FA Bulletin Boards
FA algorithms post to one of three bulletin boards, depending on the importance of the detection and the likelihood that the host has been compromised. The bulletin boards are:
- Policy Events
- Indicators of Compromise (IOC)
- Security Events
Policy Events
Algorithms that post to this bulletin board detect network traffic that generally has no direct security implications but may violate network policy. The following algorithms are posted to the Policy Events BB by default:
- Excessive Jitter
- Multicast Violations
- IP Address Violation
- P2P Detection
Indicators of Compromise (IOC)
The algorithms that post to the IOC bulletin board (BB) indicate possible malware activity, but with insufficient confidence to raise a security event alarm. This bulletin board should be reviewed periodically to pick up recent changes. If multiple IOCs are associated with a single host, they may generate an “Indicator Correlation Event” alarm, which is posted to the Security Events BB. This is discussed in more detail below. The following algorithms are posted to the IOC BB by default:
- Breach Attempt Detection
- DNS Hits
- ICMP Port Unreachable
- ICMP Destination Unreachable
- Denied Flows
- Domain Reputation
- FIN Scan
- NULL Scan
- Odd TCP Flags Scan
- Persistent Flow Risk
- RST/ACK Scan
- SYN Scan
- TCP Scan
- UDP Scan
- XMAS Scan
Security Events
The algorithms that post to the Security Events bulletin board are high-confidence detections that a host is compromised. Any event posted to this bulletin board should be investigated. The following algorithms are posted to the Security Events BB by default:
- BotNet Detection
- DDoS Detection
- DRDoS Detection
- DNS Command and Control Detection
- DNS Data Leak
- Indicator Correlation Event
- Malware Behavior Detection
- Malware Domain Communications
- Host Reputation (Tor, Blackhole, Malware C&C Server, and user defined)
Note
Edit the policy for any algorithm to change the Bulletin Board from the default settings.
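An added example (not the product's own code) that models the default board routing listed above, the per-algorithm override described in the Note, and the escalation of multiple IOCs on one host into an Indicator Correlation Event. The threshold of two distinct IOC algorithms and the 3600-second correlation window are assumptions, since the page does not state them.

```python
# Added example, not the product's own code: it models the default board
# routing listed on this page, the per-algorithm override from the Note, and
# the escalation of several IOCs on one host into an Indicator Correlation
# Event. Threshold (2 distinct IOC algorithms) and window (3600 s) are assumed.
from collections import defaultdict

POLICY, IOC, SECURITY = "Policy Events", "Indicators of Compromise", "Security Events"

# Default algorithm -> bulletin board mapping, as listed above.
DEFAULT_BOARD = {}
for _alg in ("Excessive Jitter", "Multicast Violations", "IP Address Violation",
             "P2P Detection"):
    DEFAULT_BOARD[_alg] = POLICY
for _alg in ("Breach Attempt Detection", "DNS Hits", "ICMP Port Unreachable",
             "ICMP Destination Unreachable", "Denied Flows", "Domain Reputation",
             "FIN Scan", "NULL Scan", "Odd TCP Flags Scan", "Persistent Flow Risk",
             "RST/ACK Scan", "SYN Scan", "TCP Scan", "UDP Scan", "XMAS Scan"):
    DEFAULT_BOARD[_alg] = IOC
for _alg in ("BotNet Detection", "DDoS Detection", "DRDoS Detection",
             "DNS Command and Control Detection", "DNS Data Leak",
             "Indicator Correlation Event", "Malware Behavior Detection",
             "Malware Domain Communications", "Host Reputation"):
    DEFAULT_BOARD[_alg] = SECURITY


def route_events(events, overrides=None, min_distinct_iocs=2, window=3600):
    """Post (ts, host, algorithm) events; return {board: [(host, algorithm)]}.
    overrides maps an algorithm to a non-default board. A host that trips
    min_distinct_iocs different IOC algorithms within `window` seconds gets
    one Indicator Correlation Event on the Security Events board.
    """
    board_of = {**DEFAULT_BOARD, **(overrides or {})}
    boards, ioc_seen, escalated = defaultdict(list), defaultdict(dict), set()
    for ts, host, alg in sorted(events):
        board = board_of[alg]
        boards[board].append((host, alg))
        if board != IOC:
            continue
        ioc_seen[host][alg] = ts  # latest hit per IOC algorithm for this host
        recent = [a for a, t in ioc_seen[host].items() if ts - t <= window]
        if len(recent) >= min_distinct_iocs and host not in escalated:
            escalated.add(host)
            boards[SECURITY].append((host, "Indicator Correlation Event"))
    return dict(boards)


# Constructed sample: 10.0.0.7 trips three different IOC algorithms in 30 s,
# 10.0.0.9 repeats a single IOC algorithm and should not be escalated.
SAMPLE = [(0, "10.0.0.5", "Excessive Jitter"), (10, "10.0.0.7", "SYN Scan"),
          (20, "10.0.0.7", "Denied Flows"), (30, "10.0.0.9", "DNS Hits"),
          (40, "10.0.0.7", "Domain Reputation"), (50, "10.0.0.9", "DNS Hits")]
```

Calling `route_events(SAMPLE)` posts the jitter event to Policy Events, five events to the IOC board, and a single Indicator Correlation Event for 10.0.0.7 to Security Events.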