Sumo Logic

Standard Match Lists

See a list of the standard Match Lists in CSE, and what rules rely upon each.

This topic describes the standard Match Lists that CSE's built-in rules rely upon. For information about Match Lists, what they are for, how they are used, and how to create them, see Create a Match List.

business_ips

Target column: IP Address

Description: Remote IP addresses supporting business processes. Can be used for things like SSH servers for SFTP file exchanges (similarly, FTP servers).

The following CSE rules refer to this Match List:

  • Anomalous Web Server Software
  • Bitsadmin to Uncommon TLD
  • Connection to High Entropy Domain
  • HTTP External Request to PowerShell Extension
  • HTTP Request for Possible DGA Domain
  • Noncompliant Protocol Tunnel Over Common Service Port
  • Palo Alto Correlation Event (IP)
  • Palo Alto Correlation Event (User)
  • Palo Alto Failed Authentication Multiple Attempts from the Same IP
  • Palo Alto Failed Authentication Multiple Attempts from the User
  • Palo Alto Failed Authentication Multiple Usernames Attempted
  • Palo Alto Firewall Threat (IP)
  • Palo Alto Firewall Threat (User)
  • Possible DGA Domain
  • Potential malicious JVM download
  • SMB Internal to External
  • SSH Interesting Hostname Login
  • SSH Password Brute Force
  • Script CLI UserAgent string

verified_domains

Target column: Domain

Description: Used in specific cases to exclude domains from flagging particular types of rule content, primarily anomaly-based content such as high-entropy domain detection and DNS tunneling analytics. Not an across-the-board whitelist. This list is necessary to capture baseline activity and maintain a high signal-to-noise ratio for much of our content, particularly anything based on domain or host entropy.

The following CSE rules refer to this Match List:

  • Anomalous Web Server Software
  • Base32 in DNS Query
  • Bitsadmin to Uncommon TLD 
  • Connection to High Entropy Domain 
  • DNS Lookup of High Entropy Domain 
  • DNS Query Hex in Domain 
  • DNS over TLS (DoT) Activity 
  • HTTP External Request to PowerShell Extension
  • HTTP request for single character file name
  • Possible DGA Domain
  • Possible DNS Data Exfiltration 
  • SSH Interesting Hostname Login
  • Script CLI UserAgent string
  • HTTP Request for Possible DGA Domain

verified_hostnames

Target column: Hostname

Description: This match list is similar to verified_domains, but is intended for cases where only specific hostnames within a registered domain should be excepted from use-case-specific content, rather than the entire domain. In most cases verified_domains should be used to categorize the complete domain.

The following CSE rules refer to this Match List:

  • Anomalous Web Server Software 
  • Bitsadmin to Uncommon TLD 
  • Connection to High Entropy Domain 
  • DNS Lookup of High Entropy Domain 
  • DNS Query Hex in Domain 
  • DNS over TLS (DoT) Activity 
  • HTTP External Request to PowerShell Extension 
  • HTTP request for single character file name 
  • Possible DGA Domain
  • Possible DNS Data Exfiltration 
  • SSH Interesting Hostname Login 
  • Script CLI UserAgent string 
  • HTTP Request for Possible DGA Domain

dns_servers

Target column: IP Address

Description: DNS caching resolvers/authoritative content servers in customer environments.

The following CSE rules refer to this Match List:

  • Too many empty refused dns queries
  • DNS over TLS (DoT) Activity

proxy_servers

Target column: IP Address

Description: Forward proxy servers, including HTTP and SOCKS proxies.

The following CSE rules refer to this Match List:

  • HTTP Response Error Spike Internal
  • DNS DGA Lookup Behavior NXDOMAIN Responses
  • Port Scan Internal
  • Possible DNS Data Exfiltration

auth-servers

Target column: IP Address

Description: Network authentication servers, including Active Directory, LDAP, Kerberos, RADIUS/TACACS, NIS servers.

The following CSE rules refer to this Match List:

  • DNS Lookup of High Entropy Domain

vuln_scanners

Target column: IP Address

Description: Vulnerability scanner and network mapping hosts.

The following CSE rules refer to this Match List:

  • DNS Lookup of High Entropy Domain
  • Base32 in DNS Query
  • DNS DGA Lookup Behavior NXDOMAIN Responses 
  • Bitsadmin to Uncommon TLD
  • Connection to High Entropy Domain
  • DNS over TLS (DoT) Activity
  • Directory Traversal Successful 
  • Directory Traversal Unsuccessful 
  • HTTP Request for Possible DGA Domain 
  • HTTP Request with Single Header
  • HTTP request for single character file name
  • IP Address Scan Internal
  • Noncompliant Protocol Tunnel Over Common Service Port
  • Palo Alto Correlation Event (IP) 
  • Palo Alto Correlation Event (User) 
  • Palo Alto Failed Authentication Multiple Attempts from the Same IP
  • Palo Alto Failed Authentication Multiple Attempts from the User
  • Palo Alto Failed Authentication Multiple Usernames Attempted 
  • Palo Alto Firewall Threat (IP) 
  • Palo Alto Firewall Threat (User) 
  • Possible DGA Domain 
  • Possible DNS Data Exfiltration 
  • SMB Scanning Detected 
  • SMB write to admin hidden share 
  • SQL Injection Attacker
  • SQL Injection Victim
  • SQL Select From 
  • SSH Authentication Failures 
  • SSH Interesting Hostname Login 
  • SSH Password Brute Force 
  • SSL Certificate Expired 
  • Script CLI UserAgent string 
  • Shellshock

guest_networks

Target column: IP Address

Description: Known guest WLAN and other guests/BYOD network addresses.

The following CSE rules refer to this Match List:

  • DNS Lookup of High Entropy Domain
  • Base32 in DNS Query 
  • Bitsadmin to Uncommon TLD 
  • Connection to High Entropy Domain 
  • DNS DGA Lookup Behavior NXDOMAIN Responses 
  • DNS Query Hex in Domain 
  • DNS over TLS (DoT) Activity 
  • HTTP Request for Possible DGA Domain
  • HTTP request for single character file name
  • Noncompliant Protocol Tunnel Over Common Service Port 
  • Palo Alto Correlation Event (IP)
  • Palo Alto Correlation Event (User) 
  • Palo Alto Failed Authentication Multiple Attempts from the Same IP
  • Palo Alto Failed Authentication Multiple Attempts from the User
  • Palo Alto Failed Authentication Multiple Usernames Attempted
  • Palo Alto Firewall Threat (IP)
  • Palo Alto Firewall Threat (User) 
  • Possible DGA Domain 
  • Possible DNS Data Exfiltration 
  • SMB write to admin hidden share 
  • SQL Injection Attacker 
  • SQL Injection Victim 
  • SQL Select From 
  • SSH Interesting Hostname Login 
  • Script CLI UserAgent string

business_domains

Target column: Domain

Description: DNS domain names that are known business-related domains. This list is intended to capture domains related to validated, expected, or critical business functions, and may be used for whitelisting or for filtering uninteresting results out of query result sets.

Note: Domain matches against the domain field, not the FQDN (i.e., the hostname or query), so a valid entry is example.com but not www.example.com.

The following CSE rules refer to this Match List:

  • Anomalous Web Server Software 
  • Bitsadmin to Uncommon TLD 
  • Connection to High Entropy Domain
  • DNS DGA Lookup Behavior NXDOMAIN Responses
  • DNS Lookup of High Entropy Domain
  • DNS over TLS (DoT) Activity
  • HTTP External Request to PowerShell Extension
  • HTTP Request for Possible DGA Domain
  • HTTP request for single character file name
  • Possible DGA Domain
  • Possible DNS Data Exfiltration
  • SSH Interesting Hostname Login
  • Script CLI UserAgent string
  • DNS Query Hex in Domain

business_hostname

Target column: Hostname

Description: DNS hostnames that are known as business-related FQDNs.

The following CSE rules refer to this Match List:

  • Anomalous Web Server Software 
  • VBS file downloaded
  • Bitsadmin to Uncommon TLD 
  • Connection to High Entropy Domain
  • DNS DGA Lookup Behavior NXDOMAIN Responses
  • DNS Lookup of High Entropy Domain
  • DNS over TLS (DoT) Activity
  • HTTP External Request to PowerShell Extension
  • HTTP Request for Possible DGA Domain
  • HTTP request for single character file name
  • Possible DGA Domain
  • Possible DNS Data Exfiltration
  • SSH Interesting Hostname Login
  • Script CLI UserAgent string
  • DNS Query Hex in Domain

nat_ips

Target column: IP Address

Description: Source NAT addresses. Can be used as an exception match list to keep content that evaluates data per host from applying to addresses that are translated, or that aggregate traffic from many other hosts. Note that proxy_servers serves the same purpose for the specific case of forward proxies.

The following CSE rules refer to this Match List:

  • DNS DGA Lookup Behavior NXDOMAIN Responses

admin_ips

Target column: Source IP Address

Description: Hosts known to be involved in specific administrative or privileged activity on the network. Can be used to track hosts operated by admins and other privileged users, which are often the source of restricted, privileged, or suspicious-looking but authorized actions. This sort of tracking is useful for baselining activity and, as a result, surfacing activity that is genuinely suspicious.

The following CSE rules refer to this Match List:

  • PSEXEC Admin Tool Detection 
  • PowerShell Remote Administration 
  • SMB write to admin hidden share

dyndns_exception_domains

Target column: Domain

Description: Domains excepted from Dynamic DNS related content. This is necessary because our automation-driven DDNS content must accept domains that are no longer operated by dynamic DNS providers but are still listed in DDNS data sources.

The following CSE rules refer to this Match List:

  • Possible DNS Data Exfiltration
  • Connection to High Entropy Domain 
  • DNS over TLS (DoT) Activity 
  • HTTP request for single character file name

dyndns_exception_hostnames

Target column: Hostname

Description: FQDNs excepted from Dynamic DNS related content. This is necessary for baselining and accepting FQDNs in dynamic DNS domains which are either benign DDNS provider infrastructure (e.g. nameservers) or are otherwise confirmed to be legitimate/non-threat hosts.

The following CSE rules refer to this Match List:

  • Possible DNS Data Exfiltration
  • Connection to High Entropy Domain 
  • DNS over TLS (DoT) Activity 
  • HTTP request for single character file name

ssl_exception_ips

Target column: IP Address

Description: Remote IP addresses to be excepted from SSL detection rules.

The following CSE rules refer to this Match List:

  • SSL Certificate Expired
  • SSL Certificate Expires Soon
  • SSL Certificate Not Valid Yet
  • SSL Invalid Server Cert
  • Self signed Certificates

downgrade_krb5_etype_authorized_users

Target column: Username

Description: Known account names that use downgraded encryption types with multiple SPNs. This is an exception match list that should be populated with Kerberos principal names (e.g., jdoe@EXAMPLE.COM), matched against endpoint_username, that are known to trigger content around legacy downgraded encryption types. It is directly related to the detection of Kerberoasting attacks.

The following CSE rules refer to this Match List:

  • Too Many Kerberos Encryption Downgrade SPNs

lan_scanner_exception_ips

Target column: IP Address

Description: IP addresses excepted from analytics identifying LAN protocol scanning activity. Used in specific cases to exclude hosts from flagging particular types of rule content, primarily around scanning of commonly targeted LAN service ports, etc. Not an across-the-board whitelist. This match list is not intended for vulnerability scanners, which should be listed instead in vuln_scanners.

Examples of hosts that are suited for this match list:

  • Telephony server that pushes content to deployed softphones over SMB/CIFS
  • Data security audit software that connects to SMB shares

The following CSE rules refer to this Match List:

  • IP Address Scan Internal
  • SSH Password Brute Force 
  • SSL Certificate Expired 
  • SMB Scanning Detected
  • SSH Authentication Failures

threat

Target column: IP Address

Description: IP addresses that a record has flagged as matching a threat intelligence match list.

The following CSE rules refer to this Match List:

  • Threat