iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Radiflow

( 189 Alerts)

NF – Outbound mail setup command HELO

This alert is triggered when an outbound email connection is made from the internal network, and the "HELO" command is used to initiate the SMTP conversation. This command is typically used in email setups but may indicate unauthorized outbound email activity, especially in restricted environments.

NF – Bad TLD domain – win DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .win. This domain ending is commonly used for games and is sometimes linked to suspicious or malicious activities.

NF – POLICY – AnyDesk Client – Outbound Connection – TLS client keyx

This alert is triggered when an AnyDesk client attempts an outbound connection over TLS (port 443). AnyDesk is a remote desktop application that a malicious actor may use to gain access or exfiltrate data from the network.

NF – USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)

This alert is triggered when an HTTP request with a suspicious "Mozilla/5.0" User-Agent header is detected. This User-Agent string might be used by fake or malicious clients and is flagged if it doesn’t match typical patterns or known safe domains.

NF – POLICY – TOR browser V8.X starting up – TOR SSL NAT Check Detected – Typical TOR DNS name

This alert is triggered when traffic from an external server on port 8080 to an internal network device (port 1024 or higher) contains a domain name pattern commonly associated with TOR browser activity.

NF – Bad TLD domain – pictures DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .pictures. This domain ending is sometimes linked to suspicious or malicious activities.

NF – VNC server response

This alert is triggered when a VNC (Virtual Network Computing) server response is detected, identified by the "RFB" (Remote Frame Buffer) protocol header. VNC connections can be used by a malicious actor for remote access.

NF – ISAKMP VPN Connection setup from host to outbound destination – Windows 8 / 8.1 – Windows Server 2012 / 2012 R2 – Windows 10 – Windows Server 2016

This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows systems initiating such connections.

NF – ISAKMP VPN Connection setup from host to outbound destination – Windows Server 2003

This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows Server 2003 hosts initiating such connections.

NF – POLICY ask.com

This alert is triggered when a DNS query attempts to resolve a domain related to "ask.com.".