Use Cases
AE can identify both known threats and unknown, emerging ones. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports, grouped by the severity assigned to each.
| Threat Description | Severity |
|---|---|
| C2 communication attempt indicating infection | Critical |
| Traffic to a malicious spear phishing site | Critical |
| Traffic to a suspicious young domain impersonating a known brand | Critical |
| Anonymizing circuit setup indicating infection or evasion attempt | High |
| Cryptomining indicating infection or resource abuse | High |
| Domain resolves to 169.254.169.254 indicating an AWS rebinding attack | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
| HTTP GET request to a known bad destination indicating infection | High |
| HTTP POST to a known bad destination indicating infection | High |
| Known bad dynamic DNS provider traffic | High |
| Known bad tunneling provider traffic | High |
| Multiple requests for DGA domains indicating infection | High |
| Multiple requests to long hostnames indicating DNS tunneling | High |
| Multiple suspicious connections indicating TrickBot infection | High |
| Outbound TCP port scan indicating hacking tool use or infection | High |
| Suspicious IRC traffic indicating infection | High |
| Suspicious SSH session masquerading as a different protocol | High |
| Telegram Bot API traffic indicating possible infection | High |
| Traffic from multiple sources to a domain impersonating a known brand | High |
| Traffic to a known malware distribution site | High |
| Traffic to a known sinkhole indicating infection | High |
| Traffic to a suspicious domain impersonating a known brand | High |
| Traffic to an out-of-band interaction testing domain requiring investigation | High |
| Beaconing to a suspicious domain | Medium |
| Cluster of suspicious requests requiring investigation | Medium |
| Destination is known to serve malicious JavaScript | Medium |
| High volume of outbound ICMP traffic indicating tunneling | Medium |
| High volume of outbound traffic over FTP | Medium |
| High volume of outbound traffic over SMB | Medium |
| High volume of outbound traffic over SSH | Medium |
| High volume of reverse DNS lookups indicating scanning activity | Medium |
| IRC traffic requiring investigation | Medium |
| Multiple connections to suspicious IP destinations | Medium |
| Multiple encrypted DNS requests requiring investigation | Medium |
| Multiple requests to suspicious domains | Medium |
| Outbound SSH session using an uncommon server port | Medium |
| P2P activity | Medium |
| Potentially unwanted program or browser extension installed | Medium |
| Suspicious dynamic DNS provider traffic | Medium |
| Suspicious hosting provider traffic | Medium |
| Suspicious HTTP GET request requiring investigation | Medium |
| Suspicious Tor DNS request | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
| Suspicious tunneling provider traffic | Medium |
| Third-party remote access software installed | Medium |
| Third-party VPN activity | Medium |
| Traffic from multiple sources to a unique young domain | Medium |
| Traffic over a cleartext protocol exposing content and credentials | Medium |
| Traffic to a free webhook service indicating potential exfiltration | Medium |
| Traffic to a known consumer phishing site requiring investigation | Medium |
| Traffic to a likely malicious domain | Medium |
| Traffic to a suspicious domain containing a brand name | Medium |
| Traffic to a TDS mechanism requiring investigation | Medium |
| Traffic to a young domain impersonating a known brand | Medium |
| Unusual mail traffic indicating possible implant | Medium |
| Accessing a suspicious domain | Low |
| DNS misconfiguration leading to potential compromise | Low |
| Encrypted DNS traffic indicating potential infection or evasion | Low |
| Malicious pop-up traffic | Low |
| Multiple requests to unreachable domains | Low |
| Suspicious HTTP POST request requiring investigation | Low |
| Traffic to a suspicious IP destination | Low |
| Traffic to a valid domain impersonating a known brand | Low |
| Unknown dynamic DNS provider traffic | Low |
| Unknown tunneling provider traffic | Low |
| Adversary simulation traffic to a benign destination | Informational |
| Encrypted DNS traffic to a common destination | Informational |
| Outbound traffic over SMB requiring investigation | Informational |
| Traffic to a destination TLD commonly associated with malware | Informational |
| Traffic to an unknown young domain | Informational |