Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleSecOpsHAFNIUMUserAgentsTargetingExchangeServers

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

Source table → domains.all

Expand
titleSecOpsTLDFromDomainNotInMozillaTLD

Detect a domain with a TLD, not in Mozilla TLD List.

Source table → domains.all

Expand
titleSecOpsUnusualUseragentLength

Unusual User Agent length detected. It can be associated with some type of attack or vulnerability.

Source table → domains.all

Expand
titleSecOpsRevilKaseyaDomainConnection

The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA Zero-days. the attack was pushed out via a infected IT Management update from Kaseya.

Source table → domains.all

Expand
titleSecOpsHostNameSubdomainLength

Too long subdomains could be part of Application Layer Protocols.

Source table → network.dns

Expand
titleSecOpsTooLongDNSResponse

Monitor TXT and ANY responses to detect infiltrations or possible reflection attacks.

Source table → network.dns

Expand
titleSecOpsPossibleDnsEncodingQuery

Possible DNS exfiltration detected.

Source table → network.dns

Expand
titleSecOpsHostDNSBasedCovertChannelIpv6Record

Detects if a tripe A DNS response contains or not an IP announced. In case the response contains a non-announced IPv6, we can think there is a kind of cover-channel communication attempt.

Source table → network.dns

Expand
title

...

SecOpsDNSQueryToExternalSrvcInteractionDomains

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE.

Source table → network.dns

Expand
title

...

SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

Alert that checks attempts of exploiting CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability on the log raw message. This would include payloads included in the url, user-agent header, referer header or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning.

Source table → domains.all

Expand
titleSecOpsLog4ShellVulnOverDomainsUnionTableConnections

Alert that checks attempts of exploiting CVE-2021-44228 known as Log4shell. The query looks for payload patterns associated with this vulnerability in the log raw message. This would include payloads included in the URL, user-agent header, referrer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events due to the number of scanners currently testing systems on the Internet. It is therefore likely to need some kind of tunning.

Source table → domains.all