Processes initiating outbound connections on uncommon ports or using protocols inconsistent with the assigned port. Correlating process creation with subsequent network connections reveals anomalies such as svchost.exe or Office applications using high, atypical ports.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Security | EventCode=5156 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| PortThresholds | Define what constitutes a 'non-standard port' from organizational baselines (e.g., treat 443/80/22 as standard, but flag connections to ports such as 8088, 587 or 3389 from processes that do not normally use them). |
| ProcessAllowList | Processes normally allowed to use non-standard ports (e.g., custom apps). |
| TimeWindow | Correlate process creation and network activity within N seconds. |
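The correlation above, as an added example that is not part of the original analytic: Sysmon process creation (EventCode 1) is joined to outbound Windows Filtering Platform connection events (Security EventCode 5156) on process ID, and a connection is flagged when the destination port is outside `PortThresholds`, the image is not on `ProcessAllowList`, and the connection falls within `TimeWindow` of the process start. The field names follow the Splunk-style extractions the channels imply (Sysmon `ProcessId`/`Image`, Security `ProcessID`/`DestPort`/`Direction`); the tuning values and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Mutable elements from the analytic, with hypothetical tuning values.
PORT_THRESHOLDS = {80, 443, 22, 53}          # "standard" ports: never flagged
PROCESS_ALLOW_LIST = {"custom_agent.exe"}    # image file names allowed on any port
TIME_WINDOW = timedelta(seconds=60)          # max gap from process start to connection

# Constructed sample events (not real logs). Sysmon EventCode 1 carries
# ProcessId/Image; Security 5156 carries ProcessID/DestPort/Direction.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00", "ProcessId": 4412,
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:05", "ProcessId": 5120,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:07", "ProcessId": 6001,
     "Image": "C:\\Program Files\\Corp\\custom_agent.exe"},
    # svchost on a standard port: not flagged
    {"EventCode": 5156, "UtcTime": "2024-05-01 10:00:03", "ProcessID": 4412,
     "Direction": "Outbound", "DestAddress": "203.0.113.10", "DestPort": 443, "Protocol": 6},
    # inbound traffic is out of scope for this analytic
    {"EventCode": 5156, "UtcTime": "2024-05-01 10:00:04", "ProcessID": 4412,
     "Direction": "Inbound", "DestAddress": "10.0.0.5", "DestPort": 49152, "Protocol": 6},
    # Word connecting to 8088 four seconds after start: flagged
    {"EventCode": 5156, "UtcTime": "2024-05-01 10:00:09", "ProcessID": 5120,
     "Direction": "Outbound", "DestAddress": "198.51.100.7", "DestPort": 8088, "Protocol": 6},
    # allow-listed custom agent on 9443: suppressed
    {"EventCode": 5156, "UtcTime": "2024-05-01 10:00:12", "ProcessID": 6001,
     "Direction": "Outbound", "DestAddress": "192.0.2.9", "DestPort": 9443, "Protocol": 6},
    # svchost on 4444 half an hour later: outside TimeWindow, not flagged here
    {"EventCode": 5156, "UtcTime": "2024-05-01 10:30:00", "ProcessID": 4412,
     "Direction": "Outbound", "DestAddress": "203.0.113.10", "DestPort": 4444, "Protocol": 6},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _pid(ev):
    # The two event sources spell the field differently.
    return int(ev["ProcessId"] if "ProcessId" in ev else ev["ProcessID"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, standard=PORT_THRESHOLDS, allow=PROCESS_ALLOW_LIST, window=TIME_WINDOW):
    """Join outbound 5156 events to the most recent Sysmon process creation for the same PID.

    Returns one finding dict per suspicious connection.
    """
    starts = {}
    for ev in events:
        if ev["EventCode"] == 1:
            starts.setdefault(_pid(ev), []).append((_ts(ev["UtcTime"]), ev["Image"]))
    for lst in starts.values():
        lst.sort()

    findings = []
    conns = sorted((e for e in events if e["EventCode"] == 5156), key=lambda e: _ts(e["UtcTime"]))
    for ev in conns:
        if ev["Direction"] != "Outbound" or int(ev["DestPort"]) in standard:
            continue
        t = _ts(ev["UtcTime"])
        # Latest creation at or before the connection: PIDs are reused, so an
        # earlier creation record must not be matched to a later connection.
        prior = [s for s in starts.get(_pid(ev), []) if s[0] <= t]
        if not prior:
            continue
        start_time, image = prior[-1]
        delta = t - start_time
        if delta > window or _basename(image) in allow:
            continue
        findings.append({
            "Image": image,
            "ProcessId": _pid(ev),
            "DestAddress": ev["DestAddress"],
            "DestPort": int(ev["DestPort"]),
            "DeltaSeconds": delta.total_seconds(),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The join picks the latest process-creation record at or before the connection so that a reused PID is not matched against a stale image path. Note the trade-off in `TimeWindow`: a short window keeps PID reuse from producing false matches, but a long-lived process such as svchost.exe that opens an odd port long after it started falls outside it, so that case needs a separate analytic keyed on the live process rather than on its creation event.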
Unusual daemons or user processes binding/listening on ports outside of standard ranges, or initiating client connections using mismatched protocol/port pairings.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | auditd:SYSCALL | socket/connect syscalls |
| Application Log Content (DC0038) | linux:syslog | processes binding to non-standard ports or sshd configured on unexpected port |
| Process Creation (DC0032) | linux:osquery | process listening or connecting on non-standard ports |
| Field | Description |
|---|---|
| AllowedServices | Exclude ports intentionally configured for enterprise apps. |
| PayloadEntropyThreshold | Define thresholds for anomalous payload entropy to catch tunneled traffic. |
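The mismatched protocol/port check and the `PayloadEntropyThreshold` element above, as an added example not taken from the original analytic. The auditd `socket`/`connect` channel only yields the syscall and the destination, so the payload bytes are assumed to come from a separate capture or eBPF hook; the connection records and the `AllowedServices` baseline below are constructed. A connection is flagged when its port is outside the baseline, when a plaintext port carries a payload whose Shannon entropy exceeds the threshold without looking like the expected protocol (tunneled or encrypted traffic on port 80), or when a TLS port carries something that is not a TLS record (plaintext on 443).

```python
import collections
import hashlib
import math

# Mutable elements, hypothetical values: baseline of intended service ports,
# ports expected to carry plaintext, ports expected to carry TLS, and the
# entropy cut-off in bits per byte (plaintext protocols sit well below it).
ALLOWED_SERVICES = {22: "sshd", 80: "nginx", 443: "nginx", 8443: "corp-api"}
PLAINTEXT_PORTS = {80}
TLS_PORTS = {443, 8443}
PAYLOAD_ENTROPY_THRESHOLD = 6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_http(payload: bytes) -> bool:
    methods = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}
    return payload.split(b" ", 1)[0] in methods or payload.startswith(b"HTTP/")


def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for encrypted/tunneled bytes (SHA-256 chain)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed outbound-connection records: process name, destination port and
# the first bytes the process sent. Not real captures.
SAMPLE_CONNECTIONS = [
    {"pid": 1201, "comm": "nginx", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
    {"pid": 1201, "comm": "nginx", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + pseudo_random(64)},
    {"pid": 2340, "comm": "python3", "dport": 80, "payload": pseudo_random(512)},   # encrypted bytes on a plaintext port
    {"pid": 2341, "comm": "curl", "dport": 443,
     "payload": b"GET /beacon HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"},            # plaintext on a TLS port
    {"pid": 2350, "comm": "corp-api", "dport": 8443, "payload": b"\x16\x03\x03" + pseudo_random(32)},
    {"pid": 2399, "comm": "bash", "dport": 4444, "payload": b"id\n"},              # port outside the baseline
]


def classify(conn, allowed=ALLOWED_SERVICES, threshold=PAYLOAD_ENTROPY_THRESHOLD):
    """Return the list of reasons a connection is anomalous (empty if none)."""
    port, payload = conn["dport"], conn["payload"]
    reasons = []
    if port not in allowed:
        reasons.append(f"port {port} not in AllowedServices")
    if port in PLAINTEXT_PORTS and shannon_entropy(payload) > threshold and not looks_like_http(payload):
        reasons.append(f"high-entropy payload on plaintext port {port}")
    if port in TLS_PORTS and not looks_like_tls(payload):
        reasons.append(f"non-TLS payload on TLS port {port}")
    return reasons


def scan(conns):
    """Map pid -> reasons for every flagged connection."""
    return {c["pid"]: r for c in conns if (r := classify(c))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_CONNECTIONS).items():
        print(pid, reasons)
```

Entropy alone does not separate compressed from encrypted data, so the check is paired with a protocol sanity test rather than used on its own; a legitimate download of a gzip archive over port 80 is still preceded by an HTTP request line.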
Applications making outbound connections on non-standard ports or launchd services bound to ports inconsistent with system baselines.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | macos:unifiedlog | outbound TCP/UDP traffic over unexpected port |
| Process Creation (DC0032) | macos:unifiedlog | launchd services binding to non-standard ports |
| Field | Description |
|---|---|
| BaselinePortProfiles | Define expected macOS service port usage (e.g., AirDrop, Bonjour). |
VM services or management daemons communicating on ports not defined by VMware defaults, such as vpxa or hostd processes initiating traffic over high-numbered or unexpected ports.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vpxd | ESXi service connections on unexpected ports |
| Network Traffic Content (DC0085) | esxcli:network | listening sockets bound to non-standard ports |
| Field | Description |
|---|---|
| ESXiAllowedPorts | Default VMware service ports that should not be flagged. |