
CSE Built-In Rules

See a list and descriptions of CSE's built-in rules.

This page lists the CSE Built-In Rules along with each rule's name and a detailed description.

AWS - CloudTrail Failed Logon Spike (user)

Multiple failed logins were detected from the same IAM user within a short period of time. It is important to note that AWS CloudTrail does not log failed authentications for the root account user.

AWS CloudTrail - IAM policy Change

Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact.

AWS CloudTrail - Key Disabled or Deleted

Data encrypted with disabled or deleted keys will no longer be accessible.

AWS CloudTrail - Root Authentication Activity (IP)

This rule looks for AWS Root user login events by IP.

AWS CloudTrail - Unauthorized API calls (IP)

An IAM account sent multiple requests to perform a large number of distinct AWS actions in a short time frame while receiving the error code AccessDenied. This could indicate an account attempting to enumerate its access across the AWS account.

AWS CloudTrail - Unauthorized API calls (user)

An IAM account sent multiple requests to perform a large number of distinct AWS actions in a short time frame while receiving the error code AccessDenied. This could indicate an account attempting to enumerate its access across the AWS account.

AWS ConsoleLogin - No MFA (IP)

AWS ConsoleLogin - No MFA (user)

AWS GuardDuty Alerts - EC2

AWS GuardDuty Alerts - IAM

Active Directory Password Spray Attack

A high number of failed login attempts with a bad-password sub-status within a 5-minute window from a single endpoint.

Administrator Login via RDP

This rule looks for successful logins over RDP for administrator accounts.

AlphaSOC NFR

Amazon VPC - Network Scan

Attackers will often perform reconnaissance against customer environments to better understand the resources on the network. While doing so they are usually blocked by firewall rules. This rule looks for network traffic from a single source IP address that was rejected by AWS security groups to at least 10 different destination IP addresses within a 5-minute window.

Amazon VPC - Port Scan

Attackers will often perform reconnaissance against customer environments to better understand the resources on the network. While doing so they are usually blocked by firewall rules. This rule looks for network traffic from a single source IP address that was rejected by AWS security groups to at least 10 different destination IP addresses within a 5-minute window.

AutoIT User Agent

AutoIT is automation software that is sometimes used for malware command and control.

Base32 in DNS Query

By using base32, binary and text data can be encoded in a way that is fully compliant with DNS protocol specifications. Since standard base32 uses only the digits 2-7 and the letters a-z, entropy must be measured to distinguish it from normal text. The presence of long base32-encoded labels in a DNS query may indicate tunneling of information out of a network. Some security vendors and internet providers also use this technique to operate cloud infrastructure or to transport information through firewalled environments.

Bitsadmin to Uncommon TLD

Detects BITS connections to external domains with uncommon TLDs. Reference: https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/

Blocked Email Host

The originator's address is seen in the block list error message, which means an SMTP server sent a reply mentioning an SMTP block list. This is useful to detect local hosts sending SPAM with a high positive rate.

Blocked Email Message

An SMTP server sent a reply mentioning an SMTP block list.

Bluecoat Proxy - Suspicious DNS Query

This signal looks for DNS requests logged by your BlueCoat proxy server for domains that appear to be created by a Domain Generation Algorithm (DGA) or a domain associated with a dynamic DNS service.

Bluecoat Proxy - Suspicious or Malicious Categories

This rule triggers any time there is a Suspicious or Malicious Bluecoat category which could indicate there is a problem with the host making the connection. 

Browser Exploitation Framework (BeEF) Hook

The Browser Exploitation Framework (BeEF) is a penetration-testing tool focusing on web browsers. This rule looks for HTTP communication that includes the default BeEF cookie, which indicates a hooked browser.

Carbon Black Defense - High Threat Event (Hostname)

Carbon Black Defense - High Threat Event (IP)

Carbon Black Defense - High Threat Event (Username)

Carbon Black Defense - Low Threat Event (IP)

Carbon Black Defense - Low Threat Event (Username)

Carbon Black Defense - Medium Threat Event (Hostname)

Carbon Black Defense - Medium Threat Event (IP)

Carbon Black Defense - Medium Threat Event (Username)

Checkpoint Firewall

Cisco AMP - Templated Events (Hostname)

Cisco AMP - Templated Events (IP)

Cisco Firepower - Attack Alert

Cisco Firepower - IDS Attack Alert Diversity

5 or more diverse IDS attack signatures were observed within 5 minutes from a single source IP address. A single IP address producing diverse signature alerts within a short period of time is often a more interesting attack detection than a single alert.

Cisco Firepower - IDS Attack Alert Spike

A spike of 50 IDS attack alerts in 10 minutes from the same source IP entity was observed.

Cisco Firepower - IDS Response Alert Diversity

5 or more diverse IDS response signatures were observed within 5 minutes from a single destination IP address. A single IP address producing diverse signature alerts within a short period of time is often a more interesting attack detection than a single alert.

Cisco Firepower - IDS Response Alert Spike

A spike of 50 IDS attack alerts in 10 minutes from the same source IP entity was observed.

Cisco Firepower - Response Alert

Cisco Meraki Threat Events

Cisco Stealthwatch Template Alerts

Cisco Umbrella - DNS Request Category: Adware

Cisco Umbrella detected a DNS request to a domain categorized as Adware.

Cisco Umbrella - DNS Request Category: Command and Control

Cisco Umbrella detected a DNS request to a domain categorized as Command and Control.

Cisco Umbrella - DNS Request Category: Cryptomining

Cisco Umbrella detected a DNS request to a domain categorized as Cryptomining.

Cisco Umbrella - DNS Request Category: DNS Tunneling VPN

Cisco Umbrella detected a DNS request to a domain categorized as DNS Tunneling VPN.

Cisco Umbrella - DNS Request Category: Dynamic DNS

Cisco Umbrella detected a DNS request to a domain categorized as Dynamic DNS.

Cisco Umbrella - DNS Request Category: Hacking

Cisco Umbrella detected a DNS request to a domain categorized as Hacking.

Cisco Umbrella - DNS Request Category: Malware

Cisco Umbrella detected a DNS request to a domain categorized as Malware.

Cisco Umbrella - DNS Request Category: Newly Seen Domains

Cisco Umbrella detected a DNS request to a domain categorized as Newly Seen Domains. It can be unusual for a host to communicate with a new domain under normal operations, but malware authors who register domains specifically for malicious purposes will have hosts connect to them shortly after registration.

Cisco Umbrella - DNS Request Category: P2P/File sharing

Cisco Umbrella detected a DNS request to a domain categorized as P2P/File sharing.

Cisco Umbrella - DNS Request Category: Personal VPN

Cisco Umbrella detected a DNS request to a domain categorized as Personal VPN.

Cisco Umbrella - DNS Request Category: Phishing

Cisco Umbrella detected a DNS request to a domain categorized as Phishing.

Cisco Umbrella - DNS Request Category: Potentially Harmful

Cisco Umbrella detected a DNS request to a domain categorized as Potentially Harmful.

Cisco Umbrella - DNS Request Category: Proxy/Anonymizer

Cisco Umbrella detected a DNS request to a domain categorized as Proxy/Anonymizer.

Cisco Umbrella - Proxy Logs with Cisco AMP Detections

Cisco Umbrella proxy logs with a Cisco AMP disposition of malicious were detected.

Connection to High Entropy Domain

An HTTP connection was made to a high entropy domain name. Entropy is a measure of randomness; DGA domains used by malware (for example, g46mbrrzpfszonuk) often have high entropy.

CrowdStrike Threat Detection Alert

Crypto Miner HTTP User Agent

This signal looks for HTTP requests where the user agent matches common names associated with crypto miners. It is common for attackers to install crypto miners on compromised hosts to use your CPU resources for their profit.

Cylance Protect - Event Severity 1

Cylance Protect event with the severity between -0.199 and -0.001

Cylance Protect - Event Severity 2

Cylance Protect event with the severity between -0.299 and -0.200

Cylance Protect - Event Severity 3

Cylance Protect event with the severity between -0.399 and -0.300

Cylance Protect - Event Severity 4

Cylance Protect event with the severity between -0.499 and -0.400

Cylance Protect - Event Severity 5

Cylance Protect event with the severity between -0.599 and -0.500

Cylance Protect - Event Severity 6

Cylance Protect event with the severity between -0.699 and -0.600

Cylance Protect - Event Severity 7

Cylance Protect event with the severity between -0.799 and -0.700

Cylance Protect - Event Severity 8

Cylance Protect event with the severity between -0.899 and -0.800

Cylance Protect - Event Severity 9

Cylance Protect event with the severity between -1.000 and -0.900

DCE-RPC Service Control Call - Destination Match

The Remote Procedure Call (RPC) protocol allows remote administrative commands to be executed. Creating or deleting services, when combined with other signals, can be part of an attempt to expand influence inside a network using SMB and related protocols.

DCE-RPC Service Control Call - Source Match

The Remote Procedure Call (RPC) protocol allows remote administrative commands to be executed. Creating or deleting services, when combined with other signals, can be part of an attempt to expand influence inside a network using SMB and related protocols.

DCERPC - SAMR Enumeration of All Users

Microsoft provides a protocol called SAMR, which stands for Security Account Manager Remote Protocol. It is designed for developers to perform remote procedure calls (RPC) that interact with the account database for both local and remote Active Directory domains. It contains a method called SamrEnumerateUsersInDomain which returns a list of users in a domain. Attackers who have network access to the domain can use this method to enumerate a list of user accounts in Active Directory. This signal looks for an RPC connection using the SAMR protocol with the method SamrEnumerateUsersInDomain, signifying a request to enumerate user accounts over the network.

DNS DGA Lookup Behavior - NXDOMAIN Responses

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions. This technique is described in https://attack.mitre.org/techniques/T1483/.

DNS Lookup of High Entropy Domain

DNS lookup of a high entropy domain name, which may be indicative of a domain generation algorithm (DGA) related domain. This technique is described at https://attack.mitre.org/techniques/T1483/.

DNS query for dynamic DNS provider

Dynamic DNS providers are often abused to host malware control servers and other malicious content. https://attack.mitre.org/techniques/T1311/ and https://attack.mitre.org/techniques/T1333/ describe the use of this technique by attackers.

Directory Traversal - Successful

Directory traversal is an attempt by an attacker to access files located on the host which are not intended to be returned by the web server. For example, attackers seeking usernames/passwords for the host will focus on paths like ../../etc/passwd, ../../.

Directory Traversal - Unsuccessful

Directory traversal is an attempt by an attacker to access files located on the host which are not intended to be returned by the web server. For example, attackers seeking usernames/passwords for the host will focus on paths like ../../etc/passwd, ../../.

Disabled Account Logon Attempt

Detects a disabled account being used for a logon attempt in a Windows environment.

Domain Resolution in Non-Standard TLD

DNS resolution of a domain that is not under an ICANN-standard TLD. These TLDs are provided by alternate DNS root servers such as OpenNIC. Their use on corporate networks is fundamentally suspicious and potentially a sign of abuse by threat actors.

Doublepulsar scan - likely not infected

Doublepulsar scans to check if the host is already infected before attempting to install the backdoor. 

Duo Security - Excessive Authentication Failures From IP

An IP address was observed generating an excessive amount of authentication failures. This could indicate an attack or misconfigured system.

Duo Security - Multiple Authentication Failures From a User

A user account was observed generating an excessive amount of authentication failures. This could indicate an attack or misconfigured system.

Duo Security - Source IP Failing Authentication with Excessive Usernames

A source IP address was observed making excessive authentication failures using many different user accounts in a short period of time. This could indicate an attacker attempting a brute force attack.

Executable Downloaded - Content-Type Mismatch

This rule identifies scenarios where an attacker may have attempted to surreptitiously download an executable file by hiding it behind a different Content-Type, such as image/png. This technique has been observed in samples of Trickbot malware.

FTP Bruteforce Attempt

Multiple attempts to access an FTP server.

FireEye CMS - Malware Callback

FireEye detected a malware callback with the following details: {{fields['channel']}}

FireEye CMS - Riskware Callback

This rule detects CMS Riskware Callback events.

FireEye CMS Domain Matches

FireEye CMS IPS Response Events

FireEye Web Infection Alert

First Seen Access - SMB Share

Adversaries may access a networked system remotely using Server Message Block (SMB) to transfer files and run transferred binaries through remote execution. Although not malicious on its own, this first-seen access to a DISK share over SMB can be an indicator of lateral movement.

Fortinet Critical App-Risk

This signal fires when Fortinet identifies a critical risk application in use within the network. 

Fortinet High App-Risk

This signal fires when Fortinet detects a high risk application within the environment.

Fortinet IDS Alerts

G Suite - Account Warnings

G Suite - Multiple Failed Login For User

Google G Suite has detected multiple failed logins from a user within a short period of time.

G Suite - Multiple Failed Login From IP

Google G Suite has detected multiple failed logins from a single IP address within a short period of time.

G Suite - User Received Phishing Email

GitHub Raw URL Resource Request

Github.com is the most popular code repo site on the internet. Typically users of GitHub will look at the code from the Github.com website or clone it locally to their system. You can however request a raw version of an individual file directly. Attackers like to use GitHub as well to host their malicious code and will often download malicious files and scripts directly from the site which uses the domain raw.githubusercontent.com instead of github.com. This signal looks for HTTP requests to that raw domain to monitor individual file downloads from the site.

HTTP CloudFlare Protocol Violation or Empty Response

Error code 520 is used as a catch-all status when the origin server returns something that is unexpected, not tolerated, or not interpreted. This can include protocol violations and empty responses.

HTTP External Request to PowerShell Extension

Attackers will often download a PowerShell script from an external web server to help maintain persistence or to invoke additional functionality on Windows machines. It is not common for internal computers to download PowerShell scripts over HTTP from an external web server, but in some rare cases software such as anti-virus does perform this behavior.

HTTP Request to Domain in Non-Standard TLD

HTTP request to a domain that is not under an ICANN-standard TLD. These TLDs are provided by alternate DNS root servers such as OpenNIC. Their use on corporate networks is fundamentally suspicious and potentially a sign of abuse by threat actors.

HTTP Request to Possible DGA Domain

The CSE anomaly engine has determined that the observed domain may have been created using a domain generation algorithm (DGA).

HTTP Request with Single Header

HTTP requests typically have multiple headers. It is odd in some cases if the event only contains a single header. This produces a low severity signal when an HTTP event is observed containing only one header in the request.

HTTP Response Error Spike - External

HTTP web services provide response codes to client requests. Response codes in the 400s indicate a client-related error and response codes in the 500s represent server-related errors. This rule looks for a web client receiving a large number of web errors within a short period of time. It is unusual for a web client to cause this many errors in a short period of time. Common causes of this behavior are scanning/probing activity or scripted web clients that are now encountering errors due to a misconfiguration or recent change. This rule alerts when a host external to the monitored network triggers the threshold.

HTTP Response Error Spike - Internal

HTTP web services provide response codes to client requests. Response codes in the 400s indicate a client-related error and response codes in the 500s represent server-related errors. This rule looks for a web client receiving a large number of web errors within a short period of time. It is unusual for a web client to cause this many errors in a short period of time. Common causes of this behavior are scanning/probing activity or scripted web clients that are now encountering errors due to a misconfiguration or recent change. This rule alerts when a host internal to the monitored network triggers the threshold.

HTTP Shell Script Download Disguised as a Common Web File

Attackers who have compromised Unix/Linux machines will sometimes download additional payloads using clear text HTTP where a shell script is downloaded disguised with another file extension. This signal looks for HTTP requests to common web file extensions.

HTTP request for single character file name

Many threats are served from websites using lazy single-character filenames such as 1.exe. These nondescript file names are rare in legitimate content. This rule looks for requests to retrieve high-risk file extensions from such paths.

Hexadecimal User-Agent

User-Agent strings with hexadecimal values are often indicative of malware.

Hexadecimal in DNS Query Domain

Encoding in hexadecimal is a way that attackers can bypass network security devices that are inspecting traffic. While hexadecimal often appears in subdomains, it is much less frequent in domains.

High risk file extension download without hostname and referrer

Although executable and dynamic-link libraries (.exe, .dll) are regularly downloaded from the Internet, benign ones are normally downloaded with the hostname and referrer fields populated. Thus, downloads from an IP address without referrer carry an elevated risk.

Houdini/Iniduoh/njRAT User-Agent

User-Agent strings used by Houdini/Iniduoh/njRAT malware.

IP Address Scan - External

A scan of IP addresses

IP Address Scan - Internal

A scan of IP addresses

IRC traffic internal-to-external

IRC traffic is uncommon for business use in most organizations. IRC traffic that originates inside a network and is outbound to the internet is especially unusual and a common channel for command and control.

IRC traffic over non standard ports

IRC traffic is uncommon for business use in most organizations. IRC traffic that originates inside a network and is outbound to the internet is especially unusual and a common channel for command and control.

Internal Communication on Unassigned Low Ports - Destination Match

Many ports in the 0-1023 range are unassigned by IANA. These can be used as communication channels inside a network, as there are rarely legitimate services using these ports.

Likely doublepulsar Infected

Hosts infected with Doublepulsar typically exhibit this type of SMB behavior.

MS-LSAT Username Enumeration

The MS-LSAT Remote Protocol provides a number of RPC calls that can be used to map security principal SIDs to usernames. Attackers could use this technique to perform username enumeration and identify accounts on targeted systems.

McAfee Endpoint Security Alerts (Hostname)

McAfee Endpoint Security Alerts (Username)

McAfee Solidifier Deny Events (Hostname)

McAfee Solidifier Deny Events (IP Address)

McAfee Solidifier Deny Events (Username)

McAfee Web Gateway - Poor Reputation

Microsoft ATA Alerts (Target Hostname)

Mimecast - Message with Virus Detections from IP

Mimecast detected a message with one or more virus detections.

Mimecast - Message with Virus Detections to Recipient

Mimecast detected a message with one or more virus detections.

Mimecast - SPAM Message from IP

Mimecast detected an email message with an elevated SPAM score.

Mimecast - SPAM Message to Recipient

Mimecast detected an email message with an elevated SPAM score.

Mimecast - Targeted Threat Protection from IP

Mimecast's Targeted Threat Protection matched on an email message.

Mimecast - Targeted Threat Protection to Recipient

Mimecast's Targeted Threat Protection matched on an email message.

Noncompliant Protocol Tunnel Over Common Service Port

Tools or malware may be configured to send communications over a network by using a common service port to carry unrelated traffic. This is often done to bypass security controls or to obfuscate malicious traffic by mimicking a legitimate service. For example, this is often done with UDP based VPN tunnels connecting over port 53. https://attack.mitre.org/techniques/T1043/ describes the use of this technique by attackers.

O365 - Exchange DLP Policy Match

O365 - IP Failing Authentications with Multiple Usernames

An IP address has been observed failing multiple authentications in Office 365 while using many different usernames in a short period of time.

O365 - Multiple Failed Authentications (IP)

An IP address has generated multiple failed authentications sourced from Office 365.

O365 - Multiple Failed Authentications (User)

A user account has generated multiple failed authentications sourced from Office 365.

O365 - SecurityComplianceAlerts

O365 - SharePoint DLP Policy Match

O365 - Threat Intel ATP Detection

O365 - Threat Intel Email Match (IP)

O365 - Threat Intel Email Match (User)

O365 - Threat Intel URL Match (IP)

O365 - Threat Intel URL Match (User)

O365 - User attempted login from 2+ countries in 1 hour

O365 - User logged in from 2+ countries in 1 hour.

O365 - User successfully logged in from 2+ countries in 1 hour

Users successfully logged in from 2+ countries in an hour. 

O365 - Users Password Changed

O365 - Users Password Reset

Okta SSO - Source IP Authentication Failure Spike with Distinct Usernames

This signal looks for a spike in failed Okta authentications from the same source IP address trying multiple user accounts.

Okta SSO - User Failed Logons (Track IP)

An Okta user has failed multiple authentications in a short period of time.

Okta SSO - User Failed Logons (Track Username)

An Okta user has failed multiple authentications in a short period of time.

Okta SSO - User Login From Two Different Countries

This signal triggers when there are two successful logins from the same user with different country codes indicating possible credential theft. 

Outbound TFTP Traffic

TFTP is rarely used externally and has been observed as a means to deliver malicious code from the outside.

Outbound Traffic to Countries Outside the United States

Traffic was observed leaving your network destined for countries outside the United States within a time frame. This rule is shipped disabled by default, as it is intended for environments based in the United States with very tight network restriction policies.

Palo Alto - Traps Templated Events

Traffic was observed leaving your network destined for certain countries outside the United States within a given time frame. This rule is shipped disabled by default, as it is intended for environments based in the United States with very tight network restriction policies.

Palo Alto Correlation Event (IP)

Palo Alto Traps reported a {{fields['profile']}} event from the module {{fields['module_status_id']}}. Additional details include: {{fields['misc']}}

Palo Alto Correlation Event (User)

The Palo Alto device {{device_hostname}} detected '{{fields['object_id']}}' from the IP address {{srcDevice_ip}}

Palo Alto Failed Authentication - Multiple Attempts from the Same IP

A source IP address failed authentication multiple times within a short period of time.

Palo Alto Failed Authentication - Multiple Attempts from the User

A user account failed authentication multiple times within a short period of time.

Palo Alto Failed Authentication - Multiple Usernames Attempted

A source IP address attempted and failed to authenticate multiple times while providing multiple usernames. This can indicate a dictionary attack where the attacker is attempting to log in with a list of commonly known usernames and passwords.

Palo Alto Firewall Threat (IP)

A source IP address attempted and failed to authenticate multiple times while providing multiple usernames. This can indicate a dictionary attack where the attacker is attempting to log in with a list of commonly known usernames and passwords.

Palo Alto Firewall Threat (User)

A source IP address attempted and failed to authenticate multiple times while providing multiple usernames. This can indicate a dictionary attack where the attacker is attempting to log in with a list of commonly known usernames and passwords.

Pastebin Raw URL Resource Request

Attackers will often host malicious code on pastebin.com and attempt to download additional payloads from it if their initial attack is successful. They download the post using its raw URI. The malicious content hosted on pastebin.com is generally removed quickly and automatically, because the poster sets an expiry time.

Port Scan - External

External port scan. A host external to the monitored network was detected as showing behavior consistent with a scan for a port on multiple destination addresses in a short time.

Port Scan - Internal

Internal port scan. A host on the monitored network was detected as showing behavior consistent with a scan for a port on multiple destination addresses in a short time.

Possible Black Energy Command and Control

Black Energy is a botnet with HTTP based Command and Control communication.

Possible Credential Abuse

This signal logic is designed to catch repetitive attempts to call (and presumably authenticate via) the login pages of Drupal, WordPress, and Jira.

Possible DGA Domain

The CSE anomaly engine has determined that the observed domain may have been created using a domain generation algorithm (DGA).

Possible DNS Data Exfiltration

Some families of malware use data nested within the subdomain portion of a DNS query as a means of data exfiltration. This can be identified by looking for DNS queries where the full query is substantially longer than the top-level domain (for example, ooo.nu6tgnzvgm2tmmbzgq4a.rkgotw5.5z5i6fjnugmxfowy.beevish.com is substantially longer than beevish.com). This technique is described in https://attack.mitre.org/techniques/T1001/.

Possible DNS over TLS (DoT) Activity

This rule detects attempted or successful connections to the standard service port for DoT services. DNS over TLS (RFC 7858, DoT) is a name resolution service that allows clients to resolve DNS records over encrypted and validated connections. DoT operates over standards-compliant TLS and is specified to use port 853/tcp. In some environments this may be abused as a method to bypass security and policy controls. Some malicious actors leverage DoT to tunnel DNS traffic over TLS, and research has demonstrated that other DNS-related abuse, such as malware C2, can be carried out over DoT as well.

Possible TOR Connection

The subject and issuer of the SSL certificate match the pattern for certificates used by TOR connections.

Potential malicious JVM download

A document was downloaded and opened followed by a file download using a Java user-agent.

Potential malicious document executed

A document was downloaded and opened, followed shortly thereafter by an executable or DLL download.

Potentially vulnerable software detected

The software version has a known vulnerability.

PowerShell Remote Administration

Remote administration from PowerShell is logged by default in the admin$\temp folder. These commands should only be associated with IP addresses that are expected to carry out remote administration tasks.

PowerShell via SMB

PowerShell being accessed via SMB should never occur in a Windows environment, and indicates malicious activity.

Proofpoint TAP - IP Sent Email with Malware

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - IP Sent Email with Malware Link

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - IP Sent Email with Phishing Link

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - IP Sent Impostor Email

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - IP Sent Phishing Email

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - User Received Email with Malware

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - User Received Email with Phishing Link

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - User Received Impostor Email

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

Proofpoint TAP - User Received Phishing Email

PowerShell being accessed via SMB should never occur in a Windows environment and indicates malicious activity.

PsExec Admin Tool Detection

Detects PSEXESVC.EXE being written to a remote computer via SMB/CIFS. This is a service executable that is copied into place and started when a remote client connects to a host with PsExec.

RDP Brute Force - Success

Hydra and Ncrack are popular tools for attempting brute force attacks to access a targeted system. In this case, a brute force attempt against an RDP server has succeeded and the attacker has gained access to the targeted system.

RDP Brute Force Attempt

An attacker is making a brute force attempt to gain access to an RDP server.

RDP Error Messages

When setting up an RDP connection, a number of negotiation steps take place. If the connection is encrypted, not all of these can be analyzed. Errors can indicate an operational issue or potential exploitation of a vulnerability in the negotiation.

RDP external-to-internal

Access to Remote Desktop from the internet is not common and may represent an intrusion on the network.

RDP with non-standard client

While the product_id of the RDP client is not required, a missing one, or one that does not look like a client access license, can indicate an RDP attack using attack tooling (e.g., Ncrack, Hydra).

Request to Anomalous Web Server Software

Attackers often stage content during intrusions using external web infrastructure to host exploits, malware, and other tooling. In rare cases, attacker playbooks show the threat actor serving web files using SimpleHTTPServer, a lightweight built-in web server module shipped with Python. Clients connecting to servers implemented with SimpleHTTPServer are anomalous and may indicate an active attack.

Request to DNS over HTTPS (DoH) Service Provider

DNS over HTTPS (RFC 8484, DoH) is a web-based name resolution service that allows clients to resolve DNS records over web services. DoH operates over standards-compliant HTTPS and is therefore typically encrypted and validated TLS over port 443/tcp. In some environments, this may be abused as a method to bypass security and policy controls. Some malicious actors leverage DoH to tunnel DNS traffic over HTTPS, and research has demonstrated that other DNS-related abuse, such as malware C2, can be carried out over DoH as well.

SMB - Remote execution and/or persistence via scheduled task using ATSVC 

Remote execution and/or persistence via scheduled tasks using an ATSVC named pipe.

SMB Brute Force Attempt

This rule looks for failed SMB login attempts.

SMB External to Internal File Share Access

This signal identifies external sources connecting to file shares. Because of the vulnerabilities and inherent insecurity of SMB, this type of traffic should be prohibited.

SMB Internal to External traffic

SMB/CIFS is a workgroup protocol for file sharing intended to be used among trusted systems on an internal LAN. A number of risks are associated with internal systems connecting to untrusted external SMB servers, including exploit delivery, credential harvesting, and data exfiltration. SMB access should be limited to the enterprise network to prevent participation in unknown SMB related attacks. Limited exceptions may exist, such as file server access over extranet connections.

SMB Scanning Detected

This rule looks for a host scanning other SMB hosts for specific commands similar to WannaCry.

SMB write to hidden admin share

SMB is primarily used for remote file access across a network. SMB access to admin shares should be a rare occurrence, especially by a non-administrator account. Such access is often a part of an attack pivot once an attacker has compromised one machine.

SQL Injection Attacker

SQL Injection attempt detected.

SQL Injection Victim

Successful SQL Injection attack detected.

SQL-Select-From

Requests to web applications containing SQL statement keywords may indicate attempts to compromise the web application or access data in a backend database engine in an unauthorized manner. This technique is described at https://attack.mitre.org/techniques.

SSH Authentication Failures

Many SSH authentication failures from the same source IP in a short period of time can signal a brute-force attack.

SSH Interesting Hostname Login

"Interesting hostname" in this context includes those that start with dns, ns, smtp, mail, pop, imap, www, and ftp. Using SSH to hosts that appear to be purposed as servers corresponding to one of these hostnames is considered suspicious.

SSH Password Brute Force

SSH Password brute force attack detected.

SSH Password Brute Force Successful Login

SSH Login successful from a brute force password attack.

SSH to non-standard port

SSH connections to a non-standard port.

SSL Certificate Expired

A server responded on an SSL or TLS service using an expired certificate.

SSL Certificate Expires Soon

A server responded on an SSL or TLS service using a certificate that will expire soon.

SSL Certificate Not Valid Yet

A server responded on an SSL or TLS service using a certificate with a future-dated NotValidBefore attribute.

SSL Heartbleed Attack

SSL Heartbleed Attack detected.

SSL Heartbleed Attack Successful

SSL Heartbleed Attack Successful.

SSL Heartbleed Many Requests

Many heartbeat requests were observed without a reply. This might be an attack.

SSL Heartbleed Odd Length

SSL Heartbleed Odd Length

SSL Invalid Server Cert

A server responded on an SSL or TLS service using a certificate identified as invalid by the Network Sensor.

Script/CLI UserAgent string

This pattern discovers HTTP communications from an internal source where a development library or command-line client user-agent string was observed (e.g., Wget, cURL). Use of these techniques by attackers is described in https://attack.mitre.org/techniques/T1105/ and https://attack.mitre.org/techniques/T1064/.

Self-signed Certificates

A server responded on an SSL or TLS service using a self-signed certificate.

Server-Side Code Injection in URL

Attackers may use improper URL checking to inject code that is executed on a server. This may be used in DoS attacks or to execute commands to elevate privilege. The attack pattern is similar to Shellshock exploitation.

Shellshock

HTTP requests with headers indicating an attempt to exploit CVE-2014-6271 and related vulnerabilities in the Bash shell (the Bashdoor/Shellshock attack). This vulnerability is most often triggered in CGI scripts running on vulnerable versions of the shell.

Sophos Endpoint Not Protected

Sophos detected a condition indicating that endpoint protection is not activated.

Sophos HMPA Exploit Prevented

Sophos HMPA Exploit Prevented.

Sophos PUA Detected

Sophos detected a potentially unwanted application (PUA) on the endpoint.

Sophos SAV Disabled

Sophos real-time protection was disabled.

Sophos Service Not Running

One or more Sophos services are missing or not running.

Sophos Threat Detected

Sophos detected a medium severity threat on the endpoint.

Sophos Web Control Violation

Sophos blocked access to a website for an undisclosed reason.

Sophos Web Filtering - Blocked

Sophos blocked access to malicious web content.

Sumo Logic Scheduled Searches - Hostname

Sophos blocked access to malicious web content.

Sumo Logic Scheduled Searches - IP

Sophos blocked access to malicious web content.

Sumo Logic Scheduled Searches - Username

Sophos blocked access to malicious web content.

Suricata IDS Alerts (Attack Signatures)

Sophos blocked access to malicious web content.

Suricata IDS Alerts (Response Signatures)

Sophos blocked access to malicious web content.

Suspicious DC Logon

Suspicious DC login: a non-admin account logged into a domain controller.

Suspicious Email Origin

The email has originated from a suspicious location.

Suspicious HTTP User-Agent

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

Symantec SEP Alerts (Target Hostname)

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

Symantec SEP Alerts (Target IP)

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

Symantec SEP Alerts (Target Username)

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

Tanium - Templated Signals

Common administrative tools may be used by malware authors and attackers who use living-off-the-land methods to operate on victim networks.

The Audit Log was Cleared - 1102

Attackers may attempt to clear the Windows Security Event Log in an effort to hide records of their activity during an intrusion. This rule detects that action.

Threat Intel - Device IP Matched Threat Intel Domain Name

A record flagged a domain name from a threat intelligence match list.

Threat Intel - Device IP Matched Threat Intel File Hash

A record flagged a domain name from a threat intelligence match list.

Threat Intel - Device IP Matched Threat Intel URL

A record flagged a domain name from a threat intelligence match list.

Threat Intel - Source IP Matched Threat Intel Domain Name

A record flagged a domain name from a threat intelligence match list.

Threat Intel Match - IP Address

A record flagged a domain name from a threat intelligence match list.

Too Many Failed Login Attempts

Excessive failed login attempts were observed for accounts in a Windows domain.

Too Many Kerberos Encryption Downgrade SPNs (Kerberoasting)

Kerberoasting is an attack method that allows an attacker to crack the passwords of Active Directory service accounts offline and without fear of detection. It is facilitated by requesting service tickets whose data is encrypted with weak encryption.

Too many empty/refused DNS queries 

The DNS request or response was empty or refused. This may be an indication of DNS tunneling. (Excludes IPv4/IPv6 multicast DNS and LLMNR traffic.)

Trend Micro Deep Security File Integrity Monitoring Alerts (Device Hostname)

The DNS request or response was empty or refused. This may be an indication of DNS tunneling. (Excludes IPv4/IPv6 multicast DNS and LLMNR traffic.)

Trend Micro Deep Security File Integrity Monitoring Alerts (Device IP)

The DNS request or response was empty or refused. This may be an indication of DNS tunneling. (Excludes IPv4/IPv6 multicast DNS and LLMNR traffic.)

Trend Micro Deep Security File Integrity Monitoring Alerts (User)

The DNS request or response was empty or refused. This may be an indication of DNS tunneling. (Excludes IPv4/IPv6 multicast DNS and LLMNR traffic.)

VBS file downloaded from Internet

Although Visual Basic scripts (.vbs) are sometimes legitimately downloaded from the Internet, they are often part of malware installation. They carry an elevated risk.

Varonis Alerts

Although Visual Basic scripts (.vbs) are sometimes legitimately downloaded from the Internet, they are often part of malware installation. They carry an elevated risk.

Websense - Blocked Activity Threshold

Websense blocked a large amount of activity originating from a single host within a short period of time.

Windows Account Added To Privileged Security Group

This signal alerts on the elevation of privileges assigned to a domain user account, based on Windows Event IDs 4728, 4732, and/or 4756.

Windows Account Locked Out - 4740

This signal fires whenever Windows Event ID 4740 is seen in the environment.

Windows Service Executed from Nonstandard Execution Path

A Windows service launching from a location outside its standard installation path is a common malware persistence mechanism.

Windows Temp Directory Access Via SMB

This can be considered suspicious, as remote systems rarely pull files from the Windows Temp directory of other systems.

Write-only SNMP attempt from external

Probing for the default SNMP write password is a way to bypass network security hardware.

Zscaler Web Proxy - Allowed Events

Probing for the default SNMP write password is a way to bypass network security hardware.

vpnoverdns.com DNS lookup

vpnoverdns.com is a free service providing VPN functionality over DNS. DNS resolutions for *.tun.vpnoverdns.com indicate use of their VPN service. The service describes itself as "Data exfiltration, for those times when everything else is blocked."