip_host) is calculated periodically. If a source IP address’s number of SMB writes (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

External SQL Anomaly

An IP address sent an anomalously large number of queries to one or more SQL servers. Investigate the queries. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Initial Access (TA0001 )

  • Technique: Exploit Public-Facing Application (T1190 )

  • Tags: [External; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_mysql_anomaly.

Severity

15

Key Fields and Relevant Data Points

  • srcip_host — source host name
  • srcip_geo.countryName — name of the source country
  • actual — actual number of SQL queries in the period
  • typical — typical number of SQL queries from the source IP address
  • dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of SQL queries for every source IP address (srcip_host) is calculated periodically. If a source IP’s SQL query count (actual) is much larger than the typical count (typical) and that of other IP addresses in any period, an alert is triggered. The source IP’s country is (srcip_geo.countryName). The Interflow includes the destination host (dstip_host) the source IP visits.

External SQL Dumpfile Execution

The SQL dumpfile command was observed. This command is commonly used to dump database content or query output to a file on disk. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [External] Collection (TA0009 )

  • Technique: Data Staged (T1074 )

  • Tags: [External; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_sql_db_dump.

Severity

75

Key Fields and Relevant Data Points

  • srcip — source IP address
  • actual — number of SQL dumpfile queries
  • srcip_host — source host name
  • source_geo.countryName — source country
  • dstip_host — destination host name

Use Case with Data Points

If the SQL dumpfile command is seen on any source IP address (srcip), an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), and number of SQL dumpfile queries in the period (actual).

External SQL Shell Command

Shell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: [External] Execution (TA0002 )

  • Technique: Command and Scripting Interpreter (T1059 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_database_command.

Severity

40

Key Fields and Relevant Data Points

  • srcip — source IP address
  • dstip — destination IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • dstip_host — destination host name
  • dstip_reputation — destination reputation
  • metadata.request.query — SQL query command
  • actual — number of query records from one source to one destination in one period

Use Case with Data Points

For SQL query records, if special commands (such as select mylab_sys_exec) are found, an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), source reputation (srcip_reputation), destination host (dstip_host), destination reputation (dstip_reputation), and SQL query records (metadata.request.query).

External Suspected Malicious User Agent

An external HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination.

This alert type has the following subtypes:

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR User Agent Anomaly (XT2012)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_suspected_malicious_user_agent.

Severity

30

Key Fields and Relevant Data Points

  • metadata.request.user_agent — user agent in the HTTP connection request
  • stellar.confidence — model's confidence in the prediction
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

If a seen user agent is identified as suspicious, an alert is triggered. The alert includes the suspicious user agent (metadata.request.user_agent), confidence (stellar.confidence), tenant (tenant_name), source IP (srcip), and destination IP (dstip) in the key fields. Additionally, the confidence level of the model is displayed in the alert description in a pop-up box.

Alert Subtype: Predicted Malicious Agent

The Predicted Malicious Agent alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:

  • The stellar.anomaly_tag is predicted_external.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_suspected_malicious_user_agent.

  • It is triggered by a machine learning classifier.

Alert Subtype: Known Malicious Agent Match

The Known Malicious Agent Match alert subtype is the same as the External Suspected Malicious User Agent alert type above, with the following differences:

  • The stellar.anomaly_tag is known_external.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_suspected_malicious_user_agent_known_malicious.

  • It is triggered by known threats.

External SYN Flood Attacker

An attacker sends a large amount of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: [External] Impact (TA0040 )

  • Technique: Endpoint Denial of Service (T1499 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_syn_flood_attacker.

Severity

10

Key Fields and Relevant Data Points

  • srcip — source IP address of the SYN flood
  • dstip — target IP address of the SYN flood
  • srcip_host — source host name
  • dstip_host — destination host name
  • dstport — port on target host that received the SYN flood
  • syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an external host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

External SYN Flood Victim

A large amount of SYN requests were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: [External] Impact (TA0040 )

  • Technique: Endpoint Denial of Service (T1499 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_syn_flood.

Severity

10

Key Fields and Relevant Data Points

  • srcip — source IP address of the SYN flood
  • dstip — target IP address of the SYN flood
  • srcip_host — source host name
  • dstip_host — destination host name
  • dstport — port on target host that received the SYN flood
  • syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an external host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

External URL Reconnaissance Anomaly

An anomalous number of HTTP 4xx errors were observed. This can indicate an attacker scanning for pages to exploit. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Reconnaissance (TA0043 )

  • Technique: Active Scanning (T1595 )

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_url_scan.

Severity

20

Key Fields and Relevant Data Points

  • srcip — source IP address
  • event_summary.total_failed — number of unique URLs with HTTP error status response in the period
  • event_summary.total_successful — number of unique URLs with HTTP success status response in the period
  • event_summary.total_fail_ratio — percent of unique URLs with HTTP error status response in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • srcip_geo.countryName — source country name

Use Case with Data Points

For every unique URL browsed by each source IP address (srcip), the number of HTTP response failures and successes is calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and source country (srcip_geo.countryName).

External User Application Usage Anomaly

A user who typically uses a small, consistent number of applications used a new application. Investigate the application, to see if it is benign. Check with the user to see if this was expected.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_uncommon_app.

Severity

15

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID
  • appid_name — application name
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_family — application family
  • srcip_username — source user name
  • stability — score measuring the time since the last new application was used
  • days_stable — time since the last new application was used
  • diversity — score measuring the number of applications that the user used
  • child_count — number of applications that the user used

Use Case with Data Points

An alert is triggered under the following conditions:

  • a user (srcip_usersid, srcip_username) with a small number of applications (diversity, child_count) who has not used a new application for a long period of time (stability, days_stable), and then

  • a new application (appid_name) belonging to an application family (appid_family) appears on a host (scrip_host) with this user, and

  • that host connects to another host (scrip_host)

External User Data Volume Anomaly

A user had an anomalously large volume of traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected.

Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Bytes Anomaly (XT3001)

  • Tags: [External; User Behavior Analytics; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_bytes_sum.

Severity

30

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID
  • actual — actual traffic volume in the period
  • typical — typical traffic volume from the user
  • srcip_host — host name of corresponding source IP address
  • srcip_username — source user name
  • dstip_host — host name of corresponding destination IP address
  • dstip_reputation — destination reputation
  • dstip_geo.countryName — destination country
  • appid_name — application name

Use Case with Data Points

The total traffic volume of each user identified by user ID (scrip_usersid) is calculated periodically. If the volume in one period (actual) is much larger than its normal volume (typical), an alert is triggered.

The Interflow includes the source IP address (scrip_host), destination IP address (dstip_host), destination reputation (dstip_reputation), destination country (dstip_geo.countryName), and application of the traffic (appid_name).

External User Login Failure Anomaly

An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_login_fail.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • dstip — destination IP address
  • dstip_host — destination host name
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
  • srcip_host — source host name
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Alert Subtype: Office 365 / Entra ID

The Office 365 / Entra ID alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Office 365 and Microsoft Entra ID (formerly Azure AD).

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_o365_azure.

Alert Subtype: Source IP Based

The Source IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_srcip.

Alert Subtype: Destination IP Based

The Destination IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_dstip.

Alert Subtype: Kerberos Events

The Kerberos Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Kerberos events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_kerberos.

Alert Subtype: Source IP Based Windows Logon Events

The Source IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_src_win_logon.

Alert Subtype: Destination IP Based Windows Logon Events

The Destination IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_dst_win_logon.

Impossible Travel Anomaly

A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

For the Impossible Travel Anomaly, there are two chances for ingestion delay, so the slowest of the two records will define the delay. This alert type is also sensitive to the order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Location Anomaly (XT2001)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_impossible_travel.

Severity

60

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the source user
  • srcip_username — source user name
  • srcip — source IP address
  • srcip_host — source host name
  • engid_gateway — gateway IP address, used to determine the geo location when the source IP address is private
  • srcip_geo — source IP address geo location, including latitude and longitude
  • distance_deviation — deviation in distance (miles) between the two login locations
  • time_deviation — deviation in time (seconds) between the two login events
  • travel_speed — calculated speed for the user to travel between the two location (miles/hour)
  • appid_name — application name for the login event
  • last_login_time — time of 2nd login, event 2 (E2)
  • _id2 — ID of E2
  • _index2 — index of E2
  • srcip2 — source IP address of E2
  • srcip_geo2 — source IP address geo location of E2, including latitude and longitude

Use Case with Data Points

Login events (E1 and E2) are examined for a user (srcip_usersid), to see if the login locations (srcip_geo and srcip_geo2), that are at least 100 miles apart, changed faster (travel_speed = distance_deviation/time_deviation) than possible with the typical commercial flight speed of 600 miles/hour.

E1 is the basis for the Interflow. The srcip_usersid and srcip_username identify the user, appid_name identifies the application, and last_login_time identifies the time when the 2nd login event happened. You can find detailed information about E2 by checking id2 in index2, source IP (srcip2), and geo location (srcip_geo2).

Internal Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has the following subtypes:

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [Internal; Brute Force]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_success_brute_forcer.

Severity

95

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip_usersid.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related Internal User Login Failure Anomaly

Use Case with Data Points

The login records to an internal IP address (dstip) are checked for every internal source IP address (srcip). An alert is triggered if that IP address:

  1. Has so many failed login attempts that it triggered the Internal User Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related Internal Account Login Failure Anomaly

Use Case with Data Points

The login records to a user account (srcip_usersid) are checked for every internal source IP address (srcip). An alert is triggered if that user account:

  1. Has so many failed login attempts that it triggered the Internal Account Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Internal Firewall Denial Anomaly

An internal source host had actions blocked by a firewall too many times. Investigate the firewall rules that were violated. If suspicious, block the internal source IP address.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Firewall Anomaly (XT2002)

  • Tags: [Internal; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_fw_action.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • actual — actual number of firewall denials in the period
  • typical — typical number of firewall denials in the period
  • dstip_host — host name of corresponding destination IP address
  • dev_name — name of the firewall
  • engid_name — name of the sensor

Use Case with Data Points

The number of firewall denials for every internal source IP address (srcip) is calculated periodically. If an internal source IP address’s number of firewall denials (actual) is much larger than the historical count (typical) of all internal IP addresses, an alert is triggered. The Interflow includes the name of the firewall (dev_name), the name of the sensor (engid_name), and the destination host (dstip_host).

Internal Firewall Policy Anomaly

A rarely triggered firewall policy involving an internal source IP address and internal destination IP address has been violated. Investigate that policy and track down the violation.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Firewall Anomaly (XT2002)

  • Tags: [Internal; Firewall Anomalies; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_fw_policy_id.

Severity

40

Key Fields and Relevant Data Points

  • fw_policy_id — ID of the violated firewall policy
  • days_silent — number of days since this firewall policy was last seen
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • dev_name — device name
  • dev_type — device type
  • engid_name — sensor name

Use Case with Data Points

A firewall policy violation (fw_policy_id), which is raised by a device (dev_name and dev_type) and captured by a sensor (engid_name), shows never seen or very rare (days_silent) traffic between an internal host (srcip_host) and another internal host (dstip_host). This violation will trigger an alert.

Internal Handshake Failure

There were too many handshake failures between two internal hosts, which might indicate port scanning. Check the source host to see if this was expected, and if not, consider blocking the host.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] Discovery (TA0007 )

  • Technique: Network Service Scanning (T1046 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_handshake_failure.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address of the host with the handshake failures
  • srcip_host — source host name
  • dstip — destination IP address of the host with the handshake failures
  • dstip_host — destination host name
  • timestamp — when the scan happened

Use Case with Data Points

If an internal host (srcip) scans across many ports on another internal host (dstip), an alert is triggered. The Interflow includes the IP address of the potential attacker (srcip), the IP address of the victim (dstip), a special message flag (msgtyp), and when the scan happened (timestamp).

Internal IP / Port Scan Anomaly

A host has either generated an anomalous number of connections compared to the typical amount, or has triggered an anomalous number of connection failure responses, in the measured interval. This can indicate that an attacker is scanning for computers or ports to exploit. Check with the user.

This alert type has the following subtypes:

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] Discovery (TA0007 )

  • Technique: Network Service Scanning (T1046 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_port_scan.

Severity

40

Alert Subtype: Connection Failure Anomaly (Sensor Traffic)

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_failure_anomaly.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • num_failed — unique number of (destination IP and destination port) tuples that respond with failed status
  • num_successful — unique number of (destination IP and destination port) tuples that respond with success status
  • percent_failed — percent of unique (destination IP and destination port) tuples that respond with failed status
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

For each internal source IP address (srcip), the number of unique internal destination IP:port pairs that gave fail responses and the number of unique destination IP:port pairs that gave success responses are calculated periodically. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Validation / Remediation

Check with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized.

Potential False Positives

Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type.

Alert Subtype: Connection Spike Anomaly (Firewall / Windows Traffic)

Event Name

The xdr_event.subtype.name for this alert subtype in the Interflow data is connection_spike_anomaly.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • actual — actual number of connections to the destination IP address in the period
  • typical — typical number of connections to the destination IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

For every unique triplet (source IP address, destination IP address, and destination port) browsed by each source IP address (srcip), the number of response failures and successes and the number of total data volume are calculated periodically. If the number of failures is significantly larger than the number of successes, or the total data volume is significantly larger than the typical number, an alert is triggered. The Interflow includes the source host (srcip_host), destination host (dstip_host), and application name (appid_name).

Considering that a lateral scan (private to private) is more sensitive than a non-lateral scan, this alert type is divided into two parts. One focuses on lateral scan analysis, the other focuses on non-lateral scan analysis. The mechanism remains the same as before, with the trigger condition for lateral scan alert being more sensitive than non-lateral one.

Validation / Remediation

Check with the user related to the internal source IP address. Inform the user's supervisor if the activity is unauthorized.

Potential False Positives

Some legitimate activities such as vulnerability scans or penetration testing may trigger this alert type.

Internal Non-Standard Port Anomaly

An application had an anomalously large number of connections or a rarely seen connection to an internal IP address on non-standard ports. Check the application to be sure this is benign.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Service on Non-Standard Port (XT2011)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_non_std_port_anomaly.

Severity

20

Key Fields and Relevant Data Points

  • dstip — destination IP address
  • dstport — destination port
  • appid — application ID
  • days_silent — number of days since the application was last seen
  • appid_name — application name
  • dstip_host — host name of corresponding destination IP address
  • actual — actual number of connections in the period
  • typical — typical number of connections in the period

Use Case with Data Points

The number of connections for an application (dst_ip + dstport + appid) to an internal IP address is calculated periodically. If a non-standard combination has an actual number of connections (actual) that is much larger than the typical number of connections (typical), or the combination has not appeared for a long time, an alert is triggered. The Interflow includes the source host (srcip_host), destination IP address (dstip), destination port (dstport), application ID (appid), and application name (appid_name).

Internal Plain Text Passwords Detected

A plain text password was observed in unencrypted traffic between internal systems. Check with the user.

This alert type looks for the presence of metadata.request.password and metadata.request.auth_password in the Interflow records from the sensors. When plain text passwords are present in the network traffic, the sensors are able to decode and create the corresponding Interflow fields. To preserve privacy, the actual passwords are replaced by a sequence of asterisks (*).

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR Clear Password (XT2006)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_clear_password.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • actual — actual number of connections with a plain text password in the period
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

If there are plain text passwords in traffic records with a public source IP address (srcip) or destination IP address (dstip), an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), destination host (dstip_host), and application (appid_name).

Internal Protocol Account Login Failure Anomaly

An anomalously large number of login failures between internal IP addresses over SMB or FTP was observed. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_protocol_account_login_failure.

Severity

60

Key Fields and Relevant Data Points

  • metadata.request.username — user name in the HTTP connection request
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • appid_name — application name
  • login_type — type of login
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation

Use Case with Data Points

For every user name (metadata.request.username) in the HTTP connections names (that do not begin with "Mozilla" or "Aella"), the number of failed and successful logins are calculated periodically. If the number of failed logins is much greater than successful logins, an alert is triggered. The Interflow includes the application name (appid_name), login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Internal RDP Brute Force Attack

An anomalously large number of RDP connections from internal host(s) to an RDP server were observed. Check the source IP addresses to see if they are unknown or malicious, and monitor any successful RDP logins.

XDR Kill Chain

  • Kill Chain Stage:Propagation

  • Tactic: [Internal] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [Internal; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_rdp_brute_force.

Severity

50

Key Fields and Relevant Data Points

  • dstip — IP address of the destination RDP server
  • dstip_host — destination host name
  • actual — actual number of RDP connections to the destination IP address in the period
  • typical — typical number of RDP connections to the destination IP address in most time buckets
  • srcip — source IP address
  • srcip_host — source host name

Use Case with Data Points

RDP connection activity is monitored and the number of connections calculated periodically. If the number of connections from internal host(s) to an RDP server (actual) is much greater than normal (typical), an alert is triggered. A sample Interflow includes the destination IP address (dstip) and source IP address (srcip).

Internal RDP Suspicious Outbound

Non-standard tools from an internal host connecting to TCP port 3389 in the other internal host were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Lateral Movement (TA0008 )

  • Technique: Remote Services (T1021 )

  • Tags: [Internal; RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_rdp_suspicious_outbound.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
  • srcip_host — source host name
  • process_name — process name

Use Case with Data Points

Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:

  • mstsc.exe
  • RTSApp.exe
  • RTS2App.exe
  • RDCMan.exe
  • ws_TunnelService.exe
  • RSSensor.exe
  • RemoteDesktopManagerFree.exe
  • RemoteDesktopManager.exe
  • RemoteDesktopManager64.exe
  • mRemoteNG.exe
  • mRemote.exe
  • Terminals.exe
  • spiceworks-finder.exe
  • FSDiscovery.exe
  • FSAssessment.exe
  • MobaRTE.exe
  • chrome.exe
  • thor.exe
  • thor64.exe

Internal SMB Username Enumeration

At least 5 different users SMB login attempts and 1 denied attempt or at least 10 different users SMB login attempts, were observed from an internal IP address to other internal IP address(es). Check the source IP address. If malicious, consider blocking it.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [Internal; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_smb_user_scan.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • actual — actual unique SMB user count
  • typical — SMB user count threshold
  • smb_username_set — all SMB login user names

Use Case with Data Points

If an internal source IP address (srcip) has several SMB login attempts with (1) at least 5 unique user names and at least 1 denied attempt or (2) at least 10 unique user names, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), destination host (dstip_host), and all the user names (smb_username_set).

Internal SMB Read Anomaly

An internal IP address sent an anomalously large number of read requests to an internal SMB protocol based service(s). Investigate the files that this internal IP address tried to read. If suspicious, block the specific internal source IP address.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Lateral Movement (TA0008 )

  • Technique: Exploitation of Remote Services (T1210 )

  • Tags: [Internal; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_smb_read_anomaly.

Severity

20

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • actual — actual number of SMB reads from the source IP address in the period
  • typical — typical number of SMB reads from other source IP addresses in the period
  • dstip_host — destination host name
  • smb_username — SMB user name
  • event_summary.smb_path_list — folders experiencing a high volume of SMB read requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB read requests for every internal source IP address (srcip) is calculated periodically. If a source IP address’s number of SMB reads (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

Internal SMB Write Anomaly

An internal IP address sent an anomalously large number of SMB write requests to other internal IP address(es). Investigate the files that the IP address tried to write. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Lateral Movement (TA0008 )

  • Technique: Remote Services (T1021 )

  • Tags: [Internal; SMB; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_smb_anomaly.

Severity

40

Key Fields and Relevant Data Points

  • srcip_host — source host name
  • actual — actual number of SMB writes in the period
  • typical — typical number of SMB writes in the period
  • dstip_host — destination host name
  • smb_username — SMB user name
  • event_summary.smb_path_list — folders experiencing a high volume of SMB write requests (the first three are shown in the alert description)

Use Case with Data Points

The number of SMB write requests to internal IP address(es) for every internal source IP address (srcip_host) is calculated periodically. If a source IP address’s number of SMB writes (actual) is much larger than the typical number (typical) and that of other IP addresses in any period, an alert is triggered. The Interflow includes the SMB user (smb_username) and destination host (dstip_host).

Internal SQL Anomaly

An internal IP address sent an anomalously large number of queries to an internal SQL server. Investigate the queries. If suspicious, block the source IP address.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Lateral Movement (TA0008 )

  • Technique: Exploitation of Remote Services (T1210 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_mysql_anomaly.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • srcip_geo.countryName — source country
  • actual — actual number of SQL queries in the period
  • typical — typical number of SQL queries from the source IP address
  • dstip_host — destination host name

Use Case with Data Points

The number of SQL queries for every internal source IP address (srcip_host) is calculated periodically. If an internal source IP’s SQL query count (actual) is much larger than the typical count (typical) and that of other internal IP addresses in any period, an alert is triggered. The internal source IP’s country is (srcip_geo.countryName). The Interflow includes the internal destination host (dstip_host) the source IP visits.

Internal SQL Dumpfile Execution

The SQL dumpfile command between two internal IP addresses was observed. This command is commonly used to dump database content or query output to a file on disk. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] Collection (TA0009 )

  • Technique: Data Staged (T1074 )

  • Tags: [Internal; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_sql_db_dump.

Severity

75

Key Fields and Relevant Data Points

  • srcip — source IP address
  • actual — number of SQL dumpfile queries
  • srcip_host — source host name
  • source_geo.countryName — source country
  • dstip_host — destination host name

Use Case with Data Points

If any SQL dumpfile commands are detected between an internal source IP address (srcip) and an internal destination IP address (dstip), an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), source country (srcip_geo.countryName), destination host (dstip_host), and the number of SQL dumpfile queries in the period (actual).

Internal SQL Shell Command

Shell commands were observed over a SQL connection, which is a common way hackers try to gain shell access over vulnerable SQL applications. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: [Internal] Execution (TA0002 )

  • Technique: Command and Scripting Interpreter (T1059 )

  • Tags: [Internal; Database; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_database_command.

Severity

70

Key Fields and Relevant Data Points

  • srcip — source IP address
  • dstip — destination IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • dstip_host — destination host name
  • dstip_reputation — destination reputation
  • metadata.request.query — SQL query command
  • actual — number of query records from one source to one destination in one period

Use Case with Data Points

For SQL query records, if special commands (such as select mylab_sys_exec) are found, an alert is triggered. A sample Interflow includes the source IP address (srcip), destination IP address (dstip), source host (srcip_host), source reputation (srcip_reputation), destination host (dstip_host), destination reputation (dstip_reputation), and SQL query records (metadata.request.query).

Internal Suspected Malicious User Agent

An internal HTTP connection was made by a user agent that has been identified as potentially malicious. Investigate the connection's destination.

This alert type has the following subtypes:

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR User Agent Anomaly (XT2012)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_suspected_malicious_user_agent.

Severity

50

Key Fields and Relevant Data Points

  • metadata.request.user_agent — user agent in the HTTP connection request
  • stellar.confidence — model's confidence in the prediction used to make the alert
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name

Use Case with Data Points

If a seen user agent is identified as suspicious, an alert is triggered. The alert will contain the suspicious user agent (metadata.request.user_agent), confidence (stellar.confidence), tenant (tenant_name), source IP (srcip), and destination IP (dstip) in the key fields. Additionally, the confidence level of the model is displayed in the alert description in a pop-up box.

Alert Subtype: Predicted Malicious Agent

The Predicted Malicious Agent alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:

  • The stellar.anomaly_tag is predicted_internal.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_suspected_malicious_user_agent.

  • It is triggered by a machine learning classifier.

Alert Subtype: Known Malicious Agent Match

The Known Malicious Agent Match alert subtype is the same as the Internal Suspected Malicious User Agent alert type above, with the following differences:

  • The stellar.anomaly_tag is known_internal.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_suspected_malicious_user_agent_known_malicious.

  • It is triggered by known threats.

Internal SYN Flood Attacker

An internal attacker sends a large amount of SYN requests to internal target system(s) in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: [Internal] Impact (TA0040 )

  • Technique: Endpoint Denial of Service (T1499 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_syn_flood_attacker.

Severity

25

Key Fields and Relevant Data Points

  • srcip — source IP address of the SYN flood
  • srcip_host — source host name
  • dstip — target IP address of the SYN flood
  • dstip_host — destination host name
  • dstport — port on the target host that received the SYN flood
  • syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an internal host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

Internal SYN Flood Victim

A large amount of SYN requests to an internal target were observed, which can indicate an attempt to consume server resources and make the target unresponsive. Check to see if the host is malicious or compromised. If so, consider blocking the source host.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: [Internal] Impact (TA0040 )

  • Technique: Endpoint Denial of Service (T1499 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_syn_flood.

Severity

25

Key Fields and Relevant Data Points

  • srcip — source IP address for the SYN flood
  • srcip_host — source host name
  • dstip — target IP address of the SYN flood
  • dstip_host — destination host name
  • dstport — port on the target host that received the SYN flood
  • syn_flood_events — number of SYN packets during the period

Use Case with Data Points

If an internal host (srcip) sends too many SYN packets (syn_flood_events) to internal target(s) (dstip) in a five-minute time window, an alert is triggered. The Interflow includes the IP address of the source host (srcip), the IP address of the target host (dstip), the port of the target host (dstport), and how many SYN packets were observed (actual).

Internal URL Reconnaissance Anomaly

An anomalous number of HTTP 4xx errors from an internal IP address to other internal IP addresses were observed. This can indicate an attacker scanning for pages to exploit. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] Discovery (TA0007 )

  • Technique: Network Service Scanning (T1046 )

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_url_scan.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address
  • event_summary.total_failed — number of unique URLs with HTTP error status response in the period
  • event_summary.total_successful — number of unique URLs with HTTP success status response in the period
  • event_summary.total_fail_ratio — percent of unique URLs with HTTP error status response in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • srcip_geo.countryName — source country name

Use Case with Data Points

For each internal source IP address (srcip), the number of unique URLs that responded with failure HTTP status and the number of unique URLs that responded with success HTTP status are calculated periodically. If the fail metric is significantly larger than the success metric, an alert is triggered. A sample Interflow includes the source host (srcip_host), destination host (dstip_host), and source country (srcip_geo.countryName).

Internal User Application Usage Anomaly

An internal user who usually runs a few applications with internal service IP addresses suddenly runs a new application. Investigate the application to see if it is benign. Check with the user to see if this was expected.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] XDR UBA (XTA0004)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [Internal; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_uncommon_app.

Severity

10

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID
  • appid_name — application name
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_family — application family
  • srcip_username — source user name
  • stability — score measuring the time since the last new application was used
  • days_stable — time since the last new application was used
  • diversity — score measuring the number of applications that the user used
  • child_count — number of applications that the user used

Use Case with Data Points

An alert is triggered under the following conditions:

  • a user (srcip_usersid, srcip_username) with a small number of applications (diversity, child_count) who has not used a new application for a long period of time (stability, days_stable), and then

  • a new application (appid_name) belonging to an application family (appid_family) appears on a host (scrip_host) with this user, and

  • that host connects to another host (scrip_host)

Internal User Data Volume Anomaly

A user had an anomalously large volume of internal traffic compared to its typical volume or that of its peers. Investigate the user to determine if this is expected.

Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] XDR UBA (XTA0004)

  • Technique: XDR Bytes Anomaly (XT3001)

  • Tags: [Internal; User Behavior Analytics; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_bytes_sum.

Severity

20

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID
  • actual — actual traffic volume in the period
  • typical — typical traffic volume from the user
  • srcip_host — host name of corresponding source IP address
  • srcip_username — source user name
  • dstip_host — host name of corresponding destination IP address
  • dstip_reputation — destination reputation
  • dstip_geo.countryName — destination country
  • appid_name — application name

Use Case with Data Points

The total internal traffic volume of each user identified by user ID (scrip_usersid) is calculated periodically. If the volume in one period (actual) is much larger than its normal volume (typical), an alert is triggered.

The Interflow includes the source IP address (srcip_host), destination IP address (dstip_host), destination reputation (dstip_reputation), destination country (dstip_geo.countryName), and application of the traffic (appid_name).

Internal User Login Failure Anomaly

An anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or Microsoft Entra ID (formerly Azure Active Directory). Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006 )

  • Technique: Brute Force (T1110 )

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_login_fail.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address
  • service_id — source domain, workstation, organization, or service
  • dstip — destination IP address
  • dstip_host — destination host name
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
  • srcip_host — source host name
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes between internal IP addresses are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Alert Subtype: Source IP Based

The Source IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_srcip.

Alert Subtype: Destination IP Based

The Destination IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_dstip.

Alert Subtype: NTLM Events

The NTLM Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from NTLM events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_ntlm.

Alert Subtype: Kerberos Events

The Kerberos Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Kerberos events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_kerberos.

Alert Subtype: Windows Logon Events

The Windows Logon Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows Logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_win_logon.

Login Time Anomaly

A user logged in at an abnormal time. Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

This alert type reads the System Timezone in Global Settings and puts the timezone into the alert descriptions. (In Global Settings, set your timezone relative to UTC.)

When a Login Time Anomaly occurs, the timezone is bound to the alert description with the following priorities:

  • The timezone inferred from engid_gateway takes precedence over the DP timezone, but only when it is present. If engid_gateway is present, the description will use the timezone where the login actually happened.

  • If engid_gateway is not present, the DP timezone setting is used.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Time Anomaly (XT4005)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_login_time.

Severity

40

Key Fields and Relevant Data Points

  • srcip_usersid — key ID of the source user

    or

  • event_data.TargetUserName — name of the user (Windows event)
  • The key field for this alert type can be either srcip_usersid or event_data.TargetUserName, depending on the data feed.

  • srcip_username — source user name
  • srcip_host — host name of corresponding source IP address
  • srcip_geo.countryName — source country
  • actual_range — actual login time range
  • typical_range — typical login time range

Use Case with Data Points

Every user's (srcip_usersid) login time (actual) is compared to the typical login times (typical_range). If it is outside the range, an alert is triggered. The Interflow includes information such as the source user name (srcip_username), source host name (srcip_host), and source country (srcip_geo.countryName), as well as the destination host (dstip_host).

Long App Session Anomaly

An application had an anomalously long session compared to its typical session length or that of its peers. Investigate the application to see if this session was expected.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Session Anomaly (XT2005)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is long_session_anomaly.

Severity

30

Key Fields and Relevant Data Points

  • appid_name — application name
  • actual — actual maximum session length in the period
  • typical — typical session length from the application’s own history
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address

Use Case with Data Points

Every application's (appid_name) maximum session duration is calculated periodically. If an application’s maximum duration (actual) is much larger than its normal value (typical) or the typical value of other applications, an alert is triggered. The Interflow includes the source host (srcip_host) and destination host (dstip_host).

Malicious Site Access

A host accessed a URL with a reputation for potentially hosting malware. Check the URL and, if malicious, consider blocking it. Check the host for compromise.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Bad Reputation (XT2010)

  • Tags: [External; Network Traffic Analysis; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is mal_access.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that initiated the site access
  • srcip_host — source host name
  • url — URL that was accessed
  • url_reputation — reputation of the accessed URL

Use Case with Data Points

When a host (srcip) accesses a URL with a reputation (srcip_reputation) as potential malware hosting (MalAccess), an alert is triggered. The Interflow includes the source host IP address (srcip), the URL accessed (url), and the reputation of the URL (url_reputation).

Outbound Destination Country Anomaly

A host that typically communicates with a small, consistent number of countries communicated with a new country. Investigate the destination to see if it is benign.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Location Anomaly (XT2001)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is country_communication_anomaly.

Severity

20

Key Fields and Relevant Data Points

  • dstip_geo.countryName — name of the destination country
  • srcip — source IP address
  • dstip — destination IP address
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • appid_name — application name
  • stability — score measuring the time since the host communicated with the last new country
  • days_stable — time since the host communicated with the last new country
  • diversity — score measuring the number of countries with which the host communicated
  • child_count — number of countries with which the host communicated

Use Case with Data Points

Hosts (srcip_host) and destination countries (dstip_geo.countryName) are examined periodically. If a host (srcip_host) with a small number of destination countries (diversity, child_count) has not visited a new country for a long time (stability, days_stable) visits a host (dstip_host) in a new country with an application (appid_name), an alert is triggered.

Outbytes Anomaly

A source IP address transmitted an anomalously high amount of outbound traffic to one or multiple destination addresses in a 5 minute interval. This could indicate data exfiltration.

Firewall and non-firewall data do not contribute to the same alert, so this alert will have either entirely firewall data or no firewall data.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Exfiltration (TA0010 )

  • Technique: Automated Exfiltration (T1020 )

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is outbytes_anomaly.

Severity

35

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • actual — actual amount of outbound traffic in the period
  • typical — typical amount of outbound traffic from the source IP address
  • dstip_host — destination host name

Use Case with Data Points

Every source host's (srcip_host) transferred data volume is calculated periodically. If a host's volume (actual) is much higher than its normal volume (typical) in any period, an alert is triggered. The Interflow includes the destination host (dstip_host).

Phishing URL

A connection to a site with a phishing reputation was observed. Check with the user to determine whether their system is compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Initial Access (TA0001 )

  • Technique: Phishing (T1566 )

  • Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is phishing.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address of the connection to the phishing URL reputation site
  • dstip — destination IP address of the phishing URL reputation site
  • url — URL of the phishing site
  • dstip_host — destination host name
  • metadata.response.subject_alt_name — Subject Alternative Name of the phishing site
  • username — name of the visitor
  • dstip_geo.countryName — destination country
  • srcip_host — source host name

Use Case with Data Points

If a connection from a source (scrip) to a site with a phishing reputation is detected, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), URL of the site (url), destination country (dstip_geo.countryName), Subject Alternative Name of the site (metadata.response.subject_alt_name), and user name (username).

Possible Encrypted Phishing Site Visit

A possible phishing site visit to a recently registered domain was observed in encrypted traffic. Check with the user to determine whether their system is compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Initial Access (TA0001 )

  • Technique: Phishing (T1566 )

  • Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is encrypted_phishing_site.

Severity

30

Key Fields and Relevant Data Points

  • metadata.response.effective_tld — effective top-level domain of the possible phishing site
  • srcip — IP address of the visitor to the possible phishing site
  • dstip — IP address of the possible phishing site
  • srcip_host — source host name
  • dstip_host — destination host name
  • dstip_geo.countryName — destination country

Use Case with Data Points

If an encrypted connection to a recently registered site (metadata.response.effective_tld) is observed, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), destination country (dstip_geo.countryName), and effective top-level domain of the site (metadata.response.effective_tld).

Possible Phishing Site Visit from Email

A user visited a recently registered domain shortly after using email, indicating a possible phishing site visit. Check to see if the site is malicious. If so, check with the user to see if they are compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Initial Access (TA0001 )

  • Technique: Phishing (T1566 )

  • Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is email_recent_domain_correlation.

Severity

70

Key Fields and Relevant Data Points

  • recent_domain_id — ID that points to the original record of the recently registered domain visit
  • email_traffic_id — ID that points to the original record of email traffic
  • correlation_info.appid_name — application on the visited domain accessed by the user
  • correlation_info.srcip — IP address of the user
  • correlation_info.dstip — IP address of the recently registered domain (useful if the correlation_info.appid_name is not DNS)
  • correlation_info.dstip_host — recently registered domain that was visited (useful if the correlation_info.appid_name is not DNS)
  • correlation_info.metadata.response.query — recently registered domain name the victim queried in DNS traffic. This field is only useful if the correlation_info.appid_name is DNS.
  • correlation_info.metadata.response.resolved_ips — IP addresses of the recently registered domain name the victim queried in DNS traffic. This field is only useful if correlation_info.appid_name is DNS.

Use Case with Data Points

If a user (srcip) uses email (appid_name) and then either queries a recently registered (metadata.response.domain_creation) domain (metadata.response.query) or visits a recently registered (dstip_domain_creation) domain (dstip_host), an alert is triggered.

When an alert is triggered, a new correlation event is created. The Interflow includes the reference ID of the original record of the domain visit (recent_domain_id), the reference ID pointing to the original record of email traffic (email_traffic_id), the IP address of the user (correlation_info.srcip), the application involved in the recently registered site visit (correlation_info.appid_name), and the visited domain (correlation_info.dstip_host or correlation_info.metadata.response.query).

Logic Details of Possible Phishing Site Visit from Email

The timeframe of the alert type logic is as follows:

  • The rule operates in cycles, running every 2 hours.

  • During each run, it scans for email usage within the monitored traffic.

  • After an email action, if a DNS lookup action occurs within a 30-minute window from the same source IP address, an alert is generated.

The domain query and DNS lookups are as follows:

  • The domain creation date is queried from DNS traffic.

  • The data points concerning domain creation dates are gathered from fields in the DNS traffic, including dstip_domain_creation, metadata.response.domain_creation, and metadata.request.domain_creation.

  • The alert type logic considers a domain as recent if it has been created within the past 14 days.

The alert generation conditions are as follows:

  • The alert is triggered if, within a 30-minute window, for the same source IP address, there is first, an email action, then there is DNS traffic indicating a domain creation event in the past 14 days from the same source IP address as the email’s. (The rule runs every 2 hours, so this trigger could be delayed at most by 2 hours, but the two correlation events (email action and DNS traffic) need to happen within 30 minutes.)
  • This logic ensures all specified conditions are met before an alert is generated.

Note that even though the rule runs every 2 hours, the 30-minute time window can be seen as a sliding window without gaps. For example: the rule runs now as a new cycle, but an email action happened during the last run, say 2 hours and 10 minutes ago. If the corresponding recent domain creation event happens in this cycle, say 1 hour and 50 minutes ago, this will also trigger the alert.

Possible Unencrypted Phishing Site Visit

A possible phishing site visit to a recently registered domain was observed in unencrypted traffic. Check with the user to determine whether their system is compromised.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Initial Access (TA0001 )

  • Technique: Phishing (T1566 )

  • Tags: [Phishing; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is unencrypted_phishing_site.

Severity

30

Key Fields and Relevant Data Points

  • metadata.response.effective_tld — effective top-level domain of the possible phishing site
  • srcip — IP address of the visitor to the phishing site
  • dstip — IP address of the possible phishing site
  • srcip_host — source host name
  • dstip_host — destination host name
  • dstip_geo.countryName — destination country

Use Case with Data Points

If an unencrypted connection to a recently registered site (metadata.response.effective_tld) is detected, an alert is triggered. The Interflow includes the source IP address (srcip), source host (srcip_host), destination IP address (dstip), destination host (dstip_host), destination country (dstip_geo.countryName), and effective top-level domain of the site (metadata.response.effective_tld).

RDP Outbytes Anomaly

An internal host transferred an anomalously high amount of data to external host(s) through RDP. This could indicate data exfiltration. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Exfiltration (TA0010 )

  • Technique: Exfiltration Over Alternative Protocol (T1048 )

  • Tags: [RDP; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_outbytes_anomaly.

Severity

30

Key Fields and Relevant Data Points

  • dstip — destination IP address
  • dstip_host — destination host name
  • actual — actual amount of outbound traffic in the period
  • typical — typical amount of outbound traffic from the destination IP address
  • srcip_host — source IP address that initiates the RDP connection

Use Case with Data Points

Every destination host's (dstip) transferred data volume through RDP is calculated periodically. If a host's volume (actual) is much greater than normal (typical) in any period, an alert is triggered. A sample Interflow includes the destination host (dstip_host).

RDP Reverse Tunnel

An svchost hosting RDP termsvcs communicating with the loopback address on TCP port 3389 was observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Command and Control (TA0011 )

  • Technique: Protocol Tunneling (T1572 )

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_reverse_tunnel.

Severity

80

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.Image — process communicating with the loopback address

Use Case with Data Points

If an svchost hosting RDP termsvcs communicating with the loopback address is found on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address (hostip) and host name (hostip_host).

Recently Registered Domains

A DNS request was observed for a site that was registered less than 90 days ago. Check the domain. If suspicious, notify users.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR New Domain (XT2008)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is new_registered_domain.

Severity

50

Key Fields and Relevant Data Points

  • metadata.request.effective_tld — top-level domain name in the request
  • srcip_host — host name of corresponding source IP address
  • dstip_host — host name of corresponding destination IP address
  • metadata.response.domain_creation — domain creation time
  • metadata.response.effective_tld — top-level domain name in the response
  • metadata.response.resolved_ips — list of resolved IP addresses
  • actual — number of visits to the domain in the period
  • domain_creation — domain creation time
  • dns.question.registered_domain — highest registered domain
  • dns.question.name — domain name in request

Use Case with Data Points

If a domain has been registered within the last 90 days, an alert is triggered. A sample Interflow includes the domain name (metadata.request.effective_tld), source host (srcip_host), destination host (dstip_host), and domain creation time (metadata.response.domain_creation).

Scanner Reputation Anomaly

An anomalously large amount of connections were observed from an IP address with a reputation of being a scanner. Cross-check with the IP / Port Scan Anomaly alert, and check the links and content for possible spam or phishing.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Reconnaissance (TA0043 )

  • Technique: Active Scanning (T1595 )

  • Tags: [Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is scanner_rep.

Severity

20

Key Fields and Relevant Data Points

  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • srcip_geo.countryName — source country
  • actual — actual number of connections from this source in the period
  • typical — typical number of connections from this source in the period
  • dstip_host — host name of corresponding destination IP address

Use Case with Data Points

The number of connections from a source IP address (srcip_host) with a reputation as a scanner (srcip_reputation) is calculated every 5 minutes. If the number of connections (actual) is much greater than normal (typical), an alert is triggered. The Interflow includes information such as the source country (srcip_geo.countryName) and a destination (dstip_host).

Uncommon Application Anomaly

Private (internal assets) to public (Internet) traffic has revealed an application that has never been seen before (or been seen very rarely). Investigate that application and ensure that it is benign.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [External; Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is network_uncommon_app.

Severity

20

Key Fields and Relevant Data Points

  • appid_name — application name
  • days_silent — number of days since this application was last seen
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • srcip_geo.countryName — source country
  • dstip_host — host name of corresponding destination IP address
  • dstip_reputation — destination reputation
  • dstip_geo.countryName — destination country

Use Case with Data Points

If an application (appid) has never been observed by Stellar Cyber or been seen very rarely (days_silent), an alert is triggered. The Interflow includes the internal assets (srcip_host), source reputation (srcip_reputation), and source country (srcip_geo.countryName), and the destination host (dstip_host), destination reputation (dstip_reputation), and destination country (dstip_geo.countryName).

User Login Location Anomaly

A login to a user account occurred from a source IP address that is anomalously distant from the nearest location typically observed for logins to that user account.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to their amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Location Anomaly (XT2001)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_login_region.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the source user
  • distance_deviation — deviation in distance between two login locations (miles)
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • srcip_geo.countryName — source country name
  • srcip_geo.region — source region name
  • srcip_geo.city — source city name
  • login_type — type of login

Use Case with Data Points

Successful login events for certain login types (login_type) of a user (srcip_usersid) from a source host (srcip_host) and country location (srcip_geo.countryName are examined. If the detected login location is too far away (distance_deviation in miles) from that user's typical locations, an alert is triggered. The source host's reputation (srcip_reputation) is also checked. Map views of the Interflow include data points for the closest typical login locations for the user.

WAF Internal Attacker Anomaly

Internal web requests from a private IP address have been blocked/alerted by the Web Application Firewall (WAF). Investigate the source requester and ensure they are not compromised.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: [Internal] XDR NBA (XTA0002)

  • Technique: XDR WAF Anomaly (XT2009)

  • Tags: [Internal; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is waf_internal_attacker.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • action — status of web requests
  • event.severity_str — severity level of web requests
  • event.uri — URI of the web request
  • event.reason — attack type (signature name)

The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility.

List of F5 legacy fields Closed

F5 Field Purpose

Original Stellar Cyber
WAF Field Name

Standardized Stellar Cyber
WAF Field Name

Signature IDf5.sig_idsevent.sig_id
Signature namef5.sig_namesevent.reason
Staged signature IDf5.staged_sig_idsevent.staged_sig_id
Staged signature IDf5.staged_sig_namesevent.staged_sig_name
Violationf5.violationsevent.violations
Sub violationf5.sub_violationsevent.sub_violations
Threat campaignf5.threat_campaign_namesevent.threat_campaign_names
Request statusf5.request_statusaction
Severityf5.severityevent.severity_str
Attack typef5.attack_typethreat
Client IPsrcip

srcip
service.origin.ip

Client Portsrcport

srcport
service.origin.port

Service IPdstipdstip
service.target.ip
Service Portdstportdstport
service.target.port
Violation Detailsf5.violation_detailsevent.description
Telemetry Event Categoryf5.telemetryEventCategoryevent.telemetry_event_category
urlf5.urievent.uri
Web application namef5.web_application_nameevent.web_application_name

Use Case with Data Points

If web requests (f5.uri) from an internal IP address (srcip) to a web application (f5.web_application_name) have been blocked/alerted (f5.request_status) by the WAF, an alert is triggered. The Interflow includes the level of severity (f5.severity), the attack type (f5.attack_type), and the violation information (f5.violations), as well as signature name (f5.sig_names), staged signature name (f5.staged_sig_names), sub violation information (f5.sub_violations), and threat campaign name (f5.violation_details_xml.request-violations.violation.threat_campaign_data.threat_campaign_name), if applicable.

If web requests (event.uri) from an internal IP address ( srcip) to a web application (event.web_application_name) have been blocked/alerted (action) by the WAF, an alert is triggered. The Interflow includes the level of severity (event.severity_str), the attack type (threat), and the violation information (event.description), as well as signature name (event.reason). If applicable for the WAF type, the Interflow also includes staged signature name (event.staged_sig_id), sub violation information (event.sub_violations), and threat campaign name (event.threat_campaign.names).

Ingestion Types Supported for this Alert

  • F5 Big-IP Firewall

  • F5 Silverline WAF

  • Barracuda WAF

  • AWS CloudWatch WAF

WAF Rule Violation Anomaly

Web requests have been blocked/alerted by the Web Application Firewall (WAF) due to a surge in violations or violating a rule that is rarely invoked. Investigate the blocked/alerted web requests and ensure they are benign.

Refer to Log Parser Portsfor the most current list of WAF parsers.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Rule Violation (XT2004)

  • Tags: [External; Network Traffic Analysis]

Event Name

The xdr_event.name for this alert type in the Interflow data is waf_rule_violation.

Severity

50

Key Fields and Relevant Data Points

  • event.sig_id — signature ID
  • srcip — source IP address
  • srcip_host — host name of corresponding source IP address
  • event.severity_str — severity level of web requests
  • event.web_application_name — web application name
  • event.uri — URI of the web request
  • event.reason — signature name
  • actual — actual number of specific WAF violations in the period
  • typical — typical number of specific WAF violations in the period

The above fields are standardized to support a variety of WAFs. The original fields, listed below, remain in the F5 WAF Interflow record for backward compatibility.

List of F5 legacy fields Closed

F5 Field Purpose

Original Stellar Cyber
WAF Field Name

Standardized Stellar Cyber
WAF Field Name

Signature IDf5.sig_idsevent.sig_id
Signature namef5.sig_namesevent.reason
Staged signature IDf5.staged_sig_idsevent.staged_sig_id
Staged signature IDf5.staged_sig_namesevent.staged_sig_name
Violationf5.violationsevent.violations
Sub violationf5.sub_violationsevent.sub_violations
Threat campaignf5.threat_campaign_namesevent.threat_campaign_names
Request statusf5.request_statusaction
Severityf5.severityevent.severity_str
Attack typef5.attack_typethreat
Client IPsrcip

srcip
service.origin.ip

Client Portsrcport

srcport
service.origin.port

Service IPdstipdstip
service.target.ip
Service Portdstportdstport
service.target.port
Violation Detailsf5.violation_detailsevent.description
Telemetry Event Categoryf5.telemetryEventCategoryevent.telemetry_event_category
urlf5.urievent.uri
Web application namef5.web_application_nameevent.web_application_name

Use Case with Data Points

If web requests (event.uri) to a web application ( event.web_application_name) have been blocked/alerted (action) by the WAF due to violating certain rules, which include the level of severity (event.severity_str), the attack type (threat), and the violation information (event.violations). If the violations (actual) surge compared to the normal number of violations in a period (typical), an alert is triggered.

Ingestion Types Supported for this Alert

  • F5 Big-IP Firewall

  • F5 Silverline WAF

  • Barracuda WAF

  • AWS CloudWatch WAF