Could you consider changing the severity of these rules to match the category (“Informational” and sev:3+)? This will make life easier for the SOC to filter out these signatures until further investigating a possible compromise.
| Signature | sid | Severity |
|---|---|---|
| ET INFO Observed DNS Query to .cloud TLD | 2027865 | Major |
| ET INFO Observed DNS Query to .biz TLD | 2027863 | Major |
| ET INFO Observed DNS Query to .world TLD | 2027870 | Major |
| ET INFO Observed DNS Query to .life TLD | 2027867 | Major |
| ET INFO DNS Query for Suspicious .icu Domain | 2026888 | Minor |
| ET INFO [eSentire] Possible Kali Linux Updates | 2025627 | Minor |
| ET INFO Observed DNS Query to .work TLD | 2027868 | Major |
| ETPRO INFO Dynamic DNS Provider DNS Lookup (gotdns .ch) | 2833171 | Major |
| ETPRO INFO DNS TXT Response Contains URL | 2823117 | Major |
| ETPRO INFO .moe Domain in TLS SNI | 2827579 | Major |
| ET INFO Observed DNS Query to .fit TLD | 2027871 | Major |
| ETPRO INFO HTTP Request with Lowercase accept Header Observed | 2838132 | Minor |
| ET INFO Peer-to-Peer File Sharing Service Domain in DNS Lookup (ipfs .io) | 2036873 | Major |
| ETPRO INFO DNS Query to server.com (Possible Misconfiguration) | 2822354 | Minor |
| ET INFO Suspicious Domain (*.icu) in TLS SNI | 2026889 | Minor |
| ET INFO Observed DNS Query to .desi TLD | 2027866 | Major |
| ET INFO HTTP Request to Suspicious *.world Domain | 2027879 | Minor |
| ETPRO INFO HTTP Request with Lowercase connection Header Observed | 2838131 | Minor |
| ET INFO infinityfree .net Domain in DNS Lookup | 2035538 | Major |
| ET INFO Dotted Quad Host PDF Request | 2027265 | Minor |
| ETPRO INFO AdGuard DNS Over HTTPS Certificate Inbound | 2851070 | Major |
| ET INFO HTTP Request to a *.top domain | 2023882 | Major |
| ET INFO HTTP Request to Suspicious *.cloud Domain | 2027874 | Minor |
| ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com) | 2035655 | Major |
| ET INFO Custom Logo Domain Domain in DNS Lookup (logodownload .org) | 2037269 | Major |
| ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv) | 2035227 | Major |
| ET INFO Possible Rogue LoJack Asset Tracking Agent | 2025553 | Minor |
| ET INFO Observed File Sharing Domain (roamresearch .com in TLS SNI) | 2037763 | Major |
| ET INFO External Host Probing for ChromeCast Devices | 2026758 | Minor |
| ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com) | 2034561 | Major |
| ET INFO JAR Containing Executable Downloaded | 2016379 | Major |
| ET INFO Unconfigured nginx Access | 2023668 | Major |
| ET INFO Python BaseHTTP ServerBanner | 2034635 | Minor |
| ET INFO webhook .site in TLS SNI | 2034634 | Minor |
| ET INFO Observed DNS Query to .okinawa TLD | 2027864 | Major |
| ETPRO INFO Suspicious Registrar Nameservers in DNS Response (internet .bs) | 2834878 | Minor |
| ET INFO HTTP Request to Suspicious *.work Domain | 2027877 | Minor |
| ET INFO HTTP Request to Suspicious *.life Domain | 2027876 | Minor |
| ET INFO URL Shortening Service Domain in DNS Lookup (www .temporary-url .com) | 2038741 | Major |
| ET INFO PowerShell NoProfile Command Received In Powershell Stagers | 2026988 | Minor |
| ET INFO PowerShell DownloadString Command Common In Powershell Stagers | | |
More signatures with the category INFO and a metadata.signature_severity that is either missing or other than Informational. Could you consider changing the category for most of these to Misc Activity as well?
| alert.signature_id | alert.metadata.signature_severity | alert.signature | alert.category |
|---|---|---|---|
| 2031071 | - | ET INFO Microsoft Connection Test | Potentially Bad Traffic |
| 2012758 | - | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain | Misc activity |
| 2013744 | - | ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain | Potentially Bad Traffic |
| 2845391 | - | ETPRO INFO HTTP Request with Lowercase user-agent Header Observed | Potentially Bad Traffic |
| 2035466 | - | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) | Misc activity |
| 2031502 | - | ET INFO Request to Hidden Environment File | Misc Attack |
| 2017515 | - | ET INFO User-Agent (python-requests) Inbound to Webserver | Attempted Information Leak |
| 2013097 | - | ET INFO DYNAMIC_DNS HTTP Request to a .dyndns. domain | Potentially Bad Traffic |
| 2014819 | - | ET INFO Packed Executable Download | Misc activity |
| 2022918 | - | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | Misc activity |
| 2025105 | - | ET INFO DNS Query for Suspicious .ga Domain | Potentially Bad Traffic |
| 2014520 | - | ET INFO EXE - Served Attached HTTP | Misc activity |
| 2013743 | - | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain | Potentially Bad Traffic |
| 2031231 | - | ET INFO Observed ZeroSSL SSL/TLS Certificate | Potentially Bad Traffic |
| 2035465 | - | ET INFO Observed Discord Domain in DNS Lookup (discord .com) | Misc activity |
| 2035463 | - | ET INFO Observed Discord Domain (discord .com in TLS SNI) | Misc activity |
| 2851162 | - | ETPRO INFO Observed DNS Query for Ukraine Domain (.ua) | Potential Corporate Privacy Violation |
| 2025106 | - | ET INFO DNS Query for Suspicious .ml Domain | Potentially Bad Traffic |
| 2031228 | - | ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz) | Potentially Bad Traffic |
| 2016777 | - | ET INFO HTTP Request to a *.pw domain | Potentially Bad Traffic |
| 2035464 | - | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) | Misc activity |
| 2025107 | - | ET INFO DNS Query for Suspicious .cf Domain | Potentially Bad Traffic |
| 2025109 | - | ET INFO Suspicious Domain (*.ga) in TLS SNI | Potentially Bad Traffic |
| 2025110 | - | ET INFO Suspicious Domain (*.ml) in TLS SNI | Potentially Bad Traffic |
| 2851484 | - | ETPRO INFO SMB/DCERPC Bind_ack with Endian Flipped | Misc activity |
| 2834877 | Minor | ETPRO INFO Suspicious Registrar Nameservers in DNS Response (internet .bs) | Potential Corporate Privacy Violation |
| 2031501 | - | ET INFO Netlink GPON Login Attempt (GET) | Attempted Administrator Privilege Gain |
| 2025111 | - | ET INFO Suspicious Domain (*.cf) in TLS SNI | Potentially Bad Traffic |
| 2015744 | - | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity |
| 2840581 | - | ETPRO INFO Inbound Base64 Encoded Wide PowerShell Keyword (DownloadFile) | |
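As an added example (not from the thread and not ET's own tooling), a small Python audit that parses Suricata rule lines and flags INFO-category rules whose `signature_severity` metadata is missing or not Informational, or whose classtype is not misc-activity, which is what the two tables above list by hand. The sids and msg strings are the ones quoted in the thread; the rule bodies are constructed stand-ins, not the real ET rule text.

```python
import re

# Constructed sample rules: the sids and msg strings are the ones quoted in the
# thread above, but the rule bodies are simplified stand-ins, not real ET rule text.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns.query; content:".cloud"; endswith; classtype:bad-unknown; sid:2027865; rev:2; metadata:signature_severity Major, created_at 2019_08_13;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO INFO .moe Domain in TLS SNI"; tls.sni; content:".moe"; endswith; classtype:bad-unknown; sid:2827579; rev:1; metadata:signature_severity Major;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; http.host; content:"msftconnecttest.com"; classtype:bad-unknown; sid:2031071; rev:1; metadata:created_at 2020_10_28;)
alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; content:"discordapp.com"; classtype:misc-activity; sid:2035466; rev:1; metadata:signature_severity Informational;)
"""

INFO_MSG = re.compile(r"^ET(?:PRO)? INFO\b")  # ET and ETPRO INFO-category rules

def parse_rule(line):
    """Return sid, msg, classtype and signature_severity for one rule line (None if not a rule)."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line or ")" not in line:
        return None
    opts = line[line.index("(") + 1 : line.rindex(")")]  # rule header has no parens, so this is the option list
    msg = re.search(r'msg:"([^"]*)"', opts)
    sid = re.search(r"\bsid:(\d+)", opts)
    classtype = re.search(r"\bclasstype:([\w-]+)", opts)
    meta = {}
    m = re.search(r"\bmetadata:([^;]*)", opts)
    if m:  # metadata is a comma-separated list of "key value" pairs
        for item in m.group(1).split(","):
            parts = item.strip().split(None, 1)
            if len(parts) == 2:
                meta[parts[0]] = parts[1]
    return {"sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "classtype": classtype.group(1) if classtype else None,
            "severity": meta.get("signature_severity")}

def info_rule_mismatches(rules_text):
    """List INFO rules whose signature_severity is not Informational or whose classtype is not misc-activity."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None or not INFO_MSG.match(r["msg"]):
            continue
        problems = []
        if r["severity"] != "Informational":
            problems.append("signature_severity=" + (r["severity"] or "missing"))
        if r["classtype"] != "misc-activity":
            problems.append("classtype=" + str(r["classtype"]))
        if problems:
            findings.append((r["sid"], r["msg"], problems))
    return findings
```

Run `info_rule_mismatches` over a downloaded ruleset before each release to see which INFO sids a SOC still cannot filter on severity alone.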
I got all of these moved and assigned to “informational” severity, some with misc-activity applied, and at least one moved over to HUNTING. Should all come out with today’s release!