DirectRootLogin: A root login event is detected on an endpoint.
MultipleFailedLogin: Detects multiple failed login events on 5 or more distinct accounts on the same endpoint within 60 seconds. This rule only applies to Oracle Database events.
MultipleFailedSu: Five or more failed su (to root) attempts are detected on the same endpoint within 180 seconds.
MultipleFailedSudo: Five or more failed sudo events initiated by the same account are detected within 180 seconds.
SuspiciousSuLogin: Two or more failed su (to root) attempts are followed by a successful su (to root) on the same endpoint within 180 seconds.
TargetedAccountAttack: 5 or more failed login events for the same user account are detected within 60 seconds, across a single endpoint or multiple endpoints.
TargetedAccountAttackLinux: 5 or more failed login events for the same user account are detected within 60 seconds, across a single Linux host or multiple Linux hosts.

Network rules are related to network activities.
BrowserCoinMiner: Detects communication with sites associated with browser hijacking for cryptocurrency mining.
DeniedZoneTransfer: Possible DNS reconnaissance through an attempted zone transfer (AXFR) that the server denied.
ExternalIPDiscovery: Detects connection attempts to domains that malware can use to learn the network's external IP address for profiling purposes.
FirewallADDrop: A series of firewall messages that show traffic being dropped to Microsoft domain controllers.
FirewallSiemDrop: A series of firewall messages that show traffic being dropped to or from the SIEM.
FirewallVaDrop: A series of firewall messages that show traffic being dropped to or from the vulnerability assessment scanners.
HorizontalPortScan: Network communication originating from the same source IP is detected on the same port on 10 or more distinct destination IPs within 60 seconds.
PingSweep: ICMP messages originating from the same source IP are detected on 20 or more destination IPs within 60 seconds.
PossibleFirewallRouteIssue: A series of firewall messages that show potential routing issues with the firewall.
PossibleSynFlood: A series of firewall messages that show potential firewall stability issues. This can indicate misconfiguration, a potential attack, or a general network issue.
PTRRecon: DNS reconnaissance activity where the DNS client performs 5 distinct reverse record lookups (PTR) within a 30 second window.
PunycodeDomain: Detects internationalized domain names that can't be displayed in ASCII, such as domains in scripts like Cyrillic, Japanese, or Farsi, which the Punycode algorithm converts into the ASCII form that DNS supports.
SIDScan: Oracle database SID reconnaissance activity where the client performs five distinct SID connection attempts within 60 seconds.
SuspectedAPT: Destination traffic matches any entry in the following watch lists: omc_apt_ip, omc_apt_domain, omc_apt_url.
SuspectedMalware: Destination traffic matches any entry in the following watch lists: omc_malware_ip, omc_malware_domain, omc_malware_url.
SuspectedRansomware: Destination traffic matches any entry in the following watch lists: omc_ransomware_ip, omc_ransomware_domain, omc_ransomware_url.
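Most of the rules above are "N events (or N distinct values) within T seconds" thresholds, plus one sequence rule (SuspiciousSuLogin) and one string check (PunycodeDomain). The block below is an added example, written for this page and not Oracle Management Cloud's own rule engine: it implements a generic sliding-window detector, wraps it with the thresholds quoted in the rule text for PingSweep, HorizontalPortScan, PTRRecon, TargetedAccountAttack and MultipleFailedLogin, adds the failed-then-successful su sequence and an xn-- label check, and runs everything over constructed sample events. The event record layout and field names (ts, src, dst, dport, client, qname, user, host, ok) are assumptions of the example.

```python
"""Sliding-window detections modelled on the threshold rules above.
Added example, not Oracle Management Cloud code. Rule names are reused as
labels; thresholds and windows are those stated in the rule text. The event
records and their field names are assumptions constructed for this example."""
from collections import defaultdict, deque


def windowed_alerts(events, key, window, threshold, distinct=None):
    """Generic "N in T seconds" detector.
    events   : dicts carrying an integer 'ts' (epoch seconds)
    key      : function grouping events into one stream (e.g. source IP)
    window   : seconds; an event stays live while now - ts < window
    threshold: fire when the live window holds this many events, or this many
               distinct values of distinct(ev) when distinct is given
    Returns one (key, first_ts, last_ts, n) tuple per key, on the first crossing."""
    streams, alerts, fired = defaultdict(deque), [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = key(ev)
        if k in fired:              # one alert per key; a real pipeline would re-arm later
            continue
        q = streams[k]
        q.append((ev["ts"], distinct(ev) if distinct else None))
        while ev["ts"] - q[0][0] >= window:   # expire entries that left the window
            q.popleft()
        n = len({d for _, d in q}) if distinct else len(q)
        if n >= threshold:
            alerts.append((k, q[0][0], ev["ts"], n))
            fired.add(k)
    return alerts


# Per-rule wrappers; thresholds and windows are those quoted on this page.
def ping_sweep(net):                 # ICMP to 20+ distinct dst from one src in 60 s
    return windowed_alerts((e for e in net if e["proto"] == "icmp"), key=lambda e: e["src"],
                           window=60, threshold=20, distinct=lambda e: e["dst"])

def horizontal_port_scan(net):       # same port on 10+ distinct dst from one src in 60 s
    return windowed_alerts((e for e in net if e["proto"] == "tcp"),
                           key=lambda e: (e["src"], e["dport"]),
                           window=60, threshold=10, distinct=lambda e: e["dst"])

def ptr_recon(dns):                  # 5 distinct PTR lookups from one client in 30 s
    return windowed_alerts((e for e in dns if e["qtype"] == "PTR"), key=lambda e: e["client"],
                           window=30, threshold=5, distinct=lambda e: e["qname"])

def targeted_account_attack(auth):   # 5+ failures for one account in 60 s, any host
    return windowed_alerts((e for e in auth if e["event"] == "login" and not e["ok"]),
                           key=lambda e: e["user"], window=60, threshold=5)

def multiple_failed_login(auth):     # failures on 5+ distinct accounts on one host in 60 s
    return windowed_alerts((e for e in auth if e["event"] == "login" and not e["ok"]),
                           key=lambda e: e["host"], window=60, threshold=5,
                           distinct=lambda e: e["user"])

def suspicious_su_login(auth):
    """2+ failed su-to-root followed by a success on the same host within 180 s.
    A sequence rule: the success must come after the failures and resets the state."""
    fails, alerts = defaultdict(deque), []
    for e in sorted((e for e in auth if e["event"] == "su"), key=lambda e: e["ts"]):
        q = fails[e["host"]]
        while q and e["ts"] - q[0] >= 180:
            q.popleft()
        if e["ok"]:
            if len(q) >= 2:
                alerts.append((e["host"], q[0], e["ts"], len(q)))
            q.clear()
        else:
            q.append(e["ts"])
    return alerts

def is_punycode_domain(name):
    """PunycodeDomain: any label carrying the xn-- ACE prefix is an IDN."""
    return any(label.lower().startswith("xn--") for label in name.split("."))

def decode_punycode(name):
    """Give the analyst the Unicode form; the ASCII form alone hides homoglyphs."""
    return name.encode("ascii").decode("idna")


# ---- constructed sample telemetry (not real logs) ----
T = 1_700_000_000
NET = ([{"ts": T + i, "proto": "icmp", "src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": None} for i in range(20)]
       + [{"ts": T + 3 * i, "proto": "tcp", "src": "10.0.0.9", "dst": f"10.0.2.{i}", "dport": 445} for i in range(10)]
       + [{"ts": T + 10 * i, "proto": "tcp", "src": "10.0.0.7", "dst": f"10.0.3.{i}", "dport": 22} for i in range(10)])  # 90 s spread: stays quiet
DNS = [{"ts": T + 5 * i, "client": "10.0.0.5", "qtype": "PTR", "qname": f"{i}.1.0.10.in-addr.arpa"} for i in range(5)]
AUTH = ([{"ts": T + 7 * i, "event": "login", "ok": False, "user": "svc_backup", "host": f"web{i % 3}"} for i in range(5)]
        + [{"ts": T + i, "event": "login", "ok": False, "user": f"user{i}", "host": "db1"} for i in range(5)]
        + [{"ts": T + 10, "event": "su", "ok": False, "user": "alice", "host": "db1"},
           {"ts": T + 40, "event": "su", "ok": False, "user": "alice", "host": "db1"},
           {"ts": T + 95, "event": "su", "ok": True, "user": "alice", "host": "db1"}])
SAMPLE_IDN = "müller.example".encode("idna").decode("ascii")   # constructed IDN, "xn--mller-kva.example"

if __name__ == "__main__":
    print(ping_sweep(NET), horizontal_port_scan(NET), ptr_recon(DNS), sep="\n")
    print(targeted_account_attack(AUTH), multiple_failed_login(AUTH), suspicious_su_login(AUTH), sep="\n")
    print(SAMPLE_IDN, is_punycode_domain(SAMPLE_IDN), decode_punycode(SAMPLE_IDN))
```

Two points worth noting when porting thresholds like these into your own pipeline: the slow scanner (10.0.0.7, one probe every 10 seconds) never trips the 10-in-60 HorizontalPortScan rule, which is exactly how scanners evade fixed windows, so pair window rules with a longer-horizon distinct-destination count; and SuspiciousSuLogin is a sequence, so the successful su must both check and clear the failure state, or the next unrelated success would re-alert on stale failures.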