iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Radiflow

( 189 Alerts)

NF – TLD domain – .cn DNS query

This alert is triggered when a DNS query is made from the home network to an external network for a domain ending with ".cn" (indicating a Chinese top-level domain)

NF – Bad TLD domain – site DNS query – Check domains

This alert is triggered when a DNS query is made from the home network to an external network for a domain ending with ".site"

NF – Punycode COM ore DK domain used in certicifate

This alert is triggered when a DNS query from the internal network attempts to resolve a Punycode domain ending in .com or .dk. Punycode encoding is used in internationalized domain names, but it can also be exploited in phishing attacks by creating visually similar domains

NF – Punycode domain lookup to COM,DK domains

This alert is triggered when a client initiates an SSL/TLS connection (typically on port 443) to an external server, and the certificate contains a domain name using Punycode that translates to .com or .dk. Punycode encoding is used in internationalized domain names, but it can also be exploited in phishing attacks by creating visually similar domains

NF – POLICY – Windows XP making Internet connection – IE 8 – Company Policy Violation

This alert is triggered when a Windows XP machine with Internet Explorer 8 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.

NF – POLICY – Windows XP making Internet connection – IE 7 – Company Policy Violation

This alert is triggered when a Windows XP machine with Internet Explorer 7 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.

NF – POLICY – Windows XP making Internet connection – IE 6 – Company Policy Violation

This alert is triggered when a Windows XP machine with Internet Explorer 6 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.

NF – TLD domain – .su DNS quer

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .su (Soviet Union). The .su domain remains in use today and is less regulated, making it attractive to hackers, scammers, and cybercriminals.

ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection

This alert is triggered when there is unusual traffic to port 1433 (commonly used by Microsoft SQL Server) with a high volume of SYN packets, suggesting a potential scan or infection attempt.

NF – Bad TLD domain – solutions DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .solutions, sometimes linked to phishing activity.