Suspect Protocol Activity detection descriptions

This page explains the different Suspect Protocol Activity (SPA) detections that can appear in the platform and serves as a one-pager for the SPA detections.

Vectra Suspect Protocol Activity detections are detections that Vectra can rapidly create and deploy to customers who are not air-gapped. For more information on enabling SPA detections, see Suspect Protocol Activity Detections (Feature Overview).

Scored vs Info SPA Detections:

Some SPA detections are scored, while others are provided as informational. Scored detections influence host prioritization and are typically used when the underlying behavior is both meaningful and not overly noisy. Informational detections, on the other hand, highlight notable activity without directly contributing to risk scores. This distinction helps ensure that scoring remains focused on high-confidence behaviors that warrant immediate attention, while still surfacing valuable context through informational detections.

Please expand/collapse each section below to see descriptions of the triggers, possible root causes, business impact, and steps to verify for each SPA detection type:

Suspect HTTP Activity Detections:


Triggers:

  • Suspect HTTP Activity Detections are based upon the HTTP protocol.

  • These are high-fidelity indicators that usually look for malicious User-Agents, specific unique byte values within HTTP payloads, or other positive indicators in the HTTP headers.

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over the HTTP protocol.

  • Breach simulation software that emulates known malware and C2 frameworks over HTTP.

Business Impact:

  • Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

  • Examine the Detection page to validate whether the HTTP detection details are consistent with public threat intelligence sources.

  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.

  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.

  • Check if the user has knowingly installed the malware or is using the tool named in the detection title.

  • Scan the endpoint for signs of malware and validate the process that is associated with the network connection documented in the detection.

Suspect HTTPS Activity Detections:


Triggers:

  • Suspect HTTPS Activity Detections are based upon the HTTPS (TLS/SSL) protocol.

  • These are high-fidelity indicators that usually look for known certificates or attributes of the TLS/SSL negotiation associated with malware and attack tools.

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over the HTTPS protocol.

  • Breach simulation software that emulates known malware and C2 frameworks over HTTPS.

Business Impact:

  • Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

  • Examine the Detection page to validate whether the HTTPS detection details are consistent with public threat intelligence sources.

  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.

  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.

  • Check if the user has knowingly installed the malware or is using the tool named in the detection title.

  • Scan the endpoint for signs of malware and validate the process that is associated with the network connection documented in the detection.

Suspect TCP Activity Detections:


Triggers:

  • Suspect TCP Activity Detections are based upon TCP traffic that is not HTTP or HTTPS; those protocols are covered by the respective Suspect HTTP and Suspect HTTPS Activity detections.

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over the TCP Protocol.

  • Breach simulation software that emulates known malware and C2 frameworks over the TCP protocol.

Business Impact:

  • Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

  • Examine the Detection page to validate whether the TCP detection details are consistent with public threat intelligence sources.

  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.

  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.

  • Check if the user has knowingly installed the malware or is using the tool named in the detection title.

  • Scan the endpoint for signs of malware and validate the process that is associated with the network connection documented in the detection.

Suspect DNS Activity Detections:


Triggers:

  • Suspect DNS Activity Detections are based upon the DNS protocol, carried over either TCP or UDP.

Possible Root Causes:

  • A host is compromised with malware and initiates a connection to an external resource over DNS.

  • Breach simulation software that emulates known malware and C2 frameworks over the DNS protocol.

Business Impact:

  • Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

  • Examine the Detection page to validate whether the DNS detection details are consistent with public threat intelligence sources.

  • Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.

  • Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.

  • Check if the user has knowingly installed the malware or is using the tool named in the detection title.

  • Scan the endpoint for signs of malware and validate the process that is associated with the network connection documented in the detection.

Suspect LDAP Activity Detections:


Triggers:

  • Suspect LDAP Activity Detections are based upon the LDAP protocol.

  • These are high-fidelity indicators that usually look for malicious LDAP requests and responses.

Possible Root Causes:

  • A host is compromised and queries directory information in the Active Directory environment over LDAP.

  • Scheduled scripts or automation using service accounts.

Business Impact:

  • Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

Steps to Verify:

  • Check if the source Host/IP is expected to perform LDAP directory queries.

  • Check for recent login activity or changes on the source Host/IP.

  • Check if the LDAP queries match known administrative scripts or job schedules.

  • Examine the query volume and timestamps for abnormal behaviors.

  • Look for follow-on behavior like remote logins or privilege escalation.

Suspect Kerberos Activity Detections:


Triggers:

  • Suspect Kerberos Activity Detections are based upon the Kerberos protocol, carried over TCP, UDP, or HTTP.

Possible Root Causes:

  • A host is compromised and queries directory information in the Active Directory environment over Kerberos.

  • Scheduled scripts or automation using service accounts.

Business Impact:

  • Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

Steps to Verify:

  • Check if the source Host/IP is expected to perform Kerberos directory queries.

  • Check for recent login activity or changes on the source Host/IP.

  • Check if the Kerberos queries match known administrative scripts or job schedules.

  • Examine the query volume and timestamps for abnormal behaviors.

  • Look for follow-on behavior like remote logins or privilege escalation.

Suspect NTLM Activity Detections:


Triggers:

  • Suspect NTLM Activity Detections are based upon the NTLM protocol, carried over SMB, HTTP, TLS, LDAP, or DCERPC.

Possible Root Causes:

  • A host is compromised, captures the NTLM handshake, and relays the credentials to other services.

  • Legacy systems or applications relying on NTLM.

Business Impact:

  • Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

Steps to Verify:

  • Check if the source Host/IP is expected to use NTLM.

  • Check for recent login activity or changes on the source Host/IP.

  • Check if the NTLM queries match known administrative scripts or job schedules.

  • Examine the query volume and timestamps for abnormal behaviors.

  • Look for follow-on behavior like remote logins or privilege escalation.

Suspect SMB Activity Detections:


Triggers:

  • Suspect SMB Activity Detections are based upon the SMB protocol.

Possible Root Causes:

  • A host is compromised and attempts to move laterally throughout the organization using SMB.

  • A host is compromised and attempts to exfiltrate data using SMB.

  • Expected file sharing between users or departments.

Business Impact:

  • Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

Steps to Verify:

  • Check if the source Host/IP is expected to use SMB.

  • Check for recent login activity or changes on the source Host/IP.

  • Check if the SMB queries match known administrative scripts or job schedules.

  • Examine the query volume and timestamps for abnormal behaviors.

  • Look for follow-on behavior like remote logins or privilege escalation.

Suspect Brute Force Activity Detections:


Triggers:

  • Suspect Brute Force Activity Detections require multiple authentication requests to the same account in a short period and can target various protocols such as SMB, LDAP, FTP, RDP, SSH, and HTTP.

Possible Root Causes:

  • A host is compromised and attempts to gain unauthorized access to a single account by guessing credentials.

Business Impact:

  • Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

Steps to Verify:

  • Determine if login attempts were to privileged accounts (e.g., admin, service accounts).

  • Review the login success/failure pattern: is there a successful login after many failures?

  • Look for known brute force tools (e.g., Hydra, Medusa, CrackMapExec) in logs or telemetry.

  • Check if this user or IP has triggered similar detections previously.
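As an added example (not Vectra's own detection logic), the following Python sketch applies the trigger described above, repeated authentication failures against one account in a short window, and the "successful login after many failures" verification step to constructed authentication events. The threshold, window, event format, and the privileged-account naming hint are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry):
# (timestamp, source IP, protocol, target account, result)
EVENTS = [
    ("2024-05-01T09:00:00", "10.0.0.5", "SMB", "svc_backup", "FAIL"),
    ("2024-05-01T09:00:02", "10.0.0.5", "SMB", "svc_backup", "FAIL"),
    ("2024-05-01T09:00:03", "10.0.0.5", "SMB", "svc_backup", "FAIL"),
    ("2024-05-01T09:00:05", "10.0.0.5", "SMB", "svc_backup", "FAIL"),
    ("2024-05-01T09:00:06", "10.0.0.5", "SMB", "svc_backup", "FAIL"),
    ("2024-05-01T09:00:09", "10.0.0.5", "SMB", "svc_backup", "SUCCESS"),
    # Slow failures spread over 20 minutes: below the burst threshold.
    ("2024-05-01T09:10:00", "10.0.0.7", "RDP", "jdoe", "FAIL"),
    ("2024-05-01T09:30:00", "10.0.0.7", "RDP", "jdoe", "FAIL"),
    ("2024-05-01T09:31:00", "10.0.0.7", "RDP", "jdoe", "SUCCESS"),
]

# Assumed naming convention for privileged/service accounts (constructed).
PRIVILEGED_HINTS = ("admin", "svc_")

def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Report each (source, account) pair with >= threshold failures inside a
    sliding time window, and whether a SUCCESS followed the failure burst."""
    by_key = defaultdict(list)
    for ts, src, proto, account, result in events:
        by_key[(src, account)].append((datetime.fromisoformat(ts), proto, result))
    findings = []
    for (src, account), rows in by_key.items():
        rows.sort()
        fails = [t for t, _, r in rows if r == "FAIL"]
        start, burst = 0, None
        for end in range(len(fails)):          # slide the window over failures
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (fails[start], fails[end])
                break
        if burst is None:
            continue
        findings.append({
            "source": src,
            "account": account,
            "protocols": sorted({p for _, p, _ in rows}),
            "failures_in_window": sum(burst[0] <= t <= burst[1] for t in fails),
            # The verification step: did a login succeed after the burst?
            "success_after_failures": any(r == "SUCCESS" and t > burst[1]
                                          for t, _, r in rows),
            "privileged_account": account.lower().startswith(PRIVILEGED_HINTS),
        })
    return findings
```

Tuning `threshold` and `window` to the environment's normal failure rate is what keeps a check like this from flagging routine typos while still catching the rapid-fire pattern the detection describes.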
