STA is a tool for analyzing network traffic and host-based activities. Using open-source services such as Suricata, it generates events and enriches them with other internal services.
To reduce the total cost of ownership of the STA, we have introduced a new insights service within the STA that automatically detects possible threats and security-related anomalies in your traffic.
Using the Coralogix Platform, configure alerts based on those insights and receive instant notifications if anomalies occur.
The following table contains a detailed list of the possible insights that can be detected by the
To reduce the chance of false positives, during the first three days the STA only learns the patterns seen in the traffic. After that it starts sending events about anomalies to Coralogix.
| Name | Description | Possible Attacks | Message | Sub Message |
|---|---|---|---|---|
| File Similarity Insight | changes to file paths that are very similar to others encountered recently | File-encryption-based ransomware | | |
| Connection To Suspiciously Looking Domain Name | connections to suspicious domains, scored with frequency-score algorithms | DGA activities | | |
| Connection to baby domains | connections to domains created less than 90 days ago | Phishing, C2C attacks | | |
| Connection to possible malicious IPs/Domains | connections to IPs/domains flagged as malicious by at least one DNSRBL | Phishing, C2C attacks | | |
| New top level domain | a newly encountered top-level domain | Phishing, C2C attacks | | |
| Connection with redirection to another domain | connection to a URL which redirects to another domain | Evasion techniques | | |
| DNS over TCP | detects DNS queries over TCP | download/upload payloads via DNS | | |
| Public IP echo requests | detects requests for the public IP using echo commands such as | Geographical identification | | |
| SSH/RDP new country connection | detects a connection using SSH/RDP from a new country | C2C attacks | | |
| Number of lateral connections in given time | detects more than 10 wide internal connections from one source in 10 minutes | Network scan/propagation | | |
| Number of NXDOMAIN responses in given time | detects more than 100 NXDOMAIN responses in 10 minutes | DGA activities | | |
| Connection to/from new country | detects a connection to/from a newly encountered country | C2C attacks, DGA activity | | |
| New FTP command | detects newly encountered FTP commands | File transfer anomalies | | |
| New HTTP method | detects a newly encountered HTTP method | Network anomalies, Log4Shell for example | | |
| SSH/RDP with new destination connection | detects a connection using SSH/RDP to a new destination | C2C attacks, DGA activity | | |
| New MySQL instance | detects a new MySQL instance creation query | Rogue server | | |
| New AWS outbound connection | detects a new AWS outbound connection | C2C attacks | | |
| New RDP cookie | detects a new RDP cookie | brute force attempt, lateral movement, network propagation/scanning, etc. | | |
| New software type | detects a new software type | Malicious executable software, C2C attacks | | |
| New software with reported CVEs | detects new software with reported CVEs | Execution of known exploited vulnerabilities | | |
| New MySQL command | detects a new MySQL command | C2C attacks, SQL injection | | |
| New tunnel type | detects a new tunnel type for traffic | C2C attack, man in the middle | | |
| Outbound connection from DB server | detects an outbound connection from a database server | C2C attack, data exfiltration | | |
| Outbound connection using services | detects connections/attempts via SMB, SSH, FTP, Kerberos, MySQL, LDAP | Data exfiltration, outbound scanning, etc. | | |
| Invalid certificate via TLS connection | detects a TLS connection with an invalid certificate | Man in the middle | | |
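To make the threshold- and baseline-style insights in the table concrete, here is an added example, written for this page and not STA or Coralogix code, that re-implements four of them over Suricata-style eve.json lines: the lateral-connection count (more than 10 internal destinations from one source in 10 minutes), the NXDOMAIN burst (more than 100 in 10 minutes), DNS over TCP, and "new HTTP method", with the three-day learning period during which nothing is reported. Field names follow Suricata's eve format (`event_type`, `timestamp`, `src_ip`, `dest_ip`, `proto`, `dns.rcode`, `http.http_method`); the class and function names and the sample records are assumptions constructed for the example.

```python
"""Added example (not STA code): four STA-style insights over eve.json lines."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
LEARNING_PERIOD = timedelta(days=3)
LATERAL_THRESHOLD = 10    # "more than 10 wide internal connections ... in 10 minutes"
NXDOMAIN_THRESHOLD = 100  # "more than 100 NXDOMAIN responses in 10 minutes"


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


class InsightDetector:
    def __init__(self, first_seen: datetime):
        self.learning_until = first_seen + LEARNING_PERIOD
        self.lateral = defaultdict(deque)   # src -> deque of (ts, internal dest)
        self.nxdomain = defaultdict(deque)  # src -> deque of (ts,)
        self.http_methods = set()           # baseline for "new HTTP method"
        self.fired = set()                  # alert keys already reported
        self.alerts = []

    def _alert(self, ts, kind, src, detail, key=None):
        # During the learning period anomalies are observed but not reported.
        key = key or (kind, src)
        if ts < self.learning_until or key in self.fired:
            return
        self.fired.add(key)
        self.alerts.append((kind, src, detail))

    @staticmethod
    def _trim(dq, now):
        # Drop entries that have fallen out of the sliding window.
        while dq and now - dq[0][0] > WINDOW:
            dq.popleft()

    def feed_line(self, line: str):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"])
        src, dst, etype = rec["src_ip"], rec["dest_ip"], rec["event_type"]
        if etype == "dns":
            if rec.get("proto", "").upper() == "TCP":
                self._alert(ts, "DNS over TCP", src, dst)
            if rec.get("dns", {}).get("rcode") == "NXDOMAIN":
                dq = self.nxdomain[src]
                dq.append((ts,))
                self._trim(dq, ts)
                if len(dq) > NXDOMAIN_THRESHOLD:
                    self._alert(ts, "NXDOMAIN burst", src, len(dq))
        elif etype == "flow" and is_internal(src) and is_internal(dst):
            dq = self.lateral[src]
            dq.append((ts, dst))
            self._trim(dq, ts)
            distinct = {d for _, d in dq}
            if len(distinct) > LATERAL_THRESHOLD:
                self._alert(ts, "Lateral connections", src, len(distinct))
        elif etype == "http":
            method = rec["http"]["http_method"]
            if method not in self.http_methods:
                self.http_methods.add(method)
                self._alert(ts, "New HTTP method", src, method,
                            key=("New HTTP method", method))


def build_sample():
    """Constructed eve.json lines: a learning phase on day 1, traffic on day 4."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=4)
    lines = []

    def add(ts, **fields):
        lines.append(json.dumps({"timestamp": ts.isoformat(), **fields}))

    for m in ("GET", "POST"):  # learning phase: only GET and POST are seen
        add(t0, event_type="http", src_ip="10.0.0.5", dest_ip="10.0.0.80",
            proto="TCP", http={"http_method": m})
    for i in range(12):        # 12 internal destinations within a minute
        add(t1 + timedelta(seconds=i), event_type="flow", src_ip="10.0.0.5",
            dest_ip=f"10.0.0.{10 + i}", proto="TCP")
    add(t1, event_type="flow", src_ip="10.0.0.5", dest_ip="8.8.8.8", proto="TCP")
    for i in range(6):         # 6 destinations, then 6 more after the window: no alert
        add(t1 + timedelta(seconds=i), event_type="flow", src_ip="10.0.0.9",
            dest_ip=f"10.0.1.{1 + i}", proto="TCP")
    for i in range(6):
        add(t1 + timedelta(minutes=11, seconds=i), event_type="flow",
            src_ip="10.0.0.9", dest_ip=f"10.0.1.{7 + i}", proto="TCP")
    for i in range(101):       # 101 NXDOMAIN answers in under two minutes
        add(t1 + timedelta(seconds=i), event_type="dns", src_ip="10.0.0.7",
            dest_ip="10.0.0.53", proto="UDP", dns={"rcode": "NXDOMAIN"})
    add(t1, event_type="dns", src_ip="10.0.0.8", dest_ip="10.0.0.53",
        proto="TCP", dns={"rcode": "NOERROR"})
    for m in ("GET", "PROPFIND"):  # a learned method, then an unseen one
        add(t1, event_type="http", src_ip="10.0.0.5", dest_ip="10.0.0.80",
            proto="TCP", http={"http_method": m})
    return lines


def run_sample():
    det = InsightDetector(first_seen=datetime(2024, 1, 1, tzinfo=timezone.utc))
    for line in build_sample():
        det.feed_line(line)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The outbound flow to 8.8.8.8 and the second batch from 10.0.0.9 show the two ways a lateral-connection count stays quiet: external destinations are not counted at all, and entries older than the window are evicted before the distinct-destination count is taken. The learning period suppresses reporting but still populates the HTTP-method baseline, so a method first seen on day 1 does not fire on day 4 while an unseen one does.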
After insight events are sent to Coralogix, you can find them under the
Explore section with subsystem name
To enable alerts from within Coralogix, navigate to the
Alerts section and set them accordingly. Find out more regarding alerts here.
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].