Connection templates
Templates for building policies based on user network connections.
DNS exfiltration
Requirements: Agent version 7.4.0 or later
Detects when DNS traffic is used to exfiltrate data.
Parameter | Type | Description |
---|---|---|
Domain parameters | ||
Authorized domains | Advanced asset list | A list of domains for which all DNS traffic is authorized. Subdomains of these will match. DNS traffic for domains or subdomains in this list will not be classified as suspicious. |
Machine learning parameters | ||
Machine learning model | Asset | A classification model to detect DNS exfiltration. |
Detection threshold | Float | The threshold used for detecting malicious DNS traffic. Values less than 1 will require more abnormal DNS traffic to generate a detection and values greater than 1 will require less abnormal traffic. Decreasing the threshold will result in fewer domains being classified as suspicious, and vice versa. |
Tactic | Technique | Sub-technique |
---|---|---|
[TA0010 (Exfiltration)](https://attack.mitre.org/tactics/TA0010/) | [T1048 (Exfiltration Over Alternative Protocol)](https://attack.mitre.org/techniques/T1048/) | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by hostname | Disabled |
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Periodic outgoing TCP connection detected
Requirements: Agent version 6.1.0 or later
Detects when a periodic outgoing TCP connection is made.
Subsequent detections and actions for the same process and IP address will not be generated until at least one day after the first detection/action.
Parameter | Type | Description |
---|---|---|
Remote host parameters | ||
Hostnames | Advanced asset list | A list of domains that the node is authorized or unauthorized to make periodic connections to. Subdomains will match. Case-insensitive matching is used. |
IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) that the node is authorized or unauthorized to make periodic connections to. |
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to make periodic connections. Case-insensitive matching is used. |
Machine learning parameters | ||
Minimum period length monitored | Integer | The minimum number of seconds between consecutive outgoing TCP connections made by a process. Connections at intervals shorter than this duration will not be monitored. |
Minimum authorized period length | Integer | The minimum number of seconds that is authorized between consecutive outgoing TCP connections made by a process. Intervals longer than this duration will not be monitored. |
Confidence | Float | The level of confidence in the periodicity of the connection. Choose a value between 1 and 100, where a higher value requires more confidence for a detection to be generated. |
Tactic | Technique | Sub-technique |
---|---|---|
[TA0011 (Command and Control)](https://attack.mitre.org/tactics/TA0011/) | [T1071 (Application Layer Protocol)](https://attack.mitre.org/techniques/T1071/) | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by hostname | Disabled |
Cluster by destination IP | Disabled |
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
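The parameters above describe the shape of the check but not how periodicity is judged. The following is an added illustration, not the product's own code or algorithm: it groups connections per (binary, remote IP), keeps only the gaps that fall inside the monitored band between "Minimum period length monitored" and "Minimum authorized period length", scores regularity as 100 × (1 − coefficient of variation) so that 100 means perfectly even spacing, and models the allow lists and the one-day re-detection suppression. The class and function names, the scoring formula and the sample events are all this example's own assumptions.

```python
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ONE_DAY = 24 * 3600  # "at least one day" re-detection suppression


@dataclass
class PeriodicPolicy:
    """Hypothetical policy object; parameter names mirror the table above."""
    authorized_ips: List[str]            # CIDR strings, e.g. "192.0.2.0/24"
    authorized_binaries: List[str]       # e.g. ["chrome.exe"], matched case-insensitively
    min_period_monitored: int            # seconds; shorter gaps are ignored
    min_authorized_period: int           # seconds; longer gaps are ignored
    confidence: float                    # 1-100, required score for a detection
    _last_detection: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def _authorized(self, binary: str, ip: str) -> bool:
        """Allow-listed binaries and destinations are never examined."""
        if binary.lower() in {b.lower() for b in self.authorized_binaries}:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net, strict=False) for net in self.authorized_ips)

    def periodicity_confidence(self, timestamps: List[float]) -> float:
        """0-100 score: 100 means perfectly regular gaps inside the monitored band."""
        ts = sorted(timestamps)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        gaps = [g for g in gaps if self.min_period_monitored <= g <= self.min_authorized_period]
        if len(gaps) < 3:                # too few gaps to call anything periodic
            return 0.0
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean   # relative spread of the gaps
        return max(0.0, min(100.0, 100.0 * (1.0 - cv)))

    def evaluate(self, events: List[Tuple[float, str, str]]) -> List[Tuple[str, str, float]]:
        """events: (epoch seconds, binary name, remote IP). Returns (binary, ip, score) detections."""
        by_key: Dict[Tuple[str, str], List[float]] = defaultdict(list)
        for ts, binary, ip in events:
            by_key[(binary.lower(), ip)].append(ts)
        detections = []
        for (binary, ip), times in by_key.items():
            if self._authorized(binary, ip):
                continue
            score = self.periodicity_confidence(times)
            if score < self.confidence:
                continue
            now = max(times)
            last = self._last_detection.get((binary, ip))
            if last is not None and now - last < ONE_DAY:
                continue                 # same process + IP already reported within a day
            self._last_detection[(binary, ip)] = now
            detections.append((binary, ip, round(score, 1)))
        return detections


# Constructed sample connection log (not real traffic): (epoch seconds, binary, remote IP).
SAMPLE_EVENTS: List[Tuple[float, str, str]] = (
    # updater.exe connects every 300 s to a host on no allow list
    [(float(t), "updater.exe", "203.0.113.10") for t in range(0, 3000, 300)]
    # backup.exe is just as regular, but its destination is in an authorized subnet
    + [(float(t), "backup.exe", "192.0.2.50") for t in range(0, 3000, 600)]
    # chrome.exe is an authorized binary, so its timing is never examined
    + [(0.0, "chrome.exe", "198.51.100.7"), (40.0, "chrome.exe", "198.51.100.7"),
       (900.0, "chrome.exe", "198.51.100.7"), (950.0, "chrome.exe", "198.51.100.7")]
    # sync.exe is neither allow-listed nor regular: low score, no detection
    + [(0.0, "sync.exe", "198.51.100.20"), (120.0, "sync.exe", "198.51.100.20"),
       (700.0, "sync.exe", "198.51.100.20"), (800.0, "sync.exe", "198.51.100.20"),
       (1900.0, "sync.exe", "198.51.100.20")]
)


def make_policy() -> PeriodicPolicy:
    return PeriodicPolicy(authorized_ips=["192.0.2.0/24"], authorized_binaries=["chrome.exe"],
                          min_period_monitored=60, min_authorized_period=3600, confidence=90.0)


def run_sample() -> List[Tuple[str, str, float]]:
    """Evaluate the constructed log once with a fresh policy."""
    return make_policy().evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

Only the updater.exe stream is reported: backup.exe is equally regular but lands in an authorized subnet, chrome.exe is an authorized binary, and sync.exe's uneven gaps give a score far below the configured confidence. Calling `evaluate` again on the same policy within a day returns nothing, which is the suppression behaviour the text describes.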
Suspicious DNS request made
Requirements: Agent version 7.0.2 or later, Windows or Linux
Detects when an excessive number of DNS requests are made to a suspicious domain within a given time period.
A DNS request is defined as suspicious if the queried domain is non-existent and has a high entropy.
Subsequent detections and actions will not be generated until at least one hour after the first detection/action.
Parameter | Type | Description |
---|---|---|
Domain parameters | ||
Hostnames | Advanced asset list | A list of domains (e.g. example.com) that users are authorized to make requests about. Subdomains of these will match. DNS queries for domains or subdomains in this list will not be classified as suspicious. |
Top-level domains (TLDs) | Advanced asset list | A list of top-level domains (TLDs) that users are authorized or unauthorized to make requests about. For example, enter "com" to monitor requests to ".com" domains. Case-insensitive matching is used. If this field is empty, all queries to non-existent, high-entropy domains will be classified as suspicious. |
Machine learning parameters | ||
Time window (in minutes) | Integer | The number of minutes during which the maximum number of suspicious DNS requests must be exceeded. |
Maximum permitted suspicious DNS requests | Integer | The maximum number of suspicious DNS requests allowed during the given time period. |
Entropy threshold | Float | The maximum entropy a non-existent domain may have before it is classified as suspicious. Note: A higher entropy means that the domain name is more likely to be algorithmically generated. Increasing the threshold will result in fewer domains being classified as suspicious, and vice versa. |
Tactic | Technique | Sub-technique |
---|---|---|
[TA0011 (Command and Control)](https://attack.mitre.org/tactics/TA0011/) | [T1568 (Dynamic Resolution)](https://attack.mitre.org/techniques/T1568/) | [T1568.002 (Domain Generation Algorithms)](https://attack.mitre.org/techniques/T1568/002/) |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
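To make the interaction of the "Suspicious DNS request made" parameters concrete, here is an added example that is not the product's own code: a query counts as suspicious only when the response is NXDOMAIN, the name is not under an authorized hostname, its TLD is monitored (or the TLD list is empty) and the Shannon entropy of the part left of the TLD exceeds the threshold; a detection fires once more than the permitted number of suspicious queries fall inside a sliding window, and is then suppressed for an hour. The class, the entropy-over-labels choice and the sample resolver log are this example's assumptions; the real agent's entropy measure is not documented on this page.

```python
from __future__ import annotations

import math
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Set, Tuple


@dataclass
class SuspiciousDnsPolicy:
    """Hypothetical policy object; parameter names mirror the table above."""
    authorized_hostnames: Set[str]      # e.g. {"example.com"}; subdomains match
    monitored_tlds: Set[str]            # empty set = every TLD is monitored
    window_minutes: int                 # time window
    max_suspicious: int                 # maximum permitted suspicious requests in the window
    entropy_threshold: float
    cooldown_minutes: int = 60          # "at least one hour" re-detection suppression
    _events: Deque[float] = field(default_factory=deque)
    _last_detection: Optional[float] = None

    @staticmethod
    def shannon_entropy(text: str) -> float:
        """Shannon entropy in bits per character of the case-folded text."""
        text = text.lower()
        if not text:
            return 0.0
        n = len(text)
        return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

    def _authorized(self, domain: str) -> bool:
        d = domain.lower().rstrip(".")
        return any(d == a.lower() or d.endswith("." + a.lower())
                   for a in self.authorized_hostnames)

    def _tld_monitored(self, domain: str) -> bool:
        if not self.monitored_tlds:
            return True
        tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
        return tld in {t.lower().lstrip(".") for t in self.monitored_tlds}

    def is_suspicious(self, domain: str, rcode: str) -> bool:
        """NXDOMAIN + not authorized + monitored TLD + entropy above the threshold."""
        if rcode != "NXDOMAIN" or self._authorized(domain) or not self._tld_monitored(domain):
            return False
        labels = domain.lower().rstrip(".").split(".")
        # Entropy is measured over everything left of the TLD, the part a DGA randomises.
        body = "".join(labels[:-1]) or labels[0]
        return self.shannon_entropy(body) > self.entropy_threshold

    def observe(self, ts_minutes: float, domain: str, rcode: str) -> bool:
        """Feed one query (timestamp in minutes); True when a detection should be raised."""
        if not self.is_suspicious(domain, rcode):
            return False
        self._events.append(ts_minutes)
        # Drop suspicious queries that have fallen out of the sliding window.
        while self._events and ts_minutes - self._events[0] > self.window_minutes:
            self._events.popleft()
        if len(self._events) <= self.max_suspicious:
            return False
        if self._last_detection is not None and ts_minutes - self._last_detection < self.cooldown_minutes:
            return False                # suppressed: a detection fired less than an hour ago
        self._last_detection = ts_minutes
        return True


# Constructed sample resolver log (not real traffic): (minute, queried name, response code).
SAMPLE_LOG: List[Tuple[int, str, str]] = [
    (0, "www.example.com", "NOERROR"),
    (1, "qzx7k2v9pl4mwd8r.com", "NXDOMAIN"),
    (2, "t3f8h1j6n0b5y2c9.net", "NXDOMAIN"),
    (3, "mail.example.com", "NXDOMAIN"),   # under an authorized hostname: never suspicious
    (4, "aaaaaaaa.com", "NXDOMAIN"),        # non-existent but low entropy: a typo, not a DGA
    (5, "w4e7r1t0y9u3i6o2.org", "NXDOMAIN"),
    (6, "p8l2k5j9h3g1f4d7.com", "NXDOMAIN"),
]


def make_policy() -> SuspiciousDnsPolicy:
    return SuspiciousDnsPolicy(authorized_hostnames={"example.com"}, monitored_tlds=set(),
                               window_minutes=10, max_suspicious=3, entropy_threshold=3.5)


def run_sample() -> List[int]:
    """Return the minutes at which SAMPLE_LOG produces a detection."""
    policy = make_policy()
    return [ts for ts, name, rcode in SAMPLE_LOG if policy.observe(ts, name, rcode)]


if __name__ == "__main__":
    print("detections at minutes:", run_sample())
```

With a window of 10 minutes and 3 permitted suspicious requests, the fourth high-entropy NXDOMAIN at minute 6 is the one that produces a detection; the authorized `mail.example.com` lookup and the low-entropy `aaaaaaaa.com` typo never count, which is the tuning trade-off the "Entropy threshold" description is pointing at.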
TCP connection with high bandwidth
Requirements: Agent version 5.2.3 or later
Detects when a TCP connection is used to transfer a large amount of data.
Parameter | Type | Description |
---|---|---|
Traffic and connection direction parameters | ||
Monitor outgoing sent bytes | Boolean | The toggle to enable/disable monitoring of bytes sent in outgoing TCP connections. |
Monitor outgoing received bytes | Boolean | The toggle to enable/disable monitoring of bytes received in outgoing TCP connections. |
Monitor incoming sent bytes | Boolean | The toggle to enable/disable monitoring of bytes sent in incoming TCP connections. |
Monitor incoming received bytes | Boolean | The toggle to enable/disable monitoring of bytes received in incoming TCP connections. |
Bandwidth parameters | ||
Maximum permitted bytes sent in outgoing connection | Integer | The maximum number of bytes that can be sent in an outgoing TCP connection. |
Maximum permitted bytes received in outgoing connection | Integer | The maximum number of bytes that can be received in an outgoing TCP connection. |
Maximum permitted bytes sent in incoming connection | Integer | The maximum number of bytes that can be sent in an incoming TCP connection. |
Maximum permitted bytes received in incoming connection | Integer | The maximum number of bytes that can be received in an incoming TCP connection. |
Remote host parameters | ||
Remote IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) to/from which TCP connections are authorized or unauthorized. |
Hostnames | Advanced asset list | A list of hostnames to/from which TCP connections are authorized or unauthorized. |
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to make outgoing TCP connections. Case-insensitive matching is used. Note: This parameter is only relevant for outgoing connections. |
Tactic | Technique | Sub-technique |
---|---|---|
[TA0010 (Exfiltration)](https://attack.mitre.org/tactics/TA0010/) | [T1048 (Exfiltration Over Alternative Protocol)](https://attack.mitre.org/techniques/T1048/) | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by hostname | Disabled |
Cluster by remote IP | Disabled |
Cluster by local IP | Disabled |
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized TCP connection made
Requirements: Agent version 7.2.1 or later
Detects when a TCP connection is made to or from an unauthorized IP address or domain. A detection is generated for a connection that matches no allow list when its IP address or domain name is prohibited.
If you leave the "IP addresses", "Domains", "Ports to monitor", and "Grace period" parameters empty, the policy will not monitor any TCP connections.
Subsequent detections and actions for repeated connections to/from the same IP address and port number will not be generated until at least one day after the first detection/action.
Parameter | Type | Description |
---|---|---|
Connection direction parameters | ||
Monitor incoming TCP connections | Boolean | The toggle to enable/disable monitoring of incoming TCP connections. |
Monitor outgoing TCP connections | Boolean | The toggle to enable/disable monitoring of outgoing TCP connections. |
Network address parameters | ||
IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) to/from which TCP connections are authorized or unauthorized. |
Domains | Advanced asset list | A list of domain names (e.g. example.com) to which TCP connections are authorized or unauthorized. |
Ports to monitor | Advanced asset list | A list of port numbers to monitor. Remote port numbers will be monitored for outgoing TCP connections and local port numbers will be monitored for incoming TCP connections. An empty list will monitor all remote ports for outgoing TCP connections and local ports for incoming TCP connections. A range of port numbers can be specified by using a hyphen. For example, entering "22-44" and selecting "Prohibit listed ports" would monitor all port numbers from 22 through to 44 (inclusive). |
Connection duration parameters | ||
Grace period (in minutes) | Integer | The maximum duration allowed for an unauthorized TCP connection. |
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to make or receive TCP connections. Case-insensitive matching is used. |
Binary paths | Advanced asset list | A list of binary paths authorized or unauthorized to make or receive TCP connections. The match can use glob-style pattern matching rules (e.g. C:\Program Files (x86)\Google\** would match all applications under the Google folder). Case-insensitive matching is used. |
Called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to make or receive TCP connections. Case-sensitive matching is used. |
Tactic | Technique | Sub-technique |
---|---|---|
[TA0011 (Command and Control)](https://attack.mitre.org/tactics/TA0011/) | [T1071 (Application Layer Protocol)](https://attack.mitre.org/techniques/T1071/) | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by remote IP | Disabled |
Cluster by destination IP | Disabled |
Cluster by source IP | Disabled |
Cluster by local IP | Disabled |
Cluster by remote port | Disabled |
Cluster by destination port | Disabled |
Cluster by source port | Disabled |
Cluster by local port | Disabled |
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
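The "Unauthorized TCP connection made" parameters combine in ways that are easy to get wrong when tuning: which port is checked depends on direction, port entries may be ranges, IP lists are CIDR matched, binary paths use case-insensitive glob patterns and nothing is reported until the connection outlives the grace period. The following added example (not the product's own code) models one configuration of those lists in "prohibit listed" mode for IPs and domains and "authorize listed" mode for binary paths; the class, the `parse_ports` helper and the sample connections are this example's assumptions, and the page says nothing about how the agent itself evaluates them.

```python
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


def parse_ports(entries: Iterable[str]) -> Set[int]:
    """Expand entries such as "443" or "22-44" into a set of inclusive port numbers."""
    ports: Set[int] = set()
    for entry in entries:
        lo, _, hi = entry.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port entry: {entry!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


@dataclass(frozen=True)
class Connection:
    """One observed TCP connection (constructed record shape, not an agent event)."""
    direction: str              # "incoming" or "outgoing"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    remote_domain: Optional[str]
    binary_path: str
    duration_minutes: float


@dataclass
class UnauthorizedTcpPolicy:
    """Hypothetical policy object; parameter names mirror the table above."""
    monitor_incoming: bool
    monitor_outgoing: bool
    prohibited_ips: List[str]            # CIDRs, "prohibit listed" mode
    prohibited_domains: List[str]        # suffix match, "prohibit listed" mode
    prohibited_ports: Set[int]           # from parse_ports(); empty set = all ports
    grace_period_minutes: int
    authorized_binary_paths: List[str]   # glob patterns, case-insensitive

    def _ip_listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.prohibited_ips)

    def _domain_listed(self, domain: Optional[str]) -> bool:
        if not domain:
            return False
        d = domain.lower().rstrip(".")
        return any(d == p.lower() or d.endswith("." + p.lower()) for p in self.prohibited_domains)

    def _binary_authorized(self, path: str) -> bool:
        # fnmatch's "*" crosses path separators, so "...\Google\**" covers the whole subtree.
        return any(fnmatch.fnmatchcase(path.lower(), pat.lower()) for pat in self.authorized_binary_paths)

    def evaluate(self, conn: Connection) -> Optional[str]:
        """Return a reason string when the connection should be detected, else None."""
        if conn.direction == "incoming" and not self.monitor_incoming:
            return None
        if conn.direction == "outgoing" and not self.monitor_outgoing:
            return None
        # Remote port for outgoing connections, local port for incoming ones.
        port = conn.remote_port if conn.direction == "outgoing" else conn.local_port
        if self.prohibited_ports and port not in self.prohibited_ports:
            return None
        if self._binary_authorized(conn.binary_path):
            return None
        if conn.duration_minutes < self.grace_period_minutes:
            return None                  # still inside the grace period
        if self._ip_listed(conn.remote_ip):
            return f"prohibited IP {conn.remote_ip}:{port}"
        if self._domain_listed(conn.remote_domain):
            return f"prohibited domain {conn.remote_domain}:{port}"
        return None


def make_policy() -> UnauthorizedTcpPolicy:
    return UnauthorizedTcpPolicy(
        monitor_incoming=True, monitor_outgoing=True,
        prohibited_ips=["203.0.113.0/24"], prohibited_domains=["example.net"],
        prohibited_ports=parse_ports(["22-44", "8080"]), grace_period_minutes=5,
        authorized_binary_paths=[r"C:\Program Files (x86)\Google\**"])


def run_sample() -> List[Tuple[str, Optional[str]]]:
    """Evaluate constructed sample connections (not real traffic); returns (label, verdict)."""
    policy = make_policy()
    samples = [
        ("listed-ip", Connection("outgoing", "10.0.0.5", 51000, "203.0.113.9", 22, None, r"C:\Tools\putty.exe", 12.0)),
        ("in-grace", Connection("outgoing", "10.0.0.5", 51001, "203.0.113.9", 22, None, r"C:\Tools\putty.exe", 2.0)),
        ("unmonitored-port", Connection("outgoing", "10.0.0.5", 51002, "203.0.113.9", 443, None, r"C:\Tools\putty.exe", 30.0)),
        ("authorized-binary", Connection("outgoing", "10.0.0.5", 51003, "203.0.113.9", 8080, None,
                                         r"C:\Program Files (x86)\Google\Chrome\chrome.exe", 30.0)),
        ("listed-domain", Connection("outgoing", "10.0.0.5", 51004, "198.51.100.4", 8080, "cdn.example.net",
                                     r"C:\Tools\curl.exe", 9.0)),
        ("incoming-local-port", Connection("incoming", "10.0.0.5", 30, "203.0.113.77", 40000, None,
                                           r"C:\Windows\System32\svchost.exe", 10.0)),
    ]
    return [(label, policy.evaluate(c)) for label, c in samples]


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{label:20s} -> {verdict}")
```

The six constructed connections each exercise one rule: a listed IP on a monitored port is reported, the same connection inside the grace period is not, a port outside the "22-44" and "8080" entries is ignored, an authorized binary path short-circuits everything, a domain suffix match is reported with the port that was actually checked, and for an incoming connection it is the local port (30, inside 22-44) rather than the remote port that decides whether the connection is monitored.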