This alert is triggered when an outbound email connection is made from the internal network, and the "HELO" command is used to initiate the SMTP conversation. This command is typically used in email setups but may indicate unauthorized outbound email activity, especially in restricted environments.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .win. This domain ending is commonly used for games and is sometimes linked to suspicious or malicious activities.
This alert is triggered when an AnyDesk client attempts an outbound connection over TLS (port 443). AnyDesk is a remote desktop application that a malicious actor may use to gain access or exfiltrate data from the network.
This alert is triggered when an HTTP request with a suspicious "Mozilla/5.0" User-Agent header is detected. This User-Agent string might be used by fake or malicious clients and is flagged if it doesn’t match typical patterns or known safe domains.
This alert is triggered when traffic from an external server on port 8080 to an internal network device (port 1024 or higher) contains a domain name pattern commonly associated with TOR browser activity.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .pictures. This domain ending is sometimes linked to suspicious or malicious activities.
This alert is triggered when a VNC (Virtual Network Computing) server response is detected, identified by the "RFB" (Remote Frame Buffer) protocol header. VNC connections can be used by a malicious actor for remote access.
This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows systems initiating such connections.
This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows Server 2003 hosts initiating such connections.
This alert is triggered when a DNS query attempts to resolve a domain related to "ask.com.".