Use Cases

AE can identify both known and unknown emerging threats. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports.

| Title | Severity |
| --- | --- |
| C2 communication attempt indicating infection | Critical |
| Traffic to a malicious spear phishing site | Critical |
| Traffic to a suspicious young domain impersonating a known brand | Critical |
| An EC2 credential was used from an unknown external location | High |
| Anonymizing circuit setup indicating infection or evasion attempt | High |
| Cryptomining indicating infection or resource abuse | High |
| Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
| Excessive number of HTTP failures to a known bad destination | High |
| HTTP GET request to a known bad destination indicating infection | High |
| HTTP POST to a known bad destination indicating infection | High |
| Known bad dynamic DNS provider traffic | High |
| Known bad tunneling provider traffic | High |
| Multiple requests for DGA domains indicating infection | High |
| Multiple requests to long hostnames indicating DNS tunneling | High |
| Multiple suspicious connections indicating TrickBot infection | High |
| Out-of-band application security testing traffic requiring investigation | High |
| Outbound TCP port scan indicating hacking tool use or infection | High |
| Suspicious IRC traffic indicating infection | High |
| Suspicious SSH session masquerading as a different protocol | High |
| Suspicious use of AWS APIs with root account credentials | High |
| Telegram Bot API traffic indicating possible infection | High |
| Traffic from multiple sources to a domain impersonating a known brand | High |
| Traffic to a known malware distribution site | High |
| Traffic to a known sinkhole indicating infection | High |
| Traffic to a suspicious domain impersonating a known brand | High |
| Traffic to a young suspicious domain containing a brand name | High |
| Traffic to malicious infrastructure capturing credentials | High |
| Use of AWS APIs by a malicious caller | High |
| Anomalous use of AWS APIs with root account credentials | Medium |
| Beaconing to a rare domain | Medium |
| Beaconing to a suspicious domain | Medium |
| Cluster of suspicious requests requiring investigation | Medium |
| Destination is known to serve malicious JavaScript | Medium |
| Excessive number of HTTP failures to a suspicious destination | Medium |
| High volume of outbound ICMP traffic indicating tunneling | Medium |
| High volume of outbound traffic over FTP | Medium |
| High volume of outbound traffic over SMB | Medium |
| High volume of outbound traffic over SSH | Medium |
| High volume of reverse DNS lookups indicating scanning activity | Medium |
| IRC traffic requiring investigation | Medium |
| Multiple connections to suspicious IP destinations | Medium |
| Multiple encrypted DNS requests requiring investigation | Medium |
| Multiple requests to a rare domain | Medium |
| Multiple requests to suspicious domains | Medium |
| Outbound SSH session using an uncommon server port | Medium |
| P2P activity | Medium |
| Potentially unwanted program or browser extension installed | Medium |
| Successful AWS console login without MFA | Medium |
| Successful suspicious AWS console login | Medium |
| Suspicious HTTP GET request requiring investigation | Medium |
| Suspicious Tor DNS request | Medium |
| Suspicious dynamic DNS provider traffic | Medium |
| Suspicious hosting provider traffic | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
| Suspicious tunneling provider traffic | Medium |
| Suspicious use of AWS APIs indicating data staging and exfiltration | Medium |
| Suspicious use of AWS APIs indicating disruption | Medium |
| Suspicious use of AWS APIs indicating evasion by adjusting audit log settings | Medium |
| Suspicious use of AWS APIs indicating persistence | Medium |
| Suspicious use of AWS APIs indicating privilege escalation | Medium |
| Suspicious use of AWS APIs indicating reconnaissance | Medium |
| Suspicious use of AWS APIs indicating unauthorized access | Medium |
| The account password policy was changed in a suspicious way | Medium |
| Third-party VPN activity | Medium |
| Third-party remote access software installed | Medium |
| Traffic from multiple sources to a unique young domain | Medium |
| Traffic over a cleartext protocol exposing content and credentials | Medium |
| Traffic to a TDS mechanism requiring investigation | Medium |
| Traffic to a free webhook service indicating potential exfiltration | Medium |
| Traffic to a known consumer phishing site requiring investigation | Medium |
| Traffic to a likely malicious domain | Medium |
| Traffic to a suspicious domain containing a brand name | Medium |
| Traffic to a young domain impersonating a known brand | Medium |
| Unusual mail traffic indicating possible implant | Medium |
| Use of AWS APIs with root account access key | Medium |
| Accessing a suspicious domain | Low |
| Anomalous use of AWS APIs by a likely malicious caller | Low |
| Anomalous use of AWS APIs indicating data staging and exfiltration | Low |
| Anomalous use of AWS APIs indicating disruption | Low |
| Anomalous use of AWS APIs indicating evasion by adjusting audit log settings | Low |
| Anomalous use of AWS APIs indicating persistence | Low |
| Anomalous use of AWS APIs indicating privilege escalation | Low |
| Anomalous use of AWS APIs indicating reconnaissance | Low |
| Anomalous use of AWS APIs indicating unauthorized access | Low |
| DNS misconfiguration leading to potential compromise | Low |
| Encrypted DNS traffic indicating potential infection or evasion | Low |
| Excessive number of DNS failures requiring investigation | Low |
| Excessive number of HTTP failures to an uncommon destination | Low |
| Malicious pop-up traffic | Low |
| Multiple requests to unreachable domains | Low |
| Successful AWS console login from a new country | Low |
| Successful anomalous AWS console login | Low |
| Suspicious HTTP POST request requiring investigation | Low |
| The account password policy was changed in an anomalous way | Low |
| The account password policy was deleted | Low |
| Traffic to a suspicious IP destination | Low |
| Traffic to a valid domain impersonating a known brand | Low |
| Traffic to an IP lookup service | Low |
| Unknown dynamic DNS provider traffic | Low |
| Unknown tunneling provider traffic | Low |
| Unusual use of AWS APIs with root account credentials | Low |
| Adversary simulation traffic to a benign destination | Informational |
| Encrypted DNS traffic to a common destination | Informational |
| Outbound traffic over SMB requiring investigation | Informational |
| Successful AWS console login | Informational |
| Successful AWS console logins from different locations in a short period | Informational |
| The account password policy was changed | Informational |
| Traffic to a destination TLD commonly associated with malware | Informational |
| Traffic to an unknown young domain | Informational |
| Use of AWS APIs by a likely malicious caller | Informational |
| Use of AWS APIs indicating data staging and exfiltration | Informational |
| Use of AWS APIs indicating disruption | Informational |
| Use of AWS APIs indicating evasion by adjusting audit log settings | Informational |
| Use of AWS APIs indicating persistence | Informational |
| Use of AWS APIs indicating privilege escalation | Informational |
| Use of AWS APIs indicating reconnaissance | Informational |
| Use of AWS APIs indicating unauthorized access | Informational |
| Use of AWS APIs with root account credentials | Informational |