Configuration changes to virtual TAP/mirror policies that forward traffic to unapproved destinations. Detection correlates management-plane API calls with mirrored traffic observation.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | AWS:CloudTrail | CreateTrafficMirrorSession or ModifyTrafficMirrorTarget |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Traffic observed on mirror destination instance |

| Field | Description |
|---|---|
| TimeWindow | Detect mirror session creation followed by mirrored traffic within X seconds (e.g., 60s) |
| MirrorDestinationCIDR | Define suspicious or external mirror targets (e.g., non-enterprise ranges) |
| UserIdentity | Flag traffic mirror activity by non-privileged or unexpected IAM roles |
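
One way to implement the correlation above, as an added example in Python that is not part of the original page: it joins CloudTrail mirror-session API events to VPC Flow Log records reaching the mirror target inside the TimeWindow, then applies the MirrorDestinationCIDR and UserIdentity checks. The record field names, the CIDR and role values, and the sample events are constructed assumptions, and the target IP is assumed to have been resolved from the mirror target's network interface beforehand.

```python
import ipaddress
from datetime import datetime, timedelta

# Tunables mapping to the mutable elements above (values are assumptions).
MIRROR_EVENTS = {"CreateTrafficMirrorSession", "ModifyTrafficMirrorTarget"}
TIME_WINDOW_S = 60                                                     # TimeWindow
ENTERPRISE_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]                # MirrorDestinationCIDR
APPROVED_IDENTITIES = {"arn:aws:iam::111122223333:role/NetworkAdmin"}  # UserIdentity

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, flows, window_s=TIME_WINDOW_S, cidrs=ENTERPRISE_CIDRS, approved=APPROVED_IDENTITIES):
    """Pair each mirror API call with flows to its target inside the window, then apply CIDR/identity checks."""
    alerts = []
    for ev in events:
        if ev["eventName"] not in MIRROR_EVENTS:
            continue
        t0, target = parse_ts(ev["eventTime"]), ipaddress.ip_address(ev["targetIp"])
        hits = [f for f in flows if f["dstaddr"] == ev["targetIp"]
                and t0 <= parse_ts(f["start"]) <= t0 + timedelta(seconds=window_s)]
        if not hits:
            continue  # an API call with no mirrored traffic observed is not this analytic's signal
        reasons = []
        if not any(target in net for net in cidrs):
            reasons.append("mirror target outside enterprise CIDRs")
        if ev["userIdentity"] not in approved:
            reasons.append("mirror session created by unapproved identity")
        if reasons:
            alerts.append({"identity": ev["userIdentity"], "target": str(target),
                           "flows": len(hits), "reasons": reasons})
    return alerts

# Constructed sample records (not real data). targetIp is assumed pre-resolved from the
# TrafficMirrorTargetId to the target ENI address; mirrored packets arrive VXLAN-encapsulated on UDP/4789.
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateTrafficMirrorSession",
     "userIdentity": "arn:aws:iam::111122223333:role/NetworkAdmin", "targetIp": "10.20.0.5"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateTrafficMirrorSession",
     "userIdentity": "arn:aws:iam::111122223333:user/dev-intern", "targetIp": "203.0.113.9"},
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "ModifyTrafficMirrorTarget",
     "userIdentity": "arn:aws:iam::111122223333:user/dev-intern", "targetIp": "198.51.100.7"},
]
VPC_FLOWS = [
    {"start": "2024-05-01T10:00:30Z", "srcaddr": "10.20.1.12", "dstaddr": "10.20.0.5", "dstport": 4789},
    {"start": "2024-05-01T10:05:20Z", "srcaddr": "10.20.1.12", "dstaddr": "203.0.113.9", "dstport": 4789},
    {"start": "2024-05-01T10:15:00Z", "srcaddr": "10.20.1.12", "dstaddr": "198.51.100.7", "dstport": 4789},
]
if __name__ == "__main__":
    print(correlate(CLOUDTRAIL, VPC_FLOWS))
```

With the default 60 s window only the second event alerts (external target and unapproved identity); the third event's traffic arrives six minutes later and is dropped by the window, which is the knob to widen if mirror targets are slow to receive traffic.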

Unauthorized mirroring sessions initiated on routers/switches (e.g., via monitor session, mirror port) coupled with outbound traffic from the mirrored interface to unexpected destinations.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | networkdevice:syslog | Config change: CLI/NETCONF/SNMP – 'monitor session', 'mirror port' |
| Network Connection Creation (DC0082) | networkdevice:Flow | Traffic from mirrored interface to mirror target IP |

| Field | Description |
|---|---|
| ConfigChangeType | Tune based on accepted interface config changes (e.g., audit only mirror session creation) |
| MirrorDestinationPort | Define high-risk ports used for exfil (e.g., 4443, 8443, 2055) |
| DeviceRole | Define whether mirroring is expected on edge vs core vs distribution devices |