Detects suspicious DNS/ARP poisoning attempts, unauthorized modifications to registry/network configuration, or abnormal TLS downgrade activity. Correlates changes in system configuration with subsequent unusual network flows or authentication events.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4670 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Field | Description |
|---|---|
| MonitoredRegistryPaths | Specific network stack and DNS registry keys (Tcpip interface parameters, Dnscache parameters, SCHANNEL protocol settings) that vary by enterprise configuration. Note that Security EventCode 4670 records permission changes on a key; value writes under these paths surface as Sysmon EventID 13, or Security 4657 when a SACL is set. |
| DowngradeCipherList | List of weak/legacy ciphers tuned per environment for TLS downgrade detection. |
| TimeWindow | Correlation period between config changes and abnormal network connections. |
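The correlation the analytic describes, as an added example that is not part of the original page or MITRE's tooling: a monitored configuration change is held for TimeWindow, and any connection from the same host to a destination outside the baseline inside that window produces an alert. The example keys registry changes on Sysmon EventID 13 and network connections on Sysmon EventID 3, and also accepts an auditd write to a monitored file, so the same correlator serves the Linux case below. Event records, paths, addresses and the 10-minute window are constructed assumptions.

```python
"""Correlate a monitored configuration change with a later unexpected network
connection from the same host (the TimeWindow logic of the analytic).

Added example; not MITRE's or any vendor's code. Events are constructed,
already-parsed records: Sysmon EventID 13 (registry value set), an auditd
write to a monitored file, and Sysmon EventID 3 (network connection).
Paths, addresses and the 10-minute window are assumptions.
"""
from datetime import datetime, timedelta

# MonitoredRegistryPaths / MonitoredFiles (assumed values; prefix match)
MONITORED_REGISTRY_PATHS = (
    r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces",
    r"HKLM\System\CurrentControlSet\Services\Dnscache\Parameters",
    r"HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols",
)
MONITORED_FILES = ("/etc/hosts", "/etc/resolv.conf", "/etc/pam.d/")
TIME_WINDOW = timedelta(minutes=10)
# Destinations the fleet normally talks to (assumed baseline)
KNOWN_DESTINATIONS = {"10.0.0.53", "10.0.0.10"}

# Constructed sample events (simplified fields; arrival order is not trusted)
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "source": "sysmon", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "source": "sysmon", "id": 3, "dst": "203.0.113.7", "dport": 53},
    {"ts": "2024-05-01T09:01:12", "host": "WS01", "source": "sysmon", "id": 3, "dst": "10.0.0.10", "dport": 445},
    {"ts": "2024-05-01T09:10:00", "host": "LNX02", "source": "auditd", "id": "SYSCALL", "target": "/etc/resolv.conf"},
    {"ts": "2024-05-01T09:30:00", "host": "LNX02", "source": "sysmon", "id": 3, "dst": "198.51.100.4", "dport": 53},
    {"ts": "2024-05-01T08:55:00", "host": "WS03", "source": "sysmon", "id": 3, "dst": "203.0.113.7", "dport": 53},
    {"ts": "2024-05-01T08:58:00", "host": "WS03", "source": "sysmon", "id": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\EnableAutoDoh"},
]


def is_config_change(e):
    """Monitored registry path (Windows) or monitored file (Linux) was written."""
    target = e.get("target", "")
    if e["source"] == "sysmon" and e["id"] == 13:
        return target.lower().startswith(tuple(p.lower() for p in MONITORED_REGISTRY_PATHS))
    if e["source"] == "auditd":
        return target.startswith(MONITORED_FILES)
    return False


def is_unexpected_connection(e, known=KNOWN_DESTINATIONS):
    return e["source"] == "sysmon" and e["id"] == 3 and e["dst"] not in known


def correlate(events, window=TIME_WINDOW):
    """Return (host, config event, network event) for every unexpected connection
    within `window` after a monitored change on the same host. Connections that
    precede the change, or fall outside the window, are not correlated."""
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort lexically
    pending = {}    # host -> [(ts, config event)] still inside the window
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        host = e["host"]
        if is_config_change(e):
            pending.setdefault(host, []).append((ts, e))
        elif is_unexpected_connection(e):
            live = [(cts, ce) for cts, ce in pending.get(host, []) if ts - cts <= window]
            pending[host] = live            # drop changes that aged out
            alerts.extend((host, ce, e) for _cts, ce in live)
    return alerts


if __name__ == "__main__":
    for host, change, conn in correlate(SAMPLE_EVENTS):
        print(f"{host}: {change['target']} changed at {change['ts']}, "
              f"then {conn['dst']}:{conn['dport']} at {conn['ts']}")
```

With the sample data only WS01 alerts: WS03's connection happened before its registry change, and LNX02's connection falls 20 minutes after the resolv.conf write, outside the window. Widening TimeWindow trades that miss against more false positives from routine traffic.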
Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Network Traffic Content (DC0085) | NSM:Flow | Unexpected ARP replies or DNS responses inconsistent with authoritative servers |
| Field | Description |
|---|---|
| MonitoredFiles | System files that shape name resolution or authentication (/etc/hosts, /etc/resolv.conf, PAM configuration under /etc/pam.d). |
| ARPThreshold | Rate/volume thresholds for ARP/DNS anomalies tuned per subnet. |
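The ARP and DNS side of the Linux analytic, as an added example that is not part of the original page or any NSM product: one check flags an IP address claimed by more than one MAC inside a window (the gateway-spoof pattern), one applies ARPThreshold as a per-subnet, per-sender reply rate, and one compares resolver answers with the authoritative record set. The decoded ARP replies, DNS answers, /24 subnet assumption and threshold values are constructed.

```python
"""Flag ARP cache poisoning and DNS answer tampering from network telemetry
(ARPThreshold tuning and the NSM:Flow channel of the analytic).

Added example, not part of the original page or any NSM product. Records are
constructed, already-decoded ARP replies and resolver answers; subnets,
thresholds and addresses are assumptions.
"""
import ipaddress
from collections import defaultdict

ARP_THRESHOLD_PER_MIN = 10   # replies per sender per minute (assumed tuning)
WINDOW_S = 60

# Constructed ARP replies: (seconds, sender_ip, sender_mac, target_ip)
ARP_REPLIES = (
    [(t, "10.0.1.1", "aa:bb:cc:00:00:01", "10.0.1.20") for t in (0, 30, 90)]          # real gateway
    + [(40 + i * 2, "10.0.1.1", "de:ad:be:ef:00:01", "10.0.1.20") for i in range(12)]  # spoofer, fast
)
# Constructed resolver answers versus authoritative records
OBSERVED_DNS = [("login.example.com", "A", "203.0.113.9"),
                ("www.example.com", "A", "198.51.100.7")]
AUTHORITATIVE = {"login.example.com": {"198.51.100.5"},
                 "www.example.com": {"198.51.100.7"}}


def arp_ip_mac_conflicts(replies, window_s=WINDOW_S):
    """IPs claimed by more than one MAC within any window_s span."""
    by_ip = defaultdict(list)
    for t, ip, mac, _target in sorted(replies):
        by_ip[ip].append((t, mac))
    conflicts = {}
    for ip, seen in by_ip.items():
        for t, _mac in seen:
            macs = {m for t2, m in seen if 0 <= t2 - t <= window_s}
            if len(macs) > 1:
                conflicts[ip] = macs
                break
    return conflicts


def arp_rate_exceeded(replies, threshold=ARP_THRESHOLD_PER_MIN, window_s=WINDOW_S):
    """(subnet, sender_mac) pairs whose reply count exceeds threshold in any
    window_s span. Subnets are /24 by assumption; tune per VLAN in practice."""
    per_sender = defaultdict(list)
    for t, ip, mac, _target in sorted(replies):
        subnet = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        per_sender[(subnet, mac)].append(t)
    flagged = set()
    for key, times in per_sender.items():
        for i, t in enumerate(times):
            if sum(1 for t2 in times[i:] if t2 - t <= window_s) > threshold:
                flagged.add(key)
                break
    return flagged


def dns_inconsistencies(observed, authoritative):
    """A-record answers that disagree with the authoritative set."""
    out = []
    for qname, rtype, rdata in observed:
        expected = authoritative.get(qname)
        if rtype == "A" and expected is not None and rdata not in expected:
            out.append((qname, rdata, sorted(expected)))
    return out


if __name__ == "__main__":
    print("IP/MAC conflicts:", arp_ip_mac_conflicts(ARP_REPLIES))
    print("rate exceeded:", arp_rate_exceeded(ARP_REPLIES))
    print("DNS mismatches:", dns_inconsistencies(OBSERVED_DNS, AUTHORITATIVE))
```

The conflict check fires on the gateway address because two MACs answer for it within a minute; the rate check names only the spoofing MAC, since the real gateway answered three times in the same period. Legitimate VRRP or HSRP failover also produces two MACs for one IP, so the conflict list should be filtered against known virtual-router MACs before alerting.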
Detects unauthorized edits to system configuration profiles, unexpected certificate trust changes, or abnormal ARP/DNS patterns indicative of interception.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Configuration profile modified or new profile installed |
| Network Traffic Content (DC0085) | NSM:Flow | TLS downgrade or inconsistent DNS answers |
| Field | Description |
|---|---|
| ProfileIdentifiers | Known good vs suspicious configuration profiles per enterprise baseline. |
| TLSVersionThreshold | Minimum TLS version accepted in network traffic inspection. |
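How a TLSVersionThreshold (above) and a DowngradeCipherList (the Windows analytic earlier on this page) are applied to an observed handshake, as an added example that is not part of the original page or any inspection product: the code parses a ServerHello record and flags a negotiated version below the minimum or a cipher suite on the weak list. The point a naive check misses is that TLS 1.3 keeps legacy_version at 0x0303 and carries the real version in the supported_versions extension. The ServerHello bytes are constructed with a helper rather than captured, and the threshold and weak-cipher list are assumed values to tune per environment.

```python
"""Check a TLS ServerHello against TLSVersionThreshold and DowngradeCipherList.

Added example, not from the original page or any inspection product. The
ServerHello bytes are constructed with build_server_hello(); the threshold
and weak-cipher list are assumptions to tune per environment.
"""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS_VERSION_THRESHOLD = 0x0303          # minimum acceptable: TLS 1.2 (assumed)
DOWNGRADE_CIPHER_LIST = {               # assumed per-environment weak list
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record):
    """Return legacy_version, negotiated version and cipher suite of one record.
    TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 only through the
    supported_versions extension, so reading the first two bytes misreads it as 1.2."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hs[:2])[0]
    off = 2 + 32                          # skip server random
    off += 1 + hs[off]                    # session_id length + session_id
    cipher = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2 + 1                          # cipher suite + compression method
    negotiated = legacy_version
    if off + 2 <= len(hs):                # extensions block is optional
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = struct.unpack("!H", hs[off:off + 2])[0]
            off += elen
    return {"legacy_version": legacy_version, "version": negotiated, "cipher": cipher}


def assess(record, threshold=TLS_VERSION_THRESHOLD, weak=DOWNGRADE_CIPHER_LIST):
    """(parsed info, findings); findings is empty when the session meets policy."""
    info = parse_server_hello(record)
    findings = []
    if info["version"] < threshold:
        findings.append("downgrade: negotiated %s below minimum %s" % (
            TLS_VERSIONS.get(info["version"], hex(info["version"])), TLS_VERSIONS[threshold]))
    if info["cipher"] in weak:
        findings.append("weak cipher: " + weak[info["cipher"]])
    return info, findings


def build_server_hello(legacy_version, cipher, selected_version=None):
    """Constructed minimal ServerHello record (zeroed random, empty session id)."""
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    hs = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
          + struct.pack("!H", cipher) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, legacy_version, len(body)) + body


SAMPLES = {                                # constructed, not captured
    "tls10_rc4": build_server_hello(0x0301, 0x0005),
    "tls12_ecdhe": build_server_hello(0x0303, 0xC02F),
    "tls13": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        info, findings = assess(rec)
        print(name, TLS_VERSIONS[info["version"]], findings or "ok")
```

In a real deployment the record comes from the flow sensor's first server-to-client bytes; an encrypted ClientHello does not change the ServerHello layout, so the parse holds. Threshold checks on the ClientHello alone are weaker, since a downgrade attack is visible only in what the server actually selected.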
Detects unauthorized firmware or configuration changes that enable adversary-in-the-middle positioning (e.g., route injection, DNS spoofing, TLS downgrade). Behavioral analytics focus on sudden changes to routing tables and on integrity failures of the running image or configuration file.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | Unexpected route changes or duplicate gateway advertisements |
| File Modification (DC0061) | networkdevice:config | Configuration file modified or replaced on network device |
| Field | Description |
|---|---|
| RoutingPolicyBaseline | Expected routing and BGP/OSPF paths for validation. |
| FirmwareChecksum | Baseline image checksum per device type used to detect tampering. |
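The two baselines above in use, as an added example that is not part of the original page or any vendor's tooling: a simplified routing table is diffed against RoutingPolicyBaseline (unexpected prefix, unexpected next hop, a second default gateway, a vanished prefix), and the running image is hashed and compared with FirmwareChecksum. The `<prefix> via <nexthop>` line format, the device model name, the baseline routes and the image bytes are constructed assumptions.

```python
"""Validate a device's routing table against RoutingPolicyBaseline and its
running image against FirmwareChecksum.

Added example, not from the original page or any vendor tooling. The routing
lines mimic a simplified 'show ip route' output and the image bytes are
constructed; baseline prefixes, next hops and checksums are assumptions.
"""
import hashlib
import ipaddress

# Assumed baseline: prefix -> expected next hops (an ECMP default would list several)
ROUTING_POLICY_BASELINE = {
    "0.0.0.0/0": {"10.0.0.1"},
    "10.1.0.0/16": {"10.0.0.2"},
    "10.2.0.0/16": {"10.0.0.3"},
}
# Assumed golden image digest per device type (constructed bytes stand in for the image)
GOOD_IMAGE = b"constructed golden image bytes for model X"
FIRMWARE_CHECKSUM = {"model-x": hashlib.sha256(GOOD_IMAGE).hexdigest()}

# Constructed observed table: a second default route with a better metric appeared,
# a prefix nobody configured points at an unknown hop, and 10.2.0.0/16 is gone
OBSERVED_ROUTES = """\
0.0.0.0/0 via 10.0.0.1 metric 10
0.0.0.0/0 via 10.0.0.99 metric 5
10.1.0.0/16 via 10.0.0.2 metric 20
192.0.2.0/24 via 10.0.0.77 metric 1
"""


def parse_routes(text):
    """'<prefix> via <nexthop> ...' lines -> {normalized prefix: {next hops}}."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "via":
            continue
        prefix = str(ipaddress.ip_network(parts[0], strict=False))
        routes.setdefault(prefix, set()).add(parts[2])
    return routes


def routing_deviations(observed, baseline=ROUTING_POLICY_BASELINE):
    """Sorted (kind, prefix, hops) findings. A default route with more next hops
    than the baseline allows is the duplicate-gateway case; a vanished prefix is
    reported too, since blackholing matters as much as injection."""
    findings = []
    for prefix, hops in observed.items():
        expected = baseline.get(prefix)
        if expected is None:
            findings.append(("unexpected_prefix", prefix, sorted(hops)))
            continue
        if not hops <= expected:
            findings.append(("unexpected_next_hop", prefix, sorted(hops - expected)))
        if prefix == "0.0.0.0/0" and len(hops) > len(expected):
            findings.append(("duplicate_gateway", prefix, sorted(hops)))
    for prefix in baseline.keys() - observed.keys():
        findings.append(("missing_prefix", prefix, []))
    return sorted(findings)


def verify_image(model, image_bytes, baseline=FIRMWARE_CHECKSUM):
    """(ok, digest): compare the running image hash with the per-model baseline.
    An unknown model is a failure, not a pass."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    return digest == baseline.get(model), digest


if __name__ == "__main__":
    for kind, prefix, hops in routing_deviations(parse_routes(OBSERVED_ROUTES)):
        print(f"{kind:20s} {prefix:16s} {hops}")
    ok, digest = verify_image("model-x", GOOD_IMAGE + b"\x00")
    print("image ok" if ok else f"image MISMATCH {digest[:16]}...")
```

The hash should be taken from the image the device reports as running (or pulled over an out-of-band channel), not from the file on the management server, since a tampered device can return a clean file while booting something else. Pair this with a vendor attestation or secure-boot measurement where the platform offers one.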