This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows Server 2003 hosts initiating such connections.
This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows systems initiating such connections.
This alert is triggered when a VNC (Virtual Network Computing) server response is detected, identified by the "RFB" (Remote Frame Buffer) protocol header. VNC connections can be used by a malicious actor for remote access.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .pictures. This top-level domain is sometimes linked to suspicious or malicious activity.
This alert is triggered when traffic from an external server on port 8080 to an internal network device (port 1024 or higher) contains a domain name pattern commonly associated with TOR browser activity.
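As an added illustration of the .pictures DNS alert described above (not the rule's own logic), the following sketch parses the question name from a DNS query payload and matches on the final label rather than on a substring, so names such as pictures.example.com do not trigger it. The function names and the sample queries are constructed for this example.

```python
import struct

FLAGGED_TLD = "pictures"  # the domain ending named in the alert description


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_qname(payload):
    """Return the first question name of a DNS query as lowercase labels."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:          # root label terminates the name
            return labels
        if length & 0xC0:        # question names should not be compressed
            raise ValueError("compression pointer in question name")
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length


def matches_alert(payload):
    """True when the queried name's last label is the flagged TLD."""
    try:
        labels = parse_qname(payload)
    except ValueError:
        return False             # malformed or non-query traffic: no match
    return bool(labels) and labels[-1] == FLAGGED_TLD
```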