The following tables list indicators that display when a potentially malicious activity is detected for JA3 and SSL Subject entities.
Note: Indicators are keyed on the JA3 hash of the TLS client; in some instances a single JA3 hash maps to more than one client application.
Indicator | Entity Type | Alert Type | Description |
---|---|---|---|
Abnormal Traffic Volume Sent from IP to SSL Subject | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to an SSL Subject. |
Abnormal Traffic Volume Sent from IP to Domain | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a domain and SSL Subject. |
*Abnormal Traffic Volume Sent from IP to Organization | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to an organization and SSL Subject. |
Abnormal Traffic Volume Sent from IP to Port | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a port and SSL Subject. |
Abnormal Traffic Volume Sent to SSL Subject | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an SSL Subject. |
Abnormal Traffic Volume Sent to Domain | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a domain and SSL Subject. |
Abnormal Traffic Volume Sent to Port | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a port and SSL Subject. |
*Abnormal Traffic Volume Sent to Organization | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an organization and SSL Subject. |
Abnormal Traffic Volume Sent from JA3 | JA3 | Data Exfiltration | Abnormal number of bytes sent from JA3. |
High Number of IPs Use JA3 | JA3 | C&C | An abnormally high number of IPs use JA3. |
*Abnormal SSL Subject for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal SSL Subject. |
*Abnormal Domain for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal domain. |
*Abnormal Destination Port for Source Netname | SSL Subject and JA3 | C&C | A source netname contacted an abnormal destination port. |
*Abnormal Organization for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal organization. |
*Abnormal Country for SSL Subject | SSL Subject and JA3 | Phishing | An SSL Subject was contacted with an abnormal destination country. |
Abnormal Destination Port for SSL Subject | SSL Subject and JA3 | C&C | An SSL Subject was contacted through an abnormal destination port. |
Abnormal Time for SSL Subject | SSL Subject and JA3 | Non-Standard Hours | An SSL Subject was contacted at an abnormal time. |
Abnormal Destination Port for Domain | SSL Subject and JA3 | C&C | A domain was accessed through an abnormal destination port. |
*Abnormal Destination Port for Organization | SSL Subject and JA3 | C&C | An organization was accessed through an abnormal destination port. |
Abnormal Time for JA3 | SSL Subject and JA3 | Non-Standard Hours | JA3 was used at an abnormal time. |
*Abnormal JA3 for Source Netname | SSL Subject and JA3 | C&C | A source netname utilized an abnormal client application. |
Abnormal SSL Subject for JA3 | SSL Subject and JA3 | Phishing | JA3 contacted an abnormal SSL Subject. |
Abnormal Domain for JA3 | SSL Subject and JA3 | Phishing | JA3 contacted an abnormal domain. |
Abnormal Destination Port for JA3 | SSL Subject and JA3 | C&C | JA3 contacted an abnormal destination port. |
High Number of IPs Contact a New SSL Subject | SSL Subject | C&C | Abnormal number of IPs contacted a new SSL Subject. |
High Number of IPs Contact a New Domain | SSL Subject | C&C | Abnormal number of IPs contacted a new domain. |
High Number of IPs Contact a New Organization | SSL Subject | C&C | Abnormal number of IPs contacted a new organization. |
High Number of IPs Contact a New Port | SSL Subject | C&C | Abnormal number of IPs contacted a new port. |
Abnormal Traffic Volume Sent from an IP to a New SSL Subject | SSL Subject | Data Exfiltration | Abnormal number of bytes sent from an IP to a new SSL Subject. |
Abnormal Traffic Volume Sent from an IP to a New Domain | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent from an IP to a new domain. |
Abnormal Traffic Volume Sent from an IP to a New Port | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent from an IP to a new port. |
Abnormal Traffic Volume Sent from an IP to a New Organization | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent from an IP to a new organization. |
Abnormal Traffic Volume Sent to a New SSL Subject | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent to a new SSL Subject. |
Abnormal Traffic Volume Sent to a New Domain | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent to a new domain. |
Abnormal Traffic Volume Sent to a New Port | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent to a new port. |
Abnormal Traffic Volume Sent to a New Organization | SSL Subject | Data Exfiltration | Abnormal number of bytes were sent to a new organization for an SSL Subject. |
Abnormal Traffic Volume Sent from a New JA3 | JA3 | Data Exfiltration | Abnormal number of bytes were sent from a new JA3. |
Note: Indicators marked with an asterisk (*) are not supported in 11.5.1.