Use Cases

AE can identify both known and unknown emerging threats. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports.

| Threat Description | Severity |
| --- | --- |
| C2 communication attempt indicating infection | Critical |
| Traffic to a malicious spear phishing site | Critical |
| Traffic to a suspicious young domain impersonating a known brand | Critical |
| Anonymizing circuit setup indicating infection or evasion attempt | High |
| Cryptomining indicating infection or resource abuse | High |
| Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
| HTTP GET request to a known bad destination indicating infection | High |
| HTTP POST to a known bad destination indicating infection | High |
| Known bad dynamic DNS provider traffic | High |
| Known bad tunneling provider traffic | High |
| Multiple requests for DGA domains indicating infection | High |
| Multiple requests to long hostnames indicating DNS tunneling | High |
| Multiple suspicious connections indicating TrickBot infection | High |
| Outbound TCP port scan indicating hacking tool use or infection | High |
| Suspicious IRC traffic indicating infection | High |
| Suspicious SSH session masquerading as a different protocol | High |
| Telegram Bot API traffic indicating possible infection | High |
| Traffic from multiple sources to a domain impersonating a known brand | High |
| Traffic to a known malware distribution site | High |
| Traffic to a known sinkhole indicating infection | High |
| Traffic to a suspicious domain impersonating a known brand | High |
| Traffic to an out-of-band interaction testing domain requiring investigation | High |
| Beaconing to a suspicious domain | Medium |
| Cluster of suspicious requests requiring investigation | Medium |
| Destination is known to serve malicious JavaScript | Medium |
| High volume of outbound ICMP traffic indicating tunneling | Medium |
| High volume of outbound traffic over FTP | Medium |
| High volume of outbound traffic over SMB | Medium |
| High volume of outbound traffic over SSH | Medium |
| High volume of reverse DNS lookups indicating scanning activity | Medium |
| IRC traffic requiring investigation | Medium |
| Multiple connections to suspicious IP destinations | Medium |
| Multiple encrypted DNS requests requiring investigation | Medium |
| Multiple requests to suspicious domains | Medium |
| Outbound SSH session using an uncommon server port | Medium |
| P2P activity | Medium |
| Potentially unwanted program or browser extension installed | Medium |
| Suspicious dynamic DNS provider traffic | Medium |
| Suspicious hosting provider traffic | Medium |
| Suspicious HTTP GET request requiring investigation | Medium |
| Suspicious Tor DNS request | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
| Suspicious tunneling provider traffic | Medium |
| Third-party remote access software installed | Medium |
| Third-party VPN activity | Medium |
| Traffic from multiple sources to a unique young domain | Medium |
| Traffic over a cleartext protocol exposing content and credentials | Medium |
| Traffic to a free webhook service indicating potential exfiltration | Medium |
| Traffic to a known consumer phishing site requiring investigation | Medium |
| Traffic to a likely malicious domain | Medium |
| Traffic to a suspicious domain containing a brand name | Medium |
| Traffic to a TDS mechanism requiring investigation | Medium |
| Traffic to a young domain impersonating a known brand | Medium |
| Unusual mail traffic indicating possible implant | Medium |
| Accessing a suspicious domain | Low |
| DNS misconfiguration leading to potential compromise | Low |
| Encrypted DNS traffic indicating potential infection or evasion | Low |
| Malicious pop-up traffic | Low |
| Multiple requests to unreachable domains | Low |
| Suspicious HTTP POST request requiring investigation | Low |
| Traffic to a suspicious IP destination | Low |
| Traffic to a valid domain impersonating a known brand | Low |
| Unknown dynamic DNS provider traffic | Low |
| Unknown tunneling provider traffic | Low |
| Adversary simulation traffic to a benign destination | Informational |
| Encrypted DNS traffic to a common destination | Informational |
| Outbound traffic over SMB requiring investigation | Informational |
| Traffic to a destination TLD commonly associated with malware | Informational |
| Traffic to an unknown young domain | Informational |