Use Cases
AE can identify both known threats and previously unknown, emerging ones. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports, together with the severity assigned to each.
Title | Severity |
---|---|
C2 communication attempt indicating infection | Critical |
Traffic to a malicious spear phishing site | Critical |
Traffic to a suspicious young domain impersonating a known brand | Critical |
An EC2 credential was used from an unknown external location | High |
Anonymizing circuit setup indicating infection or evasion attempt | High |
Cryptomining indicating infection or resource abuse | High |
Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | High |
Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
Excessive number of HTTP failures to a known bad destination | High |
HTTP GET request to a known bad destination indicating infection | High |
HTTP POST to a known bad destination indicating infection | High |
Known bad dynamic DNS provider traffic | High |
Known bad tunneling provider traffic | High |
Multiple requests for DGA domains indicating infection | High |
Multiple requests to long hostnames indicating DNS tunneling | High |
Multiple suspicious connections indicating TrickBot infection | High |
Out-of-band application security testing traffic requiring investigation | High |
Outbound TCP port scan indicating hacking tool use or infection | High |
Suspicious IRC traffic indicating infection | High |
Suspicious SSH session masquerading as a different protocol | High |
Suspicious use of AWS APIs with root account credentials | High |
Telegram Bot API traffic indicating possible infection | High |
Traffic from multiple sources to a domain impersonating a known brand | High |
Traffic to a known malware distribution site | High |
Traffic to a known sinkhole indicating infection | High |
Traffic to a suspicious domain impersonating a known brand | High |
Traffic to a young suspicious domain containing a brand name | High |
Traffic to malicious infrastructure capturing credentials | High |
Use of AWS APIs by a malicious caller | High |
Anomalous use of AWS APIs with root account credentials | Medium |
Beaconing to a rare domain | Medium |
Beaconing to a suspicious domain | Medium |
Cluster of suspicious requests requiring investigation | Medium |
Destination is known to serve malicious JavaScript | Medium |
Excessive number of HTTP failures to a suspicious destination | Medium |
High volume of outbound ICMP traffic indicating tunneling | Medium |
High volume of outbound traffic over FTP | Medium |
High volume of outbound traffic over SMB | Medium |
High volume of outbound traffic over SSH | Medium |
High volume of reverse DNS lookups indicating scanning activity | Medium |
IRC traffic requiring investigation | Medium |
Multiple connections to suspicious IP destinations | Medium |
Multiple encrypted DNS requests requiring investigation | Medium |
Multiple requests to a rare domain | Medium |
Multiple requests to suspicious domains | Medium |
Outbound SSH session using an uncommon server port | Medium |
P2P activity | Medium |
Potentially unwanted program or browser extension installed | Medium |
Successful AWS console login without MFA | Medium |
Successful suspicious AWS console login | Medium |
Suspicious HTTP GET request requiring investigation | Medium |
Suspicious Tor DNS request | Medium |
Suspicious dynamic DNS provider traffic | Medium |
Suspicious hosting provider traffic | Medium |
Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
Suspicious tunneling provider traffic | Medium |
Suspicious use of AWS APIs indicating data staging and exfiltration | Medium |
Suspicious use of AWS APIs indicating disruption | Medium |
Suspicious use of AWS APIs indicating evasion by adjusting audit log settings | Medium |
Suspicious use of AWS APIs indicating persistence | Medium |
Suspicious use of AWS APIs indicating privilege escalation | Medium |
Suspicious use of AWS APIs indicating reconnaissance | Medium |
Suspicious use of AWS APIs indicating unauthorized access | Medium |
The account password policy was changed in a suspicious way | Medium |
Third-party VPN activity | Medium |
Third-party remote access software installed | Medium |
Traffic from multiple sources to a unique young domain | Medium |
Traffic over a cleartext protocol exposing content and credentials | Medium |
Traffic to a TDS mechanism requiring investigation | Medium |
Traffic to a free webhook service indicating potential exfiltration | Medium |
Traffic to a known consumer phishing site requiring investigation | Medium |
Traffic to a likely malicious domain | Medium |
Traffic to a suspicious domain containing a brand name | Medium |
Traffic to a young domain impersonating a known brand | Medium |
Unusual mail traffic indicating possible implant | Medium |
Use of AWS APIs with root account access key | Medium |
Accessing a suspicious domain | Low |
Anomalous use of AWS APIs by a likely malicious caller | Low |
Anomalous use of AWS APIs indicating data staging and exfiltration | Low |
Anomalous use of AWS APIs indicating disruption | Low |
Anomalous use of AWS APIs indicating evasion by adjusting audit log settings | Low |
Anomalous use of AWS APIs indicating persistence | Low |
Anomalous use of AWS APIs indicating privilege escalation | Low |
Anomalous use of AWS APIs indicating reconnaissance | Low |
Anomalous use of AWS APIs indicating unauthorized access | Low |
DNS misconfiguration leading to potential compromise | Low |
Encrypted DNS traffic indicating potential infection or evasion | Low |
Excessive number of DNS failures requiring investigation | Low |
Excessive number of HTTP failures to an uncommon destination | Low |
Malicious pop-up traffic | Low |
Multiple requests to unreachable domains | Low |
Successful AWS console login from a new country | Low |
Successful anomalous AWS console login | Low |
Suspicious HTTP POST request requiring investigation | Low |
The account password policy was changed in an anomalous way | Low |
The account password policy was deleted | Low |
Traffic to a suspicious IP destination | Low |
Traffic to a valid domain impersonating a known brand | Low |
Traffic to an IP lookup service | Low |
Unknown dynamic DNS provider traffic | Low |
Unknown tunneling provider traffic | Low |
Unusual use of AWS APIs with root account credentials | Low |
Adversary simulation traffic to a benign destination | Informational |
Encrypted DNS traffic to a common destination | Informational |
Outbound traffic over SMB requiring investigation | Informational |
Successful AWS console login | Informational |
Successful AWS console logins from different locations in a short period | Informational |
The account password policy was changed | Informational |
Traffic to a destination TLD commonly associated with malware | Informational |
Traffic to an unknown young domain | Informational |
Use of AWS APIs by a likely malicious caller | Informational |
Use of AWS APIs indicating data staging and exfiltration | Informational |
Use of AWS APIs indicating disruption | Informational |
Use of AWS APIs indicating evasion by adjusting audit log settings | Informational |
Use of AWS APIs indicating persistence | Informational |
Use of AWS APIs indicating privilege escalation | Informational |
Use of AWS APIs indicating reconnaissance | Informational |
Use of AWS APIs indicating unauthorized access | Informational |
Use of AWS APIs with root account credentials | Informational |