Use Cases

AE can identify both known and unknown emerging threats. The table below is an exhaustive list of the individual use cases (internally known as threats) that the engine supports.

| Threat Description | Severity |
|---|---|
| C2 communication attempt indicating infection | Critical |
| Traffic to a malicious spear phishing site | Critical |
| Traffic to a suspicious young domain impersonating a known brand | Critical |
| Known bad dynamic DNS provider traffic | High |
| Known bad tunneling provider traffic | High |
| Multiple requests for DGA domains indicating infection | High |
| Traffic from multiple sources to a domain impersonating a known brand | High |
| Anonymizing circuit setup indicating infection or evasion attempt | High |
| Cryptomining indicating infection or resource abuse | High |
| Encrypted DNS traffic to a server that supports non-ICANN TLDs | High |
| HTTP GET request to a known bad destination indicating infection | High |
| HTTP POST to a known bad destination indicating infection | High |
| Multiple requests to long hostnames indicating DNS tunneling | High |
| Multiple suspicious connections indicating TrickBot infection | High |
| Outbound TCP port scan indicating hacking tool use or infection | High |
| Suspicious IRC traffic indicating infection | High |
| Suspicious SSH session masquerading as a different protocol | High |
| Telegram Bot API traffic indicating possible infection | High |
| Traffic to a known malware distribution site | High |
| Traffic to a known sinkhole indicating infection | High |
| Traffic to a suspicious domain impersonating a known brand | High |
| Traffic to a likely malicious domain | Medium |
| Multiple requests to suspicious domains | Medium |
| Beaconing to a suspicious domain | Medium |
| Cluster of suspicious requests requiring investigation | Medium |
| High volume of outbound ICMP traffic indicating tunneling | Medium |
| High volume of outbound traffic over FTP | Medium |
| High volume of outbound traffic over SSH | Medium |
| IRC traffic requiring investigation | Medium |
| Multiple connections to suspicious IP destinations | Medium |
| Multiple encrypted DNS requests requiring investigation | Medium |
| Outbound SSH session using an uncommon server port | Medium |
| P2P activity | Medium |
| Potentially unwanted program or browser extension installed | Medium |
| Suspicious HTTP GET request requiring investigation | Medium |
| Suspicious Tor DNS request | Medium |
| Suspicious dynamic DNS provider traffic | Medium |
| Suspicious hosting provider traffic | Medium |
| Suspicious traffic to DNS server that supports non-ICANN TLDs | Medium |
| Suspicious tunneling provider traffic | Medium |
| Third-party VPN activity | Medium |
| Third-party remote access software installed | Medium |
| Traffic from multiple sources to a unique young domain | Medium |
| Traffic to a TDS mechanism requiring investigation | Medium |
| Traffic to a free webhook service indicating potential exfiltration | Medium |
| Traffic to a known consumer phishing site requiring investigation | Medium |
| Traffic to a young domain impersonating a known brand | Medium |
| Unusual mail traffic indicating possible implant | Medium |
| Accessing a suspicious domain | Low |
| DNS misconfiguration leading to potential compromise | Low |
| Encrypted DNS traffic indicating potential infection or evasion | Low |
| JavaScript cryptomining indicating resource abuse | Low |
| Malicious pop-up traffic | Low |
| Multiple requests to unreachable domains | Low |
| Suspicious HTTP POST request requiring investigation | Low |
| Traffic to a suspicious IP destination | Low |
| Traffic to a valid domain impersonating a known brand | Low |
| Unknown dynamic DNS provider traffic | Low |
| Unknown tunneling provider traffic | Low |