This alert is triggered when a DNS query is made from the home network to an external network for a domain ending with ".cn" (indicating a Chinese top-level domain)
This alert is triggered when a DNS query is made from the home network to an external network for a domain ending with ".site"
This alert is triggered when a DNS query from the internal network attempts to resolve a Punycode domain ending in .com or .dk. Punycode encoding is used in internationalized domain names, but it can also be exploited in phishing attacks by creating visually similar domains
This alert is triggered when a client initiates an SSL/TLS connection (typically on port 443) to an external server, and the certificate contains a domain name using Punycode that translates to .com or .dk. Punycode encoding is used in internationalized domain names, but it can also be exploited in phishing attacks by creating visually similar domains
This alert is triggered when a Windows XP machine with Internet Explorer 8 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.
This alert is triggered when a Windows XP machine with Internet Explorer 7 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.
This alert is triggered when a Windows XP machine with Internet Explorer 6 attempts to connect to an external HTTP server. Windows XP is outdated and insecure, making such connections a potential policy violation.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .su (Soviet Union). The .su domain remains in use today and is less regulated, making it attractive to hackers, scammers, and cybercriminals.
This alert is triggered when there is unusual traffic to port 1433 (commonly used by Microsoft SQL Server) with a high volume of SYN packets, suggesting a potential scan or infection attempt.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .solutions, sometimes linked to phishing activity.