| Log Source | Detection Detail |
|---|---|
| ALB:HTTPLogs | AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts |
| apache:access_log | Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders |
| API:ConfigRepoAudit | Access to configuration repository endpoints, unusual enumeration requests or mass downloads |
| auditd:SYSCALL | setsockopt, ioctl modifying ARP entries |
| AWS:VPCFlowLogs | Traffic between instances |
| AWS:VPCFlowLogs | Large volume of malformed or synthetic payloads to application endpoints prior to failure |
| AWS:VPCFlowLogs | Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs |
| AWS:VPCFlowLogs | High volume internal-to-internal IP transfer or cross-account cloud transfer |
| azure:activity | networkInsightsLogs |
| azure:vpcflow | HTTP requests to 169.254.169.254 or Azure Metadata endpoints |
| container:proxy | outbound/inbound network activity from spawned pods |
| docker:events | remote API calls to /containers/create or /containers/{id}/start |
| docker:stats | unusual network TX/RX byte deltas |
| ebpf:syscalls | Process within container accesses link-local address 169.254.169.254 |
| EDR:hunting | Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents |
| esxcli:network | Socket sessions with randomized payloads inconsistent with TLS |
| esxcli:network | listening sockets bound to non-standard ports |
| esxcli:network | listening sockets bound with non-standard encapsulated protocols |
| esxcli:network | Socket inspection showing RSA key exchange outside baseline endpoints |
| esxi:vmkernel | Network activity |
| esxi:vmkernel | Outbound traffic using encoded payloads post-login |
| esxi:vmkernel | HTTPS POST connections to webhook endpoints |
| esxi:vmkernel | Inspection of sockets showing encrypted sessions from non-baseline processes |
| esxi:vmkernel | HTTPS POST connections to pastebin-like domains |
| esxi:vmkernel | network stack module logs |
| esxi:vmkernel | Suspicious traffic filtered or redirected by VM networking stack |
| esxi:vmkernel | VMCI syslog entries |
| esxi:vob | NFS/remote access logs |
| etw:Microsoft-Windows-NDIS-PacketCapture | TLS Handshake/Network Flow |
| etw:Microsoft-Windows-WinINet | HTTPS Inspection |
| etw:Microsoft-Windows-WinINet | WinINet API telemetry |
| gcp:audit | network.query* |
| gcp:vpcflow | first 5m egress to unknown ASNs |
| IDS:TLSInspection | Malformed certs, incomplete asymmetric handshakes, or invalid CAs |
| linux:syslog | Query to suspicious domain with high entropy or low reputation |
| linux:syslog | curl |
| linux:syslog | Unexpected SQL or application log entries showing tampered or malformed data |
| linux:syslog | Integrity mismatch warnings or malformed packets detected |
| linux:syslog | DNS response IPs followed by connections to non-standard calculated ports |
| linux:syslog | Multiple NXDOMAIN responses and high entropy domains |
| m365:office | External HTTP/DNS connection from Office binary shortly after macro trigger |
| macos:unifiedlog | process + network metrics correlation for bandwidth saturation |
| macos:unifiedlog | DNS query with pseudo-random subdomain patterns |
| macos:unifiedlog | network flow |
| macos:unifiedlog | curl |
| macos:unifiedlog | subsystem: com.apple.network |
| macos:unifiedlog | open URL |
| macos:unifiedlog | None |
| macos:unifiedlog | Connections to suspicious domains with mismatched certificate or unusual patterns |
| macos:unifiedlog | HTTP POST with encoded content in user-agent or cookie field |
| macos:unifiedlog | Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction |
| macos:unifiedlog | log stream (subsystem: com.apple.system.networking) |
| macos:unifiedlog | Encrypted connection with anomalous payload entropy |
| macos:unifiedlog | Rapid incoming TLS handshakes or HTTP requests in quick succession |
| macos:unifiedlog | network, socket, and http logs |
| macos:unifiedlog | DNS responses followed by connections to ports outside standard ranges |
| macos:unifiedlog | Persistent outbound traffic to mining domains |
| macos:unifiedlog | Encrypted session initiation by unexpected binary |
| macos:unifiedlog | eventMessage = 'promiscuous' |
| macos:unifiedlog | outbound HTTPS connections to code repository APIs |
| macos:unifiedlog | eventMessage = 'open', 'sendto', 'connect' |
| macos:unifiedlog | dns-sd, mDNSResponder, socket activity |
| macos:unifiedlog | process + network activity |
| macos:unifiedlog | subsystem=com.apple.WebKit |
| macos:unifiedlog | subsystem: com.apple.WebKit or com.apple.WebKit.Networking |
| macos:unifiedlog | encrypted outbound traffic carrying unexpected application data |
| macos:unifiedlog | Persistent outbound connections with consistent periodicity |
| macos:unifiedlog | TLS connections with abnormal handshake sequence or self-signed cert |
| macos:unifiedlog | Web server process initiating outbound TCP connections not tied to normal server traffic |
| macos:unifiedlog | outbound TLS connections to cloud storage providers |
| macos:unifiedlog | outbound HTTPS connections to cloud storage APIs |
| macos:unifiedlog | process, network |
| macos:unifiedlog | process = 'ssh' OR eventMessage CONTAINS 'ssh' |
| Netfilter/iptables | Forwarded packets log |
| Network Traffic | None |
| networkconfig | interface flag PROMISC, netstat |
| networkdevice:config | NAT table modification (add/update/delete rule) |
| networkdevice:IDS | content inspection / PCAP / HTTP body |
| networkdevice:syslog | ACL/Firewall rule modification or new route injection |
| networkdevice:syslog | config change (e.g., logging buffered, pcap buffers) |
| networkdevice:syslog | Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests |
| networkdevice:syslog | Authentication failures or unusual community string usage in SNMP queries |
| NSM:Connections | Symmetric encryption detected without TLS handshake sequence |
| NSM:Connections | TLS handshake + HTTP headers |
| NSM:Connections | Abnormal certificate chains or non-standard ports carrying TLS |
| NSM:Connections | Unusual POST requests to admin or upload endpoints |
| NSM:Content | SSL Certificate Metadata |
| NSM:Content | HTTP Header Metadata |
| NSM:Content | TLS Fingerprint and Certificate Analysis |
| NSM:Content | Traffic on RPC DRSUAPI |
| NSM:Firewall | TLS/HTTP inspection |
| NSM:Firewall | High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion |
| NSM:Firewall | Anomalous TCP SYN or ACK spikes from specific source or interface |
| NSM:Firewall | Outbound encrypted traffic |
| NSM:Firewall | ICMP/UDP protocol anomaly |
| NSM:Flow | mqtt.log / xmpp.log (custom log feeds) |
| NSM:Flow | mqtt.log or AMQP custom log |
| NSM:Flow | mqtt.log, xmpp.log, amqp.log |
| NSM:Flow | TCP/UDP |
| NSM:Flow | TCP session tracking |
| NSM:Flow | Captured packet payloads |
| NSM:Flow | session behavior |
| NSM:Flow | External C2 channel over TLS |
| NSM:Flow | http/file-xfer: Inbound/outbound transfer of ELF shared objects |
| NSM:Flow | http.log, files.log |
| NSM:Flow | unexpected network activity initiated shortly after shell session starts |
| NSM:Flow | HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM |
| NSM:Flow | http.log, ssl.log |
| NSM:Flow | http.log, conn.log |
| NSM:Flow | SPAN or port-mirrored HTTP/S |
| NSM:Flow | http.log, ssl.log, websocket.log |
| NSM:Flow | ssl.log |
| NSM:Flow | Browser connections to known C2 or dynamic DNS domains |
| NSM:Flow | Session History Reset |
| NSM:Flow | HTTP |
| NSM:Flow | query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes |
| NSM:Flow | HTTP/TLS Logs |
| NSM:Flow | Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST |
| NSM:Flow | Suspicious URL patterns, uncommon TLDs, URL shorteners |
| NSM:Flow | Suspicious GET/POST; downloader patterns |
| NSM:Flow | SSH logins or scp activity |
| NSM:Flow | remote login and transfer |
| NSM:Flow | conn.log |
| NSM:Flow | Suspicious long-lived or reattached remote desktop sessions from unexpected IPs |
| NSM:Flow | HTTP payloads with SQLi/LFI/JNDI/deserialization indicators |
| NSM:Flow | outbound egress from web host after suspicious request |
| NSM:Flow | Requests towards cloud metadata or command & control from pod IPs |
| NSM:Flow | Connections to TCP 427 (SLP) or vCenter web services from untrusted sources |
| NSM:Flow | NetFlow/sFlow for odd egress to Internet from mgmt plane |
| NSM:Flow | packet capture or DPI logs |
| NSM:Flow | http.log |
| NSM:Flow | SMB2_LOGOFF/SMB_TREE_DISCONNECT |
| NSM:Flow | Unusual Base64-encoded content in URI, headers, or POST body |
| NSM:Flow | Base64 strings or gzip in URI, headers, or POST body |
| NSM:Flow | Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within a short interval. |
| NSM:Flow | Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host. |
| NSM:Flow | Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host. |
| NSM:Flow | Inbound to 22/5900/8080 and follow-on internal connections. |
| NSM:Flow | http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64 |
| NSM:Flow | http: HTTP body contains long Base64 sections |
| NSM:Flow | http: Base64/MIME-looking payloads from ESXi host IP |
| NSM:Flow | LDAP Bind/Search |
| NSM:Flow | LDAP Query |
| NSM:Flow | smtp.log |
| NSM:Flow | smtp.log, conn.log |
| NSM:Flow | remote CLI session detection |
| NSM:Flow | http.log, ftp.log |
| NSM:Flow | PCAP inspection |
| NSM:Flow | large HTTPS POST requests to webhook endpoints |
| NSM:Flow | Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip. |
| NSM:Flow | Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed within ≤TimeWindow by outbound SF from same host to src_ip. |
| NSM:Flow | Inbound one-off packet to uncommon port → outbound SF to same src_ip within TimeWindow. |
| NSM:Flow | large upload to firmware interface port or path |
| NSM:Flow | http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated JavaScript resources |
| NSM:Flow | http::response: HTTP responses with suspicious content-type for scripts, long obfuscated JavaScript bodies, or redirects to exploit kit domains |
| NSM:Flow | HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects) |
| NSM:Flow | ssl.log + http.log |
| NSM:Flow | http/file-xfer: Outbound transfer of large video-like MIME types soon after capture |
| NSM:Flow | Outbound SCP, TFTP, or FTP sessions carrying configuration file content |
| NSM:Flow | Session Transfer Content |
| NSM:Flow | Captured File Content |
| NSM:Flow | C2 exfiltration |
| NSM:Flow | Transferred file observations |
| NSM:Flow | http::post: Outbound HTTP POST from host shortly after DB export activity |
| NSM:Flow | HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage |
| NSM:Flow | Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions |
| NSM:Flow | New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs |
| NSM:Flow | New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot |
| NSM:Flow | http::request: Network connection to package registry or C2 from interpreter shortly after install |
| NSM:Flow | http::request: Outbound HTTP initiated by Python interpreter |
| NSM:Flow | DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs. |
| NSM:Flow | large HTTPS POST requests to text storage domains |
| NSM:Flow | Unexpected ARP replies or DNS responses inconsistent with authoritative servers |
| NSM:Flow | TLS downgrade or inconsistent DNS answers |
| NSM:Flow | Unusual request pattern leading up to service crash (e.g., malformed or oversized payload) |
| NSM:Flow | conn.log or http.log |
| NSM:Flow | http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs |
| NSM:Flow | dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently |
| NSM:Flow | http: suspicious long tokens with custom alphabets in body/headers |
| NSM:Flow | http: HTTP bodies from ESXi host IPs containing long, non-standard tokens |
| NSM:Flow | Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols |
| NSM:Flow | HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts |
| NSM:Flow | Egress to non-approved networks from host after terminal exec |
| NSM:Flow | Flow/PCAP analysis for outbound payloads |
| NSM:Flow | conn.log + files.log + ssl.log |
| NSM:Flow | HTTPS or custom protocol traffic with large payloads |
| NSM:Flow | Unexpected script or binary content returned in HTTP response body |
| NSM:Flow | Injected content responses with unexpected script/malware signatures |
| NSM:Flow | Content injection observed in HTTPS responses with mismatched certificates or altered payloads |
| NSM:Flow | Relay patterns across IP hops |
| NSM:Flow | ldap.log |
| NSM:Flow | Probe responses from unauthorized APs responding to client probe requests |
| NSM:Flow | Excessive gratuitous ARP replies on local subnet |
| NSM:Flow | Inbound HTTP POST with suspicious payload size or user-agent |
| NSM:Flow | POST requests to .php, .jsp, .aspx files with high entropy body |
| NSM:Flow | dns.log |
| NSM:Flow | dns.log |
| NSM:Flow | Encrypted tunnels or proxy traffic to non-standard destinations |
| NSM:Flow | large transfer from management IPs to unauthorized host |
| NSM:Flow | Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25) |
| NSM:Flow | ftp.log, smb_files.log |
| NSM:Flow | ftp.log, conn.log |
| NSM:Flow | mirror/SPAN port |
| NSM:Flow | ftp.log, conn.log, smb_files.log |
| NSM:Flow | SSL/TLS Inspection or PCAP |
| NSM:Flow | conn.log, ssl.log |
| NSM:Flow | http, dns, smb, ssl logs |
| NSM:Flow | dns, ssl, conn |
| NSM:Flow | conn.log, http.log, dns.log, ssl.log |
| NSM:Flow | ICMP/UDP traffic (Wireshark, Suricata, Zeek) |
| NSM:Flow | icmp.log, weird.log |
| NSM:Flow | ICMP/UDP monitoring (tcpdump, Wireshark, Zeek) |
| NSM:Flow | Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts |
| NSM:Flow | DHCP OFFER or ACK with unauthorized DNS/gateway parameters |
| NSM:Flow | Multiple DHCP OFFER responses for a single DISCOVER |
| NSM:Flow | SSL/TLS Handshake Analysis |
| NSM:Flow | HTTP Header Metadata |
| NSM:Flow | Network Capture TLS/HTTP |
| NSM:Flow | container egress to unknown IPs/domains |
| NSM:Flow | HTTP Request Logging |
| NSM:Flow | ssh connections originating from third-party CIDRs |
| NSM:Flow | ssh/smb connections to internal resources from third-party devices |
| NSM:Flow | Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines |
| NSM:Flow | ssl.log (for TLS handshake analysis), dns.log (tunneling indicators) |
| NSM:Flow | host switch egress data |
| NSM:Flow | Outbound HTTP/S |
| NSM:Flow | ssl.log - Certificate Analysis |
| NSM:Flow | ssl.log, conn.log |
| NSM:Flow | ssl.log, x509.log |
| NSM:Flow | Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF×6 + 16×MAC) |
| NSM:Flow | Suspicious POSTs to upload endpoints |
| saas:box | API calls exceeding baseline thresholds |
| saas:confluence | REST API access from non-browser agents |
| WebProxy:AccessLogs | SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254) |
| WIDS:AssociationLogs | Unauthorized AP or anomalous MAC address connection attempts |
| WinEventLog:iis | IIS Logs |
| WinEventLog:Microsoft-Windows-Windows Defender/Operational | Unusual external domain access |
| WinEventLog:Sysmon | Outbound requests with forged tokens/cookies in headers |
| WinEventLog:System | EventCode=5005 (WLAN), EventCode=302 (Bluetooth) |