Notification Categories

NDR notifications provide alerts about suspicious or potentially malicious activity within your network. To respond effectively, review each notification’s details and implement the recommended mitigation steps.

Each notification category includes the following details:

  • Severity: The assigned risk level (Low, Medium, or High). The higher the severity, the greater the potential impact and the more urgently action is required.

  • Reason: The condition or behavior that triggered the alert.

  • Investigation: A step-by-step process to determine whether the activity is legitimate or malicious.

  • Mitigation: Recommended actions to contain or resolve the issue.

Address Scan Detected

Severity: High

Reason: A device attempted to connect to multiple IP addresses on a specific port within the internal network. The scanned port is listed in the notification details.

Investigation

  1. Verify whether the device is expected to perform internal scans, such as a vulnerability scanner or an administrator workstation.

  2. Contact the device user to confirm whether the scan was intentional and authorized.

  3. If the activity is malicious, identify which tools performed the scan and determine how they were installed on the system.

Mitigation

  1. Monitor the device for scanning tools.

  2. If scanning is unauthorized, isolate the device from the network.

  3. Remove any malicious software identified on the device.

Anomaly - Data Transfer

Severity: Variable (depends on anomaly score)

Reason: An interaction between endpoints transferred an unusually large volume of data.

Investigation

  1. Review the endpoints and traffic type involved in the transfer.

  2. Determine whether the transfer is consistent with business activity or if it could indicate malicious activity.

  3. If suspicious, search notifications and metadata for related activity from the originating host.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Out of Hours

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated outside of standard working hours.

Investigation

  1. Identify the type of action performed and review the endpoints involved.

  2. Verify whether the timing of the activity aligns with user behavior or business needs.

  3. If suspicious, search notifications and metadata for related activity from the originating host.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Unexpected Interaction

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated that had not previously interacted.

Investigation

  1. Review the endpoints and traffic type involved.

  2. Determine whether the activity is expected or consistent with business needs.

  3. If suspicious, search notifications and metadata for signs of attacks involving either endpoint.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Unexpected Port

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated using a port not previously used.

Investigation

  1. Review the endpoints and traffic type involved.

  2. Verify whether the port usage is legitimate or expected.

  3. If suspicious, search notifications and metadata for signs of attacks involving either endpoint.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Unexpected Service

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated using a service not previously used.

Investigation

  1. Review the endpoints and traffic type involved.

  2. Verify whether the service usage is legitimate or expected.

  3. If suspicious, search notifications and metadata for signs of attacks involving either endpoint.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Unexpected Service and Port

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated using a service and port combination not previously used.

Investigation

  1. Review the endpoints and traffic type involved.

  2. Verify whether the activity is legitimate or expected.

  3. If suspicious, search notifications and metadata for signs of attacks involving either endpoint.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

Anomaly - Unusual Context

Severity: Variable (depends on anomaly score)

Reason: Endpoints communicated under unusual circumstances. Details of the context are provided in the notification.

Investigation

  1. Review the endpoints and traffic type involved.

  2. Determine whether the unusual context aligns with legitimate business behavior.

  3. If suspicious, search notifications and metadata for related malicious activity.

Mitigation

  • Benign:

    1. If many false positives occur, adjust the anomaly sensitivity from Settings >> Dyadic Anomaly Event Sensitivity.

  • Malicious:

    1. Disconnect the affected machine from the internet.

    2. Initiate incident response procedures.

ARP Scan Detected

Severity: High

Reason: A host broadcast a large number of ARP requests on the internal network in a suspicious manner.

Investigation

  1. Verify whether the host is expected to perform intensive ARP requests.

  2. Consider that ARP scans are often used by attackers as a stealthy enumeration technique.

  3. Review raw data in packet captures (PCAPs) since automatically extracted ARP PCAPs may be unreliable.

Mitigation

  • Benign:

    1. Whitelist the host as narrowly as possible.

  • Malicious:

    1. Disconnect the host from the network.

    2. Investigate the host for malware, trojans, rootkits, or unauthorized services.

BitTorrent Port Usage

Severity: Low

Reason: A host transferred files using ports associated with BitTorrent traffic. This activity is generally unwanted because BitTorrent is commonly used for unauthorized file sharing.

Investigation

  1. Review the remote IP addresses or domains involved.

  2. Confirm whether the traffic was correctly flagged as BitTorrent.

Mitigation

  1. Prevent the installation or use of BitTorrent clients on workstations.

  2. Block known BitTorrent ports in the firewall.

Blacklist Match Certificate

Severity: Medium

Reason: A certificate used in an SSL connection is associated with known malicious activity.

Investigation

  1. Gather more information about the certificate to check its legitimacy.

  2. Review the data attached to the notification or search metadata for details on the connection and other connections made by the host.

  3. Check for additional suspicious activity involving the same host.

Mitigation

  • Benign

    1. Whitelist the certificate as narrowly as possible, using the certificate hash to avoid false positives.

  • Malicious

    1. Disconnect the infected machine from the network.

    2. Enable Muninn AI Prevent for this notification type to automatically block future connections.

    3. Initiate incident response procedures.

Blacklist Match Domain

Severity: Medium

Reason: A host made a DNS request for a known malicious domain. This activity may indicate that the host is infected and attempting to communicate with a command-and-control server or download malware.

Investigation

  1. Analyze the domain using tools such as VirusTotal.

  2. Perform a full antivirus scan on the host to detect and remove malware.

  3. Search notifications and metadata for related suspicious activity from the same host.

Mitigation

  • Benign

    1. Whitelist the domain as narrowly as possible.

  • Malicious

    1. Block the domain in the firewall.

Blacklist Match File

Severity: High

Reason: A file matching a known malicious hash or filename was transferred over the network.

Investigation

  1. Perform a full antivirus scan on the source host.

  2. Investigate the file being transferred and review both endpoints.

  3. If one endpoint is external, gather details on the domain and its activity.

Mitigation

  • Benign

    1. Whitelist the file hash or name as narrowly as possible.

  • Malicious

    1. Investigate the malware using tools such as VirusTotal.

    2. Review other notifications from the host to determine if other devices are infected.

    3. If linked to an advanced persistent threat, initiate incident response.

Blacklist Match IP Inbound

Severity: Low

Reason: The source IP of an inbound connection is malicious.

Investigation

  1. Gather details on the IP address.

  2. Review notification data or metadata to assess legitimacy.

  3. Search for other suspicious activity involving the same host.

Mitigation

  • Benign

    1. Whitelist the IP address as narrowly as possible.

  • Malicious

    1. Disconnect the infected device from the network.

    2. Enable Muninn AI Prevent to block future malicious connections.

    3. Initiate incident response.

Blacklist Match IP Outbound

Severity: Medium

Reason: The destination IP of an outbound connection is malicious.

Investigation

  1. Gather details on the IP address.

  2. Review notification data or metadata to assess legitimacy.

  3. Search for other suspicious activity involving the same host.

Mitigation

  • Benign

    1. Whitelist the IP address as narrowly as possible.

  • Malicious

    1. Disconnect the infected device from the network.

    2. Enable Muninn AI Prevent to block future malicious connections.

    3. Initiate incident response.

Blacklist Match SSH

Severity: High

Reason: The SSH host key of a server is associated with malicious activity.

Investigation

  1. Gather information about the SSH host key.

  2. Investigate the IP address of the offending host.

  3. Review metadata for related suspicious activity.

  4. Search for other suspicious activity involving the same host.

Mitigation

  • Benign

    1. Whitelist the SSH host key as narrowly as possible.

  • Malicious

    1. Disconnect the infected machine from the network.

    2. Enable Muninn AI Prevent for this notification type.

    3. Initiate incident response.

Cleartext Protocol HTTP

Severity: Low

Reason: An endpoint exchanged sensitive information, including credentials and authentication tokens, over HTTP on TCP port 80. Since HTTP transmits data in cleartext, this information is vulnerable to leakage.

Investigation

  1. Identify the source and destination hosts involved in the HTTP session.

  2. Investigate the external endpoint receiving the traffic.

  3. Analyze metadata or raw traffic for cleartext credentials and other sensitive data.

  4. Verify whether the endpoints are running legacy operating systems or applications that rely on HTTP.

Mitigation

  • Migrate endpoints to HTTPS, HTTP/2, or HTTP/3 using TLS encryption.

  • Isolate legacy systems that depend on HTTP into a management VLAN.

  • Configure servers to redirect HTTP requests to HTTPS.

  • Block outbound HTTP on port 80 unless required.

  • Use proxy servers to control and analyze HTTP traffic.

  • Restrict access to verified administrators through ACLs.

Cleartext Protocol SMBv1

Severity: High

Reason: A system is using Server Message Block version 1 (SMBv1) to share files. SMBv1 lacks encryption and modern signing, making it vulnerable to attacks including credential replay and EternalBlue exploitation.

Investigation

  1. Identify the source and destination hosts involved in the SMBv1 session.

  2. Review the operating system version of the host using SMBv1.

  3. Analyze packet captures (PCAPs) for file-transfer paths and share names.

  4. Investigate the files transferred during the session.

  5. Check for related EternalBlue exploitation attempts.

Mitigation

  • Disable SMBv1 on all systems.

  • Migrate to SMBv3 with NTLMv2 and SMB signing.

  • Segment or isolate legacy systems that require SMBv1.

  • Apply Microsoft security updates (MS17-010 and later).

  • Block anonymous shares through Group Policy Object (GPO).

Cleartext Protocol Telnet

Severity: Medium

Reason: An endpoint used the Telnet protocol on TCP port 23 to log in to another system. Telnet transmits data, including credentials and other sensitive information, in cleartext, leaving it vulnerable to interception.

Investigation

  1. Identify the source and destination hosts involved in the Telnet session.

  2. Analyze traffic on TCP port 23.

  3. Review logs to confirm whether sensitive data was transmitted.

  4. Verify whether the host is a legacy system or embedded device that still relies on Telnet.

Mitigation

  • Disable Telnet.

  • Use SSH as a secure alternative.

  • Isolate legacy systems that require Telnet into a management VLAN.

  • Restrict Telnet access to verified administrators only through Access Control Lists (ACLs).

  • Block TCP port 23 at network firewalls.

Cloud File Sharing Usage

Severity: Low

Reason: A host attempted to connect to a domain associated with online file-sharing services including Google Drive, Dropbox, Box, iCloud, MediaFire, or mega.nz.

Investigation

  1. Use metadata search to review the amount of data transferred and number of DNS requests.

  2. Determine whether use of the service complies with company policy.

Mitigation

  • If policy compliant, whitelist the service for authorized hosts.

  • If policy violation, block traffic to file-sharing domains in the firewall.

Crypto Currencies Mining Pool Activity

Severity: Medium

Reason: A host made a DNS request that matches a known cryptocurrency mining pool.

Investigation

  1. Review metadata to determine whether the activity indicates mining.

Mitigation

  • Benign

    1. Whitelist the request as narrowly as possible.

  • Malicious

    1. Initiate incident response.

    2. Enable Muninn AI Prevent to block future mining activity.

DarkNet or Tor Activity

Severity: High

Reason: Certificates resembling Tor certificates were detected. Tor usage is generally unwanted as it conceals network activity, which may indicate data exfiltration or malicious activity.

Investigation

  1. Investigate the remote hosts to verify whether they are Tor relays.

Mitigation

  • Benign

    1. Whitelist the traffic as narrowly as possible.

  • Malicious

    1. Confirm with the user whether they are aware of Tor usage.

    2. If unauthorized, investigate for breaches and initiate incident response.

DICOM Presentation Data

Severity: Low

Reason: A DICOM message of type P-DATA containing presentation data was detected. The message may be unencrypted.

Investigation

  1. Analyze the DICOM traffic.

  2. Verify whether encryption is in use.

Mitigation

  1. Whitelist the traffic as narrowly as possible.

  2. Verify that the host is authorized to access the data.

  3. Use a secure protocol to prevent plaintext communication.

DNS Multiple Domain Not Found

Severity: Low

Reason: A host received multiple “Domain not found” responses for unique domains within a short time frame. This behavior may indicate command-and-control activity.

Investigation

  1. Review the queried domain names.

  2. Investigate suspicious or unknown domains.

Mitigation

  • Benign

    1. Whitelist the traffic as narrowly as possible.

  • Malicious

    1. Disconnect the infected device from the network.

    2. Disable the malware generating the queries.

    3. Enable Muninn AI Prevent for this notification type.

    4. Initiate incident response.

DNS over HTTPS (DoH) Usage

Severity: Low

Reason: A host resolved DNS queries over DoH. Malware can abuse DoH to conceal its communications.

Investigation

  1. If DoH is unexpected, identify which process generated the traffic.

  2. Determine whether the usage is malicious.

Mitigation

  1. Increase notification severity to High.

  2. Block known DoH providers in proxies and DNS filters.

DNS Tunneling

Severity: High

Reason: Multiple large DNS queries or responses with large payloads were detected. This may indicate DNS tunneling.

Investigation

  1. Review the DNS queries.

  2. Investigate unknown or suspicious domains.

Mitigation

  • Benign

    1. Whitelist the traffic as narrowly as possible.

  • Malicious

    1. Disconnect the infected device from the network.

    2. Disable the malware generating the queries.

    3. Enable Muninn AI Prevent for this notification type.

    4. Initiate incident response.
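The two DNS conditions described above (a burst of unique “Domain not found” responses from one host, and repeated oversized queries that may indicate tunneling) as sliding-window detection logic over sample resolver log lines. This is an added example, not Logpoint NDR's own detection code; the space-separated log format, the 60-second window and the thresholds are assumptions, and the log lines are constructed.

```python
"""Sliding-window DNS detections: NXDOMAIN bursts and oversized queries.
Added example with constructed data; thresholds and log format are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class DnsEvent:
    ts: float      # seconds since epoch
    client: str    # querying host
    qname: str     # queried name
    rcode: str     # NOERROR, NXDOMAIN, ...
    qlen: int      # size of the query in bytes (constructed)


def parse_line(line):
    """Parse one constructed log line: '<ts> <client> <qname> <rcode> <qlen>'."""
    ts, client, qname, rcode, qlen = line.split()
    return DnsEvent(float(ts), client, qname, rcode, int(qlen))


def nxdomain_bursts(events, window=60.0, threshold=5):
    """Return {client: set_of_unique_nxdomain_names} for each client that
    received NXDOMAIN for at least `threshold` distinct names within `window`
    seconds. Repeated lookups of the same failing name (a typo retried) do
    not add to the count; that is what separates a DGA-style burst from noise."""
    pending = defaultdict(deque)   # client -> deque of (ts, qname) in window
    in_window = defaultdict(set)   # client -> names currently in the window
    hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.rcode != "NXDOMAIN" or ev.qname in in_window[ev.client]:
            continue
        dq, names = pending[ev.client], in_window[ev.client]
        dq.append((ev.ts, ev.qname))
        names.add(ev.qname)
        while dq and ev.ts - dq[0][0] > window:   # expire old entries
            _, old = dq.popleft()
            names.discard(old)
        if len(names) >= threshold:
            hits[ev.client] = set(names)
    return hits


def large_query_hosts(events, min_qlen=200, window=60.0, threshold=3):
    """Return {client: max_count} for clients sending at least `threshold`
    queries of `min_qlen` bytes or more within `window` seconds."""
    pending = defaultdict(deque)   # client -> timestamps of large queries
    hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.qlen < min_qlen:
            continue
        dq = pending[ev.client]
        dq.append(ev.ts)
        while dq and ev.ts - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            hits[ev.client] = max(hits.get(ev.client, 0), len(dq))
    return hits


# Constructed sample log: 10.0.0.5 shows a DGA-like burst (one name repeated),
# 10.0.0.7 makes two typo-style failures far apart, 10.0.0.9 sends four
# oversized queries to one zone.
LONG_LABEL = "0123456789abcdef" * 4
SAMPLE_LOG = "\n".join([
    "1700000000 10.0.0.5 kq8s2d.example NXDOMAIN 45",
    "1700000002 10.0.0.5 xp3l9v.example NXDOMAIN 45",
    "1700000004 10.0.0.5 zz0a1b.example NXDOMAIN 45",
    "1700000006 10.0.0.5 kq8s2d.example NXDOMAIN 45",
    "1700000008 10.0.0.5 m7n2c4.example NXDOMAIN 45",
    "1700000010 10.0.0.5 r5t6y7.example NXDOMAIN 45",
    "1700000012 10.0.0.5 u1i2o3.example NXDOMAIN 45",
    "1700000001 10.0.0.7 intranet.corp.example NOERROR 40",
    "1700000003 10.0.0.7 intranat.corp.example NXDOMAIN 40",
    "1700000200 10.0.0.7 intrnet.corp.example NXDOMAIN 40",
] + [f"{1700000020 + 5 * i} 10.0.0.9 {LONG_LABEL}.t.example NOERROR 260"
     for i in range(4)])
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for client, names in nxdomain_bursts(SAMPLE_EVENTS).items():
        print(f"NXDOMAIN burst from {client}: {len(names)} unique names")
    for client, n in large_query_hosts(SAMPLE_EVENTS).items():
        print(f"possible DNS tunneling from {client}: {n} large queries")
```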

DoublePulsar Backdoor Implant

Severity: High

Reason: A host using SMBv1 changed its Multiplex ID (MID) to values between 81 and 83, which is a signature of the DoublePulsar backdoor. This typically follows an EternalBlue exploit.

Investigation

  1. Identify the IP address of the affected host.

  2. Confirm MID values of 81–83 in session metadata.

  3. Verify that the SMB dialect is NT LM 0.12.

  4. Review packet captures for EternalBlue-related opcodes.

  5. Check SIEM logs for signs of lateral movement.

  6. Perform live memory forensics if possible.

  7. Inspect for other signs of compromise and registry artifacts linked to DoublePulsar.

Mitigation

  1. Quarantine or isolate affected hosts.

  2. Disable SMBv1 across all systems.

  3. Upgrade to SMBv3 and enforce signing and encryption.

  4. Apply Microsoft’s MS17-010 security update.

  5. Reset all credentials used on the compromised host.

EternalBlue SMBv1 Exploit Attempt

Severity: High

Reason: A host sent SMBv1 traffic in which an SMB_COM_TRANSACTION2_SECONDARY request was interleaved with an SMB_COM_NT_TRANSACT command. This pattern is consistent with the EternalBlue exploit (CVE-2017-0144), which allows remote code execution without valid credentials.

Investigation

  1. Identify the source and destination hosts involved in the SMBv1 session.

  2. Verify whether SMBv1 is enabled on the destination host.

  3. Review packet data for invalid SMB packets.

  4. Inspect endpoint antivirus or EDR logs for exploitation activity.

Mitigation

  1. Disable SMBv1 across all systems.

  2. Apply Microsoft’s MS17-010 patch.

  3. Isolate the compromised host.

  4. Segment the network to reduce exposure.

EternalChampion SMBv1 Exploit Attempt

Severity: High

Reason: A host sent a rare sequence of SMBv1 commands, including SMB_COM_NT_TRANSACT with the subcommands NT_TRANSACT_RENAME and SMB_COM_NT_TRANSACT_SECONDARY, associated with the EternalChampion exploit, which attempts remote code execution by corrupting memory.

Investigation

  1. Identify the source host and verify its operating system and patch status.

  2. Investigate the use of unusual SMB subcommands including NT_TRANSACT_RENAME and SMB_COM_NT_TRANSACT_SECONDARY.

  3. Check event logs for signs of memory violations or crashes.

  4. Look for evidence of lateral movement or worm-like activity.

Mitigation

  1. Disable SMBv1 unless strictly required.

  2. Apply Microsoft’s MS17-010 patch.

  3. Monitor for SMB subcommands including NT_TRANSACT_RENAME and SMB_COM_NT_TRANSACT_SECONDARY.

  4. Use security tools to detect SMB exploitation techniques.

  5. If exploitation is confirmed, perform incident response and threat hunting across the network.

EternalSynergy SMBv1 Exploit Attempt

Severity: High

Reason: A host sent SMBv1 traffic consistent with the EternalSynergy or EternalRomance exploits, including an SMB_COM_WRITE_ANDX command interleaved with another SMB command. These exploits manipulate system memory to execute code remotely without authentication.

Investigation

  1. Identify the source host that initiated the SMBv1 traffic.

  2. Inspect raw network data and SMB logs.

Mitigation

  1. Disable SMBv1 on all systems.

  2. Apply Microsoft’s MS17-010 security update.

  3. Use intrusion prevention systems or endpoint detection tools to detect the behavior of the Eternal family of exploits.

  4. Isolate the host and perform memory and disk forensics.

  5. Enforce SMBv2 or SMBv3 usage policies.

Event Log Clearing using RPC

Severity: Medium

Reason: A host sent a remote procedure call that may have cleared event logs or forced a reboot to conceal malicious activity.

Investigation

  1. Verify whether the host is a domain controller or administrator workstation.

  2. Review metadata for additional traffic to or from the host.

  3. Determine whether the behavior is legitimate or malicious.

Mitigation

  • Benign

    1. Whitelist the behavior as narrowly as possible.

  • Malicious

    1. Verify that Muninn AI Prevent is blocking further attempts.

    2. Enable or adjust blocking if necessary.

    3. Initiate incident response.

Exfiltration of many files

Severity: Medium

Reason: A host transferred an unusually large number of files from the internal network in a suspicious manner.

Investigation

  1. Examine the nature of the file transfer.

  2. Assess whether the contents of the files and the transfer were business-related.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

    2. Restrict file access if possible.

  • Malicious

    1. Investigate the host for malware, trojans, rootkits, or unauthorized services.

Expired SSL Certificate from External Server

Severity: Low

Reason: An external server presented an expired SSL certificate.

Investigation

  1. Confirm that the certificate is invalid.

  2. Determine whether the server is under your control.

  3. If not, check metadata to ensure the notification relates to a legitimate domain.

Mitigation

  • Internal Services

    1. Implement a process to log certificate expiration dates.

    2. Automate certificate renewal, for example, using ACME.

    3. Enable Muninn notifications for certificates nearing expiration.

  • External Services

    1. If the site is legitimate, block the domain temporarily and notify the site owner.

    2. If the site is malicious, block the domain permanently and enable Muninn AI Prevent.

Expired SSL Certificate from Internal Server

Severity: Medium

Reason: An internal server presented an expired SSL or TLS certificate.

Investigation

  1. Confirm whether the notification is linked to a legitimate internal server.

  2. If the server is unknown, investigate for potential rogue activity.

Mitigation

  • Benign

    1. Implement a process to log certificate expiration dates.

    2. Automate certificate renewal.

    3. Enable Muninn notifications for certificates nearing expiration.

  • Malicious

    1. Initiate incident response.

External DNS Server

Severity: Low

Reason: A host queried a DNS server outside the local network. This may indicate an attempt to bypass monitoring or restrictions.

Investigation

  1. Confirm whether the query was intended for a legitimate internal DNS server.

  2. If strict DNS policies exist, investigate the host for other unusual notifications or requests.

Mitigation

  1. Block external DNS requests in the firewall for all hosts that are not DNS servers.

  2. Enforce internal DNS usage on all workstations.

  3. Whitelist validated internal DNS servers.

  4. Whitelist specific external DNS servers if allowed by policy.

External IMAP Email Server

Severity: Medium

Reason: A host connected to an external IMAP email server. Some malware uses IMAP to communicate with adversary-controlled servers.

Investigation

  1. Verify whether the host normally connects to external IMAP servers.

  2. Review notifications or metadata for related suspicious activity.

Mitigation

  • Benign

    1. Enforce internal IMAP server usage.

    2. Whitelist the external server if approved or allowed under policy.

  • Malicious

    1. Perform a full antivirus scan on the host.

External POP3 Email Server

Severity: Low

Reason: A host connected to an external POP3 email server. Some malware uses POP3 for adversary-controlled communication.

Investigation

  1. Verify whether the host normally connects to external POP3 servers.

  2. Review notifications or metadata for related suspicious activity.

Mitigation

  • Benign

    1. Enforce internal POP3 server usage.

    2. Whitelist the external server if approved or allowed under policy.

  • Malicious

    1. Perform a full antivirus scan on the host.

External SMTP Email Server

Severity: Medium

Reason: A host connected to an external SMTP email server. Some malware uses SMTP for data exfiltration or command-and-control activity.

Investigation

  1. Verify whether the host normally uses SMTP.

  2. Review notifications or metadata for suspicious traffic.

  3. Investigate the remote host to determine whether it is malicious.

Mitigation

  • Benign

    1. Enforce internal SMTP server usage.

    2. Whitelist external SMTP servers if approved by policy.

  • Malicious

    1. Block outbound SMTP for all hosts that are not mail servers.

    2. Investigate SMTP traffic.

    3. Perform a full antivirus scan on the host.

    4. Review other notifications for possible malware spread.

Failed login attempt from an unprecedented country

Severity: Low

Reason: A failed login attempt was detected from a country where the user has no previous login history.

Investigation

  1. Verify whether the attempt was expected.

  2. Check with the user about recent travel or remote access.

Mitigation

  1. If suspicious, block further login attempts.

  2. Reset the affected account password.

  3. Initiate incident response if unauthorized access is suspected.

FTP Brute Force Login

Severity: High

Reason: An FTP server received a large number of failed login attempts within a short period from the same source.

Investigation

  1. Review usernames used in the attempts.

  2. Confirm whether a misconfiguration is responsible.

  3. Investigate the source IP or device.

Mitigation

  1. Limit login attempts from a single source.

  2. Restrict FTP access to specific IP addresses.

  3. Verify that sensitive data is not being transferred over FTP, since it is unencrypted.

FTP Plaintext Credentials

Severity: Medium

Reason: An endpoint transmitted FTP credentials in plaintext. FTP transmits both data and credentials without encryption.

Investigation

  1. Review usernames and passwords sent in plaintext.

  2. Investigate the source device or IP address.

Mitigation

  1. Use SFTP or FTPS instead of FTP.

  2. Restrict FTP server access to specific IP addresses.

  3. Ensure confidential data is not transferred over FTP.

FTP Site Execute Detected

Severity: High

Reason: A successful response to an FTP SITE EXEC command was detected. This command allows execution of server-side commands.

Investigation

  1. Identify which command or executable was run.

  2. Verify whether the execution was expected.

Mitigation

  1. Disable SITE EXEC functionality on the FTP server.

Global Address Scan

Severity: High

Reason: A host attempted to connect to multiple IP addresses on a specific port outside the internal network.

Investigation

  1. Verify whether the host is expected to perform scans, including a vulnerability scanner.

  2. Confirm with the user whether the scan was intentional.

  3. Identify which tools performed the scan and how they were installed.

  4. Check for misconfigurations.

  5. Review notifications and metadata for related suspicious activity.

  6. Investigate the remote IP or domain for known malicious associations.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

  • Malicious

    1. Monitor for scanning tools on the device.

Global Port Scan

Severity: High

Reason: A host attempted to connect to multiple ports on a remote internet host.

Investigation

  1. Verify whether the host is expected to perform scans.

  2. Confirm with the user whether the scan was intentional.

  3. Identify which tools performed the scan and how they were installed.

  4. Check for misconfigurations.

  5. Review notifications and metadata for related suspicious activity.

  6. Investigate the remote IP or domain for known malicious associations.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

  • Malicious

    1. Monitor for scanning tools on the device.
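The three scan conditions in this document (Address Scan Detected: one internal source reaching many internal IPs on one port; Global Address Scan: the same against external IPs; Global Port Scan: one source reaching many ports on one remote host) share one sliding-window distinct-count core, shown here over constructed flow records. This is an added example, not Logpoint NDR's detection code; "internal" is assumed to mean the RFC 1918 ranges, and the 60-second window and threshold of 10 distinct targets are assumed.

```python
"""Sliding-window distinct-target counting for address and port scans.
Added example with constructed flows; ranges, window and thresholds assumed."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumption: the internal network is the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since epoch
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


def _distinct_in_window(flows, key_fn, member_fn, window, threshold):
    """Generic core: for each key (key_fn returns None to skip a flow) count
    distinct members seen within `window` seconds; return {key: max distinct}
    for keys that reached `threshold`. Repeats of a member already in the
    window do not raise the count, so normal repeated traffic stays quiet."""
    pending = defaultdict(deque)                     # key -> (ts, member)
    live = defaultdict(lambda: defaultdict(int))     # key -> member -> n in window
    hits = {}
    for f in sorted(flows, key=lambda x: x.ts):
        key = key_fn(f)
        if key is None:
            continue
        member = member_fn(f)
        dq, counts = pending[key], live[key]
        dq.append((f.ts, member))
        counts[member] += 1
        while dq and f.ts - dq[0][0] > window:       # expire old flows
            _, old = dq.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) >= threshold:
            hits[key] = max(hits.get(key, 0), len(counts))
    return hits


def address_scans(flows, window=60.0, threshold=10):
    """Address Scan Detected: key (src, dport), members = internal dst IPs."""
    return _distinct_in_window(
        flows,
        lambda f: (f.src, f.dport) if is_internal(f.src) and is_internal(f.dst) else None,
        lambda f: f.dst, window, threshold)


def global_address_scans(flows, window=60.0, threshold=10):
    """Global Address Scan: key (src, dport), members = external dst IPs."""
    return _distinct_in_window(
        flows,
        lambda f: (f.src, f.dport) if not is_internal(f.dst) else None,
        lambda f: f.dst, window, threshold)


def port_scans(flows, window=60.0, threshold=10):
    """Global Port Scan: key (src, dst) for an external dst, members = ports."""
    return _distinct_in_window(
        flows,
        lambda f: (f.src, f.dst) if not is_internal(f.dst) else None,
        lambda f: f.dport, window, threshold)


# Constructed flows: 10.0.0.5 sweeps 12 internal hosts on 445, 10.0.0.8 sweeps
# 11 external hosts on 22, 10.0.0.9 probes 15 ports on one external host, and
# 10.0.0.7 is an ordinary file-server client (two hosts, repeated).
SAMPLE_FLOWS = (
    [Flow(1000 + 2 * i, "10.0.0.5", f"10.0.0.{10 + i}", 445) for i in range(12)]
    + [Flow(1100 + i, "10.0.0.8", f"203.0.113.{1 + i}", 22) for i in range(11)]
    + [Flow(1200 + i, "10.0.0.9", "198.51.100.7", 1 + i) for i in range(15)]
    + [Flow(1300, "10.0.0.7", "10.0.0.10", 445), Flow(1301, "10.0.0.7", "10.0.0.10", 445),
       Flow(1302, "10.0.0.7", "10.0.0.11", 445)]
)

if __name__ == "__main__":
    print("address scans:", address_scans(SAMPLE_FLOWS))
    print("global address scans:", global_address_scans(SAMPLE_FLOWS))
    print("global port scans:", port_scans(SAMPLE_FLOWS))
```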

HL7 plaintext Patient Identification

Severity: Medium

Reason: A plaintext HL7 message containing a patient identification segment (PID) was detected.

Investigation

  1. Review the HL7 traffic.

  2. Assess whether sensitive data was exposed.

Mitigation

  1. Whitelist the traffic as narrowly as possible.

  2. Verify that the host is authorized to access the data.

  3. Use a secure protocol to prevent plaintext communication.

HTTP Authentication Brute Force

Severity: High

Reason: A host made frequent failed authentication attempts using different username and password combinations over HTTP.

Investigation

  1. Search HTTP traffic metadata for usernames used.

  2. Determine whether the activity was benign or malicious.

Mitigation

  1. Identify the software responsible for the attempts.

  2. Correct the issue to prevent further attempts.

HTTP crawler detected

Severity: High

Reason: A host made multiple requests for the robots.txt file or generated excessive HTTP GET requests, indicating crawling activity.

Investigation

  1. If the crawler is internal, identify the software responsible.

  2. If external, review the IP reputation.

Mitigation

  1. Remove unauthorized crawling software.

  2. Block external crawlers at the firewall.

HTTP SQL injection detected

Severity: High

Reason: Multiple SQL injection attempts were detected against a server.

Investigation

  1. Confirm whether the requests are valid SQL injection attempts.

  2. Determine whether any of the requests received a successful response (HTTP status 200).

  3. Check for other connections from the attacking IP.

Mitigation

  1. Conduct a full web application security assessment.

  2. Patch or update vulnerable applications.

  3. Deploy a web application firewall to block SQL injection attempts.

  4. Block the attacking IP if not associated with a trusted hosting provider.

HTTP SQL injection victim detected

Severity: High

Reason: A server responded successfully to one or more SQL injection attempts, indicating that the application may be vulnerable.

Investigation

  1. Confirm whether the requests are valid SQL injection attempts.

  2. Determine whether any of the requests received a successful response (HTTP status 200).

  3. Check for other connections from the attacking IP.

Mitigation

  1. Conduct a full web application security assessment.

  2. Patch or update vulnerable applications.

  3. Deploy a web application firewall to block SQL injection attempts.

  4. Block the attacking IP if not associated with a trusted hosting provider.

Impossible Travel Detected

Severity: Medium

Reason: A user logged in to an MS365 account from two locations that are geographically too far apart for the given timespan. This may indicate a credential breach, but it could also be caused by legitimate VPN or proxy usage.

Investigation

  1. Review login timestamps, IP addresses, and geolocation data.

  2. Confirm with the user where they were physically located at the times of the logins.

  3. Check whether VPN or proxy connections were used.

  4. Check for other suspicious logins using the same account.

Mitigation

  • Benign

    1. Confirm the login activity with the user to verify it is legitimate.

    2. Document the verification and ensure no further action is needed.

    3. Adjust the impossible travel policy thresholds if needed to reduce unnecessary alerts.

  • Malicious

    1. Suspend the user account, mark the account as compromised, and reset the password.
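
The check behind this notification is a speed calculation: the great-circle distance between the two login geolocations divided by the time between them. The following added example (not Logpoint NDR's or Microsoft's own implementation) performs that calculation over constructed MS365 sign-in records and carries the VPN caveat from the investigation steps: the VPN egress set, the 1000 km/h threshold, and the record field names are all assumptions for the example.

```python
import math
from datetime import datetime, timezone

# Constructed MS365 sign-in records for one account (not real data). Geolocation
# comes from the sensor's IP lookup; the VPN egress geolocates to the concentrator.
SAMPLE_LOGINS = [
    {"user": "a.user@example.com", "time": "2024-05-01T08:02:00Z", "ip": "198.51.100.10",
     "lat": 55.6761, "lon": 12.5683, "country": "DK"},    # Copenhagen, home broadband
    {"user": "a.user@example.com", "time": "2024-05-01T08:47:00Z", "ip": "203.0.113.44",
     "lat": 40.7128, "lon": -74.0060, "country": "US"},   # New York, 45 minutes later
    {"user": "a.user@example.com", "time": "2024-05-01T12:30:00Z", "ip": "192.0.2.200",
     "lat": 55.6761, "lon": 12.5683, "country": "DK"},    # company VPN egress
]

# Assumed: egress addresses of the company VPN. A login from one of these says where the
# concentrator is, not where the user is, so pairs involving them are marked for discounting.
KNOWN_VPN_EGRESS = {"192.0.2.200"}

MAX_SPEED_KMH = 1000.0   # policy threshold; anything faster than an airliner is "impossible"
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, vpn_egress=KNOWN_VPN_EGRESS):
    """Compare each consecutive pair of logins per user. Returns one finding per pair whose
    implied speed exceeds the threshold; pairs involving a known VPN egress are reported
    with vpn_involved=True so the analyst can discount them (investigation step 3)."""
    findings = []
    by_user = {}
    for rec in sorted(logins, key=lambda r: r["time"]):
        by_user.setdefault(rec["user"], []).append(rec)
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (parse_ts(cur["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({
                    "user": user, "from": prev["ip"], "to": cur["ip"],
                    "distance_km": round(km), "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "vpn_involved": prev["ip"] in vpn_egress or cur["ip"] in vpn_egress,
                })
    return findings
```

The first pair (Copenhagen to New York in 45 minutes) implies roughly 8000 km/h with no VPN involved and is the one worth a call to the user; the second pair also exceeds the threshold but ends at the VPN egress, which is the benign case the mitigation describes.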

Invalid SSL Certificate from External Server

Severity: Medium

Reason A certificate from an external server could not be validated. The notification provides details on why the certificate is considered invalid.

Investigation

  1. Identify why the certificate was invalid.

  2. Determine which external server presented the invalid certificate.

  3. Gather more details on the traffic flowing to the server by reviewing metadata.

  4. Verify that the internal host did not connect to a malicious domain; few legitimate external servers present invalid certificates.

Mitigation

  1. If the server is company-owned and uses a certificate issued by your internal root CA, whitelist this notification category for that server.

  2. Ensure the whitelist includes both the reason the certificate is not valid and the CommonName of valid certificates.

  3. If the external service is malicious, block it in the firewall and consider enabling automated prevention.

Invalid SSL Certificate from Internal Server

Severity: Low

Reason A certificate from an internal server could not be validated. The notification provides details on why the certificate is considered invalid.

Investigation

  1. Identify why the certificate was invalid.

  2. Determine which internal service presented the invalid certificate by reviewing Logpoint NDR’s asset table.

  3. Collect more details on the server traffic using metadata search.

Mitigation

  1. If you are using your own root CA not trusted by Logpoint NDR, whitelist this category for relevant hosts.

  2. When whitelisting, specify the reason the certificate is not valid and the CommonName of valid certificates.
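
Both certificate categories above hinge on two things: the specific reason the certificate failed validation, and an allowlist keyed on that reason together with the expected CommonName. The following added example (not Logpoint NDR's validation code) shows that logic over constructed certificate metadata; the trust store, the record field names and the 30-day expiry window are assumptions, and the expiry and not-yet-valid reasons also cover the corresponding "Not yet valid" and "Soon to expire" categories later on this page.

```python
from datetime import datetime, timedelta, timezone

# Assumed trust store: a couple of public roots. The company's internal root CA is
# deliberately absent, which is what makes the intranet certificate "invalid" to the sensor.
TRUSTED_ISSUERS = {"CN=DigiCert Global Root G2", "CN=ISRG Root X1"}
EXPIRY_WINDOW_DAYS = 30   # matches the "soon to expire" categories further down

# Constructed certificate metadata as a sensor would extract it from a TLS handshake.
SAMPLE_CERTS = [
    {"server": "10.0.5.20", "sni": "intranet.corp.example", "cn": "intranet.corp.example",
     "san": ["intranet.corp.example"], "issuer": "CN=Example Corp Internal Root CA",
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2026-01-01T00:00:00Z"},
    {"server": "203.0.113.9", "sni": "login.example.net", "cn": "update-service.example",
     "san": ["*.update-service.example"], "issuer": "CN=ISRG Root X1",
     "not_before": "2024-06-01T00:00:00Z", "not_after": "2024-06-20T00:00:00Z"},
    {"server": "203.0.113.9", "sni": "api.example.org", "cn": "api.example.org",
     "san": ["api.example.org"], "issuer": "CN=ISRG Root X1",
     "not_before": "2024-07-01T00:00:00Z", "not_after": "2025-07-01T00:00:00Z"},
]

# An allowlist entry names the server, the reason being suppressed AND the expected
# CommonName, so a different certificate on the same host (a rogue self-signed one, say)
# still raises the notification.
ALLOWLIST = [
    {"server": "10.0.5.20", "reason": "untrusted_issuer", "cn": "intranet.corp.example"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def name_matches(hostname, names):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    h = hostname.lower()
    for n in (x.lower() for x in names):
        if n.startswith("*."):
            if h.count(".") == n.count(".") and h.endswith(n[1:]):
                return True
        elif h == n:
            return True
    return False


def invalid_reasons(cert, now, trusted_issuers=TRUSTED_ISSUERS):
    """Every reason the certificate fails validation, in a fixed order."""
    reasons = []
    if cert["issuer"] not in trusted_issuers:
        reasons.append("untrusted_issuer")
    not_before, not_after = parse_ts(cert["not_before"]), parse_ts(cert["not_after"])
    if now < not_before:
        reasons.append("not_yet_valid")
    elif now > not_after:
        reasons.append("expired")
    elif not_after - now <= timedelta(days=EXPIRY_WINDOW_DAYS):
        reasons.append("expiring_soon")
    if not name_matches(cert["sni"], [cert["cn"]] + cert["san"]):
        reasons.append("name_mismatch")
    return reasons


def suppressed(cert, reason, allowlist=ALLOWLIST):
    return any(e["server"] == cert["server"] and e["reason"] == reason and e["cn"] == cert["cn"]
               for e in allowlist)


def evaluate(certs, now, allowlist=ALLOWLIST):
    """Reasons that should still alert per server/CN after the allowlist is applied."""
    out = []
    for c in certs:
        remaining = [r for r in invalid_reasons(c, now) if not suppressed(c, r, allowlist)]
        if remaining:
            out.append({"server": c["server"], "cn": c["cn"], "reasons": remaining})
    return out
```

Evaluated on 10 June 2024, the intranet certificate is suppressed by its allowlist entry, while the same host presenting a certificate with a different CommonName would still alert; the external server shows both an expiring certificate and a name that does not match the SNI, the combination that most often marks a malicious or hijacked endpoint.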

Kerberoasting TGS Tickets

Severity: Medium

Reason A host requested an unusually large number of Ticket Granting Service (TGS) tickets, the pattern used to harvest them for Kerberoasting. Each service ticket is encrypted with a key derived from the service account's password, so the tickets can be taken offline and cracked to recover those passwords; RC4-encrypted tickets (etype 0x17) are by far the quickest to crack.

Investigation

  1. Verify whether the host is expected to request TGS tickets.

  2. Confirm the host configuration for automated tasks.

  3. Investigate the host for backdoors, remote access trojans (RATs), or other malware.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

    2. Adjust thresholds and timeframes for this notification.

  • Malicious

    1. Rotate the passwords of the service accounts whose tickets were requested, since those tickets may already be under offline attack.

    2. Use service account passwords longer than 25 characters and configure the accounts for AES encryption types so that RC4 tickets are no longer issued for them.

    3. Implement (Group) Managed Service Accounts to enforce automatic password changes and delegated SPN management.

Kerberos Failed Attempts

Severity: Medium

Reason Multiple failed Kerberos authentication requests were detected within a short period.

Investigation

  1. Verify whether the failures are caused by configuration errors.

  2. Determine whether the failures were generated by a legitimate user.

  3. Search for additional suspicious activity from the same host.

Mitigation

  1. Fix any configuration errors.

  2. Ensure the affected host is publicly accessible only if necessary.

  3. If the host must be publicly accessible, enforce strong security controls and whitelist the notification where applicable.

Kerberos User Enumeration

Severity: Medium

Reason A host attempted to enumerate valid users in Active Directory. This behavior often precedes brute force attacks or Kerberoasting.

Investigation

  1. Verify whether the host is authorized to perform user enumeration.

  2. Confirm whether the host is configured correctly for automated tasks.

  3. Investigate the host for backdoors, remote access trojans (RATs), or malware.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

  • Malicious

    1. Block the host’s network access.

    2. Investigate the host for malware, trojans, or rootkits.
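
The three Kerberos categories above (Kerberoasting TGS Tickets, Kerberos Failed Attempts, Kerberos User Enumeration) are all bursts of one kind of KDC event from one source within a short window. The following added example, written for this page rather than taken from Logpoint NDR, runs the three detections over constructed domain-controller events; the field names, thresholds and 60-second window are assumptions chosen for illustration, not the product's values.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

RC4_HMAC = "0x17"                        # TicketEncryptionType in 4769
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"      # 4768 failure code: account does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"          # 4768 failure code: wrong password


def _ev(t, eid, ip, acct, status, svc="", etype=""):
    return {"t": t, "id": eid, "ip": ip, "acct": acct, "status": status, "svc": svc, "etype": etype}


# Constructed Security events (4768 = TGT request, 4769 = service ticket request).
SAMPLE_EVENTS = [
    # 10.0.7.33 pulls RC4 service tickets for five different SPNs in five seconds
    _ev("2024-05-02T09:00:01Z", 4769, "10.0.7.33", "j.doe", "0x0", "MSSQLSvc/db01.corp.example:1433", RC4_HMAC),
    _ev("2024-05-02T09:00:02Z", 4769, "10.0.7.33", "j.doe", "0x0", "MSSQLSvc/db02.corp.example:1433", RC4_HMAC),
    _ev("2024-05-02T09:00:03Z", 4769, "10.0.7.33", "j.doe", "0x0", "HTTP/web01.corp.example", RC4_HMAC),
    _ev("2024-05-02T09:00:04Z", 4769, "10.0.7.33", "j.doe", "0x0", "exchangeMDB/mail01.corp.example", RC4_HMAC),
    _ev("2024-05-02T09:00:05Z", 4769, "10.0.7.33", "j.doe", "0x0", "vmware/vc01.corp.example", RC4_HMAC),
    # an ordinary AES (0x12) ticket for a file share
    _ev("2024-05-02T09:00:10Z", 4769, "10.0.7.50", "m.roe", "0x0", "cifs/fs01.corp.example", "0x12"),
    # 10.0.9.5 probes account names: five KDC_ERR_C_PRINCIPAL_UNKNOWN replies
    _ev("2024-05-02T09:05:00Z", 4768, "10.0.9.5", "admin", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev("2024-05-02T09:05:01Z", 4768, "10.0.9.5", "administrator", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev("2024-05-02T09:05:02Z", 4768, "10.0.9.5", "backup", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev("2024-05-02T09:05:03Z", 4768, "10.0.9.5", "svc_sql", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev("2024-05-02T09:05:04Z", 4768, "10.0.9.5", "test", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    # then four pre-authentication failures against one real account
    _ev("2024-05-02T09:06:00Z", 4768, "10.0.9.5", "j.doe", KDC_ERR_PREAUTH_FAILED),
    _ev("2024-05-02T09:06:01Z", 4768, "10.0.9.5", "j.doe", KDC_ERR_PREAUTH_FAILED),
    _ev("2024-05-02T09:06:02Z", 4768, "10.0.9.5", "j.doe", KDC_ERR_PREAUTH_FAILED),
    _ev("2024-05-02T09:06:03Z", 4768, "10.0.9.5", "j.doe", KDC_ERR_PREAUTH_FAILED),
    # a single typo from a real user: below every threshold
    _ev("2024-05-02T09:10:00Z", 4768, "10.0.7.50", "m.roe", KDC_ERR_PREAUTH_FAILED),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _bursts(events, select, item, threshold, window_s, distinct=True):
    """Flag a client IP once `threshold` events accepted by `select` (distinct `item`
    values if distinct=True, otherwise raw count) fall inside a sliding window."""
    recent, flagged = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["t"]):
        if not select(e):
            continue
        t = parse_ts(e["t"])
        q = recent[e["ip"]]
        q.append((t, item(e)))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        items = [i for _, i in q]
        n = len(set(items)) if distinct else len(items)
        if n >= threshold and e["ip"] not in flagged:
            flagged[e["ip"]] = sorted(set(items))
    return flagged


def kerberoasting(events, threshold=5, window_s=60):
    """Many distinct SPNs requested with RC4 from one host: the harvesting pattern."""
    return _bursts(events, lambda e: e["id"] == 4769 and e["etype"] == RC4_HMAC and e["status"] == "0x0",
                   lambda e: e["svc"], threshold, window_s)


def user_enumeration(events, threshold=5, window_s=60):
    """Many distinct non-existent principals from one host."""
    return _bursts(events, lambda e: e["id"] == 4768 and e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN,
                   lambda e: e["acct"], threshold, window_s)


def failed_preauth(events, threshold=4, window_s=60):
    """Repeated wrong-password failures from one host; reports the accounts targeted."""
    return _bursts(events, lambda e: e["id"] == 4768 and e["status"] == KDC_ERR_PREAUTH_FAILED,
                   lambda e: e["acct"], threshold, window_s, distinct=False)
```

Each detector returns the source IP with the SPNs or accounts involved, which is exactly what the "whitelist the host as narrowly as possible" mitigation needs; shrinking the window (the last assertion) shows how the threshold and timeframe adjustments interact.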

Large amount of data sent as e-mail attachment

Severity: Low

Reason A user sent an unusually large volume of data as email attachments.

Investigation

  1. Confirm with the user whether the email attachments are legitimate and expected.

Mitigation

  1. Dismiss the notification if the behavior is benign.

Large amount of e-mails sent

Severity: Low

Reason A user sent an unusually large number of emails.

Investigation

  1. Verify with the user whether this volume of email activity is expected.

Mitigation

  1. Block email transmission if required.

Large amount of files downloaded

Severity: Low

Reason A user downloaded an unusually high number of files.

Investigation

  1. Verify that the user is authorized to download such a volume of files.

Mitigation

  1. Dismiss the notification if the file downloads are legitimate.

Large amount of mail attachment sent

Severity: Low

Reason A user sent an unusually high number of email attachments. This may indicate data exfiltration.

Investigation

  1. Check whether the attachments contain confidential information.

  2. Verify whether the recipient is legitimate.

Mitigation

  1. Dismiss the notification if the activity is benign.

Large transfer downloaded from external host

Severity: Low

Reason More than 300 MB was downloaded from an external host.

Investigation

  1. Verify that the host is authorized to download from this external server.

Mitigation

  1. Whitelist servers for which large downloads are acceptable.

Large transfer downloaded from internal host

Severity: Medium

Reason A substantial amount of data was downloaded from an internal host.

Investigation

  1. Confirm that the host is authorized to download from this internal server.

Mitigation

  1. Whitelist servers for which large downloads are acceptable.

Large transfer sent to external host

Severity: Medium

Reason A substantial amount of data was uploaded to an external host.

Investigation

  1. Confirm that the host is authorized to upload data to this external server.

  2. Review related metadata for protocol-specific details to better understand the transfer.

Mitigation

  1. Whitelist servers for which large uploads are acceptable.

Large transfer sent to internal host

Severity: Low

Reason A substantial amount of data was uploaded to an internal host.

Investigation

  1. Confirm that the host is authorized to upload data to this internal server.

  2. Review related metadata for protocol-specific details to better understand the transfer.

Mitigation

  1. Whitelist servers for which large uploads are acceptable.

Lateral Movement using SMB Admin Shares

Severity: Medium

Reason A host wrote a file to an SMB admin share, for example c$, admin$, or ipc$. These shares provide administrative access to Windows machines and may indicate lateral movement.

Investigation

  1. Verify whether the source host is a domain controller or an IT administrator workstation.

  2. Confirm that the write action was legitimate.

Mitigation

  1. If the notification is triggered repeatedly by legitimate requests, whitelist this notification category for the specific source.

  2. If it occurs only between a small set of host pairs, whitelist them individually to narrow the scope.

Local blacklisted executable detected

Severity: High

Reason A host executed a file that matches a known malicious executable.

Investigation

  1. Confirm whether the host is authorized to execute the file.

  2. Check the list of expected files and packages installed on the machine.

  3. Investigate whether the host is infected with backdoors, remote access trojans (RATs), or other types of malware.

Mitigation

  • Benign

    1. Allowlist as narrowly as possible, using patterns such as regex to specify exact files.

  • Malicious

    1. Disconnect the host from the network.

    2. Identify and remove the unauthorized or malicious software package.

    3. Wipe the machine and reinstall a clean system image.

Login from unexpected country

Severity: Low

Reason A user logged in from a country that does not match their usual profile.

Investigation

  1. Verify with the user whether the login was legitimate.

Mitigation

  1. If the user does not confirm legitimacy, suspend the account.

  2. Reset the password.

  3. Identify the appropriate time to safely re-enable the account.

Login from unprecedented country

Severity: Low

Reason A user logged in from a country for the first time. This user has never previously logged in from this location.

Investigation

  1. Confirm with the user whether the login was performed from that country.

Mitigation

  1. Consider creating a user group for frequent travelers.

  2. Import this group into Cloud App Security.

  3. Exclude the group from this alert to reduce false positives.

Misconfigured HTTP basic auth client

Severity: Low

Reason A host generated multiple failed authentication attempts with the same username-password combination in a short period.

Investigation

  1. Check if there is a misconfiguration on the client.

  2. If multiple clients are connecting to the same server, verify whether the server is misconfigured.

Mitigation

  1. Correct the misconfiguration.

New device detected

Severity: Medium

Reason A new device with a unique MAC or IP address was detected on the network. It does not match any previously recognized hosts and could indicate a potential threat in a static environment.

Investigation

  1. Verify if the MAC or IP address exists in the organization’s asset inventory.

  2. Inspect which systems the device communicates with and identify the ports or protocols used.

Mitigation

  1. Isolate the unrecognized device if it does not belong to the inventory.

  2. For environments with frequent dynamic changes (VMs, containers, or auto-scaling), consider placing them in separate VLANs or network segments to reduce noise.

Not yet valid SSL certificate from external server

Severity: Low

Reason An external server presented an SSL certificate that is not yet valid. This could be a misconfiguration, but visiting such sites poses a security risk.

Investigation

  1. Review metadata associated with the notification to identify the affected traffic.

  2. Investigate the domain name for signs of suspicious or malicious behavior.

Mitigation

  1. If the site is legitimate but misconfigured, notify the domain owner to correct the issue.

  2. If the site is malicious, block it in the firewall.

Not yet valid SSL certificate from internal server

Severity: Low

Reason An internal server presented an SSL certificate that is not yet valid. This may be due to misconfiguration or an attacker deploying a rogue web server.

Investigation

  1. Verify when the server first appeared using the asset inventory.

  2. Confirm that the server is legitimate.

Mitigation

  1. If the server is legitimate but misconfigured, fix the certificate.

  2. If the server is malicious, initiate incident response.

NTLM User Password Bruteforce

Severity: High

Reason A host made numerous unsuccessful NTLM authentication attempts in a short period. This could be a brute-force attack or a configuration error.

Investigation

  1. Verify if the same username is being targeted repeatedly.

  2. Check host configuration to determine if legitimate but incorrectly configured software is generating the failures.

  3. Search for additional suspicious activity from the host.

Mitigation

  • Benign

    1. Correct any configuration errors.

  • Malicious

    1. Investigate the source of the brute-force attempts to determine if the network has been compromised.

Old SSL encryption version in use

Severity: Low

Reason A server is using an outdated or unsafe SSL version, which poses a security risk.

Investigation

  1. Determine which server is using the outdated SSL version.

  2. Confirm whether it is running legacy systems that cannot be upgraded.

Mitigation

  1. Upgrade servers and clients to use TLS 1.2 or higher.

  2. Disable insecure SSL protocols on all systems.

OT unknown function codes

Severity: Medium

Reason A host called undocumented or unknown function codes in an OT (Operational Technology) system.

Investigation

  1. Investigate why the host is calling these functions.

  2. Review the PLC ladder logic for unexpected changes.

Mitigation

  1. Disconnect the host from the network if possible.

  2. Review and thoroughly test the source code before deploying to production.

OT write rate exceeded

Severity: Medium

Reason A host generated an unusually high number of write requests in an OT system.

Investigation

  1. Investigate why the write rate was exceeded.

  2. Check which registers were written and whether the write-to-read ratio is appropriate for that device.

  3. Assess whether the write rate is reasonable for the process the host controls.

Mitigation

  1. Disconnect the host from the network if possible.

  2. Review and thoroughly test the source code before deploying to production.

P2P port usage

Severity: Low

Reason Peer-to-peer traffic is suspected because a host transferred files to ports commonly associated with P2P protocols other than BitTorrent. This traffic is often unwanted because it may involve copyright violations.

Investigation

  1. Investigate the remote IP addresses or domains to confirm whether the traffic was correctly identified as P2P.

Mitigation

  1. Prevent the use of P2P clients on workstations.

  2. Block the associated ports in the firewall.

P2P traffic patterns

Severity: Low

Reason Peer-to-peer traffic is suspected because a host transferred large volumes of data across many simultaneous connections. This traffic is often unwanted because it may involve copyright violations.

Investigation

  1. Investigate the remote IP addresses or domains to confirm whether the traffic was correctly identified as P2P.

Mitigation

  1. Prevent the use of P2P clients on workstations.

Persistence using RPC

Severity: Medium

Reason A Remote Procedure Call (RPC) associated with persistent access was executed. Examples include port monitors or DLLs used for remote access. Attackers may exploit these to maintain unauthorized access.

Investigation

  1. Review the RPC endpoint and operation specified in the notification.

  2. Check if the request originated from a domain controller or an IT administrator.

  3. Determine whether legitimate domain policies could explain the activity.

Mitigation

  1. If legitimate requests repeatedly trigger this notification, whitelist the specific source.

  2. If activity occurs only between a few host pairs, whitelist them individually to narrow scope.

Point Anomaly

Severity: Variable (depends on anomaly score)

Reason A connection was flagged as anomalous due to an unusual combination of sent bytes, received bytes, and connection duration.

Investigation

  1. Review the associated metadata to determine whether the behavior indicates malicious activity.

Mitigation

  1. If too many benign alerts occur, lower the sensitivity of the Point Anomaly Event Sensitivity setting.

Port Scan Detected

Severity: High

Reason A host attempted to connect to multiple ports on a remote machine within the local network.

Investigation

  1. Verify whether the host is authorized to perform scans, including a vulnerability scanner or administrator workstation.

  2. Check for configuration errors on the machine.

  3. Review notifications and metadata for other suspicious activity.

Mitigation

  • Benign

    1. Whitelist the host as narrowly as possible.

  • Malicious

    1. Disconnect the host from the network.

    2. Initiate incident response.

    3. Identify and remove the software responsible for the scans.

Possible DCSync Attack

Severity: High

Reason A non-Domain Controller sent an RPC call drsuapi::DRSGetNCChanges to a trusted Domain Controller. This behavior suggests a DCSync attack, where attackers abuse replication protocols to extract NTLM password hashes and Kerberos keys.

Investigation

  1. Identify the source IP that issued the RPC call and confirm it is not a whitelisted Domain Controller.

  2. On the target Domain Controller, check Security Event ID 4662 for use of the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) rights by an account that is not a Domain Controller.

  3. Review Event ID 4673 (a privileged service was called), 4742 (a computer account was changed) and 4724 (an attempt was made to reset an account's password) around the same time.

  4. Search EDR/SIEM logs for tools such as Mimikatz or Impacket.

  5. Capture packet traces to confirm DRSGetNCChanges activity. The DRSUAPI interface is reached over MS-RPC: the client queries the endpoint mapper on TCP 135 and is then directed to a dynamically assigned high port, so filter on both.

Mitigation

  • Benign

    1. If the request comes from a trusted Domain Controller or a known replication account (for example, Azure AD Connect), allowlist that specific principal.

  • Malicious

    1. Isolate the source host and disable the account used in the RPC bind.

    2. Reset the krbtgt password twice, waiting for replication to complete between the two resets, to invalidate forged tickets.

    3. Remove replication rights from non-DC principals.

    4. Enable LSA Protection (RunAsPPL) on Domain Controllers and tier-0 servers. Credential Guard belongs on tier-0 member servers and workstations; it is not supported on Domain Controllers.
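
Investigation steps 1 and 2 amount to a join: find 4662 events where a principal outside the expected set exercised a replication right that returns secrets, then recover the client address from the matching 4624 logon, since 4662 carries no IP. The following added example (not Logpoint NDR's detection) does that over constructed events; the expected-replicator set and the event field names are assumptions, and the third event's property GUID is a constructed placeholder for an unrelated attribute.

```python
# Control-access-right GUIDs that appear in the Properties field of Security Event 4662
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
CONTROL_ACCESS = "0x100"   # 4662 AccessMask for an extended right ("Control Access")

# Assumed: principals that legitimately replicate (DC computer accounts and the Azure AD
# Connect service account). Anything else using Get-Changes-All is a DCSync candidate.
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\svc_aadconnect"}

# Constructed 4662 events. Each carries SubjectLogonId, which joins to the 4624 logon
# event that does carry the client IP.
SAMPLE_4662 = [
    {"t": "2024-05-04T10:00:00Z", "subject": "CORP\\DC02$", "logon_id": "0x3e7",
     "object_type": "domainDNS", "access_mask": "0x100",
     "properties": [f"{{{DS_REPLICATION_GET_CHANGES}}}", f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}"]},
    {"t": "2024-05-04T10:02:13Z", "subject": "CORP\\j.doe", "logon_id": "0x5a1f2",
     "object_type": "domainDNS", "access_mask": "0x100",
     "properties": [f"{{{DS_REPLICATION_GET_CHANGES}}}", f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}"]},
    {"t": "2024-05-04T10:03:40Z", "subject": "CORP\\svc_backup", "logon_id": "0x7c210",
     "object_type": "user", "access_mask": "0x100",
     "properties": ["{11111111-2222-3333-4444-555555555555}"]},   # constructed, unrelated right
]
SAMPLE_4624 = [
    {"logon_id": "0x5a1f2", "account": "CORP\\j.doe", "ip": "10.0.7.33"},
    {"logon_id": "0x7c210", "account": "CORP\\svc_backup", "ip": "10.0.2.40"},
]


def dcsync_candidates(events, expected=EXPECTED_REPLICATORS):
    """4662 events where a principal outside the expected set used a replication right that
    returns secrets. Get-Changes on its own is requested by many tools and is left out."""
    out = []
    for e in events:
        props = {p.strip("{}").lower() for p in e["properties"]}
        leaks_secrets = (DS_REPLICATION_GET_CHANGES_ALL in props
                         or DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET in props)
        if leaks_secrets and e["access_mask"] == CONTROL_ACCESS and e["subject"] not in expected:
            out.append(e)
    return out


def with_source_ip(findings, logons):
    """Investigation step 1: recover the client IP by joining SubjectLogonId to 4624 TargetLogonId."""
    ip_by_logon = {l["logon_id"]: l["ip"] for l in logons}
    return [dict(f, ip=ip_by_logon.get(f["logon_id"], "unknown")) for f in findings]
```

Only the j.doe event survives: DC02$ is an expected replicator, and svc_backup touched an unrelated right. Clearing the expected set (last assertion) shows why the DC allowlist is essential, since every inter-DC replication otherwise looks identical to DCSync.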

RDP brute force external to internal

Severity: Low

Reason An external host attempted multiple usernames or passwords to gain access to an internal computer via RDP. This may represent an initial access attempt by an attacker.

Investigation

  1. Verify whether the host is authorized to access the remote service.

  2. Check if the internal machine shows signs of infection by malware, RATs, or backdoors.

Mitigation

  1. Disable RDP if not required.

  2. Enforce strong password policies.

  3. Limit the number of allowed password attempts.

RDP brute force internal to external

Severity: Medium

Reason An internal host attempted multiple usernames or passwords to connect to an external machine via RDP. This may indicate botnet activity or masquerading.

Investigation

  1. Verify whether the host is authorized to access the external service.

  2. Check if the host shows signs of malware or unauthorized remote tools.

Mitigation

  1. Disable RDP if not required.

  2. Enforce strong password policies.

  3. Limit the number of allowed password attempts.

RDP brute force internal to internal

Severity: High

Reason An internal host attempted multiple usernames or passwords to connect to another internal host via RDP. This may indicate lateral movement by an attacker already inside the network.

Investigation

  1. Verify whether the host is authorized to access the target system.

  2. Check if the machine shows signs of malware, RATs, or backdoors.

Mitigation

  1. Disable RDP if not required.

  2. Enforce strong password policies.

  3. Limit the number of allowed password attempts.

RDP Outgoing Connection

Severity: Low

Reason An RDP connection was established between an internal and an external host.

Investigation

  1. Investigate the remote IP or domain to confirm whether the connection is legitimate.

  2. Verify any unknown IPs or domains involved.

Mitigation

  • Benign

    1. Whitelist as narrowly as possible.

  • Malicious

    1. Disconnect the host from the network.

    2. Identify and disable any malware responsible for the connection.

    3. Consider enabling AI-based prevention to block similar activity in the future.

    4. Initiate incident response.

Remote execution using RPC

Severity: High

Reason A Remote Procedure Call (RPC) associated with remote execution was detected. Attackers often use RPC for lateral movement or privilege escalation.

Investigation

  1. Review the RPC endpoint and operation in the notification.

  2. Verify whether the request came from a domain controller or IT administrator workstation.

  3. Check whether legitimate administrative activity could explain this behavior.

Mitigation

  1. If the notification recurs due to legitimate activity, allowlist the specific source.

  2. For activity between a small set of host pairs, allowlist them individually to narrow the scope.

Reverse SSH

Severity: Medium

Reason A host established a reverse SSH tunnel to an external host. Because the tunnel is initiated from inside the network, it bypasses inbound firewall rules and can expose internal services to the remote end.

Investigation

  1. Validate whether the SSH connection is legitimate.

  2. Review metadata to check for other malicious activities tied to the host.

Mitigation

  • Benign

    1. Whitelist as narrowly as possible.

  • Malicious

    1. Disable the malware or process establishing the tunnel.

    2. Enable Muninn AI Prevent to cut off similar connections.

    3. Initiate incident response procedures.

Secure com password guessing attempts detected

Severity: High

Reason A device made multiple unsuccessful SSH login attempts. Because SSH traffic is encrypted, each attempt is weighted by its inferred likelihood of having failed; a high weighted count indicates brute force or a misconfigured client.

Investigation

  1. Check for configuration errors on the SSH client.

  2. Determine if the attempts originate from a trusted or expected source.

  3. Inspect if the source device has performed other suspicious actions.

Mitigation

  1. Limit login attempts per source.

  2. Restrict access to the SSH server to only necessary devices or IP addresses.

  3. Enforce key-based or certificate-based authentication and disable password authentication.

  4. Disable root logins.

Selective Port Scan

Severity: High

Reason A host scanned for specific ports associated with exploitable services that may serve as attack vectors.

Investigation

  1. Confirm whether the scan was initiated by an authorized administrator or tool.

  2. Check if the host is authorized to perform port scans.

  3. Investigate the host for malware, backdoors, or RATs.

Mitigation

  • Benign

    1. Whitelist the host if the behavior is legitimate.

  • Malicious

    1. Block the host’s network access.

    2. Investigate for scanning tools or malicious software.
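
The three scan categories on this page differ only in what is counted: many ports on one target (Port Scan Detected), many targets on one port (Address Scan Detected), or a handful of exploitable ports across several targets (Selective Port Scan). The following added example, not Logpoint NDR's detector, classifies constructed flow records into those three shapes and applies the narrow allowlist for an authorized scanner; the thresholds, the "interesting" port set and the scanner address are assumptions for the example.

```python
from collections import defaultdict

SELECTIVE_PORTS = {21, 22, 23, 135, 139, 445, 1433, 3389, 5985}  # assumed "interesting" set
PORT_SCAN_MIN_PORTS = 15      # distinct ports on one target
ADDRESS_SCAN_MIN_HOSTS = 10   # distinct targets on one port
SELECTIVE_MIN_PAIRS = 6       # distinct (target, port) pairs, on at least two distinct ports
AUTHORIZED_SCANNERS = {"10.0.6.1"}   # assumed: the vulnerability scanner


def _flows():
    f = [("10.0.3.9", "10.0.3.20", p) for p in range(1, 21)]               # vertical scan
    f += [("10.0.4.7", f"10.0.3.{h}", 445) for h in range(21, 33)]          # horizontal scan on 445
    f += [("10.0.5.2", d, p) for d in ("10.0.3.40", "10.0.3.41")
          for p in (22, 135, 445, 1433, 3389, 5985)]                        # selective scan
    f += [("10.0.6.1", "10.0.3.50", p) for p in range(1, 21)]              # authorized scanner
    f += [("10.0.7.8", "10.0.3.60", 443), ("10.0.7.8", "10.0.3.61", 443)]  # ordinary traffic
    return [{"src": s, "dst": d, "dport": p} for s, d, p in f]


SAMPLE_FLOWS = _flows()   # constructed, not captured traffic


def classify_scans(flows, authorized=AUTHORIZED_SCANNERS):
    ports_per_target = defaultdict(set)   # (src, dst)   -> ports touched
    targets_per_port = defaultdict(set)   # (src, dport) -> hosts touched
    selective = defaultdict(set)          # src          -> (dst, dport) on SELECTIVE_PORTS
    for f in flows:
        ports_per_target[(f["src"], f["dst"])].add(f["dport"])
        targets_per_port[(f["src"], f["dport"])].add(f["dst"])
        if f["dport"] in SELECTIVE_PORTS:
            selective[f["src"]].add((f["dst"], f["dport"]))

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            findings.append({"type": "port_scan", "src": src, "target": dst, "count": len(ports)})
    for (src, port), hosts in targets_per_port.items():
        if len(hosts) >= ADDRESS_SCAN_MIN_HOSTS:
            findings.append({"type": "address_scan", "src": src, "target": port, "count": len(hosts)})
    for src, pairs in selective.items():
        if len(pairs) >= SELECTIVE_MIN_PAIRS and len({p for _, p in pairs}) >= 2:
            findings.append({"type": "selective_port_scan", "src": src,
                             "target": sorted({d for d, _ in pairs}), "count": len(pairs)})
    # Benign case from the mitigation: the authorized scanner is allowlisted by source address only
    return [x for x in findings if x["src"] not in authorized]
```

The horizontal scan on 445 deliberately does not count as a selective scan even though 445 is in the interesting set: a single port across many hosts is an address scan, and the two-port minimum keeps the categories from overlapping.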

SMB Ransomware filename detected

Severity: High

Reason A host wrote or renamed a file on an SMB share with an extension associated with ransomware.

Investigation

  1. Review the filename in the notification description.

  2. Attempt to open the file from an isolated analysis host (never execute it). If it cannot be read, it may have been encrypted by ransomware.

Mitigation

  • Benign

    1. Restore from backup if the file is incorrectly flagged.

    2. Whitelist legitimate file extensions used in your environment.

  • Malicious

    1. Initiate incident response.

SMB Sensitive File

Severity: Medium

Reason A host accessed a file on an SMB share with a potentially sensitive name, for example password.txt.

Investigation

  1. Confirm whether the file contains sensitive or confidential information.

  2. Check if the accessing host is authorized to read the file.

Mitigation

  1. Move sensitive files to secure storage such as a password manager.

  2. Whitelist host-file combinations if legitimate.

  3. Whitelist the file path and server IP if non-sensitive.

SMB Suspicious File Renaming

Severity: High

Reason Multiple files on an SMB share were renamed, written to, or deleted in a short time. This behavior often indicates ransomware attempting to encrypt shared files.

Investigation

  1. Review the filenames and file changes to confirm whether malicious encryption is in progress.

Mitigation

  • Benign

    1. If caused by an automated process, whitelist as narrowly as possible (for example, specific file names).

  • Malicious

    1. Enable Muninn AI Prevent to block the activity.

    2. Disconnect the affected machine from the network.

    3. Initiate incident response.
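
The two ransomware categories above (SMB Ransomware filename detected, SMB Suspicious File Renaming) and the earlier Lateral Movement using SMB Admin Shares category all work from the same SMB file-operation stream. The following added example, not Logpoint NDR's code, runs the three checks over constructed events: the extension list, the 20-operations-in-10-seconds burst rule and the event field names are assumptions for illustration, and the extension allowlist parameter is the benign mitigation from the first category.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry", ".lockbit"}  # assumed sample list
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(c\$|admin\$|ipc\$)(\\|$)", re.I)
BURST_OPS, BURST_WINDOW_S = 20, 10


def _sample():
    base = datetime(2024, 5, 3, 14, 0, 0, tzinfo=timezone.utc)
    evs = []
    # 10.0.2.15 renames 25 spreadsheets to *.locked within five seconds
    for i in range(25):
        evs.append({"t": base + timedelta(milliseconds=200 * i), "src": "10.0.2.15", "op": "rename",
                    "path": f"\\\\fs01\\finance\\q{i}.xlsx", "new_path": f"\\\\fs01\\finance\\q{i}.xlsx.locked"})
    # 10.0.2.30 drops a binary into a workstation's ADMIN$ share
    evs.append({"t": base + timedelta(seconds=30), "src": "10.0.2.30", "op": "write",
                "path": "\\\\ws17\\ADMIN$\\svc.exe", "new_path": None})
    # a backup job writing three .bak files and a user renaming two documents: benign
    for i in range(3):
        evs.append({"t": base + timedelta(seconds=60 + i), "src": "10.0.2.40", "op": "write",
                    "path": f"\\\\fs01\\backup\\db{i}.bak", "new_path": None})
    for i in range(2):
        evs.append({"t": base + timedelta(seconds=90 + i), "src": "10.0.2.50", "op": "rename",
                    "path": f"\\\\fs01\\docs\\draft{i}.docx", "new_path": f"\\\\fs01\\docs\\final{i}.docx"})
    return evs


SAMPLE_EVENTS = _sample()   # constructed, not captured traffic


def ransomware_names(events, allowed_ext=frozenset()):
    """Flag writes/renames whose resulting name carries a known ransomware extension.
    allowed_ext is the allowlist for extensions legitimately used in-house."""
    hits = []
    for e in events:
        name = e["new_path"] or e["path"]
        ext = os.path.splitext(name)[1].lower()
        if ext in RANSOM_EXTENSIONS and ext not in allowed_ext:
            hits.append({"src": e["src"], "file": name, "ext": ext})
    return hits


def rename_bursts(events, ops=BURST_OPS, window_s=BURST_WINDOW_S):
    """Flag a source that renames, writes or deletes `ops` files within `window_s` seconds.
    Returns {src: peak number of operations seen inside one window}."""
    recent, flagged = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["t"]):
        if e["op"] not in ("rename", "write", "delete"):
            continue
        q = recent[e["src"]]
        q.append(e["t"])
        while (e["t"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= ops:
            flagged[e["src"]] = max(flagged.get(e["src"], 0), len(q))
    return flagged


def admin_share_writes(events):
    """Writes to C$, ADMIN$ or IPC$ on another host: the lateral-movement pattern."""
    return [{"src": e["src"], "path": e["path"]} for e in events
            if e["op"] == "write" and ADMIN_SHARE_RE.match(e["path"])]
```

The encrypting host trips both ransomware checks at once, which is the signal to disconnect it; the backup job and the user's two renames stay under the burst threshold, and shrinking the window to one second (last assertion) shows how a too-tight timeframe would miss the burst.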

SMBv1 protocol violation (NT_Rename)

Severity: Medium

Reason A client issued an undefined NT_TRANSACT_RENAME request. This activity is linked to the EternalChampion exploit, which attempts to trigger memory corruption in the Windows kernel.

Investigation

  1. Check if NT_TRANSACT_SECONDARY packets were sent immediately after the NT_TRANSACT_RENAME call.

  2. Review Windows Event Logs for kernel crash codes (for example, BugCheck 0x109 or 0x1E).

  3. If the server crashed, analyze the full memory dump.

  4. Confirm whether penetration testing tools were active at the time.

Mitigation

  1. Quarantine the affected host.

  2. Reset all potentially compromised credentials.

  3. Disable SMBv1 and upgrade to SMBv3.

  4. Enforce SMB signing and encryption on all servers.

  5. Apply MS17-010 and other relevant Windows security patches.

SMBv1 protocol violation (PID/MID tampering)

Severity: Medium

Reason A host using SMBv1 introduced an unknown Process ID (PID) or Multiplex ID (MID) in an active session. This violation may indicate covert channels or precursor traffic for exploits such as DoublePulsar.

Investigation

  1. Validate anomalies in SMB headers.

  2. Inspect the host for unsigned drivers.

  3. Identify the device type (workstation, NAS, printer) and review firmware behavior.

  4. Check for related Eternal-family exploit activity within ±5 minutes.

  5. Review Windows Event Logs for anomalies.

Mitigation

  1. Quarantine the host immediately.

  2. Disable SMBv1 and upgrade to SMBv3.

  3. Enforce SMB signing and encryption.

  4. Apply the latest Windows security patches.

  5. Reset all credentials associated with the compromised host.

SMBv1 protocol violation (TX2 command abuse)

Severity: Medium

Reason A client sent an unsupported TRANSACTION2 sub-command. This pattern is linked to EternalSynergy/EternalRomance exploits or aggressive protocol fuzzing.

Investigation

  1. Correlate the event with process activity on the client.

  2. Review SMB activity leading up to the event for suspicious command chains (for example, WRITE_ANDX).

  3. Inspect server Event Logs for crashes (Event ID 1000) or unexpected reboots (Event ID 6008).

  4. Confirm whether a vulnerability scan or penetration test coincided with the detection.

Mitigation

  1. Quarantine the affected host.

  2. Disable SMBv1 and upgrade to SMBv3.

  3. Enforce SMB signing and encryption.

  4. Apply Windows security patches.

  5. Add IPS/NGFW rules to block undefined SMB Transaction2 sub-commands.

SMBv1 protocol violation (unimplemented command)

Severity: Medium

Reason A host sent an unused or reserved primary command code in SMBv1. Attackers and fuzzers use these opcodes to probe kernel vulnerabilities.

Investigation

  1. Identify the client IP and active user account.

  2. Inspect SMB traffic in Wireshark to analyze the command.

  3. Check for suspicious TRANS2/NT_TRANSACT sequences before the event.

  4. Investigate the client for tools such as Impacket or Cobalt Strike.

  5. Review scheduled tasks and registry entries for persistence mechanisms.

Mitigation

  1. Quarantine the host immediately.

  2. Ensure outdated SMB drivers are not in use.

  3. Disable SMBv1 and upgrade to SMBv3.

  4. Enforce SMB signing and encryption.

  5. Apply the latest Windows security patches.

  6. Reset credentials cached on the host.

Soon to expire SSL certificate from external server

Severity: Low

Reason An external server presented an SSL certificate that is nearing expiration.

Investigation

  1. Review metadata to identify the affected traffic.

  2. Check whether the domain name is suspicious.

Mitigation

  1. If the site is legitimate but misconfigured, notify the domain owner to renew the certificate.

  2. If the site is malicious, block it in the firewall.

Soon to expire SSL certificate from internal server

Severity: Low

Reason An internal server presented an SSL certificate that will expire in 30 days.

Investigation

  1. Identify the server presenting the certificate.

  2. Verify whether the certificate is still valid and intended for use.

Mitigation

  1. Renew the SSL certificate before it expires.

  2. Implement a certificate management process to monitor and track expirations.

SSH External Connection

Severity: Low

Reason An inbound or outbound SSH connection was attempted between an internal and external host. The authentication result may be successful, unsuccessful, or unknown. “Unknown” means the connection closed before authentication or the response was not detected. Since SSH traffic is encrypted, authentication results are inferred.

Investigation

  1. Verify whether this connection is expected and authorized.

  2. Investigate the external host to determine if it is trusted or malicious.

Mitigation

  • Benign

    1. Whitelist the connection as narrowly as possible.

  • Malicious

    1. Identify and disable the software initiating the connection.

    2. Consider enabling Muninn AI Prevent to automatically block the connection.

    3. If the destination server is malicious, initiate incident response.

SSH Failed Attempts

Severity: High

Reason A host recorded repeated SSH login failures. The number of failed attempts compared to successful ones exceeded the threshold within a short period.

Investigation

  1. Check for configuration errors.

  2. Verify whether the attempts came from a legitimate user.

  3. Look for other suspicious activity from the same host.

Mitigation

  1. Fix any configuration issues.

  2. Ensure the host is exposed to the internet only if required.

  3. Restrict SSH access to specific IP addresses or ranges on the local network.

  4. If the host must be publicly accessible, enforce strong security measures and whitelist this notification for that host.

SSH Interesting Hostname Login

Severity: Low

Reason A reverse DNS lookup showed that the source or destination hostname contains terms such as DNS, www, SMTP, POP, IMAP, or FTP. These names are usually tied to services and are not expected to perform manual actions like SSH logins.

Investigation

  1. Verify whether the connection is legitimate.

  2. Confirm that the destination host is intended to be accessible by SSH.

Mitigation

  1. Restrict SSH access to only necessary devices or IP addresses.

  2. Allow only SSH key–based logins.

  3. Disable root login.

Telnet Brute Force Login Detected

Severity: Medium

Reason A host attempted multiple usernames or passwords to gain access to a system via Telnet. This may indicate an attacker trying to establish initial network access. Telnet is insecure because it transmits all data, including passwords, in plaintext.

Investigation

  1. Review the usernames used in the login attempts.

  2. Check for possible misconfigurations.

  3. Confirm whether the host is authorized to access the Telnet service.

  4. Inspect the host for backdoors, Remote Access Trojans (RATs), or other malware.

Mitigation

  1. Discontinue Telnet, or ensure no confidential data is transmitted. Use SSH as a secure alternative.

  2. Limit the number of login attempts from a single source.

  3. Restrict Telnet access to only required devices or IP addresses.

Too many failed login attempts for user

Severity: Medium

Reason Multiple failed login attempts were detected for a user, which may indicate an attempt to compromise a user account.

Investigation

  1. Verify that multi-factor authentication (MFA) is functioning correctly.

  2. Check if a misconfigured application is repeatedly trying to connect with expired credentials.

  3. Confirm whether the user recently changed their password and if outdated credentials are still in use across network shares.

Mitigation

  1. Fix MFA configuration issues.

  2. Renew expired credentials.

  3. Investigate whether network latency is contributing to failed attempts.

Too Many Failed Login Attempts from IP

Severity: Medium

Reason An unusual number of failed login attempts were detected from a single IP address. This may indicate a brute force attack or misconfiguration.

Investigation

  1. Check for configuration errors.

  2. Verify whether the attempts came from a legitimate user.

  3. Look for additional suspicious activity from the same host.

Mitigation

  1. Correct any configuration errors.

  2. If malicious, block the offending IP and investigate further.

Tor exit node connection

Severity: Low

Reason A host has communicated with an external Tor exit node, which could indicate unauthorized or illegal activity.

Investigation

  1. Check the remote hosts to determine if they match known Tor relays.

Mitigation

  • Benign

    1. Whitelist the connection as narrowly as possible if it is legitimate.

  • Malicious

    1. Determine whether the user of the machine is aware of Tor usage.

    2. If the user is unaware, examine the machine for potential security breaches.

Tor middle node communication

Severity: Low

Reason A host has connected to a Tor middle node, indicating the user intends to maintain anonymity.

Investigation

  1. Verify whether the host is indeed connecting to the Tor network.

  2. Determine if there is a legitimate reason for using Tor.

Mitigation

  • Benign

    • Whitelist the connection as narrowly as possible if usage is legitimate.

  • Malicious

    • Investigate whether Tor usage is part of an unauthorized or non-user-initiated activity.

    • If the user is unaware of Tor usage, examine the machine for potential security breaches.

Traceroute Detected

Severity: Medium

Reason A host initiated a traceroute, a network diagnostic tool used to determine the path and round-trip times of connections. This activity is typically limited to system administrators.

Investigation

  1. Confirm whether the host is expected to run traceroute.

  2. If unexpected, investigate the traceroute destination to determine if it is a known server, IP, or domain.

  3. Review metadata for other connections to the same destination.

Mitigation

  1. Restrict traceroute on firewalls for both outbound and internal network segments, allowing exceptions only for validated users and devices.

Vulnerable external SSL connection

Severity: Low

Reason A host initiated a connection to an external server using an outdated SSL/TLS protocol (TLS 1.0 or any SSL version). These protocols are considered insecure.

Investigation

  1. Identify the external server using the old encryption by reviewing metadata associated with this notification and checking SSL metadata for the host.

  2. Use Logpoint NDR’s asset table to determine which software is present on the client, to target remediation effectively.

Mitigation

  1. Ensure connections use TLS 1.2 or higher.

  2. Harden systems and browsers to allow only secure ciphers.

  3. Request support for modern encryption protocols from external services or consider switching to alternatives that use secure encryption.

Vulnerable internal SSL connection

Severity: Medium

Reason A host initiated a connection to an internal server using an outdated SSL/TLS protocol (TLS 1.0 or any SSL version). These protocols are considered insecure.

Investigation

  1. Identify the internal service using the old encryption by reviewing metadata associated with this notification and checking SSL metadata for the host.

  2. Use Logpoint NDR’s asset table to determine which software is present on the client, to target remediation effectively.

Mitigation

  1. Ensure the server supports the latest TLS versions.

  2. If all clients support it, enforce TLS 1.2 or higher on the server.

  3. Harden systems and browsers to allow only secure ciphers.

Weak cipher for encryption

Severity: Medium

Reason A host initiated a connection using the RC4 cipher, which is considered insecure.

Investigation

  1. Determine whether any software or malware is installed on either endpoint of the weakly encrypted connection.

Mitigation

  1. Enforce TLS v1.2 or higher for all internal servers and workstations.

  2. For frequently used external sites employing lower SSL/TLS versions, contact the webmaster to request an upgrade.

Weak key for encryption

Severity: Medium

Reason A host initiated a connection using a weak encryption key shorter than 2048 bits for non-elliptic curve ciphers.

Investigation

  1. Determine whether any software or malware is installed on either endpoint of the weakly encrypted connection.

Mitigation

  1. Enforce TLS v1.2 or higher for all internal servers and workstations.

  2. For frequently used external sites employing lower SSL/TLS versions, contact the webmaster to request an upgrade.

Weak SNMP version detected

Severity: Medium

Reason A host communicated using an insecure SNMP protocol (v1 or v2c), which transmits data in clear text.

Investigation

  1. Identify hosts supporting SNMP v1/v2c by reviewing metadata associated with this notification and SNMP metadata for the host.

  2. Use Logpoint NDR’s asset table to determine which software is present on the client to target remediation effectively.

Mitigation

  1. Disable SNMP v1/v2c in favor of SNMP v3.

  2. If all clients support it, enforce SNMP v3 across the network.
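The five categories from "Vulnerable external SSL connection" through "Weak SNMP version detected" are each a fixed rule applied to per-connection protocol metadata. The script below is an added example, not Logpoint NDR's own detection logic: it encodes the page's stated triggers (TLS 1.0 or any SSL version, with internal targets rated Medium and external ones Low; the RC4 cipher; a non-elliptic-curve key shorter than 2048 bits; SNMP v1 or v2c) over constructed records. The record layout, the field names (`protocol`, `version`, `cipher`, `key_type`, `key_bits`) and the list of networks treated as internal are assumptions for the example. The second function shows the client-side mitigation from the same sections using Python's standard `ssl` module: a context that refuses anything below TLS 1.2 and excludes RC4.

```python
"""Protocol-hygiene checks over connection metadata, plus a hardened TLS client context.

Added example, not part of the Logpoint NDR documentation. Record layout, field
names and the internal network list are assumptions chosen for the example.
"""
import ipaddress
import ssl

# Assumed definition of "internal" for the example; a deployment uses its own ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Triggers stated on the page: TLS 1.0 or any SSL version; RC4; SNMP v1/v2c; key < 2048 bits (non-EC).
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}
WEAK_SNMP_VERSIONS = {"v1", "v2c"}
MIN_NON_EC_KEY_BITS = 2048

# Constructed sample metadata records. Not real traffic.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.10", "protocol": "tls", "version": "TLSv1.0",
     "cipher": "ECDHE-RSA-AES128-SHA", "key_type": "RSA", "key_bits": 2048},
    {"src_ip": "10.0.0.12", "dst_ip": "10.0.5.20", "protocol": "tls", "version": "TLSv1.2",
     "cipher": "RC4-SHA", "key_type": "RSA", "key_bits": 1024},
    {"src_ip": "10.0.0.30", "dst_ip": "10.0.5.21", "protocol": "tls", "version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "key_type": "EC", "key_bits": 256},
    {"src_ip": "10.0.0.40", "dst_ip": "10.0.9.1", "protocol": "snmp", "version": "v2c"},
    {"src_ip": "10.0.0.40", "dst_ip": "10.0.9.2", "protocol": "snmp", "version": "v3"},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def evaluate(record):
    """Return the (notification, severity) pairs a single metadata record triggers, in rule order."""
    findings = []
    if record.get("protocol") == "tls":
        if record.get("version") in WEAK_TLS_VERSIONS:
            if is_internal(record["dst_ip"]):
                findings.append(("Vulnerable internal SSL connection", "Medium"))
            else:
                findings.append(("Vulnerable external SSL connection", "Low"))
        if "RC4" in record.get("cipher", "").upper():
            findings.append(("Weak cipher for encryption", "Medium"))
        key_bits = record.get("key_bits")
        # The key-size rule applies to non-elliptic-curve keys only (EC keys are short by design).
        if key_bits is not None and record.get("key_type") != "EC" and key_bits < MIN_NON_EC_KEY_BITS:
            findings.append(("Weak key for encryption", "Medium"))
    elif record.get("protocol") == "snmp":
        if record.get("version") in WEAK_SNMP_VERSIONS:
            findings.append(("Weak SNMP version detected", "Medium"))
    return findings


def hardened_client_context():
    """Client-side mitigation: TLS 1.2 or higher only, RC4 and other weak suites excluded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!RC4:!MD5:!3DES")
    return ctx


def context_summary(ctx):
    """Plain-data view of a context so the hardening can be checked without a network."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "rc4_ciphers": [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]],
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src_ip"], "->", rec["dst_ip"], evaluate(rec))
    print(context_summary(hardened_client_context()))
```

`WEAK_TLS_VERSIONS` mirrors the trigger the page states (TLS 1.0 or any SSL version); since the mitigation steps set TLS 1.2 as the floor, a deployment that also wants to see TLS 1.1 connections adds `"TLSv1.1"` to that set.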

Zerologon attempt

Severity: Medium

Reason A host initiated a high number of Netlogon attempts within a short period, indicating an attempt to exploit the Zerologon vulnerability CVE-2020-1472. This vulnerability allows an unauthenticated attacker to impersonate a domain controller and take control of the domain.

Investigation

  1. Identify the host initiating the Netlogon attempts.

  2. Inspect Windows Event logs for any signs of Zerologon-related activity, including Event IDs 5827, 5828, and 5829.

Mitigation

  1. Isolate the host initiating the Netlogon requests.

  2. Patch all domain controllers and servers with Microsoft’s fix for CVE-2020-1472 released in August 2020.

  3. Audit domain controllers to prevent unauthorized changes.

  4. Segment legacy systems and restrict access to a management VLAN using access control lists.

Zerologon Password Change

Severity: High

Reason A host initiated a high number of Netlogon login attempts and successfully changed the password on a domain controller, indicating full exploitation of the Zerologon vulnerability CVE-2020-1472.

Investigation

  1. Identify the host initiating the Netlogon attempts.

  2. Inspect Windows Event logs for password change events, including Event ID 4742.

Mitigation

  1. Reset the account password on the affected domain controller through Active Directory.

  2. Isolate the compromised host from the network.

  3. Patch all domain controllers and servers with Microsoft’s fix for CVE-2020-1472.
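The two Zerologon categories differ only in whether the burst of Netlogon activity is followed by a password change on the domain controller's computer account, and the investigation steps for both point at the same Windows event IDs (5827, 5828, 5829 for Netlogon secure-channel connections, 4742 for a computer-account change). The script below is an added example, not part of the Logpoint NDR documentation: it triages exported event records by account, rates a burst of Netlogon events as "Zerologon attempt" and escalates to "Zerologon Password Change" when a 4742 for the same account follows. The records are a constructed, simplified rendering of exported events (only `EventID`, `TimeCreated` and a single `account` field), and the burst threshold of 20 events within 60 seconds is an assumption for the example.

```python
"""Triage of Zerologon-related Windows events: Netlogon burst, then computer-account password change.

Added example, not part of the Logpoint NDR documentation. The record layout
and the burst threshold are assumptions chosen for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

NETLOGON_EVENT_IDS = {5827, 5828, 5829}   # Netlogon secure-channel events named on the page
PASSWORD_CHANGE_EVENT_ID = 4742           # computer account changed, named on the page


def _build_sample_events():
    """Constructed records: 40 Netlogon events for DC01$ in 20 s, then a 4742 for DC01$, plus noise."""
    base = datetime(2020, 9, 15, 14, 0, 0)
    events = [
        {"EventID": 5829, "TimeCreated": (base + timedelta(milliseconds=500 * i)).isoformat(),
         "account": "DC01$"}
        for i in range(40)
    ]
    events.append({"EventID": PASSWORD_CHANGE_EVENT_ID,
                   "TimeCreated": (base + timedelta(seconds=25)).isoformat(), "account": "DC01$"})
    # A single Netlogon event for a workstation account: ordinary, should not alert.
    events.append({"EventID": 5829, "TimeCreated": (base + timedelta(minutes=10)).isoformat(),
                   "account": "WS07$"})
    return events


SAMPLE_EVENTS = _build_sample_events()


def peak_rate(timestamps, window):
    """Most timestamps (sorted) that fall inside any interval of length `window`."""
    recent, peak = deque(), 0
    for ts in timestamps:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def triage_zerologon(events, window=timedelta(seconds=60), threshold=20):
    """Return one finding per account whose Netlogon burst reaches `threshold` events within `window`."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append((datetime.fromisoformat(e["TimeCreated"]), e["EventID"]))

    findings = []
    for account, items in by_account.items():
        items.sort()
        netlogon_ts = [ts for ts, eid in items if eid in NETLOGON_EVENT_IDS]
        burst = peak_rate(netlogon_ts, window)
        if burst < threshold:
            continue
        # A 4742 for the same account after the burst began marks a completed password change.
        changes = [ts for ts, eid in items
                   if eid == PASSWORD_CHANGE_EVENT_ID and ts >= netlogon_ts[0]]
        if changes:
            findings.append({"category": "Zerologon Password Change", "severity": "High",
                             "account": account, "netlogon_events": burst,
                             "password_changed_at": changes[0].isoformat()})
        else:
            findings.append({"category": "Zerologon attempt", "severity": "Medium",
                             "account": account, "netlogon_events": burst})
    return findings


if __name__ == "__main__":
    for finding in triage_zerologon(SAMPLE_EVENTS):
        print(finding)
```

The escalation rule follows the page's two severities: a burst alone is Medium and calls for isolating the source and patching, while a burst followed by a 4742 on the same account is High and additionally requires resetting that account's password through Active Directory.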
