Event details

The table below lists every default alarm policy in Plixer Scrutinizer together with its criteria fields, the alarm keys carried with each event, the default timeout in seconds, and the message template reported when the policy is violated. Each `%{KEY}` token in a message is replaced with the value of the event field of the same name (compared case-insensitively against the lower-case key names in the table). Note that a few templates reference fields that neither the Criteria nor the Alarm Keys column lists, for example `%{LOWER_CONF}` and `%{UPPER_CONF}` in Forecast Anomaly and `%{TARGETS}` and `%{DEVICES}` in Reverse SSH Shell.
| Name | Criteria | Alarm Keys | Timeout (s) | Message |
|---|---|---|---|---|
| Access and Audit Events | violators, message | violators, message | 300 | %{VIOLATORS} %{MESSAGE} |
| Access to a potentially vulnerable web application | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| A client was using an unusual port | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| An attempted login using a suspicious username was detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| A Network Trojan was detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| A suspicious filename was detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| A system call was detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Attempted Denial of Service | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Attempted Information Leak | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Attempted User Privilege Gain | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Attempt to login by a default username and password | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Auto Investigate | first_violator | violators, targets, host_count, policy_count, chain_count, event_count, start_epoch, end_epoch | 86400 | The host %{FIRST_VIOLATOR} was seen in %{CHAIN_COUNT} event chains involving %{POLICY_COUNT} policies, %{HOST_COUNT} directly involved hosts, and %{EVENT_COUNT} events. |
| Azure user logged on from many hosts | user_id | user_id, total_hosts | 300 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Azure user logged on from many locations | user_id | user_id, total_locations | 300 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_LOCATIONS} different locations, which is more than normal. Locations performing authentication(s) are %{VIOLATORS} |
| Azure user logged on many times | user_id | user_id, total_auths | 300 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Bad Exporter Flow | violators, reason_text | reason_text, reason_num, repetition, sequence, set_id, source_id, violators, devices | 3600 | Exporter %{VIOLATORS} sent a bad flow (source %{SOURCE_ID}, sequence %{SEQUENCE}, set %{SET_ID}): %{REASON_TEXT} |
| Bad Exporter Packet | violators, reason_text | reason_text, reason_num, repetition, violators, devices | 3600 | Exporter %{VIOLATORS} sent a bad packet: %{REASON_TEXT} |
| Bad Exporter Template | violators, reason_text | reason_text, reason_num, repetition, sequence, source_id, template_id, violators, devices | 3600 | Exporter %{VIOLATORS} sent a bad template #%{TEMPLATE_ID} (source %{SOURCE_ID}, sequence %{SEQUENCE}): %{REASON_TEXT} |
| Blocked Malicious Domains | violators | violators, targets, domain | 300 | %{VIOLATORS} is accessing blocked domain %{DOMAIN} |
| Bogon Attempt | violators | violators, targets, devices | 3600 | Connections to a bogon network, %{TARGETS}, were seen on %{DEVICES} by %{VIOLATORS} |
| Bogon Connection | violators | violators, targets, devices | 3600 | Inbound traffic from a bogon network was seen going to %{TARGETS} on %{DEVICES} by %{VIOLATORS} |
| BotNet Detection | violators | violators, targets, devices, nxcount | 3600 | Internal IP %{VIOLATORS} performed %{NXCOUNT} unique DNS lookups using DNS server(s) %{TARGETS} that returned a Non-Existent Domain (NXDOMAIN) response as seen on %{DEVICES} exporter(s). This may indicate the presence of malware on %{VIOLATORS} that uses a domain generation algorithm (DGA) to communicate with malware C&C servers. |
| Breach Attempt Detection | violators, breachtype | devices, violators, breachtype, targets | 900 | Detected %{BREACHTYPE} breach by: %{VIOLATORS} with targets: %{TARGETS} |
| Brute-force RDP (Client-side) | violators | violators, targets | 300 | %{VIOLATORS} is attempting an RDP brute force attack on %{TARGETS} |
| Brute-force RDP (Server-side TCP) | targets | violators, targets | 300 | %{TARGETS} is receiving an RDP (TCP) brute force attack from %{VIOLATORS} |
| Brute-force RDP (Server-side UDP) | targets | violators, targets | 300 | %{TARGETS} is receiving an RDP (UDP) brute force attack from %{VIOLATORS} |
| Brute-force SSH (Client-side) | violators | violators, targets | 300 | %{VIOLATORS} is attempting an SSH client brute force attack on %{TARGETS} |
| Brute-force SSH (Server-side) | targets | violators, targets | 300 | %{TARGETS} is receiving an SSH server brute force attack from %{VIOLATORS} |
| Collector Alert | error | process, process_id, devices, violators, error | 300 | %{PROCESS}(%{PROCESS_ID}) %{DEVICES} encountered %{ERROR} on %{VIOLATORS} |
| Collector Message | event_type, priority | process, process_id, message, event_type, violators | 300 | %{PROCESS}(%{PROCESS_ID}) on %{VIOLATORS} reported %{EVENT_TYPE}: %{MESSAGE} |
| Configuration Alert | event_type, priority | process, process_id, message, event_type, violators | 300 | %{PROCESS}(%{PROCESS_ID}) reported %{EVENT_TYPE} by %{VIOLATORS}: %{MESSAGE} |
| Crypto Currency Mining Activity Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Cstore Strays | devices | count | 86400 | Found and removed: %{COUNT} stray cstore files on: %{DEVICES} |
| Data Accumulation | violators | violators, targets, total_data | 300 | In the last 30 minutes, %{VIOLATORS} accumulated %{TOTAL_DATA} bytes from %{TARGETS} |
| Data Exfiltration | violators | violators, targets, total_data | 300 | In the last 30 minutes, %{VIOLATORS} exfiltrated %{TOTAL_DATA} bytes to %{TARGETS} |
| DDoS | targets | attacker_count, bytes_std_dev, duration, flow_count, packets_std_dev | 300 | Possible Inbound DDoS Attack: Within %{DURATION} seconds %{ATTACKER_COUNT} external hosts generated a combined total of %{FLOW_COUNT} flows having bytes within %{BYTES_STD_DEV} standard deviations and packets within %{PACKETS_STD_DEV} standard deviations. |
| Decode of an RPC Query | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Denial of Service | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Denied Flows Firewall | violators | devices, violators, target_count, flowcount | 900 | IP %{VIOLATORS} had %{FLOWCOUNT} connection attempts to %{TARGET_COUNT} external IP addresses denied by the firewall as seen on %{DEVICES} exporter(s) |
| Detection of a Denial of Service Attack | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Detection of a Network Scan | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Detection of a non-standard protocol or event | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Device Retrieving External IP Address Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Diskspace Alert | disk_error, disk_partition, violators | process, process_id, disk_error, disk_partition, message | 300 | %{PROCESS}(%{PROCESS_ID}) The disk partition “%{DISK_PARTITION}” is “%{DISK_ERROR}”. %{MESSAGE} |
| DNS Command and Control Detection | violators | violators, targets, devices | 900 | Possible Command and Control (C&C) Activity. DNS TXT messages are being exchanged between asset %{VIOLATORS} and %{TARGETS} as seen on the %{DEVICES} exporter(s) |
| DNS Data Leak Detection | violators | violators, totaltextlength, dnsname | 900 | DNS lookups initiated from asset: %{VIOLATORS} using complex domain name: %{DNSNAME} containing a high number of domain levels and a total of: %{TOTALTEXTLENGTH} characters. |
| DNS Hits | violators | violators, flowcount, threshold | 900 | Internal IP %{VIOLATORS} performed %{FLOWCOUNT} DNS lookups in the last 5 minutes exceeding the threshold of %{THRESHOLD} |
| DNS Server Detection | violators | violators, client_count, flowcount, devices | 900 | %{CLIENT_COUNT} IP address(es) initiated %{FLOWCOUNT} DNS lookups to IP address %{VIOLATORS} as seen on %{DEVICES} exporter(s) |
| Domain Observed Used for C2 Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Domain Reputation | violators, dnsname | violators, dnsname, category | 900 | IP %{VIOLATORS} performed a DNS lookup on a black-listed domain: %{DNSNAME} in the %{CATEGORY} category |
| DRDoS | targets, port_name | devices, attacker_count, duration, packet_in_count, packet_io_ratio, packet_out_count, port, port_name | 900 | Possible Inbound DRDoS Attack from common port %{PORT} (%{PORT_NAME}): Within %{DURATION} seconds %{ATTACKER_COUNT} violators generated a combined total of %{PACKET_IN_COUNT} inbound packets in response to %{PACKET_OUT_COUNT} outbound request packets, for a ratio of %{PACKET_IO_RATIO} inbound packets per outbound packet. |
| Encrypted traffic alert | violators | violators, ja3, ja3s, reason, severity | 300 | ML generated an encrypted traffic alert for %{VIOLATORS}: %{REASON} |
| Endpoint Analytics Info | violators | violators, macaddress, risk_score, location | 300 | Host %{VIOLATORS} has MAC address %{MACADDRESS}, has a risk score of %{RISK_SCORE}, and has location %{LOCATION}. |
| Event Queue Alert | violators, type | threshold, value | 300 | Event queue on host: %{VIOLATORS} has breached %{TYPE} threshold: %{THRESHOLD} with value: %{VALUE} |
| Executable code was detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Exploit Kit Activity Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Exporter Ignored | devices, violators, reason_num | reason_text, repetition, violators | 3600 | Discarding flows from exporter %{VIOLATORS}: %{REASON_TEXT} |
| Exporter Paused | violators, exporter_id | | 1 | Exporter %{EXPORTER_ID} paused on collector %{VIOLATORS} due to insufficient resources. See the feature sizing interface for more details. |
| Exporter Resumed | violators, exporter_id | | 1 | Exporter %{EXPORTER_ID} resumed on collector %{VIOLATORS} due to additional available resources. See the feature sizing interface for more details. |
| Feature Set Paused | violators, feature_set | | 1 | Feature set %{FEATURE_SET} paused on collector %{VIOLATORS} due to insufficient resources. See the feature sizing interface for more details. |
| Feature Set Resumed | violators, feature_set | | 1 | Feature set %{FEATURE_SET} resumed on collector %{VIOLATORS} due to additional available resources. See the feature sizing interface for more details. |
| FIN Scan (External) | violators | devices, violators | 900 | A FIN Scan was seen on %{DEVICES} by %{VIOLATORS} |
| FIN Scan (Internal) | violators | devices, violators | 900 | A FIN Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Flow Collection Paused | violators | | 60 | Flow collection paused on collector %{VIOLATORS} due to hardware and/or configuration change. See the feature sizing interface for more details. |
| Flow Collection Resumed | violators | new_flow_rate | 60 | Flow collection resumed at %{NEW_FLOW_RATE} flows/sec on collector %{VIOLATORS}. |
| Flow Inactivity | violators, collector | last_flow | 1200 | Exporter %{VIOLATORS} stopped sending flows to the %{COLLECTOR} collector. The last flow was received %{LAST_FLOW}. If this is expected, set the exporter to disabled or delete it in Manage Exporters to stop these alarms. |
| FlowPro Event Capture | devices, capture_name | violators, targets, devices, capture_name, lookup | 900 | Traffic captured for %{CAPTURE_NAME} from %{VIOLATORS} to %{TARGETS} seen on %{DEVICES} |
| Flow Rate Limit Changed | violators | new_flow_rate | 60 | Flow collection rate limit changed to %{NEW_FLOW_RATE} flows/sec on collector %{VIOLATORS} due to hardware and/or configuration change. See the feature sizing interface for more details. |
| Flows Limited - Licensing | devices, violators, reason_num | reason_text | 60 | Collector %{VIOLATORS} license exceeded: %{REASON_TEXT} |
| Forecast Anomaly | devices, interfaces, applications, type, ts | forecast_id, devices, interfaces, target_quantity, observed_value, mean, forecast_start_time, forecast_end_time | 300 | Forecast: %{FORECAST_ID} found %{INTERFACES} on %{DEVICES} observed value: %{OBSERVED_VALUE} %{TARGET_QUANTITY} is outside forecast for interval %{FORECAST_START_TIME}-%{FORECAST_END_TIME}, Expected Value: %{LOWER_CONF} <= %{MEAN} <= %{UPPER_CONF} |
| Forecast Task Complete | devices, interfaces, applications, type | forecast_id | 60 | Forecast: %{FORECAST_ID} complete, results available |
| Forecast Task Error | devices, interfaces, applications, type | forecast_id, error_stage, error | 60 | Forecast: %{FORECAST_ID} resulted in an error during %{ERROR_STAGE}. Message: %{ERROR} |
| Forecast Task Starting | devices, interfaces, applications, type | forecast_id | 60 | Forecast: %{FORECAST_ID} received by forecasting module |
| Generic Protocol Command Decode | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Hardware Resources Exceeded | violators | drop_rate, flow_limit_period | 60 | Collector %{VIOLATORS} incoming flow rate exceeds hardware recommendations. %{DROP_RATE} flows per second dropped over the last %{FLOW_LIMIT_PERIOD} seconds. See the feature sizing interface for more details. |
| Heartbeat Alert | heartbeat_type, violators | process, process_id, heartbeat_type, devices, violators | 300 | %{PROCESS}(%{PROCESS_ID}) %{HEARTBEAT_TYPE} heartbeat failed from %{DEVICES} to %{VIOLATORS} |
| Host Index Disk Availability Error | violators | threshold, current | 300 | Host Indexing service has reached disk storage volume limit of %{THRESHOLD} percent in use, currently %{CURRENT} percent in use. Stopping processing and starting garbage collection until under threshold. |
| Host Index Disk Space Error | violators | threshold, current | 300 | Host Indexing service has reached disk space usage: %{CURRENT}MB, threshold: %{THRESHOLD}MB. Stopping processing and starting garbage collection until under threshold. |
| Host Index Disk Space Warning | violators | threshold, current | 300 | Host Indexing service has reached disk space usage: %{CURRENT}MB, over 75% of threshold: %{THRESHOLD}MB |
| Host Reputation | violators, targets | violators, targets, devices, category_note | 3600 | IP %{VIOLATORS} sent traffic to a suspect %{CATEGORY_NOTE} at IP address %{TARGETS} as seen on the %{DEVICES} exporter(s) |
| Host Watchlist | violators | devices, violators, port, protocol | 900 | Host Watchlist - %{DEVICES} saw watchlisted host %{VIOLATORS} communicating from %{PROTOCOL} %{PORT} |
| ICMP Destination Unreachable (External) | violators | flowcount, violators | 900 | External IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Destination Unreachable flows within 5 minutes |
| ICMP Destination Unreachable (Internal) | violators | flowcount, violators | 900 | Internal IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Destination Unreachable flows within 5 minutes |
| ICMP Port Unreachable (External) | violators | flowcount, violators | 900 | External IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Protocol Unreachable flows within 5 minutes |
| ICMP Port Unreachable (Internal) | violators | flowcount, violators | 900 | Internal IP %{VIOLATORS} triggered %{FLOWCOUNT} ICMP Protocol Unreachable flows within 5 minutes |
| Information Leak | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Interface Threshold Violation | violators, interface_name, instance | exporter, interface_name, instance, threshold, violation, graphStart, graphEnd | 900 | Interface %{EXPORTER}: %{INTERFACE_NAME} exceeded the threshold of %{THRESHOLD} %{VIOLATION} |
| IP Address Violations | violators | devices, violators, targets | 900 | Traffic on %{DEVICES} between %{VIOLATORS} and %{TARGETS} is outside of allowed subnets |
| Kafka Lag | topic_lagged | topic_lagged, messages_behind | 660 | ML Kafka topic %{TOPIC_LAGGED} is lagging %{MESSAGES_BEHIND} messages behind |
| Large Ping | violators | violators, targets, devices, threshold, avg_ping_size | 900 | Unexpected ICMP Echo traffic seen from violator %{VIOLATORS} to target %{TARGETS} on exporter %{DEVICES} with an average packet size of %{AVG_PING_SIZE} bytes which violates the threshold of %{THRESHOLD} bytes |
| Large Scale Information Leak | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Lateral Movement | violators, targets, worm_type | devices, targets, violators | 1200 | %{WORM_TYPE} lateral movement detected on %{DEVICES}, from %{VIOLATORS} to %{TARGETS} |
| Lateral Movement Attempt | violators, worm_type | devices, violators, targets, worm_type, dst_port | 1200 | %{WORM_TYPE} lateral movement attempt detected on %{DEVICES} from %{VIOLATORS} to %{TARGETS} over port %{DST_PORT} |
| Lateral Movement Behavior | violators | violators | 300 | %{VIOLATORS} is exhibiting lateral movement behavior |
| Malware Command and Control Activity Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Medianet Jitter Violations | violators | targets, violators, jitter | 420 | Jitter values of %{JITTER}ms between %{VIOLATORS} and %{TARGETS} exceed the threshold |
| ML Engine alert | violators, source | source, threshold | 300 | ML service %{SOURCE} has reached threshold %{THRESHOLD}, throttling until next run |
| ML Engine coin miner alert | violators | violators, family, probability, threshold | 300 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine command and control alert | violators | violators, family, probability, threshold | 300 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine Down | host | host, violators | 300 | ML Engine %{HOST} is not responding to pings |
| ML Engine exploit kit alert | violators | violators, family, probability, threshold | 300 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine malware alert | violators | violators, family, probability, threshold | 300 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML Engine remote access trojan alert | violators | violators, family, probability, threshold | 300 | ML detected %{VIOLATORS} generating malicious traffic related to %{FAMILY} malware family (%{PROBABILITY}% match, threshold set to %{THRESHOLD}%) |
| ML models still building | violators | violators, schedule | 300 | ML is still building models for schedule %{SCHEDULE}, but the next schedule is currently expected to start. Increase replica count values in the config. |
| ML Service Alert | service_name | service_name, unavailable, expected | 300 | ML service %{SERVICE_NAME} has %{UNAVAILABLE}/%{EXPECTED} instances unavailable |
| NetFlow Domain Reputation | violators, domain | violators, domain, category | 900 | Internal IP %{VIOLATORS} performed a lookup of %{DOMAIN}, categorized as %{CATEGORY} |
| New user using elevated logon | user_id | user_id | 300 | A new user, %{USER_ID}, is logging in with elevated privileges. Hosts performing login(s) are %{VIOLATORS} |
| NULL Scan (External) | violators | devices, violators, flowcount, threshold | 900 | A NULL scan was seen on %{DEVICES} by %{VIOLATORS} in %{FLOWCOUNT} flows violating the threshold of %{THRESHOLD} |
| NULL Scan (Internal) | violators | devices, violators, flowcount, threshold | 900 | A NULL scan was seen on %{DEVICES} by %{VIOLATORS} in %{FLOWCOUNT} flows violating the threshold of %{THRESHOLD} |
| Odd TCP Flags (External) | violators | devices, violators, flags, flowcount | 900 | Odd TCP flags (%{FLAGS}) were seen in %{FLOWCOUNT} flows on %{DEVICES} by %{VIOLATORS} |
| Odd TCP Flags (Internal) | violators | devices, violators, flags, flowcount | 900 | Odd TCP flags (%{FLAGS}) were seen in %{FLOWCOUNT} flows on %{DEVICES} by %{VIOLATORS} |
| Office 365 user logged in many times | user_id | user_id, total_auths | 300 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Office 365 user logged on from many hosts | user_id | user_id, total_hosts | 300 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Office 365 users logged on from many locations | user_id | user_id, total_locations | 300 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_LOCATIONS} different locations, which is more than normal. Locations performing authentication(s) are %{VIOLATORS} |
| P2P Detection | violators | devices, violators, dst_host_count, dst_port_count | 900 | P2P traffic to %{DST_HOST_COUNT} destinations using %{DST_PORT_COUNT} distinct port(s) was seen on %{DEVICES} from %{VIOLATORS} |
| Packet Flood | violators | devices, violators, targets, count | 3600 | Packet flood seen from %{VIOLATORS} to %{TARGETS} comprising %{COUNT} small packets in a minute by devices: %{DEVICES} |
| Ping Flood | violators | devices, violators, targets, count | 3600 | Ping flood seen from %{VIOLATORS} to %{TARGETS} comprising %{COUNT} pings in a minute by devices: %{DEVICES} |
| Ping Scan (External) | violators | devices, violators, count | 3600 | Ping scan seen from %{VIOLATORS} to %{COUNT} hosts by devices: %{DEVICES} |
| Ping Scan (Internal) | violators | devices, violators, count | 3600 | Ping scan seen from %{VIOLATORS} to %{COUNT} hosts by devices: %{DEVICES} |
| Plixer Network Intelligence Anomaly | violators, interface_id, anomaly_type | violators, interface_id, anomaly_type | 300 | Exporter %{VIOLATORS} is generating anomalous %{ANOMALY_TYPE} traffic on interface %{INTERFACE_ID} |
| Plixer Security Intelligence Anomaly | violators, anomaly_type | violators, anomaly_type | 300 | %{VIOLATORS} is generating anomalous %{ANOMALY_TYPE} traffic |
| Possible Social Engineering Attempted | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Possibly Unwanted Program Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Privileged user logged on from many hosts | user_id | user_id, total_hosts | 300 | In the last 30 minutes, %{USER_ID} has attempted to authenticate from %{TOTAL_HOSTS} hosts, which is more hosts than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Privileged user logged on many times | user_id | user_id, total_auths | 300 | In the last 30 minutes, %{USER_ID} has attempted %{TOTAL_AUTHS} authentications, which is more authentications than normal. Hosts performing authentication(s) are %{VIOLATORS} |
| Protocol Misdirection | violators | violators, traffic_type, port, targets | 3600 | Mismatched traffic type of %{TRAFFIC_TYPE} to port %{PORT} from %{VIOLATORS} to %{TARGETS} |
| Ransomware Behavior | violators | violators, targets, file_count, files | 900 | Observed a possible ransomware encryption attack from %{VIOLATORS} targeting SMB share %{TARGETS}. %{FILE_COUNT} files were both read and written to, including files: %{FILES} |
| Report Threshold Violation | saved_report, row_identifier | saved_report, row_identifier, violation, graphStart, graphEnd, src_port, dst_port, violator, violator_username, target, target_username, protocol, app_proto, url | 420 | The report %{SAVED_REPORT} %{ROW_IDENTIFIER} has exceeded its threshold %{VIOLATION} |
| Reverse SSH Shell | violators | origin_bytes, bytes_per_packet | 3600 | Possible reverse SSH tunnel from %{VIOLATORS} to %{TARGETS} seen by devices: %{DEVICES} based on %{ORIGIN_BYTES} origin bytes and %{BYTES_PER_PACKET} average origin bytes per packet |
| Rogue DHCP Service | violators | violators, targets | 300 | %{VIOLATORS} is hosting a rogue DHCP service contacted by %{TARGETS}. If this is expected behavior, please add the DHCP server IP address to the DHCP Servers IP group |
| Rogue DNS Service | violators | violators, targets | 300 | %{VIOLATORS} is hosting a rogue DNS service contacted by %{TARGETS}. If this is expected behavior, please add the DNS server IP address to the DNS Servers IP group |
| Rogue LDAP Service | violators | violators, targets | 300 | %{VIOLATORS} is hosting a rogue LDAP service contacted by %{TARGETS}. If this is expected behavior, please add the LDAP server IP address to the LDAP Servers IP group |
| RST/ACK Detection (External) | violators | violators, flowcount, targets | 900 | Anomalous Behavior - Possible RST/ACK Replies Observed: Host %{TARGETS} received %{FLOWCOUNT} packets from %{VIOLATORS} without observing any other flags |
| RST/ACK Detection (Internal) | violators | violators, flowcount, targets | 900 | Anomalous Behavior - Possible RST/ACK Replies Observed: Host %{TARGETS} received %{FLOWCOUNT} packets from %{VIOLATORS} without observing any other flags |
| Runtime Overrun | process | process, process_id, threshold, duration, action | 300 | %{PROCESS}(%{PROCESS_ID}) ran for %{DURATION} seconds and exceeded the configured runtime of %{THRESHOLD} seconds (%{ACTION}) |
| Scheduled Task Error | violators, task_name | task_id, command, error_code, start_time, run_time | 300 | A scheduled task on collector %{VIOLATORS}, %{TASK_NAME} (ID %{TASK_ID}) returned error code: %{ERROR_CODE} running: “%{COMMAND}”. It started at %{START_TIME} and ran for %{RUN_TIME} seconds. View the collector log and/or run the task manually for more details. |
| Setup Problem | issue | message | 900 | %{MESSAGE} |
| SIGRed Exploit Attempt | violators | violators, targets | 300 | %{VIOLATORS} is attempting a SIGRed attack on %{TARGETS} |
| Slow Port Scan (External) | violators | devices, violators, targets | 3600 | %{VIOLATORS} is port scanning %{TARGETS} on %{DEVICES} |
| Slow Port Scan (Internal) | violators | devices, violators, targets | 3600 | %{VIOLATORS} is port scanning %{TARGETS} on %{DEVICES} |
| SMB Brute-force Attempt | violators | violators, targets, failed_logins, usernames | 900 | Observed a possible SMB brute force attack from %{VIOLATORS} targeting SMB share %{TARGETS}. %{FAILED_LOGINS} failed logins observed including usernames: %{USERNAMES} |
| Source Equals Destination | violators | devices, violators | 900 | Traffic with source and destination of %{VIOLATORS} was seen on %{DEVICES} |
| Stream Deactivated | stream | size, threshold | 900 | The stream: %{STREAM} has breached its configured threshold: %{THRESHOLD} with total size: %{SIZE} and has been deactivated. |
| Stream Reactivated | stream | minutes, size, threshold | 900 | The stream: %{STREAM} with total size: %{SIZE} below its configured threshold: %{THRESHOLD} has been reactivated after having been deactivated for: %{MINUTES} minutes. |
| Successful Administrator Privilege Gain | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Successful Credential Theft Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Successful User Privilege Gain | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Suspicious Host Communication | violators | violators, targets, protocol_name | 300 | Based on how these hosts and those around them normally communicate, the communication between %{VIOLATORS} and the host(s) %{TARGETS} on protocol %{PROTOCOL_NAME} is unexpected. Use the explore event traffic link to view these communications in detail. |
| Suspicious Host Communication | violators | violators, targets, protocol | 300 | Based on how these hosts and those around them normally communicate, the communication between %{VIOLATORS} and the host(s) %{TARGETS} on protocol %{PROTOCOL} is unexpected. Use the explore event traffic link to view these communications in detail. |
| SYN IP Scan (External) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900 | A SYN IP Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN IP Scan (Internal) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900 | A SYN IP Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN Port Scan (External) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900 | A SYN Port Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| SYN Port Scan (Internal) | violators | devices, violators, targets, scanned_host_count, scanned_port_count, host_thresh, port_thresh | 900 | A SYN Port Scan by %{VIOLATORS} seen scanning %{SCANNED_HOST_COUNT} hosts which exceeds the threshold of %{HOST_THRESH} and %{SCANNED_PORT_COUNT} ports per host exceeding the threshold of %{PORT_THRESH} |
| System Capacity | vital_type | vital_type, value | 300 | ML is using %{VALUE} percent of its %{VITAL_TYPE} capacity |
| Targeted Malicious Activity was Detected | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| TCP Half-Open (External) | violators | devices, violators, targets, packets_per_port, scanned_port_count, pkt_thresh, port_thresh | 900 | A possible SYN Half Open Attack by %{VIOLATORS} seen targeting %{TARGETS}. Port count of %{SCANNED_PORT_COUNT} exceeded the threshold of %{PORT_THRESH} and flows per port of %{PACKETS_PER_PORT} exceeded the threshold of %{PKT_THRESH}. |
| TCP Half-Open (Internal) | violators | devices, violators, targets, packets_per_port, scanned_port_count, pkt_thresh, port_thresh | 900 | A possible SYN Half Open Attack by %{VIOLATORS} seen targeting %{TARGETS}. Port count of %{SCANNED_PORT_COUNT} exceeded the threshold of %{PORT_THRESH} and flows per port of %{PACKETS_PER_PORT} exceeded the threshold of %{PKT_THRESH}. |
| TCP Scan (External) | violators | devices, violators, port_count, dst_count | 900 | A TCP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| TCP Scan (Internal) | violators | devices, violators, port_count, dst_count | 900 | A TCP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| TLS Certificate Expiry | violators | days | 86400 | TLS certificates on nodes: %{VIOLATORS} will expire in %{DAYS} days. Contact Plixer Support or see scrut_util --help certs. |
| Token Expiration | username, expires_on | username, expires_on, status | 86400 | An authentication token for %{USERNAME} %{STATUS} on %{EXPIRES_ON} |
| Tunneling through external DNS host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling external DNS traffic through %{TARGETS} |
| Tunneling through external ICMP host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling external ICMP traffic through %{TARGETS} |
| Tunneling through external SSH host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling external SSH traffic through %{TARGETS} |
| Tunneling through internal DNS host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling internal DNS traffic through %{TARGETS} |
| Tunneling through internal ICMP host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling internal ICMP traffic through %{TARGETS} |
| Tunneling through internal SSH host | violators | violators, targets, tunnel_type | 300 | %{VIOLATORS} is tunneling internal SSH traffic through %{TARGETS} |
| UDP Scan (External) | violators | devices, violators, dst_count, port_count | 900 | A UDP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| UDP Scan (Internal) | violators | devices, violators, dst_count, port_count | 900 | A UDP Scan was seen on %{DEVICES} by %{VIOLATORS} scanning %{DST_COUNT} IPs and %{PORT_COUNT} ports |
| Unapproved Protocol | protocol | protocol_name, devices | 900 | Unapproved network transport: %{PROTOCOL_NAME} was seen on: %{DEVICES} |
| Unsuccessful User Privilege Gain | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Web Application Attack | violators | violators, targets, devices, msg | 900 | %{DEVICES} observed %{MSG} from %{VIOLATORS} targeting %{TARGETS} |
| Worm Activity | violators | violators | 300 | %{VIOLATORS} is exhibiting worm behavior |
| Xmas Scan (External) | violators | devices, violators | 900 | An Xmas Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Xmas Scan (Internal) | violators | devices, violators | 900 | An Xmas Scan was seen on %{DEVICES} by %{VIOLATORS} |
| Zerologon | violators | violators, targets | 300 | %{VIOLATORS} is attempting a Zerologon attack on %{TARGETS} |
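
The message templates above are the only thing most downstream tooling (SIEM forwarding, ticketing, notification scripts) ever sees, so it is worth checking that every `%{KEY}` a template references is actually a field the event carries. The following is an added example, not code from Plixer Scrutinizer: it parses the `%{KEY}` syntax, audits a few rows copied from the table against their Criteria and Alarm Keys columns, and renders a message from an event dictionary, failing loudly on a missing field rather than silently emitting a blank violator or target. The `AlarmPolicy` class, the `render` and `audit` helpers, and the sample event values are assumptions of this example; the policy rows are taken verbatim from the table.

```python
"""Audit and render Scrutinizer-style alarm message templates.

Added example; not part of Plixer Scrutinizer. The policy rows below are
copied from the table above; the event dicts are constructed sample data.
"""
import re
from dataclasses import dataclass

# A template token looks like %{KEY}; the table lists the key names in lower case.
PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9_]+)\}")


@dataclass(frozen=True)
class AlarmPolicy:
    name: str
    criteria: tuple
    alarm_keys: tuple
    timeout_s: int
    message: str

    def declared_fields(self) -> set:
        """Fields the table says the event carries: Criteria plus Alarm Keys."""
        return set(self.criteria) | set(self.alarm_keys)


# Rows copied from the table above.
POLICIES = {
    p.name: p
    for p in [
        AlarmPolicy(
            "DNS Hits", ("violators",), ("violators", "flowcount", "threshold"), 900,
            "Internal IP %{VIOLATORS} performed %{FLOWCOUNT} DNS lookups in the last 5 minutes "
            "exceeding the threshold of %{THRESHOLD}",
        ),
        AlarmPolicy(
            "Forecast Anomaly",
            ("devices", "interfaces", "applications", "type", "ts"),
            ("forecast_id", "devices", "interfaces", "target_quantity", "observed_value",
             "mean", "forecast_start_time", "forecast_end_time"), 300,
            "Forecast: %{FORECAST_ID} found %{INTERFACES} on %{DEVICES} observed value: "
            "%{OBSERVED_VALUE} %{TARGET_QUANTITY} is outside forecast for interval "
            "%{FORECAST_START_TIME}-%{FORECAST_END_TIME}, Expected Value: "
            "%{LOWER_CONF} <= %{MEAN} <= %{UPPER_CONF}",
        ),
        AlarmPolicy(
            "Reverse SSH Shell", ("violators",), ("origin_bytes", "bytes_per_packet"), 3600,
            "Possible reverse SSH tunnel from %{VIOLATORS} to %{TARGETS} seen by devices: "
            "%{DEVICES} based on %{ORIGIN_BYTES} origin bytes and %{BYTES_PER_PACKET} "
            "average origin bytes per packet",
        ),
    ]
}


def placeholders(template: str) -> list:
    """Keys a template references, in order, lower-cased to match the table's key names."""
    return [m.group(1).lower() for m in PLACEHOLDER.finditer(template)]


def undeclared_placeholders(policy: AlarmPolicy) -> list:
    """Placeholders the message uses that neither Criteria nor Alarm Keys declare."""
    return sorted(set(placeholders(policy.message)) - policy.declared_fields())


def audit(policies=None) -> dict:
    """Map policy name -> undeclared placeholders, for the policies that have any."""
    gaps = {}
    for name, policy in (policies or POLICIES).items():
        missing = undeclared_placeholders(policy)
        if missing:
            gaps[name] = missing
    return gaps


def render(policy: AlarmPolicy, event: dict) -> str:
    """Fill the template from an event dict keyed by lower-case field name.

    A missing field raises KeyError instead of rendering a blank, so a mis-keyed
    event is caught when the alarm fires rather than read as an empty violator.
    """
    def substitute(m):
        key = m.group(1).lower()
        if key not in event:
            raise KeyError(f"{policy.name}: event has no field '{key}' required by its message")
        return str(event[key])
    return PLACEHOLDER.sub(substitute, policy.message)


if __name__ == "__main__":
    # Constructed sample event, not data from a real collector.
    sample = {"violators": "10.20.30.40", "flowcount": 1500, "threshold": 1000}
    print(render(POLICIES["DNS Hits"], sample))
    for name, missing in audit().items():
        print(f"{name}: template references undeclared fields {missing}")
```

Running the audit over the three embedded rows reports `lower_conf` and `upper_conf` for Forecast Anomaly and `devices` and `targets` for Reverse SSH Shell; `violators` is accepted for the latter because it appears in the Criteria column even though it is absent from Alarm Keys. To audit the whole table, load the remaining rows into `POLICIES` the same way.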