UEBA: Network Indicators

Document created by RSA Information Design and Development Employee on Nov 11, 2020

The following table lists the indicators that UEBA raises when potentially malicious activity is detected for JA3 and SSL Subject entities. Each indicator is keyed to an entity type (the entity the baseline is built for), an alert type (the category the alert is filed under), and a description of the anomaly that triggers it.

Note: JA3 indicators key on the JA3 hash, and in some instances one JA3 hash maps to more than one client application, so a JA3 indicator identifies a TLS client fingerprint rather than a specific program.

| Indicator | Entity Type | Alert Type | Description |
|---|---|---|---|
| Abnormal Traffic Volume Sent from IP to SSL Subject | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to an SSL Subject. |
| Abnormal Traffic Volume Sent from IP to Domain | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a domain and SSL Subject. |
| *Abnormal Traffic Volume Sent from IP to Organization | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to an organization and SSL Subject. |
| Abnormal Traffic Volume Sent from IP to Port | SSL Subject | Data Exfiltration | An IP address in the organization sent an unexpectedly high amount of data to a port and SSL Subject. |
| Abnormal Traffic Volume Sent to SSL Subject | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an SSL Subject. |
| Abnormal Traffic Volume Sent to Domain | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a domain and SSL Subject. |
| Abnormal Traffic Volume Sent to Port | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to a port and SSL Subject. |
| *Abnormal Traffic Volume Sent to Organization | SSL Subject | Data Exfiltration | An unexpectedly high amount of data was sent to an organization and SSL Subject. |
| Abnormal Traffic Volume Sent from JA3 | JA3 | Data Exfiltration | An abnormal number of bytes was sent from a JA3. |
| High Number of IPs Use JA3 | JA3 | C&C | An abnormally high number of IPs use a JA3. |
| *Abnormal SSL Subject for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal SSL Subject. |
| *Abnormal Domain for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal domain. |
| *Abnormal Destination Port for Source Netname | SSL Subject and JA3 | C&C | A source netname contacted an abnormal destination port. |
| *Abnormal Organization for Source Netname | SSL Subject and JA3 | Phishing | A source netname contacted an abnormal organization. |
| *Abnormal Country for SSL Subject | SSL Subject and JA3 | Phishing | An SSL Subject was contacted with an abnormal destination country. |
| Abnormal Destination Port for SSL Subject | SSL Subject and JA3 | C&C | An SSL Subject was contacted through an abnormal destination port. |
| Abnormal Time for SSL Subject | SSL Subject and JA3 | Non-Standard Hours | An SSL Subject was contacted at an abnormal time. |
| Abnormal Destination Port for Domain | SSL Subject and JA3 | C&C | A domain was accessed through an abnormal destination port. |
| *Abnormal Destination Port for Organization | SSL Subject and JA3 | C&C | An organization was accessed through an abnormal destination port. |
| Abnormal Time for JA3 | SSL Subject and JA3 | Non-Standard Hours | A JA3 was used at an abnormal time. |
| *Abnormal JA3 for Source Netname | SSL Subject and JA3 | C&C | A source netname used an abnormal client application. |
| Abnormal SSL Subject for JA3 | SSL Subject and JA3 | Phishing | A JA3 contacted an abnormal SSL Subject. |
| Abnormal Domain for JA3 | SSL Subject and JA3 | Phishing | A JA3 contacted an abnormal domain. |
| Abnormal Destination Port for JA3 | SSL Subject and JA3 | C&C | A JA3 contacted an abnormal destination port. |
| High Number of IPs Contact a New SSL Subject | SSL Subject | C&C | An abnormal number of IPs contacted a new SSL Subject. |
| High Number of IPs Contact a New Domain | SSL Subject | C&C | An abnormal number of IPs contacted a new domain. |
| High Number of IPs Contact a New Organization | SSL Subject | C&C | An abnormal number of IPs contacted a new organization. |
| High Number of IPs Contact a New Port | SSL Subject | C&C | An abnormal number of IPs contacted a new port. |
| Abnormal Traffic Volume Sent from an IP to a New SSL Subject | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a new SSL Subject. |
| Abnormal Traffic Volume Sent from an IP to a New Domain | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a new domain. |
| Abnormal Traffic Volume Sent from an IP to a New Port | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a new port. |
| Abnormal Traffic Volume Sent from an IP to a New Organization | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent from an IP to a new organization. |
| Abnormal Traffic Volume Sent to a New SSL Subject | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new SSL Subject. |
| Abnormal Traffic Volume Sent to a New Domain | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new domain. |
| Abnormal Traffic Volume Sent to a New Port | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new port. |
| Abnormal Traffic Volume Sent to a New Organization | SSL Subject | Data Exfiltration | An abnormal number of bytes was sent to a new organization for an SSL Subject. |
| Abnormal Traffic Volume Sent from a New JA3 | JA3 | Data Exfiltration | An abnormal number of bytes was sent from a new JA3. |

Note: Indicators marked with an asterisk (*) are not supported in 11.5.1.
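The table tells you what each indicator reacts to but not how a baseline is turned into an alert. The following is an added illustration, not RSA NetWitness UEBA code, of how two of the indicator families above can be scored from flat TLS session records: "Abnormal Traffic Volume Sent from IP to SSL Subject" (bytes per source IP and SSL Subject per day) and "High Number of IPs Use JA3" (distinct source IPs per JA3 hash per day). The scoring rule (flag a day that exceeds the entity's own mean plus three standard deviations), the session records and the JA3 placeholder strings are all constructed assumptions; the real product's statistical model is not described on this page.

```python
"""Illustrative anomaly scoring for two UEBA network indicator families.
Added example, not RSA NetWitness UEBA code. The session records, the placeholder
JA3 values and the mean + z*stdev rule are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholder fingerprints, not real JA3 hashes.
JA3_COMMON = "ja3-hash-A"
JA3_RARE = "ja3-hash-B"


def _session(day, src_ip, ja3, ssl_subject, dst_port, nbytes):
    return {"day": day, "src_ip": src_ip, "ja3": ja3,
            "ssl_subject": ssl_subject, "dst_port": dst_port, "bytes": nbytes}


SESSIONS = []
# Days 1-5: steady daily volume from two internal IPs to two SSL Subjects.
for day, (b1, b2) in enumerate([(1000, 2000), (1100, 2100), (900, 1900),
                                (1050, 2000), (950, 2000)], start=1):
    SESSIONS.append(_session(day, "10.0.0.5", JA3_COMMON, "CN=update.example.com", 443, b1))
    SESSIONS.append(_session(day, "10.0.0.7", JA3_COMMON, "CN=mail.example.com", 443, b2))
# Day 6: 10.0.0.5 suddenly pushes 50 KB to its usual subject; 10.0.0.7 stays normal.
SESSIONS.append(_session(6, "10.0.0.5", JA3_COMMON, "CN=update.example.com", 443, 50000))
SESSIONS.append(_session(6, "10.0.0.7", JA3_COMMON, "CN=mail.example.com", 443, 2050))
# A second client fingerprint is seen from 2-3 IPs per day, then from 40 IPs on day 6.
for day, n_ips in enumerate([2, 3, 2, 3, 2, 40], start=1):
    for i in range(1, n_ips + 1):
        SESSIONS.append(_session(day, f"10.0.1.{i}", JA3_RARE, "CN=cdn.example.net", 443, 300))


def per_day(sessions, entity_key, value, reduce):
    """Build {entity: {day: reduce(values)}} from flat session records."""
    buckets = defaultdict(lambda: defaultdict(list))
    for s in sessions:
        buckets[entity_key(s)][s["day"]].append(value(s))
    return {e: {d: reduce(v) for d, v in days.items()} for e, days in buckets.items()}


def flag_abnormal(series, score_day, z=3.0, min_history=3):
    """Return {entity: (observed, threshold)} for entities whose score_day value exceeds
    mean + z*stdev of that entity's earlier days. Entities with too little history are
    skipped: a first-seen entity belongs to the "... to a New ..." indicators, which need
    a different rule than a per-entity volume baseline."""
    flagged = {}
    for entity, days in series.items():
        history = [v for d, v in days.items() if d < score_day]
        if len(history) < min_history or score_day not in days:
            continue
        mu = mean(history)
        # Floor the spread at 5% of the mean so a perfectly flat history does not
        # turn every tiny fluctuation into an alert.
        spread = max(pstdev(history), 0.05 * mu)
        threshold = mu + z * spread
        if days[score_day] > threshold:
            flagged[entity] = (days[score_day], threshold)
    return flagged


def abnormal_volume_by_ip_and_subject(sessions, score_day):
    """'Abnormal Traffic Volume Sent from IP to SSL Subject': bytes per (src_ip, subject) per day."""
    series = per_day(sessions, lambda s: (s["src_ip"], s["ssl_subject"]),
                     lambda s: s["bytes"], sum)
    return flag_abnormal(series, score_day)


def high_ip_count_per_ja3(sessions, score_day):
    """'High Number of IPs Use JA3': distinct source IPs per JA3 hash per day."""
    series = per_day(sessions, lambda s: s["ja3"], lambda s: s["src_ip"],
                     lambda ips: len(set(ips)))
    return flag_abnormal(series, score_day)


if __name__ == "__main__":
    for name, hits in (("volume", abnormal_volume_by_ip_and_subject(SESSIONS, 6)),
                       ("ja3 fan-in", high_ip_count_per_ja3(SESSIONS, 6))):
        for entity, (observed, threshold) in hits.items():
            print(f"{name}: {entity} observed={observed} threshold={threshold:.1f}")
```

Two design points carry over to any implementation of these indicators. First, the entity key decides which row of the table you are reproducing: the same `flag_abnormal` scores "from IP to Port" or "from IP to Domain" by swapping the key to `(src_ip, dst_port)` or `(src_ip, domain)`. Second, entities without history are deliberately not scored by the baseline rule; the "... to a New SSL Subject/Domain/Port/Organization" indicators in the table exist precisely because first contact needs its own treatment rather than a mean over zero days.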
