Security Traffic Analyzer (STA) Alerts

Once you install the Coralogix Security Traffic Analyzer (STA), we can update your account with a set of default alerts built specifically for use with the STA. Here is a quick overview of some of these alerts and their purpose:

  1. STA - NIDS alert detected - This alert fires every time a security-related issue is detected by the STA's Suricata engine. You can tune this alert either by modifying the alert's Lucene query or by modifying the sta.conf file (to disable the current signature) and then creating a new one in the local.rules file on the STA's config S3 bucket. To learn more about how to do that see here. Note that by default we configure this alert to ignore certain relatively noisy NIDS alerts, for which we created ML-based alerts that trigger only if the relevant activity is unusual.

  2. STA - Unusual reconnaissance activity detected - This alert will fire when Coralogix detects an abnormal rate of STA events indicating that the organization is being scanned from the outside.

  3. STA - Unusual connections rate from blacklisted IPs - This alert will fire when Coralogix detects an abnormal rate of STA events indicating a connection from a potentially malicious IP address.

  4. STA - Request for public IP echo services detected - Many malicious tools attempt to discover their public IP address. Some do so to determine where they are located geographically; others use this information when registering with their Command & Control server. This alert fires when Coralogix, based on the STA logs, detects a connection to one of several sites often used for this purpose by malicious tools.

  5. STA - Trojan activity detected - This alert will fire when the Suricata engine of the STA detects a Trojan attempt.

  6. STA is not seeing any traffic - MIRRORING is DOWN - This alert fires when Coralogix detects, based on the logs from the STA, that the STA is alive but is not seeing any traffic. This can indicate a problem with your VPC Traffic Mirroring configuration. With the latest version of the STA we also published a tool for automating the VPC Traffic Mirroring configuration, which can help fix the problem. You can find more about it here.

  7. STA - Usage of rarely used DNS record types detected - Some DNS record types, like A, AAAA and MX, are very commonly used, while others, like TXT and ISDN, are almost never used. Some of those can also be used (or even preferred) by an adversary for DNS tunneling. This alert fires when an attempt is made to use such a record type. If your organization uses such records for legitimate purposes, you can simply remove that record type from the alert query and possibly create a new alert that fires only if the rate of DNS requests for that specific record type is abnormal.

  8. STA - Unusual high volume of DNS requests returned NXDOMAIN - This alert fires when Coralogix detects, based on the STA logs, an abnormal rate of NXDOMAIN responses from DNS servers. Many attacks today involve some form of connection to a Command & Control server, and the common way for malware to reach its Command & Control server is a machine-generated domain name, a.k.a. a Domain Generation Algorithm (DGA). It usually works like this: the attacker programs the malware to generate a new domain name based on the current date every day, attempt to reach it, and fall back to the previously used domain if that fails. That way, if someone blocks access to the Command & Control domain, the attacker simply has to register the domain name that the malware will look for tomorrow and the connection is automatically restored. Such a strategy leads to an abnormal rate of DNS requests that result in NXDOMAIN responses, since the malware continuously looks up domains that are not registered.

  9. STA - Unrecognized software - The Zeek engine of the STA can detect software running on monitored (and unmonitored) servers by inferring it from the traffic observed by the STA. These findings appear on the Software dashboard of the STA. This alert is a stub that you can use to whitelist the software you do use (based on what you see on the Software dashboard) and alert on everything new. [Screenshot: the Software dashboard of the STA]

  10. STA - Unrecognized software type - See "STA - Unrecognized software" above.

  11. STA - DNS activity on TCP detected - DNS most commonly runs over UDP on port 53. DNS uses TCP in two main scenarios: zone (domain) transfers and large TXT responses. The first should not be performed by unauthorized personnel, and certainly not often, and the latter should almost never happen. This alert fires when such activity (DNS over TCP) is detected.

  12. STA - Access to a baby domain was detected - Employees, and even more so servers, accessing domains that are "young", in the sense that they were registered only very recently, is often a good indication of malicious activity. This alert fires when access to a domain that was registered less than three months ago is detected.

  13. STA - Zeek Notice Detected - This alert fires when the Zeek engine in the STA has detected anomalous and potentially malicious behavior.

  14. STA - Unusual TOR nodes connectivity - Tor browsers, and the Tor network in general, are notorious for their malicious use in hiding adversary actions. This alert fires when Coralogix detects an anomaly in the rate of connections from Tor nodes (as detected by the Suricata engine in the STA).

  15. STA is OFFLINE - This alert fires when no logs are coming from the STA.

  16. STA - Unique dns queries to domains - The Zeek engine inside the STA is configured to count unique queries per domain, and if that number exceeds a certain threshold this alert fires. The rationale behind this alert is that in many attack types the attacker will try to make the server reach their Command & Control servers by using DNS queries (because DNS usually has to be allowed through). These DNS queries often start with or include a unique id that helps the attacker index the specific attack; sometimes the DNS request includes a hash of a password the attacker would like to brute-force offline. In both cases the number of unique DNS requests per hour increases.

  17. STA - New service offered by an internal host - This alert fires when an external host uses a service on an internal host that has not been seen before.

  18. STA - New DHCP server detected - This alert fires whenever a new DHCP server is detected based on the traffic. This can be a good indication of a rogue DHCP server.

  19. STA - New file MIME type detected - This alert fires when a new file MIME type is detected.

  20. STA - New certificate issuer - This alert fires when a new certificate issuer is detected.
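The four DNS-based alerts above (rarely used record types, NXDOMAIN rate, DNS activity on TCP, and unique queries per domain) can be expressed as simple checks over Zeek dns.log records. The Python below is an added example, not part of the STA or this page: the log lines are constructed, the column subset and the fixed thresholds are assumptions, and a fixed ratio stands in for the ML baseline the real alerts use.

```python
from collections import Counter, defaultdict
# Record types the page calls common; anything else is flagged as "rarely used".
COMMON_QTYPES = {"A", "AAAA", "MX", "CNAME", "NS", "PTR", "SOA", "SRV"}
# Constructed sample in (a subset of) Zeek dns.log column order:
# ts, id.orig_h, proto, query, qtype_name, rcode_name. Not real STA output.
SAMPLE_DNS_LOG = """\
1700000000.0\t10.0.0.5\tudp\twww.example.com\tA\tNOERROR
1700000002.0\t10.0.0.5\tudp\t_dmarc.example.com\tTXT\tNOERROR
1700000003.0\t10.0.0.9\tudp\ta1b2c3.example.net\tA\tNXDOMAIN
1700000004.0\t10.0.0.9\tudp\td4e5f6.example.net\tA\tNXDOMAIN
1700000005.0\t10.0.0.9\tudp\t0f9e8d.example.net\tA\tNXDOMAIN
1700000006.0\t10.0.0.9\tudp\t7c6b5a.example.net\tA\tNXDOMAIN
1700000007.0\t10.0.0.9\tudp\tzzzz01.example.net\tISDN\tNXDOMAIN
1700000008.0\t10.0.0.9\ttcp\twww.example.com\tA\tNOERROR
"""

def parse_dns_log(text):
    """Split the TSV lines into dicts, skipping Zeek's '#' header lines."""
    fields = ["ts", "orig_h", "proto", "query", "qtype", "rcode"]
    return [dict(zip(fields, line.split("\t")))
            for line in text.splitlines() if line and not line.startswith("#")]

def registered_domain(name):
    """Crude registered domain: the last two labels (no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def rare_qtype_hits(rows, common=COMMON_QTYPES):
    """'Rarely used DNS record types': any query type outside the common set."""
    return [(r["orig_h"], r["query"], r["qtype"]) for r in rows if r["qtype"] not in common]

def nxdomain_ratio(rows, min_queries=4, max_ratio=0.5):
    """'High volume of NXDOMAIN': hosts whose NXDOMAIN share is abnormal."""
    total, nx = Counter(), Counter()
    for r in rows:
        total[r["orig_h"]] += 1
        nx[r["orig_h"]] += int(r["rcode"] == "NXDOMAIN")
    return {h: nx[h] / total[h] for h in total
            if total[h] >= min_queries and nx[h] / total[h] > max_ratio}

def unique_names_per_domain(rows, threshold=3):
    """'Unique DNS queries to domains': distinct names under each domain."""
    names = defaultdict(set)
    for r in rows:
        names[registered_domain(r["query"])].add(r["query"].lower())
    return {d: len(s) for d, s in names.items() if len(s) > threshold}

def dns_over_tcp(rows):
    """'DNS activity on TCP': DNS carried over TCP instead of UDP."""
    return [(r["orig_h"], r["query"]) for r in rows if r["proto"] == "tcp"]
```

Note that the legitimate `_dmarc` TXT lookup is flagged too, which is exactly the case where the page suggests removing that record type from the alert query or switching to a rate-based alert.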

Many more alerts are automatically added to your account as part of the STA installation. These alerts are fully actionable and come with a complete playbook attached.