
Use Cases

AE can identify both known and unknown emerging threats. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports.

| Title | Severity |
| --- | --- |
| C2 communication attempt indicating infection | Critical |
| Traffic to a malicious spear phishing site | Critical |
| Traffic to a suspicious young domain impersonating a known brand | Critical |
| Anonymizing circuit setup indicating infection or evasion attempt | High |
| Cryptomining indicating infection or resource abuse | High |
| Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
| HTTP GET request to a known bad destination indicating infection | High |
| HTTP POST to a known bad destination indicating infection | High |
| Known bad dynamic DNS provider traffic | High |
| Known bad tunneling provider traffic | High |
| Multiple requests for DGA domains indicating infection | High |
| Multiple requests to long hostnames indicating DNS tunneling | High |
| Multiple suspicious connections indicating TrickBot infection | High |
| Out-of-band application security testing traffic requiring investigation | High |
| Outbound TCP port scan indicating hacking tool use or infection | High |
| Suspicious IRC traffic indicating infection | High |
| Suspicious SSH session masquerading as a different protocol | High |
| Telegram Bot API traffic indicating possible infection | High |
| Traffic from multiple sources to a domain impersonating a known brand | High |
| Traffic to a known malware distribution site | High |
| Traffic to a known sinkhole indicating infection | High |
| Traffic to a suspicious domain impersonating a known brand | High |
| Traffic to a young suspicious domain containing a brand name | High |
| Traffic to malicious infrastructure capturing credentials | High |
| Beaconing to a rare domain | Medium |
| Beaconing to a suspicious domain | Medium |
| Cluster of suspicious requests requiring investigation | Medium |
| Destination is known to serve malicious JavaScript | Medium |
| High volume of outbound ICMP traffic indicating tunneling | Medium |
| High volume of outbound traffic over FTP | Medium |
| High volume of outbound traffic over SMB | Medium |
| High volume of outbound traffic over SSH | Medium |
| High volume of reverse DNS lookups indicating scanning activity | Medium |
| IRC traffic requiring investigation | Medium |
| Multiple connections to suspicious IP destinations | Medium |
| Multiple encrypted DNS requests requiring investigation | Medium |
| Multiple requests to a rare domain | Medium |
| Multiple requests to suspicious domains | Medium |
| Outbound SSH session using an uncommon server port | Medium |
| P2P activity | Medium |
| Potentially unwanted program or browser extension installed | Medium |
| Suspicious HTTP GET request requiring investigation | Medium |
| Suspicious Tor DNS request | Medium |
| Suspicious dynamic DNS provider traffic | Medium |
| Suspicious hosting provider traffic | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
| Suspicious tunneling provider traffic | Medium |
| Third-party VPN activity | Medium |
| Third-party remote access software installed | Medium |
| Traffic from multiple sources to a unique young domain | Medium |
| Traffic over a cleartext protocol exposing content and credentials | Medium |
| Traffic to a TDS mechanism requiring investigation | Medium |
| Traffic to a free webhook service indicating potential exfiltration | Medium |
| Traffic to a known consumer phishing site requiring investigation | Medium |
| Traffic to a likely malicious domain | Medium |
| Traffic to a suspicious domain containing a brand name | Medium |
| Traffic to a young domain impersonating a known brand | Medium |
| Unusual mail traffic indicating possible implant | Medium |
| Accessing a suspicious domain | Low |
| DNS misconfiguration leading to potential compromise | Low |
| Encrypted DNS traffic indicating potential infection or evasion | Low |
| Malicious pop-up traffic | Low |
| Multiple requests to unreachable domains | Low |
| Suspicious HTTP POST request requiring investigation | Low |
| Traffic to a suspicious IP destination | Low |
| Traffic to a valid domain impersonating a known brand | Low |
| Traffic to an IP lookup service | Low |
| Unknown dynamic DNS provider traffic | Low |
| Unknown tunneling provider traffic | Low |
| Adversary simulation traffic to a benign destination | Informational |
| Encrypted DNS traffic to a common destination | Informational |
| Outbound traffic over SMB requiring investigation | Informational |
| Traffic to a destination TLD commonly associated with malware | Informational |
| Traffic to an unknown young domain | Informational |