Quick Start Security for Pritunl

Pritunl

Coralogix Extension For Pritunl Includes:

Alerts - 5

Stay on top of Pritunl key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Multiple requests over remote connection ports from a single source

This alert detects multiple connection attempts over port 22/3389 from a single IP. This is a known attacker tactic and should be inspected thoroughly. The alert can also indicate a brute force attempt by a malicious actor against remote control ports. In rare cases this is legitimate activity, for example when an end user changes IP address and uses an automated script or application to perform some actions.
Impact: In case of a successful connection attempt, a malicious actor can gain access to sensitive machines and services.
Mitigation: Check how many connection attempts there were. Check for any successful connection attempts. A successful attempt might indicate an attacker took control of a machine, so it is advised to investigate the machine itself as well. If needed, block the relevant IP address in the AWS firewall.
MITRE Tactic: TA0001. MITRE Technique: T1133.

Potential port scanning detected

Potential port scanning detected. Port scanning can provide malicious actors with information such as the running OS, application versions and more.
Impact: Provides malicious actors with useful information to plan their attack vector.
Mitigation: Check if the traffic was blocked. If needed, block the relevant IP address in the AWS firewall. If needed, further investigate according to company policies.
MITRE Tactic: TA0043. MITRE Technique: T1595.

ICMP requests from single source to multiple destinations

This alert triggers once a single source IP has multiple ICMP requests to different destination IPs. ICMP is mainly used for ping requests, but it can be used by malicious actors to scan the organization's assets in order to gather information and plan their attack vector.
Impact: Can provide malicious actors with the information needed to plan their attack.
Mitigation: Check the source IP for any malicious indicators using the Threat Hunting actions. If needed, block the source IP in the organization's firewalls. In case of an internal IP, if needed, further investigate according to company policy.

DNS request over a non standard port

This alert detects DNS-related traffic over any protocol other than UDP/DNS. DNS traffic over any protocol other than UDP/DNS can indicate malicious activity such as DNS tunneling for data theft.
Impact: In case of a DNS tunneling attack there is a risk of exfiltration of data or confidential information.
Mitigation: Check whether the destination address is associated with any known malicious activity. If needed, run a full scan on the machine with the available EDR/AV solutions to make sure there is no malicious software running on it. If needed, further investigate according to company policies.
MITRE Tactic: TA0010. MITRE Technique: T1048.

No logs from Pritunl

This rule detects if there have been no logs for Pritunl in the customer account in the last 24 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005. MITRE Technique: T1562.
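As an added example, not part of the Coralogix extension or of Pritunl, the five alert conditions above expressed as a small Python evaluator over constructed flow records. The record fields, the "service" label used to recognise DNS traffic, and the thresholds are assumptions made for the illustration.

```python
# Added example: toy versions of the five Pritunl alert conditions described
# above, run over constructed flow records. Field names, the "service" label
# and the thresholds are assumptions, not the extension's real rule definitions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, src_ip, dst_ip, proto, dst_port, service)
FLOWS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "10.0.0.5", "tcp", 22, "ssh"),
    ("2024-05-01T10:00:01", "203.0.113.7", "10.0.0.5", "tcp", 22, "ssh"),
    ("2024-05-01T10:00:02", "203.0.113.7", "10.0.0.6", "tcp", 3389, "rdp"),
    ("2024-05-01T10:00:03", "203.0.113.7", "10.0.0.6", "tcp", 3389, "rdp"),
    ("2024-05-01T10:01:00", "198.51.100.9", "10.0.0.7", "tcp", 80, "http"),
    ("2024-05-01T10:01:01", "198.51.100.9", "10.0.0.7", "tcp", 443, "https"),
    ("2024-05-01T10:01:02", "198.51.100.9", "10.0.0.7", "tcp", 8080, "http"),
    ("2024-05-01T10:01:03", "198.51.100.9", "10.0.0.7", "tcp", 8443, "https"),
    ("2024-05-01T10:02:00", "10.0.0.20", "10.0.0.1", "icmp", 0, "icmp"),
    ("2024-05-01T10:02:01", "10.0.0.20", "10.0.0.2", "icmp", 0, "icmp"),
    ("2024-05-01T10:02:02", "10.0.0.20", "10.0.0.3", "icmp", 0, "icmp"),
    ("2024-05-01T10:03:00", "10.0.0.30", "192.0.2.53", "tcp", 5353, "dns"),
    ("2024-05-01T10:03:01", "10.0.0.31", "10.0.0.2", "udp", 53, "dns"),
]

def evaluate(flows, now_iso, remote_min=3, scan_min=4, icmp_min=3):
    """Return alert name -> offending sources (or a flag for the no-logs rule)."""
    remote, ports, icmp_dsts, dns_bad = (defaultdict(int), defaultdict(set),
                                        defaultdict(set), [])
    for ts, src, dst, proto, port, service in flows:
        if proto == "tcp" and port in (22, 3389):   # remote control ports
            remote[src] += 1
        ports[src].add(port)                         # distinct ports per source
        if proto == "icmp":
            icmp_dsts[src].add(dst)                  # distinct ICMP targets
        if service == "dns" and not (proto == "udp" and port == 53):
            dns_bad.append((src, dst, proto, port))  # DNS not over UDP/53
    last_seen = max(datetime.fromisoformat(f[0]) for f in flows)
    return {
        "remote_ports_multi_requests": sorted(s for s, n in remote.items() if n >= remote_min),
        "potential_port_scan": sorted(s for s, p in ports.items() if len(p) >= scan_min),
        "icmp_multi_destination": sorted(s for s, d in icmp_dsts.items() if len(d) >= icmp_min),
        "dns_non_standard_port": dns_bad,
        "no_logs_24h": datetime.fromisoformat(now_iso) - last_seen > timedelta(hours=24),
    }

if __name__ == "__main__":
    for name, hits in evaluate(FLOWS, "2024-05-03T00:00:00").items():
        print(f"{name}: {hits}")
```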

Integration

Learn more about Coralogix's out-of-the-box integration with Pritunl in our documentation.
