
Quick Start Security for Snowbit STA

Snowbit STA

Out-of-the-Box Security For Snowbit STA Includes:

Dashboards - 40

Gain instantaneous visualization of all your Snowbit STA data.

Size - Logs size by type and source/dest IPs
Help Dashboard
Zeek - HTTP Dashboard
Zeek - SSL/TLS Dashboard
Zeek - SSH Dashboard
Zeek - Notices Dashboard
Zeek - Weird Dashboard
Zeek - Connections Dashboard
Zeek - SIP Dashboard
Zeek - SMTP Dashboard
Zeek - SMB Dashboard
Zeek - SNMP Dashboard
Zeek - Software Dashboard
Zeek - Syslog Dashboard
Zeek - Tunnels Dashboard
Zeek - FTP Dashboard
Zeek - Files Dashboard
Zeek - DCE/RPC Dashboard
Zeek - IRC Dashboard
Zeek - Kerberos Dashboard
Zeek - MySQL Dashboard
Zeek - X.509 Dashboard
Zeek - NTLM Dashboard
Zeek - DHCP Dashboard
Zeek - PE Dashboard
Zeek - RADIUS Dashboard
Zeek - RDP Dashboard
Zeek - RFB Dashboard
Zeek - DNS Dashboard
Frequency Analysis Dashboard
Baby Domains Dashboard
NIDS
Wazuh Agent Status Dashboard
Wazuh - Alerts Dashboard
Overview - Health
Connections - Top Source IPs
Wazuh FIM Dashboard
Connections - Total Bytes
Wazuh - Vulnerability
STA - Status

Alerts - 168

Stay on top of Snowbit STA key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

STA - Health Status - No Logs From STA Tools

This alert indicates that no logs were seen from any of the connected STAs to this Coralogix account in the past 10 minutes. If this is not expected, check the status of the STAs deployed.

STA - Health Status - No Connection Logs From STA Tools

This alert indicates that no network connections were seen by the STA. This usually indicates that the mirroring configuration is not properly set. If this is not expected, check the mirroring configuration of the STAs deployed.

STA - Health Status - No DNS Logs From STA Tools

This alert indicates that no DNS connections were seen by the STA. If your mirroring configuration does not block DNS traffic, check the mirroring configuration and the status of the deployed STAs.

STA - Building Block - C2 Connectivity - Too Many Unique Dns Queries Per Domain Name

Often, malicious tools use a domain name as a C2 (Command & Control) communication channel. One such method is to send commands encoded as a Base64 string that is prepended to a domain name whose authoritative DNS server is under the attacker's control (e.g. 'bHM=.mydomain.com'). Every DNS server on the path will forward that request to the attacker's server, which can respond with commands to run. Such attempts result in a high number of unique queries for that domain. If this alert fires, it is recommended to inspect the data that was transmitted to the domain in question to understand the amount and type of data sent and whether the intent was malicious. If the domain mentioned is your own domain, you can exclude it using the security.highest_registered_domain field to reduce false positives.

STA - Building Block - C2 Connectivity - Unusual TOR Activity

Connection attempts from TOR network (https://en.wikipedia.org/wiki/Tor_(network)) nodes to publicly accessible servers are unfortunately common. This alert fires only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs involved (which connections from/to the organization involved them, what data was sent to or received from them) and, if possible, to block them at the gateway for several hours (IPs can change if they are DHCP-based or behind NAT).

STA - Building Block - Discovery - Unusual Connections Rate From Blacklisted IPs

Connection attempts from blacklisted IPs to publicly accessible servers are unfortunately common. This alert fires only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs involved and, if possible, to block them at the gateway for several hours (IPs can change if they are DHCP-based or behind NAT).

STA - Building Block - Reconnaissance - Unusual Reconnaissance Activity Detected

Reconnaissance attempts on publicly accessible servers are unfortunately common. This alert fires only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs used (which connections from/to the organization involved them, what data was sent to or received from them) and, if possible, to block them at the gateway for several hours (IPs can change if they are DHCP-based or behind NAT).

STA - Building Block - DNS Exfiltration/C2 Connectivity - DNS Activity on TCP Detected

DNS requests should always be transmitted over UDP. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can be an indication of malicious activity. If this alert fires, it is recommended to inspect the data that was transmitted or received in those DNS calls over TCP. It is also recommended to inspect the processes and machines involved in those queries by using audit logs from these machines.

STA - Health Status - S3 Config Bucket Inaccessible for write requests

This alert indicates that the STA could not upload files to its configuration S3 bucket. This is required for the VPC mirroring sessions auto-handler to work properly.

STA - Health Status - Services on the STA cannot reach the Internet to public enrichment services

This alert indicates that the STA could not connect to public enrichment services.

STA - Building Block - Reconnaissance - Zeek Notice Detected

This alert will fire whenever Zeek detected an issue. The correct course of action will vary depending on the event details. See more here: https://docs.zeek.org/en/master/frameworks/notice.html

STA - DNS Exfiltration/C2 Connectivity - DNS anomaly Detected

Because DNS is a protocol that effectively connects instances to the Internet (directly or indirectly), it is usually allowed in most environments and is therefore used by attackers to exfiltrate data to an outbound server or to download a malicious payload from such a server. This alert fires if the number of packets sent to or received from an outbound server exceeds a certain threshold. This alert also fires if the query sent to a public server is extremely long, which may indicate an attempt to exfiltrate data.

STA - Building Block - Lateral Movement - Unrecognized Software

This alert fires when potentially disallowed software has been detected in your organization. It is recommended that the list below be periodically updated with all, and only, the software types permitted in the organization. If this alert fires, either add the detected software type to the list if it is permitted, or investigate the relevant Zeek PE/Files logs as well as audit logs from the hosts that used the software in question to understand how and when this software was installed, what it was designed to do, and what types of data were sent to or received from the network.

STA - Building Block - Resource Development - Access to a Baby Domain Was Detected

Domains that are "younger" than three months are often used in attack campaigns. If this alert fires, it is recommended to inspect the data that was sent to that domain as well as the processes and files involved in the connection to those domains to better understand the purpose for which they were contacted.

STA - Building Block - C2 Connectivity - Unusual High Volume of DNS Requests Returned NXDOMAIN

A high number of NXDOMAIN responses from DNS servers is often an indication of DGA (Domain Generation Algorithm) activity. If this alert fires, it is recommended to investigate further the source hosts, processes and files involved in attempting to connect to the domains which resulted in an NXDOMAIN response. Links for more information: https://en.wikipedia.org/wiki/Domain_generation_algorithm, https://beta.darkreading.com/attacks-breaches/monitor-dns-traffic-you-just-might-catch-a-rat
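The C2-over-DNS, DNS-over-TCP, long-query and NXDOMAIN/DGA patterns described above can be checked directly against Zeek dns.log data. The following is an added example (not Coralogix or STA code) that parses constructed dns.log-style TSV lines and applies those four checks; the thresholds, the two-label approximation of security.highest_registered_domain, and all hosts and domains are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample in the Zeek dns.log TSV layout (abbreviated field set; a
# real dns.log carries more columns). Hosts, domains and timestamps are made up.
SAMPLE_DNS_LOG = [
    "#fields\tts\tid.orig_h\tid.resp_h\tproto\tquery\trcode_name",
    "1700000000.1\t10.0.0.5\t10.0.0.53\tudp\twww.example.com\tNOERROR",
    "1700000001.2\t10.0.0.5\t10.0.0.53\tudp\tmail.example.com\tNOERROR",
    "1700000002.3\t10.0.0.5\t10.0.0.53\tudp\twwww.examplee.com\tNXDOMAIN",
    # DNS over TCP to an external resolver (zone transfer / bulk data pattern)
    "1700000003.4\t10.0.0.9\t203.0.113.10\ttcp\tzone.example.com\tNOERROR",
    # One very long label, as in an exfiltration attempt
    "1700000004.5\t10.0.0.9\t10.0.0.53\tudp\t" + "a" * 120 + ".exfil-placeholder.test\tNOERROR",
]
# Commands Base64-encoded into the left-most label of one attacker-controlled
# domain (the 'bHM=.mydomain.com' pattern): many unique queries, one domain.
for i in range(25):
    label = base64.b64encode(f"ls -la /tmp/{i}".encode()).decode()
    SAMPLE_DNS_LOG.append(
        f"17000001{i:02d}.0\t10.0.0.7\t10.0.0.53\tudp\t{label}.c2-placeholder.test\tNOERROR")
# DGA-style lookups: random-looking names that all come back NXDOMAIN.
for i in range(12):
    SAMPLE_DNS_LOG.append(
        f"17000002{i:02d}.0\t10.0.0.7\t10.0.0.53\tudp\tq{i}zkt9vbe.com\tNXDOMAIN")


def parse_zeek_tsv(lines):
    """Parse Zeek TSV log lines into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def registered_domain(query):
    """Assumption: approximate the highest registered domain by the last two
    labels. A production implementation should use the Public Suffix List."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def unique_queries_per_domain(records, threshold=20, exclude=()):
    """Domains with more than `threshold` distinct query names (encoded C2).
    `exclude` lists your own registered domains, mirroring the
    security.highest_registered_domain exclusion described in the alert."""
    seen = defaultdict(set)
    for r in records:
        seen[registered_domain(r["query"])].add(r["query"])
    return {d: len(q) for d, q in seen.items()
            if len(q) > threshold and d not in exclude}


def nxdomain_by_source(records, threshold=10):
    """Source hosts with more than `threshold` NXDOMAIN answers (DGA pattern)."""
    counts = defaultdict(int)
    for r in records:
        if r["rcode_name"] == "NXDOMAIN":
            counts[r["id.orig_h"]] += 1
    return {h: c for h, c in counts.items() if c > threshold}


def dns_over_tcp(records):
    """(source, resolver, query) for every DNS exchange carried over TCP."""
    return [(r["id.orig_h"], r["id.resp_h"], r["query"])
            for r in records if r["proto"] == "tcp"]


def long_queries(records, max_len=100):
    """Query names longer than `max_len` characters (assumed threshold)."""
    return [r["query"] for r in records if len(r["query"]) > max_len]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_DNS_LOG)
    print("unique queries per domain:", unique_queries_per_domain(recs))
    print("NXDOMAIN by source:", nxdomain_by_source(recs))
    print("DNS over TCP:", dns_over_tcp(recs))
    print("long queries:", [q[:30] + "..." for q in long_queries(recs)])
```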

STA - Building Block - Initial Access - Unusual Administrator Logins

An unusual number of administrative logins (using NTLM) is often an indication of lateral movement. If this alert fires, it is recommended to inspect the related audit logs of the relevant machines to better understand which actions were performed by these administrative login sessions and whether these actions should be permitted in your organization.

STA - Privilege Escalation - Trojan Activity Detected

This alert fires whenever Suricata detects trojan activity. If this alert fires, it is recommended to extract the suspected file from the traffic (e.g. by carving it from the pcap file using tools such as http://sourceforge.net/projects/networkminer/) and examine it using tools such as VirusTotal (https://www.virustotal.com/gui/) and Cuckoo Sandbox (https://malwr.ee). It is also recommended to inspect Zeek's PE and Files logs regarding this file to understand where the file is, how it is being transmitted and what it was designed to do.

STA - Discovery - Source IP Is Suspected

This alert fires whenever a source IP was found to be potentially malicious.

STA - Discovery - Destination IP is Suspected

This alert fires whenever a destination IP was found to be potentially malicious based on Coralogix security enrichment.

STA - Lateral Movement - New Software with CVE Detected

The US National Cyber Security Division of the US Department of Homeland Security maintains a list of common vulnerabilities and exposures (a.k.a. CVE) in software and hardware products. These are available on the MITRE corporation's website here: https://cve.mitre.org/ and in the National Vulnerability Database here: https://nvd.nist.gov/. Zeek software information is enriched with the CVE data from the NVD. This alert fires if software that wasn't seen in the previous 3 months and that has a known CVE has been detected in the network. If this alert fires, it is recommended to read about the relevant CVEs and either decide not to use that software and uninstall it, or find a suitable mitigation plan for these vulnerabilities in the organization.

STA - Collection - NIDS alert detected

This alert will fire whenever Suricata detects an issue. The correct course of action will vary depending on the event details. See more here about Suricata alert categories: https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

STA - Initial Access - Potentially Corporate Privacy Violation To/From a New Domain

This alert fires when Suricata detects traffic that potentially violates corporate policy (e.g. BitTorrent activity) to/from a domain for the first time in the last 1 month. It is recommended to inspect the domain in question and verify that it is needed by the organization; if not, inspect the connections from and to that domain (e.g. with WHOIS or VirusTotal queries).

STA - Resource Development - Potentially Bad Traffic To/From a New Domain

This alert fires when Suricata detects potentially bad traffic (e.g. directory listing output from a web server, DNS queries for suspicious TLDs) on a domain for the first time in the last 1 month. It is recommended to inspect the domain in question and verify that it is needed by the organization; if not, inspect the connections from and to that domain (e.g. with WHOIS or VirusTotal queries).

STA - Initial Access - New Service Offered by an Internal Host

This alert fires whenever a local IP has offered an external IP a service that was not seen in the past 3 months. If this alert fires, it is recommended either to exclude the service from the alert's query, if it is a service that is expected to be used by external clients, or to inspect the process that handled the offered service by using audit logs from the local server as well as Zeek PE and Zeek Files logs to understand how that service was installed, and to use the actual packets to understand what types of data were exchanged using that service.

STA - Defense Evasion - New Destination Country

This alert fires whenever a local IP has connected to a country that hasn't been seen as a destination country in the past three months. If this alert fires, it is recommended to analyze the connections to the detected country by using Zeek's conn logs and/or Suricata's flow logs and related logs to understand what types of connections were observed, what types of data were transferred, in which direction and by which service, and then to contact the relevant service owners to understand whether this connection is expected.

STA - C2 Connectivity - New DCE/RPC Endpoint

The DCE/RPC protocol is a complex protocol mostly used by Microsoft Windows environment services such as Active Directory and SMB-based disk mappings or connections between computers. Basically, a client using this protocol first contacts an endpoint mapper on a single port (usually 135/tcp) and indicates, using a special field, the requested service. The endpoint mapper then assigns a port for the connection to the final endpoint on the host. This alert fires when a new DCE/RPC endpoint (service) that wasn't seen on the network in the past three months has been contacted. It is recommended to investigate, by using Zeek dce_rpc logs and possibly audit logs, to locate the machine and process that host the new DCE/RPC endpoint, determine whether it is necessary and, if it is, make sure it is properly secured.

STA - Collection - New DHCP Server Detected

DHCP servers are responsible for assigning addresses to hosts on the network. As such, they must be synchronized, either manually or automatically, to make sure that all clients get unique addresses. Failing to properly synchronize a new DHCP server could result in a rogue DHCP server and can potentially lead to a situation in which the entire network is non-operational. Also, depending on the exact use case, a similar attack can allow an attacker to become a man-in-the-middle (by modifying the gateway address or the name server in the DHCP responses) or to install malicious software on multiple workstations and servers (by modifying the TFTP server address in the DHCP responses). This alert fires when an IP address was used as a DHCP server although it wasn't used as a DHCP server in the past three months.

STA - Exfiltration - New File MIME Type Detected

MIME is a standard originally developed for transferring files over SMTP (email) but today it is also used by other protocols (such as HTTP) to indicate the type of the file being transmitted. This alert fires if a file of a type that wasn't seen in the past three months has been received or downloaded from outside the network and was seen by Zeek. If this alert fires, it is recommended to search for the file's hash in services such as VirusTotal or Malwr to see if it has been reported there and, if possible, to find the file either on the host that ran it (by using the hash mentioned in the event) or on the network by extracting it from the pcap file, and then to run it in a safe environment and scan it using the aforementioned services.

STA - Exfiltration - FTP Session with Addresses Outside the Organization

The FTP protocol, although originally designed to be the main protocol for transferring files over the Internet (or any network), is rarely used for that purpose nowadays. It is still sometimes used for software updates by some services, but even those are becoming less and less common. This alert fires if Zeek detects an FTP connection to or from an external IP to or from the organization. If this alert fires, it is highly recommended to check the file that was transmitted via Zeek Files logs and Zeek PE logs (if it's an executable file), if possible to search for information about it in services such as VirusTotal and Malwr, and, by using audit logs, to determine the process that initiated the connection or responded to it, to which other computers this file was also sent, and what it was designed to do.

STA - C2 Connectivity - New FTP Command Used

FTP commands can also be used for many harmful activities such as data exfiltration and ransomware. This alert fires if Zeek or Suricata detects a new FTP command that wasn't used in the past three months.

STA - Ransomware - Many Changes to Files with Similar File Paths

Many ransomware tools will create, modify and then delete files with very similar file names (with an extension that indicates the ransomware tool).

STA - Privilege Escalation - New process running as root

Many types of malware will attempt to run new processes under the root user. This alert triggers if a new process name that wasn't seen anywhere in the organization in the past 72 hours was detected running as root.

STA - C2 Connectivity - New FTP user used

The FTP protocol, although originally designed to be the main protocol for transferring files over the Internet (or any network), is rarely used for that purpose nowadays. It is still sometimes used for software updates by some services, but even those are becoming less and less common. This alert fires if Zeek detects a new FTP user that wasn't used in the past three months. If this alert fires, it is recommended to investigate what that user was used for in FTP, which hosts were involved, and which files were transferred, deleted or modified. If files were modified using that user, it is also recommended to scan them to better understand the change or to restore them from a previous backup.

STA Insight - Building Block - C2 Connectivity - Connection to Suspicious Domain Name

Many types of malicious tools will attempt to connect to their operator by using a Command and Control server that is accessible via a computer-generated domain name that changes rapidly to make it harder to detect and block. This alert fires whenever a domain is accessed that, based on an automated NLP analysis, looks like it was computer generated. If this alert fires, it is recommended to investigate the detected domains, first by resolving them to IPs and/or aliases using a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and it is an HTTP/S request, it is recommended to try to unshorten the URL using a service such as https://unshorten.it/ or to capture the relevant website as an image using a service such as https://cloudconvert.com/website-png-screenshot to understand whether this website is a phishing attempt. Another option is to test the URL in websites such as VirusTotal to detect known malware being transmitted by this website. If it's a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made that request and inspect the process assembly or code to better understand what it was designed to do.

STA - Exfiltration - New HTTP method used

In HTTP, the HTTP method used determines whether the request is to delete, create, update or retrieve an item on/from the target system. Although the actual meaning of an HTTP method is implementation dependent, a new HTTP method that wasn't seen in the past three months, especially if no new system was recently installed, can mean that someone is trying to find out which HTTP methods are supported by the target system. This can then be used to execute unintended actions on the target system. This alert fires if a new HTTP method that wasn't seen in the past three months has been detected. It is recommended to clone this alert to target high-profile HTTP-based systems of the organization (by adding 'AND uri:/some_uri_regex_of_target_system/' to the alert query). If this alert fires, it is recommended to inspect the user-agent used, the source host and the process used to understand whether this is expected behaviour.
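Most alerts in this catalog share one detection pattern: a field value that was not observed in a lookback window (the "past three months" above). The following is an added example (not Coralogix or STA code) implementing that pattern over constructed Zeek http.log-style records; the learning period, the uri filter mirroring the 'AND uri:/.../' clone suggested above, and all hosts, URIs and user-agents are assumptions.

```python
import re
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # the alert's "past three months"

# Constructed http.log-style events (made-up hosts, URIs and user-agents).
T0 = datetime(2024, 1, 1)
LEARN_UNTIL = T0 + timedelta(days=10)  # assumed baseline-learning period
UA_BROWSER = "Mozilla/5.0 (constructed)"
SAMPLE_HTTP_EVENTS = [
    {"ts": T0,                        "id.orig_h": "10.0.0.5", "method": "GET",     "uri": "/portal/login",    "user_agent": UA_BROWSER},
    {"ts": T0 + timedelta(days=1),    "id.orig_h": "10.0.0.5", "method": "POST",    "uri": "/portal/login",    "user_agent": UA_BROWSER},
    {"ts": T0 + timedelta(days=2),    "id.orig_h": "10.0.0.6", "method": "PUT",     "uri": "/portal/api/item", "user_agent": UA_BROWSER},
    {"ts": T0 + timedelta(days=30),   "id.orig_h": "10.0.0.5", "method": "GET",     "uri": "/portal/login",    "user_agent": UA_BROWSER},
    {"ts": T0 + timedelta(days=60),   "id.orig_h": "10.0.0.5", "method": "POST",    "uri": "/portal/login",    "user_agent": UA_BROWSER},
    # A method never seen before, from a scripted client: should alert.
    {"ts": T0 + timedelta(days=100),  "id.orig_h": "10.0.0.9", "method": "OPTIONS", "uri": "/portal/api/item", "user_agent": "python-requests/2.31 (constructed)"},
    # PUT was last seen 99 days ago, outside the 90-day window: should alert.
    {"ts": T0 + timedelta(days=101),  "id.orig_h": "10.0.0.9", "method": "PUT",     "uri": "/portal/api/item", "user_agent": UA_BROWSER},
    # POST and GET were seen within the window: no alert.
    {"ts": T0 + timedelta(days=102),  "id.orig_h": "10.0.0.5", "method": "POST",    "uri": "/portal/login",    "user_agent": UA_BROWSER},
    {"ts": T0 + timedelta(days=103),  "id.orig_h": "10.0.0.5", "method": "GET",     "uri": "/portal/login",    "user_agent": UA_BROWSER},
]


def new_value_alerts(events, field, lookback=LOOKBACK, learn_until=None, uri_filter=None):
    """Return (event, reason) for each event whose `field` value was not seen
    in the `lookback` window before the event. Events before `learn_until`
    only populate the baseline. `uri_filter` restricts the stream to one
    target system, like adding 'AND uri:/regex/' to the alert query."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if uri_filter and not re.search(uri_filter, ev.get("uri", "")):
            continue
        value = ev[field]
        prev = last_seen.get(value)
        if learn_until is None or ev["ts"] >= learn_until:
            if prev is None:
                alerts.append((ev, "never seen"))
            elif ev["ts"] - prev > lookback:
                alerts.append((ev, f"last seen {(ev['ts'] - prev).days} days ago"))
        last_seen[value] = ev["ts"]  # the window slides with every sighting
    return alerts


if __name__ == "__main__":
    for ev, why in new_value_alerts(SAMPLE_HTTP_EVENTS, "method", learn_until=LEARN_UNTIL):
        print(f"{ev['ts']:%Y-%m-%d} {ev['id.orig_h']} new HTTP method {ev['method']} ({why})")
    for ev, why in new_value_alerts(SAMPLE_HTTP_EVENTS, "user_agent", learn_until=LEARN_UNTIL):
        print(f"{ev['ts']:%Y-%m-%d} {ev['id.orig_h']} new user-agent {ev['user_agent']!r} ({why})")
```

The same function applies unchanged to the page's other "not seen in the past three months" alerts (FTP command, destination country, RDP cookie, SIP user-agent) by changing `field`.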

STA - Credential Access - New Kerberos AS detected

The Kerberos authentication protocol defines two types of tickets that can be passed: a ticket-granting ticket (TGT) and a ticket-granting service (TGS) ticket; the first one is issued by the authenticating service (AS). In Microsoft Active Directory, this role is served by the Domain Controller. This alert fires if a new target address for the authenticating service has been seen that wasn't seen in the past three months. If this alert fires, it is recommended to investigate the mentioned address to understand whether it is a valid and authorized AS server.

STA - Credential Access - New Kerberos cipher detected

The Kerberos authentication protocol uses encryption mechanisms to encrypt the various tickets. This alert fires if a new encryption scheme was used. If this alert fires, it is recommended to check whether the detected encryption scheme is considered "weaker" than the current ones. If so, that can indicate that an attacker is trying to "downgrade" the encryption mechanism to force the use of a weaker protocol that can be cracked easily.

STA - Execution - Executable file targeted at a new OS type was seen

An executable file designed for an operating system that wasn't seen in the past three months can, especially in organizations that use a limited set of operating systems, indicate that a file not intended for this organization has been downloaded. If this alert fires, it is recommended to use Zeek's PE and Files logs, as well as audit logs from the machine that executed the file, to get a better understanding of what the file was designed to do. If possible, it is recommended to scan the file in services such as VirusTotal and Malwr to understand whether the file is known to be malicious and whether its designed behaviour is allowed and expected in the organization.

STA - Resource Development - New certificate issuer

The number of CA companies remains pretty much fixed over time. A new certificate issuer in a certificate can mean that someone is doing what is known as SSL-stripping, that is, decrypting the data, inspecting it and then encrypting it again and sending it to the target server. If this alert fires, it is recommended to inspect the specific certificate to understand whether it should be trusted, whether the certificate of the target website has changed to a new certificate issued by this issuer and, if not, which equipment or computer provided it on behalf of the target website. This can be investigated by inspecting the configuration of all inline devices between the source machine and the target service/website. It is also recommended to inspect the value of security.san_dns: if it contains multiple domain names that do not appear to belong to the same organization, that can also be an indication of foul play.

STA - Building Block - C2 Connectivity - Connection to Site with a Suspicious Certificate Issuer

Many types of malicious tools will attempt to connect to their operator by using a Command and Control server that is accessible via a computer-generated domain name that changes rapidly to make it harder to detect and block. Some types of malware use an encrypted connection (HTTPS) for that communication, which forces them to provide a certificate. This alert fires whenever a domain is accessed whose certificate issuer, based on an automated NLP analysis, looks like it was computer generated. If this alert fires, it is recommended to inspect the relevant domain by first reviewing the mentioned certificate and determining whether it was presented by the service itself or by some device on behalf of the target website (this can be tested from an out-of-band device such as a mobile phone connected to the cellular network).

STA - Lateral Movement - New SSH server (by hassh)

The security.hasshServer field contains a fingerprint value that identifies the SSH server regardless of its address. This alert fires when a new SSH server was identified. If that's unexpected, it is recommended to investigate further by using audit logs or netstat output from the relevant instance to determine which process is hosting the server service, to scan that file with services such as VirusTotal or Malwr, and to use Zeek PE and Files logs to determine whether its behaviour is acceptable in the organization.

STA - Building Block - Lateral Movement - Multiple SSH Connections by the Same Client to Same Server

This alert fires when a client made more than 10 SSH authentication attempts to the same SSH server. If this alert fires, it is recommended to inspect the client computer to make sure that all connections were made by a person trying to connect to the organization's SSH server.

STA - C2 Connectivity - New tunnel type

Tunnelling of all types has become the preferred method for attackers today to communicate with command and control servers. This alert fires if a new type of tunnelling has been detected that hasn't been seen in the past three months. If this alert fires, it is recommended to inspect the source machine to understand what process is creating that tunnel and for what purpose. It is also recommended to inspect the packets in that stream to understand which types of data are being transmitted and received using that tunnel (not all types of tunnelling are encrypted).

STA - Building Block - Impact - Unusual Number of SNMP Set Requests

SNMP, Simple Network Management Protocol, is the de facto protocol for managing network devices today. It allows administrators to query their devices for information as well as to update settings on managed devices. The most common attacks that use SNMP are those that use it as a mechanism for DDoS attacks, by sending many SNMP queries from a spoofed IP address (the victim) to many network devices, which in turn try to send their responses to the victim, overloading the network bandwidth and eventually bringing its network connection down. Such an attack should cause a flood of zeek_snmp messages, which will trigger the relevant volume anomaly alert. Another commonly used attack is to use SNMP to execute XSS and SQL injection attacks on the target system by simply sending SNMP information, as if it came from a monitored device, that contains SQL code or XSS code. This alert fires if the number of set requests is abnormal for the current point in time. If this alert fires, it is recommended to inspect the changes made via SNMP during the mentioned time period and make sure they are all expected and were made by a trusted process or personnel.

STA - C2 Connectivity - New IRC server

IRC is one of the oldest text-based chat protocols on the Internet. Nowadays it is, more often than not, used by malware to communicate with command and control servers. This alert triggers when a new destination IP was found in IRC communications. If this alert fires, it is recommended to investigate the source hosts connected to the newly discovered host by using audit logs and the zeek_files and zeek_pe logs to find the process making such requests and to determine whether it has spread to other hosts on the network.

STA - Credential Access - Unusual Number of MySQL Login Attempts

MySQL is one of the most widely used database systems today. Since it usually holds an organization's most sensitive information, such as users and passwords (at least hashes) as well as the actual business information, it is a lucrative target for attack. This alert fires if the number of logins to the DB server is unusually high for that specific time period. If this alert fires, it is recommended to check the database logs and/or other zeek_mysql logs to figure out whether all these login attempts were made by a single host, whether the relevant user eventually managed to log in, and what queries were made by that login session.

STA - Lateral Movement - New RDP keyboard layout

RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files and audio and sharing printers. Each client indicates the keyboard layout it would like to use; by default this value is set to the keyboard layout used by the client computer. This alert fires if a keyboard layout that wasn't seen in the past three months has been used in an RDP connection. To hide their actions from this alert, an attacker would have to correctly guess the keyboard layout used by the organization in RDP connections. If this alert fires, it is recommended to investigate the connection to verify that it came from a trustworthy source.

STA - Lateral Movement - New RDP security protocol

RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files and audio and sharing printers. In each connection the client and the server agree on the security protocol to be used. Often, an attacker will configure their client to ask the server to agree on an outdated security protocol that is easier to break. This alert fires if a security protocol that wasn't seen in the past three months has been used in an RDP connection. To hide their actions from this alert, an attacker would have to correctly guess the security protocol used by the organization in RDP connections. If this alert fires, it is recommended to investigate the connection to verify that it came from a trustworthy source and to read about the newly observed security protocol to understand whether it is stronger or weaker than the one usually used.

STA - Lateral Movement - New RDP cookie (usually username)

RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files and audio and sharing printers. This alert fires if an RDP cookie (usually the username) that wasn't seen in the past three months has been used in an RDP connection. If this alert fires, it is recommended to investigate the connection to verify that it came from a trustworthy source and, by using audit logs, to understand which process created the new connection.

STA - Lateral Movement - New RFB authentication method

RFB, or Remote Frame Buffer, is a simple open protocol for remote access to graphical user interfaces. It is used for remote access to computers running any windowing operating system and also allows transferring files and other advanced features. This alert fires if a new RFB authentication method is detected.

STA - Building Block - Credential Access - Unusual Number of Failed RFB Login Attempts

RFB (Remote Frame Buffer) is the simple, open protocol behind VNC for remote access to graphical user interfaces; it is used on every windowing operating system and, in some implementations, also supports file transfer and other extensions. This alert fires if the number of failed RFB authentications is exceptionally high for the current time period. If it fires, investigate the RFB clients that appeared during the alerted time frame to understand the sudden surge in failed authentications (password guessing against an exposed VNC server is the common cause) and identify the process involved.

STA - Defense Evasion - New SIP useragent detected

SIP (Session Initiation Protocol) is used by most Voice over IP solutions on the market to set up calls. This alert fires whenever a user-agent (the logical name identifying the type of device or softphone connected to the VoIP network, carried in the SIP User-Agent header) that was not seen in the past three months is detected. If this alert fires, use audit logs together with zeek_conn or suricata_flow logs to determine which device generated these SIP connections and whether it is authorized to do so.

STA - C2 Connectivity - New SOCKS proxy username detected

SOCKS is the de facto standard for proxying TCP (and, in SOCKS5, UDP) traffic, and is built into common administration tools such as OpenSSH's dynamic port forwarding (ssh -D); attackers use the same mechanism to pivot through a compromised host. This alert fires if the username presented in SOCKS proxy authentication has not been seen in the past three months. If it fires, verify that the user is legitimate and that a connection by that user, from that source host and from that executable, is authorized and expected. If not, inspect the zeek_files logs using the hash of the executable to understand whether it has been sent to other computers on the network.
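
The alerts above (new RDP security protocol, new RDP cookie, new RFB authentication method, new SIP user-agent, new SOCKS username, and further down the new OCSP hashing algorithm, TLD and country) share one detection: a field value that has not been seen in the previous three months. The following Python is an added example of that logic, not the STA's own code. It assumes Zeek JSON logs (one object per line), a caller-persisted baseline of value to last-seen time, and uses constructed rdp.log lines; the security_protocol values are the ones Zeek's RDP analyzer emits, and the strength ordering used for triage is an assumption made here.

```python
# Added example (not part of the STA product): "first seen in the past three
# months" detection over Zeek JSON logs, run here on constructed rdp.log lines.
# Assumptions: logs are Zeek JSON (one object per line) and the baseline is a
# dict {value: last_seen} that the caller persists between runs.
import json
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=90)

# Constructed sample rdp.log lines. Field names follow Zeek's rdp.log; the
# security_protocol values (RDP = standard RDP security, SSL = TLS,
# HYBRID = CredSSP/NLA, HYBRID_EX) are the ones Zeek logs.
SAMPLE_RDP_LOG = """
{"ts": 1700000000.0, "id.orig_h": "10.0.1.15", "id.resp_h": "10.0.2.5", "cookie": "jsmith", "security_protocol": "HYBRID"}
{"ts": 1700003600.0, "id.orig_h": "10.0.1.16", "id.resp_h": "10.0.2.5", "cookie": "adavis", "security_protocol": "HYBRID"}
{"ts": 1700007200.0, "id.orig_h": "10.0.1.99", "id.resp_h": "10.0.2.5", "cookie": "adminis", "security_protocol": "RDP"}
{"ts": 1700010800.0, "id.orig_h": "10.0.1.99", "id.resp_h": "10.0.2.6", "cookie": "adminis", "security_protocol": "RDP"}
"""

# Rough strength ordering for triage of a newly seen RDP security protocol
# (an assumption of this example, not a statement from the page).
RDP_STRENGTH = {"RDP": 0, "SSL": 1, "RDSTLS": 1, "HYBRID": 2, "HYBRID_EX": 3}


def parse_zeek_json(text):
    """Parse Zeek JSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def first_seen(events, field, baseline, lookback=LOOKBACK):
    """Return (value, event) pairs whose `field` value has not been seen within
    `lookback` of the event's own timestamp. Events must be in ascending ts order.

    `baseline` maps value -> last-seen datetime and is updated in place, so a
    value alerts once and then becomes part of the baseline; a value unseen for
    longer than `lookback` ages out and alerts again.
    """
    hits = []
    for ev in events:
        value = ev.get(field)
        if value is None:
            continue
        ts = datetime.fromtimestamp(ev["ts"], tz=timezone.utc)
        last = baseline.get(value)
        if last is None or ts - last > lookback:
            hits.append((value, ev))
        if last is None or ts > last:
            baseline[value] = ts
    return hits


def is_downgrade(new_protocol, usual_protocols):
    """True if the newly seen protocol is weaker than every protocol in the baseline."""
    known = [RDP_STRENGTH[p] for p in usual_protocols if p in RDP_STRENGTH]
    return bool(known) and RDP_STRENGTH.get(new_protocol, -1) < min(known)


def run_rdp_example():
    """Seed a baseline as it would look after 90 days of NLA-only RDP, then scan the sample."""
    events = parse_zeek_json(SAMPLE_RDP_LOG)
    seen_at = datetime(2023, 11, 1, tzinfo=timezone.utc)  # constructed last-seen time
    protocol_baseline = {"HYBRID": seen_at}
    cookie_baseline = {"jsmith": seen_at, "adavis": seen_at}
    new_protocols = first_seen(events, "security_protocol", protocol_baseline)
    new_cookies = first_seen(events, "cookie", cookie_baseline)
    return new_protocols, new_cookies


if __name__ == "__main__":
    protocols, cookies = run_rdp_example()
    for value, ev in protocols:
        print(f"new RDP security protocol {value!r} from {ev['id.orig_h']} "
              f"(downgrade: {is_downgrade(value, ['HYBRID'])})")
    for value, ev in cookies:
        print(f"new RDP cookie {value!r} from {ev['id.orig_h']} to {ev['id.resp_h']}")
```

The fourth sample line repeats the new protocol and cookie and produces no second hit, which is the behaviour a three-month baseline gives: one alert when the value appears, then silence until it ages out. Swapping the field name and log (sip.log user_agent, socks.log user, ocsp.log hashAlgorithm) gives the other alerts in this group.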

STA - C2 Connectivity - SOCKS Proxy Session with Addresses Outside the Organization

SOCKS is the de facto standard for proxying TCP (and, in SOCKS5, UDP) traffic, and is built into common administration tools such as OpenSSH's dynamic port forwarding. This alert fires if a SOCKS proxy session involving an external IP is detected. If it fires, verify that the session is legitimate and, if so, exempt the user or host from the query of this alert. If not, inspect the zeek_conn logs and the involved workstation's audit logs and running processes to understand what other connections were made by the source and destination machines involved in the SOCKS proxy session.

STA - Impact - MySQL Session with Addresses Outside the Organization

MySQL is one of the most widely used database systems today. Since it usually holds an organization's most sensitive information, such as users and passwords (at least their hashes) as well as the actual business data, it is a lucrative target. This alert fires if a MySQL connection is detected between a local and a public IP address. If it fires, block the connection at the gateway unless it is known for certain to be expected and legitimate. As a general best practice, direct connections from the Internet to local databases, or from the organization to public databases, should not be allowed.

STA - Credential Access - NTLM Session with Addresses Outside the Organization

NTLM is a legacy challenge-response authentication protocol still used in many Windows environments. An NTLM session with an external address is almost certainly a security issue: the challenge-response pair is exposed to the outside party, who can crack it offline or relay it, and forcing a host to authenticate to an attacker-controlled server (for example through a UNC path) is a common way to obtain it. If this alert fires, block the connection immediately at the gateway level, examine the zeek_conn logs to understand the connections originating from the same source IP or region, and review the security policy to verify that only legitimate connections to and from the organization are allowed.

STA - Credential Access - Kerberos Session with Addresses Outside the Organization

The Kerberos authentication protocol issues tickets that are encrypted with the keys of the principals involved. This alert fires if a Kerberos session involving an external IP is detected. Kerberos traffic (port 88) should not normally cross the organization's boundary; a domain controller reachable from the Internet exposes its AS-REQ/TGS-REQ exchanges to user enumeration and offline ticket cracking. If this alert fires, block the connection at the gateway level and then review the security policy to make sure that only needed connection types are allowed to and from the organization.

STA - Collection - SMB Session with Addresses Outside the Organization

SMB, which stands for Server Message Block, is the main (usually the only) protocol used for transferring files, connecting to printers and performing actions on remote computers in Windows environments. Several versions of it were notorious for high-profile vulnerabilities exploited in recent attacks, and implementations also exist for Linux, Unix and other environments. SMB (TCP 445) has no business crossing the Internet boundary in either direction. This alert fires if an SMB session involving a public IP is detected. If it fires, it is highly recommended to block the SMB connection at the gateway level and review the security policy to ensure that only needed and authorized connections are allowed to and from the organization.

STA - Resource Development - New OCSP hashing algorithm detected

OCSP (Online Certificate Status Protocol) is used by clients and web servers to check that the X.509 certificates they present or receive have not been reported as revoked; it replaces the older CRL (certificate revocation list) mechanism for the same purpose. An OCSP request identifies the certificate by hashes of the issuer's name and key, and Zeek records the hashing algorithm used in the hashAlgorithm field of ocsp.log. This alert fires if the hashing algorithm used in an OCSP transaction has not been seen in OCSP transactions in the past three months. If it fires, check whether the newly seen hashing algorithm is weaker or stronger than those previously used. If it is weaker, investigate the audit logs of the source machine to find the process that generated the query and either update it, remove it (if it is not needed) or prevent it from running.

STA - Resource Development - A certificate has been revoked

OCSP (Online Certificate Status Protocol) is used by clients and web servers to check that the X.509 certificates they present or receive have not been reported as revoked; it replaces the older CRL (certificate revocation list) mechanism for the same purpose. This alert fires if an OCSP response reports a certificate as revoked (certStatus "revoked" in Zeek's ocsp.log). If it fires, create (or update, if one already exists) an alert based on zeek_ssl or zeek_x509 for access to sites that presented the revoked certificate.

STA - Building Block - Reconnaissance - An Item Matched an IOC From the Intelligence Framework

This alert fires if an item seen in the traffic by Zeek (an address, domain, URL, file hash, certificate hash or similar) matched an indicator of compromise (IOC) listed in one of the configured intelligence data sources; Zeek records these matches in intel.log.

STA - Reconnaissance - A Traffic Matched a Zeek Signature

This alert fires if traffic seen by Zeek matched a signature from a loaded Zeek signature file; Zeek records such matches in signatures.log.

STA - Reconnaissance - A Dangling DNS Record Has Been Detected

In cloud environments, a dangling DNS record is a DNS A record that points to an IP address the organization no longer controls, for example an AWS Elastic IP (EIP) that has been released. An attacker who obtains that address (by allocating EIPs until it is assigned to them) can launch a server that answers for the organization's domain name, a form of subdomain takeover. The STA detects such cases by periodically comparing the list of DNS records to the list of EIPs. If this alert fires, remove the relevant DNS records or modify them to point to EIPs the organization controls.
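
The comparison described above, as an added Python example that is not the STA's own code. It assumes the caller has already fetched the zone's records (for example with Route 53 ListResourceRecordSets) and the account's Elastic IPs (EC2 DescribeAddresses); both are constructed inline here so the example runs offline. CLOUD_RANGES stands in for the EC2 prefixes an operator would load from AWS's ip-ranges.json, so that an address outside the provider can be told apart from one that has merely been released.

```python
# Added example (not part of the STA product): dangling A records, found by
# comparing a zone's records against the Elastic IPs the account still owns.
# Assumption: records and EIPs were fetched beforehand; here they are constructed.
import ipaddress

# Constructed: Elastic IPs the account still holds, and the provider's public range.
OWNED_EIPS = {"203.0.113.10", "203.0.113.11"}
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for ip-ranges.json EC2 prefixes

# Constructed zone contents in the shape Route 53 returns (FQDNs with a trailing dot).
RECORDS = [
    {"name": "www.example.com.",  "type": "A",     "values": ["203.0.113.10"]},
    {"name": "old.example.com.",  "type": "A",     "values": ["203.0.113.57"]},                  # EIP released
    {"name": "mail.example.com.", "type": "A",     "values": ["198.51.100.5"]},                  # hosted elsewhere
    {"name": "api.example.com.",  "type": "A",     "values": ["203.0.113.11", "203.0.113.58"]},  # one of two released
    {"name": "cdn.example.com.",  "type": "CNAME", "values": ["d111111abcdef8.cloudfront.net."]},
]


def classify_address(addr, owned_eips, cloud_ranges):
    """'owned' if the EIP is still ours; 'dangling' if it is in the provider's range
    but not ours (anyone can be allocated it); 'unknown' if it is outside the
    provider and cannot be judged from the EIP list at all."""
    if addr in owned_eips:
        return "owned"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in cloud_ranges):
        return "dangling"
    return "unknown"


def find_dangling(records, owned_eips, cloud_ranges):
    """Return (name, address, verdict) for every A-record value that is not an owned EIP.

    Only A records are checked: a CNAME to a deprovisioned resource (subdomain
    takeover) needs a separate check against the target service. A record with
    several values is reported per value, since one released address is enough
    for an attacker to receive part of the traffic.
    """
    findings = []
    for rec in records:
        if rec["type"] != "A":
            continue
        for addr in rec["values"]:
            verdict = classify_address(addr, owned_eips, cloud_ranges)
            if verdict != "owned":
                findings.append((rec["name"], addr, verdict))
    return findings


if __name__ == "__main__":
    for name, addr, verdict in find_dangling(RECORDS, OWNED_EIPS, CLOUD_RANGES):
        print(f"{verdict:8} {name} -> {addr}")
```

The "unknown" verdict matters in practice: an A record pointing outside the provider's ranges is not proven dangling by the EIP list alone and needs a check against whoever hosts that address, while a "dangling" one inside the provider's ranges should be fixed immediately.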

STA Insight - Building Block - Collection - Outbound Connection From a DB Server

Database servers hold sensitive data that must be kept out of reach of anyone without permission to access it, and they normally have no reason to initiate connections to the Internet. This alert fires if a connection is detected from a database server (a host that recently responded on ports 5432, 1433, 9200 or 3306) to an address outside the organization; such a connection is suspicious and may indicate exfiltration or a compromised server fetching tooling.
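
The boundary check behind the MySQL, NTLM, Kerberos and SMB "Session with Addresses Outside the Organization" alerts above (and the SSH and LDAP ones further down), together with the two-pass logic of this insight, as an added Python example that is not the STA's own code. It assumes Zeek conn.log in JSON format, that the organization's address space is RFC 1918, CGNAT and the public ranges listed in ORG_NETS (198.51.100.0/24 stands in for the organization's own public allocation), and that the conn.log service names are the ones Zeek's analyzers emit; the sample lines are constructed.

```python
# Added example (not part of the STA product): sessions that cross the
# organization boundary, and outbound sessions from hosts that served DB ports.
# Assumptions: Zeek conn.log in JSON format; ORG_NETS is the address space the
# organization owns or uses; "DB server" = a local host that answered on a DB port.
import ipaddress
import json

# Addresses treated as inside the organization. 198.51.100.0/24 is a constructed
# stand-in for the organization's own public range. ipaddress.is_global is not
# used on purpose: it treats the documentation ranges in this sample as non-global.
ORG_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, common inside cloud VPCs
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local (incl. cloud metadata)
    "198.51.100.0/24",                                  # assumed: the organization's public range
)]

# conn.log `service` values for the protocols these alerts cover; Zeek may log
# several, comma-separated (e.g. "gssapi,smb").
WATCHED_SERVICES = {"mysql", "ntlm", "krb", "krb_tcp", "smb", "gssapi", "ssh", "ldap"}
DB_PORTS = {5432, 1433, 9200, 3306}
# conn_state values in which the responder never answered (S0: no reply,
# REJ: rejected, RSTOS0: reset before any reply), so the host did not "respond".
NO_REPLY_STATES = {"S0", "REJ", "RSTOS0"}

# Constructed sample conn.log lines.
SAMPLE_CONN_LOG = """
{"ts": 1700000000.0, "uid": "C1", "id.orig_h": "10.0.1.15", "id.orig_p": 51000, "id.resp_h": "10.0.5.20", "id.resp_p": 3306, "proto": "tcp", "service": "mysql", "conn_state": "SF"}
{"ts": 1700000100.0, "uid": "C2", "id.orig_h": "10.0.5.20", "id.orig_p": 44000, "id.resp_h": "203.0.113.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "conn_state": "SF"}
{"ts": 1700000200.0, "uid": "C3", "id.orig_h": "203.0.113.9", "id.orig_p": 40000, "id.resp_h": "198.51.100.10", "id.resp_p": 445, "proto": "tcp", "service": "gssapi,smb", "conn_state": "SF"}
{"ts": 1700000300.0, "uid": "C4", "id.orig_h": "10.0.1.15", "id.orig_p": 51001, "id.resp_h": "10.0.2.5", "id.resp_p": 88, "proto": "tcp", "service": "krb_tcp", "conn_state": "SF"}
{"ts": 1700000400.0, "uid": "C5", "id.orig_h": "10.0.1.16", "id.orig_p": 51002, "id.resp_h": "203.0.113.40", "id.resp_p": 22, "proto": "tcp", "service": "ssh", "conn_state": "SF"}
{"ts": 1700000500.0, "uid": "C6", "id.orig_h": "203.0.113.9", "id.orig_p": 40001, "id.resp_h": "10.0.5.21", "id.resp_p": 5432, "proto": "tcp", "service": null, "conn_state": "S0"}
"""


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(addr):
    """True if `addr` lies outside every network the organization owns or uses."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in ORG_NETS)


def external_service_sessions(events):
    """(uid, matched services) for watched-protocol sessions with an endpoint outside the org."""
    hits = []
    for ev in events:
        services = set((ev.get("service") or "").split(",")) & WATCHED_SERVICES
        if not services:
            continue
        if is_external(ev["id.orig_h"]) or is_external(ev["id.resp_h"]):
            hits.append((ev["uid"], services))
    return hits


def db_server_outbound(events):
    """Pass 1: local hosts that actually answered on a DB port (an unanswered
    probe such as C6 does not qualify). Pass 2: their sessions to external addresses."""
    db_hosts = {
        ev["id.resp_h"] for ev in events
        if ev["id.resp_p"] in DB_PORTS
        and ev.get("conn_state") not in NO_REPLY_STATES
        and not is_external(ev["id.resp_h"])
    }
    return [
        (ev["uid"], ev["id.orig_h"], ev["id.resp_h"], ev["id.resp_p"])
        for ev in events
        if ev["id.orig_h"] in db_hosts and is_external(ev["id.resp_h"])
    ]


if __name__ == "__main__":
    events = parse_conn_log(SAMPLE_CONN_LOG)
    for uid, services in external_service_sessions(events):
        print(f"{uid}: {','.join(sorted(services))} session with an external address")
    for uid, src, dst, port in db_server_outbound(events):
        print(f"{uid}: DB server {src} connected out to {dst}:{port}")
```

Getting ORG_NETS right is most of the work in production: a missing VPC CIDR or public allocation turns legitimate traffic into alerts, while a range that is too broad hides real boundary crossings.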

STA insight - Resource Development - Connection to new TLD

A top-level domain (TLD) is the last label of a domain name, directly under the DNS root: in the domain name 'google.com', '.com' is the TLD. This alert fires when a connection to a domain under a TLD that has not been seen before is detected.

STA Insight - Defense Evasion - New Source/Destination Country

This alert fires whenever a country that has not been seen in the past three months connects to a local IP as a source country, or a local IP connects to a country not seen in the past three months as a destination country. If it fires, analyze the connections to the detected country using Zeek's conn logs and/or Suricata's flow logs and related logs to understand what type of connections were observed, what data was transferred, in which direction and by which service, then contact the relevant service owners to confirm whether the connection is expected.

STA insight - Impact - Incoming SSH/RDP connection from a new country

RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, it also allows transferring files and audio and sharing printers. SSH is the protocol (and tool suite) used for secure system administration and file transfer over untrusted networks. This alert fires when an SSH or RDP connection is detected from a country not seen before.

STA Insight - Exfiltration - First Outbound Connection

This alert fires on the first connection detected from an instance (identified by its AWS Name tag) to an address outside the organization.

STA insight - Impact - New MySQL command

MySQL is one of the most widely used database systems today. Since it usually holds an organization's most sensitive information, such as users and passwords (at least their hashes) as well as the actual business data, it is a lucrative target. This alert fires when a MySQL protocol command (the cmd field of Zeek's mysql.log) that has not been seen before is detected.

STA insight - Exfiltration - New instance making MySQL queries per DB

MySQL is one of the most widely used database systems today. Since it usually holds an organization's most sensitive information, such as users and passwords (at least their hashes) as well as the actual business data, it is a lucrative target. This alert fires when an instance that has not previously issued MySQL queries to a given database is seen doing so.

STA insight - Lateral Movement - First incoming SSH/RDP connection per destination

RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, it also allows transferring files and audio and sharing printers. SSH is the protocol (and tool suite) used for secure system administration and file transfer over untrusted networks. This alert fires on the first SSH or RDP connection detected to a destination (identified by its AWS Name tag) that has not received one before.

STA Insight - Lateral Movement - More Than 10 Lateral Connections in 10 Minutes

An unusual number of connections between internal hosts in a short period of time is often an indication of lateral movement, for example a compromised host connecting to many peers over SMB, RDP or WinRM. This alert fires when more than 10 lateral connections are seen within 10 minutes.

STA insight - Command and Control - Outbound TLS connection with an invalid cert

TLS is a cryptographic protocol that provides end-to-end security for data sent between applications over the Internet. Adversaries commonly use self-signed or otherwise invalid certificates for their command-and-control servers, or imitate a TLS handshake so that subsequent traffic looks encrypted and related to a trusted entity, which can interfere with some security tooling. This alert fires when a TLS connection to an address outside the organization is detected whose certificate fails validation (a validation_status in Zeek's ssl.log other than "ok", such as "self signed certificate" or "certificate has expired").

STA insight - Resource Development - Connection to URL redirecting to another domain

Open redirection is a weakness in which a URL parameter lets an attacker send users of your application to an untrusted external site; attackers also use redirectors to hide the final destination of phishing links and command-and-control traffic. This alert fires when a connection to a URL that redirects (HTTP 3xx) to another domain is detected.

STA insight - C2 Connectivity - SSH session with addresses outside the organization

SSH is the protocol (and tool suite) used for secure system administration and file transfer over untrusted networks; because it carries arbitrary port forwarding, an SSH session to a public address from an internal host is also a classic tunnelling and C2 channel. This alert fires if an SSH session involving a public IP is detected. If it fires, it is highly recommended to block the SSH connection at the gateway level and review the security policy to ensure that only needed and authorized connections are allowed to and from the organization.

STA - C2 Connectivity - LDAP Session with Addresses Outside the Organization

Lightweight Directory Access Protocol (LDAP) is the protocol applications use to query directory information such as users and groups. This alert fires if Zeek detects an LDAP connection between the organization and an external IP. Directory services should not be reachable from the Internet: an exposed LDAP port (389, or 636 for LDAPS) allows enumeration of users and groups and, with simple bind over plain LDAP, exposes credentials in clear text.

STA insight - C2 Connectivity - More than 100 NXDOMAIN responses in 10 minutes

A high number of NXDOMAIN responses from DNS servers is often an indication of Domain Generation Algorithm (DGA) activity: malware tries many algorithmically generated names, most of which do not exist, until it reaches one its operator has registered. If this alert fires, investigate the source hosts, processes and files involved in the lookups that returned NXDOMAIN. Links for more information: https://en.wikipedia.org/wiki/Domain_generation_algorithm, https://beta.darkreading.com/attacks-breaches/monitor-dns-traffic-you-just-might-catch-a-rat
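
This alert and the "More Than 10 Lateral Connections in 10 Minutes" insight above are both a count-over-a-sliding-window check. The Python below is an added example of that check, not the STA's own code; the thresholds and windows are the page's, while counting per source host, the internal-network definition and the alert-once-per-window suppression are assumptions made here. The dns.log and conn.log events are constructed.

```python
# Added example (not part of the STA product): one sliding-window counter serving
# "More than 100 NXDOMAIN responses in 10 minutes" (dns.log) and "More Than 10
# Lateral Connections in 10 Minutes" (conn.log), run on constructed events.
from collections import defaultdict, deque
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW_S = 600  # 10 minutes


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def windowed_threshold(events, key, window_s, threshold):
    """Yield (key, ts, count) the first time a key's events within `window_s`
    exceed `threshold`, then stay quiet for that key for one window so a burst
    of 120 lookups produces one alert, not twenty.
    Events must be in ascending `ts` order; `key` returns None to skip an event."""
    windows = defaultdict(deque)
    last_alert = {}
    for ev in events:
        k = key(ev)
        if k is None:
            continue
        q = windows[k]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_s:  # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and ev["ts"] - last_alert.get(k, float("-inf")) > window_s:
            last_alert[k] = ev["ts"]
            yield (k, ev["ts"], len(q))


def nxdomain_key(ev):
    """dns.log: count NXDOMAIN answers per querying host."""
    return ev["id.orig_h"] if ev.get("rcode_name") == "NXDOMAIN" else None


def lateral_key(ev):
    """conn.log: count internal-to-internal connections per originating host."""
    if is_internal(ev["id.orig_h"]) and is_internal(ev["id.resp_h"]):
        return ev["id.orig_h"]
    return None


def make_dns_sample():
    """Constructed dns.log events: 10.0.1.50 receives 120 NXDOMAIN answers in five
    minutes (DGA-like); 10.0.1.51 resolves one real name 20 times."""
    events = [{"ts": 1700000000.0 + i * 2.5, "id.orig_h": "10.0.1.50",
               "query": f"q{i:03d}zk.example", "rcode_name": "NXDOMAIN"} for i in range(120)]
    events += [{"ts": 1700000000.0 + i * 15, "id.orig_h": "10.0.1.51",
                "query": "intranet.example", "rcode_name": "NOERROR"} for i in range(20)]
    return sorted(events, key=lambda e: e["ts"])


def make_conn_sample():
    """Constructed conn.log events: 10.0.1.60 opens SMB to 12 internal hosts in
    three minutes; 10.0.1.61 talks to one internal host and one public address."""
    events = [{"ts": 1700000000.0 + i * 15, "id.orig_h": "10.0.1.60",
               "id.resp_h": f"10.0.2.{i + 1}", "id.resp_p": 445} for i in range(12)]
    events += [{"ts": 1700000007.0, "id.orig_h": "10.0.1.61", "id.resp_h": "10.0.2.1", "id.resp_p": 445},
               {"ts": 1700000008.0, "id.orig_h": "10.0.1.61", "id.resp_h": "203.0.113.5", "id.resp_p": 443}]
    return sorted(events, key=lambda e: e["ts"])


def run_examples():
    dns_alerts = list(windowed_threshold(make_dns_sample(), nxdomain_key, WINDOW_S, 100))
    lateral_alerts = list(windowed_threshold(make_conn_sample(), lateral_key, WINDOW_S, 10))
    return dns_alerts, lateral_alerts


if __name__ == "__main__":
    dns_alerts, lateral_alerts = run_examples()
    for host, ts, n in dns_alerts:
        print(f"{host}: {n} NXDOMAIN responses within {WINDOW_S}s at ts={ts}")
    for host, ts, n in lateral_alerts:
        print(f"{host}: {n} lateral connections within {WINDOW_S}s at ts={ts}")
```

The same counter, with the threshold taken from a per-hour baseline instead of a fixed number, is the shape of the "Unusual Number of Failed RFB Login Attempts" building block above; for lateral movement, keying on distinct destination hosts rather than raw connections reduces noise from chatty but legitimate clients.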

STA insight - Exfiltration - over 1 hour long connection

Long-lived connections may indicate ongoing data exfiltration, such as extracting small chunks over a long period, or a persistent command-and-control channel; a large number of them may also indicate an attempt to create a denial-of-service condition by exhausting server connection capacity. This alert fires when Zeek records a connection with a duration of more than one hour.

STA - Collection - NIDS alert detected - A suspicious string was detected

This classification indicates the identification of a potentially suspicious or malicious string of characters within the network traffic or system being analyzed. This alert suggests the presence of specific patterns, keywords, or sequences that are known or suspected to be associated with malicious activities or security threats. Detecting suspicious strings helps in flagging potential risks, such as the presence of malware, exploit attempts, or unauthorized commands. By promptly detecting and analyzing suspicious strings, appropriate security measures can be taken to investigate further, mitigate potential risks, and ensure the integrity and security of the network or system. For example, "admin:admin" is a common default username and password combination for administrative access to systems or applications; seeing it in traffic can indicate an attempt to gain unauthorized access to a device or service.

STA - Collection - NIDS alert detected - Inappropriate Content was Detected

This classification indicates the identification of content that is deemed inappropriate or violates established policies or guidelines. This alert suggests the detection of content, such as websites, files, or media, that contains explicit, offensive, or prohibited material. Detecting inappropriate content is important as it helps maintain a secure and compliant environment, especially in organizations or networks where content filtering is in place.

STA - Collection - NIDS alert detected - Generic ICMP event

This classification indicates the detection of a security event related to ICMP (Internet Control Message Protocol) traffic that does not fit into specific predefined attack classifications. This alert suggests the identification of ICMP activity that may be anomalous or suspicious but does not have a well-defined signature or pattern associated with known attacks. ICMP is commonly used for network troubleshooting and communication purposes, but it can also be exploited for malicious activities such as ICMP flooding or ICMP-based attacks.

STA - Collection - NIDS alert detected - Web Application Attack

This classification indicates the detection of a security event involving an attack specifically targeting a web application. This alert suggests that Suricata has identified suspicious or malicious activities aimed at exploiting vulnerabilities in the web application's code, infrastructure, or configuration. Web application attacks can include various techniques, such as SQL injection, cross-site scripting (XSS), remote code execution, or directory traversal, with the goal of compromising the application's security, gaining unauthorized access, or extracting sensitive information.

STA - Collection - NIDS alert detected - Access to a potentially vulnerable web application

This classification indicates the detection of an event where there has been access to a web application that may have security vulnerabilities or weaknesses. This alert suggests that Suricata has identified activity related to a web application that could potentially be exploited by malicious actors. Access to a vulnerable web application increases the risk of unauthorized access, data breaches, or other malicious activities. Detecting such access is crucial as it highlights the need for immediate investigation and remediation to address the vulnerabilities, patch any security gaps, and ensure the overall security of the web application.

STA - Building Block - Collection - NIDS Alert Detected - A Client Was Using an Unusual Port

This classification indicates the detection of network traffic where a client is utilizing a port that is considered uncommon or atypical. This alert suggests that the client is establishing a connection or conducting communication through a port that is not commonly associated with the specific service or protocol being used. Detecting such activity is important as it may indicate potential security risks or attempts to bypass standard security measures. Unusual port usage can be indicative of unauthorized or suspicious activities, such as attempts to evade network monitoring or exploit vulnerabilities.

STA - Collection - NIDS alert detected - Unsuccessful User Privilege Gain

This classification indicates the detection of an event where an unauthorized user or entity attempted to gain higher levels of privileges or access within a system or network but was unsuccessful. This alert suggests that an attacker made an effort to escalate their privileges or gain unauthorized access to restricted resources, but their attempts were thwarted or blocked. Detecting unsuccessful user privilege gain is crucial as it provides valuable insights into potential security threats and unauthorized access attempts.

STA - Collection - NIDS alert detected - Unknown Traffic

This classification indicates the detection of network traffic that cannot be classified or identified based on predefined signatures or known patterns. This alert suggests the presence of network communication or data that does not match any recognized protocols or expected behaviors. Detecting unknown traffic is important as it can indicate the presence of new or emerging threats, zero-day vulnerabilities, or unauthorized activities that have not been previously encountered or analyzed. It highlights the need for further investigation and analysis to determine the nature and potential risks associated with the unknown traffic.

STA - Building Block - Collection - NIDS Alert Detected - A Network Trojan Was Detected

This classification indicates the identification of a malicious program or code specifically designed to infiltrate a network and perform unauthorized activities. This alert suggests that Suricata has detected the presence of a network Trojan, which is a type of malware that disguises itself as legitimate network traffic or software. Network Trojans are often used by attackers to gain unauthorized access, control compromised systems remotely, exfiltrate sensitive data, or launch further attacks within the network. Detecting a network Trojan is crucial as it reveals the presence of a significant security threat that requires immediate investigation and mitigation.

STA - Collection - NIDS alert detected - Targeted Malicious Activity was Detected

This classification indicates the identification of specific and intentional malicious actions aimed at a particular target or entity. This alert suggests the detection of sophisticated and purposeful attacks directed towards compromising the security, integrity, or availability of a specific system, network, or organization. Targeted malicious activity often involves advanced techniques, customized exploits, or social engineering tactics to bypass defenses and achieve specific objectives, such as data theft, unauthorized access, or disruption of services. Detecting targeted malicious activity is crucial as it highlights a high-level threat that requires immediate attention and response.

STA - Collection - NIDS alert detected - A system call was detected

This classification refers to the identification of a system call, which is a request made by a program or process to the operating system for a specific service or action. This alert suggests that Suricata has observed and analyzed a system call being made within the monitored system or network. System calls are essential for normal operation but can also be exploited by attackers to perform unauthorized actions or gain privileged access. Detecting system calls allows for monitoring and analyzing potential security threats, ensuring proper system behavior, and enhancing overall system security. It provides valuable insights into the activities and interactions happening at the operating system level, facilitating timely response and mitigation measures if any malicious or unauthorized behavior is detected.

STA - Building Block - Collection - NIDS Alert Detected - An Attempted Login Using a Suspicious Username Was Detected

This classification indicates the identification of an event where an unauthorized login attempt was made using a username that raises suspicions or exhibits characteristics associated with potentially malicious activities. This alert suggests the presence of an unusual or suspicious username that deviates from regular naming conventions or is associated with known malicious actors or hacking attempts. Detecting such an attempted login is crucial as it signifies a potential security threat. Immediate investigation and appropriate action are necessary to prevent unauthorized access, strengthen authentication mechanisms, and protect the integrity and security of the system or network.

STA - Collection - NIDS Alert Detected - A Suspicious Filename Was Detected

This classification indicates the identification of a filename that exhibits characteristics or patterns suggesting it may be associated with suspicious or potentially malicious activity. This alert suggests the presence of a file with a name that raises concerns or deviates from normal naming conventions. Suspicious filenames can be indicative of malware, malicious scripts, or other forms of unauthorized or harmful content. Detecting a suspicious filename allows for immediate investigation and appropriate action to mitigate potential risks, such as quarantining or removing the file, and enhancing overall system security.

STA - Collection - NIDS alert detected - Successful User Privilege Gain

This classification indicates the detection of an event where an unauthorized user or entity has successfully obtained higher levels of privileges or access within a system or network. This alert suggests that an attacker has managed to escalate their privileges, gaining greater control over resources, data, or functionalities that were originally restricted. Successful user privilege gain allows the attacker to perform unauthorized actions, access sensitive information, or manipulate system configurations. Detecting this event is crucial as it signals a significant security breach. Immediate investigation and remedial actions are necessary to revoke the unauthorized privileges, close security gaps, and prevent further compromise or unauthorized activities within the affected system or network.

STA - Collection - NIDS alert detected - Information Leak

This classification refers to the detection of a security event where sensitive or confidential information has been unintentionally or maliciously disclosed to unauthorized entities or systems. This alert suggests the identification of a potential breach or vulnerability that has led to the unauthorized exposure of valuable data. Information leaks can occur through various means, including misconfigured systems, software vulnerabilities, or intentional data exfiltration. Detecting information leaks is essential as it enables prompt investigation and remediation to prevent further data compromise, protect sensitive information, and ensure compliance with privacy regulations.

STA - Collection - NIDS alert detected - Large Scale Information Leak

This classification refers to the detection of a security event where a significant amount of sensitive or confidential information has been disclosed or leaked. This alert suggests the identification of unauthorized access, data breaches, or other malicious activities that have resulted in the exposure of valuable data on a substantial scale. Large scale information leaks can have severe consequences, including compromised personal information, intellectual property theft, or reputation damage. Detecting such leaks is crucial as it enables immediate investigation and response to mitigate further data exposure, secure affected systems, and implement measures to prevent future breaches.

STA - Collection - NIDS alert detected - Denial of Service

This classification refers to the identification of a security event involving the intentional disruption or prevention of legitimate users' access to a system, service, or network resource. This alert suggests the detection of malicious activities aimed at overwhelming the targeted infrastructure, causing service degradation or complete unavailability. Denial of Service attacks can be carried out through various means, such as flooding the network with excessive traffic, exploiting vulnerabilities in network protocols, or exhausting system resources. Detecting Denial of Service attacks is crucial as it allows for immediate response and mitigation to restore normal operations, protect system availability, and ensure uninterrupted access for legitimate users.

STA - Collection - NIDS alert detected - Successful Administrator Privilege Gain

This classification indicates the detection of an event where an unauthorized individual or entity has successfully acquired administrator-level privileges on a system or network. This alert suggests that an attacker has bypassed security measures or exploited vulnerabilities, gaining extensive control and access to critical resources and settings. Administrator privileges provide elevated levels of authority and control, enabling the attacker to perform unauthorized actions, install malicious software, manipulate configurations, or compromise sensitive data. Detecting a successful administrator privilege gain is of utmost importance as it highlights a significant security breach. Immediate investigation and remedial actions are essential to revoke the unauthorized access, close security gaps, and prevent further compromise or damage to the affected system or network.

STA - Collection - NIDS alert detected - Possible Social Engineering Attempted

This classification refers to the identification of suspicious activities or indicators that suggest the presence of a social engineering attempt. This alert indicates that certain actions, behaviors, or communication patterns have been detected that align with tactics commonly used in social engineering attacks. Social engineering involves manipulating human psychology to deceive individuals into revealing sensitive information, performing unauthorized actions, or compromising security measures. Detecting possible social engineering attempts allows for immediate investigation, raising awareness among potential targets, and implementing necessary countermeasures to prevent successful attacks and protect against social engineering-related risks.

STA - Collection - NIDS alert detected - Executable code was detected

This classification indicates the identification of executable code within the network traffic or system that has been analyzed. This alert suggests the presence of binary files or code that can be executed on a computer or device. Detecting executable code helps in monitoring and analyzing potential security threats, as it may signify the presence of malware, malicious scripts, or other forms of unauthorized code execution. By promptly detecting and analyzing executable code, security measures can be implemented to mitigate risks, prevent further compromise, and safeguard the integrity and security of the network or system.

STA - Collection - NIDS alert detected - Decode of an RPC Query

This classification refers to the successful decoding and analysis of a Remote Procedure Call (RPC) query. This alert indicates that Suricata has identified and processed an RPC query, which is a communication protocol used by networked computers to allow programs to request services from other programs located on remote systems. By decoding the RPC query, Suricata gains visibility into the content and structure of the network communication, enabling further analysis and potential detection of malicious activity or vulnerabilities within the RPC protocol. Detecting and decoding RPC queries helps in understanding network behavior, ensuring proper functioning of network services, and enhancing overall network security.

STA - Collection - NIDS alert detected - Possibly Unwanted Program Detected

This classification refers to the identification of a program or software that exhibits characteristics suggesting it may be unwanted or potentially harmful. This alert indicates the detection of behavior or attributes that align with potentially malicious or undesirable software, such as adware, spyware, or potentially unwanted applications. These programs may exhibit intrusive or unwanted behaviors, compromise user privacy, or negatively impact system performance. Detecting a possibly unwanted program allows for further investigation and appropriate action to prevent potential harm, such as removing or quarantining the program, and enhancing overall system security.

STA - Collection - NIDS alert detected - Potential Corporate Privacy Violation

This classification refers to the identification of an event that suggests a potential breach or violation of corporate privacy. This alert indicates the detection of activities or behaviors that could potentially compromise sensitive information, such as confidential corporate data, personal identifiable information (PII), or intellectual property. It raises concerns about unauthorized access, data leakage, or suspicious activities that may pose a threat to the privacy and security of the organization.

STA - Building Block - Collection - NIDS Alert Detected - Detection of a non-standard Protocol or Event

The detection of a non-standard protocol or event refers to the identification of unusual or uncommon network protocols or events that deviate from established standards. This alert indicates the detection of network traffic or system behavior that does not conform to the expected or widely recognized protocols and patterns. It suggests the presence of potentially unauthorized or suspicious activities, which may indicate an attempt to bypass security measures or exploit vulnerabilities. Detecting non-standard protocols or events is crucial for maintaining network security as it allows for immediate investigation and remediation to prevent potential threats or unauthorized access.

STA - Building Block - Collection - NIDS Alert Detected - Detection of a Network Scan

The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation. Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.

STA - Collection - NIDS alert detected - Misc Attack

A miscellaneous (misc) attack refers to a type of security event that encompasses various unauthorized activities targeting a system or network, which cannot be easily classified into specific attack categories. These attacks often involve unusual or anomalous behavior, such as unauthorized port scanning, atypical network traffic patterns, or suspicious system actions that do not fit into predefined attack signatures. Due to their unpredictable nature, misc attacks can be challenging to identify and mitigate. They require thorough investigation to understand their specific nature and potential impact on the affected system or network, allowing appropriate security measures to be implemented.

STA - Collection - NIDS alert detected - Device Retrieving External IP Address Detected

This classification refers to the detection of a security event where a device is observed retrieving its external IP address. This alert suggests that the device is attempting to determine the public-facing IP address that is assigned to it by the Internet Service Provider (ISP). This information can be used by both legitimate users and potentially malicious actors for various purposes, such as establishing network connectivity or identifying the device's location on the internet.

STA - Collection - NIDS alert detected - Exploit Kit Activity Detected

This alert indicates the detection of a security event where an exploit kit is being used by malicious actors. It suggests that the observed activity involves automated delivery of harmful code or exploits to vulnerable systems. The attackers intend to exploit security weaknesses and compromise the targeted devices or networks. The presence of an exploit kit shows a high level of sophistication and poses a significant threat to the security of the affected systems.

STA - Collection - NIDS alert detected - Domain Observed Used for C2 Detected

This alert signifies the detection of a security event involving the identification of a domain being used as a Command and Control (C2) infrastructure by malicious actors. This alert suggests that the observed domain is being utilized as a central hub for malicious activities, enabling the attackers to control compromised systems remotely. Such detection indicates a potential breach of security and emphasizes the need for immediate investigation and remediation to mitigate further risks and prevent unauthorized control of affected systems.

STA - Collection - NIDS alert detected - Detection of a Denial of Service Attack

This alert indicates the identification of an ongoing security event where there are signs of a deliberate attempt to disrupt or overload a system or network, rendering it unavailable to legitimate users. This classification suggests that the attacker is employing various techniques to overwhelm the targeted resources, potentially causing service degradation or complete unavailability.

STA - Collection - NIDS alert detected - Attempt to login by a default username and password

This alert indicates that there is an ongoing security event where an unauthorized entity is trying to gain access to a system or network using default or commonly used login credentials. This classification suggests that the attacker is exploiting weak or unchanged default settings to attempt unauthorized login. Detecting and responding to this alert promptly is crucial to prevent successful unauthorized access and potential security breaches.

STA - Collection - NIDS alert detected - Successful Credential Theft Detected

This alert signifies that an unauthorized entity or malware has successfully stolen login credentials from a system or network. This classification indicates that sensitive user information, such as usernames and passwords, has been compromised. Detecting and responding to this alert promptly is crucial to mitigate the potential misuse of stolen credentials and prevent unauthorized access to systems or sensitive data.

STA - Collection - NIDS alert detected - Malware Command and Control Activity Detected

This alert indicates the presence of malicious software that is actively communicating with a remote command and control server. This classification suggests that the malware is receiving instructions or transmitting sensitive data to the external server.

STA - Collection - NIDS alert detected - Crypto Currency Mining Activity Detected

This alert signifies the detection of activities related to the unauthorized mining of cryptocurrencies. This classification suggests that there are attempts to utilize system resources for mining purposes without proper authorization. Detecting and responding to this alert promptly is crucial to prevent excessive resource consumption, potential performance degradation, and unauthorized use of computing power.

STA - Building Block - Collection - NIDS Alert Detected - Potentially Bad Traffic

This alert indicates the detection of suspicious network activity that may pose a security risk. This classification suggests that the observed traffic exhibits patterns or characteristics commonly associated with malicious or unwanted behavior. By identifying and investigating this alert, administrators can take appropriate measures to analyze and mitigate any potential threats, ensuring the integrity and security of the network.

STA - Collection - NIDS alert detected - Attempted User Privilege Gain

This alert indicates an active security event where an unauthorized entity or malware is attempting to gain higher privileges or elevate their access level within a system or network. This classification suggests that the attacker aims to acquire greater control and permissions, potentially enabling them to perform unauthorized actions or access sensitive resources. Detecting and responding to this alert promptly is crucial to prevent unauthorized privilege escalation and mitigate the risk of compromised systems or data.

STA - Collection - NIDS alert detected - Attempted Information Leak

This alert indicates an ongoing security event where there are deliberate attempts to disclose sensitive or confidential information. This classification suggests that an unauthorized entity or malware is actively trying to access and exfiltrate valuable data from the system or network. It is critical to respond promptly and implement appropriate measures to prevent unauthorized disclosure and protect the integrity of sensitive information.

STA - Collection - NIDS alert detected - Attempted Administrator Privilege Gain

This alert indicates that an unauthorized entity or malware is making deliberate attempts to acquire administrative privileges. This classification signifies the attacker's objective of gaining higher access rights, enabling them to execute unauthorized actions or take control of critical system components.

STA - Collection - NIDS alert detected - Attempted Denial of Service

This alert indicates an ongoing security event where there are active attempts to disrupt or impair the availability of a system or network. This classification signifies that an attacker is deliberately targeting the resources or services, aiming to overwhelm them and render them inaccessible to legitimate users. Detecting and responding to this alert promptly is crucial to preserve the continuity and reliability of the system or network.

STA - Exfiltration - New Connection to AS number

An autonomous system (AS) number is a globally unique identifier that allows its autonomous system to exchange routing information with other systems. This alert will fire whenever a public IP belonging to an AS number connects to a destination AS number that has not been seen as a destination AS number in the past three months. If this alert fires, it is recommended to analyze the connections to the detected AS number using Zeek's conn logs and/or Suricata's flow logs and related logs, to understand what type of connections were observed, what types of data were transferred, in which direction and by which service, and then to contact the relevant service owners to determine whether this connection is expected.

STA - Initial Access - New Connection from AS number

An autonomous system (AS) number is a globally unique identifier that allows its autonomous system to exchange routing information with other systems. This alert will fire whenever a public IP belonging to an AS number connects from a source AS number that has not been seen as a source AS number in the past three months. If this alert fires, it is recommended to analyze the connections from the detected AS number using Zeek's conn logs and/or Suricata's flow logs and related logs, to understand what type of connections were observed, what types of data were transferred, in which direction and by which service, and then to contact the relevant service owners to determine whether this connection is expected.

STA - Health Status - The instance is using more than 95% CPU for more than 30 minutes

STA - Health Status - The Instance is using more than 95% of its root disk space for more than 30 minutes

STA - Health Status - The instance is using more than 95% memory for more than 30 minutes

STA - Health Status - The instance is using more than 95% of its metrics disk space for more than 30 minutes

STA - Health Status - Data sent to Coralogix is less than 100 events in 1 hr

STA - Health Status - Data sent to Coralogix is less than 100 zeek_conn events in 1 hr

STA - Health Status - Seeing less than 1 mirrored instances

STA - Health Status - Seeing less than 5 unique IPs in 1 hr

STA Flow Alert - Resource Development - Access to a Baby Suspicious Domain Was Detected

Domains that are "younger" than three months are often used in attack campaigns. If this alert fires, it is recommended to inspect the data that was sent to that domain, as well as the processes and files involved in the connection to it, to better understand the purpose for which the domain was contacted.

STA Flow Alert - Credential Access - Unusual Number of Failed RFB Login Attempts From Blacklisted IP

RFB (Remote Frame Buffer) is a simple, open protocol for remote access to graphical user interfaces. It is used for remote access to computers running any windowing operating system, and it also supports file transfer and other advanced features. This alert will fire if the number of failed RFB authentications is exceptionally high for the current time period. If this alert fires, it is recommended to investigate the RFB clients that appeared during the alerted time frame, to understand the sudden surge in failed RFB authentications and to find the process involved.

STA Flow Alert - Reconnaissance - Zeek Notice Detected From Suspicious IP

This alert will fire whenever Zeek detects an issue. The correct course of action will vary depending on the event details. See more here: https://docs.zeek.org/en/master/frameworks/notice.html

STA Flow Alert - Reconnaissance - Zeek Notice Detected to Suspicious IP

This alert will fire whenever Zeek detects an issue. The correct course of action will vary depending on the event details. See more here: https://docs.zeek.org/en/master/frameworks/notice.html

STA Flow Alert - C2 Connectivity - Too Many Unique Dns Queries Per Domain Name Combined with Unusual High Volume of DNS Requests Returned NXDOMAIN

Malicious tools often use domain names as Command & Control (C2) communication channels by encoding commands as Base64 strings prepended to attacker-controlled domains, forcing DNS servers to forward the requests and return command responses. This behavior leads to a high number of unique DNS queries for the manipulated domain. Similarly, a high volume of NXDOMAIN responses from DNS servers often indicates Domain Generation Algorithm (DGA) activity associated with malware. Investigate the source hosts, processes, and files attempting to connect to domains that trigger NXDOMAIN responses to identify potential malicious activity. When these alerts trigger, inspect the transmitted data to assess its nature and intent, especially for domains under organizational control. Exclude legitimate internal domains to reduce false positives and focus on actionable threats. For further information on DGAs and on monitoring DNS traffic for potential threats, see https://en.wikipedia.org/wiki/Domain_generation_algorithm and https://beta.darkreading.com/attacks-breaches/monitor-dns-traffic-you-just-might-catch-a-rat. Understanding and responding promptly to these indicators of potential malware activity is crucial for maintaining network security and preventing unauthorized access or data exfiltration.
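The two indicators described above, as an added example that is not Coralogix's or Snowbit's own alert logic: it counts distinct query names under each registered domain and NXDOMAIN answers per source host over constructed Zeek dns.log records in JSON format. The fixed thresholds, the two-label approximation of a registered domain and the internal-domain exclusion list are assumptions.

```python
"""Triage Zeek dns.log records for the two DGA/C2 indicators described above."""
import json
from collections import defaultdict

# Assumed static thresholds; the STA alert uses a dynamic baseline instead.
UNIQUE_QUERY_THRESHOLD = 5
NXDOMAIN_THRESHOLD = 3

# Assumed organization-controlled zones, excluded as the alert text recommends.
INTERNAL_DOMAINS = {"corp.example"}

# Constructed Zeek dns.log lines (JSON writer format); not real traffic.
# 10.0.1.20 pushes Base64-looking labels under one domain, 10.0.1.21 resolves
# DGA-style names that do not exist, 10.0.1.22 is ordinary internal activity.
SAMPLE_DNS_LOG = """\
{"ts":1700000001.1,"uid":"D1","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"aGVsbG8.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000002.2,"uid":"D2","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"d2hvYW1p.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000003.3,"uid":"D3","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"aXBjb25maWc.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000004.4,"uid":"D4","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"bmV0c3RhdA.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000005.5,"uid":"D5","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"dGFza2xpc3Q.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000006.6,"uid":"D6","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"c3lzdGVtaW5mbw.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000007.7,"uid":"D7","id.orig_h":"10.0.1.20","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"aGVsbG8.evil-c2.test","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000010.0,"uid":"D8","id.orig_h":"10.0.1.21","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"kq3zx9vb.dga-one.test","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000011.0,"uid":"D9","id.orig_h":"10.0.1.21","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"wp8rtq2m.dga-two.test","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000012.0,"uid":"D10","id.orig_h":"10.0.1.21","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"zz71hk4c.dga-three.test","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000013.0,"uid":"D11","id.orig_h":"10.0.1.21","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"m2n9qx0d.dga-four.test","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000020.0,"uid":"D12","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"host1.corp.example","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000021.0,"uid":"D13","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"host2.corp.example","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000022.0,"uid":"D14","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"host3.corp.example","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000023.0,"uid":"D15","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"host4.corp.example","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000024.0,"uid":"D16","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"host5.corp.example","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000030.0,"uid":"D17","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"old-printer.corp.example","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000031.0,"uid":"D18","id.orig_h":"10.0.1.22","id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
"""


def parse_dns_log(text):
    """Parse Zeek JSON dns.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def registered_domain(qname):
    """Approximate the registered domain with the last two labels.
    (A production rule would consult the Public Suffix List instead.)"""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def unique_queries_per_domain(records):
    """Map registered domain -> number of distinct query names seen under it,
    ignoring organization-controlled zones (the false-positive exclusion)."""
    names = defaultdict(set)
    for r in records:
        q = r.get("query")
        if not q:
            continue
        base = registered_domain(q)
        if base in INTERNAL_DOMAINS:
            continue
        names[base].add(q.lower())
    return {domain: len(seen) for domain, seen in names.items()}


def nxdomain_per_source(records):
    """Map source host -> number of its queries that were answered NXDOMAIN."""
    counts = defaultdict(int)
    for r in records:
        if r.get("rcode_name") == "NXDOMAIN":
            counts[r["id.orig_h"]] += 1
    return dict(counts)


def triage(records):
    """Return the findings the two alerts above would raise on these records."""
    findings = []
    for domain, n in unique_queries_per_domain(records).items():
        if n >= UNIQUE_QUERY_THRESHOLD:
            findings.append(("too_many_unique_queries", domain, n))
    for host, n in nxdomain_per_source(records).items():
        if n >= NXDOMAIN_THRESHOLD:
            findings.append(("nxdomain_surge", host, n))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

Without the INTERNAL_DOMAINS exclusion, corp.example would also cross the unique-query threshold, which is exactly the false positive the text asks you to remove.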

STA Flow Alert - C2 Connectivity - Too Many Unique Dns Queries Per Suspicious Domain Name

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. This alert will fire whenever a domain that, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended that the detected domains be investigated, first by resolving them to an IP and/or aliases with a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and the access was an HTTP/S request, it is recommended to try to unshorten the URL with a service such as https://unshorten.it/, or to capture the relevant website as an image with a service such as https://cloudconvert.com/website-png-screenshot, to understand whether the website is a phishing attempt. Another option is to check the URL on a service such as VirusTotal to detect known malware distributed by the website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect its binary or code to better understand what it was designed to do.

STA Flow Alert - C2 Connectivity - Connection to Suspicious Domain Name to Blacklisted IP

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. This alert will fire whenever a domain that, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended that the detected domains be investigated, first by resolving them to an IP and/or aliases with a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and the access was an HTTP/S request, it is recommended to try to unshorten the URL with a service such as https://unshorten.it/, or to capture the relevant website as an image with a service such as https://cloudconvert.com/website-png-screenshot, to understand whether the website is a phishing attempt. Another option is to check the URL on a service such as VirusTotal to detect known malware distributed by the website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect its binary or code to better understand what it was designed to do.

STA Flow Alert - C2 Connectivity - Connection to Suspicious Domain Name Combined Unusual DNS Requests Returned NXDOMAIN

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. This alert will fire whenever a domain that, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended that the detected domains be investigated, first by resolving them to an IP and/or aliases with a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and the access was an HTTP/S request, it is recommended to try to unshorten the URL with a service such as https://unshorten.it/, or to capture the relevant website as an image with a service such as https://cloudconvert.com/website-png-screenshot, to understand whether the website is a phishing attempt. Another option is to check the URL on a service such as VirusTotal to detect known malware distributed by the website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect its binary or code to better understand what it was designed to do.

STA Flow Alert - C2 Connectivity - Connection to Suspicious Site with a Suspicious Certificate Issuer

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. Some types of malware use an encrypted connection (HTTPS) for that communication, which forces them to present a certificate. This alert will fire whenever a domain whose certificate issuer, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended to inspect the relevant domain by first reviewing the certificate in question and determining whether it was presented by the service itself or by some device on behalf of the target website (this can be tested from an out-of-band device such as a mobile phone connected to the cellular network).

STA Flow Alert - Lateral Movement - Multiple SSH Connections by the Same Client to Same Server Combined with Unusual Number of MySQL Login Attempts

This alert will fire when a client made more than 10 SSH authentication attempts to the same SSH server. If this alert fires it is recommended to inspect the client computer to make sure that all connections were made by a person trying to connect to the organization's SSH server.

STA Flow Alert - Lateral Movement - Multiple SSH Connections by the Same Client to Same Server From Blacklisted IP

This alert will fire when a client made more than 10 SSH authentication attempts to the same SSH server. If this alert fires it is recommended to inspect the client computer to make sure that all connections were made by a person trying to connect to the organization's SSH server.

STA Flow Alert - DNS Exfiltration/C2 Connectivity - DNS Activity on TCP Detected and Unusual Reconnaissance Activity

DNS requests should always be transmitted over UDP. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can indicate malicious activity. If this alert fires, it is recommended to inspect the data that was transmitted or received in those DNS calls over TCP. It is also recommended to inspect the processes and machines involved in those queries, using audit logs from those machines.

STA Flow Alert - C2 Connectivity - Unusual TOR Activity

Connection attempts from TOR network (https://en.wikipedia.org/wiki/Tor_(network)) nodes to publicly accessible servers are unfortunately common. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs involved (which connections from/to the organization involved them, what data was received from or sent to them) and, if possible, to block them at the gateway for several hours (because IPs can change if they are DHCP-based or behind NAT).

STA - Building Block - Discovery - Unusual Connections Rate to Blacklisted IPs

Connection attempts from blacklisted IPs to publicly accessible servers are unfortunately common. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs and, if possible, to block them at the gateway for several hours (because IPs can change if they are DHCP-based or behind NAT).

STA Flow Alert - C2 Connectivity - Connection to Suspicious Domain Name Combined with DNS on TCP

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. This alert will fire whenever a domain that, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended that the detected domains be investigated, first by resolving them to an IP and/or aliases with a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and the access was an HTTP/S request, it is recommended to try to unshorten the URL with a service such as https://unshorten.it/, or to capture the relevant website as an image with a service such as https://cloudconvert.com/website-png-screenshot, to understand whether the website is a phishing attempt. Another option is to check the URL on a service such as VirusTotal to detect known malware distributed by the website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect its binary or code to better understand what it was designed to do.

STA - Building Block - C2 Connectivity - Connection to Suspicious Domain Name

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name, which changes rapidly to make it harder to detect and block. This alert will fire whenever a domain that, based on an automated NLP analysis, looks computer generated is accessed. If this alert fires, it is recommended that the detected domains be investigated, first by resolving them to an IP and/or aliases with a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain name and the access was an HTTP/S request, it is recommended to try to unshorten the URL with a service such as https://unshorten.it/, or to capture the relevant website as an image with a service such as https://cloudconvert.com/website-png-screenshot, to understand whether the website is a phishing attempt. Another option is to check the URL on a service such as VirusTotal to detect known malware distributed by the website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect its binary or code to better understand what it was designed to do.

STA Flow Alert - DNS Exfiltration/C2 Connectivity - DNS Activity on TCP Detected to Blacklist IP

DNS requests should always be transmitted over UDP. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can indicate malicious activity. If this alert fires, it is recommended to inspect the data that was transmitted or received in those DNS calls over TCP. It is also recommended to inspect the processes and machines involved in those queries, using audit logs from those machines.

STA - Discovery - Unusual Connections Rate From Blacklisted IPs (Based on Logs)

Connection attempts from blacklisted IPs to publicly accessible servers are unfortunately common. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended to inspect the IPs and, if possible, to block them at the gateway for several hours (because IPs can change if they are DHCP-based or behind NAT).

STA - Discovery - Request for Public IP Echo Services Detected

Many types of malicious tools will try to find where the attacked computer is geographically located; to do that, they will try to obtain its public IP, often by using one of the services mentioned below. If this alert fires, it is recommended to inspect the processes and machines that attempted to connect to these services, using audit logs as well as Zeek conn and Suricata flow logs and possibly the actual packets, to understand which data was sent or received by the processes that attempted to obtain the computer's public IP through these services.

STA Insight - Building Block - Resource Development - Access to a Baby Domain Was Detected

Domains that are "younger" than three months are often used in attack campaigns. If this alert fires, it is recommended to inspect the data that was sent to that domain, as well as the processes and files involved in the connection to it, to better understand the purpose for which the domain was contacted.

STA Insight - Building Block - Lateral Movement - Unrecognized Software Type

This alert will fire when potentially disallowed software has been detected in your organization. It is recommended that the list below be periodically updated with all, and only, the software types permitted in the organization. If this alert fires, it is recommended either to add the detected software type to the list, if it is permitted, or to investigate the relevant Zeek PE/Files logs together with audit logs from the hosts that used the software in question, to understand how and when the software was installed, what it was designed to do, and what types of data were sent to or received from the network.

STA Flow Alert - Collection - Outbound Connection From a DB Server

Database servers hold sensitive data that must be kept safe and out of reach of all outsiders unless they have permission to access it. A connection from a database server (a host that recently responded on ports 5432/1433/9200/3306) to a destination outside the organization is suspicious activity, and this alert will fire when one is observed.
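The two-stage rule described above, as an added example that is not Coralogix's or Snowbit's own alert logic: it replays constructed Zeek conn.log records (JSON format), remembers which internal hosts recently answered on one of the listed database ports, and flags any later connection those hosts initiate to an external address. The internal address ranges, the 24-hour look-back and the conn_state filter that ignores unanswered probes are assumptions.

```python
"""Detect outbound connections from hosts that recently acted as database servers."""
import ipaddress
import json

# Ports on which a responder counts as a database server (from the alert text).
DB_PORTS = {5432, 1433, 9200, 3306}

# Assumed internal address space; a deployment would take this from configuration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed look-back: a host is treated as a DB server if it answered on a DB port
# within this many seconds before the outbound connection.
LOOKBACK_SECONDS = 24 * 3600

# Zeek conn_state values in which the responder never answered (e.g. a port scan
# hitting a closed port); these must not make a host count as a database server.
NO_RESPONSE_STATES = {"S0", "REJ", "RSTOS0"}

# Constructed Zeek conn.log lines (JSON writer format); not real traffic.
# C1 makes 10.0.2.10 a DB server; C3 is its egress.  C4 is a plain client going
# out.  C5/C6: 10.0.2.11 served MySQL but its egress is outside the look-back.
# C7/C8: 10.0.2.12 was only probed on 1433 (REJ), so its egress is not flagged.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.0,"uid":"C1","id.orig_h":"10.0.1.50","id.orig_p":51000,"id.resp_h":"10.0.2.10","id.resp_p":5432,"proto":"tcp","conn_state":"SF"}
{"ts":1700000600.0,"uid":"C2","id.orig_h":"10.0.2.10","id.orig_p":40000,"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","conn_state":"SF"}
{"ts":1700001200.0,"uid":"C3","id.orig_h":"10.0.2.10","id.orig_p":40001,"id.resp_h":"203.0.113.77","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700001800.0,"uid":"C4","id.orig_h":"10.0.1.50","id.orig_p":51001,"id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700002400.0,"uid":"C5","id.orig_h":"10.0.1.51","id.orig_p":52000,"id.resp_h":"10.0.2.11","id.resp_p":3306,"proto":"tcp","conn_state":"SF"}
{"ts":1700200000.0,"uid":"C6","id.orig_h":"10.0.2.11","id.orig_p":40002,"id.resp_h":"203.0.113.78","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700003000.0,"uid":"C7","id.orig_h":"10.0.1.99","id.orig_p":60000,"id.resp_h":"10.0.2.12","id.resp_p":1433,"proto":"tcp","conn_state":"REJ"}
{"ts":1700003600.0,"uid":"C8","id.orig_h":"10.0.2.12","id.orig_p":40003,"id.resp_h":"203.0.113.79","id.resp_p":80,"proto":"tcp","conn_state":"SF"}
"""


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_db_server_egress(records):
    """Return (ts, db_host, dest_ip, dest_port) for every connection an internal
    host initiated to an external address within LOOKBACK_SECONDS of having
    answered on a database port."""
    last_db_response = {}  # internal host -> ts of its most recent DB-port answer
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        ts, orig, resp = r["ts"], r["id.orig_h"], r["id.resp_h"]
        # Stage 1: remember when each internal host last served a DB port.
        if (r["id.resp_p"] in DB_PORTS and is_internal(resp)
                and r.get("conn_state") not in NO_RESPONSE_STATES):
            last_db_response[resp] = ts
        # Stage 2: flag egress from a host that recently acted as a DB server.
        seen = last_db_response.get(orig)
        if (seen is not None and ts - seen <= LOOKBACK_SECONDS
                and not is_internal(resp)):
            findings.append((ts, orig, resp, r["id.resp_p"]))
    return findings


if __name__ == "__main__":
    for finding in find_db_server_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print("DB server egress:", finding)
```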

STA Flow Alert - Reconnaissance - Protocol Anomaly & Reconnaissance

This alert is activated when both non-standard protocol usage and unusual reconnaissance activity are detected within the same timeframe. The first part, "STA - Collection - NIDS Alert Detected - Detection of a Non-Standard Protocol," identifies activities involving atypical protocols that may be used to bypass typical security measures or exploit specific vulnerabilities. Concurrently, "Reconnaissance - Unusual Reconnaissance Activity Detected" marks an increase in reconnaissance efforts, indicating a heightened risk of upcoming targeted attacks or system probing. This alert emphasizes the need for heightened vigilance and rapid response during periods when these two anomalies arise simultaneously, pointing to a possible escalation in threat level across the network.

STA Flow Alert - Reconnaissance - A Traffic Matched a Zeek Signature From Suspected IP

This alert will fire if traffic seen by Zeek matched a Zeek script's signature and originated from a suspected IP.

STA Flow Alert - Impact - Trojan & SNMP Anomaly

This alert is triggered when two distinct security events linked by the same source IP occur within a short time window. The first event is the detection of a network Trojan, identified by "STA - Collection - NIDS Alert Detected - A Network Trojan Was Detected." This malware is sophisticated, capable of masquerading as legitimate traffic to facilitate unauthorized access and control of systems, which can lead to data manipulation or escalation of attacks within the network. The second event involves an abnormal spike in SNMP set requests, as indicated by "STA - Impact - Unusual Number of SNMP Set Requests." Such spikes are often exploited in DDoS attacks or for executing XSS and SQL injection attacks, threatening network integrity and data security. The temporal proximity and the shared source IP indicate a coordinated attack strategy, demanding immediate investigation and a targeted response to prevent widespread network compromise and data loss.

STA Flow Alert - Collection - Trojan & MySQL Intrusion

This alert is configured to trigger when two significant and related security threats are detected within a specific timeframe. The first alert, "STA - Collection - NIDS Alert Detected - A Network Trojan Was Detected," indicates the presence of a network Trojan identified by Suricata. This type of malware is designed to disguise itself as legitimate network traffic, facilitating unauthorized access and control over compromised systems, potentially leading to data exfiltration or further internal attacks. The second alert, "STA - Credential Access - Unusual Number of MySQL Login Attempts," signals a potential breach attempt targeting the MySQL database, which often contains critical and sensitive organizational data. An unusually high number of login attempts can indicate a brute-force attack or an attempt to exploit database vulnerabilities. Together, these alerts highlight a coordinated attack aiming both at network infiltration and data breach attempts, necessitating immediate and comprehensive security measures to investigate and mitigate the threats.

STA Flow Alert - Collection - Network Trojan & RFB Breach

This alert is configured to trigger when two distinct but potentially related security events occur. The first part of the alert sequence concerns a network Trojan detected by Suricata, which camouflages itself within legitimate network traffic. This malware enables unauthorized access, remote control of compromised systems, data exfiltration, and facilitation of further internal attacks, representing a significant threat to network security. Following closely, the alert for "STA - Credential Access - Unusual Number of Failed RFB Login Attempts" suggests an aggressive attempt to access systems via the RFB protocol, commonly used for remote graphical interface access. An abnormal increase in failed login attempts could indicate a brute-force attack or other unauthorized access attempts. This alert implies that the detected network Trojan could be part of a broader strategy to gain remote access and control over critical systems. Immediate investigation into both the source and nature of these alerts is crucial to thwart ongoing attacks and prevent potential data breaches or system compromises.

STA Flow Alert - Collection - Detection of a Network Scan & RFB Breach Attempt

The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation. When the alert is fired, it is recommended to immediately isolate the affected network segments to prevent further unauthorized access attempts. Conduct a thorough analysis of the network logs related to the RFB and scan activities to identify the source and method of the attacks. Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.

STA Flow Alert - Reconnaissance - Suspicious Traffic & Reconnaissance Activity

This alert is specifically designed to identify potential threats when two related security incidents, originating from the same source IP, occur within a short time window. The initial alert, "NIDS Alert Detected - Potentially Bad Traffic," indicates the presence of network traffic that exhibits characteristics typical of malicious or unwanted behavior, such as malware communication or unauthorized data attempts. Following this, the second alert, "STA - Reconnaissance - Zeek Notice Detected," confirms reconnaissance activities detected by Zeek, which may involve scanning for vulnerabilities or probing network defenses. The combination of these alerts, coupled with their temporal proximity and common source IP, highlights a coordinated attempt to explore and possibly exploit network vulnerabilities. Immediate, focused investigation and response are crucial to mitigate any emerging threats and secure network integrity.

STA Flow Alert - Collection - Network Intrusion & Database Threat

This alert is triggered when two related security events are detected simultaneously from the same source IP within a short time window. The first event involves detection of potentially bad traffic, as identified by "STA - Collection - NIDS Alert Detected - Potentially Bad Traffic," which indicates suspicious network activity that could signal the onset of an attack. This includes traffic patterns commonly associated with malicious behavior such as scanning, probing, or preliminary exploitation attempts. The second event, "STA - Credential Access - Unusual Number of MySQL Login Attempts," highlights an abnormal surge in login attempts to a MySQL database system, potentially signifying an attempt to exploit discovered vulnerabilities or perform a brute-force attack. Such databases often contain critical and sensitive information, making them a prime target for attackers. This flow alert suggests a comprehensive and coordinated attack is underway, combining network manipulation with direct attempts to access valuable data. Immediate investigation and response are imperative to mitigate potential threats and safeguard the integrity and security of the network and its critical databases.

STA Flow Alert - Collection - Bad Traffic & Lateral Movement

This alert is activated when suspicious network activity and unusual lateral movement are detected simultaneously from the same source IP, suggesting a coordinated attack. The first component, "STA - Collection - NIDS Alert Detected - Potentially Bad Traffic," detects initial unauthorized or malicious activities that could range from scanning to preliminary data breaches. The second component, "STA Insight - Lateral Movement - More than 10 lateral connections in 10 minutes," signals rapid internal expansion within the network, often indicative of an attacker attempting to establish footholds or access sensitive information across multiple systems. This combined alert underscores an urgent, multifaceted security threat that requires immediate, comprehensive defensive actions to prevent widespread network compromise.

STA Flow Alert - Collection - NIDS Alert Detected - Detection of a Network Scan From Blacklisted IP

The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation. Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.

STA Flow Alert - Reconnaissance & Network Scan

This alert is triggered when both a network scan and unusual reconnaissance activities are detected concurrently within the same timeframe. This alert signals that an entity or automated system is not only probing the network infrastructure for vulnerabilities and open ports but is also engaging in heightened reconnaissance against publicly accessible servers. The simultaneous occurrence of these alerts suggests a sophisticated attempt to map out and exploit network weaknesses. Immediate and comprehensive security measures are necessary to investigate the scope of the probing and reconnaissance, block any identified malicious sources, and reinforce the network's defenses against further exploitation.

STA Flow Alert - Collection - Login Attempted & RFB Breach Attempt

This alert is triggered when there is simultaneous detection of an attempted login using a suspicious username and a surge in failed RFB login attempts within the same defined period. The first alert points to the use of a username that is either unconventional or linked to previous security incidents, hinting at a deliberate attempt to breach system security. Concurrently, the second alert of numerous failed RFB login attempts suggests an aggressive effort to gain remote access to the network's graphical user interfaces. This simultaneous occurrence of these alerts underlines a potential coordinated attack, necessitating immediate investigation to ascertain the source and intent of these attempts, and to implement enhanced security measures to prevent further unauthorized attempts.

STA Flow Alert - Collection - NIDS Alert Detected - A Client Was Using an Unusual Port From First Outbound Connection

This flow alert is triggered when a client initiates an outbound connection using an atypical port, signaling the first such connection detected outside the organization per AWS name tag. The use of an unusual port may indicate an attempt to circumvent standard network monitoring or exploit security vulnerabilities, while the outbound nature of the connection suggests potential data exfiltration or unauthorized external communication. This alert combination serves as a critical early warning for possible security breaches, where the atypical port usage combined with the outbound communication raises the alert's severity and prompts immediate investigation and remediation efforts to prevent potential data loss or system compromise.

STA Flow Alert - Collection - Admin Intrusion & Trojan Detection

This classification indicates the identification of a malicious program or code specifically designed to infiltrate a network and perform unauthorized activities. This alert suggests that Suricata has detected the presence of a network Trojan, which is a type of malware that disguises itself as legitimate network traffic or software. Network Trojans are often used by attackers to gain unauthorized access, control compromised systems remotely, exfiltrate sensitive data, or launch further attacks within the network. Detecting a network Trojan is crucial as it reveals the presence of a significant security threat that requires immediate investigation and mitigation.

STA Flow Alert - Unrecognized Software and Public IP Echo Service Requests

This alert combines detections of potentially disallowed software and attempts to access public IP echo services, which are often used by malicious tools for geolocation purposes. When triggered, it signifies anomalous behavior that requires investigation. Analysts should review the list of permitted software types regularly to ensure accuracy. Upon alert activation, inspect Zeek PE/Files logs and host audit logs to understand software installation details and network interactions. Additionally, investigate processes and machines attempting to access public IP echo services using audit logs, Zeek conn logs, Suricata flow logs, and packet captures to analyze data exchanges and potential security risks associated with these activities. Grouping events by source IP addresses aids in identifying and responding to suspicious network behavior effectively.

STA Flow Alert - Lateral Movement - Unrecognized Software Type

This alert will fire when potentially disallowed software has been detected in your organization. It is recommended that the list below be periodically updated with all, and only, the software types permitted in the organization. If this alert fires, it is recommended either to add the detected software type to the list if it is permitted, or to investigate the relevant Zeek PE/Files logs together with the audit logs from the hosts that used the software in question, in order to understand how and when this software was installed, what it was designed to do, and what types of data were sent to or received from the network.

STA Flow Alert - C2 Connectivity - Connection to Suspicious Domain Name

Many types of malicious tools will attempt to connect to their operator through a Command and Control server that is reachable via a computer-generated domain name which changes rapidly to make it harder to detect and block. This alert will fire whenever access is detected to a domain that, based on an automated NLP analysis, looks like it was computer generated. If this alert fires, it is recommended to investigate the detected domain first by resolving it to an IP and/or its aliases using a tool such as dig (https://en.wikipedia.org/wiki/Dig_(command)). If the results point to an unknown domain and the access was an HTTP/S request, it is recommended to try to unshorten the URL using a service such as https://unshorten.it/, or to capture the relevant website as an image using a service such as https://cloudconvert.com/website-png-screenshot, to understand whether this website is a phishing attempt. Another option is to test the URL in a website such as VirusTotal to detect known malware being served by that website. If it is a DNS request without a following HTTP/S request, it is recommended to trace the process on the machine that made the request and inspect the process binary or code to better understand what it was designed to do.

STA Flow Alert - Resource Development - Access to a Baby Domain Was Detected

Domains that are "younger" than three months are often used in attack campaigns. If this alert has fired, it is recommended to inspect the data that was sent to that domain, as well as the processes and files involved in the connection, to better understand the purpose for which the domain was contacted.

STA Flow Alert - Collection - Scan & SNMP Manipulation

This alert is designed to trigger when suspicious network scanning activity coincides with an unusual volume of SNMP set requests within the same timeframe. The first component, "STA - Collection - NIDS Alert Detected - Detection of a Network Scan" identifies attempts to probe the network, possibly seeking vulnerabilities or open ports which could be exploited. Simultaneously, the second alert, "Impact - Unusual Number of SNMP Set Requests," indicates abnormal SNMP activity, which may be an attempt to change device configurations maliciously or as part of a DDoS attack strategy. This combined alert suggests a sophisticated and potentially harmful attempt to both discover and exploit network weaknesses, necessitating immediate and thorough investigations to secure the network against these dual threats.

Documentation

Learn more about Coralogix's out-of-the-box integration with Snowbit STA in our documentation.
