Executable or script generating large outbound network traffic targeting remote hosts or known amplification ports

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| ThresholdEventVolume | Number of outbound connections per second from a single process above which the anomaly logic fires |
| DestinationDiversity | Count of unique destination IPs or ports reached by that process within the same window; a high count separates a flood from repeated connections to one legitimate service |
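The host-side logic above, as an added example run over constructed Sysmon Event ID 3 records (this is not code from ATT&CK or Sysmon). The record keys mirror Sysmon's EID 3 fields (UtcTime, ProcessId, Image, DestinationIp, DestinationPort); the threshold values, the one-second sliding window, and the list of amplification ports are assumptions for the example. A process alerts once when its connections inside any window reach ThresholdEventVolume and either spread across DestinationDiversity distinct destinations or target a known amplification port.

```python
"""Sysmon Event ID 3 rate/diversity analytic for outbound flooding.

Added example, not code from ATT&CK or Sysmon. Events are constructed dicts
whose keys mirror Sysmon EID 3 fields. Thresholds and the port list are
assumptions chosen for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed watchlist of UDP services commonly abused for reflection/amplification.
AMPLIFICATION_PORTS = {19, 53, 123, 161, 389, 1900, 11211}
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout


def detect_flooding(events, threshold_event_volume=50, destination_diversity=20,
                    window_s=1.0):
    """Return one alert per process whose connections in any sliding window of
    window_s seconds reach threshold_event_volume and either spread over
    destination_diversity distinct (ip, port) pairs or hit an amplification port."""
    windows = defaultdict(deque)          # (pid, image) -> deque of (ts, ip, port)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):   # fixed-width timestamps sort as text
        key = (ev["ProcessId"], ev["Image"])
        if key in alerts:                 # one alert per process is enough
            continue
        ts = datetime.strptime(ev["UtcTime"], TS_FMT)
        dq = windows[key]
        dq.append((ts, ev["DestinationIp"], int(ev["DestinationPort"])))
        while (ts - dq[0][0]).total_seconds() > window_s:   # expire entries outside the window
            dq.popleft()
        if len(dq) < threshold_event_volume:
            continue
        dests = {(ip, port) for _, ip, port in dq}
        amp_ports = sorted({port for _, _, port in dq if port in AMPLIFICATION_PORTS})
        if len(dests) >= destination_diversity or amp_ports:
            alerts[key] = {
                "ProcessId": ev["ProcessId"], "Image": ev["Image"],
                "connections_in_window": len(dq),
                "unique_destinations": len(dests),
                "amplification_ports": amp_ports,
                "reason": ("destination diversity" if len(dests) >= destination_diversity
                           else "amplification port"),
            }
    return list(alerts.values())


def constructed_events():
    """Constructed input: a TCP flood to many hosts, a burst at one NTP
    reflector, and a browser with ordinary activity."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    ev = []

    def add(pid, image, offset_ms, ip, port):
        stamp = (base + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)[:-3]
        ev.append({"UtcTime": stamp, "ProcessId": pid, "Image": image,
                   "DestinationIp": ip, "DestinationPort": port})

    for i in range(60):                                   # 60 connections in 0.6 s to 60 hosts
        add(4242, r"C:\Users\bob\flood.exe", 10 * i, f"203.0.113.{i + 1}", 80)
    for i in range(5):                                    # 5 connections spread over 2 s
        add(1337, r"C:\Program Files\Browser\browser.exe", 2000 + 400 * i, "198.51.100.5", 443)
    for i in range(55):                                   # 55 sends in 0.55 s at one NTP port
        add(7777, r"C:\Temp\udpflood.exe", 5000 + 10 * i, "198.51.100.7", 123)
    return ev


if __name__ == "__main__":
    for alert in detect_flooding(constructed_events()):
        print(alert)
```

Tune ThresholdEventVolume against the busiest legitimate processes in the environment (browsers, update agents, scanners run by operations) before enabling this; the diversity requirement is what keeps a chatty client talking to one API from paging anyone. Sysmon only records connections the process makes through the host's normal socket stack, so a tool that writes raw packets may leave no EID 3 trail at all, which is why the flow-based analytic below is the necessary complement.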
Flooding tools such as hping3 or nping sending large volumes of packets across multiple ports or IPs

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | Execution of network stress tools (execve records) or anomalies in socket/syscall behavior |
| Network Traffic Flow (DC0078) | NSM:Flow | High-volume flows with incomplete TCP sessions (e.g., SYN with no reply) or single-packet bursts |

| Field | Description |
|---|---|
| PacketRateThreshold | Packets per second from one source host above the environment's normal baseline |
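The Linux analytic, as an added example that joins the two data components above: execve records from auditd are parsed for known stress tools, NSM flow records are bucketed per source host and checked for PacketRateThreshold plus a high share of incomplete sessions, and a flow alert is tagged with the tool launch seen on the same host just before it. This is not auditd, Zeek or ATT&CK code. The audit lines follow auditd's raw record format; the flow records use Zeek conn.log field names (an assumption about the NSM in use); syscall 59 being execve assumes x86_64; the mapping of the flooding host to its IP (host_ip) is assumed to come from asset inventory. All inputs are constructed.

```python
"""Linux analytic: stress-tool execution (auditd) correlated with flood flows (NSM).

Added example, not auditd, Zeek or ATT&CK code. Audit lines use auditd's raw
record format; flow records use Zeek conn.log field names (assumption).
"""
import re
from collections import defaultdict

STRESS_TOOLS = {"hping3", "nping"}            # constructed watchlist; extend as needed
INCOMPLETE_STATES = {"S0", "REJ"}             # Zeek: SYN with no reply / rejected
AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_execve(audit_lines):
    """Join SYSCALL and EXECVE records sharing a serial; return execve events
    (syscall 59 on x86_64, an assumption) as {ts, syscall, comm, exe, argv}."""
    by_serial = defaultdict(dict)
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rec = by_serial[serial]
        rec["ts"] = float(ts)
        if rtype == "SYSCALL":
            rec.update(syscall=fields.get("syscall"), comm=fields.get("comm"),
                       exe=fields.get("exe"))
        elif rtype == "EXECVE":
            rec["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
    return [r for r in by_serial.values() if r.get("syscall") == "59"]


def stress_tool_launches(audit_lines):
    """Execve events whose comm or argv[0] basename is a known network stress tool."""
    hits = []
    for r in parse_execve(audit_lines):
        argv0 = (r.get("argv") or [""])[0].rsplit("/", 1)[-1]
        if r.get("comm") in STRESS_TOOLS or argv0 in STRESS_TOOLS:
            hits.append(r)
    return hits


def detect_flood_flows(flows, packet_rate_threshold=500, incomplete_ratio=0.9, window_s=1.0):
    """Per source host and window_s bucket: alert when originator packets per
    second reach packet_rate_threshold and nearly every flow is incomplete
    (no reply, or a single packet with nothing back)."""
    buckets = defaultdict(lambda: [0, 0, 0])   # (src, bucket) -> [pkts, flows, incomplete]
    for f in flows:
        b = buckets[(f["id.orig_h"], int(f["ts"] // window_s))]
        b[0] += f["orig_pkts"]
        b[1] += 1
        if f["conn_state"] in INCOMPLETE_STATES or (f["orig_pkts"] <= 1 and f["resp_pkts"] == 0):
            b[2] += 1
    alerts = []
    for (src, bucket), (pkts, n, inc) in sorted(buckets.items()):
        if pkts / window_s >= packet_rate_threshold and inc / n >= incomplete_ratio:
            alerts.append({"src": src, "window_start": bucket * window_s,
                           "pkt_rate": pkts / window_s, "flows": n,
                           "incomplete_ratio": round(inc / n, 2)})
    return alerts


def correlate(flow_alerts, tool_launches, host_ip, slack_s=5.0):
    """Attach a tool launch to a flow alert when it ran on the offending host
    (host_ip is assumed to come from asset inventory) within slack_s before."""
    out = []
    for a in flow_alerts:
        match = [t for t in tool_launches
                 if a["src"] == host_ip and 0 <= a["window_start"] - t["ts"] <= slack_s]
        out.append(dict(a, tool=match[0]["comm"] if match else None,
                        argv=match[0].get("argv") if match else None))
    return out


AUDIT_LINES = [  # constructed: hping3 SYN flood launched on 192.0.2.10
    'type=SYSCALL msg=audit(1714564800.123:4567): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d2c0 a1=55d3e0 a2=55d500 a3=0 ppid=2100 pid=2111 uid=0 comm="hping3" '
    'exe="/usr/sbin/hping3" key="exec"',
    'type=EXECVE msg=audit(1714564800.123:4567): argc=6 a0="hping3" a1="--flood" a2="-S" '
    'a3="-p" a4="80" a5="203.0.113.9"',
]


def constructed_flows():
    """Constructed input: 600 single-SYN flows in one second from the flooding
    host, plus a few completed sessions from an unrelated host."""
    flows = [{"ts": 1714564801 + i / 600, "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.9",
              "id.resp_p": 80, "proto": "tcp", "conn_state": "S0", "orig_pkts": 1, "resp_pkts": 0}
             for i in range(600)]
    flows += [{"ts": 1714564801 + i / 10, "id.orig_h": "192.0.2.20", "id.resp_h": "198.51.100.5",
               "id.resp_p": 443, "proto": "tcp", "conn_state": "SF", "orig_pkts": 12, "resp_pkts": 10}
              for i in range(10)]
    return flows


def run_analytic():
    return correlate(detect_flood_flows(constructed_flows()),
                     stress_tool_launches(AUDIT_LINES), host_ip="192.0.2.10")


if __name__ == "__main__":
    print(run_analytic())
```

The incomplete-session ratio is what makes the flow side usable on its own: a busy file server also exceeds PacketRateThreshold, but its flows complete. Keep the auditd match as an enrichment rather than a requirement, since a flood from a raw-socket tool that is not on the watchlist, or from a host without auditd, will only ever show up in the flow data.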