Insights Detection

Last Updated: Nov. 11, 2023

STA is a tool for analyzing network traffic and host-based activities. It uses open-source services such as Zeek and Suricata and enriches the events they produce with other internal services.

To reduce the total cost of ownership of the STA, we have introduced a new insights service within the STA that automatically detects possible threats and security-related anomalies in your traffic.

Using the Coralogix Platform, configure alerts based on those insights and receive instant notifications if anomalies occur.

Insights Overview

The following table contains a detailed list of the possible insights that can be reported in sta-insights events.

Note:

To reduce the chance of false positives, during the first three days the STA only learns the patterns seen in the traffic. After that, it starts sending events about anomalies to Coralogix.
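The learn-then-alert behaviour described in this note, sketched as an added example (this is not the STA's own code): a per-field baseline that records every value it sees but reports a new value only once the three-day learning period has passed. The class, the field names and the sample events are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=3)  # learning-only period stated in the note


class NoveltyBaseline:
    """Per-field 'first seen' baseline that stays silent while learning."""

    def __init__(self, started, learning_period=LEARNING_PERIOD):
        self.alert_from = started + learning_period
        self.known = defaultdict(set)   # field name -> values seen so far

    def observe(self, ts, field, value):
        """Record the value; return True only for a new value after learning."""
        is_new = value not in self.known[field]
        self.known[field].add(value)    # always learn, so a value alerts once
        return is_new and ts >= self.alert_from


def new_value_alerts(events, started):
    """events: (ts, field, value) tuples. Returns the (field, value) alerts."""
    baseline = NoveltyBaseline(started)
    return [(f, v) for ts, f, v in events if baseline.observe(ts, f, v)]


# Constructed sample events (field names are illustrative, not the STA schema).
T0 = datetime(2023, 11, 1)
SAMPLE = [
    (T0 + timedelta(hours=1), "http_method", "GET"),
    (T0 + timedelta(hours=2), "ftp_command", "RETR"),
    (T0 + timedelta(days=2, hours=23), "http_method", "PUT"),      # learning
    (T0 + timedelta(days=3, hours=1), "http_method", "GET"),       # known
    (T0 + timedelta(days=3, hours=2), "http_method", "PROPFIND"),  # alert
    (T0 + timedelta(days=3, hours=3), "http_method", "PROPFIND"),  # repeat
    (T0 + timedelta(days=4), "ftp_command", "SITE"),               # alert
]

if __name__ == "__main__":
    for field, value in new_value_alerts(SAMPLE, started=T0):
        print(f"new {field}: {value}")
```

Anything that shows up during the learning period, including `PUT` two days and 23 hours in, becomes part of the baseline and never alerts afterwards, so traffic that is already hostile when the sensor starts will be learned as normal.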

Types of Insights

| Name | Description | Possible Attacks | Message | Sub Message |
|---|---|---|---|---|
| File Similarity Insight | changes to file paths that are very similar to others encountered recently | File encryption based Ransomware | `"Detected changes to file paths very similar to others seen recently <hamming_distance>"` | `AnomalousSimhash::Document_Similarity_insight` |
| Connection To Suspiciously Looking Domain Name | connections to suspicious domains, using frequency score algorithms | DGA activities | `Detected connection to suspiciously looking domain name <value>` | `AnomalousDomain-stats::Connection_to_suspiciously_looking_domain_name_insight` |
| Connection to baby domains | connections to domains that were created less than 90 days ago | Phishing, C2C attacks | `Detected baby domain <value> connection` | `AnomalousDomain-stats::Baby-domain-connection_insight` |
| Connection to possible malicious IPs/Domains | connection to IPs/Domains which were flagged as malicious by at least one DNSRBL | Phishing, C2C attacks | `Detected connection to IPs/Domains flagged as malicious by at least one DNSRBL` | `AnomalousDNSRBL::Malicious_domain_ip_insight` |
| New top level domain | encountered a new top level domain | Phishing, C2C attacks | `Detected new top_level_domain <value>` | `AnomalousTLD::New_TLD_Insight` |
| Connection with redirection to another domain | connection to URL which redirects to another domain | Evasion techniques | `Detected connection to URL redirecting to another domain <value> redirected to <redirected_value>` | `AnomalousUnsortenURL::url_redirecting_to_another_domain_insight` |
| DNS over TCP | detects DNS queries over TCP | download/upload payloads via DNS | `Detected dns over tcp` | `AnomalousDns::Dns_over_tcp_insight` |
| Public IP echo requests | detects requests for public IP using echo commands such as ifconfig.me | Geographical identification | `Detected Request for public IP echo <command>` | `AnomalousRdp::New_Rdp_cookie_insight` |
| SSH/RDP new country connection | detects connection using SSH/RDP from a new country | C2C attacks | `Detected ssh/rdp connection to new country <name> for ip <value>` | `AnomalousNewCountryConnection::SSH_RDP_New_Country_Conn_Insight` |
| Number of lateral connections in given time | detects more than 10 wide internal connections from one source in 10 minutes | Network scan/propagation | `Detected more than <number> lateral connections in <time_in_minutes> <machine_tag_name>` | `AnomalousConn::10_lateral_connections_in_10min_insight` |
| Number of NXDOMAIN responses in given time | detects more than 100 NXDOMAIN responses in 10 minutes | DGA activities | `Detected more than 100 NXDOMAIN responses in 10min` | `AnomalousNXDOMAIN::100_NXDOMAIN_responses_in_10min_insight` |
| Connection to/from new country | detects connection to/from a newly encountered country | C2C attacks, DGA activity | `Detected connection to/from new country <name> for ip <value>` | `AnomalousGeo::New_country_insight` |
| New FTP command | detects newly encountered FTP commands | File transfer anomalies | `Detected new ftp command <command>` | `AnomalousFtp::New_Ftp_command_insight` |
| New HTTP method | detects newly encountered HTTP method | Network anomalies, Log4Shell for example | `Detected new http method <name>` | `AnomalousHttp::New_HTTP_method_insight` |
| SSH/RDP with new destination connection | detects connection using SSH/RDP to a new destination | C2C attacks, DGA activity | `Detected ssh/rdp connection to new destination <dest_host,tag_name> for ip <value>` | `AnomalousNewCountryConnection::SSH_RDP_New_Destination_Conn_Insight` |
| New MySQL instance | detects new MySQL instance creation query | Rogue server | `Detected New MySQL query <source_ip_tag_name>` | `AnomalousMySQL::New_MySQL_query_insight` |
| New AWS outbound connection | detects new AWS outbound connection | C2C attacks | `Detected new outbound connection <orig_host,tag_name>` | `AnomalousConn::New_AWS_outbound_connection_insight` |
| New RDP cookie | detects new RDP cookie | brute force attempt, lateral movement, network propagation/scanning, etc. | `Detected new rdp cookie <cookie>` | `AnomalousRdp::New_Rdp_cookie_insight` |
| New software type | detects new software type | Malicious executable software, C2C attacks | `Detected new software type <type>` | `AnomalousSoftware::New_Software_type_insight` |
| New software with reported CVEs | detects new software with reported CVEs | Execution of known Exploited Vulnerabilities | `Detected connection to new software <name> <version> with CVEs <values>` | `AnomalousNIST::New_software_with_CVEs_insight` |
| New MySQL command | detects new MySQL command | C2C attacks, SQL injection | `Detected new MySql command <command>` | `AnomalousMySql::New_MySql_command_insight` |
| New tunnel type | detects new tunnel type for traffic | C2C attack, man in the middle | `Detected new tunnel type <type>` | `AnomalousTunnel::New_Tunnel_type_insight` |
| Outbound connection from DB server | detects outbound connection from database server | C2C attack, data exfiltration | `Detected outbound connection from DB <name> server on port <port>` | `AnomalousSatatsInfo::outbound_connection_from_DB_server_insight` |
| Outbound connection using services | detects connections/attempts via SMB, SSH, FTP, Kerberos, MySQL, LDAP | Data exfiltration, outbound scanning, etc. | `Detected outbound connection to service <name>` | `AnomalousConn::outbound_<service>_connection_insight` |
| Invalid certification via TLS connection | detects TLS connection with invalid certification | Man in the middle | `Detected TSL connection with invalid certification` | `AnomalousConn::TSL_connection_with_invalid_certification_insight` |
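The threshold-in-a-window rows above (more than 10 lateral connections, or more than 100 NXDOMAIN responses, in 10 minutes) follow one pattern, shown here for the lateral connections row as an added example that is not the STA's implementation. It assumes that "wide" means distinct internal destinations and that "internal" means a private address range; the function names and sample connections are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
LIMIT = 10  # the table row alerts on MORE than 10


def is_internal(ip):
    """Assumption: 'internal' means a private (e.g. RFC 1918) address."""
    return ipaddress.ip_address(ip).is_private


def lateral_alerts(conns, limit=LIMIT, window=WINDOW):
    """conns: time-ordered (ts, src, dst). Returns [(ts, src, n_dests)]."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    alerting = set()              # sources currently over the limit
    alerts = []
    for ts, src, dst in conns:
        if not (is_internal(src) and is_internal(dst)):
            continue              # only internal-to-internal traffic counts
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # expire entries older than the window
        dests = {d for _, d in q}
        if len(dests) <= limit:
            alerting.discard(src)
        elif src not in alerting: # one alert per burst, not per connection
            alerting.add(src)
            alerts.append((ts, src, len(dests)))
    return alerts


# Constructed sample: a fast sweep, a slow sweep, and repeated external traffic.
T0 = datetime(2023, 11, 5, 9, 0)
SAMPLE = sorted(
    [(T0 + timedelta(seconds=30 * i), "10.0.0.5", f"10.0.1.{i + 1}") for i in range(12)]
    + [(T0 + timedelta(minutes=2 * i), "10.0.0.9", f"10.0.2.{i + 1}") for i in range(11)]
    + [(T0 + timedelta(seconds=i), "10.0.0.7", "8.8.8.8") for i in range(20)],
    key=lambda c: c[0],
)

if __name__ == "__main__":
    for ts, src, n in lateral_alerts(SAMPLE):
        print(f"{ts} {src} reached {n} internal hosts within 10 minutes")
```

Only `10.0.0.5` alerts: `10.0.0.9` touches 11 hosts as well, but at one every two minutes it never has more than six in any 10-minute window, which is the trade-off a fixed window and limit make against slow scans.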

Handle Insights

After insight events are sent to Coralogix, you can find them under the Explore section with subsystem name sta_insight.

Example – New Country Connection Insight


To enable alerts from within Coralogix, navigate to the Alerts section and set them accordingly. Find out more regarding alerts here.

Support

Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].
