Alarm policy list
The table below contains general information for all alarm policies available in Plixer Scrutinizer.
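Several of the Scrutinizer-technology policies in the table are plain threshold heuristics over flow records in a three-minute window; the DDoS and DRDoS entries describe theirs in the most detail (packet and byte deviation, a per-source packet floor, a unique-host count, and a reply-versus-request imbalance for reflection). The following Python is an added illustration of those two heuristics as the table describes them, written for this page; it is not Plixer code and does not describe the product's actual implementation. The reflector port list, the internal address ranges, the unique-host threshold and the constructed flow records are all assumptions.

```python
"""Toy replica of the DDoS and DRDoS flow heuristics described in the policy table.

Added illustration, not Plixer code: the product's real algorithm, reflector port list
and default unique-host threshold are not published, so the values below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Assumed: UDP services commonly abused as amplifiers/reflectors.
REFLECTOR_PORTS = {19, 53, 123, 161, 1900, 11211}
# Assumed: the "protected network space" the detectors defend.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One flow record from the three-minute window under analysis."""
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int
    packets: int
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_ddos(flows, packet_dev=10.0, byte_dev=10.0, min_packets=4,
                unique_hosts=50, exclude=frozenset()):
    """Generic DDoS: many distinct sources sending near-identical traffic to one internal host.

    Mirrors the four settings in the table: the per-source packet and byte totals must have a
    standard deviation below packet_dev / byte_dev, each source must have sent at least
    min_packets, and at least unique_hosts sources must qualify. Returns (victim, source_count).
    """
    per_victim = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # dst -> src -> [pkts, bytes]
    for f in flows:
        if f.src in exclude or f.dst in exclude or not is_internal(f.dst):
            continue
        acc = per_victim[f.dst][f.src]
        acc[0] += f.packets
        acc[1] += f.bytes
    alarms = []
    for victim, sources in per_victim.items():
        qualifying = [(p, b) for p, b in sources.values() if p >= min_packets]
        if len(qualifying) < unique_hosts:
            continue
        pkts = [p for p, _ in qualifying]
        byts = [b for _, b in qualifying]
        if pstdev(pkts) < packet_dev and pstdev(byts) < byte_dev:
            alarms.append((victim, len(qualifying)))
    return alarms


def detect_drdos(flows, threshold=100, exclude=frozenset()):
    """DRDoS: reflector replies reaching an internal host far outnumber its own requests.

    Internal->external UDP flows to a reflector port count as requests; external->internal UDP
    flows from a reflector port count as replies. Alarms when replies - requests >= threshold.
    """
    requests = defaultdict(int)
    replies = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.src in exclude or f.dst in exclude:
            continue
        if is_internal(f.src) and not is_internal(f.dst) and f.dst_port in REFLECTOR_PORTS:
            requests[f.src] += 1
        elif is_internal(f.dst) and not is_internal(f.src) and f.src_port in REFLECTOR_PORTS:
            replies[f.dst] += 1
    return [(host, replies[host] - requests[host])
            for host in replies if replies[host] - requests[host] >= threshold]


def sample_flows():
    """Constructed records: one generic flood, one benign web server, one NTP reflection flood."""
    flows = []
    # 60 distinct sources sending identical 5-packet flows to 10.0.0.5: generic DDoS.
    for i in range(60):
        flows.append(Flow(f"203.0.113.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 80, 5, 300))
    # A single 1-packet flow is below the DDoS Packets floor and is ignored.
    flows.append(Flow("198.51.100.200", "10.0.0.5", "tcp", 41000, 80, 1, 60))
    # 60 sources with widely varying sizes to 10.0.0.6: ordinary web traffic, high deviation.
    for i in range(60):
        flows.append(Flow(f"198.51.100.{i + 1}", "10.0.0.6", "tcp", 42000 + i, 443,
                          5 + 3 * i, 400 + 500 * i))
    # 10.0.0.7 sent two NTP queries but receives 150 NTP replies: spoofed-source reflection.
    flows.append(Flow("10.0.0.7", "192.0.2.10", "udp", 50000, 123, 1, 90))
    flows.append(Flow("10.0.0.7", "192.0.2.11", "udp", 50001, 123, 1, 90))
    for i in range(150):
        flows.append(Flow(f"192.0.2.{i + 20}", "10.0.0.7", "udp", 123, 50002 + i, 20, 9000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("DDoS:", detect_ddos(flows))
    print("DRDoS:", detect_drdos(flows))
```

Run as-is, the generic detector flags both 10.0.0.5 (60 identical sources) and 10.0.0.7 (150 identical reflector replies), while the web server 10.0.0.6 passes because its per-source byte and packet counts vary far more than the deviation settings allow; the DRDoS detector flags only 10.0.0.7, where 150 replies came back for 2 requests. The `exclude` set plays the role of the IP exclusions the table mentions for nearly every Scrutinizer policy: it is how a vulnerability scanner, a load-test host or an authorized resolver is kept from tripping the alarm.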
Category | Policy | Technology | License | Description |
---|---|---|---|---|
Collection > Data Staged > Local Data Staging | Data Accumulation | Plixer Machine Learning | Plixer One Enterprise | A host is accumulating data from various internal sources in preparation for exfiltration |
Command and Control > Application Layer Protocol > DNS | DNS Command and Control Detection | Scrutinizer | Plixer One Core | This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by FlowPro Defender. DNS TXT messages provide a means of sending information into and out of your protected network over DNS, even when you have blocked use of an external DNS server. This technique is used by malware to control compromised assets within your network and to extract information back out. Some legitimate companies also use this method to ‘phone home’ from their applications to the developer site. The algorithm detects inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds may be set based either on the number of DNS TXT messages or on the number of bytes observed in DNS TXT messages within a three-minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes. To suppress alarms from authorized applications in your network, add the domain generating the alarm to the ‘trusted.domains’ list on FlowPro Defender. |
Command and Control > Application Layer Protocol > DNS | DNS Hits | Scrutinizer | Plixer One Core | Triggers an alarm when a host initiates an excessive number of DNS queries, identifying hosts that perform an inordinate number of DNS lookups. Set the flow threshold to a value large enough to reflect normal behavior on your network. The default threshold is 2500 DNS flows in three minutes. Either the source or destination IP address can be excluded from triggering this alarm. |
Command and Control > Application Layer Protocol > DNS | DNS Server Detection | Scrutinizer | Plixer One Core | When used with FlowPro Defender, detects new DNS servers being used on or by your network through analysis of the DNS packets exchanged between the client and the server. Exclude DNS servers that are authorized for use on the network. |
Command and Control > Custom Command and Control Protocol | Detection of a non-standard protocol or event | Plixer FlowPro Defender | Plixer One Enterprise | Detects non-standard protocols or events (e.g. use of deprecated or rarely used protocols) |
Command and Control > Custom Command and Control Protocol | Generic Protocol Command Decode | Plixer FlowPro Defender | Plixer One Enterprise | Detects generic protocol command decodes (e.g. malformed DHCP options) |
Command and Control > Data Obfuscation > Protocol Impersonation | Protocol Misdirection | Scrutinizer | Plixer One Enterprise | Identifies when the type of traffic does not match the port being used. |
Command and Control > Dynamic Resolution | BotNet Detection | Scrutinizer | Plixer One Core | This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, a reply commonly known as NXDOMAIN is returned. By monitoring the number of NXDOMAINs detected as well as the DNS names looked up, behavior normally associated with a class of malware that uses Domain Generation Algorithms (DGAs) can be detected. The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in three minutes. Either the source or destination IP address can be excluded from triggering this alarm. |
Command and Control > Dynamic Resolution | Domain Observed Used for C2 Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects domains known to be used for malware command and control |
Command and Control > Encrypted Channel | Encrypted traffic alert | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects anomalous encrypted network traffic |
Command and Control > Non-Standard Port | Malware Command and Control Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects malware communicating with an external command and control server |
Command and Control > Non-Standard Port | ML Engine command and control alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those of well-known banking trojans (Dridex, Emotet, Qakbot, Trickbot) |
Command and Control > Proxy > External Proxy | Tunneling through external DNS host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as a DNS proxy tunnel to another host |
Command and Control > Proxy > External Proxy | Tunneling through external ICMP host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as an ICMP proxy tunnel to another host |
Command and Control > Proxy > External Proxy | Tunneling through external SSH host | Plixer Machine Learning | Plixer One Enterprise | Detects when an external host is being used as an SSH proxy tunnel to another host |
Command and Control > Proxy > Internal Proxy | Tunneling through internal DNS host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as a DNS proxy tunnel to another host |
Command and Control > Proxy > Internal Proxy | Tunneling through internal ICMP host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as an ICMP proxy tunnel to another host |
Command and Control > Proxy > Internal Proxy | Tunneling through internal SSH host | Plixer Machine Learning | Plixer One Enterprise | Detects when an internal host is being used as an SSH proxy tunnel to another host |
Command and Control > Remote Access Software | ML Engine remote access trojan alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those associated with remote access trojans |
Command and Control > Web Service > Bidirectional Communication | Domain Reputation | Scrutinizer | Plixer One Core | Domain reputation provides much more accurate alarming, with a dramatic decrease in the number of false positive alarms compared to IP-based Host Reputation. The domain list is provided by Plixer, is updated each hour, and currently contains over 400,000 known bad domains. FlowPro Defender performs the actual monitoring; when it detects a domain with poor reputation, it passes the information to Scrutinizer for additional processing. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to disabled so that every DNS lookup observed results in a unique alarm. To suppress alarms from authorized applications in your network, add the domain generating the alarm to the ‘Trusted Domain’ list on FlowPro Defender. See the discussion on FlowPro Defender for additional details. |
Command and Control > Web Service > Bidirectional Communication | Host Reputation | Scrutinizer | Plixer One Core | This algorithm maintains a current list of active Tor nodes that you should monitor. Some malware families use Tor for Command and Control communications. Whitelist the users who are authorized to use Tor and regard other uses as suspicious. This algorithm also monitors any IP address lists that you provide as a custom list, as described in the ‘Custom List’ section that follows. |
Command and Control > Web Service > Bidirectional Communication | Host Watchlist | Scrutinizer | Plixer One Enterprise | Identifies hosts that have violated the internal host watchlist |
Command and Control > Web Service > Bidirectional Communication | NetFlow Domain Reputation | Scrutinizer | Plixer One Core | A blacklisted domain has been detected in NetFlow traffic |
Credential Access > Adversary-in-the-Middle > DHCP Spoofing | Rogue DHCP Service | Plixer Machine Learning | Plixer One Enterprise | Finds rogue DHCP services that may not be known or desired on a network |
Credential Access > Adversary-in-the-Middle > DHCP Spoofing | Rogue LDAP Service | Plixer Machine Learning | Plixer One Enterprise | Finds rogue LDAP services that may not be known or desired on a network |
Credential Access > Brute Force | Breach Attempt Detection | Scrutinizer | Plixer One Core | This algorithm examines flow behaviors that may indicate a brute force password attack on an internal IP address. It does so by examining the flow, byte, and packet counts exchanged in short-duration completed flows between one source and one destination, with specific behaviors observed for common attack vectors such as SSH, LDAP and RDP. If the number of flows that match these characteristics exceeds the alarm threshold, an alarm is raised. The default flow count threshold is 100. Either IP address can be excluded from triggering this alarm. |
Credential Access > Brute Force > Password Cracking | Zerologon | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those associated with Zerologon malware |
Credential Access > Brute Force > Password Guessing | Brute-force RDP (Client-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a client trying to gain access to RDP via a brute force attack |
Credential Access > Brute Force > Password Guessing | Brute-force RDP (Server-side TCP) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an RDP (TCP) brute force attack |
Credential Access > Brute Force > Password Guessing | Brute-force RDP (Server-side UDP) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an RDP (UDP) brute force attack |
Credential Access > Brute Force > Password Guessing | Brute-force SSH (Client-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a client trying to gain access to SSH via a brute force attack |
Credential Access > Brute Force > Password Guessing | Brute-force SSH (Server-side) | Plixer Machine Learning | Plixer One Enterprise | Detects a server experiencing an SSH brute force attack |
Credential Access > Brute Force > Password Guessing | SMB Brute-force Attempt | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects a client trying to gain access to an SMB server via brute force password guessing |
Credential Access > Credential Dumping | Successful Credential Theft Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects successful attempts at stealing user credentials |
Defense Evasion > Non-Application Layer Protocol | A client was using an unusual port | Plixer FlowPro Defender | Plixer One Enterprise | Detects when a client is using an unusual port for a given well-known protocol (e.g. a client sending HTTP requests over a non-standard port) |
Defense Evasion > Obfuscated Files or Information | A suspicious filename was detected | Plixer FlowPro Defender | Plixer One Enterprise | A suspicious filename is detected that is often related to known malware families |
Discovery > Network Service Scanning | Detection of a Network Scan | Plixer FlowPro Defender | Plixer One Enterprise | Detects network scanning activities (e.g. a large number of requests to different ports on a single machine or on multiple machines) |
Discovery > Network Service Scanning | FIN Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a FIN scan is detected. FIN scans are often used as reconnaissance prior to an attack. They are considered a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | ICMP Port Unreachable (Internal) | Scrutinizer | Plixer One Core | This alarm is generated when a large number of ICMP destination unreachable messages have been sent to the suspect IP address. This may happen as a result of scanning activity, misconfiguration, or network errors. ICMP Destination Unreachable is a message that comes back from a destination host or the destination host's gateway to indicate that the destination is unreachable for one reason or another. The default threshold is 100 destination unreachable messages. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | NULL Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a NULL scan is detected. A NULL scan is a TCP scan with all TCP flags cleared to zero. This scan is often used as reconnaissance prior to an attack. NULL scans are considered a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | Odd TCP Flags (Internal) | Scrutinizer | Plixer One Core | Alerts when a scan is detected using unusual TCP flag combinations. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | RST/ACK Detection (Internal) | Scrutinizer | Plixer One Core | Alerts when a large number of TCP flows containing only the RST and ACK flags have been detected being sent to a single destination. These flows indicate that a connection attempt was made on the host sending the RST/ACK flow and was rejected. This algorithm may detect other scan types used by an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | Slow Port Scan (Internal) | Scrutinizer | Plixer One Enterprise | Detects when a large number of ports have been probed on the target machine over a long period of time. This alert could indicate malicious activity or reconnaissance for lateral movement. |
Discovery > Network Service Scanning | SYN Port Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. A SYN scan is a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | TCP Half-Open (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. A SYN scan is a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | TCP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a possible TCP scan is detected from an exporter that does not provide TCP flag information. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Network Service Scanning | UDP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a possible UDP scan is detected. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. NOTE: if your policy allows P2P traffic on your network, you will likely want to exclude the allowed host(s) or disable this alarm, as it will often detect P2P control traffic as a UDP Scan violation. |
Discovery > Network Service Scanning | Xmas Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when an XMAS scan is detected. An XMAS scan is a TCP scan with the FIN, PSH, and URG TCP flags set. This scan is often used as reconnaissance prior to an attack. XMAS scans are considered a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Remote System Discovery | Device Retrieving External IP Address Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects devices retrieving their external IP addresses (e.g. a device making a request to a whatismyip service, commonly used in malware reconnaissance and exfiltration) |
Discovery > Remote System Discovery | ICMP Destination Unreachable (Internal) | Scrutinizer | Plixer One Core | This alarm is generated when a large number of ICMP destination unreachable messages have been sent to the suspect IP address. This may happen as a result of scanning activity, misconfiguration, or network errors. ICMP Destination Unreachable is a message that comes back from a destination host or the destination host's gateway to indicate that the destination is unreachable for one reason or another. The default threshold is 100 destination unreachable messages. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Remote System Discovery | Lateral Movement Behavior | Plixer Machine Learning | Plixer One Enterprise | Detects a host moving laterally inside a network during a reconnaissance phase |
Discovery > Remote System Discovery | Ping Scan (Internal) | Scrutinizer | Plixer One Enterprise | Alerts when a host is suspected of performing a ping scan. A ping scan uses ICMP Echo Requests (ping) to discover which IPs are in use on a network. This behavior is commonly demonstrated by attackers attempting to find targets for compromise or lateral movement. |
Discovery > Remote System Discovery | SYN IP Scan (Internal) | Scrutinizer | Plixer One Core | Alerts when a SYN scan is detected. A SYN scan is a TCP scan with the TCP SYN flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Discovery > Remote System Discovery | Worm Activity | Plixer Machine Learning | Plixer One Enterprise | Network traffic patterns appear to indicate worm malware propagating throughout the network |
Discovery > System Network Connections Discovery | Lateral Movement Attempt | Scrutinizer | Plixer One Enterprise | Identifies behavior from a host that could be attempted lateral movement. |
Endpoint Data | Endpoint Analytics Info | Endpoint Analytics | Plixer One Enterprise | Informational messages from Endpoint Analytics |
Execution > Command and Scripting Interpreter | Reverse SSH Shell | Scrutinizer | Plixer One Enterprise | Identifies possible reverse SSH tunnels to external destinations. A reverse SSH tunnel gives an external entity access to internal, protected resources through an established outbound SSH connection. |
Execution > Exploitation for Client Execution | Exploit Kit Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects known exploit kit activities |
Execution > Exploitation for Client Execution | SIGRed Exploit Attempt | Plixer Machine Learning | Plixer One Enterprise | Detects malformed DNS query responses that could be used to exploit SIGRed |
Execution > System Services | A system call was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects when a potential system call was made (e.g. x86 shellcode found in a network payload) |
Execution > System Services | Executable code was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects when executable binary shellcode is found in a network payload |
Execution > User Execution > Malicious File | ML Engine exploit kit alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those associated with the RigEK + Ramnit exploit kit |
Execution > User Execution > Malicious Link | Blocked Malicious Domains | Plixer Machine Learning | Plixer One Enterprise | A known malicious domain has been blocked by the Plixer DNS proxy |
Exfiltration > Exfiltration Over Alternative Protocol | Data Exfiltration | Plixer Machine Learning | Plixer One Enterprise | A host is exfiltrating large amounts of data to an external host |
Exfiltration > Exfiltration Over Alternative Protocol | DNS Data Leak Detection | Scrutinizer | Plixer One Core | This algorithm monitors the practice of encoding information into a DNS lookup message that is not intended to return a valid IP address or to make an actual connection to a remote device. When this happens, your local DNS server fails to find the DNS name in its cache and passes the name out of your network, where it eventually reaches the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a ‘no existing domain’ response or return a non-routable address. FlowPro Defender uses proprietary detection algorithms to identify suspicious DNS names that may contain encoded data, and passes this information to Scrutinizer, where it is processed by the DNS Data Leak algorithm. Thresholds may be set based either on the number of suspicious DNS names or on the number of bytes observed in the suspicious DNS names within a three-minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes. |
FlowPro Event Captured | FlowPro Event Capture | Plixer FlowPro Defender | Plixer One Enterprise | A user-defined FlowPro capture rule. |
Forecast Events | Forecast Anomaly | Plixer Machine Learning | Plixer One Enterprise | An anomaly outside the range of a network forecast has been detected |
Impact > Data Encrypted for Impact | Ransomware Behavior | Plixer Machine Learning, Plixer FlowPro Defender | Plixer One Enterprise | Detects a client accessing an SMB share and potentially encrypting files |
Impact > Endpoint Denial of Service > Application or System Exploitation | Detection of a Denial of Service Attack | Plixer FlowPro Defender | Plixer One Enterprise | Detects Denial of Service (DoS) attacks |
Impact > Endpoint Denial of Service > Application or System Exploitation | Large Ping | Scrutinizer | Plixer One Enterprise | Alerts on the observation of unusually large ICMP Echo Request (ping) packets. This alert could indicate malicious activity within the network, including possible Denial of Service (DoS) attempts. |
Impact > Network Denial of Service | DDoS | Scrutinizer | Plixer One Core | Identifies generic Distributed Denial of Service (DDoS) attacks targeted at your protected network space. Refer to the DRDoS algorithm for detection of the more common Distributed Reflection DoS attacks. Note that the DDoS algorithm may take a long time to run depending on the exporters selected. Four settings adjust the sensitivity of the DDoS detection algorithm. DDoS Packet Deviation (default 10) and DDoS Bytes Deviation (default 10) control how similar the flows associated with the attack must be: for attacks that are not reflection attacks, the standard deviation of the packet counts and of the byte counts of the flows must be less than these settings. Reflection attacks ignore these settings. DDoS Packets (default 4) is the minimum number of packets each source must have sent to be counted as part of a DDoS attack; sensitivity can be reduced by raising this setting to six or higher. DDoS Unique Hosts is the minimum number of hosts that must have sent flows matching the other characteristics before the alarm triggers. |
Impact > Network Denial of Service | Denial of Service | Plixer FlowPro Defender | Plixer One Enterprise | A known threat vector has been observed indicating that a DoS attempt has been successful |
Impact > Network Denial of Service | DRDoS | Scrutinizer | Plixer One Core | Identifies Distributed Reflection Denial of Service (DRDoS) attacks targeted at your protected network space. DRDoS attacks are often launched by a BotNet, and ‘reflection attacks’ have become the most common form of DoS attack. Scrutinizer identifies attacks against your network as ‘reflection attacks’ if they meet the criteria. DRDoS attacks are detected by an imbalance between the number of queries sent to external UDP services often used for DRDoS attacks and the number of replies observed. If the number of replies exceeds the number of requests by the threshold, a DRDoS alarm is triggered. |
Impact > Network Denial of Service | Packet Flood | Scrutinizer | Plixer One Enterprise | Alerts when a packet flood is detected. A packet flood is characterized by a large volume of small packets intended to overwhelm the target’s ability to process legitimate traffic. |
Impact > Network Denial of Service | Ping Flood | Scrutinizer | Plixer One Enterprise | Alerts when a ping flood is detected. A ping flood is characterized by a large volume of ICMP Echo Requests intended to overwhelm the target’s ability to process legitimate traffic. |
Impact > Resource Hijacking | Crypto Currency Mining Activity Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects cryptocurrency mining activities (e.g. traffic to known mining pools) |
Impact > Resource Hijacking | ML Engine coin miner alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those associated with the XMRig coin miner |
Indicators of Compromise | Bogon Attempt | Scrutinizer | Plixer One Enterprise | Alerts if traffic to or from unallocated public IP space is detected |
Indicators of Compromise | Bogon Connection | Scrutinizer | Plixer One Enterprise | Alerts if traffic to or from unallocated public IP space is detected |
Indicators of Compromise | Denied Flows Firewall | Scrutinizer | Plixer One Core | Triggers an alarm for internal IP addresses sending to external IP addresses that cause more than the threshold number of denied flows. The default threshold is 5 denied flows. Either the source or destination IP address can be excluded from triggering this alarm. |
Indicators of Compromise | P2P Detection | Scrutinizer | Plixer One Core | Peer to Peer (P2P) traffic such as BitTorrent is identified by this algorithm. The default threshold is a P2P session involving over 100 external hosts, which detects most P2P applications. Several P2P applications are stealthier, however, so you may want to experiment with lower thresholds or periodically lower the threshold to about 20 to determine whether other ‘low and slow’ P2P traffic is on your network. |
Initial Access > Drive-by Compromise | Possibly Unwanted Program Detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects potentially unwanted programs (e.g. various spyware applications) |
Initial Access > Exploit Public-Facing Application | Access to a potentially vulnerable web application | Plixer FlowPro Defender | Plixer One Enterprise | Detects access to a potentially vulnerable web application (e.g. an Apache ?M=D directory listing attempt) |
Initial Access > Exploit Public-Facing Application | Web Application Attack | Plixer FlowPro Defender | Plixer One Enterprise | Detects a possible web application attack (e.g. a SQL injection attack on a web application, or shellcode found in a URI) |
Initial Access > Phishing | Targeted Malicious Activity was Detected | Plixer FlowPro Defender | Plixer One Enterprise | Fires when targeted malicious activity is detected (e.g. Advanced Persistent Threats (APTs) that try to remain undetected on a network) |
Initial Access > User Execution | A Network Trojan was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects known network Trojans. Plixer default rules contain over 10,000 different trojan detections out of the box |
Initial Access > User Execution | Possible Social Engineering Attempted | Plixer FlowPro Defender | Plixer One Enterprise | Detects possible social engineering attempts (e.g. a phishing email, fake tech support landing pages, etc.) |
Initial Access > Valid Accounts | An attempted login using a suspicious username was detected | Plixer FlowPro Defender | Plixer One Enterprise | Detects a suspicious network login, such as a TELNET root login |
Initial Access > Valid Accounts | Attempted User Privilege Gain | Plixer FlowPro Defender | Plixer One Enterprise | Detects attempts to gain user-level privileges (e.g. a non-admin user trying to gain admin privileges) |
Initial Access > Valid Accounts | Attempt to login by a default username and password | Plixer FlowPro Defender | Plixer One Enterprise | Detects attempts to log in to services using known default credentials (e.g. login attempts with username admin and password admin) |
Lateral Movement > Exploitation of Remote Services | Lateral Movement | Scrutinizer | Plixer One Enterprise | Identifies successful lateral movement. |
Lateral Movement > Remote Services | Decode of an RPC Query | Plixer FlowPro Defender | Plixer One Enterprise | Detects decoded Remote Procedure Call (RPC) portmap activity |
ML Engine Malware Detection | ML Engine malware alert | Plixer Machine Learning | Plixer One Enterprise | Detects traffic signatures similar to those of well-known malware |
Privilege Escalation > Valid Accounts | Attempted Denial of Service | Plixer FlowPro Defender | Plixer One Enterprise | Detects attempts to make a machine or network resource unavailable (e.g. a sudden surge in traffic from various sources) |
Privilege Escalation > Valid Accounts | Successful Administrator Privilege Gain | Plixer FlowPro Defender | Plixer One Enterprise | Detects when administrator-level access has been successfully gained (e.g. a new user created with admin privileges) |
Privilege Escalation > Valid Accounts | Successful User Privilege Gain | Plixer FlowPro Defender | Plixer One Enterprise | Detects when user-level privileges have been successfully gained (e.g. Metasploit Meterpreter activity detected) |
Privilege Escalation > Valid Accounts | Unsuccessful User Privilege Gain | Plixer FlowPro Defender | Plixer One Enterprise | Detects when an attempt to gain user-level privileges is unsuccessful (e.g. an RPC rlogin login failure) |
Reconnaissance > Active Scanning > IPs | Attempted Information Leak | Plixer FlowPro Defender | Plixer One Enterprise | Detects attempts to gain unauthorized access to information (e.g. a request for a list of all users or data) |
Reconnaissance > Active Scanning > IPs | ICMP Destination Unreachable (External) | Scrutinizer | Plixer One Core | This alarm is generated when a large number of ICMP destination unreachable messages have been sent to the suspect IP address. This may happen as a result of scanning activity, misconfiguration, or network errors. ICMP Destination Unreachable is a message that comes back from a destination host or the destination host's gateway to indicate that the destination is unreachable for one reason or another. The default threshold is 100 destination unreachable messages. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > IPs |
Ping Scan (External) |
Scrutinizer |
Plixer One Enterprise |
Alerts when a host is suspected of performing a ping scan. A ping scan uses ICMP Echo Requests (ping) to discover what IPs are in use on a network. The behavior is commonly demonstrated by attackers attempting to find targets for compromise or lateral movement. |
Reconnaissance > Active Scanning > IPs |
SYN IP Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a SYN scan is detected. SYN scans are a TCP scan with the TCP SYN Flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
FIN Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a FIN scan is detected. FIN scans are often used as reconnaissance prior to an attack. They are considered to be a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
ICMP Port Unreachable (External) |
Scrutinizer |
Plixer One Core |
This alarm is generated when a large number of ICMP port unreachable messages (ICMP Destination Unreachable, code 3) have been sent to the suspect IP address. A host returns port unreachable when a datagram arrives for a port with no listener, so a burst of them directed at one address is typical of a UDP port scan, but may also result from misconfiguration or network errors. The default threshold is 100 such messages. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
Information Leak |
Plixer FlowPro Defender |
Plixer One Enterprise |
Detects when a limited information leak has occurred (e.g. possible ipconfig output was detected in an HTTP response) |
Reconnaissance > Active Scanning > Ports |
Large Scale Information Leak |
Plixer FlowPro Defender |
Plixer One Enterprise |
Detects when a large scale information leak has occurred (e.g. a full Wordpress DB has been exported as XML) |
Reconnaissance > Active Scanning > Ports |
NULL Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a NULL scan is detected. NULL scans are a TCP scan with all TCP Flags cleared to zero. This scan is often used as reconnaissance prior to an attack. They are considered to be a ‘stealthy scan’ as they may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
Odd TCP Flags (External) |
Scrutinizer |
Plixer One Core |
Alerts when a scan is detected using unusual TCP Flag combinations. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
RST/ACK Detection (External) |
Scrutinizer |
Plixer One Core |
Alerts when a large number of TCP flows containing only the RST and ACK flags have been detected being sent to a single destination. Each such flow is a host rejecting a connection attempt, so the destination of the RST/ACK flows is the probable scanner. This algorithm may therefore catch scan types that the flag-specific policies above do not. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
Slow Port Scan (External) |
Scrutinizer |
Plixer One Enterprise |
Detects when a large number of ports have been probed on the target machine over a long period of time. This alert could indicate malicious activity or reconnaissance for lateral movement. |
Reconnaissance > Active Scanning > Ports |
SYN Port Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a SYN scan is detected. SYN scans are a TCP scan with the TCP SYN Flag set. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
TCP Half-Open (External) |
Scrutinizer |
Plixer One Core |
Alerts when a TCP half-open scan is detected. A half-open scan sends a SYN and, on receiving SYN/ACK, answers with RST instead of the final ACK, so the target never sees an established connection and may not log the attempt. This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthy. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
TCP Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a possible TCP scan is detected from an exporter that does not provide TCP Flag information. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Reconnaissance > Active Scanning > Ports |
UDP Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when a possible UDP scan is detected. These types of scans may allow an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. NOTE: if your policy allows P2P traffic on your network, then you will likely want to exclude the allowed host(s) or disable this alarm as it will often detect P2P control traffic as a UDP Scan violation. |
Reconnaissance > Active Scanning > Ports |
Xmas Scan (External) |
Scrutinizer |
Plixer One Core |
Alerts when an Xmas scan is detected. An Xmas scan is a TCP scan with the FIN, PSH, and URG flags set and neither SYN nor ACK. This scan is often used as reconnaissance prior to an attack. It is considered a ‘stealthy scan’ as it may be able to pass through firewalls, allowing an attacker to identify additional information about hosts on your network. The default threshold is 100 unique scan flows in three minutes. Internal IP addresses that are allowed to scan your internal network, such as security team members and vulnerability scanners, should be entered into the IP exclusions list. Either the source or destination IP address can be excluded from triggering this alarm. |
Resource Development > Acquire Infrastructure > DNS Server |
Rogue DNS Service |
Plixer Machine Learning |
Plixer One Enterprise |
Find rogue DNS services that may not be known or desired on a network |
Resource Development > Compromise Accounts |
Azure user logged on from many hosts |
Plixer Machine Learning |
Plixer One Enterprise |
Authentications from more hosts than normal in the past 30 minutes |
Resource Development > Compromise Accounts |
Azure user logged on from many locations |
Plixer Machine Learning |
Plixer One Enterprise |
More locations authenticated from in the past 30 minutes than normal |
Resource Development > Compromise Accounts |
Azure user logged on many times |
Plixer Machine Learning |
Plixer One Enterprise |
More authentications than normal in the past 30 minutes |
Resource Development > Compromise Accounts |
New user using elevated logon |
Plixer Machine Learning |
Plixer One Enterprise |
New LDAP user logging in with elevated privileges |
Resource Development > Compromise Accounts |
Office 365 user logged in many times |
Plixer Machine Learning |
Plixer One Enterprise |
More authentications than normal in the past 30 minutes |
Resource Development > Compromise Accounts |
Office 365 user logged on from many hosts |
Plixer Machine Learning |
Plixer One Enterprise |
Authentications from more hosts than normal in the past 30 minutes |
Resource Development > Compromise Accounts |
Office 365 users logged on from many locations |
Plixer Machine Learning |
Plixer One Enterprise |
More locations authenticated from in the past 30 minutes than normal |
Resource Development > Compromise Accounts |
Privileged user logged on from many hosts |
Plixer Machine Learning |
Plixer One Enterprise |
LDAP Authentications from more hosts than normal in the past 30 minutes |
Resource Development > Compromise Accounts |
Privileged user logged on many times |
Plixer Machine Learning |
Plixer One Enterprise |
More LDAP authentications than normal in the past 30 minutes |
Security Events |
Auto Investigate |
Scrutinizer |
Plixer One Core |
This algorithm correlates potential sequences of events into overall security incidents using the event policy classes, targets, and violators. |
System |
Access and Audit Events |
Plixer One System |
Plixer One Core |
All user access and activity can be logged and reviewed |
System |
Bad Exporter Flow |
Plixer One System |
Plixer One Core |
An exporter sent a flow record with invalid values |
System |
Bad Exporter Packet |
Plixer One System |
Plixer One Core |
An exporter sent a packet with invalid values |
System |
Bad Exporter Template |
Plixer One System |
Plixer One Core |
An exporter sent a template with invalid values |
System |
Collector Alert |
Plixer One System |
Plixer One Core |
Warnings about collector status |
System |
Collector Message |
Plixer One System |
Plixer One Core |
Informational messages from collectors |
System |
Configuration Alert |
Plixer One System |
Plixer One Core |
Warnings about Scrutinizer configuration |
System |
Cstore Strays |
Plixer One System |
Plixer One Core |
Scrutinizer has detected orphaned history files |
System |
Diskspace Alert |
Plixer One System |
Plixer One Core |
Scrutinizer is running low on disk space |
System |
Event Queue Alert |
Scrutinizer |
Plixer One Core |
Event Queue Alert |
System |
Exporter Ignored |
Plixer One System |
Plixer One Core |
Flows were received from an exporter that is not enabled for collection |
System |
Exporter Paused |
Plixer One System |
Plixer One Core |
Exporter has been paused due to Low Resources |
System |
Exporter Resumed |
Plixer One System |
Plixer One Core |
Exporter has been resumed after Low Resources |
System |
Feature Set Paused |
Plixer One System |
Plixer One Core |
Feature Set has been paused due to Low Resources |
System |
Feature Set Resumed |
Plixer One System |
Plixer One Core |
Feature Set has been resumed after Low Resources |
System |
Flow Collection Paused |
Plixer One System |
Plixer One Core |
Flow Collection Paused due to Low Resources |
System |
Flow Collection Resumed |
Plixer One System |
Plixer One Core |
Flow Collection Resumed |
System |
Flow Inactivity |
Plixer One System |
Plixer One Core |
Flow Inactivity alarms when flows have not been seen in 30 minutes. |
System |
Flow Rate Limit Changed |
Plixer One System |
Plixer One Core |
Flow Rate Limit Changed |
System |
Flows Limited - Licensing |
Plixer One System |
Plixer One Core |
Flows were limited due to licensing restrictions |
System |
Hardware Resources Exceeded |
Plixer One System |
Plixer One Core |
Hardware Resources Exceeded |
System |
Heartbeat Alert |
Plixer One System |
Plixer One Enterprise |
Warnings about API or DB heartbeats in a distributed environment |
System |
Host Index Disk Availability Error |
Plixer One System |
Plixer One Core |
Disk space allocated to host indexing is full and indexing has been paused. Manage Host Index disk allocation under Admin > Alarm Monitor > Flow Analytics Configuration > Host Indexing |
System |
Host Index Disk Space Error |
Plixer One System |
Plixer One Core |
Disk space allocated to host indexing is full and indexing has been paused. Manage Host Index disk allocation under Admin > Alarm Monitor > Flow Analytics Configuration > Host Indexing |
System |
Host Index Disk Space Warning |
Plixer One System |
Plixer One Core |
Disk space allocated to host indexing is close to full. Manage Host Index disk allocation under Admin > Alarm Monitor > Flow Analytics Configuration > Host Indexing |
System |
Kafka Lag |
Plixer Machine Learning |
Plixer One Enterprise |
ML data stream processing has fallen behind |
System |
ML Engine alert |
Plixer Machine Learning |
Plixer One Enterprise |
The ML Engine has reached the maximum number of models it can process. Increase the pod’s maximum under Admin > Settings > ML Data Limits. |
System |
ML Engine Down |
Plixer Machine Learning |
Plixer One Enterprise |
The ML Engine is not responding to heartbeat status checks |
System |
ML models still building |
Plixer Machine Learning |
Plixer One Enterprise |
The ML Engine needs to start building models for the current schedule, but the last schedule isn’t finished yet. The replica count config values should be increased. |
System |
ML Service Alert |
Plixer Machine Learning |
Plixer One Enterprise |
The ML Engine has found that some required services are not available |
System |
Runtime Overrun |
Plixer One System |
Plixer One Core |
A scheduled task is taking longer than the time allotted |
System |
Scheduled Task Error |
Plixer One System |
Plixer One Core |
An error occurred while processing a scheduled task |
System |
Setup Problem |
Plixer Machine Learning |
Plixer One Enterprise |
An issue was detected during the setup process |
System |
Stream Deactivated |
Plixer Machine Learning |
Plixer One Enterprise |
Stream has been deactivated |
System |
Stream Reactivated |
Plixer Machine Learning |
Plixer One Enterprise |
Stream has been reactivated |
System |
System Capacity |
Plixer Machine Learning |
Plixer One Enterprise |
The ML Engine is low on resources |
System |
TLS Certificate Expiry |
Plixer One System |
Plixer One Core |
Alert when a TLS certificate is about to expire |
System |
Token Expiration |
Plixer One System |
Plixer One Core |
An API token has expired |
Thresholds |
Forecast Task Complete |
Plixer Machine Learning |
Plixer One Enterprise |
A network forecast task has completed |
Thresholds |
Forecast Task Error |
Plixer Machine Learning |
Plixer One Enterprise |
An error occurred while processing a network forecast |
Thresholds |
Forecast Task Starting |
Plixer Machine Learning |
Plixer One Enterprise |
Forecasting backend status update |
Thresholds |
Interface Threshold Violation |
Scrutinizer |
Plixer One Core |
Alerts when an interface exceeds a utilization threshold |
Thresholds |
IP Address Violations |
Scrutinizer |
Plixer One Core |
This algorithm compares the traffic from included exporters against a list of allowed subnets. If both source and destination addresses are outside of an allowed subnet, an alarm will be triggered. A common use of this algorithm is to identify unknown or unauthorized internal network addresses that are communicating with the public Internet. |
Thresholds |
Medianet Jitter Violations |
Scrutinizer |
Plixer One Core |
This algorithm compares the jitter values as reported by the Medianet flows to the threshold defined by the user in the Settings section of this algorithm. The default threshold is 80 ms. |
Thresholds |
Report Threshold Violation |
Scrutinizer |
Plixer One Core |
Alerts when a saved report exceeds its configured threshold |
Unexpected Network Traffic |
Plixer Network Intelligence Anomaly |
Plixer Machine Learning |
Plixer One Enterprise |
Anomalous behavior detected by Plixer Network Intelligence |
Unexpected Network Traffic |
Plixer Security Intelligence Anomaly |
Plixer Machine Learning |
Plixer One Enterprise |
Anomalous behavior detected by Plixer Security Intelligence |
Unexpected Network Traffic |
Source Equals Destination |
Scrutinizer |
Plixer One Enterprise |
Alerts when traffic is observed that has the same source and destination addresses. This alarm commonly occurs due to misconfigurations within a network, but may also indicate possible malicious activity. |
Unexpected Network Traffic |
Suspicious Host Communication |
Plixer Machine Learning |
Plixer One Enterprise |
This alert signifies that the mlEngine’s deep learning model, which applies GraphSAGE on network data, detected an anomalous communication pattern between host X and host Y over the specified protocol. It flags deviations from established network behaviors, such as unusual traffic volumes or protocol activities, which may indicate potential security threats like malware operations or unauthorized access. This detection is based on analyzing the relationships and data flow patterns in the network to identify outliers that could compromise security. |
Unexpected Network Traffic |
Unapproved Protocol |
Scrutinizer |
Plixer One Core |
An unapproved protocol was detected in NetFlow traffic |
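The scan policies in the table above (SYN Port Scan, TCP Half-Open, FIN Scan, NULL Scan, Xmas Scan, Odd TCP Flags, RST/ACK Detection) all share one shape: classify a flow by its TCP flags, count unique scan flows per suspect in a three-minute window, compare against a threshold of 100, and skip anything on the IP exclusions list. The block below is an added illustration of that logic written for this page; it is not Plixer's code. It assumes that a flow record carries the union of TCP flags seen over its life (NetFlow v5 `tcp_flags` / IPFIX `tcpControlBits`), that a "unique scan flow" is a distinct (destination, destination port) pair, and that the window is a fixed three-minute bucket rather than a sliding one. The `Flow` layout and the sample traffic are constructed for the example.

```python
"""Flag-based scan classifier with a windowed threshold (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits in the order they appear in the flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP = 6


@dataclass(frozen=True)
class Flow:
    """Assumed flow-record layout; real exporters carry many more fields."""
    ts: int        # flow start time, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: int     # IP protocol number, 6 = TCP
    flags: int     # cumulative TCP flags for the whole flow


def classify(flow):
    """Map a flow to (policy name, suspect address), or None for normal traffic."""
    if flow.proto != TCP:
        return None
    f = flow.flags & 0x3F
    if f == RST | ACK:
        # The target answering a rejected connection attempt: the scanner is the
        # *destination* of these flows, so that address is the suspect.
        return "RST/ACK Detection", flow.dst
    if f & ACK:
        # A flow that ever carried ACK got at least part-way through a handshake.
        return None
    probes = {SYN: "SYN Port Scan", FIN: "FIN Scan", 0: "NULL Scan",
              FIN | PSH | URG: "Xmas Scan"}
    # Anything else with no ACK (SYN|FIN, SYN|RST, a lone URG, ...) is an odd combination.
    return probes.get(f, "Odd TCP Flags"), flow.src


def detect(flows, threshold=100, window=180, exclusions=frozenset()):
    """Return (window start, policy, suspect, unique probes) for each policy/suspect
    pair that reaches `threshold` unique (dst, dport) probes inside one window.
    Flows whose source or destination is in `exclusions` are ignored, which is
    how approved vulnerability scanners are kept out of the alarms."""
    probes = defaultdict(set)   # (bucket, policy, suspect) -> {(dst, dport)}
    for fl in flows:
        if fl.src in exclusions or fl.dst in exclusions:
            continue
        hit = classify(fl)
        if hit is None:
            continue
        policy, suspect = hit
        probes[(fl.ts // window, policy, suspect)].add((fl.dst, fl.dport))
    return sorted((bucket * window, policy, suspect, len(targets))
                  for (bucket, policy, suspect), targets in probes.items()
                  if len(targets) >= threshold)


def sample_flows():
    """Constructed traffic: a SYN scanner, the target's RST/ACK replies, an
    approved scanner doing the same thing, and ordinary completed sessions."""
    t0 = 1_700_000_100                       # a multiple of 180, so one bucket
    flows = []
    for port in range(1, 151):
        t = t0 + port % 120                  # 150 probes inside two minutes
        flows.append(Flow(t, "10.0.0.5", "192.0.2.10", port, TCP, SYN))
        flows.append(Flow(t, "192.0.2.10", "10.0.0.5", 40000 + port, TCP, RST | ACK))
        flows.append(Flow(t, "10.0.0.9", "192.0.2.10", port, TCP, SYN))
    for i in range(50):
        flows.append(Flow(t0 + i, "10.0.0.7", "192.0.2.10", 443, TCP, SYN | ACK | PSH | FIN))
    return flows


if __name__ == "__main__":
    for alarm in detect(sample_flows(), exclusions={"10.0.0.9"}):
        print(*alarm)
```

With `10.0.0.9` on the exclusion list the run reports two alarms against `10.0.0.5`: its own SYN probes, and the 150 RST/ACK replies the target sent back to it. Remove the exclusion and the approved scanner produces a third alarm, which is the behaviour the "IP exclusions list" sentence in each policy is there to prevent.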
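The "IP Address Violations" policy (alarm when both endpoints fall outside the allowed subnets) and the "Source Equals Destination" policy (alarm when a flow's two addresses are the same) are both simple address checks, but two details matter in practice: addresses should be compared as parsed addresses rather than strings, so that different spellings of the same IPv6 host still match, and violations should be aggregated per violator so that a chatty host yields one alarm rather than thousands. The block below is an added example for this page, not Plixer's code; the allowed-subnet list and the sample flows are assumptions.

```python
"""Allowed-subnet and source-equals-destination checks over flow pairs (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed: the subnets the organisation considers its own; anything else is "outside".
ALLOWED = [ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "2001:db8::/32")]


def check_flow(src, dst, allowed=ALLOWED):
    """Return the policy names that one flow violates.

    Addresses are parsed so that "2001:db8::1" and "2001:0db8:0:0::1" compare
    equal; a string comparison would miss that."""
    s, d = ip_address(src), ip_address(dst)
    hits = []
    if s == d:
        hits.append("Source Equals Destination")
    if not any(s in net for net in allowed) and not any(d in net for net in allowed):
        # Neither end is ours: an unknown address reaching the Internet through
        # an exporter we own, or a spoofed / misrouted flow.
        hits.append("IP Address Violations")
    return hits


def scan(flows, allowed=ALLOWED):
    """Aggregate violations per (policy, violating source). `flows` is an
    iterable of (src, dst) pairs; the result maps (policy, src) -> flow count."""
    counts = Counter()
    for src, dst in flows:
        for policy in check_flow(src, dst, allowed):
            counts[(policy, src)] += 1
    return dict(counts)


SAMPLE_FLOWS = [                          # constructed sample
    ("10.0.0.5", "203.0.113.9"),          # internal host to the Internet: fine
    ("203.0.113.9", "10.0.0.5"),          # reply direction: fine
    ("172.16.4.2", "203.0.113.9"),        # RFC 1918 but not in ALLOWED: violation
    ("172.16.4.2", "198.51.100.7"),       # same host again: aggregated, not a new alarm
    ("2001:db8::1", "2001:0db8:0:0::1"),  # same IPv6 host written two ways
    ("192.168.1.1", "192.168.1.1"),       # LAN address talking to itself
]

if __name__ == "__main__":
    for (policy, host), n in sorted(scan(SAMPLE_FLOWS).items()):
        print(f"{policy}: {host} ({n} flows)")
```

Note that an address that is both outside the allowed list and equal to its peer trips both policies; keeping the two checks independent is deliberate, since they point at different misconfigurations.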
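The Azure, Office 365 and privileged-user sign-in policies in the table above are all phrased as "more than normal in the past 30 minutes", for hosts, for locations, or for raw authentication counts. The page does not describe how the ML engine defines "normal", so the block below is an added example of one reasonable reading, not Plixer's method: a per-user baseline of distinct values per active 30-minute window, a mean plus k standard deviations threshold, and a floor so that a user who normally appears from one host does not alarm on a second. The event layout, the rule, and the sample sign-in log are all assumptions.

```python
"""Per-user baseline vs. current 30-minute window for sign-in fan-out (added example)."""
import statistics
from collections import defaultdict

WINDOW = 30 * 60   # seconds, matching the 30-minute window the policies use


def per_window(events, key):
    """Group (ts, user, attrs) sign-in events into per-user windows and collect
    the distinct values of attrs[key] (host, location, ...) seen in each.
    Returns {(user, window index): set of values}."""
    seen = defaultdict(set)
    for ts, user, attrs in events:
        seen[(user, ts // WINDOW)].add(attrs[key])
    return seen


def baseline(history, key):
    """Per-user (mean, population stdev) of distinct `key` values per active window."""
    counts = defaultdict(list)
    for (user, _), values in per_window(history, key).items():
        counts[user].append(len(values))
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in counts.items()}


def flag(current, base, key, sigmas=3.0, floor=3):
    """Return (user, window start, distinct values) for windows above
    mean + sigmas*stdev.  `floor` keeps a baseline of "always one host" from
    firing on a second host; a user with no baseline is judged against zero,
    so a brand-new account fanning out across hosts is still reported."""
    alarms = []
    for (user, idx), values in sorted(per_window(current, key).items()):
        mean, sd = base.get(user, (0.0, 0.0))
        if len(values) >= floor and len(values) > mean + sigmas * sd:
            alarms.append((user, idx * WINDOW, len(values)))
    return alarms


def sample_events():
    """Constructed sign-in log: 20 windows of history, then one current window
    in which alice appears from six hosts and bob from two."""
    t0 = 1_700_000_000 - 1_700_000_000 % WINDOW           # window-aligned start
    history = []
    for w in range(20):
        start = t0 + w * WINDOW
        hosts = ["alice-laptop", "alice-desktop"][: 1 + w % 2]   # alternately 1 and 2 hosts
        history += [(start + 60 * i, "alice", {"host": h, "loc": "Boston"})
                    for i, h in enumerate(hosts)]
        history.append((start + 30, "bob", {"host": "bob-laptop", "loc": "Boston"}))
    now = t0 + 20 * WINDOW
    current = [(now + 10 * i, "alice", {"host": f"host-{i}", "loc": "Boston"})
               for i in range(6)]
    current += [(now + 5, "bob", {"host": "bob-laptop", "loc": "Boston"}),
                (now + 400, "bob", {"host": "kiosk-7", "loc": "Boston"})]
    return history, current


if __name__ == "__main__":
    history, current = sample_events()
    for alarm in flag(current, baseline(history, "host"), "host"):
        print("logged on from many hosts:", *alarm)
```

Running the same functions with `key="loc"` gives the "from many locations" variant, and replacing the set of values with a plain event count gives "logged on many times"; the baseline and threshold logic is unchanged. In the sample, alice's history averages 1.5 hosts per window with a standard deviation of 0.5, so six hosts in one window clears the threshold of 3.0, while bob's two hosts stay under the floor.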